Private Exponent Research Articles

New Cryptanalysis of Prime Power RSA with Two Private Exponents

Prime Power RSA is a variant of the RSA scheme due to Takagi with modulus N=prq for r⩾2, where p,q are of the same bit-size. In this paper, we concentrate on one type of Prime Power RSA which assumes e·d≡1modpr−1(p−1)(q−1). Two new attacks on this type of Prime Power RSA are presented when given two pairs of public and private exponents, namely, (e1,d1) and (e2,d2) with the same modulus N. Suppose that d1<Nβ1,d2<Nβ2. In 2015, Zheng and Hu showed that when β1β2<(r−1)3/(r+1)3, N may be factored in probabilistic polynomial time. The first attack of this paper shows that one can obtain the factorization of N in probabilistic polynomial time, provided that β1β2<r/(r+1)3. Later, in the second attack, we improve both the first attack and the attack of Zheng and Hu, and show that the condition β1β2<r(r−1)2/(r+1)3 already suffices to break the Prime Power RSA. By introducing multiple parameters, our lattice constructions take full advantage of known information, and obtain the best known attack. Specifically, we make full use of the information that pr is a divisor of N, while the attack of Zheng and Hu only assumes that pr−1 is a divisor of N. As a consequence, this method implies a better lattice construction, and thus improves the previous attack. The experiments which reach a better upper bound than before also verify it. Our approaches are based on Coppersmith’s method for finding small roots of bivariate modular polynomial equations.

Asymptotic Bound for RSA Variant with Three Decryption Exponents

This paper presents a cryptanalysis attack on the RSA variant with modulus $N=p^rq$ for $r\geq 2$ with three public and private exponents $(e_1,d_1),$ $(e_2,d_2),$ $(e_3,d_3)$ sharing the same modulus $N$ where $p$ and $q$ are consider to prime having the same bit size. Our attack shows that we get the private exponent $\sigma_1\sigma_2\sigma_3<\left(\frac{r-1}{r+1}\right)^4$, which makes the modulus vulnerable to Coppersmith's attacks and can lead to the factorization of $N$ efficiently where $d_1 The asymptotic bound of our attack is greater than the bounds for May \cite{May}, Zheng and Hu \cite{Z}, and Lu et al. \cite{Y} for $2\leq r \leq 10$ and greater than Sarkar's \cite{Sarkar1} and \cite{Sarkar} bounds for $5 \leq r \leq10$.

Small Private Exponent Attacks on RSA Using Continued Fractions and Multicore Systems

The RSA (Rivest–Shamir–Adleman) asymmetric-key cryptosystem is widely used for encryptions and digital signatures. Let (n,e) be the RSA public key and d be the corresponding private key (or private exponent). One of the attacks on RSA is to find the private key d using continued fractions when d is small. In this paper, we present a new technique to improve a small private exponent attack on RSA using continued fractions and multicore systems. The idea of the proposed technique is to find an interval that contains ϕ(n), and then propose a method to generate different points in the interval that can be used by continued fraction and multicore systems to recover the private key, where ϕ is Euler’s totient function. The practical results of three small private exponent attacks on RSA show that we extended the previous bound of the private key that is discovered by continued fractions. When n is 1024 bits, we used 20 cores to extend the bound of d by 0.016 for de Weger, Maitra-Sarkar, and Nassr et al. attacks in average times 7.67 h, 2.7 h, and 44 min, respectively.

Security limitations of Shamir’s secret sharing

The security is so important for both storing and transmitting the digital data, the choice of parameters is critical for a security system, that is, a weak parameter will make the scheme very vulnerable to attacks, for example the use of supersingular curves or anomalous curves leads to weaknesses in elliptic curve cryptosystems, for RSA cryptosystem there are some attacks for low public exponent or small private exponent. In certain circumstances the secret sharing scheme is required to decentralize the risk. In the context of the security of secret sharing schemes, it is known that for the scheme of Shamir, an unqualified set of shares cannot leak any information about the secret. This paper aims to show that the well-known Shamir’s secret sharing is not always perfect and that the uniform randomization before sharing is insufficient to obtain a secure scheme. The second purpose of this paper is to give an explicit construction of weak polynomials for which the Shamir’s (k, n) threshold scheme is insecure in the sense that there exist a fewer than k shares which can reconstruct the secret. Particular attention is given to the scheme whose threshold is less than or equal to 6. It also showed that for certain threshold k, the secret can be calculated by a pair of shares with the probability of 1/2. Finally, in order to address the mentioned vulnerabilities, several classes of polynomials should be avoided.

