volume 110 no. 4 2016,587-607 - ijpam · the attacks work when k rsa public keys (n i,e i) are...

International Journal of Pure and Applied Mathematics

Volume 110 No. 4 2016, 587-607

ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version)url: http://www.ijpam.eudoi: 10.12732/ijpam.v110i4.3

PAijpam.eu

NEW PRACTICAL ATTACK

ON RSA MODULUS OF TYPE N = p2q

Normahirah Nek Abd Rahman1 §, Muhammad Rezal Kamel Ariffin2

1,2Al-Kindi Cryptography Research LaboratoryInstitute for Mathematical Research

Universiti Putra Malaysia43400 UPM Serdang, Selangor, MALAYSIA

2Department of MathematicsFaculty of Science

Universiti Putra Malaysia43400 UPM Serdang, Selangor, MALAYSIA

Abstract: This paper proposes three new attacks on RSA with the modulus N = p2q.

The first attack is based on the equation eX −NY = (p2u+ q2v)Z such that u is an integer

multiple of 2 and v is an integer multiple of 3 with |p2u− q2v| < N1/2 and gcd(X,Y ) = 1.

If X|Z| < N2|p2u+q2v|

, then N can be factored in polynomial time using continued fractions

expansion. For the second and third attack, this paper proposes new vulnerabilities in k RSA

cryptosystem moduli Ni = p2i qi for k ≥ 2 and i = 1, ..., k. The attacks work when k RSA

public keys (Ni, ei) are related through eix−Niyi = (p2iu+q2i v)zi or eixi−Niy = (p2iu+q2i v)zi

where the parameters x, xi, y, yi and zi are suitably small.

AMS Subject Classification: 11A51, 11A55, 11K60, 03G10

Key Words: RSA, factorization, continued fraction, LLL algorithm, simultaneous diophan-

tine approximations

1. Introduction

The RSA cryptosystem has been proposed by Rivest, Shamir and Adleman

Received: June 23, 2016

Revised: August 15, 2016

Published: November 9, 2016

c© 2016 Academic Publications, Ltd.

url: www.acadpubl.eu

§Correspondence author

588 N.N. Abd Rahman, M.R.K. Ariffin

became a well-known asymmetric cryptosystem for transmission of data [17].Basically, the difficulty of breaking the RSA cryptosystem is based three hardmathematical problems which is the integer factorization problem of N = pq,the eth root problem from C ≡ M e (mod N) and to solve the Diophantine keyequation ed+ 1 = φ(N)k.

The encryption and decryption processes in RSA require executing expo-nential multiplications modulo the integer N = pq. To reduce the encryptiontime, one may wish to use a small public exponent, e while to reduce the de-cryption time, one may tempted to use a short secret exponent, d. The choiceof small d is especially interesting when the device performing secret operationshas limited power.

Hence, the RSA cryptosystem is likely to have faster decryption when thesecret exponent d is relatively small. This idea was firstly introduced by Wienerin 1990. After investigating the diophantine key equation, Wiener proved thatif the secret exponent d < 1

3N1/4 would result in RSA to be totally insecure

[21]. That is through the continued fractions of eN , Wiener was able to obtain

the integer solutions of the diophantine key equation and eventually factoringN .

Later, in 1999, by using lattice basis reduction technique, Boneh and Durfeeproposed an extension on Wiener’s work. It was determined that the RSAcryptosystem is insecure when d < N0.292[4]. On the other hand, de Wegerproposed an extension of these attacks to an RSA modulus with small differencebetween its prime factors [5]. Similarly, by combining lattice basis reductiontechniques and the continued fraction expansion algorithm, Blomer and Maycome up with an attack extension of Wiener’s attack [3].

Later, Howgrave-Graham and Seifert proposed an extension of Wiener’sattack that allows the RSA system to be insecure in the presence of two de-cryption exponents (d1, d2) with d1, d2 < N5/14 [8]. In the presence of threedecryption exponents, they improved the bound to N2/5 based on lattice reduc-tion method. In 2007, Hinek showed that it is possible to factor the k modulusNi using equations eid− kiφ(Ni) = 1 if d < N δ with δ = k

2(k+1) − ε where ε is

a small constant depending on the size of max Ni [7].

In 2014, Nitaj et al. presented new method to factor all the RSA moduliN1, ..., Nk in the scenario that RSA instances satisfy k equations of the shapeeix− yiφ(Ni) = zi or of the shape eixi − yφ(Ni) = zi with suitable parametersx, xi, y, yi and zi, φ(Ni) = (pi − 1)(qi − 1) based on the LLL algorithm whichhas been introduced by Lenstra et al. [9] for lattice basis reduction [15].

