TY - GEN

T1 - On the improvement of the BDF attack on LSBS-RSA

AU - Sun, Hung Min

AU - Wu, Mu En

AU - Wang, Huaxiong

AU - Guo, Jian

PY - 2008

Y1 - 2008

N2 - An (α β, γ)-LSBS RSA denotes an RSA system with primes sharing α least significant bits, private exponent d with β least significant bits leaked, and public exponent e with bit-length γ. Steinfeld and Zheng showed that LSBS-RSA with small e is inherently resistant to the BDF attack, but LSBS-RSA with large e is more vulnerable than standard RSA. In this paper, we improve the BDF attack on LSBS-RSA by reducing the cost of exhaustive search for k, where k is the parameter in RSA equation: . Consequently, the complexity of the BDF attacks on LSBS-RSA can be further reduced. Denote σ as the multiplicity of 2 in k. Our method gives the improvements, which depend on the two cases: 1 In the case , the cost of exhaustive search for k in LSBS-RSA can be simplified to searching k in polynomial time. Thus, the complexity of the BDF attack is independent of γ, but it still increases as α increases. 1 In the case \min \left\{ \beta ,2\alpha \right\} -\sigma]] , the complexity of the BDF attack on LSBS-RSA can be further reduced with increasing α or β. More precisely, we show that an LSBS-RSA is more vulnerable under the BDF attack as increases proportionally with the size of N. In the last, we point out that although LSBS-RSA benefits the computational efficiency in some applications, one should be more careful in using LSBS-RSA.

AB - An (α β, γ)-LSBS RSA denotes an RSA system with primes sharing α least significant bits, private exponent d with β least significant bits leaked, and public exponent e with bit-length γ. Steinfeld and Zheng showed that LSBS-RSA with small e is inherently resistant to the BDF attack, but LSBS-RSA with large e is more vulnerable than standard RSA. In this paper, we improve the BDF attack on LSBS-RSA by reducing the cost of exhaustive search for k, where k is the parameter in RSA equation: . Consequently, the complexity of the BDF attacks on LSBS-RSA can be further reduced. Denote σ as the multiplicity of 2 in k. Our method gives the improvements, which depend on the two cases: 1 In the case , the cost of exhaustive search for k in LSBS-RSA can be simplified to searching k in polynomial time. Thus, the complexity of the BDF attack is independent of γ, but it still increases as α increases. 1 In the case \min \left\{ \beta ,2\alpha \right\} -\sigma]] , the complexity of the BDF attack on LSBS-RSA can be further reduced with increasing α or β. More precisely, we show that an LSBS-RSA is more vulnerable under the BDF attack as increases proportionally with the size of N. In the last, we point out that although LSBS-RSA benefits the computational efficiency in some applications, one should be more careful in using LSBS-RSA.

UR - http://www.scopus.com/inward/record.url?scp=70349850769&partnerID=8YFLogxK

U2 - 10.1007/978-3-540-70500-0-7

DO - 10.1007/978-3-540-70500-0-7

M3 - Conference proceeding contribution

SN - 3540699716

SN - 9783540699712

VL - 5107 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 84

EP - 97

BT - Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings

A2 - Mu, Yi

A2 - Susilo, Willy

A2 - Seberry, Jennifer

PB - Springer, Springer Nature

CY - Berlin; New York

ER -