Short Private Exponent Attacks on Fast Variants of RSA
نویسندگان
چکیده
In this report, we study the adaptation of existing attacks on short private exponent on fast variants of the well-known RSA public-key cryptosystem, namely the RSA Multiprime and the Takagi family cryptosystems. The first one consists in a variant whose modulus is made up with strictly more than two primes, which permits to quickly decipher or sign using the Chinese Remainder Theorem. The second scheme has been introduced by Takagi in [21] and generalized by Lim, Kim, Yie and Lee, in [23]. A fast algorithm, involving some n-adic expansion of the modulus of the form prqs, permits the decryption process to be very efficient. The use of short secret exponent may increase decryption or signature, but must be balanced with the risk to give rise to some powerful attacks, namely Wiener’s continued fraction algorithm and Boneh-Durfee’s methods. We study these attacks applied on the two fast variants of RSA.
منابع مشابه
Short-Exponent RSA
In some applications, a short private exponent d is chosen to improve the decryption or signing process for RSA public key cryptosystem. However, in a typical RSA, if the private exponent d is selected first, the public exponent e should be of the same order of magnitude as φ(N). Sun et al. devised three RSA variants using unbalanced prime factors p and q to lower the computational cost. Unfort...
متن کاملCommon modulus attacks on small private exponent RSA and some fast variants (in practice)
In this work we re-examine two common modulus attacks on RSA. First, we show that Guo’s continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus N and private exponents each smaller than N the attack can factor the modulus about 93% of the time in practice. The success rate of the attack can be increased up to almost 10...
متن کامل(Very) Large RSA Private Exponent Vulnerabilities
The dangers of using RSA with small private exponents has been known for more than a decade (see Wiener [7]). Knowing these dangers, but still wanting to substantially decrease decryption time, a user might try using a small negative private exponent which corresponds to a very large private exponent. We show that the attacks against small private exponent RSA by Wiener [7], Boneh & Durfee [3],...
متن کاملLattice based Attacks on Small Private Exponent RSA: A Survey
Lattice basis reduction algorithms have contributed a lot to cryptanalysis of RSA crypto system. With coppersmith’s theory of polynomials, these algorithms are searching for the weak instances of Number-theoretic cryptography, mainly RSA. In this paper we present several lattice based attacks on low private exponent of RSA.
متن کاملAnother Look at Small RSA Exponents
In this work we consider a variant of RSA whose public and private exponents can be chosen significantly smaller than in typical RSA. In particular, we show that it is possible to have private exponents smaller thanN which are resistant to all known small private exponent attacks. This allows for instances of RSA with short CRT-exponents and short public exponents. In addition, the number of bi...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2002