Alexander May
University of Paderborn
Publication
Featured research published by Alexander May.
international cryptology conference | 2003
Johannes Blömer; Alexander May
In 1998, Boneh, Durfee and Frankel [4] presented several attacks on RSA when an adversary knows a fraction of the secret key bits. The motivation for these so-called partial key exposure attacks mainly arises from the study of side-channel attacks on RSA. With side-channel attacks an adversary gets either the most significant or the least significant bits of the secret key. The polynomial time algorithms given in [4] only work provided that the public key e is smaller than N. It was raised as an open question whether there are polynomial time attacks beyond this bound. We answer this open question in the present work both in the case of most and least significant bits. Our algorithms make use of Coppersmith's heuristic method for solving modular multivariate polynomial equations [8]. For known most significant bits, we provide an algorithm that works for public exponents e in the interval [N, N^0.725]. Surprisingly, we get an even stronger result for known least significant bits: an algorithm that works for all e < N. We also provide partial key exposure attacks on fast RSA variants that use Chinese Remaindering in the decryption process (e.g. [20,21]). These fast variants are interesting for time-critical applications like smart cards, which in turn are highly vulnerable to side-channel attacks. The new attacks are provable. We show that for small public exponent RSA, half of the bits of d_p = d mod (p - 1) suffice to find the factorization of N in polynomial time. This amount is only a quarter of the bits of N, and therefore the method belongs to the strongest known partial key exposure attacks.
international conference on the theory and application of cryptology and information security | 2006
Ellen Jochemsz; Alexander May
We describe a strategy for finding small modular and integer roots of multivariate polynomials using lattice-based Coppersmith techniques. Applying our strategy, we obtain new polynomial-time attacks on two RSA variants. First, we attack the Qiao-Lam scheme that uses a Chinese Remaindering decryption process with a small difference in the private exponents. Second, we attack the so-called Common Prime RSA variant, where the RSA primes are constructed in a way that circumvents the Wiener attack.
Journal of Cryptology | 2007
Jean-Sébastien Coron; Alexander May
We address one of the most fundamental problems concerning the RSA cryptosystem: does the knowledge of the RSA public and secret key pair (e,d) yield the factorization of N = pq in polynomial time? It is well known that there is a probabilistic polynomial-time algorithm that on input (N,e,d) outputs the factors p and q. We present the first deterministic polynomial-time algorithm that factors N given (e,d) provided that e,d < φ(N). Our approach is an application of Coppersmith's technique for finding small roots of univariate modular polynomials.
Lecture Notes in Computer Science | 2001
Alexander May; Joseph H. Silverman
We describe a dimension reduction method for convolution modular lattices. Its effectiveness and implications for parallel and distributed computing are analyzed.
Lecture Notes in Computer Science | 2001
Johannes Blömer; Alexander May
We present a lattice attack on low exponent RSA with short secret exponent d = N^δ for every δ < 0.265. Our method, as well as the method by Boneh and Durfee, is heuristic, since the method is based on Coppersmith's approach for bivariate polynomials. Coppersmith [6] pointed out that this heuristic must fail in some cases. We argue in this paper that a (practically not interesting) variant of the Boneh/Durfee attack proposed in [4] always fails. Many authors have already stressed the necessity for rigorous proofs of Coppersmith's method in the multivariate case. This is even more evident in light of these results.
international cryptology conference | 2007
Ellen Jochemsz; Alexander May
Wiener's famous attack on RSA with d < N^0.25 shows that using a small d for an efficient decryption process makes RSA completely insecure. As an alternative, Wiener proposed to use the Chinese Remainder Theorem in the decryption phase, where d_p = d mod (p - 1) and d_q = d mod (q - 1) are chosen significantly smaller than p and q. The parameters d_p, d_q are called private CRT-exponents. Since Wiener's proposal in 1990, it has been a challenging open question whether there exists a polynomial time attack on small private CRT-exponents. In this paper, we give an affirmative answer to this question, and show that a polynomial time attack exists if d_p and d_q are smaller than N^0.073.
public key cryptography | 2006
Daniel Bleichenbacher; Alexander May
It is well known that there is an efficient method for decrypting/signing with RSA when the secret exponent d is small modulo p - 1 and q - 1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Durfee bound for small d. At Crypto 2002, May presented a partial solution in the case of an RSA modulus N = pq with unbalanced prime factors p and q. Based on Coppersmith's method, he showed that there is a polynomial time attack provided that q < N^0.382. We will improve this bound to q < N^0.468. Thus, our result comes close to the desired normal RSA case with balanced prime factors. We also present a second result for balanced RSA primes in the case that the public exponent e is significantly smaller than N. More precisely, we show that there is a polynomial time attack if d_p, d_q ≤ min{(N/e)^{2/5}, N^{1/4}}. The method can be used to attack two fast RSA variants recently proposed by Galbraith, Heneghan, McKee, and by Sun, Wu.
international cryptology conference | 2002
Alexander May
public key cryptography | 2004
Johannes Blömer; Alexander May
public key cryptography | 2004
Alexander May
We present lattice-based attacks on RSA with prime factors p and q of unbalanced size. In our scenario, the factor q is smaller than N^s and the decryption exponent d is small modulo p - 1. We introduce two approaches that both use a modular bivariate polynomial equation with a small root. Extracting this root is in both methods equivalent to the factorization of the modulus N = pq. Applying a method of Coppersmith, one can construct from a bivariate modular equation a bivariate polynomial f(x, y) over Z that has the same small root. In our first method, we prove that one can extract the desired root of f(x, y) in polynomial time. This method works up to s < (3 - √5)/2 ≈ 0.382. Our second method uses a heuristic to find the root. This method improves upon the first one by allowing larger values of d modulo p - 1 provided that s ≤ 0.23.