Factoring RSA moduli with weak prime factors

Abderrahmane Nitaj (1) and Tajjeeddine Rachidi (2)

(1) Laboratoire de Mathématiques Nicolas Oresme, Université de Caen Basse Normandie, France, abderrahmane.nitaj@unicaen.fr
(2) School of Science and Engineering, Alakhawayn University in Ifrane, Morocco, T.Rachidi@aui.ma

Abstract. In this paper, we study the problem of factoring an RSA modulus $N = pq$ in polynomial time, when $p$ is a weak prime, that is, $p$ can be expressed as $ap = u_0 + M_1 u_1 + \ldots + M_k u_k$ for some $k$ integers $M_1, \ldots, M_k$ and $k + 2$ suitably small parameters $a, u_0, \ldots, u_k$. We further compute a lower bound for the set of weak moduli, that is, moduli made of at least one weak prime, in the interval $[2^{2n}, 2^{2(n+1)}]$ and show that this number is much larger than the set of RSA prime factors satisfying Coppersmith's conditions, effectively extending the likelihood for factoring RSA moduli. We also prolong our findings to moduli composed of two weak primes.

Keywords: RSA, Cryptanalysis, Factorization, LLL algorithm, Weak primes

1 Introduction

The RSA cryptosystem, invented in 1978 by Rivest, Shamir and Adleman [17] is undoubtedly one of the most popular public key cryptosystems. In the standard RSA [17], the modulus $N = pq$ is the product of two large primes of the same bit-size. The public exponent $e$ is an integer such that $1 \le e < \phi(N)$ and $\gcd(e, \phi(N)) = 1$ where $\phi(N) = (p-1)(q-1)$ is the Euler totient function. The corresponding private exponent is the integer $d$ such that $ed \equiv 1 \pmod{\phi(N)}$. In RSA, the encryption, decryption, signature generation, and signature verification require substantial CPU cycles because the time to perform these operations is proportional to the number of bits in public or secret exponents [17]. To reduce CPU time necessary for encryption and signature verification, one may be tempted to use a small public exponent $e$. This situation has been proven to be insecure against some small public exponent attacks (see [8] and [9]). To reduce the decryption and signature generation time, one may also be tempted to use a small private exponent $d$.
Unfortunately, RSA is also vulnerable to various powerful short secret exponent attacks such as the attack of Wiener [20], and the attack of Boneh and Durfee [4] (see also [3]). An alternate way for increasing the performance of encryption, decryption, signature generation, and signature verification, without reverting to small exponents, is to use the multi-prime variant of RSA. The multi-prime RSA is a generalization of the standard RSA cryptosystem in which the modulus is in the form $N = p_1 p_2 \cdots p_k$ where $k \ge 3$ and the $p_i$'s are distinct prime numbers. Combined with the Chinese Remainder Theorem, multi-prime RSA is much more efficient than the standard RSA (see [5]).

(Footnote: Partially supported by the French SIMPATIC (SIM and PAiring Theory for Information and Communications security).)

In Section 4.1.2 of the X9.31-1998 standard for public key cryptography [1], some recommendations are presented regarding the generation of the prime factors of an RSA modulus. For example, it is recommended that the modulus should have $1024 + 256x$ bits for $x \ge 0$. This requirement deters some factorization attacks, such as the Number Field Sieve (NFS) [12] and the Elliptic Curve Method (ECM) [11]. Another recommendation is that the prime difference $|p - q|$ should be large, and $p/q$ should not be near the ratio of two small integers. These requirements guard against Fermat factoring algorithm [19], as well as Coppersmith's factoring attack on RSA [6] when one knows half of the bits of $p$. For example, if $N = pq$ and $p$, $q$ are of the same bit-size with $|p - q| < N^{1/4}$, then $\left|p - \left[\sqrt{N}\right]\right| < N^{1/4}$ (see [16]) where $\left[\sqrt{N}\right]$ is the nearest integer to $\sqrt{N}$, which means that half of the bits of $p$ are those of $\left[\sqrt{N}\right]$ which leads to the factorization of $N$ (see [6] and [19]). Observe that the factorization attack of Coppersmith applies provided that one knows half of the bits of $p$, that is $p$ is in one of the forms

$$p = \begin{cases} M_1 + u_0 & \text{with known } M_1 \text{ and unknown } u_0 \le N^{1/4}, \\ M_1 u_1 + M_0 & \text{with known } M_1, M_0 \text{ and unknown } u_1 \le N^{1/4}. \end{cases}$$

Such primes are called Coppersmith's weak primes. In the case of $p = M_1 u_1 + M_0$ with known $M_1$ and $M_0$, the Euclidean division of $q$ by $M_1$ is in the form $q = M_1 v_1 + v_0$. Hence $N = pq = (M_1 u_1 + M_0)(M_1 v_1 + v_0)$ which gives $M_0 v_0 \equiv N \pmod{M_1}$. Hence, since $\gcd(M_0, M_1) = 1$, then $v_0 \equiv N M_0^{-1} \pmod{M_1}$.
This means that when $p$ is in the form $p = M_1 u_1 + M_0$ with known $M$ and $u_0$, then $q$ is necessarily in the form $q = M_1 v_1 + v_0$ with known $v_0$. Coppersmith's attack is therefore applicable only when small enough parameters $M_0$ and $v_0$ can be found such that $p = M_1 u_1 + M_0$ and $q = M_1 v_1 + v_0$. This reduces the applicability of the attack to the set of moduli such that $p$ and $q$ are of the form defined above.

In this paper, we consider the generalization of Coppersmith's attack by considering a more satisfiable decomposition of any of the multipliers of $p$ or $q$, i.e., $ap$ or $aq$ not just $p$ or $q$, effectively leading to an increased set of moduli that can be factored. We describe two new attacks on RSA with a modulus $N = pq$. The first attack applies in the situation that, for given positive integers $M_1, \ldots, M_k$, one of the prime factors, $p$ say, satisfies a linear equation $ap = u_0 + M_1 u_1 + \ldots + M_k u_k$ with suitably small integers $a$ and $u_0, \ldots, u_k$. We call such prime factors weak primes for the integers $M_1, \ldots, M_k$. The second attack applies when both factors $p$ and $q$ are weak for the integers $M_1, \ldots, M_k$. We note
that, for $k = 1$, the weak primes are such that $ap = u_0 + M_1 u_1$. This includes the class of Coppersmith's weak primes. For both attacks, we give an estimation of the RSA moduli $N = pq$ with a prime factor $p \in [2^n, 2^{n+1}]$ which is weak for the integers $M, M^2, \ldots, M^k$ where $M = 2^{\frac{n}{2k}}$. We show that the number of moduli with a weak prime factor is much larger than the number of moduli with a Coppersmith's weak prime factor.

The rest of the paper is organized as follows. In Section 2, we give some basic concepts on integer factorization and lattice reduction as well as an overview of Coppersmith's method. In Section 3, we present an attack on an RSA modulus $N = pq$ with one weak prime factor. In Section 4, we present the second attack on an RSA modulus $N = pq$ with two weak prime factors. We conclude the paper in Section 5.

2 Preliminaries

In this section we give the definitions and results that we need to perform our attacks. These preliminaries include basic concepts on integer factorization and lattice reduction techniques.

2.1 Integer factorization: the state of the art

Currently, the most powerful algorithm for factorizing large integers is the Number Field Sieve (NFS) [12]. The heuristic expected time $T_{NFS}(N)$ of the NFS depends on the bitsize of the integer $N$ to be factored:

$$T_{NFS}(N) = \exp\left((1.92 + o(1)) (\log N)^{1/3} (\log\log N)^{2/3}\right).$$

If the integer $N$ has small factors, the Elliptic Curve Method (ECM) [11] for factoring is substantially faster than the NFS. It can compute a non-trivial factor $p$ of a composite integer $N$ in an expected runtime $T_{ECM}$:

$$T_{ECM}(p) = \exp\left((\sqrt{2} + o(1)) (\log p)^{1/2} (\log\log p)^{1/2}\right),$$

which is sub-exponential in the bitsize of the factor $p$. The largest factor found so far with the ECM is an 83 decimal digits (275 bits) prime factor of the special number $7^{337} + 1$ (see [18]).

2.2 Lattice reduction

Let $m$ and $n$ be positive integers with $m \le n$. Let $u_1, \ldots, u_m \in \mathbb{R}^n$ be $m$ linearly independent vectors. The lattice $L$ spanned by $u_1, \ldots, u_m$ is the set

$$L = \left\{ \sum_{i=1}^{m} a_i u_i \;\middle|\; a_i \in \mathbb{Z} \right\}.$$
The set $\{u_1, \ldots, u_m\}$ is called a lattice basis for $L$. The dimension (or rank) of the lattice $L$ is $\dim(L) = m$, and $L$ is called full rank if $m = n$. It is often useful to represent the lattice $L$ by the $m \times n$ matrix $M$ whose rows are the coefficients of the vectors $u_1, \ldots, u_m$. The determinant (or volume) of $L$ is defined as $\det(L) = \sqrt{\det(M M^t)}$. When $L$ is full rank, the determinant reduces to $\det(L) = |\det(M)|$. The Euclidean norm of a vector $v = \sum_{i=1}^{m} a_i u_i \in L$ is defined as $\|v\| = \sqrt{\sum_{i=1}^{m} a_i^2}$.

As a lattice has infinitely many bases, some bases are better than others, and a very important task is to find a basis with small vectors $\{b_1, \ldots, b_m\}$ called the reduced basis. This task is very hard in general, however, the LLL algorithm proposed by Lenstra, Lenstra, and Lovász [13] finds a basis of a lattice with relatively small vectors in polynomial time. The following theorem determines the sizes of the reduced basis vectors obtained with LLL (see [15] for more details).

Theorem 1. Let $L$ be a lattice spanned by a basis $\{u_1, \ldots, u_m\}$. The LLL algorithm applied to $L$ outputs a reduced basis $\{b_1, \ldots, b_m\}$ with

$$\|b_1\| \le \|b_2\| \le \ldots \le \|b_i\| \le 2^{\frac{m(m-1)}{4(m-i+1)}} \det(L)^{\frac{1}{m+1-i}},$$

for $i = 1, 2, \ldots, m$.

The existence of a short nonzero vector in a lattice is guaranteed by a result of Minkowski stating that every $m$-dimensional lattice $L$ contains a non-zero vector $v$ with $\|v\| \le \sqrt{m}\, \det(L)^{\frac{1}{m}}$. On the other hand, the Gaussian Heuristic asserts that the norm $\gamma_1$ of the shortest vector of a random lattice satisfies

$$\gamma_1 \approx \sqrt{\frac{\dim(L)}{2\pi e}}\, \det(L)^{\frac{1}{\dim(L)}}.$$

Hereafter, we will use this result as an estimation for the expected minimum norm of a non-zero vector in a lattice.

2.3 Coppersmith's Method

In 1996, Coppersmith [6] presented two techniques based on LLL to find small integer roots of univariate modular polynomials or of bivariate integer polynomials. Coppersmith showed how to apply his technique to factorize an RSA modulus $N = pq$ with $q < p < 2q$ when half of the least or the most significant bits of $p$ is known.

Theorem 2. Let $N = pq$ be an RSA modulus with $q < p < 2q$. Let $M_0$ and $M_1$ be two positive integers.
If $p = M_1 + u_0$ with $u_0 < N^{1/4}$ or if $p = M_1 u_1 + M_0$ with $u_1 < N^{1/4}$, then $N$ can be factored in time polynomial in $\log N$.

Coppersmith's technique extends to polynomials in more variables, but the method becomes heuristic. The problem of finding small roots of linear modular polynomials $f(x_1, \ldots, x_n) = a_1 x_1 + a_2 x_2 + \cdots + a_n x_n + a_{n+1} \pmod{p}$ for some unknown $p$ that divides the known modulus $N$ has been studied using Coppersmith's technique by Herrmann and May [10]. The following result, due to Lu, Zhang and Lin [14] gives a sufficient condition under which modular roots can be found efficiently.
Theorem 3 (Lu, Zhang, Lin). Let $N$ be a composite integer with a divisor $p^u$ such that $p \ge N^{\beta}$. Let $f(x_1, \ldots, x_n) \in \mathbb{Z}[x_1, \ldots, x_n]$ be a homogeneous linear polynomial. Then one can find all the solutions $(y_1, \ldots, y_n)$ of the equation $f(x_1, \ldots, x_n) = 0 \pmod{p^v}$, v u with $\gcd(y_1, \ldots, y_n) = 1$ and $|y_1| < N^{\delta_1}, \ldots, |y_n| < N^{\delta_n}$ if

$$\sum_{i=1}^{n} \delta_i < \frac{u}{v}\left(1 - \left(1 - \frac{u}{v}\beta\right)^{\frac{n}{n-1}} - n\left(1 - \sqrt[n-1]{1 - \frac{u}{v}\beta}\right)\left(1 - \frac{u}{v}\beta\right)\right).$$

The time complexity of the algorithm for finding such a solution $(y_1, \ldots, y_n)$ is polynomial in $\log N$.

3 The Attack with One Weak Prime Factor

3.1 The Attack

In this section, we present an attack to factor an RSA modulus $N = pq$ when $p$ satisfies a linear equation in the form $ap = u_0 + M_1 u_1 + \ldots + M_k u_k$ for a suitably small positive integer $a$ and suitably small integers $u_0, u_1, \ldots, u_k$ where $M_1, \ldots, M_k$ are given positive integers. Such a prime factor $p$ is called a weak prime for the integers $M_1, \ldots, M_k$.

Theorem 4. Let $N = pq$ be an RSA modulus such that $p > N^{\beta}$ and $M_1, \ldots, M_k$ be $k$ positive integers with $M_1 < M_2 < \ldots < M_k$. Suppose that there exists a positive integer $a$, and $k + 1$ integers $u_i$, $i = 0, \ldots, k$ such that $ap = u_0 + M_1 u_1 + \ldots + M_k u_k$ with $\max(|u_i|) < N^{\delta}$ and

$$\delta < \frac{1}{k+1}\left(1 - (1-\beta)^{\frac{k+1}{k}} - (k+1)\left(1 - \sqrt[k]{1-\beta}\right)(1-\beta)\right).$$

Then one can factor $N$ in polynomial time.

Proof. Let $M_1, \ldots, M_k$ be $k$ positive integers such that $M_1 < M_2 < \ldots < M_k$. Suppose that $ap = u_0 + M_1 u_1 + \ldots + M_k u_k$, that is $(u_0, \ldots, u_k)$ is a solution of the modular polynomial equation

$$x_0 + M_1 x_1 + \ldots + M_k x_k = 0 \pmod{p}. \qquad (1)$$

Suppose that $|u_i| < N^{\delta}$ for $i = 0, \ldots, k$. Using $n = k + 1$, $u = 1$ and $v = 1$ in Theorem 3 means that the equation (1) can be solved in polynomial time, i.e., finding $(u_0, \ldots, u_k)$, if

$$(k+1)\delta < 1 - (1-\beta)^{\frac{k+1}{k}} - (k+1)\left(1 - \sqrt[k]{1-\beta}\right)(1-\beta),$$

which gives the bound

$$\delta < \frac{1}{k+1}\left(1 - (1-\beta)^{\frac{k+1}{k}} - (k+1)\left(1 - \sqrt[k]{1-\beta}\right)(1-\beta)\right).$$

This terminates the proof.
Remark 1. For a balanced RSA modulus, the prime factors $p$ and $q$ are of the same bit size. Then $p > N^{\beta}$ with $\beta = \frac{1}{2}$. Hence, the condition on $\delta$ becomes

$$\delta < \frac{1}{k+1}\left(1 - \left(\frac{1}{2}\right)^{\frac{k+1}{k}} - \frac{k+1}{2}\left(1 - \sqrt[k]{\frac{1}{2}}\right)\right). \qquad (2)$$

In Table 1, we give the bound for $\delta$ for given $\beta$ and $k$.

| | k = 1 | k = 2 | k = 3 | k = 4 | k = 5 | k = 6 | k = 7 | k = 8 | k = 9 | k = 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| β = 0.5 | 0.125 | 0.069 | 0.047 | 0.036 | 0.029 | 0.024 | 0.021 | 0.018 | 0.016 | 0.015 |
| β = 0.6 | 0.180 | 0.101 | 0.071 | 0.054 | 0.044 | 0.037 | 0.032 | 0.028 | 0.025 | 0.022 |
| β = 0.7 | 0.245 | 0.142 | 0.100 | 0.077 | 0.063 | 0.053 | 0.046 | 0.046 | 0.036 | 0.032 |

Table 1. Upper bounds for $\delta$ by Theorem 4.

Remark 2. We note that Coppersmith's weak primes correspond to moduli $N = pq$ with $q < p < 2q$ where one of the prime factors is of the form $p = M_1 + u_0$ or $p = M_1 u_1 + M_0$ with $u_0, u_1 < N^{0.25}$ as mentioned in Theorem 2. This is a special case of the equation of Theorem 4. Indeed, we can solve the equations $p = M_1 + u_0$ and $p = M_1 u_1 + M_0$ when $|u_0|, |u_1| < N^{1/4}$. Alternatively, Coppersmith's weak primes correspond to the cell $(k, 2\beta) = (1, 0.25)$ in Table 1.

3.2 Numerical Examples

Example 1. Let

N = 10009752886312109988022778227550577837081215192005129864784685185744046801879577421186031638557426812962407688357511963709141,

be a 412-bit RSA modulus with $N = pq$ where $q < p < 2q$. Then $p$ and $q$ are balanced and $p \approx N^{1/2} \approx 2^{206}$. Hence for $\beta = 0.5$, we have $p > N^{\beta}$. Suppose that $p$ satisfies an equation of the form $ap = u_0 + M u_1 + M^2 u_2$. Typically, $M^2 \approx N^{1/2}$, that is $M \approx N^{1/4}$. So let $M = 2^{100}$. For $\beta = 0.5$ and $k = 2$, Table 1 gives the bound $\delta < 0.069$. Assume therefore that the parameters $u_i$ satisfy $|u_i| < N^{0.069} \approx 2^{28}$ for $i = 0, 1, 2$. By applying Theorem 4 we should find $u_0$, $u_1$ and $u_2$ as long as $|u_0|, |u_1|, |u_2| < 2^{28}$. We apply the method of Lu et al. [14] with $m = 4$ and $t = 1$. This gives a 35-dimensional lattice. Applying the LLL algorithm [13], we find a reduced basis with multivariate polynomials $f_i(x_1, x_2, x_3) \in \mathbb{Z}[x_1, x_2, x_3]$, $i = 1, \ldots, 3$. Applying the Gröbner basis technique for solving a system of polynomial equations, we get $u_0 = 9005$, $u_1 = 7123$,
$u_2 = 3915$. Using these values, we can compute $ap = u_0 + M u_1 + M^2 u_2$ from which we deduce $p = \gcd(u_0 + M u_1 + M^2 u_2, N)$, that is

p = 123356126338704841740132972382836883609800988209539117002682143.

Finally, we can compute $q = N/p$, that is

q = 81145162250214072465980396192562821802697970661432623765038987.

Note here that there is no linear decomposition of $p$ in the form $p = M_1 + u_0$ nor $p = M_1 u_1 + M_0$ with $u_0, u_1 < N^{0.25}$ that makes $p$ vulnerable to the attack of Coppersmith. This shows that the modulus $N$ is vulnerable to our attack, while it is not vulnerable to Coppersmith's attack. Finally, the overall recorded execution time for our attack using an off-the-shelf computer was 17 seconds.

Example 2. In [2], Bernstein et al. discovered many prime factors with special forms. Many of these primes were found by computing the greatest common divisor of a collection of RSA moduli. Others were found by applying Coppersmith's technique. We show below that our attack can find some primes among the list of Bernstein et al. One of these primes is

p = 0xc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f9
  = 10055855947456947824680518748654384595609524365444295033292671082791323022555160232601405723625177570767523893639864538140315412108959927459825236754563833.

Using $M = 2^{510}$, we get $p = 3M + 761 = M u_1 + u_0$ where $u_1 = 3$ and $u_0 = 761$. We have $u_1, u_0 < N^{\delta}$ with $\delta \approx 0.007$ which is less than the bound 0.125 in Table 1 for a 1024 bit-size RSA modulus $N$ with $\beta = 0.5$, and $k = 1$. This implies that the conditions for Theorem 4 are satisfied and our method finds $p$ when used in any RSA modulus.

Example 3. Now, consider this other example from the list of Bernstein et al.
[2]

p = 0xc000b800000000000000000000000000000000000000000000000000000000000000068000000000000000000000000000000000000000000000000000000251
  = 10056002994300661909178585747410296772915190347411207124093761152520749216065545598886037221777994938111659319232428746318812487609513837263772711701709393

Then $p$ has the form $p = 3145774 M^7 + 27262976 M^3 + 593 = M^7 u_7 + M^3 u_3 + u_0$ where $M = 2^{70}$. The coefficients $u_7$, $u_3$ and $u_0$ satisfy $u_7, u_3, u_0 < N^{\delta}$ with $\delta \approx 0.016$ while the bound of Theorem 4 is 0.021 (see Table 1 for $k = 7$ and $\beta = 0.5$). Again, this shows that our method will find the factorization of any RSA modulus that is a multiple of $p$.
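The weak-prime condition of Theorem 4 can also be checked from the key owner's side, on a prime that is already known. The following is an added example, not code from the paper: it evaluates the Theorem 4 bound and looks for a small multiplier a such that ap has only small balanced base-M digits, using the values printed in Examples 1 and 2. The restriction to M_i = M^i, the function names and the search cap `a_max` are assumptions of this sketch.

```python
"""Audit a known RSA prime for the weak-prime structure of Theorem 4 (added example)."""

# Values copied from the page's Example 1 and Example 2.
EX1_P = 123356126338704841740132972382836883609800988209539117002682143
EX1_N_BITS = 412
EX2_P = 3 * 2**510 + 761
EX2_N_BITS = 1024


def delta_bound(beta, k):
    """Theorem 4 bound on delta for a factor p > N^beta and k integers M_1..M_k."""
    r = 1.0 - beta
    return (1 - r ** ((k + 1) / k) - (k + 1) * (1 - r ** (1 / k)) * r) / (k + 1)


def balanced_digits(n, M):
    """Base-M digits of n, least significant first, each in (-M/2, M/2]."""
    digits = []
    while n != 0:
        d = n % M
        if d > M // 2:
            d -= M          # negative digit, the carry moves to the next position
        digits.append(d)
        n = (n - d) // M
    return digits


def find_weak_form(p, M, n_bits, beta=0.5, a_max=1000):
    """Return (a, [u_0, ..., u_k]) for the smallest a <= a_max such that
    a*p = u_0 + M*u_1 + ... + M^k*u_k with every |u_i| below the Theorem 4
    threshold, or None.  Assumptions of this sketch: M_i = M^i (as in the
    page's examples), N is approximated by 2^n_bits, a_max is a search cap."""
    for a in range(1, a_max + 1):
        u = balanced_digits(a * p, M)
        k = len(u) - 1
        if k < 1:
            continue
        limit = 1 << int(delta_bound(beta, k) * n_bits)   # about N^delta
        if all(abs(d) < limit for d in u):
            return a, u
    return None


def scan_bases(p, n_bits, exponents, beta=0.5, a_max=1000):
    """Try M = 2^t for each t and list every base that exposes a weak form."""
    hits = []
    for t in exponents:
        found = find_weak_form(p, 1 << t, n_bits, beta, a_max)
        if found:
            hits.append((t, found[0], found[1]))
    return hits


if __name__ == "__main__":
    print("Table 1, beta = 0.5:", [round(delta_bound(0.5, k), 3) for k in (1, 2, 3)])
    print("Example 1:", find_weak_form(EX1_P, 2**100, EX1_N_BITS))
    print("Example 2:", scan_bases(EX2_P, EX2_N_BITS, [170, 255, 510], a_max=4))
```

A prime for which `find_weak_form` returns a result under some tested base is one the page's first attack applies to; a `None` result only covers the bases and multipliers that were actually tried.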
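3.3 The Number of Single Weak Primes in an Interval

In this section, we consider two positive integers $n$ and $M$ and present a study of the weak primes with $M$, that is the primes $p \in [2^n, 2^{n+1}]$ such that there exists a positive integer $k$ that gives the decomposition $ap = \sum_{i=0}^{k} M^i u_i$ where $|u_i| < N^{\delta}$ and $\delta$ satisfies Theorem 4. We show that the number of the RSA moduli $N$ in the interval $[2^{2n}, 2^{2(n+1)}]$ with a weak prime factor $p \in [2^n, 2^{n+1}]$ is polynomial in $2^n$. That is, this number is lower bounded by $2^{\eta}$ where $\eta > \frac{1}{2}$. We call such class weak RSA Moduli in the interval $[2^{2n}, 2^{2(n+1)}]$.

Theorem 5. Let $n$ be a positive integer. For $k \ge 1$, define $M = \left\lceil 2^{\frac{n}{k}} \right\rceil$. Let $\mathcal{N}$ be the set of the weak RSA moduli $N \in [2^{2n}, 2^{2(n+1)}]$ such that $N = pq$, $p$ and $q$ are of the same bitsize, $p > q$, and

$$p = \frac{\sum_{i=0}^{k} M^i u_i}{a} + b \in [2^n, 2^{n+1}]$$

for some small integers $b$, $a < N^{\delta}$ and $|u_i| < N^{\delta}$ for $i = 0, \ldots, k$ with

$$\delta = \frac{1}{k+1}\left(1 - \left(\frac{1}{2}\right)^{\frac{k+1}{k}} - \frac{k+1}{2}\left(1 - \sqrt[k]{\frac{1}{2}}\right)\right).$$

Then the cardinality of $\mathcal{N}$ satisfies $\#\mathcal{N} \ge 2^{\eta}$ where

$$\eta = (1 + 2(k+1)\delta)\, n + \log_2\left(\frac{n-1}{n(n+1)\log(2)}\right).$$

Proof. Let $N$ be an RSA modulus. Suppose that $N \in [2^{2n}, 2^{2(n+1)}]$ with $N = pq$ where $p$ and $q$ are of the same bitsize. Since $p \approx N^{\frac{1}{2}}$, then $p \in [2^n, 2^{n+1}]$. Suppose further that for some positive integer $a$, we have $ap = \sum_{i=0}^{k} M^i u_i$. Then

$$M^k = \frac{ap - \sum_{i=0}^{k-1} M^i u_i}{u_k} \approx \frac{ap}{u_k},$$

which implies $M \approx p^{\frac{1}{k}} \approx N^{\frac{1}{2k}}$. Now, define $M = \left\lceil N^{\frac{1}{2k}} \right\rceil = \left\lceil 2^{\frac{n}{k}} \right\rceil$, where $\lceil x \rceil$ is the integer greater or equal to $x$. This yields $2^n \le M^k \le 2^{n+1}$. Consider the set

$$\mathcal{P} = \left\{ p = \frac{\sum_{i=0}^{k} M^i u_i}{a} + b,\; p \text{ is prime},\; p \in [2^n, 2^{n+1}],\; a < N^{\delta},\; |u_i| < N^{\delta} \right\},$$

where $\delta$ satisfies (2). Here $b$ is as small as possible so that $\frac{\sum_{i=0}^{k} M^i u_i}{a} + b$ is prime. Also, since $M^k$ is the leading term, then observe that

$$\frac{\sum_{i=0}^{k} M^i u_i}{a} = \frac{u_k}{a} M^k + \frac{\sum_{i=0}^{k-1} M^i u_i}{a}.$$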
To ensure $p \in [2^n, 2^{n+1}]$, we consider only the situation where $a \approx u_k$. Hence, using the bounds $a < N^{\delta}$ and $|u_i| < N^{\delta}$ for $i = 0, \ldots, k-1$, we get a lower bound for the number of possibilities for $a$ and for $u_i$, which themselves set a lower bound for the cardinality of $\mathcal{P}$ as follows:

$$\#\mathcal{P} \ge N^{\delta} \times N^{k\delta} = N^{(k+1)\delta} \approx 2^{2(k+1)n\delta}. \qquad (3)$$

On the other hand, the prime number theorem asserts that the number $\pi(x)$ of the primes less than $x$ is

$$\pi(x) \approx \frac{x}{\log(x)}.$$

Hence, the number of primes in the interval $[2^n, 2^{n+1}]$ is approximately

$$\pi(2^{n+1}) - \pi(2^n) \approx \frac{2^{n+1}}{\log(2^{n+1})} - \frac{2^n}{\log(2^n)} = \frac{(n-1)2^n}{n(n+1)\log(2)}. \qquad (4)$$

It follows that the number of RSA moduli $N = pq \in [2^{2n}, 2^{2(n+1)}]$ with a weak factor $p \in \mathcal{P}$ and $q \in [2^n, 2^{n+1}]$ is at least

$$\#\mathcal{N} \ge \#\mathcal{P} \times \left(\pi(2^{n+1}) - \pi(2^n)\right).$$

Using (3) and (4), we get

$$\#\mathcal{N} \ge 2^{2(k+1)n\delta} \times \frac{(n-1)2^n}{n(n+1)\log(2)} = \frac{n-1}{n(n+1)\log(2)}\, 2^{(1+2(k+1)\delta)n} = 2^{\eta},$$

where

$$\eta = (1 + 2(k+1)\delta)\, n + \log_2\left(\frac{n-1}{n(n+1)\log(2)}\right).$$

This terminates the proof.

Table 2 presents a list of values of the bound $\eta$ in terms of $k$ and $n$.

| | k = 1 | k = 2 | k = 3 | k = 4 | k = 5 | k = 6 | k = 7 |
|---|---|---|---|---|---|---|---|
| n = (1/2) log_2 N = 512 | 759 | 715 | 698 | 689 | 684 | 680 | 677 |
| n = (1/2) log_2 N = 1024 | 1526 | 1438 | 1404 | 1386 | 1375 | 1368 | 1362 |
| n = (1/2) log_2 N = 2048 | 3061 | 2885 | 2818 | 2782 | 2759 | 2744 | 2733 |

Table 2. Lower bounds for $\eta$ under Theorem 5.

In Table 2, we see that in the situation $(\beta, k) = (0.5, 1)$, the number $\#\mathcal{N}$ of 1024-bits RSA moduli $N = pq \in [2^{1024}, 2^{1026}]$ with a weak factor $p$ is at least $\#\mathcal{N} \ge 2^{759}$. This is much larger than the number of RSA moduli with a weak Coppersmith prime factor in the same interval, which is actually $N^{0.25} \approx 2^{256}$. This remark is also valid for 2048-bits and 4096-bits RSA moduli.
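4 The Attack with Two Weak Prime factors

4.1 The Attack

In this section, we present an attack on RSA with a modulus $N = pq$ when both the prime factors $p$ and $q$ are weak primes.

Theorem 6. Let $N = pq$ be an RSA modulus and $M$ be a positive integer. Let $k \ge 1$. Suppose that there exist integers $a$, $b$, $u_i$ and $v_i$, $i = 1, \ldots, k$ such that $ap = \sum_{i=0}^{k} M^i u_i$ and $bq = \sum_{i=0}^{k} M^i v_i$ with $|u_i|, |v_i| < N^{\delta}$ and

$$\delta < \frac{1}{2k+1} + \frac{\log(2k^3)}{2(2k+1)\log(N)} + \frac{\log(2k+1) - \log(2\pi e)}{4\log(N)} - \frac{\log(4k^3)}{4\log(N)}.$$

Then one can factor $N$ in polynomial time.

Proof. Suppose that $ap = \sum_{i=0}^{k} M^i u_i$ and $bq = \sum_{i=0}^{k} M^i v_i$. Then multiplying $ap$ and $bq$, we get

$$abN = \sum_{i=0}^{2k} M^i w_i, \quad \text{with} \quad w_i = \sum_{j=0}^{i} u_j v_{i-j}.$$

This can be transformed into the equation

$$M^{2k} x_{2k} + M^{2k-1} x_{2k-1} + \ldots + M x_1 - yN = -x_0, \qquad (5)$$

with the solution $(x_{2k}, x_{2k-1}, \ldots, x_1, y, x_0) = (w_{2k}, w_{2k-1}, \ldots, w_1, ab, u_0 v_0)$. For $i = 0, \ldots, k$, suppose that $|u_i|, |v_i| < N^{\delta}$. Since for $i = 0, \ldots, 2k$, the maximal number of terms in $w_i$ is $k$, we get

$$|x_i| = |w_i| \le k \max_j(|u_j|) \cdot \max_j(|v_j|) < k N^{2\delta}. \qquad (6)$$

Let $C$ be a constant to be fixed later. Consider the lattice $L$ generated by the row vectors of the matrix

$$M_L = \begin{pmatrix} 1 & 0 & 0 & \cdots & 0 & CM^{2k} \\ 0 & 1 & 0 & \cdots & 0 & CM^{2k-1} \\ \vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & 0 & \cdots & 1 & CM \\ 0 & 0 & 0 & \cdots & 0 & CN \end{pmatrix}. \qquad (7)$$

The dimension of the lattice $L$ is $\dim(L) = 2k + 1$ and its determinant is $\det(L) = CN$. According to the Gaussian Heuristic, the length of the shortest non-zero vector of the lattice $L$ is approximately $\sigma(L)$ with

$$\sigma(L) \approx \sqrt{\frac{\dim(L)}{2\pi e}}\, \det(L)^{\frac{1}{\dim(L)}} = \sqrt{\frac{2k+1}{2\pi e}}\, (CN)^{\frac{1}{2k+1}}.$$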
Consider the vector $v = (x_{2k}, x_{2k-1}, \ldots, x_1, -Cx_0)$. Then, using (5), we get

$$(x_{2k}, x_{2k-1}, \ldots, x_1, -Cx_0) = (x_{2k}, x_{2k-1}, \ldots, x_1, -y)\, M_L.$$

This means that $v \in L$. Consequently, if $C$ satisfies $\|v\| \le \sigma(L)$, then, by the Gaussian Heuristic, $v$ is the shortest vector of $L$. Using the bound (6), the length of the vector $v$ satisfies

$$\|v\|^2 = C^2 x_0^2 + \sum_{i=1}^{2k} x_i^2 \le \left(C^2 + \sum_{i=1}^{2k} k^2\right) N^{4\delta} = \left(C^2 + 2k^3\right) N^{4\delta}.$$

Let $C$ be a positive integer satisfying $C \le \sqrt{2k^3}$. Then the norm of the vector $v$ satisfies $\|v\|^2 < 4k^3 N^{4\delta}$. Hence, using the Gaussian approximation $\sigma(L)$, the inequality $\|v\| \le \sigma(L)$ is satisfied if

$$2k^{\frac{3}{2}} N^{2\delta} \le \sqrt{\frac{2k+1}{2\pi e}} \left(2^{\frac{1}{2}} k^{\frac{3}{2}} N\right)^{\frac{1}{2k+1}}.$$

Solving for $\delta$, we get

$$\delta < \frac{1}{2k+1} + \frac{\log(2k^3)}{2(2k+1)\log(N)} + \frac{\log(2k+1) - \log(2\pi e)}{4\log(N)} - \frac{\log(4k^3)}{4\log(N)}.$$

If $\delta$ satisfies the former bound, then the LLL algorithm, applied to the lattice $L$ will output the vector $v = (x_{2k}, x_{2k-1}, \ldots, x_1, -Cx_0)$ from which we deduce

$$w_{2k} = x_{2k}, \quad w_{2k-1} = x_{2k-1}, \quad \ldots, \quad w_1 = x_1, \quad w_0 = \frac{Cx_0}{C}.$$

Using the coefficients $w_i$, $i = 1, \ldots, 2k$, we construct the polynomial $P(X) = w_{2k} X^{2k} + w_{2k-1} X^{2k-1} + \ldots + w_1 X + w_0$. Factoring $P(X)$, we get

$$P(X) = \left(\sum_{i=0}^{k} u_i X^i\right)\left(\sum_{i=0}^{k} v_i X^i\right),$$

from which we deduce all the values $u_i$ and $v_i$ for $i = 1, \ldots, k$. Using each $u_i$ and $v_i$ for $i = 1, \ldots, k$, we get $ap = \sum_{i=0}^{k} M^i u_i$ and finally obtain $p = \gcd\left(\sum_{i=0}^{k} M^i u_i, N\right)$ which in turn gives $q = N/p$. This terminates the proof.

In Table 3, we give the bound for $\delta$ for given $k$ and given size of the RSA modulus.

4.2 Examples

Example 4. Consider the 234 bits RSA modulus

N = 18128727522177729435347634587168292968987318316812435932174117774340029.
| | k = 1 | k = 2 | k = 3 | k = 4 | k = 5 |
|---|---|---|---|---|---|
| log_2 N = 1024 | 0.332 | 0.199 | 0.141 | 0.109 | 0.089 |
| log_2 N = 2048 | 0.333 | 0.199 | 0.142 | 0.110 | 0.090 |

Table 3. Upper bounds for $\delta$ with Theorem 6.

Let $M = 2^{50}$. Suppose further that the prime factors $p$ and $q$ are such that $ap = M^2 u_2 + M u_1 + u_0$ and $bq = M^2 v_2 + M v_1 + v_0$, that is $k = 2$ with the notation of Theorem 6. We built the matrix (7) with $C = \sqrt{2k^3} = 4$ and applied the LLL algorithm [13]. We got a new basis, where the last row is:

$(w_4, w_3, w_2, w_1, Cw_0)$ = (30223231819936, 68646317659290, 109044283791446, 80821741694637, 162291153390444).

From this, we form the polynomial $P(X) = w_4 X^4 + w_3 X^3 + w_2 X^2 + w_1 X + w_0$, which factors as:

$P(X) = (4678994X^2 + 5832048X + 4871673)(6459344X^2 + 6620037X + 8328307)$.

From this, we deduce

$u_2 = 4678994$, $u_1 = 5832048$, $u_0 = 4871673$,
$v_2 = 6459344$, $v_1 = 6620037$, $v_0 = 8328307$.

Using these values, we compute

$ap = M^2 u_2 + M u_1 + u_0$ = 5931329552564290566528965219451557369,
$bq = M^2 v_2 + M v_1 + v_0$ = 8188191298680619668680362464158618739,

and obtain

$p = \gcd(ap, N)$ = 126198501118389160989977983392586327,
$q = \gcd(bq, N)$ = 143652478924221397696146709897519627.

This leads to the factorization of $N = pq$. We note that the first attack described in Section 3 does not succeed to factor $N$. Indeed, we have $\frac{\log(\max_i v_i)}{\log N} \approx 0.098$ which is larger than the value $\delta = 0.069$ for $k = 2$ and $\beta = 0.5$ in Table 1. Finally, the overall recorded execution time for our attack using an off-the-shelf computer was 12 seconds.

4.3 The Number of Double Weak Primes in an Interval

In this section, we consider two positive integers $n$ and $M$ and present a study of the double weak primes with $M$, that is the primes $p, q \in [2^n, 2^{n+1}]$ such that there exist positive integers $a$ and $b$ that give the decompositions:

$$ap = \sum_{i=0}^{k} M^i u_i, \qquad bq = \sum_{i=0}^{k} M^i v_i$$
where $|u_i| < N^{\delta}$, $|v_i| < N^{\delta}$ and $\delta$ satisfies Theorem 6. We show that the number of the RSA moduli $N$ in the interval $[2^{2n}, 2^{2(n+1)}]$ with weak prime factors $p, q \in [2^n, 2^{n+1}]$ is lower bounded by $2^{\eta_2}$ where $\eta_2 > \frac{1}{2}$.

Theorem 7. Let $n$ be a positive integer. For $k \ge 1$, define $M = \left\lceil 2^{\frac{n}{k}} \right\rceil$. Let $\mathcal{N}$ be the set of the weak RSA moduli $N \in [2^{2n}, 2^{2(n+1)}]$ such that $N = pq$ with

$$p = \frac{\sum_{i=0}^{k} M^i u_i}{a} + u, \qquad q = \frac{\sum_{i=0}^{k} M^i v_i}{b} + v, \qquad p, q \in [2^n, 2^{n+1}]$$

for some small integers $u$, $v$, $a < N^{\delta}$, $b < N^{\delta}$, $|u_i| < N^{\delta}$ and $|v_i| < N^{\delta}$ for $i = 0, \ldots, k$ with

$$\delta = \frac{1}{k+1}\left(1 - \left(\frac{1}{2}\right)^{\frac{k+1}{k}} - \frac{k+1}{2}\left(1 - \sqrt[k]{\frac{1}{2}}\right)\right).$$

Then the cardinality of $\mathcal{N}$ is at least $\#\mathcal{N} \ge 2^{\eta_2}$ where $\eta_2 = 4(k+1)n\delta$.

Proof. As in the proof of Theorem 5, the number of prime numbers $p \in [2^n, 2^{n+1}]$ such that $p = \frac{\sum_{i=0}^{k} M^i u_i}{a} + u$ with $|u_i| < 2^{2n\delta}$ is $\#\mathcal{P} \ge 2^{2(k+1)n\delta}$. Then, the number $\mathcal{N}_2$ of RSA moduli $N \in [2^{2n}, 2^{2(n+1)}]$ with $N = pq$, where both $p$ and $q$ are weak primes is at least

$$\#\mathcal{N}_2 \ge 2^{4(k+1)n\delta} = 2^{\eta_2},$$

where $\eta_2 = 4(k+1)n\delta$. This terminates the proof.

In Table 4, we present a list of values of the bound $\eta_2$ in terms of $k$ and $n$.

| | k = 1 | k = 2 | k = 3 | k = 4 | k = 5 | k = 6 | k = 7 |
|---|---|---|---|---|---|---|---|
| n = 512 | 512 | 424 | 390 | 372 | 361 | 353 | 348 |
| n = 1024 | 1024 | 848 | 780 | 744 | 722 | 707 | 696 |
| n = 2048 | 2048 | 1696 | 1560 | 1489 | 1444 | 1414 | 1392 |

Table 4. Lower bounds for $\eta_2$ under Theorem 7.

5 Conclusions

In this paper we presented and illustrated two attacks based on factoring RSA moduli with weak primes. We further computed lower bounds for the sets of weak moduli (that is, moduli made of at least one or two weak primes respectively) in the interval $[2^{2n}, 2^{2(n+1)}]$ and showed that these sets are much larger than the set of RSA prime factors satisfying Coppersmith's conditions, which effectively extends the likelihood for factoring RSA moduli.
References

1. ANSI Standard X9.31-1998, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA).
2. Bernstein, D.J., Chang, Y.A., Cheng, C.M., Chou, L.P., Heninger, N., Lange, T., van Someren, N.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Advances in Cryptology - ASIACRYPT 2013, Springer, pp. 341-360 (2013)
3. Boneh, D.: Twenty years of attacks on the RSA cryptosystem, Notices Amer. Math. Soc. 46 (2), pp. 203-213 (1999)
4. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292, Advances in Cryptology - Eurocrypt '99, Lecture Notes in Computer Science Vol. 1592, Springer-Verlag, pp. 1-11 (1999)
5. Compaq Computer Corporation: Cryptography using Compaq multiprime technology in a parallel processing environment, 2002. Available online at ftp://ftp.compaq.com/pub/solutions/compaqmultiprimewp.pdf
6. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology, 10(4), pp. 233-260 (1997)
7. Hardy, G.H., Wright, E.M.: An Introduction to the Theory of Numbers. Oxford University Press, London (1975)
8. Hastad, J.: On Using RSA with Low Exponent in a Public Key Network, in Proceedings of CRYPTO '85, Springer-Verlag, pp. 403-408 (1986)
9. Hastad, J.: Solving simultaneous modular equations of low degree, SIAM J. of Computing, Vol. 17, pp. 336-341 (1988)
10. Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Advances in Cryptology - ASIACRYPT 2008, Springer, pp. 406-424 (2008)
11. Lenstra, H.: Factoring integers with elliptic curves, Annals of Mathematics, Vol. 126, pp. 649-673 (1987)
12. Lenstra, A.K., Lenstra, H.W. Jr. (eds.): The Development of the Number Field Sieve, Lecture Notes in Mathematics, vol. 1554, Berlin, Springer-Verlag (1993)
13. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients, Mathematische Annalen, Vol. 261, pp. 513-534 (1982)
14. Lu, Y., Zhang, R., Lin, D.: New Results on Solving Linear Equations Modulo Unknown Divisors and its Applications, Cryptology ePrint Archive, Report 2014/343, 2014, https://eprint.iacr.org/2014/343
15. May, A.: New RSA Vulnerabilities Using Lattice Reduction Methods. PhD thesis, University of Paderborn (2003)
16. Nitaj, A.: Another generalization of Wiener's attack on RSA, In: Vaudenay, S. (ed.) Africacrypt 2008. LNCS, vol. 5023, pp. 174-190. Springer, Heidelberg (2008)
17. Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining digital signatures and public-key cryptosystems, Communications of the ACM, Vol. 21 (2), pp. 120-126 (1978)
18. Zimmermann, P.: 50 largest factors found by ECM, http://www.loria.fr/~zimmerma/records/top50.html
19. de Weger, B.: Cryptanalysis of RSA with small prime difference, Applicable Algebra in Engineering, Communication and Computing, Vol. 13(1), pp. 17-28 (2002)
20. Wiener, M.: Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, Vol. 36, pp. 553-558 (1990)