Estimating the Prime-Factors of an RSA Modulus and an Extension of the Wiener Attack

In the RSA system, balanced modulus N denotes a product of two large prime numbers p and q, where q < p < 2q. Since IntegerFactorization is difficult, p and q are simply estimated as √ N . In the Wiener attack, 2 √ N is adopted to be the estimation of p+ q in order to raise the security boundary of private-exponent d. This work proposes a novel approach, called EPF, to determine the appropriate prime-factors of N . The estimated values are called ”EPFs of N”, and are denoted as pE and qE . Thus pE and qE can be adopted to estimate p + q more accurately than by simply adopting 2 √ N . In addition, we show that the Verheul and Tilborg’s extension of the Wiener attack can be considered to be brute-guessing for the MSBs of p+ q. Comparing with their work, EPF can extend the Wiener attack to reduce the cost of exhaustivesearching for 2r+8 bits down to 2r−10 bits, where r depends on N and the private key d. The security boundary of private-exponent d can be raised 9 bits again over Verheul and Tilborg’s result.