2004, arXiv (Cornell University)
…
11 pages
Extending the classical Legendre's result, we describe all solutions of the inequality $|\alpha - a/b| < c/b^2$ in terms of convergents of the continued fraction expansion of $\alpha$. Namely, we show that $a/b = (r p_{m+1} \pm s p_m)/(r q_{m+1} \pm s q_m)$ for some nonnegative integers $m, r, s$ such that $rs < 2c$. As an application of this result, we describe a modification of the Verheul and van Tilborg variant of Wiener's attack on the RSA cryptosystem with small secret exponent.
2017
This paper presents a new improved attack on RSA based on Wiener's technique using continued fractions. In the RSA cryptosystem with public modulus $N = pq$, public key $e$ and secret key $d$, if $d < \frac{1}{3} N^{1/4}$, Wiener's original attack recovers the secret 3 2 , so if either $d$ or $e$ is relatively small the RSA encryption can be broken. For $e \approx N^t$, our method can recover the secret key if $d < 2\sqrt{2}\, N^{\frac{3}{4} - \frac{t}{2}}$ and certainly for $d < 2\sqrt{2}\, N^{1/4}$. Our experiments demonstrate that for a 1024-bit RSA modulus, our method works for values of $d$ of up to 270 bits, compared to 255 bits for Wiener.
Computing, 2009
Wiener's attack is a well-known polynomial-time attack on an RSA cryptosystem with small secret decryption exponent $d$, which works if $d < n^{0.25}$, where $n = pq$ is the modulus of the cryptosystem. Namely, in that case, $d$ is the denominator of some convergent $p_m/q_m$ of the continued fraction expansion of $e/n$, and therefore $d$ can be computed efficiently from the public key $(n, e)$. There are several extensions of Wiener's attack that allow the RSA cryptosystem to be broken when $d$ is a few bits longer than $n^{0.25}$. They all have run-time complexity (at least) $O(D^2)$, where $d = D n^{0.25}$. Here we propose a new variant of Wiener's attack, which uses results on Diophantine approximations of the form $|\alpha - p/q| < c/q^2$, and a "meet-in-the-middle" variant for testing the candidates (of the form $r q_{m+1} + s q_m$) for the secret exponent. This decreases the run-time complexity of the attack to $O(D \log D)$ (with space complexity $O(D)$).
ACM Communications in Computer Algebra, 2008
Lecture Notes in Computer Science
In this paper we revisit Wiener's method (IEEE-IT 1990) of continued fractions (CF) to find new weaknesses in RSA. We consider RSA with $N = pq$, $q < p < 2q$, public encryption exponent $e$ and private decryption exponent $d$. Our motivation is to find out when RSA is insecure given that $d$ is $O(N^\delta)$, where we are mostly interested in the range $0.3 \le \delta \le 0.5$. Given that $\rho$ ($1 \le \rho \le 2$) is known to the attacker, we show that the RSA keys are weak when $d = N^\delta$ and $\delta < \frac{1}{2} - \frac{\gamma}{2}$, where $|\rho q - p| \le \frac{N^\gamma}{16}$. This presents additional results over the work of de Weger (AAECC 2002). We also discuss how the lattice-based idea of Boneh-Durfee (IEEE-IT 2000) works better to find weak keys beyond the bound $\delta < \frac{1}{2} - \frac{\gamma}{2}$. Further, we show that the RSA keys are weak when $d < \frac{1}{2} N^\delta$ and $e$ is $O(N^{\frac{3}{2} - 2\delta})$ for $\delta \le \frac{1}{2}$. Using similar techniques we also present new results over the work of Blömer and May (PKC 2004).
