More on Correcting Errors in RSA Private Keys: Breaking CRT-RSA with Low Weight Decryption Exponents

Several schemes have been proposed for fast encryption and decryption in RSA and its variants. One popular idea is to use integers with low Hamming weight when constructing the decryption exponents. This reduces the multiplication effort in the square-and-multiply method used by the exponentiation routine, both in encryption and decryption. In this paper we show that such schemes are insecure in CRT-RSA when the encryption exponent is small (e.g., e = 2 + 1). In particular, we show that the CRT-RSA schemes presented in SAC 1996 and ACISP 2005 with low weight decryption exponents can be broken in a few minutes in certain cases. Further, the scheme of CT-RSA 2010, where the decryption exponents are not of low weight but have large low weight factors, can also be cryptanalysed. To mount the attack, we exploit the heuristic proposed by Henecka et al. (Crypto 2010), which is capable of correcting errors in the secret parameters when the encryption exponent is small. In the process, we identify a few modifications of the error correction strategy that provide significantly improved experimental outcomes and also beat the theoretical bounds given in the work of Henecka et al.
