Cryptanalysis of RSA with private key d less than N0.292

Authors: D. Boneh and G. Durfee

We show that if the private exponent d used in the RSA system is less than N0.292 then the system is insecure. This is the first improvement of an old result of Wiener showing that when d < N0.25 RSA is insecure. We hope our approach can be used to eventually improve the bound to d < N0.5.

IEEE Transactions on Information Theory, Vol 46, No. 4, pp. 1339--1349, July 2000
Extended abstract in proceedings of Eurocrypt 1998

Full paper: PostScript         [first posted 10/2000 ]