Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA
Authors
Abstract
We present an elementary method to construct optimized lattices that are used for finding small roots of polynomial equations. Former methods first construct some large lattice in a generic way from a polynomial f and then optimize via finding suitable smaller dimensional sublattices. In contrast, our method focuses on optimizing f first which then directly leads to an optimized small dimensional lattice. Using our method, we construct the first elementary proof of the Boneh-Durfee attack for small RSA secret exponents with d ≤ N. Moreover, we identify a sublattice structure behind the Jochemsz-May attack for small CRT-RSA exponents dp, dq ≤ N. Unfortunately, in contrast to the Boneh-Durfee attack, for the Jochemsz-May attack the sublattice does not help to improve the bound asymptotically. Instead, we are able to attack much larger values of dp, dq in practice by LLL reducing smaller dimensional lattices.
Similar resources
A Unified Framework for Small Secret Exponent Attack on RSA
We address a lattice based method on small secret exponent attack on RSA scheme. Boneh and Durfee reduced the attack into finding small roots of a bivariate modular equation: x(N+1+y)+1 ≡ 0 (mod e), where N is an RSA modulus and e is the RSA public key. Boneh and Durfee proposed a lattice based algorithm for solving the problem. When the secret exponent d is less than N, their method breaks RSA ...
General Bounds for Small Inverse Problems and Its Applications to Multi-Prime RSA
In 1999, Boneh and Durfee introduced the small inverse problem, which solves the bivariate modular equation x(N + y) ≡ 1 (mod e). Absolute values of solutions for x and y are bounded above by X = N^δ and Y = N^β, respectively. They solved the problem for β = 1/2 in the context of small secret exponent attacks on RSA and proposed a polynomial time algorithm that works when δ < (7 − 2√7)/6 ≈ ...
Secret Exponent Attacks on RSA-type Schemes with Moduli N = p^r q
We consider RSA-type schemes with modulus N = p^r q for r ≥ 2. We present two new attacks for small secret exponent d. Both approaches are applications of Coppersmith’s method for solving modular univariate polynomial equations [5]. From these new attacks we directly derive partial key exposure attacks, i.e. attacks when the secret exponent is not necessarily small but when a fraction of the secre...
New Attacks on RSA with Small Secret CRT-Exponents
It is well-known that there is an efficient method for decrypting/signing with RSA when the secret exponent d is small modulo p − 1 and q − 1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Dur...