Public Exponent Research Articles

Small Public Exponent Brings More: Improved Partial Key Exposure Attacks against RSA

Let (N,e) be a public key of the RSA cryptosystem, and d be the corresponding private key. In practice, we usually choose a small e for quick encryption. In this paper, we improve partial private key exposure attacks against RSA with a small public exponent e. The key idea is that under such a setting we can usually obtain more information about the prime factor of N and then by solving a univariate modular polynomial with Coppersmith's method, N can be factored in polynomial time. Compared to previous results, we reduce the number of d's leaked bits needed to mount the attack by log_2 (e) bits. Furthermore, our experiments show that for 1024-bit N, our attack can achieve the theoretical bound on a personal computer, which verified our attack.

Partial Exposure Attacks on a New RSA Variant

In 2022, Cotan and Teşeleanu presented a variant of the RSA cryptosystem where the modulus is of the form N=pq, and the private and the public exponents satisfy ed≡1(modψn(N)) with n≥2, and ψn(N)=pn−1qn−1(p−1)(q−1). This variant of RSA was recently cryptanalyzed by Nitaj, Adenan, and Ariffin at Africacrypt 2024. In this paper, we push further the cryptanalysis of the scheme of Cotan and Teşeleanu by presenting a method to solve the equation xH(y)+c≡0(mode) where c is a constant that is independent of x and y. This enables us to propose more attacks on the scheme, including a partial key exposure attack, an attack when the most significant bits of one of the prime factors are known, and an attack when the least significant bits of one of the prime factors are known.

Improved cryptanalysis of RSA

Let N = pq be an RSA modulus and e be a public exponent. Let j(N) = (p − 1)(q − 1) be the Euler’s totient function. The equation ex2 −j(N)y2 = z has infinitely many solutions in integers (x, y, z). We show that if x, y and z are suitably small, then one can factor the RSA modulus. Our bounds on the size of the solutions x, y, and z improve the existing bounds of some attacks on RSA such as Wiener’s continued fractions based attack, and Blömer-May’s lattice reduction based attack.

Concurrent factorization of RSA moduli via weak key equations

<p>The Rivest-Shamir-Adleman (RSA) algorithm is a widely utilized technique in asymmetric cryptography, primarily for verifying digital signatures and encrypting messages. Its security relies on the integer factorization problem's difficulty, which is computationally infeasible with large security parameters. However, this study revealed scenarios where an attacker can concurrently factorize multiple RSA moduli $ N_i = p_i q_i $ under specific conditions. The attack is feasible when the attacker possesses a set of RSA key pairs with certain flaws, allowing each $ N_i $ to be factored in polynomial time. We identified vulnerabilities in RSA keys that satisfy particular equations by applying Diophantine approximation and Coppersmith's lattice-based technique. For instance, the study demonstrates that if RSA public exponents $ e_i $ and moduli $ N_i $ adhere to $ e_i r - (N_i - p_i - q_i + u_i) s_i = t_i $, where $ r, s_i, u_i $, and $ t_i $ are small integers, then all $ N_i $ can be factorized simultaneously. Additionally, another vulnerability arises when RSA parameters satisfy $ e_i r_i - s(N_i - p_i - q_i + u_i) = t_i $, enabling concurrent factorization with small integers $ s, r_i, u_i $, and $ t_i $. This research expands the understanding of RSA security by identifying specific conditions under which RSA public-key pairs can be compromised. These findings are relevant to the broader field of cryptography and the ongoing efforts to secure communication systems against sophisticated adversaries.</p>

Incorrectly Generated RSA Keys: How I Learned To Stop Worrying And Recover Lost Plaintexts

Abstract When generating primes $p$ and $q$ for an RSA key, the algorithm specifies that if $p-1$ and $q-1$ must be relatively prime to the public exponent $e$. If this is not done, then the decryption exponent is not well defined. However, what if a software bug allows the generation of public parameters $N$ and $e$ of an RSA key with this property and then it is subsequently used for encryption? Though this may seem like a purely academic question, a software bug in a preview release of the Windows 10 operating system makes this question of more than purely theoretical. Without a well defined decryption exponent, plaintexts encrypted to such keys will be undecryptable thus potentially losing user data, a serious software defect. Though the decryption exponent is no longer well defined, it is in fact possible to recover the a small number of potential plaintexts, if the prime factors $p$ and $q$ of the public modulus $N$ are known. This paper presents an analysis of what steps fail in the RSA algorithm and derives a plaintext recovery algorithm. The runtime of this algorithm is $O(e)$ making it practical to use, and it has been implemented in python.

