A variant of Wiener's attack on RSA
Andrej Dujella

TL;DR
This paper introduces a variant of Wiener's attack on RSA with a small secret exponent d that lowers the cost of searching slightly beyond the d < n^{0.25} bound from O(D^2) to O(D log D), where d = D n^{0.25}, by combining a result on Diophantine approximations with a meet-in-the-middle test of candidate exponents.
Contribution
The paper extends Wiener's continued-fraction attack to secret exponents a few bits longer than n^{0.25}: a theorem on Diophantine approximations of the form |\alpha - p/q| < c/q^2 restricts the candidates for d to the form r q_{m+1} + s q_m, built from the denominators of two consecutive convergents of e/n, and a meet-in-the-middle procedure tests those candidates faster than the O(D^2) needed by earlier extensions.
Findings
Reduces the run-time complexity of the attack to O(D log D), where d = D n^{0.25}, versus (at least) O(D^2) for earlier extensions
Applies when d is a few bits longer than Wiener's n^{0.25} bound
Candidates for d have the form r q_{m+1} + s q_m (consecutive convergent denominators of e/n), justified by results on Diophantine approximations |\alpha - p/q| < c/q^2, and are tested with a meet-in-the-middle search
Abstract
Wiener's attack is a well-known polynomial-time attack on an RSA cryptosystem with small secret decryption exponent d, which works if d<n^{0.25}, where n=pq is the modulus of the cryptosystem. Namely, in that case, d is the denominator of some convergent p_m/q_m of the continued fraction expansion of e/n, and therefore d can be computed efficiently from the public key (n,e). There are several extensions of Wiener's attack that allow the RSA cryptosystem to be broken when d is a few bits longer than n^{0.25}. They all have the run-time complexity (at least) O(D^2), where d=Dn^{0.25}. Here we propose a new variant of Wiener's attack, which uses results on Diophantine approximations of the form |\alpha - p/q| < c/q^2, and a "meet-in-the-middle" variant for testing the candidates (of the form rq_{m+1} + sq_m) for the secret exponent. This decreases the run-time complexity of the attack to…
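The mechanics described in the abstract, as an added worked example (this is illustration code written for this page, not code from the paper). It implements the classic Wiener attack (d is the denominator of a convergent of e/n) and a bounded search over candidates of the form r q_{m+1} + s q_m, tested by a meet-in-the-middle exponentiation check. Assumptions: the candidate form with r s < 2c follows Worley's theorem as quoted in Dujella's earlier work on the subject; the meet-in-the-middle test used here (tabulate g^{e r q_{m+1}}, probe with g · g^{-e s q_m}, so a hit means g^{e(r q_{m+1} + s q_m)} ≡ g mod n) is the natural way to test the candidates and is not claimed to reproduce the paper's exact procedure or its O(D log D) analysis; the primes, the small exponents and the search bound are constructed for the demo; Python 3.8+ is needed for pow(x, -1, m).

```python
"""Wiener's continued-fraction attack on RSA, plus a bounded search over the
candidate form d = r*q_{m+1} + s*q_m tested by meet-in-the-middle exponentiation.
Added illustration for this page (not code from the paper). Needs Python 3.8+
for pow(x, -1, m). Keys below are constructed inline with deliberately small d."""
from math import gcd, isqrt

# Bases making Miller-Rabin deterministic for n < 3.3e24; demo primes are ~2^61.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(x):
    while not is_probable_prime(x):
        x += 1
    return x


def make_key(p, q, d_start):
    """RSA key (n, e, d) whose secret exponent is the first d >= d_start coprime to phi."""
    phi = (p - 1) * (q - 1)
    d = d_start
    while gcd(d, phi) != 1:
        d += 1
    return p * q, pow(d, -1, phi), d


def convergents(num, den):
    """(p_m, q_m) of num/den for m = -1, 0, 1, ..., starting from the formal (1, 0)."""
    p_prev, q_prev, p, q = 0, 1, 1, 0        # (p_{-2}, q_{-2}), (p_{-1}, q_{-1})
    out = [(p, q)]
    while den:
        a, num = divmod(num, den)            # next partial quotient a_m, remainder
        num, den = den, num
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        out.append((p, q))
    return out


def factor_from_phi(n, phi):
    """Solve x^2 - (n - phi + 1)x + n = 0; returns (p, q) only if phi is genuine."""
    b = n - phi + 1                          # equals p + q for the true phi
    disc = b * b - 4 * n                     # equals (p - q)^2 for the true phi
    r = isqrt(disc) if disc >= 0 else -1
    if r < 0 or r * r != disc or (b + r) % 2:
        return None
    p, q = (b + r) // 2, (b - r) // 2
    return (p, q) if q > 1 and p * q == n else None


def try_candidate(n, e, k, d):
    """Wiener's test for a pair (k, d): k | e*d - 1 and the implied phi must factor n."""
    if k <= 0 or d <= 0 or (e * d - 1) % k:
        return None
    phi = (e * d - 1) // k
    return d % phi if factor_from_phi(n, phi) else None


def wiener_attack(n, e):
    """Classic attack: (k, d) is some convergent p_m/q_m of e/n when d < n^0.25 / 3."""
    for k, d in convergents(e, n):
        found = try_candidate(n, e, k, d)
        if found is not None:
            return found
    return None


def extended_attack(n, e, bound, g=2):
    """Search d = r*q_{m+1} + s*q_m with 0 <= r <= bound, |s| <= bound (the form
    Worley's theorem guarantees when |e/n - k/d| < c/d^2 and r*s < 2c), with the
    matching k = r*p_{m+1} + s*p_m.  The test g^{e*d} == g (mod n) is done
    meet-in-the-middle: table the r-side values g^{e*r*q_{m+1}}, probe with
    g * g^{-e*s*q_m}; a hit is then confirmed by Wiener's factoring check."""
    conv = convergents(e, n)
    for m in range(len(conv) - 1):
        (p_m, q_m), (p_m1, q_m1) = conv[m], conv[m + 1]
        base_r, base_s = pow(g, e * q_m1, n), pow(g, e * q_m, n)
        table, acc = {}, 1
        for r in range(bound + 1):           # acc == base_r^r == g^{e r q_{m+1}}
            table.setdefault(acc, r)
            acc = acc * base_r % n
        for s in range(-bound, bound + 1):
            probe = g * pow(base_s, -s, n) % n   # negative exponent = inverse power
            r = table.get(probe)
            if r is not None:
                found = try_candidate(n, e, r * p_m1 + s * p_m, r * q_m1 + s * q_m)
                if found is not None:
                    return found
    return None


# Constructed demo primes (~2^61 each, balanced as Wiener's analysis assumes).
P = next_prime(2**61 + 12345)
Q = next_prime(2**61 + 987654)

if __name__ == "__main__":
    n, e, d = make_key(P, Q, 2**14)                    # d far below n^0.25
    print("wiener  :", wiener_attack(n, e) == d)
    n, e, d = make_key(P, Q, 2**33 - 2**20)            # d about 5.7 * n^0.25
    print("extended:", extended_attack(n, e, 200) == d)
```

The bound 200 is not arbitrary: for the second key d < 2^33 and n > 2^122, so |e/n - k/d| < (p+q)/n = c/d^2 with c = d^2 (p+q)/n < 64, hence r s < 128 and every admissible (r, s) is covered. Each convergent index costs about 3·bound modular operations rather than bound^2 candidate factorisations, which is the effect the meet-in-the-middle test is there for; the paper's O(D log D) bound comes from its own, sharper analysis of how far the search has to go.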
Taxonomy
Topics: Cryptographic Implementations and Security · Coding theory and cryptography · Cryptography and Residue Arithmetic
