Abstract
Since May (Crypto’02) revealed the vulnerability of the small CRT-exponent RSA using Coppersmith’s lattice-based method, several papers have studied the problem and two major improvements have been made. (1) Bleichenbacher and May (PKC’06) proposed an attack for small \(d_q\) when the prime factor p is significantly smaller than the other prime factor q; the attack works for \(p<N^{0.468}\). (2) Jochemsz and May (Crypto’07) proposed an attack for small \(d_p\) and \(d_q\) when the prime factors p and q are balanced; the attack works for \(d_p, d_q<N^{0.073}\). Even a decade has passed since their proposals, the above two attacks are still considered as the state of the art, and no improvements have been made thus far. A novel technique seems to be required for further improvements since it seems that the attacks have been studied with all the applicable techniques for Coppersmith’s methods proposed by Durfee–Nguyen (Asiacrypt’00), Jochemsz–May (Asiacrypt’06), and Herrmann–May (Asiacrypt’09, PKC’10). Since it seems that the attacks have been studied with all the applicable techniques for Coppersmith’s methods proposed by Durfee–Nguyen (Asiacrypt’00), Jochemsz–May (Asiacrypt’06), and Herrmann–May (Asiacrypt’09, PKC’10), improving the previous results seem technically hard. In this paper, we propose two improved attacks on the small CRT-exponent RSA: a small \(d_q\) attack for \(p<N^{0.5}\) (an improvement of Bleichenbacher–May’s) and a small \(d_p\) and \(d_q\) attack for \(d_p, d_q < N^{0.122}\) (an improvement of Jochemsz–May’s). The latter result is also an improvement of our result in the proceeding version (Eurocrypt ’17); \(d_p, d_q < N^{0.091}\). We use Coppersmith’s lattice-based method to solve modular equations and obtain the improvements from a novel lattice construction by exploiting useful algebraic structures of the CRT-RSA key generation equation. We explicitly show proofs of our attacks and verify the validities by computer experiments. In addition to the two main attacks, we also propose small \(d_q\) attacks on several variants of RSA.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
1.1 Background
Let \(N=pq\) be a public RSA modulus whose prime factors p and q are usually the same bitsize. A public exponent e and a secret exponent d satisfy \(ed=1 \mod (p-1)(q-1)\). For encryption/verifying (resp. decryption/signing), the heavy modular exponentiation of e (resp. d) modulo N has to be computed. To resolve the issue, using a small public or secret exponent may be the most simple approach. However, Wiener [57] showed that a public RSA modulus is factorized in polynomial time when the secret exponent is too small such that \(d<N^{0.25}\). Boneh and Durfee [3] revisited the problem with Coppersmith’s lattice-based method [8, 20] and improved the bound to \(d<N^{0.284}\). Furthermore, in the same work, the bound was improved to \(d<N^{0.292}\) by exploiting sublattice structures from the previous one although the proof is involved.
To simultaneously thwart the small secret exponent attack and achieve fast decryption/signing, the Chinese Remainder Theorem (CRT) is often used as described by Quisquater and Couvreur [40]. Instead of the original secret exponent d, there are CRT-exponents \(d_p\) and \(d_q\) that satisfy
The PKCS#1 standard [39] has specified that an RSA secret key should be \((p,q,d,d_p,d_q,q_{p}^{-1})\), where \(d_p\) and \(d_q\) are the CRT-exponents.
Then a natural question to ask is whether there exist analogous attacks of the Boneh–Durfee [3] to the small CRT-exponents. The first affirmative answer was given by May (Crypto’02) [29]. May analyzed the unbalanced RSA whose prime factor p is significantly smaller than the other prime factor q, and proposed an attack for a small \(d_q\) with an arbitrary large \(d_p\). The paper contains two attacks, where the former attack works for \(p<N^{0.382}\). The latter attack works only for smaller p, however, is better than the former attack for \(p<N^{0.23}\) in the sense that a larger \(d_q\) can be recovered. Since May’s attack works only in the unbalanced setting, it is an interesting open question if the attacks can be improved to cover the balanced RSA.
Subsequently, several improved attacks on the small CRT-exponent RSA have been proposed. Bleichenbacher and May (PKC’06) [5] revisited May’s work [29] in the same attack scenario and proposed an improved attack. The attack works for a larger p such that \(p<N^{0.468}\), and recovers a larger \(d_q\) than May’s attack for any size of p. However, Bleichenbacher–May’s improved attack could still not cover balanced prime factors. To attack the balanced RSA, Bleichenbacher and May analyzed other attack scenarios, where both \(d_p\) and \(d_q\) are small in the same work. They proposed an attack which works when e is significantly smaller than N. Although the same situation was already studied by Galbraith et al. [14], Sun and Wu [45], their attacks only work for a smaller e. Finally, Jochemsz and May (Crypto’07) [22] proposed the first attack that works for a full size e when \(d_p,d_q<N^{0.073}\).
In the past decade, no improved attacks of Bleichenbacher–May [5] and Jochemsz–May [22] have been proposed. Hence, following these attacks seems to be the best way to study the security of the CRT-RSA. Indeed, until recently, several papers followed the attacks and reported the vulnerabilities of the CRT-RSA, e.g., an attack on Takagi’s RSA [43], an attack on the RSA with multiple exponent pairs [35], and partial key exposure attacks [4, 27, 44, 49, 51].
1.2 Technical Hardness
Coppersmith introduced two lattice-based methods, to solve a modular equation [8] and an integer equation [7]. May’s attack and Bleichenbacher–May’s attack used the former method, whereas Jochemsz–May’s attack used the latter method. Both methods first construct a lattice and then solve equations with a small root in polynomial time using the LLL lattice reduction [25]. In this research area, constructing better attacks is equivalent to designing better lattices that contain the more useful algebraic structure of the equation. For the purpose, several useful strategies and techniques for lattice constructions have been introduced thus far. Currently best known small CRT-exponent attacks [5, 22, 29] are based on the state of the art lattice constructions: the Durfee–Nguyen technique (Asiacrypt’00) [12] and the Jochemsz–May strategy (Asiacrypt’06) [21]. Since the Durfee–Nguyen technique is useful to handle the relation \(N=pq\) and the Jochemsz–May construction yields good lattices for arbitrary polynomials, these approaches [5, 29] seem appropriate to study the attack. Moreover, to the best of our knowledge, there remained no useful strategies to analyze the attack scenarios at that time. After the proposals of [5, 22, 29], a new technique called unravelled linearization was introduced by Herrmann and May (Asiacrypt’09) [18]. The technique has been used to study various attack scenarios on RSA, e.g., [6, 15, 16, 19, 23, 24, 37, 38, 47, 48, 50, 52,53,54,55], and drastically developed the research area. For example, Herrmann and May [19] showed an elementary proof of Boneh–Durfee’s stronger attack [3] for \(d<N^{0.292}\) by exploiting the sublattice structures. However, unfortunately, unravelled linearization could not improve small CRT-exponent attacks. Although Herrmann and May (PKC’10) [19] tried to exploit sublattice structures, they could not obtain better asymptotic bounds. Therefore, obtaining better bounds seems technically hard.
1.3 Our Results
In this paper, we develop a novel lattice construction that enables us to exploit more useful algebraic structures of the CRT-RSA key generation equation. A basic application of the technique is an improved small \(d_q\) attack for unbalanced prime factors (Sect. 3). As opposed to the previous results by May [29] and Bleichenbacher–May [5], our attack is the first result to reach a meaningful bound, i.e., \(p<N^{0.5}\). Hence, we solve one of the major open problems for the security of the small CRT-exponent RSA. Moreover, our attack can recover a larger \(d_q\) than [5, 29] for any size of p. In addition, our attack requires less lattice dimensions than Bleichenbacher–May’s attack [5] since our technique exploits sublattice structures from [5]’s lattice, where the approach is similar to Boneh–Durfee [3]. Indeed, our experiments show that Bleichenbacher–May’s attack works better than their theoretical analyses. Hence, our careful analysis successfully fills the gap between theoretical and experimental behaviors.
We claim that our lattice construction is not limited to the small \(d_q\) attack. The construction is also applicable to a small \(d_p\) and \(d_q\) attack (Sect. 4) that improves Jochemsz–May’s attack [22]. As we mentioned, small \(d_q\) attacks [5, 29] and small \(d_p\) and \(d_q\) attacks [22] were studied with different approaches in previous works; the former attack used Coppersmith’s modular method, whereas the latter attack used Coppersmith’s integer method. However, our powerful lattice construction enables us to improve these attacks in the same manner. Our attack works for \(d_p,d_q<N^{0.122}\) with a full size e where the exponent of N is about \(40\%\) larger than Jochemsz–May’s attack. Notice that our proposed attack in this paper is much better than that in our proceeding version [56] that works when \(d_p,d_q<N^{0.091}\).
Recently, numerous papers [13, 17, 26, 28, 34,35,36, 41,42,43, 47, 50, 52] have been studying the security of RSA variants. Hence, we show several extensions for our small \(d_q\) attack on the RSA variants (Sect. 5), i.e., the Multi-Prime RSA, Takagi’s RSA, and the RSA with multiple exponent pairs. Our attacks significantly improve previous attacks on these variants [35, 43].
1.4 Key Technique
We show an overview of our technique. The CRT-RSA key generation for \(d_q\) is written as
with some integer k. By multiplying the equation by p, we obtain
Recall in May’s and Bleichenbacher–May’s attack scenario [5, 29], the prime p is significantly smaller than the other prime q. They solved the latter equation (2) modulo e to recover unknown \((k-1,p)\). Since the prime p is significantly smaller than the other prime q, to construct better attacks, solving Eq. (2) is more promising approach than solving Eq. (1) to recover (k, q). Hence, only Eq. (2) is used in previous attacks. However, it means that the constructions of previous attacks significantly rely on the fact that p is much smaller than q. As a result, these attacks do not work when p is close to \(N^{0.5}\).
What we focus on is a fact that Eqs. (1) and (2) are essentially the same; there are two representations for the same CRT-RSA key generation. As opposed to previous works, our improved lattice constructions utilize the algebraic structure of both Eqs. (1) and (2) simultaneously, not only the equation (2). The two representations are compatible in the sense that the combination enables us to exploit more useful algebraic structures. More specifically, we use Eqs. (1) and (2), where the proportion can be adaptively determined by the sizes of p and q. Then, to solve the modulo e equation as previous works, our framework always yields the better lattices than previous approaches. Our attacks are better than Bleichenbacher–May’s attack for any size of p.
At a glance, our lattice construction technique is specialized to the improvement of Bleichenbacher–May’s attack. As we pointed out, May’s attack and Bleichenbacher–May’s attack used Coppersmith’s method to solve a modular equation [8, 20], whereas Jochemsz–May’s attack used the method to solve an integer equation [7, 11]. The modular equation for the former attack and the integer equation for the latter attack have completely different algebraic structures. However, surprisingly, our powerful lattice construction enables us to construct better lattices and improves Jochemsz–May’s attack, too. It suggests that the construction is quite useful to study the security of CRT-RSA over a wide range.
2 Preliminaries
Consider a modular equation \(h(x_1,\ldots ,x_r)=0 \pmod {W}\), where all the absolute values of the target solutions \(({\tilde{x}}_1,\ldots ,{\tilde{x}}_r)\) are bounded above by \(X_1,\ldots ,X_r\). When \( \prod ^r_{j=1}X_j\) is reasonably smaller than W, Coppersmith’s method can find all the solutions in polynomial time. In this section, we recall a simplified reformulation of the method proposed by Howgrave–Graham [20] and its basis tools, i.e., Howgrave–Graham’s lemma and the LLL algorithm.
