Partial Key Exposure Attack on CRT-RSA

Consider CRT-RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponents d_p, d_q. Jochemsz and May (Crypto 2007) showed that CRT-RSA is weak when d_p, d_q are smaller than N^0.073. As a follow-up to that paper, we study the partial key exposure attack on CRT-RSA when some Most Significant Bits (MSBs) of d_p, d_q are exposed. Further, better results are obtained when a few MSBs of p (or q) are available too. We present theoretical results as well as experimental evidence to justify our claim. We also analyze the case when the decryption exponents are of different bit sizes, and we show that CRT-RSA is more insecure in this case than when d_p, d_q have the same bit size, considering the total bit size of d_p, d_q.

[1] Alexander May, et al. A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N^0.073, 2007, CRYPTO.

[2] Alexander May, et al. A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants, 2006, ASIACRYPT.

[3] Dan Boneh, et al. Twenty Years of Attacks on the RSA Cryptosystem, 1999.

[4] Adi Shamir, et al. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, 1978, CACM.

[5] Paul C. Kocher, et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, 1996, CRYPTO.

[6] László Csirmaz, et al. The Size of a Share Must Be Large, 1994, Journal of Cryptology.

[7] Michael J. Wiener, et al. Cryptanalysis of Short RSA Secret Exponents (Abstract), 1990, EUROCRYPT.

[8] Dan Boneh, et al. Cryptanalysis of RSA with Private Key d Less Than N^0.292, 2000, IEEE Trans. Inf. Theory.

[9] Don Coppersmith, et al. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities, 1997, Journal of Cryptology.

[10] Alexander May, et al. Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits, 2008, ASIACRYPT.

[11] Craig Gentry, et al. Fully Homomorphic Encryption over the Integers, 2010, EUROCRYPT.

[12] Dan Boneh, et al. An Attack on RSA Given a Small Fraction of the Private Key Bits, 1998, ASIACRYPT.

[13] Hovav Shacham, et al. When Private Keys Are Public: Results from the 2008 Debian OpenSSL Vulnerability, 2009, IMC '09.

[14] Henri Cohen, et al. A Course in Computational Algebraic Number Theory, 1993, Graduate Texts in Mathematics.

[15] Antoine Joux, et al. Cryptanalysis of the RSA Subgroup Assumption from TCC 2005, 2010, IACR Cryptol. ePrint Arch.

[16] Steven D. Galbraith, et al. Tunable Balancing of RSA, 2005, ACISP.

[17] Ariel J. Feldman, et al. Lest We Remember: Cold-Boot Attacks on Encryption Keys, 2008, CACM.

[18] Hovav Shacham, et al. Reconstructing RSA Private Keys from Random Key Bits, 2022. Available from the IACR Cryptology ePrint Archive as Report 2008/510.

[19] Nick Howgrave-Graham, et al. Finding Small Roots of Univariate Modular Equations Revisited, 1997, IMACC.

[20] László Lovász, et al. Factoring Polynomials with Rational Coefficients, 1982.

[21] Alexander May, et al. Cryptanalysis of Unbalanced RSA with Small CRT-Exponent, 2002, CRYPTO.

[22] J. Quisquater, et al. Fast Decipherment Algorithm for RSA Public-Key Cryptosystem, 1982.

[23] Alexander May, et al. New Attacks on RSA with Small Secret CRT-Exponents, 2006, Public Key Cryptography.

[24] Alexander May, et al. Using LLL-Reduction for Solving RSA and Factorization Problems, 2010, The LLL Algorithm.

[25] Benne de Weger, et al. Partial Key Exposure Attacks on RSA up to Full Size Exponents, 2005, EUROCRYPT.

[26] Johannes Blömer, et al. New Partial Key Exposure Attacks on RSA, 2003, CRYPTO.

[27] Jens Groth, et al. Cryptography in Subgroups of Zn, 2005, TCC.

[28] Jean-Sébastien Coron, et al. Finding Small Roots of Bivariate Integer Polynomial Equations Revisited, 2004, EUROCRYPT.