Cryptanalysis of RSA with more than one decryption exponent

Cryptanalysis of RSA with more than one decryption exponent

Information Processing Letters 110 (2010) 336–340 Contents lists available at ScienceDirect Information Processing Letters www.elsevier.com/locate/i...
Download PDF
173KB Sizes 0 Downloads 51 Views
Report

Information Processing Letters 110 (2010) 336–340

Contents lists available at ScienceDirect

Information Processing Letters www.elsevier.com/locate/ipl

Cryptanalysis of RSA with more than one decryption exponent Santanu Sarkar, Subhamoy Maitra ∗ Applied Statistics Unit, Indian Statistical Institute, 203 B.T. Road, Kolkata 700 108, India

a r t i c l e

i n f o

a b s t r a c t

Article history: Received 15 December 2009 Received in revised form 25 February 2010 Accepted 25 February 2010 Available online 1 March 2010 Communicated by D. Pointcheval Keywords: Cryptanalysis Cryptography Factorization Lattice LLL Algorithm RSA

In this paper, we analyze the security of the RSA public key cryptosystem where multiple encryption and decryption exponents are considered with the same RSA modulus N. We consider N = pq, where p, q are of the same bit size, i.e., q < p < 2q. We show that if n many decryption exponents (d1 , . . . , dn ) are used with the same N, then RSA is 3n−1

insecure when di < N 4n+4 , for all i, 1  i  n and n  2. Our result improves the bound of Howgrave-Graham and Seifert (CQRE 1999) for n  42 and also generalizes our recent work for n = 2 (IPL 2010). © 2010 Elsevier B.V. All rights reserved.

1. Introduction RSA [6] is one of the most popular cryptosystems that received detailed attention in research as well as in commercial domain. Many important papers studied RSA to explore the weaknesses and the works of [8,1] identified that the decryption exponents of RSA should be larger than certain bounds for maintaining proper security. In [2], the security of RSA has been studied when more than one decryption exponents are available for a single RSA modulus N. It has been shown in [2] that in the presence of n many encryption exponents, one can factor N when the decryption exponents di < N δ , for 1  i  n, where

  (2n + 1)2n − (2n + 1) nn  2  , if n is even, δ< (2n − 2)2n + (4n + 2) nn 2 n−1 (2n + 1)2n − 4n n−1 2 < n−1 , if n is odd. (2n − 2)2n + 8n n−1

and

(1)

2

*

Corresponding author. E-mail addresses: [email protected] (S. Sarkar), [email protected] (S. Maitra). 0020-0190/$ – see front matter doi:10.1016/j.ipl.2010.02.016

© 2010

Elsevier B.V. All rights reserved.

Improvement over the work of [2] has been achieved recently in [7] for n = 2. However, the generalization could not be achieved for n > 2 in [7]. In this paper, we present a comprehensive generalization of the strategy presented −1 in [7]. We show that RSA is insecure when δ < 3n . This 4n+4 result improves the bound presented in [2] for n  42. The time complexity of our technique as well as the technique of [2] are polynomial in the bit size of N and exponential in the number of exponents n. Putting n = 2, we find that δ < 0.416, which is the same as presented in [7]. However, for this special case of n = 2, we show that our strategy can extend the bound till δ < 0.422. We present experimental results to support our claim. The study of RSA security with multiple decryption exponents has theoretical motivations which are explained in detail in [2,7]. Before proceeding further, we would like to refer to [3,4] for background on lattice based techniques that we exploit here. 2. The theoretical result We present the main result in this section. Let us first state a simple technical result that will be used later. Lemma 1. For any fixed positive integer r  1, and a large integer m,

m

t =1 t

r

=

mr +1 r +1

+ o(mr +1 ).

S. Sarkar, S. Maitra / Information Processing Letters 110 (2010) 336–340

Proof. Let S = 1r + 2r + · · · + mr . Then,

 m+1

m 0

xr dx < S <

r +1 xr dx. Thus, < S < (m+r1+) 1 −1 , which gives, 1 r + 1 r + 1 r +1 1) (m+1) mr +1 < S < (m+ . Now, − mr +1 contains the r +1 r +1 r +1

mr +1 r +1

terms mi for i  r. Thus, for a fixed r and large m, one r +1

can write S = mr +1 + o(mr +1 ).

2

0 j t

Assumption 1. Consider a set of polynomials { f 1 , f 2 , . . . , f i } on n + 2 variables having the roots over the integers of the form (x1,0 , x2,0 , . . . , xn+2,0 ), where i  n + 2. We assume that the roots can be recovered efficiently by calculating the resultants of these polynomials or by using the Gröbner basis computation.

