由于同等密钥长度的CRT-RSA算法比普通RSA算法的运算速度快4倍左右,因此得到广泛的应用,其算法实现的安全性也就尤为重要.该文针对用于数字签名的CRT-RSA算法,提出基于选择明文的两类攻击方法:一类是通过特殊的选择明文的方法,从而操控S_(q)的值,然后利用S_(q)的相关性分析得到p(q)或mmod p(q),进而破解CRT-RSA算法;一类是针对采用蒙哥马利模乘实现的CRT-RSA算法,利用蒙哥马利参数的特殊性,提出一种选择明文的攻击方法.第一类攻击方法又分为两种实现方式,对第二种实现方式进行了实验验证,实验中通过对p从低到高逐16bit进行相关性攻击,实验发现正确的密钥的相关性系数大部分排在第一位,并且与第二名有着0.01到0.03的差距,每16比特密钥的攻击时间约为20分钟,完整的1024位的p耗时约10小时.第二类攻击方法的仿真实验表明,密钥最高字段的值越大,越有利于攻击.第二类攻击方法实验结果表明,在20000多条有效曲线的情况下,正确密钥的相关性系数达到了0.15,比错误密钥的相关性系数高50%实验证明,该方法可以成功得到密钥.最后针对本文的攻击方法,提出了两种防御方案. Because of the same key length of the CRT-RSA algorithm than ordinary RSA algorithm computing speed about 4 times, it has been widely used, its algorithm is also very important to achieve security.This paper aims at the digital signature of the CRT-RSA Algorithm, we propose two types of attack methods based on the choice of plaintext: one is to manipulate the value of S q by a special method of selecting plaintext, and then use the correlation analysis of S q to obtain p (q) or mmod p (q), and then crack the CRT-RSA algorithm; one is for the CRT-RSA algorithm which is implemented by Montgomery Modular Multiplication, and uses the particularity of Montgomery’s parameters to propose a selective plaintext attack method. The first attack method is divided into Two ways to achieve, the second way to achieve an experimental verification, the experiment by p from low to high by 16bit correlation attack, the experiment found that most of the correct key correlation coefficient came in first place, And has a gap of 0.01 to 0.03 with the second name, the attack time per 16-bit key is about 20 minutes, and the complete 1024-bit p takes about 10 hours. The simulation results of the second attack method show that the key is the highest The larger the value of the field, the more conducive to attack The experimental results show that the correlation coefficient of the correct key reaches 0.15, and the correlation coefficient of the correct key is 50% higher than that of the false key. Experimental results show that this method can successfully obtain the key. At last, two kinds of defense schemes are proposed according to the attack methods in this paper.