Implicit factorization of unbalanced RSA moduli
Let N1 = p1q1 and N2 = p2q2 be two RSA moduli, not necessarily of the same bit-size. In 2009, May and Ritzenhofen proposed a method to factor N1 and N2 given the implicit information that p1 and p2 share an amount of least significant bits. In this paper, we propose a generalization of their attack as follows: suppose that some unknown multiples a1p1 and a2p2 of the prime factors p1 and p2 share an amount of their Most Significant Bits (MSBs) or an amount of their Least Significant Bits (LSBs). Using the continued fraction algorithm, we propose a method that leads to the factorization of N1 and N2. Using simultaneous diophantine approximations and lattice reduction, we extend the method to factor k ≥ 3 RSA moduli Ni = piqi, i = 1, ..., k given the implicit information that there exist unknown multiples a1p1, ..., akpk sharing an amount of their MSBs or their LSBs. This paper also extends many previous works where similar results were obtained when the pi's share their MSBs or their LSBs.
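Worked example (added here; not code from the paper or its authors): a toy-scale Python run of the two-modulus, shared-MSB case described above. It relies on the observation that a1p1 ≈ a2p2 implies p1/p2 ≈ a2/a1 and hence N1/N2 ≈ a2q1/(a1q2), so that fraction shows up as a convergent of N1/N2 by Legendre's theorem once enough MSBs are shared; each factor is then read off with a gcd. The parameter sizes (256-bit p's, 32-bit q's), the multipliers a1 = 37 and a2 = 101, the helper names and the in-script Miller-Rabin prime generation are illustrative assumptions, not values from the paper.

```python
"""Added worked example (not from the paper): implicit factorization of two
unbalanced RSA moduli N1 = p1*q1 and N2 = p2*q2 when unknown small multiples
a1*p1 and a2*p2 share their most significant bits.

Idea: a1*p1 ~ a2*p2 gives p1/p2 ~ a2/a1, hence N1/N2 ~ (a2*q1)/(a1*q2).
Writing d = a1*p1 - a2*p2, the error is exactly
    N1/N2 - (a2*q1)/(a1*q2) = q1*d / (a1*N2),
so by Legendre's theorem (a2*q1)/(a1*q2) is a convergent of N1/N2 as soon as
2*a1*q1*q2*|d| < p2.  Parameter sizes and names below are illustrative."""
import random
from math import gcd

_MR_RNG = random.Random(1)  # fixed seed so the example is reproducible


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (sufficient for a toy demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_MR_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    """Smallest probable prime strictly greater than n."""
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


def convergents(num, den):
    """Yield the convergents h/k of the continued fraction of num/den, in order."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        a, r = divmod(num, den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k
        num, den = den, r


def shared_msbs(x, y):
    """Number of leading bits x and y agree on (0 if their bit lengths differ)."""
    if x.bit_length() != y.bit_length():
        return 0
    return x.bit_length() - (x ^ y).bit_length()


def implicit_factor(N1, N2):
    """Scan the convergents h/k of N1/N2 for h = a2*q1, k = a1*q2.
    The hit is detected by gcd(N1, h) and gcd(N2, k) both being non-trivial.
    Returns (q1, q2), or None if no convergent splits both moduli."""
    for h, k in convergents(N1, N2):
        g1, g2 = gcd(N1, h), gcd(N2, k)
        if 1 < g1 < N1 and 1 < g2 < N2:
            return g1, g2
    return None


def toy_instance(seed=2024):
    """Constructed unbalanced instance: 256-bit p's, 32-bit q's, a1*p1 ~ a2*p2."""
    rng = random.Random(seed)
    a1, a2 = 37, 101  # small coprime multipliers, unknown to the attacker
    p2 = next_prime(rng.getrandbits(256) | (1 << 255))
    p1 = next_prime((a2 * p2) // a1)  # forces a1*p1 and a2*p2 to share their MSBs
    q1 = next_prime(rng.getrandbits(32) | (1 << 31))
    q2 = next_prime(rng.getrandbits(32) | (1 << 31))
    return p1, q1, p2, q2, a1, a2


if __name__ == "__main__":
    p1, q1, p2, q2, a1, a2 = toy_instance()
    print("shared MSBs of a1*p1 and a2*p2:", shared_msbs(a1 * p1, a2 * p2))
    print("recovered (q1, q2) correctly:",
          implicit_factor(p1 * q1, p2 * q2) == (q1, q2))
```

The attacker never learns a1 or a2; the convergent scan finds a2q1/(a1q2) as a whole, and the gcds with N1 and N2 strip the unknown multipliers off. The check `1 < g < N` matters: the first convergent of a ratio below 1 has numerator 0, and gcd(N1, 0) = N1 would otherwise look like a hit.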
Generalized Implicit Factorization Problem
The Implicit Factorization Problem was first introduced by May and Ritzenhofen at PKC'09. This problem aims to factorize two RSA moduli and when their prime factors share a certain number of least significant bits (LSBs). They proposed a lattice-based algorithm to tackle this problem and extended it to cover RSA moduli. Since then, several variations of the Implicit Factorization Problem have been studied, including the cases where and share some most significant bits (MSBs), middle bits, or both MSBs and LSBs at the same position. In this paper, we explore a more general case of the Implicit Factorization Problem, where the shared bits are located at different and unknown positions for different primes. We propose a lattice-based algorithm and analyze its efficiency under certain conditions. We also present experimental results to support our analysis.
Generalized Implicit Factorization Problem
The Implicit Factorization Problem (IFP) was first introduced by May and Ritzenhofen at PKC'09, which concerns the factorization of two RSA moduli and , where and share a certain consecutive number of least significant bits. Since its introduction, many different variants of IFP have been considered, such as the cases where and share most significant bits or middle bits at the same positions. In this paper, we consider a more generalized case of IFP, in which the shared consecutive bits can be located at positions in each prime, not necessarily required to be located at the same positions as before. We propose a lattice-based algorithm to solve this problem under specific conditions, and also provide some experimental results to verify our analysis.
On oracle factoring of integers
We present an oracle factorisation algorithm which finds a nontrivial factor of almost all squarefree positive integers based on the knowledge of the number of points on certain elliptic curves in residue rings modulo
The Hidden Number Problem with Small Unknown Multipliers: Cryptanalyzing MEGA in Six Queries and Other Applications
In recent work, Backendal, Haller, and Paterson identified several exploitable vulnerabilities in the cloud storage provider MEGA. They demonstrated an RSA key recovery attack in which a malicious server could recover a client's private RSA key after 512 client login attempts. We show how to exploit additional information revealed by MEGA's protocol vulnerabilities to give an attack that requires only six client logins to recover the secret key.
Our optimized attack combines several cryptanalytic techniques. In particular, we formulate and give a solution to a variant of the hidden number problem with small unknown multipliers, which may be of independent interest. We show that our lattice construction for this problem can be used to give improved results for the implicit factorization problem of May and Ritzenhofen.
Finding Small Solutions of the Equation and Its Applications to Cryptanalysis of the RSA Cryptosystem
In this paper, we study the condition of finding small solutions of the equation . The framework is derived from Wiener's small private exponent attack on RSA and May-Ritzenhofen's investigation of the implicit factorization problem, both of which can be generalized to solve the above equation. We show that these two methods, together with Coppersmith's method, are equivalent for solving in the general case. Then, based on Coppersmith's method, we present two improvements for solving in some special cases. The first improvement pays attention to the case where either or is large enough. As applications of this improvement, we propose some new cryptanalysis of RSA, such as new results on the generalized implicit factorization problem, attacks with known bits of the prime factor, and so on. The motivation for these applications comes from the oracle-based complexity of factorization problems. The second improvement assumes that the value of is known. We present two attacks on RSA as its applications. One focuses on the case with known bits of the private exponent together with the prime factor, and the other considers the case with a small difference between the two prime factors. Our new attacks on RSA improve the previous corresponding results respectively, and the correctness of the approach is verified by experiments.
Factoring Unbalanced Moduli with Known Bits
Let be an RSA modulus. This note describes an LLL-based method that factors given contiguous bits of , irrespective of their position. A second method is presented, which needs fewer bits but whose length depends on the position of the known bit pattern. Finally, we introduce a somewhat surprising ad hoc method where two different known bit chunks, totalling bits, suffice to factor .
Solving Linear Equations Modulo Unknown Divisors: Revisited
We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor for a known composite integer .
In CaLC 2001, Howgrave-Graham introduced an efficient algorithm for solving univariate linear equations; since then, two forms of multivariate generalizations have been considered in the context of cryptanalysis: modular multivariate linear equations by Herrmann and May (Asiacrypt'08) and simultaneous modular univariate linear equations by Cohn and Heninger (ANTS'12). Their algorithms have many important applications in cryptanalysis, such as the factoring with known bits problem, fault attacks on RSA signatures, analysis of the approximate GCD problem, etc.
In this paper, by introducing multiple parameters, we propose several generalizations of the above equations. The motivation behind these extensions is that some attacks on RSA variants can be reduced to solving these generalized equations, and previous algorithms do not apply. We present new approaches to solve them, and compared with previous methods, our new algorithms are more flexible and especially suitable for some cases. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants, specifically,
\begin{itemize}
\item We improve May's results (PKC'04) on the small secret exponent attack on the RSA variant with moduli ().
\item We experimentally improve Boneh et al.'s algorithm (Crypto'98) on factoring () with known bits.
\item We significantly improve the Jochemsz-May attack (Asiacrypt'06) on Common Prime RSA.
\item We extend Nitaj's result (Africacrypt'12) on weak encryption exponents of RSA and CRT-RSA.
\end{itemize}
Some Applications of Lattice Based Root Finding Techniques
In this paper we present some problems and their solutions exploiting lattice based root finding techniques.
In CaLC 2001, Howgrave-Graham proposed a method to find the Greatest Common Divisor (GCD) of two large integers when one of the integers is exactly known and the other one is known approximately. In this paper, we present three applications of the technique. The first one is to show deterministic polynomial time equivalence between factoring (, where or are of the same bit size) and knowledge of . Next, we consider the problem of finding smooth integers in a short interval. The third one is to factorize given a multiple of the decryption exponent in RSA.
In Asiacrypt 2006, Jochemsz and May presented a general strategy for finding roots of a polynomial. We apply that technique to solve the following two problems. The first one is to factorize given an approximation of a multiple of the decryption exponent in RSA. The second one is to solve the implicit factorization problem given three RSA moduli, where certain portions of the LSBs as well as the MSBs of one set of three secret primes are the same.