Theorem 1. Consider n  2. Let (e 1 , . . . , en ) be n RSA encryption exponents with common modulus N. Suppose d1 , . . . , dn are the corresponding decryption exponents. Let d1 , d2 , . . . , dn < N δ . Then one can factor N in poly{log N , exp(n)} time when

δ < 0.422, when n = 2, 3n − 1 < , for n  3. 4n + 4 Proof. We have, e 1 d1 = 1 + k1 ( N + r ), e 2 d2 = 1 + k2 ( N+ r ), . . . , en dn = 1 + kn ( N + r ), where r = − p − q + 1. n E Let i =1 e i = E. Multiplying the first equation by e , the 1

second one by eE , . . . , and the last one by eE and then n 2 subtracting all  the other equations the first one, n from n E E E we get, E (d1 − i =2 di ) = e − j =2 e + ( N + r )( e k1 − 1

j

1

E j =2 e j k j ).

i

j =2

 − ( N + xn+2 )

E e1



n  E j =2

ej

x j +1 .

n

Since di < N δ , for 1  i  n, so |d1 − i =2 di | < N δ , treating n as a constant and neglecting it. Also, we have |r | <



1 2

i

i

i



i

i

⎧ i 1 = 0, . . . , m , ⎪ ⎪ ⎪ ⎨ i 2 = 0, . . . , m − i 1 , ... ⎪ ⎪ ⎪ i n +1 = 0, . . . , m − i 1 − · · · − i n , ⎩ i n +2 = 0, . . . , i 2 + · · · + i n +1 + t ,

and i

i

N δ for 1  i

(1 + 2) N , and ki <  n. Let X 1 = X 2 = · · · = 1 X n+1 = N δ , X n+2 = N 2 . Then X 1 , X 2 , . . . , X n+2 are the upn per bounds of (d1 − i =2 di , k1 , . . . , kn , r ), neglecting the

constant terms. Using the extended strategy of [4, Page 274], we define S and M as follows.

⎧ i 1 = 0, . . . , m + 1 , ⎪ ⎪ ⎪ ⎨ i 2 = 0, . . . , m + 1 − i 1 , ... ⎪ ⎪ ⎪ i n +1 = 0, . . . , m + 1 − i 1 − · · · − i n , ⎩ i n +2 = 0, . . . , i 2 + · · · + i n +1 + t .



Apart from f , we need to find at least n + 1 more polynomials f 1 , f 2 , . . . , f n+1 that share the same root (d1 − d2 − · · · − dn , k1 , . . . , kn , r ) over the integers. Considering a small fixed n, from [4], we know that these polynomials can be found by LLL [5] algorithm sn+2 s1 s2 s in  poly(log N ) time if X 1 X 2 . . . Xn+2 < W for s j = i j , where j = 1, . . . , n + 2, s = | S |, and W = in+2 i1 x1 ...xn+2 ∈ M \ S

 f (x1 X 1 , . . . , xn+2 Xn+2 )∞  Ne 2 . . . en X 2 ≈ N n+δ (assuming the e i ’s are of full bit-size for 2  i  n). The calculation of s, s1 , s2 , . . . , sn+1 , sn+2 are quite tedious and those are presented in Appendix A. From the structure of the polynomial f , it is clear that s2 , s3 , . . . , sn , sn+1 are equal. Thus we need to calculate s, s1 , s2 and sn+2 only. We get,

mn+2

1

(n − 1)! (n + 1)(n + 2)

s2 ≈

ej x2 −



i



s1 ≈

e1

i

i

i

f (x1 , x2 , . . . , xn+2 ) n  E

i

:

x11 x22 . . . xnn++22 ∈ S

s≈



i

+j

x11 x22 . . . xnn++22 is a monomial of f m ,



Thus, we want to find the solution (d1 − d2 − · · · − dn , k1 , . . . , kn , r ) of the polynomial

E

i

x11 x22 . . . xnn++22 ∈ M

Now we come to our main result.

