New attacks on RSA with Moduli N = p^r q

International audienceWe present three attacks on the Prime Power RSA with mod-ulus N = p^r q. In the first attack, we consider a public exponent e satisfying an equation ex − φ(N)y = z where φ(N) = p^(r−1 )(p − 1)(q − 1). We show that one can factor N if the parameters |x| and |z| satisfy |xz| < N r(r−1) (r+1)/ 2 thereby extending the recent results of Sakar [16]. In the second attack, we consider two public exponents e1 and e2 and their corresponding private exponents d1 and d2. We show that one can factor N when d1 and d2 share a suitable amount of their most significant bits, that is |d1 − d2| < N r(r−1) (r+1) /2. The third attack enables us to factor two Prime Power RSA moduli N1 = p1^r q1 and N2 = p2^r q2 when p1 and p2 share a suitable amount of their most significant bits, namely, |p1 − p2| < p1/(2rq1 q2)

Asymptotic Bound for RSA Variant with Three Decryption Exponents

This paper presents a cryptanalysis attack on the RSA variant with modulus $N=p^rq$ for $r\geq 2$ with three public and private exponents $(e_1,d_1),$ $(e_2,d_2),$ $(e_3,d_3)$ sharing the same modulus $N$ where $p$ and $q$ are consider to prime having the same bit size. Our attack shows that we get the private exponent \sigma_1\sigma_2\sigma_3<\left(\frac{r-1}{r+1}\right)^4, which makes the modulus vulnerable to Coppersmith's attacks and can lead to the factorization of $N$ efficiently where d_1 The asymptotic bound of our attack is greater than the bounds for May \cite{May}, Zheng and Hu \cite{Z}, and Lu et al. \cite{Y} for 2\leq r \leq 10 and greater than Sarkar's \cite{Sarkar1} and \cite{Sarkar} bounds for 5 \leq r \leq10$

New Number-Theoretic Cryptographic Primitives

This paper introduces new $p^r q$-based one-way functions and companion signature schemes. The new signature schemes are interesting because they do not belong to the two common design blueprints, which are the inversion of a trapdoor permutation and the Fiat--Shamir transform. In the basic signature scheme, the signer generates multiple RSA-like moduli $n_i = p_i^2 q_i$ and keeps their factors secret. The signature is a bounded-size prime whose Jacobi symbols with respect to the $n_i$\u27s match the message digest. The generalized signature schemes replace the Jacobi symbol with higher-power residue symbols. Given of their very unique design the proposed signature schemes seem to be overlooked missing species in the corpus of known signature algorithms

Factoring the modulus of type n = p2q by finding small solutions of the equation er − (ns + t) = αp2 + βq2

The modulus of type N=p2q is often used in many variants of factoring-based cryptosystems due to its ability to fasten the decryption process. Faster decryption is suitable for securing small devices in the Internet of Things (IoT) environment or securing fast-forwarding encryption services used in mobile applications. Taking this into account, the security analysis of such modulus is indeed paramount. This paper presents two cryptanalyses that use new enabling conditions to factor the modulus N=p2q of the factoring-based cryptosystem. The first cryptanalysis considers a single user with a public key pair (e,N) related via an arbitrary relation to equation er−(Ns+t)=αp2+βq2, where r,s,t are unknown parameters. The second cryptanalysis considers two distinct cases in the situation of k-users (i.e., multiple users) for k≥2, given the instances of (Ni,ei) where i=1,…,k. By using the lattice basis reduction algorithm for solving simultaneous Diophantine approximation, the k-instances of (Ni,ei) can be successfully factored in polynomial time

Solving Linear Equations Modulo Unknown Divisors: Revisited

We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor $p$ for a known composite integer $N$. In CaLC 2001, Howgrave-Graham introduced an efficient algorithm for solving univariate linear equations; since then, two forms of multivariate generalizations have been considered in the context of cryptanalysis: modular multivariate linear equations by Herrmann and May (Asiacrypt\u2708) and simultaneous modular univariate linear equations by Cohn and Heninger (ANTS\u2712). Their algorithms have many important applications in cryptanalysis, such as factoring with known bits problem, fault attacks on RSA signatures, analysis of approximate GCD problem, etc. In this paper, by introducing multiple parameters, we propose several generalizations of the above equations. The motivation behind these extensions is that some attacks on RSA variants can be reduced to solving these generalized equations, and previous algorithms do not apply. We present new approaches to solve them, and compared with previous methods, our new algorithms are more flexible and especially suitable for some cases. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants, specifically, \begin{itemize} \item We improve May\u27s results (PKC\u2704) on small secret exponent attack on RSA variant with moduli $N = p^rq$ ($r\geq 2$). \item We experimentally improve Boneh et al.\u27s algorithm (Crypto\u2798) on factoring $N=p^rq$ ($r\geq 2$) with known bits problem. \item We significantly improve Jochemsz-May\u27 attack (Asiacrypt\u2706) on Common Prime RSA. \item We extend Nitaj\u27s result (Africacrypt\u2712) on weak encryption exponents of RSA and CRT-RSA. \end{itemize

