Cryptanalysis of RSA with a Small Parameter [chapter]

Xianmeng Meng, Xuexin Zheng
2012 Lecture Notes in Computer Science  
This paper investigates the security of the RSA system with short exponents. Let N = pq be an RSA modulus with balanced primes p and q. Denote the public exponent by e and the private exponent by d. Then e and d satisfy ed − 1 = kφ(N), which is usually called the RSA equation. When e and d are both short, and parameter k is the smallest unknown variable in the RSA equation, we prove that there exist two new square root attacks. One attack applies the baby-step giant-step method, the other applies Pollard's ρ method. We show that if K is a known upper bound of k, then k can be recovered in time Õ(√K) and memory Õ(√K) by using the baby-step giant-step method, and in time Õ(√K) and negligible memory by applying the Pollard ρ method. As an application of our new attacks, we present the cryptanalysis on an RSA-type scheme proposed by Sun et al.
doi:10.1007/978-3-642-31448-3_9 fatcat:6sgoquh7tzetbon5axygs4i5fm