Furthering this, many RSA variant have been propose to achieve betterthroughput. That is to be able to send large data sets and to achieve better

NEW PRACTICAL ATTACK... 589

computational time while maintaining the level of security. These new variantscapatilize on the concept Prime Power RSA. In Prime Power RSA the modulusN is in the form N = prq for r ≥ 2. Takagi (1997) showed how to used thePrime Power RSA to speed up the decryption process when the public andprivate exponents satisfy an equation ed ≡ 1(mod (p−1)(q−1)) [20]. Okamotoand Uchiyama (1998) presented a public key cryptosystem that is provably assecure as factoring a modulus in the form N = p2q [16].

In 2004, May improved the bound of private exponent to d < Nr

(r+1)2 forRSA modulus in the form N = prq [11]. Later, Sarkar (2014) improved thebound to d < N0.395 for RSA modulus N = p2q [18].

Recently, Asbullah and Ariffin showed that one can factor N = p2q inpolynomial time if e satisfies the equation eX − (N − (ap2 + bq2)Y = Z wherea, b are positive integer satisfying gcd(a, b) = 1, |ap2 − bq2| < N1/2, |Z| <|ap2−bq2|3(ap2+bq2)N

1/3Y and 1 ≤ Y ≤ X < N1/2

2(ap2+bq2)1/2[2].

Our contribution. Therefore, in this paper, we present new cryptanalysison the modulus of N = p2q by using continued fractions method as the firstanalysis motivated from some previous attacks by [21], [12], [13],[14] and [1]. Weconsider the public value, e satisfying the following generalized key equation,eX − NY = (p2u + q2v)Z such that u is an integer multiple of 2 and v is aninteger multiple of 3. If

gcd(X,Y ) = 1, |p2u− q2v| < N1/2, X|Z| < N

2|p2u+ q2v|then N can be factored in polynomial time using continued fractions. We alsoshow that the number of such parameters e satisfying the equation are at leastN

13−ε where ε > 0 is arbitrarily small for large N .In the second attack, we focus on k instances of (Ni, ei) where Ni = p2i qi

together with its generalized system of key equations eix−Niyi = (p2i u+q2i v)zi.We prove that, each RSA moduli Ni can be factored in polynomial time if

x < N δ, yi < N δ, |zi| <√2N1/2

|p2i u− q2i v|where δ =

k

3− αk, N = mini Ni.

Finally, for the third attack, we we prove that we are able to factor k RSAmoduli of the form Ni = p2i qi when k instance of (Ni, ei) are available andthe variables (xi, y, zi, δ) in the generalized system of key equations given byeixi −Niy = (p2i u+ q2i v)zi satisfying

xi < N δ, y < N δ, |zi| <√2N1/2

|p2iu− q2i v|where δ = βk − αk − 2k

3,


with N = maxi Ni and mini ei = Nβ.For the second and third attack, we transform the equations into a simul-

taneous diophantine problem and applying lattice basis reduction techniquesto find parameters (x, yi) or (y, xi). This leads to a suitable approximation ofp2u + q2v which allow us to apply the theorem that we propose in first crypt-analysis to compute the prime factor pi and qi of the moduli Ni. We also provethat the propose attacks enables to factor the k RSA moduli Ni simultaneously.

The layout of the paper is as follows. In Section 2, we begin with a briefreview on continued fractions expansion, lattice basic reduction, simultane-ous diophantine approximation and also some useful results that will be usedthroughout the paper. In Section 3, Section 4 and Section 5, we present ourfirst, second and third attacks consecutively together with examples. Then, weconclude the paper in Section 6.

2. Preliminaries

In this section, we give brief review on continued fractions expansion, latticebasic reduction and simultaneous diophantine approximation that will be usedthroughout this paper.

2.1. Continued Fractions Expansion

A continued fraction is an expression of the form

a0 +1

a1 +1

. . .+ 1

an+...

= [a0, a1, . . . , an, . . .],

which, for simplicity, can be rewritten as x = [a0, a1, . . . , an, . . .]. If x is a ratio-nal number, then the process of calculating the continued fractions expansionwill finish in some finite index n and then x = [a0, a1, . . . , an]. The convergentsab of x are the fractions denoted by a

b = [a0, a1, . . . , ai] for i ≥ 0. An importantresult on continued fractions that will be used is the following theorem.

Theorem 1. (Legendre) [6]. Let x = [a0, a1, a2, . . .] be the continuedfraction expansion of x. If X and Y are coprime integers such that

∣

∣

∣x− Y

X

∣

∣

∣<

1

2X2

thenY

Xis convergent of x.


2.2. Lattice Basis Reductions

Let u1, ..., ud be d linearly independent vectors of Rn with d ≤ n. The set of allinteger linear combinations of the vectors u1, ..., ud is called a lattice and is inthe form

L =

{

d∑

i=1

xiui | xi ∈ Z

}

.

