Abstract
A well-known attack on RSA with low secret-exponent d was given by Wiener about 15 years ago. Wiener showed that using continued fractions, one can efficiently recover the secret-exponent d from the public key (N,e) as long as d 0? We answer this question in the negative by proving a converse to Wiener's result. Our result shows that, for any fixed e > 0 and all sufficiently large modulus lengths, Wiener's attack succeeds with negligible probability over a random choice of d 1/4 + e. Thus Wiener's success bound d 1/4. The known attacks in this class (by Verheul and Van Tilborg and Dujella) run in exponential time, so it is natural to ask whether there exists an attack in this class with subexponential run-time. Our second converse result answers this question also in the negative.
Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
