Cryptanalysis of RSA with a Small Parameter

This paper investigates the security of RSA system with short exponents. Let N=pq be an RSA modulus with balanced primes p and q. Denote the public exponent by e and the private exponent by d. Then e and d satisfy ed−1=kφ(N), which is usually called the RSA equation. When e and d are both short, and parameter k is the smallest unknown variable in RSA equation, we prove that there exist two new square root attacks. One attack applies the baby-step giant-step method, the other applies the Pollard's ρ method. We show that if K is a known upper bound of k, then k can be recovered in time $\tilde{O}(\sqrt{K})$ and memory $\tilde{O}(\sqrt{K})$ by using the baby-step giant-step method, and in time $\tilde{O}(\sqrt{K})$ and negligible memory by applying Pollard ρ method. As an application of our new attacks, we present the cryptanalysis on an RSA-type scheme proposed by Sun et al.

[1]  Edlyn Teske,et al.  Speeding Up Pollard's Rho Method for Computing Discrete Logarithms , 1998, ANTS.

[2]  László Csirmaz,et al.  The Size of a Share Must Be Large , 1994, Journal of Cryptology.

[3]  Dan Boneh,et al.  Cryptanalysis of RSA with private key d less than N0.292 , 2000, IEEE Trans. Inf. Theory.

[4]  Hung-Min Sun,et al.  On the Design of RSA With Short Secret Exponent , 2002, J. Inf. Sci. Eng..

[5]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[6]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[7]  Hung-Min Sun,et al.  RSA with Balanced Short Exponents and Its Application to Entity Authentication , 2005, Public Key Cryptography.

[8]  S. Maitra,et al.  PARTIAL KEY EXPOSURE ATTACKS ON RSA AND ITS VARIANT BY GUESSING A FEW BITS OF ONE OF THE PRIME FACTORS , 2009 .

[9]  Michael J. Wiener,et al.  Cryptanalysis of Short RSA Secret Exponents (Abstract) , 1990, EUROCRYPT.

[10]  Tatsuaki Okamoto,et al.  Advances in Cryptology — ASIACRYPT 2000 , 2000, Lecture Notes in Computer Science.

[11]  J. Pollard,et al.  Monte Carlo methods for index computation () , 1978 .

[12]  Jeffrey Shallit,et al.  Algorithmic Number Theory , 1996, Lecture Notes in Computer Science.

[13]  Glenn Durfee,et al.  Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99 , 2000, ASIACRYPT.

[14]  Hung-Min Sun,et al.  Short-Exponent RSA , 2009, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[15]  Alexander May,et al.  Using LLL-Reduction for Solving RSA and Factorization Problems , 2010, The LLL Algorithm.

[16]  Johannes Blömer,et al.  A Generalized Wiener Attack on RSA , 2004, Public Key Cryptography.

[17]  Robert H. Deng,et al.  Public Key Cryptography – PKC 2004 , 2004, Lecture Notes in Computer Science.

[18]  J. Quisquater,et al.  Fast decipherment algorithm for RSA public-key cryptosystem , 1982 .

[19]  Arjen K. Lenstra,et al.  Factorization of RSA-140 Using the Number Field Sieve , 1999, ASIACRYPT.

[20]  Edlyn Teske On random walks for Pollard's rho method , 2001, Math. Comput..

[21]  Serge Vaudenay Public Key Cryptography - PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, January 23-26, 2005, Proceedings , 2005, Public Key Cryptography.

[22]  Shi Bai,et al.  On the Efficiency of Pollard's Rho Method for Discrete Logarithms , 2008, CATS.

[23]  Benne de Weger,et al.  Cryptanalysis of RSA with Small Prime Difference , 2002, Applicable Algebra in Engineering, Communication and Computing.

[24]  Jacques Stern,et al.  Advances in Cryptology — EUROCRYPT ’99 , 1999, Lecture Notes in Computer Science.

[25]  Edlyn Teske,et al.  A space efficient algorithm for group structure computation , 1998, Math. Comput..

[26]  Dan Boneh,et al.  Cryptanalysis of RSA with private key d less than N0.292 , 1999, IEEE Trans. Inf. Theory.