More Small Private Exponent Attacks

The small private exponent attacks from Chapter 5 show that instances of RSA with private exponents smaller than about N0.293 should be considered insecure regardless of the size of the modulus. This bound on the private exponent can be increased by incorporating an exhaustive search. For example, as discussed in Chapter 6, the bound for RSA with a 1024-bit modulus can feasibly be increased to about N0.3. In this chapter, we show that private exponents significantly larger than these bounds can be insecure when two or more instances of small private exponent RSA share a common modulus or share the same private exponent. In particular, given enough instances, the attacks show that private exponents up to N0.5− can be insecure.