Paper 2008/459

A variant of Wiener's attack on RSA

Andrej Dujella

Abstract

Wiener's attack is a well-known polynomial-time attack on a RSA cryptosystem with small secret decryption exponent d, which works if d<n^{0.25}, where n=pq is the modulus of the cryptosystem. Namely, in that case, d is the denominator of some convergent p_m/q_m of the continued fraction expansion of e/n, and therefore d can be computed efficiently from the public key (n,e). There are several extensions of Wiener's attack that allow the RSA cryptosystem to be broken when d is a few bits longer than n^{0.25}. They all have the run-time complexity (at least) O(D^2), where d=Dn^{0.25}. Here we propose a new variant of Wiener's attack, which uses results on Diophantine approximations of the form |\alpha - p/q| < c/q^2, and "meet-in-the-middle" variant for testing the candidates (of the form rq_{m+1} + sq_m) for the secret exponent. This decreases the run-time complexity of the attack to O(D log(D)) (with the space complexity O(D)).

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
RSAcontinued fractionscryptanalysis
Contact author(s)
duje @ math hr
History
2008-11-02: received
Short URL
https://ia.cr/2008/459
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2008/459,
      author = {Andrej Dujella},
      title = {A variant of Wiener's attack on RSA},
      howpublished = {Cryptology ePrint Archive, Paper 2008/459},
      year = {2008},
      note = {\url{https://eprint.iacr.org/2008/459}},
      url = {https://eprint.iacr.org/2008/459}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.