Wiener's Attack

Introduction

The system of RSA is frequently used for security application such as email, credit card payments, login network access, etc. One of RSA attacks is suggested by Michael Wiener. He uses continued fraction method to exploit an error made in the use of RSA. The example of situation is when we are doing transactions using credit card or for mobile devices such as phone.

Before we discuss how Wiener's attack works, first we will explain how RSA works briefly. Let Alice and Bob be two people who want to make communication securely. In more specific, Alice wants to send a message to Bob which only Bob can read. First Bob chooses two primes p and q. Then he calculates the RSA modulus N = pq. This RSA modulus which is public and together with the encryption exponent e will form the public key pair (e,N). By making this information public, it will allow anyone to encrypt the message. The decryption exponent d is satisfied ${\displaystyle ed=1mod\varphi (N)}$ , where ${\displaystyle \varphi (N)=(p-1)(q-1)}$ , Euler’s phi function (note: this is the order of multiplicative group ${\displaystyle \mathbb {Z} _{N}^{*}}$ ). The encryption exponent e and ${\displaystyle \varphi (N)}$  also must be relatively prime so that there is a modular inverse. The factorization of N and the private key d are kept secret, so that only Bob can decrypt the message. We can the private key pair as (d, N). Using Chinese Remainder Theorem, one can efficiently recover the secret key d if (s)he knows the factorization of N. By having the secret key d, one can efficiently factor the modulus of N.

In RSA Cryptosystem, the one who sends the message might tend to use a small value of d, rather than a large random number to improve the RSA decryption performance in the matter of running-time. However, by using Wiener’s attack, we can see that choosing a small value for d will result an insecure system in which we can recover all secret information. Another person, called “the attacker” will break the RSA system. This break is based on Wiener’s Theorem, which in general provides a small value of d. Wiener has proved that the attacker may efficiently find d when ${\displaystyle d<{\frac {1}{3}}N^{\frac {1}{4}}}$ .
In addition to Wiener's finding in RSA-attack, he also found a number of techniques that allow fast decryption and does not apply to his attack. Two sampling techniques are described as follows.
Choosing large public key: By replacing ${\displaystyle e}$  by ${\displaystyle e'}$ , where ${\displaystyle e'=e+k.\varphi (N)}$  for some large of ${\displaystyle k}$ . When ${\displaystyle e'}$  is large enough, i.e. ${\displaystyle e'>N^{\frac {1}{2}}}$ , then Wiener’s attack can not be installed regardless of how small ${\displaystyle d}$  is.
Using Chinese Remainder Theorem: Suppose one chooses d such that both ${\displaystyle d_{p}=d{\bmod {\ }}(p-1)}$ and ${\displaystyle d_{q}=d{\bmod {\ }}(q-1)}$  are small, then a fast decryption of ${\displaystyle C}$  can be done as follows:
1. First compute ${\displaystyle M_{p}=C^{dp}{\bmod {\ }}p}$  and ${\displaystyle M_{q}=C^{dq}{\bmod {\ }}q}$ .
2. Use the Chinese Remainder Theorem to compute the unique value of ${\displaystyle M\in \mathbb {Z_{N}} }$  which satisfies ${\displaystyle M=M_{p}{\bmod {\ }}p}$  and ${\displaystyle M=M_{q}{\bmod {\ }}q}$ . The result of ${\displaystyle M}$  satisfies ${\displaystyle M=C^{d}{\bmod {\ }}N}$  as needed. The point is that the attack by Wiener’s attack does not apply here because the value of ${\displaystyle d{\bmod {\ }}\varphi (N)}$  can be large.

How Wiener's Attack Works

Since

${\displaystyle ed=1(mod(p-1)(q-1))}$ ,

There exist an integer K such that

${\displaystyle ed=K.(p-1)(q-1)+1}$ 

Define ${\displaystyle G=gcd(p-1,q-1)}$  to be included in the equation above which gives:

${\displaystyle ed={\frac {K}{G}}(p-1)(q-1)+1}$ 

Defining ${\displaystyle k={\frac {K}{gcd(K,G)}}}$  and ${\displaystyle g={\frac {G}{gcd(K,G)}}}$ , and substituting into the above gives:

${\displaystyle ed={\frac {k}{g}}(p-1)(q-1)+1}$ .

