Cryptanalysis of RSA with a Small Parameter

  • Xianmeng Meng
  • Xuexin Zheng
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7372)


This paper investigates the security of the RSA system with short exponents. Let N = pq be an RSA modulus with balanced primes p and q. Denote the public exponent by e and the private exponent by d. Then e and d satisfy ed − 1 = (N), which is usually called the RSA equation. When e and d are both short, and the parameter k is the smallest unknown variable in the RSA equation, we prove that there exist two new square root attacks. One attack applies the baby-step giant-step method, the other applies Pollard's ρ method. We show that if K is a known upper bound of k, then k can be recovered in time \(\tilde{O}(\sqrt{K})\) and memory \(\tilde{O}(\sqrt{K})\) by using the baby-step giant-step method, and in time \(\tilde{O}(\sqrt{K})\) and negligible memory by applying Pollard's ρ method. As an application of our new attacks, we present a cryptanalysis of an RSA-type scheme proposed by Sun et al.


Keywords: RSA, square root attack, cryptanalysis




  1. Bai, S., Brent, R.P.: On the efficiency of Pollard's rho method for discrete logarithms. In: Harland, J., Manyem, P. (eds.) CATS 2008, pp. 125–131. Australian Computer Society (2008)
  2. Blömer, J., May, A.: A Generalized Wiener Attack on RSA. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 1–13. Springer, Heidelberg (2004)
  3. Boneh, D., Durfee, G.: Cryptanalysis of RSA with Private Key d Less than \(N^{0.292}\). In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)
  4. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than \(N^{0.292}\). IEEE Trans. on Information Theory 46(4), 1339–1349 (2000)
  5. Coppersmith, D.: Small solutions to polynomial equations and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)
  6. Crandall, R., Pomerance, C.: Prime Number, 2nd edn. Springer (2005)
  7. Durfee, G., Nguyên, P.Q.: Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 14–29. Springer, Heidelberg (2000)
  8. May, A.: Using LLL-reduction for solving RSA and factorization problems: a survey. In: LLL+25 Conference in Honour of the 25th Birthday of the LLL Algorithm (2007)
  9. Pollard, J.M.: Monte Carlo methods for index computation (mod p). Math. Comp. 32(143), 918–924 (1978)
  10. Quisquater, J.J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electronic Letters 18, 905–907 (1982)
  11. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. of the ACM 21, 120–126 (1978)
  12. Sarkar, S., Maitra, S.: Partial key exposure attacks on RSA and its variant by guessing a few bits of one of the prime factors. Bull. Korean Math. Soc. 46(4), 721–741 (2009)
  13. Shanks, D.: Class number, a theory of factorization and genera. In: 1969 Number Theory Institute (Proc. Sympos. Pure Math., vol. XX, State Univ. New York, Stony Brook, NY, 1969), pp. 415–440 (1969)
  14. Sun, H.-M., Yang, W.-C., Laih, C.-S.: On the Design of RSA with Short Secret Exponent. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 150–164. Springer, Heidelberg (1999)
  15. Sun, H.M., Yang, C.T., Lai, C.S.: On the design of RSA with short secret exponent. Journal of Information Science and Engineering 18(1), 1–18 (2002)
  16. Sun, H.-M., Yang, C.-T.: RSA with Balanced Short Exponents and Its Application to Entity Authentication. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 199–215. Springer, Heidelberg (2005)
  17. Sun, H.M., Yang, C.T., Wu, M.: Short exponent RSA. IEICE Trans. Fundamentals E92-A(3), 912–918 (2009)
  18. Teske, E.: Speeding Up Pollard's Rho Method for Computing Discrete Logarithms. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 541–554. Springer, Heidelberg (1998)
  19. Teske, E.: A space efficient algorithm for group structure computation. Mathematics of Computation 67(224), 1637–1663 (1998)
  20. Teske, E.: On random walks for Pollard's rho method. Mathematics of Computation 70(234), 809–825 (2001)
  21. de Weger, B.: Cryptanalysis of RSA with small prime difference. Applicable Algebra in Engineering 13, 17–28 (2002)
  22. Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36, 553–558 (1990)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Xianmeng Meng (1)
  • Xuexin Zheng (2)
  1. School of Mathematics, Shandong University of Finance and Economics, Jinan, P.R. China
  2. Key Lab of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, P.R. China
