On the Improvement of Wiener Attack on RSA with Small Private Exponent

The RSA system is based on the hardness of the integer factorization problem (IFP). Given an RSA modulus N = pq, it is difficult to determine the prime factors p and q efficiently. One of the most famous short exponent attacks on RSA is the Wiener attack. In 1997, Verheul and van Tilborg used an exhaustive search to extend the boundary of the Wiener attack. Their result shows that the cost of exhaustive search is 2r + 8 bits when extending Wiener's boundary by r bits. In this paper, we first reduce the cost of exhaustive search from 2r + 8 bits to 2r + 2 bits. Then, we propose a method named EPF. With EPF, the cost of exhaustive search is further reduced to 2r − 6 bits when we extend Wiener's boundary by r bits. This means that our result is 2^14 times faster than Verheul and van Tilborg's result. Besides, the security boundary is extended by 7 bits.


Introduction
During the past 30 years, RSA [1] has been one of the most popular public-key cryptosystems worldwide. It has been widely used in several applications [2][3][4]. The security of RSA is often based on the hardness of the integer factorization problem (IFP), which remains a well-studied problem [5,6]. Current RSA standards suggest that an RSA modulus should be at least 1024 bits long. Using the best-known factoring algorithms, the expected workload of factoring a 1024-bit modulus is 2^80, which is currently believed to be infeasible. However, although the use of a large RSA modulus achieves a high security level, the encryption and decryption procedures involve heavy modular exponentiations, which make RSA inefficient. Therefore, many approaches have been investigated for speeding up RSA encryption (or signature verification) and RSA decryption (or signature signing) [7][8][9][10][11][12]. Furthermore, since the signing task is often executed by lightweight devices, such as smart cards, mobile phones, or PDAs, research on speeding up signature signing is more practical and important.
The most popular method for reducing the signing time is to apply a small private exponent, since the complexity of signing depends on the bit-length of . In order to achieve this goal, the order of choosing and is exchanged: is first chosen in the RSA-key generation algorithm, and the corresponding public exponent satisfying ≡ 1 (mod ( )) is then calculated. These RSA variants are called RSA-Small-. Nevertheless, the variants of RSA-Small-have security flaws [13][14][15][16][17][18]. In fact, instances of RSA with < 1/4 can be efficiently broken by the Wiener attack [16]. Besides, Boneh and Durfee's lattice-based attack [19] indicated that an instance of RSA-Small-with < 0.292 should be considered an unsafe system.
In 1997, Verheul and van Tilborg [20] used an exhaustive search to further extend the boundary of the Wiener attack.
The Scientific World Journal
Suppose = log 2 − log 2 1/4 ; their result shows that an exhaustive search for 2 + 8 bits is required to extend Wiener's boundary by bits. Assume that an exhaustive search for 64 bits is feasible in terms of current computational abilities; solving the equation "2 + 8 = 64" yields = 28, which implies that the boundary of the Wiener attack should be raised up to 1/4 · 2^28.
In this paper, we attempt to reduce the cost of exhaustive search of Verheul and van Tilborg's result. We propose an approach to reduce the cost of exhaustive search when we desire to extend Wiener's boundary. This approach includes two steps.
Step 1. We investigate a method for searching as many MSBs (most significant bits) of + as possible, which is equivalent to estimating + as accurately as possible. In this step, to extend Wiener's boundary by bits, an exhaustive search requires 2 + 2 bits. This means that our result is better than Verheul and van Tilborg's cost, which requires an exhaustive search for 2 + 8 bits.
Step 2. We develop an approach, called "Estimated Prime Factor (EPF)," to estimate + , and then we derive two integers and , which are the estimations of and , respectively. Using EPF, the first 8 MSBs of + can be determined. This result is more accurate than the traditional estimation, which estimates + by 2 √ . Applying EPF can further reduce the cost of exhaustive search. More specifically, to extend Wiener's boundary by bits, an exhaustive search requires 2 − 6 bits. Compared with Verheul and van Tilborg's result, which requires an exhaustive search for 2 + 8 bits, the security boundary is extended by 7 bits.
1.1. Our Contribution. The contributions of this paper are summarized as follows.
(1) We first reduce the cost of exhaustive search from 2 + 8 bits (Verheul and van Tilborg's result) to 2 + 2 bits when we extend Wiener's boundary by bits. This means that the exhaustive search is 2^6 times faster in Step 1. Besides, the security boundary is extended by 3 bits.
(2) We propose a novel approach, named EPF, for estimating the prime factors of . With EPF, the cost of the exhaustive search for 2 + 2 bits (mentioned in contribution (1)) is further reduced to 2 − 6 bits. Compared with Verheul and van Tilborg's result, the exhaustive search is 2^14 times faster. Besides, the security boundary is extended by 7 bits.

1.2. Organization. The remainder of this paper is organized as follows. Section 2 presents the preliminaries of this paper. Section 3 describes Step 1 of our approach. In Section 4, we propose the EPF to estimate the prime factors of an RSA modulus. Next, Step 2 of our approach, which applies EPF, is presented in Section 5. Finally, we present our conclusions and future work in Section 6.

Preliminary
In this section, we introduce the preliminaries of this paper which include RSA and its variants and the Wiener attack.

RSA and Its Variants. The RSA cryptosystem [1] consists of three parts, RSA-key generation, encryption, and decryption, which are described as follows.
From the key relation ≡ 1 (mod ( )), there exists a unique positive integer satisfying We call (1) the RSA-key equation. To encrypt a plaintext message ∈ Z , compute ≡ (mod ). The result is called the ciphertext of . To execute RSA decryption, a ciphertext ∈ Z is decrypted by raising it to the th power modulo . From Lagrange's theorem, it follows that (mod ) = (mod ) ≡ (mod ) = . (2) Usually, one selects as small as possible for efficient encryption (or signature verification). The smallest is suggested to be 2^32 + 1 rather than 2^16 + 1 when a known affine relation between two messages exists [21]. We call the RSA system with a small public exponent "RSA-Small-." On the other hand, since the cost of decryption (or signature signing) can be significantly reduced when the private exponent is much smaller than ( ), one can select a small private exponent first in RSA-key generation in order to reduce the decryption (or signature-signing) time. Such a variant is called RSA-Small-, which is shown in the following.

RSA-Small-.
Generating instances of RSA with a small private exponent is easy with the observation that the RSA-key equation (1) is symmetric with respect to the public and private exponents. We simply follow the same key generation as original RSA but exchange the order in which the public and private exponents are chosen.
One of the drawbacks of RSA-Small-is its inefficient encryption. Since the public exponent in RSA-Small-is always computed as the inverse of modulo ( ), it is expected with high probability that will be almost the same size as ( ). In conclusion, RSA-Small-saves the decryption (or signature) cost while the encryption cost remains large.
2.2. The Wiener Attack. One of the most famous short exponent attacks on RSA is the Wiener attack. Boneh and Durfee [22] showed in 1990 that RSA-Small-should be considered insecure when < 1/4 . The attack is achieved through the technique of continued fractions. In the following paragraphs, we briefly introduce continued fractions and the Wiener attack. The details can be found in [16].
Following the notations in Theorem 2, we have Corollary 3.

Theorem 4. If a real number and a reduced fraction / satisfy
then / equals one of the convergents of the continued fraction expression of .
which is similar in form to the left-hand side of (6). In order to apply Theorem 4, we replace / ( ) in (7) by / , which is known to everyone, and require the difference between / and / to be smaller than 1/2 2 ; that is, Therefore, according to Theorem 4, / can be found by computing one of the convergents of the continued fraction expression of / . The security boundary of the Wiener attack is deduced from the sufficient condition for (8). Since ≈ ≈ √ and ≈ , the left-hand side of (8) simplifies to Hence, (8) is transformed to which gives the security boundary of the Wiener attack (after ignoring the constant term): Verheul and van Tilborg [20] proposed a technique to solve this problem by performing an exhaustive search for 2 + 8 bits, where = log 2 − log 2 1/4 means that the bit-length of is longer than the bit-length of 1/4 by bits.
Verheul and van Tilborg observed that / in (8) can be represented as follows: where / is the th convergent of the continued fraction expression of / , Δ = 1 or 2, and and are two unknown integers with upper bounds as follows: Since Δ is a small integer, we can omit its uncertainty. The unknown parts of (12) are about 2 + 8 bits, which give the result of Verheul and van Tilborg's extension: extending Wiener's boundary by bits requires an exhaustive search for about 2 + 8 bits.
Assume that an exhaustive search for 64 bits is feasible in terms of current computational capabilities. Solving the equation "2 + 8 = 64" yields = 28, which implies that Wiener's boundary can be extended 28 bits over the bit-length of 1/4 . Therefore, RSA-Small-with < 1/4 · 2^28 can be totally broken by the continued fraction attack plus the cost of performing an exhaustive search for 64 bits. In Section 3, we show that extending Wiener's boundary by bits requires only an exhaustive search for 2 + 2 bits, rather than the 2 + 8 bits required by Verheul and van Tilborg's extension.

Reducing the Cost of Exhaustive Search to 2 + 2 Bits
Our approach contains two steps, which are described in Sections 3 and 5, respectively. In this section, we investigate a method for searching as many MSBs (most significant bits) of + as possible, which is equivalent to estimating + as accurately as possible. With this method, we can reduce the cost of exhaustive search from 2 + 8 bits (Verheul and van Tilborg's extension) to 2 + 2 bits when we extend Wiener's boundary by bits. Let be the estimation of + . Throughout this paper, we assume < + . Thus ( ) = ( + 1) − ( + ) is estimated as ( + 1) − , which implies Applying (14) to the Wiener attack, that is, replacing / of (8) by /(( + 1) − ), we have Note that if = + , then (15) always holds for any because Simplifying (15) yields which is Solving in (18), we get the upper bound of the private exponent: According to the above inequality, we know that the smaller the difference between + and , the higher the upper bound of . Consequently, in order to extend the security boundary of RSA-Small-, we attempt to estimate as precisely as possible such that + − becomes small. Equation (19) also shows that the complexity of further extending Wiener's boundary can be reduced to the complexity of estimating the MSBs of + . The relation is shown in the following.
Rearranging (18) we have Denote by Λ the difference between + and . That is, Λ = + − . Replacing in (20) by + − Λ gives In (21), eliminating 2 ( + − 1) on both sides we get Now we consider the bit-length of each side. Assume that the bit-length of is /4 + bits, which is longer than Wiener's boundary by bits. Due to the key generation of RSA-Small-, the parameter is almost the same size as with high probability; that is, log 2 ≈ log 2 . In addition, we perform an exhaustive search for the first MSBs of + . Thus the difference between + and can be reduced to ( /2 + 1) − bits; that is, log 2 Λ ≈ ( /2 + 1) − . Consequently, The term Λ⋅2 , which dominates the size of the left-hand side of (22), is about (( /2 + 1) − ) + 1 + 2 × ( /4 + ) bits long, and the sufficient condition of (22) is which is simplified to Equation (24) gives the following conclusion. In order to extend Wiener's boundary by bits, we have to perform an exhaustive search for the first 2 + 2 MSBs of + , where = log 2 − log 2 1/4 . This result is better than Verheul and van Tilborg's cost [20], which requires an exhaustive search for 2 + 8 bits. Assume, therefore, that an exhaustive search for 64 bits is feasible in terms of current computational abilities. Solving 2 + 2 = 64 (25) yields = 31, which means that RSA-Small-is insecure when < 1/4 · 2^31.

Estimated Prime Factor (EPF)
In this section, a novel approach called Estimated Prime Factor (EPF), which is used to estimate the prime factors of an RSA modulus , is proposed.
Applying (26) to = yields Eliminating on both sides of (27) we have which leads to Equation (30) is quite interesting because the irrational fraction 1/ √ reveals partial information about − and ⋅ . Note that with − and ⋅ we can compute + by and solve and as follows: Now we use continued fractions to construct a rational sequence that approximates 1/ √ . Suppose that the th convergent of the continued fraction expansion of 1/ √ is ℎ / . According to Theorem 2, we know that Since the sizes of ℎ and grow as the index increases (see Theorem 2), there exists an index such that We use ℎ and as the estimations of − and , respectively, instead of using the larger ones. That is, From (31), + is estimated as in (38).

Theoretical Estimation and Experimental Result on Searching the Index .
The process of computing the convergents of the continued fraction expression of 1/ √ should be stopped at the index satisfying (34). Thus, we have to estimate the size of − in order to determine the index . Since < and < , ℎ should not be set larger than /2 bits. Next, we investigate how to estimate the index theoretically and experimentally.

Theoretical Estimation. From the definitions of and in (26), we have
which is equivalent to
Equation (40) shows that the bit-length of − is twice the bit-length of √ − √ . Consider the following problem.
Problem. Randomly select two prime numbers and of /2 bits; what is the expected number of MSBs of √ and √ that are identical? From our theoretical estimation, the expected value is about 2.6, and it is almost independent of the bit-length of . This implies that, for any two randomly selected prime numbers and of /2 bits each, the first 2.6 MSBs of √ and √ are identical on average. Consequently, according to (40), the size of − is expected to be 2 × ( /4 − 2.6) = /2 − 5.2 bits, which increases linearly with the bit-length of .

Experimental Results.
Table 1 shows the experimental results for the index in EPF. Suppose that and are two randomly generated prime numbers of /2 bits each; we then compute log 2 ( − ), log 2 (ℎ ), and log 2 (ℎ +1 ), which denote the bit-lengths of − , ℎ , and ℎ +1 , respectively. Each entry in the table is the average over 1000 experimental instances. As can be observed from the first row, the bit-length of − is approximately ( /2 − 7) bits for all and is greater than that of ℎ by at least 1 bit on average. This result differs slightly from the result in the previous version at ACNS'07 [23] because different samples were used in the experiments. Note that in this paper we implement EPF with uniformly distributed samples, which are more objective. Moreover, the values of log 2 ( − ) in Table 1 are slightly smaller than the theoretical estimation of /2 − 5.2 bits; the reason may be that the prime-counting function (⋅) is ignored in the calculation. However, the values in Table 1 do increase linearly with the bit-length of .
In EPF, we simply estimate the value of − , which is, however, smaller than the actual value. On the other hand, up to now there is no theory to justify the difference between the bit-lengths of ℎ and − ; in fact, this would be an interesting subject of inquiry.

Accuracy and Further Improvement.
We demonstrate the accuracy of EPF in Table 2. Each entry in the table is averaged over 1000 samples. The first row shows the difference in bit-length between + and its estimation using 2 √ . The second row shows the difference in bit-length between + and its estimation using EPF. As can be seen in Table 2, using + as the estimation is more accurate than using 2 √ by at least one bit on average. This result shows that EPF is better than the traditional estimation method.
To further raise the accuracy of EPF, we may employ the properties of continued fractions. According to Theorem 2, we know that where is the th component of the continued fraction expression of 1/ √ (see Definition in Section 2.2). Consequently, for any real number ∈ [1, ], we have Since − and ⋅ are also in the intervals (ℎ , ℎ +1 ) and ( , +1 ), respectively, ℎ + ℎ −1 and + −1 might be better estimations of − and ⋅ . Hence, an interesting question would be how to find a suitable value of that yields better estimations of − and ⋅ . Note that, from the properties of continued fractions, we have Equation (43) implies that there exists an irrational number 1 such that To find an appropriate number , one method could be to choose very close to 1 , which might yield better estimations of − and ⋅ . However, we leave this idea as the subject of future work on EPF.

Applying EPF to Reduce the Cost of Exhaustive Search to 2 − 6 Bits
In this section, we apply the EPF proposed in Section 4 to further reduce the cost of exhaustive search. From the results of Section 3, the security boundary of RSA-Small-depends on the known MSBs of + . In EPF, the experimental results show that the 1st to the 8th MSBs of + , denoted as MSB 1 ∼ 8 ( + ), can be correctly determined with high probability (see Table 2). Consequently, setting + = 2^{( /2+1)−8} · 1 + 2 , where 2 < 2^{ /2−7}, then (46) follows. Moreover, by performing an exhaustive search for bits after the 8th MSB of + , that is, MSB 9 ∼ 8+ ( + ), the 1st to the (8 + )th MSBs of + can be correctly determined and the size of Λ is reduced to ( /2 + 1) − (8 + ) bits. Hence, (46) is revised to which is simplified to Equation (48) is the improved result when applying EPF to the method presented in Section 3. In conclusion, extending Wiener's boundary by bits requires only an exhaustive search for 2 − 6 bits, which results in a lower computational cost than Verheul and van Tilborg's extension. We summarize the improvements in each type of attack in Table 3.
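The three ingredients discussed above (the convergent test of Theorem 4 as used by the Wiener attack in Section 2.2, the Section 3 extension that runs the attack on e/((N+1) − E) for an estimate E carrying the top MSBs of p+q, and the EPF estimate of Section 4) can be exercised on a small constructed key. The code below is an added example written for this page, not the authors' implementation: all function names, the toy 59-bit modulus, the exponents, and the choice to write p = √N + a, q = √N − b (so that N = pq gives 1/√N = (a−b)/(ab) and p+q = 2√N + (a−b)) are this example's own reading of the EPF derivation, whose equations are not legible on this page. Read defensively, `wiener_recover` is the check a key-validation tool performs to reject an RSA-Small-d key, and `search_msbs` shows why merely exceeding N^{1/4} is not enough of a margin.

```python
"""Wiener's attack, its MSB-search extension, and an EPF-style estimate of p+q.

Added example for this page, not the paper's code: every name below and the
constructed toy keys are this example's own.  Notation: N = p*q, phi = (p-1)(q-1)
= (N+1) - (p+q), e*d = 1 (mod phi).  Real moduli are far larger than 59 bits.
"""
from math import gcd, isqrt


def convergents(partial_quotients):
    """Yield the convergents (h_i, k_i) of the continued fraction [a0; a1, ...]."""
    h_prev, h_cur, k_prev, k_cur = 0, 1, 1, 0        # h_-2, h_-1, k_-2, k_-1
    for a in partial_quotients:
        h_prev, h_cur = h_cur, a * h_cur + h_prev
        k_prev, k_cur = k_cur, a * k_cur + k_prev
        yield h_cur, k_cur


def rational_cf(num, den):
    """Partial quotients of num/den (Euclid's algorithm); the sequence is finite."""
    while den:
        a, num, den = num // den, den, num % den
        yield a


def inv_sqrt_cf(n):
    """Partial quotients of 1/sqrt(n) for non-square n: [0; a0, a1, ...], where
    sqrt(n) = [a0; a1, ...] comes from the standard quadratic-irrational recurrence."""
    a0 = isqrt(n)
    yield 0
    m, d, a = 0, 1, a0
    while True:
        yield a
        m = d * a - m
        d = (n - m * m) // d
        a = (a0 + m) // d


def wiener_recover(e, n, phi_guess=None):
    """Theorem 4 as used by the Wiener attack: walk the convergents k/d of
    e/phi_guess (plain Wiener: phi_guess = n) and return the d whose implied phi
    factors n, else None.  A key-validation tool runs exactly this check."""
    den = n if phi_guess is None else phi_guess
    for k, d in convergents(rational_cf(e, den)):
        if k == 0 or (e * d - 1) % k:
            continue
        s = n + 1 - (e * d - 1) // k          # candidate p+q from candidate phi
        disc = s * s - 4 * n                  # equals (p-q)^2 when s is right
        if disc >= 0 and isqrt(disc) ** 2 == disc:
            return d
    return None


def search_msbs(e, n, m):
    """Section 3 extension: try every value of the m most significant bits of
    p+q (about n/2+1 bits long; both plausible lengths are tried) and run the
    attack on e/((N+1)-E) for each candidate E.  Cost: about 2^m attack runs."""
    half = n.bit_length() // 2
    for length in (half + 1, half + 2):
        if length < m:
            continue
        for top in range(1 << (m - 1), 1 << m):
            d = wiener_recover(e, n, n + 1 - (top << (length - m)))
            if d is not None:
                return d
    return None


def epf_sum_estimate(n, target_bits):
    """EPF-style estimate of p+q.  With p = sqrt(N)+a and q = sqrt(N)-b, N = pq
    gives 1/sqrt(N) = (a-b)/(ab) and p+q = 2*sqrt(N) + (a-b) (my reading of the
    EPF derivation).  The last convergent numerator h_i of 1/sqrt(N) with at most
    target_bits bits (the expected size of a-b, about n/2-7 per Table 1) stands
    in for a-b; target_bits = 0 gives the traditional estimate 2*sqrt(N)."""
    h_best = 0
    for h, _k in convergents(inv_sqrt_cf(n)):
        if h.bit_length() > target_bits:
            break
        h_best = h
    return isqrt(4 * n) + 1 + h_best   # ceil(2*sqrt(n)); 4n is never a square for p != q


def common_msbs(x, y):
    """Number of leading bits shared by x and y (0 if their bit-lengths differ)."""
    if x.bit_length() != y.bit_length():
        return 0
    return x.bit_length() - (x ^ y).bit_length()


# Constructed toy key: p = 10^9+7, q = 2^29-3 (both prime), N of 59 bits.
P, Q = 1000000007, 536870909
N, PHI = P * Q, (P - 1) * (Q - 1)


def pick_d(start):
    """Smallest odd d >= start with gcd(d, PHI) = 1, as RSA-Small-d would choose."""
    d = start | 1
    while gcd(d, PHI) != 1:
        d += 2
    return d


D_SMALL = pick_d(1009)       # below Wiener's bound N^(1/4)/3 (about 9000 here)
D_LARGE = pick_d(1 << 19)    # above it, but inside the bound reached with 12 known MSBs of p+q
E_SMALL, E_LARGE = pow(D_SMALL, -1, PHI), pow(D_LARGE, -1, PHI)

if __name__ == "__main__":
    print("plain Wiener, small d recovered:", wiener_recover(E_SMALL, N) == D_SMALL)
    print("plain Wiener, larger d:", wiener_recover(E_LARGE, N))            # usually None
    print("12-MSB search, larger d recovered:", search_msbs(E_LARGE, N, 12) == D_LARGE)
    base = common_msbs(isqrt(4 * N) + 1, P + Q)
    for t in range(N.bit_length() // 2 - 7, N.bit_length() // 2 + 1):     # index heuristic sweep
        est = epf_sum_estimate(N, t)
        print(f"target {t} bits: EPF shares {common_msbs(est, P + Q)} MSBs of p+q (2*sqrt(N): {base})")
```

The MSB-search run mirrors the paper's accounting: with m = 12 known bits of p+q the private exponent may exceed N^{1/4} by (12 − 2)/2 = 5 bits and still be recovered, and `D_LARGE` sits inside that margin. The EPF sweep prints, rather than asserts, how many leading bits the estimate shares with the true p+q for several choices of `target_bits`, because (as Section 4 and the conclusion note) picking the index is a heuristic and the accuracy on any single modulus depends on it; on a modulus whose √p and √q share fewer leading bits than the 2.6-bit average, the Table 1 heuristic undershoots the size of a−b.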
With the progress of technology, the ability of machines to perform exhaustive searches will only increase. Figure 1 shows the relations between the security boundaries of the extensions of the Wiener attack and machines with different computational abilities. The symbol denotes the required number of bits for an exhaustive search to extend Wiener's boundary, and the symbol | | denotes the upper [19], which currently gives the best upper bound, although it is heuristic. Note that there is no guarantee that a heuristic algorithm outputs the solution. One may question whether the assumption that an exhaustive search for 80 bits is feasible holds. Given current developments, it will not be difficult to achieve such computational capability in the near future. According to Moore's Law, computers double in speed approximately every 18 months, which further supports our assumption. Moreover, parallel techniques and special-purpose machines can help speed up the computation.

Conclusion and Future Works
With the rapid growth of different network environments such as wireless sensor networks [24][25][26][27], security is normally the most important issue. In this paper, we propose a method, called EPF, to estimate the prime factors of an RSA modulus. With EPF, the cost of exhaustive search can be further reduced to 2 − 6 bits. This means that the search is 2^14 times faster than Verheul and van Tilborg's result and the security boundary is extended by 7 bits. It should be noted that their method for an exhaustive search is heuristic, since it is based on results about the distribution of small partial quotients in continued fraction expansions. An interesting problem in EPF is whether there exists a deterministic algorithm for finding an index satisfying ℎ < − < ℎ +1 . In this paper, we use the theoretical estimation to determine the index . The success rate is 85.1% according to our experiments. Now, another question arises: how to increase the success rate of the process of finding the index while no deterministic algorithm is available. In addition, another researchable question is how to improve the accuracy of the MSBs of + , which would make EPF more effective.
Caption fragment: [20]), the extension of the Wiener attack (Step 1) (Ext. W.) (see (24)), and the extension of the Wiener attack through EPF (EPF) (see (48)).
We should point out that EPF can be applied to Dujella's refinement [14] and the generalized Wiener attack [18]. Moreover, we foresee that EPF could be applied in other cryptographic settings, especially to attacks on cryptosystems based on the integer factorization problem (IFP). For example, the lattice technique is commonly used for the cryptanalysis of RSA [17,[28][29][30] or for attacks on RSA with small exponents [15,18,19,21,22,31,32]. We expect EPF to be a supportive tool for the lattice technique that strengthens the cryptanalysis of RSA. In conclusion, we would like to point out that, with the continuous improvements in computational capability and the assistance of EPF, required security levels are expected to rise, and security analysis should be carried out more carefully.