New Finding on Factoring Prime Power RSA Modulus N = p r q


Journal of Mathematical Research with Applications, Jul., 2017, Vol. 37, No. 4, pp. 404-418. DOI:10.3770/j.issn:2095-2651.2017.04.003. Http://jmre.dlut.edu.cn

New Finding on Factoring Prime Power RSA Modulus $N = p^r q$

Sadiq SHEHU$^1$, Muhammad Rezal Kamel ARIFFIN$^{1,2,*}$
1. Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, Universiti Putra Malaysia, 43400 UPM Serdang, Selangor, Malaysia;
2. Department of Mathematics, Faculty of Science, Universiti Putra Malaysia, 43400 UPM Serdang, Selangor, Malaysia

Abstract This paper proposes three new attacks. In the first attack we consider the class of public exponents satisfying an equation $eX - NY + (ap^r + bq^r)Y = Z$ for suitably small positive integers $a, b$. Applying continued fractions we show that $Y/X$ can be recovered among the convergents of the continued fraction expansion of $e/N$. Moreover, we show that the number of such exponents is at least $N^{\frac{2}{r+1}-\varepsilon}$, where $\varepsilon \ge 0$ is arbitrarily small for large $N$. The second and third attacks work upon $k$ RSA public keys $(N_i, e_i)$ when there exist $k$ relations of the form $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$ or of the form $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ and the parameters $x, x_i, y, y_i, z_i$ are suitably small in terms of the prime factors of the moduli. We apply the LLL algorithm, and show that our strategy enables us to simultaneously factor the $k$ prime power RSA moduli.

Keywords RSA prime power; factorization; LLL algorithm; simultaneous diophantine approximations; continued fraction
MR(2010) Subject Classification 11A51; 11A55; 11K60

Received July 8, 2016; Accepted September 7, 2016
* Corresponding author. E-mail address: rezal@upm.edu.my (Muhammad Rezal Kamel ARIFFIN)

1. Introduction
The underlying one-way function of RSA is the integer factorization problem: multiplying two large primes is computationally easy, but factoring the resulting product is very hard. It is also well known that the security of RSA is based on the difficulty of solving the so-called RSA problem: given an RSA public key $(e, N)$ and a ciphertext $c \equiv m^e \pmod N$, compute the plaintext $m$.
The RSA problem is not harder to solve than the integer factorization problem, because factoring the RSA modulus leads to computing the private exponent $d$, and hence to solving the RSA problem. However, it is not clear whether the converse is true. In the RSA cryptosystem, the public modulus $N = pq$ is a product of two primes of the same bit size. The public and private exponents $e$ and $d$ satisfy the congruence $ed \equiv 1 \pmod{\phi(N)}$, where $\phi(N) = (p-1)(q-1)$ is the Euler totient function [1,2].

In 1990, Wiener showed that RSA is insecure if $d < \frac{1}{3}N^{0.25}$ (see [3]). Later, based on lattice basis reduction, Boneh and Durfee improved the bound to $d < N^{0.292}$ (see [4]). The number of exponents for which their attack applies can be estimated as $N^{0.292-\varepsilon}$. Wiener's attack, as well as its generalization by Boneh and Durfee, is based on the RSA key equation $ed - k\phi(N) = 1$, where $k$ is a positive integer. In 2004, Blömer and May combined Wiener's method with the Boneh-Durfee method to show that RSA is insecure if the public exponent $e$ satisfies an equation $ex - k\phi(N) = y$ (see [5]). Applying the continued fraction algorithm and Coppersmith's method [6], they showed that the RSA modulus can be factored in polynomial time if the parameters $x$ and $y$ satisfy $x < \frac{1}{3}N^{\frac{1}{4}}$ and $|y| \le N^{-\frac{3}{4}}ex$. Additionally, Blömer and May proved that the number of such weak exponents is at least $N^{\frac{3}{4}-\varepsilon}$ (see [7,8,2]).

Many RSA variants have been proposed in order to ensure computational efficiency while maintaining acceptable levels of security. One such important variant is the prime power RSA, in which the modulus has the form $N = p^r q$ for $r \ge 2$. In 1998, Takagi showed how to use the prime power RSA to speed up the decryption process when the public and private exponents satisfy an equation $ed \equiv 1 \pmod{(p-1)(q-1)}$ (see [9]). As in the standard RSA cryptosystem, the security of the prime power RSA depends on the difficulty of factoring integers of the form $N = p^r q$ (see [10-12]).

We continue the discussion of variants of RSA moduli by manipulating $k$ instances of RSA moduli and public key pairs $(N_i, e_i)$ via their $k$ equations. In 2007, Hinek showed that it is possible to factor the $k$ moduli $N_i$ using $k$ equations of the form $e_i d - k_i\phi(N_i) = 1$ if $d < N^{\delta_k}$ with $\delta_k = \frac{1}{2(k+1)} - \varepsilon$, where $\varepsilon$ is a small constant depending on the size of $\max N_i$ (see [13]). Very recently, in 2014, with $k$ RSA public keys $(N_i, e_i)$, Nitaj et al. presented a method that factors the $k$ RSA moduli $N_i$ using $k$ equations of the shape $e_i x - y_i\phi(N_i) = z_i$ or of the shape $e_i x_i - y\phi(N_i) = z_i$, where $N_i = p_i q_i$, $\phi(N_i) = (p_i - 1)(q_i - 1)$ and the parameters $x, x_i, y, y_i, z_i$ are suitably small in terms of the prime factors of the moduli [14].

Our contribution is motivated by the recent results of [14] and [2]. This paper proposes three new attacks on the prime power RSA with a modulus $N = p^r q$. In the first attack, we consider an instance of the prime power RSA with modulus $N = p^r q$ and public exponent $e$ satisfying the equation $eX - NY + (ap^r + bq^r)Y = Z$ for suitable positive integers $a, b$. Using continued fractions we show that $Y/X$ can be recovered among the convergents of the continued fraction expansion of $e/N$. We show that the number of such exponents is at least $N^{\frac{2}{r+1}-\varepsilon}$, where $\varepsilon \ge 0$ is arbitrarily small for large $N$. Hence one can factor the modulus $N = p^r q$ in polynomial time. For $k \ge 2$, $r \ge 2$, let $N_i = p_i^r q_i$, $i = 1, \ldots, k$. The second attack works when $k$ instances $(N_i, e_i)$ are such that there exist an integer $x$, $k$ integers $y_i$, and $k$ integers $z_i$ satisfying $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$. We show that the $k$ RSA moduli $N_i$ can be factored in polynomial

time if $N = \min_i N_i$ and $x < N^{\delta}$, $y_i < N^{\delta}$, $|z_i| < \frac{|ap_i^r - bq_i^r|}{3(ap_i^r + bq_i^r)}N^{\frac{1}{2}}y_i$, where $\delta = \frac{k - 2\alpha k}{2(1+k)}$. In the third attack we show that the $k$ RSA moduli $N_i$ can be factored in polynomial time when the $k$ instances $(N_i, e_i)$ of RSA are such that there exist an integer $y$, $k$ integers $x_i$ and $k$ integers $z_i$ satisfying $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ with $N = \min_i N_i$, $\min_i e_i = N^{\beta}$ and $x_i < N^{\delta}$, $y < N^{\delta}$, $|z_i| < \frac{|ap_i^r - bq_i^r|}{3(ap_i^r + bq_i^r)}N^{\frac{1}{2}}y$, where $\delta = \frac{2\beta k - 2\alpha k - k}{2(1+k)}$. For the second and third attacks we transform the equations into a simultaneous diophantine approximation problem and apply lattice basis reduction techniques to find the parameters $(x, y_i)$ or $(y, x_i)$, which leads to the factorization of the $k$ RSA moduli $N_i$.

The rest of the paper is structured as follows. In Section 2, we give a brief review of basic facts about continued fractions, lattice basis reduction and simultaneous diophantine approximations, with some useful results needed for the attacks. In Section 3, we propose the first attack with an estimation of the number of exponents for which our attack works. In Sections 4 and 5, we give the second and third attacks. We conclude this paper in Section 6.

2. Preliminaries
We start with definitions and an important result concerning continued fractions, lattice basis reduction techniques and simultaneous diophantine equations, as well as some useful lemmas needed for the attacks.

2.1. Continued fraction
Definition 2.1 (Continued fraction) The continued fraction of a real number $R$ is an expression of the form
$$R = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}}$$
where $a_0 \in \mathbb{Z}$ and $a_i \ge 1$ for $i \ge 1$. The numbers $a_0, a_1, a_2, \ldots$ are called the partial quotients. We use the notation $R = [a_0, a_1, a_2, \ldots]$. For $i \ge 1$ the rationals $\frac{r_i}{s_i} = [a_0, a_1, \ldots, a_i]$ are called the convergents of the continued fraction expansion of $R$. If $R = \frac{a}{b}$ is a rational number such that $\gcd(a, b) = 1$, then the continued fraction expansion is finite.

Theorem 2.1 (Hardy and Wright (1965), see [15]) Let $x = [a_0, a_1, a_2, \ldots, a_m]$ be the continued fraction expansion of $x$. If $X$ and $Y$ are coprime integers such that $\left|x - \frac{Y}{X}\right| < \frac{1}{2X^2}$, then $Y = p_n$ and $X = q_n$ for some convergent $\frac{p_n}{q_n}$ of $x$ with $n \ge 0$.

2.2. Lattice

A lattice is a discrete (additive) subgroup of $\mathbb{R}^n$. Equivalently, given $m \le n$ linearly independent vectors $b_1, \ldots, b_m \in \mathbb{R}^n$, the set
$$L = L(b_1, \ldots, b_m) = \left\{ \sum_{i=1}^{m} \alpha_i b_i \;\middle|\; \alpha_i \in \mathbb{Z} \right\}$$
is a lattice. The $b_i$ are called basis vectors of $L$ and $B = \langle b_1, \ldots, b_m \rangle$ is called a lattice basis for $L$. Thus, the lattice generated by a basis $B$ is the set of all integer linear combinations of the basis vectors in $B$. The dimension (or rank) of a lattice, denoted $\dim(L)$, is equal to the number of vectors making up the basis. The dimension of a lattice is equal to the dimension of the vector subspace spanned by $B$. A lattice is said to be full dimensional (or full rank) when $\dim(L) = n$ (see [12]). A lattice $L$ can be represented by a basis matrix. Given a basis $B$, a basis matrix $M$ for the lattice generated by $B$ is the $m \times n$ matrix defined by the rows of the set $b_1, \ldots, b_m$:
$$M = \begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix}.$$
It is often useful to represent the matrix $M$ by $B$. A very important notion for the lattice $L$ is the determinant. Let $L$ be a lattice generated by the basis $B = \langle b_1, \ldots, b_m \rangle$. The determinant of $L$ is defined as $\det(L) = \sqrt{\det(BB^T)}$. If $n = m$, we have $\det(L) = \sqrt{\det(BB^T)} = |\det(B)|$.

Theorem (Lenstra et al. (1982), see [16]) Let $L$ be a lattice of dimension $\omega$ with a basis $v_1, \ldots, v_\omega$. The LLL algorithm produces a reduced basis $b_1, \ldots, b_\omega$ satisfying
$$\|b_1\| \le \|b_2\| \le \cdots \le \|b_i\| \le 2^{\frac{\omega(\omega-1)}{4(\omega+1-i)}} \det(L)^{\frac{1}{\omega+1-i}}$$
for all $1 \le i \le \omega$.

An application of the LLL algorithm is that it provides a solution to the simultaneous diophantine approximations problem, which is defined as follows. Let $\alpha_1, \ldots, \alpha_n$ be $n$ real numbers and $\varepsilon$ a real number such that $0 < \varepsilon < 1$. A classical theorem of Dirichlet asserts that there exist integers $p_1, \ldots, p_n$ and a positive integer $q \le \varepsilon^{-n}$ such that $|q\alpha_i - p_i| < \varepsilon$ for $1 \le i \le n$. A method to find simultaneous diophantine approximations to rational numbers was described by [16]. In their work, they considered a lattice with real entries. The following is a similar result for a lattice with integer entries.

Theorem 2.2 (Simultaneous diophantine approximations) ([14]) There is a polynomial time algorithm, for given rational numbers $\alpha_1, \ldots, \alpha_n$ and $0 < \varepsilon < 1$, to compute integers $p_1, \ldots, p_n$

and a positive integer $q$ such that
$$\max_i |q\alpha_i - p_i| < \varepsilon \quad\text{and}\quad q \le 2^{\frac{n(n-3)}{4}} \cdot 3^n \cdot \varepsilon^{-n}.$$
Proof See [14], Appendix A.

Lemma 2.3 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Then
$$2^{-\frac{r}{r+1}} N^{\frac{1}{r+1}} < q < N^{\frac{1}{r+1}} < p < 2^{\frac{1}{r+1}} N^{\frac{1}{r+1}}.$$
Proof Suppose $N = p^r q$. Multiplying $q < p < 2q$ by $p^r$, we get $p^r q < p^{r+1} < 2p^r q$, which implies $N < p^{r+1} < 2N$, that is $N^{\frac{1}{r+1}} < p < 2^{\frac{1}{r+1}}N^{\frac{1}{r+1}}$. Also, since $N = p^r q$, we have $q = \frac{N}{p^r}$, which in turn implies $2^{-\frac{r}{r+1}}N^{\frac{1}{r+1}} < q < N^{\frac{1}{r+1}}$. Hence $2^{-\frac{r}{r+1}}N^{\frac{1}{r+1}} < q < N^{\frac{1}{r+1}} < p < 2^{\frac{1}{r+1}}N^{\frac{1}{r+1}}$.

Lemma 2.4 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a, b$ be suitably small integers with $\gcd(a, b) = 1$ and $|ap^r - bq^r| < N^{\frac{1}{2}}$. Let $S$ be an approximation of $ap^r + bq^r$ such that
$$|ap^r + bq^r - S| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}.$$
Then $abq^{r-1} = \left[\frac{S^2}{4N}\right]$, where $[\cdot]$ denotes the nearest integer.

Proof Set $S = ap^r + bq^r + k$ with $|k| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}$. Observe that
$$(ap^r - bq^r)^2 = (ap^r - bq^r)(ap^r - bq^r) = (ap^r + bq^r)^2 - 4abq^r p^r = (ap^r + bq^r)^2 - 4abq^{r-1}N.$$
Therefore, we obtain
$$(ap^r - bq^r)^2 = (ap^r + bq^r)^2 - 4abq^{r-1}N. \quad (1)$$
Now we consider
$$S^2 - 4abq^{r-1}N = (ap^r + bq^r + k)^2 - 4abq^{r-1}N = a^2p^{2r} + 2abq^r p^r + b^2q^{2r} + 2akp^r + 2bkq^r + k^2 - 4abq^{r-1}N$$
$$= a^2p^{2r} + 2abq^r p^r + b^2q^{2r} + 2k(ap^r + bq^r) + k^2 - 4abq^{r-1}N = (ap^r + bq^r)^2 - 4abq^{r-1}N + 2k(ap^r + bq^r) + k^2.$$
Therefore, using (1) above, we can rewrite
$$S^2 - 4abq^{r-1}N = (ap^r - bq^r)^2 + 2k(ap^r + bq^r) + k^2. \quad (2)$$
Suppose that $|ap^r - bq^r| < N^{\frac{1}{2}}$ and $|k| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}} < \frac{N^{\frac{1}{2}}}{2}$. Then, from (2), we have
$$|S^2 - 4abq^{r-1}N| \le (ap^r - bq^r)^2 + 2|k|(ap^r + bq^r) + k^2 < \left(N^{\frac{1}{2}}\right)^2 + 2(ap^r + bq^r)\frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}} + \left(\frac{N^{\frac{1}{2}}}{2}\right)^2$$
$$= N + \frac{2}{3}|ap^r - bq^r|\,N^{\frac{1}{2}} + \frac{N}{4} < N + \frac{2}{3}N + \frac{N}{4} < 2N.$$

Thus we have $|S^2 - 4abq^{r-1}N| < 2N$. Dividing by $4N$, we obtain
$$\left|\frac{S^2}{4N} - abq^{r-1}\right| = \frac{|S^2 - 4abq^{r-1}N|}{4N} < \frac{2N}{4N} = \frac{1}{2},$$
which implies that $abq^{r-1} = \left[\frac{S^2}{4N}\right]$.

3. The first attack on prime power RSA with modulus $N = p^r q$
Let $(N, e)$ be a public key satisfying an equation $eX - NY + (ap^r + bq^r)Y = Z$ with small parameters $X, Y$ and $Z$, where $a, b$ are suitably small positive integers. In this section, we present a result based on continued fractions and show how to factor the prime power RSA modulus.

Lemma 3.1 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a, b$ be suitably small integers with $\gcd(a, b) = 1$. Let $e$ be a public key exponent satisfying the equation $eX - NY + (ap^r + bq^r)Y = Z$ with $\gcd(X, Y) = 1$. If $Y \le X < \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}$ and $|Z| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y$, then $\frac{Y}{X}$ is among the convergents of the continued fraction expansion of $\frac{e}{N}$.

Proof Assume that $|Z| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y$; thus $|Z| < |ap^r - bq^r|\,Y \le (ap^r + bq^r)Y$, since $3(ap^r + bq^r) > N^{\frac{1}{2}}$. Hence from the equation $eX - NY + (ap^r + bq^r)Y = Z$ we get
$$\left|\frac{e}{N} - \frac{Y}{X}\right| = \frac{|eX - NY|}{NX} = \frac{|Z - (ap^r + bq^r)Y|}{NX} \le \frac{|Z|}{NX} + \frac{(ap^r + bq^r)Y}{NX} \le \frac{2(ap^r + bq^r)Y}{NX} \le \frac{2(ap^r + bq^r)X}{NX} = \frac{2(ap^r + bq^r)}{N}.$$
Therefore, if the condition $\frac{2(ap^r + bq^r)}{N} < \frac{1}{2X^2}$ holds, then by Theorem 2.1, $\frac{Y}{X}$ is one of the convergents of the continued fraction expansion of $\frac{e}{N}$. This condition is equivalent to
$$\frac{2(ap^r + bq^r)}{N} < \frac{1}{2X^2} \iff 4X^2(ap^r + bq^r) < N \iff X^2 < \frac{N}{4(ap^r + bq^r)} \iff X < \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}.$$

Theorem 3.2 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a, b$ be suitably small integers with $\gcd(a, b) = 1$. Suppose that $e$ is a public key exponent satisfying the

equation $eX - NY + (ap^r + bq^r)Y = Z$ with $\gcd(X, Y) = 1$. If $Y \le X < \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}$ and $|Z| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y$, then $N$ can be factored in polynomial time.

Proof Suppose that the public key $e$ satisfies an equation $eX - NY + (ap^r + bq^r)Y = Z$ with $\gcd(X, Y) = 1$. Let $Y \le X < \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}$ and $|Z| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y$ satisfy the conditions of Lemma 3.1 above. Then $\frac{Y}{X}$ is one of the convergents of the continued fraction expansion of $\frac{e}{N}$. Let us rewrite the equation $eX - NY + (ap^r + bq^r)Y = Z$ as
$$\frac{eX}{Y} - N + (ap^r + bq^r) = \frac{Z}{Y}, \qquad (ap^r + bq^r) - \left(N - \frac{eX}{Y}\right) = \frac{Z}{Y}.$$
We define $S = N - \frac{eX}{Y}$. Therefore $S$ is an approximation of $ap^r + bq^r$ satisfying
$$|ap^r + bq^r - S| = \left|(ap^r + bq^r) - \left(N - \frac{eX}{Y}\right)\right| = \frac{|Z|}{Y} < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)\,Y}N^{\frac{1}{2}}\,Y = \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}},$$
which, by Lemma 2.4, implies that $abq^{r-1} = \left[\frac{S^2}{4N}\right]$ for the value $S = N - \frac{eX}{Y}$. Therefore, it follows that $q = \gcd\left(\left[\frac{S^2}{4N}\right], N\right)$.

Example 3.3 The following shows an illustration of our attack for $r = 3$, given $N$ and $e$ as $N = 358739209820385708$, $e = 283422759094640573$. Suppose that the public key $(e, N)$ satisfies $N = p^r q$, $q < p < 2q$ and $eX - NY + (ap^r + bq^r)Y = Z$ for small parameters $X, Y, Z$ as stated in the theorem. Following the above algorithm, we first compute the continued fraction expansion of $\frac{e}{N}$. The list of the first convergents of the continued fraction expansion of $\frac{e}{N}$ is
$$\left[0,\ 1,\ \frac{3}{4},\ \frac{4}{5},\ \frac{7}{9},\ \frac{11}{14},\ \frac{29}{37},\ \frac{40}{51},\ \frac{309}{394},\ \frac{349}{445},\ \frac{2054}{2619},\ \frac{4457}{5683},\ \frac{15425}{19668},\ \frac{189557}{241699},\ \frac{394539}{503066},\ \ldots\right].$$
Therefore, omitting the first and second entries and starting with the convergent $\frac{3}{4}$, we obtain $S = N - \frac{eX}{Y} = 497334069740568$, $\left[\frac{S^2}{4N}\right] = 8723494352664627$. Hence $\gcd\left(\left[\frac{S^2}{4N}\right], N\right) = \gcd(8723494352664627, 358739209820385708) = 1$. Applying the factorization algorithm with the convergent $\frac{40}{51}$, we obtain $S = N - \frac{eX}{Y} = 82076789887590959$, $\left[\frac{S^2}{4N}\right] = 29342068566$. We compute $\gcd\left(\left[\frac{S^2}{4N}\right], N\right) = \gcd(29342068566, 358739209820385708) = 6993$. Finally, with $q = 6993$, we compute $p = \left(\frac{N}{q}\right)^{\frac{1}{3}} = 8005$, which leads to the factorization of $N$.
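As an added example (not code from the paper or its authors), the following Python script implements the Section 3 procedure of Theorem 3.2 and Example 3.3 as a weak-key check: it walks the convergents $Y/X$ of $e/N$, sets $S = N - eX/Y$, rounds $S^2/(4N)$ and takes the gcd with $N$. So that it can be run offline it also constructs a small key that satisfies $eX - NY + (ap^r + bq^r)Y = Z$; the primes, $r = 2$, and the function names are constructed assumptions, and the construction only guarantees the two arithmetic conditions the recovery needs (Theorem 2.1's bound and $|S^2 - 4abq^{r-1}N| < 2N$ from Lemma 2.4).

```python
from fractions import Fraction
from math import gcd, isqrt


def convergents(num, den):
    """Yield the convergents h/k of the continued fraction of num/den, in order."""
    h_prev, h = 0, 1          # h_{-2}, h_{-1}
    k_prev, k = 1, 0          # k_{-2}, k_{-1}
    while den:
        a, rem = divmod(num, den)            # next partial quotient
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k
        num, den = den, rem


def integer_root(n, r):
    """Return the exact r-th root of n, or None if n is not a perfect r-th power."""
    guess = round(n ** (1.0 / r))
    for c in (guess - 1, guess, guess + 1):
        if c >= 0 and c ** r == n:
            return c
    return None


def factor_prime_power_rsa(N, e, r):
    """Section 3 procedure: for each convergent Y/X of e/N, S = N - eX/Y approximates
    ap^r + bq^r, so round(S^2/(4N)) = ab*q^(r-1) (Lemma 2.4) and gcd with N gives q.
    Returns (p, q), or None if no convergent works."""
    for Y, X in convergents(e, N):
        if Y == 0:
            continue
        S = N - Fraction(e * X, Y)            # exact rational S = N - eX/Y
        t = round(S * S / (4 * N))            # nearest integer to S^2/(4N)
        g = gcd(t, N)
        if 1 < g < N:
            p = integer_root(N // g, r)       # accept g only if N/g is a perfect r-th power
            if p is not None:
                return p, g
    return None


def make_weak_key(p, q, r):
    """Constructed test key (assumption, not from the paper): N = p^r q and an e that
    satisfies eX - NY + (ap^r + bq^r)Y = Z with small a, b, X, Y, Z."""
    pr, qr = p ** r, q ** r
    N = pr * q
    # a/b: first convergent of q^r/p^r with (a p^r - b q^r)^2 < N, as Lemma 2.4 requires
    for a, b in convergents(qr, pr):
        if a >= 1 and (a * pr - b * qr) ** 2 < N:
            break
    T = a * pr + b * qr
    # coprime X, Y with 2XY*T + X^2 < N, so |e/N - Y/X| < 1/(2X^2) and Y/X is a convergent
    m = isqrt(N // (4 * T))
    X, Y = m, m - 1
    # Z with |Z| <= X/2, chosen so that e = (NY - TY + Z)/X is an integer
    num = N * Y - T * Y
    Z = (-num) % X
    if Z > X // 2:
        Z -= X
    e = (num + Z) // X
    return N, e, (a, b, X, Y, Z)


if __name__ == "__main__":
    # constructed parameters: r = 2 with two six-digit primes satisfying q < p < 2q
    p, q, r = 1299709, 1000003, 2
    N, e, params = make_weak_key(p, q, r)
    print("a, b, X, Y, Z =", params)
    print("recovered (p, q) =", factor_prime_power_rsa(N, e, r))
```

A key-generation audit can run `factor_prime_power_rsa` on a candidate $(N, e)$ with the intended $r$; a non-`None` result means the exponent falls in the weak class and the key must be discarded.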

Algorithm 1
Input: A public key $(e, N)$ satisfying $N = p^r q$, $q < p < 2q$ and $eX - NY + (ap^r + bq^r)Y = Z$ for small parameters $X, Y, Z$.
Output: The prime factors $p$ and $q$.
1: Compute the continued fraction expansion of $\frac{e}{N}$.
2: For every convergent $\frac{Y}{X}$ of $\frac{e}{N}$, compute $S = N - \frac{eX}{Y}$.
3: Compute $\left[\frac{S^2}{4N}\right]$.
4: Compute $q = \gcd\left(\left[\frac{S^2}{4N}\right], N\right)$.
5: If $1 < q < N$, then $p = \left(\frac{N}{q}\right)^{\frac{1}{r}}$.
6: End if.
7: End for.

3.1. Estimation of the weak exponents
Lemma 3.4 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a, b$ be suitably small integers with $\gcd(a, b) = 1$ and $|ap^r - bq^r| < N^{\frac{1}{2}}$. Suppose that $e$ is a public key exponent satisfying the two equations $eX - NY + (ap^r + bq^r)Y = Z$ and $eX' - NY' + (ap^r + bq^r)Y' = Z'$ with $\gcd(X, Y) = 1 = \gcd(X', Y')$, $Y \le X$, $Y' \le X'$, $X, X' < \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}$, $|Z| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y$ and $|Z'| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y'$. Then $X = X'$, $Y = Y'$ and $Z = Z'$.

Proof Suppose that $e$ satisfies the two equations $eX - NY + (ap^r + bq^r)Y = Z$ and $eX' - NY' + (ap^r + bq^r)Y' = Z'$ under the stated conditions. Then, from $eX - NY + (ap^r + bq^r)Y = Z$, we have
$$e = \frac{NY + Z - (ap^r + bq^r)Y}{X}.$$
Also, from $eX' - NY' + (ap^r + bq^r)Y' = Z'$, we get
$$e = \frac{NY' + Z' - (ap^r + bq^r)Y'}{X'}.$$
Equating the two expressions for $e$ yields
$$\frac{NY + Z - (ap^r + bq^r)Y}{X} = \frac{NY' + Z' - (ap^r + bq^r)Y'}{X'},$$
$$NYX' + ZX' - (ap^r + bq^r)YX' = NY'X + Z'X - (ap^r + bq^r)Y'X,$$
$$(ap^r + bq^r)(Y'X - YX') + ZX' - Z'X = N(Y'X - YX'). \quad (3)$$
Next we assume that $X, X' < \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}$, $|Z| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y$ and $|Z'| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y'$. Then the left hand

side of (3) satisfies
$$|(ap^r + bq^r)(Y'X - YX') + ZX' - Z'X| \le (ap^r + bq^r)(|Y'X| + |YX'|) + |ZX'| + |Z'X| < (ap^r + bq^r)\cdot 2\cdot\frac{N}{4(ap^r + bq^r)} + 2\cdot\frac{|ap^r - bq^r|\,N^{\frac{1}{2}}}{3(ap^r + bq^r)}\cdot\frac{N}{4(ap^r + bq^r)}$$
$$= \frac{N}{2} + \frac{|ap^r - bq^r|\,N^{\frac{3}{2}}}{6(ap^r + bq^r)^2} < \frac{N}{2} + \frac{N^2}{6(ap^r + bq^r)^2} < \frac{N}{2} + \frac{N}{6} < N,$$
using $Y \le X$, $Y' \le X'$, $XX' < \frac{N}{4(ap^r + bq^r)}$, $|ap^r - bq^r| < N^{\frac{1}{2}}$ and $(ap^r + bq^r)^2 > p^{2r} > N$ (Lemma 2.3). Hence from the right hand side of (3) we deduce that $|Y'X - YX'| < 1$, so $Y'X - YX' = 0$. Since $\gcd(X, Y) = \gcd(X', Y') = 1$, it follows that $X = X'$, $Y = Y'$ and then $Z = Z'$.

Theorem 3.5 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a, b$ be suitably small integers with $\gcd(a, b) = 1$. The number of public key exponents $e < N$ satisfying the equation $eX - NY + (ap^r + bq^r)Y = Z$ with $\gcd(X, Y) = 1$, $Y \le X < \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}$ and $|Z| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y$ is at least $N^{\frac{2}{r+1}-\varepsilon}$, where $\varepsilon > 0$ is arbitrarily small for suitably large $N$.

Proof Suppose that the exponent $e$ satisfies an equation $eX - NY + (ap^r + bq^r)Y = Z$ with $\gcd(X, Y) = 1$, $Y \le X < \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}$ and $|Z| < \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}Y$. Let $\xi$ denote the number of exponents $e$ satisfying
$$e \equiv \frac{Z - (ap^r + bq^r)Y}{X} \pmod N.$$
With the conditions given in the theorem, we have
$$\xi = \sum_{Y=1}^{\omega_1}\ \sum_{\substack{X=1\\ \gcd(X,Y)=1}}^{Y}\ \sum_{|Z| \le \omega_2} 1, \quad (4)$$
where $\omega_1 = \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}$ and $\omega_2 = \frac{|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}}$. Observe that
$$\sum_{|Z| \le \omega_2} 1 = 2\omega_2 = \frac{2|ap^r - bq^r|}{3(ap^r + bq^r)}N^{\frac{1}{2}} > N^{\frac{1}{r+1}}. \quad (5)$$
Substituting (5) into (4), we get
$$\xi > N^{\frac{1}{r+1}} \sum_{Y=1}^{\omega_1}\ \sum_{\substack{X=1\\ \gcd(X,Y)=1}}^{Y} 1. \quad (6)$$

Also, by considering the following identity for $1 < Y < N$, we have [15, Theorem 328]
$$\sum_{\substack{X=1\\ \gcd(X,Y)=1}}^{Y} 1 = \phi(Y) > \frac{CY}{\log\log Y} > \frac{CY}{\log\log N}, \quad (7)$$
where $C$ is a positive constant. Substituting (7) into (6), we get
$$\xi > \frac{N^{\frac{1}{r+1}}\,C}{\log\log N}\sum_{Y=1}^{\omega_1} Y. \quad (8)$$
Then for $\sum_{Y=1}^{\omega_1} Y$, we have
$$\sum_{Y=1}^{\omega_1} Y = \frac{\omega_1(\omega_1 + 1)}{2} > \frac{\omega_1^2}{2} = \frac{N}{8(ap^r + bq^r)}.$$
Substituting into (8) gives
$$\xi > \frac{C\,N^{\frac{1}{r+1}}}{\log\log N}\cdot\frac{N}{8(ap^r + bq^r)} = \frac{C\,N^{\frac{r+2}{r+1}}}{8\log\log N\,(ap^r + bq^r)}. \quad (9)$$
Next we assume that $ap^r + bq^r < 2ap^r$; then, using Lemma 2.3, we have
$$(ap^r + bq^r) < 2ap^r < 2a\left(2^{\frac{1}{r+1}}N^{\frac{1}{r+1}}\right)^r = 2a\cdot 2^{\frac{r}{r+1}}N^{\frac{r}{r+1}}.$$
Substituting this into (9), we get
$$\xi > \frac{C\,N^{\frac{r+2}{r+1}}}{16a\,2^{\frac{r}{r+1}}\log\log N\;N^{\frac{r}{r+1}}} = N^{\frac{2}{r+1}}\cdot\frac{C}{16a\,2^{\frac{r}{r+1}}\log\log N} = N^{\frac{2}{r+1}-\varepsilon},$$
where we set $N^{-\varepsilon} = \frac{C}{16a\,2^{\frac{r}{r+1}}\log\log N}$, and $\varepsilon > 0$ is arbitrarily small for large $N$.

4. The second attack on $k$ prime power RSA moduli $N_i = p_i^r q_i$
Suppose that the prime power RSA moduli $N_i = p_i^r q_i$ of the same size satisfy the $k$ equations of the form $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$. In this section, for $k \ge 2$, $r \ge 2$, we show that it is possible to factor the RSA moduli $N_i$ if the unknown parameters $x$, $y_i$ and $z_i$ are suitably small.

Theorem 4.1 For $k \ge 2$, $r \ge 2$, let $N_i = p_i^r q_i$, $1 \le i \le k$, be $k$ RSA moduli. Let $N = \min_i N_i$. Let $e_i$, $i = 1, \ldots, k$, be $k$ public exponents. Define $\delta = \frac{k - 2\alpha k}{2(1+k)}$. Let $a, b$ be suitably small integers with $\gcd(a, b) = 1$ such that $ap_i^r + bq_i^r < N^{\frac{1}{r+1}+\alpha}$. If there exist an integer $x < N^{\delta}$ and $k$ integers $y_i < N^{\delta}$ and $|z_i| < \frac{|ap_i^r - bq_i^r|}{3(ap_i^r + bq_i^r)}N^{\frac{1}{2}}y_i$ such that $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$ for $i = 1, \ldots, k$, then one can factor the $k$ RSA moduli $N_1, \ldots, N_k$ in polynomial time.

Proof For $k \ge 2$ and $r \ge 2$, let $N_i = p_i^r q_i$, $1 \le i \le k$, be $k$ RSA moduli. Let $N = \min_i N_i$ and

suppose that $y_i < N^{\delta}$ and $ap_i^r + bq_i^r < N^{\frac{1}{r+1}+\alpha}$. Then the equation $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$ can be rewritten as
$$\left|\frac{e_i}{N_i}x - y_i\right| = \frac{|z_i - (ap_i^r + bq_i^r)y_i|}{N_i}. \quad (10)$$
Let $N = \min_i N_i$, and suppose that $y_i < N^{\delta}$, $|z_i| < \frac{N^{\frac{1}{2}}}{2}y_i$ and $ap_i^r + bq_i^r < N^{\frac{1}{r+1}+\alpha}$. Then
$$\frac{|z_i - (ap_i^r + bq_i^r)y_i|}{N_i} \le \frac{|z_i| + (ap_i^r + bq_i^r)y_i}{N} < \frac{\frac{1}{2}N^{\frac{1}{2}+\delta} + N^{\delta+\frac{1}{r+1}+\alpha}}{N} < \frac{2N^{\frac{1}{2}+\delta+\alpha}}{N} = 2N^{\delta+\alpha-\frac{1}{2}}.$$
Substituting into (10) gives $\left|\frac{e_i}{N_i}x - y_i\right| < 2N^{\delta+\alpha-\frac{1}{2}}$. Hence, to show the existence of the integer $x$, we let $\varepsilon = 2N^{\delta+\alpha-\frac{1}{2}}$ with $\delta = \frac{k - 2\alpha k}{2(1+k)}$. Then we have
$$N^{\delta}\varepsilon^k = 2^k N^{\delta + \delta k + \alpha k - \frac{k}{2}} = 2^k.$$
Therefore, since $2^k < 2^{\frac{k(k-3)}{4}}\cdot 3^k$ for $k \ge 2$, we get $N^{\delta}\varepsilon^k < 2^{\frac{k(k-3)}{4}}\cdot 3^k$. It follows that if $x < N^{\delta}$, then $x < 2^{\frac{k(k-3)}{4}}\cdot 3^k\cdot\varepsilon^{-k}$. Summarizing, for $i = 1, \ldots, k$, we have
$$\left|\frac{e_i}{N_i}x - y_i\right| < \varepsilon, \qquad x < 2^{\frac{k(k-3)}{4}}\cdot 3^k\cdot\varepsilon^{-k}.$$
Hence the conditions of Theorem 2.2 are satisfied, and we can obtain $x$ and $y_i$ for $i = 1, \ldots, k$. Next, from the equation $e_i x - N_i y_i = z_i - (ap_i^r + bq_i^r)y_i$, we get
$$(ap_i^r + bq_i^r) - \left(N_i - \frac{e_i x}{y_i}\right) = \frac{z_i}{y_i}.$$
Since $|z_i| < \frac{N^{\frac{1}{2}}}{2}y_i$, $S_i = N_i - \frac{e_i x}{y_i}$ is an approximation of $ap_i^r + bq_i^r$ with an error term of at most $\frac{N^{\frac{1}{2}}}{2}$, and Lemma 2.4 implies that $abq_i^{r-1} = \left[\frac{S_i^2}{4N_i}\right]$ with $S_i = N_i - \frac{e_i x}{y_i}$. For $i = 1, \ldots, k$, we compute $q_i = \gcd\left(N_i, \left[\frac{S_i^2}{4N_i}\right]\right)$, which leads to the factorization of the $k$ RSA moduli $N_1, \ldots, N_k$.

Example 4.2 As an illustration of our second attack on $k$ prime power RSA moduli, we consider the following three prime power RSA moduli and three public exponents:
$N_1 = 959352994040260303674705656864609577056925072626$,
$N_2 = 69979222950004483722376596209277643482406926284$,
$N_3 = 3293797022204757780602762957005294709437843969479$,
$e_1 = 2996240345790368352093647567648842539689302303$,
$e_2 = 2497597736909594770498763848253535538489609233$,
$e_3 = 327725955079640008849238232953369784895666742$.
Then $N = \max(N_1, N_2, N_3) = 69979222950004483722376596209277643482406926284$. Since $k = 3$ and $r = 3$ with $\alpha < \frac{1}{3}$, we get $\delta = \frac{k - 2\alpha k}{2(1+k)} = 0.2966666$ and $\varepsilon = 2N^{\delta+\alpha-\frac{1}{2}} = 0.000006845463$. Using [14, Eq. (1)], with $n = k = 3$, we obtain $C = \left[3^{n+1}\cdot 2^{\frac{(n+1)(n-4)}{4}}\cdot\varepsilon^{-n}\right] = 3239348000000000000$.

Consider the lattice $L$ spanned by the rows of the matrix
$$M = \begin{pmatrix} 1 & [Ce_1/N_1] & [Ce_2/N_2] & [Ce_3/N_3] \\ 0 & -C & 0 & 0 \\ 0 & 0 & -C & 0 \\ 0 & 0 & 0 & -C \end{pmatrix}.$$
Therefore, applying the LLL algorithm to $L$, we obtain the reduced basis with the following matrix
$$K = \begin{pmatrix} 2322837 & 63282697847507 & 2428998735056 & 34785864973848 \\ 54466779782793 & 8874952379577 & 447499095466 & 5620827954759402 \\ 5447740539054 & 203470542974549 & 269048299353808 & 56303690478674 \\ 3755566028807787 & 522950689657957 & 52327395553344 & 424353000573282 \end{pmatrix}.$$
Next we compute
$$K \cdot M^{-1} = \begin{pmatrix} 2322837 & 4437 & 332829 & 2232 \\ 54466779782793 & 36347379 & 800308860 & 5490882644 \\ 5447740539054 & 36098886846 & 79958963793 & 54420924658 \\ 3755566028807787 & 9249768303 & 2028058404 & 368588847080 \end{pmatrix}.$$
Then from the first row we obtain $x = 2322837$, $y_1 = 4437$, $y_2 = 332829$, $y_3 = 2232$. Hence, using $x$ and $y_i$ for $i = 1, 2, 3$, and defining $S_i = N_i - \frac{e_i x}{y_i}$, we get
$S_1 = 287073984679857305098900272304343860$, $S_2 = 2645072690643579980767929248227553927$, $S_3 = 672669232850974844065580770240329434$,
and Lemma 2.4 implies that $abq_i^{r-1} = \left[\frac{S_i^2}{4N_i}\right]$ for $i = 1, 2, 3$, which gives
$\left[\frac{S_1^2}{4N_1}\right] = 02679654842390385982096006$, $\left[\frac{S_2^2}{4N_2}\right] = 6890682926598440000469557334$, $\left[\frac{S_3^2}{4N_3}\right] = 343436364809792897793736334$.
Therefore, for $i = 1, 2, 3$, we compute $q_i = \gcd\left(\left[\frac{S_i^2}{4N_i}\right], N_i\right)$, that is $q_1 = 29953349999$, $q_2 = 33888746722667$, $q_3 = 23924755826333$. Finally, for $i = 1, 2, 3$, we find $p_i = \left(\frac{N_i}{q_i}\right)^{\frac{1}{3}}$, hence $p_1 = 24705937446979$, $p_2 = 3687908272447$, $p_3 = 239675253467$, which leads to the factorization of the three RSA moduli $N_1$, $N_2$ and $N_3$.

5. The third attack on $k$ prime power RSA moduli $N_i = p_i^r q_i$
In this section, we consider the scenario when the $k$ RSA moduli $N_i = p_i^r q_i$ for $k \ge 2$ and $r \ge 2$ satisfy $k$ equations $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ for $i = 1, \ldots, k$, with suitably small unknown parameters $x_i$, $y$ and $z_i$.

Theorem 5.1 For $k \ge 2$ and $r \ge 2$, let $N_i = p_i^r q_i$, $1 \le i \le k$, be $k$ RSA moduli with the same size. Let $e_i$, $i = 1, \ldots, k$, be $k$ public exponents with $\min_i e_i = N^{\beta}$. Let $\delta = \frac{2\beta k - 2\alpha k - k}{2(1+k)}$. Let $a, b$ be suitably small integers with $\gcd(a, b) = 1$ such that $ap_i^r + bq_i^r < N^{\frac{1}{r+1}+\alpha}$. If there exist an integer $y < N^{\delta}$ and $k$ integers $x_i < N^{\delta}$ such that $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ for $i = 1, \ldots, k$, then one can factor the $k$ RSA moduli $N_1, \ldots, N_k$ in polynomial time.

Proof For $k \ge 2$ and $r \ge 2$, let $N_i = p_i^r q_i$, $1 \le i \le k$, be $k$ RSA moduli. Then the equation $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ can be rewritten as
$$\left|\frac{N_i}{e_i}y - x_i\right| = \frac{|z_i - (ap_i^r + bq_i^r)y|}{e_i}. \quad (11)$$
Let $N = \max_i N_i$, $|z_i| < \frac{N^{\frac{1}{2}}}{2}y$, and suppose that $y < N^{\delta}$, $\min_i e_i = N^{\beta}$ and $ap_i^r + bq_i^r < N^{\frac{1}{r+1}+\alpha}$. Then
$$\frac{|z_i - (ap_i^r + bq_i^r)y|}{e_i} \le \frac{|z_i| + (ap_i^r + bq_i^r)y}{N^{\beta}} < \frac{\frac{1}{2}N^{\frac{1}{2}+\delta} + N^{\delta+\frac{1}{r+1}+\alpha}}{N^{\beta}} < \frac{2N^{\frac{1}{2}+\delta+\alpha}}{N^{\beta}} = 2N^{\frac{1}{2}+\delta+\alpha-\beta}. \quad (12)$$
Substituting (12) into (11) yields $\left|\frac{N_i}{e_i}y - x_i\right| < 2N^{\frac{1}{2}+\delta+\alpha-\beta}$. Hence, to show the existence of the integer $y$ and the integers $x_i$, we let $\varepsilon = 2N^{\frac{1}{2}+\delta+\alpha-\beta}$, with $\delta = \frac{2\beta k - 2\alpha k - k}{2(1+k)}$. Then we have
$$N^{\delta}\varepsilon^k = 2^k N^{\delta + \delta k + \frac{k}{2} + \alpha k - \beta k} = 2^k.$$
Therefore, since $2^k < 2^{\frac{k(k-3)}{4}}\cdot 3^k$ for $k \ge 2$, we get $N^{\delta}\varepsilon^k < 2^{\frac{k(k-3)}{4}}\cdot 3^k$. It follows that if $y < N^{\delta}$, then $y < 2^{\frac{k(k-3)}{4}}\cdot 3^k\cdot\varepsilon^{-k}$. Summarizing, for $i = 1, \ldots, k$, we have
$$\left|\frac{N_i}{e_i}y - x_i\right| < \varepsilon, \qquad y < 2^{\frac{k(k-3)}{4}}\cdot 3^k\cdot\varepsilon^{-k}.$$
Hence the conditions of Theorem 2.2 (see [14]) are satisfied, and we can obtain $y$ and $x_i$ for $i = 1, \ldots, k$. Next, from the equation $e_i x_i - N_i y = z_i - (ap_i^r + bq_i^r)y$, we get
$$(ap_i^r + bq_i^r) - \left(N_i - \frac{e_i x_i}{y}\right) = \frac{z_i}{y}.$$
Since $S_i = N_i - \frac{e_i x_i}{y}$ is an approximation of $ap_i^r + bq_i^r$ with an error term of at most $\frac{N^{\frac{1}{2}}}{2}$, Lemma 2.4 implies that $abq_i^{r-1} = \left[\frac{S_i^2}{4N_i}\right]$ with $S_i = N_i - \frac{e_i x_i}{y}$. For $i = 1, \ldots, k$, we compute $q_i = \gcd\left(N_i, \left[\frac{S_i^2}{4N_i}\right]\right)$, which leads to the factorization of the $k$ RSA moduli $N_1, \ldots, N_k$.

Example 5.2 As an illustration of our third attack on $k$ prime power RSA moduli, we consider the following three prime power RSA moduli and three public exponents:
$N_1 = 29478007378670970234065724703794392595272944304237$,
$N_2 = 36973929473379945233476042307862747078089798550506834$,
$N_3 = 4022889522992383798554829036007795633057727825833$,
$e_1 = 39036363953698903837834420297452383993998454508584$,

$e_2 = 34626248493006339985868689644809069995027400936262830$,
$e_3 = 26583325939372777962385295698235588558327623443708400$.
Then $N = \max(N_1, N_2, N_3) = 36973929473379945233476042307862747078089798550506834$. Also $\min(e_1, e_2, e_3) = N^{\beta}$ with $\beta = 0.99487$. Since $k = 3$ and $r = 3$ with $\alpha < \frac{1}{3}$, we get $\delta = \frac{2\beta k - 2\alpha k - k}{2(1+k)} = 0.28789968$ and $\varepsilon = 2N^{\frac{1}{2}+\delta+\alpha-\beta} = 0.000063556867$. Using [14, Eq. (1)], with $n = k = 3$, we obtain $C = \left[3^{n+1}\cdot 2^{\frac{(n+1)(n-4)}{4}}\cdot\varepsilon^{-n}\right] = 220955374000000000000$. Consider the lattice $L$ spanned by the rows of the matrix
$$M = \begin{pmatrix} 1 & [CN_1/e_1] & [CN_2/e_2] & [CN_3/e_3] \\ 0 & -C & 0 & 0 \\ 0 & 0 & -C & 0 \\ 0 & 0 & 0 & -C \end{pmatrix}.$$
Therefore, applying the LLL algorithm to $L$, we obtain the reduced basis with the following matrix
$$K = \begin{pmatrix} 24235457 & 233358736850290 & 26550428557594 & 29722975882437 \\ 068964380265 & 339525855002550 & 832820287728430 & 824462735525985 \\ 883362666735622 & 499575960505860 & 700689507637804 & 854668408378342 \\ 32300839768097 & 727477806244890 & 499800273833246 & 3224674493987 \end{pmatrix}.$$
Next we compute
$$K \cdot M^{-1} = \begin{pmatrix} 24235457 & 2973 & 3457 & 3442 \\ 068964380265 & 93958943953 & 00578699230 & 2566537643 \\ 883362666735622 & 74070866389 & 203834803065 & 208480277532 \\ 32300839768097 & 2224202540996 & 4388699479 & 46459586308 \end{pmatrix}.$$
Then from the first row we obtain $y = 24235457$, $x_1 = 2973$, $x_2 = 3457$, $x_3 = 3442$. Hence, using $y$ and $x_i$ for $i = 1, 2, 3$, and defining $S_i = N_i - \frac{e_i x_i}{y}$, we get
$S_1 = 2774962940524703792266443297632834895$, $S_2 = 338073957594699297080435393762464576$, $S_3 = 4023675389233039664270226833404082558525$,
and Lemma 2.4 implies that $abq_i^{r-1} = \left[\frac{S_i^2}{4N_i}\right]$ for $i = 1, 2, 3$, which gives
$\left[\frac{S_1^2}{4N_1}\right] = 653064776420286604649502254$, $\left[\frac{S_2^2}{4N_2}\right] = 772802847959674598896447094$, $\left[\frac{S_3^2}{4N_3}\right] = 35087677697085566557376866$.
Therefore, for $i = 1, 2, 3$ we compute $q_i = \gcd\left(\left[\frac{S_i^2}{4N_i}\right], N_i\right)$, that is $q_1 = 3299533672047$, $q_2 = 35888746722707$, $q_3 = 248252733459$

48 Sadiq SHEHU and Muhammad Rezal Kamel ARIFFI and finally fo i =, 2, 3, we find p i = 3 i q i, hence p = 4470593744349, p 2 = 4687908272467, p 3 = 38696272470943 which leads to the factoization of thee RSA moduli, 2 and 3. 6. Conclusion This pape shows thee new attacks on RSA-type modulus of = p q fo 2 and q < p < 2q. Fo the fist attack, using continued faction we show that Y X can be ecoveed e among the convegents of the continued faction expansion of. Futhemoe we show that the set of such weak exponents is elatively lage, namely that thei numbe is at least 2 (+) ε whee ε 0 is abitaily small fo suitably lage. Hence one can facto the pime powe RSA modulus = p q in polynomial time. Fo k 2, 2, we pesent second and thid attacks on the pime powe RSA with moduli i = p i q i fo i =,..., k. The attacks wok when k RSA public keys ( i, e i ) ae such that thee exist k elations of the shape e i x i y i +(ap i +bq i )y i = z i o of the shape e i x i i y + (ap i + bq i )y = z i whee the paametes x, x i, y, y i, z i ae suitably small in tems of the pime factos of the moduli. Applying LLL algoithm, we show that ou appoach enables us to simultaneously facto the k pime powe RSA moduli i. Refeences [] A. ITAJ. Diophantine and Lattice Cyptanalysis of the RSA Cyptosystem. Atificial Intelligence, Evolutionay Computing and Metaheuistics. Spinge Belin Heidelbeg, 203. [2] A. ITAJ. A new vulneable class of exponents in RSA. JP J. Algeba umbe Theoy Appl., 20, 2(2): 203 220. [3] M. WIEER. Cyptanalysis of shot RSA secet exponents. IEEE Tans. Infom. Theoy, 990, 36(3): 553 558. [4] D. BOEH, G. DURFEE. Cyptanalysis of RSA with Pivate Key d Less than 0.292. Spinge, Belin, 999. [5] J. BLOMER, A. MAY. A genealized Wiene Attack on RSA. Spinge, Belin, 2004. [6] R. RIVEST, A. SHAMIR, L. ADLEMA. A method fo obtaining digital signatues and public-key cyptosystems. Comm. ACM, 978, 2(2): 20 26. [7]. HOWGRAVE-GRAHAM, J. P. SEIFERT. Extending Wienes Attack in the Pesence of Many Decypting Exponents. 
Spinge-Velag, 999. [8] A. ITAJ. Cyptanalysis of RSA Using the Ratio of the Pimes. Spinge, Belin, 2009. [9] T. TAKAGI. Fast RSA-Type Cyptosystem Modulo p k q. Spinge, Belin, 998. [0] S. SARKAR. Small secet exponent attack on RSA vaiant with modulus = p q. Des. Codes Cyptog., 204, 73(2): 383 392. [] A. MAY. ew RSA Vulneabilities Using Lattice Reduction Methods. Ph.D. Thesis, Univesity of Padebon, 2003. [2] M. J. HIEK. Lattice attacks in cyptogaphy: A patial oveview. School of Compute Science, Univesity of Wateloo, Canada, 2004. [3] J. HIEK. On the Secuity of Some Vaiants of RSA. Ph.D. Thesis, Wateloo, Ontaio, Canada, 2007. [4] A. ITAJ, M. R. K. ARIFFI, D. I. ASSR, et al. ew Attacks on the RSA Cyptosystem. Spinge, Cham, 204. [5] G. H. HARDY, E. M. WRIGHT. An Intoduction to the Theoy of umbes. Oxfod Univesity Pess, London, 965. [6] A. K. LESTRA, H. W. LESTRA, L. LOVASZ. Factoing polynomials with ational coefficients. Math. Ann., 982, 26(4): 55 534.
