An advantage of low-exponent RSA with modulus primes sharing least significant bits

Ron Steinfeld; Yuliang Zheng

doi:10.1007/3-540-45353-9_5

An advantage of low-exponent RSA with modulus primes sharing least significant bits

Ron Steinfeld, Yuliang Zheng

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

20 Citations (Scopus)

Abstract

Let N = pq denote an RSA modulus of length n bits. Call N an (m − LSbS) RSA modulus if p and q have exactly m equal Least Significant (LS) bits. In Asiacrypt `98, Boneh, Durfee and Frankel (BDF) described several interesting `partial key exposure' attacks on the RSA system. In particular, for low public exponent RSA, they show how to recover in time polynomial in n the whole secret-exponent d given only the n=4 LS bits of d. In this note, we relax a hidden assumption in the running time estimate presented by BDF for this attack. We show that the running time estimated by BDF for their attack is too low for (m− LSbS) RSA moduli by a factor in the order of 2^m. Thus the BDF attack is intractable for such moduli with large m. Furthermore, we prove a general related result, namely that if low-exponent RSA using an (m − LSbS) modulus is secure against poly-time conventional attacks, then it is also secure against poly-time partial key exposure attacks accessing up to 2m LS bits of d. Therefore, if low-exponent RSA using (n=4(1 − ɛ) − LSbS) moduli for small ɛ is secure, then this result (together with BDF's result on securely leaking the n=2 MS bits of d) opens the possibility of fast and secure public-server-aided RSA decryption/signature generation.

Original language	English
Title of host publication	Topics in Cryptology - CT-RSA 2001 - The Cryptographers’ Track at RSA Conference 2001, Proceedings
Editors	David Naccache
Place of Publication	Berlin Germany
Publisher	Springer
Pages	52-62
Number of pages	11
ISBN (Electronic)	3540418989, 9783540418986
DOIs	https://doi.org/10.1007/3-540-45353-9_5
Publication status	Published - 2001
Event	Cryptographers Track held at the RSA Conference (CT-RSA) 2001 - San Francisco, United States of America Duration: 8 Apr 2001 → 12 Apr 2001 https://link.springer.com/book/10.1007/3-540-45353-9 (Proceedings)

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	2020
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	Cryptographers Track held at the RSA Conference (CT-RSA) 2001
Abbreviated title	CT-RSA 2001
Country/Territory	United States of America
City	San Francisco
Period	8/04/01 → 12/04/01
Internet address	https://link.springer.com/book/10.1007/3-540-45353-9 (Proceedings)

Access to Document

10.1007/3-540-45353-9_5

Cite this

@inproceedings{fb7552768df54d36985b2b3fde29ec4d,

title = "An advantage of low-exponent RSA with modulus primes sharing least significant bits",

abstract = "Let N = pq denote an RSA modulus of length n bits. Call N an (m − LSbS) RSA modulus if p and q have exactly m equal Least Significant (LS) bits. In Asiacrypt `98, Boneh, Durfee and Frankel (BDF) described several interesting `partial key exposure' attacks on the RSA system. In particular, for low public exponent RSA, they show how to recover in time polynomial in n the whole secret-exponent d given only the n=4 LS bits of d. In this note, we relax a hidden assumption in the running time estimate presented by BDF for this attack. We show that the running time estimated by BDF for their attack is too low for (m− LSbS) RSA moduli by a factor in the order of 2m. Thus the BDF attack is intractable for such moduli with large m. Furthermore, we prove a general related result, namely that if low-exponent RSA using an (m − LSbS) modulus is secure against poly-time conventional attacks, then it is also secure against poly-time partial key exposure attacks accessing up to 2m LS bits of d. Therefore, if low-exponent RSA using (n=4(1 − ɛ) − LSbS) moduli for small ɛ is secure, then this result (together with BDF's result on securely leaking the n=2 MS bits of d) opens the possibility of fast and secure public-server-aided RSA decryption/signature generation.",

author = "Ron Steinfeld and Yuliang Zheng",

year = "2001",

doi = "10.1007/3-540-45353-9\_5",

language = "English",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "52--62",

editor = "David Naccache",

booktitle = "Topics in Cryptology - CT-RSA 2001 - The Cryptographers{\textquoteright} Track at RSA Conference 2001, Proceedings",

address = "Switzerland",

note = "Cryptographers Track held at the RSA Conference (CT-RSA) 2001, CT-RSA 2001 ; Conference date: 08-04-2001 Through 12-04-2001",

