Secret Exponent Attacks on RSA-type Schemes with Moduli N = p r q

Size: px

Start display at page:

Download "Secret Exponent Attacks on RSA-type Schemes with Moduli N = p r q"

Dominic Scott
5 years ago
Views:

1 Secet Exponent Attacks on RSA-type Schemes with Moduli N = p q Alexande May Faculty of Compute Science, Electical Engineeing and Mathematics Univesity of Padebon Padebon, Gemany alexx@uni-padebon.de Abstact. We conside RSA-type schemes with modulus N = p q fo 2. We pesent two new attacks fo small secet exponent d. Both appoaches ae applications of Coppesmith s method fo solving modula univaiate polynomial equations [5]. Fom these new attacks we diectly deive patial key exposue attacks, i.e. attacks when the secet exponent is not necessaily small but when a faction of the secet key bits is known to the attacke. Inteestingly, all of these attacks wok fo public exponents e of abitay size. Additionally, we pesent patial key exposue attacks fo the value d p = d mod p 1 which is used in CRT-vaiants like Takagi s scheme [11]. Ou esults show that RSA-type schemes that use moduli of the fom N = p q ae moe susceptible to attacks that leak bits of the secet key than the oiginal RSA scheme. Keywods: N = p q, Coppesmith s method, Patial Key Exposue Attacks 1 Intoduction We investigate attacks on cyptogaphic schemes that use public moduli of the fom N = p q fo some constant > 1. Moduli of this type have ecently been used in diffeent cyptogaphic designs. Fujioke, Okamoto and Uchiyama [6] pesented an electonic cash scheme using a modulus N = p 2 q. Futhemoe, Okamoto and Uchiyama [10] designed an elegant public-key cypto scheme that is povably as secue as factoing a modulus N = p 2 q. A fast CRT-RSA vaiant using moduli of the fom N = p q was intoduced by Takagi [11] in The lage one chooses in Takagi s scheme, the moe efficient is the scheme fo a fixed bit-size of the modulus N. Conside an RSA-type scheme with public key (N, e), whee N = p q fo some fixed > 1 and p, q ae of the same bit-size. The secet key d satisfies ed = 1 mod φ(n), whee φ(n) is Eule s totient function. We denote by φ(n) the multiplicative goup of invetible integes modulo φ(n). In 1999, Boneh, Dufee and Howgave-Gaham [3] showed that schemes with moduli of the fom N = p q ae moe susceptible to attacks that leak bits of p than the oiginal RSA-scheme. Using Coppesmith s method fo solving

2 univaiate modula equations [5], they showed that it suffices to know a faction 1 of +1 of the MSBs of p to facto the modulus. It is an inteesting task, whethe schemes with N = p q ae also moe susceptible to attacks that leak bits of the secet exponent d. In most side-channel attack scenaios (see fo instance [7, 8]), it is moe easonable to assume that an advesay gains knowledge of a faction of the secet key bits than knowledge of the pime facto bits. Intuitively, one should expect that cypto-systems with moduli of the fom N = p q, > 1 ae moe vulneable to secet key attacks than the oiginal RSAscheme, since fo a fixed bit-size of N the amount of secet infomation encoded in the pime factos is smalle than in RSA. Hence, these schemes should be moe susceptible to small secet key attacks like the Wiene attack [12] and the Boneh-Dufee attack [1]. Likewise, these schemes should be moe susceptible to so-called patial key exposue attacks that use the knowledge of a faction of the secet key bits like the Boneh-Dufee-Fankel attack [2] and the Blöme-May attack [4]. In contast to this intuition, it was stated in the wok of Takagi [11] that RSA-type schemes with N = p q seem to be less vulneable to attacks fo small decyption exponents d than the oiginal RSA-scheme. Namely, Takagi showed a genealized Wiene-bound of d N 1 2(+1). Howeve, we intoduce two attacks with impoved bounds fo the size of d. Both new attacks ae applications of Coppesmith s method fo solving modula univaiate polynomial equations [5]. Ou fist attack diectly uses the esults of Boneh, Dufee and Howgave- Gaham [2] fo factoing N = p q. It yields an impoved bound of d N (+1) 2 fo 2. Let us compae the esults fo = 2: Takagi equies that d N 1 6 wheeas ou new method woks wheneve d N 2 9. Ou second method makes use of Coppesmith s method in the univaiate case and leads to the bound d N ( 1 +1 ) = N (+1) 2 fo 2. Inteestingly in contast to the pevious bounds, this new bound conveges to N fo gowing instead of conveging to 1. It impoves upon ou fist attack fo all paamete choices 3: The second attack equies that d N 1 4 in the case = 3 compaed to d N 3 16 fo ou fist method. Thus, ou fist attack is only supeio to the othe methods in the case = 2. On the othe hand, moduli of the fom N = p 2 q ae fequently used in cyptogaphy and theefoe they epesent one of the most impotant cases. Inteestingly, the new attacks fo small decyption exponents d have two new featues which the oiginal Wiene attack and the Boneh-Dufee attack do not possess: One cannot counteact the new attacks by choosing lage public exponents e, since the attacks ae independent of the value of e. In compaison, the Wiene bound d N 1 4 and the Boneh-Dufee bound d N equie

