Solving simultaneous modular equations of low degree
SIAM Journal on Computing - Special issue on cryptography
A course in computational algebraic number theory
A course in computational algebraic number theory
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Finding Small Roots of Univariate Modular Equations Revisited
Proceedings of the 6th IMA International Conference on Cryptography and Coding
Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Cryptanalysis of RSA with private key d less than N0:292
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
A polynomial time attack on RSA with private CRT-exponents smaller than N0.073
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
New attacks on RSA with small secret CRT-Exponents
PKC'06 Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography
Cryptanalysis of short RSA secret exponents
IEEE Transactions on Information Theory
Reduction in lossiness of RSA trapdoor permutation
SPACE'12 Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering
| Hi-index | 0.00 |
In RSA, the public modulus N=pq is the product of two primes of the same bit-size, the public exponent e and the private exponent d satisfy $ed\equiv 1 \pmod{(p - 1)(q - 1)}$. In many applications of RSA, d is chosen to be small. This was cryptanalyzed by Wiener in 1990 who showed that RSA is insecure if dN0.25. As an alternative, Quisquater and Couvreur proposed the CRT-RSA scheme in the decryption phase, where $d_p = d \pmod{(p - 1)}$ and $d_q = d \pmod{(q - 1)}$ are chosen significantly smaller than p and q. In 2006, Bleichenbacher and May presented an attack on CRT-RSA when the CRT-exponents dp and dq are both suitably small. In this paper, we show that RSA is insecure if the public exponent e satisfies an equation $ex+y\equiv 0\pmod p$ with $|x||y|dp say, satisfies $d_pdp and dq are required to be suitably small.