Journal of Mathematical Research with Applications
Jul., 2017, Vol. 37, No. 4, pp. 404–418
DOI:10.3770/j.issn:2095-2651.2017.04.003
Http://jmre.dlut.edu.cn

New Finding on Factoring Prime Power RSA Modulus $N = p^r q$

Sadiq SHEHU$^{1}$, Muhammad Rezal Kamel ARIFFIN$^{1,2,*}$
1. Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, Universiti Putra Malaysia, 43400 UPM Serdang, Selangor, Malaysia;
2. Department of Mathematics, Faculty of Science, Universiti Putra Malaysia, 43400 UPM Serdang, Selangor, Malaysia

Abstract This paper proposes three new attacks. In the first attack we consider the class of the public exponents satisfying an equation $eX - NY + (ap^r + bq^r)Y = Z$ for suitably small positive integers $a$, $b$. Applying continued fractions we show that $\frac{Y}{X}$ can be recovered among the convergents of the continued fraction expansion of $\frac{e}{N}$. Moreover, we show that the number of such exponents is at least 2 (+) ε where $\varepsilon \ge 0$ is arbitrarily small for large $N$. The second and third attacks work upon $k$ RSA public keys $(N_i, e_i)$ when there exist $k$ relations of the form $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$ or of the form $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ and the parameters $x, x_i, y, y_i, z_i$ are suitably small in terms of the prime factors of the moduli. We apply the LLL algorithm, and show that our strategy enables us to simultaneously factor $k$ prime power RSA moduli.

Keywords RSA prime power; factorization; LLL algorithm; simultaneous diophantine approximations; continued fraction

MR(2010) Subject Classification 11A51; 11A55; 11K60

1. Introduction

The underlying one-way function of RSA is the integer factorization problem: Multiplying two large primes is computationally easy, but factoring the resulting product is very hard. It is also well known that the security of RSA is based on the difficulty of solving the so-called RSA problem: Given an RSA public key $(e, N)$ and a ciphertext $c \equiv m^e \pmod{N}$, compute the plaintext $m$.
The RSA problem is not harder to solve than the integer factorization problem, because factoring the RSA modulus $N$ leads to computing the private exponent $d$, and to solving the RSA problem. However, it is not clear if the converse is true. In the RSA cryptosystem, the public modulus $N = pq$ is a product of two primes of the same bit size. The public and private exponents $e$ and $d$ satisfy the congruence $ed \equiv 1 \pmod{\phi(N)}$, where $\phi(N) = (p-1)(q-1)$ is the Euler totient function [1,2].

Received July 8, 2016; Accepted September 7, 2016
* Corresponding author
E-mail address: rezal@upm.edu.my (Muhammad Rezal Kamel ARIFFIN)
In 1990, Wiener showed that RSA is insecure if $d < \frac{1}{3}N^{0.25}$ (see [3]). Later, based on lattice basis reduction, Boneh and Durfee improved the bound to $d < N^{0.292}$ (see [4]). The number of exponents for which their attack applies can be estimated as $N^{0.292-\varepsilon}$. Wiener's attack as well as its generalization by Boneh and Durfee is based on the RSA key equation $ed - k\phi(N) = 1$ where $k$ is a positive integer. In 2004, Blomer and May combined Wiener's method with Boneh and Durfee's method to show that RSA is insecure if the public exponent $e$ satisfies an equation $ex - k\phi(N) = y$ (see [5]). Applying the continued fraction algorithm and Coppersmith's method [6], they showed that the RSA modulus can be factored in polynomial time if the parameters $x$ and $y$ satisfy $x < \frac{1}{3}N^{\frac{1}{4}}$ and $|y| \le N^{-\frac{3}{4}}ex$. Additionally, Blomer and May proved that the number of such weak exponents is at least $N^{\frac{3}{4}-\varepsilon}$ (see [7,8,2]).

Many RSA variants have been proposed in order to ensure computational efficiency while maintaining acceptable levels of security. One such important variant is the prime power RSA. In prime power RSA the modulus $N$ is in the form $N = p^r q$ for $r \ge 2$. In 1998, Takagi showed how to use the prime power RSA to speed up the decryption process when the public and private exponents satisfy an equation $ed \equiv 1 \pmod{(p-1)(q-1)}$ (see [9]). As in the standard RSA cryptosystem, the security of the prime power RSA depends on the difficulty of factoring integers of the form $N = p^r q$ (see [10–12]).

Continuing the discussion of variants of RSA moduli by manipulating $k$ instances of RSA moduli and public key pairs $(N_i, e_i)$ via their $k$ equations: in 2007, Hinek showed that it is possible to factor the $k$ moduli $N_i$ using $k$ equations of the form $e_i d - k_i\phi(N_i) = 1$ if $d < N^{\delta}$ with $\delta = \frac{k}{2(k+1)} - \varepsilon$ where $\varepsilon$ is a small constant depending on the size of $\max N_i$ (see [13]). Very recently in 2014, with $k$ RSA public keys $(N_i, e_i)$, Nitaj et al.
presented a method that factors the $k$ RSA moduli $N_i$ using $k$ equations of the shape $e_i x - y_i\phi(N_i) = z_i$ or of the shape $e_i x_i - y\phi(N_i) = z_i$ where $N_i = p_i q_i$, $\phi(N_i) = (p_i - 1)(q_i - 1)$ and the parameters $x, x_i, y, y_i, z_i$ are suitably small in terms of the prime factors of the moduli [14].

Our contribution is motivated by the recent results of [14] and [2]. This paper proposes three new attacks on the prime power RSA with a modulus $N = p^r q$. In the first attack, we consider an instance of the prime power RSA with modulus $N = p^r q$ and public exponent $e$ satisfying the equation $eX - NY + (ap^r + bq^r)Y = Z$ for suitable positive integers $a$, $b$. Using continued fractions we show that $\frac{Y}{X}$ can be recovered among the convergents of the continued fraction expansion of $\frac{e}{N}$. We show that the number of such exponents is at least 2 (+) ε where $\varepsilon \ge 0$ is arbitrarily small for large $N$. Hence one can factor the modulus $N = p^r q$ in polynomial time.

For $k \ge 2$, $r \ge 2$, let $N_i = p_i^r q_i$, $i = 1, \dots, k$. The second attack works when $k$ instances $(N_i, e_i)$ are such that there exist an integer $x$, $k$ integers $y_i$, and $k$ integers $z_i$ satisfying $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$. We show that the $k$ RSA moduli $N_i$ can be factored in polynomial
time if $N = \min_i N_i$ and $x < N^{\delta}$, $y_i < N^{\delta}$, z i < ap i bq i 3(ap i + bq i ) 2 y i where δ = k k2 αk 2 2. ( + k)

In the third attack we show that the $k$ RSA moduli $N_i$ can be factored in polynomial time, when the $k$ instances $(N_i, e_i)$ of RSA are such that there exist an integer $y$, $k$ integers $x_i$ and $k$ integers $z_i$ satisfying $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ with min i = min i i, e i = β and $x_i < N^{\delta}$, $y < N^{\delta}$, z i < ap i bq i 3(ap i + bq i ) 2 y i where δ = βk2 αk 2 k 2. ( + k)

For the second and third attacks we transform the equations into a simultaneous diophantine problem and apply lattice basis reduction techniques to find the parameters $(x, y_i)$ or $(y, x_i)$, which leads to the factorization of the $k$ RSA moduli $N_i$.

The rest of the paper is structured as follows. In Section 2, we give a brief review of basic facts about continued fractions, lattice basis reduction and simultaneous diophantine approximations with some useful results needed for the attack. In Section 3, we propose the first attack with an estimation of the number of exponents for which our attack works. In Sections 4 and 5, we give the second and third attacks. We conclude this paper in Section 6.

2. Preliminaries

We start with definitions and important results concerning continued fractions, lattice basis reduction techniques and simultaneous diophantine equations as well as some useful lemmas needed for the attacks.

2.1. Continued fraction

Definition 2.1 (Continued fraction) The continued fraction of a real number $R$ is an expression of the form
$$R = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cdots}}}$$
where $a_0 \in \mathbb{Z}$ and a i 0 for $i \ge 1$. The numbers $a_0, a_1, a_2, \dots$ are called the partial quotients. We use the notation $R = [a_0, a_1, a_2, \dots]$. For $i \ge 1$ the rationals $\frac{r_i}{s_i} = [a_0, a_1, a_2, \dots]$ are called the convergents of the continued fraction expansion of $R$. If $R = \frac{a}{b}$ is a rational number such that $\gcd(a, b) = 1$, then the continued fraction expansion is finite.

Hardy and Wright (1965) (see [15]). Let $x = [a_0, a_1, a_2, \dots, a_m]$ be a continued fraction expansion of $x$.
If $X$ and $Y$ are coprime integers such that $\left|x - \frac{Y}{X}\right| < \frac{1}{2X^2}$, then $Y = p_n$ and $X = q_n$ for some convergent $\frac{p_n}{q_n}$ of $x$ with $n \ge 0$.

2.2. Lattice
A lattice is a discrete (additive) subgroup of $\mathbb{R}^n$. Equivalently, given $m \le n$ linearly independent vectors $b_1, \dots, b_m \in \mathbb{R}^n$, the set
$$L = L(b_1, \dots, b_m) = \Big\{ \sum_{i=1}^{m} \alpha_i b_i \;\Big|\; \alpha_i \in \mathbb{Z} \Big\}$$
is a lattice. The $b_i$ are called basis vectors of $L$ and $B = b_1, \dots, b_m$ is called a lattice basis for $L$. Thus, the lattice generated by a basis $B$ is the set of all integer linear combinations of the basis vectors in $B$. The dimension (or rank) of a lattice, denoted $\dim(L)$, is equal to the number of vectors making up the basis. The dimension of a lattice is equal to the dimension of the vector subspace spanned by $B$. A lattice is said to be full dimensional (or full rank) when $\dim(L) = n$ (see [12]).

A lattice $L$ can be represented by a basis matrix. Given a basis $B$, a basis matrix $M$ for the lattice generated by $B$ is the $m \times n$ matrix defined by the rows of the set $b_1, \dots, b_m$:
$$M = \begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix}.$$
It is often useful to represent the matrix $M$ by $B$. A very important notion for the lattice $L$ is the determinant.

Let $L$ be a lattice generated by the basis $B = b_1, \dots, b_m$. The determinant of $L$ is defined as $\det(L) = \sqrt{\det(BB^T)}$. If $n = m$, we have $\det(L) = \sqrt{\det(BB^T)} = |\det(B)|$.

Lenstra et al. (1982) (see [16]). Let $L$ be a lattice of dimension $\omega$ with a basis $v_1, \dots, v_\omega$. The LLL algorithm produces a reduced basis $b_1, \dots, b_\omega$ satisfying
$$\|b_1\| \le \|b_2\| \le \cdots \le \|b_i\| \le 2^{\frac{\omega(\omega-1)}{4(\omega+1-i)}} \det(L)^{\frac{1}{\omega+1-i}}$$
for all $1 \le i \le \omega$.

An application of the LLL algorithm is that it provides a solution to the simultaneous diophantine approximations problem, which is defined as follows. Let $\alpha_1, \dots, \alpha_n$ be $n$ real numbers and $\varepsilon$ a real number such that $0 < \varepsilon < 1$. A classical theorem of Dirichlet asserts that there exist integers $p_1, \dots, p_n$ and a positive integer $q \le \varepsilon^{-n}$ such that $|q\alpha_i - p_i| < \varepsilon$ for $1 \le i \le n$. A method to find simultaneous diophantine approximations to rational numbers was described by [16]. In their work, they considered a lattice with real entries. The following is a similar result for a lattice with integer entries.
Theorem 2.2 (Simultaneous diophantine approximations) ([14]) There is a polynomial time algorithm, for given rational numbers $\alpha_1, \dots, \alpha_n$ and $0 < \varepsilon < 1$, to compute integers $p_1, \dots, p_n$
and a positive integer $q$ such that $\max_i |q\alpha_i - p_i| < \varepsilon$ and q 2 n(n 3) 4.

Proof See [14] Appendix A.

Lemma 2.3 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Then
$$2^{-\frac{r}{r+1}} N^{\frac{1}{r+1}} < q < N^{\frac{1}{r+1}} < p < 2^{\frac{1}{r+1}} N^{\frac{1}{r+1}}.$$

Proof Suppose $N = p^r q$. Then multiplying $q < p < 2q$ by $p^r$, we get $p^r q < p^r p < 2p^r q$, which implies $N < p^{r+1} < 2N$, that is $N^{\frac{1}{r+1}} < p < 2^{\frac{1}{r+1}} N^{\frac{1}{r+1}}$. Also since $N = p^r q$, $q = \frac{N}{p^r}$, which in turn implies $2^{-\frac{r}{r+1}} N^{\frac{1}{r+1}} < q < N^{\frac{1}{r+1}}$, so we have $2^{-\frac{r}{r+1}} N^{\frac{1}{r+1}} < q < N^{\frac{1}{r+1}} < p < 2^{\frac{1}{r+1}} N^{\frac{1}{r+1}}$.

Lemma 2.4 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a$, $b$ be suitably small integers with $\gcd(a, b) = 1$. Let ap bq <. Let $S$ be an approximation of $ap^r + bq^r$ such that ap + bq S < ap bq 3(ap + bq ) 2. Then $abq^{r-1} = \left[\frac{S^2}{4N}\right]$.

Proof Set $S = ap^r + bq^r + k$ with k < ap bq 3(ap +bq ) 2. Observe that
$$(ap^r - bq^r)^2 = (ap^r - bq^r)(ap^r - bq^r) = (ap^r + bq^r)^2 - 4abq^r p^r = (ap^r + bq^r)^2 - 4abq^{r-1}N.$$
Therefore, we obtain
$$(ap^r - bq^r)^2 = (ap^r + bq^r)^2 - 4abq^{r-1}N. \quad (1)$$
Now we consider
$$S^2 - 4abq^{r-1}N = (ap^r + bq^r + k)^2 - 4abq^{r-1}N$$
$$= a^2p^{2r} + 2abq^r p^r + 2akp^r + b^2q^{2r} + 2bkq^r + k^2 - 4abq^{r-1}N$$
$$= a^2p^{2r} + 2abq^r p^r + b^2q^{2r} + 2k(ap^r + bq^r) + k^2 - 4abq^{r-1}N$$
$$= (ap^r + bq^r)^2 - 4abq^{r-1}N + 2k(ap^r + bq^r) + k^2.$$
Therefore using (1) above, we can rewrite
$$S^2 - 4abq^{r-1}N = (ap^r - bq^r)^2 + 2k(ap^r + bq^r) + k^2. \quad (2)$$
Suppose that ap bq < and k < ap bq 3(ap +bq ) 2 < 2. Then, from (2), we have S 2 4abq = (ap bq ) 2 + 2k(ap + bq ) + k 2 < ( ) 2 + 2(ap + bq ) ap bq 3(ap + bq ) 2 + ( 2 ) 2 < 2 + 2 3 ap bq 2 + ( 2 ) 2 < 2 + 2 3 2 + 2 2
< 2 2 + 3 + 2 + 2 2 < 2. Thus we have $|S^2 - 4abq^{r-1}N| < 2N$. When dividing by $4N$, we obtain
$$\left|\frac{S^2}{4N} - abq^{r-1}\right| = \frac{|S^2 - 4abq^{r-1}N|}{4N} < \frac{2N}{4N} = \frac{1}{2},$$
which implies that $abq^{r-1} = \left[\frac{S^2}{4N}\right]$.

3. The first attack on prime power RSA with moduli $N = p^r q$

Let $(N, e)$ be a public key satisfying an equation $eX - NY + (ap^r + bq^r)Y = Z$ with small parameters $X$, $Y$ and $Z$ where $a$, $b$ are suitably small positive integers. In this section, we present a result based on continued fractions and show how to factor the prime power RSA modulus $N$.

Lemma 3.1 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a$, $b$ be suitably small integers with $\gcd(a, b) = 1$. Let $e$ be a public key exponent satisfying the equation $eX - NY + (ap^r + bq^r)Y = Z$ with $\gcd(X, Y) = 1$, if Y X < 2 Z < ap bq e. 3(ap +bq ) 2. Then Y X 2(ap +bq ) 2 and is among the convergents of the continued fraction expansion of $\frac{e}{N}$.

Proof Assume that Z < ap bq 3(ap +bq ) 2 Y, thus Z < ap bq Y. Hence from the equation $eX - NY + (ap^r + bq^r)Y = Z$, we get
$$\left|\frac{e}{N} - \frac{Y}{X}\right| = \frac{|eX - NY|}{NX} = \frac{|Z - (ap^r + bq^r)Y|}{NX} \le \frac{|Z|}{NX} + \frac{(ap^r + bq^r)Y}{NX}$$
$$< \frac{(ap^r + bq^r)Y}{NX} + \frac{(ap^r + bq^r)Y}{NX} = \frac{2(ap^r + bq^r)Y}{NX} \le \frac{2(ap^r + bq^r)X}{NX} = \frac{2(ap^r + bq^r)}{N}.$$
Therefore, if the condition $\frac{2(ap^r + bq^r)}{N} < \frac{1}{2X^2}$ holds, then from the theorem of the continued fraction, $\frac{Y}{X}$ is one of the convergents of the continued fraction of $\frac{e}{N}$. This is equivalent to
$$\frac{2(ap^r + bq^r)}{N} < \frac{1}{2X^2}, \quad 4X^2(ap^r + bq^r) < N, \quad X^2 < \frac{N}{4(ap^r + bq^r)}, \quad X < \frac{N^{\frac{1}{2}}}{2(ap^r + bq^r)^{\frac{1}{2}}}.$$

Theorem 3.2 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a$, $b$ be suitably small integers with $\gcd(a, b) = 1$. Suppose that $e$ is a public key exponent satisfying the
equation $eX - NY + (ap^r + bq^r)Y = Z$ with $\gcd(X, Y) = 1$, if Y X < 2 Z < ap bq 3(ap +bq ) 2 Y, then $N$ can be factored in polynomial time. 2(ap +bq ) 2 and

Proof Suppose that the public key $e$ satisfies an equation $eX - NY + (ap^r + bq^r)Y = Z$ with $\gcd(X, Y) = 1$. Let Y X < 2 2(ap +bq ) 2 and Z < ap bq 3(ap +bq ) 2 Y satisfy the condition of Lemma 3.1 above. Then $\frac{Y}{X}$ is one of the convergents of the continued fraction of $\frac{e}{N}$. Let us rewrite equation $eX - NY + (ap^r + bq^r)Y = Z$ as
$$\frac{eX}{Y} - N + (ap^r + bq^r) = \frac{Z}{Y}.$$
This implies
$$(ap^r + bq^r) - N + \frac{eX}{Y} = \frac{Z}{Y}, \qquad (ap^r + bq^r) - \left(N - \frac{eX}{Y}\right) = \frac{Z}{Y}.$$
We define $S = N - \frac{eX}{Y}$; therefore by Lemma 2.4, $S$ is an approximation of $ap^r + bq^r$ satisfying ap + bq S (ap + bq ) ( ex Y ) = Z Y ap bq 3(ap + bq )Y 2 Y < ap bq 3(ap + bq ) 2, which, by Lemma 2.4, implies that $abq^{r-1} = \left[\frac{S^2}{4N}\right]$ for the value $S = N - \frac{eX}{Y}$. Therefore, it follows that $q = \gcd\left(\left[\frac{S^2}{4N}\right], N\right)$.

Example 3.3 The following shows an illustration of our attack for $r = 3$, given $N$ and $e$ as

N = 358739209820385708,
e = 283422759094640573.

Suppose that the public key $(e, N)$ satisfies $N = p^r q$, $q < p < 2q$ and $eX - NY + (ap^r + bq^r)Y = Z$ for small parameters $X$, $Y$, $Z$ as stated in the Theorem. Following the above algorithm, we first compute the continued fraction expansion of $\frac{e}{N}$. The list of first convergents of the continued fraction expansion of $\frac{e}{N}$ is

[ 3 0,, 4, 4 5, 7 9, 4, 29 37, 40 5, 309 394, 349 445, 2054 269, 4457 5683, 5425 9668, 89557 24699, 394539 503066,... ].

Therefore omitting the first and second entry and starting with the convergent 3 4, we obtain

$S = N - \frac{eX}{Y}$ = 497334069740568,
$\left[\frac{S^2}{4N}\right]$ = 8723494352664627.

Hence $\gcd\left(\left[\frac{S^2}{4N}\right], N\right)$ = gcd(8723494352664627, 358739209820385708) = 1. Therefore applying the factorization algorithm with the convergent 40 5, we obtain

$S = N - \frac{eX}{Y}$ = 82076789887590959,
$\left[\frac{S^2}{4N}\right]$ = 29342068566.

We compute $\gcd\left(\left[\frac{S^2}{4N}\right], N\right)$ = gcd(29342068566, 358739209820385708) = 6993. Finally with q = 6993, we compute $p = \sqrt[3]{N/q}$ = 8005, which leads to the factorization of $N$.
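The continued-fraction procedure from the proof of Theorem 3.2, as an added Python example (not the authors' code) that a key audit can run against a prime power modulus. The instance is constructed: the primes $10^9+9$ and $10^9+7$, $r = 2$, $a = b = 1$, $X = 9973$, $Y = 8191$ and all function names are assumptions, chosen so that $|S^2 - 4abq^{r-1}N| < 2N$ holds.

```python
from math import gcd


def convergents(num, den):
    """Yield the convergents (h, k) of the continued fraction of num/den."""
    h_prev, h, k_prev, k = 0, 1, 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def iroot(n, r):
    """Largest integer m with m**r <= n (exact, by bisection)."""
    lo, hi = 0, 1 << (n.bit_length() // r + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** r <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def recover_factors(N, e, r):
    """Return (p, q) with N == p**r * q if some convergent Y/X of e/N
    exposes the factors as in Theorem 3.2, otherwise None."""
    for Y, X in convergents(e, N):
        if Y == 0:
            continue                      # S = N - eX/Y is undefined
        # S = (N*Y - e*X)/Y, so S^2/(4N) = num/den exactly (no floats).
        num = (N * Y - e * X) ** 2
        den = 4 * N * Y * Y
        t = (2 * num + den) // (2 * den)  # nearest integer to S^2/(4N)
        g = gcd(t, N)                     # equals q when t = a*b*q^(r-1)
        if 1 < g < N:
            p = iroot(N // g, r)
            if p > 1 and p ** r * g == N:  # accept only a verified split
                return p, g
    return None


def build_weak_key(p, q, r, a, b, X, Y):
    """Construct (N, e, Z) with e*X - N*Y + (a*p^r + b*q^r)*Y == Z.
    Test helper only: it uses the secret factors, and e is not checked
    for being a valid RSA exponent (coprimality with the group order)."""
    N = p ** r * q
    T = a * p ** r + b * q ** r
    Z = (-(N - T) * Y) % X                # smallest Z >= 0 making e integral
    e = ((N - T) * Y + Z) // X
    return N, e, Z


# Constructed demo instance (not from the paper): q < p < 2q, gcd(a, b) = 1,
# gcd(X, Y) = 1 and 2*X*Y*(a*p^r + b*q^r) < N, so Y/X is a convergent of e/N.
P, Q, R = 1_000_000_009, 1_000_000_007, 2
A, B = 1, 1
X0, Y0 = 9973, 8191

if __name__ == "__main__":
    N, e, Z = build_weak_key(P, Q, R, A, B, X0, Y0)
    print("N =", N)
    print("e =", e, " Z =", Z)
    print("recovered (p, q):", recover_factors(N, e, R))
    print("e = 65537:", recover_factors(N, 65537, R))
```

The function only ever returns a split it has verified by multiplication, so a `None` result means no convergent of $e/N$ exposed the factors for this exponent, not that the modulus is otherwise sound.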
Algorithm 1
Input: A public key $(e, N)$ satisfying $N = p^r q$, $q < p < 2q$ and $eX - NY + (ap^r + bq^r)Y = Z$ for small parameters $X$, $Y$, $Z$.
Output: The prime factors $p$ and $q$.
1: Compute the continued fraction expansion of $\frac{e}{N}$.
2: For every convergent $\frac{Y}{X}$ of $\frac{e}{N}$, compute $S = N - \frac{eX}{Y}$.
3: Compute $\left[\frac{S^2}{4N}\right]$.
4: Compute $q = \gcd\left(\left[\frac{S^2}{4N}\right], N\right)$.
5: If $1 < q < N$, then $p = \sqrt[r]{N/q}$.
6: End if.
7: End for.

3.1. Estimation of the weak exponent

Lemma 3.4 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a$, $b$ be suitably small integers with $\gcd(a, b) = 1$ and ap bq <. Suppose that $e$ is a public key exponent satisfying the two equations
$$eX - NY + (ap^r + bq^r)Y = Z, \qquad eX' - NY' + (ap^r + bq^r)Y' = Z'$$
with $\gcd(X, Y) = 1 = \gcd(X', Y')$, Y X < 2 2(ap +bq ) 2 and Z, Z < ap bq 3(ap +bq ) 2 Y. Then $X = X'$, $Y = Y'$ and $Z = Z'$.

Proof Suppose that $e$ satisfies the two equations $eX - NY + (ap^r + bq^r)Y = Z$, $eX' - NY' + (ap^r + bq^r)Y' = Z'$ with Y X < 2 2(ap +bq ) 2 and Z, Z < ap bq 3(ap +bq ) 2 Y. Then, from $eX - NY + (ap^r + bq^r)Y = Z$, we have
$$e = \frac{NY + Z - (ap^r + bq^r)Y}{X}.$$
Also from $eX' - NY' + (ap^r + bq^r)Y' = Z'$, we get
$$e = \frac{NY' + Z' - (ap^r + bq^r)Y'}{X'}.$$
Equating the term $e$ yields
$$\frac{NY + Z - (ap^r + bq^r)Y}{X} = \frac{NY' + Z' - (ap^r + bq^r)Y'}{X'},$$
$$NYX' + ZX' - (ap^r + bq^r)YX' = NY'X + Z'X - (ap^r + bq^r)Y'X,$$
$$(ap^r + bq^r)(Y'X - YX') + ZX' - Z'X = N(Y'X - YX'). \quad (3)$$
Next we assume that X, X < 2 2(ap +bq ) 2 and Z, Z < ap bq 3(ap +bq ) 2 Y. Then the left hand
side of (3) becomes (ap + bq )(Y X Y X ) + ZX Z X < (ap + bq ) (Y X Y X ) + ZX Z X < (ap + bq )( Y X + Y X ) + ZX + Z X < (ap + bq 2 ) 2(ap + bq ) + 6(ap + bq ) 2 +2 2 < 2 2 + +2 + 2 <. 3+ 2 6(ap + bq ) 2 < 2 2 + 6(ap + bq ) 2

Hence from the right hand side of (3) we deduce that $Y'X - YX' = 0$. Since $\gcd(X, Y) = \gcd(X', Y') = 1$, it follows that $X = X'$, $Y = Y'$ and $Z = Z'$.

Theorem 3.5 Let $N = p^r q$ be a prime power RSA modulus with $q < p < 2q$. Let $a$, $b$ be suitably small integers with $\gcd(a, b) = 1$. Suppose that $e < N$ is a public key exponent satisfying the equation $eX - NY + (ap^r + bq^r)Y = Z$ with $\gcd(X, Y) = 1$, Y X < 2 and Z, Z < ap bq 2(ap +bq ) 2 3(ap +bq ) 2 Y is at least 2 (+) ε where $\varepsilon > 0$ is arbitrarily small for suitably large $N$.

Proof Suppose that the exponent $e$ satisfies an equation with $\gcd(X, Y) = 1$ and Y X < 2 number of the exponent e satisfying ex Y + (ap + bq )Y = Z 2(ap +bq ) 2 e Z (ap + bq )Y X With the condition given in the theorem, we have ξ = ω Y Y = X= Z = gcd(x,y )=, Z, Z < ap bq 3(ap +bq ) 2 Y. Let ξ denote the mod. ω 2 where ω = 2 and ω 2(ap +bq ) 2 2 = ap bq 3(ap +bq ) 2. Observe that ω 2 Z = Substituting (5) into (4), we get, (4) = 2ω 2 > ap bq 3(ap + bq ) 2 > 2 3(ap + bq ) > +. (5) ξ > + ω X X= Y = gcd(x,y )=. (6)
Also by considering the following identity for < Y <, we have [15, Theorem 328] Y X= gcd(x,y )= = ϕ(y ) > CY log log Y > where c is a positive constant. Substituting (7) into (6), we get Then for ω Y = Y, we have ω Substituting into (8) gives Y = ξ > + C log log Y = ω (ω + ) 2 > ω Y = 8(ap + bq ). ξ > C + log log 8(ap + bq ), CY log log, (7) Y. (8) C ξ > 8 log log + (ap + bq ). (9)

Next we assume that $ap^r + bq^r < 2ap^r$; then using the result from Lemma 2.3, we have (ap + bq ) < (2ap ) < (2a(2 + + ) ) < 2a(2 + + ). Substituting the above result into (10), we get +2 (+) C ξ > 6 log log + C a2 = + + 6 log log a2 C = +2 C 6a2 (+) = 2 + log log 6a2 + log log = 2 (+) ε, + + (+) where we set ε = C 6a2 + log log and $\varepsilon > 0$ is arbitrarily small for large $N$.

4. The second attack on $k$ prime power RSA with moduli $N_i = p_i^r q_i$

Suppose that the prime power RSA moduli $N_i = p_i^r q_i$ with the same size satisfy the $k$ equations of the form $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$. In this section for $k \ge 2$, $r \ge 2$ we show that it is possible to factor the RSA moduli $N_i$ if the unknown parameters $x$, $y_i$, and $z_i$ are suitably small.

Theorem 4.1 For $k \ge 2$, $r \ge 2$, let $N_i = p_i^r q_i$, $1 \le i \le k$ be $k$ RSA moduli. Let $N = \min_i N_i$. Let $e_i$, $i = 1, \dots, k$, be $k$ public exponents. Define δ = k k2 αk 2 2 (+k). Let $a$, $b$ be suitably small integers with $\gcd(a, b) = 1$ such that ap i + bq i < + +α. If there exist an integer $x < N^{\delta}$ and $k$ integers $y_i < N^{\delta}$ and z i < ap i bq i 3(ap ) i +bq 2 y i such that $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$ for $i = 1, \dots, k$, then one can factor the $k$ RSA moduli $N_1, \dots, N_k$ in polynomial time.

Proof For $k \ge 2$ and $r \ge 2$, let $N_i = p_i^r q_i$, $1 \le i \le k$ be $k$ RSA moduli. Let $N = \min_i N_i$ and
suppose that $y_i < N^{\delta}$ and ap i +bq i < + +α. Then the equation $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$ can be rewritten as
$$\left|\frac{e_i}{N_i}x - y_i\right| = \frac{|z_i - (ap_i^r + bq_i^r)y_i|}{N_i}. \quad (10)$$
Let $N = \min_i N_i$, and suppose that $y_i < N^{\delta}$, z i < 2 y i and ap i + bq i < + +α. Then z i (ap i + bq i )y i z i + (ap i + bq i )y i < 2 i < 2 +δ + δ+ + +α δ + + +α δ < 2 2 +δ+α < 2 2 +δ+α 2 δ+α < 2 2. Substituting into () gives e i x y i < 2 δ+α 2 2. i 2 δ+α Hence to show the existence of the integer $x$, we let ε = 2 2 with δ = k k2 αk 2. Then we have δ ε k = 2 k k k2 δ+δk+αk 2 2 (+k) = 2 k. Therefore since $2^k < 2^{\frac{k(k-3)}{4}} \cdot 3^k$ for $k \ge 2$, we get $N^{\delta}\varepsilon^k < 2^{\frac{k(k-3)}{4}} \cdot 3^k$. It follows that if $x < N^{\delta}$, then $x < 2^{\frac{k(k-3)}{4}} \cdot 3^k \cdot \varepsilon^{-k}$. Summarizing for $i = 1, \dots, k$, we have
$$\left|\frac{e_i}{N_i}x - y_i\right| < \varepsilon, \qquad x < 2^{\frac{k(k-3)}{4}} \cdot 3^k \cdot \varepsilon^{-k}.$$
Hence it satisfies the conditions of [9], and we can obtain $x$ and $y_i$ for $i = 1, \dots, k$. Next from the equation $e_i x - N_i y_i = z_i - (ap_i^r + bq_i^r)y_i$, we get
$$(ap_i^r + bq_i^r) - \left(N_i - \frac{e_i x}{y_i}\right) = \frac{z_i}{y_i}.$$
Since z i < 2 y i and $S_i = N_i - \frac{e_i x}{y_i}$ is an approximation of $ap_i^r + bq_i^r$ with an error term of at most 2, using Lemma 2.4 implies that $abq_i^{r-1} = \left[\frac{S_i^2}{4N_i}\right]$ with $S_i = N_i - \frac{e_i x}{y_i}$. For $i = 1, \dots, k$, we compute $q_i = \gcd\left(N_i, \left[\frac{S_i^2}{4N_i}\right]\right)$, which leads to the factorization of the $k$ RSA moduli $N_1, \dots, N_k$.

Example 4.2 As an illustration of our second attack on $k$ prime power RSA, we consider the following three prime power RSA moduli and three public exponents

$N_1$ = 959352994040260303674705656864609577056925072626,
$N_2$ = 69979222950004483722376596209277643482406926284,
$N_3$ = 3293797022204757780602762957005294709437843969479,
$e_1$ = 2996240345790368352093647567648842539689302303,
$e_2$ = 2497597736909594770498763848253535538489609233,
$e_3$ = 327725955079640008849238232953369784895666742.

Then $N = \max(N_1, N_2, N_3)$ = 69979222950004483722376596209277643482406926284. Since $k = 3$ and $r = 3$ with α < 3, we get δ = k k2 αk 2 2 (+k) = 0.2966666 and ε = 2 0.000006845463. Using [14, Eq. ()], with $n = k = 3$, we obtain C = [3 n+ 2 (n+)(n 4) 4 ε n ] = 3239348000000000000.
2 δ+α 2 =
Consider the lattice $L$ spanned by the matrix
$$M = \begin{pmatrix} 1 & -[Ce_1/N_1] & -[Ce_2/N_2] & -[Ce_3/N_3] \\ 0 & C & 0 & 0 \\ 0 & 0 & C & 0 \\ 0 & 0 & 0 & C \end{pmatrix}.$$
Therefore applying the LLL algorithm to $L$, we obtain the reduced basis with the following matrix
$$K = \begin{pmatrix} 2322837 & 63282697847507 & 2428998735056 & 34785864973848 \\ 54466779782793 & 8874952379577 & 447499095466 & 5620827954759402 \\ 5447740539054 & 203470542974549 & 269048299353808 & 56303690478674 \\ 3755566028807787 & 522950689657957 & 52327395553344 & 424353000573282 \end{pmatrix}.$$
Next we compute
$$K \cdot M^{-1} = \begin{pmatrix} 2322837 & 4437 & 332829 & 2232 \\ 54466779782793 & 36347379 & 800308860 & 5490882644 \\ 5447740539054 & 36098886846 & 79958963793 & 54420924658 \\ 3755566028807787 & 9249768303 & 2028058404 & 368588847080 \end{pmatrix}.$$
Then from the first row we obtain $x$ = 2322837, $y_1$ = 4437, $y_2$ = 332829, $y_3$ = 2232. Hence, using $x$ and $y_i$ for $i = 1, 2, 3$, and defining $S_i = N_i - \frac{e_i x}{y_i}$, we get

$S_1$ = 287073984679857305098900272304343860,
$S_2$ = 2645072690643579980767929248227553927,
$S_3$ = 672669232850974844065580770240329434

and Lemma 2.4 implies that $abq_i^{r-1} = \left[\frac{S_i^2}{4N_i}\right]$ for $i = 1, 2, 3$, which gives

$\left[\frac{S_1^2}{4N_1}\right]$ = 02679654842390385982096006,
$\left[\frac{S_2^2}{4N_2}\right]$ = 6890682926598440000469557334,
$\left[\frac{S_3^2}{4N_3}\right]$ = 343436364809792897793736334.

Therefore for $i = 1, 2, 3$, we compute $q_i = \gcd\left(\left[\frac{S_i^2}{4N_i}\right], N_i\right)$, that is

$q_1$ = 29953349999, $q_2$ = 33888746722667, $q_3$ = 23924755826333.

Finally for $i = 1, 2, 3$, we find $p_i = \sqrt[3]{N_i/q_i}$, hence

$p_1$ = 24705937446979, $p_2$ = 3687908272447, $p_3$ = 239675253467

which leads to the factorization of the three RSA moduli $N_1$, $N_2$ and $N_3$.

5. The third attack on $k$ prime power RSA with moduli $N_i = p_i^r q_i$

In this section, we consider the scenario when the $k$ RSA moduli $N_i = p_i^r q_i$ for $k \ge 2$ and $r \ge 2$ satisfy $k$ equations $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ for $i = 1, \dots, k$, with suitably small unknown parameters $x_i$, $y$ and $z_i$.
Theorem 5.1 For $k \ge 2$ and $r \ge 2$ let $N_i = p_i^r q_i$, $1 \le i \le k$ be $k$ RSA moduli with the same size. Let $e_i$, $i = 1, \dots, k$, be $k$ public exponents with $\min_i e_i = N^{\beta}$. Let δ = βk2 αk 2 k 2 (+k). Let $a$, $b$ be suitably small integers with $\gcd(a, b) = 1$ such that ap i + bq i < + +α. If there exist an integer $y < N^{\delta}$ and $k$ integers $x_i < N^{\delta}$ such that $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ for $i = 1, \dots, k$, then one can factor the $k$ RSA moduli $N_1, \dots, N_k$ in polynomial time.

Proof For $k \ge 2$ and $r \ge 2$, let $N_i = p_i^r q_i$, $1 \le i \le k$ be $k$ RSA moduli. Then the equation $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ can be rewritten as
$$\left|\frac{N_i}{e_i}y - x_i\right| = \frac{|z_i - (ap_i^r + bq_i^r)y|}{e_i}. \quad (11)$$
Let $N = \max_i N_i$, z i < 2 y i and suppose that $y < N^{\delta}$, $\min_i e_i = N^{\beta}$ and ap i + bq i < + +α. Then z i (ap i + bq i )y e i z i + (ap i + bq i )y β = 2 +δ + δ+ β + +α < 2 < 2 δ + + +α δ β 2 +δ+α β < 2 2 +δ+α β. (12) Substituting into (12) yields i e i y x i < 2 2 +δ+α β. Hence to show the existence of the integer $y$ and integers $x_i$, we let ε = 2 2 +δ+α β, with δ = βk2 αk 2 k. Then we have δ ε k = 2 k δ+δk+ k 2 +αk βk = 2 k. 2 (+k) Therefore since $2^k < 2^{\frac{k(k-3)}{4}} \cdot 3^k$ for $k \ge 2$, we get $N^{\delta}\varepsilon^k < 2^{\frac{k(k-3)}{4}} \cdot 3^k$. It follows that if $y < N^{\delta}$, then $y < 2^{\frac{k(k-3)}{4}} \cdot 3^k \cdot \varepsilon^{-k}$. Summarizing for $i = 1, \dots, k$, we have
$$\left|\frac{N_i}{e_i}y - x_i\right| < \varepsilon, \qquad y < 2^{\frac{k(k-3)}{4}} \cdot 3^k \cdot \varepsilon^{-k}.$$
Hence it satisfies the conditions of [14], and we can obtain $y$ and $x_i$ for $i = 1, \dots, k$. Next from the equation $e_i x_i - N_i y = z_i - (ap_i^r + bq_i^r)y$, we get
$$(ap_i^r + bq_i^r) - \left(N_i - \frac{e_i x_i}{y}\right) = \frac{z_i}{y}.$$
Since $S_i = N_i - \frac{e_i x_i}{y}$ is an approximation of $ap_i^r + bq_i^r$ with an error term of at most 2, using Lemma 2.4 implies that $abq_i^{r-1} = \left[\frac{S_i^2}{4N_i}\right]$ with $S_i = N_i - \frac{e_i x_i}{y}$. For $i = 1, \dots, k$, we compute $q_i = \gcd\left(N_i, \left[\frac{S_i^2}{4N_i}\right]\right)$, which leads to the factorization of the $k$ RSA moduli $N_1, \dots, N_k$.
Example 5.2 As an illustration of our third attack on $k$ prime power RSA, we consider the following three prime power RSA moduli and three public exponents

$N_1$ = 29478007378670970234065724703794392595272944304237,
$N_2$ = 36973929473379945233476042307862747078089798550506834,
$N_3$ = 4022889522992383798554829036007795633057727825833,
$e_1$ = 39036363953698903837834420297452383993998454508584,
$e_2$ = 34626248493006339985868689644809069995027400936262830,
$e_3$ = 26583325939372777962385295698235588558327623443708400.

Then $N = \max(N_1, N_2, N_3)$ = 36973929473379945233476042307862747078089798550506834. Also $\min(e_1, e_2, e_3) = N^{\beta}$ with β = 0.99487. Since $k = 3$ and $r = 3$ with α < 3, we get δ = βk 2 αk 2 k 2 (+k) = 0.28789968 and ε = 2 2 +δ+α β = 0.000063556867. Using [14, Eq. ()], with $n = k = 3$, we obtain C = [3 n+ 2 (n+)(n 4) 4 ε n ] = 220955374000000000000.

Consider the lattice $L$ spanned by the matrix
$$M = \begin{pmatrix} 1 & -[CN_1/e_1] & -[CN_2/e_2] & -[CN_3/e_3] \\ 0 & C & 0 & 0 \\ 0 & 0 & C & 0 \\ 0 & 0 & 0 & C \end{pmatrix}.$$
Therefore applying the LLL algorithm to $L$, we obtain the reduced basis with the following matrix
$$K = \begin{pmatrix} 24235457 & 233358736850290 & 26550428557594 & 29722975882437 \\ 068964380265 & 339525855002550 & 832820287728430 & 824462735525985 \\ 883362666735622 & 499575960505860 & 700689507637804 & 854668408378342 \\ 32300839768097 & 727477806244890 & 499800273833246 & 3224674493987 \end{pmatrix}.$$
Next we compute
$$K \cdot M^{-1} = \begin{pmatrix} 24235457 & 2973 & 3457 & 3442 \\ 068964380265 & 93958943953 & 00578699230 & 2566537643 \\ 883362666735622 & 74070866389 & 203834803065 & 208480277532 \\ 32300839768097 & 2224202540996 & 4388699479 & 46459586308 \end{pmatrix}.$$
Then from the first row we obtain $y$ = 24235457, $x_1$ = 2973, $x_2$ = 3457, $x_3$ = 3442. Hence, by using $y$ and $x_i$ for $i = 1, 2, 3$, and defining $S_i = N_i - \frac{e_i x_i}{y}$, we get

$S_1$ = 2774962940524703792266443297632834895,
$S_2$ = 338073957594699297080435393762464576,
$S_3$ = 4023675389233039664270226833404082558525

and Lemma 2.4 implies that $abq_i^{r-1} = \left[\frac{S_i^2}{4N_i}\right]$ for $i = 1, 2, 3$, which gives

$\left[\frac{S_1^2}{4N_1}\right]$ = 653064776420286604649502254,
$\left[\frac{S_2^2}{4N_2}\right]$ = 772802847959674598896447094,
$\left[\frac{S_3^2}{4N_3}\right]$ = 35087677697085566557376866.

Therefore for $i = 1, 2, 3$ we compute $q_i = \gcd\left(\left[\frac{S_i^2}{4N_i}\right], N_i\right)$, that is

$q_1$ = 3299533672047, $q_2$ = 35888746722707, $q_3$ = 248252733459
and finally for $i = 1, 2, 3$, we find $p_i = \sqrt[3]{N_i/q_i}$, hence

$p_1$ = 4470593744349, $p_2$ = 4687908272467, $p_3$ = 38696272470943

which leads to the factorization of the three RSA moduli $N_1$, $N_2$ and $N_3$.

6. Conclusion

This paper shows three new attacks on RSA-type modulus of $N = p^r q$ for $r \ge 2$ and $q < p < 2q$. For the first attack, using continued fractions we show that $\frac{Y}{X}$ can be recovered among the convergents of the continued fraction expansion of $\frac{e}{N}$. Furthermore we show that the set of such weak exponents is relatively large, namely that their number is at least 2 (+) ε where $\varepsilon \ge 0$ is arbitrarily small for suitably large $N$. Hence one can factor the prime power RSA modulus $N = p^r q$ in polynomial time. For $k \ge 2$, $r \ge 2$, we present the second and third attacks on the prime power RSA with moduli $N_i = p_i^r q_i$ for $i = 1, \dots, k$. The attacks work when $k$ RSA public keys $(N_i, e_i)$ are such that there exist $k$ relations of the shape $e_i x - N_i y_i + (ap_i^r + bq_i^r)y_i = z_i$ or of the shape $e_i x_i - N_i y + (ap_i^r + bq_i^r)y = z_i$ where the parameters $x, x_i, y, y_i, z_i$ are suitably small in terms of the prime factors of the moduli. Applying the LLL algorithm, we show that our approach enables us to simultaneously factor the $k$ prime power RSA moduli $N_i$.

References

[1] A. NITAJ. Diophantine and Lattice Cryptanalysis of the RSA Cryptosystem. Artificial Intelligence, Evolutionary Computing and Metaheuristics. Springer Berlin Heidelberg, 2013.
[2] A. NITAJ. A new vulnerable class of exponents in RSA. JP J. Algebra Number Theory Appl., 2011, 21(2): 203–220.
[3] M. WIENER. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inform. Theory, 1990, 36(3): 553–558.
[4] D. BONEH, G. DURFEE. Cryptanalysis of RSA with Private Key d Less than $N^{0.292}$. Springer, Berlin, 1999.
[5] J. BLOMER, A. MAY. A generalized Wiener Attack on RSA. Springer, Berlin, 2004.
[6] R. RIVEST, A. SHAMIR, L. ADLEMAN. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM, 1978, 21(2): 120–126.
[7] N. HOWGRAVE-GRAHAM, J. P. SEIFERT. Extending Wiener's Attack in the Presence of Many Decrypting Exponents.
Springer-Verlag, 1999.
[8] A. NITAJ. Cryptanalysis of RSA Using the Ratio of the Primes. Springer, Berlin, 2009.
[9] T. TAKAGI. Fast RSA-Type Cryptosystem Modulo $p^k q$. Springer, Berlin, 1998.
[10] S. SARKAR. Small secret exponent attack on RSA variant with modulus $N = p^r q$. Des. Codes Cryptogr., 2014, 73(2): 383–392.
[11] A. MAY. New RSA Vulnerabilities Using Lattice Reduction Methods. Ph.D. Thesis, University of Paderborn, 2003.
[12] M. J. HINEK. Lattice attacks in cryptography: A partial overview. School of Computer Science, University of Waterloo, Canada, 2004.
[13] J. HINEK. On the Security of Some Variants of RSA. Ph.D. Thesis, Waterloo, Ontario, Canada, 2007.
[14] A. NITAJ, M. R. K. ARIFFIN, D. I. NASSR, et al. New Attacks on the RSA Cryptosystem. Springer, Cham, 2014.
[15] G. H. HARDY, E. M. WRIGHT. An Introduction to the Theory of Numbers. Oxford University Press, London, 1965.
[16] A. K. LENSTRA, H. W. LENSTRA, L. LOVASZ. Factoring polynomials with rational coefficients. Math. Ann., 1982, 261(4): 515–534.