An Advantage of Low-Exponent RSA with Modulus Primes Sharing Least Significant Bits

Abstract

Let N = pq denote an RSA modulus of length n bits. Call N an (mLSbS) RSA modulus if p and q have exactly m equal Least Significant (LS) bits. In Asiacrypt '98, Boneh, Durfee and Frankel (BDF) described several interesting 'partial key exposure' attacks on the RSA system. In particular, for low public exponent RSA, they show how to recover in time polynomial in n the whole secret exponent d given only the n/4 LS bits of d. In this note, we relax a hidden assumption in the running time estimate presented by BDF for this attack. We show that the running time estimated by BDF for their attack is too low for (mLSbS) RSA moduli by a factor of order 2^m. Thus the BDF attack is intractable for such moduli with large m. Furthermore, we prove a general related result, namely that if low-exponent RSA using an (mLSbS) modulus is secure against poly-time conventional attacks, then it is also secure against poly-time partial key exposure attacks accessing up to 2m LS bits of d. Therefore, if low-exponent RSA using (n/4(1 - ε))-LSbS moduli for small ε is secure, then this result (together with BDF's result on securely leaking the n/2 MS bits of d) opens the possibility of fast and secure public-server-aided RSA decryption/signature generation.

References

  1. D. Boneh, G. Durfee, and Y. Frankel. An Attack on RSA Given a Small Fraction of the Private Key Bits. In ASIACRYPT '98, volume 1514 of LNCS, pages 25–34, Berlin, 1998. Springer-Verlag. Full paper available from http://crypto.stanford.edu/~dabo/pubs.
  2. D. Coppersmith. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. J. of Cryptology, 10:233–260, 1997.
  3. B. de Weger. Cryptanalysis of RSA with Small Prime Difference. Cryptology ePrint Archive, Report 2000/016, 2000. http://eprint.iacr.org/.
  4. A. Lenstra. Generating RSA Moduli with a Predetermined Portion. In ASIACRYPT '98, volume 1514 of LNCS, pages 1–10, Berlin, 1998. Springer-Verlag.
  5. T. Matsumoto, K. Kato, and H. Imai. Speeding Up Secret Computations with Insecure Auxiliary Devices. In CRYPTO '88, volume 403 of LNCS, pages 497–506, Berlin, 1989. Springer-Verlag.
  6. A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. Discrete Mathematics and Its Applications. CRC Press, 1997.
  7. P. Nguyen and J. Stern. The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 Is Not Secure. In ASIACRYPT '98, volume 1514 of LNCS, pages 372–379, Berlin, 1998. Springer-Verlag.
  8. I. Niven, H. Zuckerman, and H. Montgomery. An Introduction to the Theory of Numbers. John Wiley & Sons, fifth edition, 1991.
  9. G. Poupard and J. Stern. Short Proofs of Knowledge for Factoring. In PKC 2000, volume 1751 of LNCS, pages 147–166, Berlin, 2000. Springer-Verlag.
  10. D. Redmond. Number Theory: An Introduction. Number 201 in Monographs and Textbooks in Pure and Applied Mathematics. Marcel Dekker, 1996.
  11. R. L. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2):120–128, 1978.
  12. R. Silverman. Fast Generation of Random, Strong RSA Primes. CryptoBytes, 3(1):9–13, 1997.

Author information

Authors and Affiliations

  1. Laboratory for Information and Network Security, School of Network Computing Monash University, Frankston, 3199, Australia
    Ron Steinfeld & Yuliang Zheng

Editor information

Editors and Affiliations

  1. Gemplus Card International, 34 rue Guynemer, 92447, Issy les Moulineaux, France
    David Naccache

Rights and permissions

© 2001 Springer-Verlag Berlin Heidelberg

Cite this paper

Steinfeld, R., Zheng, Y. (2001). An Advantage of Low-Exponent RSA with Modulus Primes Sharing Least Significant Bits. In: Naccache, D. (ed.) Topics in Cryptology — CT-RSA 2001. Lecture Notes in Computer Science, vol 2020. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45353-9_5
