Abstract | ||
---|---|---|
In RSA, the public modulus N=pq is the product of two primes of the same bit-size, the public exponent e and the private exponent d satisfy $ed\equiv 1 \pmod{(p - 1)(q - 1)}$. In many applications of RSA, d is chosen to be small. This was cryptanalyzed by Wiener in 1990 who showed that RSA is insecure if dN0.25. As an alternative, Quisquater and Couvreur proposed the CRT-RSA scheme in the decryption phase, where $d_p = d \pmod{(p - 1)}$ and $d_q = d \pmod{(q - 1)}$ are chosen significantly smaller than p and q. In 2006, Bleichenbacher and May presented an attack on CRT-RSA when the CRT-exponents dp and dq are both suitably small. In this paper, we show that RSA is insecure if the public exponent e satisfies an equation $ex+y\equiv 0\pmod p$ with $|x||y|dp say, satisfies $d_pdp and dq are required to be suitably small. |
Year | DOI | Venue |
---|---|---|
2012 | 10.1007/978-3-642-31410-0_14 | AFRICACRYPT |
Keywords | Field | DocType |
decryption phase,new attack,public modulus n,crt-exponents dp,private exponent,crt-rsa scheme,public exponent e,pmod p,cryptanalysis | Discrete mathematics,Exponent,Mathematics | Conference |
Citations | PageRank | References |
2 | 0.39 | 12 |
Authors | ||
1 |
Name | Order | Citations | PageRank |
---|---|---|---|
Abderrahmane Nitaj | 1 | 72 | 15.00 |