Let \(\Vert h(x_1,\ldots ,x_r)\Vert \) denote the norm of a polynomial which represents the Euclidean norm of the coefficient vector. The following Howgrave–Graham’s lemma reduces the modular equations into integer equations.
Lemma 1
(Howgrave–Graham’s Lemma [20]) Let \( {\tilde{h}}(x_1,\ldots ,x_r)\in {\mathbb {Z}}[x_1,\ldots ,x_r]\) be a polynomial with at most n monomials. Let \(m,W,X_1,\ldots ,X_r\) be positive integers. Suppose that:
-
1.
\( {\tilde{h}}({\tilde{x}}_1,\ldots ,{\tilde{x}}_r)=0 \pmod {W^m}\), where \(|{\tilde{x}}_1|<X_1,\ldots ,|{\tilde{x}}_r|<X_r\),
-
2.
\( \Vert {\tilde{h}}(x_1X_1,\ldots ,x_rX_r) \Vert <W^m/\sqrt{n}\).
Then \( {\tilde{h}}({\tilde{x}}_1,\ldots ,{\tilde{x}}_r)=0\) holds over the integers.
To solve r-variate modular equations \(h(x_1,\ldots ,x_r)=0 \pmod {W}\), it suffices to find r new polynomials \( {\tilde{h}}_1(x_1,\ldots ,x_r), \ldots , {\tilde{h}}_r(x_1,\ldots ,x_r)\) whose root is the same as the original one, i.e., \((x_1,\ldots ,x_r)=({\tilde{x}}_1,\ldots ,{\tilde{x}}_r)\), and whose norms are small enough to satisfy Howgrave–Graham’s lemma.
To find such small norm polynomials from the original modular polynomial \(h(x_1,\ldots ,x_r)\), lattices and the LLL algorithm are used. An n-dimensional lattice is an additive discrete subgroup of \({\mathbb {Z}}^n\). In other words, a lattice represents all integer linear combinations of its basis vectors. All vectors are row representation throughout the paper. Let \(\varvec{b}_1,\ldots ,\varvec{b}_m\) be n-dimensional linearly independent vectors in \({\mathbb {Z}}^n\). A lattice spanned by these vectors as a basis is defined as \(L(\varvec{b}_1,\ldots ,\varvec{b}_m):=\{\sum ^m_{j=1}c_j\varvec{b}_j: c_j \in {\mathbb {Z}}\ \text{ for } \text{ all }\ j=1,2,\ldots ,n \}.\) We also use a matrix representation for the basis. We define a basis matrix \(\varvec{B}\) as \(m\times n\) matrix which has the basis vectors \(\varvec{b}_1,\ldots ,\varvec{b}_m\) in each row. A lattice spanned by a basis matrix \(\varvec{B}\) is denoted as \(L(\varvec{B})\). We call a lattice full-rank if and only if \(n=m\). The determinant of a lattice \(\det (L(\varvec{B}))\) is defined as the m-dimensional volume of the fundamental parallelepiped; \({\mathcal {P}}(\varvec{B}):=\{\mathbf{c}B: {\mathbf{c}} \in {\mathbb {R}}^m, 0 \le c_j<1, \text{ for }\ \text{ all }\ j=1,2,\ldots ,m \}\). The determinant can be computed as \(\det (L(\varvec{B}))=\sqrt{\det (\varvec{B}\varvec{B}^T)}\) in general and that of a full-rank lattice can be computed as \(\det (L(\varvec{B}))=|\det (\varvec{B})|\). In this paper, we only use a full-rank lattice. More specifically, we only use a lattice with a triangular basis matrix. Hence, the determinant of the lattice can be computed easily as the absolute value of a product of all diagonal entries.
Lattices have been used in various ways in cryptographic research. See [9, 10, 30,31,32] for more information. In cryptanalysis, finding nonzero short lattice vectors is usually an essential operation. In this paper, we recall the LLL algorithm [25] that outputs short lattice vectors in polynomial time.
Proposition 1
(LLL algorithm [25, 30]) Given linearly independent vectors \(\varvec{b}_1,\ldots ,\varvec{b}_n\) in \( {\mathbb {Z}}^n\), the LLL algorithm finds new basis vectors \( \tilde{\varvec{b}}_1,\ldots ,\tilde{\varvec{b}}_n\) for a lattice \(L(\varvec{b}_1,\ldots ,\varvec{b}_n)\) that satisfy
in time polynomial in n and the maximum input length of \(\varvec{b}_1,\ldots ,\varvec{b}_n\).
Again, we explain how to solve the modular equation \(h(x_1,\ldots ,x_r)=0 \pmod {W}\). At first, we construct n polynomials \(h_1(x_1,\ldots ,x_r),\ldots ,h_n(x_1,\ldots ,x_r)\) that have the root \(({\tilde{x}}_1,\ldots ,{\tilde{x}}_r)\) modulo \(W^m\) with some positive integer m. Then we construct n basis vectors \(\varvec{b}_1,\ldots ,\varvec{b}_n\) and equivalently its matrix representation \(\varvec{B}\). Each elements of a vector \(\varvec{b}_j\) for \(j=1,2,\ldots ,n\) is a coefficient of \(h_j(x_1X_1,\ldots ,x_rX_r)\). Since all vectors in a lattice \(L(\varvec{B})\) are integer linear combinations of the basis vectors, all polynomials whose coefficients are derived from lattice vectors have the root \(({\tilde{x}}_1,\ldots ,{\tilde{x}}_r)\) modulo \(W^m\). We apply the LLL algorithm to a lattice basis \(\varvec{B}\) and obtain r LLL-reduced vectors \( \tilde{\varvec{b}}_1,\ldots ,\tilde{\varvec{b}}_r\). Then new polynomials \( {\tilde{h}}_1(x_1,\ldots ,x_r),\ldots ,{\tilde{h}}_r(x_1,\ldots ,x_r)\) which are derived from the above r LLL-reduced vectors satisfy Howgrave–Graham’s lemma provided that \(\det (L(\varvec{B})))^{1/n}<W^m\). Here, we omit small terms that do not depend on W. When we obtain r polynomials \( {\tilde{h}}_1(x_1,\ldots ,x_r), \ldots , {\tilde{h}}_r(x_1,\ldots ,x_r)\), the root \(({\tilde{x}}_1,\ldots ,{\tilde{x}}_r)\) can easily be recovered by computing resultant or Gröbner bases for the polynomials.
We should note that the method needs heuristic argument for multivariate problems. The polynomials \({\tilde{h}}_1(x_1,\ldots ,x_r),\ldots , {\tilde{h}}_n(x_1,\ldots ,x_r)\) derived from LLL output vectors have no assurance of algebraic independency. In this paper, we assume that the polynomials are algebraic independent as previous works [5, 22, 29] since there exist few negative reports. Moreover, we justify the validity of our attacks by computer experiments.
3 Small \(d_q\) Attack
In this section, we propose an attack for small \(d_q\) where p is significantly smaller than q. The attack improves Bleichenbacher–May’s attack [5].
3.1 An Overview of the Lattice Construction
At first, we explain our strategy for lattice constructions. Since our lattice construction is highly technical, we show toy examples that compare previous lattices [5, 29] and ours. We hope that these examples help readers to understand our lattice construction easily.
Recall the CRT-RSA key generation;
with some integer k. If we can solve the following modular equation:
whose root is \((x_{q},y_q)=(k,q)\), a public modulus N can be factorized. However, since the prime factor q is significantly larger than the other prime factor p, i.e., \(p=N^{\beta }\) and \(q=N^{1-\beta }\) for \(\beta \le 1/2\), May [29] multiplied the above equation by p and obtained the following equation:
Hence, if the following modular equation can be solved, the public modulus N can be factorized:
whose root is \((x_{p},y_p)=(k-1,p)\). Let \(e=N^{\alpha }\) and \(d_q=N^{\delta }\). Then the absolute values of the root \((x_p,x_q,y_p,y_q)\) is bounded above by \(X_{p}:=N^{\alpha +\beta +\delta -1}, X_{q}:=N^{\alpha +\beta +\delta -1}, Y_p:=N^{\beta }, Y_q:=N^{1-\beta }\), respectively, within constant factors. Later we also use a notation \(X:=X_p=X_q\). In this setting, the other CRT-exponent \(d_p\) can be arbitrary large such that \(d_p\approx N^{\beta }\).
3.1.1 May’s Matrix
May [29] solved the modular equation \(f_{p}(x_{p},y_p)=0\) under the standard lattice construction which can be captured by Jochemsz–May’s strategy [22]. For example, although we omit the detail, he constructed the basis matrix as the following:
where the rows consist of coefficients of seven polynomials:
All the polynomials share the common root as \(f_{p}(x_{p},y_p)\) modulo e. In addition to the base polynomials, i.e., \(e, ex_{p}, f_{p}(x_{p},y_p)\), he added extra \(y_p\)-shifts, i.e., \(ey_p, y_pf_{p}(x_{p},y_p), ey_p^2, y_p^2f_{p}(x_{p},y_p)\). Applying the LLL reduction to the above matrix, polynomials derived from the LLL output vectors satisfy Howgrave–Graham’s lemma when
The core idea of the approach is solving Eq. (2) not (1) since p is significantly smaller than q. Hence, if p becomes close to q such that \(\beta \ge 0.382\), May’s attack does not work.
3.1.2 Bleichenbacher–May Matrix
To improve May’s attack [29] based on the above matrix, Bleichenbacher and May [5] made use of the relation \(y_py_q=N\) as Durfee and Nguyen [12]. Although the exact solution of \(y_p\) is unknown, the relation enables us to reduce powers of \(Y_p\) in the diagonal entries by multiplying powers of \(y_q\) to all the polynomials. By optimizing the powers of \(y_q\), Bleichenbacher–May’s matrix always offers better results than May’s matrix.
To explain our improvement later, we modify Bleichenbacher–May’s matrix, where the modified matrix offers the same bound as the original Bleichenbacher–May matrix. The modification helps readers to understand the spirit of our improvement. Previous May’s matrix used only extra \(y_p\)-shifts; however, modified Bleichenbacher–May’s matrix used both \(y_p\)-shifts and \(y_q\)-shifts. Hence, we omit \(ey_p^2, y_p^2f_{p}(x_{p},y_p)\) from the above matrix and add \(ey_q, N^{-1}\cdot y_qf_p(x_p,y_p)\) in turn where the new polynomials share the common root as \(f_{p}(x_{p},y_p)\) modulo e:
The rows consist of coefficients of seven polynomials:
Although the precise definition of the polynomial selection is slightly different from the one in the original paper, they are essentially the same in the sense that the above matrix yields the same bound as the original Bleichenbacher–May attack. Applying the LLL reduction to the above matrix, polynomials derived from the LLL output vectors satisfy Howgrave–Graham’s lemma when
Compared with May’s matrix, the matrix reduces the powers of \(Y_p\) by multiplying the powers of \(Y_q\). It means that Bleichenbacher–May’s approach tries to control the appearance of \(Y_p\) and \(Y_q\). Then the attack works for larger p than May’s attack up to \(p<N^{0.468}\). By optimizing the selection of \(y_p\)-shifts and \(y_q\)-shifts, Bleichenbacher–May’s attack is always better than May’s attack.