The set (ui, ..., ud) is called a basis of L and d is its dimension. The determinantof L is defined as det(L) =

√

det(UTU) where U is the matrix of the ui’s in thecanonical basis of Rn. Define ‖v‖ to be the Euclidean norm of a vector v ∈ L.A central problem in lattice reduction is to find a short non-zero vector in L.The LLL algorithm [9] produces a reduced basis and the following result fixesthe sizes of the reduced basis vector (see [10]).

Theorem 2. [9]. Let L be a lattice of dimension ω with a basis {v1, ..., vω}.The LLL algorithm produces a reduced basis {b1, ..., bω} satisfying

‖b1‖ ≤ ‖b2‖ ≤ ... ≤ ‖bi‖ ≤ 2ω(ω−1)

4(ω+1−i)det(L)1

ω+1−i ,

for all 1 ≤ i ≤ ω.

One of the important application of the LLL algorithm is it provides a solutionto the simultaneous Diophantine approximations problem which is defined asfollows. Let α1, ..., αn be n real numbers and ε a real number such that 0 <ε < 1. A classical theorem of Dirichlet asserts that there exist integers p1, ..., pnand a positive integer q ≤ ε−n such that

|qαi − pi| < ε for 1 ≤ i ≤ n.

In [9] described a method to find simultaneous diophantine approximations torational numbers which they consider a lattice with real entries. Hence, westate here a similar result for a lattice with integer entries.

Theorem 3. (Simultaneous Diophantine Approximations) [9]. There is apolynomial time algorithm, for given rational numbers α1, ..., αn and 0 < ε < 1,to compute integers p1, ..., pn and a positive integer q such that

maxi|qαi − pi| < ε and q ≤ 2n(n−3)/4 · 3n · ε−n.

Proof. See Appendix.


3. The First Attack

In this section, we present our first attack on RSA with the modulus N = p2q.The following lemma shows that any approximation of p2u + q2v will lead toan approximation of q. We begin with a lemma fixing the size of prime factorp and q of RSA-type modulus N = p2q.

Lemma 1. Let N = p2q with q < p < 2q. Then 2−1/3N1/3 < q < N1/3 <p < 21/3N1/3.

Proof. Suppose q < p < 2q. Multiplying by p2, we get N < p3 < 2N .Hence N1/3 < p < 21/3N1/3. Multiplying q < p < 2q by pq and q2, we getq3 < pq2 < 2q3 and pq2 < N < 2pq2, respectively. This implies 2−2/3N1/3 <q < N1/3. This terminate the proof.

Lemma 2. Let N = p2q with q < p < 2q. Let u, v ∈ N such that u is aninteger multiple of 2 and v is an integer multiple of 3. Let |p2u− q2v| < N1/2.Set

S = (p2u+ q2v)Z, where 1 ≤ |Z| <√2N1/2

|p2u−q2v| , then uvZ2q =[

S2

4N

]

.

Proof. First, we consider S = (p2u+ q2v)Z Then, observe that

S2 =(

(p2u+ q2v)Z)2

= (p2Zu+ q2Zv)2

= (p2Zu+ q2Zv)(p2Zu+ q2Zv)

= (p2Zu)2 + 2(p2Zu)(q2Zv) + (q2Zv)2

= (p2Zu− q2Zv)2 + 4(p2q2uvZ2)

= (p2Zu− q2Zv)2 + 4NquvZ2

We obtain

S2 − 4NquvZ2 =(

p2Zu− q2Zv)2

> 0 (1)

Hence, we divide (1) by 4N and we get

∣

∣

∣

∣

∣

S2

4N− uvZ2q

∣

∣

∣

∣

∣

=

∣

∣

∣

∣

∣

S2 − 4NquvZ2

4N

∣

∣

∣

∣

∣

=

(

p2Zu− q2Zv)2

4N


=

(

p2u− q2v)2

Z2

4N

<

(

p2u− q2v)2( √

2N1/2

|p2u−q2v|

)2

4N

<

(√2N1/2

)2

4N=

1

2

which we deduce uvZ2q =[

S2

4N

]

. This terminate the proof.

Lemma 3. Let N = p2q with q < p < 2q. Let e be an exponent satisfyingan equation eX−NY = (p2u+q2v)Z for some u, v ∈ N and with gcd(X,Y ) = 1and X|Z| < N

2|p2u+q2v| thenYX is a convergent of the continued fraction e

N .

Proof. Suppose that X|Z| < N2|p2u+q2v| . Starting with the equation eX −

NY = (p2u+ q2v)Z and if we divide by NX, then we obtain∣

∣

∣

∣

∣

e

N− Y

X

∣

∣

∣

∣

∣

=

∣

∣

∣

∣

∣

(p2u+ q2v)Z

NX

∣

∣

∣

∣

∣

In order to apply Legendre theorem, observe that, if X|Z| < N2|p2u+q2v| , then

|(p2u+q2v)Z |NX < 1

2X2 is satisfied. Hence, we conclude that YX is convergent of

continued fraction eN .

