# A New LSB Attack on Special-Structured RSA Primes


## Abstract


## 1. Introduction

#### About This Paper

## 2. Preliminaries

**Lemma 1.**

**Proof.**

**Lemma 2.**

**Proof.**

**Definition 1.** Let $l_1, l_2, m \in \mathbb{Z}^{+}$. Suppose $p = a^m + r_p$ and $q = b^m + r_q$ are primes. Suppose there exist unknown $a_0$ and $b_0$ such that

## 3. Our Attack

**Definition 2.** A **sufficiently small** value, in this paper, is a value smaller than the largest value at the lowest security level that can feasibly be brute-forced by current computing machines.
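As an added example (not code from the paper), the following Python screens a candidate RSA prime for the structure of Definition 1, treating an offset below $2^k$ as sufficiently small in the sense of Definition 2: it finds the exponent $m \ge 2$ for which $p = a^m + r_p$ with the smallest non-negative $r_p$ and flags the candidate when $r_p < 2^k$. The function names and the budget $k$ are this example's own assumptions; the paper does not specify this check.

```python
# Added example, not the paper's code: screen a candidate RSA prime for the
# special structure p = a^m + r_p of Definition 1, with r_p < 2^k taken as
# "sufficiently small" per Definition 2 (k is an assumed brute-force budget).

def iroot(n: int, m: int) -> int:
    """Largest integer a with a**m <= n, in exact integer arithmetic (n >= 0, m >= 1)."""
    if n < 2 or m == 1:
        return n
    # n < 2**bits, so the root is below 2**(bits//m + 1); binary search from there.
    lo, hi = 1, 1 << (n.bit_length() // m + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** m <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def nearest_power_offset(p: int) -> tuple:
    """Return (m, a, r) with p = a**m + r and r >= 0 minimal over all m >= 2.

    Every p has such a representation with a = iroot(p, m); what matters for
    Definition 1 is only whether the offset r is small for some exponent m.
    """
    if p < 4:
        raise ValueError("p must be at least 4")
    best = None
    for m in range(2, p.bit_length()):
        a = iroot(p, m)
        if a < 2:  # 2**m > p: no base >= 2 exists for this or any larger m
            break
        r = p - a ** m
        if best is None or r < best[2]:
            best = (m, a, r)
    return best


def has_weak_structure(p: int, k: int) -> bool:
    """True when p = a**m + r_p for some m >= 2 with r_p < 2**k, i.e. reject p."""
    return nearest_power_offset(p)[2] < (1 << k)


if __name__ == "__main__":
    # Constructed sample: 10**9 + 7 is prime and equals 1000**3 + 7, so r_p = 7.
    print(nearest_power_offset(10**9 + 7))   # (3, 1000, 7)
    print(has_weak_structure(10**9 + 7, 3))  # True, since 7 < 2**3
```

For a real key generator the same check would be applied to both $p$ and $q$ before accepting the modulus, with $k$ set from the brute-force budget assumed in Definition 2.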

**Remark 1.**

**Theorem 1.**

**Proof.**

**Remark 2.**

**Example 1.**

**Remark 3.**

## 4. Numbers of Primes with Vulnerable Specialized Structures Against Random Reconstruction Algorithm

**Theorem 2.**

**Proof.**

**Theorem 3.**

**Proof.**

## 5. Comparative Analysis

## 6. Countermeasure of the Attack

**Example 2.**

## 7. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## Abbreviations

| Abbreviation | Meaning |
|---|---|
| LSB | Least significant bits |
| MSB | Most significant bits |
| RRA | Random reconstruction algorithm |
| RSA | Rivest–Shamir–Adleman |

## References

- Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM **1978**, 21, 120–126.
- Buhler, J.P.; Lenstra, H.W.; Pomerance, C. Factoring integers with the number field sieve. In The Development of the Number Field Sieve; Springer: Berlin/Heidelberg, Germany, 1993; pp. 50–94.
- Pollard, J.M. Theorems on factorization and primality testing. Math. Proc. Camb. Philos. Soc. **1974**, 76, 521–528.
- Boneh, D.; Durfee, G.; Frankel, Y. An attack on RSA given a small fraction of the private key bits. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 1998; pp. 25–34.
- Heninger, N.; Shacham, H. Reconstructing RSA private keys from random key bits. In Advances in Cryptology – CRYPTO 2009; Springer: Berlin/Heidelberg, Germany, 2009; pp. 1–17.
- Maitra, S.; Sarkar, S.; Gupta, S.S. Factoring RSA modulus using prime reconstruction from random known bits. In International Conference on Cryptology in Africa; Springer: Berlin/Heidelberg, Germany, 2010; pp. 82–99.
- Kocher, P.; Jaffe, J.; Jun, B.; Rohatgi, P. Introduction to differential power analysis. J. Cryptogr. Eng. **2011**, 1, 5–27.
- Kocher, P.C. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 1996; pp. 104–113.
- Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 1999; pp. 388–397.
- Martinasek, Z.; Zeman, V.; Trasy, K. Simple electromagnetic analysis in cryptography. Int. J. Adv. Telecommun. Electrotech. Signals Syst. **2012**, 1, 13–19.
- Cho, J.; Kim, T.; Kim, S.; Im, M.; Kim, T.; Shin, Y. Real-Time Detection for Cache Side Channel Attack using Performance Counter Monitor. Appl. Sci. **2020**, 10, 984.
- Genkin, D.; Shamir, A.; Tromer, E. RSA key extraction via low-bandwidth acoustic cryptanalysis. In Annual Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2014; pp. 444–461.
- Ghafar, A.H.A.; Ariffin, M.R.K.; Asbullah, M.A. Extending Pollard Class of Factorable RSA Modulus. In Proceedings of the 6th International Cryptology and Information Security Conference 2018 (CRYPTOLOGY2018), Port Dickson, Negeri Sembilan, Malaysia, 9–11 July 2018; p. 103.
- Ghafar, A.; Ariffin, M.; Asbullah, M. A New Attack on Special-Structured RSA Primes. Malays. J. Math. Sci. **2019**, 13, 111–125.
- Barker, E.; Dang, Q. Recommendation for Key Management, Part 1: General; NIST Special Publication 800-57 Part 1, Revision 4; National Institute of Standards and Technology (NIST): Gaithersburg, MD, USA, 2016.
- Rivest, R.L.; Shamir, A. Efficient factoring based on partial information. In Workshop on the Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1985; pp. 31–34.
- Coppersmith, D. Finding a small root of a bivariate integer equation; factoring with high bits known. In International Conference on the Theory and Applications of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1996; pp. 178–189.
- Herrmann, M.; May, A. Solving linear equations modulo divisors: On factoring given any bits. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2008; pp. 406–424.

| Attacks | Position of Known Bits | Bits of Primes Needed to Be Known | Comments/Remarks | Advantages/Disadvantages |
|---|---|---|---|---|
| Rivest and Shamir (1985) | LSBs or MSBs | $2/3$ of the bits of $p$ or $q$ | Solving an integer programming problem | Advantages: fast. Disadvantages: requires a lot of known bits |
| Coppersmith (1996) | LSBs or MSBs | $1/2$ of the bits of $p$ or $q$ | Using a lattice-based method | |
| Herrmann and May (2008) | Any position (in blocks) | $\log_e(2) \approx 0.7$ of the bits of $p$ or $q$ | Number of blocks $\approx \log\log N$ | |
| Heninger and Shacham (2009) | Any position | $r_p = N^{\delta_1}$, $r_q = N^{\delta_2}$, $\delta_1 + \delta_2 \ge 0.57$ of the bits of $p$ or $q$ | Using the random reconstruction algorithm (RRA) | |
| Maitra et al. (2010) | LSBs | $r_p = N^{\delta_1}$, $r_q = N^{\delta_2}$, $\delta_1 + \delta_2 \ge 0.5$ of the bits of $p$ or $q$ | Using RRA together with a lattice-based method | |
| Our method: Theorem 1 | LSBs | $r_p, r_q < 2^k$ where $2^k$ is sufficiently small as in Definition 2, i.e., $r_p, r_q < N^{k/\log_2 N}$ | Side-channel attack of complexity $O(2^k)$ where $2^k$ is sufficiently small as in Definition 2 | Advantages: fast, requires fewer known bits. Disadvantages: requires specific hardware to conduct the side-channel attack |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Abd Ghafar, A.H.; Kamel Ariffin, M.R.; Asbullah, M.A.
A New LSB Attack on Special-Structured RSA Primes. *Symmetry* **2020**, *12*, 838.
https://doi.org/10.3390/sym12050838