Security limitations of Shamir’s secret sharing

The security is so important for both storing and transmitting the digital data, the choice of parameters is critical for a security system, that is, a weak parameter will make the scheme very vulnerable to attacks, for example the use of supersingular curves or anomalous curves leads to weaknesses in elliptic curve cryptosystems, for RSA cryptosystem there are some attacks for low public exponent or small private exponent. In certain circumstances the secret sharing scheme is required to decentralize the risk. In the context of the security of secret sharing schemes, it is known that for the scheme of Shamir, an unqualified set of shares cannot leak any information about the secret. This paper aims to show that the well-known Shamir’s secret sharing is not always perfect and that the uniform randomization before sharing is insufficient to obtain a secure scheme. The second purpose of this paper is to give an explicit construction of weak polynomials for which the Shamir’s (k, n) threshold scheme is insecure in the sense that there exist a fewer than k shares which can reconstruct the secret. Particular attention is given to the scheme whose threshold is less than or equal to 6. It also showed that for certain threshold k, the secret can be calculated by a pair of shares with the probability of 1/2. Finally, in order to address the mentioned vulnerabilities, several classes of polynomials should be avoided.

Comment on “An enhanced and secured RSA public cryptosystem algorithm using Chinese remainder theorem (ESRPKC)”

In [1], Kumar et al. proposed an enhanced and secured RSA public key cryptosystem (ESRPKC) algorithm using Chinese remainder theorem. In their scheme, the public key is defined as (N,e,μ) where N is the product of four distinct large prime numbers, e is a public exponent, and μ is a parameter called encryption key to encrypt the message. Compared to the traditional RSA cryptosystem, the authors used the extra parameter μ, and claimed that security increased due to this extra parameter. They claimed that it is required to use a brute force attack to break the system even if the number N is factorized by an adversary to obtain the private parameters k1 and k2 which are components of μ. The authors claimed that ESRPKC is a highly secure and not easily breakable scheme compared to the traditional RSA scheme.In this paper, we do a cryptanalysis on Kumar et al.'s scheme given in [1] and demonstrate some major security weaknesses. We prove that if N is factorized, there is no need to use brute force to break the system. Additionally, choosing four prime numbers instead of two prime numbers decreases the security significantly and only increases the computation time. Therefore, the proposed system (ESRPKC) is not as efficient as the traditional RSA algorithm.

Decryption speed up of ElGamal with composite modulus.

Public key cryptosystems such as RSA, rebalanced RSA and ElGamal have the disadvantage of serious asymmetry between encryption and decryption speed. We reduced the CRT (Chinese Remainder Theorem) exponents maintaining full sized private exponent in ElGamal with composite modulus (CRT–ElGamal) for the fast decryption as in rebalanced RSA. In this case, unlike rebalanced RSA, decryption speed up can be obtained without losing of the fast encryption speed which is comparable to RSA with small public exponent. As a result, it is possible to propose the fast public key cryptosystem in which both encryption and decryption are fast, by reducing the asymmetry (i.e., fast encryption/slow decryption) in CRT–ElGamal encryption.

Divide and capture: An improved cryptanalysis of the encryption standard algorithm RSA

RSA is a well known standard algorithm used by modern computers to encrypt and decrypt messages. In some applications, to save the decryption time, it is desirable to have a short secret key d compared to the modulus N. The first significant attack that breaks RSA with short secret key given by Wiener in 1990 is based on the continued fraction technique and it works with d<1184N.25. A decade later, in 2000, Boneh and Durfee presented an improved attack based on lattice technique which works with d < N.292. Until this day, Boneh–Durfee attack remain as the best attack on RSA with short secret key. In this paper, we revisit the continued fraction technique and propose a new attack on RSA. Our main result shows that when d<t(22+8/3)N.75/e, where e is the public exponent and t is a chosen parameter, our attack can break the RSA with the running time of O(tlog (N)). Our attack is especially well suited for the case where e is much smaller than N. When e ≈ N, the Boneh–Durfee attack outperforms ours. As a result, we could simultaneously run both attacks, our new attack and the classical Boneh–Durfee attack as a backup.

