Cryptanalysis of an RSA variant with moduli N=prql

  • 1 The University of Tokyo, Tokyo, Japan
  • 2 Institute of Information Engineering, Beijing, P. R. China
  • 3 Indian Institute of Technology, Madras, India
Yao Lu, Liqiang Peng and Santanu Sarkar

Abstract

In this paper we study an RSA variant with moduli of the form N=prql (r>l2). This variant was mentioned by Boneh, Durfee and Howgrave-Graham []. Later Lim, Kim, Yie and Lee [] showed that this variant is much faster than the standard RSA moduli in the step of decryption procedure. There are two proposals of RSA variants when N=prql. In the first proposal, the encryption exponent e and the decryption exponent d satisfy ed1modpr-1ql-1(p-1)(q-1), whereas in the second proposal ed1mod(p-1)(q-1). We prove that for the first case if d<N1-(3r+l)(r+l)-2, one can factor N in polynomial time. We also show that polynomial time factorization is possible if d<N(7-27)/(3(r+l)) for the second case. Finally, we study the case when few bits of one prime are known to the attacker for this variant of RSA. We show that given min(lr+l,2(r-l)r+l)log2p least significant bits of one prime, one can factor N in polynomial time.

1 Introduction

Since the RSA public key cryptosystem has been proposed, this public key scheme is possibly the most studied topic in cryptology world. To achieve high efficiency in the decryption phase, many variants of RSA schemes have been proposed.

At Crypto 1997, Takagi [18] proposed an RSA-type cryptosystems using n-adic expansion. One important variant of RSA is multi-power RSA [19], proposed by Takagi in 1998. In multi-power RSA, the RSA modulus N is of the form N=prq, where r2. Compared to standard RSA, it is more efficient in both key generation and decryption. Besides, moduli of this type has been applied in many cryptographic designs, e.g., the Okamoto–Uchiyama cryptosystem [15], or better known via EPOC and ESIGN [21], which uses the modulus N=p2q.

At Indocrypt 2000, Lim, Kim, Yie and Lee [11] extended Takagi’s cryptosystem to include moduli of the form N=prql, where r,l2. They showed that the choice of either prqr+1, pr-1qr+1 or pr-2qr+2 is optimal under the assumption that the sum of exponents is fixed. For example, they claimed that 8192-bit RSA will be fifteen times faster than standard RSA if one takes N=p2q3. In Crypto 1999, Boneh, Durfee and Howgrave-Graham [2] also mentioned as an open problem to factor prql using lattice-based approach.

Surprisingly, there had been very little research into the security RSA-type schemes with moduli N=prql for r,l2. Therefore, it is important to investigate the safety parameters of their algorithm.

1.1 Related works

The security of this variant of RSA, like that of standard RSA, is based on the hardness of factoring large integers. Until now there is no known polynomial time algorithm to factorize large numbers except quantum algorithms. However, in a real-world implementation, partial information regarding the secret prime p can be leaked by side-channel attacks (known as factoring with known bits problem), hence it is crucial to study how this affects the factoring problem. In fact, there have been a number of results in this direction.

  1. For the case of standard RSA with modulus N=pq: In 1985, Rivest and Shamir [16] first studied this problem, they designed an algorithm to factor N given 23-fraction of the bits of p. In 1996, Coppersmith [3] improved this bound to 12. Note that for the above results, the unknown bits are within one consecutive block. The case of n(n2) blocks was first considered by Herrmann and May in [5].
  2. For the case of multi-power RSA with moduli N=prq (r2): In 1999, Boneh, Durfee and Howgrave-Graham [2] showed that N can be recovered efficiently given 1r+1-fraction of the most significant bits (MSBs) of p. In 2013, Lu, Zhang and Lin [12] considered the case of n(n2) blocks.

To speed up decryption, the small secret exponent d is often used in some cryptographic applications. However, it is well known that the RSA scheme is easily broken if the secret exponent d is too small (known as small secret exponent attack). In 1990, by utilizing the continued fraction method, Wiener [20] showed that the standard RSA scheme can be broken when dN0.25. Later, in 1999, Boneh and Durfee [1] improved Wiener’s bound to N0.292. Recently, in [6], Herrmann and May gave an elementary proof for the Boneh–Durfee’s bound, and in [9], Kunihiro, Shinohara and Izu also investigated this problem. However, N0.292 is still the best bound at present.

For the case of multi-power RSA, there exists two variants. In the first variant, ed1modpr-1(p-1)(q-1) while in the second variant, ed1mod(p-1)(q-1). For the first variant, in 1999, Takagi [19] showed that when the secret exponent dN1/(2(r+1)), one can factorize N. Later in 2004, May [14] improved Takagi’s bound to Nmax{r(r+1)-2,(r-1)2(r+1)-2}. Recently, Sarkar [17] used a lattice-based method to improve the previous bounds when r5. In [13], the authors further improved May’s bound to Nr(r-1)(r+1)-2, which is better than May’s result when r>2. For the second variant, in 2008, Itoh, Kunihiro and Kurosawa [8] showed that d can be recovered from if d<N(2-2)/(r+1).

1.2 Our contributions

In this paper,1 we analyze the security of RSA-type schemes with moduli N=prql, where r>l2 and gcd(r,l)=1. Admittedly, RSA-type schemes with moduli N=prql have very limited application. However, as rightly mentioned in [4] a significant fraction of cryptography is still based on RSA and so it is important to study these RSA-type moduli. Throughout the paper, we assume that q<p<2q, which means pq.

