Professional Documents
Culture Documents
https://doi.org/10.1007/s00145-018-9282-3
Yao Lu
The University of Tokyo, Tokyo, Japan
Liqiang Peng
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
of Sciences, Beijing, China
Data Assurance and Communication Security Research Center, Chinese Academy of Sciences,
Beijing, China
lqpeng@is.ac.cn
∗ This paper is the full version of [56]. This research was supported by JST CREST Grant Number
JPMJCR14D6, Japan, JSPS KAKENHI Grant Number 17H06571, Japan, the National Natural Science
Foundation of China (Grants 61702505, 61472417, 61732021, 61502488, 61602471, 61772520), National
Cryptography Development Fund (MMJJ20170115, MMJJ20170124) and the Fundamental Theory and
Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Grants
Y7Z0341103, Y7Z0321102).
† During the work, the author was supported by a JSPS Fellowship for Young Scientists.
exponent RSA: a small dq attack for p < N 0.5 (an improvement of Bleichenbacher–
May’s) and a small d p and dq attack for d p , dq < N 0.122 (an improvement of Jochemsz–
May’s). The latter result is also an improvement of our result in the proceeding version
(Eurocrypt ’17); d p , dq < N 0.091 . We use Coppersmith’s lattice-based method to solve
modular equations and obtain the improvements from a novel lattice construction by
exploiting useful algebraic structures of the CRT-RSA key generation equation. We ex-
plicitly show proofs of our attacks and verify the validities by computer experiments. In
addition to the two main attacks, we also propose small dq attacks on several variants
of RSA.
Keywords. CRT-RSA, Cryptanalysis, Coppersmith’s method, Lattices,
LLL algorithm.
1. Introduction
1.1. Background
Let N = pq be a public RSA modulus whose prime factors p and q are usually the same
bitsize. A public exponent e and a secret exponent d satisfy ed = 1 mod ( p −1)(q −1).
For encryption/verifying (resp. decryption/signing), the heavy modular exponentiation
of e (resp. d) modulo N has to be computed. To resolve the issue, using a small public
or secret exponent may be the most simple approach. However, Wiener [57] showed
that a public RSA modulus is factorized in polynomial time when the secret exponent
is too small such that d < N 0.25 . Boneh and Durfee [3] revisited the problem with
Coppersmith’s lattice-based method [8,20] and improved the bound to d < N 0.284 .
Furthermore, in the same work, the bound was improved to d < N 0.292 by exploiting
sublattice structures from the previous one although the proof is involved.
To simultaneously thwart the small secret exponent attack and achieve fast decryp-
tion/signing, the Chinese Remainder Theorem (CRT) is often used as described by
Quisquater and Couvreur [40]. Instead of the original secret exponent d, there are CRT-
exponents d p and dq that satisfy
ed p = 1 mod ( p − 1) and edq = 1 mod (q − 1).
The PKCS#1 standard [39] has specified that an RSA secret key should be ( p, q, d, d p ,
dq , q −1
p ), where d p and dq are the CRT-exponents.
Then a natural question to ask is whether there exist analogous attacks of the Boneh–
Durfee [3] to the small CRT-exponents. The first affirmative answer was given by May
(Crypto’02) [29]. May analyzed the unbalanced RSA whose prime factor p is signifi-
cantly smaller than the other prime factor q, and proposed an attack for a small dq with
an arbitrary large d p . The paper contains two attacks, where the former attack works for
p < N 0.382 . The latter attack works only for smaller p, however, is better than the former
attack for p < N 0.23 in the sense that a larger dq can be recovered. Since May’s attack
works only in the unbalanced setting, it is an interesting open question if the attacks can
be improved to cover the balanced RSA.
Subsequently, several improved attacks on the small CRT-exponent RSA have been
proposed. Bleichenbacher and May (PKC’06) [5] revisited May’s work [29] in the same
attack scenario and proposed an improved attack. The attack works for a larger p such
that p < N 0.468 , and recovers a larger dq than May’s attack for any size of p. However,
Small CRT-Exponent RSA Revisited 1339
Bleichenbacher–May’s improved attack could still not cover balanced prime factors.
To attack the balanced RSA, Bleichenbacher and May analyzed other attack scenarios,
where both d p and dq are small in the same work. They proposed an attack which works
when e is significantly smaller than N . Although the same situation was already studied
by Galbraith et al. [14], Sun and Wu [45], their attacks only work for a smaller e. Finally,
Jochemsz and May (Crypto’07) [22] proposed the first attack that works for a full size
e when d p , dq < N 0.073 .
In the past decade, no improved attacks of Bleichenbacher–May [5] and Jochemsz–
May [22] have been proposed. Hence, following these attacks seems to be the best way
to study the security of the CRT-RSA. Indeed, until recently, several papers followed the
attacks and reported the vulnerabilities of the CRT-RSA, e.g., an attack on Takagi’s RSA
[43], an attack on the RSA with multiple exponent pairs [35], and partial key exposure
attacks [4,27,44,49,51].
of the major open problems for the security of the small CRT-exponent RSA. More-
over, our attack can recover a larger dq than [5,29] for any size of p. In addition, our
attack requires less lattice dimensions than Bleichenbacher–May’s attack [5] since our
technique exploits sublattice structures from [5]’s lattice, where the approach is similar
to Boneh–Durfee [3]. Indeed, our experiments show that Bleichenbacher–May’s attack
works better than their theoretical analyses. Hence, our careful analysis successfully fills
the gap between theoretical and experimental behaviors.
We claim that our lattice construction is not limited to the small dq attack. The con-
struction is also applicable to a small d p and dq attack (Sect. 4) that improves Jochemsz–
May’s attack [22]. As we mentioned, small dq attacks [5,29] and small d p and dq attacks
[22] were studied with different approaches in previous works; the former attack used
Coppersmith’s modular method, whereas the latter attack used Coppersmith’s integer
method. However, our powerful lattice construction enables us to improve these attacks
in the same manner. Our attack works for d p , dq < N 0.122 with a full size e where
the exponent of N is about 40% larger than Jochemsz–May’s attack. Notice that our
proposed attack in this paper is much better than that in our proceeding version [56] that
works when d p , dq < N 0.091 .
Recently, numerous papers [13,17,26,28,34–36,41–43,47,50,52] have been studying
the security of RSA variants. Hence, we show several extensions for our small dq attack
on the RSA variants (Sect. 5), i.e., the Multi-Prime RSA, Takagi’s RSA, and the RSA
with multiple exponent pairs. Our attacks significantly improve previous attacks on these
variants [35,43].
Recall in May’s and Bleichenbacher–May’s attack scenario [5,29], the prime p is sig-
nificantly smaller than the other prime q. They solved the latter equation (2) modulo
e to recover unknown (k − 1, p). Since the prime p is significantly smaller than the
other prime q, to construct better attacks, solving Eq. (2) is more promising approach
than solving Eq. (1) to recover (k, q). Hence, only Eq. (2) is used in previous attacks.
However, it means that the constructions of previous attacks significantly rely on the fact
that p is much smaller than q. As a result, these attacks do not work when p is close to
N 0.5 .
What we focus on is a fact that Eqs. (1) and (2) are essentially the same; there are two
representations for the same CRT-RSA key generation. As opposed to previous works,
our improved lattice constructions utilize the algebraic structure of both Eqs. (1) and (2)
simultaneously, not only the equation (2). The two representations are compatible in the
sense that the combination enables us to exploit more useful algebraic structures. More
Small CRT-Exponent RSA Revisited 1341
specifically, we use Eqs. (1) and (2), where the proportion can be adaptively determined
by the sizes of p and q. Then, to solve the modulo e equation as previous works, our
framework always yields the better lattices than previous approaches. Our attacks are
better than Bleichenbacher–May’s attack for any size of p.
At a glance, our lattice construction technique is specialized to the improvement of
Bleichenbacher–May’s attack. As we pointed out, May’s attack and Bleichenbacher–
May’s attack used Coppersmith’s method to solve a modular equation [8,20], whereas
Jochemsz–May’s attack used the method to solve an integer equation [7,11]. The mod-
ular equation for the former attack and the integer equation for the latter attack have
completely different algebraic structures. However, surprisingly, our powerful lattice
construction enables us to construct better lattices and improves Jochemsz–May’s at-
tack, too. It suggests that the construction is quite useful to study the security of CRT-RSA
over a wide range.
2. Preliminaries
Consider a modular equation h(x1 , . . . , xr ) = 0 (mod W ), where all the absolute values
of the target solutions (x̃1 , . . . , x̃r ) are bounded above by X 1 , . . . , X r . When rj=1 X j
is reasonably smaller than W , Coppersmith’s method can find all the solutions in poly-
nomial time. In this section, we recall a simplified reformulation of the method proposed
by Howgrave–Graham [20] and its basis tools, i.e., Howgrave–Graham’s lemma and the
LLL algorithm.
Let h(x1 , . . . , xr ) denote the norm of a polynomial which represents the Euclidean
norm of the coefficient vector. The following Howgrave–Graham’s lemma reduces the
modular equations into integer equations.
3. Small dq Attack
In this section, we propose an attack for small dq where p is significantly smaller than
q. The attack improves Bleichenbacher–May’s attack [5].
