On the Extension of Wiener Attack on RSA with Short Secret-Exponents

Abstract

In 1999, Wiener took advantage of continued fraction technique to attack short secret-exponent RSA, which is called the Wiener attack. This attack is the rst proof to show that we can not choose too short secret-exponent d when using RSA. The secret- exponent d should be chosen larger than N0:25. After then, in 1997, Verheul and Tilborg proposed an extension of the Wiener attack which can work well over Wiener's boundary. Suppose r = log(d=N0:25), their technique costs an exhaustive search for 2r+8 bits in order to attack d which is smaller than N0:252r. In this paper, we provide a simpler method to demonstrate a result which is similar to Verheul and Tilborg's . With our method it only costs an exhaustive search for 2r + 2 bits, which is 6-bit fewer than Verheul and Tilborg's 2r + 8 bits