Partial Key Exposure: Generalized Framework to Attack RSA

In the domain of modern public key cryptography, RSA is the most popular system in use. Efficient factorization of the RSA modulus V, constituted as a product of two primes p, q of 'large' bitsize, is a challenging problem in RSA cryptanalysis. The solution to this factorization is aided if the attacker gains partial knowledge about the decryption exponent of RSA. This line of attack is called the Partial Key Exposure attack, and there exists an extensive literature in this direction. In this paper, we study partial key exposure attacks on RSA where the number of unexposed blocks in the decryption exponent is more than one. The existing works have considered only one unexposed block and thus our work provides a generalization of the existing attacks. We propose lattice based approaches to factorize the RSA modulus N = pq (for large primes p, q) when the number of unexposed blocks is n >= 1. We also analyze the ISO/IEC 9796-2 standard signature scheme (based on CRT-RSA) with partially known messages.