The following theorem shows that how to factor N = p2q completely.

Theorem 4. Let N = p2q with q < p < 2q. Let u, v ∈ N such that u is aninteger multiple of 2 and v is an integer multiple of 3. Let |p2u− q2v| < N1/2.Let e be an exponent satisfying an equation eX − NY = (p2u + q2v)Z withgcd(X,Y ) = 1. If X|Z| < N

2|p2u+q2v| then N can be factored in polynomial time.

Proof. Suppose that e be an exponent satisfying an equation eX −NY =(p2u+q2v)Z with gcd(X,Y ) = 1. Let X and |Z| satisfy the condition in Lemma2, then Y

X is convergent of continued fraction eN . From the value of X and Y ,

we define S = eX−NY . Then from Lemma 2, this implies that uvZ2q =[

S2

4N

]

.

It follows that we obtain q = gcd([

S2

4N

]

, N)

.

Now, we proposed the following algorithm for further recovering prime fac-torization of RSA-type modulus N = p2q.


INPUT: The public key modulus (N, e) satisfying N = p2q.OUTPUT: The prime factor p, q.

1. Compute the continued fraction eN .

2. For each convergent YX of e

N , compute S = eX −NY .

3. Compute[

S2

4N

]

.

4. Compute q = gcd([

S2

4N

]

, N)

5. If 1 < q < N , then p =√

Nq .

Table 1: Algorithm 1

Example 1. As an illustration of our first attack, let N and e be asfollows.

N = 64846371051769

e = 54715049302680

Suppose that N and e satisfy all the conditions stated in Theorem 4. Then, wecompute the continued fraction of e

N . The list of the convergent of continuedfraction are shown as follows

[

0, 1,5

6,11

13,27

32,1847

2189,11109

13166,12956

15355,37021

43876, . . .

]

,

We may omit the first and the second entry. We start with the convergent56 and we obtain

S = eX −NY = 4058440557235

and[ S2

4N

]

= 63499851608

Hence, if we compute gcd(63499851608, 64505203569251) = 1. Then, we try fornext convergent 11

13 , we obtain

S = eX −NY = −2014440634619

and[ S2

4N

]

= 15644557299


Then, if we compute gcd(15644557299, 64505203569251) = 1. We proceed withthe next convergent which is 27

32 and we get

S = eX −NY = 29559287997

and[ S2

4N

]

= 3368544

Thus, we compute gcd(3368544, 64505203569251) = 35089 which leads to the

factorization of N since q = 35089 and p =√

Nq = 42989.

Now, we give an estimation of the number of the exponents e satisfying theequation eX −NY = (p2u+ q2v)Z. We begin by showing the following result.Suppose that u is an integer multiple of 2 and v is an integer multiple of 3and the public parameter e < N satisfies at most one equation eX − NY =(p2u+q2v)Z where the parametersX, Y and Z satisfy the condition in Theorem4.

Suppose that u, v ∈ N and the public parameter e < N satisfy at mostone equation eX − NY = (p2u + q2v)Z with gcd(X, (p2u + q2v)Z) = 1. Ob-serve that since gcd(X,N) = 1, then reduce the equation to e ≡ (p2u +q2v)ZX−1 (mod N). We describe the following lemma which show that differ-ent parameter X1, X2 define different exponents e1, e2.

Lemma 4. [13]. Let m and n be positive integers. Then

mφ(n)

n− 2ω(n) <

m∑

k=1gcd(k, n)=1

1 < mφ(n)

n+ 2ω(n)

where ω(n) is the number of distinct prime factors of n.

Proof. Let µ(d) be the Mobius function which is defined by µ(1) = 1,µ(d) = 0 if d is not square-free and µ(d) = (−1)ω(d) id d is square-free whereω(d) is the number of distinct prime factors of d. Then, from Legendre Theoremgives

m∑

k=1gcd(k, n)=1

1 =∑

d|nµ(d)

⌊m

d

⌋

.


This terminates the proof.

Lemma 5. Let N = p2q be RSA modulus with q < p < 2q and u, v ∈ N.For i = 1,2, let ei be two exponents satisfying eXi −NYi = (p2u+ q2v)Z withgcd(Xi, (p

2u+ q2v)Z) and Xi|Z| < N2|p2u+q2v| . Then X1 6= X2 and e1 6= e2.

