在RSA系統中，一個平衡模數N代表是由兩個大質數p和q相乘而來的，其中q < p < 2q。由於對一個大的整數做因數分解是一件相當困難的事情，所以我們通常借用sqrt(N)來當作p和q的估計值。而在Wiener attack 中，為了提高私密金鑰d的安全界線，Weger採用了2*sqrt(N)當作p + q的估計值。在本論文裡，我們提出了一種新的方法去估計N的質因數，稱之為 EPF。在N = pq用pE和qE來分別表示p和q的估計值。用pE + qE來取代2*sqrt(N)的話，可更準確的估計p + q的值。此外，我們將證明Verheul 和Tilborg對於Wiener attack的延伸可以轉換為暴力搜尋p + q的MSBs。而和他們的研究結果做比較的話，EPF在於徹底搜尋所需花費的計算能力，將可由2r + 8位元下降到 2r - 2 位元，其中r的值是取決於模數N和私密金鑰d之間的關係。Verheul和 Tilborg所提出的私密金鑰d的安全邊界將可再擴大5位元。

In the RSA system, balanced modulus N denotes a product of two large prime numbers p and q, where q < p < 2q. Since Integer-Factorization is difficult, p and q are simply estimated as sqrt(N). In the Wiener attack, 2*sqrt(N) is adopted to be the estimation of p + q in order to raise the security boundary of private-exponent d. This work proposes a novel approach, called EPF, to determine the appropriate prime-factors of N. The estimated values are called “EPFs of N”, and are denoted as pE and qE. Thus pE and qE can be adopted to estimate p + q more accurately than by simply adopting 2*sqrt(N). In addition, we show that the Verheul and Tilborg’s extension of the Wiener attack can be considered to be brute-guessing for the MSBs of p + q. Comparing with their work, EPF can extend the Wiener attack to reduce the cost of exhaustive-searching for 2r + 8 bits down to 2r - 2 bits, where r depends on N and the private key d. The security boundary of private-exponent d can be raised 5 bits again over Verheul and Tilborg’s result.

[1] R. Rivest, A. Shamir, and L. Aldeman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, vol. 21, no. 2, pp. 120-126, 1978.
[2] H.-M. Sun and C.-T. Yang, "RSA with Balanced Short Exponents and Its Application to Entity Authentication," Proceeding of Public Key Cryptography 05 - PKC’05, LNCS 3386, Springer-Verlag, pp. 199-215, 2005.
[3] H.-M. Sun, W.-C. Yang, and C.-S. Laih, "On the Design of RSA with Short secret-exponent," Proceedings of Cryptology - ASIACRYPT'99, LNCS 1716, Springer-Verlag, pp. 150-164, 1999.
[4] D. Boneh and H. Shacham, "Fast Variants of RSA," CryptoBytes, vol. 5, no. 1, pp. 1-9, 2002.
[5] D. Boneh, "Twenty Years Attacks on the RSA Cryptosystem," Notices of the American Mathematical Society, vol. 46, no. 2, pp. 203-213, 1999.
[6] G. Durfee and P. Q. Nguyen, "Cryptanalysis of the RSA Schemes with Short Secret Exponent form Asiacrypt '99," Proceedings of Cryptology - ASIACRYPT'00, LNCS 1976, Springer-Verlag, pp. 1-11, 2000.
[7] B. de Weger, "Cryptanalysis of RSA with small prime difference," Applicable Algebra in Engineering, Communication and Computing, vol. 13, pp. 17-28, 2002.
[8] M. J. Wiener, "Cryptanalysis of RSA with short secret-exponents," IEEE Trans. on Information Theory, vol. 36, pp. 553-558, 1990.
[9] H.-S. Hong, H.-K. Lee, H.-S. Lee, and H.-J. Lee, "The better bound of private key in RSA with unbalanced primes," Applied Mathematics and Computation, vol. 139, pp. 351-362, 2003.
[10] D. Boneh and G. Durfee, "Cryptanalysis of RSA with private key d less than N0.292," IEEE Trans. on Information Theory, vol. 46, no. 4, pp. 1339-1449, 2000.
[11] E. Verheul and H. v. Tilborg, "Cryptanalysis of less short RSA secret-exponents," Applicable Algebra in Engineering, Communication and Computing, Vol. 8, Springer-Verlag, pp. 425-435, 1997.
[12] W. Diffie and M. E. Hellman, "New Directions in Cryptography," Proceedings of the AFIPS National Computer Conference, June 1976.
[13] W. Diffie and M. E. Hellman, "Multiuser Cryptographic Techniques," IEEE Transactions on Information Theory, November 1976.
[14] P. Ribenboim, The New Book of Prime Number Records: New York: Springer-Verlag, 1996.
[15] D. Boneh and R. Venkatesan, "Breaking RSA may not be equivalent to factoring," Advances in Cryptology-ASIACRYPT '98 (Lecture Notes in Computer Science), vol. 1233, pp. 59-71, 1998.
[16] I. Niven and H. S. Zuckerman, An Introduction to the Theory of Number: John Wiley and Sons Inc, 1991.
[17] D. E. Knuth, The art of computer programming, Seminumerical algorithms. 2 ed. vol. 2, 1981.