On Some Attacks on Multi-prime RSA
Related papers
New Attacks on the RSA Cryptosystem
Progress in Cryptology – AFRICACRYPT 2014, 2014
This paper presents three new attacks on the RSA cryptosystem. The first two attacks work when $k$ RSA public keys $(N_i, e_i)$ are such that there exist $k$ relations of the shape $e_i x - y_i \varphi(N_i) = z_i$ or of the shape $e_i x_i - y \varphi(N_i) = z_i$ where $N_i = p_i q_i$, $\varphi(N_i) = (p_i - 1)(q_i - 1)$ and the parameters $x$, $x_i$, $y$, $y_i$, $z_i$ are suitably small in terms of the prime factors of the moduli. We show that our attacks enable us to simultaneously factor the $k$ RSA moduli $N_i$. The third attack works when the prime factors $p$ and $q$ of the modulus $N = pq$ share an amount of their least significant bits (LSBs) in the presence of two decryption exponents $d_1$ and $d_2$ sharing an amount of their most significant bits (MSBs). The three attacks improve the bounds of some former attacks that make RSA insecure.
A New Factoring Attack on Multi-Prime RSA with Small Prime Difference
IACR Cryptol. ePrint Arch., 2015
In this paper, we study the security of multi-prime RSA whose modulus is $N = p_1 p_2 \cdots p_r$ for $r \ge 3$ with small prime difference of size $N^{\gamma}$. In ACISP 2013, Zhang and Takagi showed a Fermat-like factoring attack, which can directly factor $N$ for $\gamma < \frac{1}{r^2}$. We improve this bound to theoretically achieve $\gamma < \frac{2}{r(r+2)}$ by a new factoring attack. Furthermore, we also analyse specific MPRSA with imbalanced prime factors. Experimental results are provided to show the efficiency of our attack.
2013
The RSA cryptosystem, named after Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1978, is a cryptographic public-key system based on the presumed difficulty of factoring integers. To receive an RSA-encrypted message a user selects two large prime numbers and publishes the product, along with an auxiliary value, as public key. The prime factors must be kept secret. Anyone can use this public key to encrypt a message. Someone knowing the prime factors can feasibly decode the message. But there exist several approaches to break the cryptographic system without this knowledge. In this project, we implement and study the efficiency and effectiveness of three RSA attacks - Integer Factorisation, Guessing plaintext, and Guessing φ(N) attack. In order to achieve this aim, we study the RSA algorithm and implement our version of the RSA algorithm. In our study of the RSA algorithm, we look at various algorithms and number theory relevant for the implementation of RSA.
Improved Factoring Attacks on Multi-prime RSA with Small Prime Difference
Information Security and Privacy, 2017
In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of r distinct prime factors of the same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive r simultaneous modular equations. The first attack is to combine all the equations and solve one multivariate equation by generic lattice approaches. Since the equation form is similar to multi-prime Φ-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments.
Common modulus attacks on small private exponent RSA and some fast variants (in practice)
Journal of Mathematical Cryptology, 2010
In this work we reexamine two common modulus attacks on RSA. First, we show that Guo's continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus $N$ and private exponents each smaller than $N^{0.33}$, the attack can factor the modulus about 93% of the time in practice. The success rate of the attack can be increased up to almost 100% by including a relatively small exhaustive search. Next, we consider Howgrave-Graham and Seifert's lattice-based attack and show that a second necessary condition for the attack exists that limits the bounds (beyond the original bounds) once $n \ge 7$ instances of RSA are used. In particular, by construction, the attack is limited to private exponents at most $N^{0.5}$, given sufficiently many instances, instead of the original bound of $N^{1}$. In addition, we also consider the effectiveness of the attacks when mounted against multi-prime RSA and Takagi's variant of RSA. For multi-prime RSA, we show three (or more) instances with a common modulus and private exponents smaller than $N^{1/3}$ is unsafe. For Takagi's scheme, we show that three or more instances with a common modulus $N = p^t q$ is unsafe when all the private exponents are smaller than $N^{2/(3(t+1))}$. The results, for both variants, are obtained using Guo's method and are almost always successful with the inclusion of a small exhaustive search. When only two instances are available, Howgrave-Graham and Seifert's attack can be successfully mounted on multi-prime RSA, with $r$ primes in the modulus, when the private exponents are both smaller than $N^{(3+r)/(7r)}$.
