Abstract
In Crypto’03, Blomer and May provided several partial key exposure attacks on CRT-RSA. In their attacks, they suppose that an attacker can either succeed to obtain the most significant bits (MSBs) or the least significant bits (LSBs) of d p = d mod (p − 1) in consecutive order. For the case of known LSBs of d p , their algorithm is polynomial-time only for small public exponents e (i.e. e = poly(logN)). However, in some practical applications, we prefer to use large e (Like e ≈ d p , to let the public and private operations with the same computational effort). In this paper, we propose some lattice-based attacks for this extended setting. For known LSBs case, we introduce two approaches that work up to \(e < N^{{3}\over{8}}\). Similar results (though not as strong) are obtained for MSBs case. We also provide detailed experimental results to justify our claims.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
