An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

Transcription

1 Article An Attack Bound for Sall Multiplicative Inverse of ϕn) od e with a Coposed Prie Su p + q Using Sublattice Based Techniques Pratha Anuradha Kaeswari * and Labadi Jyotsna Departent of Matheatics, Andhra University, Visakhapatna, Andhra Pradesh , India; srkjyotsna@gailco * Correspondence: panuradhakaeswari@yahooin or drpakaeswari@andhrauniversityeduin; Tel: Received: 8 July 208; Accepted: Noveber 208; Published: 22 Noveber 208 Abstract: In this paper, we gave an attack on RSA Rivest Shair Adlean) Cryptosyste when ϕn) has sall ultiplicative inverse odulo e and the prie su p + q is of the for p + q = 2 n k 0 + k, where n is a given positive integer and k 0 and k are two suitably sall unknown integers using sublattice reduction techniques and Coppersith s ethods for finding sall roots of odular polynoial equations When we copare this ethod with an approach using lattice based techniques, this procedure slightly iproves the bound and reduces the lattice diension Eploying the previous tools, we provide a new attack bound for the deciphering exponent when the prie su p + q = 2 n k 0 + k and perfored an analysis with Boneh and Durfee s deciphering exponent bound for appropriately sall k 0 and k Keywords: RSA; Cryptanalysis; lattices; LLL Lenstra Lenstra Lovász) algorith; Coppersith s ethod JEL Classification: T7; 94A60 Introduction RSA Cryptosyste [] is the first public key cryptosyste invented by Ronald Rivest, Adi Shair and Leonard Adlean in 977 The priary paraeters in RSA are the odulus N = pq, which is the product of two large distinct pries, a public exponent e such that gcde, ϕn)) = and a private exponent d, the ultiplicative inverse of e odulo ϕn) In this syste the encryption and decryption are based on the fact that for any essage in Z N, ed = od N The security of this syste depends on the difficulty of finding factors of a coposite positive integer, which is a product of two large pries In 990, M J Wiener [2] was the first one to describe a cryptanalytic attack on the use of short RSA deciphering exponent d This attack is based on continued fraction algorith which finds the fraction d t ed, where t = ϕn) in a polynoial tie when d is less than N025 for N = pq and q < p < 2q Using lattice reduction approach based on the Coppersith techniques [3] for finding sall solutions of odular bivariate integer polynoial equations, D Boneh and G Durfee [4] iproved the wiener result fro N 025 to N 0292 in 2000 and J Blöer and A May [5] has given an RSA attack for d less than N 029 in 200, which requires lattices of diension saller than the approach by Boneh and Durfee In 2006, E Jochesz and A May [6], described a strategy for finding sall odular and integer roots of ultivariate polynoial using lattice-based Coppersith techniques and by ipleenting this strategy they gave a new attack on an RSA variant called coon prie RSA In the paper [7], first we described an attack on RSA when ϕn) has sall ultiplicative inverse k of odulo e, the public encryption exponent by using lattice and sublattice based techniques Cryptography 208, 2, 36; doi:03390/cryptography wwwdpico/journal/cryptography

2 Cryptography 208, 2, 36 2 of 5 Let N = pq, q < p < 2q, p q = N β and e = N α > p + q As e, ϕn)) =, there exist unique r, s such that p )r od e) and q )s od e) For k = rsod e), kϕn) od e) and define gx, y) = xy + B) where B = N + 2 N Then the pair x 0, y 0 ) = k, p + q) 2 N )) is a solution for the odular polynoial equation gx, y) 0od e) Now applying the lattice based techniques given by Boneh-Durfee in [4] using x, y shifts and using only x shifts to the above odular polynoial equation, we get the attack bounds for δ, k N δ are δ < 3α+β 2 β3α+β) 3 and δ < α β 2, respectively Also, we iproved the bound for δ up to α αβ by ipleenting the sublattice based techniques given by Boneh and Durfee in [4] under the condition δ > α β + α) and iproved the bound for δ up to δ < 2α 6β+2 α 2 αβ+4β 2 5 by ipleenting the sublattice based techniques with lower diension given by J Blöer and A May in [5]; this bound is slightly less than the above bound but this ethod requires lattices of saller diension than the above ethod All these attack bounds are depending on the prie difference p q = N β and α αβ is the axiu upper bound for δ Later in paper [7], we described that, for β 05, the axiu bound for δ ay be iproved if the prie su p + q is in the for of the coposed su p + q = 2 n k 0 + k where n is a given positive integer and k 0 and k are two suitably sall unknown integers Define the polynoial congruence f x, y, z) 0ode) for where 2 n f x, y, z) = { N + )x + xy + 2 n )xz if k 0 k 2 n xn + ) + xy + 2 n xz 2 n if k k 0 is an inverse of 2 n od e By using lattice based techniques to the above polynoial 48α γ )γ γ2 2 congruence, the attack bound for δ is such that δ < 2 α 2 γ + 6 γ 2 6 where N γ, N γ 2 are the upper bounds for ax{ k 0, k }, in{ k 0, k } respectively Now, in this paper, we slightly iproved the above bound by using the sub-lattice based techniques given by J Blöer, A May in [5] to the above polynoial congruence and this ethod requires lattice of saller diension than the above ethod The new bound on δ is 2 α 2 γ 6 6α γ )γ 2 + 3γ2 2 and showed that this is a little bit greater than the forer bound graphically Note that this new attack bound is also an attack bound for the deciphering exponent d 2 Preliinaries In this section we state basic results on lattices, lattice basis reduction, Coppersith s ethod and Howgrave-Graha theore that are based on lattice reduction techniques Definition Let b, b 2,, b n R be a set of linearly independent vectors The lattice L generated by b, b 2,, b n is the set of linear cobinations of b, b 2,, b n with coefficients in Z A basis for L is any set of independent vectors that generates L The diension of L is the nuber of vectors in a basis for L Definition 2 Let L be a lattice of diension n and let b, b 2,, b n be a basis for L The fundaental doain for L corresponding to this basis is the set [8] Fb, b 2,, b n ) = {t b + t 2 b t n b n : 0 t i < } Definition 3 Let L be a lattice of diension n and let F be a fundaental doain for L Then the n-diensional volue of F is called the deterinant of L It is denoted by detl) [8] Reark If L is a full rank lattice, which eans n = then the deterinant of L is equal to the absolute value of the deterinant of the n n atrix whose rows are the basis vectors b, b 2,, b n

