A new attack on RSA with a composed decryption exponent
نویسندگان
چکیده
In this paper, we consider an RSA modulus N = pq, where the prime factors p, q are of the same size. We present an attack on RSA when the decryption exponent d is in the form d = Md1 + d0 where M is a given positive integer and d1 and d0 are two suitably small unknown integers. In 1999, Boneh and Durfee presented an attack on RSA when d < N. When d = Md1 + d0, our attack enables one to overcome Boneh and Durfee’s bound and to factor the RSA modulus.
منابع مشابه
A New Attack on RSA and CRT-RSA
In RSA, the public modulus N = pq is the product of two primes of the same bit-size, the public exponent e and the private exponent d satisfy ed ≡ 1 (mod (p−1)(q−1)). In many applications of RSA, d is chosen to be small. This was cryptanalyzed by Wiener in 1990 who showed that RSA is insecure if d < N. As an alternative, Quisquater and Couvreur proposed the CRT-RSA scheme in the decryption phas...
متن کاملRevisiting Prime Power RSA
Recently Sarkar (DCC 2014) has proposed a new attack on small decryption exponent when RSA Modulus is of the form N = pq for r ≥ 2. This variant is known as Prime Power RSA. The work of Sarkar improves the result of May (PKC 2004) when r ≤ 5. In this paper, we improve the existing results for r = 3, 4. We also study partial key exposure attack on Prime Power RSA. Our result improves the work of...
متن کاملPartial Key Exposure Attack on RSA - Improvements for Limited Lattice Dimensions
Consider the RSA public key cryptosystem with the parameters N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. In this paper, cryptanalysis of RSA is studied given that some amount of the Most Significant Bits (MSBs) of d is exposed. In Eurocrypt 2005, a lattice based attack on this problem was proposed by Ernst, Jochemsz, May and de Weger. In this paper, we pr...
متن کاملMore on Correcting Errors in RSA Private Keys: Breaking CRT-RSA with Low Weight Decryption Exponents
Several schemes have been proposed towards the fast encryption and decryption in RSA and its variants. One popular idea is to use integers having low Hamming weight in the preparation of the decryption exponents. This is to reduce the multiplication effort in the square and multiply method in the exponentiation routine, both in encryption and decryption. In this paper we show that such schemes ...
متن کاملSmall secret exponent attack on RSA variant with modulus N=prq
We consider an RSA variant with Modulus N = p2q. This variant is known as Prime Power RSA. In PKC 2004 May proved when decryption exponent d < N0.22, one can factor N in polynomial time. In this paper, we improve this bound upto N0.395. We provide detailed experimental results to justify our claim.
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2014 شماره
صفحات -
تاریخ انتشار 2013