Recent Advances in Information SecurityView this Special Issue
On the Improvement of Wiener Attack on RSA with Small Private Exponent
RSA system is based on the hardness of the integer factorization problem (IFP). Given an RSA modulus , it is difficult to determine the prime factors and efficiently. One of the most famous short exponent attacks on RSA is the Wiener attack. In 1997, Verheul and van Tilborg use an exhaustive search to extend the boundary of the Wiener attack. Their result shows that the cost of exhaustive search is bits when extending the Weiner's boundary r bits. In this paper, we first reduce the cost of exhaustive search from bits to bits. Then, we propose a method named EPF. With EPF, the cost of exhaustive search is further reduced to bits when we extend Weiner's boundary bits. It means that our result is 214 times faster than Verheul and van Tilborg's result. Besides, the security boundary is extended 7 bits.
During the past 30 years, RSA  has been one of the most popular public-key cryptosystems worldwide. It has been widely used in several applications [2–4]. The security of RSA is often based on the hardness of the integer factorization problem (IFP), which remains a well-studied problem [5, 6]. Current RSA standards suggest that an RSA modulus should be at least 1024 bits long. Using the best-known factoring algorithms, the expected workload of factoring a bit modulus is , which is currently believed to be infeasible. However, although the use of a large RSA modulus achieves a high security level, the encryption and decryption procedures involve heavy exponential modular multiplications, which make RSA inefficient. Therefore, many approaches have been investigated for speeding-up the RSA encryption (or signature-verification) and RSA decryption (or signature-signing) [7–12]. Furthermore, since the signing task is often executed by lightweight devices, such as smart cards, mobile phones, or PDAs, the research on speeding-up signature-signing is more practical and important.
The most popular method for reducing the signing time is to apply a small private exponent since the complexity of signing depends on the bit-length of . In order to achieve this goal, the order of choosing and is exchanged. is first chosen in the RSA-key generation algorithm, and the corresponding public exponent satisfying is then calculated. These RSA variants are called RSA-Small-. Nevertheless, the variants of RSA-Small- have the security flaws [13–18]. In fact, instances of RSA with can be efficiently broken by Wiener attack . Besides, Boneh and Durfee’s lattice-based attack  indicated that an instance of RSA-Small- with should be considered to be an unsafe system.
In 1997, Verheul and van Tilborg  used an exhaustive search to further extend the boundary of the Wiener attack. Suppose ; their result shows that an exhaustive search for bits is required to extend the Wiener’s boundary bits. Assume that an exhaustive search for 64 bits is feasible in terms of current computational abilities; solving for the equation “” yields , which implies that the boundary of the Wiener attack should be raised up to .
In this paper, we attempt to reduce the cost of exhaustive search of Verheul and van Tilborg’s result. We propose an approach to reduce the cost of exhaustive search when we desire to extend Wiener’s boundary. This approach includes two steps.
Step 1. We investigate a method for searching as many MSBs (most significant bits) of as possible, which is equivalent to estimating as accurately as possible. In this step, to extend Wiener’s boundary bits, an exhaustive search requires bits. It means that our result is better than Verheul and van Tilborg’s cost, which requires an exhaustive search for bits.
Step 2. We develop an approach, called “Estimated Prime Factor (EPF),” to estimate , and then we derive two integers and , which are the estimations of and , respectively. Using EPF, the first MSBs of can be determined. This result is more accurate than the traditional estimation, which estimates by . Applying EPF can further reduce the cost of exhaustive search. More specifically, to extend Wiener’s boundary bits, an exhaustive search requires bits. As compared to Verheul and van Tilborg’s result, which requires an exhaustive search for bits, the security boundary is extended bits.
1.1. Our Contribution
The contributions of this paper are summarized as follows.(1)We first reduce the cost of exhaustive search from (Verheul and van Tilborg’s result) bits to bits when we extend Wiener’s boundary bits. It means that exhaustive search is times faster in Step 1. Besides, the security boundary is extended 3 bits.(2)We propose a novel approach, named EPF, for estimating the prime factors of . With EPF, the cost of the exhaustive search for bits (mentioned in contribution (1)) is further reduced to bits. Compared with Verheul and van Tilborg’s result, exhaustive search is times faster. Besides, the security boundary is extended 7 bits.
