Wiener's attack

Last updated April 21, 2024

The Wiener's attack, named after cryptologist Michael J. Wiener, is a type of cryptographic attack against RSA. The attack uses the continued fraction method to expose the private key d when d is small.

Background on RSA

Fictional characters Alice and Bob are people who want to communicate securely. More specifically, Alice wants to send a message to Bob which only Bob can read. First Bob chooses two secret primes p and q. Then he calculates the RSA modulus N = pq. This RSA modulus is made public together with the encryption exponent e. N and e form the public key pair (e, N). By making this information public, anyone can encrypt messages to Bob. The decryption exponent d satisfies ed ≡ 1 (mod λ(N)), where λ(N) denotes the Carmichael function, though sometimes φ(N), the Euler's totient function, is used (note: this is the order of the multiplicative group (Z‍/‍NZ)^×, which is not necessarily a cyclic group). The encryption exponent e and λ(N) also must be relatively prime so that there is a modular inverse. The factorization of N and the private key d are kept secret, so that only Bob can decrypt the message. We denote the private key pair as (d, N). The encryption of the message M is given by C ≡ M^e (mod N) and the decryption of cipher text C is given by C^d ≡ (M^e)^d ≡ M^ed ≡ M (mod N) (using Fermat's little theorem).

Using the Euclidean algorithm, one can efficiently recover the secret key d if one knows the factorization of N. By having the secret key d, one can efficiently factor the modulus of N.^[1]

Small private key

In the RSA cryptosystem, Bob might tend to use a small value of d, rather than a large random number to improve the RSA decryption performance. However, Wiener's attack shows that choosing a small value for d will result in an insecure system in which an attacker can recover all secret information, i.e., break the RSA system. This break is based on Wiener's theorem, which holds for small values of d. Wiener has proved that the attacker may efficiently find d when d < 1/3 N^1/4.^[2]

Wiener's paper also presented some countermeasures against his attack that allow fast decryption. Two techniques are described as follows.

Choosing large public key: Replace e by e′, where e′ = e + k ⋅ λ(N) for some large of k. When e′ is large enough, i.e. e′ > N^3/2, then Wiener's attack cannot be applied regardless of how small d is.

Using the Chinese remainder theorem : Suppose one chooses d such that both d_p ≡ d (mod (p − 1)) and d_q ≡ d (mod (q − 1)) are small but d itself is not, then a fast decryption of C can be done as follows:

First compute M_p ≡ C^d_p (mod p) and M_q ≡ C^d_q (mod q.
Use the Chinese remainder theorem to compute the unique value of 0 ≤ M < N that satisfies M ≡ M_p (mod p) and M ≡ M_q (mod q. The result of M satisfies M ≡ C^d (mod N) as needed. The point is that Wiener's attack does not apply here because the value of d mod λ(N) can be large.^[3]

How the attack works

Note that

\lambda (N)=\operatorname {lcm} (p-1,q-1)={\frac {(p-1)(q-1)}{G}}={\frac {\varphi (N)}{G}}

where G = gcd(p − 1, q − 1).

Since ed ≡ 1 (mod λ(N), there exists an integer K such that

ed=K\times \lambda (N)+1

ed={\frac {K}{G}}(p-1)(q-1)+1

Defining k = K/gcd(K, G) and g = G/gcd(K, G), and substituting into the above gives:

ed={\frac {k}{g}}(p-1)(q-1)+1

.

Divided by dpq:

{\frac {e}{pq}}={\frac {k}{dg}}(1-\delta )

, where

\delta ={\frac {p+q-1-{\frac {g}{k}}}{pq}}

.

So, e/pq is slightly smaller than k/dg, and the former is composed entirely of public information. However, a method of checking^{[ clarification needed ]} and guess is still required.

By using simple algebraic manipulations and identities, a guess can be checked for accuracy.^[1]

Wiener's theorem

Let N = pq with q < p < 2q. Let d < 1/3 N^1/4.