A generalized attack on RSA type cryptosystems
Theoretical Computer Science
Let $N = pq$ be an RSA modulus with unknown factorization. Some variants of the RSA cryptosystem, such as LUC, RSA with Gaussian primes and RSA type schemes based on singular elliptic curves use a public key $e$ and a private key $d$ satisfying an equation of the form $ed - k(p^2 - 1)(q^2 - 1) = 1$. In this paper, we consider the general equation $ex - (p^2 - 1)(q^2 - 1)y = z$ and present a new attack that finds the prime factors $p$ and $q$ in the case that $x$, $y$ and $z$ satisfy a specific condition. The attack combines the continued fraction algorithm and Coppersmith's technique and can be seen as a generalization of the attacks of Wiener and Blömer-May on RSA.
Short private exponent attacks on fast variants of RSA
2002
In this report, we study the adaptation of existing attacks on short private exponent on fast variants of the well-known RSA public-key cryptosystem, namely the RSA Multiprime and the Takagi family cryptosystems. The first one consists in a variant whose modulus is made up with strictly more than two primes, which permits to quickly decipher or sign using the Chinese Remainder Theorem. The second scheme has been introduced by Takagi in and generalized by Lim, Kim, Yie and Lee, in . A fast algorithm, involving some n-adic expansion of the modulus of the form $p^r q^s$, permits the decryption process to be very efficient. The use of short secret exponent may increase decryption or signature, but must be balanced with the risk to give rise to some powerful attacks, namely Wiener's continued fraction algorithm and Boneh-Durfee's methods. We study these attacks applied on the two fast variants of RSA.
Cryptanalysis Attacks on Multi Prime Power Modulus Through Analyzing Prime Difference
International Journal of Science for Global Sustainability
The Security of Rivest, Shamir and Adleman Cryptosystem known as RSA and its variants rely on the difficulty of integer factorization problem. This paper presents a short decryption exponent attack on RSA variant based on the key equation where prime difference was carefully analyzed and came up with an approximation of as which enabled us to obtain an improved bound that led to the polynomial time factorization of the variant .
A New Partial Key Exposure Attack on Multi-power RSA
Lecture Notes in Computer Science, 2015
An important attack on multi-power RSA ($N = p^r q$) was introduced by Sarkar in 2014, by extending the small private exponent attack of Boneh and Durfee on classical RSA. In particular, he showed that $N$ can be factored efficiently for $r = 2$ with private exponent $d$ satisfying $d < N^{0.395}$. In this paper, we generalize this work by introducing a new partial key exposure attack for finding small roots of polynomials using Coppersmith's algorithm and Gröbner basis computation. Our attack works for all multi-power RSA exponents $e$ (resp. $d$) when the exponent $d$ (resp. $e$) has full size bit length. The attack requires prior knowledge of least significant bits (LSBs), and has the property that the required known part of LSB becomes smaller in the size of $e$. For practical validation of our attack, we demonstrate several computer algebra experiments.
ijser.org
The RSA cryptosystem is the most widely used cryptosystem; it may be used to provide both secrecy and digital signatures, and its security is based on the intractability of integer factorization. The security of the RSA algorithm depends on the ability of the hacker to factorize numbers. New, faster and better methods for factoring numbers are constantly being devised. The current best for long numbers is the Number Field Sieve. Past work has proven that none of the attacks on the RSA cryptosystem were dangerous. Indeed, most of the dangers were because of improper use of RSA. In this paper, what I am trying to do is to analyze the different types of possible attacks on the RSA cryptosystem.