Cryptanalysis of RSA with more than one decryption exponent

doi:10.1016/j.ipl.2010.02.016

Information Processing Letters

Volume 110, Issues 8–9, 1 April 2010, Pages 336-340

https://doi.org/10.1016/j.ipl.2010.02.016 Get rights and content

Abstract

In this paper, we analyze the security of the RSA public key cryptosystem where multiple encryption and decryption exponents are considered with the same RSA modulus N. We consider $N = p q$ , where p, q are of the same bit size, i.e., $q < p < 2 q$ . We show that if n many decryption exponents $(d_{1}, \dots, d_{n})$ are used with the same N, then RSA is insecure when $d_{i} < N^{\frac{3 n - 1}{4 n + 4}}$ , for all i, $1 ⩽ i ⩽ n$ and $n ⩾ 2$ . Our result improves the bound of Howgrave-Graham and Seifert (CQRE 1999) for $n ⩽ 42$ and also generalizes our recent work for $n = 2$ (IPL 2010).

References (8)

S. Sarkar et al.
Cryptanalysis of RSA with two decryption exponents
Inform. Process. Lett.
(2010)
D. Boneh et al.
Cryptanalysis of RSA with private key d less than $N^{0.292}$
IEEE Trans. Inform. Theory
(2000)
N. Howgrave-Graham et al.
Extending Wiener's attack in the presence of many decryption exponents
E. Jochemsz, Cryptanalysis of RSA variants using small roots of polynomials, Ph.D. thesis, Technische Universiteit...

There are more references available in the full text version of this article.

Cited by (0)

View full text

Cryptanalysis of RSA with more than one decryption exponent

Abstract

Inform. Process. Lett.

Cryptanalysis of RSA with private key d less than N0.292

IEEE Trans. Inform. Theory

Extending Wiener's attack in the presence of many decryption exponents

Cryptanalysis of RSA with private key d less than $N^{0.292}$