A polynomial time attack on RSA with private CRT-exponents smaller than N^0.073

Abstract

Wiener's famous attack on RSA with d < N^0.25 shows that using a small d for an efficient decryption process makes RSA completely insecure. As an alternative, Wiener proposed to use the Chinese Remainder Theorem in the decryption phase, where d_p = d mod (p - 1) and d_q = d mod (q - 1) are chosen significantly smaller than p and q. The parameters d_p, d_q are called private CRT-exponents. Since Wiener's proposal in 1990, it has been a challenging open question whether there exists a polynomial time attack on small private CRT-exponents. In this paper, we give an affirmative answer to this question, and show that a polynomial time attack exists if d_p and d_q are smaller than N^0.073. © International Association for Cryptologic Research 2007.

Cite

Jochemsz, E., & May, A. (2007). A polynomial time attack on RSA with private CRT-exponents smaller than N^0.073. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4622 LNCS, pp. 395–411). Springer Verlag. https://doi.org/10.1007/978-3-540-74143-5_22