Security Issues of Novel RSA Variant

The RSA is one of the current default cryptosystems that provides security with applications such as encryptions and digital signatures. It is important to further study the weak characteristics of the RSA to ensure correct utilisation in order not to be susceptible to adversaries. In this paper, we give detailed analysis on security of the Murru-Saettone variant of the RSA cryptosystem that utilised a cubic Pell ed – k ( p2 + p + 1 ) ( q2 + q + 1 ) = 1 as key equation and N = pq as RSA modulus. We propose some attacks on this variant when the prime difference |p – q| is small. Our first approach is to utilise the continued fractions algorithm to determine the parameter d which enables us to determine the secret p and q. Our second approach considers the Coppersmith’s method and lattice basis reduction to factor the modulus N. Our attacks improve recent cryptanalyses on the cubic Pell equation variant of RSA. Furthermore, our attacks prove that under small prime difference scenario, the number of susceptible private exponents for the cubic Pell equation variant of RSA is much larger than the standard RSA.

Exploiting the security of N = prqs through approximation of ϕ(N)

This paper reports new techniques that exploit the security of the prime power moduli [Formula: see text] using continued fraction method. Our study shows that the key equation [Formula: see text] can be exploited using [Formula: see text] as good approximation of [Formula: see text]. This enables us to get [Formula: see text] from the convergents of the continued fractions expansion of [Formula: see text] where the bound of the private exponent is [Formula: see text] which leads to the polynomial time factorization of the moduli [Formula: see text]. We further report the polynomial time attacks that can break the security of the generalized prime power moduli [Formula: see text] using generalized system of equation of the form [Formula: see text] and [Formula: see text] by applying simultaneous Diophantine approximations and LLL algorithm techniques where [Formula: see text] and [Formula: see text].

New Jochemsz–May Cryptanalytic Bound for RSA System Utilizing Common Modulus N = p2q

This paper describes an attack on the Rivest, Shamir and Adleman (RSA) cryptosystem utilizing the modulus N=p2q where p and q are two large balanced primes. Let e1,e2<Nγ be the integers such that d1,d2<Nδ be their multiplicative inverses. Based on the two key equations e1d1−k1ϕ(N)=1 and e2d2−k2ϕ(N)=1 where ϕ(N)=p(p−1)(q−1), our attack works when the primes share a known amount of least significant bits (LSBs) and the private exponents share an amount of most significant bits (MSBs). We apply the extended strategy of Jochemsz–May to find the small roots of an integer polynomial and show that N can be factored if δ<1110+94α−12β−12γ−130180γ+990α−180β+64. Our attack improves the bounds of some previously proposed attacks that makes the RSA variant vulnerable.

Partial Key Attack Given MSBs of CRT-RSA Private Keys

The CRT-RSA cryptosystem is the most widely adopted RSA variant in digital applications. It exploits the properties of the Chinese remainder theorem (CRT) to elegantly reduce the size of the private keys. This significantly increases the efficiency of the RSA decryption algorithm. Nevertheless, an attack on RSA may also be applied to this RSA variant. One of the attacks is called partially known private key attack, that relies on the assumption that the adversary has knowledge of partial bits regarding RSA private keys. In this paper, we mount this type of attack on CRT-RSA. By using partial most significant bits (MSBs) of one of the RSA primes, p or q and its corresponding private exponent, d, we obtain an RSA intermediate. The intermediate is derived from p−1 and RSA public key, e. The analytical and novel reason on the success of our attack is that once the adversary has obtained the parameters: approximation of private exponent d˜p, approximation of p, p˜ and the public exponent e where d˜p,p˜,e=Nα/2 where 0<α≤1/4 such that |dp−d˜p|,|p−p˜|<N1−α2 and has determined the largest prime of p−1e, it will enable the adversary to factor the RSA modulus N=pq. Although the parameter space to find the prime factor is large, we show that one can adjust its “success appetite” by applying prime-counting function properties. By comparing our method with contemporary partial key attacks on CRT-RSA, upon determining a suitable predetermined “success appetite” value, we found out that our method required fewer bits of the private keys in order to factor N.

Fault Injection as an Oscilloscope: Fault Correlation Analysis

Fault Injection (FI) attacks have become a practical threat to modern cryptographic implementations. Such attacks have recently focused more on exploitation of implementation-centric and device-specific properties of the faults. In this paper, we consider the parallel between SCA attacks and FI attacks; specifically, that many FI attacks rely on the data-dependency of activation and propagation of a fault, and SCA attacks similarly rely on data-dependent power usage. In fact, these are so closely related that we show that existing SCA attacks can be directly applied in a purely FI setting, by translating power FI results to generate FI ‘probability traces’ as an analogue of power traces. We impose only the requirements of the equivalent SCA attack (e.g., knowledge of the input plaintext for CPA on the first round), along with a way to observe the status of the target (whether or not it has failed and been “muted” after a fault). We also analyse existing attacks such as Fault Template Analysis in the light of this parallel, and discuss the limitations of our methodology. To demonstrate that our attacks are practical, we first show that SPA can be used to recover RSA private exponents using FI attacks. Subsequently, we show the generic nature of our attacks by performing DPA on AES after applying FI attacks to several different targets (with AVR, 32-bit ARM and RISC-V CPUs), using different software on each target, and do so with a low-cost (i.e., less than $50) power fault injection setup. We call this technique Fault Correlation Analysis (FCA), since we perform CPA on fault probability traces. To show that this technique is not limited to software, we also present FCA results against the hardware AES engine supported by one of our targets. Our results show that even without access to the ciphertext (e.g., where an FI redundancy countermeasure is in place, or where ciphertext is simply not exposed to an attacker in any circumstance) and in the presence of light jitter, FCA attacks can successfully recover keys on each of these targets.

