Mathematica Function That Accepts an Rsa Key and Performs a Continued Fraction Low Exponent Attack

symmetry-logo

Article Menu

/ajax/scifeed/subscribe

Article

Small Private Exponent Attacks on RSA Using Continued Fractions and Multicore Systems

1

Department of Mathematics, Faculty of Science, Ain Shams University, Cairo 11566, Egypt

2

Information and Computer Science Department, College of Computer Science and Engineering, University of Ha'il, Hail, Ha'il 81481, Saudi Arabia

*

Author to whom correspondence should be addressed.

Academic Editors: Ioan Rașa, Takeshi Koshiba, Takeshi Koshiba, Yuan Ping and Yuri Borissov

Received: 5 August 2022 / Revised: 26 August 2022 / Accepted: 6 September 2022 / Published: 10 September 2022

Abstract

The RSA (Rivest–Shamir–Adleman) asymmetric-key cryptosystem is widely used for encryptions and digital signatures. Let

( n , e )

be the RSA public key and d be the corresponding private key (or private exponent). One of the attacks on RSA is to find the private key d using continued fractions when d is small. In this paper, we present a new technique to improve a small private exponent attack on RSA using continued fractions and multicore systems. The idea of the proposed technique is to find an interval that contains

ϕ ( n ) ,

and then propose a method to generate different points in the interval that can be used by continued fraction and multicore systems to recover the private key, where

ϕ

is Euler's totient function. The practical results of three small private exponent attacks on RSA show that we extended the previous bound of the private key that is discovered by continued fractions. When n is 1024 bits, we used 20 cores to extend the bound of d by

0.016

for de Weger, Maitra-Sarkar, and Nassr et al. attacks in average times 7.67 h, 2.7 h, and 44 min, respectively.

1. Introduction

In 1978, Rivest, Shamir and Adleman [1] proposed the first asymmetric-key cryptosystem (RSA) for encryptions and digital signatures. Its security is based on the difficulty of factoring a large integer

n = p 1 p 2

that is a product of two large prime numbers

p 1

and

p 2 ,

with

p 1 > p 2 ,

of the same bit-sizes, i.e.,

p 2 < p 1 < 2 p 2

. Although there is a quantum algorithm that factors integers in polynomial time [2], there is no polynomial time algorithm for factoring integers in classical computers.

The RSA encryption process of a message x is computing

x e ( mod n ) ,

where

( n , e )

is the RSA public key. The RSA decryption process of the ciphertext y is computing

y d ( mod n ) ,

where d is the private key and satisfies that

e d 1 = k ϕ ( n )

for some integer

k ,

where

ϕ ( n ) = ( p 1 1 ) ( p 2 1 )

is Euler's totient function. The RSA encryption and decryption processes take times

O ( log e log 2 n )

and

O ( log d log 2 n ) ,

respectively.

In order to speed up the decryption process, one might be tempted to use a small private exponent

d = n δ ,

, i.e.,

δ

is small. Wiener [3] showed that if

d < 1 3 n 1 / 4 ,

i.e.,

δ 1 / 4 ,

then d is one of the denominators of the convergents of the continued fraction expansion of

e n ,

and thus RSA is insecure. Boneh and Durfee [4] used the lattice reduction to improve the bound of d to be

n 0.292 ,

where their method is based on Coppersmith's [5] technique to find small roots of modular polynomial equations.

Many other strategies [6,7,8,9,10] for improving the bound of d were inspired by Wiener's result. They mainly try to find an approximation of

ϕ ( n )

better than n or to find a better lattice to recover large

d .

For example, de Weger [6] used

n + 1 2 n

as an estimation of

ϕ ( n )

to recover d when

δ < 3 / 4 β ,

where

p 1 p 2 = n β , 0.25 < β 0.5 .

Maitra and Sarkar [9] used

n + 1 3 2 2 n

as an estimation of

ϕ ( n )

to recover d when

| 2 p 2 p 1 |

is small. Note that if

p 1 p 2 = n β , 0 β 0.25 ,

then Fermat's factoring method [6,11,12,13] factorizes n in polynomial time.

In order to unify small private exponent attacks on RSA and to determine a universal attack using continued fractions or lattices, the authors in [14,15] proposed concepts of the Wiener and Coppersmith intervals using continued fractions and lattices, respectively. An integer interval I is called Wiener's interval if each

m I

satisfies Wiener's attack, i.e.,

| e m k d | < 1 2 d 2 .

While an interval I is called Coppersmith's interval if each

m I

satisfies that the tuple

( u 0 , v 0 ) = ( k , ϕ ( n ) m )

is a root of the polynomial

F ( u , v ) = u v + m u + 1 ( mod e ) .

In this paper, we are interested in improving the bound of d by:

  • Proposing an interval I that contains

    ϕ ( n ) ,

    Section 3. The proposed interval is not necessary a Wiener or Coppersmith interval. It is sufficient to find an approximation

    m I

    of

    ϕ ( n )

    such that

    | e m k d | < 1 2 d 2 ,

    i.e., Wiener's attack using continued fraction succeeds.

  • Proposing a new strategy to search for

    m I

    such that

    | e m k d | < 1 2 d 2 .
  • Using multicore systems to accelerate finding

    m I

    such that

    | e m k d | < 1 2 d 2 .

    The interval I is divided into subintervals of the same length approximately. Then each core searches for such m in one subinterval. We choose that the number of subintervals is equal to the number of available cores.

