Wiener's famous attack on RSA with d < N^0.25 shows that using a small d for an efficient decryption process makes RSA completely insecure. As an alternative, Wiener proposed to use the Chinese Remainder Theorem in the decryption phase, where d_p = d mod (p - 1) and d_q = d mod (q - 1) are chosen significantly smaller than p and q. The parameters d_p, d_q are called private CRT-exponents. Since Wiener's proposal in 1990, it has been a challenging open question whether there exists a polynomial time attack on small private CRT-exponents. In this paper, we give an affirmative answer to this question, and show that a polynomial time attack exists if d_p and d_q are smaller than N^0.073. © International Association for Cryptologic Research 2007.
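The following Python key check is an added example, not code from the paper: it derives d_p and d_q from (p, q, d), decrypts with them via the Chinese Remainder Theorem, and flags a key that falls under either bound named in the abstract. It checks those two bounds only. The function names and both sample keys (built from the Mersenne primes 2^89 - 1 and 2^107 - 1) are constructed for illustration.

```python
from math import gcd

def below(x, n, num, den):
    """Exact test for x < n**(num/den), done on integers as x**den < n**num."""
    return x ** den < n ** num

def crt_pair(a1, m1, a2, m2):
    """Solve x = a1 (mod m1), x = a2 (mod m2) when m1, m2 share a factor."""
    g = gcd(m1, m2)
    if (a2 - a1) % g:
        raise ValueError("residues are incompatible")
    t = (a2 - a1) // g * pow(m1 // g, -1, m2 // g) % (m2 // g)
    return a1 + m1 * t, m1 // g * m2      # (solution, lcm of the moduli)

def crt_decrypt(c, p, q, dp, dq):
    """CRT decryption: two half-size exponentiations, then Garner recombination."""
    mp, mq = pow(c, dp, p), pow(c, dq, q)
    return mq + (pow(q, -1, p) * (mp - mq) % p) * q

def audit(p, q, d):
    """Return a finding for each bound from the abstract that the key falls under."""
    n, dp, dq = p * q, d % (p - 1), d % (q - 1)
    findings = []
    if below(d, n, 1, 4):
        findings.append("d < N^0.25")
    if below(dp, n, 73, 1000) and below(dq, n, 73, 1000):
        findings.append("d_p, d_q < N^0.073")
    return findings

# Constructed sample keys (Mersenne primes, illustration only, N is about 196 bits).
P, Q = 2**89 - 1, 2**107 - 1

# Key A: tiny CRT-exponents (7 and 13) chosen first, full-size d recovered from them.
D_SMALL, LAM = crt_pair(7, P - 1, 13, Q - 1)
E_SMALL = pow(D_SMALL, -1, LAM)

# Key B: conventional public exponent, private exponent derived from it.
E_STD = 65537
D_STD = pow(E_STD, -1, LAM)

if __name__ == "__main__":
    print("key A:", audit(P, Q, D_SMALL))
    print("key B:", audit(P, Q, D_STD))
```

Key A has a full-size d, so it passes the N^0.25 check on d and is flagged only on its CRT-exponents, which is the case the abstract is about.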
CITATION STYLE
Jochemsz, E., & May, A. (2007). A polynomial time attack on RSA with private CRT-exponents smaller than N^0.073. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4622 LNCS, pp. 395–411). Springer Verlag. https://doi.org/10.1007/978-3-540-74143-5_22