Partial Key Exposure Attacks on Takagi’s Variant of RSA
We present several attacks on a variant of RSA due to Takagi when different parts of the private exponent are known to an attacker. We consider three cases when the exposed bits are the most significant bits, the least significant bits and the middle bits of the private exponent respectively. Our approaches are based on Coppersmith’s method for finding small roots of modular polynomial equations. Our results extend the results of partial key exposure attacks on RSA of Ernst, Jochemsz, May and Weger (EUROCRYPT 2005) for moduli from N = pq to N = p r q (r ≥ 2).
KeywordsRSA partial key exposure Coppersmith’s method lattice reduction LLL algorithm
- 10.Hinek, M.J.: Cryptanalysis of RSA and Its Variants, 1st edn. Chapman & Hall/CRC (2009)Google Scholar
- 11.Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
- 17.May, A.: New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis, University of Paderborn (2003)Google Scholar