New Attacks on RSA with Small Secret CRT-Exponents [chapter]

Daniel Bleichenbacher, Alexander May
2006 Lecture Notes in Computer Science  
It is well-known that there is an efficient method for decrypting/signing with RSA when the secret exponent d is small modulo p − 1 and q − 1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Durfee bound for small d. At Crypto 2002, May presented a partial solution in the case of an RSA modulus N = pq with unbalanced prime factors p and q. Based on Coppersmith's method, he showed that there is a polynomial time attack provided that q < N^0.382. We will improve this bound to q < N^0.468. Thus, our result comes close to the desired normal RSA case with balanced prime factors. We also present a second result for balanced RSA primes in the case that the public exponent e is significantly smaller than N. More precisely, we show that there is a polynomial time attack if d_p, d_q ≤ min{(N/e)^(2/5), N^(1/4)}. The method can be used to attack two fast RSA variants recently proposed by Galbraith, Heneghan, McKee, and by Sun, Wu.

... 1/4 then the factorization of N can be found in polynomial time using only the public information (N, e). In 1999, Boneh and Durfee [1] improved the bound to d < N^0.292. One can view these bounds as a benchmark for attacking RSA (see also the comments in the STORK-roadmap [12]). Thus, improving these bounds is a major research issue in public key cryptanalysis.
doi:10.1007/11745853_1 fatcat:slu7p6mlqnd6li37jzggn4aumq