I've heard that textbook RSA is insecure when decryption exponent $d$ is smaller than $N^{1/4}$ where $N$ is the public modulus. Why is it the case and what would be a simple explanation of the attack ?
Asked
Active
Viewed 1,007 times
1 Answers
2
RSA without proper padding using randomness (plain old RSA) is not to be used in practice, and the attacks on small exponents assume plain old RSA, or a means of getting past the padding, such as the so-called million message attack.
The original attack on plain old RSA using such small exponents was due to Wiener. There has been further work showing that an even larger $d$ than $d>N^{1/4}$ is required, such as work by Maitra and Sarkar.
In addition, please see the extensive discussion in the question RSA with small exponents.
kodlu
- 25,146
- 2
- 30
- 63