Minkowski Sum Based Lattice Construction for Multivariate Simultaneous Coppersmith's Technique and Applications to RSA

We investigate a lattice construction method for the Coppersmith technique for finding small solutions of a modular equation. We consider its variant for simultaneous equations and propose a method to construct a lattice by combining lattices for solving single equations. As an application, we consider a new RSA cryptanalysis. Our algorithm can factor an RSA modulus from $l \ge 2$ pairs of RSA public exponents with the common modulus corresponding to secret exponents smaller than $N^{(9l-5)/(12l+4)}$, which improves on the previously best known result by Sarkar and Maitra. For the partial key exposure situation, we can also factor the modulus if $\beta - \delta/2 + 1/4 < (3l-1)/(3l+1)$, where $\beta$ and $\delta$ are the bit-lengths divided by $\log N$ of the secret exponent and its exposed LSBs, respectively. Due to space limitations, some arguments are omitted; see the full version [1].

[1]  Alexander May,et al.  Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? , 2009, ASIACRYPT.

[2]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[3]  Ueli Maurer,et al.  Advances in Cryptology — EUROCRYPT ’96 , 2001, Lecture Notes in Computer Science.

[4]  Noboru Kunihiro,et al.  Solving Generalized Small Inverse Problems , 2010, ACISP.

[5]  Colin Boyd,et al.  Cryptography and Coding , 1995, Lecture Notes in Computer Science.

[6]  Jean-Pierre Seifert,et al.  Extending Wiener's Attack in the Presence of Many Decrypting Exponents , 1999, CQRE.

[7]  Jean-Sébastien Coron,et al.  Fault Attacks Against emv Signatures , 2010, CT-RSA.

[8]  Benne de Weger,et al.  Partial Key Exposure Attacks on RSA up to Full Size Exponents , 2005, EUROCRYPT.

[9]  Alexander May,et al.  Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? , 2008, Public Key Cryptography.

[10]  Ping Luo,et al.  Cryptanalysis of RSA for a special case with d >e , 2009, Science in China Series F: Information Sciences.

[11]  Ronald Cramer,et al.  Public Key Cryptography - PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9-12, 2008. Proceedings , 2008, Public Key Cryptography.

[12]  Johannes Blömer,et al.  A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers , 2005, EUROCRYPT.

[13]  Kazuo Ohta,et al.  Advances in Cryptology — ASIACRYPT’98 , 2002, Lecture Notes in Computer Science.

[14]  Nick Howgrave-Graham,et al.  Finding Small Roots of Univariate Modular Equations Revisited , 1997, IMACC.

[15]  Santanu Sarkar,et al.  A New Class of Weak Encryption Exponents in RSA , 2008, INDOCRYPT.

[16]  D. Boneh Cryptanalysis of RSA with Private Key d Less Than N 0 , 1999 .

[17]  Information Security and Privacy , 1996, Lecture Notes in Computer Science.

[18]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[19]  Johannes Blömer,et al.  New Partial Key Exposure Attacks on RSA , 2003, CRYPTO.

[20]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[21]  Michael J. Wiener,et al.  Cryptanalysis of Short RSA Secret Exponents (Abstract) , 1990, EUROCRYPT.

[22]  Donal O'Shea,et al.  Ideals, varieties, and algorithms - an introduction to computational algebraic geometry and commutative algebra (2. ed.) , 1997, Undergraduate texts in mathematics.

[23]  Benne de Weger,et al.  A Partial Key Exposure Attack on RSA Using a 2-Dimensional Lattice , 2006, ISC.

[24]  Tatsuaki Okamoto,et al.  Public Key Cryptography - PKC 2007, 10th International Conference on Practice and Theory in Public-Key Cryptography, Beijing, China, April 16-20, 2007, Proceedings , 2007, Public Key Cryptography.

[25]  Jean-Sébastien Coron,et al.  Deterministic Polynomial-Time Equivalence of Computing the RSA Secret Key and Factoring , 2006, Journal of Cryptology.

[26]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[27]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[28]  Jacques Stern,et al.  Advances in Cryptology — EUROCRYPT ’99 , 1999, Lecture Notes in Computer Science.