3.1.3 Our Matrix
To improve the Bleichenbacher–May attack, what we focus on is the representation of the polynomial. More concretely, previous works used only one representation, i.e., \(f_{p}(x_{p},y_p)\), however, there is the other representation, i.e., \(f_q(x_q,y_q)\), for the same polynomial. Indeed, a useful algebraic property can be exploited from the polynomial \(f_{q}(x_{q},y_q)\) by making use of the fact that \(x_{q}=x_{p}+1\). For the above Bleichenbacher–May matrix to be triangular, the polynomial \(ey_q\) is necessary. Since \(eY_q\) is larger than the modulus e, the polynomial does not contribute to maximize the solvable root bound as explained in [31, 46]. However, we make use of \(f_{q}(x_{q},y_q)\) and show that the matrix becomes triangular without \(ey_q\) as follows:
The rows consist of coefficients of six polynomials:
Although the above Bleichenbacher–May matrix used \(N^{-1}\cdot y_qf_{p}(x_{p},y_p)\) in the bottom row, we use \(f_{q}(x_{q},y_q)\) in turn. Notice that \(f_{q}(x_{q},y_q)=N^{-1}\cdot y_qf_{p}(x_{p},y_p)\), and we use the same polynomial as the Bleichenbacher–May; however, the algebraic structure of \(f_q(x_{q},y_q)\) , i.e., the relation \(x_q=x_p+1\), enables the matrix to be triangular without \(ey_q\). The operation means that Bleichenbacher–May’s matrix contains better sublattices. The representation \(f_{q}(x_{q},y_q)\), which was not used by Bleichenbacher and May, enables us to exploit the sublattices. Indeed, by construction, our matrix always outperforms the above Bleichenbacher–May matrix with less lattice dimensions. Applying the LLL reduction to our above matrix, polynomials derived from the LLL output vectors satisfy Howgrave–Graham’s lemma when
Since \(\beta \le 1/2\), the bound is always better than the above Bleichenbacher–May example.
3.1.4 May’s Modulo q Attack
We should notice that our lattice construction does not always offer the best attack. More concretely, as we discussed above, our lattice offers better results than all the existing lattices to solve \(f_p(x_p,y_p)=0\) and \(f_q(x_q,y_q)=0\). However, there is the other formulations to attack CRT-RSA, i.e., May’s modulo q approach [29]. From the CRT-RSA key generation \(ed_q=1+k(q-1)\), May solved a modular equation;
whose root is \((k-1,d_q)\). Since the modulo e and the modulo q approach is different, we should check which method is better. Although our modulo e attacks are the better in most cases, we will show in Sect. 5.2 that the modulo p approach outperforms modulo e approach for small \(d_p\) attack with a modulus \(N=p^rq\).
3.2 Attack for Large e
Although the above discussion handled only toy examples, our approach improves an asymptotic condition of the small CRT-exponent attack. In this section, we propose an improved attack that works when \(\alpha >\beta /(1-\beta )\). The attack is the first result to cover the desired bound, i.e., \(\beta <1/2\) with a full size e.
Theorem 1
Let \(N=pq\) be an RSA modulus, where \(p=N^{\beta }\) and \(q=N^{1-\beta }\) for \(\beta \le 1/2\). Let \(e=N^{\alpha }\) and \(d_q<N^{\delta }\) be a public/CRT-exponent, respectively, such that \(ed_q=1 \pmod {(q-1)}\). Given public elements N and e, if N is sufficiently large and
then N can be factorized in polynomial time by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
As opposed to previous results, when \(\alpha =1\), the attack works to \(\beta <1/2\). Figure 1 shows comparison of our result and the Bleichenbacher–May for \(\alpha =1\). Our attack covers larger \(\delta \) than the Bleichenbacher–May attack for all \(\beta \).
Proof of Theorem 1
To solve the modular equation \(f_{q}(x_{q},y_q)=0\) and equivalently \(f_{p}(x_{p},y_p)=0\), we use the following shift-polynomials:
with some positive integer m. For nonnegative integers i and j, all the shift-polynomials share the same root as \(f_{p}(x_{p},y_p)\) and \(f_{q}(x_{q},y_q)\) modulo \(e^m\). May [29] used the same shift-polynomials as \(g_{[i,j]}(x_{p},y_p)\) and \(g'_{[i,j]}(x_{p},y_p)\). The (modified) Bleichenbacher–May attack used an additional shift-polynomial which used only \(f_{p}(x_{p},y_p)\). However, as we showed an example in the previous section, we use the both representations \(f_{p}(x_{p},y_p)\) and \(f_{q}(x_{q},y_q)\), simultaneously. Then we can construct triangular basis matrix that generalize the toy example as follows. \(\square \)
Lemma 2
Let all the polynomials be defined as above. Let \(\tau _p\) and \(\tau _q\) be constants such that \(\tau _p\ge 0\) and \(0\le \tau _q\le 1\). Define sets of indices
Let \(\varvec{B}\) be a matrix whose rows consist of coefficients of \(g_{[i,j]}(x_{p}X_p,y_pY_p)\), \(g'_{[i,j]}(x_{p}X_p,y_pY_p)\), and \(g''_{[i,j]}(x_{p}X_p,x_{q}X_q,y_pY_p,y_qY_q)\) with indices in \({\mathcal {I}}_x\), \({\mathcal {I}}_{y,p}\), and \({\mathcal {I}}_{y,q}\), respectively. If the shift-polynomials are ordered as
and \(N^{-1} \pmod {e^m}\) is multiplied appropriately, then the matrix becomes triangular with diagonal entries
-
\(X_{p}^{i+j}Y_p^ie^{m-i}\) for \(g_{[i,j]}(x_{p}X_p,y_pY_p)\),
-
\(X_{p}^{i}Y_p^{i+j}e^{m-i}\) for \(g'_{[i,j]}(x_{p}X_p,y_pY_p)\),
-
\(X_{q}^{i}Y_q^je^{m-i}\) for \(g''_{[i,j]}(x_{p}Y_p,x_{q}X_q,y_pY_p,y_qY_q)\).
Here, we do not prove the lemma. In Sect. 3.4, we prove a more general form of the statement, i.e., Lemma 3.
We compute the resulting condition of Theorem 1. The dimension n and the determinant of the lattice \(\det (\varvec{B})=X^{s_{X}}Y_p^{s_{Y_p}}Y_q^{s_{Y_q}}e^{s_{e}}\) can be computed as:
Applying the LLL reduction, the polynomials obtained from the output vectors satisfy Howgrave–Graham’s lemma if \(X^{s_{X}}Y_p^{s_{Y_p}}Y_q^{s_{Y_q}}e^{s_e}<e^{nm}\), i.e.,
by omitting low-order terms of m. To minimize the left-hand side of the inequality, we substitute the parameters
then the condition becomes
as required. To satisfy the restriction \(\tau _p\ge 0\), \(\alpha >\beta /(1-\beta )\) should hold. The other parameter \(\tau _q\) always satisfies \(0\le \tau _q\le 1\). \(\square \)
3.3 Attack for Small e
The attack of Theorem 1 works only for \(\alpha >\beta /(1-\beta )\). The constraint comes from the fact that the parameter \(\tau _p\) used in the proof should be nonnegative. To capture the other case, i.e., \(\alpha \le \beta /(1-\beta )\), under the same algorithm construction, we set the parameters \(\tau _p=0\) and \(\tau _q=(1-\beta -\delta )/(1-\beta )\), then the attack works for \(\delta <2(1-\beta )-\sqrt{(1+\alpha )(1-\beta )}\).
However, by modifying the lattice construction, a better result can be obtained as follows.
Theorem 2
Let \(N=pq\) be an RSA modulus, where \(p<N^{\beta }\) and \(q\ge N^{1-\beta }\) for \(\beta \le 1/2\). Let \(e=N^{\alpha }\) and \(d_q<N^{\delta }\) be a public/CRT-exponent, respectively, such that \(ed_q=1 \pmod {(q-1)}\). Given public elements N and e, if N is sufficiently large and
then N can be factorized in polynomial time by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
As we claimed, the bound of Theorem 2 is better than \(\delta <2(1-\beta )-\sqrt{(1+\alpha )(1-\beta )}\) that can be obtained from the same algorithm construction as Theorem 1. We show the proof of Theorem 2. The proof is more technical than that of Theorem 1; however, the spirit is almost the same. In the subsequent sections, lattices that are similar to that of Theorem 2 will be used.
Proof of Theorem 2
To solve the modular equation \(f_{q}(x_{q},y_q)=0\) and equivalently \(f_{p}(x_{p},y_p)=0\), we use the following shift-polynomials:
with some positive integer m and a parameter \(0<\lambda \le 1\). For nonnegative integers i and j, all the shift-polynomials share the common root as \(f_{p}(x_{p},y_p)\) and \(f_{q}(x_{q},y_q)\) modulo \(e^m\). Here, notice that \(\lceil \lambda i\rceil +\lfloor (1-\lambda )i\rfloor =i\) for all i. The shift-polynomials \(g'_{[i,j]}(x_{p},y_p)\) and \(g''_{[i,j]}(x_{p},y_p)\) used in the proof of Theorem 1 is the special case of \(g_{[i,j],\lambda }(x_{p},x_q,y_p,y_q)\) and \(g'_{[i,j],\lambda }(x_{p},x_q,y_p,y_q)\) for \(\lambda =1\). As the attack of Theorem 1, we use both representations \(f_{p}(x_{p},y_p)\) and \(f_{q}(x_{q},y_q)\) simultaneously for all shift-polynomials. Using these shift-polynomials, we can construct triangular basis matrix as follows.
Lemma 3
Let all the polynomials be defined as above. Let \(\tau \) be a constant such that \(1-\lambda <\tau \le 1\). Let m be a positive integer. Define sets of indices as
Let \(\varvec{B}\) be a matrix whose rows consist of coefficients of \(g_{[i,j],\lambda }(x_{p}X_p,x_qX_q,y_pY_p,y_qY_q)\) and \(g'_{[i,j],\lambda }(x_{p}X_p,x_qX_q,y_pY_p,y_qY_q)\) with indices in \({\mathcal {I}}_{x}\) and \({\mathcal {I}}_{y,q}\), respectively. If the shift-polynomials are ordered as
and \(N^{-1} \pmod {e^m}\) is multiplied appropriately, then the matrix becomes triangular with diagonal entries
-
\(X_{p}^{i+j}Y_p^{\lceil \lambda i\rceil }e^{m-i}\) for \(g_{[i,j],\lambda }(x_{p}X_{p},x_qX_{q},y_pY_p,y_qY_q)\) with i such that \(i=0\) or \(\lceil \lambda i\rceil -\lceil \lambda (i-1)\rceil =1\),
-
\(X_{q}^{i+j}Y_q^{\lfloor (1-\lambda )i\rfloor }e^{m-i}\) for \(g_{[i,j],\lambda }(x_{p}X_{p},x_qX_{q},y_pY_p,y_qY_q)\) with i such that \(i\ne 0\) and \(\lceil \lambda i\rceil -\lceil \lambda (i-1)\rceil =0\),
-
\(X_{q}^{i}Y_q^{\lfloor (1-\lambda )i\rfloor +j}e^{m-i}\) for \(g'_{[i,j],\lambda }(x_{p}X_{p},x_qX_{q},y_pY_p,y_qY_q)\).
A proof of the lemma is the most technical part of this paper. We prove it in Sect. 3.4.
We compute the resulting condition of Theorem 2. The dimension n and the determinant of the lattice \(\det (\varvec{B})=X^{s_{X}}Y_p^{s_{Y_p}}Y_q^{s_{Y_q}}e^{s_{e}}\) can be computed as:
Applying the LLL reduction, the polynomials obtained from the output vectors satisfy Howgrave–Graham’s lemma if \(X^{s_{X}}Y_p^{s_{Y_p}}Y_q^{s_{Y_q}}e^{s_e}<e^{nm}\), i.e.,
by omitting low-order terms of m. To minimize the left-hand side of the inequality, we set the parameters
then the condition becomes
as required. To satisfy the restrictions \(0<\lambda \le 1\) and \(1-\lambda <\tau \le 1\), \(\beta (1-\beta )\le \alpha \le \beta /(1-\beta )\) should hold. \(\square \)
As opposed to the attack of Theorem 1, that of Theorem 2 is applicable to a balanced RSA, i.e., \(\beta =1/2\), for \(\alpha \le 1\). For a balanced RSA, we substitute \(\beta =1/2\) and the attack becomes as follows.
