Abstract

In the RSA system, a balanced modulus N denotes a product of two large prime numbers p and q, where q < p < 2q. Since integer factorization is difficult, p and q are simply estimated as \(\sqrt{N}\). In the Wiener attack, \(2\sqrt{N}\) is adopted as the estimate of p + q in order to raise the security boundary of the private exponent d. This work proposes a novel approach, called EPF, to determine appropriate estimates of the prime factors of N. The estimated values are called "EPFs of N" and are denoted \(p_E\) and \(q_E\). Thus \(p_E\) and \(q_E\) can be adopted to estimate p + q more accurately than by simply adopting \(2\sqrt{N}\). In addition, we show that Verheul and Tilborg's extension of the Wiener attack can be considered brute-force guessing of the MSBs of p + q. Compared with their work, EPF can extend the Wiener attack to reduce the cost of exhaustive searching from 2r + 8 bits down to 2r − 10 bits, where r depends on N and the private key d. The security boundary of the private exponent d can be raised 9 bits again over Verheul and Tilborg's result.

Keywords: RSA; continued fraction; the Wiener attack; exhaustive-searching; most significant bit
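The following added example (not code from the paper, and not an implementation of EPF, which this page does not describe) measures how much of p + q the \(2\sqrt{N}\) estimate leaves undetermined for a balanced modulus, and why the exact sum matters. The function names and the two small primes are constructed for illustration.

```python
from math import isqrt

def sum_bounds(n):
    """Integer bounds lo < p+q <= hi for a balanced modulus n = p*q, q < p < 2q.

    With t = p/q in (1, 2): p+q = sqrt(n) * (sqrt(t) + 1/sqrt(t)),
    so 2*sqrt(n) < p+q < (3/sqrt(2))*sqrt(n) = sqrt(9n/2).
    """
    lo = isqrt(4 * n)              # floor(2*sqrt(n)), the Wiener-attack estimate
    hi = isqrt(9 * n // 2) + 1     # rounds sqrt(9n/2) upward
    return lo, hi

def unknown_bits(p, q):
    """Bit length of the gap between the true p+q and the 2*sqrt(N) estimate."""
    lo, _ = sum_bounds(p * q)
    return (p + q - lo).bit_length()

def factor_from_sum(n, s):
    """Return (p, q) if s equals p+q for n = p*q, else None.

    p and q are the roots of x^2 - s*x + n, so the exact sum yields
    the factors directly; a wrong s gives no integer roots.
    """
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s + r) // 2, (s - r) // 2
    return (p, q) if p * q == n else None

# Constructed toy primes satisfying q < p < 2q (far too small for real keys).
P, Q = 2147483647, 1234567891
N = P * Q

if __name__ == "__main__":
    lo, hi = sum_bounds(N)
    print("p+q bit length:          ", (P + Q).bit_length())
    print("bits left by 2*sqrt(N):  ", unknown_bits(P, Q))
    print("width of bound (bits):   ", (hi - lo).bit_length())
    print("factors from exact sum:  ", factor_from_sum(N, P + Q))
```

The estimate fixes only the most significant bits of p + q; the remaining low bits are what any refinement of the estimate, or an exhaustive search, has to supply.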
