13 research outputs found

    On the Security of Some Variants of RSA

    The RSA cryptosystem, named after its inventors, Rivest, Shamir and Adleman, is the most widely known and widely used public-key cryptosystem in the world today. Compared to other public-key cryptosystems, such as elliptic curve cryptography, RSA requires longer keylengths and is computationally more expensive. In order to address these shortcomings, many variants of RSA have been proposed over the years. While the security of RSA has been well studied since it was proposed in 1977, many of these variants have not. In this thesis, we investigate the security of five of these variants of RSA. In particular, we provide detailed analyses of the best known algebraic attacks (including some new attacks) on instances of RSA with certain special private exponents, multiple instances of RSA sharing a common small private exponent, Multi-prime RSA, Common Prime RSA and Dual RSA

    Common Modulus Attacks on Small Private Exponent RSA and Some Fast Variants (in Practice)

    In this work we re-examine two common modulus attacks on RSA. First, we show that Guo's continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus $N$ and private exponents each smaller than $N^{0.33}$ the attack can factor the modulus about $93\%$ of the time in practice. The success rate of the attack can be increased up to almost $100\%$ by including a relatively small exhaustive search. Next, we consider Howgrave-Graham and Seifert's lattice-based attack and show that a second necessary condition for the attack exists that limits the bounds (beyond the original bounds) once $n \geq 7$ instances of RSA are used. In particular, by construction, the attack can only succeed when the private exponents are each smaller than $N^{0.5-\epsilon}$, given sufficiently many instances, instead of the original bound of $N^{1-\epsilon}$. In addition, we also consider the effectiveness of the attacks when mounted against multi-prime RSA and Takagi's variant of RSA. For multi-prime RSA, we show three (or more) instances with a common modulus and private exponents smaller than $N^{1/3-\epsilon}$ is unsafe. For Takagi's variant, we show that three or more instances with a common modulus $N=p^rq$ is unsafe when all the private exponents are smaller than $N^{2/(3(r+1))-\epsilon}$. The results, for both variants, are obtained using Guo's method and are successful almost always with the inclusion of a small exhaustive search. When only two instances are available, Howgrave-Graham and Seifert's attack can be mounted on multi-prime RSA when the private exponents are smaller than $N^{(3+r)/7r-\epsilon}$ when there are $r$ primes in the modulus

    1.3 Algorithmic Problems

    In this work, we give a partial overview of lattice attacks in cryptography. While different kinds of attacks are considered, the emphasis of this work is given to attacks that are based on Coppersmith’s results for solving low degree multivariate modular equations and bivariat

    Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA

    Given knowledge of one or more of the primes in a multiprime RSA modulus we show that the private exponent can be recovered provided it is sufficiently small. In particular, we present a simple and efficient method that given $v$ of the $u$ primes dividing the modulus $N$ recovers any private exponent $d$ satisfying $d < N^{v/u-\epsilon}$. When only one prime is known, this bound can be increased to approximately $N^{1/u+1/(2u^2)}$ using Boneh & Durfee’s techniques for small private exponent attacks on RSA. We also present experimental data which shows that the attack becomes more costly with increasing number of primes in the modulus and increasing modulus sizes.

    Another Look at Small RSA Exponents

    Abstract. In this work we consider a variant of RSA whose public and private exponents can be chosen significantly smaller than in typical RSA. In particular, we show that it is possible to have private exponents smaller than $N^{1/4}$ which are resistant to all known small private exponent attacks. This allows for instances of RSA with short CRT-exponents and short public exponents. In addition, the number of bits required to store the private key information can be significantly reduced in this variant.

    (Very) Large RSA Private Exponent Vulnerabilities

    The dangers of using RSA with small private exponents have been known for more than a decade (see Wiener [7]). Knowing these dangers, but still wanting to substantially decrease decryption time, a user might try using a small negative private exponent which corresponds to a very large private exponent. We show that the attacks against small private exponent RSA by Wiener [7], Boneh & Durfee [3], and Blömer & May [1], and their corresponding attacks on multi-prime RSA, also work for very large private exponents.

    New Partial Key Exposure Attacks on RSA Revisited

    At CRYPTO 2003, Blömer and May presented new partial key exposure attacks against RSA. These were the first known polynomial-time partial key exposure attacks against RSA with public exponent $e > N^{1/2}$. Attacks for known most significant bits and known least significant bits were presented. In this work, we extend their attacks to multi-prime RSA. For $r$-prime RSA, these result in the first known partial key attacks for public exponent $e > N^{1/r}$. As with other attacks on RSA that have been extended to multi-prime RSA, we show that these attacks are weakened with each additional prime added to the RSA modulus. Some experimental bounds on the fraction of bits needed to mount the attacks are presented for some common RSA modulus sizes and small lattice dimensions. When using Coppersmith’s method for finding small roots of multivariate modular polynomials in cryptographic applications, it is often heuristically assumed that the polynomials resulting from the lattice basis reduction are algebraically independent. For some of Blömer and May’s attacks we have observed that this is not the case. Interestingly, even when the polynomials are algebraically dependent in these attacks we are still able to recover the private exponent by simply removing the common factors of the polynomials before computing any resultants.

    On the Security of Multi-prime RSA

    Abstract. In this work we collect the strongest known algebraic attacks on multi-prime RSA. These include factoring, small private exponent, small CRT exponent and partial key exposure attacks. Five of the attacks are new. A new variant of partial key exposure attacks is also introduced which applies only to multi-prime RSA with more than two primes.