Theorem 3
Let \(N=pq\) be an RSA modulus, where the prime factors p and q are the same bitsize. Let \(e=N^{\alpha }\) and \(d_q<N^{\delta }\) be a public/CRT-exponent, respectively, such that \(ed_q=1 \pmod {(q-1)}\). Given public elements N and e, if N is sufficiently large and
then N can be factorized in polynomial time by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
By construction, the attack always outperforms that under Bleichenbacher–May’s lattice construction. We also compare our attack with that of Lu et al. [29] (Theorem 9 of [28]) that follows May’s modulo q approach.
Theorem 4
([28]) Let \(N=pq\) be an RSA modulus, where the prime factors p and q are the same bitsize. Let \(e=N^{\alpha }\) and \(d_q<N^{\delta }\) be a public/CRT-exponent, respectively, such that \(ed_q=1 \pmod {(q-1)}\). Given public elements N and e, if
then N can be factorized in polynomial time by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
Figure 2 shows comparison of our attack (Theorem 3) and that of Lu et al. (Theorem 4). Our attack is better for all \(1/4<\alpha <1\).
3.4 Proof of Lemma 3
In this section, we show a proof of Lemma 3 that is the most technical part of this paper. Before the detailed proof, we explain the spirit of our triangular matrix. The polynomials that we use contain four variables \(x_p, x_q, y_p, y_q\). Furthermore, there are two algebraic relations: \(x_q=x_p+1\) and \(y_py_q=N\). By using the latter relation, i.e., \(y_py_q=N\), we transform all monomials as they do not have both \(y_p\) and \(y_q\), simultaneously, where the same operation was also done in previous works [5, 12]. Moreover, we use an additional trick. By using the former relation, i.e., \(x_q=x_p+1\), we transform all monomials as they do not have both \(x_p\) and \(x_q\), simultaneously. More concretely, the variable \(x_{p}\) appears only in monomials, where powers of \(y_p\) are nonnegative, whereas the variable \(x_{q}\) appears only in monomials, where powers of \(y_q\) are positive. The simple operation is the key technique of this paper. To visualize the operation, we show some examples of our triangular matrix in Tables 1 and 2 . We hope that the examples help reader to understand our technique easily.
Then we show the proof of Lemma 3.
Proof of Lemma 3
Since all the polynomials
for \(i=0\) have only one monomial \(x_{p}^je^m\), these polynomials generate triangular basis matrix with diagonal entries \(X_{p}^je^m\). Then the remaining proof is inductive; we show that the basis matrix is still triangular with other polynomials.
At first, we assume that polynomials \(g_{[i',j'],\lambda }(x_{p},x_{q},y_p,y_q)\) such that \(g_{[i',j'],\lambda }(x_{p},x_{q},y_p,y_q)\prec g_{[i,j],\lambda }(x_{p},x_{q},y_p,y_q)\) generate a triangular matrix as stated in Lemma 3. Then, we show that a matrix is still triangular with a new polynomial \(g_{[i,j],\lambda }(x_{p},x_{q},y_p,y_q)\) whose diagonal is \(X_p^{i+j}Y_{p}^{\lceil \lambda i\rceil }e^{m-i}\) or \(X_q^{i+j}Y_{q}^{\lfloor (1-\lambda )i\rfloor }e^{m-i}\). By definition,
From the relation \(x_{q}=x_{p}+1\) and equivalently \(x_p=x_q-1\), the polynomial becomes
By expanding \((Nx_{q}-x_{p}y_p)^{\lceil \lambda i\rceil }\) and \((x_{p}+x_{q}y_q)^{\lfloor (1-\lambda )i\rfloor }\), the polynomial becomes
From the relation \(y_py_q=N\), we modify all the monomial so that \(y_p\) and \(y_q\) do not appear in each monomial, simultaneously. Then, the polynomial becomes
Notice that there are no monomials that have \(y_p\) and \(y_q\), simultaneously. The exponents of \(y_p\) in the first summation are nonnegative, whereas the exponents of \(y_q\) in the second summation are positive. Hence, as we discussed above, we replace all \(x_q\) in the first summation by \(x_p+1\) and replace all \(x_p\) in the second summation by \(x_q-1\). Then, the polynomial becomes
The polynomial has monomials for variables
-
\(x_p^{i_{px}}y_{p}^{i_{py}}\) for \(i_{py}=0,1,\ldots ,\lceil \lambda i\rceil \),
-
\(x_q^{i_{qx}}y_{q}^{i_{qy}}\) for \(i_{qy}=1,2,\ldots ,\lfloor (1-\lambda )i\rfloor \),
for some \(i_{px}\) and \(i_{qx}\), respectively. When \(\lceil \lambda i\rceil -\lceil \lambda (i-1)\rceil =1\), all polynomials \(g_{[i',j'],\lambda }(x_p,x_q,y_p,y_q)\) that have diagonal entries for the following variables satisfy \(g_{[i',j'],\lambda }(x_p,x_q,y_p,y_q)\prec g_{[i,j],\lambda }(x_p,x_q,y_p,y_q)\):
-
\(x_p^{i_{px}}y_{p}^{i_{py}}\) for \(i_{py}=0,1,\ldots ,\lceil \lambda i\rceil -1\),
-
\(x_q^{i_{qx}}y_{q}^{i_{qy}}\) for \(i_{qy}=1,2,\ldots ,\lfloor (1-\lambda )i\rfloor \).
Since the remaining monomial in \(g_{[i,j],\lambda }(x_p,x_q,y_p,y_q)\) is only one element for a variable \(x_p^{i+j}y_{p}^{\lceil \lambda i\rceil }\). Hence, as stated in Lemma 3, the diagonal for \(g_{[i,j],\lambda }(x_p,x_q,y_p,y_q)\) such that \(\lceil \lambda i\rceil -\lceil \lambda (i-1)\rceil =1\) is \(X_p^{i+j}Y_{p}^{\lceil \lambda i\rceil }e^{m-i}\). As the same way, we can prove that the diagonal for \(g_{[i,j],\lambda }(x_p,x_q,y_p,y_q)\) such that \(i\ne 0\) and \(\lceil \lambda i\rceil -\lceil \lambda (i-1)\rceil \ne 1\) is \(X_q^{i+j}Y_{q}^{\lfloor (1-\lambda )i\rfloor }e^{m-i}\).
Next, we assume that polynomials \(g_{[i',j'],\lambda }(x_{p},x_{q},y_p,y_q)\) and \(g'_{[i',j'],\lambda }(x_{p},x_{q},y_p,y_q)\) such that \(g'_{[i',j'],\lambda }(x_{p},x_{q},y_p,y_q)\prec g'_{[i,j],\lambda }(x_{p},x_{q},y_p,y_q)\) generate a triangular matrix as stated in Lemma 3. Then, we show that a matrix is still triangular with a new polynomial \(g'_{[i,j],\lambda }(x_{p},x_{q},y_p,y_q)\) whose diagonal is \(X_q^{i}Y_{q}^{\lfloor (1-\lambda )i\rfloor +j}e^{m-i}\). By definition,
From the relation \(x_q=x_p+1\) and equivalently \(x_p=x_q-1\), the polynomial becomes
By expanding \((Nx_q-x_py_p)^{\lceil \lambda i\rceil }\) and \((x_p+x_qy_q)^{\lfloor (1-\lambda )i\rfloor }\),
From the relation \(y_py_q=N\), we modify all the monomial so that \(y_p\) and \(y_q\) do not appear in each monomial, simultaneously. Then, the polynomial becomes
Notice that there are no monomials that have \(y_p\) and \(y_q\), simultaneously. The exponents of \(y_p\) in the first summation are nonnegative, whereas the exponents of \(y_q\) in the second summation are positive. Hence, as we discussed above, we replace all \(x_q\) in the first summation by \(x_p+1\) and replace all \(x_p\) in the second summation by \(x_q-1\). Then, the polynomial becomes
The polynomial has monomials for variables
-
\(x_p^{i_{px}}y_{p}^{i_{py}}\) for \(i_{py}=0,1,\ldots ,\lceil \lambda i\rceil -j\),
-
\(x_q^{i_{qx}}y_{q}^{i_{qy}}\) for \(i_{qy}=1,2,\ldots ,\lfloor (1-\lambda )i\rfloor +j\),
for some \(i_{px}\) and \(i_{qx}\), respectively. Notice that \(g_{[i',j'],\lambda }(x_p,x_q,y_p,y_q)\prec g'_{[i,j],\lambda }(x_p,x_q,y_p,y_q)\) hold for all \((i',j')\), and all \(x_p^{i_{px}}y_{p}^{i_{py}}\) are diagonal entries of \(g_{[i',j'],\lambda }(x_p,x_q,y_p,y_q)\). All polynomials \(g'_{[i',j'],\lambda }(x_p,x_q,y_p,y_q)\) that have diagonal entries for the following variables satisfy \(g'_{[i',j'],\lambda }(x_p,x_q,y_p,y_q)\prec g'_{[i,j],\lambda }(x_p,x_q,y_p,y_q)\):
-
\(x_q^{i_{qx}}y_{q}^{i_{qy}}\) for \(i_{qy}=1,2,\ldots ,\lfloor (1-\lambda )i\rfloor -1\).
Since the remaining monomial in \(g_{[i,j],\lambda }(x_p,x_q,y_p,y_q)\) is only one element for a variable \(x_q^{i}y_{q}^{\lfloor (1-\lambda )i\rfloor +j}\). Hence, as stated in Lemma 3, the diagonal for \(g'_{[i,j],\lambda }(x_p,x_q,y_p,y_q)\) is \(X_q^{i}Y_{q}^{\lfloor (1-\lambda )i\rfloor +j}e^{m-i}\). \(\square \)
At the end of this section, we briefly show how to deduce Lemma 2 from Lemma 3. The collection of shift-polynomials \(g_{[i,j]}(x_{p},y_p)\) and \(g''_{[i,j]}(x_{p},x_{q},y_p,y_q)\) in Lemma 2 are essentially the same as \(g_{[i,j],\lambda }(x_{p},x_q,y_p,y_q)\) and \(g'_{[i,j],\lambda }(x_{p},x_q,y_p,y_q)\) in Lemma 3 for \(\lambda =1\). Hence, by setting the parameters \((\lambda ,\tau )\) in Lemma 3 as \((1,\tau _q)\), Lemma 3 shows that \(g_{[i,j]}(x_{p},y_p)\) and \(g''_{[i,j]}(x_{p},x_{q},y_p,y_q)\) in Lemma 2 generate a triangular matrix. To complete the proof of Lemma 2, we also use May’s result [29] that showed that polynomials \(g_{[i,j]}(x_{p},y_p)\) and \(g'_{[i,j]}(x_{p},y_p)\) generate a triangular matrix. As a result, \(g_{[i,j]}(x_{p},y_p)\), \(g'_{[i,j]}(x_{p},y_p)\), and \(g''_{[i,j]}(x_{p},x_{q},y_p,y_q)\) in Lemma 2 generate a triangular matrix.
