An attack on RSA using LSBs of multiples of the prime factors

Abstract

Let N = pq be an RSA modulus with a public exponent e and a private exponent d. Wiener's famous attack on RSA with d < N 0.25 and its extension by Boneh and Durfee to d < N 0.292 show that using a small d makes RSA completely insecure. However, for larger d, it is known that RSA can be broken in polynomial time under special conditions. For example, various partial key exposure attacks on RSA and some attacks using additional information encoded in the public exponent e are efficient to factor the RSA modulus. These attacks were later improved and extended in various ways. In this paper, we present a new attack on RSA with a public exponent e satisfying an equation ed - k(N + 1 - ap - bq) = 1 where is an unknown approximation of. We show that RSA is insecure when certain amount of the Least Significant Bits (LSBs) of ap and bq are known. Further, we show that the existence of good approximations of with small a and b substantially reduces the requirement of LSBs of ap and bq. © 2013 Springer-Verlag Berlin Heidelberg.