Factoring RSA moduli with weak prime factors

Transcription

1 Fctoring RSA moduli with we prime fctors Abderrhmne Nitj 1 nd Tjjeeddine Rchidi 2 1 Lbortoire de Mthémtiques Nicols Oresme Université de Cen Bsse Normndie, Frnce bderrhmne.nitj@unicen.fr 2 School of Science nd Engineering Alhwyn University in Ifrne, Morocco T.Rchidi@ui.m Abstrct. In this pper, we study the problem of fctoring n RSA modulus N = pq in polynomil time, when p is we prime, tht is, p cn be expressed s p = u 0 + M 1u M u for some integers M 1,..., M nd + 2 suitbly smll prmeters, u 0,... u. We further compute lower bound for the set of we moduli, tht is, moduli mde of t lest one we prime, in the intervl [2 2n, 2 2n+1 ] nd show tht this number is much lrger thn the set of RSA prime fctors stisfying Coppersmith s conditions, effectively extending the lielihood for fctoring RSA moduli. We lso prolong our findings to moduli composed of two we primes. Keywords: RSA, Cryptnlysis, Fctoriztion, LLL lgorithm, We primes 1 Introduction The RSA cryptosystem, invented in 1978 by Rivest, Shmir nd Adlemn [17] is undoubtedly one of the most populr public ey cryptosystems. In the stndrd RSA [17], the modulus N = pq is the product of two lrge primes of the sme bit-size. The public exponent e is n integer such tht 1 e < φn nd gcde, φn = 1 where φn = p 1q 1 is the Euler totient function. The corresponding privte exponent is the integer d such tht ed 1 mod φn. In RSA, the encryption, decryption, signture genertion, nd signture verifiction require substntil CPU cycles becuse the time to perform these opertions is proportionl to the number of bits in public or secret exponents [17]. To reduce CPU time necessry for encryption nd signture verifiction, one my be tempted to use smll public exponent e. This sitution hs been proven to be insecure ginst some smll public exponent ttcs see [8] nd [9]. To reduce the decryption nd signture genertion time, one my lso be tempted to use smll privte exponent d. Unfortuntely, RSA is lso vulnerble to vrious powerful short secret exponent ttcs such s, the ttc of Wiener [20], Prtilly supported by the French SIMPATIC SIM nd PAiring Theory for Informtion nd Communictions security.

2 2 Abderrhmne Nitj nd Tjjeeddine Rchidi nd the ttc of Boneh nd Durfee [4] see lso [3]. An lternte wy for incresing the performnce of encryption, decryption, signture genertion, nd signture verifiction, without reverting to smll exponents, is to use the multiprime vrint of RSA. The multi-prime RSA is generliztion of the stndrd RSA cryptosystem in which the modulus is in the form N = p 1 p 2 p where 3 nd the p i s re distinct prime numbers. Combined with the Chinese Reminder Theorem, multi-prime RSA is much more efficient thn the stndrd RSA see [5]. In Section of the X stndrd for public ey cryptogrphy [1], some recommendtions re presented regrding the genertion of the prime fctors of n RSA modulus. For exmple, it is recommended tht the modulus should hve x bits for x 0. This requirement deters some fctoriztion ttcs, such s the Number Field Sieve NFS [12] nd the Elliptic Curve Method ECM [11]. Another recommendtion is tht the prime difference p q should be lrge, nd p q should not be ner the rtio of two smll integers. These requirements gurd ginst Fermt fctoring lgorithm [19], s well s Coppersmith s fctoring ttc on RSA [6] when one nows hlf of the bits of p. For exmple, [ if N = pq nd p, q re of the sme bit-size with p q < N 1/4, then N ] [ N ] p < N 1/4 see [16] where is the nerest integer to N, which mens tht hlf of the bits of p re those of [ N] which leds to the fctoriztion of N see [6] nd [19]. Observe tht the fctoriztion ttc of Coppersmith pplies provided tht one nows hlf of the bits of p, tht is p is in one of the forms { M 1 + u 0 with nown M 1 nd unnown u 0 N 1 4, p = M 1 u 1 + M 0 with nown M 1, M 0 nd unnown u 1 N 1 4. Such primes re clled Coppersmith s we primes. In the cse of p = M 1 u 1 +M 0 with nown M 1 nd M 0, the Eucliden division of q by M 1 is in the form q = M 1 v 1 +v 0. Hence N = pq = M 1 u 1 +M 0 M 1 v 1 +v 0 which gives M 0 v 0 N mod M 1. Hence, since gcdm 0, M 1 = 1, then v 0 NM0 1 mod M 1. This mens tht when p is in the form p = M 1 u 1 + M 0 with nown M nd u 0, then q is necessrily in the form q = M 1 v 1 + v 0 with nown v 0. Coppersmith s ttc is therefore pplicble only when smll enough prmeters M 0 nd v 0 cn be found such tht p = M 1 u 1 + M 0 nd q = M 1 v 1 + v 0. This reduces the pplicbility of the ttc to the set of moduli such tht p nd q re of the form defined bove. In this pper, we consider the generliztion of Coppersmith s ttc by considering more stisfible decomposition of ny of the multipliers of p or q, i.e., p or q not just p or q, effectively leding to n incresed set of moduli tht cn be fctored. We describe two new ttcs on RSA with modulus N = pq. The first ttc pplies in the sitution tht, for given positive integers M 1,..., M, one of the prime fctors, p sy, stisfies liner eqution p = u 0 + M 1 u M u with suitbly smll integers nd u 0,..., u. We cll such prime fctors we primes for the integers M 1,..., M. The second ttc pplies when both fctors p nd q re we for the integers M 1,..., M. We note

