A space efficient algorithm for group structure computation
Mathematics of Computation
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
On random walks for Pollard's Rho method
Mathematics of Computation
On the Design of RSA with Short Secret Exponent
ASIACRYPT '99 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99
ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Speeding Up Pollard's Rho Method for Computing Discrete Logarithms
ANTS-III Proceedings of the Third International Symposium on Algorithmic Number Theory
On the efficiency of Pollard's rho method for discrete logarithms
CATS '08 Proceedings of the fourteenth symposium on Computing: the Australasian theory - Volume 77
Cryptanalysis of RSA with private key d less than $N^{0.292}$
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
RSA with balanced short exponents and its application to entity authentication
PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Cryptanalysis of RSA with private key d less than $N^{0.292}$
IEEE Transactions on Information Theory
Cryptanalysis of short RSA secret exponents
IEEE Transactions on Information Theory
This paper investigates the security of the RSA system with short exponents. Let N=pq be an RSA modulus with balanced primes p and q. Denote the public exponent by e and the private exponent by d. Then e and d satisfy ed−1=kφ(N), which is usually called the RSA equation. When e and d are both short, and the parameter k is the smallest unknown variable in the RSA equation, we prove that there exist two new square root attacks. One attack applies the baby-step giant-step method; the other applies Pollard's ρ method. We show that if K is a known upper bound of k, then k can be recovered in time $\tilde{O}(\sqrt{K})$ and memory $\tilde{O}(\sqrt{K})$ by using the baby-step giant-step method, and in time $\tilde{O}(\sqrt{K})$ and negligible memory by applying Pollard's ρ method. As an application of our new attacks, we present a cryptanalysis of an RSA-type scheme proposed by Sun et al.