Cryptanalysis of short RSA secret exponents
نویسنده
چکیده
A cryptanalytic attack on the use of short RSA secret exponents is described. This attack makes use of an algorithm based on continued fractions which finds the numerator and denominator of a fraction in polynomial time when a close enough estimate of the fraction is known. The public exponent e and the modulus pq can be used to create an estimate of a fraction which involves the secret exponent d. The algorithm based on continued fractions uses this estimate to discover sufficiently short secret exponents. For a typical case where e < pq, GCD(p-1, q-1) is small, and p and q have approximately the same number of bits, this attack will discover secret exponents with up to approximately one-quarter as many bits as the modulus. Ways to combat this attack, ways to improve it, and two open problems are described. This attack poses no threat to the normal case of RSA where the secret exponent is approximately the same size as the modulus. This is because this attack uses information provided by the public exponent and, in the normal case, the public exponent can be chosen almost independently of the modulus.
منابع مشابه
Cryptanalysis of RSA with Small Prime Difference using Unravelled Linearization
R. Rivest, A. Shamir and L. Adleman," A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, vol. 21, No. 2, pp. 120-126,1978. Wiener, M. : Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory 36, 553-558 (1990). Boneh, D. , Durfee, G. : Cryptanalysis of RSA with Private Key d Less Than N^0. 292, Advances in ...
متن کاملMinkowski sum based lattice construction for solving simultaneous modular equations and applications to RSA
We investigate a lattice construction method for the Coppersmith technique for finding small solu-tions of a modular equation. We consider its variant for simultaneous equations and propose a methodto construct a lattice by combining lattices for solving single equations. As applications, we consider(i) a new RSA cryptanalysis for multiple short secret exponents, (ii) its partial ke...
متن کاملCryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99
At Asiacrypt ’99, Sun, Yang and Laih proposed three RSA variants with short secret exponent that resisted all known attacks, including the recent Boneh-Durfee attack from Eurocrypt ’99 that improved Wiener’s attack on RSA with short secret exponent. The resistance comes from the use of unbalanced primes p and q. In this paper, we extend the Boneh-Durfee attack to break two out of the three prop...
متن کاملNew Attacks on RSA with Small Secret CRT-Exponents
It is well-known that there is an efficient method for decrypting/signing with RSA when the secret exponent d is small modulo p− 1 and q − 1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Dur...
متن کاملMore on Correcting Errors in RSA Private Keys: Breaking CRT-RSA with Low Weight Decryption Exponents
Several schemes have been proposed towards the fast encryption and decryption in RSA and its variants. One popular idea is to use integers having low Hamming weight in the preparation of the decryption exponents. This is to reduce the multiplication effort in the square and multiply method in the exponentiation routine, both in encryption and decryption. In this paper we show that such schemes ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IEEE Trans. Information Theory
دوره 36 شماره
صفحات -
تاریخ انتشار 1990