Partial Key Exposure Attacks on Rsa and Its Variant by Guessing a Few Bits of One of the Prime Factors
نویسندگان
چکیده
Consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. We first study cryptanalysis of RSA when certain amount of the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of d is known. The basic lattice based technique is similar to that of Ernst et al. in Eurocrypt 2005. However, our idea of guessing a few MSBs of the secret prime p substantially reduces the requirement of MSBs or LSBs of d for the key exposure attack. Further, we consider the RSA variant proposed by Sun and Yang in PKC 2005 and show that the partial key exposure attack works significantly
منابع مشابه
New Partial Key Exposure Attacks on RSA Revisited
At CRYPTO 2003, Blömer and May presented new partial key exposure attacks against RSA. These were the first known polynomial-time partial key exposure attacks against RSA with public exponent e > N . Attacks for known most significant bits and known least significant bits were presented. In this work, we extend their attacks to multi-prime RSA. For r-prime RSA, these result in the first known p...
متن کاملA Tool Kit for Partial Key Exposure Attacks on RSA
Thus far, partial key exposure attacks on RSA have been intensively studied using lattice based Coppersmith's methods. In the context, attackers are given partial information of a secret exponent and prime factors of (Multi-Prime) RSA where the partial information is exposed in various ways. Although these attack scenarios are worth studying, there are several known attacks whose constructions ...
متن کاملOn the security of multi-prime RSA
In this work we collect the strongest known algebraic attacks on multi-prime RSA. These include factoring, small private exponent, small CRT exponent and partial key exposure attacks. Five of the attacks are new. A new variant of partial key exposure attacks is also introduced which applies only to multi-prime RSA with more than two primes.
متن کاملInvestigation of Some Attacks on GAGE (v1), InGAGE (v1), (v1.03), and CiliPadi (v1) Variants
In this paper, we present some attacks on GAGE, InGAGE, and CiliPadi which are candidates of the first round of the NIST-LWC competition. GAGE and InGAGE are lightweight sponge based hash function and Authenticated Encryption with Associated Data (AEAD), respectively and support different sets of parameters. The length of hash, key, and tag are always 256, 128, and 128 bits, respec...
متن کاملAn Attack on RSA Using LSBs of Multiples of the Prime Factors
Let N = pq be an RSA modulus with a public exponent e and a private exponent d. Wiener’s famous attack on RSA with d < N and its extension by Boneh and Durfee to d < N show that using a small d makes RSA completely insecure. However, for larger d, it is known that RSA can be broken in polynomial time under special conditions. For example, various partial key exposure attacks on RSA and some att...
متن کامل