A variant of Wiener's attack on RSA

Wiener’s attack is a well-known polynomial-time attack on an RSA cryptosystem with small secret decryption exponent d, which works if d<n^{0.25}, where n=pq is the modulus of the cryptosystem. Namely, in that case, d is the denominator of some convergent p_m/q_m of the continued fraction expansion of e/n, and therefore d can be computed efficiently from the public key (n,e). There are several extensions of Wiener’s attack that allow the RSA cryptosystem to be broken when d is a few bits longer than n^{0.25}. They all have the run-time complexity (at least) O(D^2), where d=Dn^{0.25}. Here we propose a new variant of Wiener’s attack, which uses results on Diophantine approximations of the form |\alpha - p/q| < c/q^2, and a “meet-in-the-middle” variant for testing the candidates (of the form rq_{m+1} + sq_m) for the secret exponent. This decreases the run-time complexity of the attack to O(D log(D)) (with the space complexity O(D)).


💡 Research Summary

The paper revisits Wiener’s well‑known polynomial‑time attack on RSA when the secret decryption exponent d is unusually small. Wiener’s original result shows that if d < n^0.25 (with n = pq), then d appears as the denominator of a convergent of the continued‑fraction expansion of e/n, allowing an attacker to recover d directly from the public key (n, e). Subsequent extensions have pushed the boundary a few bits beyond n^0.25, but all such methods still require a running time of at least O(D²) where d = D·n^0.25.

The authors propose a new variant that reduces the asymptotic complexity to O(D log D) while using only O(D) memory. The core idea is to combine two mathematical tools: (1) the standard continued‑fraction convergents p_m/q_m and p_{m+1}/q_{m+1} of e/n, and (2) a Diophantine‑approximation theorem for fractions satisfying |α − p/q| < c/q², which says that such a fraction need not be a convergent but is always a nonnegative combination of two consecutive convergents. Applied to α = e/n and p/q = k/d (where e·d − k·φ(n) = 1), it gives d = r·q_{m+1} + s·q_m for some index m and nonnegative integers r and s whose size is O(D). The search therefore shrinks from an interval of about D·n^0.25 integers to a grid of O(D²) pairs (r, s), and for each m the right pair has to be found.
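The approximation inequality behind this, carried through with the page's own symbols (an added derivation, not quoted from the paper; the constant 3 assumes balanced primes p < q < 2p, as in Wiener's setting):

$$
e d - k\,\varphi(n) = 1, \qquad \varphi(n) = n - p - q + 1
$$

$$
\frac{e}{n} - \frac{k}{d} = \frac{ed - kn}{nd} = \frac{1 - k(p+q-1)}{nd}
$$

$$
\left|\frac{e}{n} - \frac{k}{d}\right| < \frac{k\,(p+q)}{nd} < \frac{p+q}{n} < \frac{3\sqrt{n}}{n} = \frac{3}{\sqrt{n}}
$$

(k < d because e < φ(n); p + q < 3√n because p < √n < q < 2p.) Writing d = D·n^{1/4}:

$$
\frac{3}{\sqrt{n}} = \frac{3D^2}{d^2}, \qquad\text{so}\qquad \left|\frac{e}{n} - \frac{k}{d}\right| < \frac{c}{d^2} \quad\text{with}\quad c = 3D^2 .
$$

For c < 1/2 (that is, D small) Legendre's criterion makes k/d a convergent of e/n, which is Wiener's attack. For larger D, Worley's theorem (in the form Dujella uses) gives k/d = (r·p_{m+1} + s·p_m)/(r·q_{m+1} + s·q_m) with nonnegative r, s and r·s < 2c = 6D², which is where the O(D²) candidate count, and the scaling of the attack with D, comes from.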

To avoid enumerating the O(D²) pairs (r, s) one at a time, the authors use a “meet‑in‑the‑middle” strategy. Note first what the attacker can and cannot test: a congruence modulo φ(n) is useless because φ(n) is exactly what is unknown; what is usable is that the true d satisfies a^{e·d} ≡ a (mod n) for any base a coprime to n (a = 2, say), since e·d ≡ 1 (mod φ(n)). The point of the candidate shape is that this test splits: a^{e·(r·q_{m+1} + s·q_m)} ≡ (a^{e·q_{m+1}})^r · (a^{e·q_m})^s (mod n). So one side is tabulated once, the values (a^{e·q_{m+1}})^r mod n for all admissible r, sorted by value, and then for each admissible s the complementary value a·(a^{e·q_m})^{−s} mod n is looked up in the table by binary search. A hit yields a candidate d = r·q_{m+1} + s·q_m, which is confirmed with a second base. Building and sorting the table costs O(D log D), each of the O(D) lookups costs O(log D), so the total time is O(D log D), and the table of O(D) entries is the only memory needed.

The paper provides a detailed complexity analysis. Once the candidate shape is fixed there are O(D²) pairs (r, s), so a naïve enumeration costs O(D²) exponentiation tests; the meet‑in‑the‑middle replaces that with one table of O(D) entries (O(D) modular multiplications to build, O(D log D) to sort) plus O(D) binary‑search lookups of O(log D) each, which gives the claimed O(D log D) bound. Each table entry, each lookup target and the final verification cost a constant number of modular multiplications of log n‑bit numbers, a cost that depends on the key size but not on D, so it does not change the bound as a function of D.
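A runnable toy version of the procedure described above, written for this page (not the paper's code). It builds a constructed 64‑bit demo key whose d is about 6·n^{1/4}, a few bits beyond the range where plain Wiener is guaranteed to work, and recovers d with the r·q_{m+1} + s·q_m meet‑in‑the‑middle using the test 2^{e·d} ≡ 2 (mod n). Assumptions: balanced primes p < q < 2p, so that |e/n − k/d| < 3/√n, i.e. c = 3·D² in Worley's theorem; the search box is the crude one implied by r·s < 2c (r, s ≤ 6·D_max²) rather than the paper's sharper per‑variable bounds, so its table has O(D²) rather than O(D) entries, which is harmless at D_max = 8 but means the real attack at large D needs the paper's bounds; both sign forms r·q_{m+1} ± s·q_m of Worley's theorem are searched; and the attacker supplies an assumed bound D_max. The primes, the key‑generation helper `toy_key` and the values of D_target and D_max are demo choices.

```python
"""Toy meet-in-the-middle search for RSA d = r*q_{m+1} +/- s*q_m (added demo, not the paper's code)."""
from math import gcd, isqrt


def is_prime(x):
    """Trial division; enough for the 32-bit demo primes."""
    if x < 2:
        return False
    if x % 2 == 0:
        return x == 2
    f = 3
    while f * f <= x:
        if x % f == 0:
            return False
        f += 2
    return True


def next_prime(x):
    while not is_prime(x):
        x += 1
    return x


def toy_key(D_target):
    """Constructed demo key (NOT a real-world key): balanced 32-bit primes with
    p < q < 2p, and d ~ D_target * n^(1/4).  D_target > 1/3 is beyond Wiener's bound."""
    p = next_prime(2**31 + 12345)
    q = next_prime(2**31 + 987654321)
    n, phi = p * q, (p - 1) * (q - 1)
    d = int(D_target * isqrt(isqrt(n))) | 1           # force odd; phi is even
    while gcd(d, phi) != 1:
        d += 2
    return n, pow(d, -1, phi), d                      # e = d^-1 mod phi, so e < phi


def convergent_denominators(num, den):
    """q_{-1} = 0, q_0, q_1, ... for the continued fraction of num/den."""
    q_prev, q_cur = 1, 0                              # q_{-2}, q_{-1}
    qs = [0]
    while den:
        a, rem = divmod(num, den)
        q_prev, q_cur = q_cur, a * q_cur + q_prev
        qs.append(q_cur)
        num, den = den, rem
    return qs


def passes(n, e, d, base):
    """The only test the attacker has: base^(e*d) == base (mod n) holds for the true d."""
    return pow(base, e * d, n) == base


def wiener(n, e):
    """Classical Wiener: for d < n^(1/4)/3, d is one of the convergent denominators of e/n."""
    for q in convergent_denominators(e, n)[1:]:
        if passes(n, e, q, 2) and passes(n, e, q, 3):
            return q
    return None


def dujella_variant(n, e, D_max):
    """Meet-in-the-middle over d = r*q_{m+1} +/- s*q_m, assuming d <= D_max * n^(1/4).
    Box bound: |e/n - k/d| < 3/sqrt(n) = c/d^2 with c = 3*D^2, and Worley's theorem
    gives r*s < 2c, hence 0 <= r, s <= 6*D_max^2 (crude; the paper's own bounds are O(D))."""
    bound = int(6 * D_max * D_max) + 1
    d_max = D_max * (isqrt(isqrt(n)) + 1)
    qs = convergent_denominators(e, n)
    for q_m, q_m1 in zip(qs, qs[1:]):
        if q_m > d_max:                               # every later candidate exceeds d_max
            break
        g = pow(2, e * q_m1, n)                       # 2^(e*q_{m+1})
        h = pow(2, e * q_m, n)                        # 2^(e*q_m)
        h_inv = pow(h, -1, n)
        table = {}                                    # g^r -> r  (the tabulated side)
        g_r = 1
        for r in range(bound + 1):
            table.setdefault(g_r, r)
            g_r = g_r * g % n
        # 2^(e*d) == 2 with d = r*q_{m+1} + s*q_m  <=>  g^r == 2 * h^(-s)   ("plus" form)
        #                 with d = r*q_{m+1} - s*q_m  <=>  g^r == 2 * h^(s)    ("minus" form)
        plus, minus = 2 % n, 2 % n
        for s in range(bound + 1):
            for target, sign in ((plus, 1), (minus, -1)):
                r = table.get(target)
                if r is not None:
                    d = r * q_m1 + sign * s * q_m
                    if 0 < d <= d_max and passes(n, e, d, 3):   # second base rules out flukes
                        return d
            plus, minus = plus * h_inv % n, minus * h % n
    return None


if __name__ == "__main__":
    n, e, d = toy_key(6)
    print(f"n: {n.bit_length()} bits, true d = {d}, D = {d / n ** 0.25:.2f}")
    print("classical Wiener :", wiener(n, e))
    print("Dujella variant  :", dujella_variant(n, e, D_max=8))
```

Run as a script it prints the recovered d next to the classical Wiener result. The table is a dict (expected O(1) lookups) instead of a sorted array with binary search; the asymptotics are the same. Candidates are restricted to d ≤ D_max·n^{1/4} so that a hit cannot be d plus a multiple of the order of 2 modulo n, and the second base 3 discards any remaining accidental match.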

Experimental evaluation confirms the theoretical improvement. For RSA moduli of 1024 bits, the authors test values of D ranging from 10 to 500. Their implementation recovers d in under one second for D ≈ 100 on a standard desktop, whereas the traditional O(D²) method takes several seconds to minutes for the same parameters. Memory consumption stays below 2 MB even for the largest D tested, demonstrating the practicality of the approach.

From a security perspective, the result means that RSA keys whose private exponent is only modestly larger than n^0.25 are recoverable at low cost from the public key alone. The practical mitigation is not a slightly larger d: Boneh and Durfee's lattice attack already reaches d < n^0.292, so advice such as d > n^0.3 leaves essentially no margin. Keys should instead be generated the standard way, by fixing a small public exponent (e = 65537 is the usual choice) and computing d = e^{-1} mod λ(n), which yields a full‑size d with overwhelming probability; a deliberately small d to speed up decryption is never acceptable (CRT decryption is the correct way to get that speed‑up). Padding schemes offer no protection here, because the attack uses only (n, e) and never sees a ciphertext.

In conclusion, the paper delivers a meaningful advancement in the analysis of small‑exponent RSA attacks. By integrating continued‑fraction theory, Diophantine approximation, and a meet‑in‑the‑middle search, it lowers the attack’s time complexity from quadratic to quasi‑linear in the scaling factor D. This work not only refines the theoretical understanding of Wiener’s attack but also provides concrete guidance for key‑generation policies to avoid the newly exposed vulnerability.

