Revisiting Wiener's Attack - New Weak Keys in RSA

In this paper we revisit Wiener’s method (IEEE-IT 1990) of continued fraction (CF) to find new weaknesses in RSA. We consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. Our motivation is to find out when RSA is insecure given d is O(N), where we are mostly interested in the range 0.3 ≤ δ ≤ 0.5. Given ρ (1 ≤ ρ ≤ 2) is known to the attacker, we show that the RSA keys are weak when d = N δ and δ < 1 2 − γ 2 , where |ρq − p| ≤ N γ 16 . This presents additional results over the work of de Weger (AAECC 2002). We also discuss how the lattice based idea of Boneh-Durfee (IEEE-IT 2000) works better to find weak keys beyond the bound δ < 1 2 − γ 2 . Further we show that, the RSA keys are weak when d < 1 2 N and e is O(N 3 2 −2δ) for δ ≤ 1 2 . Using similar techniques we also present new results over the work of Blömer and May (PKC 2004).