Partial Key Attack Given MSBs of CRT-RSA Private Keys


Bibliographic Details
Main Authors: Amir Hamzah Abd Ghafar, Muhammad Rezal Kamel Ariffin, Sharifah Md Yasin, Siti Hasana Sapar
Format: Article
Language: English
Published: MDPI AG 2020-12-01
Series: Mathematics
Subjects:
Online Access: https://www.mdpi.com/2227-7390/8/12/2188
Description
Summary: The CRT-RSA cryptosystem is the most widely adopted RSA variant in digital applications. It exploits the properties of the Chinese remainder theorem (CRT) to elegantly reduce the size of the private keys. This significantly increases the efficiency of the RSA decryption algorithm. Nevertheless, an attack on RSA may also be applied to this RSA variant. One of the attacks is called partially known private key attack, that relies on the assumption that the adversary has knowledge of partial bits regarding RSA private keys. In this paper, we mount this type of attack on CRT-RSA. By using partial most significant bits (MSBs) of one of the RSA primes, $p$ or $q$ and its corresponding private exponent, $d$, we obtain an RSA intermediate. The intermediate is derived from $p-1$ and RSA public key, $e$. The analytical and novel reason on the success of our attack is that once the adversary has obtained the parameters: approximation of private exponent $\tilde{d}_p$, approximation of $p$, $\tilde{p}$ and the public exponent $e$ where $\tilde{d}_p, \tilde{p}, e = N^{\alpha/2}$ where $0 < \alpha \le 1/4$ such that $|d_p - \tilde{d}_p|, |p - \tilde{p}| < N^{\frac{1-\alpha}{2}}$ and has determined the largest prime of $\left\lfloor \frac{p-1}{e} \right\rfloor$, it will enable the adversary to factor the RSA modulus $N = pq$. Although the parameter space to find the prime factor is large, we show that one can adjust its “success appetite” by applying prime-counting function properties. By comparing our method with contemporary partial key attacks on CRT-RSA, upon determining a suitable predetermined “success appetite” value, we found out that our method required fewer bits of the private keys in order to factor $N$.
ISSN: 2227-7390