A New Class of Weak Encryption Exponents in RSA

Abstract

Consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. We concentrate on the cases when e ( = N ^α) satisfies eX − ZY = 1, given |N − Z| = N ^τ. Using the idea of Boneh and Durfee (Eurocrypt 1999, IEEE-IT 2000) we show that the LLL algorithm can be efficiently applied to get Z when |Y| = N ^γ and \(\gamma < 4\alpha \tau \left(\frac{1}{4\tau} + \frac{1}{12\alpha} - \sqrt{(\frac{1}{4\tau} +\frac{1}{12\alpha})^2 + \frac{1}{2\alpha \tau} (\frac{1}{12} + \frac{\tau}{24\alpha} - \frac{\alpha}{8\tau})}\right)\). This idea substantially extends the class of weak keys presented by Nitaj (Africacrypt 2008) when Z = ψ(p, q, u, v) = (p − u)(q − v). Further, we consider Z = ψ(p, q, u, v) = N − pu − v to provide a new class of weak keys in RSA. This idea does not require any kind of factorization as used in Nitaj’s work. A very conservative estimate for the number of such weak exponents is N ^{0.75 − ε}, where ε> 0 is arbitrarily small for suitably large N.