Partial Key Exposure Attacks on RSA up to Full Size Exponents

  • Matthias Ernst
  • Ellen Jochemsz
  • Alexander May
  • Benne de Weger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3494)


We present several attacks on RSA that factor the modulus in polynomial time under the condition that a fraction of the most significant bits or least significant bits of the private exponent is available to the attacker. Our new attacks on RSA are the first attacks of this type that work up to full size public or private exponent.


RSA cryptanalysis partial key exposure lattice reduction Coppersmith’s method 


  1. 1.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with Private Key d Less Than N 0.292. IEEE Transactions on Information Theory 46, 1339–1349 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    Boneh, D., Durfee, G., Frankel, Y.: An Attack on RSA given a Small Fraction of the Private Key Bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  3. 3.
    Blömer, J., May, A.: New Partial Key Exposure Attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Coppersmith, D.: Small Solutions to Polynomial Equations and Low Exponent RSA Vulnerabilities. Journal of Cryptology 10, 233–260 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Coron, J.-S.: Finding Small Roots of Bivariate Integer Equations Revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Lenstra, A., Lenstra Jr., H., Lovász, L.: Factoring Polynomials with Rational Coefficients. Mathematische Ann. 261, 513–534 (1982)Google Scholar
  8. 8.
    May, A.: Cryptanalysis of Unbalanced RSA with Small CRT-Exponent. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 242–256. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    May, A.: Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 213–219. Springer, Heidelberg (2004)Google Scholar
  10. 10.
    Shoup, V.: NTL: A Library for doing Number Theory, online, available at
  11. 11.
    de Weger, B.: Cryptanalysis of RSA with Small Prime Difference. Applicable Algebra in Engineering, Communication and Computing 13, 17–28 (2002)zbMATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Wiener, M.: Cryptanalysis of Short RSA Secret Exponents. IEEE Transactions on Information Theory 36, 553–558 (1990)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Matthias Ernst
    • 1
  • Ellen Jochemsz
    • 2
  • Alexander May
    • 1
  • Benne de Weger
    • 2
  1. 1.Faculty of Computer Science, Electrical Engineering and MathematicsUniversity of PaderbornPaderbornGermany
  2. 2.Department of Mathematics and Computer ScienceEindhoven University of TechnologyEindhovenThe Netherlands

Personalised recommendations