Small secret exponent attacks on RSA-type schemes with moduli N=prql.

Considering the form of the moduli N=prql, there are also two variants of encryption and decryption phases. In the first variant, e and d satisfy ed1modpr-1ql-1(p-1)(q-1). In the second variant, e and d satisfy ed1mod(p-1)(q-1). For these two variants, we give the analysis respectively.

For the equation ed1modpr-1ql-1(p-1)(q-1), we solve a small solution d of the modular equation ex-10modpr-1ql-1. We introduce a new technique to select more helpful polynomials which are used to construct a lattice. We show that when

d<N1-3r+l(r+l)2,

one can recover d in polynomial time. Note that when l=1, our result is the same as the result of [13].

For the equation ed1mod(p-1)(q-1), we solve a small solution (k,p,q) of the modular equation x(y-1)(z-1)+1=0mode, where k=ed-1(p-1)(q-1). By utilizing the property prql=N, we give a method of lattice construction and show that when

d<N7-273(r+l),

the small solution (k,p,q) can be found. Note that when l=1, our result is exactly the general bound of [8].

Factoring RSA moduli N=prql with partial known bits.

In the conclusion of Boneh, Durfee and Howgrave-Graham’s paper [2], the authors raised a question that whether one can generalize the factoring with partial known bits to the integers of the form N=prql. In this paper, we answered this question firmly that we only need a min(lr+l,2(r-l)r+l)-fraction of least significant bits (LSBs) of p in order to factor N in polynomial time. Independently, Coron, Faugère, Renault and Zeitoun [4] also studied this problem. We give a comparison with their method and give an improvement for certain parameters. Besides, we also extend to the case of the arbitrary number n (n2) of unknown blocks.

Experimental results.

To verify the correctness of our above attacks, we have performed the experiments in Magma 2.11 computer algebra system on a PC with Intel(R) Core(TM) Duo CPU (2.53 GHz, 1.9 GB RAM Windows 7). And the experimental results demonstrate that the performance of our algorithms is effective.

2 Preliminaries

Consider w linearly independent vectors 𝒃1,,𝒃wn. The set

={𝒃:𝒃=i=1wci𝒃i,c1,,cw}

is called an w-dimensional lattice with basis B={𝒃1,,𝒃w}. A lattice is of full rank when w=n and in this paper we only use such lattices. The determinant of L is defined as det()=det(M), where the rows of M are the vectors from B. When 𝒃1,,𝒃wn, the lattice is called an integer lattice.

In 1982, Lenstra, Lenstra and Lovász [10] proposed a polynomial time algorithm (known as LLL-Algorithm); let us first state the LLL-Algorithm.

Lemma 1 (LLL Algorithm).

Let L be a lattice of dimension w. Within polynomial time, LLL-Algorithm outputs a set of reduced basis vectors 𝐯i, 1iw, that satisfies

𝒗1𝒗2𝒗i2w(w-1)4(w+1-i)det()1w+1-i.

Let g(x1,,xk)=i1,,ikai1,,ikx1i1xkik. We define the norm of g by the Euclidean norm of its coefficient vector:

g2=i1,,ikai1,,ik2.

Also we need the following result due to Howgrave-Graham [7].

Lemma 2 (Howgrave-Graham).

Let g(x1,,xk)Z[x1,,xk] be an integer polynomial that consists of at most w monomials. Suppose that

  1. (i)g(y1,,yk)=0modem for |y1|X1,,|yk|Xk,
  2. (ii)g(x1X1,,xkXk)<emw.

Then g(y1,,yk)=0 holds over integers.

Suppose we have w(>k) polynomials b1,,bw in the variables x1,,xk such that

b1(y1,,yk)==bw(y1,,yk)=0modem

with

|y1|X1,,|yk|Xk.

Now we construct a lattice with the coefficient vectors of b1(x1X1,,xkXk),,bw(x1X1,,xkXk). After lattice reduction, we get k polynomials v1(x1,,xk),,vk(x1,,xk) such that

v1(y1,,yk)==vk(y1,,yk)=0modem

which correspond to first k vectors of the reduced basis. Also by the property of the LLL-Algorithm, we have

v1(x1X1,,xkXk)vk(x1X1,,xkXk)2w(w-1)4(w+1-k)det()1w+1-k.

Hence by Lemma 2, if

2w(w-1)4(w+1-k)det()1w+1-k<emw,

then we have v1(y1,,yk)==vk(y1,,kk)=0. Next we want to find y1,,yk from v1,,vk.

Although our technique works in practice as noted from the experiments we perform, we need a heuristic assumption for theoretical results.

Assumption 3.

The lattice-based construction yields algebraically independent polynomials. The common roots of these polynomials can be efficiently computed using the Gröbner basis technique.

We also use the following theorem [13].

Theorem 4.

Let N be a sufficiently large composite integer (of unknown factorization) with a divisor pr (pNβ and an integer r1). Let f(x1,,xn)Z[x1,,xn] be a linear polynomial in n variables. Under Assumption 3, we can find all the solutions (x10,,xn0) of the equation f(x1,,xn)=0modp with |x10|Nγ1,,|xn0|Nγn if

i=1nγi<1r(1-(1-rβ)n+1n-(n+1)(1-rβ)(1-1-rβn)).

The running time of the algorithm is polynomial in logN but exponential in n.

3 Small secret exponent attacks on RSA-type schemes with moduli N=prql

In this section we consider the situation when the secret exponent d is small.