3.5 Experimental Results
We have implemented the experiment program in Magma 2.11 computer algebra system [2] on a PC with Intel(R) Core(TM) Duo CPU(3.30GHz, 4.0GB RAM Windows 7). Table 3 lists some theoretical and experimental results on factoring two 1000-bit RSA moduli with varying bitsize of q. In all experiments, we successfully find the factorization of these RSA moduli. In practice, we always obtained sufficient polynomials with small norm and were able to extract the desired root by computing Gröbner bases for these polynomials. And the computation was fast in practice when we used as many polynomials as possible.
In [5], the experimental results are much better than their theoretical analysis. For example, for 440-bit factor q, with a lattice dimension of 63, in theory the attack should not work (we can recover the small private key \(d_p\) up to a size of \(N^{-0.083}\)), however, in practice, we succeed for \(d_p\) with bitsize a 0.010-fraction of N. Since our lattice construction captures the underlying sublattice structure of [5]’s desired lattice, we can do better than [5]: with a lattice dimension of 66, experimentally we can reconstruct \(d_p\) with a size of \(N^{0.012}\).
Note that our result of Theorem 1 is an asymptotic improvement. In Table 4, we present numerical values of \(\delta \) for different values of \(\beta \) and lattice dimension. Moreover, compared with [5], our method requires smaller lattice dimensions. For \(\beta =0.35\) and \(\beta =0.40\), Fig. 3 shows a comparison of these two approaches in the terms of the bitsize of small secret exponent \(d_p\) that can be attacked.
4 Small \(d_p\) and \(d_q\) Attack
In this section, we propose an attack when both \(d_p\) and \(d_q\) are small. The attack improves Jochemsz–May’s attack [22] by utilizing our lattice construction technique. Furthermore, the attack that we propose in this section is better than that in our proceeding version [56].
4.1 Our Attack
Recall the CRT-RSA key generation;
with some integers \(k_q\) and \(k_p\). Hence, if we can solve the following simultaneous modular equations, RSA modulus N can be factorized:
where the root is \((x_{q,1},x_{p,2},y_q,y_p)=(k_q,k_p,q,p)\).
In addition, by multiplying p and q to the key generation equations, respectively, the following representations can be obtained:
Then, we can also use the following modular equations:
where the root is \((x_{p,1},x_{q,2},y_p,y_q)=(k_q-1,k_p-1,p,q)\).
To summarize the above discussion, we want to solve the following simultaneous modular equations:
where the root is \((x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)=(k_q-1,k_q,k_p,k_p-1,p,q)\). Let \(e=N^{\alpha }\), \(d_p<N^{\delta }\), and \(d_q<N^{\delta }\) for a balanced RSA, i.e, \(q<p<2q\). The absolute values of \(x_{p,1},x_{q,1},x_{p,2},x_{q,2}\) are bounded above by \(X=N^{\alpha +\delta -1/2}\) within constant factors, whereas the absolute values of \(y_p\) and \(y_q\) are bounded above by \(Y=N^{1/2}\) within constant factors.
Unfortunately, an approach to solve the above four equations simultaneously does not offer an improvement. The approach gives us only the same bound as Theorem 3. Hence, we use an additional algebraic relation. From the CRT-RSA key generation,
By multiplying these two equations, we obtain
Then the following new equation can be obtained:
The polynomial also has two representations as the previous polynomials. Notice that the same equation as \(h(x_{p,1},x_{q,1},x_{p,2},x_{q,2})\) was already used by Galbraith et al. [14]. We make use of these equations and obtain the following result.
Theorem 5
Let \(N=pq\) be an RSA modulus, where p and q are the same bitsize. Let \(e=N^{\alpha }\) and \(d_p,d_q<N^{\delta }\) be a public/CRT-exponent, respectively, such that \(ed_q=1 \pmod {(q-1)}\) and \(ed_p=1 \pmod {(p-1)}\). Given public elements N and e, if N is sufficiently large and
then N can be factorized in polynomial time by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
For the full size e, the attack works for \(\delta <1/2-1/\sqrt{7}=0.122\cdots \) which is better than Jochemsz–May’s bound [22], i.e., \(\delta <0.073\). Our attack is better than all existing attacks. Furthermore, the result proposed in this paper is much better than our proceeding version [56], i.e., \(\delta <1/2-1/\sqrt{6}=0.091\cdots \). We obtain the improvement by exploiting sublattice structures from the lattice in [56]. Therefore, our proposed attack in this paper is practically faster than our previous attack [56].
Proof of Theorem 5
To solve the above modular equations, we use the following shift-polynomials:
with some positive integer m. For nonnegative integers \(i_1,i_2,j_1,i_2,\) and u, all the shift-polynomials share the common root as \(f_{p,1}(x_{p,1},y_p)\), \(f_{p,2}(x_{p,2},y_p)\), \(f_{q,1}(x_{q,1},y_q)\), \(f_{q,2}(x_{q,2},y_q)\), and \(h(x_{p,1},x_{q,1},x_{p,2},x_{q,2})\) modulo \(e^m\). Then we can construct triangular basis matrix as follows.
Lemma 4
Let all the polynomials be defined as above. Let \(\tau \) be a constant such that \(1/2\le \tau \le 1\). Define sets of indices as
Let \(\varvec{B}\) be a matrix whose rows consist of coefficients of \(g_{[i_1,i_2,j_1,j_2,u]}(x_{p,1}X_{p,1},x_{q,1}X_{q,1},x_{p,2}X_{p,2},x_{q,2}X_{q,2},y_pY_p,y_qY_q)\), \(g'_{[i_1,i_2,j_1],p}(x_{p,1}X_{p,1},x_{q,1}X_{q,1},x_{p,2}X_{p,2},x_{q,2}X_{q,2},y_pY_p,y_qY_q)\), and \(g'_{[i_1,i_2,j_2],q}(x_{p,1}X_{p,1},x_{q,1}X_{q,1},x_{p,2}X_{p,2},x_{q,2}X_{q,2},y_pY_p,y_qY_q)\) with indices in \({\mathcal {I}}_x\), \({\mathcal {I}}_{y,p}\), and \({\mathcal {I}}_{y,q}\), respectively. If the shift-polynomials are ordered as
and \(N^{-1} \pmod {e^m}\) is multiplied appropriately, then the matrix becomes triangular with diagonal entries
-
\(X_{p,1}^{i_1+j_1+u}X_{p,2}^{i_2+j_2+u}Y_p^{\lceil (i_1+i_2)/2\rceil }e^{m-(i_1+i_2+u)}\) for \(g_{[i_1,i_2,j_1,j_2,u]}\) if \(i_1+i_2\) is odd,
-
\(X_{q,1}^{i_1+j_1+u}X_{q,2}^{i_2+j_2+u}Y_q^{\lfloor (i_1+i_2)/2\rfloor }e^{m-(i_1+i_2+u)}\) for \(g_{[i_1,i_2,j_1,j_2,u]}\) if \(i_1+i_2\) is even,
-
\(X_{p,1}^{i_1}X_{p,2}^{i_2}Y_p^{\lceil (i_1+i_2)/2\rceil +j_1}e^{m-(i_1+i_2)}\) for \(g'_{[i_1,i_2,j_1],p}\),
-
\(X_{q,1}^{i_1}X_{q,2}^{i_2}Y_q^{\lfloor (i_1+i_2)/2\rfloor +j_2}e^{m-(i_1+i_2)}\) for \(g'_{[i_1,i_2,j_2],q}\).
The proof will appear in Sect. 4.2.
We compute the resulting condition of Theorem 5. The dimension n and the determinant of the lattice \(\det (\varvec{B})=X^{s_{X}}Y^{s_{Y}}e^{s_{e}}\) can be computed as:
Applying the LLL reduction, the polynomials obtained from the output vectors satisfy Howgrave–Graham’s lemma if \(X^{s_{X}}Y^{s_{Y}}e^{s_e}<e^{nm}\), i.e.,
by omitting low-order terms of m. To minimize the left-hand side of the inequality, we set the parameters \(\tau =1-2\delta \), then the condition becomes
as required. To satisfy the restriction \(\tau \ge 1/2\), \(\delta \le 1/4\) and equivalently \(\alpha \ge 7/16\) should hold. \(\square \)
4.2 Proof of Lemma 4
In this subsection, we show a proof of Lemma 4. Similarly as the proof of Lemma 3, we first explain the spirit of our triangular matrix. The polynomials that we use contain six variables \(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q\), and there are three algebraic relations: \(x_{q,1}=x_{p,1}+1\), \(x_{p,2}=x_{q,2}+1\) and \(y_py_q=N\). By using the last relation, i.e., \(y_py_q=N\), we transform all monomials as they do not have both \(y_p\) and \(y_q\), simultaneously, where the same operation was also done in Sect. 3.4. By using the former two relations, i.e., \(x_{q,1}=x_{p,1}+1\) and \(x_{p,2}=x_{q,2}+1\), we transform all monomials as they do not have both \(x_{p,1}\), \(x_{q,1}\), simultaneously, and both \(x_{p,2}\), \(x_{q,2}\), simultaneously. More concretely, the variable \(x_{p,1}\) and \(x_{p,2}\) appear only in monomials, where exponents of \(y_p\) are positive, whereas the variable \(x_{q,1}\) and \(x_{q,2}\) appear only in monomials, where exponents of \(y_q\) are nonnegative. The operation is a direct extension of that in Sect. 3.
Then we show the proof of Lemma 4.
Proof of Lemma 4.
When \((i_2,j_2,u)=(0,0,0)\),
Notice that the polynomials are similar to \(g_{[i,j],\lambda }(x_{p},x_{q},y_p,y_q)\) for \(\lambda =1/2\) in Lemma 3. Then, the polynomials generate triangular basis matrix as claimed in Lemma 4. Similarly, the polynomials \(g_{[i_1,i_2,j_1,j_2,u]}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) for \((i_1,j_1,u)=(0,0,0)\) generate triangular basis matrix. Since the proof is completely the same as that of Lemma 3, we omit it here. Then, the remaining proof is inductive; we show that the basis matrix is still triangular with other polynomials.
At first, we assume that polynomials \(g_{[i'_1,i'_2,j'_1,j'_2,u']}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) such that \(g_{[i'_1,i'_2,j'_1,j'_2,u']}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q) \prec g_{[i_1,i_2,j_1,j_2,u]}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) generate a triangular matrix as stated in Lemma 4. Then, we show that a matrix is still triangular with a new polynomial \(g_{[i_1,i_2,j_1,j_2,u]}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) whose diagonal is \(x_{p,1}^{i_1+j_1+u}x_{p,2}^{i_2+j_2+u}y_p^{\lceil (i_1+i_2)/2\rceil }e^{m-(i_1+i_2+u)}\). By definition,
From the relation \(x_{q,1}=x_{p,1}+1\), \(x_{p,2}=x_{q,2}+1\) and equivalently \(x_{p,1}=x_{q,1}-1\), \(x_{q,2}=x_{p,2}-1\), the polynomial becomes
By expanding \(\left( Nx_{q,1}-x_{p,1}y_p\right) ^{i_{1}}\) and \(\left( -x_{q,2}+x_{p,2}y_{p}\right) ^{i_{2}}\), the polynomial becomes
From the relation \(y_py_q=N\), we modify all the monomials so that \(y_p\) and \(y_q\) do not appear in each monomial, simultaneously. Then, the polynomial becomes
Notice that there are no monomials that have \(y_p\) and \(y_q\) simultaneously. The exponents of \(y_p\) in the first summation are positive, whereas the exponents of \(y_q\) in the second summation are nonnegative.
By expanding
the polynomial becomes
Next, as we discussed above, we replace all \(x_{q,1}, x_{q,2}\) in the first summation by \(x_{p,1}+1, x_{p,2}-1\), respectively, and replace all \(x_{p,1}, x_{p,2}\) in the second summation by \(x_{q,1}-1,x_{q,2}+1\), respectively. Then, the polynomial becomes
The polynomial has monomials for variables
-
\(x_{p,1}^{i_{px,1}}x_{p,2}^{i_{px,2}}y_{p}^{i_{py}}\) for \(i_{py}=1,2,\ldots ,\lceil (i_1+i_2)/2\rceil \),
-
\(x_{q,1}^{i_{qx,1}}x_{q,1}^{i_{qx,1}}y_{q}^{i_{qy}}\) for \(i_{qy}=0,1,\ldots ,\lfloor (i_1+i_2)/2\rfloor \).
When \((i_1+i_2)\) is odd, all polynomials \(g_{[i_1',i_2',j_1',j_2',u']}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) that have diagonal entries for the following variables satisfy \(g_{[i_1',i_2',j_1',j_2',u']}\)\((x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\prec g_{[i_1,i_2,j_1,j_2,u]}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\):
-
\(x_{p,1}^{i_{px,1}}x_{p,2}^{i_{px,2}}y_{p}^{i_{py}}\) for \(i_{py}=1,2,\ldots ,\lceil (i_1+i_2)/2\rceil -1\),
-
\(x_{q,1}^{i_{qx,1}}x_{q,1}^{i_{qx,1}}y_{q}^{i_{qy}}\) for \(i_{qy}=0,1,\ldots ,\lfloor (i_1+i_2)/2\rfloor \).
Hence, we focus on the monomials in \(g_{[i_1,i_2,j_1,j_2,u]}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) for variables
-
\(x_{p,1}^{i_{px,1}}x_{p,2}^{i_{px,2}}y_{p}^{\lceil (i_1+i_2)/2\rceil }\) for \(i_{px,1}=i_1+j_1,i_1+j_1+1,\ldots ,i_1+j_1+u; i_{px,2}=i_2+j_2,i_2+j_2+1,\ldots , i_2+j_2+u\).
All polynomials \(g_{[i_1',i_2',j_1',j_2',u']}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) that have the above diagonal entries for variables except \(x_{p,1}^{i_1+j_1+u}x_{p,2}^{i_2+j_2+u}y_{p}^{\lceil (i_1+i_2)/2\rceil }\) satisfy \(g_{[i_1',i_2',j_1',j_2',u']}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\prec g_{[i_1,i_2,j_1,j_2,u]}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\). Hence, as stated in Lemma 4, the polynomial \(g_{[i_1,i_2,j_1,j_2,u]}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) for odd \((i_1+i_2)\) has a diagonal \(X_{p,1}^{i_1+j_1+u}X_{p,2}^{i_2+j_2+u}Y_p^{\lceil (i_1+i_2)/2\rceil }e^{m-(i_1+i_2+u)}\). Similarly, we can prove the statement when \((i_1+i_2)\) is even. Hence, polynomials \(g_{[i'_1,i'_2,j'_1,j'_2,u']}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) generate triangular basis matrix as stated in Lemma 4.
Next, we assume that polynomials \(g_{[i'_1,i'_2,j'_1,j'_2,u']}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) and \(g'_{[i'_1,i'_2,j'_1],p}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) such that \(g'_{[i'_1,i'_2,j'_1],p}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q) \prec g'_{[i_1,i_2,j_1],p}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) generate a triangular matrix as stated in Lemma 4. Then, we show that a matrix is still triangular with a new polynomial \(g'_{[i_1,i_2,j_1],p}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) whose diagonal is \(x_{p,1}^{i_1}x_{p,2}^{i_2}y_p^{\lceil (i_1+i_2)/2\rceil +j_1}e^{m-(i_1+i_2)}\). By definition,
From the relation \(x_{p,1}=x_{q,1}-1\) and \(x_{p,2}=x_{q,2}+1\), the polynomial becomes
By expanding \(\left( Nx_{q,1}-x_{p,1}y_p\right) ^{i_{1}}\) and \(\left( -x_{q,2}+x_{p,2}y_{p}\right) ^{i_{2}}\), the polynomial becomes
From the relation \(y_py_q=N\), we modify all the monomial so that \(y_p\) and \(y_q\) do not appear in each monomial, simultaneously. Then, the polynomial becomes
Notice that there are no monomials that have \(y_p\) and \(y_q\), simultaneously. The exponents of \(y_p\) in the first summation are positive, whereas the exponents of \(y_q\) in the second summation are nonnegative.
Next, as we discussed above, we replace all \(x_{q,1}, x_{q,2}\) in the first summation by \(x_{p,1}+1, x_{p,2}-1\), respectively, and replace all \(x_{p,1}, x_{p,2}\) in the second summation by \(x_{q,1}-1,x_{q,2}+1\), respectively. Then, the polynomial becomes
The polynomial has monomials for variables
-
\(x_{p,1}^{i_{px,1}}x_{p,2}^{i_{px,2}}y_{p}^{i_{py}}\) for \(i_{py}=1,2,\ldots ,\lceil (i_1+i_2)/2\rceil +j_1; i_{px,1}+i_{px,2}=i_{py}+\lfloor (i_1+i_2)/2\rfloor -j_1, \ldots , i_1+i_2\),
-
\(x_{q,1}^{i_{qx,1}}x_{q,2}^{i_{qx,2}}y_{q}^{i_{qy}}\) for \(i_{qy}=0,1,\ldots ,\lfloor (i_1+i_2)/2\rfloor -j_1; i_{qx,1}+i_{qx,2}=i_{qy}-\lfloor (i_1+i_2)/2\rfloor +j_1, \ldots , i_1+i_2\).
Since all these variables except \(x_{p,1}^{i_{1}}x_{p,2}^{i_{2}}y_{p}^{\lceil (i_1+i_2)/2\rceil +j_1}\) appear in diagonal entries of \(g_{[i_1',i_2',j_1',j_2',u']}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) or \(g'_{[i_1',i_2',j_1'],p}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) such that \(g'_{[i_1,i_2,j_1],p}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\prec g'_{[i_1',i_2',j_1'],p}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\), as stated in Lemma 4, the diagonal of \(g'_{[i_1,i_2,j_1],p}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) in the triangular basis matrix is \(X_{p,1}^{i_{1}}X_{p,2}^{i_{2}}Y_{p}^{\lceil (i_1+i_2)/2\rceil +j_1}e^{m-(i_1+i_2)}\). Similarly, we can prove that the polynomials generate triangular basis matrix and the diagonal of \(g'_{[i_1,i_2,j_2],q}(x_{p,1},x_{q,1},x_{p,2},x_{q,2},y_p,y_q)\) is \(X_{q,1}^{i_{1}}X_{q,2}^{i_{2}}Y_{q}^{\lceil (i_1+i_2)/2\rceil +j_2}e^{m-(i_1+i_2)}\). \(\square \)
4.3 Experimental Results
We compare the practical behaviors between our previous attack in [56] and an improved attack proposed in this version. Note that the improved lattice construction captures a sublattice of our previous one [56], hence the experimental results do not change for \(m=4,6\). However since the new sets adopt lattices with much smaller dimension, we greatly reduce the running time of LLL algorithm.
Moreover, for \(m=8\) we can reduce the dimension from about 500 of [56] to 180 which is acceptable for practical implementation, it means that we can further improve the experimental results of our previous attack. We implemented the experiment programs of both previous attack [56] and our improved one by Sage 7.4 and \(L^2\) reduction algorithm from Nguyen and Stehl\(\acute{e}\) [33]. The calculations were performed on Intel Xeon E5-2637 processor running at 3.5GHz. By means of a comparison among the work of Herrmann–May’s result [19], our previous attack [56], and the improved one, we list the experimental results with varying bitsize of RSA moduli under small CRT-exponents in Table 5. In all experiments, we successfully find the factorization of these RSA moduli. In practice, we always obtained sufficient polynomials with small norm and were able to extract the desired root by computing Gröbner bases for these polynomials. And the computation was fast in practice when we used as many polynomials as possible. As it is shown, the experimental results of small CRT-exponents attack can be further improved.
5 Attacks on the Variants
In this section, we study small CRT-exponent attacks on the RSA variants, i.e., the Multi-Prime RSA, Takagi’s RSA, and the RSA with multiple exponent pairs. We extend our attack of Theorem 2 to the variants.
5.1 Multi-Prime RSA
In this section, we extends the small CRT-exponent attack for the Multi-Prime RSA as follows.
Theorem 6
Let \(N=\prod ^r_{i=1}p_i\) be an RSA modulus, where \(r\ge 2\) and all the prime factors \(p_1,\ldots ,p_r\) are the same bitsize. Let \(e=N^{\alpha }\) and \(d_{p_i}<N^{\delta _i}\) be a public/CRT-exponent, respectively, such that \(ed_{p_i}=1 \pmod {(p_i-1)}\) for all \(i=1,\ldots ,r\). Given public elements N and e, if N is sufficiently large and
then N can be factorized in polynomial time by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
We can successfully extend an attack for the Multi-Prime RSA in the sense that Theorem 6 becomes the same as Theorem 3 for \(r=2\).
Proof of Theorem 6
Recall the CRT-RSA key generation;
with some integer \(k_{p_i}\). By multiplying an integer \(N/p_i\),
Then we solve the following modular equations;
whose root is \((x_{N/p_i},x_{p_i},y_{N/p_i},y_{p_i})=(k_{p_i}-1,k_{p_i},N/p_i,p_i)\). The absolute values of the root are bounded above by \(X:=N^{\alpha +\delta -1/r}\) for \(x_{N/p_i}\) and \(x_{p_i}\), \(Y_{N/p_i}:=N^{(r-1)/r}, Y_{p_i}:=N^{1/r}\) for \(y_{N/p_i},y_{p_i}\), respectively. We construct the same matrix as the proof of Theorem 2 and the modular equation can be solved when
We set the parameters \(\lambda =\frac{1-r\delta }{r-1}, \tau =1-r\delta \) and the condition becomes \(\delta _i<\frac{1-\sqrt{(r-1)\alpha }}{r}\) as required. To satisfy the restrictions of parameters, \(\alpha >\frac{r-1}{r^2}\) should hold. \(\square \)
We also extend May’s modulo \(p_i\) attack [29] for the Multi-Prime RSA as follows.
Theorem 7
(Adapted from [28]) Let \(N=\prod ^r_{i=1}p_i\) be an RSA modulus, where \(r\ge 2\) and all the prime factors \(p_1,\ldots ,p_r\) are the same bitsize. Let \(e=N^{\alpha }\) and \(d_{p_i}<N^{\delta _i}\) be a public/CRT-exponent, respectively such that \(ed_{p_i}=1 \pmod {(p_i-1)}\) for all \(i=1,\ldots ,r\). Given public elements N and e, if
then N can be factorized in polynomial time by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
We can successfully extend an attack for the Multi-Prime RSA in the sense that Theorem 7 becomes the same as Theorem 4 for \(r=2\). We omit the proof since it is almost the same as Theorem 9 of [28]. The bound of Theorem 6 is always better than or equal to that of Theorem 7. Figure 4 shows comparison of the attack condition between Theorem 6 and 7 for \(r=3\) and 4.
5.2 Takagi’s RSA
In this section, we extends the small CRT-exponent attack for Takagi’s RSA as follows.
Theorem 8
Let \(N=p^rq\) be an RSA modulus, where \(r\ge 1\) and the prime factors p and q are the same bitsize. Let \(e=N^{\alpha }\) and \(d_{p}<N^{\delta _p}, d_{q}<N^{\delta _q}\) be a public/CRT-exponent, respectively, such that \(ed_{p}=1 \pmod {(p-1)}\) and \(ed_{q}=1 \pmod {(q-1)}\). Given public elements N and e, if N is sufficiently large and
then N can be factorized in polynomial time by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
We can successfully extend an attack for Takagi’s RSA in the sense that Theorem 8 becomes the same as Theorem 3 for \(r=1\). Although Shinohara et al. [43] extended Bleichenbacher–May’s attack, our attack is always better.
Proof of Theorem 8
Recall the CRT-RSA key generation;
with some integer \(k_{p}\) and \(d_q\). By multiplying \(N/p=p^{r-1}q\) and \(N/q=p^{r}\), respectively,
Then we solve the following modular equations for small \(d_p\);
whose root is \((x_{p^{r-1}q},x_{p},y_{p^{r-1}q},y_{p})=(k_{p}-1,k_{p},p^{r-1}q,p)\), and the following modular equations for small \(d_q\);
whose root is \((x_{p^{r}},x_{q},y_{p^{r}},y_{q})=(k_{q}-1,k_{q},p^{r},q)\). The absolute values of the root are bounded above by \(X:=N^{\alpha +\delta -1/(r+1)}\) for \(x_{p^{r-1}q},x_{p},x_{p^r}\), and \(x_{q}\), \(Y_{r}:=N^{r/(r+1)}\) for \(y_{p^{r-1}q}\) and \(y_{p^r}\), \(Y_{1}:=N^{1/(r+1)}\) for \(y_{p}\) and \(y_{q}\), respectively. For both small \(d_p\) and \(d_q\) attacks, we construct the same matrix as the proof of Theorem 2 and the modular equation can be solved when
We set the parameters \(\lambda =\frac{1-(r+1)\delta }{r}, \tau =1-(r+1)\delta \) and the condition becomes \(\delta <\frac{1-\sqrt{r\alpha }}{(r+1)}\) as required. To satisfy the restrictions of parameters, \(\alpha >\frac{r}{(r+1)^2}\) should hold. \(\square \)
We also extend May’s modulo a prime factor attack [29] for Takagi’s RSA as follows.
Theorem 9
(Adapted from [29]) Let \(N=p^rq\) be an RSA modulus, where \(r\ge 1\) and the prime factors p and q are the same bitsize. Let \(e=N^{\alpha }\) and \(d_{p}<N^{\delta _p}, d_{q}<N^{\delta _q}\) be a public/CRT-exponent, respectively, such that \(ed_{p}=1 \pmod {(p-1)}\) and \(ed_{q}=1 \pmod {(q-1)}\). Given public elements N and e, if
then N can be factorized in polynomial time by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
We can successfully extend an attack for the Takagi’s RSA in the sense that Theorem 9 becomes the same as Theorem 4 for \(r=1\). We omit the proof since it is almost the same as Theorem 9 of [28]. The bound for \(\delta _q\) of Theorem 8 is always better than or equal to that of Theorem 9; however, the bound for \(\delta _p\) of Theorem 9 is better than or equal to that of Theorem 8. Figure 5 shows comparison of the attack condition for small \(d_p\) between Theorem 8 and 9 for \(r=2\) and 3.
5.3 RSA with Multiple Exponent Pairs
In this section, we extends the small CRT-exponent attack for the RSA with multiple exponent pairs as follows.
Theorem 10
Let \(N=pq\) be an RSA modulus, where the prime factors p and q are the same bitsize. Let \(e_{\ell }=N^{\alpha }\) and \(d_{q,\ell }<N^{\delta }\) for \(\ell =1,\ldots ,r\) be a public/CRT exponent, respectively, such that \(e_{\ell }d_{q,\ell }=1 \pmod {(q-1)}\). Given public elements N and \(e_1,\ldots ,e_r\), if N is sufficiently large and
then N can be factorized in time polynomial in input length and exponential in r by assuming that polynomials which are derived from LLL-reduced bases are algebraically independent.
We can successfully extend the attack for RSA with multiple exponent pairs in the sense that Theorem 10 becomes the same as Theorem 3 for \(r=1\). We do not think May’s modulo q approach is an appropriate way for the attack scenario, and hence, we do not extend it. Peng et al. proposed the attack (Theorem 2 of [35]) which extended Bleichenbacher–May’s [5] and works when \(\delta <(9r-14)/(24r+8)\) for an \(\alpha =1\). Theorem 10 is always better than the attack of Peng et al. Indeed, even if there are infinitely many exponent pairs r, the attack of Peng et al. works for \(\delta <3/8\), whereas our attack works for the same bound of \(\delta \) with only 21 exponent pairs. Figure 6 shows comparison of recoverable sizes of \(d_q\) between our attack and that of Peng et al. [35].
Proof of Theorem 10
Recall the CRT-RSA key generation for \(d_{q,\ell }\);
with some integer \(k_{\ell }\). By multiplying an integer p,
Then we solve the following modular equations;
whose root is \((x_{p,\ell },x_{q,\ell },y_{p},y_{q})=(k_{\ell }-1,k_{\ell },p,q)\). The absolute values of the root are bounded above by \(X:=N^{\alpha +\delta -1/2}\) for \(x_{p,\ell }\) and \(x_{q,\ell }\), \(Y:=N^{1/2}\) for \(y_{p},y_{q}\), respectively, within constant factors.
To solve the modular equations, we use the following shift-polynomials
with some positive odd integer m. All the shift-polynomials share the common root modulo \(e^m\). Let \(\tau \) be a constant such that \(0<\tau \le 1\). We use the shift-polynomials
and construct a triangular basis matrix with diagonal entries
-
\(X_{p,\ell }^{i_X}Y_p^{i_Y}e^{m-\min \{i_X,2i_Y-1\}}\) for \(i_X=1,2,\ldots ,m; i_Y=0,1,\ldots ,\tau i_X+o(i_X)\),
-
\(X_{q,\ell }^{i_X}Y_q^{i_Y}e^{m-\min \{i_X,2i_Y\}}\) for \(i_X=0,1,\ldots ,m; i_Y=0,1,\ldots ,\tau i_X+o(i_X)\).
As Boneh and Durfee’s attack was extended to multiple exponent pairs setting [47], we use Minkowski sum based lattice method [1] and combine r lattices for \(d_{q,\ell }\) with \(\ell =1,2,\ldots ,r\). Then the dimension n and the determinant of the combined lattice \(X^{s_X}Y^{s_Y}e^{s_e}\) can be computed as follows:
Applying the LLL reduction, the polynomials obtained from the output vectors satisfy Howgrave–Graham’s lemma if \(X^{s_{X}}Y^{s_{Y}}e^{s_e}<e^{nm}\), i.e.,
by omitting low-order terms of m. To minimize the left-hand side of the inequality, we set the parameters \(\tau =1-2\delta \), then the condition becomes
as required. \(\square \)
6 Concluding Remarks and Open Problem
In this paper, we studied a lattice-based cryptanalysis of the small CRT-exponent RSA. We developed a new lattice construction technique that is specialized to the CRT-RSA key generation and proposed several improved attacks. When a prime factor p is significantly smaller than the other prime factor q with a small \(d_q\), we solved an open problem which was claimed in [5, 29]; we proposed an attack which works for \(p<N^{0.5}\). When both \(d_p\) and \(d_q\) are small, we proposed an attack which works for \(d_p,d_q<N^{0.122}\) with a full size e. We also proposed attacks on the RSA variants, i.e., the Multi-Prime RSA, Takagi’s RSA, and RSA with multiple exponent pairs.
In Sect. 4, we obtain the improvement by exploiting sublattice structures from [56]. Although the experimental results based on the sublattice provide better matching between achievable sizes of \(d_p,d_q\) and the theoretically predicted bound than the previous lattice in [56], there still exists a gap. In other words, it seems that there is still room for improvements of the bound \(N^{0.122}\) by this approach. Specifically, for the 31-dimensional lattices (resp. 84-dimensional lattices), the theoretically predicted bound \(\delta \) should be 0.00 (resp. 0.03), however, we successfully find integer equations when \(\delta \le 0.03\) (resp. \(\delta \le 0.05\)). We think that the reason for this gap derives from that to make the matrix triangular, we can not only remove the unhelpful polynomials. The open problem is how to further improve this bound to fill the gap between achievable bound in experiments and the theoretically predicted bound. We hope our novel lattice construction can be fully analyzed and lead to a better results.
References
Y. Aono, Minkowski sum based lattice construction for multivariate simultaneous Coppersmith’s technique and applications to RSA. in Colin Boyd and Leonie Simpson, editors, Information Security and Privacy—18th Australasian Conference, ACISP 2013, Volume 7959 of Lecture Notes in Computer Science (Springer, 2013), pp. 88–103
W. Bosma, J.J. Cannon, Catherine Playoust, The magma algebra system I: the user language. J. Symb. Comput., 24(3/4), 235–265, 1997.
D. Boneh, G. Durfee, Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Information Theory, 46(4), 1339–1349 (2000).
J. Blömer, A. May, New partial key exposure attacks on RSA, in Dan Boneh, editor, Advances in Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Volume 2729 of Lecture Notes in Computer Science (Springer, 2003), pp. 27–43
D. Bleichenbacher, A. May, New attacks on RSA with small secret CRT-exponents, in Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors, Public Key Cryptography—PKC 2006, 9th International Conference on Theory and Practice of Public-Key Cryptography, volume 3958 of Lecture Notes in Computer Science (Springer, 2006), pp. 1–13
A. Bauer, D. Vergnaud, J.-C. Zapalowicz, Inferring sequences produced by nonlinear pseudorandom number generators using Coppersmith’s methods, in Marc Fischlin, Johannes A. Buchmann, and Mark Manulis, editors, Public Key Cryptography-PKC 2012—15th International Conference on Practice and Theory in Public Key Cryptography, volume 7293 of Lecture Notes in Computer Science (Springer, 2012), pp. 609–626
D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, in Ueli M. Maurer, editor, Advances in Cryptology—EUROCRYPT ’96, International Conference on the Theory and Application of Cryptographic Techniques, volume 1070 of Lecture Notes in Computer Science (Springer, 1996), pp. 178–189
D. Coppersmith, Finding a small root of a univariate modular equation, in Ueli M. Maurer, editor, Advances in Cryptology—EUROCRYPT ’96, International Conference on the Theory and Application of Cryptographic Techniques, Volume 1070 of Lecture Notes in Computer Science (Springer, 1996), pp. 155–165
D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology, 10(4), 233–260 (1997)
D. Coppersmith, Finding small solutions to small degree polynomials, in Joseph H. Silverman, editor, Cryptography and Lattices, International Conference, CaLC 2001, Volume 2146 of Lecture Notes in Computer Science (Springer, 2001), pp. 20–31
J. Coron, Finding small roots of bivariate integer polynomial equations revisited, in Christian Cachin and Jan Camenisch, editors, Advances in Cryptology—EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Volume 3027 of Lecture Notes in Computer Science (Springer, 2004), pp. 492–505
G. Durfee, P.Q. Nguyen, Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt ’99, in Tatsuaki Okamoto, editor, Advances in Cryptology—ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security, Volume 1976 of Lecture Notes in Computer Science (Springer, 2000), pp. 14–29
M.F. Esgin, M.S. Kiraz, O. Uzunkol, A new partial key exposure attack on multi-power RSA, in Andreas Maletti, editor, Algebraic Informatics—6th International Conference, CAI 2015, Volume 9270 of Lecture Notes in Computer Science (Springer, 2015), pp. 103–114
S.D. Galbraith, C. Heneghan, J.F. McKee, Tunable balancing of RSA, in Colin Boyd and Juan Manuel González Nieto, editors, Information Security and Privacy, 10th Australasian Conference, ACISP 2005, Volume 3574 of Lecture Notes in Computer Science (Springer, 2005), pp. 280–292
M. Herrmann, Lattice-Based Cryptanalysis Using Unravelled Linearization. Ph.D. thesis, der Ruhr-University Bochum (2011)
Z. Huang, L. Hu, J. Xu, Attacking RSA with a composed decryption exponent using unravelled linearization, in Dongdai Lin, Moti Yung, and Jianying Zhou, editors, Information Security and Cryptology—10th International Conference, Inscrypt 2014, Volume 8957 of Lecture Notes in Computer Science (Springer, 2014), pp. 207–219
Z. Huang, L. Hu, J. Xu, L. Peng, Y. Xie, Partial key exposure attacks on Takagi’s variant of RSA, in Ioana Boureanu, Philippe Owesarski, and Serge Vaudenay, editors, Applied Cryptography and Network Security—12th International Conference, ACNS 2014, Volume 8479 of Lecture Notes in Computer Science (Springer, 2014), pp. 134–150
M. Herrmann, A. May, Attacking power generators using unravelled linearization: when do we output too much? in Mitsuru Matsui, editor, Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Volume 5912 of Lecture Notes in Computer Science (Springer, 2009), pp. 487–504
M. Herrmann, A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, in Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography—PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Volume 6056 of Lecture Notes in Computer Science (Springer, 2010), pp. 53–69
N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, in Michael Darnell, editor, Cryptography and Coding, 6th IMA International Conference, Volume 1355 of Lecture Notes in Computer Science (Springer, 1997), pp. 131–142
E. Jochemsz, A. May, A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants, in Xuejia Lai and Kefei Chen, editors, Advances in Cryptology—ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Volume 4284 of Lecture Notes in Computer Science (Springer, 2006), pp. 267–282
E. Jochemsz, A. May, A polynomial time attack on RSA with private CRT-exponents smaller than \(N^{0.073}\), in Alfred Menezes, editor, Advances in Cryptology—CRYPTO 2007, 27th Annual International Cryptology Conference, Volume 4622 of Lecture Notes in Computer Science (Springer, 2007), pp. 395–411
N. Kunihiro, N. Shinohara, T. Izu, A unified framework for small secret exponent attack on RSA. IEICE Transactions 97-A(6), 1285–1295 (2014)
N. Kunihiro, On optimal bounds of small inverse problems and approximate GCD problems with higher degree, in Dieter Gollmann and Felix C. Freiling, editors, Information Security—15th International Conference, ISC 2012, Volume 7483 of Lecture Notes in Computer Science (Springer, 2012), pp. 55–69
A.K. Lenstra, H.W.jun. Lenstra, Lászlo Lovász, Factoring polynomials with rational coefficients. Math. Ann., 261, 515–534 (1982).
Y. Lu, R. Zhang, D. Lin, Factoring multi-power RSA modulus \({N} = p^rq\) with partial known bits, in Colin Boyd and Leonie Simpson, editors, Information Security and Privacy—18th Australasian Conference, ACISP 2013, Volume 7959 of Lecture Notes in Computer Science (Springer, 2013), pp. 57–71
Y. Lu, R. Zhang, D. Lin, New partial key exposure attacks on CRT-RSA with large public exponents, in Ioana Boureanu, Philippe Owesarski, and Serge Vaudenay, editors, Applied Cryptography and Network Security—12th International Conference, ACNS 2014, Volume 8479 of Lecture Notes in Computer Science (Springer, 2014), pp. 151–162
Y. Lu, R. Zhang, L. Peng, D. Lin, Solving linear equations modulo unknown divisors: Revisited, in Tetsu Iwata and Jung Hee Cheon, editors, Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Volume 9452 of Lecture Notes in Computer Science (Springer, 2015), pp. 189–213
A. May, Cryptanalysis of unbalanced RSA with small CRT-exponent, in Moti Yung, editor, Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Volume 2442 of Lecture Notes in Computer Science (Springer, 2002), pp. 242–256
A. May, New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis, University of Paderborn (2003)
A. May, Using LLL-reduction for solving RSA and factorization problems, in Phong Q. Nguyen and Brigitte Vallée, editors, The LLL Algorithm-Survey and Applications, Information Security and Cryptography (Springer, 2010), pp. 315–348
P.Q. Nguyen, J. Stern, The two faces of lattices in cryptology, in Joseph H. Silverman, editor, Cryptography and Lattices, International Conference, CaLC 2001, Volume 2146 of Lecture Notes in Computer Science (Springer, 2001), pp. 146–180
Phong Q. Nguyen, Damien Stehlé, An LLL algorithm with quadratic complexity. SIAM J. Comput., 39(3), 874–903 (2009).
L. Peng, L. Hu, Z. Huang, J. Xu, Partial prime factor exposure attacks on RSA and its Takagi’s variant, in Javier Lopez and Yongdong Wu, editors, Information Security Practice and Experience—11th International Conference, ISPEC 2015, Volume 9065 of Lecture Notes in Computer Science (Springer, 2015), pp. 96–108
L. Peng, L. Hu, Y. Lu, S. Sarkar, J. Xu, Z. Huang, Cryptanalysis of variants of RSA with multiple small secret exponents, in Alex Biryukov and Vipul Goyal, editors, Progress in Cryptology-INDOCRYPT 2015—16th International Conference on Cryptology in India, Volume 9462 of Lecture Notes in Computer Science (Springer, 2015), pp. 105–123
L. Peng, L. Hu, Y. Lu, Improved results on cryptanalysis of prime power RSA, in Seokhie Hong and Jong Hwan Park, editors, Information Security and Cryptology-ICISC 2016—19th International Conference, Volume 10157 of Lecture Notes in Computer Science (2016), pp. 287–303
L. Peng, L. Hu, Y. Lu, H. Wei, An improved analysis on three variants of the RSA cryptosystem, in Kefei Chen, Dongdai Lin, and Moti Yung, editors, Information Security and Cryptology—12th International Conference, Inscrypt 2016, Volume 10143 of Lecture Notes in Computer Science (Springer, 2016), pp. 140–149
L. Peng, L. Hu, Y. Lu, J. Xu, Z. Huang, Cryptanalysis of dual RSA. Des. Codes Cryptography 83(1), 1–21 (2017).
PKCS#1, RSA cryptography specifications version 2.0. http://www.ietf.org/rfc/rfc2437.txt
J.-J. Quisquater, C. Couvreur, Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters, 18(2), 905–907 (1982)
S. Sarkar, Small secret exponent attack on RSA variant with modulus \({N}=p^rq\). Des. Codes Cryptography, 73(2), 383–392 (2014)
S. Sarkar, Revisiting prime power RSA. Discrete Applied Mathematics, 203, 127–133 (2016)
N. Shinohara, T. Izu, N. Kunihiro, Small secret CRT-exponent attacks on Takagi’s RSA. IEICE Transactions, 94-A(1), 19–27 (2011)
S. Sarkar, S. Maitra, Partial key exposure attack on CRT-RSA, in Michel Abdalla, David Pointcheval, Pierre-Alain Fouque, and Damien Vergnaud, editors, Applied Cryptography and Network Security, 7th International Conference, ACNS 2009, Volume 5536 of Lecture Notes in Computer Science (2009), pp. 473–484
H.-M. Sun, M.-E. Wu, An approach towards rebalanced RSA-CRT with short public exponent. IACR Cryptology ePrint Archive, 2005, 53 (2005)
A. Takayasu, N. Kunihiro, Better lattice constructions for solving multivariate linear equations modulo unknown divisors. IEICE Transactions, 97-A(6), 1259–1272 (2014).
A. Takayasu, N. Kunihiro, Cryptanalysis of RSA with multiple small secret exponents, in Willy Susilo and Yi Mu, editors, Information Security and Privacy—19th Australasian Conference, ACISP 2014, Volume 8544 of Lecture Notes in Computer Science (Springer, 2014), pp. 176–191
A. Takayasu, N. Kunihiro, Partial key exposure attacks on RSA: achieving the boneh-durfee bound, in Antoine Joux and Amr M. Youssef, editors, Selected Areas in Cryptography-SAC 2014—21st International Conference, Volume 8781 of Lecture Notes in Computer Science (Springer, 2014), pp. 345–362
A. Takayasu, N. Kunihiro, Partial key exposure attacks on CRT-RSA: better cryptanalysis to full size encryption exponents, in Tal Malkin, Vladimir Kolesnikov, Allison Bishop Lewko, and Michalis Polychronakis, editors, Applied Cryptography and Network Security—13th International Conference, ACNS 2015, Volume 9092 of Lecture Notes in Computer Science (Springer, 2015), pp. 518–537
A. Takayasu, N. Kunihiro, How to generalize RSA cryptanalyses, in Chen-Mou Cheng, Kai-Min Chung, Giuseppe Persiano, and Bo-Yin Yang, editors, Public-Key Cryptography-PKC 2016—19th IACR International Conference on Practice and Theory in Public-Key Cryptography, Volume 9615 of Lecture Notes in Computer Science (Springer, 2016), pp. 67–97
A. Takayasu, N. Kunihiro, Partial key exposure attacks on CRT-RSA: general improvement for the exposed least significant bits, in Matt Bishop and Anderson C. A. Nascimento, editors, Information Security—19th International Conference, ISC 2016, Volume 9866 of Lecture Notes in Computer Science, (Springer, 2016), pp. 35–47
A. Takayasu, N. Kunihiro, Partial key exposure attacks on RSA with multiple exponent pairs, in Joseph K. Liu and Ron Steinfeld, editors, Information Security and Privacy—21st Australasian Conference, ACISP 2016, Volume 9723 of Lecture Notes in Computer Science (Springer, 2016), pp. 243–257
A. Takayasu, N. Kunihiro, Small secret exponent attacks on RSA with unbalanced prime factors, in 2016 International Symposium on Information Theory and Its Applications, ISITA 2016 (IEEE, 2016), pp. 236–240
A. Takayasu, N. Kunihiro, General bounds for small inverse problems and its applications to multi-prime RSA. IEICE Transactions, 100-A(1), 50–61 (2017)
A. Takayasu, N. Kunihiro, A tool kit for partial key exposure attacks on RSA, in Helena Handschuh, editor, Topics in Cryptology-CT-RSA 2017—The Cryptographers’ Track at the RSA Conference 2017, Volume 10159 of Lecture Notes in Computer Science (Springer, 2017), pp. 58–73
A. Takayasu, Y. Lu, L. Peng, Small CRT-exponent RSA revisited, in Jean-Sébastien Coron and Jesper Buus Nielsen, editors, Advances in Cryptology-EUROCRYPT 2017—36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Volume 10211 of Lecture Notes in Computer Science (2017), pp. 130–159
M.J. Wiener, Cryptanalysis of short RSA secret exponents. IEEE Trans. Information Theory, 36(3), 553–558 (1990)
Acknowledgements
We would like to thank Shuichi Katsumata for his helpful comments. We also thank the anonymous reviewers for their useful comments and suggestions.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Serge Vaudenay.
This paper is the full version of [56]. This research was supported by JST CREST Grant Number JPMJCR14D6, Japan, JSPS KAKENHI Grant Number 17H06571, Japan, the National Natural Science Foundation of China (Grants 61702505, 61472417, 61732021, 61502488, 61602471, 61772520), National Cryptography Development Fund (MMJJ20170115, MMJJ20170124) and the Fundamental Theory and Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Grants Y7Z0341103, Y7Z0321102).
Atsushi Takayasu: During the work, the author was supported by a JSPS Fellowship for Young Scientists.
Rights and permissions
About this article
Cite this article
Takayasu, A., Lu, Y. & Peng, L. Small CRT-Exponent RSA Revisited. J Cryptol 32, 1337–1382 (2019). https://doi.org/10.1007/s00145-018-9282-3
Received:
Revised:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00145-018-9282-3