• Published : 2009.07.31


Consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. We first study cryptanalysis of RSA when certain amount of the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of d is known. The basic lattice based technique is similar to that of Ernst et al. in Eurocrypt 2005. However, our idea of guessing a few MSBs of the secret prime p substantially reduces the requirement of MSBs or LSBs of d for the key exposure attack. Further, we consider the RSA variant proposed by Sun and Yang in PKC 2005 and show that the partial key exposure attack works significantly on this variant.


  1. J. Blomer and A. May, New partial key exposure attacks on RSA, Advances in cryptology-CRYPTO 2003, 27–43, Lecture Notes in Comput. Sci., 2729, Springer, Berlin, 2003
  2. J. Blomer and A. May, A generalized Wiener attack on RSA, Public key cryptography-PKC 2004, 1–13, Lecture Notes in Comput. Sci., 2947, Springer, Berlin, 2004
  3. D. Boneh, Twenty years of attacks on the RSA cryptosystem, Notices Amer. Math. Soc. 46 (1999), no. 2, 203–213
  4. D. Boneh, G. Durfee, and Y. Frankel, Exposing an RSA private key given a small fraction of its bits, AsiaCrypt'98, LNCS 1514, pp. 25–34, Springer-Verlag, 1998
  5. D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptology 10 (1997), no. 4, 233–260
  6. A. Duejella, Continued fractions and RSA with small secret exponent, Tatra Mt. Math. Publ. 29 (2004), 101–112
  7. M. Ernst, E. Jochemsz, A. May, and B. de Weger, Partial key exposure attacks on RSA up to full size exponents, Advances in cryptology-EUROCRYPT 2005, 371–386, Lecture Notes in Comput. Sci., 3494, Springer, Berlin, 2005
  8. N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Cryptography and coding (Cirencester, 1997), 131–142, Lecture Notes in Comput. Sci., 1355, Springer, Berlin, 1997
  9. E. Jochemsz, Cryptanalysis of RSA variants using small roots of polynomials, Ph. D. thesis, Technische Universiteit Eindhoven, 2007
  10. P. Kocher, J. Jaffe, and B. Jun, Differential power analysis, CRYPTO '99, 388–397, Lecture Notes in Comput. Sci., 1666, Springer, 1999
  11. A. K. Lenstra, H. W. Lenstra, and L. Lov´asz, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534
  12. A. Nitaj, Another Generalization of Wiener's Attack on RSA, Progress in Cryptology-AFRICACRYPT 2008, 174–190, Lecture Notes in Comput. Sci., 5023, Springer-Verlag, 2008
  13. J. M. Pollard, Theorems on factorization and primality testing, Proc. Cambridge Philos. Soc. 76 (1974), 521–528
  14. R. Steinfeld, S. Contini, H.Wang, and J. Pieprzyk, Converse results to the Wiener attack on RSA, Public key cryptography-PKC 2005, 184–198, Lecture Notes in Comput. Sci., 3386, Springer, Berlin, 2005
  15. D. R. Stinson, Cryptography-Theory and Practice, 2nd Edition, 2nd Edition, 2002
  16. H.-M. Sun, M.-E.Wu, and Y.-H. Chen, Estimating the prime-factors of an RSA modulus and an extension of the Wiener attack, Applied Cryptography and Network Security, 116–128, Lecture Notes in Comput. Sci., 4521, Sprigner, 2007
  17. H.-M. Sun and C.-T. Yang, RSA with balanced short exponents and its application to entity authentication, Public key cryptography-PKC 2005, 199–215, Lecture Notes in Comput. Sci., 3386, Springer, Berlin, 2005
  18. B. de Weger, Cryptanalysis of RSA with small prime difference, Appl. Algebra Engrg. Comm. Comput. 13 (2002), no. 1, 17–28
  19. M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553–558
  20. H. C. Williams, A p+1 method of factoring, Math. Comp. 39 (1982), no. 159, 225–234
  21. J. Blomer and A. May, Low secret exponent RSA revisited, Cryptography and lattices (Providence, RI, 2001), 4–19, Lecture Notes in Comput. Sci., 2146, Springer, Berlin, 2001
  22. D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than $N^{0.292}$, IEEE Trans. Inform. Theory 46 (2000), no. 4, 1339–1349
  23. D. Boneh, R. DeMillo, R. Lipton, On the importance of checking cryptographic protocols for faults (extended abstract), Advances in cryptology-EUROCRYPT '97 (Konstanz), 37–51, Lecture Notes in Comput. Sci., 1233, Springer, Berlin, 1997
  24. J. Hastad, On using RSA with low exponent in a public key network, Advances in cryptology-CRYPTO '85 (Santa Barbara, Calif., 1985), 403–408, Lecture Notes in Comput. Sci., 218, Springer, Berlin, 1986
  25. P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems, Proc. Crypto'96, 104–113, Lecture Notes in Comput. Sci., 1109, Springer- Verlag, 1996
  26. A. May, Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey, LLL+25 Conference in honour of the 25th birthday of the LLL algorithm, 2007. Available at [last accessed 23 December, 2008]
  27. R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (1978), no. 2, 120–126
  28. E. R. Verheul and H. C. A. van Tilborg, Cryptanalysis of 'less short' RSA secret exponents, Appl. Algebra Engrg. Comm. Comput. 8 (1997), no. 5, 425–435