3 Cryptography 208, 2, 36 3 of 5 In 982, A K Lenstra, H W Lenstra, Jr and L Lovasz [9] invented the LLL lattice based reduction algorith to reduce a basis and to solve the shortest vector proble The general result on the size of individual LLL-reduced basis vectors is given in the following Theore Theore Let L be a lattice and b, b 2,, b n be an LLL-reduction basis of L Then for all i n [0] b b 2 b i 2 nn ) 4n+ i) detl) n+ i An iportant application of lattice reduction found by Coppersith in 996 [3] is finding sall roots of low-degree polynoial equations This includes odular univariate polynoial equations and bivariate integer equations In 997 Howgrave-Graha [] reforulated Coppersith s techniques and proposed a result which shows that if the coefficients of hx, y) are sufficiently sall, then the equality hx 0, y 0 ) = 0 holds not only odulo N, but also over integers The generalization of Howgrave-Graha result in ters of the Euclidean nor of a polynoial hx, x 2,, x n ) = a i i n x i x i n is defined by the Euclidean nor of its coefficient vector ie, hx, x 2,, x n ) = a 2 i i n given as follows: Theore 2 Howgrave-Graha): Let hx, x 2,, x n ) Z[x, x 2,, x n ] be an integer polynoial that consists of at ost ω onoials Suppose that h x 0) ) 2,, x0) n 0 od e for soe where x 0) < X, x 0) 2 < X 2 x n 0) < X n, and, x0) 2 hx X, x 2 X 2,, x n X n ) < e ω Then hx, x 2,, x n ) = 0 holds over the integers Definition 4 The resultant of two polynoials f x, x 2,, x n ) and gx, x 2,, x n ) with respect to the variable x i for soe i n, is defined as the deterinant of Sylvester atrix of f x, x 2,, x n ) and gx, x 2,, x n ) when considered as polynoials in the single indeterinate x i, for soe i n Reark 2 The resultant of two polynoials is non-zero if and only if the polynoials are algebraically independent Reark 3 If x 0) ), x0) 2,, x0) n is a coon solution of algebraically independent polynoials f, f 2,, f for n, then these polynoials yield g, g 2,, g n resultants in n variables and continuing so on the resultants yield a polynoial tx i ) in one variable with x i = x 0) i for soe i is a solution of tx i ) Note the polynoials considered to copute resultants are always assued to be algebraically independent 3 An Attack Bound Using Sublattice Reduction Techniques In this section, an attack bound for a sall ultiplicative inverse k of ϕn) odulo e when the prie su p + q is of the for p + q = 2 n k 0 + k, where n is a given positive integer and k 0 and k are two suitably sall unknown integers using sublattice reduction techniques is described In a previous paper [7], we proposed an attack on RSA when ϕn) has sall ultiplicative inverse odulo e and the prie su p + q is of the for p + q = 2 n k 0 + k, where n is a given positive integer and k 0 and k are two suitably sall unknown integers using lattice reduction techniques { N + )x + xy + 2 For 2 n is an inverse of 2 n n )xz if k 0 k od e, define f x, y, z)= 2 n xn + ) + xy + 2 n xz 2 n if k k 0 If k 0 k, then k, k, k 0 ) is a solution and if k k 0 then k, k 0, k ) is a solution for the odular polynoial equation f x, y, z) 0 od e)