Small CRT-Exponent RSA Revisited 1343
edq = 1 + k(q − 1)
whose root is (xq , yq ) = (k, q), a public modulus N can be factorized. However, since
the prime factor q is significantly larger than the other prime factor p, i.e., p = N β and
q = N 1−β for β ≤ 1/2, May [29] multiplied the above equation by p and obtained the
following equation:
Hence, if the following modular equation can be solved, the public modulus N can be
factorized:
f p (x p , y p ) = N + x p (N − y p ) = 0 (mod e)
e, ex p , f p (x p , y p ), ey p , y p f p (x p , y p ), ey 2p , y 2p f p (x p , y p ).
All the polynomials share the common root as f p (x p , y p ) modulo e. In addition to the
base polynomials, i.e., e, ex p , f p (x p , y p ), he added extra y p -shifts, i.e., ey p , y p f p (x p ,
y p ), ey 2p , y 2p f p (x p , y p ). Applying the LLL reduction to the above matrix, polynomials
derived from the LLL output vectors satisfy Howgrave–Graham’s lemma when
e, ex p , f p (x p , y p ), ey p , y p f p (x p , y p ), eyq , N −1 · yq f p (x p , y p ) .
Although the precise definition of the polynomial selection is slightly different from the
one in the original paper, they are essentially the same in the sense that the above matrix
yields the same bound as the original Bleichenbacher–May attack. Applying the LLL
Small CRT-Exponent RSA Revisited 1345
reduction to the above matrix, polynomials derived from the LLL output vectors satisfy
Howgrave–Graham’s lemma when
e, ex p , f p (x p , y p ), ey p , y p f p (x p , y p ), f q (xq , yq ) .
x + ey = 0 (mod q)
whose root is (k − 1, dq ). Since the modulo e and the modulo q approach is different,
we should check which method is better. Although our modulo e attacks are the better in
most cases, we will show in Sect. 5.2 that the modulo p approach outperforms modulo
e approach for small d p attack with a modulus N = pr q.
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
As opposed to previous results, when α = 1, the attack works to β < 1/2. Figure 1
shows comparison of our result and the Bleichenbacher–May for α = 1. Our attack
covers larger δ than the Bleichenbacher–May attack for all β.
Fig. 1. Comparison between our attack (Theorem 1) and the Bleichenbacher–May for α = 1.
j
g[i, j] (x p , y p ) := x p f pi (x p , y p )em−i ,
j
j] (x p , y p ) := y p f p (x p , y p )e ,
i m−i
g[i,
i− j j
g[i, j] (x p , x q , y p , yq ) := f p (x p , y p ) f q (xq , yq )em−i ,
with some positive integer m. For nonnegative integers i and j, all the shift-polynomials
share the same root as f p (x p , y p ) and f q (xq , yq ) modulo em . May [29] used the same
shift-polynomials as g[i, j] (x p , y p ) and g[i,
Lemma 2. Let all the polynomials be defined as above. Let τ p and τq be constants
such that τ p ≥ 0 and 0 ≤ τq ≤ 1. Define sets of indices
Ix := {i = 0, 1, . . . , m; j = 0, 1, . . . , m − i},
I y, p := {i = 0, 1, . . . , m; j = 1, 2, . . . , τ p m},
I y,q := {i = 1, 2, . . . , m; j = 1, 2, . . . , τq i}.
j] (x p X p ,
g[i, j] ≺ g[i
, j
] , g[i, j] ≺ g[i
, j
] , g[i, j] ≺ g[i
, j
] for i < i ,
g[i, j] ≺ g[i, j
] , g[i, j] ≺ g[i, j
] , g[i, j] ≺ g[i, j
] for j < j ,
and N −1 (mod em ) is multiplied appropriately, then the matrix becomes triangular with
diagonal entries
i+ j
• X p Y pi em−i for g[i, j] (x p X p , y p Y p ),
• X ip Y p
i+ j m−i
e for g[i, j] (x p X p , y p Y p ),
j
(x Y , x X , y Y , y Y ).
• X qi Yq em−i for g[i, j] p p q q p p q q
Here, we do not prove the lemma. In Sect. 3.4, we prove a more general form of the
statement, i.e., Lemma 3.
We compute the resulting condition of Theorem 1. The dimension n and the determi-
sY sY
nant of the lattice det(B) = X s X Y p p Yq q ese can be computed as:
1 + 2τ p + τq 2
n= 1+ 1+ 1= m + o(m 2 ),
2
(i, j)∈Ix (i, j)∈I y, p (i, j)∈I y,q
2 + 3τ p + 2τq 3
sX = (i + j) + i+ i= m + o(m 3 ),
6
(i, j)∈Ix (i, j)∈I y, p (i, j)∈I y,q
1 + 3τ p + 3τ p2
sY p = i+ (i + j) = m 3 + o(m 3 ),
6
(i, j)∈Ix (i, j)∈I y, p
τq2
sYq = j= m 3 + o(m 3 ),
6
(i, j)∈I y,q
se = (m − i) + (m − i) + (m − i)
(i, j)∈Ix (i, j)∈I y, p (i, j)∈I y,q
2 + 3τ p + τq 3
= m + o(m 3 ).
6
Applying the LLL reduction, the polynomials obtained from the output vectors satisfy
sY sY
Howgrave–Graham’s lemma if X s X Y p p Yq q ese < enm , i.e.,
2 + 3τ p + 2τq 1 + 3τ p + 3τ p2 τq2
(α + β + δ − 1) +β + (1 − β)
6
6 6
2 + 3τ p + τq 1 + 2τ p + τq
+α − <0
6 2
Small CRT-Exponent RSA Revisited 1349
1 − 2β − δ 1−β −δ
τp = and τq = ,
2β 1−β
as required. To satisfy the restriction τ p ≥ 0, α > β/(1 − β) should hold. The other
parameter τq always satisfies 0 ≤ τq ≤ 1.
β
δ <1−β − αβ(1 − β) for β(1 − β) ≤ α ≤ ,
1−β
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
√
As we claimed, the bound of Theorem 2 is better than δ < 2(1−β)− (1 + α)(1 − β)
that can be obtained from the same algorithm construction as Theorem 1. We show the
proof of Theorem 2. The proof is more technical than that of Theorem 1; however, the
spirit is almost the same. In the subsequent sections, lattices that are similar to that of
Theorem 2 will be used.
j λi (1−λ)i
g[i, j],λ (x p , x q , y p , yq ) := yq f p (x p , y p ) f q (xq , yq )em−i ,
1350 A. Takayasu et al.
with some positive integer m and a parameter 0 < λ ≤ 1. For nonnegative integers i
and j, all the shift-polynomials share the common root as f p (x p , y p ) and f q (xq , yq )
modulo em . Here, notice that λi + (1 − λ)i = i for all i. The shift-polynomials
g[i, j] (x p , y p ) and g[i, j] (x p , y p ) used in the proof of Theorem 1 is the special case of
Lemma 3. Let all the polynomials be defined as above. Let τ be a constant such that
1 − λ < τ ≤ 1. Let m be a positive integer. Define sets of indices as
Ix := {i = 0, 1, . . . , m; j = 0, 1, . . . , m − i},
I yq := {i = 1, 2, . . . , m; j = 1, 2, . . . , τ i − (1 − λ)i}.
and N −1 (mod em ) is multiplied appropriately, then the matrix becomes triangular with
diagonal entries
i+ j λi
• X p Y p em−i for g[i, j],λ (x p X p , xq X q , y p Y p , yq Yq ) with i such that i = 0 or
λi − λ(i − 1) = 1,
i+ j (1−λ)i m−i
• X q Yq e for g[i, j],λ (x p X p , xq X q , y p Y p , yq Yq ) with i such that i = 0
and λi − λ(i − 1) = 0,
(1−λ)i+ j m−i
A proof of the lemma is the most technical part of this paper. We prove it in Sect. 3.4.
We compute the resulting condition of Theorem 2. The dimension n and the determi-
sY sY
nant of the lattice det(B) = X s X Y p p Yq q ese can be computed as:
λ+τ 2
n= 1+ 1= m + o(m 2 ),
2
(i, j)∈Ix (i, j)∈I yq
λ+τ 3
sX = (i + j) + i= m + o(m 3 ),
3
(i, j)∈Ix (i, j)∈I yq
λ2
sY p = λi = m 3 + o(m 3 ),
6
(i, j)∈Ix
Small CRT-Exponent RSA Revisited 1351
τ2 3
sYq = (1 − λ)i + ((1 − λ)i + j) = m + o(m 3 ),
6
(i, j)∈Ix (i, j)∈I yq
1+λ+τ 3
se = (m − i) + (m − i) = m + o(m 3 ).
6
(i, j)∈Ix (i, j)∈I yq
Applying the LLL reduction, the polynomials obtained from the output vectors satisfy
sY sY
Howgrave–Graham’s lemma if X s X Y p p Yq q ese < enm , i.e.,
λ+τ λ2 τ2 1+λ+τ λ+τ
(α + β + δ − 1) +β + (1 − β) + α − <0
3 6 6 6 2
1−β −δ 1−β −δ
λ= and τ = ,
β 1−β
Theorem 3. Let N = pq be an RSA modulus, where the prime factors p and q are the
same bitsize. Let e = N α and dq < N δ be a public/CRT-exponent, respectively, such
that edq = 1 (mod (q − 1)). Given public elements N and e, if N is sufficiently large
and
√
1− α 1
δ< for α ≥ ,
2 4
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
Theorem 4. ([28]) Let N = pq be an RSA modulus, where the prime factors p and q
are the same bitsize. Let e = N α and dq < N δ be a public/CRT-exponent, respectively,
such that edq = 1 (mod (q − 1)). Given public elements N and e, if
1352 A. Takayasu et al.
Fig. 2. Comparison between our attack (Theorem 3) and the attack of Lu et al. (Theorem 4) [28].
