The subliminal channel and digital signatures
Proc. of the EUROCRYPT 84 workshop on Advances in cryptology: theory and application of cryptographic techniques
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
An Attack on RSA Given a Small Fraction of the Private Key Bits
ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
Finding Small Roots of Univariate Modular Equations Revisited
Proceedings of the 6th IMA International Conference on Cryptography and Coding
Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems
CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems
Malicious Cryptography: Exposing Cryptovirology
Malicious Cryptography: Exposing Cryptovirology
Reconstructing RSA Private Keys from Random Key Bits
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Riemann's hypothesis and tests for primality
Journal of Computer and System Sciences
Finding a small root of a univariate modular equation
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Finding a small root of a bivariate integer equation; factoring with high bits known
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Cryptanalysis of RSA with private key d less than N0:292
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Finding small roots of bivariate integer polynomial equations: a direct approach
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
A polynomial time attack on RSA with private CRT-exponents smaller than N0.073
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Partial key exposure attacks on RSA up to full size exponents
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Maximizing small root bounds by linearization and applications to small secret exponent RSA
PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
New attacks on RSA with small secret CRT-Exponents
PKC'06 Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography
Partial key exposure: generalized framework to attack RSA
INDOCRYPT'11 Proceedings of the 12th international conference on Cryptology in India
| Hi-index | 0.00 |
In 1998, Boneh, Durfee and Frankel described several attacks against RSA enabling an attacker given a fraction of the bits of the private exponent d to recover all of d. These attacks were later improved and extended in various ways. They however always consider that the private exponent d is smaller than the RSA modulus N. When it comes to implementation, d can be enlarged to a value larger than N so as to improve the performance (by lowering its Hamming weight) or to increase the security (by preventing certain side-channel attacks). This paper studies this extended setting and quantifies the number of bits of d required to mount practical partial key exposure attacks. Both the cases of known most significant bits (MSBs) and least significant bits (LSBs) are analyzed. Our results are based on Coppersmith's heuristic methods and validated by practical experiments run through the SAGE computer-algebra system.