3.1 The first variant

At first, we study the first variant of encryption and decryption phases: e and d satisfy

ed1modpr-1ql-1(p-1)(q-1).

Theorem 1.

For every ϵ>0, let N=prql, where r,l (r>l) are two known positive integers and p,q are primes of the same bit-size. Let e be the public key exponent and let d be the private key exponent satisfying ed1modϕ(N). Suppose that

d<N1-3r+l(r+l)2-ϵ.

Then N can be factored in polynomial time.

Proof.

Since ϕ(N)=pr-1ql-1(p-1)(q-1), we have the following equation:

ed-1=kpr-1ql-1(p-1)(q-1)for some k.

Then we want to find the root x0=d of the polynomial

f1(x)=ex-1modpr-1ql-1.

Multiplying the inverse of e modulo N, we can obtain the equation

f(x)=(E-x)modpr-1ql-1,

where E denotes the inverse of e modulo N. Note that N (N0modprql) is a known multiple of the unknown pr-1ql-1.

Since r>l, we define the following collection of polynomials:

gi(x):=fi(x)Nmax{0,(r-1)(t1-i)r,(l-1)(t2-i)l}

for i=0,,m and positive integer parameters m, t1 and t2 with t1=τ1m,t2=τ2m(0τ1,τ2<1), which will be optimized later. Note that for all i, gi(d)0mod(p(r-1)t1q(l-1)t2).

Let X(X=Nγ) be the upper bound on the desired root d. We built a lattice of dimension d=m+1 using the coefficient vectors of gi(xX) as basis vectors. We sorted the polynomials according to the ascending order of g, i.e., gi<gj if i<j.

From the triangular matrix of the lattice basis, we can compute the determinant as the product of the entries on the diagonal as det()=XsNsN. We can calculate s as

s=i=0mi=m(m+1)2.

The computation of sN is somewhat complicated. At first, we have t1<t2. Otherwise, since r>l, we have

(r-1)(t1-i)r(l-1)(t2-i)l

for i=0,,t1, in this case, we only consider the exponents of p. Therefore, we let t1<t2 to consider the exponents of p and q at the same time.

Define Δ as

Δ:=l(r-1)t1-r(l-1)t2r-l.

Note that Δ<t1<t2. In order to get Δ>0, we have to satisfy the condition

l(r-1)t1>r(l-1)t2

Notice that for i=0,1,,Δ-1, we have

(r-1)(t1-i)r>(l-1)(t2-i)l;

however, for i=Δ,Δ+1,,t2, we have

(r-1)(t1-i)r<(l-1)(t2-i)l.

Then we can calculate sN as

sN=i=0Δ-1(r-1)(t1-i)r+i=Δt2(l-1)(t2-i)l
=(r-1)(2t1Δ-Δ2)2r+(l-1)(t2-Δ)22l+Δ(r-1)2r+(t2-Δ)(l-1)2l+i=0t2ci.

Here we rewrite

(r-1)(t1-i)r=(r-1)(t1-i)r+ci

for i=0,,Δ-1, and

(l-1)(t2-i)l=(l-1)(t2-i)l+ci

for i=Δ,,t2, where ci[0,1).

Furthermore, we rewrite

Δ=l(r-1)t1-r(l-1)t2r-l+c,

where c[0,1); we have that

sN=(r-1)(l(r-1)t12-2r(l-1)t1t2+r(l-1)t22)2r(r-l)+c(r-l)-c2(r-l)+l(r-1)t12rl+i=0t2ci.

To obtain a polynomial with short coefficients that contains all small roots over integer, we apply the LLL-Basis Reduction Algorithm to the lattice . Lemma 1 gives us an upper bound on the norm of the shortest vector in the LLL-reduced basis; if the bound is smaller than the bound given in Lemma 2, we can obtain the desired polynomial. We require the following condition:

2ω-14ωdet()1ω<N(r-1)t1+(l-1)t2r+l,

where ω=m+1. When plug in the value for det() and ω, we have that

2m(m+1)4(m+1)m+12Xm(m+1)2<N(m+1)((r-1)t1+(l-1)t2)r+l-(r-1)(l(r-1)t12-2r(l-1)t1t2+r(l-1)t22)2r(r-l)-c(r-l)-c2(r-l)+l(r-1)t12rl-i=0t2ci.

To obtain the asymptotic bound, we let m grow to infinity. Note that for sufficiently large N the powers of 2 and m+1 are negligible. Thus we only consider the exponent of N. Then we obtain that

X<N2(r-1)τ1+2(l-1)τ2r+l-(r-1)(l(r-1)τ12-2r(l-1)τ1τ2+r(l-1)τ22)r(r-l)N(r-1)(l(r-1)τ12-2r(l-1)τ1τ2+r(l-1)τ22)(m+1)r(r-l)-c(r-l)-c2(r-l)m(m+1)rl-l(r-1)τ1(m+1)rl-2i=0t2cim(m+1),

where t1=τ1m and t2=τ2m.

Now we have to decide the optimized values of τ1 and τ2. We consider the exponent of N as a function h(τ1,τ2):

h(τ1,τ2)=2(r-1)τ1+2(l-1)τ2r+l-(r-1)(l(r-1)τ12-2r(l-1)τ1τ2+r(l-1)τ22)r(r-l).

Using hτ1(τ1,τ2)=0 and hτ2(τ1,τ2)=0, we have

l(r-1)(r+l)τ1-r(l-1)(r+l)τ2+r(l-r)=0,
(r-1)(r+l)τ1-(r-1)(r+l)τ2+r-l=0.