Proof. Suppose that for i = 1, 2 and assume for contradiction that e1 = e2and e satisfying

(p2u+ q2v)ZX−11 ≡ (p2u+ q2v)ZX−1

2 (mod N) (2)

Rearrange (2), we obtain

(p2u+ q2v)Z(X−11 −X−1

2 ) ≡ 0 (mod N)

Then, we notice that, since gcd(Xi, (p2u+q2v)Z), thenX−1

2 −X−11 ≡ 0 (modN)

and X2 −X1 ≡ 0 (mod N). Then, we have

|X2 −X1| ≤ X2 +X1 < 2

(

N

2(p2u+ q2v)

)

< N (3)

Hence, X2 −X1 = 0 and X2 = X1. It follows that e1 = e2. This terminate theproof.

Here, the following theorem shows the result estimation of the weak expo-nents e with the structure e ≡ (p2u + q2v)X−1 (mod N) with gcd(X, (p2u +q2v)) = 1 and X < N

2(p2u+q2v) by applying Lemma 4 and Theorem 4 and we

consider only for the case when Z = 1.

Theorem 5. Let N = p2q be RSA modulus with q < p < 2q and u, v ∈ N.The number of exponents e satisfying e ≡ (p2u + q2v)X−1 (mod N) with

gcd(X, (p2u + q2v)) = 1 and X < N2(p2u+q2v)

where |p2u+ q2v| = N13+β is at

least N13−ε, ε > 0 is arbitrarily small for suitably large N .

Proof. Suppose the number of exponents satisfying

e ≡ (p2u+ q2v)X−1 (mod N)

with the condition of the theorem is

N =

B1∑

X=1gcd(X,p2u+q2v)=1

1. (4)


where

B1 =

⌊

N

2(p2u+ q2v)

⌋

Now, by using Lemma 4 with n = p2u+ q2v and m = B1, we obtain

B1φ(N)(p2u+ q2v)

p2u+ q2v−2ω(p

2u+q2v) < N < B1φ(N)(p2u+ q2v)

p2u+ q2v+2ω(p

2u+q2v) (5)

Notice that, 2ω(p2u+q2v) is the number of square free divisors of p2u+ q2v which

is upper bounded by the total number π(p2u + q2v) of divisors of p2u + q2v.Since π(n) satisfies π(n) = log log n ([6], Theorem 430-431).

Since n = p2u+q2v = N2/3+β andB1 =

⌊

N2(p2u+q2v)

⌋

, thenB1 =

⌊

12N

13−β

⌋

.

Hence, we obtain

N = B1φ(N)(p2u+ q2v)

p2u+ q2v= N− 1

3−2βφ(p2u+ q2v) (6)

By using ([6], Theorem 328)

φ(n) >cn

log log n(7)

Then, we substitute (7) in (6), we get

N =c(N

23+β)

log log (N23+β)

×N− 13−2β = N

13−β−ε

where we set N−ε = clog log N and ε > 0 is arbitrarily small for large N . This

terminates the proof.

4. The Second Attack

In this section, we propose our second attack. Suppose that we are given kmoduli Ni = p2i qi. We consider in this scenario that the following generalizedsystem of key equation given by eix − Niyi = (p2iu + q2i v)zi will provide usthe factor of each moduli which are all of the same size. We show that there,it is possible to factor k RSA moduli. This is achievable when the unknownparameters x, yi and zi are suitably small. We couple this information togetherwith the execution of the LLL algorithm to achieve our objective.


Theorem 6. For k ≥ 2, let Ni = p2i qi, 1 ≤ i ≤ k be k RSA modulieach with the same size N where N = mini Ni. Let ei, i = 1, ..., k be k publicexponents. Define δ = k

6 . Let u, v ∈ N such that u is an integer multiple of 2and v is an integer multiple of 3. If there exist an integer x < N δ and k integers

yi < N δ and |zi| <√2N1/2

|p2iu−q2i v|such that eix−Niyi = (p2i u+ q2i v)zi for i = 1, ..., k,

then one can factor the k RSA moduli N1, ...Nk in polynomial time.

Proof. For k ≥ 2 and i = 1, ..., k, starting with the equation eix − Niyi =(p2i u+ q2i v)zi, we obtain

∣

∣

∣

eiNi

x− yi

∣

∣

∣=

|(p2i u+ q2i v)zi|Ni

(8)

Let N = mini Ni and suppose that yi < N δ and |zi| <√2N1/2

|p2iu−q2i v|. We set

|p2iu− q2i v| > pi since we use the relation N1/3 < p < 21/3N1/3 and p2iu+ q2i v <2N2/3 then we will get

(p2i u+ q2i v)|zi|Ni

≤ (p2iu+ q2i v)|zi|N

≤(2N

23 )(√

2N1/2

N1/3

)

N

≤ 23/2N5/6

N

= 23/2N− 16 (9)

Plugging (9) in (8), we obtain∣

∣

∣

eiNi

x− yi

∣

∣

∣≤ 23/2N− 1

6

We now proceed to prove the existence of integer x. Let ε = 23/2N− 16 , δ = k

6 .We have

N δ · εk = 23k/2N δ− k6 = 23k/2

Then, since 23k/2 < 2k(k−3)