Given ⟨N, e⟩ with ed ≡ 1 (mod λ(N)), the attacker can efficiently recover d.^[2]^{[ failed verification ]}

Example

Suppose that the public keys are ⟨N, e⟩ = ⟨90581, 17993⟩. The attack should determine d. By using Wiener's theorem and continued fractions to approximate d, first we try to find the continued fractions expansion of e/N. Note that this algorithm finds fractions in their lowest terms. We know that

{\frac {e}{N}}={\frac {17993}{90581}}={\cfrac {1}{5+{\cfrac {1}{29+\dots +{\cfrac {1}{3}}}}}}=\left[0,5,29,4,1,3,2,4,3\right]

According to the continued fractions expansion of e/N, all convergents k/d are:

{\frac {k}{d}}=0,{\frac {1}{5}},{\frac {29}{146}},{\frac {117}{589}},{\frac {146}{735}},{\frac {555}{2794}},{\frac {1256}{6323}},{\frac {5579}{28086}},{\frac {17993}{90581}}

We can verify that the first convergent does not produce a factorization of N. However, the convergent 1/5 yields

\varphi (N)={\frac {ed-1}{k}}={\frac {17993\times 5-1}{1}}=89964

Now, if we solve the equation

x^{2}-\left(\left(N-\varphi (N)\right)+1\right)x+N=0

x^{2}-\left(\left(90581-89964\right)+1\right)x+90581=0

x^{2}-618x+90581=0

then we find the roots which are x = 379; 239. Therefore we have found the factorization

N=90581=379\times 239=p\times q

.

Notice that, for the modulus N = 90581, Wiener's theorem will work if

d<{\frac {N^{1/4}}{3}}\approx 5.7828

.

Proof of Weiner's theorem

The proof is based on approximations using continued fractions.^[2]^[4]

Since ed = 1 (mod λ(N), there exists a k such that ed − kλ(N) = 1. Therefore

\left|{\frac {e}{\lambda (N)}}-{\frac {k}{d}}\right\vert ={\frac {1}{d\lambda (N)}}

.

Let G = gcd(p − 1, q − 1); note that if φ(N) is used instead of λ(N), then the proof can be replaced with G = 1 and φ(N) replaced with λ(N).

Then multiplying by 1/G,

\left|{\frac {e}{\varphi (N)}}-{\frac {k}{Gd}}\right\vert ={\frac {1}{d\varphi (N)}}

Hence, k/Gd is an approximation of e/φ(N). Although the attacker does not know φ(N), he may use N to approximate it. Indeed, since φ(N) = N − p − q + 1 and p + q − 1 < 3√N, we have:

\left\vert p+q-1\right\vert <3{\sqrt {N}}

\left\vert N-\varphi (N)\right\vert <3{\sqrt {N}}

Using N in place of φ(N) we obtain:

{\begin{aligned}\left\vert {\frac {e}{N}}-{\frac {k}{Gd}}\right\vert &=\left\vert {\frac {edG-kN}{NGd}}\right\vert \\&=\left\vert {\frac {edG-k\varphi (N)-kN+k\varphi (N)}{NGd}}\right\vert \\&=\left\vert {\frac {1-k(N-\varphi (N))}{NGd}}\right\vert \\&<\left\vert {\frac {-k(N-\varphi (N))}{NGd}}\right\vert (\because 0<|N-\varphi (N)|)\\&<\left\vert {\frac {3k{\sqrt {N}}}{NGd}}\right\vert ={\frac {3k{\sqrt {N}}}{{\sqrt {N}}{\sqrt {N}}Gd}}\leq {\frac {3k}{d{\sqrt {N}}}}\end{aligned}}

Now, kλ(N) = ed − 1 < ed, so kλ(N) < ed. Since e < λ(N), so kλ(N) < ed < λ(N)d, then we obtain:

k\lambda (N)<\lambda (N)d

k<d

Since k < d and d < 1/3 N^1/4. Hence we obtain:

(1)

\left\vert {\frac {e}{N}}-{\frac {k}{Gd}}\right\vert <{\frac {1}{dN^{\frac {1}{4}}}}