3 − 4α
δ< ,
8
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
Figure 2 shows comparison of our attack (Theorem 3) and that of Lu et al. (Theorem 4).
Our attack is better for all 1/4 < α < 1.
1 xp x 2p x 3p x p yp x 2p y p
e3 e3
x p e3 X p e3
x 2p e3 X 2p e3
x 3p e3 X 3p e3
f p e2 N e2 N X p e2 −X p Y p e2
x p f p e2 N X p e2 N X 2p e2 −X 2p Y p e2
x 2p f p e2 N X 2p e2 N X 3p e2
f p fq e − 2X p e − 2X 2p e N −1 X 2p Y p e
x p f p fq e − 2X 2p e − 2X 3p e
f p2 f q − 3N 2 X p −6N 2 X 2p − 3N 2 X 3p 3N X 2p Y p
yq f p e2 −X p e2
yq f p2 f q 3X 2p 3X 3p
x 3p y p xq2 yq xq3 yq x 3p y 2p xq yq xq3 yq2
e3
x p e3
x 2p e3
x 3p e3
f p e2
x p f p e2
x 2p f p e2 −X 3p Y p e2
f p fq e X q2 Yq e
x p f p fq e N −1 X 3p Y p e −X q2 Yq e X q3 Yq e
f p2 f q 3N X 3p Y p N 2 X q3 Yq −X 3p Y p2
yq f p e2 X q Yq e2
yq f p2 f q − 3N −1 X 3p Y p 3X q2 Yq − 3X q3 Yq X q3 Yq2
j
for i = 0 have only one monomial x p em , these polynomials generate triangular basis
j
matrix with diagonal entries X p em . Then the remaining proof is inductive; we show that
the basis matrix is still triangular with other polynomials.
At first, we assume that polynomials g[i
, j
],λ (x p , xq , y p , yq ) such that g[i
, j
],λ (x p , xq ,
y p , yq ) ≺ g[i, j],λ (x p , xq , y p , yq ) generate a triangular matrix as stated in Lemma 3.
Then, we show that a matrix is still triangular with a new polynomial g[i, j],λ (x p , xq , y p ,
i+ j λi i+ j (1−λ)i m−i
yq ) whose diagonal is X p Y p em−i or X q Yq e . By definition,
= x p (N + N x p − x p y p )λi (1 − xq + xq yq )(1−λ)i em−i .
j
1354 A. Takayasu et al.
1 xp x 2p x 3p x p yp x 2p y p x 3p y p
e3 e3
x p e3 X p e3
x 2p e3 X 2p e3
x 3p e3 X 3p e3
f p e2 N e2 N X p e2 −X p Y p e2
x p f p e2 N X p e2 N X 2p e2 −X 2p Y p e2
x 2p f p e2 N X 2p e2 N X 3p e2 −X 3p Y p e2
f p2 e N 2e 2N 2 X p e N 2 X 2p e −2N X p Y p e −2N X 2p Y p e
x p f p2 e N 2 X pe 2N 2 X 2p e N 2 X 3p e −2N X 2p Y p e −2N X 3p Y p e
f p2 f q − 3X p −6X 2p − 3X 3p 3N −1 X 2p Y p 3N −1 X 3p Y p
yq f p e2 −X p e2
yq f p2 e − 2X p e − 2X 2p e N −1 X 2p Y p e
yq2 f p2 e X 2p e
yq f p2 f q 3X 2p 3X 3p −N −1 X 3p Y p
x 2p y 2p x 3p y 2p xq3 yq xq yq xq2 yq xq2 yq2 xq3 yq2
e3
x p e3
x 2p e3
x 3p e3
f p e2
x p f p e2
x 2p f p e2
f p2 e X 2p Y p2 e
x p f p2 e X 3p Y p2 e
f p2 f q −N −2 X 3p Y p2 X q3 Yq
yq f p e2 X q Yq e2
yq f p2 e X q2 Yq e
yq2 f p2 e 2X q Yq e − 2X q2 Yq e X q2 Yq2 e
yq f p2 f q −3X q3 Yq 3X q2 Yq X q3 Yq2
= x p (N xq − x p y p )λi (x p + xq yq )(1−λ)i em−i .
j
⎛ ⎞
λi
λi
= xp ⎝ (−x p y p )i p · (N xq )λi−i p ⎠
j
ip
i p =0
⎛ ⎞
(1 − λ)i
(1−λ)i
(1−λ)i−i
×⎝ (xq yq ) q · x p
i q ⎠ em−i
iq
i q =0
Small CRT-Exponent RSA Revisited 1355
λi (1−λ)i
λi (1 − λ)i
= (−1)i p
ip iq
i p =0 i q =0
(1−λ)i+i p −i q + j λi−i p +i q i q i p m−i
× N λi−i p x p xq yq y p e .
From the relation y p yq = N , we modify all the monomial so that y p and yq do not
appear in each monomial, simultaneously. Then, the polynomial becomes
(1−λ)i
λi
λi (1 − λ)i
= (−1)i p
ip iq
i q =0 i p =i q
(1−λ)i+i p −i q + j λi−i p +i q i p −i q m−i
× N λi−i p +iq x p xq yp e
(1−λ)i
(1−λ)i−1
λi (1 − λ)i
+ (−1)i p
ip iq
i p =0 i q =i p +1
(1−λ)i+i p −i q + j λi−i p +i q i q −i p m−i
× N λi x p xq yq e .
Notice that there are no monomials that have y p and yq , simultaneously. The exponents
of y p in the first summation are nonnegative, whereas the exponents of yq in the second
summation are positive. Hence, as we discussed above, we replace all xq in the first
summation by x p + 1 and replace all x p in the second summation by xq − 1. Then, the
polynomial becomes
(1−λ)i
λi
λi (1 − λ)i
= (−1)i p N λi−i p +iq
ip iq
i q =0 i p =i q
(1−λ)i+i p −i q + j i −i
× xp + 1)λi−i p +iq y pp q em−i
(x p
(1−λ)i
(1−λ)i−1
i p λi (1 − λ)i
+ (−1) N λi
ip iq
i p =0 i q =i p +1
λi−i p +i q i q −i p m−i
× (xq − 1)(1−λ)i+i p −iq + j xq yq e
(1−λ)i
λi λi−i
p +iq
λi (1 − λ)i λi − i p + i q
= (−1)i p N λi−i p +iq
ip iq kp
i q =0 i p =i q k p =0
i+ j−k p i p −i q m−i
× xp yp e
(1−λ)i
(1−λ)i−1 p −iq + j
(1−λ)i+i
i p +kq λi (1 − λ)i
+ (−1)
ip iq
i p =0 i q =i p +1 kq =0
(1 − λ)i + i p − i q + j i+ j−kq i q −i p m−i
× · N λi xq yq e .
kq
i i
• x ppx y ppy for i py = 0, 1, . . . , λi,
i i
• xqq x yqqy for i qy = 1, 2, . . . , (1 − λ)i,
for some i px and i q x , respectively. When λi − λ(i − 1) = 1, all polynomials
g[i
, j
],λ (x p , xq , y p , yq ) that have diagonal entries for the following variables satisfy
g[i
, j
],λ (x p , xq , y p , yq ) ≺ g[i, j],λ (x p , xq , y p , yq ):
i i
• x ppx y ppy for i py = 0, 1, . . . , λi − 1,
i i
• xqq x yqqy for i qy = 1, 2, . . . , (1 − λ)i.
Since the remaining monomial in g[i, j],λ (x p , xq , y p , yq ) is only one element for a vari-
i+ j λi
able x p y p . Hence, as stated in Lemma 3, the diagonal for g[i, j],λ (x p , xq , y p , yq )
i+ j λi
such that λi − λ(i − 1) = 1 is X p Y p em−i . As the same way, we can prove that
the diagonal for g[i, j],λ (x p , xq , y p , yq ) such that i = 0 and λi − λ(i − 1) = 1 is
i+ j (1−λ)i m−i
X q Yq e .
Next, we assume that polynomials g[i
, j
],λ (x p , xq , y p , yq ) and g[i
, j
],λ (x p , xq , y p , yq )
such that g[i
, j
],λ (x p , xq , y p , yq ) ≺ g[i,
jλi (1−λ)i
g[i, j],λ (x p , x q , y p , yq ) = yq f p (x p , y p ) f q (xq , yq )em−i
= yq (N + N x p − x p y p )λi (1 − xq + xq yq )(1−λ)i em−i .
j
= yq (N xq − x p y p )λi (x p + xq yq )(1−λ)i em−i .
j
⎛ ⎞
λi
λi
= ⎝ (−x p y p )i p · (N xq )λi−i p ⎠
j
yq
ip
i p =0
⎛ ⎞
(1 − λ)i
(1−λ)i
(1−λ)i−i
×⎝ (xq yq )iq · x p q ⎠ m−i
e
iq
i q =0
λi (1−λ)i
λi (1 − λ)i
= (−1) ip
ip iq
i p =0 i q =0
(1−λ)i+i p −i q λi−i p +i q i q + j i p m−i
× N λi−i p x p xq yq y p e .
