Partial Key Exposure Attack on CRT-RSA
Consider CRT-RSA with $N = pq$, $q < p < 2q$, public encryption exponent $e$ and private decryption exponents $d_p$, $d_q$. Jochemsz and May (Crypto 2007) showed that CRT-RSA is weak when $d_p$, $d_q$ are smaller than $N^{0.073}$. As a follow-up to that paper, we study the partial key exposure attack on CRT-RSA when some Most Significant Bits (MSBs) of $d_p$, $d_q$ are exposed. Further, better results are obtained when a few MSBs of $p$ (or $q$) are available too. We present theoretical results as well as experimental evidence to justify our claim. We also analyze the case where the decryption exponents are of different bit sizes, and show that CRT-RSA is more insecure in this case (than when $d_p$, $d_q$ have the same bit size), considering the total bit size of $d_p$, $d_q$.
Keywords: RSA, CRT-RSA, Cryptanalysis, Factorization, Lattice, LLL Algorithm, Side Channel Attacks, Weak Keys