Atsushi Takayasu

Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

Several algorithms have been proposed for factoring RSA modulus \(N\) when attackers know the most or the least significant \((\beta -\delta )\log N\) bits of secret exponents \(d<N^{\beta }\). The attacks are expected to work when \( \beta <1-1/\sqrt{2}\) with full size public exponent \(e\) considering Boneh and Durfee’s result for small secret exponent attacks on RSA. However, previous attacks do not always work in this condition when attackers know only a small amount of information on secret exponent, that is, \( \delta \) is close to \( \beta \). In this paper, we propose the improved algorithms for partial key exposure attacks which cover Boneh and Durfee’s bound when \( \delta =\beta \). Our algorithms are the best among all known results when attackers know the most significant bits of \(d \le N^{9/16}\) or the least significant bits of \(d \le N^{(9-\sqrt{21})/12}\). In our algorithm constructions, we construct basis matrices for lattices which are not triangular and analyze the determinant by using unravelled linearization. The analysis enables us to make better use of the algebraic structures of modular polynomials, that is, we can select appropriate lattice bases or construct appropriate lattice bases.

Better Lattice Constructions for Solving Multivariate Linear Equations Modulo Unknown Divisors

At CaLC 2001, Howgrave-Graham proposed the polynomial time algorithm for solving univariate linear equations modulo an unknown divisor of a known composite integer, the so-called partially approximate common divisor problem. So far, two forms of multivariate generalizations of the problem have been considered in the context of cryptanalysis. The first is simultaneous modular univariate linear equations, whose polynomial time algorithm was proposed at ANTS 2012 by Cohn and Heninger. The second is modular multivariate linear equations, whose polynomial time algorithm was proposed at Asiacrypt 2008 by Herrmann and May. Both algorithms cover Howgrave-Graham’s algorithm for univariate cases. On the other hand, both multivariate problems also become identical to Howgrave-Graham’s problem in the asymptotic cases of root bounds. However, former algorithms do not cover Howgrave-Graham’s algorithm in such cases. In this paper, we introduce the strategy for natural algorithm constructions that take into account the sizes of the root bounds. We work out the selection of polynomials in constructing lattices. Our algorithms are superior to all known attacks that solve the multivariate equations and can generalize to the case of arbitrary number of variables. Our algorithms achieve better cryptanalytic bounds for some applications that relate to RSA cryptosystems.

Cryptanalysis of RSA with Multiple Small Secret Exponents

In this paper, we study the security of RSA when there are multiple public/secret exponents (e 1,d 1), …, (e n ,d n ) with the same public modulus N. We assume that all secret exponents are smaller than N β . When n = 1, Boneh and Durfee proposed a polynomial time algorithm to factor the public modulus N. The algorithm works provided that \( \beta<1-1/\sqrt{2}\). So far, several generalizations of the attacks for arbitrary n have been proposed. However, these attacks do not achieve Boneh and Durfee’s bound for n = 1. In this paper, we propose an algorithm which is the exact generalization of Boneh and Durfee’s algorithm. Our algorithm works when \( \beta<1-\sqrt{2/(3n+1)}\). Our bound is better than all previous results for all n ≥ 2. We construct the lattices by collecting as many helpful polynomials as possible. The collections reduce the volume of the lattices and enable us to improve the bound.

Partial Key Exposure Attacks on RSA with Multiple Exponent Pairs

So far, several papers have analyzed attacks on RSA when attackers know the least significant bits of a secret exponent d as well as a public modulus N and a public exponent e, the so-called partial key exposure attacks. Aono ACISP 2013, and Takayasu and Kunihiro ACISP 2014 generalized the attacks when there are multiple pairs of a public/secret exponent

A Tool Kit for Partial Key Exposure Attacks on RSA

e_1,d_1,\ldots ,e_n,d_n

General Bounds for Small Inverse Problems and Its Applications to Multi-Prime RSA

for the same public modulus N. The standard RSA is a special case of the generalization, i.e.,

Lattice-Based Revocable Identity-Based Encryption with Bounded Decryption Key Exposure Resistance

n=1