Partial Prime Factor Exposure Attacks on RSA and Its Takagi’s Variant

  • Liqiang Peng
  • Lei Hu
  • Zhangjie Huang
  • Jun Xu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9065)


There are many partial key exposure attacks on RSA or its variants under the assumption that a portion of the bits of the decryption exponent d is exposed. Sarkar and Maitra presented a further attack for the case where some bits of the private prime factor q in the modulus N = pq are simultaneously revealed, and the total number of bits of q and d required to be known is reduced compared to previous partial key exposure attacks. In this paper, for both standard RSA with moduli N = pq and Takagi’s variant of RSA with moduli N = p^2 q, we propose partial key exposure attacks when most significant bits (MSBs) or least significant bits of q are exposed. Compared with previous results, our theoretical analysis and experimental results show a substantial improvement in reducing the number of known bits of the private key needed to factor N.


Keywords: RSA, partial key exposure attack, lattice, Coppersmith’s method




References

  1. Bernstein, D.J., Chang, Y.-A., Cheng, C.-M., Chou, L.-P., Heninger, N., Lange, T., van Someren, N.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013)
  2. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)
  3. Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)
  4. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)
  5. Ernst, M., Jochemsz, E., May, A., De Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
  6. Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)
  7. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  8. Huang, Z., Hu, L., Xu, J., Peng, L., Xie, Y.: Partial key exposure attacks on Takagi’s variant of RSA. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 134–150. Springer, Heidelberg (2014)
  9. Itoh, K., Kunihiro, N., Kurosawa, K.: Small secret key attack on a variant of RSA (due to Takagi). In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 387–406. Springer, Heidelberg (2008)
  10. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
  11. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)
  12. Nguyen, P.Q., Vallée, B.: The LLL algorithm: survey and applications. Springer Publishing Company, Incorporated (2009)
  13. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 26(1), 96–99 (1983)
  14. Sarkar, S., Maitra, S.: Improved partial key exposure attacks on RSA by guessing a few bits of one of the prime factors. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 37–51. Springer, Heidelberg (2009)
  15. Sarkar, S., Maitra, S., Sarkar, S.: RSA cryptanalysis with increased bounds on the secret exponent using less lattice dimension. Cryptology ePrint Archive, Report 2008/315 (2008),
  16. Takagi, T.: Fast RSA-type cryptosystem modulo p^k q. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)
  17. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Liqiang Peng (1, 2, 3)
  • Lei Hu (1, 2)
  • Zhangjie Huang (1, 2)
  • Jun Xu (1, 2)

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
  3. University of Chinese Academy of Sciences, Beijing, China
