Handbook of Applied Cryptography
Handbook of Applied Cryptography
An Advantage of Low-Exponent RSA with Modulus Primes Sharing Least Significant Bits
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Cryptanalysis of RSA with private key d less than N0.292
IEEE Transactions on Information Theory
Note: Fixed points of the RSA encryption algorithm
Theoretical Computer Science
| Hi-index | 0.90 |
Let us fix a security parameter n and a sufficiently large encryption exponent e. We show that for a random choice of the RSA modulus m = pq, where p and q are n-bit primes, the decryption exponent d, defined by ed = 1 (mod ϕ(m)) is uniformly distributed modulo ϕ(m). It is known, due to recent work of Boneh, Durfee and Frankel, that additional information about some bits of d may turn out to be dramatic for the security of the whole cryptosystem. Our uniformity of distribution result implies that sufficiently long strings of the most and the least significant bits of d, which are vulnerable to such attacks, behave as random binary vectors.