4 ·3k for k ≥ 2, we get N δ · εk < 2k(k−3)

4 ·3k. It followsthat if x < N δ, then x < 2

k(k−3)4 · 3k · ε−k. Summarizing for i = 1, ..., k, we have

∣

∣

∣

eiNi

x− yi

∣

∣

∣< ε, x < 2

k(k−3)4 · 3k · ε−k

It follows the condition of Theorem 3 are fulfilled will find x and yi for i =1, ..., k. Next, using the equation eix − Niyi = (p2iu + q2i v)zi and 1 < |zi| <


√2N1/2

|p2iu−q2i v|, this implies that uvZ2q =

[

S2

4N

]

for Si = eix−Niyi for each i = 1, ..., k,

we find qi = gcd([

S2i

4Ni

]

, Ni

)

. This leads to the factorization of k RSA moduli

N1, ..., Nk . This terminates the proof.

Example 2. As an illustration of this second attack, we consider thefollowing three RSA moduli and public exponents

N1 = 114000760222549864279781270853885152295461,

N2 = 228115095149010518316554945466909090873661,

N3 = 231236890212417970842411124690482829278481,

e1 = 109098385125715102458611794533226114000584,

e2 = 142008308621371178234527659441810463340520,

e3 = 155000153884152408505814407363292624088474.

Then,N = min(N1, N2, N3) = 114000760222549864279781270853885152295461.

Since k = 3, we get δ = k6 = 1

2 and ε = 23/2N− 16 ≈ 0.0000004061. Set u = 260

and v = 390. Then, by using (12) with n = k = 3, we find

C =[

3n+1 · 2(n+1)(n−4)

4 · ε−n−1]

= 1487807969515159755890958645.

Consider the lattice L spanned by the matrix

M =

1 −[Ce1/N1] −[Ce2/N2] −[Ce3/N3]0 C 0 00 0 C 00 0 0 C

.

Then, applying the LLL algorithm to L, we get a reduced basis with thematrix

K =

−20928770380 18379710443495355−821694325288669743815 −5307663688934081173953954727165130615012467 7632326057289218738043366893382339493311163 −6149573579215638802239

14570849265561705 146230411084835952473756275407667582000 −1797809971033007371660152563492536187551627 −11112950227262258087203072678888010902213063 4667676475378000743755

.


Now, we obtain

K ·M−1 =

−20928770380 −20028770393−821694325288669743815 −7863590012992354184973954727165130615012467 37846620187994476883183366893382339493311163 3222106854257955345071

−13028770767 −14028741809−511528714317654489673 −5507890490504395905682461933154455801268684 26508889589458960737722095989457524477103184 2256858721351764003931

.

From the first row, we deduce x = 20928770380, y1 = 20028770393, y2 =13028770767 and y3 = 14028741809. By using x and yi for i = 1, 2, 3, defineSi = eix − Niyi is an approximation of p2i u + q2i v. Hence, by using Lemma 2

and Theorem 4, this implies that uvZ2q =[

S2

4N

]

for Si = eix−Niyi. Then, we

obtain

S1 = 1408315151419853220300456815747,

S2 = 2234046567945829713849902729613,

S3 = 2272731290043918799693441887991.

Then, for each i = 1, 2, 3, we find[

S2i

4Ni

]

and we obtain

[ S21

4N1

]

= 4349426183314188600,[ S2

2

4N2

]

= 5469787153377900600,

[ S23

4N3

]

= 5584432821250709400.

For each i = 1, 2, 3, we find qi = gcd([

S2i

4Ni

]

, Ni

)

and we obtain

q1 = 42893749342349, q2 = 53942674096429, q3 = 55073301984721.

This leads us to the factorization of three RSA moduli N1, N2 and N3 which

p1 = 51553347319883, p2 = 65029554162953 p3 = 64797462962081.


5. The Third Attack

On the other hand, in this section, we propose our third attack. Suppose that weare given k moduli Ni = p2i qi. We consider in this scenario that the followinggeneralized system of key equation given by eixi − Niy = (p2i u + q2i v)zi willprovide us the factor of each moduli which are all of the same size. We showthat there, it is possible to factor k RSA moduli. This is achievable when theunknown parameters xi, y and zi are suitably small. We couple this informationtogether with the execution of the LLL algorithm to achieve our objective.

Theorem 7. For k ≥ 2, let Ni = p2i qi, 1 ≤ i ≤ k be k RSA modulieach with the same size N where N = maxi Ni. Let ei, i = 1, ..., k be kpublic exponents with mini ei = Nβ. Define δ = βk − 5k

6 . Let u, v ∈ N suchthat u is an integer multiple of 2 and v is an integer multiple of 3. If there

exist an integer y < N δ, k integers xi < N δ and |zi| <√2N1/2

|p2iu−q2i v|such that

eixi − Niy = (p2i u + q2i v)zi for i = 1, ..., k, then one can factor the k RSAmoduli N1, ..., Nk in polynomial time.

