Trading decryption for speeding encryption in Rebalanced-RSA
Journal of Systems and Software
Protocols that hide user's preferences in electronic transactions
Computer Networks: The International Journal of Computer and Telecommunications Networking
On the uniformity of distribution of the decryption exponent in fixed encryption exponent RSA
Information Processing Letters
Cryptanalysis of RSA with more than one decryption exponent
Information Processing Letters
Weak keys in RSA with primes sharing least significant bits
Inscrypt'09 Proceedings of the 5th international conference on Information security and cryptology
A public key cryptosystem based on three new provable problems
Theoretical Computer Science
A new attack on RSA and CRT-RSA
AFRICACRYPT'12 Proceedings of the 5th international conference on Cryptology in Africa
Cryptanalysis of RSA with a small parameter
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Small private-exponent attack on RSA with primes sharing bits
ISC'07 Proceedings of the 10th international conference on Information Security
RSA vulnerabilities with small prime difference
WEWoRC'11 Proceedings of the 4th Western European conference on Research in Cryptology
On optimal bounds of small inverse problems and approximate GCD problems with higher degree
ISC'12 Proceedings of the 15th international conference on Information Security
Side channel attack to actual cryptanalysis: breaking CRT-RSA with low weight decryption exponents
CHES'12 Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems
Cryptanalysis of multi-prime RSA with small prime difference
ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
Cryptanalytic results on `Dual CRT' and `Common Prime' RSA
Designs, Codes and Cryptography
Cryptanalysis of exhaustive search on attacking RSA
NSS'12 Proceedings of the 6th international conference on Network and System Security
On the improvement of Fermat factorization
NSS'12 Proceedings of the 6th international conference on Network and System Security
Security pitfalls of an efficient threshold proxy signature scheme for mobile agents
Information Processing Letters
A cryptanalytic attack on the use of short RSA secret exponents is described. The attack makes use of an algorithm based on continued fractions that finds the numerator and denominator of a fraction in polynomial time when a close enough estimate of the fraction is known. The public exponent e and the modulus pq can be used to create an estimate of a fraction that involves the secret exponent d. The algorithm based on continued fractions uses this estimate to discover sufficiently short secret exponents. For a typical case where e < pq, GCD(p-1, q-1) is small, and p and q have approximately the same number of bits, this attack will discover secret exponents with up to approximately one-quarter as many bits as the modulus. Ways to combat this attack, ways to improve it, and two open problems are described. This attack poses no threat to the normal case of RSA where the secret exponent is approximately the same size as the modulus. This is because the attack uses information provided by the public exponent and, in the normal case, the public exponent can be chosen almost independently of the modulus.
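A key-audit check built on the continued-fraction step the abstract describes, given here as an added example that is not code from the paper. It uses the simplified textbook form, assuming e·d ≡ 1 mod (p-1)(q-1); the function names and the toy key in the comments are constructed for illustration.

```python
from math import isqrt

def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    k_prev, k_cur = 0, 1   # numerators   h_{-2}, h_{-1}
    d_prev, d_cur = 1, 0   # denominators k_{-2}, k_{-1}
    while den:
        a = num // den
        num, den = den, num - a * den
        k_prev, k_cur = k_cur, a * k_cur + k_prev
        d_prev, d_cur = d_cur, a * d_cur + d_prev
        yield k_cur, d_cur

def short_private_exponent(e, n):
    """Return d if the public key (e, n) leaks a short secret exponent
    through the continued fraction of e/n, otherwise None.

    Assumption (simplified variant): e*d = 1 + k*(p-1)*(q-1), so k/d is a
    close estimate of e/n and appears among its convergents when d is short.
    """
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k        # candidate (p-1)(q-1)
        s = n - phi + 1               # candidate p + q
        disc = s * s - 4 * n          # (p - q)^2 if the guess is right
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if q > 1 and p * q == n:      # guess confirmed by factoring n
            return d
    return None

def audit_key(e, n):
    """Label a public key for a key-hygiene report."""
    return "REJECT: short secret exponent" if short_private_exponent(e, n) else "ok"

if __name__ == "__main__":
    # Constructed toy key: p = 379, q = 239, d = 5, e = 17993.
    print(audit_key(17993, 90581))
    # Same modulus with e = 65537 gives a full-size d.
    print(audit_key(65537, 90581))
```

The check only flags exponents below the bound stated in the abstract; a key that passes it can still be weak against the later lattice-based results listed among the citing papers.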