论文信息 - An Advantage of Low-Exponent RSA with Modulus Primes Sharing Least Significant Bits

An Advantage of Low-Exponent RSA with Modulus Primes Sharing Least Significant Bits

Let N = pq denote an RSA modulus of length n bits. Call N an (m - LSbS) RSA modulus if p and q have exactly m equal Least Significant (LS) bits. In Asiacrypt '98, Boneh, Durfee and Frankel (BDF) described several interesting 'partial key exposure' attacks on the RSA system. In particular, for low public exponent RSA, they show how to recover in time polynomial in n the whole secret-exponent d given only the n=4 LS bits of d. In this note, we relax a hidden assumption in the running time estimate presented by BDF for this attack. We show that the running time estimated by BDF for their attack is too low for (m- LSbS) RSA moduli by a factor in the order of 2m. Thus the BDF attack is intractable for such moduli with large m. Furthermore, we prove a general related result, namely that if low-exponent RSA using an (m - LSbS) modulus is secure against poly-time conventional attacks, then it is also secure against poly-time partial key exposure attacks accessing up to 2m LS bits of d. Therefore, if low-exponent RSA using (n=4(1 - ?) - LSbS) moduli for small ? is secure, then this result (together with BDF's result on securely leaking the n=2 MS bits of d) opens the possibility of fast and secure public-server-aided RSA decryption/signature generation.

Ron Steinfeld | Yuliang Zheng | Ron Steinfeld | Yuliang Zheng

[1] Dan Boneh,et al. An Attack on RSA Given a Small Fraction of the Private Key Bits , 1998, ASIACRYPT.

[2] Jacques Stern,et al. The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 is not Secure , 1998, ASIACRYPT.

[3] Adi Shamir,et al. A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[4] Alfred Menezes,et al. Handbook of Applied Cryptography , 2018 .

[5] Don Coppersmith,et al. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[6] Benne de Weger,et al. Cryptanalysis of RSA with Small Prime Difference , 2002, Applicable Algebra in Engineering, Communication and Computing.

[7] Hideki Imai,et al. Speeding Up Secret Computations with Insecure Auxiliary Devices , 1988, CRYPTO.

[8] Arjen K. Lenstra,et al. Generating RSA Moduli with a Predetermined Portion , 1998, ASIACRYPT.

[9] Kenneth H. Rosen,et al. Discrete Mathematics and its applications , 2000 .

[10] I. Niven,et al. An introduction to the theory of numbers , 1961 .

[11] Jacques Stern,et al. Short Proofs of Knowledge for Factoring , 2000, Public Key Cryptography.