New Attacks on RSA with Small Secret CRT-Exponents
نویسندگان
چکیده
It is well-known that there is an efficient method for decrypting/signing with RSA when the secret exponent d is small modulo p− 1 and q − 1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Durfee bound for small d. At Crypto 2002, May presented a partial solution in the case of an RSA modulus N = pq with unbalanced prime factors p and q. Based on Coppersmith’s method, he showed that there is a polynomial time attack provided that q < N. We will improve this bound to q < N . Thus, our result comes close to the desired normal RSA case with balanced prime factors. We also present a second result for balanced RSA primes in the case that the public exponent e is significantly smaller than N . More precisely, we show that there is a polynomial time attack if dp, dq ≤ min{(N/e) 5 , N 4 }. The method can be used to attack two fast RSA variants recently proposed by Galbraith, Heneghan, McKee, and by Sun, Wu.
منابع مشابه
Secret Exponent Attacks on RSA-type Schemes with Moduli N= prq
We consider RSA-type schemes with modulus N = pq for r ≥ 2. We present two new attacks for small secret exponent d. Both approaches are applications of Coppersmith’s method for solving modular univariate polynomial equations [5]. From these new attacks we directly derive partial key exposure attacks, i.e. attacks when the secret exponent is not necessarily small but when a fraction of the secre...
متن کاملSecret Exponent Attacks on RSA-type Schemes with Moduli N = pq
We consider RSA-type schemes with modulus N = pq for r ≥ 2. We present two new attacks for small secret exponent d. Both approaches are applications of Coppersmith’s method for solving modular univariate polynomial equations [5]. From these new attacks we directly derive partial key exposure attacks, i.e. attacks when the secret exponent is not necessarily small but when a fraction of the secre...
متن کاملAnother Look at Small RSA Exponents
In this work we consider a variant of RSA whose public and private exponents can be chosen significantly smaller than in typical RSA. In particular, we show that it is possible to have private exponents smaller thanN which are resistant to all known small private exponent attacks. This allows for instances of RSA with short CRT-exponents and short public exponents. In addition, the number of bi...
متن کاملPractical Fault Countermeasures for Chinese Remaindering Based RSA
Most implementations of the widely-used RSA cryptosystem rely on Chinese remaindering (CRT) as this greatly improves the performances in both running times and memory requirements. Unfortunately, CRT-based implementations are also known to be more sensitive to fault attacks: a single fault in an RSA exponentiation may reveal the secret prime factors trough a GCD computation, that is, a total br...
متن کاملMore on Correcting Errors in RSA Private Keys: Breaking CRT-RSA with Low Weight Decryption Exponents
Several schemes have been proposed towards the fast encryption and decryption in RSA and its variants. One popular idea is to use integers having low Hamming weight in the preparation of the decryption exponents. This is to reduce the multiplication effort in the square and multiply method in the exponentiation routine, both in encryption and decryption. In this paper we show that such schemes ...
متن کامل