Let N = pq be an RSA modulus with a public exponent e and a private exponent d. Wiener's famous attack on RSA with d < N 0.25 and its extension by Boneh and Durfee to d < N 0.292 show that using a small d makes RSA completely insecure. However, for larger d, it is known that RSA can be broken in polynomial time under special conditions. For example, various partial key exposure attacks on RSA and some attacks using additional information encoded in the public exponent e are efficient to factor the RSA modulus. These attacks were later improved and extended in various ways. In this paper, we present a new attack on RSA with a public exponent e satisfying an equation ed - k(N + 1 - ap - bq) = 1 where is an unknown approximation of. We show that RSA is insecure when certain amount of the Least Significant Bits (LSBs) of ap and bq are known. Further, we show that the existence of good approximations of with small a and b substantially reduces the requirement of LSBs of ap and bq. © 2013 Springer-Verlag Berlin Heidelberg.
CITATION STYLE
Nitaj, A. (2013). An attack on RSA using LSBs of multiples of the prime factors. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7918 LNCS, pp. 297–310). Springer Verlag. https://doi.org/10.1007/978-3-642-38553-7_17
Mendeley helps you to discover research relevant for your work.