Consider RSA with $N = pq$, $q < p < 2q$, public encryption exponent $e$ and private decryption exponent $d$. We first study cryptanalysis of RSA when certain amount of the Most Significant Bits (MSBs) or Least Significant Bits (LSBs) of $d$ is known. The basic lattice based technique is similar to that of Ernst et al. in Eurocrypt 2005. However, our idea of guessing a few MSBs of the secret prime $p$ substantially reduces the requirement of MSBs or LSBs of $d$ for the key exposure attack. Further, we consider the RSA variant proposed by Sun and Yang in PKC 2005 and show that the partial key exposure attack works significantly on this variant.
展开▼
机译:考虑具有$ N = pq $,$ q <2q $,公共加密指数$ e $和私有解密指数$ d $的RSA。当已知一定数量的$ d $的最高有效位(MSB)或最低有效位(LSB)时,我们首先研究RSA的密码分析。基本的基于格的技术类似于Ernst等人的技术。可以在Eurocrypt 2005中找到。但是,我们猜测一些秘密素数$ p $的MSB的想法大大降低了密钥暴露攻击中$ d $的MSB或LSB的需求。此外,我们考虑了Sun和Yang在PKC 2005中提出的RSA变体,并表明部分密钥暴露攻击对该变体有很大作用。
展开▼