Decryption speed up of ElGamal with composite modulus.

Public key cryptosystems such as RSA, rebalanced RSA and ElGamal have the disadvantage of serious asymmetry between encryption and decryption speed. We reduced the CRT (Chinese Remainder Theorem) exponents maintaining full sized private exponent in ElGamal with composite modulus (CRT–ElGamal) for the fast decryption as in rebalanced RSA. In this case, unlike rebalanced RSA, decryption speed up can be obtained without losing of the fast encryption speed which is comparable to RSA with small public exponent. As a result, it is possible to propose the fast public key cryptosystem in which both encryption and decryption are fast, by reducing the asymmetry (i.e., fast encryption/slow decryption) in CRT–ElGamal encryption.

Fast rebalanced RSA signature scheme with typical prime generation

In RSA, private exponent is usually obtained from the preselected public exponent by extended Euclid algorithm and is roughly the same bit size as a modulus number. If the private exponent is preselected as in rebalanced RSA, then the public exponent obtained by extended Euclid algorithm is roughly the same bit size as a modulus number. Hence, it is not easy to reduce both public exponent and private exponent (or CRT private exponents) in RSA key generation.In order to reduce both public exponent and CRT private exponents, the methods to search the modulus number after selecting proper public exponent and private exponent have been proposed in recent researches. However, these methods all have complicated key generation because prime generation module developed for RSA cannot be used.In this paper, we present a method to reduce both public exponent and CRT private exponents after selecting the prime numbers and propose a fast rebalanced RSA signature scheme with small public exponent.Our scheme is advantageous than other schemes in the aspect of using typical prime generation. That is, key generation is not complicated in our scheme.

A Unified Method for Private Exponent Attacks on RSA Using Lattices

Let [Formula: see text] be an RSA public key with private exponent [Formula: see text] where [Formula: see text] and [Formula: see text] are large primes of the same bit size. At Eurocrypt 96, Coppersmith presented a polynomial-time algorithm for finding small roots of univariate modular equations based on lattice reduction and then succussed to factorize the RSA modulus. Since then, a series of attacks on the key equation [Formula: see text] of RSA have been presented. In this paper, we show that many of such attacks can be unified in a single attack using a new notion called Coppersmith’s interval. We determine a Coppersmith’s interval for a given RSA public key [Formula: see text] The interval is valid for any variant of RSA, such as Multi-Prime RSA, that uses the key equation. Then we show that RSA is insecure if [Formula: see text] provided that we have approximation [Formula: see text] of [Formula: see text] with [Formula: see text] [Formula: see text] The attack is an extension of Coppersmith’s result.

Securely Outsource Modular Exponentiations With Single Untrusted Cloud Server

Modular exponentiation is one of the most fundamental operations in lots of encryption and signature systems. Due to the heavy computation cost of modular exponentiation, many schemes have been put forward to securely outsource modular exponentiation to cloud. However, most of the existing approaches need two non-colluded cloud servers to securely complete the modular exponentiation, which will result in private data leakage upon the cloud servers collude. Besides, most existing schemes assume both base and exponent in modular exponentiation are private, which does not conform to many real-world applications. For example, in public key encryption system that uses modular exponentiation, one of base and exponent is the public key, and the other is a message. Usually, only the message should be privately protected. In this paper, we propose two secure outsourcing schemes for fixed-base (public base and private exponent) and fixed-exponent (private base and public exponent), respectively. In the proposed schemes, we employ only one cloud server and can thus avoid collusion attack. Further, we achieve an efficient and secure Paillier encryption outsourcing scheme based on our secure modular exponentiation outsourcing methods. Additionally, we theoretically analyze our overheads and leverage simulation experiments to evaluate our proposed solutions, which show our schemes can achieve high efficiency.