Small CRT-Exponent RSA Revisited 1357
From the relation y p yq = N , we modify all the monomial so that y p and yq do not
appear in each monomial, simultaneously. Then, the polynomial becomes
λi min{i p −
j,(1−λ)i}
i p λi (1 − λ)i
= (−1)
ip iq
i p= j i p =0
(1−λ)i+i p −i q λi−i p +i q i p −i q − j m−i
× N λi−i p +iq + j x p xq yp e
min{iq +
(1−λ)i j−1,λi}
λi (1 − λ)i
+ (−1)i p
ip iq
i q =0 i p =0
(1−λ)i+i p −i q λi−i p +i q i q −i p + j m−i
× N λi x p xq yq e .
Notice that there are no monomials that have y p and yq , simultaneously. The exponents
of y p in the first summation are nonnegative, whereas the exponents of yq in the second
summation are positive. Hence, as we discussed above, we replace all xq in the first
summation by x p + 1 and replace all x p in the second summation by xq − 1. Then, the
polynomial becomes
λi min{i p −
j,(1−λ)i}
λi (1 − λ)i
= (−1) ip
N λi−i p +iq + j ·
ip iq
i p= j i p =0
(1−λ)i+i p −i q i −i − j
xp + 1)λi−i p +iq y pp q em−i
(x p
min{iq +
(1−λ)i j−1,λi}
λi (1 − λ)i
+ (−1)i p N λi ·
ip iq
i q =0 i p =0
λi−i p +i q i q −i p + j m−i
(xq − 1)(1−λ)i+i p −iq xq yq e
j,(1−λ)i} λi−(i p −i q )
λi min{i p −
λi (1 − λ)i λi − (i p − i q )
= (−1)i p
ip iq kp
i p= j i p =0 k p =0
λi−i p +i q + j
N ·
i−k i −i − j
x p p y pp q em−i
min{iq +
(1−λ)i j−1,λi} (1−λ)i−(i q −i p )
i p +kq λi (1 − λ)i
+ (−1)
ip iq
i q =0 i p =0 kq =0
(1 − λ)i − (i q − i p )
N λi ·
kq
i−kq i q −i p + j m−i
N λi xq yq e .
1358 A. Takayasu et al.
Table 3. For 1000-bit RSA moduli, asymptotic and experimental comparisons of small dq attacks.
j],λ (x p , x q , y p , yq ):
i i
• xqq x yqqy for i qy = 1, 2, . . . , (1 − λ)i − 1.
Since the remaining monomial in g[i, j],λ (x p , xq , y p , yq ) is only one element for a vari-
(1−λ)i+ j
able xqi yq . Hence, as stated in Lemma 3, the diagonal for g[i, j],λ (x p , x q , y p , yq )
(1−λ)i+ j m−i
is X qi Yq e .
At the end of this section, we briefly show how to deduce Lemma 2 from Lemma 3. The
collection of shift-polynomials g[i, j] (x p , y p ) and g[i,
(x , x , y , y ) in Lemma 2 are
j] p q p q
essentially the same as g[i, j],λ (x p , xq , y p , yq ) and g[i,
(x , ,
j],λ p x q y p , yq ) in Lemma 3 for
λ = 1. Hence, by setting the parameters (λ, τ ) in Lemma 3 as (1, τq ), Lemma 3 shows
that g[i, j] (x p , y p ) and g[i,
Table 4. Asymptotic bounds and lattice dimension for small δ with fixed lattice dimensions.
β = 0.45
δ 0.010 0.020 0.030 0.040 0.052
dim. 110 180 335 1057 Asymptotic
β = 0.48
δ 0.002 0.005 0.010 0.015 0.020
dim. 462 650 1395 5262 Asymptotic
Fig. 3. Comparison of the achievable bound depending on the lattice dimension. The left and the right figures
are for β = 0.35 and β = 0.40, respectively.
In [5], the experimental results are much better than their theoretical analysis. For
example, for 440-bit factor q, with a lattice dimension of 63, in theory the attack should
not work (we can recover the small private key d p up to a size of N −0.083 ), however,
in practice, we succeed for d p with bitsize a 0.010-fraction of N . Since our lattice
construction captures the underlying sublattice structure of [5]’s desired lattice, we can
do better than [5]: with a lattice dimension of 66, experimentally we can reconstruct d p
with a size of N 0.012 .
Note that our result of Theorem 1 is an asymptotic improvement. In Table 4, we
present numerical values of δ for different values of β and lattice dimension. Moreover,
compared with [5], our method requires smaller lattice dimensions. For β = 0.35 and
β = 0.40, Fig. 3 shows a comparison of these two approaches in the terms of the bitsize
of small secret exponent d p that can be attacked.
In this section, we propose an attack when both d p and dq are small. The attack improves
Jochemsz–May’s attack [22] by utilizing our lattice construction technique. Furthermore,
the attack that we propose in this section is better than that in our proceeding version
[56].
1360 A. Takayasu et al.
edq = 1 + kq (q − 1) and ed p = 1 + k p ( p − 1)
with some integers kq and k p . Hence, if we can solve the following simultaneous modular
equations, RSA modulus N can be factorized:
where the root is (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) = (kq − 1, kq , k p , k p − 1, p, q). Let
e = N α , d p < N δ , and dq < N δ for a balanced RSA, i.e, q < p < 2q. The absolute
values of x p,1 , xq,1 , x p,2 , xq,2 are bounded above by X = N α+δ−1/2 within constant
factors, whereas the absolute values of y p and yq are bounded above by Y = N 1/2
within constant factors.
Unfortunately, an approach to solve the above four equations simultaneously does
not offer an improvement. The approach gives us only the same bound as Theorem 3.
Hence, we use an additional algebraic relation. From the CRT-RSA key generation,
h(x p,1 , xq,1 , x p,2 , xq,2 ) = (N − 1)x p,1 x p,2 + x p,1 + N x p,2 = 0 (mod e)
= (N − 1)xq,1 xq,2 + N xq,1 + xq,2 = 0 (mod e).
The polynomial also has two representations as the previous polynomials. Notice that
the same equation as h(x p,1 , xq,1 , x p,2 , xq,2 ) was already used by Galbraith et al. [14].
We make use of these equations and obtain the following result.
Theorem 5. Let N = pq be an RSA modulus, where p and q are the same bitsize. Let
e = N α and d p , dq < N δ be a public/CRT-exponent, respectively, such that edq = 1
(mod (q − 1)) and ed p = 1 (mod ( p − 1)). Given public elements N and e, if N is
sufficiently large and
1 α 7
δ< − for α ≥ ,
2 7 16
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
√
For the full size e, the attack works for δ < 1/2 − 1/ 7 = 0.122 · · · which is
better than Jochemsz–May’s bound [22], i.e., δ < 0.073. Our attack is better than all
existing attacks. Furthermore, the result proposed
√ in this paper is much better than our
proceeding version [56], i.e., δ < 1/2 − 1/ 6 = 0.091 · · · . We obtain the improvement
by exploiting sublattice structures from the lattice in [56]. Therefore, our proposed attack
in this paper is practically faster than our previous attack [56].
Proof of Theorem 5. To solve the above modular equations, we use the following shift-
polynomials:
with some positive integer m. For nonnegative integers i 1 , i 2 , j1 , i 2 , and u, all the shift-
polynomials share the common root as f p,1 (x p,1 , y p ), f p,2 (x p,2 , y p ), f q,1 (xq,1 , yq ),
f q,2 (xq,2 , yq ), and h(x p,1 , xq,1 , x p,2 , xq,2 ) modulo em . Then we can construct triangular
basis matrix as follows.
Lemma 4. Let all the polynomials be defined as above. Let τ be a constant such that
1/2 ≤ τ ≤ 1. Define sets of indices as
⎧ ⎫
⎪
⎪ i 1 = 0, 1, . . . , m2 ; i 2 = 0, 1, . . . , m2 ; j1 = 0; j2 = 0; ⎪
⎪
⎪
⎪ ⎪
⎪
⎪
⎪ u = 0, 1, . . . , min{ m
− i 1 , m
− i 2 }, and ⎪
⎪
⎪
⎪
2 2 ⎪
⎪
⎪
⎪ i 1 = 0, 1, . . . , m
− 1; i 2 = 1, 2, . . . , m
; j 1 = 1; j2 = 0; ⎪
⎪
⎨ 2 2 ⎬
u = 0, 1, . . . , min{ 2 − i 1 − 1, 2 − i 2 }, and
m m
Ix = ,
⎪ i 1 = 0, 1, . . . , 2 ; i m 2 = 0; j1 = 1, 2, . . . , 2 − i 1 ; j2 = 0; ⎪
m m
⎪ ⎪
⎪
⎪ ⎪
⎪
⎪
⎪ u = 0, 1, . . . , 2 − i 1 − j1 , and ⎪
⎪
⎪
⎪ ⎪
⎪
⎪
⎪ i 1 = 0; i 2 = 0, 1, . . . , m
; j1 = 0; j 2 = 1, 2, . . . , m
− i 2 ; ⎪
⎪
⎩ 2 2 ⎭
u = 0, 1, . . . , 2 − i 2 − j2 ,
m
m m
I y, p = i 1 = 0, 1, . . . , ; i 2 = 0, 1, . . . , ; j1 = 1, 2, . . . , τ (i 1 + i 2 )
2 2
−(i 1 + i 2 )/2, } ,
m m
I y,q = i 1 = 0, 1, . . . , ; i 2 = 0, 1, . . . , ; j2 = 1, 2, . . . , τ (i 1 + i 2 )
2 2
−(i 1 + i 2 )/2, } ,
Let B be a matrix whose rows consist of coefficients of g[i1 ,i2 , j1 , j2 ,u] (x p,1 X p,1 , xq,1
X q,1 , x p,2 X p,2 , xq,2 X q,2 , y p Y p , yq Yq ), g[i
1 ,i2 , j1 ], p (x p,1 X p,1 , xq,1 X q,1 , x p,2 X p,2 , xq,2
X q,2 , y p Y p , yq Yq ), and g[i
1 ,i2 , j2 ],q (x p,1 X p,1 , xq,1 X q,1 , x p,2 X p,2 , xq,2 X q,2 , y p Y p , yq Yq )
with indices in Ix , I y, p , and I y,q , respectively. If the shift-polynomials are ordered as
g[i
,i
, j
] ≺ g[i
1 ,i2 , j1 ], p for i 1
+ i 2
= i 1 + i 2 , j1
< j1 ,
1 2 1
g[i
,i
, j
],q ≺ g[i
1 ,i2 , j2 ],q for i 1
+ i 2
= i 1 + i 2 , j2
< j2 ,
1 2 2
and N −1 (mod em ) is multiplied appropriately, then the matrix becomes triangular with
diagonal entries
i + j1 +u i + j2 +u (i 1 +i 2 )/2 m−(i 1 +i 2 +u)
• X p,1
1 2
X p,2 Yp e for g[i1 ,i2 , j1 , j2 ,u] if i 1 + i 2 is odd,
i 1 + j1 +u i 2 + j2 +u (i 1 +i 2 )/2 m−(i 1 +i 2 +u)
• X q,1 X q,2 Yq e for g[i1 ,i2 , j1 , j2 ,u] if i 1 + i 2 is even,
Small CRT-Exponent RSA Revisited 1363
(i 1 +i 2 )/2+ j1 m−(i 1 +i 2 )
• X ip,1
1
X ip,2
2
Yp e for g[i
1 ,i2 , j1 ], p ,
(i 1 +i 2 )/2+ j2 m−(i 1 +i 2 )
i1
• X q,1 i2
X q,2 Yq e for g[i
1 ,i2 , j2 ],q .
