A New Attack on RSA and CRT-RSA

In RSA, the public modulus N = pq is the product of two primes of the same bit-size, the public exponent e and the private exponent d satisfy ed ≡ 1 (mod (p−1)(q−1)). In many applications of RSA, d is chosen to be small. This was cryptanalyzed by Wiener in 1990 who showed that RSA is insecure if d < N. As an alternative, Quisquater and Couvreur proposed the CRT-RSA scheme in the decryption phase, where dp = d (mod (p− 1)) and dq = d (mod (q− 1)) are chosen significantly smaller than p and q. In 2006, Bleichenbacher and May presented an attack on CRT-RSA when the CRT-exponents dp and dq are both suitably small. In this paper, we show that RSA is insecure if the public exponent e satisfies an equation ex+y ≡ 0 (mod p) with |x||y| < N √ 2−1 2 and ex+y 6≡ 0 (mod N). As an application of our new attack, we present the cryptanalysis of CRT-RSA if one of the private exponents, dp say, satisfies dp < N √ 2 4 √ e . This improves the result of Bleichenbacher and May on CRT-RSA where both dp and dq are required to be suitably small.