Improved Partial Key Exposure Attacks on RSA by Guessing a Few Bits of One of the Prime Factors
Consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. We study the cryptanalysis of RSA when a certain number of the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of d are known. This problem has been well studied in the literature, as is evident from the works of Boneh et al. in Asiacrypt 1998, Blömer et al. in Crypto 2003 and Ernst et al. in Eurocrypt 2005. In this paper, we achieve significantly improved results by modifying the techniques presented by Ernst et al. Our novel idea is to guess a few MSBs of the secret prime p (which may be achieved by exhaustive search over those bits in certain cases); this substantially reduces the number of MSBs of d required for the key exposure attack.
Keywords: Cryptanalysis, Factorization, Lattice, LLL Algorithm, RSA, Side Channel Attacks, Weak Keys