Private Exponent Research Articles

CRYPTANALYSIS OF RSA WITH CONSTRAINED KEYS

Let n = pq be an RSA modulus with unknown prime factors of equal bit-size. Let e be the public exponent and d be the secret exponent satisfying ed ≡ 1 mod ϕ(n) where ϕ(n) is the Euler totient function. To reduce the decryption time or the signature generation time, one might be tempted to use a small private exponent d. Unfortunately, in 1990, Wiener showed that private exponents smaller than [Formula: see text] are insecure and in 1999, Boneh and Durfee improved the bound to n0.292. In this paper, we show that instances of RSA with even large private exponents can be efficiently broken if there exist positive integers X, Y such that |eY - XF(u)| and Y are suitably small where F is a function of publicly known expression for which there exists an integer u ≠ 0 satisfying F(u) ≈ n and pu or qu is computable from F(u) and n. We show that the number of such exponents is at least O(n3/4-ε) when F(u) = p(q - u).

On the security of multi-prime RSA

In this work we collect the strongest known algebraic attacks on multi-prime RSA. These include factoring, small private exponent, small CRT exponent and partial key exposure attacks. Five of the attacks are new. A new variant of partial key exposure attacks is also introduced which applies only to multi-prime RSA with more than two primes.

Dual RSA and Its Security Analysis

We present new variants of an RSA whose key generation algorithms output two distinct RSA key pairs having the same public and private exponents. This family of variants, called dual RSA, can be used in scenarios that require two instances of RSA with the advantage of reducing the storage requirements for the keys. Two applications for dual RSA, blind signatures and authentication/secrecy, are proposed. In addition, we also provide the security analysis of dual RSA. Compared to normal RSA, the security boundary should be raised when applying dual RSA to the types of small-d, small-e, and rebalanced-RSA.

Efficient generation of shared RSA keys

We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N . In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious scenario (passive adversary).