The remainder of this paper is organized as follows. Section 2 presents the preliminaries of this paper. Section 3 describes Step 1 of our approach. In Section 4, we propose the EPF to estimate the prime factors of an RSA modulus. Next, Step 2 of our approach which is applying EPF is proposed in Section 5. Finally, we present our conclusions and future works in Section 6.
In this section, we introduce the preliminaries of this paper which include RSA and its variants and the Wiener attack.
2.1. RSA and Its Variants
The RSA cryptosystem  consists of three parts, RSA-key generation, encryption, and decryption which are described as follows.
2.1.1. RSA-Key Generation, Encryption, and Decryption
The RSA-key generation outputs the RSA key: , , . First, randomly choose two large prime numbers and and compute , where is called RSA modulus. Secondly, let , called public exponent, be a randomly chosen integer such that , , where is Euler’s phi function. Then, let , called private exponent, be the multiplicative inverse modulo (i.e., ()). The pair is the public key and the pair is the private key.
From the key relation (), there exists a unique positive integer satisfying We call (1) as the RSA-key equation. To encrypt a plaintext message , compute . The result is called the ciphertext of . To execute RSA decryption, a ciphertext is decrypted by raising it to the power modulo . From Lagrange’s theorem, it follows that
Usually, one often selects as small as possible due to the reason of efficient encryption (or signature-verification). The smallest is suggested to be rather than while a known affine relation between two messages exists . We call the RSA system with small public exponent as “RSA-Small-.” On the other hand, since the cost of decryption (or signature-signing) can be significantly reduced when the private exponent is much smaller than , in order to simply reduce the decryption (or signature-signing) time, one can select a small private exponent first in RSA-key generation. Such variant is called RSA-Small-, which is shown in the following.
Generating instances of RSA with a small private exponent is easy with the observation that the RSA-key equation (1) is symmetric with respect to the public and private exponents. We simply follow the same key generation of original RSA but exchange the choosing order of public and private exponents.
One of the drawbacks of RSA-Small- is its inefficient encryption. Since the public exponent in RSA-Small- is always computed as the inverse of modulo , it is expected with high probability that will be almost the same size as . In conclusion, RSA-Small- saves the decryption (or signature) cost while the encryption cost remains large.
2.2. The Wiener Attack
One of the most famous short exponent attacks on RSA is the Wiener attack. Boneh and Durfee  showed in that RSA-Small- should be considered insecure when . He achieved the attack through the technique of continued fractions. In the following paragraph, we briefly introduce the continued fractions and the Weiner attack. The details can be referenced in .
Definition 1 (continued fractions). For any positive real number , define , , for . Then can be expanded into the following form: The form of (3) is called the continued fraction expression of . For simplicity, we write (3) to be . In addition, denote as the convergent of the continued fraction expansion of , which means If is a rational number, then the process of computing its continued fraction expression, see (3), will cease in some index . That is, . If is irrational, then the process will go on unceasingly.
Theorem 2. Denote as the fraction form of (4); that is, , where and are positive integers. Then, and can be calculated by defining , , , and . And and , for .
Corollary 3. For any , Furthermore, if is an irrational number, then .
Theorem 4. If a real number and a reduced fraction satisfy then equals to one of the convergents of the continued fraction expression of .
2.2.1. The Wiener Attack.
The Wiener attack  is based on approximations using continued fractions to find the private exponent of RSA-Small- in polynomial time if , where and are of the same bit-length. Note that the RSA-key equation, , can be rewritten as which is similar to the form of the left-hand side of (6). In order to apply Theorem 4, we replace of (7) by , which is known for everyone, and set the difference between and to be smaller than ; that is, Therefore, according to Theorem 4, can be found by computing one of the convergents of the continued fraction expression of .
The security boundary of the Wiener attack is deduced from the sufficient condition for (8). Since and , the left-hand side of (8) is simplified to Hence, (8) is transformed to which gives the security boundary of the Wiener attack (after ignoring the constant term):
2.3. Verheul and van Tilborg’s Extension
The Wiener attack works very well and efficiently when the private exponent . However, what about if the bit-length of is slightly larger than the bit-length of ? In 1997, Verheul and van Tilborg  proposed a technique to solve this problem by performing an exhaustive search for bits, where means that the bit-length of is longer than the bit-length of by bits.
