Another Look at Small RSA Exponents

  • M. Jason Hinek
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3860)


In this work we consider a variant of RSA whose public and private exponents can be chosen significantly smaller than in typical RSA. In particular, we show that it is possible to have private exponents smaller than N 1/4 which are resistant to all known small private exponent attacks. This allows for instances of RSA with short CRT-exponents and short public exponents. In addition, the number of bits required to store the private key information can be significantly reduced in this variant.


Continue Fraction Expansion Public Exponent Lattice Basis Reduction Modulus Size Private Exponent 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Blömer, J., May, A.: Low secret exponent RSA revisited. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 4–19. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)Google Scholar
  4. 4.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  6. 6.
    Boneh, D., Durfee, G., Frankel, Y.: Exposing an RSA private key given a small fraction of its bits. Revised and extended version of proceedings of ASIACRYPT 1998 [5] (2001), Available at
  7. 7.
    Boneh, D., Shacham, H.: Fast variants of RSA. Cryptobytes 5(1), 1–9 (2002)Google Scholar
  8. 8.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Coron, J.-S.: Finding small roots of bivariate integer polynomial equations revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Dujella, A.: Continued fractions and RSA with small secret exponent. Tatra Mt. Math. Publ. 29, 101–112 (2004)zbMATHMathSciNetGoogle Scholar
  11. 11.
    Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–387. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. 12.
    Galbraith, S.D., Heneghan, C., McKee, J.F.: Tunable balancing of RSA. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 280–292. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  13. 13.
    Girault, M.: An identity-based identification scheme based on discrete logorithms modulo a composite number. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 481–486. Springer, Heidelberg (1991)Google Scholar
  14. 14.
    Howgrave-Graham, N.A.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
  15. 15.
    Lenstra, A.K.: Unbelievable security: Matching AES security using public key systems. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 67–86. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  16. 16.
    Lim, C.H., Lee, P.J.: Security and performance of server-aided RSA computation protocols. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 70–83. Springer, Heidelberg (1995)Google Scholar
  17. 17.
    May, A.: Cryptanalysis of unbalanced RSA with small CRT-exponent. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 242–256. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  18. 18.
    May, A.: Secret exponent attacks on RSA-type schemes with moduli N = p r q. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 218–230. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  19. 19.
    McKee, J., Pinch, R.G.E.: Further attacks on server-aided RSA cryptosystems (1998), Available at
  20. 20.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Commun. of the ACM 21, 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    Steinfeld, R., Contini, S., Wang, H., Pieprzyk, J.: Converse results to the Wiener attack on RSA. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 184–198. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Sun, H.-M., Hinek, M.J., Wu, M.-E.: On the design of rebalanced RSA-CRT. Technical Report CACR 2005-35, Centre for Applied Cryptographic Research, University of Waterloo (2005),
  23. 23.
    Sun, H.-M., Wu, M.-E.: An approach towards rebalanced RSA-CRT with short public exponent. Cryptology ePrint Archive, Report 2005/053 (2005),
  24. 24.
    Sun, H.-M., Yang, C.-T.: RSA with balanced short exponents and its application to entity authentication. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 199–215. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. 25.
    Verheul, E.R., van Tilborg, H.C.A.: Cryptanalysis of ‘less short’ RSA secret exponents. Appl. Algebra Eng. Commun. Comput. 8(5), 425–435 (1997)zbMATHCrossRefGoogle Scholar
  26. 26.
    Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)zbMATHCrossRefMathSciNetGoogle Scholar
  27. 27.
    Zimmerman, P.: Integer factoring records (May 2005),

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • M. Jason Hinek
    • 1
  1. 1.School of Computer ScienceUniversity of WaterlooWaterlooCanada

Personalised recommendations