How to Generalize RSA Cryptanalyses

Recently, the security of RSA variants with moduli N=p^rq, e.g., the Takagi RSA and the prime power RSA, have been actively studied in several papers. Due to the unusual composite moduli and rather complex key generations, the analyses are more involved than the standard RSA. Furthermore, the method used in some of these works are specialized to the form of composite integers N=p^rq. In this paper, we generalize the techniques used in the current best attacks on the standard RSA to the RSA variants. We show that the lattices used to attack the standard RSA can be transformed into lattices to attack the variants where the dimensions are larger by a factor of (r+1) of the original lattices. We believe the steps we took present to be more natural than previous researches, and to illustrate this point we obtained the following results: \begin{itemize} \item Simpler proof for small secret exponent attacks on the Takagi RSA proposed by Itoh et al. (CT-RSA 2008). Our proof generalizes the work of Herrmann and May (PKC 2010). \item Partial key exposure attacks on the Takagi RSA; generalizations of the works of Ernst et al. (Eurocrypt 2005) and Takayasu and Kunihiro (SAC 2014). Our attacks improve the result of Huang et al. (ACNS 2014). \item Small secret exponent attacks on the prime power RSA; generalizations of the work of Boneh and Durfee (Eurocrypt 1999). Our attacks improve the results of Sarkar (DCC 2014, ePrint 2015) and Lu et al. (Asiacrypt 2015). \item Partial key exposure attacks on the prime power RSA; generalizations of the works of Ernst et al. and Takayasu and Kunihiro. Our attacks improve the results of Sarkar and Lu et al. \end{itemize} The construction techniques and the strategies we used are conceptually easier to understand than previous works, owing to the fact that we exploit the exact connections with those of the standard RSA

Partial key exposure attacks on multi-power RSA

Tezin basılısı İstanbul Şehir Üniversitesi Kütüphanesi'ndedir.In this thesis, our main focus is a type of cryptanalysis of a variant of RSA, namely multi-power RSA. In multi-power RSA, the modulus is chosen as N = prq, where r ≥ 2. Building on Coppersmith’s method of finding small roots of polynomials, Boneh and Durfee show a very crucial result (a small private exponent attack) for standard RSA. According to this study, N = pq can be factored in polynomial time in log N when d < N 0.292 . In 2014, Sarkar improve the existing small private exponent attacks on multi-power RSA for r ≤ 5. He shows that one can factor N in polynomial time in log N if d < N 0.395 for r = 2 . Extending the ideas in Sarkar’s work, we develop a new partial key exposure attack on multi-power RSA. Prior knowledge of least significant bits (LSBs) of the private exponent d is required to realize this attack. Our result is a generalization of Sarkar’s result, and his result can be seen as a corollary of our result. Our attack has the following properties: the required known part of LSBs becomes smaller in the size of the public exponent e and it works for all exponents e (resp. d) when the exponent d (resp. e) has full-size bit length. For practical validation of our attack, we demonstrate several computer algebra experiments. In the experiments, we use the LLL algorithm and Gröbner basis computation. We achieve to obtain better experimental results than our theoretical result indicates for some cases.Declaration of Authorship ii Abstract iii Öz iv Acknowledgments v List of Figures viii List of Tables ix Abbreviations x 1 Introduction 1 1.1 A Short History of the Partial Key Exposure Attacks . . . . . . . . . . . . 4 1.2 Overview of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2 The RSA Cryptosystem 8 2.1 RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2 RSA Key Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.3 Multi-power RSA (Takagi’s Variant) . . . . . . . . . . . . . . . . . . . . . 10 2.4 Cryptanalysis of RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.4.1 Factoring N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4.2 Implementation Attacks . . . . . . . . . . . . . . . . . . . . . . . . 12 2.4.2.1 Side-Channel Analysis . . . . . . . . . . . . . . . . . . . . 12 2.4.2.2 Bleichenbacher’s Attack . . . . . . . . . . . . . . . . . . . 13 2.4.3 Message Recovery Attacks . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.3.1 Håstad’s Attack . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.3.2 Franklin-Reiter Attack . . . . . . . . . . . . . . . . . . . . 15 2.4.3.3 Coppersmith’s Short Pad Attack . . . . . . . . . . . . . . 15 2.4.4 Attacks Using Extra Knowledge on RSA Parameters . . . . . . . . 15 2.4.4.1 Wiener’s Attack . . . . . . . . . . . . . . . . . . . . . . . 16 2.4.4.2 Boneh-Durfee Attack . . . . . . . . . . . . . . . . . . . . 17 3 Preliminaries 18 3.1 Lattice Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.2 Finding Small Roots of Polynomials . . . . . . . . . . . . . . . . . . . . . 20 3.2.1 Finding Small Modular Roots . . . . . . . . . . . . . . . . . . . . . 21 3.2.2 Complexity of the Attacks . . . . . . . . . . . . . . . . . . . . . . . 25 3.2.2.1 Polynomial Reduction . . . . . . . . . . . . . . . . . . . . 25 3.2.2.2 Root Extraction . . . . . . . . . . . . . . . . . . . . . . . 25 3.2.3 Boneh-Durfee Attack . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4 Partial Key Exposure Attacks on Multi-Power RSA 28 4.1 Known Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.1.1 Attacks when ed ≡ 1 mod ( p−1)( q−1) . . . . . . . . . . . . . . . 29 4.1.2 Attacks when ed ≡ 1 mod ( pr −pr−1)( q−1) . . . . . . . . . . . . . 29 4.2 A New Attack with Known LSBs . . . . . . . . . . . . . . . . . . . . . . . 31 4.3 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 5 Conclusion and Discussions 39 Bibliograph

On the Security of Some Variants of RSA

The RSA cryptosystem, named after its inventors, Rivest, Shamir and Adleman, is the most widely known and widely used public-key cryptosystem in the world today. Compared to other public-key cryptosystems, such as elliptic curve cryptography, RSA requires longer keylengths and is computationally more expensive. In order to address these shortcomings, many variants of RSA have been proposed over the years. While the security of RSA has been well studied since it was proposed in 1977, many of these variants have not. In this thesis, we investigate the security of five of these variants of RSA. In particular, we provide detailed analyses of the best known algebraic attacks (including some new attacks) on instances of RSA with certain special private exponents, multiple instances of RSA sharing a common small private exponent, Multi-prime RSA, Common Prime RSA and Dual RSA