A New Attack on Three Variants of the RSA Cryptosystem

Classical Attacks on a Variant of the RSA Cryptosystem

Progress in Cryptology – LATINCRYPT 2021, 2021

Let N = pq be an RSA modulus with balanced prime factors. In 2018, Murru and Saettone presented a variant of the RSA cryptosystem based on a cubic Pell equation in which the public key (N, e) and the private key (N, d) satisfy $ed \equiv 1 \pmod{(p^2 + p + 1)(q^2 + q + 1)}$. They claimed that the classical small private attacks on RSA such as Wiener's continued fraction attack do not apply to their scheme. In this paper, we show that, on the contrary, Wiener's method as well as the small inverse problem technique of Boneh and Durfee can be applied to attack their scheme. More precisely, we show that the proposed variant of RSA can be broken if $d < N^{0.5694}$. This shows that their scheme is in reality more vulnerable than RSA, where the bound of vulnerability is $d < N^{0.292}$.

A generalized attack on RSA type cryptosystems

Theoretical Computer Science

Let N = pq be an RSA modulus with unknown factorization. Some variants of the RSA cryptosystem, such as LUC, RSA with Gaussian primes and RSA type schemes based on singular elliptic curves use a public key e and a private key d satisfying an equation of the form $ed - k(p^2 - 1)(q^2 - 1) = 1$. In this paper, we consider the general equation $ex - (p^2 - 1)(q^2 - 1)y = z$ and present a new attack that finds the prime factors p and q in the case that x, y and z satisfy a specific condition. The attack combines the continued fraction algorithm and Coppersmith's technique and can be seen as a generalization of the attacks of Wiener and Blömer-May on RSA.

A new attack on the RSA cryptosystem based on continued fractions

2017

This paper presents a new improved attack on RSA based on Wiener's technique using continued fractions. In the RSA cryptosystem with public modulus N = pq, public key e and secret key d, if $d < \frac{1}{3} N^{1/4}$, Wiener's original attack recovers the secret 3 2 , so if either d or e is relatively small the RSA encryption can be broken. For $e \approx N^t$, our method can recover the secret key if $d < 2\sqrt{2}\, N^{\frac{3}{4} - \frac{t}{2}}$ and certainly for $d < 2\sqrt{2}\, N^{1/4}$. Our experiments demonstrate that for a 1024-bit modulus RSA, our method works for values of d of up to 270 bits compared to 255 bits for Wiener.

Cryptanalysis of RSA-type cryptosystems based on Lucas sequences, Gaussian integers and elliptic curves

Journal of Information Security and Applications

In 1995, Kuwakado, Koyama and Tsuruoka presented a new RSA-type scheme based on singular cubic curves $y^2 \equiv x^3 + bx^2 \pmod{N}$ where N = pq is an RSA modulus. Then, in 2002, Elkamchouchi, Elshenawy and Shaban introduced an extension of the RSA scheme to the field of Gaussian integers using a modulus N = PQ where P and Q are Gaussian primes such that p = |P| and q = |Q| are ordinary primes. Later, in 2007, Castagnos proposed a scheme over quadratic field quotients with an RSA modulus N = pq based on Lucas sequences. In the three schemes, the public exponent e is an integer satisfying the key equation $ed - k(p^2 - 1)(q^2 - 1) = 1$. In this paper, we apply the continued fraction method to launch an attack on the three schemes when the private exponent d is sufficiently small. Our experiments demonstrate that for a 1024-bit modulus, our method works for values of d of up to 520 bits. We also examine the effect of dropping the usual assumption that p and q have the same bit size.

Revisiting Wiener’s Attack – New Weak Keys in RSA

Lecture Notes in Computer Science

In this paper we revisit Wiener's method (IEEE-IT 1990) of continued fraction (CF) to find new weaknesses in RSA. We consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. Our motivation is to find out when RSA is insecure given d is $O(N^{\delta})$, where we are mostly interested in the range 0.3 ≤ δ ≤ 0.5. Given ρ (1 ≤ ρ ≤ 2) is known to the attacker, we show that the RSA keys are weak when $d = N^{\delta}$ and $\delta < \frac{1}{2} - \frac{\gamma}{2}$, where $|\rho q - p| \le \frac{N^{\gamma}}{16}$. This presents additional results over the work of de Weger (AAECC 2002). We also discuss how the lattice based idea of Boneh-Durfee (IEEE-IT 2000) works better to find weak keys beyond the bound $\delta < \frac{1}{2} - \frac{\gamma}{2}$. Further we show that the RSA keys are weak when $d < \frac{1}{2} N^{\delta}$ and e is $O(N^{\frac{3}{2} - 2\delta})$ for $\delta \le \frac{1}{2}$. Using similar techniques we also present new results over the work of Blömer and May (PKC 2004).