Fast rebalanced RSA signature scheme with typical prime generation

In RSA, private exponent is usually obtained from the preselected public exponent by extended Euclid algorithm and is roughly the same bit size as a modulus number. If the private exponent is preselected as in rebalanced RSA, then the public exponent obtained by extended Euclid algorithm is roughly the same bit size as a modulus number. Hence, it is not easy to reduce both public exponent and private exponent (or CRT private exponents) in RSA key generation.In order to reduce both public exponent and CRT private exponents, the methods to search the modulus number after selecting proper public exponent and private exponent have been proposed in recent researches. However, these methods all have complicated key generation because prime generation module developed for RSA cannot be used.In this paper, we present a method to reduce both public exponent and CRT private exponents after selecting the prime numbers and propose a fast rebalanced RSA signature scheme with small public exponent.Our scheme is advantageous than other schemes in the aspect of using typical prime generation. That is, key generation is not complicated in our scheme.

Securely Outsource Modular Exponentiations With Single Untrusted Cloud Server

Modular exponentiation is one of the most fundamental operations in lots of encryption and signature systems. Due to the heavy computation cost of modular exponentiation, many schemes have been put forward to securely outsource modular exponentiation to cloud. However, most of the existing approaches need two non-colluded cloud servers to securely complete the modular exponentiation, which will result in private data leakage upon the cloud servers collude. Besides, most existing schemes assume both base and exponent in modular exponentiation are private, which does not conform to many real-world applications. For example, in public key encryption system that uses modular exponentiation, one of base and exponent is the public key, and the other is a message. Usually, only the message should be privately protected. In this paper, we propose two secure outsourcing schemes for fixed-base (public base and private exponent) and fixed-exponent (private base and public exponent), respectively. In the proposed schemes, we employ only one cloud server and can thus avoid collusion attack. Further, we achieve an efficient and secure Paillier encryption outsourcing scheme based on our secure modular exponentiation outsourcing methods. Additionally, we theoretically analyze our overheads and leverage simulation experiments to evaluate our proposed solutions, which show our schemes can achieve high efficiency.

An efficient public key secure scheme for cloud and IoT security

According to the National Institute of Standard and Technology (NIST), the security level of RSA is safe when it is N-bit modulus ≥2048 bits. Because of this, the processing time to generate asymmetric keys also increases. Taking this into account, an efficient and non-shareable Public Key Exponent Secure Scheme (ENPKESS) is proposed by using a non-linear Diophantine equation to have high security against side-channel attacks like timing attacks. This scheme has three-stage of encryption and two-stage of decryption, whereas other schemes like ESR and RSA has one level in encryption and decryption. Due to this, extraction of the secret key is extremely hard to determine from our public exponents α,R,N. Our methodology is well suited for secure cloud computing environments used in the Internet of Things (IoT). Here we have also applied the Knapsack method to encrypt our ENPKESS keys to enrich high security in cloud systems. We show a strong performance evaluation on standard RSA, Enhanced and Secured RSA Key Generation Scheme (ESRKGS), and ENPKESS on its key generation, encryption and decryption by varying the N-bit moduli size up to 10K bits. From the overall result, ENPKESS consumes 89% of standard RSA and 27% of ESRKGS.

Determining the Optimal Random-Padding Size for Rabin Cryptosystems

Rabin encryption and a secure ownership transfer protocol based on the difficulty of factorization of a public key use a small public exponent. Such encryption requires random number padding. The Coppersmith's shortpad attack works effectively on short padding, thereby allowing an adversary to extract the secret message. However, the criteria for determining the appropriate padding size remains unclear. In this paper, we derived the processing-time formula for the shortpad attack and determined the optimal random-padding size in order to achieve the desired security.

A new attack on RSA and Demytko’s elliptic curve cryptosystem

Let N = p q be an RSA modulus and e be a public exponent. Numerous attacks on RSA exploit the arithmetical properties of the key equation ed – k (p – 1)(q – 1) = 1. In this paper, we study the more general equation eu – (p – s)(p - r)v = w . We show that when the unknown integers u, v, w, r and s are suitably small and p - s or p - s is factorable using the Elliptic Curve Method for factorization ECM, then one can break the RSA system. As an application, we propose an attack on Demytko’s elliptic curve cryptosystem. Our method is based on Coppersmith’s technique for solving multivariate polynomial modular equations.

Composite Numbers That Give Valid RSA Key Pairs for Any Coprime p

RSA key pairs are normally generated from two large primes p and q. We consider what happens if they are generated from two integers s and r, where r is prime, but unbeknownst to the user, s is not. Under most circumstances, the correctness of encryption and decryption depends on the choice of the public and private exponents e and d. In some cases, specific ( s , r ) pairs can be found for which encryption and decryption will be correct for any ( e , d ) exponent pair. Certain s exist, however, for which encryption and decryption are correct for any odd prime r ∤ s . We give necessary and sufficient conditions for s with this property.

