An Attack on RSA Using LSBs of Multiples of the Prime Factors
Abstract
Let N = pq be an RSA modulus with a public exponent e and a private exponent d. Wiener’s famous attack on RSA with d < N and its extension by Boneh and Durfee to d < N show that using a small d makes RSA completely insecure. However, for larger d, it is known that RSA can be broken in polynomial time under special conditions. For example, various partial key exposure attacks on RSA and some attacks using additional information encoded in the public exponent e are efficient to factor the RSA modulus. These attacks were later improved and extended in various ways. In this paper, we present a new attack on RSA with a public exponent e satisfying an equation ed − k(N + 1 − ap − bq) = 1 where a/b is an unknown approximation of q/p. We show that RSA is insecure when a certain amount of the Least Significant Bits (LSBs) of ap and bq are known. Further, we show that the existence of good approximations a/b of q/p with small a and b substantially reduces the requirement of LSBs of ap and bq.
Similar resources
Implicit factorization of unbalanced RSA moduli
Let N1 = p1q1 and N2 = p2q2 be two RSA moduli, not necessarily of the same bit-size. In 2009, May and Ritzenhofen proposed a method to factor N1 and N2 given the implicit information that p1 and p2 share an amount of least significant bits. In this paper, we propose a generalization of their attack as follows: suppose that some unknown multiples a1p1 and a2p2 of the prime factors p1 and p2 shar...
Partial Key Exposure Attacks on RSA and Its Variant by Guessing a Few Bits of One of the Prime Factors
Consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. We first study cryptanalysis of RSA when a certain amount of the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of d is known. The basic lattice-based technique is similar to that of Ernst et al. in Eurocrypt 2005. However, our idea of guessing a few MSBs of the secret prime p subs...
On the Improvement of the BDF Attack on LSBS-RSA
An (α, β, γ)-LSBS RSA denotes an RSA system with primes sharing α least significant bits, private exponent d with β least significant bits leaked, and public exponent e with bit-length γ. Steinfeld and Zheng showed that LSBS-RSA with small e is inherently resistant to the BDF attack, but LSBS-RSA with large e is more vulnerable than standard RSA. In this paper, we improve the BDF attack on LSBS...
Cryptanalysis of Short Exponent RSA with Primes Sharing Least Significant Bits
LSBS-RSA denotes an RSA system with modulus primes, p and q, sharing a large number of least significant bits. In ISC 2007, Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we point out that there exist some errors in the calculation of Zhao & Qi's attack. Af...
New Attacks on the RSA Cryptosystem
This paper presents three new attacks on the RSA cryptosystem. The first two attacks work when k RSA public keys (N_i, e_i) are such that there exist k relations of the shape e_i x − y_i φ(N_i) = z_i or of the shape e_i x_i − y φ(N_i) = z_i where N_i = p_i q_i, φ(N_i) = (p_i − 1)(q_i − 1) and the parameters x, x_i, y, y_i, z_i are suitably small in terms of the prime factors of the moduli. We show that our attacks enabl...
Publication date: 2013