Estimating the Prime-Factors of an RSA Modulus and an Extension of the Wiener Attack

“…[23], around 7 MSBs of p may be known in polynomial time and hence we need 2 21−7 many guesses for p, which requires less than 7 hours in our experimental set-up. The existing works on partial key exposure attacks will not work with the knowledge of only 80 bits of MSBs that we achieve here.…”

“…According to experimental results in [10, Figure 5], this should require around 93 MSBs of d. In our case, we require only 53 MSBs of d and 21 MSBs of p to factor N that requires 46.25 seconds; thus the total requirement is 53 + 21 = 74 many bits. Considering that 7 many MSBs of p may be known using the idea of [23], the overall attack will take a day in a cluster of 9 machines.…”

“…Factoring N requires the knowledge of 572 many MSBs of d using the method of [10], whereas, our technique requires 517 many MSBs of d and 31 many MSBs of p. Both the techniques require around 7.5 seconds on our platform. Following the idea of [23], around 7 MSBs of p may be known in polynomial time and hence we need 2 31−7 many guesses for p, which requires around a day in a cluster of 2 10 machines. The existing works on partial key exposure attacks will not work with the knowledge of only 517 bits of MSBs that we achieve here.…”

“…Experimental results of [23] show that around 12 many MSBs of p + q can be estimated correctly for the 1024-bit N , whereas the estimation gives around 7 many MSBs for p. Consider that b 1 many MSBs of p are known (p is estimated by p ) and we estimate q by q = N p . Further, let us assume that the estimation p + q has b 2 many MSBs identical with the exact value p + q.…”

“…One may note that given the constraint q < p < 2q, a few bits of p, q can be known in polynomial time (e.g., around 7 bits for 1024 bit N and 9 bits for 2048 bit N following the work of [23]). This will indeed reduce the search effort further for guessing a few MSBs of p.…”

Partial Key Exposure Attacks on Rsa and Its Variant by Guessing a Few Bits of One of the Prime Factors

“…[23], around 7 MSBs of p may be known in polynomial time and hence we need 2 21−7 many guesses for p, which requires less than 7 hours in our experimental set-up. The existing works on partial key exposure attacks will not work with the knowledge of only 80 bits of MSBs that we achieve here.…”

“…According to experimental results in [10, Figure 5], this should require around 93 MSBs of d. In our case, we require only 53 MSBs of d and 21 MSBs of p to factor N that requires 46.25 seconds; thus the total requirement is 53 + 21 = 74 many bits. Considering that 7 many MSBs of p may be known using the idea of [23], the overall attack will take a day in a cluster of 9 machines.…”

“…Factoring N requires the knowledge of 572 many MSBs of d using the method of [10], whereas, our technique requires 517 many MSBs of d and 31 many MSBs of p. Both the techniques require around 7.5 seconds on our platform. Following the idea of [23], around 7 MSBs of p may be known in polynomial time and hence we need 2 31−7 many guesses for p, which requires around a day in a cluster of 2 10 machines. The existing works on partial key exposure attacks will not work with the knowledge of only 517 bits of MSBs that we achieve here.…”

“…Experimental results of [23] show that around 12 many MSBs of p + q can be estimated correctly for the 1024-bit N , whereas the estimation gives around 7 many MSBs for p. Consider that b 1 many MSBs of p are known (p is estimated by p ) and we estimate q by q = N p . Further, let us assume that the estimation p + q has b 2 many MSBs identical with the exact value p + q.…”

“…One may note that given the constraint q < p < 2q, a few bits of p, q can be known in polynomial time (e.g., around 7 bits for 1024 bit N and 9 bits for 2048 bit N following the work of [23]). This will indeed reduce the search effort further for guessing a few MSBs of p.…”

Partial Key Exposure Attacks on Rsa and Its Variant by Guessing a Few Bits of One of the Prime Factors

Cryptanalysis of Short Exponent RSA with Primes Sharing Least Significant Bits

Improved Partial Key Exposure Attacks on RSA by Guessing a Few Bits of One of the Prime Factors