We use the proposed strategy to study practically the possibility of attacking RSA when

d = n δ < n .

Estimating a small interval that contains

ϕ ( n )

is not simple. Therefore, we estimate the interval based on some conditions on the primes factors of n as we will see in Section 3. The practical study of the proposed method shows that we succeed to factor n with

δ

greater than previously discovered using continued fractions.

The organization of this paper is as follows. Section 2 includes a brief background on continued fractions and a review of some results on small private exponent attacks on RSA. In Section 3, we propose three intervals that contain

ϕ ( n )

for three attacks on RSA. Each attack has different conditions on the prime factors

p 1

and/or

p 2 .

In Section 4, we present a new technique to search for m in the estimated intervals to find a good approximation of

ϕ ( n ) .

Section 5 includes using multicore systems to study practically how the proposed technique can improve three attacks on RSA, i.e., extend the bound of

δ

in three attacks. The theoretical study of the complexity of the proposed attacks is presented in Section 6. The conclusion and future works are given in Section 7.

2. Preliminaries

This section presents a definition of continued fractions, how to calculate continued fractions and some theorems and lemmas necessary in this paper.

Given a non-negative rational number

r ,

a (finite) continued fraction expansion [16,17] of r (or simply we write

CF ( r ) )

is an expression of the form:

r = r 1 + 1 r 2 + 1 r 3 + + 1 r s .

This expansion is denoted by

s t u p l e

of non-negative integers

[ r 1 , r 2 , , r s ] .

The following steps are a polynomial time algorithm [18] of order

O ( l o g 2 y )

for computing a unique

CF ( r )

for the rational number

r = x y ,

where

x < y

are two positive integers such that

g c d ( x , y ) = 1 :
  • r 0 = x / y .

  • Compute

    r i = 1 r i 1 r i 1 , 1 i s ,

    where

    s 2 log y

    is the smallest value of i such that

    c i = c i .
  • Return

    [ r 1 , r 2 , , r s ] ,

    where

    r s > 1 .

The

CF ( r )

is infinite in case of r is irrational number, i.e.,

r 1 + 1 r 2 + 1 r 3 + + 1 .

In this case, we write the expansion as

[ r 1 , r 2 , ] .

Theorem 1.

((Legendre) [19]) Let λ be a real number, and u , v be two positive integers such that g c d ( u , v ) = 1 . If

then u v is a convergent of CF ( λ ) .

Lemma1

([20,21]). If n is a product of two primes p 1 and p 2 of the same size, then n + 1 3 2 2 n < ϕ ( n ) < n + 1 2 n .

Theorem 2.

([6]) Let n = p 1 p 2 be a product of two primes p 1 , p 2 of the same size, with p 1 > p 2 . Suppose that 1 < e , d < ϕ ( n ) satisfy e d 1 ( mod ϕ ( n ) ) and d = n δ . Given n and e , the integer n can be factored in polynomial time in log n if

δ < 3 4 β using continued fraction

δ < 1 6 ( 4 β + 5 ) 1 3 ( 4 β + 5 ) ( 4 β 1 ) using lattice

where p 1 p 2 = n β .

Proposition 1.

([9]) Suppose that l is a positive integer, and n = p 1 p 2 is a product of two primes p 1 and p 2 . If p 2 > 2 l + 2 4 l + 1 p 1 , then | 3 2 n ( p 1 + p 2 ) | < l ( 2 p 2 p 1 ) 2 ( 3 2 + 2 ) n .

Theorem 3.

([9]) Let l be a positive integer, and n = p 1 p 2 be a product of two primes p 1 and p 2 with p 2 > 2 l + 2 4 l + 1 p 1 , 2 p 2 p 1 = n θ , and d = n δ . Then n can be factored in polynomial time in log n  when

where 2 τ > ( log 4 l 3 2 + 2 ) ( 1 log n ) .

Theorem4

([14]). Let ( n = p 1 p 2 , e ) , and d = n δ be the public and private keys of RSA, respectively, where p 1 > p 2 and 2 p 1 < n 9 4 n . If p 0 n is an approximation for p 1 such that

| p 1 p 0 | 1 8 n α , α 1 2 , δ < 1 α 2

Then [ n + 1 λ 1 , n + 1 λ 2 ] is a Wiener's interval for ( n , e ) , where

λ 1 = p 0 + n p 0 + 1 8 n α , p 0 p 1 ; p 0 + n p 0 1 8 n α , p 1 p 0 a n d n p 0 1 8 n α ; 2 n + 1 8 n α , p 1 p 0 a n d p 0 1 8 n α < n .

λ 2 = p 0 + n p 0 + 1 8 n α , p 0 p 1 ; n p 0 + p 0 1 8 n α , p 1 p 0 a n d n p 0 1 8 n α ; n + n n + 1 8 n α , p 1 p 0 a n d p 0 1 8 n α < n .

3. Estimation of ϕ ( n )

The main problem of using CFs in small private exponent attacks of RSA is to find a good approximation of

ϕ ( n )

to use it in Theorem 1. In this section, we estimate an interval I that contains

ϕ ( n ) ,

i.e., determine the lower and upper bounds of

ϕ ( n ) .

In fact, estimating a small interval that contains

ϕ ( n )

is not easy. It is known that computing

ϕ ( n )

is computationally equivalent to factoring

n .

Thus, we try to estimate I based on some conditions on the prime factors

p 1

and

p 2

of

n .

In the following, we consider three cases for the prime factors

p 1

and

p 2 :

Attack 1: In [6], if

p 1 p 2 = n β

,

0.25 β 0.5 ,

then

n + 1 n 2 β + 4 n n + 1 ( p 1 p 2 ) 2 + 4 n = n + 1 ( p 1 + p 2 ) = ϕ ( n ) < n 2 n

Thus,

I = [ n + 1 n 2 β + 4 n , n 2 n ] .

Attack 2: Using Proposition 1 and Theorem 3 if for a positive integer l,

2 l + 2 4 l + 1 p 1

and

2 p 2 p 1 = n θ , δ < 3 4 θ τ , 2 τ > ( log 4 l 3 2 + 2 ) ( 1 log n ) ,

then

| 3 2 2 n ( p 1 + p 2 ) | < l ( 2 p 2 p 1 ) 2 ( 3 2 2 + 2 ) n

Therefore,

n + 1 3 2 2 n < ϕ ( n ) < n + 1 3 2 2 n + l ( 2 p 2 p 1 ) 2 ( 3 2 2 + 2 ) n

It is clear that if

l 3 2 2 + 2 < n ϵ ,

for a small value

ϵ ,

then

I = [ n + 1 3 2 2 n , n + 1 3 2 2 n + n 2 θ 0.5 + ϵ ] .

Attack 3: Based on the result in [22], an approximation

p 0

of the prime factor

p 1

may be obtained by some expectations in side-channel attacks. In [14], if

p 2 < p 1 < 2 p 2

and

p 0

be an approximation of the prime factor

p 1

where

| p 1 p 0 | 1 2 n α ,

then

ϕ ( n )

can be estimated to be in the interval

I = [ n + 1 ( p 0 + n p 0 ) 1 2 n α , n + 1 ( p 0 + n p 0 ) + 1 2 n α ] .

The proof is as follows:

Let

p 1 = c n 1 / 2 .

Then

p 2 = 1 c n 1 / 2 ,

where

1 < c < 2

. We have

p 1 + p 2 = c 2 + 1 c n 1 / 2 .

Since

| p 1 p 0 | 1 2 n α ,

we have either

p 0 p 1 p 0 + 1 2 n α

or

p 0 1 2 n α p 1 p 0

.

If

p 0 p 1 p 0 + 1 2 n α ,

then

p 0 n c p 0 + 1 2 n α n .

Therefore,

p 0 + n p 0 p 1 + p 2 p 0 + 1 2 n α + n p 0 + 1 2 n α .

Furthermore, if

p 0 1 2 n α p 1 p 0 ,

then

p 0 1 2 n α n c p 0 n .

Therefore,

p 0 1 2 n α + n p 0 1 2 n α p 1 + p 2 p 0 + n p 0 .

Therefore, either

p 0 p 1 p 0 + 1 2 n α

or

p 0 1 2 n α p 1 p 0 ,

we have

| p 1 + p 2 ( p 0 + n p 0 ) | 1 2 n α .

Thus,

I = [ n + 1 ( p 0 + n p 0 ) 1 2 n α , n + 1 ( p 0 + n p 0 ) + 1 2 n α ] .

4. The Proposed Strategy

In this section, we propose a new strategy to search for

m I ,

such that

| e m k d | < 1 2 d 2 .

In general, the proposed interval

I = [ a , b ]

that contain

ϕ ( n )

are large. Since I is large, it is not feasible in polynomial time to test all integers in

I .

The main problem is to determine the number of tested points, i.e., how many points are sufficient to find

ϕ ( n )

or to stop the search. Testing a fixed number L of points in I has a problem: if L is small, then we may not find the solution. Otherwise, i.e., if L is very large, then the distance between two consecutive points may be small and the time to find a solution may be large if the solution is in the last parts of

I .

For this reason, we propose a new method to generate test points in I as follows (see Algorithm 1):

We first test whether

k / d

is a convergent of

CF ( e / a )

or

CF ( e / b ) .

If

k / d

is not a convergent of

CF ( e / a )

or

CF ( e / b ) ,

we set the length

c = b a

,

x 1 = a , x 2 = x 1 + c ,

and then we repeat taking x as the midpoint between

x 1

and

x 2 ,

i.e.,

x = ( x 1 + x 2 ) / 2

and check whether

k / d

is a convergent of

CF ( e / x ) .

If not, we repeat the previous steps with the length

c = c / 2 ,

change

x 1

to be

x 2

and

x 2

to be

x 1 + c

until the midpoint x is greater than

b .

For each new midpoint

x ,

the counter is increased by 1 as long as it does not exceed the maximum number of iterations

L .

The loop is terminated either by:

  • Finding a solution, Lines 19–20 in Algorithm 1.

  • Exceed the maximum number of generated test points

    L ,

    Line 13 in Algorithm 1. This number can be replaced by a maximum time to find a solution.

  • The number of round

    i ,

    i.e., number of iterations in the first while loop (Line 13 in Algorithm 1), is

    i > log 2 ( b a ) ,

    i.e.,

    c 1 .

    In this case, we exhausted most points in the interval and the total number of tested points is about

    2 + i = 0 log 2 ( b a ) 2 i

    which is large when

    b a

    is large.