url = "https://link.springer.com/book/10.1007/3-540-45353-9",

}

Steinfeld, R & Zheng, Y 2001, An advantage of low-exponent RSA with modulus primes sharing least significant bits. in D Naccache (ed.), Topics in Cryptology - CT-RSA 2001 - The Cryptographers’ Track at RSA Conference 2001, Proceedings. Lecture Notes in Computer Science, vol. 2020, Springer, Berlin Germany, pp. 52-62, Cryptographers Track held at the RSA Conference (CT-RSA) 2001, San Francisco, California, United States of America, 8/04/01. https://doi.org/10.1007/3-540-45353-9_5

An advantage of low-exponent RSA with modulus primes sharing least significant bits. / Steinfeld, Ron; Zheng, Yuliang.
Topics in Cryptology - CT-RSA 2001 - The Cryptographers’ Track at RSA Conference 2001, Proceedings. ed. / David Naccache. Berlin Germany: Springer, 2001. p. 52-62 (Lecture Notes in Computer Science; Vol. 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - An advantage of low-exponent RSA with modulus primes sharing least significant bits

AU - Steinfeld, Ron

AU - Zheng, Yuliang

PY - 2001

Y1 - 2001

N2 - Let N = pq denote an RSA modulus of length n bits. Call N an (m − LSbS) RSA modulus if p and q have exactly m equal Least Significant (LS) bits. In Asiacrypt `98, Boneh, Durfee and Frankel (BDF) described several interesting `partial key exposure' attacks on the RSA system. In particular, for low public exponent RSA, they show how to recover in time polynomial in n the whole secret-exponent d given only the n=4 LS bits of d. In this note, we relax a hidden assumption in the running time estimate presented by BDF for this attack. We show that the running time estimated by BDF for their attack is too low for (m− LSbS) RSA moduli by a factor in the order of 2m. Thus the BDF attack is intractable for such moduli with large m. Furthermore, we prove a general related result, namely that if low-exponent RSA using an (m − LSbS) modulus is secure against poly-time conventional attacks, then it is also secure against poly-time partial key exposure attacks accessing up to 2m LS bits of d. Therefore, if low-exponent RSA using (n=4(1 − ɛ) − LSbS) moduli for small ɛ is secure, then this result (together with BDF's result on securely leaking the n=2 MS bits of d) opens the possibility of fast and secure public-server-aided RSA decryption/signature generation.

AB - Let N = pq denote an RSA modulus of length n bits. Call N an (m − LSbS) RSA modulus if p and q have exactly m equal Least Significant (LS) bits. In Asiacrypt `98, Boneh, Durfee and Frankel (BDF) described several interesting `partial key exposure' attacks on the RSA system. In particular, for low public exponent RSA, they show how to recover in time polynomial in n the whole secret-exponent d given only the n=4 LS bits of d. In this note, we relax a hidden assumption in the running time estimate presented by BDF for this attack. We show that the running time estimated by BDF for their attack is too low for (m− LSbS) RSA moduli by a factor in the order of 2m. Thus the BDF attack is intractable for such moduli with large m. Furthermore, we prove a general related result, namely that if low-exponent RSA using an (m − LSbS) modulus is secure against poly-time conventional attacks, then it is also secure against poly-time partial key exposure attacks accessing up to 2m LS bits of d. Therefore, if low-exponent RSA using (n=4(1 − ɛ) − LSbS) moduli for small ɛ is secure, then this result (together with BDF's result on securely leaking the n=2 MS bits of d) opens the possibility of fast and secure public-server-aided RSA decryption/signature generation.

UR - https://www.scopus.com/pages/publications/84937575840

U2 - 10.1007/3-540-45353-9_5

DO - 10.1007/3-540-45353-9_5

M3 - Conference Paper

AN - SCOPUS:84937575840

T3 - Lecture Notes in Computer Science

SP - 52

EP - 62

BT - Topics in Cryptology - CT-RSA 2001 - The Cryptographers’ Track at RSA Conference 2001, Proceedings

A2 - Naccache, David

PB - Springer

CY - Berlin Germany

T2 - Cryptographers Track held at the RSA Conference (CT-RSA) 2001

Y2 - 8 April 2001 through 12 April 2001

ER -

An advantage of low-exponent RSA with modulus primes sharing least significant bits

Abstract

Publication series

Conference

Access to Document

Other files and links

Cite this