分野別セミナー

We consider some attacks on multi-prime RSA (MPRSA) with a modulus $N=p_1p_2\dots p_r$ ($r \ge 3$). It is believed that the small private exponent attack on the MPRSA is less effective than that on RSA (see Hinek et al.'s work at SAC 2003), which means that one can use a smaller private exponent in the MPRSA than that in the original RSA. However, our attacks show that private exponents which are significantly beyond Hinek's bound may be insecure when the prime difference $\Delta$ ($\Delta=p_r-p_1=N^{\gamma}$, $0<\gamma<1/r$, suppose $p_1\leq p_2\leq\cdots\leq p_r$) is small. By exploring the relation between $\phi(N)$ and its upper bound, our proposed small private exponent attack can make full use of the benefit brought by small prime difference. It is shown that the MPRSA is insecure when $\delta<1-\sqrt{1+\gamma-2/r}$, where $\delta$ is the exponential of the private exponent $d$ with base $N$, i.e., $d=N^{\delta}$. This result is a perfect extension of the best known small private exponent attack. We also present a Fermat-like factoring attack on the MPRSA which can directly factor the modulus $N$ when $\Delta\leq N^{1/r^2}$. These results surpass those of Bahig et al. (ICICS 2012) and the attacks are experimentally proved effective in practice.