Revisiting Wiener's Attack - New Weak Keys in RSA


In this paper we revisit Wiener's method (IEEE-IT 1990) of continued fraction (CF) to find new weaknesses in RSA. We consider RSA with $N = pq$, $q < p < 2q$, public encryption exponent $e$ and private decryption exponent $d$. Our motivation is to find out when RSA is insecure given $d$ is $O(N^{\delta})$, where we are mostly interested in the range $0.3 \le \delta \le 0.5$. Given $\rho$ ($1 \le \rho \le 2$) is known to the attacker, we show that the RSA keys are weak when $d = N^{\delta}$ and $\delta < \frac{1}{2} - \frac{\gamma}{2}$, where $|\rho q - p| \le \frac{N^{\gamma}}{16}$. This presents additional results over the work of de Weger (AAECC 2002). We also discuss how the lattice based idea of Boneh-Durfee (IEEE-IT 2000) works better to find weak keys beyond the bound $\delta < \frac{1}{2} - \frac{\gamma}{2}$. Further we show that the RSA keys are weak when $d < \frac{1}{2} N^{\delta}$ and $e$ is $O(N^{\frac{3}{2} - 2\delta})$ for $\delta \le \frac{1}{2}$. Using similar techniques we also present new results over the work of Blömer and May (PKC 2004).

DOI: 10.1007/978-3-540-85886-7_16

Semantic Scholar estimates that this publication has 123 citations based on the available data.

Cite this paper

@article{Maitra2008RevisitingWA, title={Revisiting Wiener's Attack - New Weak Keys in RSA}, author={Subhamoy Maitra and Santanu Sarkar}, journal={IACR Cryptology ePrint Archive}, year={2008}, volume={2008}, pages={228} }