Factoring RSA moduli when a message is close to a multiple of the primes

ABSTRACTLet N=pq be an RSA modulus. Assume that we are given the ciphertext of a message that is close to a multiple of the divisors of N. We show that it is possible to factor N in polynomial time in when a low public exponent is used. The idea is generalized to some RSA variants and Rabin system.

Factoring RSA moduli with primes sharing bits in the middle

We address the problem of factoring a large RSA modulus $$N=pq$$ with p and q sharing a portion of bits in the middle. New polynomial time algorithms for computing the prime decomposition of N under certain conditions are presented. As an application, several attacks against RSA system using this class of moduli with low public exponent are described. Our results suggest that such integers are not appropriate for cryptographic purposes.

A secure and efficient public auditing scheme using RSA algorithm for cloud storage

Cloud storage is widely used by both individual and organizational users due to the many benefits, such as scalability, ubiquitous access, and low maintenance cost (and generally free for individual users). However, there are known security and privacy issues in migrating data to the cloud. To ensure or verify data integrity, a number of cloud data integrity checking schemes with different properties have been presented in the literature. Most existing schemes were subsequently found to be insecure or have high computation and communication costs. More recently in 2016, Yu et al. (Future Gener Comput Syst 62:85–91, 2016) proposed an identity-based auditing scheme for checking the integrity of cloud data. However, in this paper, we reveal that the scheme is vulnerable to data recovery attack. We also present a new identity-based public auditing scheme and formally prove the security of the scheme under the RSA assumption with large public exponents in the random oracle model. We then evaluate the performance of our proposed scheme and demonstrate that in comparison with Yu et al.’s scheme, our proposal is more practical in real-world applications.

Cryptanalysis on prime power RSA modulus of the form \(N = p^r q\)

Let \(N = p^r q\) be an RSA prime power modulus for \(r \geq 2\) and \(q &lt; p &lt; 2 q\). This paper propose three new attacks. In the first attack we consider the class of public exponents satisfying an equation \(e X - N Y = u p^r + \frac{q^r}{u} + Z\) for suitably small positive integer \(u\). Using continued fraction we show that \(\frac{Y}{X}\) can be recovered among the convergents of the continued fraction expansion of \(\frac{e}{N}\) and leads to the successful factorization of \(N p^r q\). Moreover we show that the number of such exponents is at least \(N^{\frac{r+3}{2(r+1)}-\varepsilon}\) where \(\varepsilon \geq 0\) is arbitrarily small for large \(N\). The second and third attacks works when \(k\) RSA public keys \((N_i,e_i)\) are such that there exist \(k\) relations of the shape \(e_i x - N_i y_i = p_i^r u + \frac{q_i^r}{u} + z_i\) or of the shape \(e_i x_i - N_i y = p_i^r u + \frac{q_i^r}{u} + z_i\) where the parameters \(x\), \(x_i\), \(y\), \(y_i\), \(z_i\) are suitably small in terms of the prime factors of the moduli. We apply the LLL algorithm, and show that our strategy enable us to simultaneously factor the \(k\) prime power RSA moduli \(N_i\).

Cloud data integrity checking with an identity-based auditing mechanism from RSA

Cloud data auditing is extremely essential for securing cloud storage since it enables cloud users to verify the integrity of their outsourced data efficiently. The computation overheads on both the cloud server and the verifier can be significantly reduced by making use of data auditing because there is no necessity to retrieve the entire file but rather just use a spot checking technique. A number of cloud data auditing schemes have been proposed recently, but a majority of the proposals are based on Public Key Infrastructure (PKI). There are some drawbacks in these protocols: (1) It is mandatory to verify the validity of public key certificates before using any public key, which makes the verifier incur expensive computation cost. (2) Complex certificate management makes the whole protocol inefficient. To address the key management issues in cloud data auditing, in this paper, we propose ID-CDIC, an identity-based cloud data integrity checking protocol which can eliminate the complex certificate management in traditional cloud data integrity checking protocols. The proposed concrete construction from RSA signature can support variable-sized file blocks and public auditing. In addition, we provide a formal security model for ID-CDIC and prove the security of our construction under the RSA assumption with large public exponents in the random oracle model. We demonstrate the performance of our proposal by developing a prototype of the protocol. Implementation results show that the proposed ID-CDIC protocol is very practical and adoptable in real life.