Figure 1 shows the idea of generating uniformly distributed

2 i

test points in I for a round

i ,

where

c = ( b a ) / 2 i , i 0 .

For example, let

n = 802117 = 761 * 991

be an RSA modulus. We have I = [800218, 800326]. Figure 2 shows the generated test points in I for rounds

i = 0 , 1 ,

and

2 ,

i.e., we repeat the second while loop (Lines 17–25) of Algorithm 1 three times

i = 0 , 1 , 2 .

In Figure 3, we show the generation of the first fifty-five test points in the first 6 rounds (the sixth round is not completed).

Algorithm 1: Search for d
Symmetry 14 01897 i001

5. Implementation

In this section, we present the implementation of the proposed attack. The implementation is written in C/C++, compiled with GNU C++ Compiler, and run on an Intel(R) Xeon(R) E5645 CPU 2.40GHz running the Ubuntu operating system. We used GMP package [23], a free library for arbitrary precision arithmetic, and OpenMP (Open Multi-Processing) [24] to support multiprocessing programming in C.

The implementation considers the three attacks described in Section 3. If

ϕ ( n )

is expected to be in an interval

I = [ a , b ]

, then we distribute I on 20 threads. Let

S = { a 0 = a , a 1 , , a 20 = b }

be the set of end points of the 20 sub-intervals of

[ a , b ]

. Then thread number

i , 1 i 20 ,

independently runs Algorithm 1 on the sub-interval

[ a i 1 , a i [

. The size of the RSA modulus n conducted in the experimental study was 1024 bits, where each prime factor has 512 bits and was generated randomly. For most studied cases, the number of tested n is

100 .

The maximum value of test points was

L = 10 7 .

The First Attack: We consider the first attack in Section 3. We assume that

e n

,

d = n δ

and

p 1 p 2 = n β ,

i.e.,

ϕ ( n ) [ n + 1 n 2 β + 4 n , n + 1 2 n ] .

Based on Equations (1) and (2), we study the performance of using the proposed technique to attack RSA when

β

in the range

0.36 0.5 .

For each selected value of

β ,

we study the possibility of attack for different values of

δ .

Table 1 shows the average execution time and the (ceiling of) the average number of tested points of running the attack using single core and 20-cores. For

β = 0.5 , 0.46 , 044 , 0.4 ,

and

0.36

we study

δ

in the ranges 0.256∼0.268, 0.296∼0.308, 0.316∼0.328, 0.356∼0.368, 0.396∼0.408, respectively. All values of

δ

in the table are greater than the bound of de Weger [6] using continued fractions, Equation (1). This means that the proposed method using continued fractions and 20 cores succeeded to extend the bound of

d .

Furthermore, the results in the table show that

δ

is in the range of de Weger's results [6] using lattice, Equation (2) The parallel (multicore) implementation of the attack speeds up the sequential implementation by

18.1

on average.

The Second Attack: We consider the second attack in Section 3. We assume that

e n

,

d = n δ

and

2 p 2 p 1 n θ ,

i.e.,

ϕ ( n ) [ n + 1 3 2 2 n , n + 1 3 2 2 n + n 2 θ 0.5 + ϵ ] .

Based on Equation (3), we study the performance of using multicore systems to attack RSA when

θ

in the range

0.36 0.46 .

For each selected values of

θ ,

we study the possibility of attack for different values of

δ .

Table 2 shows the average execution time and the (ceiling of the) average number of tested points of running the attack using single core and 20-cores. For

θ = 0.46 , 0.44 , 0.4 ,

and

0.36 ,

we study

δ

in the ranges 0.296∼0.308, 0.316∼0.328, 0.356∼0.368 and 0.396∼0.408, respectively.

All values of

δ

in the table are greater than the bound of Maitra-Sarkar [9] using continued fractions, i.e.,

δ < 3 / 4 θ τ .

This means that the proposed method using continued fractions and 20 cores succeeded to extend the bound of

d .

The parallel (multicore) implementation of the attack speeds up the sequential implementation by

17.3

on average

The Third Attack: we consider the third attack in Section 3. We assume that an approximation

p 0

of

p 1

is obtained where

| p 0 p 1 | < 1 2 n α ,

i.e.,

ϕ ( n ) [ n + 1 ( p 0 + n p 0 ) 1 2 n α , n + 1 ( p 0 + n p 0 ) + 1 2 n α ] .

We study the performance of using multicore systems to attack RSA when

α > 0.25

, and and

δ

as in Equation (4). We choose

α

in the range 0.36∼0.46. For each selected value of

α ,

we study the possibility of the attack for different values of

δ .

Table 3 shows the average execution time and the (ceiling of the) average number of tested points of running the attack using single core and 20-cores. For

α = 0.46 , 0.44 , 0.4 ,

and

0.36

we study

δ

in the ranges 0.274∼0.286, 0.284∼0.296, 0.304∼0.316, and 0.324∼0.336, respectively.

All values of

δ

in the table are greater than the bound of Equation (4) using continued fractions. This means that the proposed method using continued fractions and 20 cores succeeded to extend the bound of

d .

The parallel (multicore) implementation of the attack speeds up the sequential implementation by

14.9

on average.

Table 4 shows the upper bound of

δ

for the proposed attacks and previous attacks [6,9,14] using continued fractions. The proposed attack raises the previous bound of

δ

by

η .

