We present lattice-based attacks on RSA with prime factors p and q of unbalanced size. In our scenario, the factor q is smaller than Nβ and the decryption exponent d is small modulo p − 1. We introduce two approaches that both use a modular bivariate polynomial equation with a small root. Extracting this root is in both methods equivalent to the factorization of the modulus N = pq. Applying a method of Coppersmith, one can construct from a bivariate modular equation a bivariate polynomial f(x, y) over Z that has the same small root. In our first method, we prove that one can extract the desired root of f(x, y) in polynomial time. This method works up to β < 3− √ 5/2 ≈ 0.382. Our second method uses a heuristic to find the root. This method improves upon the first one by allowing larger values of d modulo p − 1 provided that β ≤ 0.23.
CITATION STYLE
May, A. (2002). Cryptanalysis of unbalanced RSA with small CRT-exponent. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2442, pp. 242–256). Springer Verlag. https://doi.org/10.1007/3-540-45708-9_16
Mendeley helps you to discover research relevant for your work.