Improved Partial Key Exposure Attacks on RSA by Guessing a Few Bits of One of the Prime Factors

  • Santanu Sarkar
  • Subhamoy Maitra
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5461)


Consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. We study cryptanalysis of RSA when certain amount of the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of d is known. This problem has been well studied in literature as evident from the works of Boneh et. al. in Asiacrypt 1998, Blömer et. al. in Crypto 2003 and Ernst et. al. in Eurocrypt 2005. In this paper, we achieve significantly improved results by modifying the techniques presented by Ernst et. al. Our novel idea is to guess a few MSBs of the secret prime p (may be achieved by exhaustive search over those bits in certain cases) that substantially reduces the requirement of MSBs of d for the key exposure attack.


Cryptanalysis Factorization Lattice LLL Algorithm RSA  Side Channel Attacks Weak Keys 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Blömer, J., May, A.: Low secret exponent RSA revisited. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 4–19. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Blömer, J., May, A.: A generalized wiener attack on RSA. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 1–13. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    Boneh, D.: Twenty Years of Attacks on the RSA Cryptosystem. Notices of the AMS 46(2), 203–213 (1999)MathSciNetMATHGoogle Scholar
  5. 5.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. IEEE Trans. on Information Theory 46(4), 1339–1349 (2000)MathSciNetCrossRefMATHGoogle Scholar
  6. 6.
    Boneh, D., Durfee, G., Frankel, Y.: Exposing an RSA Private Key Given a Small Fraction of its Bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  7. 7.
    Boneh, D., DeMillo, R., Lipton, R.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  8. 8.
    Coppersmith, D.: Small solutions to polynomial equations and low exponent vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)MathSciNetCrossRefMATHGoogle Scholar
  9. 9.
    Duejella, A.: Continued fractions and RSA with small secret exponent. Tatra Mt. Math. Publ. 29, 101–112 (2004)MathSciNetGoogle Scholar
  10. 10.
    Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Hastad, J.: On using RSA with low exponent in public key network. In: Advances in Cryplogy-CRYPTO 1985 Proceedings. LNCS, pp. 403–408. Springer, Heidelberg (1985)Google Scholar
  12. 12.
    Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
  13. 13.
    Jochemsz, E.: Cryptanalysis of RSA variants using small roots of polynomials. Ph. D. thesis, Technische Universiteit Eindhoven (2007)Google Scholar
  14. 14.
    Jochemsz, E., May, A.: A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  17. 17.
    Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)MathSciNetCrossRefMATHGoogle Scholar
  18. 18.
    Pollard, J.M.: Theorems on factorization and primality testing. Proc. of Combridge Philos. Soc. 76, 521–528 (1974)MathSciNetCrossRefMATHGoogle Scholar
  19. 19.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of ACM 21(2), 158–164 (1978)MathSciNetCrossRefMATHGoogle Scholar
  20. 20.
    Stinson, D.R.: Cryptography – Theory and Practice, 2nd edn. Chapman & Hall/CRC, Boca Raton (2002)MATHGoogle Scholar
  21. 21.
    Steinfeld, R., Contini, S., Pieprzyk, J., Wang, H.: Converse results to the Wiener attack on RSA. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 184–198. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Sun, H.-M., Wu, M.-E., Chen, Y.-H.: Estimating the prime-factors of an RSA modulus and an extension of the wiener attack. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 116–128. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. 23.
    Verheul, E.R., van Tilborg, H.C.A.: Cryptanalysis of ‘less short’ RSA secret exponents. Applicable Algebra in Engineering, Communication and Computing 8, 425–435 (1997)MathSciNetCrossRefMATHGoogle Scholar
  24. 24.
    Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)MathSciNetCrossRefMATHGoogle Scholar
  25. 25.
    Williams, H.C.: A p + 1 method of factoring. Mathematics of Computation 39(159), 225–234 (1982)MathSciNetMATHGoogle Scholar
  26. 26.
    de Weger, B.: Cryptanalysis of RSA with small prime difference. Applicable Algebra in Engineering, Communication and Computing 13(1), 17–28 (2002)MathSciNetCrossRefMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Santanu Sarkar
    • 1
  • Subhamoy Maitra
    • 1
  1. 1.Indian Statistical InstituteKolkataIndia

Personalised recommendations