Cryptanalysis of RSA with a small parameter

Authors:
Xianmeng Meng;Xuexin Zheng
Affiliations:
School of Mathematics, Shandong University of Finance and Economics, Jinan, P.R. China;Key Lab of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, P.R. China
Venue:
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Year:
2012

Citing 11
Cited 0

A space efficient algorithm for group structure computation

Mathematics of Computation
A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
On random walks for Pollard's Rho method

Mathematics of Computation
On the Design of RSA with Short Secret Exponent

ASIACRYPT '99 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99

ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Speeding Up Pollard's Rho Method for Computing Discrete Logarithms

ANTS-III Proceedings of the Third International Symposium on Algorithmic Number Theory
On the efficiency of Pollard's rho method for discrete logarithms

CATS '08 Proceedings of the fourteenth symposium on Computing: the Australasian theory - Volume 77
Cryptanalysis of RSA with private key d less than N0:292

EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
RSA with balanced short exponents and its application to entity authentication

PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Cryptanalysis of RSA with private key d less than N0.292

IEEE Transactions on Information Theory
Cryptanalysis of short RSA secret exponents

IEEE Transactions on Information Theory

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper investigates the security of RSA system with short exponents. Let N=pq be an RSA modulus with balanced primes p and q. Denote the public exponent by e and the private exponent by d. Then e and d satisfy ed−1=kφ(N), which is usually called the RSA equation. When e and d are both short, and parameter k is the smallest unknown variable in RSA equation, we prove that there exist two new square root attacks. One attack applies the baby-step giant-step method, the other applies the Pollard's ρ method. We show that if K is a known upper bound of k, then k can be recovered in time $\tilde{O}(\sqrt{K})$ and memory $\tilde{O}(\sqrt{K})$ by using the baby-step giant-step method, and in time $\tilde{O}(\sqrt{K})$ and negligible memory by applying Pollard ρ method. As an application of our new attacks, we present the cryptanalysis on an RSA-type scheme proposed by Sun et al.