A New Lattice Construction for Partial Key Exposure Attack for RSA

  • Yoshinori Aono
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5443)


In this paper we present a new lattice construction for a lattice-based partial key exposure attack on RSA. We consider the situation in which the RSA secret key d is small and a sufficient number of the LSBs (least significant bits) of d are known to the attacker. We show that our lattice construction is theoretically more efficient than the known attacks proposed in [2,7].


Keywords: RSA, cryptanalysis, partial key exposure attack, lattice basis reduction, the Coppersmith technique


  1. Aono, Y.: Degree reduction of the lattice based attack for RSA. In: COMP2007-5, vol. 107, no. 24(20070419), pp. 33–40 (2007) (in Japanese)
  2. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)
  3. Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)
  4. Blömer, J., May, A.: New partial exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
  5. Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
  6. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)
  7. Ernst, M., Jochemsz, E., May, A., Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
  8. Healy, A.D.: Resultants, Resolvents and the Computation of Galois Groups, http://www.alexhealy.net/papers/math250a.pdf
  9. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  10. Jochemsz, E., May, A.: A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
  11. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)
  12. Shoup, V.: NTL: A Library for doing Number Theory, http://www.shoup.net/ntl/index.html
  13. Nguyen, P., Stehlé, D.: Floating-Point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)
  14. Nguyen, P., Stehlé, D.: Floating-Point LLL (Full version), ftp://ftp.di.ens.fr/pub/users/pnguyen/FullL2.pdf
  15. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–128 (1978)
  16. Schnorr, C.P.: A more efficient algorithm for lattice basis reduction. Journal of Algorithms 9(1), 47–62 (1988)
  17. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yoshinori Aono, Dept. of Mathematical and Computing Sciences, Tokyo Institute of Technology, Tokyo, Japan