Since d < 1/3 N^1/4, 2d < 3d, then 2d < 3d < N^1/4, we obtain:

2d<N^{1/4}

, so (2)

{\frac {1}{2d}}>{\frac {1}{N^{1/4}}}

From (1) and (2), we can conclude that

\left\vert {\frac {e}{N}}-{\frac {k}{Gd}}\right\vert <{\frac {3k}{d{\sqrt {N}}}}<{\frac {1}{d\cdot 2d}}={\frac {1}{2d^{2}}}

If |x − a/b| < 1/2b², then a/b is a convergent of x, thus k/Gd appears among the convergents of e/N. Therefore the algorithm will indeed eventually find k/Gd. ^{[ further explanation needed ]}

Related Research Articles

In integral calculus, an elliptic integral is one of a number of related functions defined as the value of certain integrals, which were first studied by Giulio Fagnano and Leonhard Euler. Their name originates from their originally arising in connection with the problem of finding the arc length of an ellipse.

In mathematics, the Fibonacci sequence is a sequence in which each number is the sum of the two preceding ones. Numbers that are part of the Fibonacci sequence are known as Fibonacci numbers, commonly denoted $F n$ . The sequence commonly starts from 0 and 1, although some authors start the sequence from 1 and 1 or sometimes from 1 and 2. Starting from 0 and 1, the sequence begins

In mathematics, an $n$ -sphere or hypersphere is an $n$ -dimensional generalization of the 1-dimensional circle and 2-dimensional sphere to any non-negative integer $n$ . The $n$ -sphere is the setting for $n$ -dimensional spherical geometry.

<span class="mw-page-title-main">Euler's totient function</span> Number of integers coprime to and not exceeding n

In number theory, Euler's totient function counts the positive integers up to a given integer $n$ that are relatively prime to $n$ . It is written using the Greek letter phi as $or, and may also be called Euler's phi function . In other words, it is the number of integers k in the range 1 \leq k \leq n for which the greatest common divisor gcd(n, k) is equal to 1. The integers k of this form are sometimes referred to as totatives of n .$

In mathematics and physical science, spherical harmonics are special functions defined on the surface of a sphere. They are often employed in solving partial differential equations in many scientific fields. A list of the spherical harmonics is available in Table of spherical harmonics.

In vector calculus, Green's theorem relates a line integral around a simple closed curve $C$ to a double integral over the plane region $D$ bounded by $C$ . It is the two-dimensional special case of Stokes' theorem.

The sine-Gordon equation is a nonlinear hyperbolic partial differential equation for a function $dependent on two variables typically denoted and, involving the wave operator and the sine of .$

In mathematics, the Jacobi elliptic functions are a set of basic elliptic functions. They are found in the description of the motion of a pendulum, as well as in the design of electronic elliptic filters. While trigonometric functions are defined with reference to a circle, the Jacobi elliptic functions are a generalization which refer to other conic sections, the ellipse in particular. The relation to trigonometric functions is contained in the notation, for example, by the matching notation $for . The Jacobi elliptic functions are used more often in practical problems than the Weierstrass elliptic functions as they do not require notions of complex analysis to be defined and/or understood. They were introduced by Carl Gustav Jakob Jacobi. Carl Friedrich Gauss had already studied special Jacobi elliptic functions in 1797, the lemniscate elliptic functions in particular, but his work was published much later.$

In physics and astronomy, the Reissner–Nordström metric is a static solution to the Einstein–Maxwell field equations, which corresponds to the gravitational field of a charged, non-rotating, spherically symmetric body of mass M. The analogous solution for a charged, rotating body is given by the Kerr–Newman metric.

In the theory of stochastic processes, the Karhunen–Loève theorem, also known as the Kosambi–Karhunen–Loève theorem states that a stochastic process can be represented as an infinite linear combination of orthogonal functions, analogous to a Fourier series representation of a function on a bounded interval. The transformation is also known as Hotelling transform and eigenvector transform, and is closely related to principal component analysis (PCA) technique widely used in image processing and in data analysis in many fields.