Verheul and van Tilborg observed that in (8) can be represented as follows: where is the convergent of the continued fraction expression of , or , and and are two unknown integers with upper bounds as follows: Since is a small integer, we can omit its uncertainty. The unknown parts of (12) are about bits, which give the result of Verheul and van Tilborg’s extension: extending Wiener’s boundary by bits requires an exhaustive search for about bits.
Assume that an exhaustive search for bits is feasible in terms of the current computational capabilities. Solving for the equation “” yields , which implies that Wiener’s boundary can be extended bits over the bit-length of . Therefore, RSA-Small- with can be totally broken by continued fraction attack plus the cost of performing an exhaustive search for bits. In Section 3, we show that, in order to extend Wiener’s boundary by bits, it requires only an exhaustive search for bits, rather than that from Verheul and van Tilborg’s extension for cost, which requires an exhaustive search for bits.
3. Reducing the Cost of Exhaustive Search to Bits
Our approach contains two steps which are described in Sections 3 and 5, respectively. In this section, we investigate a method for searching as many MSBs (most significant bits) of as possible, which is equivalent to estimating as accurately as possible. With this method, we can reduce the cost of exhaustive search from bits (Verheul and van Tilborg’s extension) to bits when we extend Wiener’s boundary bits.
Let be the estimation of . Throughout this paper, we assume . Thus is estimated as , which implies Applying (14) to the Wiener attack, that is, replacing of (8) by , we have Note that if , then (15) always holds for any because Simplifying (15) yields which is Solving in (18), we get the upper bound of the private exponent:
According to the above inequality, we know that the smaller the difference between and , the higher the upper bound of . Consequently, in order to extend the security boundary of RSA-Small-, we attempt to estimate as precisely as possible such that becomes small. Equation (19) also shows that the complexity of further extending Wiener’s boundary can be reduced to the complexity of estimating the MSBs of . The relation is shown in the following.
Rearranging (18) we have Denote as the difference between and . That is, . Replacing in (20) by conducts In (21), eliminating in both sides we get Now we consider the bit-length of each side. Assume that the bit-length of is bits, which is longer than Wiener’s boundary by bits. Due to the key generation of RSA-Small-, the parameter is almost the same size as with a high probability; that is, . In addition, we perform an exhaustive search for the first MSBs of . Thus the difference between and can be reduced to bits; that is, . Consequently, The term , which dominates the size in the left-hand side of (22), is about bits long and the sufficient condition of (22) is which is simplified to Equation (24) gives the following conclusion. In order to extend Wiener’s boundary by bits, we have to perform an exhaustive search for the first MSBs of, where . This result is better than that of Verheul and van Tilborg’s cost , which requires an exhaustive search for bits. Therefore, assume that an exhaustive search for bits is feasible in terms of current computational abilities. Solving for yields , which means that RSA-Small- is insecure when .
4. Estimated Prime Factor (EPF)
In this section, a novel approach called Estimated Prime Factor (EPF), which is used to estimate the prime factors of an RSA modulus , is proposed.
Without loss of generality, we assume that , where . Denote and as the distances between & and & , respectively. That is, Applying (26) to yields Eliminating in both sides of (27) we have which leads to Equation (30) is quite interesting because the irrational fraction reveals partial information of and . Note that with and we can compute by and solve and as follows: Now we use continued fractions to construct a rational sequence to approximate . Suppose that the convergent of the continued fraction expansion of is . According to Theorem 2, we know that Since the sizes of and grow with increase of the index (see Theorem 2), there exists an index such that We use and as the estimations of and , respectively, instead of using the larger ones. That is, From (31), is estimated as And thus and are estimated as Finally, we define the estimated prime factors of as
4.2. Theoretical Estimation and Experimental Result on Searching the Index
The process of computing the convergent of the continued fraction expression of should be ceased at the index satisfying (34). Thus, we have to estimate the size of in order to determine the index . Since and , should not be set larger than bits at least. Next, we investigate the method to estimate the index theoretically and experimentally.
4.2.1. Theoretical Estimation
Problem. Randomly select two prime numbers and of bits; what is the expected value of the number of MSBs of and that are identical?
