A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Low-cost client puzzles based on modular exponentiation
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Hi-index | 0.00 |
Wiener has shown that when the RSA protocol is used with a decrypting exponent, d, which is less than N1/4 and an encrypting exponent, e, approximately the same size as N, then d can usually be found from the continued fraction approximation of e/N. We extend this attack to the case when there are many ei for a given N, all with small di. For the case of two such ei, the di can (heuristically) be as large as N5/14 and still be efficiently recovered. As the number of encrypting exponents increases the bound on the di, which enables efficient recovery of the di, increases (slowly) to N1-Ɛ. However, the complexity of our method is exponential in the number of exponents present, and therefore only practical for a relatively small number of them.