Extended partial key exposure attacks on RSA: Improvement up to full size decryption exponents

Abstract: Partial key exposure attacks on RSA have been intensively studied using lattice-based Coppersmith's methods. Ernst et al. (Eurocrypt'05) studied the problem by considering three attack scenarios: (1) the most significant bits (MSBs) of a secret exponent d are known, (2) the least significant bits (LSBs) of d are known, (3) both the MSBs and the LSBs of d are known. The proposed attacks were valuable since they were the first results to handle full size exponents e. Takayasu and Kunihiro (SAC'14, Theoretical Computer Science'19) proposed improved attacks for (1) and (2) when d is sufficiently small, i.e., $d < N^{0.5625}$ for (1) and $d < N^{0.368}$ for (2), by utilizing a linearization technique. In this paper, we extend Takayasu-Kunihiro's attacks and improve Ernst et al.'s attack for (3). In particular, our attack contains Takayasu-Kunihiro's attacks for (1) and (2) as special cases when the amounts of given LSBs and MSBs are zero, respectively. Furthermore, as opposed to Takayasu-Kunihiro's attacks, our improvement against Ernst et al.'s attack is not limited to small secret exponents such as $d < N^{0.5625}$. Indeed, we are able to improve Ernst et al.'s attack almost up to full size decryption exponents, i.e., even when d is close to N. Technically, the extension is not straightforward. We first modify Takayasu-Kunihiro's lattice basis matrix for (2), so that it is compatible with embedding the given MSBs. The modification is crucial for embedding both the MSBs and the LSBs simultaneously into the matrix.

[1]  Osmanbey Uzunkol,et al.  A New Partial Key Exposure Attack on Multi-power RSA , 2015, CAI.

[2]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[3]  Noboru Kunihiro,et al.  How to Generalize RSA Cryptanalyses , 2016, Public Key Cryptography.

[4]  Yoshinori Aono,et al.  A New Lattice Construction for Partial Key Exposure Attack for RSA , 2009, Public Key Cryptography.

[5]  M. Jason Hinek,et al.  On the security of multi-prime RSA , 2008, J. Math. Cryptol.

[6]  Noboru Kunihiro,et al.  Small secret exponent attacks on RSA with unbalanced prime factors , 2016, 2016 International Symposium on Information Theory and Its Applications (ISITA).

[7]  Santanu Sarkar,et al.  Partial Key Exposure Attack on CRT-RSA , 2009, ACNS.

[8]  Alexander May,et al.  A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants , 2006, ASIACRYPT.

[9]  Alexander May,et al.  New RSA vulnerabilities using lattice reduction methods , 2003 .

[10]  Kaoru Kurosawa,et al.  Small Secret Key Attack on a Variant of RSA (Due to Takagi) , 2008, CT-RSA.

[11]  Yao Lu,et al.  Small CRT-Exponent RSA Revisited , 2018, Journal of Cryptology.

[12]  Dan Boneh,et al.  Cryptanalysis of RSA with private key d less than $N^{0.292}$ , 2000, IEEE Trans. Inf. Theory.

[13]  Kaoru Kurosawa,et al.  Small Secret Key Attack on a Takagi's Variant of RSA , 2009, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[14]  Alexander May,et al.  Cryptanalysis of Unbalanced RSA with Small CRT-Exponent , 2002, CRYPTO.

[15]  Johannes Blömer,et al.  New Partial Key Exposure Attacks on RSA , 2003, CRYPTO.

[16]  Yoshinori Aono,et al.  Minkowski Sum Based Lattice Construction for Multivariate Simultaneous Coppersmith's Technique and Applications to RSA , 2013, ACISP.

[17]  Nick Howgrave-Graham,et al.  Finding Small Roots of Univariate Modular Equations Revisited , 1997, IMACC.

[18]  Glenn Durfee,et al.  Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99 , 2000, ASIACRYPT.

[19]  Yao Lu,et al.  Recent Progress on Coppersmith's Lattice-Based Method: A Survey , 2017, CREST Crypto-Math Project.

