Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Finding Small Roots of Univariate Modular Equations Revisited
Proceedings of the 6th IMA International Conference on Cryptography and Coding
Finding small roots of bivariate integer polynomial equations: a direct approach
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
New attacks on RSA with small secret CRT-Exponents
PKC'06 Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography
Cryptanalysis of RSA with private key d less than N0.292
IEEE Transactions on Information Theory
Revisiting Wiener's Attack --- New Weak Keys in RSA
ISC '08 Proceedings of the 11th international conference on Information Security
Improved Partial Key Exposure Attacks on RSA by Guessing a Few Bits of One of the Prime Factors
Information Security and Cryptology --- ICISC 2008
Partial Key Exposure Attack on CRT-RSA
ACNS '09 Proceedings of the 7th International Conference on Applied Cryptography and Network Security
Low-cost client puzzles based on modular exponentiation
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Privacy-preserving outsourcing of brute-force key searches
Proceedings of the 3rd ACM workshop on Cloud computing security workshop
Security analysis of an RSA key generation algorithm with a large private key
ISC'11 Proceedings of the 14th international conference on Information security
Maximizing small root bounds by linearization and applications to small secret exponent RSA
PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
Efficient CRT-RSA decryption for small encryption exponents
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Partial key exposure on RSA with private exponents larger than N
ISPEC'12 Proceedings of the 8th international conference on Information Security Practice and Experience
A new attack on RSA and CRT-RSA
AFRICACRYPT'12 Proceedings of the 5th international conference on Cryptology in Africa
Side channel attack to actual cryptanalysis: breaking CRT-RSA with low weight decryption exponents
CHES'12 Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems
Reduction in lossiness of RSA trapdoor permutation
SPACE'12 Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering
Cryptanalytic results on `Dual CRT' and `Common Prime' RSA
Designs, Codes and Cryptography
| Hi-index | 0.00 |
Wiener's famous attack on RSA with d N0.25 shows that using a small d for an efficient decryption process makes RSA completely insecure. As an alternative, Wiener proposed to use the Chinese Remainder Theorem in the decryption phase, where dp = d mod (p - 1) and dq = d mod (q - 1) are chosen significantly smaller than p and q. The parameters dp, dq are called private CRT-exponents. Since Wiener's proposal in 1990, it has been a challenging open question whether there exists a polynomial time attack on small private CRT-exponents. In this paper, we give an affirmative answer to this question, and show that a polynomial time attack exists if dp and dq are smaller than N0.073.