Extended partial key exposure attacks on RSA: Improvement up to full size decryption exponents
Theoretical Computer Science (IF 0.9), Pub Date: 2020-07-16, DOI: 10.1016/j.tcs.2020.07.004
Kaichi Suzuki, Atsushi Takayasu, Noboru Kunihiro

Partial key exposure attacks on RSA have been intensively studied by using lattice-based Coppersmith's methods. Ernst et al. (Eurocrypt'05) studied the problem by considering three attack scenarios: (1) the most significant bits (MSBs) of a secret exponent d known, (2) the least significant bits (LSBs) of d known, (3) both the MSBs and the LSBs of d known. The proposed attacks were valuable since they were the first results to handle full size exponents e. Takayasu and Kunihiro (SAC'14, Theoretical Computer Science'19) proposed improved attacks for (1) and (2) when d is sufficiently small, i.e., $d < N^{0.5625}$ for (1) and $d < N^{0.368}$ for (2), by utilizing a linearization technique. In this paper, we extend Takayasu-Kunihiro's attacks and improve Ernst et al.'s attack for (3). In particular, our attack contains Takayasu-Kunihiro's attacks for (1) and (2) as special cases when the amounts of given LSBs and MSBs are zero, respectively. Furthermore, as opposed to Takayasu-Kunihiro's attacks, our improvement against Ernst et al.'s attack is not limited to small secret exponents such as $d < N^{0.5625}$. Indeed, we are able to improve Ernst et al.'s attack almost up to full size decryption exponents, i.e., even when d is close to N. Technically, the extension is not straightforward. We first modify Takayasu-Kunihiro's lattice basis matrix for (2), so that it is compatible with embedding the given MSBs. The modification is crucial for embedding both the MSBs and the LSBs simultaneously in the matrix.




Updated: 2020-09-16