Solving the above equations, we get

τ1=r(r+l-2)(r+l)(r-1),τ2=1.

Putting the values of τ1 and τ2 into equation (3.1), we note that the condition is satisfied. Moreover, since i=0t2ci<t2+1, 1m21m and c-c2<14, inequality (3.2) can be reduced into,

X<N1-3r+l(r+l)2N-(15l+1)r4-(2l2-10l)r3-(l3-6l2+8l)r2+(2l3-12l2+6l)r+l4-4l3+l24(m+1)(r-l)(r+l)3.

We appropriate the terms m+1 by m, and obtain

X<N1-3r+l(r+l)2-(15l+1)r4-(2l2-10l)r3-(l3-6l2+8l)r2+(2l3-12l2+6l)r+l4-4l3+l24m(r-l)(r+l)3.

We can express how m depends on the error term ϵ:

m(15l+1)r4-(2l2-10l)r3-(l3-6l2+8l)r2+(2l3-12l2+6l)r+l4-4l3+l24ϵ(r-l)(r+l)3.

This concludes the proof of Theorem 1. ∎

Table 1 lists some theoretical and experimental results with 1000-bit N. In all experiments, we obtained an univariate integer equation with desired integer solution d. Thus we can obtain d.

Table 1

The first variant: experimental results for small d.

dim()=20dim()=40
(r,l)theoreticalexperimentaltime (in seconds)experimentaltime (in seconds)
(3,2)0.5600.52077.7510.5304433.798
(5,2)0.6530.60064.2570.6204177.972
(4,3)0.6940.65061.0590.6603209.409
(5,3)0.7190.65052.1200.6802894.411

3.2 The second variant

In the following we study the second variant of encryption and decryption phases: e and d satisfy

ed1mod(p-1)(q-1).

Theorem 2.

For every ϵ>0, let N=prql, where r,l (r>l) are two known positive integers and p,q are primes of the same bit-size. Let e be the public key exponent and let d be the private key exponent satisfying ed1mod(p-1)(q-1). Suppose that

d<N7-273(r+l)-ϵ.

Then N can be factored in polynomial time.

Proof.

Since ed-1=k(p-1)(q-1) for some k, we have the following modular equation:

f(x,y,z)=x(y-1)(z-1)+1mode.

Obviously, (k,p,q) is the desired solution. Then we have an estimation on the desired roots. Since N=prql and p,q are primes of the same bit-size, p and q can be estimated as N1r+l. Letting e=Nα, we have p,qe1α(r+l). Furthermore, let d<Nδ. Then k can be bounded as follows:

k=ed-1(p-1)(q-1)<2edpq<2e1+δα-2α(r+l).

Usually, α is chosen as 2r+l. In this case, we have p,qe12 and ker+l2δ. Let X(X=er+l2δ), Y(Y=e12) and Z(Z=e12) be the upper bounds of desired roots (p,q,k). In order to get desired solution, we define a list G of polynomials sharing the desired root modulo em,

gi,j,k,b(x,y,z)=xiyjzkf(x,y,z)bem-b.

To make the matrix triangular whose vectors are corresponding to the coefficients of polynomials, we need to append polynomials to list G as following ordered,

G=[] for u=0 to m for i=0 to u-1 do for j=0 to 1 do append gu-i,j,0,i to G for j=r-1 to 1 do append gu-i,j,1,i to G for j=l-1 to 1 do append gu-i,r,j,i to G for u=0 to m do for j=0 to s do append g0,j,0,u to G for i=l-1 in 1 do append g0,r+j,i,u to G for k=1 to t do for j=r-1 to 0 do append g0,j,k,u to G return G

where each occurrence of yrzl is replaced by N since N=prql, m,s,t are non-negative integers.

Then we construct a lattice 1 which is spanned by the coefficient vectors of gi,j,k,l(xX,yY,zZ). By some calculations, the determinant of 1 is det(1)=XSxYSyZSzeSe, where

Sx=(2r+2l+3τr+3σl6)m3+(r+2l+τr+σl2)m2+(r+4l6)m,
Sy=(l+3σl+3σ2l6)m3+(r2+2τr2+2rl+4σrl-3r+2l-2τr-4σr+2σ2l+4σl4)m2
+(3r2+6τr2+18rl+12σrl-21r+4l-6τr-12σr+6σl12)m-(r-rl),
Sz=(r+3τr+3τ2r6)m3+(l2+2σl2+2r-l+2τ2r+4τr-2σl4)m2
+(9l2+6σl2+4r-9l+6τr-6σl12)m+(l2-l2),
Se=(2r+2l+3τr+3σl6)m3+(r+2l+τr+σl2)m2+(r+4l6)m,

with s=σm and t=τm. On the other hand,

dim(1)=(r+l+2τr+2σl2)m2+(r+3l+2τr+2σl2)m+l.

Since there are three unknown variables, based on Lemma 1 and Lemma 2, one can obtain three polynomial equations which share the roots (k,p,q) over integers when

2dim(1)(dim(1)-1)4(dim(1)-2)(XSxYSyZSzeSe)1dim(1)-2<emdim(1).

Putting the upper bounds and the value of dim(1) into the above inequality and neglecting the terms that do not depend on N, we obtain that

e(r+l)δ2<em(dim(1)-2)-12(Sy+Sz)-SeSx,

or equivalently,

(r+l)δ2<m(dim(1)-2)-12(Sy+Sz)-SeSx.