3 that e < φ(n). It is known that the attacks cannot be applied fo any size of d if e > N 1.5 o e > N 1.875, espectively. The new attacks immediately imply a patial key exposue attack fo d with known most significant bits (MSBs). Namely, it makes no diffeence in the attacks whethe the most significant bits of d ae zeo (and thus d is a small decyption exponent) o ae known to the attacke. In contast, Wiene s attack and the Boneh-Dufee attack fo small decyption exponents do not wok when the MSB s ae non-zeo but known. In addition, the new attacks also povide patial key exposue attacks fo known least significant bits (LSBs). Using the fist attack, we ae able to pove that a faction of 1 of the MSBs o LSBs of d ( + 1) 2 suffice to find the factoization of N = p q. The second attack yields patial key exposue attacks that equie only a faction of 4 of the MSBs o LSBs of d ( + 1) 2 in ode to facto N. The esulting patial key exposue attacks shae the same popety as the undelying attacks fo small decyption exponents d: They do not ely on the size of the public exponent e. Note that all patial key exposue attacks mentioned in the liteatue [2, 4] ae dependent on e and do not wok fo abitay e φ(n). The new methods ae the fist patial key exposue attacks that wok fo all public exponents e. The eason that all fome attacks on RSA-type schemes depend on the size of e is that they all compute the paamete k in the RSA key equation ed 1 = kφ(n). In contast, ou new attacks do not equie the computation of k. Thus, k must not be a small paamete and hence the paametes e and d can be inceased (theeby inceasing k) without affecting the usability of the attacks. The eason that ou new attacks do not equie the diect computation of k is mainly that fo moduli N = p q the goup ode of the multiplicative goup Z N is φ(n) = p 1 (p 1)(q 1). Thus fo 2, φ(n) and N shae the common divisos p and p 1, espectively, and this can be used in the attacks by constucting polynomials with small oots modulo p (ou fist attack) and modulo p 1 (ou second attack), espectively. But looking at the equation ed 1 = kφ(n) modulo p (espectively modulo p 1 ) emoves the unknown paamete k. We want to point out that these new attacks ae nomally not a theat to Takagi s scheme [11]. Since Takagi s CRT-decyption pocess only makes use of the values d p = d mod p 1 and d q = d mod q 1, it suffices to choose an d which satisfies ed = 1 mod (p 1)(q 1). Fo this kind of public-key/secet-key pai (e, d), ou pevious attacks do not apply. Even wose, nomally one would not even stoe the value of d but only the values of d p and d q fo the decyption

4 pocess. Theefoe, it is easonable to assume that an attacke may only get bits of d p o d q. Hence, it is an inteesting task to deive patial key exposue attacks fo known bits of d p (espectively d q ). We show that the patial key exposue attacks of Blöme and May [4] fo moduli N = pq genealize to the case N = p q. Inteestingly, the esults ae again much bette fo > 1. Namely, we pesent attacks that need only a faction of of the MSBs o LSBs of d p when the public exponent e is small. This shows that Takagi s scheme is also moe susceptible to attacks that leak bits of d p than nomal CRT-RSA. The pape is oganized as follows: In Section 2, we eview Coppesmith s method fo modula univaiate polynomial equations [5]. Hee, we intoduce a efomulation of Coppesmith s oginal theoem that unifies all known applications (see [2 5]) of the method in the univaiate case. As an example, we deive the esult of Boneh, Dufee and Howgave-Gaham [3] fo factoing N = p q as a diect application of Coppesmith s theoem. The fist attack fo small d and the coesponding patial key exposue attacks ae pesented in Section 3. In Section 4, we descibe ou second attack. The patial key exposue attacks fo d p ae pesented in Section 5. 2 Coppesmith s method and the esult of BDH Let us ecall Coppesmith s theoem fo solving modula univaiate polynomial equations [5]. Hee, we give the theoem in a slightly moe geneal fom than oiginally stated. Howeve, one can pove the theoem in a completely analogous way to the easoning in the oiginal poof of Coppesmith. We give the details of the poof in the full vesion of the pape. Theoem 1 (Coppesmith) Let N be an intege of unknown factoization, which has a diviso b N β. Let f b (x) be an univaiate, monic polynomial of degee δ. Futhemoe, let c N be a function that is uppe-bounded by a polynomial in log N. Then we can find all solutions x 0 fo the equation f b (x) = 0 mod b with in time polynomial in (log N, δ). x 0 c N N β2 δ Coppemith fomulated Theoem 1 fo the special case whee N = b. Then the bound fo the solutions becomes x 0 c N N 1 δ. Howeve, the above fomulation of Coppesmith s theoem has some advantages: Fo instance, it is not had to see that the esult of Boneh, Dufee and Howgave-Gaham [3] fo factoing N = p q with known bits is a diect application of Theoem 1 using the polynomial f p (x) = (x + p). In fact, the following theoem is stated in the oiginal wok of Boneh, Dufee and Howgave-Gaham fo the special case k = 1, but we fomulate it in a slightly moe geneal way, since we will use this genealization in Section 3.

5 Theoem 2 (BDH) Let N = p q, whee is a known constant and p, q ae of the same bit-size. Let k be an (unknown) intege that is not a multiple of p 1 q. Suppose we know an intege p with kp p N (+1) 2. Then N can be factoed in polynomial time. Let us intepet the esult of Theoem 2. In ode to facto N it suffices to find an intege p which is within the ange N (+1) 2 of some multiple of p (which is not a multiple of N). In the following section, we pesent ou fist new attack that constucts an intege p with the above popety wheneve d is sufficiently small. 3 The attack modulo p We pesent ou fist attack fo small decyption exponents d and aftewads extend this appoach to patial key exposue attacks. Theoem 3 Let N = p q, whee 2 is a known constant and p, q ae pimes of the same bit-size. Let (e, d) φ(n) be the public-key/secet-key pai satisfying ed = 1 mod φ(n). Suppose that d N (+1) 2. Then N can be factoed in pobabilistic polynomial time. Poof: We know that φ(n) = p 1 (p 1)(q 1) and theefoe the key pai (e, d) satisfies the equation ed 1 = kp 1 (p 1)(q 1) fo some k. (1) Let E be the invese of e modulo N, i.e. Ee = 1 + cn fo some c. If E does not exist then gcd(e, N) must be a non-tivial diviso of N. Note that each possible non-tivial diviso p s, p s q o q (1 s ) does immediately yield the complete factoization of N: p s can be easily factoed by guessing s and taking the s th oot ove the integes. On the othe hand, p s q yields N p s q = p s which educes this case to the pevious one. Similaly, q gives us p. Hence, let us assume wlog that the invese E of e modulo N exists. Multiplying equation (1) by E leads to d E = (Ekp 2 (p 1)(q 1) cp 1 qd)p. Thus, E is a multiple of p up to an additive eo of d N (+1) 2. In ode to apply Theoem 2, it emains to show that the expession Ekp 2 (p 1)(q 1) cp 1 qd is not a multiple of p 1 q. Since p 1 q divides the second tem, this is equivalent

6 to show that Ek(p 1)(q 1) is not a multiple of pq. By assumption, we have gcd(e, N) = 1 and thus it emains to pove that pq does not divide k(p 1)(q 1). Assume k(p 1)(q 1) = c pq fo some c. Then equation (1) simplifies to ed 1 = c N. On the othe hand we know that ee 1 = cn. Combining both equalities we obtain that d = E mod N. Since d, E < N we have d = E even ove. It is a well-known fact that the knowledge of the secet key d yields the factoization of N in pobabilistic polynomial time (see fo instance [9], Chapte 4.6.1). We biefly summaize ou factoization algoithm. (Mod p)-attack fo small d using a modulus N = p q INPUT: N (+1) 2. (N, e), whee N = p q and ed = 1 mod φ(n) fo some d 1. Compute E = e 1 mod N. If the computation of E fails, output p, q. 2. Run the algoithm of Theoem 2 on input E. If the algoithm s output is p, q then EXIT. 3. Othewise set d = E and un a pobabilistic factoization algoithm on input (N, e, d). OUTPUT: p, q Since evey step of the algoithm uns in (pobabilistic) polynomial time, this concludes the poof of the theoem. Theoem 3 gives us a polynomial time factoing algoithm wheneve a cetain amount of the MSBs of d ae zeo. The following coollay shows how the poof of Theoem 3 can be easily genealized such that the esult does not only hold if the MSBs of d ae zeo but instead if they ae known to the attacke. This gives as a patial key exposue attack fo known MSBs with an analogous bound. Coollay 4 (MSB) Let N = p q, whee 2 is a known constant and p, q ae pimes of the same bit-size. Let (e, d) φ(n) be the public-key/secet-key pai satisfying ed = 1 mod φ(n). Given d such that d d N (+1) 2. Then N can be factoed in pobabilistic polynomial time. Poof: The key-pai (e, d) satisfies the equality e(d d) + e d 1 = kp 1 (p 1)(q 1) fo some k.

7 Let E = e 1 mod N, i.e. Ee = 1 + cn fo some c. If E does not exist, we obtain the factoization of N. Multiplying the above equation by E yields (d d) + E(e d 1) = (Ekp 2 (p 1)(q 1) cp 1 q(d d))p. Thus, E(e d 1) is a multiple of p up to an additive eo of d d N The est of the poof is completely analogous to the poof of Theoem 3. (+1) 2 (+1) 2. Coollay 4 implies that one has to know oughly a faction of 1 of the MSBs of d fo ou patial key exposue attack. We can also deive a patial key exposue attack fo known LSBs with an analogous bound. Coollay 5 (LSB) Let N = p q, whee 2 is a known constant and p, q ae pimes of the same bit-size. Let (e, d) φ(n) be the public-key/secet-key pai satisfying ed = 1 mod φ(n). Given d 0, M with d = d 0 mod M and M N 1 (+1) 2. Then N can be factoed in pobabilistic polynomial time. Poof: Let us wite d = d 1 M + d 0, wee the unknown d 1 satisfies d 1 = d d0 N M N (+1) 2. We have the key equation ed 1 M + ed 0 1 = kp 1 (p 1)(q 1) fo some k. M < Multiply the equation by E = (em) 1 mod N. We see that E(ed 0 1) is a multiple of p up to an additive eo of d 1 < N (+1) 2. The est of the poof is analogous to the poof of Theoem 3. 4 Attack modulo p 1 Ou fist attack applied Theoem 2 which in tun uses a polynomial with small oots modulo p. In ou second attack we will constuct a polynomial with a small oot modulo p 1 and diectly apply Coppesmith s method in the univaiate case (Theoem 1). This appoach yields bette esults than the fist one wheneve 3. Theoem 6 Let N = p q, whee 2 is a known constant and p, q ae pimes of the same bit-size. Let (e, d) φ(n) be the public-key/secet-key pai satisfying ed = 1 mod φ(n). Suppose that d N ( 1 +1 ) 2. Then N can be factoed in pobabilistic polynomial time.

8 Poof: The key pai (e, d) satisfies the equation ed 1 = kp 1 (p 1)(q 1) fo some k. Let E be the invese of e modulo N, i.e. Ee = 1 + cn fo some c N. In the case that E does not exist, gcd(e, N) yields the complete factoization of N as shown in the poof of Theoem 3. Multiplying ou equation by E leads to d E = (Ek(p 1)(q 1) cdpq)p 1. This gives us a simple univaiate polynomial f p 1(x) = x E with the oot x 0 = d modulo p 1. Thus, we have a polynomial f p 1 of degee δ = 1 with a oot x 0 modulo p 1. In ode to apply Theoem 1, we have to find a lowe bound fo p 1 in tems of N. Since p and q ae of the same bit-size, we know that p 1 2 q. Hence p 1 = N pq N 2p. This gives us 2 p 1 ( ) N N Thus, we can choose β = log N and apply Theoem 1 with the paamete choice β, δ and c N = 4. We can find all oots x 0 that ae in absolute value smalle than 4N β2 δ = 4N ( 1 +1 )2 2( 1) (+1) log N + 1 log 2 N 4N ( 1 +1 )2 2 log N = N ( 1 +1 )2. Hence, we obtain the value x 0 = d. We can un a pobabilistic factoization algoithm on input (N, e, d) in ode to obtain the factoization of N in expected polynomial time. Remak 7 Anothe (deteministic) polynomial time method to find the factoization of N could be the computation of gcd(ed 1, N). Since ed 1 = kp 1 (p 1)(q 1), the computation yields a non-tivial diviso of N iff pq does not divide k(p 1)(q 1), which is unlikely to happen. As shown in the poof of Theoem 3, a non-tivial diviso of N eveals the complete factoization of the modulus. So in pactice, one might ty this altenative gcd-method fist and if it fails, one applies a pobabilistic algoithm on the key-pai (N, e, d). Let us summaize ou new factoization algoithm.

9 (Mod p )-attack fo small d using a modulus N = p q INPUT: (N, e), whee N = p q and ed = 1 mod φ(n) fo some d N ( 1 +1 ) Compute E = e 1 mod N. If E does not exist, compute gcd(e, N) and output p, q. 2. Apply the algoithm of Theoem 1 on input N, f p 1 = x E, β = log N and c N = 2. This gives us the value d. 3. If the computation gcd(ed 1, N) yields the factoization, EXIT. 4. Run a pobabilistic factoization algoithm on input (N, e, d). OUTPUT: p, q Evey step of the algoithm can be computed in pobabilistic polynomial time, which concludes the poof of Theoem 6 Simila to the fist attack (the (Mod p)-attack) fo small decyption exponent d, we can also easily deive patial key exposue attacks fo the new attack of Theoem 6. The poof of Theoem 6 shows that in ode to find the factoization of N, it suffice to find a linea, univaiate polynomial f p 1(x) = x + c with a oot x 0, x 0 N ( 1 +1 ) 2 modulo p 1. We will show that this equiement is satisfied in the following patial key exposue attacks. Instead of using small decyption exponents d < N ( 1 +1 ) 2 = N 1 4 (+1) 2, the attacke has to know a faction of oughly N in ode to succeed. 4 (+1) 2 of the bits of Coollay 8 (MSB) Let N = p q, whee 2 is a known constant and p, q ae pimes of the same bit-size. Let (e, d) φ(n) be the public-key/secet-key pai satisfying ed = 1 mod φ(n). Given d with d d N ( 1 +1 ) 2. Then N can be factoed in pobabilistic polynomial time. Poof: We know that e(d d) + e d 1 = 0 mod φ(n), and φ(n) is a multiple of p 1. Multiply the equation by E = e 1 mod N, which gives us the desied linea polynomial f p 1(x) = x + E(e d 1)

10 with the small oot x 0 = d d, x 0 N ( 1 +1 ) 2 modulo p 1. The est of the poof is analogous to the poof of Theoem 6. In a simila fashion, we deive a patial key exposue attack fo known LSBs. Coollay 9 (LSB) Let N = p q, whee 2 is a known constant and p, q ae pimes of the same bit-size. Let (e, d) φ(n) be the public-key/secet-key pai satisfying ed = 1 mod φ(n). Given d 0, M with d = d 0 mod M and M N 4 (+1) 2. Then N can be factoed in pobabilistic polynomial time. Poof: d 1 < N M Let us wite d = d 1 M + d 0. Then the unknown paamete satisfies 1 N( +1 ) 2. Fo the key-pai (e, d) we have e(d 1 M + d 0 ) 1 = 0 mod φ(n), whee φ(n) is a multiple of p 1. Multiplying this equation by E = (em) 1 modulo N gives us the desied linea polynomial f p 1(x) = x + E(ed 0 1) with the small oot d 1 modulo p 1. The est of the poof is analogous to the poof of Theoem 6. 5 Patial Key Exposue Attacks fo d = d modulo p 1 The patial key exposue attacks that we conside in this section fo moduli N = p q can be consideed as a genealization of the esults of Blöme and May [4]. The attacks ae an application of the theoem of Boneh, Dufee and Howgave-Gaham (Theoem 2). We deive simple patial key exposue attacks fo small public exponents e in both cases: known MSBs and known LSBs. The new attacks ae a theat to schemes that use CRT-decoding (fo instance Takagi s scheme [11]) in combination with small public exponents. Let us state ou LSB-attack. Theoem 10 Let N = p q, whee 1 is a known constant and p, q ae pimes of the same bit-size. Let e be the public key and let d p satisfy ed p = 1 mod p 1. Given d 0, M with d 0 = d p mod M and M 2N 1 (+1) 2. Then N can be factoed in time e poly(log(n)).

11 Poof: Let us conside the RSA key equation ed p 1 = k(p 1) fo some k. Since d p < (p 1), we obtain the inequality k < e. Let us wite d p = d 1 M + d 0. We can bound the unknown d 1 by d 1 < p M N (+1) 2. Ou equation above can be ewitten as ed 1 M + ed 0 + k 1 = kp. Compute the invese E of em modulo N, i.e. EeM = 1 + cn fo some c. If E does not exist, we obtain fom gcd(em, N) the complete factoization of N as shown in Theoem 3. Multiplying ou equation with E leaves us with d 1 + E(ed 0 + k 1) = (Ek cp 1 qd 1 )p. (+1) 2. Thus, E(ed 0 + k 1) is a multiple of p up to some additive eo d 1 N Since the paamete k is unknown, we have to do a bute foce seach fo k in the inteval [1, e). In ode to apply Theoem 2, it emains to show that the tem (Ek cp 1 qd 1 ) is not a multiple of p 1 q. This is equivalent to the condition that p 1 q does not divide Ek, but we know that gcd(e, N) = 1 and thus p 1 q must not divide k. But p 1 q cannot divide k in the case e p 1 q and othewise we can easily check the condition by computing gcd(k, N) fo evey possible k. The algoithm of Theoem 2 yields the factoization of N fo the coect guess of k. We biefly summaize ou factoization algoithm. Algoithm LSB-Attack fo d and moduli N = p q INPUT: (N, e), whee N = p q and d p satisfies ed p = 1 mod p 1 d 0, M with d 0 = d p mod M and M 2N 1 (+1) 2 1. Compute E = (em) 1 mod N. If the computation of E fails, find the factos p, q of N using gcd(em, N). 2. FOR k = 1 TO e (a) If gcd(k, N) > 1 find the factos p, q. (b) Run the algoithm of Theoem 2 on input E(ed 0 + k 1). If the algoithm s output is p, q then EXIT. OUTPUT: p, q The unning time of the algoithm is e poly(log N), which concludes the poof. Note that ou method fom Theoem 10 is polynomial time fo public exponents of the size poly(log(n)) and equies only a 1 (+1) 2 -faction of the bits (in

12 tems of the size of N), which is a faction of the bits of d p. The following theoem gives us a simila esult fo patial key exposue attacks with known MSBs, but in contast the method is polynomial time fo all public exponents e < N (+1) 2. We show that an appoximation of d p up to N (+1) 2 α suffices to find the factoization of N. Note that d p is of size oughly N Hence in the case α = 0, 1 a faction of +1 (+1) = 1 2 (+1) of the bits is enough (in tems of the size of 2 N). Theoem 11 Let N = p q, whee 1 is a known constant and p, q ae pimes of the same bit-size. Let e = N α, α [0, (+1) ] be the public key and let 2 d p satisfy ed p = 1 mod p 1. Given d with d p d N (+1) 2 α. Then N can be factoed in polynomial time. Poof: We know that ed p 1 = k(p 1) fo some k, with k < e. The tem e d is an appoximation of kp up to an additive eo of kp e d = e(d p d) + k 1 e(d p d) + k 1 N (+1) 2 + N α 2N (+1) 2. Thus, one of the tems e d ± N (+1) 2 satisfies the bound of Theoem 2. Note that the algoithm of Theoem 2 can be applied since k < e < N (+1) 2 and thus k cannot be a multiple of p 1 q = Ω(N +1 ). Let us biefly summaize the factoization algoithm. MSB-Attack fo d and moduli N = p q INPUT: (N, e), whee N = p q and d p satisfies ed p = 1 mod p 1 d with d p d N (+1) 2 α, whee α = log N (e). 1. Compute p = e d. 2. Run the algoithm of Theoem 2 on input p+n (+1) 2. If the algoithm s output is p, q then EXIT. 3. Othewise un the algoithm of Theoem 2 on input p N (+1) 2. OUTPUT: p, q The algoithm uns in time polynomial in log(n), which concludes the poof.

13 Refeences 1. D. Boneh, G. Dufee, Cyptanalysis of RSA with pivate key d less than N 0.292, IEEE Tans. on Infomation Theoy, Vol. 46(4), D. Boneh, G. Dufee, Y. Fankel, An attack on RSA given a small faction of the pivate key bits, Advances in Cyptology - AsiaCypt 98, Lectue Notes in Compute Science Vol. 1514, Spinge-Velag, pp , D. Boneh, G. Dufee, and N. Howgave-Gaham, Factoing N = p q fo lage, Advances in Cyptology - Cypto 99, Lectue Notes in Compute Science Vol. 1666, Spinge-Velag, pp , J. Blöme, A. May, New Patial Key Exposue Attacks on RSA, Advances in Cyptology - Cypto 2003, Lectue Notes in Compute Science Vol. 2729, pp , Spinge Velag, D. Coppesmith, Small solutions to polynomial equations and low exponent vulneabilities, Jounal of Cyptology, Vol. 10(4), pp , A. Fujioke, T. Okamoto, Miyaguchi, ESIGN: An Efficient Digital Signatue Implementation fo Smatcads, Advances in Cyptology - Euocypt 91, Lectue Notes in Compute Science Vol. 547, Spinge Velag, pp , P. Koche, Timing attacks on implementations of Diffie-Hellman, RSA, DSS and othe systems, Advances in Cyptology - Cypto 96, Lectue Notes in Compute Science Vol. 1109, Spinge Velag, pp , P. Koche, J. Jaffe and B. Jun, Diffeential powe analysis, Advances in Cyptology Cypto 99, Lectue Notes in Compute Science Vol. 1666, Spinge Velag, pp , D. Stinson, Cyptogaphy Theoy and Pactice, Second Edition, CRC Pess, T. Okamoto, S. Uchiyama, A new public key cyptosystem as secue as factoing, Advances in Cyptology - Euocypt 98, Lectue Notes in Compute Science Vol. 1403, Spinge Velag, pp , T. Takagi, Fast RSA-type cyptosystem modulo p k q, Advances in Cyptology - Cypto 98, Lectue Notes in Compute Science Vol. 1462,Spinge-Velag, pp , M. Wiene, Cyptanalysis of shot RSA secet exponents, IEEE Tansactions on Infomation Theoy, Vol. 36, pp , 1998.

New Finding on Factoring Prime Power RSA Modulus N = p r q

New Finding on Factoring Prime Power RSA Modulus N = p r q Jounal of Mathematical Reseach with Applications Jul., 207, Vol. 37, o. 4, pp. 404 48 DOI:0.3770/j.issn:2095-265.207.04.003 Http://jme.dlut.edu.cn ew Finding on Factoing Pime Powe RSA Modulus = p q Sadiq