## New Attacks on RSA with Small Secret CRT-Exponents
[chapter]

2006
*Lecture Notes in Computer Science*

It is well-known that there is an efficient method for decrypting/signing with RSA when the secret exponent d is small modulo p − 1 and q − 1. We call such an exponent d a small CRT-exponent. It is one of the major open problems in attacking RSA whether there exists a polynomial time attack for small CRT-exponents, i.e. a result that can be considered as an equivalent to the Wiener and Boneh-Durfee bound for small d. At Crypto 2002, May presented a partial solution in the case of an RSA modulus

doi:10.1007/11745853_1
fatcat:slu7p6mlqnd6li37jzggn4aumq