A generalised bound for the Wiener attack on RSA

Abstract

Since Wiener pointed out that the RSA can be broken if the private exponent d is relatively small compared to the modulus N, it has been a general belief that the Wiener attack works for d<N14. On the contrary, in [1], it was shown that the bound d<N14 is not accurate as it has been thought of. Specifically, for the standard assumption of the two primes p and q that q < p < 2q, the Wiener continued fraction technique is proven to work for d≤1184N14. In this paper, we consider a general condition on the RSA primes, namely q < p < α q, and we give the corresponding bound for the Wiener attack to work, which is d≤α42(α+1)N14. In a special case when α=2, this general bound agrees with the result of [1].