A Generalized Wiener Attack on RSA

  • Johannes Blömer
  • Alexander May
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2947)


We present an extension of Wiener’s attack on small RSA secret decryption exponents [10]. Wiener showed that every RSA public key tuple (N,e) with \(e \in {\mathbb{Z}}_{\phi(N)}^*\) that satisfies ed − 1 = 0 mod φ(N) for some \(d<\frac 1 3 N^{\frac 1 4}\) yields the factorization of N=pq. Our new method finds p and q in polynomial time for every (N,e) satisfying ex + y = 0 mod φ(N) with
$$ x < \frac 1 3 N^{\frac 1 4} \quad \textrm{and} \quad |y| = {\cal O}(N^{- \frac 3 4}ex). $$
In other words, the generalization works for all secret keys d= – xy − 1, where x, y are suitably small. We show that the number of these weak keys is at least \(N^{\frac 3 4-\epsilon}\) and that the number increases with decreasing prime difference p-q. As an application of our new attack, we present the cryptanalysis of an RSA-type scheme presented by Yen, Kim, Lim and Moon [11,12]. Our results point out again the warning for crypto-designers to be careful when using the RSA key generation process with special parameters.


RSA weak keys Wiener attack continued fractions 


  1. 1.
    Apostol, T.M.: Introduction to analytic number theory. Springer, Heidelberg (1980)Google Scholar
  2. 2.
    Boneh, D., DeMillo, R., Lipton, R.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)Google Scholar
  3. 3.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. IEEE Trans. on Information Theory 46(4) (2000)Google Scholar
  4. 4.
    Coppersmith, D.: Small solutions to polynomial equations and low exponent vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)CrossRefMathSciNetGoogle Scholar
  5. 5.
    Crépeau, C., Slakmon, A.: Simple Backdoors for RSA Key Generation. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 403–416. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, p. 51. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Hardy, G.H., Wright, E.M.: Introduction to the theory of numbers. Oxford University Press, Oxford (1979)zbMATHGoogle Scholar
  8. 8.
    Koblitz, N.: A course in number theory and cryptography. Springer, Heidelberg (1994)zbMATHCrossRefGoogle Scholar
  9. 9.
    deWeger, B.: Cryptanalysis of RSA with small prime difference. Applicable Algebra in Engineering. Communication and Computing 13(1), 17–28 (2002)CrossRefMathSciNetGoogle Scholar
  10. 10.
    Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36, 553–558 (1998)CrossRefMathSciNetGoogle Scholar
  11. 11.
    Yen, S.-M., Kim, S., Lim, S., Moon, S.: Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 397–413. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Yen, S.-M., Kim, S., Lim, S., Moon, S.: RSA Speedup with Chinese Remainder Theorem Immune against Hardware Fault Cryptanalysis. IEEE Transactions on Computers 52(4) (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Johannes Blömer
    • 1
  • Alexander May
    • 1
  1. 1.Faculty of Computer Science, Electrical Engineering and MathematicsUniversity of PaderbornPaderbornGermany

Personalised recommendations