New Attacks on RSA with Small Secret CRT-Exponents

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)


It is well-known that there is an efficient method for decrypting/signing with RSA when the secret exponent d is small modulo p–1 and q–1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Durfee bound for small d. At Crypto 2002, May presented a partial solution in the case of an RSA modulus N=pq with unbalanced prime factors p and q. Based on Coppersmith’s method, he showed that there is a polynomial time attack provided that q < N 0.382. We will improve this bound to q < N 0.468. Thus, our result comes close to the desired normal RSA case with balanced prime factors. We also present a second result for balanced RSA primes in the case that the public exponent e is significantly smaller than N. More precisely, we show that there is a polynomial time attack if \(d_{p}, d_{q} \leq min\{(N/e)^{\frac{2}{5}},N^{\frac{1}{4}}\}\). The method can be used to attack two fast RSA variants recently proposed by Galbraith, Heneghan, McKee, and by Sun, Wu.


RSA small exponents lattices Coppersmith’s method 


  1. 1.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N0.292. IEEE Trans. on Information Theory 46(4), 1339–1349 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Boneh, D., Shacham, H.: Fast Variants of RSA. CryptoBytes 5(1), 1–9 (2002)Google Scholar
  3. 3.
    Cohen, H., et al.: PARI/GP,
  4. 4.
    Coppersmith, D.: Small solutions to polynomial equations and low exponent vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Galbraith, S.D., Heneghan, C., McKee, J.F.: Tunable balancing of RSA. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 280–292. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Galbraith, S.D., Heneghan, C., McKee, J.F.: Tunable Balancing of RSA, full version of [5], online, available at
  7. 7.
    Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
  8. 8.
    Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    May, A.: Cryptanalysis of Unbalanced RSA with Small CRT-Exponent. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 242–256. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Shoup, V.: NTL: A Library for doing Number Theory, online, available at
  11. 11.
    STORK, Strategic Roadmap for Crypto,
  12. 12.
    Sun, H.-M., Wu, M.-E.: An Approach Towards Rebalanced RSA-CRT with Short Public Exponent, Cryptology ePrint Archive: Report 2005/053, online, available at
  13. 13.
    Sun, H.-M., Hinek, M.J., Wu, M.-E.: An Approach Towards Rebalanced RSACRT with Short Public Exponent, revised version of [12], online, available at
  14. 14.
    Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36, 553–558 (1990)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. 1.Department of Computer ScienceTU DarmstadtDarmstadtGermany

Personalised recommendations