Exposing an RSA Private Key Given a Small Fraction of Its Bits

Abstract

We show that for low public exponent rsa, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for larger values of e. For instance, when e is a prime in the range [N 1=4 ; N 1=2 ], half the bits of the private key suffice to reconstruct the entire private key. Our results point out the danger of partial key exposure in the rsa public key system. 1 Introduction Let N = pq be an rsa modulus and let e; d be encryption/decryption exponents, i.e. ed = 1 mod OE(N ). We study the following question: how many bits of d does an adversary require in order to reconstruct all of d? Surprisingly, we show that for low public exponent rsa, given only a quarter of the least significant bits of d, an adversary can efficiently recover all of d. We obtain similar results, summarized in the next subsection, for larger values of e as well. Our results show that rsa, and particularly low public exponent rsa,..