Security Issues of Novel RSA Variant

IEEE Access

The RSA is one of the current default cryptosystems that provides security with applications such as encryptions and digital signatures. It is important to further study the weak characteristics of the RSA to ensure correct utilisation in order not to be susceptible to adversaries. In this paper, we give detailed analysis on security of the Murru-Saettone variant of the RSA cryptosystem that utilised a cubic Pell $ed - k(p^2 + p + 1)(q^2 + q + 1) = 1$ as key equation and N = pq as RSA modulus. We propose some attacks on this variant when the prime difference |p − q| is small. Our first approach is to utilise the continued fractions algorithm to determine the parameter d which enables us to determine the secret p and q. Our second approach considers the Coppersmith's method and lattice basis reduction to factor the modulus N. Our attacks improve recent cryptanalyses on the cubic Pell equation variant of RSA. Furthermore, our attacks prove that under small prime difference scenario, the number of susceptible private exponents for the cubic Pell equation variant of RSA is much larger than the standard RSA.

A new attack on RSA and Demytko’s elliptic curve cryptosystem

Journal of Discrete Mathematical Sciences and Cryptography

Let N = pq be an RSA modulus and e be a public exponent. Numerous attacks on RSA exploit the arithmetical properties of the key equation ed − k(p − 1)(q − 1) = 1. In this paper, we study the more general equation eu − (p − s)(q − r)v = w. We show that when the unknown integers u, v, w, r and s are suitably small and p − s or q − r is factorable using the Elliptic Curve Method for factorization ECM, then one can break the RSA system. As an application, we propose an attack on Demytko's elliptic curve cryptosystem. Our method is based on Coppersmith's technique for solving multivariate polynomial modular equations.

Short private exponent attacks on fast variants of RSA

2002

In this report, we study the adaptation of existing attacks on short private exponent on fast variants of the well-known RSA public-key cryptosystem, namely the RSA Multiprime and the Takagi family cryptosystems. The first one consists in a variant whose modulus is made up with strictly more than two primes, which permits to quickly decipher or sign using the Chinese Remainder Theorem. The second scheme has been introduced by Takagi in and generalized by Lim, Kim, Yie and Lee, in . A fast algorithm, involving some n-adic expansion of the modulus of the form $p^r q^s$, permits the decryption process to be very efficient. The use of short secret exponent may increase decryption or signature, but must be balanced with the risk to give rise to some powerful attacks, namely Wiener's continued fraction algorithm and Boneh-Durfee's methods. We study these attacks applied on the two fast variants of RSA.

New Attacks on the RSA Cryptosystem

Progress in Cryptology – AFRICACRYPT 2014, 2014

This paper presents three new attacks on the RSA cryptosystem. The first two attacks work when k RSA public keys $(N_i, e_i)$ are such that there exist k relations of the shape $e_i x - y_i \varphi(N_i) = z_i$ or of the shape $e_i x_i - y \varphi(N_i) = z_i$ where $N_i = p_i q_i$, $\varphi(N_i) = (p_i - 1)(q_i - 1)$ and the parameters $x$, $x_i$, $y$, $y_i$, $z_i$ are suitably small in terms of the prime factors of the moduli. We show that our attacks enable us to simultaneously factor the k RSA moduli $N_i$. The third attack works when the prime factors p and q of the modulus N = pq share an amount of their least significant bits (LSBs) in the presence of two decryption exponents $d_1$ and $d_2$ sharing an amount of their most significant bits (MSBs). The three attacks improve the bounds of some former attacks that make RSA insecure.

Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99

International Conference on the Theory and Application of Cryptology and Information Security, 2000

At Asiacrypt '99, Sun, Yang and Laih proposed three RSA variants with short secret exponent that resisted all known attacks, including the recent Boneh-Durfee attack from Eurocrypt '99 that improved Wiener's attack on RSA with short secret exponent. The resistance comes from the use of unbalanced primes p and q. In this paper, we extend the Boneh-Durfee attack to break two out of the three proposed variants. While the Boneh-Durfee attack was based on Coppersmith's lattice-based technique for finding small roots to bivariate modular polynomial equations, our attack is based on its generalization to trivariate modular polynomial equations. The attack is heuristic but works well in practice, as the Boneh-Durfee attack. In particular, we were able to break in a few minutes the numerical examples proposed by Sun, Yang and Laih. The results illustrate once again the fact that one should be very cautious when using short secret exponent with RSA.