New Partial Key Exposure Attacks on CRT-RSA with Large Public Exponents

  • Yao Lu
  • Rui Zhang
  • Dongdai Lin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8479)


In Crypto’03, Blömer and May provided several partial key exposure attacks on CRT-RSA. In their attacks, they assume that an attacker can obtain either the most significant bits (MSBs) or the least significant bits (LSBs) of \(d_p = d \bmod (p-1)\) in consecutive order. For the case of known LSBs of \(d_p\), their algorithm is polynomial-time only for small public exponents e (i.e. e = poly(log N)). However, in some practical applications we prefer to use a large e (for instance \(e \approx d_p\), so that the public and private operations take the same computational effort). In this paper, we propose some lattice-based attacks for this extended setting. For the known-LSBs case, we introduce two approaches that work up to \(e < N^{3/8}\). Similar results (though not as strong) are obtained for the MSBs case. We also provide detailed experimental results to justify our claims.
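The CRT-RSA setting the abstract refers to, as an added Python example that is not part of the paper: a key whose public exponent e has about the same size as \(d_p\), the CRT decryption that uses \(d_p\) and \(d_q\), and the key equation \(e \cdot d_p = 1 + k(p-1)\) that ties a partially known \(d_p\) to the factor p. The toy primes, the seeded generator and all function names are constructed for this illustration; the lattice attacks themselves are not shown.

```python
import math
import random


def crt_rsa_keygen(p, q, e_bits, rng):
    """Build a CRT-RSA key whose public exponent e has exactly e_bits bits.

    Choosing e_bits close to the size of p makes e and d_p = d mod (p - 1)
    comparable in size, the 'large e' setting discussed in the abstract.
    Returns (N, e, d, d_p, d_q, q_inv).
    """
    N = p * q
    phi = (p - 1) * (q - 1)
    while True:
        # odd candidate with the top bit set, so bit_length() == e_bits
        e = rng.getrandbits(e_bits) | (1 << (e_bits - 1)) | 1
        if math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)          # full private exponent
    d_p = d % (p - 1)            # CRT exponent for p
    d_q = d % (q - 1)            # CRT exponent for q
    q_inv = pow(q, -1, p)        # Garner's coefficient for recombination
    return N, e, d, d_p, d_q, q_inv


def crt_decrypt(c, p, q, d_p, d_q, q_inv):
    """Standard CRT decryption: two half-size exponentiations plus Garner's step."""
    m_p = pow(c, d_p, p)
    m_q = pow(c, d_q, q)
    h = (q_inv * (m_p - m_q)) % p
    return m_q + h * q


def key_equation_k(e, d_p, p):
    """Return k with e * d_p = 1 + k * (p - 1), or None if the relation fails.

    Because d_p < p - 1, the multiplier k is always smaller than e; this is
    the equation the partial key exposure attacks reason about.
    """
    lhs = e * d_p - 1
    if lhs % (p - 1) != 0:
        return None
    return lhs // (p - 1)


def split_lsbs(d_p, t):
    """Model the known-LSBs setting: d_p = low + 2^t * high with low known."""
    low = d_p & ((1 << t) - 1)
    high = d_p >> t
    return low, high


# Constructed toy parameters (far too small for real use): two known primes
# and a seeded generator so the run is reproducible.
P_TOY = 104729
Q_TOY = 1299709


def demo(seed=1):
    rng = random.Random(seed)
    N, e, d, d_p, d_q, q_inv = crt_rsa_keygen(P_TOY, Q_TOY, P_TOY.bit_length(), rng)
    m = 123456789 % N
    c = pow(m, e, N)
    k = key_equation_k(e, d_p, P_TOY)
    low, high = split_lsbs(d_p, 8)
    return {
        "e_bits": e.bit_length(),
        "d_p_bits": d_p.bit_length(),
        "crt_ok": crt_decrypt(c, P_TOY, Q_TOY, d_p, d_q, q_inv) == m,
        "plain_ok": pow(c, d, N) == m,
        "k": k,
        "k_below_e": k is not None and 0 < k < e,
        "split_ok": low + (high << 8) == d_p,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` produces a 17-bit e for the 17-bit toy p, confirms that CRT and plain decryption agree, and shows that the multiplier k in the key equation stays below e; `split_lsbs` is only the bookkeeping of the known-LSBs model, with the unknown high part being what the paper's lattice methods recover.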


Keywords: lattices, RSA, Coppersmith’s method


  1. Bleichenbacher, D., May, A.: New attacks on RSA with small secret CRT-exponents. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 1–13. Springer, Heidelberg (2006)
  2. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than \(N^{0.292}\). IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)
  3. Boneh, D., Durfee, G., Frankel, Y.: Exposing an RSA private key given a small fraction of its bits. In: Full Version of the work from Asiacrypt, vol. 98 (1998)
  4. Boneh, D., Durfee, G., Howgrave-Graham, N.: Factoring \(N = p^{r}q\) for large r. In: Advances in Cryptology – CRYPTO 1999, p. 787. Springer (1999)
  5. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
  6. Galbraith, S.D., Heneghan, C., McKee, J.F.: Tunable balancing of RSA. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 280–292. Springer, Heidelberg (2005)
  7. Herrmann, M.: Improved cryptanalysis of the multi-prime φ-hiding assumption. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 92–99. Springer, Heidelberg (2011)
  8. Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)
  9. Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)
  10. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Möhring, R.H. (ed.) WG 1997. LNCS, vol. 1335, pp. 131–142. Springer, Heidelberg (1997)
  11. Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
  12. Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than \(N^{0.073}\). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)
  13. Joye, M., Lepoint, T.: Partial key exposure on RSA with private exponents larger than N. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 369–380. Springer, Heidelberg (2012)
  14. Kunihiro, N., Shinohara, N., Izu, T.: A unified framework for small secret exponent attack on RSA. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 260–277. Springer, Heidelberg (2012)
  15. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)
  16. May, A.: Cryptanalysis of unbalanced RSA with small CRT-exponent. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 242–256. Springer, Heidelberg (2002)
  17. May, A.: Secret exponent attacks on RSA-type schemes with moduli \(N = p^{r}q\). In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 218–230. Springer, Heidelberg (2004)
  18. Quisquater, J.-J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters 18(21), 905–907 (1982)
  19. Sarkar, S., Maitra, S.: Partial key exposure attack on CRT-RSA. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 473–484. Springer, Heidelberg (2009)
  20. Takagi, T.: Fast RSA-type cryptosystem modulo \(p^{k}q\). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)
  21. Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 118–135. Springer, Heidelberg (2013)
  22. Tosu, K., Kunihiro, N.: Optimal bounds for multi-prime φ-hiding assumption. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 1–14. Springer, Heidelberg (2012)
  23. Cannon, J., Bosma, W., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3-4), 235–265 (1997); Computational algebra and number theory, London (1993)
  24. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Yao Lu (1, 2)
  • Rui Zhang (1)
  • Dongdai Lin (1)
  1. State Key Laboratory of Information Security (SKLOIS), Institute of Information Engineering (IIE), Chinese Academy of Sciences (CAS), China
  2. University of Chinese Academy of Sciences (UCAS), China
