A Generalized Wiener Attack on RSA

We present an extension of Wiener’s attack on small RSA secret decryption exponents [10]. Wiener showed that every RSA public key tuple (N, e) with e ∈ ∗ φ(N) that satisfies ed − 1 = 0 mod φ(N) for some d < 1 3 N 1 4 yields the factorization of N = pq. Our new method finds p and q in polynomial time for every (N, e) satisfying ex + y = 0 mod φ(N) with x < 1 3 N 1 4 and |y| = O(N− 3 4 ex). In other words, the generalization works for all secret keys d = −xy, where x, y are suitably small. We show that the number of these weak keys is at least N 3 4 − and that the number increases with decreasing prime difference p − q. As an application of our new attack, we present the cryptanalysis of an RSA-type scheme presented by Yen, Kim, Lim and Moon [11, 12]. Our results point out again the warning for cryptodesigners to be careful when using the RSA key generation process with special parameters.