Setting σ=τ, moreover, since m<m2, 0τ1 and l<r, the left side of the above inequality can be bounded by

(r+l)(1+3τ-3τ2)12m3-(2τ+1)r2+(2τ2-6τ+2l+4τl-1)r-3l-2τl+2τl2+l2+2τ2l8m2(r+l)(2+3τ)6m3+r+2l+τr+τl2m2+r+4l6m
-(6τ+3)r2-(13+12τ-18l-12τl)r+9l2+6τl2-17l+4824m+(2r+l)(l-1)4(r+l)(2+3τ)6m3+r+2l+τr+τl2m2+r+4l6m
<(r+l)(1+3τ-3τ2)12m3-(2τ+1)r2+(2τ2-6τ+2l+4τl-1)r-3l-2τl+2τl2+l2+2τ2l8m2(r+l)(2+3τ)6m3
=1+3τ-3τ22(2+3τ)-3((2τ+1)r2+(2τ2-6τ+2l+4τl-1)r-3l-2τl+2τl2+l2+2τ2l)4(r+l)(2+3τ)m
<1+3τ-3τ22(2+3τ)-3(r2+2rl+l2-7r-5l)20(r+l)m.

Putting an optimized value for τ, which is τ=7-23, into the above inequality, we obtain

7-276-3(r2+2rl+l2-7r-5l)20(r+l)m.

Then we have

δ<7-273(r+l)-3(r2+2rl+l2-7r-5l)10(r+l)2m.

The relation between the error term ϵ and m can be expressed as

m3(r2+2rl+l2-7r-5l)10(r+l)2ϵ.

This concludes the proof of Theorem 2. ∎

Table 2 lists some theoretical and experimental results. In all experiments, we obtained several integer equations which share desired roots and successfully obtained the roots by using Gröbner basis technique.

Table 2

The second variant: experimental results for small d.

dim(1)=81dim(1)=148
(r,l)log2Ntheoretical dexperimental dtime of L3 (in seconds)experimental dtime of L3 (in seconds)
(3,2)2000200 bits29 bits35.35071 bits2573.002
(3,2)3000300 bits47 bits103.600110 bits5197.392

4 Factoring RSA moduli N=prql with partial known bits

In this section, we assume that we are given the number of k LSBs of p: p~=pmod2k. Our goal is to determinate the minimal amount of bits of p that one has to know in order to factor N in polynomial time. Below we present two methods to solve this problem.

4.1 The attack modulo p

The above problem can be reduced to solve modular univariate polynomial equation

f(x)=p~+2kx=0modp.

We can apply Theorem 4 with n=1, β=1r+l. Therefore, we can find all root y if

|y|Nr(r+l)2.

When l=1, the bound

Nr(r+l)2=Nr(r+1)2=prr+1.

This bound is exactly the same as in [2]. As Nr(r+l)2=prr+l, the attacker has to guess (1-rr+l)log2p=lr+llog2p LSBs of p. Thus the total complexity to factor N=prql is 2(lr+llog2p)P(logN), where P is a polynomial. This method is very suitable for the case of rl.

4.2 The attack modulo pq

Let us start with the following lemma.

Lemma 1.

For a given integer k, consider the modular function f(x)=xwmod2k whose domain is the set {1,3,,2k-1}. When w is odd and x0wamod 2k, then one can get x0.

Proof.

Since the domain of f(x) is {1,3,,2k-1}, the range of f(x) is also {1,3,,2k-1}. On the other hand, assume that x1,x2{1,3,,2k-1} and x1wx2w(mod 2k). Then we can obtain that 2kx1w-x2w, namely 2k(x1-x2)(x1w-1+x1w-2x2++x2w-1). Since x1,x2,w are odd integers, x1w-1+x1w-2x2++x2w-1 is odd and x1-x2{-2k+2,2k-2}. Then one can get that x1=x2, namely f(x) is bijective.

Above all, the solution x0 is unique and it can be obtained as

x0aw-1mod 2k-1mod 2k.

This concludes the proof of Lemma 1. ∎

We rewrite N by N=(pq)lpr-l. Notice that at least one of r and l must be odd; we may assume without loss of generality that l is odd. Suppose that we have k LSBs of p and let us denote it as p~. So p~=pmod2k. Thus ql=N(p~r)-1modN. Then by Lemma 1 we can calculate the number of k LSBs of q: q~=qmod2k. Using p~ and q~, we can get the number of k LSBs of pq: c=p~q~mod2k. Now we reduce the above problem to solve a modular univariate polynomial equation

f(x)=c+2kx=0modpq.

Now apply Theorem 4 with n=1, β=2r+l. Then we can find y if

|y|N4l(r+l)2.

After we get the value of pq, we can calculate

pr-l=N(pq)l.

Then we can get p. Since N4l(r+l)2=(pq)2lr+l, the attacker has to guess

(1-2lr+l)log2pq=r-lr+llog2pq=2(r-l)r+llog2p

LSBs of p. Thus the total complexity to the factor N=prql is 2(2(r-l)r+llog2p)P(logN), where P is a polynomial. This method is very suitable for the case of rl.

Comparison between the two methods.

In the first method, the attacker has to guess lr+llogp bits whereas in the second method it is required to guess 2(r-l)r+llogp bits. Since lr+l<2(r-l)r+l if 2r>3l, our first attack (modulo p) is superior to our second attack (modulo pq) in the case 2r>3l.

