Low Secret Exponent RSA Revisited

  • Johannes Blömer
  • Alexander May
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2146)


We present a lattice attack on low exponent RSA with short secret exponent d = N^δ for every δ < 0.29. The attack is a variation of an approach by Boneh and Durfee [4] based on lattice reduction techniques and Coppersmith’s method for finding small roots of modular polynomial equations. Although our results are slightly worse than the results of Boneh and Durfee, they have several interesting features. We partially analyze the structure of the lattices we are using. For most δ < 0.29 our method requires lattices of smaller dimension than the approach by Boneh and Durfee. Hence, we get a more practical attack on low exponent RSA. We demonstrate this by experiments, where δ < 0.265.

Our method, as well as the method by Boneh and Durfee, is heuristic, since the method is based on Coppersmith’s approach for bivariate polynomials. Coppersmith [6] pointed out that this heuristic must fail in some cases. We argue in this paper that a (practically not interesting) variant of the Boneh/Durfee attack proposed in [4] always fails. Many authors have already stressed the necessity for rigorous proofs of Coppersmith’s method in the multivariate case. This is even more evident in light of these results.


Keywords: Low secret exponent RSA, cryptanalysis, Coppersmith’s method, lattice reduction




  1. D. Bleichenbacher, “On the Security of the KMOV public key cryptosystem”, Proc. of Crypto’97
  2. D. Boneh, “Twenty years of attacks on the RSA cryptosystem”, Notices of the AMS, 1999
  3. D. Boneh, G. Durfee, “Cryptanalysis of RSA with private key d less than N^0.292”, Proc. Eurocrypt’99
  4. D. Boneh, G. Durfee, “Cryptanalysis of RSA with private key d less than N^0.292”, IEEE Trans. on Information Theory, vol. 46(4), 2000
  5. H. Cohen, “A Course in Computational Algebraic Number Theory”, Springer Verlag, 1996
  6. D. Coppersmith, “Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities”, Journal of Cryptology 10(4), 1997
  7. D. Cox, J. Little, D. O’Shea, “Ideals, Varieties and Algorithms”, Springer Verlag, 1992
  8. G. Durfee, P. Nguyen, “Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt’99”, Proc. of Asiacrypt 2000
  9. M. Gruber, C.G. Lekkerkerker, “Geometry of Numbers”, North-Holland, 1987
  10. G.H. Hardy, E.M. Wright, “An Introduction to the Theory of Numbers”, Oxford University Press, 1979
  11. N. Howgrave-Graham, “Finding small roots of univariate modular equations revisited”, Proc. of Cryptography and Coding, LNCS 1355, Springer-Verlag, 1997
  12. C. Jutla, “On finding small solutions of modular multivariate polynomial equations”, Proc. of Eurocrypt’98
  13. A. Lenstra, H. Lenstra and L. Lovasz, “Factoring polynomials with rational coefficients”, Mathematische Annalen, 1982
  14. P. Nguyen, J. Stern, “Lattice Reduction in Cryptology: An Update”, Algorithmic Number Theory Symposium ANTS-IV, 2000
  15. R. Rivest, A. Shamir and L. Adleman, “A method for obtaining digital signatures and public key cryptosystems”, Communications of the ACM, volume 21, 1978
  16. C.P. Schnorr, “A hierarchy of polynomial time lattice basis reduction algorithms”, Theoretical Computer Science, volume 53, 1987
  17. C.L. Siegel, “Lectures on the Geometry of Numbers”, Springer Verlag, 1989
  18. V. Shoup, Number Theory Library (NTL),
  19. E. Verheul, H. van Tilborg, “Cryptanalysis of less short RSA secret exponents”, Applicable Algebra in Engineering, Communication and Computing, Springer Verlag, vol. 8, 1997
  20. M. Wiener, “Cryptanalysis of short RSA secret exponents”, IEEE Transactions on Information Theory, vol. 36, 1990

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Johannes Blömer (1)
  • Alexander May (1)
  1. Department of Mathematics and Computer Science, University of Paderborn, Paderborn, Germany