τ 3
n= 1+ 1+ 1= m + o(m 3 ),
4
(i 1 ,i 2 , j1 , j2 ,u)∈Ix (i 1 ,i 2 , j1 )∈I y, p (i 1 ,i 2 , j2 )∈I y,q
sX = (i 1 + i 2 + j1 + j2 + 2u) + (i 1 + i 2 )
(i 1 ,i 2 , j1 , j2 ,u)∈Ix (i 1 ,i 2 , j1 )∈I y, p
+ (i 1 + i 2 )
(i 1 ,i 2 , j2 )∈I y,q
7τ 4
= m + o(m 4 ),
48
i1 + i2 i1 + i2
sY = +
(i 1 ,i 2 , j1 , j2 ,u)∈Ix
2 (i 1 ,i 2 , j1 , j2 ,u)∈Ix
2
s.t. i 1 +i 2 is odd s.t. i 1 +i 2 is even
i1 + i2 i1 + i2
+ + j1 + + j2
2 2
(i 1 ,i 2 , j1 )∈I y, p (i 1 ,i 2 , j2 )∈I y,q
7τ 2
= m 4 + o(m 4 ),
96
se = (m − (i 1 + i 2 + u))
(i 1 ,i 2 , j1 , j2 ,u)∈Ix
+ (m − (i 1 + i 2 )) + (m − (i 1 + i 2 ))
(i 1 ,i 2 , j1 )∈I y, p (i 1 ,i 2 , j2 )∈I y,q
1 + 5τ 4
= m + o(m 4 ).
48
Applying the LLL reduction, the polynomials obtained from the output vectors satisfy
Howgrave–Graham’s lemma if X s X Y sY ese < enm , i.e.,
1 7τ 1 7τ 2 1 + 5τ τ
α+δ− · + · +α· <α· .
2 48 2 96 48 4
Notice that the polynomials are similar to g[i, j],λ (x p , xq , y p , yq ) for λ = 1/2 in
Lemma 3. Then, the polynomials generate triangular basis matrix as claimed in Lemma 4.
Similarly, the polynomials g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) for (i 1 , j1 , u) =
(0, 0, 0) generate triangular basis matrix. Since the proof is completely the same as that
of Lemma 3, we omit it here. Then, the remaining proof is inductive; we show that the
basis matrix is still triangular with other polynomials.
At first, we assume that polynomials g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) such
that g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) ≺ g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 ,
y p , yq ) generate a triangular matrix as stated in Lemma 4. Then, we show that a matrix is
still triangular with a new polynomial g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) whose
i 1 + j1 +u i 2 + j2 +u (i 1 +i 2 )/2 m−(i 1 +i 2 +u)
diagonal is x p,1 x p,2 yp e . By definition,
From the relation xq,1 = x p,1 + 1, x p,2 = xq,2 + 1 and equivalently x p,1 = xq,1 − 1,
xq,2 = x p,2 − 1, the polynomial becomes
i i
By expanding N xq,1 − x p,1 y p 1 and −xq,2 + x p,2 y p 2 , the polynomial becomes
(i +i )/2
yq 1 2 h u (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) ·
j j
= x p,1
1 2
x p,2
⎛ ⎞
i1
i i p,1
⎝ 1
−x p,1 y p (N xq,1 )i1 −i p,1 ⎠
i p,1
i p,1 =0
⎛ ⎞
i2
i i p,2
⎝ 2
x p,2 y p (−xq,2 )i2 −i p,2 ⎠
i p,2
i p,2 =0
(i +i )/2
yq 1 2 h u (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) ·
j j
= x p,1
1 2
x p,2
⎛ ⎞
i1 i2
⎝ i1 i2 i p,1 i p,2 i 1 −i p,1 i 2 −i p,2 i p,1 +i p,2
⎠
(−1)i p,1 +i2 −i p,2 N i1 −i p,1 x p,1 x p,2 xq,1 xq,2 y p
i p,1 i p,2
i p,1 =0 i p,2 =0
(i +i 2 )/2 u
= yq 1 h (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) ·
⎛
1 +i 2
i min{i 1 ,i p }
⎝ i2 i1
(−1)2i p,1 +i2 −i p N i1 −i p,1 ·
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 }
i p,1 + j1 i p −i p,1 + j2 i 1 −i p,1 i 2 −i p +i p,1 i p
x p,1 x p,2 xq,1 xq,2 yp .
From the relation y p yq = N , we modify all the monomials so that y p and yq do not
appear in each monomial, simultaneously. Then, the polynomial becomes
Notice that there are no monomials that have y p and yq simultaneously. The exponents
of y p in the first summation are positive, whereas the exponents of yq in the second
summation are nonnegative.
By expanding
1 +i 2
i min{i 1 ,i p }
u
i2 i1 u
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2+1 i p,1 =max{0,i p −i 2 } =0
Next, as we discussed above, we replace all xq,1 , xq,2 in the first summation by
x p,1 + 1, x p,2 − 1, respectively, and replace all x p,1 , x p,2 in the second summation by
xq,1 − 1, xq,2 + 1, respectively. Then, the polynomial becomes
1 +i 2
i min{i 1 ,i p }
u
i2 i1 u
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2+1 i p,1 =max{0,i p −i 2 } =0
1 +i 2
i min{i 1 ,i p }
u
i2 i1 u
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2+1 i p,1 =max{0,i p −i 2 } =0
1 +i 2
i min{i 1 ,i p } u i 1 −i p,1 + i 2 −i p +i p,1 +u−
i2 i1 u
= ·
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2+1 i p,1 =max{0,i p −i 2 } =0 k p,1 =0 k p,2 =0
i 1 − i p,1 + i 2 − i p + i p,1 + u −
(−1)2i p,1 +i2 −i p +u−+k p,2 N i1 −i p,1 +(i1 +i2 )/2+ ·
k p,1 k p,2
i + j1 +u−k p,1 i 2 + j2 +u−k p,2 i p −(i 1 +i 2 )/2 m−(i 1 +i 2 +u)
1
x p,1 x p,2 yp e
(i 1
+i 2 )/2 min{i 1 ,i p } j1 +u− i p −i p,1 + j2 +
u i p,1 +
i2 i1 u
+ ·
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 } =0 kq,1 =0 kq,2 =0
i p,1 + j1 + u − i p + j2 + − i p,1
(−1)2i p,1 +i2 −i p +u−+kq,1 N i1 −i p,1 +i p + ·
kq,1 kq,2
i + j1 +u−kq,1 i 2 + j2 +u−kq,2 (i 1 +i 2 )/2−i p m−(i 1 +i 2 +u)
1
xq,1 xq,2 yq e .
1368 A. Takayasu et al.
Hence, we focus on the monomials in g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) for
variables
i i (i +i )/2
• x p,1
px,1 px,2
x p,2 yp 1 2 for i px,1 = i 1 + j1 , i 1 + j1 + 1, . . . , i 1 + j1 + u; i px,2 =
i 2 + j2 , i 2 + j2 + 1, . . . , i 2 + j2 + u.
All polynomials g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) that have the above diagonal
i + j +u i + j +u (i +i )/2
entries for variables except x p,1 1 1 2
x p,2 2
yp 1 2 satisfy g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 ,
x p,2 , xq,2 , y p , yq ) ≺ g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ). Hence, as stated in
Lemma 4, the polynomial g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) for odd (i 1 +i 2 ) has
i 1 + j1 +u i 2 + j2 +u (i 1 +i 2 )/2 m−(i 1 +i 2 +u)
a diagonal X p,1 X p,2 Yp e . Similarly, we can prove the state-
ment when (i 1 +i 2 ) is even. Hence, polynomials g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p ,
yq ) generate triangular basis matrix as stated in Lemma 4.
