A generalized Wiener attack on RSA

This article is free to access.

Abstract

We present an extension of Wiener's attack on small RSA secret decryption exponents [10]. Wiener showed that every RSA public key tuple (N, e) with e ∈ ℤ*_φ(N) that satisfies ed − 1 = 0 mod φ(N) for some d < (1/3)N^(1/4) yields the factorization of N = pq. Our new method finds p and q in polynomial time for every (N, e) satisfying ex + y = 0 mod φ(N) with x < (1/3)N^(1/4) and |y| = O(N^(−3/4)ex). In other words, the generalization works for all secret keys d = −xy^(−1), where x, y are suitably small. We show that the number of these weak keys is at least N^(3/4−ε) and that the number increases with decreasing prime difference p − q. As an application of our new attack, we present the cryptanalysis of an RSA-type scheme presented by Yen, Kim, Lim and Moon [11,12]. Our results point out again the warning for cryptodesigners to be careful when using the RSA key generation process with special parameters. © International Association for Cryptologic Research 2004.
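
The weak-key condition in the abstract can be turned into a self-audit for a key generator that still holds p and q. The following is an added example, not code from the paper: the function names are hypothetical, the hidden constant in the O(·) bound is assumed to be c = 1, and the toy primes are constructed for illustration.

```python
def convergents(a, b):
    """Yield the continued-fraction convergents (k, x) of a/b."""
    k0, k1, x0, x1 = 0, 1, 1, 0
    while b:
        quot, rem = divmod(a, b)
        k0, k1 = k1, quot * k1 + k0
        x0, x1 = x1, quot * x1 + x0
        yield k1, x1
        a, b = b, rem


def find_weak_relation(p, q, e, c=1):
    """Return (x, y) with e*x + y = 0 mod phi(N), x < (1/3)N^(1/4) and
    |y| <= c * N^(-3/4) * e * x, or None if the key has no such relation.

    Needs the private factors, so it only audits a key you generated.
    For c = 1 and e < phi(N), any relation inside these bounds has
    |y| * x < phi(N)/2, so by Legendre's theorem k/x is a convergent of
    e/phi(N); scanning the convergents therefore covers every candidate.
    c is an assumed stand-in for the constant hidden in the O() bound.
    """
    N, phi = p * q, (p - 1) * (q - 1)
    for k, x in convergents(e, phi):
        if (3 * x) ** 4 >= N:      # x < (1/3)N^(1/4), checked in integers
            return None            # denominators only grow from here on
        y = k * phi - e * x        # chosen so that e*x + y = k*phi
        # Compare 4th powers so the N^(-3/4) bound needs no floating point.
        if y != 0 and abs(y) ** 4 * N ** 3 <= (c * e * x) ** 4:
            return x, y
    return None


if __name__ == "__main__":
    p, q = 1009, 3643              # constructed toy primes, N = 3675787
    phi = (p - 1) * (q - 1)
    samples = {
        "classic Wiener key (d = 5)": pow(5, -1, phi),
        "generalized weak key (5e + 11 = phi)": 734225,
        "e = 65537": 65537,
    }
    for label, e in samples.items():
        print(label, "->", find_weak_relation(p, q, e))
```

The second sample has a full-size private exponent, so a plain d < (1/3)N^(1/4) check would accept it even though it satisfies the generalized relation.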

Blömer, J., & May, A. (2004). A generalized Wiener attack on RSA. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2947, 1–13. https://doi.org/10.1007/978-3-540-24632-9_1
