Extended partial key exposure attacks on RSA: Improvement up to full size decryption exponents

Abstract

Partial key exposure attacks on RSA have been intensively studied by using lattice-based Coppersmith's methods. Ernst et al. (Eurocrypt'05) studied the problem by considering three attack scenarios; (1) the most significant bits (MSBs) of a secret exponent d known, (2) the least significant bits (LSBs) of d known, (3) both the MSBs and the LSBs of d known. The proposed attacks were valuable since they were the first results to handle full size exponents e. Takayasu and Kunihiro (SAC'14, Theoretical Computer Science'19) proposed improved attacks for (1) and (2) when d is sufficiently small, i.e., d<N0.5625 for (1) and d<N0.368 for (2), by utilizing a linearization technique. In this paper, we extend Takayasu-Kunihiro's attacks and improve Ernst et al.'s attack for (3). In particular, our attack contains Takayasu-Kunihiro's attacks for (1) and (2) as special cases when the amount of given LSBs and MSBs are zero, respectively. Furthermore, as opposed to Takayasu-Kunihiro's attacks, our improvement against Ernst et al.'s attack is not limited to small secret exponents such as d<N0.5625. Indeed, we are able to improve Ernst et al.'s attack almost up to full size decryption exponents, i.e., even when d is close to N. Technically, the extension is not straightforward. We first modify Takayasu-Kunihiro's lattice basis matrix for (2), so that it is compatible to embed the given MSBs. The modification is crucial for embedding both the MSBs and the LSBs simultaneously to the matrix.