4 Cryptography 208, 2, 36 4 of 5 Now define the set M k = 0 j t {x i y i 2z i 3+j x i y i 2z i 3 is a onoial of f and xi y i 2 z i 3 of f k }, where l is a leading onoial of f and define the shift polynoials as l k is a onoial g k,i,i 2,i 3 x, y, z) = xi y i 2z i 3 l k f x, y, z)) k e k, for k = 0,,, x i y i 2 z i 3 M k \ M k+ and f = a l f od e for the coefficient a l of l For 0 k, divide the above shift polynoials according to t = 0 and t Then for t = 0, the shift polynoials gx, y, z) are { z i 3 f x, y, z)) k e k, for i gx, y, z) = = i 2 = k, i 3 = 0 x i k z i 3 f x, y, z)) k e k, for k, i = k +,,, i 2 = k, i 3 = 0,, i i 2 ) and for t, the shift polynoials hx, y, z) are hx, y, z) = { z i 3 f x, y, z)) k e k, for i = i 2 = k, i 3 =,, t x i k z i 3 f x, y, z)) k e k, for k, i = k +,,, i 2 = k, i 3 = i i 2 ) +,, i i 2 ) + t Let L be the lattice spanned by the coefficient vectors gxx, ) yy, zz) and hxx, yy, zz) shifts with diension ) )t + + )t [7] Let M be the atrix of L with each row is the coefficients of the shift polynoial g shifts h shifts e, xe, xze, x 2 e, x 2 ze, x 2 z 2 e,, x e, x ze,, x z e, f e, x f e, xz f e,, x f e, x z f e,, x z f e, f e, x f e, xz f e, f, ze, z t e, xz 2 e,, xz +t e,, x z + e,, x z +t e, z f e, z t f e, xz 2 f e,, xz +t f e,, x z f e,, x z )+t f e, z f e,, z t f e, xz 2 f e,, xz +t f e, z f,, z t f and each colun is the coefficients of each variable in shift polynoials) first )coluns), x, xz, x 2, x 2 z, x 2 z 2,, x, x z,, x z, xy, x 2 y, x 2 yz, x 3 y, x 3 yz, x 3 yz 2,, x y, x yz,, x yz, x y, x y, x y z, x y, ) reaining )t + + )t coluns) z,, z t, xz 2,, xz +t,, x z +,, x z +t, xyz,, xyz t, x 2 yz 2,, x 2 yz +t,, x yz,, x yz )+t, x y z,, x y z t, x y z 2,, x y z +t, x y z,, x y z t

5 Cryptography 208, 2, 36 5 of 5 As xy is the leading onoial in f x, y, z) with coefficient, the diagonal eleents in the atrix M are e, Xe, XZe, X 2 e, X 2 Ze, X 2 Z 2 e,, X e, X Ze,, X Z e, XYe, X 2 Ye, X 2 YZe,, X Ye, X YZe,, X YZ e, g shifts X Y e, X Y e, X Y Ze, X Y, h shifts Ze,, Z t e, XZ 2 e,, XZ +t e,, X Z + e,, X Z +t e, XYZe,, XYZ t e, X 2 YZ 2 e,, X 2 YZ +t e,, X YZ e,, X YZ )+t e, X Y Ze,, X Y Z t e, X Y Z 2 e,, X Y Z +t e, X Y Z,, X Y Z t Note that the atrix M is lower triangular atrix Therefore, the deterinant is detl) = e ne) X nx) Y ny) Z nz) where ne), nx), ny) and nz) are the nuber of e s, X s, Y s and Z s in all diagonal eleents respectively, and ne) = /8) 4 + 3/4) 3 + /8) 2 + 3/4)) + /6) )t + /2) 2 + )t)) nx) = /8) 4 + 3/4) 3 + /8) 2 + 3/4)) + /6) )t + /2) 2 + )t)) ny) = /24) 4 + /4) 3 + /24) 2 + /4)) + /6) 3 )t + /2) 2 + )t)) nz) = /24) 4 + /4) 3 + /24) 2 + /4))+ /4) 2 + )t 2 + /2) + )t 2 + /2) )t + /2) + )t)) Let N δ, N γ and N γ 2 be the upper bounds for X, ax{k 0, k } and in{k 0, k } respectively, then the bound for δ in which the generalized Howgrave-Graha result holds given in the following theore Theore 3 [7] Let N = pq be an RSA odulus with q < p < 2q Let e = N α, X = N δ, Y = N γ, Z = N γ 2 and k be the ultiplicative inverse of ϕn) odulo e Suppose the prie su p + q is of the for p + q = 2 n k 0 + k, for a known positive integer n and for k X, ax{ k 0, k } Y and in{ k 0, k } Z one can factor N in polynoial tie if δ < 2 α 2 γ + 6 γ 2 48α γ 6 )γ γ2 2 ) To iprove this bound in a lower diension than the above diension, first we construct a sublattice S L of L and after that we apply the sublattice based techniques to the lattice S L given by J Blöer, A May in [5], and are described in the following sections 3 Construction of a Sublattice S L of L The construction of a sublattice S L of L in order to iprove the bound for δ is given in the following First reove following rows in M corresponding to g-shifts e, xe, xze,, x e,, x z e, f e, x f e, xz f e,, x 2 f e,, x 2 z 2 f e,

