Generalized cryptanalysis of small CRT-exponent RSA

Abstract

There have been several works for studying the security of CRT-RSA with small CRT exponents dp and dq by using lattice-based Coppersmith's method. Thus far, two attack scenarios have been mainly studied: (1) dq is small with unbalanced prime factors p≪q. (2) Both dp and dq are small for balanced p≈q. The best attacks for the both scenarios were proposed by Takayasu-Lu-Peng (Eurocrypt'17, Journal of Cryptology'19) and the attack conditions are much better than the other known attacks. Although the attacks have been very useful for studying the security of CRT-RSA, the structures of their proposed lattices are not well understood. In this paper, to further study the security of CRT-RSA, we first define a generalized attack scenario to unify the previous ones. Specifically, all p,q,dp, and dq can be of arbitrary sizes. Furthermore, we propose improved attacks in this paper when dp and/or p is sufficiently small. Technically, we construct a lattice whose basis vectors are chosen flexibly depending on the sizes of p,q,dp, and dq. Since the attack scenarios (1) and (2) are simpler than our general scenario, the previous Takayasu-Lu-Peng's lattices are simple special cases of ours. We are able to achieve the flexible lattice constructions by exploiting implicit but essential structures of Takayasu-Lu-Peng's lattices. We check the validity of our proposed attacks by computer experiments. We believe that the deeper understanding of the lattice structures will be useful for studying the security of CRT-RSA even in other scenarios.