Weak Keys in RSA with Primes Sharing Least Significant Bits

  • Xianmeng Meng
  • Jingguo Bi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6151)


Let N = p q be an LSBS-RSA modulus where primes p and q have the same bit-length and share the m least significant bits, and (p − 1, q − 1) = 2. Given (N, e) with \(e\in \mathbb{Z}_{\frac{\phi(N)}{4}}^*\) that satisfies \(e w+z\cdot 2^{2(m-1)} =0 \pmod{\phi(N)/4}\) with \(0<w\leq \frac{1}{9}\sqrt{\frac{\phi(N)}{e}}N^{\frac{1}{4}+\theta}\) and \(|z|\leq c\frac{e w}{\phi(N)}N^{\frac{1}{4}-\theta}\), we can find p and q in polynomial time. We show that the number of these weak keys e is at least \(N^{\frac{3}{4}+\theta-\varepsilon}\), where θ = m/log2 N, and there exists a probabilistic algorithm that can factor N in time \(O(N^{\frac{1}{4}-\theta+\varepsilon})\).


RSA Coppersmith’s theorem 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Rogaway, P.: The exact security of digital signatures: How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  2. 2.
    Blömer, J., May, A.: A generalized wiener attack on RSA. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 1–13. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Coppersmith, D.: Small solutions to polynomial equations and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)CrossRefMathSciNetGoogle Scholar
  4. 4.
    Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
  5. 5.
    Lenstra, H.W., Lenstra, A.K., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)CrossRefGoogle Scholar
  6. 6.
    May, A.: New RSA Vulnerabilities Using Lattice Reduction Methods. PhD thesis, University of Paderborn (2003)Google Scholar
  7. 7.
    May, A.: Using LLL-reduction for solving RSA and factorization problems: a survey. In: LLL+25 Conference in Honour of the 25th Birthday of the LLL Algorithm (2007)Google Scholar
  8. 8.
    Minkowski, H.: Geometrie der Zahlen. Teubner Verlag (1912)Google Scholar
  9. 9.
    Shamir, A., Rivest, R.L., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. of the ACM 21, 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    Steinfeld, R., Zheng, Y.: On the security of RSA with primes sharing least- significant bits. Appl. Algebra Eng. Commun. Comput. 15(3-4), 179–200 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    Sun, H.-M., Wu, M.-E., Steinfeld, R., Guo, J., Wang, H.: Cryptanalysis of short exponent RSA with primes sharing significant bits. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 49–63. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Sun, H.-M., Wu, M.-E., Wang, H., Guo, J.: On the improvement of the BDF attack on LSBS-RSA. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 84–97. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    de Weger, B.: Cryptanalysis of RSA with small prime difference. Applicable Algebra in Engineering 13, 17–28 (2002)zbMATHCrossRefGoogle Scholar
  14. 14.
    Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36, 553–558 (1998)CrossRefMathSciNetGoogle Scholar
  15. 15.
    Zhao, Y.-D., Qi, W.-F.: Small private-exponent attack on RSA with primes sharing bits. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 221–229. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Xianmeng Meng
    • 1
  • Jingguo Bi
    • 2
  1. 1.Dept. of Mathematics and StatisticsShandong University of FinanceJinanP.R. China
  2. 2.Lab of Cryptographic Technology and Information SecurityShandong UniversityJinanP.R. China

Personalised recommendations