As we can see from Table 1, Table 2 and Table 3, the value of

η

depends on the number of generated test points in

I .

The execution times required to complete the attacks depend on the number of cores, type of attack, and

η .

For example, if

η = 0.016 ,

then the execution time to find the private key for the third attack (Table 3) is 44 min on average, while the execution times are

7.67

h for the first attack (Table 1) and

2.7

h for the second attack (Table 2).

6. Complexity Analysis

Let

m 0

be an approximation for

ϕ ( n )

. In the following lemma, we show the relationship between the difference

m 0 ϕ ( n )

and the upper bounds of e and d.

Lemma2.

Let n be a positive composite integer, e = n ξ , d = n δ and e , d < ϕ ( n ) , where e d = 1 + k ϕ ( n ) . If | m ϕ ( n ) | = n γ and 8 ( 1 + ϵ ) < n 2 ( ξ + γ + 2 δ ) where m , ϕ ( n ) > n / 2 , then k / d is a convergent of CF ( e / m ) , i.e.,

Proof.

We have

e m k d = 1 + k ϕ ( n ) k m m d < 2 k ( n γ + 1 ) n d

Also, we have

k = e d 1 ϕ ( n ) < 2 e d n

,

k < 2 n ξ + δ 1

. Therefore, Equation (5) leads to

e m k d < 4 n ξ 2 ( n γ + 1 ) < 4 ( 1 + ϵ ) n ξ + γ 2 < 1 2 n 2 δ = 1 2 d 2

Suppose that

ϕ ( n )

is in an interval

[ a , b ]

, i.e.,

a ϕ ( n ) b

. We show, in the following theorem, the relationship between the length

b a

of this interval and the running time to retrieve the private exponent

d .

Theorem5.

Let ( n , e = n ξ ) be a public key of RSA and d = n δ be the corresponding private exponent. Suppose that we can estimate ϕ ( n ) [ a , b ] for two known values a and b and we divide [ a , b ] into S 1 subintervals of the same size such that

b a S 1 4 ( 1 + ϵ ) n 2 ( ξ + 2 δ )

for a small value ϵ . Then d can be obtained in time in l log n .

Proof.

Let

{ m 1 , m 2 , , m S }

be points of a subdivision for the interval

[ a , b ]

where

m i + 1 m i = b a S

for

i = 1 , 2 , , S 1

. We test for every

m i

whether

k / d

is a convergent of

CF ( e / m i ) .

Let

m i 0

satisfies that

m i 0 ϕ ( n ) m i ϕ ( n ) , 1 i S .

Thus,

| m i 0 ϕ ( n ) | b a 2 S

. Thus, we have

| m i 0 ϕ ( n ) | b a 2 S 1 8 ( 1 + ϵ ) n 2 ( ξ + 2 δ )

Let

b a 2 S = n γ ,

for some real number

γ .

Then, we have

8 ( 1 + ϵ ) < n 2 ( ξ + γ + 2 δ )

. By Lemma 2,

k / d

is a convergent of

CF ( e / m i 0 ) .

Since computing

CF ( e / m i )

takes a polynomial time in

log n

, so to test all

e / m i , i = 1 , 2 , , S ,

we need a time of order

S log n .

Theorem 5 shows that the complexity of the proposed method depends on the size of S besides the length of

I .

7. Conclusions and Future Works

The RSA cryptosystem is used in the most popular security products and protocols in use today. We have presented a new technique to improve a small private exponent attack on RSA. We have successfully raised the upper bound of the private exponent d by

η = 0.016

using continued fractions and multicore systems for three small private exponent attacks in RSA: de Weger [6], Maitra-Sarkar [9], and Nassr et al. [14]. The average execution times for the attacks are 7.67 h, 2.7 h, and 44 min, respectively. These results were obtained using 20 cores and for n with 1024 bits. The execution time and the value of

η

can be improved by

  • Finding a shorter interval for

    ϕ ( n ) ,

    , i.e., finding better lower and upper bounds of

    ϕ ( n ) .

    In particular, when the prime factors

    p 1

    and

    p 2

    satisfy some conditions as in the three attacks.

  • Improving test points generation to find a value close to

    ϕ ( n ) .

    We have presented a new strategy (Algorithm 1) to generate such points.

  • Increasing the number of cores.

Increasing the number of cores is necessary to complete the attack in a reasonable time, but it is expected that increasing the number of cores only will not increase

η

dramatically since the proposed interval for

ϕ ( n )

is not small.

The results presented in the paper can be extended to different variations of RSA such as [25,26,27,28,29,30]. The results can also be applied to different attacks [4,31] on the private exponent of RSA that use lattices instead of continued fractions. It is also possible to use cloud systems (with thousands of cores) to implement the attacks.

Thus, interesting research questions raised by this study are (1) how to get better lower and upper bounds of

ϕ ( n )

? (2) how to improve test point generation.

Author Contributions

Conceptualization, H.M.B. (Hatem M. Bahig) and D.I.N.; methodology, H.M.B. (Hatem M. Bahig), D.I.N. and H.M.B. (Hazem M. Bahig); software, D.I.N. and M.A.M.; validation, H.M.B. (Hatem M. Bahig), D.I.N. and H.M.B. (Hazem M. Bahig); formal analysis, H.M.B. (Hatem M. Bahig) and D.I.N.; data curation, D.I.N. and H.M.B. (Hatem M. Bahig); writing—original draft preparation, H.M.B. (Hatem M. Bahig) and D.I.N.; writing—review and editing, H.M.B. (Hazem M. Bahig); visualization, H.M.B. (Hatem M. Bahig), D.I.N. and M.A.M.; supervision, H.M.B. (Hazem M. Bahig); project administration, H.M.B. (Hazem M. Bahig); funding acquisition, H.M.B. (Hazem M. Bahig). All authors have read and agreed to the published version of the manuscript.

Funding

This research has been funded by Scientific Research Deanship at University of Ha'il—Saudi Arabia through project number RG-21 124.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Acknowledgments

The authors are grateful to the referees for their valuable comments and remarks. The authors would like to acknowledge the support provided by Scientific Research Deanship at University of Ha'il—Saudi Arabia through project number RG-21 124.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Rivest, R.; Shamir, A.; Adleman, L. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM 1978, 21, 120–126. [Google Scholar] [CrossRef]
  2. Shor, P. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 1997, 26, 1484–1509. [Google Scholar] [CrossRef]
  3. Wiener, M. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 1990, 36, 553–558. [Google Scholar] [CrossRef]
  4. Boneh, D.; Durfee, G. Cryptanalysis of RSA with private key d less than N0.292. IEEE Trans. Inf. Theory 2000, 46, 1339–1349. [Google Scholar] [CrossRef]
  5. Coppersmith, D. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. J. Cryptol. 1997, 10, 233–260. [Google Scholar] [CrossRef]
  6. De Weger, B. Cryptanalysis of RSA with Small Prime Difference. Appl. Algebra Eng. Commun. Comput. 2002, 13, 17–28. [Google Scholar] [CrossRef]
  7. Blömer, J.; May, A. A Generalized Wiener Attack on RSA. In Public Key Cryptography—PKC 2004, Proceedings of the 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 1–4 March 2004; Lecture Notes in Computer Science (Volume 2947); Springer: Berlin/Heidelberg, Germany, 2004; pp. 1–13. [Google Scholar]
  8. Jochemsz, E.; May, A. A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. In Advances in Cryptology—ASIACRYPT 2006, Proceedings of the 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, 3–7 December 2006; Lecture Notes in Computer Science (Volume 4284); Springer: Berlin/Heidelberg, Germany, 2006; pp. 267–282. [Google Scholar]
  9. Maitra, S.; Sarkar, S. Revisiting Wiener's Attack—New Weak Keys in RSA. In Information Security, Proceedings of the 11th International Conference, ISC 2008, Taipei, Taiwan, 15–18 September 2008; Lecture Notes in Computer Science (Volume 5222); Springer: Berlin/Heidelberg, Germany, 2008; pp. 228–243. [Google Scholar]
  10. Nitaj, A.; Ariffin, M.R.K.; Nassr, D.I.; Bahig, H.M. New Attacks on the RSA Cryptosystem. In Progress in Cryptology—AFRICACRYPT 2014, Proceedings of the P7th International Conference on Cryptology in Africa, Marrakesh, Morocco, 28–30 May 2014; Springer International Publishing: Cham, Switzerland, 2014; pp. 178–198. [Google Scholar]
  11. Bahig, H.M.; Mahdi, M.A.; Alutaibi, K.A.; AlGhadhban, A.; Bahig, H.M. Performance Analysis of Fermat Factorization Algorithms. Int. J. Adv. Comput. Sci. Appl. 2020, 11, 51–60. [Google Scholar] [CrossRef]
  12. Bahig, H.M.; Bahig, H.M.; Kotb, Y. Fermat Factorization using a Multi-Core System. Int. J. Adv. Comput. Sci. Appl. 2020, 11. [Google Scholar] [CrossRef]
  13. Bahig, H.M. Speeding Up Fermat's Factoring Method using Precomputation. Ann. Emerg. Technol. Comput. 2022, 6, 51–60. [Google Scholar] [CrossRef]
  14. Nassr, D.I.; Bahig, H.M.; Bhery, A.; Daoud, S.S. A new RSA vulnerability using continued fractions. In Proceedings of the 2008 IEEE/ACS International Conference on Computer Systems and Applications, Doha, Qatar, 31 March–4 April 2008; pp. 694–701. [Google Scholar]
  15. Bahig, H.M.; Nassr, D.I.; Bhery, A.; Nitaj, A. A Unified Method for Private Exponent Attacks on RSA Using Lattices. Int. J. Found. Comput. Sci. 2020, 31, 207–231. [Google Scholar] [CrossRef]
  16. Jones, W.B.; Thron, W.J. Continued Fractions: Analytic Theory and Applications. In Encyclopedia of Mathematics and Its Applications; Cambridge University Press: Cambridge, UK, 1984; pp. 17–26. [Google Scholar]
  17. Cuyt, A.A.; Petersen, V.; Verdonk, B.; Waadeland, H.; Jones, W.B. Handbook of Continued Fractions for Special Functions, 1st ed.; Springer: Dordrecht, The Netherlands, 2008. [Google Scholar]
  18. Steinfeld, R.; Contini, S.; Pieprzyk, J.; Wang, H. Converse Results to the Wiener Attack on RSA; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2005; pp. 184–198. [Google Scholar]
  19. Stein, W. Elementary Number Theory: Primes, Congruences, and Secrets: A Computational Approach; Undergraduate Texts in Mathematics; Springer: Berlin/Heidelberg, Germany, 2008. [Google Scholar]
  20. Dujella, A. Continued fractions and RSA with small secret exponent. Tatra Mt. Math. Publ. 2004, 29, 101–112. [Google Scholar]
  21. May, A. New RSA Vulnerabilities Using Lattice Reduction Methods. Ph.D. Thesis, University of Paderborn, Paderborn, Germany, 2003. Available online: http://www.cs.uni-paderborn.de/uploads/tx_sibibtex/bp.pdf (accessed on 6 March 2022).
  22. Kaedi, S.; Doostari, M.; Ghaznavi-Ghoushchi, M.B.; Yusefi, H. A New Side-Channel Attack on Reduction of RSA CRT Montgomery Method Based. J. Circuits Syst. Comput. 2020, 30, 2150038. [Google Scholar] [CrossRef]
  23. GNU, MP. The GNU Multiple Precision Arithmetic Library, 6.2.1 ed. 2020. Available online: http://gmplib.org/ (accessed on 1 August 2022).
  24. OpenMP Architecture Review Board. OpenMP Application Program Interface Version 5.2. 2021. Available online: https://www.openmp.org/wp-content/uploads/OpenMP-API-Specification-5-2.pdf (accessed on 1 August 2022).
  25. Bahig, H.; Bhery, A.; Nassr, D. Cryptanalysis of Multi-Prime RSA with Small Prime Difference. In Information and Communications Security, Proceedings of the 14th International Conference, ICICS 2012, Hong Kong, China, 29–31 October 2012; Lecture Notes in Computer Science (Volume 7618); Springer: Berlin/Heidelberg, Germany, 2012; pp. 33–44. [Google Scholar]
  26. Nassr, D.I.; Anwar, M.; Bahig, H.M. Improving small private exponent attack on the Murru-Saettone cryptosystem. Theor. Comput. Sci. 2022, 923, 222–234. [Google Scholar] [CrossRef]
  27. Bunder, M.; Nitaj, A.; Susilo, W.; Tonien, J. A generalized attack on RSA type cryptosystems. Theor. Comput. Sci. 2017, 704, 74–81. [Google Scholar] [CrossRef]
  28. Nitaj, A.; Kamel Ariffin, M.R.; Hanisah Adenan, N.N.; Azman Abu, N. Classical Attacks on a Variant of the RSA Cryptosystem. In Progress in Cryptology—LATINCRYPT 2021, Proceeding of the 7th International Conference on Cryptology and Information Security in Latin America, Bogotá, Colombia, 6–8 October 2021; Lecture Notes in Computer Science (Volume 12912); Springer: Berlin/Heidelberg, Germany, 2021; pp. 151–167. [Google Scholar]
  29. Nitaj, A.; Kamel Ariffin, M.R.; Hanisah Adenan, N.N.; Chien Lau, T.S.; Chen, J. Security Issues of Novel RSA Variant. IEEE Access 2022, 10, 53788–53796. [Google Scholar] [CrossRef]
  30. Abd Ghafar, A.H.; Kamel Ariffin, M.R.; Asbullah, M.A. A New LSB Attack on Special-Structured RSA Primes. Symmetry 2020, 12, 838. [Google Scholar] [CrossRef]
  31. Durfee, G. Cryptanalysis of RSA Using Algebraic and Lattice Methods. Ph.D. Thesis, Stanford University, Stanford, CA, USA, 2002. Available online: http://theory.stanford.edu/~gdurf/durfee-thesis-phd.pdf (accessed on 6 March 2022).

