# A Generalization of de Weger's Method.

**ABSTRACT** This paper generalizes de Weger's method if the ratio of two RSA primes $p/q$ is close to a simple fraction $b/a$. We can discover the secret exponent $d < N^{\frac{3}{4}-\gamma}$ from the convergents of $\frac{e}{N+1-\frac{a+b}{\sqrt{ab}}\sqrt{N}}$ for $|ap-bq| = N^{\gamma}$. Our method is thus reduced to de Weger's method if $a=b=1$. When $b/a = 1/2$, our method is reduced to Maitra and Sarkar's method.


Chien-Yuan Chen, Department of Computer Science and Information Engineering, National University of Kaohsiung, Kaohsiung 811, Taiwan. E-mail: cychen07@nuk.edu.tw

Chih-Cheng Hsueh, Department of Information and Commerce, Aletheia University, Tainan, 72147, Taiwan. E-mail: jrcheng@mt.au.edu.tw

Yu-Feng Lin, Department of Computer Science and Information Engineering, National University of Kaohsiung, Kaohsiung 811, Taiwan. E-mail: aorborcord@gmail.com


Keywords- RSA; continued fraction attack

I. INTRODUCTION

When the smart card uses RSA [9] for communications, it would be desirable for the smart card to have a short secret exponent. However, the short secret exponent d can be easily attacked by Wiener’s method [13] if $d < \frac{1}{3}N^{\frac{1}{4}}$ and e < N, where d, e, and N denote the secret exponent, the public exponent, and the modulus, respectively. Extending Wiener’s method, Verheul and van Tilborg [11] attacked

1

by using an exhaustive search of about

Dujella [3] proposed a variant of Wiener’s method similar to

Verheul and van Tilborg’s attack.

In 2002, de Weger [12] improved Wiener’s bound to

3

Nd

assuming that N has a small difference between

t

Nd

?

?

4

t 28?

bits.

??

?

4

its prime factors

?

Npq

??

for

2

1

4

1

? ? ?

. When

?

Npq

??

is too large, de Weger’s method is in vain.

Maitra and Sarkar [6] found that

??

?

Nqp

??

2

?

is small for

large

?

Npq

because

pqp2

?

. So, they attack

????

?

4

3

Nd

from the convergents of

NN

e

2

3

1??

for a

small number ? . For simplicity, we round off the

denominator when computing the convergents. For more

variants of Wiener’s method, refer to [1, 2, 7, 8].

The de Weger method motivates us to discuss the

security of RSA when the ratio of two RSA primes q

b, where a and b are positive

p is

close to a simple fraction a

integers less than

??

apab

.logN Let

.

?

Nbq ap

?

??

Assume that

0) )() 1

?

( ) 1((

22

?

bq apqb

. We can discover d <

e

?

??1

??

4

3

N from the convergents of

N

ab

ba

N

. Our method is thus reduced to de Weger’s method if a=b=1. When $\frac{b}{a}=\frac{1}{2}$, our method is reduced to Maitra and Sarkar’s method.

The remainder of this paper is organized as follows. In Section 2, we briefly review de Weger’s method. Section 3 presents a generalization of de Weger’s method and Section 4 gives the discussion. Finally, we draw the conclusions in Section 5.

II. REVIEW OF DE WEGER’S METHODS

Let p and q be RSA primes satisfying $p < q < 2p$. This implies that $2\sqrt{N} < p+q < \frac{3}{\sqrt{2}}\sqrt{N}$ [6]. In RSA, the public exponent e and the secret exponent d satisfy the relationship

$$ed = 1 \bmod \varphi(N), \qquad (2.1)$$

where $\varphi(N) = (p-1)(q-1)$. It means that

$$ed = 1 + k\varphi(N), \qquad (2.2)$$

where k is an integer. Dividing both sides of Equation (2.2) by $d\varphi(N)$, we get

$$\frac{e}{\varphi(N)} - \frac{k}{d} = \frac{1}{d\varphi(N)}. \qquad (2.3)$$

In the above equation, de Weger used $\frac{e}{N+1-2\sqrt{N}}$ to estimate $\frac{e}{\varphi(N)}$ and obtained that

2009 Fifth International Conference on Information Assurance and Security

978-0-7695-3744-3/09 $25.00 © 2009 IEEE

DOI 10.1109/IAS.2009.153


d

k

NN

e

?

?

?

21

d

k

N

e

NNN

NNN

(

e

??

??

?

)

?

1

?

?

)(

)(2

)(21

?

?

?

??

?

2

6

1

d

)(21

2

)(

NNN

Nqp

N

?

??

??

?

?

. (2.4)

Because

??

N

pq

4

Nqp2

2

?

???

[12] and

qpNNN

??????

121

>

N

4

3

?Inequality (2.4) can be

rewritten as

d

k

NN

e

?

?

?

21

?

3

?

2

2

6

1

d

NN

pq

?

?

?

. (2.5)

To satisfy Legendre’s theorem [10], we set

??

2

3

3

d

NN

The de Weger method shows that d can be discovered from

2

1pq

?

?

. (2.6)

the convergents of

NN

e

21??

if

)(

4

3

pq

N

?

d

?

.

III. OUR METHOD

In this section, we assume that the ratio q

b, where a and b are positive integers

p is close to a

simple fraction a

less than

that a is coprime to b and

Legendre’s theorem to find the fraction whose convergents

contain the secret exponent d.

Proposition 1.

p is close to

a

Nlog. This assumption comes from [5, 12]. Note

ba ?

. In the following, we use

If

q

b such that 0

??bq ap for two

positive integers a and b, then ? ?

N

ab

ba

NN

?

???

1

?

.

Proof.

Because ? ???

?

b

?

0

???

a

?

aq

pq

?

q)

bp

?

?

p(

a

?

bqap

, we get

0

?

abq

pq)

. By adding 2abpq in both

pqba)(

?

. So we get

2222

?

b

(

?

b

pq

q

ab

abp

ab

.

Then,

sides, we have

ap)(

2222

22

N

ab

1

?

qp)()(

??

.

Since ? ?

)(

a

qpNN

???

?

, we have

? ?

N

?

N

ab

b

N

?

???

1

. ?

Proposition 2.

Let p and q be RSA primes satisfying

pqp2

??

. If q

p

is close to a

(

b

a

b such that

, 0) )() 1

?

( ) 1

?

(

22

?

)

??

bq

bq

?

ap

ap

(

?

qbapa

?

then

N

ab

ba

qpN

ab

b

) 2(

)(

2

?

???

.

Proof.

We first compute

a

2)())())(((bqapqpN

ab

ba

qpN

ab

?

a

b

????

?

??

?

?

ab

a

bqapabqpabNb

22

2

)()(

?????

?

????

ab

q )(

qababpqbabpabba

23222223

)2(

??????

??

ab

a(

?

ab

bqapbapab)) 1

?

() 1

?

((

22

??

??

.

Because

?

ab

Since

,bqapqbpab0))() 1

?

) 1

?

((

22

???

we get

. 0)())( ))(((

2???????

bq apqpN

ba

qpN

ba

Nq

b

p

a

2

??

?

, we have

N

ab

ba

bqap

?

qpN

ab

) 2 (

)(

)(

2

?

?

???

. ?

Theorem 1.

Let p and q be RSA primes satisfying

pqp2

??

. Let

?

N bqap

??

. If

q

p

is close to

a

b

such that

0))() 1

?

() 1

?

((

22

???

bqapqbapab, then the secret

exponent d <

?

?

4

3

N

can be discovered from the convergents

of

1

?

?

ab

?

N

ba

N

e

.

Proof.

Since

ap

?

a

?

0) )() 1

?

( ) 1

?

,

((

22

?

shows

??

bqapqbap

Proposition

N

?

ab

and

that

?

N bq

b

?

2

.

) 2(

)(

2

N

ab

ba

qpN

ab

?

???

?

This implies that

.

) 2(

1- )(

2

N

ab

ba

N

NNN

ab

ba

?

?

???

?

?

?

Now, we have


d

k

N

ab

ba

N

e

?

?

?

?

1

d

k

N

e

N

e

N

ab

b

ba

N

e

???

?

?

?

?

)()(

1

??

)(

1

) 1

?

)((

) 1

?

- )((

Nd

N

ab

ba

NN

NNN

ab

a

e

?

?

?

?

?

?

?

?

?

)(

1

) 2)(1)((

2

Nd

N

ab

ba

N

ab

N

ba

NN

eN

?

?

?

?

?

?

?

?

?

?

)(

1

) 2)(1(

2

Nd

N

ab

ba

N

ab

ba

N

?

?

?

?

?

?

?

?

?

.

Because a and b are less than

, logN we further assume that

N

ba

ab

?

N

ab

d8

ba

N

2)(

3

1

??

?

?

,

NN

4

3

)(

??

and

N

?

. We thus have

??

?

?

ab

?

d

k

N

ba

N

e

1

)(

1

3

2

Nd

NN

N

?

?

?

2

2

3

2

6

1

d

3

N

??

?

?

.

Let

?

?

?

4

3

Nd

. We get

??

?

?

ab

?

d

k

N

ba

N

e

1

2

2

1

d

which

satisfies Legendre’s theorem. We have showed that

?

?

?

4

3

Nd

can be discovered from the convergents of

1

?

?

ab

?

N

ba

N

e

. ?

According to Theorem 1, we design the following algorithm to discover the secret exponent d.

Algorithm 1.

Input: the RSA public key (e, N)

Output: the secret exponent d

Step 1. Choose two coprime positive integers a and b which are less than log N. (We can use the Stern-Brocot tree [4] to generate a and b.)

Step 2. Compute convergents of $\frac{e}{N+1-\frac{a+b}{\sqrt{ab}}\sqrt{N}}$.

Step 3. For each convergent $\frac{r_i}{s_i}$, solve the equation $x^2 - \left(N + 1 - \frac{e s_i - 1}{r_i}\right)x + N = 0$. If its roots are positive integers less than N, then return the secret exponent

Step 4. Return (Failure).

For the sake of clarity, as shown in Table 1, we can recover the secret exponent d = 13049 using the continued fraction of $\frac{e}{N+1-\frac{a+b}{\sqrt{ab}}\sqrt{N}}$, where e = 61198413967689, N = 95764272829453, a = 3 and b = 2. It is worth noting that three presented methods [6, 12, 13] are in vain because d cannot be discovered from the convergents of $\frac{e}{N}$ (Wiener’s method), $\frac{e}{N+1-2\sqrt{N}}$ (de Weger’s method), or $\frac{e}{N+1-\frac{3}{\sqrt{2}}\sqrt{N}}$ (Maitra and Sarkar’s method).
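Algorithm 1 applied to the key from the example above, as an added Python example that is not the authors' code. The function names are assumptions, p + q is estimated with an integer square root (in line with the paper's remark that the denominator is rounded when computing the convergents), and a single pair (a, b) is tried rather than the Step 1 search.

```python
from math import isqrt

def convergents(num, den):
    """Yield (r, s) for each convergent r/s of the continued fraction of num/den."""
    r0, s0, r1, s1 = 0, 1, 1, 0
    while den:
        quot, rem = divmod(num, den)
        r0, s0, r1, s1 = r1, s1, quot * r1 + r0, quot * s1 + s0
        yield r1, s1
        num, den = den, rem

def split_modulus(N, phi):
    """Step 3: integer roots of x^2 - (N + 1 - phi)x + N = 0, or None."""
    total = N + 1 - phi                 # equals p + q when phi is correct
    disc = total * total - 4 * N
    if total <= 0 or disc < 0:
        return None
    root = isqrt(disc)
    if root * root != disc or (total - root) % 2:
        return None
    p = (total - root) // 2
    return (p, N // p) if p > 1 else None

def weak_key_check(e, N, a, b):
    """Algorithm 1 for one pair (a, b); returns (d, p, q) or None."""
    # Step 2: (a+b)/sqrt(ab) * sqrt(N), rounded down, stands in for p + q.
    est_sum = isqrt((a + b) ** 2 * N // (a * b))
    for r, s in convergents(e, N + 1 - est_sum):
        if r == 0 or (e * s - 1) % r:
            continue                    # (e*s - 1)/r must be an integer phi
        found = split_modulus(N, (e * s - 1) // r)
        if found:
            return (s, *found)          # s is the secret exponent d
    return None

# Key taken from the paper's worked example (a = 3, b = 2).
PAPER_E, PAPER_N = 61198413967689, 95764272829453

if __name__ == "__main__":
    print(weak_key_check(PAPER_E, PAPER_N, 3, 2))
```

On the paper's key the call returns d = 13049 together with the factors 7835021 and 12222593. A key-generation audit can run the same check over the small coprime pairs (a, b) of Step 1 and reject any key for which it succeeds.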


IV. DISCUSSION

In this section, we compare our method with de Weger’s

method and Maitra and Sarkar’s method. If a=b=1, we

)() 1() 1((

????

pqpqp. 0)( 2))(22 (

)

2

22

??

????

q

bqapqbapab

Our method can discover

e

?

?

?

4

3

Nd from the convergents of

12

??

NN

for

?

Nqp

??

. Obviously, de Weger’s

method and ours has the same result. When a

( ) 1((bapab

??

Because

02

??qp

, we must set

j

p

14

?

main difference between Maitra and Sarkar’s method and

b=2

p

?

0

?

1, we get

)2)(4

. Thus, the

5 (

4

))() 1

?

22

qpq bq

5

apq

??

? q

?

.

p

inequality

q

j

22

?

?

in [6] is satisfied for

1

?

j

. The

ours is the estimated value of

1

2

3

??

NN

. In Maitra and

Sarkar’s method, they assume that

NNN

4

3

1

2

3

???

.

We assume that

?

. Therefore, Maitra and

?

NNN

2

12

23

1

2

3

?

???

. In fact, our

assumption is verified if

60

?

N

Sarkar’s method can use our assumption to get that

?

?

?

4

3

Nd

is discovered from the convergents of

1

2

3

??

NN

e

for

?

Nqp

??

2

. Obviously, Maitra and Sarkar’s method and

b=2

ours has the same result if a

1.

V. CONCLUSIONS

This paper aims at extending de Weger’s method if the

p is close to a simple fraction a

Based on

)() 1() 1((

????

bqapqbapab

ratio of two RSA primes q

b.

our

?

assumption

0)

22

, we have showed that

?

?

?

4

3

Nd

can be discovered from the convergents of

1

?

?

ab

?

N

ba

N

e

for

?

Nbqap

??

. If a=b=1, our method can discover $d < N^{\frac{3}{4}-\gamma}$ from the convergents of $\frac{e}{N+1-2\sqrt{N}}$ for $|p-q| = N^{\gamma}$. The de Weger method has the same result. When $\frac{b}{a}=\frac{1}{2}$, our method can discover $d < N^{\frac{3}{4}-\gamma}$ from the convergents of $\frac{e}{N+1-\frac{3}{\sqrt{2}}\sqrt{N}}$ for $|2p-q| = N^{\gamma}$. The same result will be found in Maitra and Sarkar’s method.

ACKNOWLEDGMENT

This research was supported partially by the National Science Council of the Republic of China under grant NSC 97-2221-E-390-012.

REFERENCES

[1] J. Blömer and A. May, “A Generalized Wiener Attack on RSA,” Practice and Theory in Public Key Cryptography – PKC 2004, Lecture Notes in Computer Science 2947, Springer-Verlag, 2004, pp. 1–13.

[2] C. Y. Chen, C. C. Chang, and W. P. Yang, “Cryptanalysis of the Secret Exponent of the RSA Scheme,” Journal of Information Science and Engineering, vol. 12, 1996, pp. 277-290.

[3] A. Dujella, “Continued Fractions and RSA with Small Secret Exponent,” Tatra Mt. Math. Publ., vol. 29, 2004, pp. 101-112.

[4] R. L. Graham, D. E. Knuth and O. Patashnik, Concrete Mathematics—A Foundation for Computer Science, 2nd edition, Addison-Wesley, 1994.

[5] D. Knuth, The Art of Computer Programming: vol. 2, Seminumerical Algorithms, 2nd edition, Addison-Wesley, 1981.

[6] S. Maitra and S. Sarkar, “Revisiting Wiener’s Attack–New Weak Keys in RSA,” ISC 2008, Lecture Notes in Computer Science 5222, Springer-Verlag, 2008, pp. 228-243.

[7] D. I. Nassr, H. M. Bahig, A. Bhery and S. S. Daoud, “A New RSA Vulnerability Using Continued Fractions,” In the 6th ACS/IEEE International Conference on Computer Systems and Applications (AICCSA 2008), Doha, Qatar, March 31–April 4, 2008, pp. 694-701.

[8] A. Nitaj, “Another Generalization of Wiener's Attack on RSA,” AFRICACRYPT 2008, In Serge Vaudenay (Ed.): Progress in Cryptology-AFRICACRYPT 2008, Lecture Notes in Computer Science 5023, Springer-Verlag, 2008, pp. 174-190.

[9] R. L. Rivest, A. Shamir and L. M. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. of the ACM, vol. 21(2), 1978, pp. 120-126.

[10] K. H. Rosen, Elementary Number Theory, Addison-Wesley, Reading Mass, 1984.

[11] E. R. Verheul and H. C. A. van Tilborg, “Cryptanalysis of ‘Less Short’ RSA Secret Exponents,” Applicable Algebra in Engineering, Communication and Computing, vol. 8, 1997, pp. 425-435.

[12] B. de Weger, “Cryptanalysis of RSA with Small Prime Difference,” Applicable Algebra in Engineering, Communication and Computing, vol. 13(1), 2002, pp. 17–28.

[13] M. J. Wiener, “Cryptanalysis of Short RSA Secret Exponents,” IEEE Trans. on Information Theory, vol. IT-36, 1990, pp. 553-558.
