A New Vulnerable Class of Exponents in RSA

Transcription

1 A ew Vulnerable Class of Exponents in RSA Aberrahmane itaj Laboratoire e Mathématiues icolas Oresme Campus II, Boulevar u Maréchal Juin BP 586, 4032 Caen Ceex, France. nitaj@math.unicaen.fr Abstract. Let = p be an RSA moulus, i.e. the prouct of two large unknown primes of eual bit-size. We consier the class of the public exponents satisfying an euation ex Y = ( + bz with 0 < a <, b = ] (here x] enotes the nearest integer to x an XZ < 2( + b, an all prime factors of Z are less than Using the continue fraction algorithm an the Elliptic Curve Metho of factorization, we show that such exponents yiel the factorization of the RSA moulus. Further, we show that the number of such weak keys is at least 2 ε log. Thus, our attack plies to a relatively large class of weak keys in RSA. Keywors: RSA, Cryptanalysis, Factorization, Continue Fraction Introuction Invente by Rivest, Shamir an Aleman in 977, the RSA cryptosystem is most commonly use for proviing privacy an ensuring authenticity of igital ata. It is one of the most popular systems in use toay. Let = p be the prouct of two large primes of the same bit-size. Let e an be two positive integers satisfying e (mo φ( where φ( = (p ( is Euler s totient function. Commonly, is calle the RSA moulus, e the encryption exponent an the ecryption exponent. The moular euation e (mo φ( is sometimes use as an euation e kφ( =, where k is some positive integer an is calle the RSA key euation. Since its publication, RSA has been analyze for vulnerability by various methos (see 3] an 9]. The security of RSA is base on the well known problem of factoring large integers, which is wiely believe to be intractable. If one can factor = p, then one can calculate φ( = (p ( an the private exponent by solving the congruence e (mo φ(. Conversely, the recovery of the private exponent is euivalent to factoring (see 2]. Many attacks are base on trying to solve the key euation e kφ( = for

2 2 Aberrahmane itaj particular exponents. In 990, Wiener 6] showe that using continue fractions, one can efficiently recover the secret-exponent from the public key (, e as long as < 3 4. The number of such exponents can be estimate as 4 ε where ε > 0 is arbitrarily small for large. The ε term correspons to the number of exponents such that gc(, φ(. The lattice-base Boneh-Durfee attack 4] an its variant given by Blömer an May ] exploit the non-linear euation satisfie by the secret key ( + k + s 0 (mo e, 2 where k an s = p+ 2 are unknown integers. This gives an attack that heuristically succees in polynomial-time when < an the number of the exponents for which this attack works can be estimate as ε. Base on the continue fraction algorithm an a theorem ue to Coppersmith 7], Blömer an May 2] propose in 2004 an attack on( RSA using the variant euation ex + y = kφ( with x < 3 4 an y = O 3 4 ex. They showe that such exponents are vulnerable an that their number is at least 3 4 ε. At Africacrypt 2008, itaj presente an attack on the class of the exponents satisfying an euation ex (p u( vy = with Y X < 2 4 4, u < 4, v = u p u where x] enotes the nearest integer to the real number x. Combining the continue fraction algorithm, Coppersmith s metho 7] an the Elliptic Curve Metho of factorization 0], he showe that p, can be foun if all the prime factors of p u or v are less than The number of such exponents are estimate as 2 ε. In a similar irection, Maitra an Sarkar ] presente in 2008 an attack using the euation ex ( pu vy = with suitably small parameters X, Y, u an v. In contrast of the previous attacks, this attack uses only the techniue of Coppersmith 7]. The number of such exponents are estimate as 3 4 ε. In 2009, itaj 4] stuie the class of the exponents e satisfying ex ( ( + by = Z where a b is an unknown convergent of p an X, Y, Z are suitably small integers. He showe that such exponents form a weak class of size 3 4 ε. In this per, we introuce a new attack on RSA. The attack works for all public keys (, e satisfying an euation with b = ex Y = ( + bz, ], XZ < 2( + b, where a is an unknown positive integer satisfying a < (x] means the nearest integer of the real number x an all prime factors of Z are less than the Elliptic Curve Metho of factorization 0] boun B ECM = The new attack ],

3 A ew Vulnerable Class of Exponents in RSA 3 is base on the continue fraction algorithm an the Elliptic Curve Metho (ECM. In contrast to the previous attacks, it oes not make use of Coppersmith s techniue. We show that for integers X, a, b an Z within the given bouns, this attack yiels the factorization of the RSA moulus = p for the class of the public exponents e with the structure e ( + bzx (mo, where gc(x, (+bz =. Observe that this conition implies gc(x, Y = where Y satisfies ex Y = ( + bz. We show that the number of the exponents e with e < for which this metho works can be estimate as 2 ε. The new attack works as follows. We use the continue fraction algorithm to e recover X an Y among the convergents of. Then we use the Elliptic Curve Metho to recover Z among the ivisors of ex Y. Afterwars, we fin p an using the euation + b = ex Y Z an the ineuality b < 2. This yiels the factorization of. The remainer of this per is organize as follows. In Section 2, we begin with some notations an a brief review of basic facts about the continue fraction algorithm an the Elliptic Curve Metho of factorization. In Section 3, we present some useful lemmas neee for the attack. In Section 4 we present our attack on RSA. In section 5, we estimate the size of the exponents that are weak with this attack. We conclue in Section 6. 2 Preliminaries Let x be a real number. In this per, x] enotes the nearest integer to x an x the largest integer less than or eual to x. 2. The Continue Fraction Algorithm Here we recall some facts from the theory of continue fractions. Let x 0 be a real number. Put x 0 = x an a 0 = x 0. Recursively, for n, if x n a n, efine x n =, a n = x n. x n a n For n, since 0 < x n a n <, then x n > an a n. This process is calle the continue fraction algorithm an yiels an expression of the form x = a 0 + a + a 2 + which is calle the continue fraction expansion of x. This expression is often use in the form x = a 0, a, a 2, ]. Any rational number a b can be expresse as,

4 4 Aberrahmane itaj a finite continue fraction x = a 0, a, a 2,, a m ]. For i 0 (0 i m in the finite case, we efine the i th convergent of the continue fraction a 0, a, a 2, ] to be a 0, a, a 2,, a i ]. Each convergent is a rational number. The main results from the theory of continue fractions that we use in this per are the following two theorems (see, e.g. Theorem 64 an Theorem 84 of 8]. Theorem. Let x be a real number. If Y X is a convergent of x, then x Y X < X 2. Theorem 2. Let x be a real number. If X an Y are coprime integers such that x Y X < 2X 2, then Y X is a convergent of x. 2.2 The Elliptic Curve Factorization Metho (ECM The Elliptic Curve Metho of factoring (ECM was originally propose by H.W. Lenstra 0] an subseuently extene by Brent 5], 6] an Montgomery 2]. The first part of the metho propose by Lenstra is calle Phase, an the extension by Brent an Montgomery is calle Phase 2. ECM is suite to fin small prime factors of large numbers. Let n be an integer with a prime factor p. Let E be a ranom elliptic curve efine over Z/nZ by a projective euation y 2 z x 3 + axz 2 + bz 3 (mo n, where (x : y : z P 2 (Z/nZ, the projective plane over Z/nZ an a, b Z/nZ. The point at infinity is O = (0 : : 0. Let P E(Z/nZ. Let B an B 2 be two bouns for prime numbers with B < B 2. Phase an phase 2 of ECM work as follows: Phase : Calculate Q = (x Q : y Q : z Q = kp where k = B =2 prime log B e, e = log If the orer of E over Z/pZ ivies k, then Q coul be the point at infinity of E(Z/pZ, which means that z Q is a multiple of p. Thus p = gc(z Q, n. Phase 2: For each prime number k such that B < k < B 2, calculate Q = (x Q : y Q : z Q = kp an test if < gc(z Q, n < n. For similar reasons as in Phase, this can reveals a prime factor of n. Let M(n be the cost of one multiplication (mo n. Then ECM fins a factor p of n with the sub-exponentiel run time O ( exp { c log p log log p }. M(n,

5 A ew Vulnerable Class of Exponents in RSA 5 where c 2 is a constant. Accoring to Brent (see 6], the evolution of the ECM recor satisfies the euation Y D =, 9.3 where D is the ecimal igits in the largest factor foun by ECM up to the ate Y. Extrolating, a 69-igit factor coul be foun in 200. In( 7], it is announce that a 73-igit prime factor of the special number 2 8 was foun by J. Bos, T. Kleinjung, A. Lenstra an P. Montgomery in 200. Conseuently, in this per, we consier that ECM is efficient to fin prime factors up to the the boun B ECM = Useful Lemmas In this section, we prove three useful lemmas. We begin by a very simple lemma on the size of the primes of the RSA moulus = p. Lemma. Let = p be an RSA moulus with < p < 2. Then < < 2 < p < Proof. Multiplying < p < 2 by p we get < p 2 < 2, which gives 2 < p < Similarly, multiplying by we get 2 < < 2 2 which gives in turn < < 2. This terminates the proof. A key role in all our arguments is playe by the following lemma. Lemma 2. ] Let = p be an RSA moulus with < p < 2. Let a be an integer an b =. Set S = + b. Then S 2 ab = 4 S an b = S ] Proof. Let a be an integer an let b =. Set S = + b. Since b 2, then using Lemma, we get b 2 < 2 2. On the other han, S 2 4ab = ( + b 2 4ab = ( b 2 > 0. Hence 0 < S2 4 ab = S2 4ab 4 = ( b2 4 < ( = 6 <,

6 6 Aberrahmane itaj S from which we euce ab = 2 4 accoring to the efinition of the floor function. On the other han, using again S 2 4ab = ( b 2 > 0, we get b = S S 2 4ab = S This terminates the proof. We terminate with the following lemma which will be use for counting the number of exponents that are vulnerable to our attack. Lemma 3. Let m an n be positive integers. Then m φ(n n 2ω(n < m k= gc(k,n= < m φ(n n + 2ω(n, where ω(n is the number of istinct prime factors of n. Proof. Let µ( be the Möbius function which is efine by µ( =, µ( = 0 if is not suare-free an µ( = ( ω( if is suare-free where ω( is the number of istinct prime factors of. Then the Lengere Formula gives Since m m m k= gc(k,n= < m +, then µ( = µ(= > µ(= = > m = µ(. µ( + µ( µ( m µ( µ(= ( m + µ(= = m φ(n n 2ω(n. The Möbius function satisfies (see 6.3. of 8] µ( = φ(n n. µ( µ( µ(= µ( m

7 A ew Vulnerable Class of Exponents in RSA 7 It also satisfies µ( = 2ω(n (Theorem 264 of 8]. It follows that m k= gc(k,n= On the other han, using m m µ( = µ( µ(= < µ(= = < m > m φ(n n 2ω(n. < m +, we get + µ( m + µ( m + µ( µ(= µ(= µ(= + µ( µ( ( m µ( = m φ(n n + 2ω(n. where we use similar results. This conclues the proof. 4 The ew Class of Weak Keys in RSA In this section, we present a strategy to fin the prime factors p an of the moulus = p of an RSA instance with a public exponent e satisfying an euation ex Y = ( + bz for some a, b an Z satisfying 0 < a <, b = ], XZ < 2( + b. otice that if X < 0 then e( X ( Y = ( + b( Z where X > 0. Thus, for symmetrical reason, we will consier only on the scenario when X > The ew Attack We begin by linking the solutions of the euation ex Y = ( + bz with the convergents of e. Theorem 3. Let = p be an RSA moulus ] with < p < 2. Let a, b be integers such that 0 < a < an b =. Let e be an exponent satisfying the euation ex Y = ( + bz. If gc(x, Y = an X Z < Y X is a convergent of e. 2(+b, then

8 8 Aberrahmane itaj Proof. Assume 0 < a < an b = X > 0. Then e Y X Assume X Z < ]. Suppose ex Y = ( + bz with ( + bz =. X (+bz 2(+b. Then X < 2X. From this we euce 2 e Y X < 2X 2, an by Theorem 2, we conclue that Y X is one of the convergents of the continue e fraction expansion of. otice that the continue fraction algorithm is a polynomial time algorithm an e the number of convergents of is boune by O(log. This results in a very efficient metho for fining the solution (X, Y in the euation ex Y = ( + bz. The following lemma shows how to fin the parameter Z assuming the efficiency of the Elliptic Curve metho. Lemma 4. Let = p be an RSA moulus with < p < 2. Let e be an exponent satisfying the euation ex Y = ( + bz with positive integers a, b where Y X is a convergent of e. If all prime factors of Z are less than the ECM-boun B ECM, then Z can be foun efficiently. Proof. Suppose e satisfies ex Y = ( + bz where Y X is a convergent of e an all prime factors of Z are less than B ECM. Set M = ex Y. Let p, p 2,, p k enote the istinct prime factors of M that are less than B ECM. Such primes can be efficiently etermine by plying ECM to M, namely, let M = M k i= p αi i, be the factorization of M where M = or M has no prime factor less than B ECM. By results of Hary an Ramanujan (see, e.g., Theorem 430 an Theorem 43 of 8], we know that, in average, the number of prime ivisors of M is O(log log M if M is uniformly istribute. Since Y X is a convergent of e, then by Theorem, we have M = ( + b Z = ex Y < X. It follows that the average number of prime ivisors of M is boune by log log. On the other han, we know that M = ( + b Z where Z is B ECM -smooth. Hence Z is a ivisor of k. Thus Z = i= pαi i k i= p xi i, with 0 x i α i.

9 A ew Vulnerable Class of Exponents in RSA 9 is k i= ( + α i. evertheless, by results of The number of ivisors of k i= pαi i Dirichlet on the istribution of ivisors of a ranom integer (see, e.g., Theorem 432 of 8], the number of ivisors of M is O(log M where M <. This shows that the average number of caniates for Z is polynomially boune by O(log. This results in an efficient way to fin Z epening the efficiency of ECM. Given X, Y an Z satisfying ex Y = ( + bz. The following theorem shows how to fin the remainer parameters, namely a, b, p an. Theorem 4. Let = p be an RSA moulus with < p < 2. Let e be a public exponent ] satisfying the euation ex Y = ( + bz with 0 < a < an b =. If Y X is a convergent of e an Z is a B ECM -smooth integer, then p an can be foun in polynomial time. Proof. Suppose that e satisfies the euation ex Y = ( + bz with known parameters X, Y an Z where p,, a an ] b are the unknown parameters. Assume in aition that 0 < a < an b =. Define By Lemma 2 we get S 2 ab = 4 S = + b = ex Y Z S an b = S Combining with + b = S, we fin = S ± S 2 4 S Since 0 < a <, we recover p using p = gc(,. Hence = p. Since every calculation can be one in polynomial time, this conclues the proof. ow, we give the factorization algorithm. 5 Estimation of Weak Keys In this section, we give a very conservative estimation of the number of exponents for which our attack works. To be more precise, let a be an integer with 0 < a < an let b =. Define α such that +b = 2 +α. Let us consier the number of exponents e satisfying an euation ex Y = + b,

10 0 Aberrahmane itaj Algorithm The new attack Input: a public key (, e satisfying = p, < p < 2 an ex Y = ( + ] bz for small parameters X, Y, Z where gc(x, Y =, 0 < a < an b =. Output: the prime factors p an. : Compute the continue fraction expansion of 2: For every convergent Y of e with X < 2 X 2 o 3: Compute M = ex Y an ply ECM to fin the B ECM -smooth part M 0 of M. 4: Compute the ivisors of M 0. e. 5: For every ivisor Z of M 0 with Z < o 2X 6: Compute S = M, Z 0 = S 2 an D = S : If D then 8: Compute p = gc (, S+D 2. 9: If < p < then 0: Output p, =, Stop p : En if 2: En if 3: En for 4: En for with gc(x, + b =, e < an X < 2(+b. Observe that since gc(x, =, then reucing the euation ex Y = + b moulo yiels e ( + bx (mo. We begin by the following result. It shows that for fixe a an b, ifferent parameters X, X 2 with X, X 2 < X < 2(+b efine ifferent exponents e, e 2 of the esire form. Lemma 5. Let = p be an RSA moulus with < p < 2. Let a an b be positive integers such that a < an b < p. For i =, 2, let e i be exponents satisfying e i < an e i X i Y i = + b with gc(x i, + b = an X i < 2(+b. If X X 2 then e e 2. Proof. Suppose that for i =, 2, we have e i X i Y i = + b. Assume for contraiction that e = e 2. Then ( + bx ( + bx 2 (mo, which can be rewritten as ( + b ( X X2 0 (mo. otice that, since gc( + b, =, then X2 X 0 (mo an X 2 X 0 (mo. On the other han, we have ( X 2 X X 2 + X < 2 2( + b <.

11 A ew Vulnerable Class of Exponents in RSA Hence X 2 X = 0 an X = X 2. This terminates the proof. ow we present a result which will be reuire for counting the weak exponents e with the structure e ( + bx (mo where gc(x, ( + b = an X < 2(+b. Lemma 6. Let = p be an RSA moulus ] with < p < 2. Let a an b be fixe positive integers such that a < an b. Define α by +b = 2 +α. The number of the exponents e of the form e ( + bx (mo with gc(x, + b = an X < 2 2 α is O ( 2 α ε where ε > 0 is arbitrary small for suitably large. Proof. Let a be a positive integer. Define α by + b = 2 +α an let X 0 = 2 2 α. Let (a enote the number of the exponents e satisfying e ( + bx (mo with gc(x, + b = an X < 2 2 α. We have (a = X 0 X= gc(x,+b= Using Lemma 3 with n = + b an m = X 0, we get X 0 φ( + b + b 2 ω(+b < (a < X 0 φ( + b + b. ( + 2 ω(+b, (2 Here, 2 ω(+b is the number of suare free ivisors of + b which is upper boune by the total number τ( + b of ivisors of + b. We recall that τ(n satisfies τ(n = O(log log n (Theorems of 8]. It follows that the φ(+b ominant term in (2 is X 0 +b. Using this with n = + b = 2 +α an X 0 = 2 2, α this leas to (a = O ( 2α φ ( + b. On the other han, for n 2, we have (see Theorem 328 of 8] φ(n > cn log log n, where c is a positive constant. Taking n = + b = 2 +α, this implies ( 2 α ( (a = O = O α ε log log 2 +α 2, where ε satisfies ε = log log an epens only on. This terminates the proof.

12 2 Aberrahmane itaj ow we are able to prove an estimation for the number of exponents for which our attack works. Actually, we give a very ] conservative estimation with a =. Observe that since < p < 2, then b = p satisfies ] p 2, so that b = or b = 2. Theorem 5. Let = p be an RSA moulus with < p < 2. An estimation of the number of exponents e < such that e (p+x (mo is O ( 2 ε where ε > 0 is arbitrarily small for suitably large. Proof. Let enote the number of exponents e < with the structure e (p + X (mo for some X < 2(p+. Using Lemma 6, we get = O ( 2 α ε, where α satisfies p + = 2 +α. Using Lemma, we get ( < p + < ( It follows that α satisfies log ( log < α < ( log log This implies that α is arbitrarily small for large. Conseuently, we get ( = O ε 2, where ε = ε + α is arbitrarily small for large. This terminates the proof. 6 Conclusion In this per, we stuie the class of exponents e satisfying an euation ex Y = ( + bz, where X, Y, Z, a an b are integers satisfying 0 < a <, b = ], X Z < 2( + b, an all prime factors of Z are less than the Elliptic Curve Metho of factorization boun B ECM = Using the continue fraction algorithm an the Elliptic Curve Metho of factorization (ECM, we showe that such exponents are vulnerable an lea to the factorization of the RSA moulus = p. We also showe that the new class of weak exponents is sufficiently large since the size of this class can be estimate as 2 ε where ε > 0 is arbitrary small for suitably large.

13 A ew Vulnerable Class of Exponents in RSA 3 References. Blömer, J., May, A.: Low secret exponent RSA revisite. In: Silverman, J.H. (e. CaLC 200. LCS, vol. 246, pp. 49. Springer, Heielberg ( Blömer, J., May, A.: A generalize Wiener attack on RSA. In Public Key Cryptogrhy - PKC 2004, volume 2947 of Lecture otes in Computer Science, Springer- Verlag (2004, Boneh, D.: Twenty years of attacks on the RSA cryptosystem. otices of the American Mathematical Society (AMS 46 (2 (999, Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key less than 0.292, Avances in Cryptology Eurocrypt 99, Lecture otes in Computer Science Vol. 592, Springer-Verlag (999, Brent, R.P.: Some integer factorization algorithms using elliptic curves, Australian Computer Science Communications, vol. 8 (986, Brent, R.P.: Recent progress an prospects for integer factorisation algorithms, Springer-Verlag LCS 858 (2000, Coppersmith, D.: Small solutions to polynomial euations, an low exponent RSA vulnerabilities. Journal of Cryptology, 0(4 (997, Hary, G.H., Wright, E.M.: An Introuction to the Theory of umbers. Oxfor University Press, Lonon ( Hinek, J.M.: Cryptanalysis of RSA an Its Variants, Chman & Hall/CRC Press ( Lenstra, H.W.: Factoring integers with elliptic curves, Annals of Mathematics, vol. 26 (987, Maitra, S., Sarkar, S.: Revisiting Wiener s Attack - ew Weak Keys in RSA. ISC 2008 (2008, Montgomery, P.L.: Speeing the Pollar an elliptic curve methos of factorization, Mathematics of Computation, vol. 48 (987, itaj, A.: Another generalization of Wiener s attack on RSA, In: Vauenay, S. (e. Africacrypt LCS, vol. 5023, Springer, Heielberg (2008, itaj, A.: Cryptanalysis of RSA using the ratio of the primes, In: B. Preneel (E. Africacrypt 2009, LCS 5580, Springer-Verlag, Berlin Heielberg (2009, Rivest, R., Shamir A., Aleman, L.: A Metho for Obtaining Digital Signatures an Public-Key Cryptosystems, Communications of the ACM, Vol. 2 (2 (978, Wiener, M.: Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, Vol. 36 (990, Zimmermann, P.: 50 largest factors foun by ECM ~zimmerma/recors/top50.html.