We present our bounds min(lr+l,2(r-l)r+l) in Figure 1. In Table 3, we give some experimental results of the above two methods.

Figure 1
Figure 1

Our bounds for different r,l.

Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0025

Table 3

Factoring N with partial known bits of p.

attack modulo pattack modulo pq
(r,l)log2Nlog2ptheo.expt.dim.time (sec.)theo.expt.dim.time (sec.)
(3,2)25005002002602119.09520026021760.661
(3,2)250050020023041832.9832002304142447.935
(5,2)35005001432602121.85642921
(5,2)3500500143200411205.5914294974186495.347
(5,4)45005002233302132.245112260214018.133
(5,4)4500500223280411413.46311223041163533.305

4.3 Comparison with the work of Coron, Faugère, Renault and Zeitoun

Independently, Coron, Faugère, Renault and Zeitoun [4] also studied this problem; they showed that N=prql can be factored in polynomial time when r or l is at least (logp)3. In the following remark, we will briefly discuss their idea. Moreover, based on an observation of the short vectors in a two-dimensional lattice which has been introduced in [4], we further improved Coron–Faugère–Renault–Zeitoun’s bound for the moduli with form of N=prql, where r=2k+1,l=k+1 and k+.

In [4, p. 5], for the modulus N=prql, r and l are first expressed as r=uα+a and l=uβ+b, where the integers u,α,β,a,b should satisfy certain conditions. To find such integers, it is required to apply the LLL-Algorithm on the two-dimensional lattice which is spanned by the row vectors of the following matrix:

(r13-l0r).

After lattice reduction, suppose that the short vector is v=(r13α,-lα+rβ) for some β. Now if β=0 or rαlβ, u is taken as rα. On the other hand if β0 and rα>lβ, u is set as rα. Finally, a is taken as r-uα and b is taken as l-uβ. It has been proved in [4, Lemma 1] that either both a,b0 or a,b0.

  1. First suppose that both a,b0. Now N can be expressed as N=prql=puα+aquβ+b=PuQ, where P=pαqβ and Q=paqb. It has been proved in [4, p. 18] that to factor N=PrQ in polynomial time, the attacker has to guess cu+c many bits of P to find P, where Q<Pc. Thus if a,b0, it is required to guess cu+clogP many bits of P. Here we can take c=a+bα+β as Ppα+β and Qpa+b. Thus in this case the attacker has to guess a+b(α+β)u+a+b(α+β)logp many bits.
  2. Next suppose that a,b0. Now express N=PuQ, where P=pαqβ and Q=p-aq-b. In this case it has been proved in [4, p. 8] that the attacker has to search over [0,2Q1u]. So the required guess in this case will be approximately -(a+b)ulogp bits.

Although in most of the cases the bounds of [4] may found the optimal expressions of N=prql, for some values of r,l they could not give the best bound. For example, based on Coron–Faugère–Renault–Zeitoun’s method, the modulus N of the form p2k+1qk+1, k2, should be expresses as N=PkQ, where P=p2q and Q=pq; however, when we express N in the form Pk+1Q, where P=p2q and Q=p, the less number of known bits is required to factor N.

More specifically, for the modulus of the form N=p2k+1qk+1, it is required in [4] to apply the LLL-Algorithm on the lattice which is spanned by the row vectors of the following matrix:

((2k+1)13-(k+1)02k+1).

It is easily checked that λ1()=(2(2k+1)13,-1) and λ2()=((2k+1)13,k), where the minima λi() denotes the i-th minimum of lattice .

According to λ1(), we have that α=2,β=1. Furthermore, since 2k+1α=kk+1β, based on Coron–Faugère–Renault–Zeitoun’s method [4], u is taken as 2k+1α=k. Furthermore, the modulus N should be expressed as PkQ, where P=p2q and Q=pq. Moreover, for the second shortest vector λ2(), the modulus N will be expressed as P2k+1Q, where P=pq and Q=qk.

Then for the first expression of N, it is required to guess 63k+2logp bits. And for the second expression, the number of required known bits is k2k+1logp bits of p.

Based on our two methods of Section 3.1 and Section 3.2, the number of known LSBs of p which is required to factor N=p2k+1qk is

min(k+12k+1+k+1,2(2k+1-(k+1))2k+1+k+1)=k+13k+2.

However, when we express N as Pk+1Q, where P=p2q and Q=p, in this case the attacker has to search over [0,2p1k+1]. Namely, the required guess in this case will be approximately 1k+1logp bits.

Actually, there does not exist any vector in the two-dimensional which will express N=p2k+1qk as Pk+1Q, where P=p2q and Q=p. Since according to Coron–Faugère–Renault–Zeitoun’s method [4], if one wants to express N=p2k+1qk as Pk+1Q, where P=p2q and Q=p, one should have that α=2, β=1 and u=k+1. However, for α=2 and β=1, we have 2k+1αk+1β; then u should be taken as 2k+1α=k, which contradicts u=k+1.

Thus in general, the Coron–Faugère–Renault–Zeitoun approach cannot give optimal u,α,β. For r20 and 2l<r, we search exhaustively to find optimal u,α,β. Optimal bounds are presented in Figure 2.

Figure 2
Figure 2

Optimal bound for some values of r,l.

Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0025

4.4 Extend to more unknown blocks

We also consider the case of the number of n (n2) unknown blocks.

Theorem 2.

