Wiener’s attack on RSA

E831738

Wiener’s attack on RSA is a cryptanalytic method that efficiently recovers the private key when the RSA decryption exponent is unusually small, exploiting properties of continued fractions.

All labels observed (1)

Label Occurrences
Wiener’s attack on RSA canonical 2

How this entity was disambiguated

Statements (47)

Predicate Object
instanceOf cryptanalytic attack
alsoKnownAs Wiener’s small private exponent attack NERFINISHED
appliesTo RSA cryptosystem NERFINISHED
assumes gcd(e,φ(n)) = 1
n = p*q with large primes p and q
standard RSA key generation
author Michael J. Wiener NERFINISHED
basedOn Diophantine approximation
properties of continued fractions
category attacks on public-key cryptosystems
number-theoretic cryptanalysis
complexity efficient
polynomial time
conditionOn d < n^0.25 / 3
d is unusually small
countermeasure avoid small private exponents in RSA key generation
choose d sufficiently large
exploits small private exponent
field cryptanalysis
cryptography
influenced subsequent small-exponent attacks on RSA
input public key (n,e)
methodStep compute continued fraction expansion of e/n
enumerate convergents k_i/d_i of e/n
recover φ(n) and then d
test convergents as candidates for k/φ(n)
motivated RSA key generation guidelines to avoid small d
namedAfter Michael J. Wiener NERFINISHED
output factorization of n in some variants
private exponent d
publishedIn Information and Computation NERFINISHED
recovers RSA private key (n,d)
private exponent d
relatedTo Boneh–Durfee attack NERFINISHED
Coppersmith’s method NERFINISHED
small private exponent attacks
requires public exponent e
public modulus n
securityImplication RSA implementations must avoid small d
targets RSA decryption exponent
RSA private key
threatens RSA with small private exponent NERFINISHED
uses continued fractions
convergents of continued fractions
vulnerableParameter RSA private exponent d
worksWhen d is less than approximately n^0.25
yearProposed 1990

How these facts were elicited

Referenced by (2)

Full triples — surface form annotated when it differs from this entity's canonical label.