Figure 1. Generating test points in a round i.

Figure 1. Generating test points in a round i.

Symmetry 14 01897 g001

Figure 2. Generating test points in

I = [ 800218 , 800323 ] ,

with rounds

0 , 1 ,

and

2 .

Figure 2. Generating test points in

I = [ 800218 , 800323 ] ,

with rounds

0 , 1 ,

and

2 .

Symmetry 14 01897 g002

Figure 3. The scatter of test points.

Figure 3. The scatter of test points.

Symmetry 14 01897 g003

Table 1. Performance of the first attack (

p 1 p 2 = n β

and

d = n δ

) using 20 cores where t is the average of execution time (seconds) and l is the ceiling of the average number of test points.

Table 1. Performance of the first attack (

p 1 p 2 = n β

and

d = n δ

) using 20 cores where t is the average of execution time (seconds) and l is the ceiling of the average number of test points.

β δ Nu. One Thread 20 Threads Speedup
Samples (in Time)
0.5 0.256 100 t = 0.043, l = 94 t = 0.002, l = 4 21.5
0.26 100 t = 7.77, l = 15877 t = 0.42, l = 856 18.5
0.264 100 t = 2002.6, l = 3097665 t = 111.7, l = 112900 17.9
0.268 20 - t = 39739.6, l = 500482
0.46 0.296 100 t = 0.063, l = 118 t = 0.003, l = 7 21
0.3 100 t = 10.854, l = 23867 t = 0.5781, l = 1153 19
0.304 100 t = 3296.8, l = 3660146 t = 173.93, l = 137063 18.9
0.308 20 - t = 57539.5, l = 555210
0.44 0.316 100 t = 0.031, l = 63 t = 0.002, l = 4 15.5
0.32 100 t = 5.22, l = 11104 t = 0.28, l = 576 18.6
0.324 100 t = 1000.23, l = 1406319 t = 56.68, l = 57944 17.6
0.328 20 - t = 13288.79, l = 172930
0.4 0.356 100 t = 0.034, l = 71 t = 0.002, l = 4 17
0.36 100 t = 5.024, l = 12147 t = 0.28, l = 574 17.9
0.364 100 t = 1926.7, l = 2158924 t = 115.7, l = 85716 16.6
0.368 20 - t = 10148.54, l = 130304
0.36 0.396 100 t = 0.069, l = 68 t = 0.004, l = 3 17.25
0.4 100 t = 5.37, l = 12993 t = 0.29, l = 605 18.5
0.404 100 t = 1319.3, l = 2102342 t = 77.32, l = 79480 17.0
0.408 20 - t = 17501.6, l = 222104

