39 research outputs found

    A polynomial time attack on RSA with private CRT-exponents smaller than N^{0.073}

    Wiener’s famous attack on RSA with d

    On The Broadcast and Validity-Checking Security of PKCS #1 v1.5 Encryption

    (paper awarded the "Best Student Paper Award") This paper describes new attacks on PKCS #1 v1.5, a deprecated but still widely used RSA encryption standard. The first cryptanalysis is a broadcast attack, allowing the opponent to reveal an identical plaintext sent to different recipients. This is nontrivial because different randomizers are used for different encryptions (in other words, plaintexts coincide only partially). The second attack predicts, using a single query to a validity-checking oracle, which of two chosen plaintexts corresponds to a challenge ciphertext. The attack's success odds are very high. The two new attacks rely on different mathematical tools and underline the need to accelerate the phase-out of PKCS #1 v1.5.

    Solving Generalized Small Inverse Problems

    Abstract. We introduce a "generalized small inverse problem (GSIP)" and present an algorithm for solving this problem. GSIP is formulated as finding small solutions of f(x0, x1, ..., xn) = x0 h(x1, ..., xn) + C = 0 (mod M) for an n-variate polynomial h and non-zero integers C and M. Our algorithm is based on the lattice-based Coppersmith technique. We provide a strategy for constructing a lattice basis for solving f = 0, which is systematically transformed from a lattice basis for solving h = 0. Then, we derive, in explicit form, an upper bound such that the target problem can be solved in time polynomial in log M. Since GSIPs include some RSA-related problems, our algorithm is applicable to them. For example, the small key attacks by Boneh and Durfee are re-found automatically. This is a full version of [13].

    Cryptanalysis of RSA variants using small roots of polynomials


    A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants

    We describe a strategy for finding small modular and integer roots of multivariate polynomials using lattice-based Coppersmith techniques. Applying our strategy, we obtain new polynomial-time attacks on two RSA variants. First, we attack the Qiao-Lam scheme, which uses a Chinese Remaindering decryption process with a small difference between the private exponents. Second, we attack the so-called Common Prime RSA variant, where the RSA primes are constructed in a way that circumvents the Wiener attack.
