A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Handbook of Applied Cryptography
Handbook of Applied Cryptography
Speeding Up Secret Computations with Insecure Auxiliary Devices
CRYPTO '88 Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology
Generating RSA Moduli with a Predetermined Portion
ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
An Attack on RSA Given a Small Fraction of the Private Key Bits
ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 is not Secure
ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
Short Proofs of Knowledge for Factoring
PKC '00 Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
On Some Attacks on Multi-prime RSA
SAC '02 Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography
On the uniformity of distribution of the decryption exponent in fixed encryption exponent RSA
Information Processing Letters
On the Improvement of the BDF Attack on LSBS-RSA
ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Cryptanalysis of Short Exponent RSA with Primes Sharing Least Significant Bits
CANS '08 Proceedings of the 7th International Conference on Cryptology and Network Security
Implicit Factoring: On Polynomial Time Factoring Given Only an Implicit Hint
Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
On the uniformity of distribution of the decryption exponent in fixed encryption exponent RSA
Information Processing Letters
Small private-exponent attack on RSA with primes sharing bits
ISC'07 Proceedings of the 10th international conference on Information Security
Hi-index | 0.00 |
Let N = pq denote an RSA modulus of length n bits. Call N an (m - LSbS) RSA modulus if p and q have exactly m equal Least Significant (LS) bits. In Asiacrypt '98, Boneh, Durfee and Frankel (BDF) described several interesting 'partial key exposure' attacks on the RSA system. In particular, for low public exponent RSA, they show how to recover in time polynomial in n the whole secret-exponent d given only the n=4 LS bits of d. In this note, we relax a hidden assumption in the running time estimate presented by BDF for this attack. We show that the running time estimated by BDF for their attack is too low for (m- LSbS) RSA moduli by a factor in the order of 2m. Thus the BDF attack is intractable for such moduli with large m. Furthermore, we prove a general related result, namely that if low-exponent RSA using an (m - LSbS) modulus is secure against poly-time conventional attacks, then it is also secure against poly-time partial key exposure attacks accessing up to 2m LS bits of d. Therefore, if low-exponent RSA using (n=4(1 - 驴) - LSbS) moduli for small 驴 is secure, then this result (together with BDF's result on securely leaking the n=2 MS bits of d) opens the possibility of fast and secure public-server-aided RSA decryption/signature generation.