An Approach Towards Rebalanced RSA-CRT with Short Public Exponent

Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speedup RSA decryption. According to RSA-CRT, Wiener suggested another RSA variant, Rebalanced RSA-CRT, to further speedup RSA-CRT decryption by shifting decryption cost to encryption cost. However, such an approach will make RSA encryption very time-consuming because the public exponent e in Rebalanced RSA-CRT will be of the same order of magnitude as φ(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than φ(N)? We solve this problem by designing a variant of Rebalanced RSA-CRT with dp and dq of 198 bits. This variant has the public exponent e = 2 + 1 such that its encryption is about 3 times faster than that of the original Rebalanced RSA-CRT.

[1]  Eric R. Verheul,et al.  Cryptanalysis of ‘Less Short’ RSA Secret Exponents , 1997, Applicable Algebra in Engineering, Communication and Computing.

[2]  Dan Boneh,et al.  An Attack on RSA Given a Small Fraction of the Private Key Bits , 1998, ASIACRYPT.

[3]  Alexander May,et al.  Cryptanalysis of Unbalanced RSA with Small CRT-Exponent , 2002, CRYPTO.

[4]  Dan Boneh,et al.  TWENTY YEARS OF ATTACKS ON THE RSA CRYPTOSYSTEM , 1999 .

[5]  Johan Håstad,et al.  On Using RSA with Low Exponent in a Public Key Network , 1985, CRYPTO.

[6]  Johan Håstad,et al.  Solving Simultaneous Modular Equations of Low Degree , 1988, SIAM J. Comput..

[7]  Dan Boneh,et al.  Cryptanalysis of RSA with private key d less than N0.292 , 2000, IEEE Trans. Inf. Theory.

[8]  Arjen K. Lenstra,et al.  Generating RSA Moduli with a Predetermined Portion , 1998, ASIACRYPT.

[9]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[10]  Matthew K. Franklin,et al.  Low-Exponent RSA with Related Messages , 1996, EUROCRYPT.

[11]  Nick Howgrave-Graham,et al.  Finding Small Roots of Univariate Modular Equations Revisited , 1997, IMACC.

[12]  Dan Boneh,et al.  Exposing an RSA Private Key Given a Small Fraction of its Bits , 1998 .

[13]  Johannes Blömer,et al.  Low Secret Exponent RSA Revisited , 2001, CaLC.

[14]  D. Boneh Cryptanalysis of RSA with Private Key d Less Than N 0 , 1999 .

[15]  Hung-Min Sun,et al.  On the Design of RSA With Short Secret Exponent , 2002, J. Inf. Sci. Eng..

[16]  E. Wright,et al.  An Introduction to the Theory of Numbers , 1939 .

[17]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[18]  Glenn Durfee,et al.  Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99 , 2000, ASIACRYPT.

[19]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[20]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[21]  J. Quisquater,et al.  Fast decipherment algorithm for RSA public-key cryptosystem , 1982 .

[22]  Dan Boneh,et al.  Fast Variants of RSA , 2007 .

[23]  Scott A. Vanstone,et al.  Short RSA keys and their generation , 2004, Journal of Cryptology.

[24]  Johannes Blömer,et al.  New Partial Key Exposure Attacks on RSA , 2003, CRYPTO.