Partial key exposure attacks on RSA: Achieving the Boneh–Durfee bound

Abstract Thus far, several lattice-based algorithms for partial key exposure attacks on RSA, i.e., given the most/least significant bits (MSBs/LSBs) of a secret exponent d and factoring an RSA modulus N , have been proposed such as Blomer and May (Crypto'03), Ernst et al. (Eurocrypt'05), and Aono (PKC'09). Due to Boneh and Durfee's small secret exponent attack, partial key exposure attacks should always work for d N 0.292 even without any partial information. However, it was difficult task to make use of the given partial information without losing the quality of Boneh–Durfee's attack. In particular, known partial key exposure attacks fail to work for d N 0.292 with only few partial information. Such unnatural situation stems from the fact that the additional information makes underlying modular equations involved. In this paper, we propose improved attacks when a secret exponent d is small. Our attacks are better than all known previous attacks in the sense that our attacks require less partial information. Specifically, our attack is better than all known ones for d N 0.5625 and d N 0.368 with the MSBs and the LSBs, respectively. Furthermore, our attacks fully cover the Boneh–Durfee bound, i.e., they always work for d N 0.292 . At a high level, we obtain the improved attacks by fully utilizing unraveled linearization technique proposed by Herrmann and May (Asiacrypt'09). Although Herrmann and May (PKC'10) already applied the technique to Boneh–Durfee's attack, we show elegant and impressive extensions to capture partial key exposure attacks. More concretely, we construct structured triangular matrices that enable us to recover more useful algebraic structures of underlying modular polynomials. We embed the given MSBs/LSBs to the recovered algebraic structures and construct our partial key exposure attacks. In this full version, we provide overviews and explicit proofs of the triangular matrix constructions. We believe that the additional explanations help readers to understand our techniques.