[20]  Noboru Kunihiro,et al.  Partial key exposure attacks on RSA: Achieving the Boneh-Durfee bound , 2019, Theor. Comput. Sci.

[21]  Santanu Sarkar,et al.  Small secret exponent attack on RSA variant with modulus $N=p^rq$ , 2014, Designs, Codes and Cryptography.

[22]  Alexander May,et al.  New Attacks on RSA with Small Secret CRT-Exponents , 2006, Public Key Cryptography.

[23]  Dongdai Lin,et al.  New Partial Key Exposure Attacks on CRT-RSA with Large Public Exponents , 2014, ACNS.

[24]  Don Coppersmith,et al.  Finding Small Solutions to Small Degree Polynomials , 2001, CaLC.

[25]  Noboru Kunihiro,et al.  Partial Key Exposure Attacks on CRT-RSA: Better Cryptanalysis to Full Size Encryption Exponents , 2015, ACNS.

[26]  Osamu Watanabe,et al.  On the optimality of lattices for the coppersmith technique , 2012, Applicable Algebra in Engineering, Communication and Computing.

[27]  Noboru Kunihiro,et al.  Cryptanalysis of RSA Variants with Modified Euler Quotient , 2018, AFRICACRYPT.

[28]  Lei Hu,et al.  Partial Key Exposure Attacks on Takagi's Variant of RSA , 2014, ACNS.

[29]  Dan Boneh,et al.  An Attack on RSA Given a Small Fraction of the Private Key Bits , 1998, ASIACRYPT.

[30]  Alexander May,et al.  A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than $N^{0.073}$ , 2007, CRYPTO.

[31]  Dongdai Lin,et al.  Solving Linear Equations Modulo Unknown Divisors: Revisited , 2015, ASIACRYPT.

[32]  Don Coppersmith,et al.  Finding a Small Root of a Univariate Modular Equation , 1996, EUROCRYPT.

[33]  Benne de Weger,et al.  Partial Key Exposure Attacks on RSA up to Full Size Exponents , 2005, EUROCRYPT.

[34]  Jacques Stern,et al.  The Two Faces of Lattices in Cryptology , 2001, CaLC.

[35]  Santanu Sarkar,et al.  Partial Key Exposure Attack on RSA - Improvements for Limited Lattice Dimensions , 2010, INDOCRYPT.

[36]  N. Kunihiro Solving Generalized Small Inverse Problems , 2011 .

[37]  Noboru Kunihiro,et al.  Partial Key Exposure Attacks on RSA with Multiple Exponent Pairs , 2016, ACISP.

[38]  Michael J. Wiener,et al.  Cryptanalysis of Short RSA Secret Exponents (Abstract) , 1990, EUROCRYPT.

[39]  T. Izu,et al.  A Unified Framework for Small Secret Exponent Attack on RSA , 2014 .

[40]  Noboru Kunihiro,et al.  Cryptanalysis of RSA with Multiple Small Secret Exponents , 2014, ACISP.

[41]  Noboru Kunihiro,et al.  A Tool Kit for Partial Key Exposure Attacks on RSA , 2017, CT-RSA.

[42]  Santanu Sarkar,et al.  Revisiting Prime Power RSA , 2016, Discret. Appl. Math.

[43]  Alexander May,et al.  Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA , 2010, Public Key Cryptography.

[44]  Noboru Kunihiro,et al.  On Optimal Bounds of Small Inverse Problems and Approximate GCD Problems with Higher Degree , 2012, ISC.

[45]  Noboru Kunihiro,et al.  Partial Key Exposure Attacks on CRT-RSA: General Improvement for the Exposed Least Significant Bits , 2016, ISC.

[46]  Alexander May,et al.  Using LLL-Reduction for Solving RSA and Factorization Problems , 2010, The LLL Algorithm.

[47]  Alexander May,et al.  Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? , 2009, ASIACRYPT.

[48]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .