A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073
نویسندگان
چکیده
Wiener’s famous attack on RSA with d < N shows that using a small d for an efficient decryption process makes RSA completely insecure. As an alternative, Wiener proposed to use the Chinese Remainder Theorem in the decryption phase, where dp = d mod (p − 1) and dq = d mod (q − 1) are chosen significantly smaller than p and q. The parameters dp, dq are called private CRT-exponents. Since Wiener’s proposal in 1990, it has been a challenging open question whether there exists a polynomial time attack on small private CRT-exponents. In this paper, we give an affirmative answer to this question, and show that a polynomial time attack exists if dp and dq are smaller than N .
منابع مشابه
New Attacks on RSA with Small Secret CRT-Exponents
It is well-known that there is an efficient method for decrypting/signing with RSA when the secret exponent d is small modulo p− 1 and q − 1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Dur...
متن کاملA New Attack on RSA and CRT-RSA
In RSA, the public modulus N = pq is the product of two primes of the same bit-size, the public exponent e and the private exponent d satisfy ed ≡ 1 (mod (p−1)(q−1)). In many applications of RSA, d is chosen to be small. This was cryptanalyzed by Wiener in 1990 who showed that RSA is insecure if d < N. As an alternative, Quisquater and Couvreur proposed the CRT-RSA scheme in the decryption phas...
متن کاملCommon modulus attacks on small private exponent RSA and some fast variants (in practice)
In this work we re-examine two common modulus attacks on RSA. First, we show that Guo’s continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus N and private exponents each smaller than N the attack can factor the modulus about 93% of the time in practice. The success rate of the attack can be increased up to almost 10...
متن کاملFounding and Former Series Editors:
It is well-known that there is an efficient method for decrypt-ing/signing with RSA when the secret exponent d is small modulo p− 1and q − 1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and B...
متن کاملAnother Look at Small RSA Exponents
In this work we consider a variant of RSA whose public and private exponents can be chosen significantly smaller than in typical RSA. In particular, we show that it is possible to have private exponents smaller thanN which are resistant to all known small private exponent attacks. This allows for instances of RSA with short CRT-exponents and short public exponents. In addition, the number of bi...
متن کامل