Revisiting Wiener’s Attack – New Weak Keys in RSA

  • Subhamoy Maitra
  • Santanu Sarkar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5222)


In this paper we revisit Wiener’s method (IEEE-IT, 1990) of continued fraction (CF) to find new weaknesses in RSA. We consider RSA with N = pq, q < p < 2q, public encryption exponent e and private decryption exponent d. Our motivation is to find out when RSA is insecure given d is O(n δ ), where we are mostly interested in the range 0.3 ≤ δ ≤ 0.5. We use both the upper and lower bounds on φ(N) and then try to find out what are the cases when \(\frac{t}{d}\) is a convergent in the CF expression of \(\frac{e}{N - \frac{3}{\sqrt{2}} \sqrt{N} + 1}\). First we show that the RSA keys are weak when d = N δ and \(\delta < \frac{3}{4} - \gamma - \tau\), where 2q − p = N γ and τ is a small value based on certain parameters. This presents additional results over the work of de Weger (AAECC 2002). Further we show that, the RSA keys are weak when \(d < \frac{1}{2} N^\delta\) and e is \(O(N^{\frac{3}{2}-2\delta})\) for \(\delta \leq \frac{1}{2}\). Using similar idea we also present new results over the work of Blömer and May (PKC 2004).


Cryptanalysis RSA Factorization Weak Keys 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Blömer, J., May, A.: A generalized Wiener attack on RSA. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 1–13. Springer, Heidelberg (2004)Google Scholar
  2. 2.
    Boneh, D.: Twenty Years of Attacks on the RSA Cryptosystem. Notices of the AMS 46(2), 203–213 (1999)zbMATHMathSciNetGoogle Scholar
  3. 3.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N 0.292. IEEE Trans. on Information Theory 46(4), 1339–1349 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Copppersmith, D.: Small solutions to polynomial equations and low exponent vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)CrossRefMathSciNetGoogle Scholar
  5. 5.
    Coron, J.-S., May, A.: Deterministic Polynomial-Time Equivalence of Computing the RSA Secret Key and Factoring. J. Cryptology 20(1), 39–50 (2007)zbMATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Duejella, A.: Continued fractions and RSA with small secret exponent. Tatra Mt. Math. Publ. 29, 101–112 (2004)MathSciNetGoogle Scholar
  7. 7.
    Jochemsz, E.: Cryptanalysis of RSA variants using small roots of polynomials. Ph. D. thesis, Technische Universiteit Eindhoven (2007)Google Scholar
  8. 8.
    Hastad, J.: On using RSA with low exponent in public key network. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 403–408. Springer, Heidelberg (1986)Google Scholar
  9. 9.
    Ibrahim, D., Bahig, H.M., Bhery, A., Daoud, S.S.: A new RSA vulnerability using continued fractions. In: 6th ACS/IEEE International Conference on Computer Systems and Applications (AICCSA 2008), Doha, Qatar, March 31–April 4 (2008)Google Scholar
  10. 10.
    Jochemsz, E., May, A.: A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Pollard, J.M.: Theorems on factorization and primality testing. Proc. of Combridge Philos. Soc. 76, 521–528 (1974)zbMATHMathSciNetCrossRefGoogle Scholar
  12. 12.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of ACM 21(2), 158–164 (1978)CrossRefMathSciNetGoogle Scholar
  13. 13.
    Rosen, K.H.: Elementary Number Theory. Addison-Wesley, Reading (1984)zbMATHGoogle Scholar
  14. 14.
    Silverman, R.D.: Fast generation of random, strong RSA primes. Cryptobytes 3(1), 9–13 (1997)Google Scholar
  15. 15.
    Stinson, D.R.: Cryptography – Theory and Practice, 2nd edn. Chapman & Hall/CRC, Boca Raton (2002)Google Scholar
  16. 16.
    Steinfeld, R., Contini, S., Pieprzyk, J., Wang, H.: Converse results to the Wiener attack on RSA. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 184–198. Springer, Heidelberg (2005)Google Scholar
  17. 17.
    Verheul, E.R., van Tilborg, H.C.A.: Cryptanalysis of ‘less short’ RSA secret exponents. Applicable Algebra in Engineering, Communication and Computing 8, 425–435 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)zbMATHCrossRefMathSciNetGoogle Scholar
  19. 19.
    Williams, H.C.: A p + 1 method of factoring. Mathematics of Computation 39(159), 225–234 (1982)zbMATHCrossRefMathSciNetGoogle Scholar
  20. 20.
    de Weger, B.: Cryptanalysis of RSA with small prime difference. Applicable Algebra in Engineering, Communication and Computing 13(1), 17–28 (2002)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Subhamoy Maitra
    • 1
  • Santanu Sarkar
    • 1
  1. 1.Indian Statistical InstituteKolkataIndia

Personalised recommendations