New vulnerabilities in RSA

Let N = pq be the product of two large unknown primes of equal bit-size. Wiener’s famous attack on RSA shows that using a public key (N, e) satisfying ed− k(N + 1− (p+ q)) = 1 with d < 1 3 N makes RSA completely insecure. The number of such weak keys can be estimated as N 1 4−ε. In this paper, we present a generalization of Wiener’s attack. We study two new classes of exponents satisfying an equation eX − ( N − ( up± q u )) Y = Z, where X, Y are suitably small integers, u is an integer with |u| < 1 2 q and Z is a small rational. Using a combination of the continued fraction algorithm and Coppersmith’s lattice based technique for solving polynomial equations, we show that every exponent e in these classes yields the factorization of N . Moreover, we show that the number of such exponents is at least N 3 4−ε where ε > 0 is arbitrarily small for large N when p and q satisfy |p− q| = Ω (√ N ) .