Estimating the prime-factors of an RSA modulus and an extension of the wiener attack

Abstract

In the RSA system, balanced modulus N denotes a product of two large prime numbers p and q, where q < p < 2q. Since Integer-Factorization is difficult, p and q are simply estimated as √N. In the Wiener attack, 2√N is adopted to be the estimation of p + q in order to raise the security boundary of private-exponent d. This work proposes a novel approach, called EPF, to determine the appropriate prime-factors of N. The estimated values are called "EPFs of N", and are denoted as pE and qE. Thus pE and qE can be adopted to estimate p + q more accurately than by simply adopting 2√N. In addition, we show that the Verheul and Tilborg's extension of the Wiener attack can be considered to be brute-guessing for the MSBs of p + q. Comparing with their work, EPF can extend the Wiener attack to reduce the cost of exhaustive-searching for 2r + 8 bits down to 2r - 10 bits, where r depends on N and the private key d. The security boundary of private-exponent d can be raised 9 bits again over Verheul and Tilborg's result. © Springer-Verlag Berlin Heidelberg 2007.