Conference: International Conference on Network and System Security
Cryptanalysis of Exhaustive Search on Attacking RSA

Abstract

In the RSA equation $ed = k \cdot \Phi(N) + 1$, we may guess partial bits of $d$ or $p + q$ by exhaustive search to further extend the security boundary of $d$. In this paper, we discuss the following question: does guessing on $p + q$ bring more benefit than guessing on $d$? We provide a detailed analysis of this problem using the lattice reduction technique. Our analysis shows that leaking partial most significant bits (MSBs) of $p + q$ in RSA is riskier than leaking partial MSBs of $d$. This result inspires us to further extend the boundary of the Boneh-Durfee attack to $N^{0.284 + \Delta}$, where $\Delta$ is contributed by the capability of exhaustive search. Assuming that an exhaustive search over 64 bits is feasible in the current computational environment, the boundary of the Boneh-Durfee attack should be raised to $d < N^{0.328}$ for a 1024-bit RSA modulus. This is a 37-bit improvement over Boneh and Durfee's boundary.
