Partial Prime Factor Exposure Attacks on RSA and Its Takagi’s Variant
There are many partial key exposure attacks on RSA or its variants under the assumption that a portion of the bits of the decryption exponent d is exposed. Sarkar and Maitra presented a further attack when some bits of the private prime factor q in the modulus N = pq are simultaneously revealed and the total number of bits of q and d required to be known is reduced compared to previous partial key exposure attacks. In this paper, for both the standard RSA with moduli N = pq and the Takagi’s variant of RSA with moduli N = p 2 q, we propose partial key exposure attacks when most significant bits (MSBs) or least significant bits of q are exposed. Compared with previous results, our theoretical analysis and experimental results show a substantial improvement in reducing the number of known bits of the private key to factor N.
KeywordsRSA partial key exposure attack lattice Coppersmith’s method
Unable to display preview. Download preview PDF.
- 1.Bernstein, D.J., Chang, Y.-A., Cheng, C.-M., Chou, L.-P., Heninger, N., Lange, T., van Someren, N.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013)CrossRefGoogle Scholar
- 7.Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
- 8.Huang, Z., Hu, L., Xu, J., Peng, L., Xie, Y.: Partial key exposure attacks on Takagi’s variant of RSA. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 134–150. Springer, Heidelberg (2014)Google Scholar
- 12.Nguyen, P.Q., Valle, B.: The LLL algorithm: survey and applications. Springer Publishing Company, Incorporated (2009)Google Scholar
- 15.Sarkar, S., Maitra, S., Sarkar, S.: Rsa cryptanalysis with increased bounds on the secret exponent using less lattice dimension. Cryptology ePrint Archive, Report 2008/315 (2008), http://eprint.iacr.org/