Extension of de Weger’s Attack on RSA with Large Public Keys

Nicolas T. Courtois, Theodosis Mourouzis, Pho V. Le


The RSA cryptosystem (Rivest et al., 1978) is the most widely deployed public-key cryptosystem for both encryption and digital signatures. Since its invention, many cryptanalytic efforts have been made which have helped to improve it, especially in the area of key selection. The security of RSA relies on the computational hardness of factoring large integers, and most attacks exploit bad choices of parameters or flaws in implementations. Two very important cryptanalytic efforts in this area were made by Wiener (Wiener, 1990) and de Weger (Weger, 2002), who developed attacks based on small secret keys (Hinek, 2010). The main idea of Wiener’s attack is to approximate the fraction $\frac{e}{\varphi(N)}$ by $\frac{e}{N}$ for large values of $N$ and then make use of the continued fraction algorithm to recover the secret key $d$ by computing the convergents of the fraction $\frac{e}{N}$. He proved that the secret key $d$ can be efficiently recovered if $d < \frac{1}{3}N^{\frac{1}{4}}$ and $e < \varphi(N)$, and then de Weger extended this attack from $d < \frac{1}{3}N^{\frac{1}{4}}$ to $d < N^{\frac{3}{4}-\beta}$, for any $\frac{1}{4} < \beta < \frac{1}{2}$ such that $|p-q| < N^{\beta}$. The aim of this paper is to investigate for which values of the variables $s$ and $\Delta = |p-q|$ RSA that uses public keys of the special structure $E = e + s\varphi(N)$, where $e < \varphi(N)$, is insecure against cryptanalysis. Adding multiples of $\varphi(N)$ either to $e$ or to $d$ is called Exponent Blinding, and it is widely used, especially in encryption schemes or digital signatures implemented in portable devices such as smart cards (Schindler and Itoh, 2011). We show that an extension of de Weger’s attack from public keys $e < \varphi(N)$ to $E > \varphi(N)$ is possible if the security parameter $s$ satisfies $s \le N^{\frac{1}{2}}$.
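
The continued-fraction test described in the abstract, as an added example (not code from the paper): a key-audit check that reports whether a public exponent, including a blinded one of the form E = e + sφ(N), exposes a small d through the convergents of E/N (Wiener) or of E/(N + 1 − 2√N) (de Weger's approximation of φ(N)). The function names and the toy key p = 239, q = 379, d = 5 are constructed for illustration.

```python
from math import isqrt

def convergents(num, den):
    """Yield the continued-fraction convergents (numerator, denominator) of num/den."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k

def find_small_private_exponent(E, N, de_weger=False):
    """Return d if a convergent k/d reveals the private exponent, else None."""
    # Publicly computable stand-in for phi(N): N (Wiener), or
    # N + 1 - 2*floor(sqrt(N)) (de Weger, better when |p - q| is small).
    approx_phi = N + 1 - 2 * isqrt(N) if de_weger else N
    for k, d in convergents(E, approx_phi):
        if k == 0 or d <= 1 or (E * d - 1) % k:
            continue
        phi = (E * d - 1) // k            # candidate phi(N) from E*d = 1 + k*phi(N)
        pq_sum = N - phi + 1              # p + q, if the candidate is right
        disc = pq_sum * pq_sum - 4 * N    # (p - q)^2, if the candidate is right
        if pq_sum <= 0 or disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (pq_sum + root) % 2:
            continue
        p, q = (pq_sum + root) // 2, (pq_sum - root) // 2
        if q > 1 and p * q == N:          # candidate confirmed: it factors N
            return d
    return None

# Constructed toy key: p = 239, q = 379, d = 5, e = 17993 (e*d = 1 + phi(N)).
N, PHI, e = 239 * 379, 238 * 378, 17993

if __name__ == "__main__":
    for s in (0, 1, 3):                   # s = 0 is the unblinded exponent e
        E = e + s * PHI
        print(s, E, find_small_private_exponent(E, N),
              find_small_private_exponent(E, N, de_weger=True))
    # Same modulus with the roles swapped (e = 5, d = 17993): nothing is found.
    print(find_small_private_exponent(5, N))
```

For this toy key the blinded exponents E = e + sφ(N) reveal the same d = 5 as e does, because E·d = 1 + (k + s·d)·φ(N) and (k + s·d)/d is still a convergent of E/N.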


  1. Boneh, D. and Durfee, G. (2000). Cryptanalysis of RSA with private key d less than N^0.292. In Information Theory, IEEE Transactions, 46: 1339-1349.
  2. Crandall, R. and Pomerance, C. (2005). Prime Numbers: A Computational Perspective. Springer. ISBN 0-387-25282-7.
  3. Dujella, A. and Ibrahimpasic, B. (2008). On Worley's theorem in Diophantine approximations. In Ann. Math. Inform. 35 (2008), 61-73.
  4. Goldreich, O. (2008). Computational Complexity: A Conceptual Perspective. Cambridge University Press, New York, 1st edition.
  5. Hardy, G. H. and Wright, E. M. (2008). An introduction to the theory of numbers. Oxford University Press, Oxford, 6th edition.
  6. Hinek, J. (2010). Cryptanalysis of RSA and its variants. CRC Press, New York, 1st edition.
  7. Joux, A. (2009). Algorithmic Cryptanalysis. CRC Press, New York, 1st edition.
  8. Lenstra, A. K., Hughes, J. P., Augier, M., Bos, J. W., Kleinjung, T., and Wachter, C. (2011). Ron was wrong, Whit is right. Available at: http://eprint.iacr.org/2012/064.
  9. Lenstra, A. K. and Verheul, E. R. (2000). Selecting cryptographic key sizes. In PKC2000: p. 446-465, 01/2000.
  10. May, A. (2003). New RSA vulnerabilities using Lattice Reduction Methods. PhD thesis, University of Paderborn.
  11. McKee, J. (1999). Speeding Fermat's factoring method. In Mathematics of Computation, 68: 1729-1737.
  12. Rivest, R., Shamir, A., and Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. In Communications of the ACM, 21 Issue 2: 120 - 126.
  13. Schindler, W. and Itoh, K. (2011). Exponent blinding does not always lift (partial) SPA resistance to higher-level security. In Lecture Notes in Computer Science, Volume 6715/2011, 73-90.
  14. Schneier, B. (1996). Applied Cryptography: Protocols, Algorithms and Source Code in C. John Wiley, New York, 2nd edition.
  15. Shoup, V. (2009). Number theory library. http://www.shoup.net/ntl/.
  16. Weger, B. (2002). Cryptanalysis of RSA with small prime difference. In IACR Eprint archive.
  17. Wiener, M. (1990). Cryptanalysis of short RSA secret exponents. In Information Theory, IEEE Transactions, 36: 553-558.

Paper Citation

in Harvard Style

T. Courtois N., Mourouzis T. and V. Le P. (2012). Extension of de Weger’s Attack on RSA with Large Public Keys. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012) ISBN 978-989-8565-24-2, pages 145-153. DOI: 10.5220/0004054201450153
