Small secret exponent attacks on RSA with unbalanced prime factors

Boneh and Durfee (Eurocrypt 1999) proposed two polynomial-time attacks on small secret exponent RSA. The first attack works when $d < N^{0.284}$, whereas the second works when $d < N^{0.292}$. Both attacks are based on Coppersmith's lattice-based method for solving modular equations. Durfee and Nguyen (Asiacrypt 2000) extended the attack to a variant of RSA in which the prime factors are not the same size. However, their work extended only the first Boneh-Durfee attack. Hence, an open problem remains: whether the second Boneh-Durfee attack can be extended to unbalanced RSA. In this paper, we propose the desired attack, which extends the second Boneh-Durfee attack. Our proposed attack fully improves the Durfee-Nguyen attack for all sizes of prime factors. The improvement stems from our technical lattice construction. Although Durfee and Nguyen analyzed only lattices whose basis matrices are triangular, we analyze broader classes of lattices that include non-triangular basis matrices. The analysis can be performed using the unravelled linearization proposed by Herrmann and May (Asiacrypt 2009) and the transformation on the Boneh-Durfee lattices proposed by Takayasu and Kunihiro (PKC 2016). As a result, we can exploit more useful algebraic structure than the Durfee-Nguyen attack.
