Extending Wiener’s Attack in the Presence of Many Decrypting Exponents
Abstract
Wiener has shown that when the RSA protocol is used with a decrypting exponent, $d$, which is less than $N^{1/4}$ and an encrypting exponent, $e$, approximately the same size as $N$, then $d$ can usually be found from the continued fraction approximation of $e/N$. We extend this attack to the case when there are many $e_i$ for a given $N$, all with small $d_i$. For the case of two such $e_i$, the $d_i$ can (heuristically) be as large as $N^{5/14}$ and still be efficiently recovered. As the number of encrypting exponents increases, the bound on the $d_i$ which enables efficient recovery of the $d_i$ increases (slowly) to $N^{1-\epsilon}$. However, the complexity of our method is exponential in the number of exponents present, and therefore only practical for a relatively small number of them.
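The single-exponent continued-fraction test that the abstract attributes to Wiener, written as a key-audit check. This is an added example, not code from the paper; the function names and the toy key (N = 90581, e = 17993) are constructed for illustration, and the paper's extension to several exponents is not covered.

```python
from math import isqrt

def convergents(num, den):
    """Yield the continued-fraction convergents (h, k) of num/den."""
    h0, h1 = 0, 1          # previous / current numerator
    k0, k1 = 1, 0          # previous / current denominator
    while den:
        a, r = divmod(num, den)
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1
        num, den = den, r

def small_d_from_public_key(n, e):
    """Return d if (n, e) fails Wiener's test (d is recoverable), else None."""
    for k, d in convergents(e, n):
        # A correct guess k/d satisfies e*d - 1 = k * phi(n).
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                 # equals p + q when phi is right
        disc = s * s - 4 * n            # equals (p - q)^2 when phi is right
        if disc < 0:
            continue
        t = isqrt(disc)
        if t * t != disc or (s + t) % 2:
            continue
        p, q = (s + t) // 2, (s - t) // 2
        if p > 1 and q > 1 and p * q == n:
            return d                    # key is weak: d below about N^(1/4)
    return None

def audit_key(n, e):
    """Classify a public key for a key-generation or inventory check."""
    d = small_d_from_public_key(n, e)
    return "weak: small private exponent" if d is not None else "passes Wiener test"

# Constructed toy key: n = 379 * 239, private exponent d = 5.
SAMPLE_N, SAMPLE_E = 90581, 17993

if __name__ == "__main__":
    print(audit_key(SAMPLE_N, SAMPLE_E))   # weak key
    print(audit_key(SAMPLE_N, 65537))      # same modulus, large d
```

A key that passes this check is not thereby safe against the stronger bounds discussed in the paper and in Boneh and Durfee's work; the check only rules out the $d < N^{1/4}$ case.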
References
- [B] D. Boneh, “Twenty years of attacks on RSA”, Notices of the AMS Vol. 46, pp. 203–213, 1999.
- [BD] D. Boneh, G. Durfee, “New results on the cryptanalysis of low exponent RSA”, to appear in Proc. of EUROCRYPT ’99.
- [D] J. M. DeLaurentis, “A further weakness in the common modulus protocol for the RSA cryptoalgorithm”, Cryptologia Vol. 8, pp. 253–259, 1984.
- [G] C. R. Guo, “An application of diophantine approximation in computer security”, to appear in Mathematics of Computation.
- [HW] G. H. Hardy, E. M. Wright, An introduction to the theory of numbers, 5th edn., Oxford University Press, 1979.
- [LLL] A. K. Lenstra, H. W. Lenstra, L. Lovasz, “Factoring polynomials with integer coefficients”, Mathematische Annalen Vol. 261, pp. 513–534, 1982.
- [M] J. H. Moore, “Protocol failures in cryptosystems”, in G. J. Simmons (ed.), Contemporary Cryptology, IEEE Press, 1992.
- [RSA] R. L. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, Commun. ACM Vol. 21, pp. 120–126, 1978.
- [Sh] V. Shoup, “Number Theory Library (NTL)”, http://www.cs.wisc.edu/~shoup.ntl.
- [Si] G. J. Simmons, “A ‘weak’ privacy protocol using the RSA cryptalgorithm”, Cryptologia Vol. 7, pp. 180–182, 1983.
- [VvT] E. R. Verheul, H. C. A. van Tilborg, “Cryptanalysis of ‘Less Short’ RSA secret exponents”, Applicable Algebra in Engineering, Communication and Computing Vol. 8, pp. 425–435, 1997.
- [W] M. Wiener, “Cryptanalysis of short RSA exponents”, IEEE Trans. on Information Theory Vol. 36, pp. 553–558, 1990.