In this paper, we study partial key exposure attacks on RSA where the number of unexposed blocks of the private key is greater than or equal to one. This situation, called generalized framework of partial key exposure attack, was first shown by Sarkar [22] in 2011. Under a certain condition for the values of exposed bits, we present a new attack which needs fewer exposed bits and thus improves the result in [22]. Our work is a generalization of [28], and the approach is based on Coppersmith's method and the technique of unravelled linearization.

In RSA public-key cryptosystem, a small private key is often preferred for efficiency but such a small key could degrade security. Thus the Chinese Remainder Theorem (CRT) is tactically used, especially in time-critical applications like smart cards. As for using the CRT in RSA, care must be taken to resist partial key exposure attacks. While it is common to choose two distinct primes with similar size in RSA, May has shown that a composite modulus N can be factored in the balanced RSA with the CRT of half of the least (or most) significant bits of a private key is revealed with a small public key. However, in the case that efficiency is more critical than security, such as smart cards, unbalanced primes might be chosen. Thus, we are interested in partial key exposure attacks to the unbalanced RSA with the CRT. In this paper, we obtain the similar results as the balanced RSA. We show that in the unbalanced RSA if the N1/4 least (or most) significant bits are revealed, a private key can be recovered in polynomial time under a small public key.