RSA attack - Open problem in Wiener's paper

From: yer mammy (yer_mammy_at_yahoo.com)
Date: 01/28/05 

Date: Thu, 27 Jan 2005 21:41:51 -0600

The following is posed as an open problem in M.J. Wiener's excellent
paper, "Cryptanalysis of Short RSA Secret Exponents" (published in 1989):

PROBLEM: Let <N, e> be an RSA public key with N = pq. Let d be the
corresponding RSA private exponent and write r1 = d mod (p-1) and r2 = d
mod (q-1). Then given only <N, e>, is there an efficient attack on RSA
if r1 and r2 are small and not equal?

Here an efficient attack on RSA could mean factoring N, or even just
obtaining the plaintext of some ciphertext in a reasonable amount of time.

The also excellent paper of Dan Boneh, "Twenty Years of Attacks on the
RSA Cryptosystem", and two papers that he co-authored, "Cryptanalysis of
RSA with Private Key d Less than N^(0.292)" and "Fast Variants of RSA"
mention the problem and state that there is an attack that factors N in
time O(min(sqrt(r1), sqrt(r2))).

QUESTION: Can anyone sketch a proof of this or give a reference to a
proof? Boneh does niether (maybe it's not that difficult and I'm just a
big dummy).