Extending Wiener’s Attack in the Presence of Many Decrypting Exponents
Wiener has shown that when the RSA protocol is used with a decrypting exponent, $d$, which is less than $N^{1/4}$ and an encrypting exponent, $e$, approximately the same size as $N$, then $d$ can usually be found from the continued fraction approximation of $e/N$. We extend this attack to the case when there are many $e_i$ for a given $N$, all with small $d_i$. For the case of two such $e_i$, the $d_i$ can (heuristically) be as large as $N^{5/14}$ and still be efficiently recovered. As the number of encrypting exponents increases, the bound on the $d_i$ which enables efficient recovery of the $d_i$ increases (slowly) to $N^{1-\epsilon}$. However, the complexity of our method is exponential in the number of exponents present, and therefore only practical for a relatively small number of them.
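As an added illustration (not code from the paper), the following Python sketch audits a public key for the classical single-exponent weakness described in the first sentence: it walks the convergents $k/d$ of $e/N$ and accepts a candidate $d$ only if the implied $\varphi(N)$ factors $N$. It does not implement the paper's multi-exponent extension; the function names and the toy key values are constructed for this example.

```python
from math import isqrt

def convergents(num, den):
    """Yield the continued-fraction convergents (h, k) of num/den."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k

def small_d_from_public_key(N, e):
    """Return d if a convergent of e/N reveals it, else None."""
    for k, d in convergents(e, N):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k      # candidate phi(N) from e*d - k*phi = 1
        s = N - phi + 1             # candidate p + q
        disc = s * s - 4 * N        # equals (p - q)^2 if the candidate is right
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if p > 1 and q > 1 and p * q == N:
            return d                # key is weak: d follows from (N, e) alone
    return None

# Constructed toy key: N = 239 * 379 with d = 5, far below N^(1/4)
WEAK_N, WEAK_E = 90581, 17993
# Same modulus with e = 65537; its d = 26801 is not small relative to N
OK_N, OK_E = 90581, 65537

if __name__ == "__main__":
    print("weak key, recovered d:", small_d_from_public_key(WEAK_N, WEAK_E))
    print("other key, recovered d:", small_d_from_public_key(OK_N, OK_E))
```

A return value of `None` only means the key is not exposed to this particular continued-fraction test; it says nothing about the larger bounds reached by the extension in this paper.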