STOC '90 Proceedings of the twenty-second annual ACM symposium on Theory of computing
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Finding Small Roots of Univariate Modular Equations Revisited
Proceedings of the 6th IMA International Conference on Cryptography and Coding
Cryptanalysis of RSA with private key d less than N0:292
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
A New Class of Weak Encryption Exponents in RSA
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
Cryptanalysis of RSA Using the Ratio of the Primes
AFRICACRYPT '09 Proceedings of the 2nd International Conference on Cryptology in Africa: Progress in Cryptology
| Hi-index | 0.00 |
A well-known attack on RSA with low secret-exponent d was given by Wiener in 1990. Wiener showed that using the equation ed - (p - 1)(q - 1)k = 1 and continued fractions, one can efficiently recover the secret-exponent d and factor N = pq from the public key (N, e) as long as d N1/4. In this paper, we present a generalization of Wiener's attack. We show that every public exponent e that satisfies eX - (p - u)(q - v)Y = 1 with 1 ≤ Y X -1/4 N1/4, |u| N1/4, v = [-qu/p - u], and all prime factors of p - u or q - v are less than 1050 yields the factorization of N = pq. We show that the number of these exponents is at least N1/2-Ɛ.