Low secret exponent RSA revisited

Abstract

We present a lattice attack on low exponent RSA with short secret exponent d = Nδ for every δ < 0.29. The attack is a variation of an approach by Boneh and Durfee [4] based on lattice reduction techniques and Coppersmith’s method for finding small roots of modular polynomial equations. Although our results are slightly worse than the results of Boneh and Durfee they have several interesting features. We partially analyze the structure of the lattices we are using. For most δ < 0.29 our method requires lattices of smaller dimension than the approach by Boneh and Durfee. Hence, we get a more practical attack on low exponent RSA. We demonstrate this by experiments, where δ > 0.265. Our method, as well as the method by Boneh and Durfee, is heuristic, since the method is based on Coppersmith’s approach for bivariate polynomials. Coppersmith [6] pointed out that this heuristic must fail in some cases. We argue in this paper, that a (practically not interesting) variant of the Boneh/Durfee attack proposed in [4] always fails. Many authors have already stressed the necessity for rigorous proofs of Coppersmith’s method in the multivariate case. This is even more evident in light of these results.