Let N=prql, where p and q are of equal length. Suppose that a lrln(r+ll)-fraction of the bits is known for n blocks in p (n is large). Then, under Assumption 3, we can recover p. The running time of the algorithm is polynomial in logN but exponential in n.

Proof.

We can reduce the above problem to solve the following multivariate linear polynomial equation:

f(x1,x2,,xn)=a0+a1x1+a2x2++anxn=0modp,

where ak=2l if the k-th unknown blocks start on the l-th bit position. Moreover, if n goes to infinity, from Theorem 4, we have

limn(1r(1-(1-rβ)n+1n-(n+1)(1-rβ)(1-1-rβn)))=β+(1-rβ)ln(1-rβ)r.

It shows that if n is very large, we can recover p regardless of n. Conversely, once a (1-1rβ)ln(1-rβ) portion of the bits from p together with their positions are given, we are able to recover the missing bits. Suppose that |p|=|q|, i.e. β=1r+l. Then we need a

(1-1rβ)ln(1-rβ)=(1-r+lr)ln(1-rr+l)=-lrln(lr+l)=lrln(r+ll)

portion of known bits from p. ∎

Note that for l=1, this is exactly the result of [12].

5 Conclusion

In this paper, we have considered the RSA variant with moduli of the form N=prql, where r>l2, and we have given some cryptanalytic results for this kind of RSA variant. For the small secret exponent attacks, we have two cases of encryption and decryption exponents: ed1modpr-1ql-1(p-1)(q-1) and ed1mod(p-1)(q-1). For these two cases, we have given the lattice-based attacks and obtained the upper bounds of decryption exponents d such that d can be recovered in polynomial time. Then we have presented the partial known bits attacks and successfully factored N=prql when least significant bits of one prime are known.

References

  • [1]

    D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than N 0.292 {{{N}}^{0.292}}, IEEE Trans. Inform. Theory 46 (2000), no. 4, 1339–1349.

  • [2]

    D. Boneh, G. Durfee and N. Howgrave-Graham, Factoring N = p r q {{N}=p^{r}q} for large r, Advances in Cryptology – CRYPTO 1999, Lecture Notes in Comput. Sci. 1666, Springer, Berlin (1999), 787–787.

  • [3]

    D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptologyy 10 (1997), no. 4, 233–260.

  • [4]

    J. S. Coron, J. C. Faugère, G. Renault and R. Zeitoun, Factoring N = p r q s {{N}=p^{r}q^{s}} for large r and s, Topics in Cryptology – CT-RSA 2016, Lecture Notes in Comput. Sci. 9610, Springer, Berlin (2016), 448–464; https://eprint.iacr.org/2015/071.

  • [5]

    M. Herrmann and A. May, Solving linear equations modulo divisors: On factoring given any bits, Advances in Cryptology – ASIACRYPT 2008, Lecture Notes in Comput. Sci. 5350, Springer, Berlin (2008), 406–424.

  • [6]

    M. Herrmann and A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, Public Key Cryptography – PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 53–69.

  • [7]

    N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Crytography and Coding – IMACC 1997, Lecture Notes in Comput. Sci. 1355, Springer, Berlin (1997), 131–142.

  • [8]

    K. Itoh, N. Kunihiro and K. Kurosawa, Small secret key attack on a variant of RSA (due to Takagi), Topics in Cryptology – CT-RSA 2008, Lecture Notes in Comput. Sci. 4964, Springer, Berlin (2008), 387–406.

  • [9]

    N. Kunihiro, N. Shinohara and T. Izu, A unified framework for small secret exponent attack on RSA, Selected Areas in Cryptography – SAC 2011, Lecture Notes in Comput. Sci. 7118, Springer, Berlin (2012), 260–277.

  • [10]

    A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534.

  • [11]

    S. Lim, S. Kim, I. Yie and H. Lee., , Progress in Cryptology – INDOCRYPT 2000, Lecture Notes in Comput. Sci. 1977, Springer, Berlin (2000), 283–294.

  • [12]

    Y. Lu, R. Zhang and D. Lin, Factoring multi-power RSA modulus N = p r q {{N}=p^{r}q} with partial known bits, Information Security and Privacy – ACISP 2013, Lecture Notes in Comput. Sci. 7959, Springer, Berlin (2013), 57–71.

  • [13]

    Y. Lu, R. Zhang, L. Peng and D. Lin, Solving linear equations modulo unknown divisors: revisited, Advances in Cryptology – ASIACRYPT 2015, Lecture Notes in Comput. Sci. 9452, Springer, Berlin (2015), 189–213; https://eprint.iacr.org/2014/343.

  • [14]

    A. May, Secret exponent attacks on RSA-type schemes with moduli N = p r q {N=p^{r}q}, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 218–230.

  • [15]

    T. Okamoto and S. Uchiyama, A new public-key cryptosystem as secure as factoring, Advances in Cryptology – EUROCRYPT 1998, Lecture Notes in Comput. Sci. 1403, Springer, Berlin (1998), 308–318.

  • [16]

    R. Rivest and A. Shamir, Efficient factoring based on partial information, Advances in Cryptology – EUROCRYPT 1985, Lecture Notes in Comput. Sci. 219, Springer, Berlin (1986), 31–34.

  • [17]

    S. Sarkar, Small secret exponent attack on RSA variant with modulus N = p r q {N=p^{r}q}, Des. Codes Cryptogr. 73 (2014), no. 2, 383–392.