Proof. For k ≥ 2 and i = 1, ..., k, the equation eixi −Niy = (p2iu + q2i v)zi,we get

∣

∣

∣

Ni

eiy − xi

∣

∣

∣=

|(p2i u+ q2i v)zi|ei

(10)

Let N = maxi Ni and suppose that y < N δ, |zi| <√2N1/2

|p2iu−q2i v|and mini ei = Nβ.

We set |p2iu − q2i v| > pi since we use the relation N1/3 < p < 21/3N1/3 andp2iu+ q2i v < 2N2/3 then we will get

|(p2i u+ q2i v)zi|ei

≤ (p2iu+ q2i v)|zi|Nβ

<(2N

23 )

√2N1/2

|p2iu−q2i v|Nβ

<(2N

23 )(

√2N1/2

N1/3 )

Nβ

= 232N

56−β (11)

Plugging (11) in (10), we obtain

∣

∣

∣

Ni

eiy − xi

∣

∣

∣< 2

32N

56−β.


We now proceed to prove the existence of integer y and the integers xi. Letε = 2

32N

56−β, δ = βk − 5k

6 . Then, we obtain

N δ · εk = N δ(232N

56−β)k = 2

3k2 (N δ+ 5

6k−βk) = 2

32k.

Then, since 232k < 2

k(k−3)4 · 3k for k ≥ 2, we get N δ · εk < 2

k(k−3)4 · 3k. It follows

that if y < N δ, then y < 2k(k−3)

4 · 3k · ε−k. Summarizing for i = 1, ..., k, we get

∣

∣

∣

Ni

eiy − xi

∣

∣

∣< ε, y < 2

k(k−3)4 · 3k · ε−k, for i = 1, ..., k,

It follows the condition of Theorem 3 are fulfilled will find y and xi for i =1, ..., k. Next, by using the equation eixi − Niy = (p2iu + q2i v)zi and since

1 < |zi| <√2N1/2

|p2iu−q2i v|and this implies that uvZ2q =

[

S2

4N

]

for Si = eixi −Niy for

each i = 1, ..., k, we find qi = gcd([

S2i

4Ni

]

, Ni

)

. This leads to the factorization

of k RSA moduli N1, ..., Nk. This terminates the proof.

Example 3. As an illustration of the third attack, consider the followingthree RSA moduli and public exponents

N1 = 147314237626225897112311813588154268426541,

N2 = 237775916900172954272543791107506089080583,

N3 = 339469256280126448305842424969023615121683,

e1 = 114870922237709588771245579061028359832082,

e2 = 190060878414430430558257488372807936044696,

e3 = 285683325696348235446830296205564009730629.

Then,N = max(N1, N2, N3) = 339469256280126448305842424969023615121683.We also obtain min(e1, e2, e3) = Nβ with β ≈ 0.9886688835. Since k = 3 we

get δ = βk − 5k6 = 0.466006650 and ε = 2

32N

56−β ≈ 0.0000010007. Set u = 300

and v = 450. Then, by using (12) with n = k = 3, we find

C =[

3n+1 · 2(n+1)(n−4)

4 · ε−n−1]

= 40375135744077325436700551.

Consider the lattice L spanned by the matrix

M =

1 −[CN1/e1] −[CN2/e2] −[CN3/e3]0 C 0 00 0 C 00 0 0 C

.


Then, applying the LLL algorithm to L, we get a reduced basis with the matrixK

=

[

−3186595759 −666654400396680 −538317459032548 −502459761727128−80004816082475565419 −256706228905171710597 186745528335567423374 140520570411343159128−384981563884386646447 −58239693649250278240 37246015231993662609 37369006403280349418−137762503349110575602 −40146208250920113708 383386780152511327889 −357481563550077921439

]

.

Now, we obtainK ·M−1

=

[

−3186595759 −4086594899 −3986594899 −3786539833−80004816082475565419 −102600799732652192026 −100090132483550528817 −95067415461319812077−384981563884386646447 −493712982180297031867 −481631701936416978224 −457462488770877775947−137762503349110575602 −176671151924402499790 −172347964618324415739 −163699209399846282679

]

.

From the first row, we deduce y = 3186595759, x1 = 4086594899, x2 =3986594899 and x3 = 3786539833. By using y and xi for i = 1, 2, 3, defineSi = eixi − Niy is an approximation of p2iu + q2i v. Hence, by using Lemma 2

and Theorem 4, this implies that uvZ2q =[

S2

4N

]

for Si = eixi −Niy. Then, we

get

S1 = 1896689401488740578359644110099,

S2 = 2534050590627111611641312558207,

S3 = 3555263844990520758622991902560.

