Extending Wiener’s Attack in the Presence of Many Decrypting Exponents

  • Nicholas Howgrave-Graham
  • Jean-Pierre Seifert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1740)


Wiener has shown that when the RSA protocol is used with a decrypting exponent, d, which is less than N 1/4 and an encrypting exponent, e, approximately the same size as N, then d can usually be found from the continued fraction approximation of e/N. We extend this attack to the case when there are many ei for a given N, all with small d i . For the case of two such e i , the d i can (heuristically) be as large as N 5/14 and still be efficiently recovered. As the number of encrypting exponents increases the bound on the d i , which enables efficient recovery of the d i , increases (slowly) to N 1-∈. However, the complexity of our method is exponential in the number of exponents present, and therefore only practical for a relatively small number of them.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. B. D. Boneh, “Twenty years of attacks on RSA”, Notices of the AMS Vol. 46, pp. 203–213, 1999.zbMATHMathSciNetGoogle Scholar
  2. BD. D. Boneh, G. Durfee, “New results on the cryptanalysis of low exponent RSA”, to appear in Proc. of EUROCRYPT’ 99.Google Scholar
  3. D. J. M. DeLaurentis, “A further weakness in the common modulus protocol for the RSA cryptoalgorithm”, Cryptologia Vol. 8, pp. 253–259, 1984.CrossRefMathSciNetGoogle Scholar
  4. G. C. R. Guo, “An application of diophantine approximation in computer security”, to appear in Mathematics of Computation.Google Scholar
  5. HW. G. H. Hardy, E. M. Wright, An introduction to the theory of numbers, 5th edn., Oxford University Press, 1979.Google Scholar
  6. LLL. A. K. Lenstra, H. W. Lenstra, L. Lovasz, “Factoring polynomials with integer coefficients”, Mathematische Annalen Vol. 261, pp. 513–534, 1982.CrossRefMathSciNetGoogle Scholar
  7. M. J. H. Moore, “Protocol failures in cryptosystems”, in G. J. Simmons (ed.), Contemporary Cryptology, IEEE Press, 1992.Google Scholar
  8. RSA. R. L. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, Commun. ACM Vol. 21, pp. 120–126, 1978.zbMATHCrossRefMathSciNetGoogle Scholar
  9. Sh. V. Shoup, “Number Theory Library (NTL)”,
  10. Si. G. J. Simmons, “A `weak’ privacy protocol using the RSA cryptalgorithm”, Cryptologia Vol. 7, pp. 180–182, 1983.zbMATHCrossRefGoogle Scholar
  11. VvT. E. R. Verheul, H. C. A. van Tilborg, “Cryptanalysis of `Less Short’ RSA secret exponents”, Applicable Algebra in Engeneering, Communication and Computing Vol. 8, pp. 425–435, 1997.zbMATHCrossRefGoogle Scholar
  12. W. M. Wiener, “Cryptanalysis of short RSA exponents”, IEEE Trans. on Information Theory Vol. 36, pp. 553–558, 1990.zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Nicholas Howgrave-Graham
    • 1
  • Jean-Pierre Seifert
    • 2
  1. 1.Mathematical Sciences DepartmentUniversity of BathUK
  2. 2.Department of MathematicsJohann Wolfgang Goethe-UniversityFrankfurt am MainGermany

Personalised recommendations