Another Generalization of Wiener's Attack on RSA
نویسنده
چکیده
A well-known attack on RSA with low secret-exponent d was given by Wiener in 1990. Wiener showed that using the equation ed − (p − 1)(q − 1)k = 1 and continued fractions, one can efficiently recover the secret-exponent d and factor N = pq from the public key (N, e) as long as d < 1 3 N 1 4 . In this paper, we present a generalization of Wiener’s attack. We show that every public exponent e that satisfies eX − (p− u)(q − v)Y = 1 with 1 ≤ Y < X < 2 1 4N 1 4 , |u| < N 1 4 , v = [ − qu p− u ] , and all prime factors of p − u or q − v are less than 10 yields the factorization of N = pq. We show that the number of these exponents is at least N 1 2−ε.
منابع مشابه
Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99
At Asiacrypt ’99, Sun, Yang and Laih proposed three RSA variants with short secret exponent that resisted all known attacks, including the recent Boneh-Durfee attack from Eurocrypt ’99 that improved Wiener’s attack on RSA with short secret exponent. The resistance comes from the use of unbalanced primes p and q. In this paper, we extend the Boneh-Durfee attack to break two out of the three prop...
متن کاملNew vulnerabilities in RSA
Let N = pq be the product of two large unknown primes of equal bit-size. Wiener’s famous attack on RSA shows that using a public key (N, e) satisfying ed− k(N + 1− (p+ q)) = 1 with d < 1 3 N makes RSA completely insecure. The number of such weak keys can be estimated as N 1 4−ε. In this paper, we present a generalization of Wiener’s attack. We study two new classes of exponents satisfying an eq...
متن کاملA Generalized Wiener Attack on RSA
We present an extension of Wiener’s attack on small RSA secret decryption exponents [10]. Wiener showed that every RSA public key tuple (N, e) with e ∈ ∗ φ(N) that satisfies ed − 1 = 0 mod φ(N) for some d < 1 3 N 1 4 yields the factorization of N = pq. Our new method finds p and q in polynomial time for every (N, e) satisfying ex + y = 0 mod φ(N) with x < 1 3 N 1 4 and |y| = O(N− 3 4 ex). In ot...
متن کاملWeak Keys in RSA over The Work of Blomer & May
In this paper we generalize the idea given by Weger and Maitra & Sarkar. This generalization is coming from the concept of x9.31−1997 standard for public key cryptography, Section 4.1.2, i.e., there are a number of recommendations for the generalization of the primes of an RSA modulus. Among them, the ratio of the primes shall not be close to the ratio of small integers. Also we try to improve ...
متن کاملContinued fractions and RSA with small secret exponent
Extending the classical Legendre’s result, we describe all solutions of the inequality |α − a/b| < c/b in terms of convergents of continued fraction expansion of α. Namely, we show that a/b = (rpm+1±spm)/(rqm+1±sqm) for some nonnegative integers m, r, s such that rs < 2c. As an application of this result, we describe a modification of Verheul and van Tilborg variant of Wiener’s attack on RSA cr...
متن کامل