Cryptanalysis of Variants of RSA with Multiple Small Secret Exponents

• Published in: Progress in Cryptology -- INDOCRYPT 2015 pp. 105 - 123
• Main Authors: Peng, Liqiang, Hu, Lei, Lu, Yao, Sarkar, Santanu, Xu, Jun, Huang, Zhangjie
• Format: Book Chapter
• Language: English
• Published: Cham Springer International Publishing 2015
• Series: Lecture Notes in Computer Science
• Subjects: Coppersmith’s method; Cryptanalysis; Lattice; RSA
• ISBN: 3319266160; 9783319266169
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-319-26617-6_6

In this paper, we analyze the security of two variants of the RSA public key cryptosystem where multiple encryption and decryption exponents are used with a common modulus. For the most well known variant, CRT-RSA, assume that n encryption and decryption exponents (el,dpl,dql) $$(e_l,d_{p_l},d_{q_l})$$ , where l=1,⋯,n $$l=1,\cdots ,n$$ , are used with a common CRT-RSA modulus N. By utilizing a Minkowski sum based lattice construction and combining several modular equations which share a common variable, we prove that one can factor N when dpl,dql<N2n-38n+2 $$d_{p_l},d_{q_l}<N^{\frac{2n-3}{8n+2}}$$ for all l=1,⋯,n $$l=1,\cdots ,n$$ . We further improve this bound to dpl(ordql)<N9n-1424n+8 $$d_{p_l}(\mathrm {or}\,d_{q_l})<N^{\frac{9n-14}{24n+8}}$$ for all l=1,⋯,n $$l=1,\cdots ,n$$ . Moreover, our experiments do better than previous works by Jochemsz-May (Crypto 2007) and Herrmann-May (PKC 2010) when multiple exponents are used. For Takagi’s variant of RSA, assume that n key pairs (el,dl) $$(e_l,d_l)$$ for l=1,⋯,n $$l=1,\cdots ,n$$ are available for a common modulus N=prq $$N=p^rq$$ where r≥2 $$r\ge 2$$ . By solving several simultaneous modular univariate linear equations, we show that when dl<N(r-1r+1)n+1n $$d_l<N^{(\frac{r-1}{r+1})^{\frac{n+1}{n}}}$$ , for all l=1,⋯,n $$l=1,\cdots ,n$$ , one can factor the common modulus N.