Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

Atsushi Takayasu and Noboru Kunihiro

Abstract

Thus far, several lattice-based algorithms for partial key exposure attacks on RSA, i.e., given the most/least significant bits (MSBs/LSBs) of a secret exponent $d$ and factoring an RSA modulus $N$, have been proposed such as Blömer and May (Crypto'03), Ernst et al. (Eurocrypt'05), and Aono (PKC'09). Due to Boneh and Durfee's small secret exponent attack, partial key exposure attacks should always work for $d<N^{0.292}$ even without any partial information. However, it was difficult task to make use of the given partial information without losing the quality of Boneh-Durfee's attack. In particular, known partial key exposure attacks fail to work for $d<N^{0.292}$ with only few partial information. Such unnatural situation stems from the fact that the additional information makes underlying modular equations involved. In this paper, we propose improved attacks when a secret exponents $d$ is small. Our attacks are better than all known previous attacks in the sense that our attacks require less partial information. Specifically, our attack is better than all known ones for $d<N^{0.5625}$ and $d<N^{0.368}$ with the MSBs and the LSBs, respectively. Furthermore, our attacks fully cover the Boneh-Durfee bound, i.e., they always work for $d<N^{0.292}$. At a high level, we obtain the improved attacks by fully utilizing unravelled linearization technique proposed by Herrmann and May (Asiacrypt'09). Although Herrmann and May (PKC'10) already applied the technique to Boneh-Durfee's attack, we show elegant and impressive extensions to capture partial key exposure attacks. More concretely, we construct structured triangular matrices that enable us to recover more useful algebraic structures of underlying modular polynomials. We embed the given MSBs/LSBs to the recovered algebraic structures and construct our partial key exposure attacks. In this full version, we provide overviews and explicit proofs of the triangular matrix constructions. We believe that the additional explanations help readers to understand our techniques.

Available format(s)
Category
Public-key cryptography
Publication info
Published elsewhere. MAJOR revision.SAC 2014
Contact author(s)
takayasu @ mist i u-tokyo ac jp
History
Short URL
https://ia.cr/2018/516

CC BY

BibTeX

@misc{cryptoeprint:2018/516,
author = {Atsushi Takayasu and Noboru Kunihiro},
title = {Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound},
howpublished = {Cryptology ePrint Archive, Paper 2018/516},
year = {2018},
note = {\url{https://eprint.iacr.org/2018/516}},
url = {https://eprint.iacr.org/2018/516}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.