In RSA public-key cryptosystem, a small private key is often preferred for efficiency but such a small key could degrade security. Thus the Chinese Remainder Theorem (CRT) is tactically used, especially in time-critical applications like smart cards. As for using the CRT in RSA, care must be taken to resist partial key exposure attacks. While it is common to choose two distinct primes with similar size in RSA, May has shown that a composite modulus N can be factored in the balanced RSA with the CRT of half of the least (or most) significant bits of a private key is revealed with a small public key. However, in the case that efficiency is more critical than security, such as smart cards, unbalanced primes might be chosen. Thus, we are interested in partial key exposure attacks to the unbalanced RSA with the CRT. In this paper, we obtain the similar results as the balanced RSA. We show that in the unbalanced RSA if the N1/4 least (or most) significant bits are revealed, a private key can be recovered in polynomial time under a small public key.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Copy
Hee Jung LEE, Young-Ho PARK, Taekyoung KWON, "Partial Key Exposure Attacks on Unbalanced RSA with the CRT" in IEICE TRANSACTIONS on Fundamentals,
vol. E89-A, no. 2, pp. 626-629, February 2006, doi: 10.1093/ietfec/e89-a.2.626.
Abstract: In RSA public-key cryptosystem, a small private key is often preferred for efficiency but such a small key could degrade security. Thus the Chinese Remainder Theorem (CRT) is tactically used, especially in time-critical applications like smart cards. As for using the CRT in RSA, care must be taken to resist partial key exposure attacks. While it is common to choose two distinct primes with similar size in RSA, May has shown that a composite modulus N can be factored in the balanced RSA with the CRT of half of the least (or most) significant bits of a private key is revealed with a small public key. However, in the case that efficiency is more critical than security, such as smart cards, unbalanced primes might be chosen. Thus, we are interested in partial key exposure attacks to the unbalanced RSA with the CRT. In this paper, we obtain the similar results as the balanced RSA. We show that in the unbalanced RSA if the N1/4 least (or most) significant bits are revealed, a private key can be recovered in polynomial time under a small public key.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1093/ietfec/e89-a.2.626/_p
Copy
@ARTICLE{e89-a_2_626,
author={Hee Jung LEE, Young-Ho PARK, Taekyoung KWON, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={Partial Key Exposure Attacks on Unbalanced RSA with the CRT},
year={2006},
volume={E89-A},
number={2},
pages={626-629},
abstract={In RSA public-key cryptosystem, a small private key is often preferred for efficiency but such a small key could degrade security. Thus the Chinese Remainder Theorem (CRT) is tactically used, especially in time-critical applications like smart cards. As for using the CRT in RSA, care must be taken to resist partial key exposure attacks. While it is common to choose two distinct primes with similar size in RSA, May has shown that a composite modulus N can be factored in the balanced RSA with the CRT of half of the least (or most) significant bits of a private key is revealed with a small public key. However, in the case that efficiency is more critical than security, such as smart cards, unbalanced primes might be chosen. Thus, we are interested in partial key exposure attacks to the unbalanced RSA with the CRT. In this paper, we obtain the similar results as the balanced RSA. We show that in the unbalanced RSA if the N1/4 least (or most) significant bits are revealed, a private key can be recovered in polynomial time under a small public key.},
keywords={},
doi={10.1093/ietfec/e89-a.2.626},
ISSN={1745-1337},
month={February},}
Copy
TY - JOUR
TI - Partial Key Exposure Attacks on Unbalanced RSA with the CRT
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 626
EP - 629
AU - Hee Jung LEE
AU - Young-Ho PARK
AU - Taekyoung KWON
PY - 2006
DO - 10.1093/ietfec/e89-a.2.626
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E89-A
IS - 2
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - February 2006
AB - In RSA public-key cryptosystem, a small private key is often preferred for efficiency but such a small key could degrade security. Thus the Chinese Remainder Theorem (CRT) is tactically used, especially in time-critical applications like smart cards. As for using the CRT in RSA, care must be taken to resist partial key exposure attacks. While it is common to choose two distinct primes with similar size in RSA, May has shown that a composite modulus N can be factored in the balanced RSA with the CRT of half of the least (or most) significant bits of a private key is revealed with a small public key. However, in the case that efficiency is more critical than security, such as smart cards, unbalanced primes might be chosen. Thus, we are interested in partial key exposure attacks to the unbalanced RSA with the CRT. In this paper, we obtain the similar results as the balanced RSA. We show that in the unbalanced RSA if the N1/4 least (or most) significant bits are revealed, a private key can be recovered in polynomial time under a small public key.
ER -