Solving simultaneous modular equations of low degree
SIAM Journal on Computing - Special issue on cryptography
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
An Advantage of Low-Exponent RSA with Modulus Primes Sharing Least Significant Bits
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
An Attack on RSA Given a Small Fraction of the Private Key Bits
ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
On the Design of RSA with Short Secret Exponent
ASIACRYPT '99 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
On the Security of RSA with Primes Sharing Least-Significant Bits
Applicable Algebra in Engineering, Communication and Computing
Finding a small root of a bivariate integer equation; factoring with high bits known
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
The exact security of digital signatures-how to sign with RSA and Rabin
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Finding small roots of bivariate integer polynomial equations: a direct approach
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
RSA with balanced short exponents and its application to entity authentication
PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Partial key exposure attacks on RSA up to full size exponents
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Small private-exponent attack on RSA with primes sharing bits
ISC'07 Proceedings of the 10th international conference on Information Security
Cryptanalysis of Short Exponent RSA with Primes Sharing Least Significant Bits
CANS '08 Proceedings of the 7th International Conference on Cryptology and Network Security
Weak keys in RSA with primes sharing least significant bits
Inscrypt'09 Proceedings of the 5th international conference on Information security and cryptology
| Hi-index | 0.00 |
An $\left( \alpha ,\beta ,\gamma \right) $-LSBS RSA denotes an RSA system with primes sharing 驴least significant bits, private exponent dwith βleast significant bits leaked, and public exponent ewith bit-length 驴. Steinfeld and Zheng showed that LSBS-RSA with small eis inherently resistant to the BDF attack, but LSBS-RSA with large eis more vulnerable than standard RSA. In this paper, we improve the BDF attack on LSBS-RSA by reducing the cost of exhaustive search for k, where kis the parameter in RSA equation: $ed=k\cdot \varphi \left( N\right) +1$. Consequently, the complexity of the BDF attacks on LSBS-RSA can be further reduced. Denote 驴as the multiplicity of 2 in k. Our method gives the improvements, which depend on the two cases:1In the case $\gamma \leq \min \left\{ \beta ,2\alpha \right\} -\sigma $, the cost of exhaustive search for kin LSBS-RSA can be simplified to searching kin polynomial time. Thus, the complexity of the BDF attack is independent of 驴, but it still increases as 驴increases.1In the case $\gamma \min \left\{ \beta ,2\alpha \right\} -\sigma $, the complexity of the BDF attack on LSBS-RSA can be further reduced with increasing 驴or β.More precisely, we show that an LSBS-RSA is more vulnerable under the BDF attack as $\max \left\{ 2\alpha ,\beta \right\} $ increases proportionally with the size of N. In the last, we point out that although LSBS-RSA benefits the computational efficiency in some applications, one should be more careful in using LSBS-RSA.