6 Cryptography 208, 2, 36 6 of 5 f 2 e 2, x f 2 e 2, xz f 2 e 2, f e Therefore the reaining rows in M corresponding to g-shifts are x e, x ze,, x z e, x f e,, x z f e, x f e, xz f e, f, and its corresponding g-shifts can be written as g s x, y, z) = x l z l 2 f x, y, z)) k e k for k = 0,,, l = k, l 2 = 0,, l Now reove soe rows in M corresponding to h-shifts are ze,, z t e,, x z e,, x z )+t e, z f e,, z t f e,, x 2 z f e,, x 2 z 2)+t f e, z f 2 e 2,, z t f 2 e 2, xz 2 f 2 e 2,, xz +t f 2 e 2, z f e,, z t f e Therefore the reaining rows in M corresponding to h-shifts are x z + e,, x z +t e, x z f e,, x z )+t f e, xz 2 f e,, xz t+ f e, z f,, z t f, and its corresponding h-shifts can be written as h s x, y, z) = x l z l 2 f x, y, z)) k e k for k = 0,,, l = k, l 2 = l +,, l + t Now, let S L be the sub-lattice of L spanned by the coefficients of the vectors g s xx, yy, zz) and h s xx, yy, zz) shifts and M s be the atrix of the lattice S L Note that the atrix M s is not square So apply the sublattice based techniques to the basis of S L or the rows of M s to get a square atrix Using that square atrix, the attack bound can be found and is given in the following section 32 Applying Sub-Lattice Based Techniques to Get an Attack Bound In [5], J Bloer, A May proposed a ethod to find an attack bound for low deciphering exponent in a saller diension than the approach by Boneh and Durfee s attack in [4] Apply their ethod based on sublattice reduction techniques to our lattice S L to get an attack bound and is described in the following In order to apply the Howgrave-Graha s theore [] by using Theore, we need three short vectors in S L as our polynoial consists of three variables However, note that M s is not a square atrix So, first construct a square atrix M sl by reoving soe coluns in M s, which are sall linear cobination of non-reoving coluns in M s Then the short vector in M sl lead to short reconstruction vector in S L Construction of a square sub-atrix M sl of M s Coluns in M and M s are sae and each colun in M is nothing but the coefficients of a variable, which is a leading onoial of the polynoial g or h-shifts The first ) and

7 Cryptography 208, 2, 36 7 of 5 reaining )t + + )t) coluns are corresponding to the leading onoial of the polynoials g and h-shifts respectively Therefore, the first ) coluns are the coefficients of the each variable xi y i 2z i 3 for i = i 2 = k, i 3 = 0 and i = k +,,, i 2 = k, i 3 = 0,, i i 2 ) and reaining )t + + )t) coluns are the coefficients of the each variable x i y i 2z i 3 for i = i 2 = k, i 3 =,, t and i = k +,,, i 2 = k, i 3 = i i 2 ) +,, i i 2 ) + t So the variable x i y i 2z i 3 corresponds a colun in first ) + ) coluns if i i 2 + i 3 and corresponds a colun in reaining )t + + )t coluns if i < i 2 + i 3 2 As, x, xy, xz are the onoials of f, the set of all onoials of f for 0 is {x i y i 2z i 3; i = 0,,, i 2 = 0,, i, i 3 = 0,, i i 2 } Therefore, the coefficient of the variable x i y i 2z i 3 in f is non-zero if and only if i 3 i i 2, ie, i i 2 + i 3 Reove coluns in M s corresponding to the coefficients ) of the variable x a y b z c for all 0 a and note that every such colun is X a Y a ultiple of a non-reoved colun, a b) a)!b! corresponding to the coefficients of x y a b) z c and is proved in the following theore Theore 4 Each colun in M s corresponding to the coefficients of ) the variable x a y b z c, a leading onoial of the polynoial g or h-shifts, for all 0 a is X a Y a ultiple of a non-reoved a b) a)!b! colun, represents the coefficients of the variable x y a b) z c Proof First assue that k 0 k, then f x, y, z) = N + )x + xy + 2 n xz For n = 0,,, k = n, k 2 = 0,, k, the g s -shifts x k z k 2 f n e k corresponds first ) rows in M s and for n = 0,,, k = n, k 2 = k +,, k + t, the h s -shifts x k z k 2 f n e k corresponds reaining rows in M s We prove this theore in two cases Casei): Any colun in first ) coluns of M s ie, a colun corresponding coefficients of a variable x a y b z c with a b + c, fro the above analysis in ) Given that 0 a Fro the above analysis in ) and 2), the coefficient of x a y b z c is non-zero in g s -shifts x k z k 2 f n e k if and only if a k, b k, c k 2 and a k b + c k 2 ) As k k 2, k 2 0 and a k b + c k 2 ), ax{0, k a b + c))} k 2 in{k, c} and also as a k < b + c k 2 ) for k > a b, k is such that 0 k a b Therefore, the coefficient of x a y b z c is non-zero in g s -shifts x k z k 2 f n e k if and only if a k, b k, c k 2 and k = 0,, a b, k 2 = ax{0, k a b + c))},, in{k, c} Siilarly we can prove that, the coefficient of x a y b z c is non-zero in h s -shifts x k z k 2 f n e k if and only if a k, b k, c k 2 and k = 0,, c, k 2 = k +,, in{c, k + t} using the inequalities k + k 2 k + t, a b + c and analysis in ) and 2), and say in{c, k + t} = l t The forula for finding a coefficient of a variable x l y l 2z l 3 = ) n l x l l 2 +l 3 ) xz) l 3xy) l 2 for l n in f n is n! n l )!l l 2 + l 3 ))!l 2!l 3!) )n l N + ) l l 2 +l 3 ) 2 n ) l 3 and coefficient of x a y b z c in x k y k 2 f n e k is nothing but a coefficient of x a k y b z c k 2 in f n Note that a colun corresponding to a variable x y a z c is in the non-reoving coluns in M s and coefficient of x y a z c is zero for k > a b in g s -shifts, k > c in h s -shifts The coluns corresponding to a variable x a y b z c and a variable x y a z c only with non-zero ters is depicted in Table Therefore, fro Table the result holds in this case Caseii): Any colun in reaining )t + + )t) coluns of M s, ie, a colun corresponding coefficients of a variable x a y b z c with a < b + c, fro the above analysis in )