[29]  Vincent Rijmen,et al.  Progress in Cryptology - INDOCRYPT 2008, 9th International Conference on Cryptology in India, Kharagpur, India, December 14-17, 2008. Proceedings , 2008, INDOCRYPT.

[30]  Moti Yung,et al.  Advances in Cryptology — CRYPTO 2002 , 2002, Lecture Notes in Computer Science.

[31]  Alexander May,et al.  A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants , 2006, ASIACRYPT.

[32]  Mathias Herrmann Improved Cryptanalysis of the Multi-Prime φ-Hiding Assumption , 2011, AFRICACRYPT.

[33]  Dan Boneh,et al.  Cryptanalysis of RSA with private key d less than N0.292 , 1999, IEEE Trans. Inf. Theory.

[34]  Dan Boneh,et al.  Exposing an RSA Private Key Given a Small Fraction of its Bits , 1998 .

[35]  Johannes Blömer,et al.  Low Secret Exponent RSA Revisited , 2001, CaLC.

[36]  Gerhard Goos,et al.  Secure Networking — CQRE [Secure] ’99 , 1999, Lecture Notes in Computer Science.

[37]  Kefei Chen,et al.  Advances in Cryptology - ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3-7, 2006, Proceedings , 2006, ASIACRYPT.

[38]  Dan Boneh,et al.  An Attack on RSA Given a Small Fraction of the Private Key Bits , 1998, ASIACRYPT.

[39]  Josef Pieprzyk Topics in Cryptology - CT-RSA 2010, The Cryptographers' Track at the RSA Conference 2010, San Francisco, CA, USA, March 1-5, 2010. Proceedings , 2010, CT-RSA.

[40]  Phong Q. Nguyen,et al.  The LLL Algorithm - Survey and Applications , 2009, Information Security and Cryptography.

[41]  Benny Pinkas,et al.  Secure Two-Party Computation is Practical , 2009, IACR Cryptol. ePrint Arch..

[42]  Santanu Sarkar,et al.  Cryptanalysis of RSA with two decryption exponents , 2010, Inf. Process. Lett..

[43]  Alexander May,et al.  Cryptanalysis of Unbalanced RSA with Small CRT-Exponent , 2002, CRYPTO.

[44]  M. Jason Hinek,et al.  Common modulus attacks on small private exponent RSA and some fast variants (in practice) , 2010, J. Math. Cryptol..

[45]  Maike Ritzenhofen,et al.  On efficiently calculating small solutions of systems of polynomial equations: lattice-based methods and applications to cryptography , 2010 .

[46]  Yoshinori Aono,et al.  A New Lattice Construction for Partial Key Exposure Attack for RSA , 2009, Public Key Cryptography.

[47]  Kaoru Kurosawa,et al.  Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi's RSA , 2007, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[48]  Don Coppersmith,et al.  Finding a Small Root of a Univariate Modular Equation , 1996, EUROCRYPT.

[49]  Alexander D. Healy Resultants, Resolvents and the Computation of Galois Groups , 2002 .

[50]  David A. Cox,et al.  Ideals, Varieties, and Algorithms , 1997 .

[51]  Yoshinori Aono,et al.  Minkowski sum based lattice construction for solving simultaneous modular equations and applications to RSA , 2012, IACR Cryptol. ePrint Arch..

[52]  Santanu Sarkar,et al.  Cryptanalysis of RSA with more than one decryption exponent , 2010, Inf. Process. Lett..

[53]  Alexander May,et al.  Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits , 2008, ASIACRYPT.

[54]  Don Coppersmith,et al.  Finding Small Solutions to Small Degree Polynomials , 2001, CaLC.

[55]  David Naccache,et al.  Modulus fault attacks against RSA–CRT signatures , 2011, Journal of Cryptographic Engineering.

[56]  Don Coppersmith,et al.  Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known , 1996, EUROCRYPT.

[57]  David Pointcheval,et al.  Progress in Cryptology - AFRICACRYPT 2011 - 4th International Conference on Cryptology in Africa, Dakar, Senegal, July 5-7, 2011. Proceedings , 2011, AFRICACRYPT.