CryptoBook
  • CryptoBook
  • Book Plan
  • Style Guide
    • Sample Page
  • Contributors
  • Fundamentals
    • Mathematical Notation
    • Division and Greatest common divisor
      • Euclidean Algorithm
    • Modular Arithmetic
      • Theorems of Wilson, Euler, and Fermat
        • Fermat's Little Theorem in Detail
        • Euler's Theorem in Detail
      • Quadratic Residues
    • Continued Fractions
  • Number Theory
  • Ideals
  • Polynomials With Shared Roots
  • Integer Factorization
    • Pollard rho
    • Sieves
  • Abstract algebra
    • Groups
      • Another take on groups
      • Discrete Log Problem
    • Rings
    • Fields
    • Polynomials
  • Elliptic Curves
    • Untitled
  • Lattices
    • Introduction
    • LLL reduction
      • Gram-Schmidt Orthogonalization
      • Lagrange's algorithm
      • LLL reduction
    • Lattice reduction
      • Minkowski reduced
      • HKZ reduced
      • LLL reduced
    • Applications
      • Coppersmith algorithm
      • Extensions of Coppersmith algorithm
    • Hard lattice problems
    • Lattices of interest
    • Cryptographic lattice problems
      • Short integer solutions (SIS)
      • Learning with errors (LWE)
      • Ring-LWE
      • NTRU
    • Interactive fun
    • Resources and notations
  • Asymmetric Cryptography
  • RSA
    • Proof of correctness
    • RSA application
    • Low Private Component Attacks
      • Wiener's Attack
      • Boneh-Durfee Attack
    • Common Modulus Attack
    • Recovering the Modulus
  • Diffie-Hellman
    • MITM
  • Elliptic Curve Cryptography
  • Symmetric Cryptography
    • Encryption
    • The One Time Pad
    • AES
      • Rijndael Finite Field
      • Round Transformations
  • Hashes
    • Introduction / overview
    • The Birthday paradox / attack
  • Isogeny Based Cryptography
    • Introduction to Isogeny Cryptography
    • Isogenies
    • Isogeny and Ramanujan Graphs
  • Appendices
    • Sets and Functions
    • Probability Theory
Powered by GitBook
On this page
  • What is Boneh-Durfee Attack
  • Sage Implementation

Was this helpful?

Export as PDF
  1. RSA
  2. Low Private Component Attacks

Boneh-Durfee Attack

PreviousWiener's AttackNextCommon Modulus Attack

Last updated 3 years ago

Was this helpful?

What is Boneh-Durfee Attack

Boneh-Durfee attack is an extension of Wiener's attack. That is, it also attacks on low private component dddwith a further relaxed condition. If dddsatisfies:

d<N0.292d < N^{0.292} d<N0.292

Then we can use Boneh-Durfee attack to retrive ddd

this, using a graphical directed point of view, can be seen as:

{E,n}→d<N0.292P{d}\{E, n\} \xrightarrow[d < N^{0.292}]{P} \{d\} {E,n}Pd<N0.292​{d}

Consider d<Nid < N^{i}d<Nifor first, see that

1=ed+kϕ(N)21=ed + \frac{k \phi(N)}{2}\\ 1=ed+2kϕ(N)​

As stated above, the RSA's totient function can be espressed as:

ϕ(N)=(p−1)(q−1)=N−q−p+1 \phi(N) = (p-1)(q-1) = N-q-p+1ϕ(N)=(p−1)(q−1)=N−q−p+1

continuing with the equation, we see that

Sage Implementation

1=ed+k(N+12−p+q2)1 = ed + k(\frac{N+1}{2}-\frac{p+q}{2} )1=ed+k(2N+1​−2p+q​)

and if we decide to consider x=N+12x = \frac{N+1}{2} x=2N+1​and y=p+q2y = \frac{p+q}{2} y=2p+q​, we will have:

1=ed+k(x+y)1 = ed + k(x+y)1=ed+k(x+y)

At this point, finding dddis equivalent to find the 2 small solutions xxxand yyyto the congruence

f(x,y)≡k(x+y)≡1 (mod e)k(x+y)≡1( mod e)f(x,y) \equiv k(x+y) \equiv 1 \space (mod \space e) \\ k(x + y) \equiv 1 (\space mod \space e)f(x,y)≡k(x+y)≡1 (mod e)k(x+y)≡1( mod e)

now let s=−p+q2s = -\frac{p+q}{2}s=−2p+q​and A=N+12A = \frac{N+1}{2}A=2N+1​this will preserve the scomposed ϕ(N)\phi(N) ϕ(N)subtraction

k(A+s)≡1( mod e)k(A+s) \equiv 1 (\space mod \space e)k(A+s)≡1( mod e)

consider e=Nαe=N^{\alpha}e=Nα(with any α\alphaα), we deduct that α\alphaαmust be really closed to 111because eeeis in the same order of the length of NNN(so e=N∼1−e=N^{\sim 1^{-}}e=N∼1−), we will get

∣s∣<2N=p+q2<2N=2e12α∼e∣k∣<2edϕ(N)≤3edN<3e1+α+1α<ei| s | < 2\sqrt{N} = \\ \frac{p+q}{2} < 2\sqrt{N} =2e^{\frac{1}{2\alpha}} \sim \sqrt{e} \\ |k| < \frac{2ed}{\phi{(N)}} \leq\frac{3ed}{N}< 3e^{1+\frac{\alpha+1}{\alpha}} < e^{i}∣s∣<2N​=2p+q​<2N​=2e2α1​∼e​∣k∣<ϕ(N)2ed​≤N3ed​<3e1+αα+1​<ei
LogoRSA-and-LLL-attacks/boneh_durfee.sage at master · mimoo/RSA-and-LLL-attacksGitHub
Boneh-Durfee attack Sage implementation