3 Fctoring RSA moduli with we prime fctors 3 tht, for = 1, the we primes re such tht p = u 0 + M 1 u 1. This includes the clss of Coppersmith s we primes. For both ttcs, we give n estimtion of the RSA moduli N = pq with prime fctor p [ 2 n, 2 n+1] which is we for the integers M, M 2,..., M where M = 2 n 2. We show tht the number of moduli with we prime fctor is much lrger thn the number of moduli with Coppersmith s we prime fctor. The rest of the pper is orgnized s follows. In Section 2, we give some bsic concepts on integer fctoriztion nd lttice reduction s well s n overview of Coppersmith s method. In Section 3, we present n ttc on n RSA modulus N = pq with one we prime fctor. In Section 4, we present the second ttc n RSA modulus N = pq with two we prime fctors. We conclude the pper in Section 5. 2 Preliminries In this section we give the definitions nd results tht we need to perform our ttcs. These preliminries include bsic concepts on integer fctoriztion nd lttice reduction techniques. 2.1 Integer fctoriztion: the stte of the rt Currently, the most powerful lgorithm for fctorizing lrge integers is the Number Field Sieve NFS [12]. The heuristic expected time T NF S N of the NFS depends on the bitsize of the integer N to be fctored: T NF S N = exp o1log N 1/3 log log N 2/3. If the integer N hs smll fctors, the Elliptic Curve Method ECM [11] for fctoring is substntilly fster thn the NFS. It cn compute non-trivil fctor p of composite integer N in n expected runtime T ECM : T ECM p = exp 2 + o1 log p 1/2 log log p 1/2, which is sub-exponentil in the bitsize of the fctor p. The lrgest fctor found so fr with the ECM is 83 deciml digits 275 bits prime fctor of the specil number see [18]. 2.2 Lttice reduction Let m nd n be positive integers with m n. Let u 1,..., u m R n be m linerly independent vectors. The lttice L spnned by u 1,..., u m is the set { m } L = i u i i Z. i=1