2005
A well-known attack on RSA with low secret exponent $d$ was given by Wiener about 15 years ago. Wiener showed that, using continued fractions, one can efficiently recover the secret exponent $d$ from the public key $(N, e)$ as long as $d < N^{1/4}$. Interestingly, Wiener stated that his attack may sometimes also work when $d$ is slightly larger than $N^{1/4}$. This raises the question of how much larger $d$ can be: could the attack work with non-negligible probability for $d = N^{1/4 + \rho}$ for some constant $\rho > 0$? We answer this question in the negative by proving a converse to Wiener's result. Our result shows that, for any fixed > 0 and all sufficiently large modulus lengths, Wiener's attack succeeds with negligible probability over a random choice of $d < N^\delta$ (in an interval of size $\Omega(N^\delta)$) as soon as $\delta > 1/4 +$ . Thus Wiener's success bound $d < N^{1/4}$ for his algorithm is essentially tight. We also obtain a converse result for a natural class of extensions of the Wiener attack, which are guaranteed to succeed even when $\delta > 1/4$. The known attacks in this class (by Verheul and Van Tilborg and by Dujella) run in exponential time, so it is natural to ask whether there exists an attack in this class with subexponential run-time. Our second converse result answers this question also in the negative.
Lecture Notes in Computer Science, 2016
In 1995, Kuwakado, Koyama and Tsuruoka presented a new RSA-type scheme based on singular cubic curves $y^2 \equiv x^3 + bx^2 \pmod N$, where $N = pq$ is an RSA modulus. Then, in 2002, Elkamchouchi, Elshenawy and Shaban introduced an extension of the RSA scheme to the field of Gaussian integers using a modulus $N = PQ$, where $P$ and $Q$ are Gaussian primes such that $p = |P|$ and $q = |Q|$ are ordinary primes. Later, in 2007, Castagnos proposed a scheme over quotients of quadratic fields with an RSA modulus $N = pq$. In the three schemes, the public exponent $e$ is an integer satisfying the key equation $ed - k(p^2 - 1)(q^2 - 1) = 1$. In this paper, we apply the continued fraction method to launch an attack on the three schemes when the private exponent $d$ is sufficiently small. Our attack can be considered as an extension of the famous Wiener attack on RSA.
Mathematical Communications
The LUC cryptosystem is a modification of the RSA cryptosystem based on Lucas sequences. In this paper we extend the Verheul - van Tilborg and Dujella variants of the Wiener attack on RSA to the LUC cryptosystem. We describe an algorithm for finding a secret key $d$ of the form $d = r q_{m+1} \pm s q_m$, for some $m \geq -1$ and nonnegative integers $r$ and $s$, using continued fractions. We derive bounds for $r$ and $s$ using results on Diophantine approximations.
Progress in Cryptology – LATINCRYPT 2021, 2021
Let $N = pq$ be an RSA modulus with balanced prime factors. In 2018, Murru and Saettone presented a variant of the RSA cryptosystem based on a cubic Pell equation, in which the public key $(N, e)$ and the private key $(N, d)$ satisfy $ed \equiv 1 \pmod{(p^2 + p + 1)(q^2 + q + 1)}$. They claimed that the classical small private exponent attacks on RSA, such as Wiener's continued fraction attack, do not apply to their scheme. In this paper, we show that, on the contrary, Wiener's method as well as the small inverse problem technique of Boneh and Durfee can be applied to attack their scheme. More precisely, we show that the proposed variant of RSA can be broken if $d < N^{0.5694}$. This shows that their scheme is in reality more vulnerable than RSA, where the bound of vulnerability is $d < N^{0.292}$.
Springer eBooks, 2004
We present an extension of Wiener's attack on small RSA secret decryption exponents. Wiener showed that every RSA public key tuple $(N, e)$ with $e \in \mathbb{Z}^*_{\phi(N)}$ that satisfies $ed - 1 \equiv 0 \pmod{\phi(N)}$ for some $d < \frac{1}{3} N^{1/4}$ yields the factorization of $N = pq$. Our new method finds $p$ and $q$ in polynomial time for every $(N, e)$ satisfying $ex + y \equiv 0 \pmod{\phi(N)}$ with In other words, the generalization works for all secret keys $d = -x y^{-1}$, where $x, y$ are suitably small. We show that the number of these weak keys is at least $N^{3/4}$ and that the number increases with decreasing prime difference $p - q$. As an application of our new attack, we present the cryptanalysis of an RSA-type scheme presented by Yen, Kim, Lim and Moon [11,. Our results point out again the warning for crypto designers to be careful when using the RSA key generation process with special parameters.
We prove a conjecture of Drake and Kim on a continued fraction. Comment: 6 pages, 2 figures