Composite Numbers That Give Valid RSA Key Pairs for Any Coprime p

RSA key pairs are normally generated from two large primes p and q. We consider what happens if they are generated from two integers s and r, where r is prime, but unbeknownst to the user, s is not. Under most circumstances, the correctness of encryption and decryption depends on the choice of the public and private exponents e and d. In some cases, specific ( s , r ) pairs can be found for which encryption and decryption will be correct for any ( e , d ) exponent pair. Certain s exist, however, for which encryption and decryption are correct for any odd prime r ∤ s . We give necessary and sufficient conditions for s with this property.

Cryptanalysis of Prime Power RSA with two private exponents

In this paper, we consider a variant of RSA schemes called Prime Power RSA with modulus N = prq for r ≥ 2, where p, q are of the same bit-size. May showed that when private exponent \(d < {N^{\frac{r}{{{{\left( {r + 1} \right)}^2}}}}}\) or \(d < {N^{{{\left( {\frac{{r - 1}}{{r + 1}}} \right)}^2}}}\), N can be factored in polynomial time in PKC 2004. Later in 2014, Sarkar improved the bound for r ≤ 5. We propose a new cryptanalytic method to attack this RSA variant when given two pairs of public and private exponents, namely (e1, d1) and (e2, d2) with the same modulus N. Suppose that we know d1 < Nδ1 and d2 < Nδ2. Our results show that when \({\delta _1}{\delta _2} < {\left( {\frac{{r - 1}}{{r + 1}}} \right)^3}\), Prime Power RSA is insecure.

On the improvement of Wiener attack on RSA with small private exponent.

RSA system is based on the hardness of the integer factorization problem (IFP). Given an RSA modulus N = pq, it is difficult to determine the prime factors p and q efficiently. One of the most famous short exponent attacks on RSA is the Wiener attack. In 1997, Verheul and van Tilborg use an exhaustive search to extend the boundary of the Wiener attack. Their result shows that the cost of exhaustive search is 2r + 8 bits when extending the Weiner's boundary r bits. In this paper, we first reduce the cost of exhaustive search from 2r + 8 bits to 2r + 2 bits. Then, we propose a method named EPF. With EPF, the cost of exhaustive search is further reduced to 2r − 6 bits when we extend Weiner's boundary r bits. It means that our result is 214 times faster than Verheul and van Tilborg's result. Besides, the security boundary is extended 7 bits.

Lattice based Attacks on Small Private Exponent of RSA: A Survey

basis reduction algorithms have contributed a lot to cryptanalysis of RSA crypto system. With coppersmith's theory of polynomials, these algorithms are searching for the weak instances of Number-theoretic cryptography, mainly RSA. In this paper we present several lattice based attacks on low private exponent of RSA.

Generalization of Boneh and Durfee&amp;apos;s Attack for Arbitrary Public Exponent RSA

Boneh-Durfee extended the bound for low private exponent from 0.25 (provided by wiener) to 0.292 with public exponent size is same as modulus size. They have used powerful lattice reduction algorithm (LLL) with coppersmith's theory of polynomials. In this paper we generalize their attack to arbitrary public exponent.

Efficient variant of RSA cryptosystem

The performance of RSA decryption has direct relationship with the efficiency of modular exponentiation implementation. The authors proposed a variant of RSA cryptosystem by transferring some decryption computations to encryption and multi-prime principle to reduce modules and private exponents in modular exponentiation. The experimental results show that the decryption speed and security level of RSA have been substantially improved. The variant can be efficiently implemented in parallel and the parallel implementation of the variant on multi-core devices can further improve the overall performance of RSA system.

Common modulus attacks on small private exponent RSA and some fast variants (in practice)

In this work we re-examine two common modulus attacks on RSA. First, we show that Guo's continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a commonmodulus N and private exponents each smaller than N 0.33 , the attack can factor the modulus about 93% of the time in practice. The success rate of the attack can be increased up to almost 100% by including a relatively small exhaustive search. Next, we consider Howgrave-Graham and Seifert's lattice-based attack and show that a second necessary condition for the attack exists that limits the bounds (beyond the original bounds) once n ≥ 7 instances of RSA are used. In particular, by construction, the attack is limited to private exponents at most N 0.5– ε , given sufficiently many instances, instead of the original bound of N 1– ε . In addition, we also consider the effectiveness of the attacks when mounted against multi-prime RSA and Takagi's variant of RSA. For multi-prime RSA, we show three (or more) instances with a common modulus and private exponents smaller than N 1/3– ε is unsafe. For Takagi's scheme, we show that three or more instances with a common modulus N = p t q is unsafe when all the private exponents are smaller than N 2/(3( t +1))– ε . The results, for both variants, is obtained using Guo's method and are almost always successful with the inclusion of a small exhaustive search. When only two instances are available, Howgrave-Graham and Seifert's attack can be successfully mounted on multiprime RSA, with r primes in the modulus, when the private exponents are both smaller than N (3+ r )/7 r – ε .