4 4 Abderrhmne Nitj nd Tjjeeddine Rchidi The set {u 1,..., u m } is clled lttice bsis for L. The dimension or rn of the lttice L is diml = m, nd L is clled full rn if m = n. It is often useful to represent the lttice L by the m n mtrix M whose rows re the coefficients of the vectors u 1,..., u m. The determinnt or volume of L is defined s detl = M M t. When L is full rn, the determinnt reduces to detl = detm. The Eucliden norm of vector v = m i=1 iu i L is defined s v = m i=1 2 i. As lttice hs infinitely mny bses, some bses re better thn others, nd very importnt ts is to find bsis with smll vectors {b 1,..., b m } clled the reduced bsis. This ts is very hrd in generl, however, the LLL lgorithm proposed by Lenstr, Lenstr, nd Lovász [13] finds bsis of lttice with reltively smll vectors in polynimil time. The following theorem determines the sizes of the reduced bsis vectors obtined with LLL see [15] for more detils. Theorem 1. Let L be lttice spnned by bsis {u 1,..., u m }. The LLL lgorithm pplied to L outputs reduced bsis {b 1,..., b m } with b 1 b 2... b i 2 mm 1 4m i+1 detl 1 m+i 1, for i = 1, 2,..., m. The existence of short nonzero vector in lttice is gurnteed by result of Minowsi stting tht every m-dimensionl lttice L contins non-zero vector v with v m detl 1 m. On the other hnd, the Gussin Heuristic sserts tht the norm γ 1 of the shortest vector of rndom lttice stisfies diml 1 γ 1 detl diml. 2πe Herefter, we will use this result s n estimtion for the expected minimum norm of non-zero vector in lttice. 2.3 Coppersmith s Method In 1996, Coppersmith [6] presented two techniques bsed on LLL to find smll integer roots of univrite modulr polynomils or of bivrite integer polynomils. Coppersmith showed how to pply his technique to fctorize n RSA modulus N = pq with q < p < 2q when hlf of the lest or the most significnt bits of p is nown. Theorem 2. Let N = pq be n RSA modulus with q < p < 2q. Let M 0 nd M 1 be two positif integers. If p = M 1 + u 0 with u 0 < N 1 4 or if p = M 1 u 1 + M 0 with u 1 < N 1 4, then N cn be fctored in time polynomil in log N. Coppersmith s technique extends to polynomils in more vribles, but the method becomes heuristic. The problem of finding smll roots of liner modulr polynomils fx 1,..., x n = 1 x x n x n + n+1 mod p for some unnown p tht divides the nown modulus N hs been studied using Coppersmith s technique by Herrmnn nd My [10]. The following result, due to Lu, Zhng nd Lin [14] gives sufficient condition under which modulr roots cn be found efficiently.

5 Fctoring RSA moduli with we prime fctors 5 Theorem 3 Lu, Zhng, Lin. Let N be composite integer with divisor p u such tht p N β. Let fx 1,..., x n Z[x 1,..., x n ] be homogenous liner polynomil. Then one cn find ll the solutions y 1,..., y n of the eqution fx 1,..., x n = 0 mod p v, v u with gcdy 1,..., y n = 1 nd y 1 < N δ1,..., y n < N δn if n δ i u 1 1 u n v v β n 1 n 1 n 1 1 u v β 1 u v β. i=1 The time complexity of the lgorithm for finding such sulution y 1,..., y n is polynomil in log N. 3 The Attc with One We Prime Fctor 3.1 The Attc In this section, we present n ttc to fctor n RSA modulus N = pq when p stisfies liner eqution in the form p = u 0 + M 1 u M u for suitbly smll positive integer nd suitbly smll integers u 0, u 1,..., u where M 1,..., M re given positive integers. Such prime fctor p is clled we prime for the integers M 1,..., M. Theorem 4. Let N = pq be n RSA modulus such tht p > N β nd M 1,..., M be positive integers with M 1 < M 2 <... < M. Suppose tht there exists positive integer, nd + 1 integers u i, i = 0,..., such tht p = u 0 +M 1 u M u with mxu i < N δ nd δ < β Then one cn fctor N in polynomil time. 1 1 β 1 β. Proof. Let M 1,..., M be positive integers such tht M 1 < M 2 <... < M. Suppose tht p = u 0 + M 1 u M u, tht is u 0,..., u is solution of the modulr polynomil eqution x 0 + M 1 x M x = 0 mod p. 1 Suppose tht u i < N δ for i = 0,...,. Using n = + 1, u = 1 nd v = 1 in Theorem 3, mens tht the eqution 1 cn be solved in polynomil time, i.e., finding u 0,..., u if + 1δ < 1 1 β β 1 β, which gives the bound δ < This termintes the proof. 1 1 β β 1 β.

