Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

Abstract

Several algorithms have been proposed for factoring RSA modulus \(N\) when attackers know the most or the least significant \((\beta -\delta )\log N\) bits of secret exponents \(d<N^{\beta }\). The attacks are expected to work when \( \beta <1-1/\sqrt{2}\) with full size public exponent \(e\) considering Boneh and Durfee’s result for small secret exponent attacks on RSA. However, previous attacks do not always work in this condition when attackers know only a small amount of information on secret exponent, that is, \( \delta \) is close to \( \beta \). In this paper, we propose the improved algorithms for partial key exposure attacks which cover Boneh and Durfee’s bound when \( \delta =\beta \). Our algorithms are the best among all known results when attackers know the most significant bits of \(d \le N^{9/16}\) or the least significant bits of \(d \le N^{(9-\sqrt{21})/12}\). In our algorithm constructions, we construct basis matrices for lattices which are not triangular and analyze the determinant by using unravelled linearization. The analysis enables us to make better use of the algebraic structures of modular polynomials, that is, we can select appropriate lattice bases or construct appropriate lattice bases.