The improvement of the private key exponent in the M.Weiner Attack

Question

I am working on attacks on RSA and came across the M. Weiner attack.

The limit for $d$ in order for the attack to apply is $d <= (\frac{1}{3})N^{0.25}$. The paper states that Boneh and Durfee improved this limit… but to what? What's the limit they reach for the attack to still apply?

I'd expect you to do more research on your own before asking here (on this site we expect you to do a significant amount of research before asking). In the future, one way to answer this sort of thing on your own is to do a literature search. — D.W., May 31 '14 at 02:11

score 2 · Accepted Answer · answered May 29 '14 at 14:55

Quoting the abstract:

Abstract: We show that if the private exponent d used in the RSA system is less than $N^{0.292}$ then the system is insecure. This is the first improvement of an old result of Wiener showing that when $d < N^{0.25}$ RSA is insecure. We hope our approach can be used to eventually improve the bound to $d < N^{0.5}$.

https://crypto.stanford.edu/~dabo/abstracts/lowRSAexp.html

The improvement of the private key exponent in the M.Weiner Attack

1 Answers1