Cryptanalysis of short RSA secret exponents

  title={Cryptanalysis of short RSA secret exponents},
  author={Michael J. Wiener},
  journal={IEEE Trans. Inf. Theory},
  • M. Wiener
  • Published 1 May 1990
  • Computer Science, Mathematics
  • IEEE Trans. Inf. Theory
A cryptanalytic attack on the use of short RSA secret exponents is described. The attack makes use of an algorithm based on continued fractions that finds the numerator and denominator of a fraction in polynomial time when a close enough estimate of the fraction is known. The public exponent e and the modulus pq can be used to create an estimate of a fraction that involves the secret exponent d. The algorithm based on continued fractions uses this estimate to discover sufficiently short secret… 

Tables from this paper

Cryptanalysis of ‘Less Short’ RSA Secret Exponents
  • E. VerheulH. V. Tilborg
  • Mathematics, Computer Science
    Applicable Algebra in Engineering, Communication and Computing
  • 1997
Here, it is described a general method to compute the CF-convergents of the continued fraction expansion of the same number as in Wiener up to the point where the denominator of the CF -convergent exceeds approximately n1/4.
New Attacks on RSA with Small Secret CRT-Exponents
The method can be used to attack two fast RSA variants recently proposed by Galbraith, Heneghan, McKee, and by Sun, Wu and also present a second result for balanced RSA primes in the case that the public exponent e is significantly smaller than N.
On the Design of RSA With Short Secret Exponent
It is shown that it is possible to use a short secret exponent which is below these bounds while not compromising with the security of RSA provided that p and q are differing in size and are large enough to combat factoring algorithms.
A variant of Wiener’s attack on RSA
  • A. Dujella
  • Computer Science, Mathematics
  • 2009
A new variant of Wiener’s attack is proposed, which uses results on Diophantine approximations of the form |α − p/q| <  c/q2, and “meet-in-the-middle” variant for testing the candidates (of the form rqm+1 +  sqm) for the secret exponent.
A new attack on the RSA cryptosystem based on continued fractions
This paper presents a new improved attack on RSA based on Wiener's technique using continued fractions, which works for values of d of up to 270 bits compared to 255 bits for Wiener.
Extension of de Weger's Attack on RSA with Large Public Keys
The aim of this paper is to investigate for which values of the variables σ and∆ = |p−q|, RSA which uses public keys of the special structure E = e+σφ(N), wheree< φ( N), is insecure against cryptanalysis.
Cryptanalysis of RSA with constrained keys
It is shown that instances of RSA with even large private exponents can be efficiently broken if there exist positive integers X, Y such that |eY - XF(u)| and Y are suitably small where F is a function of publicly known expression.
Thirty Years of Attacks on the RSA Cryptosystem
A survey on RSA attacks is intended to cover the attacks enabled by the weak private exponent, the weak public exponent,The partial key exposure and the implementation details of RSA respectively.
Secret Exponent Attacks on RSA-type Schemes with Moduli N= prq
  • Alexander May
  • Computer Science, Mathematics
    Public Key Cryptography
  • 2004
The results show that RSA-type schemes that use moduli of the form N=p r q are more susceptible to attacks that leak bits of the secret key than the original RSA scheme.


A method for obtaining digital signatures and public-key cryptosystems
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key, soriers or other secure means are not needed to transmit keys.
Fast decipherment algorithm for RSA public-key cryptosystem
A fast algorithm is presented for deciphering cryptograms involved in the public-key cryptosystem proposed by Rivest, Shamir and Adleman, based on the Chinese remainder theorem and on improved modular multiplication algorithms.
A $p+1$ method of factoring
Let N have a prime divisor p such that p + 1 has only small prime divisors. A method is described which will allow for the determination of p, given N. This method is analogous to the p — 1 method of
The art of computer programming. Vol.2: Seminumerical algorithms
This professional art of computer programming volume 2 seminumerical algorithms 3rd edition that has actually been written by is one of the best seller books in the world and is never late to read.
The Art of Computer Programming
The arrangement of this invention provides a strong vibration free hold-down mechanism while avoiding a large pressure drop to the flow of coolant fluid.
Theorems on factorization and primality testing
  • J. Pollard
  • Computer Science
    Mathematical Proceedings of the Cambridge Philosophical Society
  • 1974
This paper is concerned with the problem of obtaining theoretical estimates for the number of arithmetical operations required to factorize a large integer n or test it for primality and uses a multi-tape Turing machine for this purpose.
On Using RSA with Low Exponent in a Public Key Network
The problem of solving systems of equations Pi(x) ? 0 (mod ni) i = 1... k where Pi are polynomials of degree d and the ni are distinct relatively prime numbers is considered and it is shown that x can recover x in polynomial time provided ni ? 2k.
Art of Computer Programming Volume 2 / Seminumerical Algorithms
  • Art of Computer Programming Volume 2 / Seminumerical Algorithms
  • 1969
At? of Compiiter Programming Vol. Z/Semin~rmc~riccll algorithms
  • At? of Compiiter Programming Vol. Z/Semin~rmc~riccll algorithms
  • 1969
Art of Computer Programming Volume 2
  • Seminumerical Algorithms, Addison Wesley,
  • 1969