Extending Wiener’s Attack in the Presence of Many Decrypting Exponents

  • Conference paper
Secure Networking — CQRE [Secure] ’ 99 (CQRE 1999)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 1740)

Abstract

Wiener has shown that when the RSA protocol is used with a decrypting exponent, $d$, which is less than $N^{1/4}$ and an encrypting exponent, $e$, approximately the same size as $N$, then $d$ can usually be found from the continued fraction approximation of $e/N$. We extend this attack to the case when there are many $e_i$ for a given $N$, all with small $d_i$. For the case of two such $e_i$, the $d_i$ can (heuristically) be as large as $N^{5/14}$ and still be efficiently recovered. As the number of encrypting exponents increases the bound on the $d_i$, which enables efficient recovery of the $d_i$, increases (slowly) to $N^{1-\epsilon}$. However, the complexity of our method is exponential in the number of exponents present, and therefore only practical for a relatively small number of them.

References

  • [B] D. Boneh, “Twenty years of attacks on RSA”, Notices of the AMS Vol. 46, pp. 203–213, 1999.

  • [BD] D. Boneh, G. Durfee, “New results on the cryptanalysis of low exponent RSA”, to appear in Proc. of EUROCRYPT ’99.

  • [D] J. M. DeLaurentis, “A further weakness in the common modulus protocol for the RSA cryptoalgorithm”, Cryptologia Vol. 8, pp. 253–259, 1984.

  • [G] C. R. Guo, “An application of diophantine approximation in computer security”, to appear in Mathematics of Computation.

  • [HW] G. H. Hardy, E. M. Wright, An introduction to the theory of numbers, 5th edn., Oxford University Press, 1979.

  • [LLL] A. K. Lenstra, H. W. Lenstra, L. Lovasz, “Factoring polynomials with integer coefficients”, Mathematische Annalen Vol. 261, pp. 513–534, 1982.

  • [M] J. H. Moore, “Protocol failures in cryptosystems”, in G. J. Simmons (ed.), Contemporary Cryptology, IEEE Press, 1992.

  • [RSA] R. L. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, Commun. ACM Vol. 21, pp. 120–126, 1978.

  • [Sh] V. Shoup, “Number Theory Library (NTL)”, http://www.cs.wisc.edu/~shoup.ntl.

  • [Si] G. J. Simmons, “A ‘weak’ privacy protocol using the RSA cryptalgorithm”, Cryptologia Vol. 7, pp. 180–182, 1983.

  • [VvT] E. R. Verheul, H. C. A. van Tilborg, “Cryptanalysis of ‘Less Short’ RSA secret exponents”, Applicable Algebra in Engineering, Communication and Computing Vol. 8, pp. 425–435, 1997.

  • [W] M. Wiener, “Cryptanalysis of short RSA exponents”, IEEE Trans. on Information Theory Vol. 36, pp. 553–558, 1990.

Copyright information

© 1999 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Howgrave-Graham, N., Seifert, JP. (1999). Extending Wiener’s Attack in the Presence of Many Decrypting Exponents. In: Secure Networking — CQRE [Secure] ’ 99. CQRE 1999. Lecture Notes in Computer Science, vol 1740. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46701-7_14

  • DOI: https://doi.org/10.1007/3-540-46701-7_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-66800-8

  • Online ISBN: 978-3-540-46701-4

  • eBook Packages: Springer Book Archive