= Ex1 −

i

M = monomials of x11 x22 . . . xnn++22 f : x11 x22 . . . xnn++22 ∈ S ,

i



i

x11 x22 . . . xnn++22

where t is a non-negative integer. It follows that,

For our main result related to lattice based techniques, we need the following assumption.

n



S=

337

+

mn+2

(n − 1)!(n + 2)(n + 1) mn+2 n!(n + 2)

sn+2 ≈

+

(n − 1)! n(n + 1) tmn+1

(n − 1)!n(n + 1)

tmn+1

(n − 2)!n(n − 1)(n + 1)

mn+2

(n − 1)!2(n + 2) + t2

+

mn+1

t

mn

(n − 1)!2n

+t

, ,

,

mn+1

(n − 1)!(n + 1)

.

Consider t = τ m, where τ  0 is a real number. Putting the values of X 1 , X 2 , . . . , X n+2 , s1 , . . . , sn+2 , s and the s s s lower bound of W in the condition X 11 X 22 . . . X nn++22 < W s , we get

n2 τ 2 + 4n2 τ δ − 2n2 τ + 3nτ 2 + 4n2 δ + 8nτ δ − 3n2

− 4nτ + 2τ 2 + 4nδ + n < 0.

(2)

338

S. Sarkar, S. Maitra / Information Processing Letters 110 (2010) 336–340

Fig. 1. Comparison of our theoretical result [case (ii)] with that of [2] [case (i)].

The optimal value of may note that

τ to maximize δ is

(1−2δ)n . One 1+n

τ  0, when the maximum value of δ  12 .

For the cases n  3, we get that the upper bound of δ  12 , when τ = 0. Thus, in these cases, it is enough to consider τ = 0, i.e., t = 0. In these cases, putting τ = 0 in (2), we get −1 δ < 3n . For the cases n  3, extra shifts over the variable 4n+4 xn+2 does not provide any improvement in the theoretical bound. Thus, it is enough to consider in+2 = 0, . . . , i 2 + · · · + in+1 instead of in+2 = 0, . . . , i 2 + · · · + in+1 + t. For the case, n = 2, the extra shifts over x4 provide (1−2δ)n theoretical improvements. Putting τ = 1+n , we get δ < 0.422. This is better than the bound 0.416 obtained in [7], where no extra shift has been used. Using strategy of [4, p. 274], from S , M one can construct a lattice L. The bit size of the entries of L is +1)n+2 poly(log N ). The dimension of L is | M | = (n−11)! (n(m +1)(n+2) + (m+1)n+1 t (n−1)! n(n+1)

+ o((m + 1)n+2 ). The running time of our al-

gorithm is dominated by the LLL algorithm, which is polynomial in the dimension of the lattice and in the bitsize of the entries. Since the lattice dimension in our case is exponential in n, so the running time is polynomial in log N but exponential in n. 2

Proof. First consider the case when n is even. Let E = n i =1 e i . We have



n  E (−1)i +1 di



i =1

 n n   j +1 E j +1 E = (−1) + (N + r) (−1) kj . ej

j =1

j =1

ej

We want to find the solution (d1 − d2 + d3 − · · · − dn , k1 , . . . , kn , r ) of the polynomial

f (x1 , x2 , . . . , xn+2 )

= Ex1 −

n  j =1

(−1) j +1

E ej



n  j +1 E − ( N + xn+2 ) (−1) x j +1 . j =1

ej

In this case we have |d1 − d2 + d3 − · · · − dn | < N β , assuming n as a fixed small integer and negligible compared 1

That our bound in Theorem 1 is better than that of [2] (see also (1) in Section 1) for n  42 can be checked easily by numerical calculations. One may have a look at Fig. 1 for a graphical representation. Similar to [7], Theorem 1 may be extended when some of the most significant bits (MSBs) of the decryption exponents are same (but unknown). This implicit information increases the bound of decryption exponents further. This is a generalization of the case for n = 2 in [7]. Corollary 1. Let (e 1 , . . . , en ) (n  2) be RSA encryption exponents with common modulus N. Suppose d1 , . . . , dn are the corresponding decryption exponents. Let d1 , d2 , . . . , dn < N δ and |du − d v | < N β for u = v ∈ [1, n]. Then one can factor N in poly{log N , exp(n)} time when n2 τ 2 + 4n2 τ δ − 2n2 τ + 3nτ 2 + 4nτ β + 4n2 δ + 4nτ δ − 3n2 − 4nτ + 2τ 2 + 4nβ + 8τ β − 8τ δ + n < 0 where τ = −2nδ+n−2β+2δ max{0, }. n+1

