Title: Partial key exposure attacks on Prime Power RSA with non-consecutive blocks
Authors: Ziming Jiang, Yongbin Zhou, Yuejun Liu
DOI: 10.1016/j.tcs.2024.114845
Journal: Theoretical Computer Science, volume 1019, Article 114845
Publication date: 2024-09-05
Publication type: Journal Article
Open access: no
Journal metrics: impact factor 0.9; JCR Q3 (Computer Science, Theory & Methods)
URL: https://www.sciencedirect.com/science/article/pii/S0304397524004626
Indexed on: Semantic Scholar
Citations: 0
Partial key exposure attacks on Prime Power RSA with non-consecutive blocks

Abstract
Partial key exposure attacks pose a significant threat to RSA-type cryptosystems. These attacks factorize the RSA modulus by utilizing partial knowledge of the decryption exponent, which is typically revealed by side-channel attacks, cold boot attacks, etc. Such partial information is often located in non-consecutive blocks. However, the majority of the proposed attacks on Prime Power RSA have only considered a single unexposed block. Meanwhile, related attacks cannot be extended to multiple unexposed blocks, or do not achieve optimal results when they are.
In this paper, we propose partial key exposure attacks on the Prime Power RSA modulus N = p^r q^l with n unknown blocks, where n ≥ 2. We reduce this extended attack to solving multivariate linear modular equations and apply lattice-based approaches, including Herrmann-May's method (ASIACRYPT'08), Takayasu-Kunihiro's method (ACISP'13), and Lu-Zhang-Peng-Lin's method (ASIACRYPT'15), to solve them. Furthermore, we improve Lu et al.'s method by adding helpful polynomials and removing unhelpful polynomials to construct a better lattice basis. We also extend Lu et al.'s method by introducing a new parameter to make the lattice basis construction more flexible. Our improved and extended methods can be used for attacks when l = 1 and l ≥ 1, respectively. These new attacks require less partial information than previous methods. For example, in the case where n = 2, we reduce the amount of partial information needed from 80.7% to 77.8% when r = 2, l = 1, and from 64.0% to 44.9% when r = 3, l = 2.
Journal description:
Theoretical Computer Science is mathematical and abstract in spirit, but it derives its motivation from practical and everyday computation. Its aim is to understand the nature of computation and, as a consequence of this understanding, provide more efficient methodologies. All papers introducing or studying mathematical, logic and formal concepts and methods are welcome, provided that their motivation is clearly drawn from the field of computing.