Results 1 - 7 of 7
Attacking and repairing batch verification schemes
- In Advances in Cryptology — ASIACRYPT 00, 2000
Cited by 15 (3 self)
Abstract. Batch verification can provide large computational savings when several signatures, or other constructs, are verified together. Several batch verification algorithms have been published in recent years, in particular for both DSA-type and RSA signatures. We describe new attacks on several of these published schemes. A general weakness is explained which applies to almost all known batch verifiers for discrete logarithm based signature schemes. It is shown how this weakness can be eliminated given extra properties about the underlying group structure. A new general batch verifier for exponentiation in any cyclic group is also described as well as a batch verifier for modified RSA signatures.

1 Introduction. Modular exponentiation is a fundamental operation for most practical digital signature schemes. The computational expense of both signing and verifying signatures is mainly due to the modular exponentiation required. Several techniques have been proposed in the literature to reduce this expense, including use of small exponents, and multi-exponentiation techniques [21]. An alternative way to realize a computational reduction is through use of batch cryptography. Batch cryptography is relevant in settings where many signatures (or other primitives) need to be generated and/or verified together. Electronic commerce applications are prime examples, as typically many customers interact with the same merchant or banking server. Although techniques have been developed to improve signature generation [6, 16], the majority of the recent work in the area has focused on the batch verification of signatures. These techniques all exploit the homomorphic properties of exponentiation in various groups to combine a set of exponentiations into one equation whose computational effort is effectively divided amongst all the individual exponentiations required.
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
- 2002
Cited by 9 (1 self)
We present lattice-based attacks on RSA with prime factors p and q of unbalanced size. In our scenario, the factor q is smaller than and the decryption exponent d is small modulo p-1. We introduce two approaches that both use a modular bivariate polynomial equation with a small root. Extracting this root is in both methods equivalent to the factorization of the modulus N = pq. Applying a method of Coppersmith, one can construct from a bivariate modular equation a bivariate polynomial f(x, y) over Z that has the same small root. In our first method, we prove that one can extract the desired root of f(x, y) in polynomial time. This method works up to # 0.382. Our second method uses a heuristic to find the root. This method improves upon the first one by allowing larger values of d modulo p-1.
Tunable Balancing of RSA
- Proceedings of ACISP 2005, Lecture Notes in Computer Science, 2005
Cited by 4 (0 self)
Abstract. We propose a key generation method for RSA moduli which allows the cost of the public operations (encryption/verifying) and the private operations (decryption/signing) to be balanced according to the application requirements. Our method is a generalisation of using small public exponents and small Chinese remainder (CRT) private exponents. Our results are most relevant in the case where the cost of private operations must be optimised. We give methods for which the cost of private operations is the same as the previous fastest methods, but where the public operations are significantly faster. For example, the fastest known (1024 bit) RSA decryption is using small CRT private exponents and moduli which are a product of three primes. In this case we equal the fastest known decryption time and also make the encryption time around 4 times faster. The paper gives an analysis of the security of keys generated by our method, and several new attacks. The ingredients of our analysis include several ideas of Coppersmith and a new technique which exploits linearisation. We also present a new birthday attack on low Hamming-weight private exponents.
Cryptanalysis of Short Exponent RSA with Primes Sharing Least Significant Bits
- Hung-Min Sun, Mu-En Wu, 2008
LSBS-RSA denotes an RSA system with modulus primes, p and q, sharing a large number of least significant bits. In ISC 2007, Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we point out that there exist some errors in the calculation of Zhao & Qi's attack. After re-calculating, the result shows that their attack cannot be used to attack RSA with primes sharing bits. Consequently, we give a revised version to make their attack feasible. We also propose a new method to further extend the security boundary, compared with the revised version. The proposed attack also supports the result of analogue Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than n/4 least significant bits, where n is the bit-length of pq. In conclusion, it is a trade-off between the number of sharing bits and the security level in LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.
Keywords: RSA, least significant bits (LSBs), LSBS-RSA, short exponent attack, lattice reduction technique, the Boneh-Durfee attack.
Generalization of Boneh-Durfee's Attack for Arbitrary Public Exponent RSA
In 2000, Boneh-Durfee extended the bound for low private exponent attacks from 0.25 (provided by Wiener) to 0.292, for the case where the public exponent size is the same as the modulus size. They used the powerful lattice reduction algorithm LLL together with Coppersmith's theory of polynomials. In this paper we generalize their attack to arbitrary public exponents.
Lattice based Attacks on Small Private Exponent RSA: A Survey
Lattice basis reduction algorithms have contributed a lot to the cryptanalysis of the RSA cryptosystem. Combined with Coppersmith's theory of polynomials, these algorithms search for weak instances of number-theoretic cryptography, mainly RSA. In this paper we present several lattice-based attacks on RSA with a low private exponent.