Abstract
We present an extension of Wiener’s attack on small RSA secret decryption exponents [10]. Wiener showed that every RSA public key tuple (N,e) with \(e \in {\mathbb{Z}}_{\phi(N)}^*\) that satisfies ed − 1 = 0 mod φ(N) for some \(d<\frac 1 3 N^{\frac 1 4}\) yields the factorization of N=pq. Our new method finds p and q in polynomial time for every (N,e) satisfying ex + y = 0 mod φ(N) with
In other words, the generalization works for all secret keys \(d = -xy^{-1}\), where x, y are suitably small. We show that the number of these weak keys is at least \(N^{\frac 3 4-\epsilon}\) and that the number increases with decreasing prime difference \(p-q\). As an application of our new attack, we present the cryptanalysis of an RSA-type scheme presented by Yen, Kim, Lim and Moon [11,12]. Our results again underline the warning that crypto-designers should be careful when using the RSA key generation process with special parameters.
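As an added illustration (not code from the paper), the following key-audit check implements only Wiener's original continued-fraction test summarized above; it does not cover the generalized condition ex + y = 0 mod φ(N). The function names and both toy keys are constructed for this example.

```python
from math import isqrt

def convergents(num, den):
    """Yield the continued-fraction convergents (k, d) of num/den."""
    p0, p1, q0, q1 = 0, 1, 1, 0
    while den:
        a, r = divmod(num, den)
        p0, p1 = p1, a * p1 + p0
        q0, q1 = q1, a * q1 + q0
        yield p1, q1
        num, den = den, r

def wiener_weak_key(N, e):
    """Return (p, q, d) if (N, e) is factored by Wiener's method, else None."""
    for k, d in convergents(e, N):
        # Candidate relation e*d - 1 = k*phi(N): k must divide e*d - 1.
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = N - phi + 1           # equals p + q when phi is correct
        disc = s * s - 4 * N      # equals (p - q)^2 when phi is correct
        if disc < 0:
            continue
        t = isqrt(disc)
        if t * t != disc or (s + t) % 2:
            continue
        p, q = (s + t) // 2, (s - t) // 2
        if q > 1 and p * q == N:
            return p, q, d
    return None

# Constructed toy keys sharing N = 379 * 239 (far too small for real use).
WEAK_KEY = (90581, 17993)     # d = 5, below (1/3) * N**(1/4), about 5.78
LARGE_D_KEY = (90581, 89963)  # d = 89963, far above Wiener's bound

if __name__ == "__main__":
    for N, e in (WEAK_KEY, LARGE_D_KEY):
        result = wiener_weak_key(N, e)
        print(N, e, "WEAK, factored:" if result else "not flagged", result)
```

A key that passes this check can still be weak in the generalized sense the paper describes, so a clean result here is not evidence that special key-generation parameters are safe.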
References
Apostol, T.M.: Introduction to analytic number theory. Springer, Heidelberg (1980)
Boneh, D., DeMillo, R., Lipton, R.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than \(N^{0.292}\). IEEE Trans. on Information Theory 46(4) (2000)
Coppersmith, D.: Small solutions to polynomial equations and low exponent vulnerabilities. Journal of Cryptology 10(4), 223–260 (1997)
Crépeau, C., Slakmon, A.: Simple Backdoors for RSA Key Generation. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 403–416. Springer, Heidelberg (2003)
Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, p. 51. Springer, Heidelberg (2001)
Hardy, G.H., Wright, E.M.: Introduction to the theory of numbers. Oxford University Press, Oxford (1979)
Koblitz, N.: A course in number theory and cryptography. Springer, Heidelberg (1994)
de Weger, B.: Cryptanalysis of RSA with small prime difference. Applicable Algebra in Engineering, Communication and Computing 13(1), 17–28 (2002)
Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36, 553–558 (1998)
Yen, S.-M., Kim, S., Lim, S., Moon, S.: Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 397–413. Springer, Heidelberg (2002)
Yen, S.-M., Kim, S., Lim, S., Moon, S.: RSA Speedup with Chinese Remainder Theorem Immune against Hardware Fault Cryptanalysis. IEEE Transactions on Computers 52(4) (2003)
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Blömer, J., May, A. (2004). A Generalized Wiener Attack on RSA. In: Bao, F., Deng, R., Zhou, J. (eds) Public Key Cryptography – PKC 2004. PKC 2004. Lecture Notes in Computer Science, vol 2947. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24632-9_1
DOI: https://doi.org/10.1007/978-3-540-24632-9_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-21018-4
Online ISBN: 978-3-540-24632-9