A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N0.073

  • Ellen Jochemsz
  • Alexander May
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)


Wiener’s famous attack on RSA with d < N0.25 shows that using a small d for an efficient decryption process makes RSA completely insecure. As an alternative, Wiener proposed to use the Chinese Remainder Theorem in the decryption phase, where dp = dmod (p − 1) and dq = dmod (q − 1) are chosen significantly smaller than p and q. The parameters dp, dq are called private CRT-exponents. Since Wiener’s proposal in 1990, it has been a challenging open question whether there exists a polynomial time attack on small private CRT-exponents. In this paper, we give an affirmative answer to this question, and show that a polynomial time attack exists if dp and dq are smaller than N0.073.


RSA CRT cryptanalysis small exponents Coppersmith’s method 


  1. 1.
    Bauer, A., Joux, A.: Toward a Rigorous Variation of Coppersmith’s Algorithm on Three Variables. In: Proceedings of Eurocrypt 2007. LNCS, vol. 4515, pp. 361–378. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. 2.
    Bleichenbacher, D., May, A.: New Attacks on RSA with Small Secret CRT-Exponents. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 1–13. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Boneh, D.: Twenty Years of Attacks on the RSA Cryptosystem. Notices of the American Mathematical Society 46, 203–213 (1999)MATHGoogle Scholar
  4. 4.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with Private Key d Less Than N 0.292. IEEE Transactions on Information Theory 46, 1339–1349 (2000)MATHCrossRefGoogle Scholar
  5. 5.
    Coppersmith, D.: Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Journal of Cryptology 10, 233–260 (1997)MATHCrossRefGoogle Scholar
  6. 6.
    Coron, J.-S.: Finding Small Roots of Bivariate Integer Equations Revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004)Google Scholar
  7. 7.
    Coron, J.-S.: Finding Small Roots of Bivariate Integer Polynomial Equations: a Direct Approach. In: Proceedings Crypto 2007 (2007)Google Scholar
  8. 8.
    Cox, D., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms, 2nd edn. Springer, Heidelberg (1998)Google Scholar
  9. 9.
    ECRYPT - Hardness of the Main Computational Problems Used in Crypto-graphy, IST-2002-507932, available at http://www.ecrypt.eu.org/documents/D.AZTEC.4-1.1.pdf
  10. 10.
    Galbraith, S., Heneghan, C., McKee, J.: Tunable Balancing of RSA. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 280–292. Springer, Heidelberg (2005)Google Scholar
  11. 11.
    Galbraith, S., Heneghan, C., McKee, J.: Tunable Balancing of RSA, full version of [10] http://www.isg.rhul.ac.uk/~sdg/full-tunable-rsa.pdf
  12. 12.
    Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M. (ed.) Cryptography and Coding. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  13. 13.
    Jochemsz, E., May, A.: A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Jutla, C.S.: On Finding Small Solutions of Modular Multivariate Polynomial Equations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 158–170. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  15. 15.
    Lenstra, A., Lenstra Jr., H., Lovász, L.: Factoring Polynomials with Rational Coefficients. Mathematische Ann. 261, 513–534 (1982)Google Scholar
  16. 16.
    May, A.: Cryptanalysis of Unbalanced RSA with Small CRT-Exponent. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 242–256. Springer, Heidelberg (2002)Google Scholar
  17. 17.
    Nguyen, P., Stehlé, D.: Floating-Point LLL Revisited. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2006)Google Scholar
  18. 18.
    Quisquater, J.J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystems. Electronic Letters 18, 905–907 (1982)CrossRefGoogle Scholar
  19. 19.
    STORK - Strategic Roadmap for Crypto, IST-2002-38273, available at http://www.stork.eu.org/documents/RUB-D6-2_1.pdf
  20. 20.
    Sun, H.-M., Wu, M.-E.: An Approach Towards RSA-CRT with Short Public Exponent IACR eprint, http://eprint.iacr.org/2005/053
  21. 21.
    Sun, H.-M., Hinek, M.J., Wu, M.-E.: On the Design of Rebalanced RSA-CRT, revised version of [20], http://www.cacr.math.uwaterloo.ca/techreports/2005/cacr2005-35.pdf
  22. 22.
    Wiener, M.: Cryptanalysis of Short RSA Secret Exponents. IEEE Transactions on Information Theory 36, 553–558 (1990)MATHCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Ellen Jochemsz
    • 1
  • Alexander May
    • 2
  1. 1.Department of Mathematics and Computer Science, TU Eindhoven, 5600 MB EindhovenThe Netherlands
  2. 2.Faculty of Computer Science, TU Darmstadt, 64289 DarmstadtGermany

Personalised recommendations