8 Cryptography 208, 2, 36 8 of 5 The coefficient of x a y b z c is non-zero in g s -shifts x k z k 2 f n e k if and only if a k, b k, c k 2, a k b + c k 2 ) and note for a < b + c, a k < b + c k 2 ) as k k 2 in g s -shifts So the coefficient of x a y b z c is zero in all rows corresponding to g s -shifts The coefficient of x a y b z c is non-zero in h s -shifts x k z k 2 f n e k if and only if a k, b k, c k 2 and a k b + c k 2 ) For k > a b, a k < b + c k 2 ) and fro the inequalities k + k 2 k + t, a k b + c k 2 ), we have the coefficient of x a y b z c is non-zero in h s -shifts x k z k 2 f n e k if and only if a k, b k, c k 2 and k = 0,, a b, k 2 = ax{k +, k + b + c) a},, in{c, k + t} Take l t = in{c, k + t} Note that coefficient of x y a z c is zero in all g s -shifts as a > c and for k > a b in h s -shifts The coluns corresponding to a variable x a y b z c and a variable x y a z c only with non-zero ters is depicted in Table 2 Therefore, fro Table 2 the result holds in this case Now apply the above analysis to the polynoial f x, y, z) = 2 n xn + ) + xy + 2 n xz 2 n for k k 0, then this result is obtained Fro the above theore, all coluns corresponding to a variable x a y b z c for all 0 a are depending on a non-reoved colun, corresponding to a variable x y a b) z c in M s Let M sl be a atrix fored by reoving all above coluns fro the atrix M s and S l be a lattice spanned by rows of M sl Then the short vector in S l lead to short reconstruction vector in S L, ie, if u = c b b is a short vector in S l then this lead to a short vector ū = b B b B c b b sae coefficients c b ) in S L where B and B are the basis for S l and S L respectively As we reoved all depending coluns in M s to for a atrix M sl, apply the lattice based techniques to S l instead of S L to get an attack bound and this lattice reduction techniques gives a required short vectors in S L for a given bound The atrix M sl is lower triangular with rows sae as in M s and each colun corresponding to coefficients of one of the variables leading onoials of g s and h s -shifts) x, x z,, x z, x y,, x yz, g s shift h s shift x y, x y z, x y, x z +,, x z +t, x yz,, x yz )+t, x y z 2,, x y z +t, x y z,, x y z t

