Partial key exposure on RSA with private exponents larger than N

Published: 09 April 2012 Publication History

Abstract

In 1998, Boneh, Durfee and Frankel described several attacks against RSA that allow an attacker who is given a fraction of the bits of the private exponent d to recover all of d. These attacks were later improved and extended in various ways, but they always assume that the private exponent d is smaller than the RSA modulus N. In implementations, however, d may be enlarged to a value larger than N, either to improve performance (by lowering its Hamming weight) or to increase security (by preventing certain side-channel attacks). This paper studies this extended setting and quantifies the number of bits of d required to mount practical partial key exposure attacks. Both the case of known most significant bits (MSBs) and the case of known least significant bits (LSBs) are analyzed. Our results are based on Coppersmith's heuristic methods and are validated by practical experiments run in the SAGE computer-algebra system.
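The two reasons the abstract gives for using a private exponent larger than N both rest on the same fact: any d' = d + k·φ(N) decrypts correctly, so an implementer may pick k for a low Hamming weight or draw it afresh per operation as a side-channel countermeasure. The following added example (not code from the paper; toy parameters and all function names are constructed here) shows both variants and checks that the enlarged exponent really is larger than N.

```python
import secrets

# Constructed toy RSA parameters (hypothetical; far too small for real use).
P, Q = 10007, 10009
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # standard private exponent, 0 < D < PHI < N


def popcount(x: int) -> int:
    """Hamming weight of x (number of set bits)."""
    return bin(x).count("1")


def low_weight_exponent(d: int, phi: int, tries: int = 256) -> int:
    """Performance variant: among d' = d + k*phi for k = 2..tries+1, return the
    one with the fewest set bits. Every such d' is a valid private exponent
    because x^phi = 1 (mod N) for gcd(x, N) = 1; k >= 2 guarantees d' > N,
    since 2*phi(N) > N."""
    return min((d + k * phi for k in range(2, 2 + tries)), key=popcount)


def blinded_exponent(d: int, phi: int, bits: int = 32) -> int:
    """Side-channel variant (additive exponent blinding): a fresh d' = d + r*phi
    for every private operation, so a power or timing trace exposes bits of a
    different exponent each time. Forcing the top bit of r makes r >= 2 and
    hence d' > N."""
    r = secrets.randbits(bits) | (1 << (bits - 1))
    return d + r * phi


def rsa_private(c: int, d_prime: int, n: int = N) -> int:
    """RSA private operation with an arbitrary (possibly enlarged) exponent."""
    return pow(c, d_prime, n)


def check_roundtrip(m: int) -> bool:
    """Encrypt m with the public key and decrypt it with the standard, the
    low-weight and a blinded exponent; all three must give m back."""
    c = pow(m, E, N)
    return (rsa_private(c, D) == m
            and rsa_private(c, low_weight_exponent(D, PHI)) == m
            and rsa_private(c, blinded_exponent(D, PHI)) == m)
```

Because both variants put d' above N, an attacker who learns some of its bits is in exactly the setting the paper analyzes rather than the classical d < N case.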


Cited By

  • (2022) A Third is All You Need: Extended Partial Key Exposure Attack on CRT-RSA with Additive Exponent Blinding. Advances in Cryptology – ASIACRYPT 2022, pp. 508-536, doi:10.1007/978-3-031-22972-5_18. Online publication date: 5-Dec-2022
  • (2016) Partial Key Exposure Attacks on RSA with Multiple Exponent Pairs. Proceedings, Part II, of the 21st Australasian Conference on Information Security and Privacy - Volume 9723, pp. 243-257, doi:10.1007/978-3-319-40367-0_15. Online publication date: 4-Jul-2016

Published In

ISPEC'12: Proceedings of the 8th International Conference on Information Security Practice and Experience
April 2012, 404 pages
ISBN: 9783642291005
Editors: Mark D. Ryan, Ben Smyth, Guilin Wang

Sponsors

  • Hangzhou Normal University, China

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

  1. Coppersmith's methods
  2. RSA cryptosystem
  3. cryptanalysis
  4. key exposure
  5. lattice reduction