Divided by ${\displaystyle dpq}$ :

${\displaystyle {\frac {e}{pq}}={\frac {k}{dg}}(1-\delta )}$ , where ${\displaystyle \delta ={\frac {p+q-1-{\frac {g}{k}}}{pq}}}$ .

So, ${\displaystyle {\frac {e}{pq}}}$  is close underestimate of ${\displaystyle {\frac {k}{dg}}}$ , and the former is composed entirely of public information. Note that this algorithm finds fractions in their lowest terms. However, a method of checking a guess is still required. Assuming that ${\displaystyle ed>pq}$  (a reasonable asumption unles ${\displaystyle G}$  is large) the last equation above may be written as:

${\displaystyle edg=k.(p-1)(q-1)+g}$ 

By using simple algebraic manipulation and identities, a guess can be checked for accuracy.

Example

Suppose that the public keys are ${\displaystyle \left\langle N,e\right\rangle =\left\langle 90581,17993\right\rangle }$ 
If we want to attack, we have to determine ${\displaystyle d}$ .
By using Wiener Theorem and continued fractions to approx ${\displaystyle d}$ , first we try to find the continued fractions of ${\displaystyle {\frac {e}{N}}}$ .

We know that

${\displaystyle {\frac {e}{N}}={\frac {17993}{90581}}={\cfrac {1}{5+{\cfrac {1}{29+...+{\cfrac {1}{3}}}}}}=\left[0,5,29,4,1,3,2,4,3\right]}$ 

According to the continued fractions expansion of ${\displaystyle {\frac {e}{N}}}$ , the all convergents ${\displaystyle {\frac {k}{d}}}$  are:

${\displaystyle {\frac {k}{d}}=0,{\frac {1}{5}},{\frac {29}{146}},{\frac {117}{589}},{\frac {146}{735}},{\frac {555}{2794}},{\frac {1256}{6323}},{\frac {5579}{28086}},{\frac {17993}{90581}}}$ 

We can verify that the first convergents do not produce a factorizations of ${\displaystyle N}$ . However, the convergent ${\displaystyle {\frac {1}{5}}}$  yield

${\displaystyle \varphi (N)={\frac {e.d-1}{k}}={\frac {17993.5-1}{1}}=89964}$ 

Now, if we solve the equation

${\displaystyle x^{2}-\left(\left(N-\varphi (N)\right)+1\right)x+N=0}$ 

${\displaystyle x^{2}-\left(\left(90581-89964\right)+1\right)x+90581=0}$ 

${\displaystyle x^{2}-\left(618\right)x+90581=0}$ 

Then we find the roots which are ${\displaystyle x=379;239}$ . Therefore we have found the factorization.

${\displaystyle N=90581=379\times 239=p\times q}$ .

Notice that, for the modulus ${\displaystyle N=90581}$ , the Wiener's Theorem will work if

${\displaystyle d<{\frac {N^{\frac {1}{4}}}{3}}\approx 5,783}$ .

Theorem (M. Wiener)

Let ${\displaystyle \ N=pq}$  with ${\displaystyle \ q<p<2q}$ . Let ${\displaystyle d<{\frac {1}{3}}N^{\frac {1}{4}}}$ .
Given ${\displaystyle \left\langle N,e\right\rangle }$  with ${\displaystyle ed=1{\bmod {\ }}\varphi (N)}$ , the attacker can efficiently recover ${\displaystyle d}$ .

