Cryptanalysis of Short Exponent RSA with Primes Sharing Least Significant Bits

  • Hung-Min Sun
  • Mu-En Wu
  • Ron Steinfeld
  • Jian Guo
  • Huaxiong Wang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5339)


LSBS-RSA denotes an RSA system whose modulus primes, p and q, share a large number of least significant bits. In ISC 2007, Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than standard RSA. In this paper, we further raise the security boundary of the Zhao-Qi attack by considering another polynomial. Our improvement supports the result of the analogue of Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than \(\frac{n}{4}\) least significant bits, where n is the bit-length of pq. In conclusion, there is a trade-off between the number of shared bits and the security level of LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.
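
The \(\frac{n}{4}\) boundary that the abstract attributes to the analogue of Fermat factoring can be seen with plain integer arithmetic. The Python below is an added illustration, not code from the paper or its authors: the helper names (gen_lsbs_rsa, sqrt_mod_2pow, factor_lsbs, factor_lsbs_unknown_k), the 128-bit toy modulus, the fixed seeds and the candidate budget are all assumptions chosen so that it runs in well under a second. It writes N = s^2 - d^2 with s = (p+q)/2 and d = (p-q)/2, uses the fact that p ≡ q (mod 2^k) forces d ≡ 0 (mod 2^(k-1)) and hence s^2 ≡ N (mod 2^(2k-2)), solves that congruence, and enumerates only the high bits of s that the congruence leaves open. It goes slightly beyond the abstract by counting the candidates tried, so the search can be watched collapsing as k passes n/4, and by descending over k when the number of shared bits is not known.

```python
# Added illustration, not code from the paper: why primes that share about n/4 low bits
# let N be factored by an analogue of Fermat's method. Names, sizes and seeds are assumptions.
import random
from math import isqrt

# Fixed Miller-Rabin bases: deterministic for n < 3.3e24, far above the 64-bit toy primes here.
BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n):
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_lsbs_rsa(half_bits, k, seed=0):
    """Two half_bits-bit primes agreeing on their k least significant bits (LSBS-RSA)."""
    assert 3 <= k <= half_bits - 2
    rng = random.Random(seed)                      # fixed seed: reproducible toy keys
    while True:
        r = rng.getrandbits(k) | 1                 # the shared low bits, odd
        primes = []
        while len(primes) < 2:
            hi = rng.getrandbits(half_bits - k) | (1 << (half_bits - k - 1))
            if is_prime((hi << k) | r):
                primes.append((hi << k) | r)
        if primes[0] != primes[1]:
            return primes[0], primes[1]


def sqrt_mod_2pow(c, m):
    """All x in [0, 2^m) with x^2 = c (mod 2^m), c odd, m >= 3. A root mod 2^(i+1) reduces
    to a root mod 2^i, so each lift only tests x and x + 2^i; an odd square has 4 roots."""
    assert m >= 3
    roots = [1, 3, 5, 7] if c % 8 == 1 else []     # odd squares are 1 mod 8
    for i in range(3, m):
        mod = 1 << (i + 1)
        roots = [x for r in roots for x in (r, r + (1 << i)) if x * x % mod == c % mod]
    return roots


def factor_lsbs(N, k, max_candidates=1 << 20):
    """Analogue-Fermat factoring of N = p*q when p = q (mod 2^k), k >= 3, p and q balanced.
    With s = (p+q)/2, d = (p-q)/2: N = s^2 - d^2 and 2^(k-1) | d, so s^2 = N (mod 2^(2k-2)).
    That fixes s modulo 2^(2k-2); only the remaining high bits of s are searched, Fermat
    style: about 2^(n/2 - 2k + 2) candidates per root, i.e. constant once k is around n/4."""
    step = 1 << (2 * k - 2)
    s_min = isqrt(N) + (isqrt(N) ** 2 < N)          # ceil(sqrt(N)) <= s by AM-GM
    s_max = 1 << ((N.bit_length() + 1) // 2)       # s < max(p, q) < 2^ceil(n/2), balanced primes
    tried = 0
    for s0 in sqrt_mod_2pow(N % step, 2 * k - 2):
        s = s0 + max(0, -(-(s_min - s0) // step)) * step   # first s >= s_min in this class
        while s <= s_max and tried < max_candidates:
            tried += 1
            t = s * s - N
            d = isqrt(t)
            if d * d == t:
                return s + d, s - d, tried         # (p, q, candidates tried)
            s += step
    return None


def factor_lsbs_unknown_k(N, min_k=3, max_candidates=1 << 16):
    """k is not public: try large k first (cheapest) and descend until the budget runs out.
    Returns (p, q, candidates_tried, k) or None."""
    for k in range(N.bit_length() // 2, min_k - 1, -1):
        res = factor_lsbs(N, k, max_candidates)
        if res is not None:
            return res + (k,)
    return None


if __name__ == "__main__":
    for k in (36, 32, 28):                         # n = 128 here, so n/4 = 32
        p, q = gen_lsbs_rsa(64, k, seed=k)
        res = factor_lsbs(p * q, k)
        ok = res is not None and {res[0], res[1]} == {p, q}
        print(f"k={k}: factored={ok}, candidates tried={res[2] if ok else 'budget exhausted'}")
```

With k = 36 > n/4 the congruence already determines s outright and a single candidate suffices; every bit of sharing below n/4 roughly quadruples the enumeration, which is the trade-off the abstract describes. The lattice-based attacks the paper studies (Zhao-Qi and the refinement here) are what push the boundary for the short exponent case; this block only shows the Fermat-style baseline.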


Keywords

RSA, least significant bits (LSBs), LSBS-RSA, short exponent attack, lattice reduction technique, the Boneh-Durfee attack


References

  1. Boneh, D., Durfee, G., Frankel, Y.: An Attack on RSA Given a Small Fraction of the Private Key Bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)
  2. Boneh, D., Durfee, G., Frankel, Y.: Exposing an RSA Private Key Given a Small Fraction of its Bits. Full version of the work from ASIACRYPT 1998 (1998)
  3. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than \(N^{0.292}\). In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)
  4. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than \(N^{0.292}\). IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)
  5. Blömer, J., May, A.: New Partial Key Exposure Attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
  6. Bellare, M., Rogaway, P.: The exact security of digital signatures: How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
  7. Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
  8. Coron, J.-S.: Finding Small Roots of Bivariate Integer Polynomial Equations Revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004)
  9. Coron, J.-S.: Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 379–394. Springer, Heidelberg (2007)
  10. Durfee, G., Nguyen, P.Q.: Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt 1999. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–11. Springer, Heidelberg (2000)
  11. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial Key Exposure Attacks on RSA up to Full Size Exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
  12. Håstad, J.: Solving simultaneous modular equations of low degree. SIAM J. of Computing 17, 336–341 (1988)
  13. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  14. Shoup, V.: NTL: A Library for doing Number Theory
  15. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring Polynomials with Rational Coefficients. Mathematische Annalen 261, 515–534 (1982)
  16. Sun, H.-M., Yang, W.-C., Laih, C.-S.: On the design of RSA with short secret exponent. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 150–164. Springer, Heidelberg (1999)
  17. Sun, H.-M., Yang, C.-T.: RSA with balanced short exponents and its application to entity authentication. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 199–215. Springer, Heidelberg (2005)
  18. Sun, H.-M., Wu, M.-E., Chen, Y.-H.: Estimating the Prime Factors of an RSA Modulus and an Extension of the Wiener Attack. In: Katz, J., et al. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 116–128. Springer, Heidelberg (2007)
  19. Sun, H.-M., Wu, M.-E., Wang, H., Guo, J.: On the Improvement of the BDF Attack on LSBS-RSA. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 84–97. Springer, Heidelberg (2008)
  20. Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
  21. Steinfeld, R., Zheng, Y.: An Advantage of Low-Exponent RSA with Modulus Primes Sharing Least Significant Bits. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 52–62. Springer, Heidelberg (2001)
  22. Steinfeld, R., Zheng, Y.: On the Security of RSA with Primes Sharing Least-Significant Bits. Appl. Algebra Eng. Commun. Comput. 15(3-4), 179–200 (2004)
  23. Verheul, E.R., van Tilborg, H.C.A.: Cryptanalysis of less short RSA secret exponents. Appl. Algebra Eng. Commun. Comput.
  24. de Weger, B.: Cryptanalysis of RSA with small prime difference. Appl. Algebra Eng. Commun. Comput. 13, 17–28 (2002)
  25. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Information Theory 36(3), 553–559 (1990)
  26. Zhao, Y.-D., Qi, W.-F.: Small Private-Exponent Attack on RSA with Primes Sharing Bits. In: Garay, J., et al. (eds.) ISC 2007. LNCS, vol. 4779, pp. 221–229. Springer, Heidelberg (2007)

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Hung-Min Sun (1)
  • Mu-En Wu (1)
  • Ron Steinfeld (3)
  • Jian Guo (2)
  • Huaxiong Wang (2, 3)
  1. Department of Computer Science, National Tsing Hua University, Taiwan
  2. School of Physical & Mathematical Sciences, Nanyang Technological University, Singapore
  3. Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, Australia