In the domain of modern public key cryptography, RSA is the most popular system in use. Efficient factorization of the RSA modulus N, constituted as a product of two primes p, q of 'large' bitsize, is a challenging problem in RSA cryptanalysis. The solution to this factorization is aided if the attacker gains partial knowledge about the decryption exponent of RSA. This line of attack is called the Partial Key Exposure attack, and there exists an extensive literature in this direction. In this paper, we study partial key exposure attacks on RSA where the number of unexposed blocks in the decryption exponent is more than one. The existing works have considered only one unexposed block, and thus our work provides a generalization of the existing attacks. We propose lattice-based approaches to factorize the RSA modulus N=pq (for large primes p, q) when the number of unexposed blocks is n≥1. We also analyze the ISO/IEC 9796-2 standard signature scheme (based on CRT-RSA) with partially known messages.