A well-known attack on RSA with low secret-exponent d was given by Wiener about 15 years ago. Wiener showed that using continued fractions, one can efficiently recover the secret-exponent d from the public key (N, e) as long as d < N1/4 . Interestingly, Wiener stated that his attack may sometimes also work when d is slightly larger than N1/4 . This raises the question of how much larger d can be: could the attack work with non-negligible probability for d = N1/4+ρ for some constant ρ > 0? We answer this question in the negative by proving a converse to Wiener’s result. Our result shows that, for any fixed > 0 and all sufficiently large modulus lengths, Wiener’s attack succeeds with negligible probability over a random choice of d < Nδ (in an interval of size Ω(Nδ )) as soon as δ > 1/4 + . Thus Wiener’s success bound d < N1/4 for his algorithm is essentially tight. We also obtain a converse result for a natural class of extensions of the Wiener attack, w...