A Generalized Wiener Attack on RSA

  • Johannes Blömer
  • Alexander May
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2947)

Abstract

We present an extension of Wiener’s attack on small RSA secret decryption exponents [10]. Wiener showed that every RSA public key tuple (N,e) with \(e \in {\mathbb{Z}}_{\phi(N)}^*\) that satisfies ed − 1 = 0 mod φ(N) for some \(d<\frac 1 3 N^{\frac 1 4}\) yields the factorization of N=pq. Our new method finds p and q in polynomial time for every (N,e) satisfying ex + y = 0 mod φ(N) with
$$ x < \frac 1 3 N^{\frac 1 4} \quad \textrm{and} \quad |y| = {\cal O}(N^{- \frac 3 4}ex). $$
In other words, the generalization works for all secret keys \(d = -xy^{-1}\), where x, y are suitably small. We show that the number of these weak keys is at least \(N^{\frac 3 4-\epsilon}\) and that the number increases with decreasing prime difference p-q. As an application of our new attack, we present the cryptanalysis of an RSA-type scheme presented by Yen, Kim, Lim and Moon [11,12]. Our results point out again the warning for crypto-designers to be careful when using the RSA key generation process with special parameters.
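
Wiener's original condition from the abstract (the case x = d, y = −1) can be tested during key generation or a key audit by walking the continued-fraction convergents of e/N. The Python code below is an added example, not code from the paper; it covers only Wiener's classical case and not the generalized attack, and the function names and the toy key (N = 90581, e = 17993) are constructed for illustration.

```python
from math import isqrt

def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    k0, k1 = 0, 1          # previous two numerators
    d0, d1 = 1, 0          # previous two denominators
    while den:
        a, r = divmod(num, den)
        k0, k1 = k1, a * k1 + k0
        d0, d1 = d1, a * d1 + d0
        yield k1, d1
        num, den = den, r

def wiener_weak_key_check(N, e):
    """Return (p, q, d) if (N, e) is weak in Wiener's sense, else None.

    For ed - 1 = k*phi(N) with small d, k/d appears among the
    convergents of e/N. Each convergent gives a candidate phi(N),
    which is accepted only if it yields an exact factorization of N.
    """
    for k, d in convergents(e, N):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k        # candidate phi(N)
        s = N - phi + 1               # candidate p + q
        disc = s * s - 4 * N          # equals (p - q)^2 when phi is right
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue
        p, q = (s + root) // 2, (s - root) // 2
        if q > 1 and p * q == N:
            return p, q, d
    return None

if __name__ == "__main__":
    # Constructed toy key: p = 379, q = 239, d = 5 < (1/3) * N^(1/4)
    print(wiener_weak_key_check(90581, 17993))
    # Same modulus with e = 65537: d = 26801 is not small, check passes
    print(wiener_weak_key_check(90581, 65537))
```

A key generator that picks d (or a value derived from it) from a restricted range can run this check on its output and reject any key for which it returns a factorization.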

Keywords

RSA, weak keys, Wiener attack, continued fractions

References

  1. Apostol, T.M.: Introduction to analytic number theory. Springer, Heidelberg (1980)
  2. Boneh, D., DeMillo, R., Lipton, R.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)
  3. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than \(N^{0.292}\). IEEE Trans. on Information Theory 46(4) (2000)
  4. Coppersmith, D.: Small solutions to polynomial equations and low exponent vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)
  5. Crépeau, C., Slakmon, A.: Simple Backdoors for RSA Key Generation. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 403–416. Springer, Heidelberg (2003)
  6. Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, p. 51. Springer, Heidelberg (2001)
  7. Hardy, G.H., Wright, E.M.: Introduction to the theory of numbers. Oxford University Press, Oxford (1979)
  8. Koblitz, N.: A course in number theory and cryptography. Springer, Heidelberg (1994)
  9. de Weger, B.: Cryptanalysis of RSA with small prime difference. Applicable Algebra in Engineering, Communication and Computing 13(1), 17–28 (2002)
  10. Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36, 553–558 (1998)
  11. Yen, S.-M., Kim, S., Lim, S., Moon, S.: Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 397–413. Springer, Heidelberg (2002)
  12. Yen, S.-M., Kim, S., Lim, S., Moon, S.: RSA Speedup with Chinese Remainder Theorem Immune against Hardware Fault Cryptanalysis. IEEE Transactions on Computers 52(4) (2003)

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Johannes Blömer (1)
  • Alexander May (1)
  1. Faculty of Computer Science, Electrical Engineering and Mathematics, University of Paderborn, Paderborn, Germany