| The RSA cryptosystem ,invented byRivest, Shamir and Adleman [41], is the most widely known and widely used public key cryptosystem in the world today.The main drawback of using RSA, however, is the relatively costly encryption and decryption oprations. Multi-prime RSA is a generalization of the standard RSA cryptosystem in which the modulus contains more than two primes. When decryption operations are done modulo each prime and then combined using the Chinese Remainder theorem, the cost of decryption is reduced with each additional prime added to the modulus (for a fixed modulus size). Thus, multi-prime RSA mighe be a practical alternative to RSA when decryption costs need to be lowered, the ssecurity of RSA has been well studied (see Boneh [6]) since it was invented. If multi-prime RSA is to be actually implementde and used, its security musu be investigated further.There have been a number of attacks on RSA named partial key exposure attacks, where an attacker has some knowledge of the bits of the private key and uses it to break the system. The results are of practical interest, since implementations may leak bits of the private key.In 1998, Boneh, Durfee and Frankel presented several partial key exposure attacks on RSA in [2]. Some of these attacks require knowledge of the least significant bits (LSBs) of the private exponent, others of the most significant bits (MSBs). Additionally, in their attacks, the public exponent must be relatively small. Wiener's attack [17] and the improvement by Boneh and Durfee [4] can be seen as partial key exposure attacks where the most significant bits of the private exponent are known to be equal to zero.In[2] the question is posed whether there exist partial key exposure attacks on RSA that work for public exponents larger than the square root of the modulus. In 2003,Blomer and May[1] described a number of attacks that do allow larger public exponents, but not yet to the full size of the modulus. Then Ernst,Jochemsz etc. present attacks for full size private exponent that work up to full size public exponent in[17].At Eurocrypt'96. Coppersmith proposed an algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction techniques. Based on it, a factoring attack applies to integers of the same form as multi-prime RSA moduli with known partial factorization. This attack is a generalization of Boneh, Durfee and Howgrave-Graham's lattice-based factoring method for moduli of the form N = prq. For balanced r-prime RSA we assume that the adversary knows v of the r primes in N, for some 1≤v≤r - 2, in addition to zero or more of the most or least significant bits of the remaining unknown primes and the private exponent.Coppersmith's algorithm for solving univariate modular polynomial equations was further simplified by Howgrave-Graham in [24]. Apart from being simpler to understand and implement, a significant advantage of Howgrave-Graham's approach is the heuristic extension to multivariate modular polynomial. Jean-SebastienCoron is analogous the simplification in [15]. They can illustrate the new algorithm with the problem of finding the factors of n = pq if they are given the high order log2 n/4 bits of p.This paper based on the simplification brought byJeon - SebastienCoronto find small roots of ternary integer polynomial equation, we can illustrate the new algorithm with the problem of finding the factors of n = pqr if they are given the high order log2 n/5 bits of p, q. The main results are the following theorems.Theorem 3.1: letp(x,y.z) be an irreducible polynomial in three variables enter Z, of maximum degreeδin each variable separately. Let X, Y and Z be upper bounds on the desired integer solution (x0, y0,z0). and letW = maxi,j,k|pijk|XiYjZk.If for someε> 0,then in time polynomial in(logW, 2δ), one can find all integer pair (x0,y0,z0) such that p(x0,y0,z0) = 0, |x0|≤X, |y0|≤Y, |z0|≤Z.This attack, like all of the other lattice-based attacks on multi-prime RSA, rely in the algebraic independence assumption .Theorem 3.3: In polynomial time we can find the factorization of N = PQR if we know the high-order or the low-order 1/5 log2N bits of P,Q.Theorem 4.1: let p(x1,x2,...,xr) be an irreducible polynomial in r variables over Z, of maximum degree 5 in each variable separately. Let X1, X2,..., Xr be upper bounds on the desired integer solution x10,x20,...,xr0 and let W =maxi1,i2,...,ir|pi1,i2,...,ir|X1i1X2i2...Xrir. If for someε> 0then in time polynomial, one can find all integer pair(x10,x20,...,xr0) such thatp(x10,x20,...,xr0) =0, |x10|≤X1,|x20|≤X2,...,|xr0|≤Xr.Theorem 4.2: We can find the factorization of N = P1P2... Prin polynomial time , if we know the high-order or the low-order 1/r+2 log2 N bits of P1,P2,...,Pr-1. |
PDF Full Text Request