9 Cryptography 208, 2, 36 9 of 5 Table A colun in first ) coluns of M s and a colun corresponding to coefficients of a variable x y a z c only with non-zero ters Rows Corresponding to g and h Shifts Colun Corresponding to x a y b z c Colun Corresponding to x y a z c x a b z c f a b) e a b x a b z c f a b ) e a b x a b z c f a b ) e a b x a b c ) z f a b) c )) e a b c ) x a b c ) z c f a b) c )) e a b c ) x a b c f a b)+c e a b+c) x a b c z c f a b)+c e a b+c) a b))! ) a X a Y b Z c e a b a)!b! a b)+)! ) a 2 n X a Y b Z c e a b a)!b! a b)+)! ) a N + )X a Y b Z c e a b a)!b! a b)+c ))! ) a 2 n ) c X a Y b Z c e a b c ) a)!b!c )! a b)+c ))! ) a N + ) c X a Y b Z c e a b c ) a)!b!c )! a b)+c)! ) a 2 n ) c X a Y b Z c e a b c a)!b!c! a b)+c)! ) a N + ) c X a Y b Z c e a b c a)!b!c! X Y a b) Z c e a b a b)+)! 2 n X Y a b) Z c e a b a b))! a b)+)! N + )X Y a b) Z c e a b a b))! a b)+c ))! a b))!c )! 2n ) c X Y a b) Z c e a b c ) a b)+c ))! a b))!c )! N + )c X Y a b) Z c e a b c ) a b)+c)! a b))!c! 2n ) c X Y a b) Z c e a b c a b)+c)! a b))!c! N + )c X Y a b) Z c e a b c f! a)!b!c!a b+c))! ) a N + ) a b+c)) 2 n ) c X a Y b Z c! a b))!c!a b+c))! N + )a b+c) 2 n ) c X Y a b) Z c x c z c f c ) e c xz 2 f e xz lt f e c ))! a)!b!a b+c)+)! ) a N + ) a b+c)+ X a Y b Z c e c )! a)!b!c 2)!a b+c)+)! ) a N + ) a b+c)+ 2 n ) c 2 X a Y b Z c e )! a)!b!c l t)!a b+c)+l t )! ) a N + ) a b+c)+lt 2 n ) c lt X a Y b Z c e c ))! a b))!a b+c)+)! N + )a b+c)+ X Y a b) Z c e c )! a b))!c 2)!a b+c)+)! N + )a b+c)+ 2 n ) c 2 X Y a b) Z c e )! a b)!c l t)!a b+c)+l t )! N + )a b+c)+lt 2 n ) c lt X Y a b) Z c e z f! a)!b!c )!a b+c)+)! ) a N + ) a b+c)+ 2 n ) c X a Y b Z c! a b))!c )!a b+c)+)! N + )a b+c)+ 2 n ) c X Y a b) Z c z lt f! a)!b!c l t)!a b+c)+l t)! ) a N + ) a b+c)+lt 2 n ) c lt X a Y b Z c! a b))!c l t)!a b+c)+l t)! ) a N + ) a b+c)+lt 2 n ) c lt X Y a b) Z c

10 Cryptography 208, 2, 36 0 of 5 ) Table 2 A colun in the last )t + + )t coluns of M s and a colun corresponding to coefficients of a variable x y a z c only with non-zero ters Rows Corresponding to g and h Shifts Colun Corresponding to x a y b z c Colun Corresponding to x y a z c x a b z c f a b) e a b a b))! ) a X a Y b Z c e a b a)!b! X Y a b) Z c e a b x 2 z b+c) a+2 f 2 e 2 2)! a)!b!a b) 2)! ) a 2 n ) a b) 2 X a Y b Z c e 2 2)! a b))!a b) 2)! 2n ) a b) 2 X Y a b) Z c e 2 x 2 z lt f 2 e 2 xz b+c a+ f e 2)! a)!b!c l t)!l t b+c) a+2))! ) a N + ) lt b+c) a+2) 2 n ) c lt X a Y b Z c e 2 )! a)!b!a b) )! ) a 2 n ) a b) X a Y b Z c e 2)! a b))!c l t)!l t b+c) a+2))! N + )lt b+c) a+2) 2 n ) c lt X Y a b) Z c e 2 )! a b))!a b) )! 2n ) a b) X Y a b) Z c e xz lt f e )! a)!b!c l t)!l t b+c a+))! ) a N + ) lt b+c a+) 2 n ) c lt X a Y b Z c e )! a b))!c l t)!l t b+c a+))! N + )lt b+c a+) 2 n ) c lt X Y a b) Z c e z b+c a f! a)!b!a b)! ) a 2 n ) a b X a Y b Z c! a b))!a b)! 2n ) a b X Y a b) Z c z lt f! a)!b!c l t)!l t b+c) a))! ) a N + ) lt b+c) a) 2 n ) c lt X a Y b Z c! a b))!c l t)!l t b+c) a))! ) a N + ) lt b+c) a) 2 n ) c lt X Y a b) Z c

11 Cryptography 208, 2, 36 of 5 Therefore S l is a lattice spanned by coefficient vectors of the shift polynoials g sl xx, yy, zz) and h sl xx, yy, zz) where g sl x, y, z) = x l z l 2 f x, y, z) constant ter of f ) n e l for n = 0,,, l = n, l 2 = 0,, l and h sl x, y, z) = x l z l 2 f x, y, z) constant ter of f ) n e l for n = 0,,, l = n, l 2 = l +,, l + t Since S l is full-rank lattice, det S l = det M sl = e ne) X nx) Y ny) Z nz) where ne), nx), ny), nz) are denotes the nuber of e s, X s, Y s, Z s in all the diagonal eleents of M sl respectively As x n y n is a leading onoial of f n with coefficient, we have ne) = nx) = ny) = nz) = and dis l ) = ω = l n=0 l = n l 2 =0 l + l +t l n=0 l = n l 2 =l + = /3) /2) 2 + )t + 2/3), l n=0 l = n l 2 =0 n + l + l +t n=0 l = n l 2 =l + = /2) 3 + 3/2) )t +, l n=0 l = n l 2 =0 n + l +t n=0 l = n l 2 =l + n n + l = /6) 3 + /2) 2 + /2) 2 + )t + /3), l n=0 l = n l 2 =0 l 2 + l +t l 2 n=0 l = n l 2 =l + = /6) 3 + /2) + )t 2 + /2) 2 + /2) )t + /3) l n=0 l = n l 2 =0 + l +t n=0 l = n l 2 =l + = /2) )t + 3/2) + Take t = τ, then for sufficiently large, the exponents ne), nx), ny), nz) and the diension ω reduce to ) ω = 2 + τ 2 + o 2 ), ne) = 3 + ) 2 τ 3 + o 3 ), ) nx) = 2 + τ 3 + o 3 ), ny) = 6 + ) 2 τ ), nz) = τ + ) 2 τ2 3 + o 3 ) Applying the LLL algorith to the basis vectors of the lattice S l, ie, coefficient vectors of the shift polynoials, we get a LLL-reduced basis say {v, v 2,, v ω } and fro the Theore we have v v 2 v 3 2 ωω ) 4ω 2) dets l ) ω 2

12 Cryptography 208, 2, 36 2 of 5 In order to apply the generalization of Howgrave-Graha result in Theore 2, we need the following inequality fro this, we deduce 2 ωω ) 4ω 2) dets l ) ω 2 < e ω dets l ) < 2 ωω ) ) ω 2 e ω 2) < 4ω 2) ω 2 ωω ) 4ω 2) ω ) ω 2 e ω As the diension ω is not depending on the public encryption exponent e, ωω ) 2 4ω 2) ω ) ω 2 is a fixed constant, so we need the inequality dets l ) < e ω, ie, e ne) X nx) Y ny) Z nz) < e ω Substitute all values and taking logariths, neglecting the lower order ters and after siplifying by 3 we get 3τ)α τ)δ + + 3τ)γ + + 3τ + 3τ 2 )γ 2 < 0 The left hand side inequality is iniized at τ = α 2δ+γ +γ 2 ) 2γ 2 and putting this value in the above inequality we get δ < 2 α 2 γ 6 6α γ )γ 2 + 3γ 2 2 Fro the first three short vectors v, v 2 and v 3 in LLL reduced basis of a basis B in S l we consider three polynoials g x, y, z), g 2 x, y, z) and g 3 x, y, z) over Z such that g x 0, y 0, z 0 ) = g 2 x 0, y 0, z 0 ) = g 3 x 0, y 0, z 0 ) = 0 These short vectors v, v 2 and v 3 lead to a short vector v, v 2 and v 3 respectively and g x, y, z), g 2 x, y, z) and g 3 x, y, z) its corresponding polynoials Apply the sae analysis in paper [7] to the above polynoials to get the factors p and q of RSA odulus N Theore 5 Let N = pq be an RSA odulus with q < p < 2q Let e = N α, X = N δ, Y = N γ, Z = N γ 2 and k be the ultiplicative inverse of ϕn) odulo e Suppose the prie su p + q is of the for p + q = 2 n k 0 + k, for a known positive integer n and for k X, ax{ k 0, k } Y and in{ k 0, k } Z one can factor N in polynoial tie if δ < 2 α 2 γ 6α γ 6 )γ 2 + 3γ2 2 2) Proof Follows fro the above arguent and the LLL lattice basis reduction algorith operates in polynoial tie [9] Note that for any given pries p and q with q < p < 2q, we can always find a positive integer n such that p + q = 2 n k 0 + k where 0 k 0, k 025 A typical exaple is 2 n 3 N 025 as 2 p + q < 3 2 N 05 [2] So take γ and γ 2 in the range 0, 025) Let δ L and δ sl be the bounds for δ in inequalities ) and 2) respectively Then note that δ sl is slightly larger than δ L and is depicted in Figure for α = 05, 055, 0750 and In the Figure, x, y, z-axis represents γ, γ 2, bound for δ respectively and yellow, red regions represents δ sl, δ L receptively Fro this figure, it is noted that the yellow region is slightly above the red region, ie, δ sl is slightly grater than δ L and this iproveent increases when the values of α increases

13 Cryptography 208, 2, 36 3 of 5 a) b) c) d) Figure The region of δ sl and δ L for α = 050, 055, 075, ; a) α = 050; b) α = 055; c) α = 075; d) α = 0 As the diension ) of L is /6) 3 + /2) 2 t + 2) + /6)9t + ) + t + ) ) for t = α 2δ+γ +γ 2 ) 3γ 2 [7] and S l is /2) )t + 3/2) + for t = α 2δ+γ +γ 2 ) 2γ 2, note the ) diension of S l is /6) 3 + /3)t 2 ) + /2) 2 + /3), for t = α 2δ+γ +γ 2 ) 2γ 2 saller than the diension of L 33 A New Attack Bound for Deciphering Exponent d with a Coposed Prie Su In this section, we apply the sae analysis for getting bound for d which we have earlier obtained resultant bound for k Fro the relation ed od ϕn)), we get tn + 2 n k 0 + k )) + 0od e) 3) for t = ed ϕn) and the prie su p + q = 2n k 0 + k Now define { N + )x + xy + 2 f n )xz + if k 0 k x, y, z) = 2 n xn + ) + xy + 2 n xz + 2 n if k k 0 Fro Equation 3), note that if k 0 k then t, k, k 0 ) is a solution and if k k 0 then t, k 0, k ) is a solution for the odular polynoial equation f x, y, z) 0od e)

14 Cryptography 208, 2, 36 4 of 5 As the polynoials f x, y, z), f x, y, z) differ by signs only, we can ipleent the above arguent for f x, y, z) to f x, y, z) and obtained new bound on d for t < d = N δ, ax k 0, k N γ, in k 0, k N γ 2 and for e = N α is δ < 2 α 2 γ 6 6α γ )γ 2 + 3γ 2 2 4) For α =, the Boneh and Durfee s bound for d = N δ is N 0292 The new bound on d ay overcoe this bound for α = and for soe values of γ and γ 2 and that values are depicted in Table 3 Table 3 For α =, the values of bound on δ in ters of γ and γ 2 γ γ 2 δ New Bound Conclusions In this paper, another attack bound for k, a sall ultiplicative inverse of ϕn) odulo e is given when the prie su p + q is of the for p + q = 2 n k 0 + k where n is a given positive integer and k 0 and k are two suitably sall unknown integers using sublattice reduction techniques and Coppersith s ethods for finding sall roots of odular polynoial equations This attack bound is slightly larger than the bound, in the approach using lattice based techniques and requires lattice of saller diension than the approach given by using lattice based techniques Also, we gave a new attack bound for the deciphering exponent d with above coposed prie su and copare it to Boneh and Durfee s bound Author Contributions: Conceptualization PAK and LJ; Methodology PAK; Software LJ; Foral Analysis PAK and LJ; Investigation LJ; Writing Original Draft Preparation PAK and LJ; Writing Review & Editing PAK and LJ; Supervision PAK Funding: This research is part of research project funded by the University Grants Coision UGC) under Major Research Project MRP) with P Anuradha Kaeswari as Principal Investigator and L Jyotsna as the Project Fellow Conflicts of Interest: The authors declare no conflict of interest References Kobliz, N A Course in Nuber Theory and Cryprography; Springer: Berlin, Gerany, 994; ISBN Wiener, M Cryptanalysis of Short RSA Secret Exponents IEEE Trans Inf Theory 990, 36, [CrossRef] 3 Coppersith, D Sall solutions to polynoial equations, and low exponent RSA vulnerabilities J Cryptol 997, 0, [CrossRef] 4 Boneh, D; Durfee, G Cryptanalysis of RSA with Private Key D Less than N 0292 In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, 2 6 May 999; Springer: Berlin, Gerany, 999; Volue 592, p 5 Bloer, J; May, A Low Secret Exponent RSA Revisited In Cryptography and Lattice; Springer: Berlin, Gerany, 200; Volue 246, p 49 6 Jochesz, E; May, A A Strategy for Finding Roots of Multivariate Polynoials with New Applications in Attacking RSA Variant In Proceedings of the 2th International Conference on the Theory and Application of Cryptology and Inforation Security, Shanghai, China, 3 7 Deceber 2006; Springer: Berlin, Gerany, 2006; Volue 4284, pp Anuradha Kaeswari, P; Jyotsna, L Cryptanalysis of RSA with Sall Multiplicative Inverse of ϕn) Modulo e and with a Coposed Prie Su p + q Int J Math Appl 208, 6,

15 Cryptography 208, 2, 36 5 of 5 8 Hoftstein, J; Pipher, J; Silveran, JH An Introduction to Matheatical Cryptography; Springer: Berlin, Gerany, Lenstra, AK; Lenstra, HW; Lovasz, L Factoring polynoials with rational coefficients Math Annalen 982, 26, [CrossRef] 0 May, A New RSA Vulnerabilities Using Lattice Reduction Methods PhD Thesis, University of Paderborn, Paderborn, Gerany, 2003 Available online: accessed on 9 October 2003) Howgrave-Graha, N Finding sall roots of univariate odular equations revisited In Cryptography and Coding; LNCS 355; Springer: Berlin, Gerany, 997; pp Nitaj, A Another Generalization of Wieners Attack on RSA In Proceedings of the First International Conference on Cryptology in Africa, Casablanca, Morocco, 4 June 2008; Vaudenay, S, Ed; Springer: Berlin, Gerany, 2008; Volue 5023, pp c 208 by the authors Licensee MDPI, Basel, Switzerland This article is an open access article distributed under the ters and conditions of the Creative Coons Attribution CC BY) license