Abstract

We show that if the private exponent d used in the RSA (Rivest-Shamir-Adleman (1978)) public-key cryptosystem is less than N/sup 0.292/ then the system is insecure. This is the first improvement over an old result of Wiener (1990) showing that when d is less than N/sup 0.25/ the RSA system is insecure. We hope our approach can be used to eventually improve the bound to d less than N/sup 0.5/.