  • [18]

    T. Takagi, Fast RSA-type cryptosystems using n-adic expansion, Advances in Cryptology – CRYPTO 1997, Lecture Notes in Comput. Sci. 1294, Springer, Berlin (1997), 372–384.

  • [19]

    T. Takagi, Fast RSA-type cryptosystem modulo p k q {p^{k}q}, Advances in Cryptology – CRYPTO 1998, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 318–326.

  • [20]

    M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553–558.

  • [21]

    The EPOC and the ESIGN Algorithms, IEEE P1363: Protocols from other families of Public-Key algorithms, 1998, http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html.

Footnotes

1

This is a thoroughly revised and extended version of the paper “Cryptanalysis of an RSA variant with moduli N=prql” that has been presented at WCC 2015, April 13–17, 2015, Paris, France. There is no formal proceedings for WCC 2015. Section 4.3 of this paper is the additional contribution that was not appeared in the workshop version.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1]

    D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than N 0.292 {{{N}}^{0.292}}, IEEE Trans. Inform. Theory 46 (2000), no. 4, 1339–1349.

  • [2]

    D. Boneh, G. Durfee and N. Howgrave-Graham, Factoring N = p r q {{N}=p^{r}q} for large r, Advances in Cryptology – CRYPTO 1999, Lecture Notes in Comput. Sci. 1666, Springer, Berlin (1999), 787–787.

  • [3]

    D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptologyy 10 (1997), no. 4, 233–260.

  • [4]

    J. S. Coron, J. C. Faugère, G. Renault and R. Zeitoun, Factoring N = p r q s {{N}=p^{r}q^{s}} for large r and s, Topics in Cryptology – CT-RSA 2016, Lecture Notes in Comput. Sci. 9610, Springer, Berlin (2016), 448–464; https://eprint.iacr.org/2015/071.

  • [5]

    M. Herrmann and A. May, Solving linear equations modulo divisors: On factoring given any bits, Advances in Cryptology – ASIACRYPT 2008, Lecture Notes in Comput. Sci. 5350, Springer, Berlin (2008), 406–424.

  • [6]

    M. Herrmann and A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, Public Key Cryptography – PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 53–69.

  • [7]

    N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Crytography and Coding – IMACC 1997, Lecture Notes in Comput. Sci. 1355, Springer, Berlin (1997), 131–142.

  • [8]

    K. Itoh, N. Kunihiro and K. Kurosawa, Small secret key attack on a variant of RSA (due to Takagi), Topics in Cryptology – CT-RSA 2008, Lecture Notes in Comput. Sci. 4964, Springer, Berlin (2008), 387–406.

  • [9]

    N. Kunihiro, N. Shinohara and T. Izu, A unified framework for small secret exponent attack on RSA, Selected Areas in Cryptography – SAC 2011, Lecture Notes in Comput. Sci. 7118, Springer, Berlin (2012), 260–277.

  • [10]

    A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534.

  • [11]

    S. Lim, S. Kim, I. Yie and H. Lee., , Progress in Cryptology – INDOCRYPT 2000, Lecture Notes in Comput. Sci. 1977, Springer, Berlin (2000), 283–294.

  • [12]

    Y. Lu, R. Zhang and D. Lin, Factoring multi-power RSA modulus N = p r q {{N}=p^{r}q} with partial known bits, Information Security and Privacy – ACISP 2013, Lecture Notes in Comput. Sci. 7959, Springer, Berlin (2013), 57–71.

  • [13]

    Y. Lu, R. Zhang, L. Peng and D. Lin, Solving linear equations modulo unknown divisors: revisited, Advances in Cryptology – ASIACRYPT 2015, Lecture Notes in Comput. Sci. 9452, Springer, Berlin (2015), 189–213; https://eprint.iacr.org/2014/343.

  • [14]

    A. May, Secret exponent attacks on RSA-type schemes with moduli N = p r q {N=p^{r}q}, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 218–230.

  • [15]

    T. Okamoto and S. Uchiyama, A new public-key cryptosystem as secure as factoring, Advances in Cryptology – EUROCRYPT 1998, Lecture Notes in Comput. Sci. 1403, Springer, Berlin (1998), 308–318.

  • [16]

    R. Rivest and A. Shamir, Efficient factoring based on partial information, Advances in Cryptology – EUROCRYPT 1985, Lecture Notes in Comput. Sci. 219, Springer, Berlin (1986), 31–34.

  • [17]

    S. Sarkar, Small secret exponent attack on RSA variant with modulus N = p r q {N=p^{r}q}, Des. Codes Cryptogr. 73 (2014), no. 2, 383–392.

  • [18]

    T. Takagi, Fast RSA-type cryptosystems using n-adic expansion, Advances in Cryptology – CRYPTO 1997, Lecture Notes in Comput. Sci. 1294, Springer, Berlin (1997), 372–384.

  • [19]

    T. Takagi, Fast RSA-type cryptosystem modulo p k q {p^{k}q}, Advances in Cryptology – CRYPTO 1998, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 318–326.

  • [20]

    M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553–558.

  • [21]

    The EPOC and the ESIGN Algorithms, IEEE P1363: Protocols from other families of Public-Key algorithms, 1998, http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html.

OPEN ACCESS

Journal + Issues

JMC is a forum for original research articles in the area of mathematical cryptology. Works in the theory of cryptology and articles linking mathematics with cryptology are welcome. Submissions from all areas of mathematics significant for cryptology are published, including but not limited to, algebra, algebraic geometry, coding theory, combinatorics, number theory, probability and stochastic processes.

Search