Next, we assume that polynomials g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) and
g[i
,i
, j
], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) such that g[i
,i
, j
], p (x p,1 , xq,1 , x p,2 , xq,2 , y p ,
1 2 1 1 2 1
yq ) ≺ g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) generate a triangular matrix as stated
in Lemma 4. Then, we show that a matrix is still triangular with a new polynomial
(i +i )/2+ j1
g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) whose diagonal is x ip,11
x ip,2
2
yp 1 2
em−(i1 +i2 ) . By definition,
g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq )
(i 1 +i 2 )/2− j1
= yq i1
f p,1 i2
(x p,1 , y p ) f p,2 (x p,2 , y p )em−(i1 +i2 )
(i +i )/2− j1 i i
= yq 1 2 N + x p,1 (N − y p ) 1 1 + x p,2 (y p − 1) 2 em−(i1 +i2 ) .
From the relation x p,1 = xq,1 − 1 and x p,2 = xq,2 + 1, the polynomial becomes
i i
By expanding N xq,1 − x p,1 y p 1 and −xq,2 + x p,2 y p 2 , the polynomial becomes
From the relation y p yq = N , we modify all the monomial so that y p and yq do not
appear in each monomial, simultaneously. Then, the polynomial becomes
⎛
1 +i 2
i min{i 1 ,i p }
i2 i1
= ⎝ (−1)2i p,1 +i2 −i p
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2− j1 +1 i p,1 =max{0,i p −i 2 }
Notice that there are no monomials that have y p and yq , simultaneously. The exponents
of y p in the first summation are positive, whereas the exponents of yq in the second
summation are nonnegative.
Next, as we discussed above, we replace all xq,1 , xq,2 in the first summation by
x p,1 + 1, x p,2 − 1, respectively, and replace all x p,1 , x p,2 in the second summation by
xq,1 − 1, xq,2 + 1, respectively. Then, the polynomial becomes
1370 A. Takayasu et al.
1 +i 2
i min{i 1 ,i p }
i2 i1
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2− j1 +1 i p,1 =max{0,i p −i 2 }
1 +i 2
i min{i 1 ,i p }
i2 i1
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2− j1 +1 i p,1 =max{0,i p −i 2 }
1 +i 2
i min{i 1 ,i p } i 1 −i p,1 i 2 −i p +i p,1
i2 i1
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2− j1 +1 i p,1 =max{0,i p −i 2 } k p,1 =0 k p,2 =0
i 1 − i p,1 i 2 − i p + i p,1
·
k p,1 k p,2
Small CRT-Exponent RSA Revisited 1371
g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) or g[i
,i
, j
], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq )
1 2 1
such that g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) ≺ g[i
,i
, j
], p (x p,1 , xq,1 , x p,2 , xq,2 ,
1 2 1
y p , yq ), as stated in Lemma 4, the diagonal of g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) in
(i +i )/2+ j
1 m−(i 1 +i 2 )
the triangular basis matrix is X ip,1
1
X ip,2
2
Yp 1 2 e . Similarly, we can prove
that the polynomials generate triangular basis matrix and the diagonal of g[i
1 ,i2 , j2 ],q (x p,1 ,
i1 i2 (i 1 +i 2 )/2+ j2 m−(i 1 +i 2 )
xq,1 , x p,2 , xq,2 , y p , yq ) is X q,1 X q,2 Yq e .
In this section, we study small CRT-exponent attacks on the RSA variants, i.e., the Multi-
Prime RSA, Takagi’s RSA, and the RSA with multiple exponent pairs. We extend our
attack of Theorem 2 to the variants.
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
We can successfully extend an attack for the Multi-Prime RSA in the sense that Theo-
rem 6 becomes the same as Theorem 3 for r = 2.
ed pi = 1 + k pi ( pi − 1)
Small CRT-Exponent RSA Revisited 1373
ed pi N / pi = N / pi + k pi (N − N / pi ) = (k pi − 1)(N − N / pi ) + N .
f N / pi (x N / pi , y N / pi ) := N + x N / pi (N − y N / pi ) = 0 (mod e),
f pi (x pi , y pi ) := 1 + x pi (y pi − 1) = 0 (mod e),
We also extend May’s modulo pi attack [29] for the Multi-Prime RSA as follows.
Theorem 7. (Adapted from [28]) Let N = ri=1 pi be an RSA modulus, where r ≥ 2
and all the prime factors p1 , . . . , pr are the same bitsize. Let e = N α and d pi < N δi
be a public/CRT-exponent, respectively such that ed pi = 1 (mod ( pi − 1)) for all
i = 1, . . . , r . Given public elements N and e, if
r + 1 − r 2α
min δi < ,
i∈{1,...,r } 2r 2
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
We can successfully extend an attack for the Multi-Prime RSA in the sense that
Theorem 7 becomes the same as Theorem 4 for r = 2. We omit the proof since it is
almost the same as Theorem 9 of [28]. The bound of Theorem 6 is always better than or
equal to that of Theorem 7. Figure 4 shows comparison of the attack condition between
Theorem 6 and 7 for r = 3 and 4.
Fig. 4. Comparisons between our attacks of Theorem 6 and 7. The left and the right figures are for r = 3 and
4, respectively.
exponent, respectively, such that ed p = 1 (mod ( p − 1)) and edq = 1 (mod (q − 1)).
Given public elements N and e, if N is sufficiently large and
√
1 − rα r
min{δ p , δq } < for α > ,
r +1 (r + 1)2
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
We can successfully extend an attack for Takagi’s RSA in the sense that Theorem 8
becomes the same as Theorem 3 for r = 1. Although Shinohara et al. [43] extended
Bleichenbacher–May’s attack, our attack is always better.
ed p = 1 + k p ( p − 1) and edq = 1 + kq (q − 1)
ed p pr −1 q = pr −1 q + k p (N − pr −1 q) = (k p − 1)(N − pr −1 q) + N and
edq pr = pr + kq (N − pr ) = (kq − 1)(N − pr ) + N .
f pr −1 q (x pr −1 q , y pr −1 q ) := N + x pr −1 q (N − y pr −1 q ) = 0 (mod e),
f p (x p , y p ) := 1 + x p (y p − 1) = 0 (mod e),
f pr (x pr , y pr ) := N + x pr (N − y pr ) = 0 (mod e),
f q (xq , yq ) := 1 + xq (yq − 1) = 0 (mod e),
Small CRT-Exponent RSA Revisited 1375
Fig. 5. Comparisons between our attacks of Theorems 8 and 9 . The left and the right figures are for r = 2
and 3, respectively.
1−(r +1)δ
We set the parameters λ = ,τ = 1 − (r + 1)δ and the condition becomes
√ r
1− r α
δ < (r +1) as required. To satisfy the restrictions of parameters, α > r
(r +1)2
should
hold.
We also extend May’s modulo a prime factor attack [29] for Takagi’s RSA as follows.
2r + 1 − (r + 1)2 α r + 2 − (r + 1)2 α
δp < or δq < ,
2(r + 1)2 2(r + 1)2
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
We can successfully extend an attack for the Takagi’s RSA in the sense that Theorem 9
becomes the same as Theorem 4 for r = 1. We omit the proof since it is almost the same
as Theorem 9 of [28]. The bound for δq of Theorem 8 is always better than or equal to
that of Theorem 9; however, the bound for δ p of Theorem 9 is better than or equal to that
of Theorem 8. Figure 5 shows comparison of the attack condition for small d p between
Theorem 8 and 9 for r = 2 and 3.
1376 A. Takayasu et al.
Theorem 10. Let N = pq be an RSA modulus, where the prime factors p and q
are the same bitsize. Let e = N α and dq, < N δ for = 1, . . . , r be a public/CRT
exponent, respectively, such that e dq, = 1 (mod (q − 1)). Given public elements N
and e1 , . . . , er , if N is sufficiently large and
1 α
δ< − ,
2 3r + 1
We can successfully extend the attack for RSA with multiple exponent pairs in the
sense that Theorem 10 becomes the same as Theorem 3 for r = 1. We do not think
May’s modulo q approach is an appropriate way for the attack scenario, and hence, we
do not extend it. Peng et al. proposed the attack (Theorem 2 of [35]) which extended
Bleichenbacher–May’s [5] and works when δ < (9r − 14)/(24r + 8) for an α = 1.
Theorem 10 is always better than the attack of Peng et al. Indeed, even if there are
infinitely many exponent pairs r , the attack of Peng et al. works for δ < 3/8, whereas
our attack works for the same bound of δ with only 21 exponent pairs. Figure 6 shows
comparison of recoverable sizes of dq between our attack and that of Peng et al. [35].
Proof of Theorem 10. Recall the CRT-RSA key generation for dq, ;
e dq, = 1 + k (q − 1)
whose root is (x p, , xq, , y p , yq ) = (k −1, k , p, q). The absolute values of the root are
bounded above by X := N α+δ−1/2 for x p, and xq, , Y := N 1/2 for y p , yq , respectively,
within constant factors.
