New attacks on RSA with Moduli N = p^r q
We present three attacks on the Prime Power RSA with modulus N = p^r q. In the first attack, we consider a public exponent e satisfying an equation ex − φ(N)y = z where φ(N) = p^(r−1)(p − 1)(q − 1). We show that one can factor N if the parameters |x| and |z| satisfy |xz| < N^(r(r−1)/(r+1)^2), thereby extending the recent results of Sarkar [16]. In the second attack, we consider two public exponents e1 and e2 and their corresponding private exponents d1 and d2. We show that one can factor N when d1 and d2 share a suitable amount of their most significant bits, that is, |d1 − d2| < N^(r(r−1)/(r+1)^2). The third attack enables us to factor two Prime Power RSA moduli N1 = p1^r q1 and N2 = p2^r q2 when p1 and p2 share a suitable amount of their most significant bits, namely |p1 − p2| < p1/(2 r q1 q2).
Continued Fractions Applied to a Family of RSA-like Cryptosystems
Let be the product of two balanced prime numbers and . Murru and Saettone presented in 2017 an interesting RSA-like cryptosystem that uses the key equation , instead of the classical RSA key equation . The authors claimed that their scheme is immune to Wiener's continued fraction attack. Unfortunately, Nitaj et al. developed exactly such an attack. In this paper, we introduce a family of RSA-like encryption schemes that uses the key equation , where is an integer. Then, we show that regardless of the choice of , there exists an attack based on continued fractions that recovers the secret exponent.
New vulnerability of RSA modulus type N = p^2 q
This paper proposes new attacks on moduli of type N = p^2 q. Given k moduli of the form N_i = p_i^2 q_i for k ≥ 2 and i = 1, …, k, the attack works when the k public keys (N_i, e_i) are such that there exist k relations of the shape e_i x − N_i y_i = z_i − (a p_i^2 + b q_i^2) y_i, or of the shape e_i x_i − N_i y = z_i − (a p_i^2 + b q_i^2) y, where the parameters x, x_i, y, y_i and z_i are suitably small in terms of the prime factors of the moduli. The proposed attacks, which use the LLL algorithm, enable one to factor the k moduli N_i simultaneously.
Partial key exposure attacks on multi-power RSA
The printed copy of the thesis is held in the İstanbul Şehir University Library.

In this thesis, our main focus is a type of cryptanalysis of a variant of RSA, namely multi-power RSA. In multi-power RSA, the modulus is chosen as N = p^r q, where r ≥ 2. Building on Coppersmith's method of finding small roots of polynomials, Boneh and Durfee showed a crucial result (a small private exponent attack) for standard RSA: N = pq can be factored in time polynomial in log N when d < N^0.292. In 2014, Sarkar improved the existing small private exponent attacks on multi-power RSA for r ≤ 5. He showed that one can factor N in time polynomial in log N if d < N^0.395 for r = 2.

Extending the ideas in Sarkar's work, we develop a new partial key exposure attack on multi-power RSA. Prior knowledge of the least significant bits (LSBs) of the private exponent d is required to mount this attack. Our result is a generalization of Sarkar's result, which can be seen as a corollary of ours. Our attack has the following properties: the required known part of the LSBs becomes smaller as the size of the public exponent e grows, and it works for all exponents e (resp. d) when the exponent d (resp. e) has full-size bit length. For practical validation of our attack, we carried out several computer algebra experiments using the LLL algorithm and Gröbner basis computation. In some cases, the experimental results are better than our theoretical result indicates.
Cryptanalysis of RSA: A Special Case of Boneh-Durfee’s Attack
Boneh and Durfee proposed (at Eurocrypt 1999) a polynomial-time attack on RSA with a small decryption exponent that exploits lattice and sub-lattice structure to obtain optimized bounds (d = N^ε and e = N^α, where ε and α are the private and public key exponents respectively) for some α ≤ ε satisfying the condition d > φ(N) − N^ε. We analyzed lattices whose basis matrices are triangular and non-triangular, using large decryption exponent and focus group attacks respectively. The core objective is to explore the algebraic structure underlying RSA polynomials so that we can improve the performance of weak key attacks. We implemented the attack and performed several experiments showing that an RSA cryptosystem can be successfully attacked, revealing possible weak keys which ultimately enable an adversary to factor the RSA modulus.