Elsevier

Information Processing Letters

Volume 92, Issue 3, 15 November 2004, Pages 143-147
Information Processing Letters

On the uniformity of distribution of the decryption exponent in fixed encryption exponent RSA

https://doi.org/10.1016/j.ipl.2004.07.004Get rights and content

Abstract

Let us fix a security parameter n and a sufficiently large encryption exponent e. We show that for a random choice of the RSA modulus m=pq, where p and q are n-bit primes, the decryption exponent d, defined by ed1(modφ(m)) is uniformly distributed modulo φ(m). It is known, due to recent work of Boneh, Durfee and Frankel, that additional information about some bits of d may turn out to be dramatic for the security of the whole cryptosystem. Our uniformity of distribution result implies that sufficiently long strings of the most and the least significant bits of d, which are vulnerable to such attacks, behave as random binary vectors.

References (15)

  • J. Blömer et al.

    Low exponent RSA revisited

  • D. Boneh

    Twenty years of attacks on the RSA cryptosystem

    Notices Amer. Math. Soc.

    (1999)
  • D. Boneh et al.

    Cryptanalysis of RSA with private key d less than N0.292

    IEEE Trans. Inform. Theory

    (2000)
  • D. Boneh et al.

    An attack on RSA given a small fraction of the private key bits

  • M. Drmota et al.

    Sequences, Discrepancies and Applications

    (1997)
  • G. Durfee et al.

    Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt'99

  • H. Halberstam et al.

    Sieve Methods

    (1974)
There are more references available in the full text version of this article.

Cited by (0)

View full text