To solve the modular equations, we use the following shift-polynomials
j i/2 i/2
g[i, j] (x p, , xq, , y p , yq ) := x p, f p, (x p, , y p ) f q, (xq, , yq )em−i ,
Small CRT-Exponent RSA Revisited 1377
Fig. 6. Comparison between our attack (Theorem 10) and the attack of Peng et al. [35].
i/2+ j i/2− j
g[i, j] (x p, , x q, , y p , yq ) := f p, (x p, , y p ) f q, (xq, , yq )em−i ,
i/2− j i/2+ j
g[i, j] (x p, , x q, , y p , yq ) := f p, (x p, , y p ) f q, (xq, , yq )em−i ,
with some positive odd integer m. All the shift-polynomials share the common root
modulo em . Let τ be a constant such that 0 < τ ≤ 1. We use the shift-polynomials
!
1
g[i, j] (x p, , xq, , y p , yq ) for i = 0, 1, . . . , m; j = min 0, − 1 i , . . . , m − i,
2τ
τ (i X 1 +···+i X r ) τ (i X 1 +···+i X r )
m
m
m
m
n= ··· 1+ ··· 1
i X 1 =0 i X r =0 i Y =1 i X 1 =0 i X r =0 i Y =0
= r τ m r +1 + o(m r +1 ),
1378 A. Takayasu et al.
τ (i X 1 +···+i X r )
r
m
m r (3r + 1)τ r +2
sX = 2 ··· i X = m + o(m r +2 ),
6
=1 i X 1 =0 i X r =0 i Y =0
τ (i X 1 +···+i X r )
m
m r (3r + 1)τ 2 r +2
sY = 2 ··· iY = m + o(m r +2 ),
12
i X 1 =0 i X k =0 i Y =0
τ (i X 1 +···+i X r )
r
m
m
se = ··· (m − min{i X , 2i Y − 1})
=1 i X 1 =0 i X r =0 i Y =1
τ (i X 1 +···+i X r )
r
m
m
+ ··· (m − min{i X , 2i Y })
=1 i X 1 =0 i X r =0 i Y =0
(3r − 1)τ + 1 k+2
= m + o(m k+2 ).
6
Applying the LLL reduction, the polynomials obtained from the output vectors satisfy
Howgrave–Graham’s lemma if X s X Y sY ese < enm , i.e.,
1 r (3r + 1)τ 1 r (3r + 1)τ 2 (3r − 1)τ + 1
α+δ− + · +α·r − rτ < 0
2 6 2 12 6
as required.
in [56], there still exists a gap. In other words, it seems that there is still room for im-
provements of the bound N 0.122 by this approach. Specifically, for the 31-dimensional
lattices (resp. 84-dimensional lattices), the theoretically predicted bound δ should be
0.00 (resp. 0.03), however, we successfully find integer equations when δ ≤ 0.03 (resp.
δ ≤ 0.05). We think that the reason for this gap derives from that to make the matrix
triangular, we can not only remove the unhelpful polynomials. The open problem is how
to further improve this bound to fill the gap between achievable bound in experiments
and the theoretically predicted bound. We hope our novel lattice construction can be
fully analyzed and lead to a better results.
Acknowledgements
We would like to thank Shuichi Katsumata for his helpful comments. We also thank the
anonymous reviewers for their useful comments and suggestions.
References
[1] Y. Aono, Minkowski sum based lattice construction for multivariate simultaneous Coppersmith’s tech-
nique and applications to RSA. in Colin Boyd and Leonie Simpson, editors, Information Security and
Privacy—18th Australasian Conference, ACISP 2013, Volume 7959 of Lecture Notes in Computer Sci-
ence (Springer, 2013), pp. 88–103
[2] W. Bosma, J.J. Cannon, Catherine Playoust, The magma algebra system I: the user language. J. Symb.
Comput., 24(3/4), 235–265, 1997.
[3] D. Boneh, G. Durfee, Cryptanalysis of RSA with private key d less than N 0.292 . IEEE Trans. Information
Theory, 46(4), 1339–1349 (2000).
[4] J. Blömer, A. May, New partial key exposure attacks on RSA, in Dan Boneh, editor, Advances in
Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Volume 2729 of Lecture
Notes in Computer Science (Springer, 2003), pp. 27–43
[5] D. Bleichenbacher, A. May, New attacks on RSA with small secret CRT-exponents, in Moti Yung,
Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors, Public Key Cryptography—PKC 2006, 9th
International Conference on Theory and Practice of Public-Key Cryptography, volume 3958 of Lecture
Notes in Computer Science (Springer, 2006), pp. 1–13
[6] A. Bauer, D. Vergnaud, J.-C. Zapalowicz, Inferring sequences produced by nonlinear pseudorandom
number generators using Coppersmith’s methods, in Marc Fischlin, Johannes A. Buchmann, and Mark
Manulis, editors, Public Key Cryptography-PKC 2012—15th International Conference on Practice and
Theory in Public Key Cryptography, volume 7293 of Lecture Notes in Computer Science (Springer,
2012), pp. 609–626
[7] D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known,
in Ueli M. Maurer, editor, Advances in Cryptology—EUROCRYPT ’96, International Conference on
the Theory and Application of Cryptographic Techniques, volume 1070 of Lecture Notes in Computer
Science (Springer, 1996), pp. 178–189
[8] D. Coppersmith, Finding a small root of a univariate modular equation, in Ueli M. Maurer, editor,
Advances in Cryptology—EUROCRYPT ’96, International Conference on the Theory and Application
of Cryptographic Techniques, Volume 1070 of Lecture Notes in Computer Science (Springer, 1996), pp.
155–165
[9] D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J.
Cryptology, 10(4), 233–260 (1997)
1380 A. Takayasu et al.
[10] D. Coppersmith, Finding small solutions to small degree polynomials, in Joseph H. Silverman, editor,
Cryptography and Lattices, International Conference, CaLC 2001, Volume 2146 of Lecture Notes in
Computer Science (Springer, 2001), pp. 20–31
[11] J. Coron, Finding small roots of bivariate integer polynomial equations revisited, in Christian Cachin
and Jan Camenisch, editors, Advances in Cryptology—EUROCRYPT 2004, International Conference on
the Theory and Applications of Cryptographic Techniques, Volume 3027 of Lecture Notes in Computer
Science (Springer, 2004), pp. 492–505
[12] G. Durfee, P.Q. Nguyen, Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt
’99, in Tatsuaki Okamoto, editor, Advances in Cryptology—ASIACRYPT 2000, 6th International Con-
ference on the Theory and Application of Cryptology and Information Security, Volume 1976 of Lecture
Notes in Computer Science (Springer, 2000), pp. 14–29
[13] M.F. Esgin, M.S. Kiraz, O. Uzunkol, A new partial key exposure attack on multi-power RSA, in Andreas
Maletti, editor, Algebraic Informatics—6th International Conference, CAI 2015, Volume 9270 of Lecture
Notes in Computer Science (Springer, 2015), pp. 103–114
[14] S.D. Galbraith, C. Heneghan, J.F. McKee, Tunable balancing of RSA, in Colin Boyd and Juan
Manuel González Nieto, editors, Information Security and Privacy, 10th Australasian Conference, ACISP
2005, Volume 3574 of Lecture Notes in Computer Science (Springer, 2005), pp. 280–292
[15] M. Herrmann, Lattice-Based Cryptanalysis Using Unravelled Linearization. Ph.D. thesis, der Ruhr-
University Bochum (2011)
[16] Z. Huang, L. Hu, J. Xu, Attacking RSA with a composed decryption exponent using unravelled lineariza-
tion, in Dongdai Lin, Moti Yung, and Jianying Zhou, editors, Information Security and Cryptology—10th
International Conference, Inscrypt 2014, Volume 8957 of Lecture Notes in Computer Science (Springer,
2014), pp. 207–219
[17] Z. Huang, L. Hu, J. Xu, L. Peng, Y. Xie, Partial key exposure attacks on Takagi’s variant of RSA,
in Ioana Boureanu, Philippe Owesarski, and Serge Vaudenay, editors, Applied Cryptography and Net-
work Security—12th International Conference, ACNS 2014, Volume 8479 of Lecture Notes in Computer
Science (Springer, 2014), pp. 134–150
[18] M. Herrmann, A. May, Attacking power generators using unravelled linearization: when do we output
too much? in Mitsuru Matsui, editor, Advances in Cryptology - ASIACRYPT 2009, 15th International
Conference on the Theory and Application of Cryptology and Information Security, Volume 5912 of
Lecture Notes in Computer Science (Springer, 2009), pp. 487–504
[19] M. Herrmann, A. May, Maximizing small root bounds by linearization and applications to small secret
exponent RSA, in Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography—PKC
2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Volume 6056
of Lecture Notes in Computer Science (Springer, 2010), pp. 53–69
[20] N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, in Michael Darnell,
editor, Cryptography and Coding, 6th IMA International Conference, Volume 1355 of Lecture Notes in
Computer Science (Springer, 1997), pp. 131–142
[21] E. Jochemsz, A. May, A strategy for finding roots of multivariate polynomials with new applications in
attacking RSA variants, in Xuejia Lai and Kefei Chen, editors, Advances in Cryptology—ASIACRYPT
2006, 12th International Conference on the Theory and Application of Cryptology and Information
Security, Volume 4284 of Lecture Notes in Computer Science (Springer, 2006), pp. 267–282
[22] E. Jochemsz, A. May, A polynomial time attack on RSA with private CRT-exponents smaller than
N 0.073 , in Alfred Menezes, editor, Advances in Cryptology—CRYPTO 2007, 27th Annual International
Cryptology Conference, Volume 4622 of Lecture Notes in Computer Science (Springer, 2007), pp. 395–
411
[23] N. Kunihiro, N. Shinohara, T. Izu, A unified framework for small secret exponent attack on RSA. IEICE
Transactions97-A(6), 1285–1295 (2014)
[24] N. Kunihiro, On optimal bounds of small inverse problems and approximate GCD problems with higher
degree, in Dieter Gollmann and Felix C. Freiling, editors, Information Security—15th International
Conference, ISC 2012, Volume 7483 of Lecture Notes in Computer Science (Springer, 2012), pp. 55–69
[25] A.K. Lenstra, H.W.jun. Lenstra, Lászlo Lovász, Factoring polynomials with rational coefficients. Math.