6 6 Abderrhmne Nitj nd Tjjeeddine Rchidi Remr 1. For blnced RSA modulus, the prime fctors p nd q re of the sme bit size. Then p > N β with β = 1 2. Hence, the condition on δ becomes δ < In Tble 1, we give the bound for δ for given β nd = 1 = 2 = 3 = 4 = 5 = 6 = 7 = 8 = 9 = 10 β = β = β = Tble 1. Upper bounds for δ by Theorem 4. Remr 2. We note tht Coppersmith s we primes correspond to moduli N = pq with q < p < 2q where one of the prime fctors is of the form p = M 1 + u 0 or p = M 1 u 1 + M 0 with u 0, u 1 < N 0.25 s mentioned in Theorem 2. This specil cse of the eqution of Theorem 4. Indeed, we cn solve the equtions p = M 1 +u 0 nd p = M 1 u 1 + M 0 when u 0, u 1 < N 1 4. Alterntively, Coppersmith s we primes correspond to the cell, 2β = 1, 0.25 in Tble Numericl Exmples Exmple 1. Let N = , be 412-bit RSA modulus with N = pq where q < p < 2q. Then p nd q re blnced nd p N Hence for β = 0.5, we hve p > N β. Suppose tht p stisfies n eqution of the form p = u 0 + Mu 1 + M 2 u 2. Typiclly, M 2 N 1 2, tht is M N 1 4. So let M = For β = 0.5 nd = 2, Tble 1 gives the bound δ < Assume therefore tht the prmeters u i stisfy u i < N for i = 0, 1, 2. By pplying Theorem 4 we should find u 0, u 1 nd u 2 s long s u 0, u 1, u 2 < We pply the method of Lu et l. [14] with m = 4 nd t = 1. This gives 35-dimensionl lttice. Applying the LLL lgorithm [13], we find reduced bsis with multivrite polynomils f i x 1, x 2, x 3 Z[x 1, x 2, x 3 ], i = 1,..., 3. Applying the Gröbner bsis technique for solving system of polynomil equtions, we get u 0 = 9005, u 1 = 7123,

7 Fctoring RSA moduli with we prime fctors 7 u 2 = Using these vlues, we cn compute p = u 0 + Mu 1 + M 2 u 2 from which we deduce p = gcdu 0 + Mu 1 + M 2 u 2, N, tht is p = Finlly, we cn compute q = N p, tht is q = Note here tht there is no liner decomposition of p in the form p = M 1 + u 0 nor p = M 1 u 1 + M 0 with u 0, u 1 < N 0.25 tht mes p vulnerble to the ttc of Coppersmith. This shows tht the modulus N is vulnerble to our ttc, while it is not vulnerble to Coppersmith s ttc. Finlly, the overll recorded execution time for our ttc using n off-the-shelf computer ws 17 seconds. Exmple 2. In [2], Bernstein et l. discovered mny prime fctors with specil forms. Mny of these primes were found by computing the gretest common divisor of collection of RSA moduli. Others were found by pplying Coppersmith s technique. We show below tht our ttc cn find some primes mong the list of Bernstein et l. One of these primes is p =0xc f 9, = Using M = 2 510, we get p = 3M = Mu 1 + u 0 where u 1 = 3 nd u 0 = 761. We hve u 1, u 0 < N δ with δ which is less thn the bound in Tble 1 for 1024 bit-size RSA modulus N with β = 0.5, nd = 1. This implies tht the conditions for Theorem 4 re stisfied nd our method finds p when used in ny RSA modulus. Exmple 3. Now, consider this other exmple from the list of Bernstein et l. [2] p =0xc000b = Then p hs the form p = M M = M 7 u 7 + M 3 u 3 + u 0 where M = The coefficients u 7, u 3 nd u 0 stisfy u 7, u 3, u 0 < N δ with δ while the bound of Theorem 4 is see Tble 1 for = 7 nd β = 0.5. Agin, this shows tht our method will find the fctoriztion of ny RSA modulus tht is multiple of p.

8 8 Abderrhmne Nitj nd Tjjeeddine Rchidi 3.3 The Number of Single We Primes in n Intervl In this section, we consider two positive integers n nd M nd present study of the we primes with M, tht is the primes p [ 2 n, 2 n+1] such tht there exists positive integer tht gives the decomposition p = M i u i where u i < N δ nd δ stisfies Theorem 4. We show tht the number of the RSA moduli N in the intervl [2 2n, 2 2n+1 ] with we prime fctor p [ 2 n, 2 n+1] is polynomil in 2 n. Tht is, this number is lower bounded by 2 η where η > 1 2. We cll such clss we RSA Moduli in the intervl [2 2n, 2 2n+1 ]. Theorem 5. Let n be positive integer. For 1, define M = 2 n. Let N be the set of the we RSA moduli N [ 2 2n, 2 2n+1] such tht N = pq, p nd q re of the sme bitsize, p > q, nd p = + b [ 2 n, 2 n+1] for some M i u i smll integers b, < N δ nd u i < N δ for i = 0,..., with δ = Then the crdinlity of N stisfies #N 2 η where n 1 η = δn + log 2. nn + 1 log2 Proof. Let N be n RSA moduli. Suppose tht N [ 2 2n, 2 2n+1] with N = pq where p nd q re of the sme bitsize. Since p N 1 2, then p [ 2 n, 2 n+1]. Suppose further tht for some positive integer, we hve p = M i u i. Then M = p 1 M i u i p, u u which implies M p 1 N 1 2. Now, define M = N 1 2 = 2 n, where x is the integer greter or equl to x. This yields 2 n M 2 n+1. Consider the set { P = p = M i u i + b, p is prime, p [ } 2 n, 2 n+1], < N δ, u i < N δ, where δ stisfies 2. Here b is s smll s possible so tht M i u i + b is prime. Also, since M is the leding term, then observe tht M i u i M = u M i=1 + M i u i.

9 Fctoring RSA moduli with we prime fctors 9 To ensure p [ 2 n, 2 n+1], we consider only the sitution where u. Hence, using the bounds < N δ nd u i < N δ for i = 0,..., 1, we get lower bound for the number of possibilities for nd for u i, which themselves set lower bound for the crdinlity of P s follows: #P N δ N δ N +1δ 2 2+1nδ. 3 On the other hnd, the prime number theorem sserts tht the number πx of the primes less thn x is πx x logx. Hence, the number of primes in the intervl [ 2 n, 2 n+1] is pproximtely π 2 n+1 π 2 n 2n+1 log 2 n+1 2n n 12n log 2 n = nn + 1 log2. 4 It follows tht the number of RSA moduli N = pq [ 2 2n, 2 2n+1] with we fctor p P nd q [ 2 n, 2 n+1] is t lest #N #P π 2 n+1 π 2 n. Using 3 nd 4, we get #N 2 2+1nδ n 12n nn + 1 log2 n 1 = nn + 1 log δn = 2 η, where n 1 η = δn + log 2. nn + 1 log2 This termintes the proof. Tble 2 presents list of vlues of the bound η in terms of nd n. In Tble 2, = 1 = 2 = 3 = 4 = 5 = 6 = 7 n = 1 log 2 2 N = n = 1 2 log 2N = n = 1 2 log 2N = Tble 2. Lower bounds for η under Theorem 5. we see tht in the sitution β, = 0.5, 1, the number #N of 1024-bits RSA moduli N = pq [ , ] with we fctor p is t lest #N This is much lrger thn the number of RSA moduli with we Coppersmith prime fctor in the sme intervl, which is ctully N This remr is lso vlid for 2048-bits nd 4096-bits RSA moduli.

10 10 Abderrhmne Nitj nd Tjjeeddine Rchidi 4 The Attc with Two We Prime fctors 4.1 The Attc In this section, we present n ttc on RSA with modulus N = pq when both the prime fctors p nd q re we primes. Theorem 6. Let N = pq be n RSA modulus nd M be positive integer. Let 1. Suppose tht there exist integers, b, u i nd v i, i = 1,..., such tht p = M i u i nd bq = M i v i with u i, v i < N δ nd δ < log logn Then one cn fctor N in polynomil time. + log2 + 1 log2πe 4 logn log logn. Proof. Suppose tht p = M i u i nd bq = M i v i. Then multiplying p nd bq, we get bn = 2 M i w i, with w i = This cn be trnsformed into the eqution i u j v i j. M 2 x 2 + M 2 1 x Mx 1 yn = x 0, 5 with the solution x 2, x 2 1,..., x 1, y, x 0 = w 2, w 2,..., w 1, b, u 0 v 0. For i = 0,...,, suppose tht u i, v i < N δ. Since for i = 0,..., 2, the mximl number of terms in w i is, we get x i = w i mx j j=0 u j mx v j < N 2δ. 6 Let C be constnt to be fixed lter. Consider the lttice L generted by the row vectors of the mtrix CM CM 2 1 ML = CM CN The dimension of the lttice L is diml = 2+1 nd its determinnt is detl = CN. According to the Gussin Heuristic, the length of the shortest non-zero vector of the lttice L is pproximtely σl with diml 1 σl detl diml = 2πe 2πe CN j

11 Fctoring RSA moduli with we prime fctors 11 Consider the vector v = x 2, x 2 1,..., x 1, Cx 0. Then, using 5, we get x 2, x 2 1,..., x 1, Cx 0 = x 2, x 1,..., x 1, y ML. This mens tht v L. Consequently, if C stisfies v σl, then, by the Gussin Heuristic, v is the shortest vector of L. Using the bound 6, the length of the vector v stisfies v 2 = C 2 x i=1 x 2 i C i=1 2 N 4δ = C N 4δ. Let C be positive integer stisfying C 2 3. Then the norm of the vector v stisfies v 2 < 4 3 N 4δ. Hence, using the Gussin pproximtion σl, the inequlity v σl is stisfied if N 2δ πe N. Solving for δ, we get δ < log 2 3 log2 + 1 log2πe + log logn 4 logn 4 logn. If δ stisfies the former bound, then the LLL lgorithm, pplied to the lttice L will output the vector v = x 2, x 2 1,..., x 1, Cx 0 from which, we deduce w 2 = x 2, w 2 1 = x 2 1,..., w 1 = x 1, w 0 = Cx 0. C Using the coefficients w i, i = 1,..., 2, we construct the polynomil P X = w 2 X 2 + w 2 1 X w 1 X + w 0. Fctoring P X, we get P X = M i u i M i v i from which we deduce ll the vlues u i nd v i for i = 1,...,. Using ech u i nd v i for i = 1,...,, we get p = M i u i nd finlly obtin p = gcd M i u i, N which in turn gives q = N q. This termintes the proof. In Tble 3, we give the bound for δ for given nd given size of the RSA modulus., 4.2 Exmples Exmple 4. Consider the 234 bits RSA modulus N =

12 12 Abderrhmne Nitj nd Tjjeeddine Rchidi = 1 = 2 = 3 = 4 = 5 log 2 N = log 2 N = Tble 3. Upper bounds for δ with Theorem 6. Let M = Suppose further tht the prime fctors p nd q re such tht p = M 2 u 2 + Mu 1 + u 0 nd bq = M 2 v 2 + Mv 1 + v 0, tht is = 2 with the nottion of Theorem 6. We built the mtrix 7 with C = 2 3 = 4 nd pplied the LLL lgorithm [13]. We got new bsis, where the lst row is: w 4, w 3, w 2, w 1, Cw 0 = , , , , From this, we form the polynomil P X = w 4 X 4 +w 3 X 3 +w 2 X 2 +w 1 X 1 +w 0. which fctors s: P X = X X X X From this, we deduce Using these vlues, we compute u 2 = , u 1 = , u 0 = , v 2 = , v 1 = , v 0 = p = M 2 u 2 + Mu 1 + u 0 = , bq = M 2 v 2 + Mv 1 + v 0 = nd obtin p = gcdp, N = , q = gcdbq, N = This leds to the fctoriztion of N = pq. We note tht the first ttc described in Section 3 does not succeed to fctor N. Indeed, we hve logmxi vi log N which is lrger thn the vlue δ = for = 2 nd β = 0.5 in Tble 1. Finlly, the overll recorded execution time for our ttc using n off-the-shelf computer ws 12 seconds. 4.3 The Number of Double We Primes in n Intervl In this section, we consider two positive integers n nd M nd present study of the double we primes with M, tht is the primes p, q [ 2 n, 2 n+1] such tht there exists positive integer nd b tht give the decompositions: p = M i u i, bq = M i v i

13 Fctoring RSA moduli with we prime fctors 13 where u i < N δ, v i < N δ nd δ stisfies Theorem 6. We show tht the number of the RSA moduli N in the intervl [2 2n, 2 2n+1 ] with we prime fctors p, q [ 2 n, 2 n+1] is lower bounded by 2 η2 where η 2 > 1 2. Theorem 7. Let n be positive integer. For 1, define M = 2 n. Let N be the set of the we RSA moduli N [ 2 2n, 2 2n+1] such tht N = pq with p = + u, q = + v, p, q [ 2 n, 2 n+1] for some smll M i u i M i v i b integers u, v, < N δ, b < N δ, u i < N δ nd v i < N δ for i = 0,..., with δ = Then the crdinlity of N is t lest #N 2 η2 where η 2 = 4 + 1nδ. Proof. As in the proof of Theorem 5, the number of prime numbers p [ 2 n, 2 n+1] such tht p = M i u i + u with u i < 2 2nδ is #P 2 2+1nδ. Then, the number N 2 of RSA modulus N [ 2 2n, 2 2n+1] with N = pq, where both p nd q re we primes is t lest #N nδ = 2 η2, where η 2 = 4 + 1nδ. This termintes the proof. In Tble 3, we present list of vlues of the bound η 2 in terms of nd n. = 1 = 2 = 3 = 4 = 5 = 6 = 7 n = n = n = Tble 4. Lower bounds for η 2 under Theorem 7. 5 Conclusions In this pper we presented nd illustrted two ttcs bsed on fctoring RSA moduli with we primes. We further computed lower bounds for the sets of we moduli -tht is, moduli mde of t lest one or two we prime respectively- in the intervl [2 2n, 2 2n+1 ] nd showed tht these sets re much lrger thn the set of RSA prime fctors stisfying Coppersmith s conditions, which effectively extending the lielihood for fctoring RSA moduli.

14 14 Abderrhmne Nitj nd Tjjeeddine Rchidi References 1. ANSI Stndrd X , Digitl Signtures Using Reversible Public Key Cryptogrphy for the Finncil Services Industry rdsa. 2. Bernstein, D.J., Chng, Y.A., Cheng, C.M., Chou, L.P., Heninger, N., Lnge, T., vn Someren, N.: Fctoring RSA eys from certified smrt crds: Coppersmith in the wild. In Advnces in Cryptology-ASIACRYPT Springer, 2013, pp Boneh, D.: Twenty yers of ttcs on the RSA cryptosystem, Notices Amer. Mth. Soc. 46 2, pp , Boneh, D., Durfee, G.: Cryptnlysis of RSA with privte ey d less thn N 0.292, Advnces in Cryptology-Eurocrypt 99, Lecture Notes in Computer Science Vol. 1592, Springer-Verlg, pp Compq Computer Corpertion. Cryptogrphy using Compq multiprime technology in prllel processing environment, Avilbe online t ftp://ftp.compq.com/pub/solutions/compqmultiprimewp.pdf 6. Coppersmith, D.: Smll solutions to polynomil equtions, nd low exponent RSA vulnerbilities. Journl of Cryptology, 104, pp Hrdy, G.H., Wright, E.M.: An Introduction to the Theory of Numbers. Oxford University Press, London Hstd, J.: On Using RSA with Low Exponent in Public Key Networ, in Proceedings of CRYPTO 85, Springer-Verlg, pp Hstd, J.: Solving simultneous modulr equtions of low degree, SIAM J. of Computing, Vol. 17, pp Herrmnn, M., My, A.: Solving liner equtions modulo divisors: On fctoring given ny bits. In Advnces in Cryptology-ASIACRYPT Springer, 2008, pp Lenstr, H.: Fctoring integers with elliptic curves, Annls of Mthemtics, Vol. 126, pp Lenstr, A.K., Lenstr, H.W. Jr. eds.: The Development of the Number Field Sieve, Lecture Notes in Mthemtics, vol. 1554, Berlin, Springer-Verlg, Lenstr, A.K., Lenstr, H.W., Lovász, L.: Fctoring polynomils with rtionl coefficients, Mthemtische Annlen, Vol. 261, pp , Y. Lu, Y., Zhng, R., Lin, D.: New Results on Solving Liner Equtions Modulo Unnown Divisors nd its Applictions, Cryptology eprint Archive, Report 2014/343, My, A.: New RSA Vulnerbilities Using Lttice Reduction Methods. PhD thesis, University of Pderborn Nitj, A.: Another generliztion of Wieners ttc on RSA, In: Vudeny, S. ed. Africcrypt LNCS, vol. 5023, pp Springer, Heidelberg Rivest, R., Shmir, A., Adlemn, L.: A Method for Obtining digitl signtures nd public-ey cryptosystems, Communictions of the ACM, Vol. 21 2, pp Zimmermnn, P.: 50 lrgest fctors found by ECM, de Weger, B.: Cryptnlysis of RSA with smll prime difference, Applicble Algebr in Engineering, Communiction nd Computing,Vol. 131, pp Wiener, M.: Cryptnlysis of short RSA secret exponents, IEEE Trnsctions on Informtion Theory, Vol. 36, pp