Partial Key Exposure Attack on RSA

Partial Key Exposure Attack on RSA
Eirik Fosser
[email protected]
Eirik Klevstad
[email protected]
April 25, 2015
Abstract
For this project we aim to understand and give a tutorial in the
Partial Key Exposure Attack on RSA, based on [1]. We are going to
look at two types of attacks,
√ one where the public key exponent e is of
smaller size (smaller than N where N is the product of two primes p
n
n
and q) and one where the exponent is of medium size (2 4 < e < 2 2 ).
The idea of the attack is that if an adversary is exposed to a part of
the most significant(or least significant) bits of the private key, it may be
able to recover the key in its entirety. The attack is interesting as it shows
the importance of keeping every single bit of the private key hidden, as
well as ensuring that the public key is large.
The tutorial will have a focus on the two attacks, as well as looking
at improvements of the original attack, where the public key exponent e
may be even larger[2].
If time allows it, we’d like to implement the original attack in the
Python programming language. This would be for small exponents as
these are feasible to break in time O(e ∗ log2 (e)).
References
[1] D. Boneh, G. Durfee, and Y. Franke An attack on RSA given a fraction
of the private key bits., AsiaCrypt ’98, volume 1514 of Lecture Notes in
Computer Science, pages 25-34. 1998
[2] J. Blömer and A. May New Partial Key Exposure Attacks on RSA., Advances in Cryptography - Crypto ’03, 23rd Annual International Cryptology
Conference, pages 27-43. 2003
1