A well-known attack on RSA with low secret-exponent d was given by Wiener in 1990. Wiener showed that using the equation ed - (p - 1)(q - 1)k = 1 and continued fractions, one can efficiently recover the secret-exponent d and factor N = pq from the public key (N,e) as long as d < 1/3N~(1/4). In this paper, we present a generalization of Wiener's attack. We show that every public exponent e that satisfies eX -(p - u)(q - v)Y = 1 with 1 ≤ Y < X < 2~(-1/4)N~(1/4), |u|展开▼