The Wiener Attack on RSA Revisited: A Quest for the Exact Bound

Abstract

Since Wiener pointed out that the RSA can be broken if the private exponent d is relatively small compared to the modulus N (using the continued fraction technique), it has been a general belief that the Wiener attack works for \(d < N^{\frac{1}{4}}\). On the contrary, in this work, we give an example where the Wiener attack fails with \(d = \left\lfloor \frac{1}{2} N^{\frac{1}{4}} \right\rfloor + 1\), thus, showing that the bound \(d < N^{\frac{1}{4}}\) is not accurate as it has been thought of. By using the classical Legendre Theorem on continued fractions, in 1999 Boneh provided the first rigorous proof which showed that the Wiener attack works for \(d < \frac{1}{3} N^{\frac{1}{4}}\). However, the question remains whether \(\frac{1}{3} N^{\frac{1}{4}}\) is the best bound for the Wiener attack. Additionally, the question whether another rigorous proof for a better bound exists remains an elusive research problem. In this paper, we attempt to answer the aforementioned problems by improving Boneh’s bound after the two decades of research. By a new proof, we show that the Wiener continued fraction technique works for a wider range, namely, for \(d \le \frac{1}{\root 4 \of {18}} N^{\frac{1}{4}} = \frac{1}{2.06...} N^{\frac{1}{4}}\). Our new analysis is supported by an experimental result where it is shown that the Wiener attack can successfully perform the factorization on the RSA modulus N and determine a private key d where \(d = \left\lfloor \frac{1}{\root 4 \of {18}} N^{\frac{1}{4}} \right\rfloor \).