Abstract
At Asiacrypt ’99, Sun, Yang and Laih proposed three RSA variants with short secret exponent that resisted all known attacks, including the recent Boneh-Durfee attack from Eurocrypt ’99 that improved Wiener’s attack on RSA with short secret exponent. The resistance comes from the use of unbalanced primes p and q. In this paper, we extend the Boneh-Durfee attack to break two out of the three proposed variants. While the Boneh-Durfee attack was based on Coppersmith’s lattice-based technique for finding small roots of bivariate modular polynomial equations, our attack is based on its generalization to trivariate modular polynomial equations. The attack is heuristic but works well in practice, as does the Boneh-Durfee attack. In particular, we were able to break in a few minutes the numerical examples proposed by Sun, Yang and Laih. The results illustrate once again the fact that one should be very cautious when using a short secret exponent with RSA.
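As an added illustration that is not part of the paper, the following Python code implements the classical Wiener continued-fraction attack that the abstract refers to, on a constructed toy key with balanced primes and a short d, together with the bit-length check a key generator should apply against the N^0.292 bound from Boneh-Durfee. The toy primes, the exponent 9973 and the function names are assumptions; the paper's lattice-based trivariate extension is not reproduced here.

```python
from math import isqrt

def continued_fraction(num, den):
    """Partial quotients a0, a1, ... of num/den."""
    quots = []
    while den:
        a, r = divmod(num, den)
        quots.append(a)
        num, den = den, r
    return quots

def convergents(quots):
    """Successive convergents h/k of [a0; a1, ...] (standard recurrence)."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    for a in quots:
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1

def wiener(e, N):
    """Recover (p, q, d) from (e, N) when d < N^(1/4)/3 and q < p < 2q.
    Since e*d = 1 + k*phi(N), the fraction k/d is a convergent of e/N."""
    for k, d in convergents(continued_fraction(e, N)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = N - phi + 1            # candidate p + q
        disc = s * s - 4 * N       # equals (p - q)^2 if the guess is right
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            p, q = (s + r) // 2, (s - r) // 2
            if p * q == N:
                return p, q, d
    return None

def exponent_too_short(N, d, delta=0.292):
    """Key-generation check: flag d below N^delta (the Boneh-Durfee bound)."""
    return d.bit_length() < delta * N.bit_length()

def toy_key():
    """Constructed 60-bit key (not from the paper) with d = 9973, far below both bounds."""
    p, q = 1000000007, 998244353
    N, phi = p * q, (p - 1) * (q - 1)
    d = 9973
    e = pow(d, -1, phi)            # modular inverse, Python >= 3.8
    return N, e, d, p, q
```

Calling `wiener(e, N)` on `toy_key()` returns the factors and the 14-bit d within a handful of convergents, which is exactly what the unbalanced-prime variants were designed to prevent and what the paper's trivariate lattice attack restores.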
References
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In Proc. of Crypto ’97, volume 1294 of LNCS, pages 235–248. IACR, Springer-Verlag, 1997.
D. Boneh. Twenty years of attacks on the RSA cryptosystem. Notices of the AMS, 46(2):203–213, 1999.
D. Boneh and G. Durfee. Cryptanalysis of RSA with private key d less than N^0.292. In Proc. of Eurocrypt ’99, volume 1592 of LNCS, pages 1–11. IACR, Springer-Verlag, 1999.
S. Cavallar, B. Dodson, A. K. Lenstra, W. Lioen, P. L. Montgomery, B. Murphy, H. te Riele, K. Aardal, J. Gilchrist, G. Guillerm, P. Leyland, J. Marchand, F. Morain, A. Muffett, C. Putnam, C. Putnam, and P. Zimmermann. Factorization of a 512-bit RSA key using the number field sieve. In Proc. of Eurocrypt 2000, volume 1807 of LNCS. IACR, Springer-Verlag, 2000. Factorization announced in August, 1999.
D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. of Cryptology, 10(4):233–260, 1997. Final version of two articles from Eurocrypt ’96.
M. Gruber and C. G. Lekkerkerker. Geometry of Numbers. North-Holland, 1987.
N. Howgrave-Graham. Finding small roots of univariate modular equations revisited. In Cryptography and Coding, volume 1355 of LNCS, pages 131–142. Springer-Verlag, 1997.
C. S. Jutla. On finding small solutions of modular multivariate polynomial equations. In Proc. of Eurocrypt ’98, volume 1403 of LNCS, pages 158–170. IACR, Springer-Verlag, 1998.
A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Ann., 261:513–534, 1982.
Waterloo Maple. The Maple computational algebra system for algebra, number theory and geometry. Information available at http://www.maplesoft.com/products/Maple6/maple6info.html.
W. Meier. Private communication. June, 2000.
P. Q. Nguyen and J. Stern. Lattice reduction in cryptology: An update. In Algorithmic Number Theory-Proc. of ANTS-IV, volume 1838 of LNCS. Springer-Verlag, 2000.
R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
R. Sakai, M. Morii, and M. Kasahara. New key generation algorithm for RSA cryptosystem. IEICE Trans. Fundamentals, E77-A(1):89–97, 1994.
A. Shamir. RSA for paranoids. RSA Laboratories CryptoBytes, 1(3):1–4, 1995.
V. Shoup. Number Theory C++ Library (NTL) version 3.6. Available at http://www.shoup.net/ntl/.
C. L. Siegel. Lectures on the Geometry of Numbers. Springer-Verlag, 1989.
H.-M. Sun, W.-C. Yang, and C.-S. Laih. On the design of RSA with short secret exponent. In Proc. of Asiacrypt ’99, volume 1716 of LNCS, pages 150–164. IACR, Springer-Verlag, 1999.
E. Verheul and H. van Tilborg. Cryptanalysis of less short RSA secret exponents. Applicable Algebra in Engineering, Communication and Computing, 8:425–435, 1997.
M. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inform. Theory, 36(3):553–558, 1990.
© 2000 Springer-Verlag Berlin Heidelberg
Cite this paper
Durfee, G., Nguyen, P.Q. (2000). Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt ’99. In: Okamoto, T. (eds) Advances in Cryptology — ASIACRYPT 2000. ASIACRYPT 2000. Lecture Notes in Computer Science, vol 1976. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44448-3_2
DOI: https://doi.org/10.1007/3-540-44448-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41404-9
Online ISBN: 978-3-540-44448-0