From our theoretical estimation, the expected value is about , and it is almost independent of the bit-length of . This implies that, for any two randomly selected prime numbers and of bits each, the first MSBs of and are identical on average. Consequently, according to (40), the size of is expected to be bits, which increases linearly with the bit-length of .
4.2.2. Experimental Results
Table 1 shows the experimental results for the index in EPF. Suppose that and are two randomly generated prime numbers of bits each; we then compute , , and , which denote the bit-lengths of , , and , respectively. Each block in the table is evaluated from the average value of experimental instances. As can be observed from the first row, the bit-length of is approximately equal to bits long for all and is greater than that of by at least bit on average. This result is slightly different from the result in the previous version at ACNS’07  due to the reason of using different samples in the experiments. Note that in this paper we implement EPF with uniformly distributed samples which are more objective. Moreover, the values of in Table 1 are slightly smaller than the theoretical estimation bits; the reason may be that we ignore the usage of prime-counting function in the calculation. However, the values in Table 1 actually increase linearly with the bit-length of .
In EPF, we simply estimate the value of , which is, however, smaller than the actual value. On the other hand, up to now, there is no theory to justify the difference between the bit-lengths of and ; in fact, this would be an interesting subject of inquiry.
4.3. Accuracy and Further Improvement
We demonstrate the accuracy of EPF in Table 2. Each entry in the table is the data averaged over samples. The first row shows the difference of the bit-length between and its estimation by using . The second row shows the difference of the bit-length between and its estimation by using EPF. As can be seen in Table 2, using as the estimation is more accurate than using at least one bit on average. This result shows that EPF is better than the traditional estimation method.
To further raise the accuracy rate of EPF, we may employ the properties of continued fractions. According to Theorem 2, we know that where is the component of the continued fraction expression of (see Definition in Section 2.2). Consequently, for any real number , we have Since and are also in the intervals and , respectively, and might be better estimations of and . Hence, an interesting question would be how to find a suitable value of that yields better estimations of and . Note that, from the properties of continued fractions, we have Equation (43) implies that there exists an irrational number , such that To find an appropriate number , one method could be to choose , which is very close to , which might yield better estimations of and . However, we leave this concept as the subject of future work on EPF.
5. Applying EPF to Reduce the Cost of Exhaustive Search to Bits
In this section, we apply EPF proposed in Section 4 to further reduce the cost of exhaustive search.
From the results of Section 3, the security boundary of RSA-Small- depends on the known MSBs of . In EPF, the experimental results show that the 1 to the 8 MSB of , denoted as , can be correctly determined with high probability (see Table 2). Consequently, setting , where , then where denotes the binary representation of . Setting , (45) also shows that is about bits long. Hence, representing (22) according to the bit-length of the items, , , , and yields Moreover, by performing an exhaustive search for bits after the 8 MSB of , that is, , we can further reduce the size of to bits. This implies that the 1 to the MSB of can be correctly determined and the size of is reduced to bits. Hence, (46) is revised to which is simplified to Equation (48) is the improved result when applying EPF to the method presented in Section 3. As a conclusion, extending Wiener’s boundary by bits requires only an exhaustive search for bits, which results in a lower computational cost than that with Verheul and van Tilborg’s extension. We summarize the improvements in each type of attack in Table 3.
With the progress of technology, the ability of machines to perform exhaustive searches will only increase. Figure 1 shows the relations between the security boundaries of the extensions of the Wiener attack and machines with different computational abilities. The symbol denotes the required number of bits for an exhaustive search to extend Wiener’s boundary, and the symbol denotes the upper bound of the insecure private exponent. In terms of the current computational capabilities, an exhaustive search for bits is feasible. Hence, the lines yield the improvements of bits, bits, and bits, respectively, over Wiener’s boundary. The boundaries of the extensions of the Wiener attack (see V-T. Ext., Ext. W., and EPF in Figure 1) can be raised to bits, bits, and bits, respectively, when the RSA modulus is bits long. Furthermore, if an exhaustive search for bits is feasible, the upper bound of the extension of the Wiener attack through EPF is raised to , which is bits when is bits long (see : EPF). This result is comparable to the boundary of the lattice attack proposed by Boneh and Durfee , which has a best upper bound, but heuristic, at the present. Note that there is no guaranty that a heuristic algorithm can output the solution. One may concern whether the assumption that an exhaustive search for bits is feasible or not. In the opinion of current development, it will not be a difficult task to achieve such computational capability in the near future. According to Moore’s Law, computers will double in speed approximately every months, which further supports our assumption. Moreover, paralleling techniques and special-purpose machines can help in speeding-up the computation.
6. Conclusion and Future Works
With the rapid growth of different network environments such as wireless sensor networks [24–27], security is normally the most concerned issue. In this paper, we propose a method, called EPF, to estimate the prime factors of an RSA modulus. With EPF, the cost of exhaustive search can further reduce to bits. It means that the cost is times faster than Verheul and van Tilborg’s result and the security boundary is extended 7 bits. It should be noted that their method for an exhaustive search is heuristic since this method is based on the results of distribution of small partial quotient in the continued fraction expansions.
An interesting problem in EPF is whether there exists a deterministic algorithm for finding an index satisfying . In this paper, we use the theoretical estimation to determine the index . The success rate is according to our experiments. Now, another question arises—how to increase the success rate of the process of finding the index when the deterministic algorithm is not developed. In addition, the other researchable question is how to improve the accuracy rate of MSBs of , which brings a greater contributive effort of EPF.
We should point out that EPF can be applied to Dujella’s refinement  and the generalized Wiener attack . Moreover, we foresee that EPF could be applied to other cryptogrammic aspects, especially to the attacks for cryptosystems based on the integer factorization problem (IFP). For example, the lattice technique is commonly used for the cryptanalysis of RSA [17, 28–30] or for the attacks on RSA with small exponents [15, 18, 19, 21, 22, 31, 32]. We expect EPF to be a supportive tool for assisting the lattice technique to increase the effort on the cryptanalysis of RSA. As a conclusion, we would like to point out that with the continuous improvements in computational capability, the security levels are expected to be higher with the assistance of EPF, and the security analysis should be considered more carefully.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
The authors would like to thank the anonymous reviewers for their valuable comments and suggestions, which certainly led to improvements of this paper. Chien-Ming Chen was partially supported by the Shenzhen Peacock Project, China, under Contract no. KQC201109020055A and the Shenzhen Strategic Emerging Industries Program under Grant no. ZDSY20120613125016389. Hung-Min Sun was partially supported by the National Science Council, Taiwan, under Grant NSC 100-2628-E-007-018-MY3.
C. Patsakis, “Number theoretic SETUPs for RSA like factoring based algorithms,” Journal of Information Hiding and Multimedia Signal Processing, vol. 3, no. 2, pp. 191–204, 2012.View at: Google Scholar
Q. Kong, P. Li, and Y. Ma, “On the feasibility and security of image secret sharing scheme to identify cheaters,” Journal of Information Hiding and Multimedia Signal Processing, vol. 4, no. 4, pp. 2073–4212, 2013.View at: Google Scholar
D. Boneh and H. Shacham, “Fast variants of RSA,” CryptoBytes, vol. 5, no. 1, pp. 1–9, 2002.View at: Google Scholar
D. Boneh, R. Rivest, A. Shamir et al., “Twenty years of attacks on the RSA cryptosystem,” Notices of the American Mathematical Society, vol. 46, no. 2, pp. 203–213, 1999.View at: Google Scholar
A. Dujella, “Continued fractions and RSA with small secret exponent,” Tatra Mountains Mathematical Publications, vol. 29, pp. 101–112, 2004.View at: Google Scholar
D. Boneh and G. Durfee, “Cryptanalysis of RSA with private key d less than ,” in Advances in Cryptology-EUROCRYPT '99, vol. 1592 of Lecture Notes in Computer Science, pp. 1–11, Springer, Berlin, Germany, 1999.View at: Google Scholar
H. M. Sun, M. E. Wu, and Y. H. Chen, “Estimating the prime-factors of an rsa modulus and an extension of the wiener attack,” in Applied Cryptography and Network Security, vol. 4521 of Lecture Notes in Computer Science, pp. 116–128, Springer, Berlin, Germany, 2007.View at: Publisher Site | Google Scholar
K. Wei-Chi, C. Chien-Ming, and L. Hui-Lung, “Cryptanalysis of a variant of Peyravian-Zunic's password authentication scheme,” IEICE Transactions on Communications, vol. 86, no. 5, pp. 1682–1684, 2003.View at: Google Scholar