Proof

The proof is based on approximations using continued fractions. Since ${\displaystyle ed=1{\bmod {\varphi }}(N)}$ , there exists a ${\displaystyle {\mathit {k}}}$  such that ${\displaystyle ed-k\varphi (N)=1}$ . Therefore

${\displaystyle \left|{\frac {e}{\varphi (N)}}-{\frac {k}{d}}\right\vert ={\frac {1}{d\varphi (N)}}}$ 

Hence, ${\displaystyle {\frac {k}{d}}}$  is an approximation of ${\displaystyle {\frac {e}{\varphi (N)}}}$ . Although the attacker does not know ${\displaystyle \varphi (N)}$ , he may use ${\displaystyle N}$  to approximate it. Indeed, since

${\displaystyle \varphi (N)=N-p-q+1}$  and ${\displaystyle p+q-1<3{\sqrt {N}}}$ , we have:

${\displaystyle \left\vert p+q-1\right\vert <3{\sqrt {N}}}$ 

${\displaystyle \left\vert N+1-\varphi (N)-1\right\vert <3{\sqrt {N}}}$ 

Using N in place of ${\displaystyle \varphi (N)}$  we obtain:

${\displaystyle \left\vert {\frac {e}{N}}-{\frac {k}{d}}\right\vert =\left\vert {\frac {ed-kN}{Nd}}\right\vert }$ 

${\displaystyle \qquad =\left\vert {\frac {ed-k\varphi (N)-kN+k\varphi (N)}{Nd}}\right\vert }$ 

${\displaystyle =\left\vert {\frac {1-k(N+\varphi (N))}{Nd}}\right\vert }$ 

${\displaystyle \leq \left\vert {\frac {3k{\sqrt {N}}}{Nd}}\right\vert ={\frac {3k{\sqrt {N}}}{{\sqrt {N}}{\sqrt {N}}d}}={\frac {3k}{d{\sqrt {N}}}}}$ 

Now, ${\displaystyle k\varphi (N)=ed-1<ed}$ , so ${\displaystyle k\varphi (N)<ed}$ . Since ${\displaystyle e<\varphi (N)}$ , so ${\displaystyle k\varphi (N)<ed<\varphi (N)d}$ , then we obtain:

${\displaystyle k\varphi (N)<\varphi (N)d}$ 

${\displaystyle k<d}$ 

Since ${\displaystyle k<d}$  and ${\displaystyle d<{\frac {1}{3}}N^{\frac {1}{4}}}$ . Hence we obtain:

${\displaystyle \left\vert {\frac {e}{N}}-{\frac {k}{d}}\right\vert \leq {\frac {1}{dN^{\frac {1}{4}}}}.......(1)}$ 

Since ${\displaystyle d<{\frac {1}{3}}N^{\frac {1}{4}},2d<3d,}$  then ${\displaystyle 2d<3d<N^{\frac {1}{4}}}$ , we obtain:

${\displaystyle 2d<N^{\frac {1}{4}},}$ , so ${\displaystyle {\frac {1}{2d}}>{\frac {1}{N^{\frac {1}{4}}}}......(2)}$ 

From (1) and (2), we can conclude that

${\displaystyle \left\vert {\frac {e}{N}}-{\frac {k}{d}}\right\vert \leq {\frac {3k}{d{\sqrt {N}}}}<{\frac {1}{d.2d}}={\frac {1}{2d^{2}}}\blacksquare }$ 

Notes

• Boneh, Dan (1999). Twenty Years of attacks on the RSA Cryptosystem. Notices of the American Mathematical Society (AMS) 46 (2).
  

• Coppersmith, Don (1996). Low-Exponent RSA with Related Messages. Springer-Verlag Berlin Heidelberg. <br\>

• Cui, Xiao-lei (2005). Attack On the RSA Cryptosystem.<br\>

• Khaled Salah, Imad (2006). Mathematical Attacks on RSA Cryptosystem. Journal of Computer Science 2 (8)). pp. 665-671.
  

• L. Render, Elaine (2007). Wiener's Attack on Short Secret Exponents.
  

• Jose, Justin (2010). Study of RSA and Proposed Variant Against Wiener's Attack. International Journal of Computer Applications.
  

• DUJELLA, ANDREJ (2004). CONTINUED FRACTIONS AND RSA WITH SMALL SECRET EXPONENT.
  

References

• R. Stinson, Douglas (2002). Cryptography Theory and Practice (2e ed.). A CRC Press Company. pp. 200–204. ISBN 1-58488-206-9.