Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Finding Small Roots of Univariate Modular Equations Revisited
Proceedings of the 6th IMA International Conference on Cryptography and Coding
ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
Cryptanalysis of RSA with private key d less than $N^{0.292}$
IEEE Transactions on Information Theory
Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Partial Key Exposure Attack on CRT-RSA
ACNS '09 Proceedings of the 7th International Conference on Applied Cryptography and Network Security
Trading decryption for speeding encryption in Rebalanced-RSA
Journal of Systems and Software
Parallel Lattice Basis Reduction Using a Multi-threaded Schnorr-Euchner LLL Algorithm
Euro-Par '09 Proceedings of the 15th International Euro-Par Conference on Parallel Processing
Finding small roots of bivariate integer polynomial equations: a direct approach
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
A polynomial time attack on RSA with private CRT-exponents smaller than $N^{0.073}$
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Security analysis of an RSA key generation algorithm with a large private key
ISC'11 Proceedings of the 14th international conference on Information security
Maximizing small root bounds by linearization and applications to small secret exponent RSA
PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
Efficient CRT-RSA decryption for small encryption exponents
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Partial key exposure on RSA with private exponents larger than N
ISPEC'12 Proceedings of the 8th international conference on Information Security Practice and Experience
A new attack on RSA and CRT-RSA
AFRICACRYPT'12 Proceedings of the 5th international conference on Cryptology in Africa
An efficient LLL gram using buffered transformations
CASC'07 Proceedings of the 10th international conference on Computer Algebra in Scientific Computing
Cryptanalytic results on `Dual CRT' and `Common Prime' RSA
Designs, Codes and Cryptography
On the improvement of Fermat factorization
NSS'12 Proceedings of the 6th international conference on Network and System Security
On the improvement of Fermat factorization using a continued fraction technique
Future Generation Computer Systems
It is well known that there is an efficient method for decrypting/signing with RSA when the secret exponent $d$ is small modulo $p-1$ and $q-1$. We call such an exponent $d$ a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Durfee bound for small $d$. At Crypto 2002, May presented a partial solution in the case of an RSA modulus $N=pq$ with unbalanced prime factors $p$ and $q$. Based on Coppersmith's method, he showed that there is a polynomial time attack provided that $q < N^{0.382}$. We will improve this bound to $q < N^{0.468}$. Thus, our result comes close to the desired normal RSA case with balanced prime factors. We also present a second result for balanced RSA primes in the case that the public exponent $e$ is significantly smaller than $N$. More precisely, we show that there is a polynomial time attack if $d_{p}, d_{q} \leq \min\{(N/e)^{\frac{2}{5}}, N^{\frac{1}{4}}\}$. The method can be used to attack two fast RSA variants recently proposed by Galbraith, Heneghan, McKee, and by Sun, Wu.