Partial Key Exposure Attack on RSA Eirik Fosser [email protected] Eirik Klevstad [email protected] April 25, 2015 Abstract For this project we aim to understand and give a tutorial in the Partial Key Exposure Attack on RSA, based on [1]. We are going to look at two types of attacks, √ one where the public key exponent e is of smaller size (smaller than N where N is the product of two primes p n n and q) and one where the exponent is of medium size (2 4 < e < 2 2 ). The idea of the attack is that if an adversary is exposed to a part of the most significant(or least significant) bits of the private key, it may be able to recover the key in its entirety. The attack is interesting as it shows the importance of keeping every single bit of the private key hidden, as well as ensuring that the public key is large. The tutorial will have a focus on the two attacks, as well as looking at improvements of the original attack, where the public key exponent e may be even larger[2]. If time allows it, we’d like to implement the original attack in the Python programming language. This would be for small exponents as these are feasible to break in time O(e ∗ log2 (e)). References [1] D. Boneh, G. Durfee, and Y. Franke An attack on RSA given a fraction of the private key bits., AsiaCrypt ’98, volume 1514 of Lecture Notes in Computer Science, pages 25-34. 1998 [2] J. Blömer and A. May New Partial Key Exposure Attacks on RSA., Advances in Cryptography - Crypto ’03, 23rd Annual International Cryptology Conference, pages 27-43. 2003 1