A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Low-exponent RSA with related messages
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Cryptanalysis of RSA with private key d less than N0:292
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Partial key exposure attacks on RSA up to full size exponents
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Cryptanalysis of short RSA secret exponents
IEEE Transactions on Information Theory
On the improvement of Fermat factorization using a continued fraction technique
Future Generation Computer Systems
| Hi-index | 0.00 |
In RSA equation: ed=k·φ(N)+1, we may guess on partial bits of d or p+q by doing an exhaustive search to further extend the security boundary of d. In this paper, we discuss the following question: Does guessing on p+q bring more benefit than guessing on d? We provide the detailed analysis on this problem by using the lattice reduction technique. Our analysis shows that leaking partial most significant bits (MSBs) of p+q in RSA risks more than leaking partial MSBs of d. This result inspires us to further extend the boundary of the Boneh-Durfee attack to N0.284+Δ, where "Δ" is contributed by the capability of exhaustive search. Assume that doing an exhaustive search for 64 bits is feasible in the current computational environment, the boundary of the Boneh-Durfee attack should be raised to dN0.328 for an 1024-bit RSA modulus. This is a 37 bits improvement over Boneh and Durfee's boundary.