## On the Security of Multi-prime RSA (2006)

Citations: 2 (1 self)

### BibTeX

@MISC{Hinek06onthe,
    author = {M. Jason Hinek},
    title = {On the Security of Multi-prime RSA},
    year = {2006}
}

### Abstract

In this work we collect the strongest known algebraic attacks on multi-prime RSA. These include factoring, small private exponent, small CRT exponent and partial key exposure attacks. Five of the attacks are new. A new variant of partial key exposure attacks is also introduced which applies only to multi-prime RSA with more than two primes.

### Citations

178 | Small solutions to polynomial equations, and low exponent RSA vulnerabilities
- Coppersmith
- 1997
Citation Context ...nomials and will only be used as tools to prove some of the results found later in this work. For more information about Coppersmith’s techniques, we refer the reader to Coppersmith’s original papers [10,11,12], Howgrave-Graham’s simplification of the univariate modular case [19] and Coron’s simplification of the bivariate case [13]. In addition to these provable results, there are many heuristic extensions...

128 | Twenty years of attacks on the RSA cryptosystem
- Boneh
- 1999
Citation Context ...to the modulus (for a fixed modulus size). Thus, multi-prime RSA might be a practical alternative to RSA when decryption costs need to be lowered. The security of RSA has been well studied (see Boneh [3]) since it was invented. If multi-prime RSA is to be actually implemented and used, its security must be investigated further. The aim of this work is to present the current state of security of multi...

114 | Cryptanalysis of RSA with private key d less than
- Boneh, Durfee
Citation Context ...lification of the bivariate case [13]. In addition to these provable results, there are many heuristic extensions of Coppersmith’s techniques to multivariate modular polynomials (see Boneh and Durfee [4] for example) and multivariate integer polynomials with more than two variables (see Ernst et al. [14] for a recent example). All of the heuristic extensions rely on the assumption that the first few ...

87 | Finding a small root of a univariate modular equation
- Coppersmith
- 1996
Citation Context ...nomials and will only be used as tools to prove some of the results found later in this work. For more information about Coppersmith’s techniques, we refer the reader to Coppersmith’s original papers [10,11,12], Howgrave-Graham’s simplification of the univariate modular case [19] and Coron’s simplification of the bivariate case [13]. In addition to these provable results, there are many heuristic extensions...

66 | Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known
- Coppersmith
- 1996
Citation Context ...nomials and will only be used as tools to prove some of the results found later in this work. For more information about Coppersmith’s techniques, we refer the reader to Coppersmith’s original papers [10,11,12], Howgrave-Graham’s simplification of the univariate modular case [19] and Coron’s simplification of the bivariate case [13]. In addition to these provable results, there are many heuristic extensions...

42 | An attack on RSA given a small fraction of the private key bits
- Boneh, Durfee, et al.
- 1998
Citation Context ... the public key (N, e) and � d satisfying |d − � d| ≤ N δ , if 1. α > 1 − δ, δ ≤ β − 1/r and 2. α > 1 + 1/r − β, δ ≥ β − 1/r and δ ≤ α + β − 1 3 δ ≤ 3r2 + 6αr + 3 − r 2 α 2 − 6r − 2αr 2 4αr 2 − ɛ, or (5) + 2 2 � − (αr + βr − r − 1)(αr + βr + 2r − 4) − ɛ, (6) 3r 3r then d can be recovered in time polynomial in log N and 1/ɛ, provided the algebraic independence assumption holds. Proof: First we use N, ...

40 | Factoring N = p r q for large r
- Boneh, Durfee, et al.
- 1999
Citation Context ...ks on multi-prime RSA that recover the private exponent. The factoring attacks are simple applications of the lattice-based factoring results of Coppersmith [10] and Boneh, Durfee and Howgrave-Graham [7]. The attacks apply to any composite integer having the same form as a balanced r-prime RSA modulus. Of the attacks that recover the private exponent, the first attack recovers sufficiently small priv...

23 | New Partial Key Exposure Attacks on RSA
- Blömer, May
- 1997
Citation Context ... see Ernst et al. [14]. 5s2 Factoring Attacks The best generic factoring method is the general number field sieve (NFS). Following Lenstra [20], we will use $L[N] = e^{1.923 (\log N)^{1/3} (\log \log N)^{2/3}}$, (2) as the heuristic expected runtime of the NFS to compute a non-trivial factor of the composite number N. Notice that the runtime depends only on the bitsize of the integer to be factored. Thus, when u...

22 | Exposing an RSA private key given a small fraction of its bits
- Boneh, Durfee, et al.
- 1998
Citation Context ...4α2 + 2α − 2 − ɛ. 3 3 3 When the public exponent is smaller than $N^{1/r}$, an attack that is not based on lattice basis reduction can be used. The original attack on RSA is by Boneh, Durfee and Frankel [6] and was extended to the multi-prime case by Hinek, Low and Teske [18]. The main result of the attack follows. Attack 6 For every integer r ≥ 2 there exists an $N_0$ such that for every $N > N_0$ the follow...

21 | Low Secret Exponent RSA Revisited
- Blömer, May
- 2001
Citation Context ... give bounds on the volume of the sublattices used. Before giving the multi-prime extension of this attack, we first consider a simpler approach to using sublattices which was given by Blömer and May [1]. The bound obtained by Blömer and May gives the second strongest attack against small private exponent RSA. Their result was extended to multi-prime RSA (as well as arbitrary public exponent) by Hine...

16 | Partial key exposure attacks on RSA up to full size exponents
- Ernst, Jochemsz, et al.
- 2005
Citation Context ...onsider partial key exposure attacks in which some of the bits of the private exponent are known. We present three new attacks which are extensions of the partial key exposure attacks of Ernst et al. [14]. Two of the attacks require some of the most significant bits of the private exponent and one requires some of the least significant bits. In Section 6, we consider partial key exposure attacks in wh...

14 | Finding small roots of bivariate integer polynomial equations: A direct approach
- Coron
- 2007
Citation Context ...th’s techniques, we refer the reader to Coppersmith’s original papers [10,11,12], Howgrave-Graham’s simplification of the univariate modular case [19] and Coron’s simplification of the bivariate case [13]. In addition to these provable results, there are many heuristic extensions of Coppersmith’s techniques to multivariate modular polynomials (see Boneh and Durfee [4] for example) and multivariate int...

8 | Short private exponent attacks on fast variants
- Ciet, Koeune, et al.
- 2002
Citation Context ... fraction expansion of e/N, Wiener is able to recover the private exponent if it is sufficiently small. The attack was extended to multi-prime RSA by Hinek, Low and Teske [18] and also by Ciet et al. [8]. The result of the attack on multi-prime RSA, [18, Theorem 2], is given below. Attack 1 For every integer r ≥ 2 the following holds: Let N be an r-prime RSA modulus with balanced primes. Given a vali...