Ann., 261, 515–534 (1982).
Small CRT-Exponent RSA Revisited 1381
[26] Y. Lu, R. Zhang, D. Lin, Factoring multi-power RSA modulus N = pr q with partial known bits, in Colin
Boyd and Leonie Simpson, editors, Information Security and Privacy—18th Australasian Conference,
ACISP 2013, Volume 7959 of Lecture Notes in Computer Science (Springer, 2013), pp. 57–71
[27] Y. Lu, R. Zhang, D. Lin, New partial key exposure attacks on CRT-RSA with large public exponents,
in Ioana Boureanu, Philippe Owesarski, and Serge Vaudenay, editors, Applied Cryptography and Net-
work Security—12th International Conference, ACNS 2014, Volume 8479 of Lecture Notes in Computer
Science (Springer, 2014), pp. 151–162
[28] Y. Lu, R. Zhang, L. Peng, D. Lin, Solving linear equations modulo unknown divisors: Revisited, in Tetsu
Iwata and Jung Hee Cheon, editors, Advances in Cryptology—ASIACRYPT 2015—21st International
Conference on the Theory and Application of Cryptology and Information Security, Volume 9452 of
Lecture Notes in Computer Science (Springer, 2015), pp. 189–213
[29] A. May, Cryptanalysis of unbalanced RSA with small CRT-exponent, in Moti Yung, editor, Advances
in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Volume 2442 of
Lecture Notes in Computer Science (Springer, 2002), pp. 242–256
[30] A. May, New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis, University of Paderborn
(2003)
[31] A. May, Using LLL-reduction for solving RSA and factorization problems, in Phong Q. Nguyen and
Brigitte Vallée, editors, The LLL Algorithm-Survey and Applications, Information Security and Cryp-
tography (Springer, 2010), pp. 315–348
[32] P.Q. Nguyen, J. Stern, The two faces of lattices in cryptology, in Joseph H. Silverman, editor, Cryptog-
raphy and Lattices, International Conference, CaLC 2001, Volume 2146 of Lecture Notes in Computer
Science (Springer, 2001), pp. 146–180
[33] Phong Q. Nguyen, Damien Stehlé, An LLL algorithm with quadratic complexity. SIAM J. Comput.,
39(3), 874–903 (2009).
[34] L. Peng, L. Hu, Z. Huang, J. Xu, Partial prime factor exposure attacks on RSA and its Takagi’s vari-
ant, in Javier Lopez and Yongdong Wu, editors, Information Security Practice and Experience—11th
International Conference, ISPEC 2015, Volume 9065 of Lecture Notes in Computer Science (Springer,
2015), pp. 96–108
[35] L. Peng, L. Hu, Y. Lu, S. Sarkar, J. Xu, Z. Huang, Cryptanalysis of variants of RSA with multiple small
secret exponents, in Alex Biryukov and Vipul Goyal, editors, Progress in Cryptology-INDOCRYPT
2015—16th International Conference on Cryptology in India, Volume 9462 of Lecture Notes in Computer
Science (Springer, 2015), pp. 105–123
[36] L. Peng, L. Hu, Y. Lu, Improved results on cryptanalysis of prime power RSA, in Seokhie Hong and
Jong Hwan Park, editors, Information Security and Cryptology-ICISC 2016—19th International Con-
ference, Volume 10157 of Lecture Notes in Computer Science (2016), pp. 287–303
[37] L. Peng, L. Hu, Y. Lu, H. Wei, An improved analysis on three variants of the RSA cryptosystem, in Kefei
Chen, Dongdai Lin, and Moti Yung, editors, Information Security and Cryptology—12th International
Conference, Inscrypt 2016, Volume 10143 of Lecture Notes in Computer Science (Springer, 2016), pp.
140–149
[38] L. Peng, L. Hu, Y. Lu, J. Xu, Z. Huang, Cryptanalysis of dual RSA. Des. Codes Cryptography83(1),
1–21 (2017).
[39] PKCS#1, RSA cryptography specifications version 2.0. http://www.ietf.org/rfc/rfc2437.txt
[40] J.-J. Quisquater, C. Couvreur, Fast decipherment algorithm for RSA public-key cryptosystem. Electron-
ics Letters, 18(2), 905–907 (1982)
[41] S. Sarkar, Small secret exponent attack on RSA variant with modulus N = pr q. Des. Codes Cryptog-
raphy, 73(2), 383–392 (2014)
[42] S. Sarkar, Revisiting prime power RSA. Discrete Applied Mathematics, 203, 127–133 (2016)
[43] N. Shinohara, T. Izu, N. Kunihiro, Small secret CRT-exponent attacks on Takagi’s RSA. IEICE Trans-
actions, 94-A(1), 19–27 (2011)
[44] S. Sarkar, S. Maitra, Partial key exposure attack on CRT-RSA, in Michel Abdalla, David Pointcheval,
Pierre-Alain Fouque, and Damien Vergnaud, editors, Applied Cryptography and Network Security, 7th
International Conference, ACNS 2009, Volume 5536 of Lecture Notes in Computer Science (2009), pp.
473–484
[45] H.-M. Sun, M.-E. Wu, An approach towards rebalanced RSA-CRT with short public exponent. IACR
Cryptology ePrint Archive, 2005, 53 (2005)
1382 A. Takayasu et al.
[46] A. Takayasu, N. Kunihiro, Better lattice constructions for solving multivariate linear equations modulo
unknown divisors. IEICE Transactions, 97-A(6), 1259–1272 (2014).
[47] A. Takayasu, N. Kunihiro, Cryptanalysis of RSA with multiple small secret exponents, in Willy Susilo
and Yi Mu, editors, Information Security and Privacy—19th Australasian Conference, ACISP 2014,
Volume 8544 of Lecture Notes in Computer Science (Springer, 2014), pp. 176–191
[48] A. Takayasu, N. Kunihiro, Partial key exposure attacks on RSA: achieving the boneh-durfee bound, in
Antoine Joux and Amr M. Youssef, editors, Selected Areas in Cryptography-SAC 2014—21st Interna-
tional Conference, Volume 8781 of Lecture Notes in Computer Science (Springer, 2014), pp. 345–362
[49] A. Takayasu, N. Kunihiro, Partial key exposure attacks on CRT-RSA: better cryptanalysis to full size
encryption exponents, in Tal Malkin, Vladimir Kolesnikov, Allison Bishop Lewko, and Michalis Poly-
chronakis, editors, Applied Cryptography and Network Security—13th International Conference, ACNS
2015, Volume 9092 of Lecture Notes in Computer Science (Springer, 2015), pp. 518–537
[50] A. Takayasu, N. Kunihiro, How to generalize RSA cryptanalyses, in Chen-Mou Cheng, Kai-Min Chung,
Giuseppe Persiano, and Bo-Yin Yang, editors, Public-Key Cryptography-PKC 2016—19th IACR Inter-
national Conference on Practice and Theory in Public-Key Cryptography, Volume 9615 of Lecture Notes
in Computer Science (Springer, 2016), pp. 67–97
[51] A. Takayasu, N. Kunihiro, Partial key exposure attacks on CRT-RSA: general improvement for the
exposed least significant bits, in Matt Bishop and Anderson C. A. Nascimento, editors, Information
Security—19th International Conference, ISC 2016, Volume 9866 of Lecture Notes in Computer Science,
(Springer, 2016), pp. 35–47
[52] A. Takayasu, N. Kunihiro, Partial key exposure attacks on RSA with multiple exponent pairs, in Joseph K.
Liu and Ron Steinfeld, editors, Information Security and Privacy—21st Australasian Conference, ACISP
2016, Volume 9723 of Lecture Notes in Computer Science (Springer, 2016), pp. 243–257
[53] A. Takayasu, N. Kunihiro, Small secret exponent attacks on RSA with unbalanced prime factors, in 2016
International Symposium on Information Theory and Its Applications, ISITA 2016 (IEEE, 2016), pp.
236–240
[54] A. Takayasu, N. Kunihiro, General bounds for small inverse problems and its applications to multi-prime
RSA. IEICE Transactions, 100-A(1), 50–61 (2017)
[55] A. Takayasu, N. Kunihiro, A tool kit for partial key exposure attacks on RSA, in Helena Handschuh,
editor, Topics in Cryptology-CT-RSA 2017—The Cryptographers’ Track at the RSA Conference 2017,
Volume 10159 of Lecture Notes in Computer Science (Springer, 2017), pp. 58–73
[56] A. Takayasu, Y. Lu, L. Peng, Small CRT-exponent RSA revisited, in Jean-Sébastien Coron and Jes-
per Buus Nielsen, editors, Advances in Cryptology-EUROCRYPT 2017—36th Annual International
Conference on the Theory and Applications of Cryptographic Techniques, Volume 10211 of Lecture
Notes in Computer Science (2017), pp. 130–159
[57] M.J. Wiener, Cryptanalysis of short RSA secret exponents. IEEE Trans. Information Theory, 36(3),
553–558 (1990)