New weak RSA keys
نویسنده
چکیده
Let N = pq be an RSA modulus with q < p < 2q. In this paper, we analyze the security of RSA with the class of the exponents e satisfying an equation eX −NY = ap + bq + Z with |a| < q, b = ⌊ ap q ⌋ , X < N 3|ap + bq| and |Z| < |ap− bq| 3|ap + bq| N 1 4 , where bxc is the greatest integer less than or equal to x. Using the continued fraction algorithm and Coppersmith’s lattice reduction method for solving polynomial equations, we show that such exponents lead to the factorization of N in polynomial time. Additionally, we show that the class of such weak exponents is large, namely that their number is at least N 3 4 −ε where ε > 0 is a small constant depending only on N .
منابع مشابه
Revisiting Wiener's Attack - New Weak Keys in RSA
In this paper we revisit Wiener’s method (IEEE-IT 1990) of continued fraction (CF) to find new weaknesses in RSA. We consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. Our motivation is to find out when RSA is insecure given d is O(N), where we are mostly interested in the range 0.3 ≤ δ ≤ 0.5. Given ρ (1 ≤ ρ ≤ 2) is known to the attacker, we sh...
متن کاملA New Vulnerable Class of Exponents in RSA
Let N = pq be an RSA modulus, i.e. the product of two large unknown primes of equal bit-size. We consider the class of the public exponents satisfying an equation eX − NY = (ap + bq)Z with 0 < a < q, b = [ ap q ] (here [x] denotes the nearest integer to x) and |XZ| < N 2(ap + bq) , and all prime factors of |Z| are less than 10. Using the continued fraction algorithm and the Elliptic Curve Metho...
متن کاملRSA Weak Public Keys Available on the Internet
It is common knowledge that RSA can fail when used with weak random number generators. In this paper we present two algorithms that we used to find vulnerable public keys together with a simple procedure for recovering the private key from a broken public key. Our study focused on finding RSA keys with 512 and 1024 bit length, which are not considered safe, and finding a GCD is relatively fast....
متن کاملA Generalized Wiener Attack on RSA
We present an extension of Wiener’s attack on small RSA secret decryption exponents [10]. Wiener showed that every RSA public key tuple (N, e) with e ∈ ∗ φ(N) that satisfies ed − 1 = 0 mod φ(N) for some d < 1 3 N 1 4 yields the factorization of N = pq. Our new method finds p and q in polynomial time for every (N, e) satisfying ex + y = 0 mod φ(N) with x < 1 3 N 1 4 and |y| = O(N− 3 4 ex). In ot...
متن کاملWeak Keys in RSA over The Work of Blomer & May
In this paper we generalize the idea given by Weger and Maitra & Sarkar. This generalization is coming from the concept of x9.31−1997 standard for public key cryptography, Section 4.1.2, i.e., there are a number of recommendations for the generalization of the primes of an RSA modulus. Among them, the ratio of the primes shall not be close to the ratio of small integers. Also we try to improve ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2010