Revisiting Wiener’s Attack – New Weak Keys in RSA

Abstract

In this paper we revisit Wiener’s method (IEEE-IT, 1990) of continued fraction (CF) to find new weaknesses in RSA. We consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. Our motivation is to find out when RSA is insecure given d is O(n ^δ), where we are mostly interested in the range 0.3 ≤ δ ≤ 0.5. We use both the upper and lower bounds on φ(N) and then try to find out what are the cases when \(\frac{t}{d}\) is a convergent in the CF expression of \(\frac{e}{N - \frac{3}{\sqrt{2}} \sqrt{N} + 1}\). First we show that the RSA keys are weak when d = N ^δ and \(\delta < \frac{3}{4} - \gamma - \tau\), where 2q − p = N ^γ and τ is a small value based on certain parameters. This presents additional results over the work of de Weger (AAECC 2002). Further we show that, the RSA keys are weak when \(d < \frac{1}{2} N^\delta\) and e is \(O(N^{\frac{3}{2}-2\delta})\) for \(\delta \leq \frac{1}{2}\). Using similar idea we also present new results over the work of Blömer and May (PKC 2004).