to N β . Let X 1 = N β , X 2 = · · · = X n+1 = N δ , X n+2 = N 2 . Then X 1 , X 2 , . . . , X n+2 are the upper bounds of (d1 − d2 + d3 − · · · − dn , k1 , . . . , kn , r ), neglecting the constant terms. Now proceeding as the proof of Theorem 1, we get the above result. The situation can be handled in a similar manner for n odd as |2d1 − d2 + d3 − · · · − dn−1 − dn | = |(d1 − d2 + d3 − · · · − dn−1 ) + (d1 − dn )| can be bounded by N β . 2 Let us now present the experimental results. We have implemented the programs in SAGE 3.1.1 over Linux Ubuntu 8.04 on a laptop with Dual CORE Intel(R) Pentium(R) D CPU 1.83 GHz, 2 GB RAM and 2 MB Cache. We have extensively studied the case n = 3. In this case, we take m = 2, i.e., the lattice dimension 98. We consider 1000-bit N and three decryption exponents d1 , d2 , d3 , each of 420 bits. We could factor N under Assumption 1 in time 12 390 seconds. The previous work of [2] could achieve the solution with three decryption exponents of 400 bits each.

S. Sarkar, S. Maitra / Information Processing Letters 110 (2010) 336–340

Thus we get experimental advantage too for the case n = 3 over that of [2]. We could not attempt experiments for n > 3 as in that case the lattice dimension is becoming quite high.

i 1 +1  m +1 m −  

r +n−1

i 1 +1 m +1 m −  



3. Conclusion In this paper we prove that if n many decryption exponents are used with the same RSA modulus N, then 3n−1 4n+4

, for each i, 1  RSA becomes insecure when di < N i  n and n  2. This improves the currently best known bound presented in [2] for n  42. Experimentally we have demonstrated better results than that of [2] for the case n = 3. We also improve the theoretical bound of [7] for n = 2. Our results present a complete generalization of the work presented in [7].

Detailed comments from the anonymous reviewer improved the technical as well as editorial quality of this paper. The first author likes to acknowledge the Council of Scientific and Industrial Research (CSIR), India for supporting his research fellowship.



m +1  i 1 =0



m +1 



m 

m +1 

t

T n (m − T + 1)

(n − 1)!n

T =0

(m + 1) (n − 1)!(n + 3)(n + 2)(n + 1)



+

(m + 1)n+2 . (n − 1)! n(n + 1)(n + 2) t

So

(m + 1)n+3 (n − 1)!(n + 3)(n + 2)(n + 1)

s1 ≈

+ −

r n −1

r =0

(n − 1)!(n + 1)

+

n +3



(m + 1)n+2 (n − 1)! n(n + 1)(n + 2) t

mn+3

(n − 1)!(n + 3)(n + 2)(n + 1) mn+2

t

(n − 1)! n(n + 1)(n + 2) mn+2



(n − 1)!

(r + t + 1)i 1

T n+1 (m − T + 1)

T =0

r

(1 + r + t )(m + 1 − r )



r

r =0

  r +n−1 (1 + r + t )(m + 1 − r )

r =0

i 1 =0

r +n−1

One may note that s is the number of solutions of 0  i 1 + · · · + in+1  m, 0  in+2  i 2 + · · · + in+1 + t. Thus,

s=

m +1

 (m − i 1 + 1)n (m − i 1 + 1)n+1 i1 + ti 1 (n − 1)!(n + 1) (n − 1)!n

i 1 +1  m +1 m −  

A.1. Calculation of s

m 

(r + t )i 1

(using Lemma 1 and neglecting the lower order terms). Let T = m − i 1 + 1. Then

Appendix A. Detailed calculations related to Theorem 1 Here we present the detailed calculations for s, s1 , s2 , sn+2 .

r n −1

(neglecting the lower order terms)

i 1 =0

Acknowledgements

(r + t + 1)i 1

(n − 1)!

r =0

i 1 =0



r

r =0

i 1 =0

339

+

(n − 1)!(n + 2)(n + 1)

tmn+1

(n − 1)!n(n + 1)

.

(neglecting the lower order terms)



m 

(r + t )(m − r )

r =0



(n − 1)!

n +2

1

A.3. Calculation of s2

r n −1

m

Let us now consider s2 . We have,

+

(n − 1)! (n + 1)(n + 2)

t

i 1 +1 m+1−i 1 −i 2 r +t +i 2  m +1 m −    

n +1

m

(n − 1)! n(n + 1)

i 1 =0

(using Lemma 1 and neglecting the lower order terms).



A.2. Calculation of s1

r =0

i 2 =0

−i 1 m m  

i 1 +1  m +1 m −   i 1 =0



r =0

r

r





r =0

i n +2 =0

r +n−2 r

i2

 i2.

