New Partial Key Exposure Attacks on RSA

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


In 1998, Boneh, Durfee and Frankel [4] presented several attacks on RSA when an adversary knows a fraction of the secret key bits. The motivation for these so-called partial key exposure attacks mainly arises from the study of side-channel attacks on RSA. With side channel attacks an adversary gets either most significant or least significant bits of the secret key. The polynomial time algorithms given in [4] only work provided that the public key e is smaller than \(N^{\frac{1}{2}}\). It was raised as an open question whether there are polynomial time attacks beyond this bound. We answer this open question in the present work both in the case of most and least significant bits. Our algorithms make use of Coppersmith’s heuristic method for solving modular multivariate polynomial equations [8]. For known most significant bits, we provide an algorithm that works for public exponents e in the interval [\(N^{\frac{1}{2}}\), N 0.725]. Surprisingly, we get an even stronger result for known least significant bits: An algorithm that works for all \(e < N^{\frac{7}{8}}\).

We also provide partial key exposure attacks on fast RSA-variants that use Chinese Remaindering in the decryption process (e.g. [20,21]). These fast variants are interesting for time-critical applications like smart-cards which in turn are highly vulnerable to side-channel attacks. The new attacks are provable. We show that for small public exponent RSA half of the bits of d p = d mod p-1 suffice to find the factorization of N in polynomial time. This amount is only a quarter of the bits of N and therefore the method belongs to the strongest known partial key exposure attacks.


RSA known bits lattice reduction Coppersmith’s method 


  1. 1.
    Bleichenbacher, D.: On the Security of the KMOV public key cryptosystem. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 235–248. Springer, Heidelberg (1997)Google Scholar
  2. 2.
    Blömer, J.: Closest vectors, successive minima, and dual HKZ-bases of lattices. In: Welzl, E., Montanari, U., Rolim, J.D.P. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 248–259. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N0.292. IEEE Trans. on Information Theory 46(4) (2000)Google Scholar
  4. 4.
    Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  5. 5.
    Boneh, D., Durfee, G., Frankel, Y.: Exposing an RSA Private Key Given a Small Fraction of its Bits. Full version of the work from Asiacrypt 1998 (1998), available at
  6. 6.
    Boneh, D., DeMillo, R., Lipton, R.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1996)Google Scholar
  8. 8.
    Coppersmith, D.: Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Journal of Cryptology 10(4) (1997)Google Scholar
  9. 9.
    Dhem, J.F., Koeune, F., Leroux, P.A., Mestre, P., Quisquater, J.J., Willems, J.L.: A practical implementation of the timing attack. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820, Springer, Heidelberg (2000)Google Scholar
  10. 10.
    Durfee, G., Nguyen, P.: Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt 1999. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 14–29. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  11. 11.
    Gruber, M., Lekkerkerker, C.G.: Geometry of Numbers. North-Holland, Amsterdam (1987)zbMATHGoogle Scholar
  12. 12.
    Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, Springer, Heidelberg (1997)Google Scholar
  13. 13.
    Howgrave-Graham, N.: Approximate Integer Common Divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Jutla, C.: On finding small solutions of modular multivariate polynomial equations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 158–170. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  15. 15.
    Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  17. 17.
    Lenstra, A., Lenstra, H., Lovász, L.: Factoring polynomials with rational coefficients, Mathematische Annalen (1982)Google Scholar
  18. 18.
    Lovász, L.: An Algorithmic Theory of Numbers, Graphs and Convexity. In: Conference Series in Applied Mathematics, SIAM (1986)Google Scholar
  19. 19.
    Shoup, V.: NTL: A Library for doing Number Theory, online, available at
  20. 20.
    Takagi, T.: Fast RSA-Type Cryptosystem Modulo pkq. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)Google Scholar
  21. 21.
    Quisquater, J.-J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electronic Letters 18, 905–907 (1982)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. 1.Faculty of Computer Science, Electrical Engineering and MathematicsPaderborn UniversityPaderbornGermany

Personalised recommendations