Table 2. Performance of the second attack (

2 p 2 p 1 = n θ

and

d = n δ

) using 20 cores where t is the average execution time (seconds) and l is the ceiling of the average number of test points.

Table 2. Performance of the second attack (

2 p 2 p 1 = n θ

and

d = n δ

) using 20 cores where t is the average execution time (seconds) and l is the ceiling of the average number of test points.

θ δ Nu. One Thread 20 Threads Speedup
Samples (in Time)
0.46 0.296 100 t = 0.035, l = 53 t = 0.002, l = 4 17.5
0.3 100 t = 3.69, l = 6639 t = 0.23, l = 486 16.0
0.304 100 t = 973.7, l = 394798 t = 61.38, l = 15819 15.8
0.308 20 - t = 20716.3, l = 266455
0.44 0.316 100 t = 0.020, l = 38 t = 0.001, l = 2 20
0.32 100 t = 1.91, l = 4488 t = 0.10, l = 207 19.1
0.324 100 t = 543.2, l = 213884 t = 30.19, l = 7812 17.9
0.328 20 - t = 7901.3, l = 101421
0.4 0.356 100 t = 0.019, l = 34 t = 0.001, l = 2 19
0.36 100 t = 1.50, l = 3096 t = 0.09, l = 202 16.6
0.364 100 t = 501.4, l = 220657 t = 27.43, l = 7077 18.2
0.368 20 - t = 6355.7 l = 82008
0.36 0.396 100 t = 0.019, l = 37 t = 0.001, l = 2 19
0.4 100 t = 1.52, l = 2551 t = 0.10, l = 203 15.2
0.404 100 t = 464.9, l = 311345 t = 32.83, l = 8331 14.1
0.408 20 - t = 4624.7, l = 58978

Table 3. Performance of the third attack (

p 2 < p 1 < 2 p 2

,

| p 0 p 1 | = 1 2 n α

and

d = n δ

) using 20 cores where t is the average of execution time (seconds) and l is the ceiling of the average number of test points.

Table 3. Performance of the third attack (

p 2 < p 1 < 2 p 2

,

| p 0 p 1 | = 1 2 n α

and

d = n δ

) using 20 cores where t is the average of execution time (seconds) and l is the ceiling of the average number of test points.

α δ Nu. One Thread 20 Threads Speedup
Samples (in Time)
0.46 0.274 100 t = 0.013, l = 26 t = 0.001, l = 2 13
0.278 100 t = 0.44, l = 1121 t = 0.03, l = 53 14.6
0.282 100 t = 91.64, l = 57602 t = 5.189, l = 1342 17.6
0.286 20 - t = 966.6, l = 13539
0.44 0.284 100 t = 0.012, l = 21 t = 0.001, l = 2 12
0.288 100 t = 0.28, l = 610 t = 0.02 l = 35 14
0.292 100 t = 250.3, l = 144888 t = 13.49, l = 3480 18.5
0.296 20 - t = 3324.8, l = 41458
0.4 0.304 100 t = 0.015, l = 31 t = 0.001, l = 2 15
0.308 100 t = 0.50, l = 1441 t = 0.03, l = 71 16.6
0.312 100 t = 144.0, l = 97241 t = 8.39, l = 2185 17.1
0.316 20 - t = 1818.5, l = 24390
0.36 0.324 100 t = 0.012, l = 25 t = 0.001, l = 2 12
0.328 100 t = 0.27, l = 515 t = 0.02, l = 34 13.5
0.332 100 t = 58.12, l = 36556 t = 3.81, l = 997 15.2
0.336 20 - t = 4342.7, l = 52888

Table 4. Comparison in the upper bound of

δ

between the proposed and previous attacks using continued fractions, where

η

is a small positive number.

Table 4. Comparison in the upper bound of

δ

between the proposed and previous attacks using continued fractions, where

η

is a small positive number.

Conditions of Attacks Bound of δ Our Result
| p 1 p 2 | n β [6]
0.25 β 0.5 δ < 3 / 4 β δ < 3 / 4 β + η
| 2 p 2 p 1 | n θ [9]
0.25 θ 0.5 δ < 3 / 4 θ δ < 3 / 4 θ + η
p 0 n is an approximation for p 1 [14]
| p 1 p 0 | 1 8 n α , α 1 2 δ < 1 α 2 δ < 1 α 2 + η

Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

reyesprots1989.blogspot.com

Source: https://www.mdpi.com/2073-8994/14/9/1897/htm

0 Response to "Mathematica Function That Accepts an Rsa Key and Performs a Continued Fraction Low Exponent Attack"

Post a Comment

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel