我們討論RSA 密碼體系在低指數私鑰時的安全性。首先介紹
RSA 的定義與加解密方式。接著是本篇的第一種攻擊法Wiener’s
Attack 的運作。以Wiener’s Attack 作為啟發，第二個要介紹的是
Dan Boneh & Glenn Durfee 所提出的改良，他們將Wiener 的結果
加以優化。Dan Boneh & Glenn Durfee 同時也提出一個新的RSA 攻
擊法。而在最後的小節裡，會給出一些建議以避免這些低指數攻擊法。

We discuss the security of RSA cryptosystem with low-exponent pri-
vate key. Firstly, we give a brief de nition for RSA. Sencondly, we
show how does Wiener's Attack work. An improvement of the result of
Wiener's Attack is given by Dan Boneh & Glenn Durfee in 2000. They
propose a di erent view for RSA cryptosystem. Some suggestions for
avoiding these attacks are include in the last section.

[1] C. Henri. A course in computational algebraic number theory. Springer, 2000.
[2] D. Boneh and G. Durfee. Cryptanalysis of RSA with private key d less than N0:292.IEEE
Transactions on Information Theory, vol. 46, no. 4, pp.1339-1349,2000.
[3] D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities.
Journal of Cryptology, vol.10, pp.233-260, 1997.
[4] D. Micciancio and S. Goldwasser. Springer, 2002
[5] D. R. Stinson. Cryptography: Theory and Practice Third Edition. Chapman & Hall, United
States, 2005.
[6] M. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information
Theory, vol. 36, no. 3 , pp.553-558, 1990.
[7] N. Howgrave-Graham. Finding small roots of univariarte modular equations revisted. In proceedings
Cryptography and Coding, Lecture Notes in Computer Science, vol. 1355, Springer-
Verlag, pp.131-142, 1997.
[8] R.Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and publickey
cryptosystems. Communications of the ACM, vol. 21, no. 2, pp.120-126,1978.