Extension of de Weger's Attack on RSA with Large Public Keys

RSA cryptosystem (Rivest et al., 1978) is the most widely deployed public-key cryptosystem for both encryption and digital signatures. Since its invention, lots of cryptanalytic efforts have been made which helped us to improve it, especially in the area of key selection. The security of RSA relies on the computational hardness of factoring large integers and most of the attacks exploit bad choice parameters or flaws in implementations. Two very important cryptanalytic efforts in this area have been made by Wiener (Wiener, 1990) and de Weger (Weger, 2002) who developed attacks based on small secret keys (Hinek, 2010).The main idea of Wiener’s attack is to approximate the fraction e j (N) by e N for large values of N and then make use of the continued fraction algorithm to recover the secret key d by computing the convergents of the fraction e N . He proved that the secret key d can be efficiently recovered if d < 3 N 1 4 and e < j (N) and then de Weger extended this attack from d < 1 3 N 1 4 to d < N 3 4−b , for any 4 < b < 1 2 such that |p− q| < N b . The aim of this paper is to investigate for which values of the variables s and D = |p− q|, RSA which uses public keys of the special structure E = e+ s j (N), where e < j (N), is insecure against cryptanalysis. Adding multiples of j (N) either to e or to d is called Exponent Blinding and it is widely used especially in case of encryption schemes or digital signatures implemented in portable devices such as smart cards (Schindler and Itoh, 2011). We show that an extension of de Weger’s attack from public keys e < j (N) to E > j (N) is possible if the security parameter s satisfies s ≤ N 2 .