Partial Key Exposure Attacks on RSA with Multiple Exponent Pairs

Abstract

So far, several papers have analyzed attacks on RSA when attackers know the least significant bits of a secret exponent d as well as a public modulus N and a public exponent e, the so-called partial key exposure attacks. Aono ACISP 2013, and Takayasu and Kunihiro ACISP 2014 generalized the attacks when there are multiple pairs of a public/secret exponent $$e_1,d_1,\ldots ,e_n,d_n$$ for the same public modulus N. The standard RSA is a special case of the generalization, i.e., $$n=1$$. They revealed that RSA becomes more vulnerable when there are more exponent pairs. However, their results have two obvious drawbacks. First, partial key exposure situations which they considered are restrictive. They have proposed the attacks only for small secret exponents, although attacks for large secret exponents have also been analyzed for the standard RSA. Second, they could not generalize the attacks perfectly. More concretely, their attacks for $$n=1$$ do not correspond to the currently known best attacks on the standard RSA. In this paper, we propose improved partial key exposure attacks on RSA with multiple exponent pairs. Our results completely solve the above drawbacks. Our attacks are the first results for large exponents, and our attacks for $$n=1$$ correspond to the currently known best attacks on the standard RSA. Our results for small secret exponents are superior to previous results when $$n=1$$ and 2, and when $$n \ge 3$$ and $$d_1,\ldots ,d_n>N^{3n-1/3n+1}$$.