[Resource Topic] 2018/516: Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

Welcome to the resource topic for 2018/516

Title:
Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

Authors: Atsushi Takayasu, Noboru Kunihiro

Abstract:

Thus far, several lattice-based algorithms for partial key exposure attacks on RSA, i.e., given the most/least significant bits (MSBs/LSBs) of a secret exponent d and factoring an RSA modulus N, have been proposed such as Blömer and May (Crypto’03), Ernst et al. (Eurocrypt’05), and Aono (PKC’09). Due to Boneh and Durfee’s small secret exponent attack, partial key exposure attacks should always work for d<N^{0.292} even without any partial information. However, it was difficult task to make use of the given partial information without losing the quality of Boneh-Durfee’s attack. In particular, known partial key exposure attacks fail to work for d<N^{0.292} with only few partial information. Such unnatural situation stems from the fact that the additional information makes underlying modular equations involved. In this paper, we propose improved attacks when a secret exponents d is small. Our attacks are better than all known previous attacks in the sense that our attacks require less partial information. Specifically, our attack is better than all known ones for d<N^{0.5625} and d<N^{0.368} with the MSBs and the LSBs, respectively. Furthermore, our attacks fully cover the Boneh-Durfee bound, i.e., they always work for d<N^{0.292}. At a high level, we obtain the improved attacks by fully utilizing unravelled linearization technique proposed by Herrmann and May (Asiacrypt’09). Although Herrmann and May (PKC’10) already applied the technique to Boneh-Durfee’s attack, we show elegant and impressive extensions to capture partial key exposure attacks. More concretely, we construct structured triangular matrices that enable us to recover more useful algebraic structures of underlying modular polynomials. We embed the given MSBs/LSBs to the recovered algebraic structures and construct our partial key exposure attacks. In this full version, we provide overviews and explicit proofs of the triangular matrix constructions. We believe that the additional explanations help readers to understand our techniques.

ePrint: https://eprint.iacr.org/2018/516

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .