Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Similar documents
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

A new attack on RSA with a composed decryption exponent

New Partial Key Exposure Attacks on RSA

A New Attack on RSA with Two or Three Decryption Exponents

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

New Partial Key Exposure Attacks on RSA

New attacks on RSA with Moduli N = p r q

Cryptanalysis of Unbalanced RSA with Small CRT-Exponent

On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e

Partial Key Exposure: Generalized Framework to Attack RSA

Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA

An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques

Partial Key Exposure Attacks on RSA Up to Full Size Exponents

Another Generalization of Wiener s Attack on RSA

On the Security of Multi-prime RSA

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

New Partial Key Exposure Attacks on RSA Revisited

A new lattice construction for partial key exposure attack for RSA

Applications of Lattice Reduction in Cryptography

Further Results on Implicit Factoring in Polynomial Time

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem

Cryptanalysis via Lattice Techniques

A Unified Framework for Small Secret Exponent Attack on RSA

Approximate Integer Common Divisor Problem relates to Implicit Factorization

Factoring N = p 2 q. Abstract. 1 Introduction and Problem Overview. =±1 and therefore

Asymmetric Encryption

On estimating the lattice security of NTRU

A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073

Algorithmic Number Theory and Public-key Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Fault Attacks Against emv Signatures

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

New RSA Vulnerabilities Using Lattice Reduction Methods

A Partial Key Exposure Attack on RSA Using a 2-Dimensional Lattice

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences

Double-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls

Mathematics of Cryptography

Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound

Implementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction

Number Theory. Modular Arithmetic

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

THE RSA CRYPTOSYSTEM

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

Breaking Plain ElGamal and Plain RSA Encryption

Factoring RSA Modulus with Primes not Necessarily Sharing Least Significant Bits

CIS 551 / TCOM 401 Computer and Network Security

MaTRU: A New NTRU-Based Cryptosystem

8.1 Principles of Public-Key Cryptosystems

Public Key Cryptography

Efficient RSA Cryptosystem with Key Generation using Matrix

An Approach Towards Rebalanced RSA-CRT with Short Public Exponent

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

COMP4109 : Applied Cryptography

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

RSA. Ramki Thurimella

Looking back at lattice-based cryptanalysis

PROPERTIES OF THE EULER TOTIENT FUNCTION MODULO 24 AND SOME OF ITS CRYPTOGRAPHIC IMPLICATIONS

A New Generalization of the KMOV Cryptosystem

Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side

How to Generalize RSA Cryptanalyses

Lattice Reduction of Modular, Convolution, and NTRU Lattices

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Cryptanalysis of RSA Signatures with Fixed-Pattern Padding

Computers and Mathematics with Applications

Twenty Years of Attacks on the RSA Cryptosystem

A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants

Theory of Computation Chapter 12: Cryptography

Introduction to Public-Key Cryptosystems:

10 Public Key Cryptography : RSA

Chapter 8 Public-key Cryptography and Digital Signatures

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

On the Design of Rebalanced RSA-CRT

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Public Key Algorithms

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

RSA Cryptosystem and Factorization

CRYPTANALYSIS OF RSA WITH LATTICE ATTACKS ANDREW HOON SUK

PSS Is Secure against Random Fault Attacks

Gurgen Khachatrian Martun Karapetyan

Public Key Encryption

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

CS March 17, 2009

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

On the Security of EPOC and TSH-ESIGN

The Shortest Vector Problem (Lattice Reduction Algorithms)

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Transcription:

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn, Germany alexx@uni-paderborn.de Abstract. We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/ secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is well-known that there is a probabilistic polynomial time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e, d < φ(n) and that the factors p, q are of the same bit-size. Our approach is an application of Coppersmith s technique for finding small roots of bivariate integer polynomials. Keywords: RSA, Coppersmith s method 1 Introduction One of the most important tasks in public key cryptography is to establish the polynomial time equivalence of the problem of computing the secret key from the public information to a well-known hard problem P that is believed to be computational infeasible. This reduction establishes the security of the secret key under the assumption that the problem P is computational infeasible. On the other hand, such a reduction does not provide any security for a public key system itself, since there might be ways to break a system without computing the secret key. Now let us look at the RSA scheme. We briefly define the RSA parameters: Let N = pq be a product of two primes of the same bit-size. Furthermore, let e, d be integers such that ed = 1 mod φ(n), where φ(n) is Euler s totient function. For the RSA scheme, we know that there exists a probabilistic polynomial time equivalence between the secret key computation and the problem of factoring the modulus N. The proof is given in the original RSA paper by Rivest, Shamir and Adleman [9] and is based on a work by Miller [8]. In this paper, we present a deterministic polynomial time algorithm that on input (N, e, d) outputs the factors p, q, provided that p and q are of the same bit-size and that ed N 2.

In the normal RSA-case we have e, d < φ(n), since e, d are defined modulo φ(n). This implies that ed N 2 as required. Thus, our algorithm establishes the deterministic polynomial time equivalence between the secret key computation and the factorization problem in the most common RSA case. We reduce the problem of factoring N to the problem of computing d, the reduction in the opposite direction is trivial. Our approach is an application of Coppersmith s method [4] for finding small roots of bivariate integer polynomials. We want to point out that some cryptanalytic results [1, 2] are based on Coppersmith s technique for solving modular bivariate polynomial equations. In contrast to these, we make use of Coppersmith s algorithm for bivariate polynomials with a small root over the integers. Therefore, our result does not depend on the usual heuristic for modular multivariate polynomial equations but is rigorous. To the best of our knowledge, the only known application of Coppersmith s method for bivariate polynomials with a root over the integers is the so-called factoring with high bits known [4]: Given half of the most significant bits of p, one can factor N in polynomial time. Howgrave-Graham [6] showed that this problem can be solved alternatively using an univariate modular approach (see also [5]). Since our approach directly uses Coppersmith s method for bivariate integer polynomials, the proof of our reduction is brief and simple. The paper is organized as follows. First, we present in Sect. 2 a deterministic polynomial time algorithm that factors N on input (N, e, d) provided that ed N 3 2. This more restricted result is interesting, since RSA is frequently used with small e in practice. Additionally, we need only elementary arithmetic in order to prove the result. As a consequence, the underlying algorithm has running time O(log 2 N). Second, we show in Sect. 3 how to improve the previous result to the desired bound ed N 2 by applying Coppersmith s method for solving bivariate integer polynomials. We conclude by giving experimental results in Sect. 4. 2 An Algorithm for ed N 3 2 In this work, we always assume that N is a product of two different prime factors p, q of the same bitsize, wlog p < q. This implies p < N 1 2 < q < 2p < 2N 1 2. We obtain the following useful estimates: p + q < 3N 1 2 and φ(n) = N + 1 (p + q) > 1 2 N. Let us denote by k the smallest integer greater or equal to k. Furthermore, we denote by the ring of invertible integers modulo φ(n). φ(n)

In the following theorem, we present a very efficient algorithm that on input (N, e, d) outputs the factors of N provided that ed N 3 2. Theorem 1 Let N = pq be an RSA-modulus, where p and q are of the same bit-size. Suppose we know integers e, d with ed > 1, ed = 1 mod φ(n) and ed N 3 2. Then N can be factored in time O(log 2 N). Proof: Since ed = 1 mod φ(n), we know that ed = 1 + kφ(n) for some k. Next, we show that k can be computed up to a small constant for our choice of e and d. Therefore, let us define k = ed 1 N as an underestimate of k. We observe that k k = ed 1 φ(n) ed 1 N = = N(ed 1) (N p q + 1)(ed 1) φ(n)n (p + q 1)(ed 1) φ(n)n Using the inequalities p + q 1 < 3N 1 2 and φ(n) 1 2N, we conclude that k k < 6N 3 2 (ed 1). (1) Since ed N 3 2, we know that k k k < 6. Thus, one of the six values + i, i = 0, 1,... 5 must be equal to k. We test these six candidates successively. For the right choice k, we can compute N + 1 + 1 ed = p + q. k From the value p + q, we can easily find the factorization of N. Our approach uses only elementary arithmetic on integers of size log(n). Thus, the running time is O(log 2 N) which concludes the proof of the theorem. 3 The Main Result In this section, we present a polynomial time algorithm that on input (N, e, d) outputs the factorization of N provided that ed N 2. This improves upon the result of Theorem 1. However, the algorithm is less efficient, especially when we get close to the bound N 2. Our approach makes use of the following result of Coppersmith [4] for finding small roots of bivariate integer polynomials.

Theorem 2 (Coppersmith) Let f(x, y) be an irreducible polynomial in two variables over, of maximum degree δ in each variable separately. Let X, Y be bounds on the desired solution (x 0, y 0 ). Let W be the absolute value of the largest entry in the coefficient vector of f(xx, yy ). If XY W 2 3δ then in time polynomial in log W and 2 δ we can find all integer pairs (x 0, y 0 ) with f(x 0, y 0 ) = 0, x 0 X and y 0 Y. Now, let us prove our main theorem. Theorem 3 Let N = pq be an RSA-modulus, where p and q are of the same bit-size. Suppose we know integers e, d with ed > 1, ed = 1 mod φ(n) and ed N 2. Then N can be factored in time polynomial in the bit-size of N. Proof: Let us start with the equation ed = 1 + kφ(n) for some k. (2) Analogous to the proof of Theorem 1, we define the underestimate k = ed 1 N k. Using (1), we know that of k k < 6N 3 2 (ed 1) < 6N 1 2. Let us denote x = k k. Therefore, we have an approximation k for the unknown parameter k in (2) up to an additive error of x. Next, we also want to find an approximation for the second unknown parameter φ(n) in (2). Note that N φ(n) = p + q 1 < 3N 1 2. That is, φ(n) lies in the interval [N 3N 1 2, N]. We can easily guess an estimate of φ(n) with additive error at most 1 4 N 1 2 by doing a brute-force search on the most significant bits of φ(n). More precisely, we divide the interval [N 3N 1 2, N] into 6 sub-interval of length 1 2 N 1 2 with centers N 2i 1 4 N 1 2, i = 1, 2,..., 6. For the correct choice of i we have N 2i 1 N 1 2 φ(n) 1 4 4 N 1 2. Let g denote the term 2i 1 4 N 1 2 for the right choice of i. That is, we know φ(n) = N g y for some unknown y with y 1 4 N 1 2. Plugging our approximations for k and φ(n) in (2) leads to ed 1 ( k + x)(n g y) = 0.

Let us round k and g to the next integers. Here we omit the rounding brackets k, g for ease of simplicity. Notice that the effect of this rounding on the bounds of the estimation errors x and y can be neglected (x becomes even smaller). Thus, we assume in the following that k, g are integers. Therefore, we can define the following bivariate integer polynomial f(x, y) = xy (N g)x + ky k(n g) + ed 1 with a root (x 0, y 0 ) = (k k, p + q 1 g) over the integers. In order to apply Coppersmith s theorem (Theorem 2), we have to bound the size of the root (x 0, y 0 ). We define X = 6N 1 2 and Y = 1 4 N 1 2. Then, x 0 X and y 0 Y. Let W denote the l -norm of the coefficient vector of f(xx, yy ). We have W (N g)x 3N 3 2. By Coppersmith s theorem, we have to satisfy the condition XY W 2 3. Using our bounds, we obtain XY = 3 2 N < (3N 3 2 ) 2 3 W 2 3. Thus, we can find the root (x 0, y 0 ) in time polynomial in the bit-size of W using Coppersmith s method. Note that the running time is also polynomial in the bit-size of N since W NX = 6N 3 2. Finally, the term y0 = p + q 1 g yields the factorization of N. This concludes the proof of the theorem. We want to point out that Theorem 3 can be easily generalized to the case, where p + q poly(log N) N 1 2. I.e., we do not necessarily need that p and q are of the same bit-size. All that we have to require is that they are balanced up to some polylogarithmic factor in N. The following theorem is a direct consequence of Theorem 3. It establishes the polynomial time equivalence of computing d and factoring N in the common RSA case, where e, d φ(n). Theorem 4 Let N = pq be an RSA-modulus, where p and q are of the same bit-size. Furthermore, let e φ(n) be an RSA public exponent. Suppose we have an algorithm that on input (N, e) outputs in deterministic polynomial time the RSA secret exponent d φ(n) satisfying ed = 1 mod φ(n). Then N can be factored in deterministic polynomial time. 4 Experiments We want to provide some experimental results. We implemented the algorithm introduced in the previous section on an 1GHz Linux-PC. Our implementation of Coppersmith s method follows the description given by Coron [4]. L 3 -lattice reduction [7] is done using Shoup s NTL library [10].

We choose e < φ(n) randomly. Therefore, in every experiment the product ed is very close to the bound N 2. Notice that in Theorem 3, we have to do a small brute-force search on the most significant bits of φ(n) in order to prove the desired bound. The polynomial time algorithm of Coppersmith given by Theorem 2 requires a similar brute-force search on the most significant bits. In Table 1, we added a column that states the total number c of bits that one has to guess in order to find a sufficiently small lattice vector. Thus, we have to multiply the running time of the lattice reduction algorithm by a factor of 2 c. As the results indicate, the number c heavily depends on the lattice dimension. Coppersmith s technique yields a polynomial time algorithm when the lattice dimension is of size θ(log W ). However, we only tested our algorithm for lattices of small fixed dimensions 16, 25 and 36. Our experiments compare well to the experimental results of Coron [3]: One cannot come close to the bounds of Coppersmith s theorem without reducing lattices of large dimension. Notice that we have to guess a large number of bits. In contrast, by the proof of Coppersmith s theorem (see [4]) the number of bits that one has to guess for lattice dimension θ(log W ) is a small constant. However, it is a non-trivial task to handle lattices of these dimensions in practice. Table 1. Results for ed N 2 N c dim L 3 -time 512 bit 55 bit 16 0.5 min 512 bit 43 bit 25 6 min 512 bit 36 bit 36 53 min 768 bit 80 bit 16 1 min 768 bit 63 bit 25 13 min 768 bit 53 bit 36 128 min 1024 bit 105 bit 16 2.5 min 1024 bit 82 bit 25 26 min 1024 bit 67 bit 36 242 min

One might conclude that our method is of purely theoretical interest. But let us point out that we have a worst case for our approach when the product ed is very close to the bound N 2. In Table 2, we provide some more practical results for the case ed N 1.75. Table 2. Results for ed N 1.75 N c dim L 3 -time 512 bit 10 bit 25 6 min 768 bit 13 bit 25 13 min 1024 bit 18 bit 25 26 min References 1. D. Boneh, G. Durfee, Cryptanalysis of RSA with private key d less than N 0.292, IEEE Trans. on Information Theory, Vol. 46(4), pp. 1339 1349, 2000 2. J. Blömer, A. May, New Partial Key Exposure Attacks on RSA, Advances in Cryptology Crypto 2003, Lecture Notes in Computer Science Vol. 2729, pp. 27 43, Springer-Verlag, 2003 3. Jean-Sébastien Coron, Finding Small Roots of Bivariate Integer Polynomial Equations Revisited, Advances in Cryptology Eurocrypt 04, Lecture Notes in Computer Science Vol. 3027, pp. 492 505, Springer-Verlag, 2004 4. D. Coppersmith, Small solutions to polynomial equations and low exponent vulnerabilities, Journal of Cryptology, Vol. 10(4), pp. 223 260, 1997. 5. D. Coppersmith, Finding Small Solutions to Small Degree Polynomials, Cryptography and Lattice Conference (CaLC 2001), Lecture Notes in Computer Science Volume 2146, Springer-Verlag, pp. 20 31, 2001. 6. N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Proceedings of Cryptography and Coding, Lecture Notes in Computer Science Vol. 1355, Springer-Verlag, pp. 131 142, 1997 7. A. K. Lenstra, H. W. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, Vol. 261, pp. 513 534, 1982 8. G. L. Miller, Riemann s hypothesis and tests for primality, Seventh Annual ACM Symposium on the Theory of Computing, pp. 234 239, 1975 9. R. Rivest, A. Shamir and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM, Vol. 21(2), pp.120 126, 1978 10. V. Shoup, NTL: A Library for doing Number Theory, online available at http:// www.shoup.net/ntl/index.html

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback