Low Secret Exponent RSA Revisited
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
Cryptanalysis of RSA with private key d less than N0.292
IEEE Transactions on Information Theory
A variant of Wiener's attack on RSA with small secret exponent
ACM Communications in Computer Algebra
Revisiting Wiener's Attack --- New Weak Keys in RSA
ISC '08 Proceedings of the 11th international conference on Information Security
Improved Partial Key Exposure Attacks on RSA by Guessing a Few Bits of One of the Prime Factors
Information Security and Cryptology --- ICISC 2008
Another look at small RSA exponents
CT-RSA'06 Proceedings of the 2006 The Cryptographers' Track at the RSA conference on Topics in Cryptology
Cryptanalysis of multi-prime RSA with small prime difference
ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
Hi-index | 0.00 |
A well-known attack on RSA with low secret-exponent d was given by Wiener about 15 years ago. Wiener showed that using continued fractions, one can efficiently recover the secret-exponent d from the public key (N,e) as long as d N1/4. Interestingly, Wiener stated that his attack may sometimes also work when d is slightly larger than N1/4. This raises the question of how much larger d can be: could the attack work with non-negligible probability for d=N1/4+ρ for some constant ρ 0? We answer this question in the negative by proving a converse to Wiener's result. Our result shows that, for any fixed ε 0 and all sufficiently large modulus lengths, Wiener's attack succeeds with negligible probability over a random choice of d Nδ (in an interval of size Ω(Nδ)) as soon as δ 1/4 + ε. Thus Wiener's success bound dN1/4 for his algorithm is essentially tight. We also obtain a converse result for a natural class of extensions of the Wiener attack, which are guaranteed to succeed even when δ 1/4. The known attacks in this class (by Verheul and Van Tilborg and Dujella) run in exponential time, so it is natural to ask whether there exists an attack in this class with subexponential run-time. Our second converse result answers this question also in the negative.