A polynomial time attack on RSA with private CRT-exponents smaller than N0.073N^{0.073}

Wiener’s famous attack on RSA with d

Solving Linear Equations Modulo Unknown Divisors: Revisited

We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor $p$ for a known composite integer $N$. In CaLC 2001, Howgrave-Graham introduced an efficient algorithm for solving univariate linear equations; since then, two forms of multivariate generalizations have been considered in the context of cryptanalysis: modular multivariate linear equations by Herrmann and May (Asiacrypt\u2708) and simultaneous modular univariate linear equations by Cohn and Heninger (ANTS\u2712). Their algorithms have many important applications in cryptanalysis, such as factoring with known bits problem, fault attacks on RSA signatures, analysis of approximate GCD problem, etc. In this paper, by introducing multiple parameters, we propose several generalizations of the above equations. The motivation behind these extensions is that some attacks on RSA variants can be reduced to solving these generalized equations, and previous algorithms do not apply. We present new approaches to solve them, and compared with previous methods, our new algorithms are more flexible and especially suitable for some cases. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants, specifically, \begin{itemize} \item We improve May\u27s results (PKC\u2704) on small secret exponent attack on RSA variant with moduli $N = p^rq$ ($r\geq 2$). \item We experimentally improve Boneh et al.\u27s algorithm (Crypto\u2798) on factoring $N=p^rq$ ($r\geq 2$) with known bits problem. \item We significantly improve Jochemsz-May\u27 attack (Asiacrypt\u2706) on Common Prime RSA. \item We extend Nitaj\u27s result (Africacrypt\u2712) on weak encryption exponents of RSA and CRT-RSA. \end{itemize

Authentication system for e-certificate by using RSA’s digital signature

Online learning and teaching become the popular channel for all participants, because they can access the courses everywhere with the high-speed internet. E-certificate is being prepared for everyone who has participated or passed the requirements of the courses. Because of many benefits frome-certificate, it may become the demand for intruders to counterfeit the certificate. In this paper, Rivest-Shamir-Adleman (RSA)’s digital signature is chosen to signe-certificate in order to avoid being counterfeited by intruders. There are two applications to managee-certificate. The first application is the signing application to sign the sub image including only participant’s name in e-certificate. In general, the file of digital signature is divided frome-certificate. That means, both of them must be selected to compare each other in checking application. In fact, the solution will be approved when each pixel of participant’s name is equal to each part from the decrypted message at the same position. In experimental session, 40 e-certificatesare chosen for the implementation. The results reveal that the accuracy is 100% and both of signing and checking processes are completed rapidly fast, especially when signing application is applied with Chinese remainder theorem (CRT) or the special technique of CRT. Therefore, the proposed method is one of the best solutions to protect e-certificate from the forgery by intruders

A Novel Method of Encryption using Modified RSA Algorithm and Chinese Remainder Theorem

Security can only be as strong as the weakest link. In this world of cryptography, it is now well established, that the weakest link lies in the implementation of cryptographic algorithms. This project deals with RSA algorithm implementation with and without Chinese Remainder Theorem and also using Variable Radix number System. In practice, RSA public exponents are chosen to be small which makes encryption and signature verification reasonably fast. Private exponents however should never be small for obvious security reasons. This makes decryption slow. One way to speed things up is to split things up, calculate modulo p and modulo q using Chinese Remainder Theorem. For smart cards which usually have limited computing power, this is a very important and useful technique. This project aims at implementing RSA algorithm using Chinese Remainder Theorem as well as to devise a modification using which it would be still harder to decrypt a given encrypted message by employing a Variable radix system in order to encrypt the given message at the first place

On the Efficiency of Fast RSA Variants in Modern Mobile Phones

Modern mobile phones are increasingly being used for more services that require modern security mechanisms such as the public key cryptosystem RSA. It is, however, well known that public key cryptography demands considerable computing resources and that RSA encryption is much faster than RSA decryption. It is consequently an interesting question if RSA as a whole can be executed efficiently on modern mobile phones. In this paper, we explore the efficiency on modern mobile phones of variants of the RSA cryptosystem, covering CRT, MultiPrime RSA, MultiPower RSA, Rebalanced RSA and R Prime RSA by comparing the encryption and decryption time using a simple Java implementation and a typical RSA setup.Comment: 5 pages IEEE format, International Journal of Computer Science and Information Security, IJCSIS December 2009, ISSN 1947 5500, http://sites.google.com/site/ijcsis

On Deterministic Polynomial-time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

Let N = pq be the product of two large primes. Consider Chinese remainder theorem-Rivest, Shamir, Adleman (CRT-RSA) with the public encryption exponent e and private decryption exponents dp, dq. It is well known that given any one of dp or dq (or both) one can factorise N in probabilistic poly(log N) time with success probability almost equal to 1. Though this serves all the practical purposes, from theoretical point of view, this is not a deterministic polynomial time algorithm. In this paper, we present a lattice-based deterministic poly(log N) time algorithm that uses both dp, dq (in addition to the public information e, N) to factorise N for certain ranges of dp, dq. We like to stress that proving the equivalence for all the values of dp, dq may be a nontrivial task.Defence Science Journal, 2012, 62(2), pp.122-126, DOI:http://dx.doi.org/10.14429/dsj.62.171

Hard isogeny problems over RSA moduli and groups with infeasible inversion

We initiate the study of computational problems on elliptic curve isogeny graphs defined over RSA moduli. We conjecture that several variants of the neighbor-search problem over these graphs are hard, and provide a comprehensive list of cryptanalytic attempts on these problems. Moreover, based on the hardness of these problems, we provide a construction of groups with infeasible inversion, where the underlying groups are the ideal class groups of imaginary quadratic orders. Recall that in a group with infeasible inversion, computing the inverse of a group element is required to be hard, while performing the group operation is easy. Motivated by the potential cryptographic application of building a directed transitive signature scheme, the search for a group with infeasible inversion was initiated in the theses of Hohenberger and Molnar (2003). Later it was also shown to provide a broadcast encryption scheme by Irrer et al. (2004). However, to date the only case of a group with infeasible inversion is implied by the much stronger primitive of self-bilinear map constructed by Yamakawa et al. (2014) based on the hardness of factoring and indistinguishability obfuscation (iO). Our construction gives a candidate without using iO.Comment: Significant revision of the article previously titled "A Candidate Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the constructions by giving toy examples, added "The Parallelogram Attack" (Sec 5.3.2). 54 pages, 8 figure