Now,

(r + t + 1)i 1

 −i 1  m m   r +n−1

i 1 =0 r =0

Now,



r +n−1

r

i n +2 =0

m−i 1 −i 2 r +t +i 2 

i 1 =0 i 2 =0

s1 =



r +n−2

s2 =

(r + t + 1)i 1 .

i 1 +1 m+1−i 1 −i 2 r +t +i 2  m +1 m −    

r +n−2

i 1 =0

=

r =0

i 2 =0

r

i n +2 =0

i 1 +1 m +1 − i 1 − i 2  m +1 m −   

r +n−2

i 1 =0

i 2 =0

r =0



r

i2

 i 2 (r + t + i 2 + 1)

340

S. Sarkar, S. Maitra / Information Processing Letters 110 (2010) 336–340



i 1 +1 m +1 − i 1 − i 2 m +1 m −    i 1 =0



r n −1

i2 +

(n − 2)!

(n − 2)! 

i 22

r n −2 

(n − 2)!

i 1 +1 m +1 m −  

1

+

r =0

i 2 =0



×

i 1 +1 m +1 m −  

i 1 =0

+ ti 2

i2

i 22 + ti 2



i 1 =0



=

i 2 =0

 (m + 1 − i 1 − i 2 )n−1





n−1

=

(n − 2)!

i2

+ i 22 + ti 2

 (r1 − i 2 )n−1

1

(n − 2)!





n−1

+ (r1 − T )2

T

n −1

n−1

+ t (r1 − T )

T

n −1



n−1

n!(n + 2)

tmn+1

(n − 2)!n(n − 1)(n + 1)

.

A.4. Calculation of sn+2

sn+2 =

i 1 +1 m +1 m −   i 1 =0



r =0

 r +t   r +n−1 i n +2 =0

i n +2

 −i 1  r +t  m m   r +n−1 i 1 =0 r =0 i n +2 =0

Then,

r

r



(m + 1)n+3 (n − 1)!2(n + 2)(n + 3) (m + 1)n+2 (m + 1)n+1 + t2 . (n − 1)!2(n + 2)(n + 1) (n − 1)!2(n + 1)n

sn+2 ≈

mn+2

(n − 1)!2(n + 2) mn

(n − 1)!2n

+t

mn+1

(n − 1)!(n + 1)

.

References

Hence,

+

(m − i 1 + 1)n+1 (m − i 1 + 1)n + t2 n+1 n

+ t2

(m + 1)n+3 ≈ n!(n + 2) n+3 (m + 1)n+2 t . + (n − 2)! (n − 1)n(n + 1)(n + 2) mn+2

i 1 =0

(m − i 1 + 1)n+2 n+2

Hence,

1

s2 ≈

2(n − 1)!

n

r 1 =0 T =0

m +1  

1

2

r

r =0

+ 2t

r1   Tn (r1 − T )

m +1 



(using Lemma 1 and neglecting lower order terms)

n

r 1 =0 i 2 =0



=

r1   (r1 − i 2 )n

m +1 

1

i n +2

r + n − 1 (r + t )(r + t + 1)

+ 2t

(using Lemma 1 and neglecting lower order terms)

r

i n +2 =0

i 1 +1  m +1 m −   i 1 =0

(m + 1 − i 1 − i 2 )n n

r =0

 r +t   r +n−1

i n +2 .

[1] D. Boneh, G. Durfee, Cryptanalysis of RSA with private key d less than N 0.292 , IEEE Trans. Inform. Theory 46 (4) (2000) 1339–1349. [2] N. Howgrave-Graham, J.-P. Seifert, Extending Wiener’s attack in the presence of many decryption exponents, in: CQRE 1999, in: Lecture Notes in Comput. Sci., vol. 1740, 1999, pp. 153–166. [3] E. Jochemsz, Cryptanalysis of RSA variants using small roots of polynomials, Ph.D. thesis, Technische Universiteit Eindhoven, 2007. [4] E. Jochemsz, A. May, A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants, in: Asiacrypt 2006, in: Lecture Notes in Comput. Sci., vol. 4284, 2006, pp. 267–282. [5] A.K. Lenstra, H.W. Lenstra, L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982) 513–534. [6] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Comm. ACM 21 (2) (1978) 158–164. [7] S. Sarkar, S. Maitra, Cryptanalysis of RSA with two decryption exponents, Inform. Process. Lett. 110 (5) (2010) 178–181. [8] M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (3) (1990) 553–558.