<span class="mw-page-title-main">Carmichael function</span> Function in mathematical number theory

In number theory, a branch of mathematics, the Carmichael function $λ (n)$ of a positive integer $n$ is the smallest member of the set of positive integers $m$ having the property that

In quantum field theory, a quartic interaction is a type of self-interaction in a scalar field. Other types of quartic interactions may be found under the topic of four-fermion interactions. A classical free scalar field $satisfies the Klein-Gordon equation. If a scalar field is denoted, a quartic interaction is represented by adding a potential energy term to the Lagrangian density. The coupling constant is dimensionless in 4-dimensional spacetime.$

In general relativity, Schwarzschild geodesics describe the motion of test particles in the gravitational field of a central fixed mass $that is, motion in the Schwarzschild metric. Schwarzschild geodesics have been pivotal in the validation of Einstein's theory of general relativity. For example, they provide accurate predictions of the anomalous precession of the planets in the Solar System and of the deflection of light by gravity.$

In mathematics, the plastic ratio is a geometrical proportion close to $53/40$ . Its true value is the real solution of the equation $x 3 = x + 1.$

In algebra, the Bring radical or ultraradical of a real number a is the unique real root of the polynomial

A ratio distribution is a probability distribution constructed as the distribution of the ratio of random variables having two other known distributions. Given two random variables X and Y, the distribution of the random variable Z that is formed as the ratio Z = X/Y is a ratio distribution.

In mathematics, the spectral theory of ordinary differential equations is the part of spectral theory concerned with the determination of the spectrum and eigenfunction expansion associated with a linear ordinary differential equation. In his dissertation, Hermann Weyl generalized the classical Sturm–Liouville theory on a finite closed interval to second order differential operators with singularities at the endpoints of the interval, possibly semi-infinite or infinite. Unlike the classical case, the spectrum may no longer consist of just a countable set of eigenvalues, but may also contain a continuous part. In this case the eigenfunction expansion involves an integral over the continuous part with respect to a spectral measure, given by the Titchmarsh–Kodaira formula. The theory was put in its final simplified form for singular differential equations of even degree by Kodaira and others, using von Neumann's spectral theorem. It has had important applications in quantum mechanics, operator theory and harmonic analysis on semisimple Lie groups.

Common integrals in quantum field theory are all variations and generalizations of Gaussian integrals to the complex plane and to multiple dimensions. Other integrals can be approximated by versions of the Gaussian integral. Fourier integrals are also considered.

For computer science, in statistical learning theory, a representer theorem is any of several related results stating that a minimizer $of a regularized empirical risk functional defined over a reproducing kernel Hilbert space can be represented as a finite linear combination of kernel products evaluated on the input points in the training set data.$

In representation theory of mathematics, the Waldspurger formula relates the special values of two L-functions of two related admissible irreducible representations. Let $k$ be the base field, $f$ be an automorphic form over $k$ , $π$ be the representation associated via the Jacquet–Langlands correspondence with f. Goro Shimura (1976) proved this formula, when $and f is a cusp form; Günter Harder made the same discovery at the same time in an unpublished paper. Marie-France Vignéras (1980) proved this formula, when and f is a newform. Jean-Loup Waldspurger, for whom the formula is named, reproved and generalized the result of Vignéras in 1985 via a totally different method which was widely used thereafter by mathematicians to prove similar formulas.$

References

1 2 L. Render, Elaine (2007). Wiener's Attack on Short Secret Exponents. ^{[ dead link ]}
1 2 3 Boneh, Dan (1999). Twenty Years of attacks on the RSA Cryptosystem. Notices of the American Mathematical Society (AMS) 46 (2).
↑ Cui, Xiao-lei (2005). Attacks On the RSA Cryptosystem.
↑ Salah, Imad Khaled; Darwish, Abdullah; Oqeili, Saleh (2006). "Mathematical Attacks on RSA Cryptosystem" (PDF). Journal of Computer Science. 2 (8): 665–671. doi:10.3844/jcssp.2006.665.671.