Cryptanalysis of RSA with Private Key d Less Than N^0.292 (Extended Abstract)

Abstract

) Dan Boneh Glenn Durfee y [email protected] [email protected] Abstract We show that if the private exponent d used in the RSA public-key cryptosystem is less than N 0:292 then the system is insecure. This is the rst improvement over an old result of Wiener showing that when d < N 0:25 the RSA system is insecure. We hope our approach can be used to eventually improve the bound to d < N 0:5 . 1 Introduction To provide fast RSA signature generation one is tempted to use a small private exponent d. Unfortunately, Wiener [10] showed over ten years ago that if one uses d < N 0:25 then the RSA system can be broken. Since then there have been no improvements to this bound. Verheul and Tilborg [9] showed that as long as d < N 0:5 it is possible to expose d in less time than an exhaustive search; however, their algorithm requires exponential time as soon as d > N 0:25 . In this paper we give the rst substantial improvement to Wiener's result. We show that as long as..