Next, for each i = 1, 2, 3, we find[

S2i

4Ni

]

and we get[

S21

4N1

]

= 6105028854792915000,[

S22

4N2

]

= 6751537833995145000,[

S23

4N3

]

= 9308575646881605000. For each

i = 1, 2, 3, we find qi = gcd([

S2i

4Ni

]

, Ni

)

and we obtain

q1 = 45222435961429, q2 = 50011391362927, q3 = 68952412199123.

This leads us to the factorization of three RSA moduli N1, N2 and N3 which

p1 = 57074929677173, p2 = 68952412199123, p3 = 70165801822561.

6. Conclusion

In conclusion, this paper presents three new attacks on RSA moduli type N =p2q. The first attack is based on the equation eX −NY = (p2u+ q2v)Z whereu is an integer multiple of 2 and v is an integer multiple of 3 together withsome conditions on the parameters. Continuing our work, we focused on the


system of generalized key equations of the form eix−Niyi = (p2i u+ q2i v)zi forthe second attack and in the form of eixi − Niy = (p2i u + q2i v)zi for the thirdattack. We proved the two attacks are successful when the parameters x, xi, y,yi and zi are suitably small. On top of that, we also proved that both of ourattacks enables us to factor k RSA moduli of the form Ni = p2i qi simultaneouslybased on LLL algorithm.

References

[1] M.A. Asbullah, Cryptanalysis on the Modulus N = p2q and Design of Rabin-Like Cryp-tosystem without Decryption Failure, PhD Thesis, Universiti Putra Malaysia, 2015.

[2] M.A. Asbullah, M.R.K. Ariffin, New attack on RSA with modulus N = p2q using con-tinued fractions, Journal of Physics, 622 (2015), 191-199.

[3] J. Blomer, A. May, A generalized Wiener attack on RSA, Practice and Theory inPublic Key Cryptography PKC 2004 LNCS Springer-Verlag, 2947 (2004), 1-13, doi:

10.1007/978-3-540-24632-9-1.

[4] D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less thanN0.292,Advance in Cryptology-Eurocrypt’99, Lecture Notes in Computer Science, 1592(1999), 1-11.

[5] B. de Weger, Cryptanalysis of RSA with small prime difference, Applicable Alge-bra in Engineering Communication and Computing, 13 No. 1 (2002), pages 17, doi:

10.1007/s002000100088.

[6] G. Hardy and E. Wright, An Introduction to the Theory of Numbers, Oxford UniversityPress, London, 1965.

[7] J. Hinek, On the Security of Some Variants of RSA, PhD Thesis, Waterloo, Ontario,Canada, 2007.

[8] N. Howgrave-Graham, J. Seifert, Extending Wiener attack in the presence of many de-crypting exponents, In: Secure Networking-CQRE (Secure)’99 Lecture Notes in Com-puter Science, 1740, Springer-Verlag (1999), 153-166.

[9] A.K. Lenstra, H.W. Lenstra, L. Lovasz, Factoring Polynomials with Rational Coefficients,Mathematische Annalen, 261(1982), 513-534, doi: 10.1007/BF01457454.

[10] A. May, New RSA Vulnerabilities Using Lattice Reduction Methods, PhD Thesis, Univer-sity of Paderborn, 2003.

[11] A. May, Secret exponent attacks on RSA-type scheme with moduli N = prq, In: PKC2004 LNCS, 2947, Springer-Verlag (2004), 218-230.

[12] A. Nitaj, Cryptanalysis of RSA using the ratio of the primes, Progress in Cryptology -AFRICACRYPT, Springer (2009), 98-115, doi: 10.1007/978-3-642-02384-2 7.

[13] A. Nitaj, A new vulnerable class of exponents in RSA, JP Journal of Algebra, NumberTheory and Applications, 21 No. 2 (2011a), 203-220.

[14] A. Nitaj, New weak RSA keys, JP Journal of Algebra, Number Theory and Applications,23 No. 2 (2011b), 131-148.


[15] A. Nitaj, M. Ariffin, D.I. Nassr, H.M. Bahig, New attacks on the RSA cryptosys-tem, Lecture Notes in Computer Science, 8469, Springer Verlag (2014), 178-198, doi:

10.1007/978-3-319-06734-6 12.

[16] T. Okamoto, S. Uchiyama, A new public-key cryptosystem as secure as factor-ing, In: Advances In Cryptology-EUROCRYPT’98, Springer (1998), 308-318, doi:

10.1007/BFb0054135.

[17] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures andpublic-key cryptosystems, Communication of the ACM, 21, No. 2 (1978), 17-28, doi:

10.1145/359340.359342.

[18] S. Sarkar, Small secret exponent attack on RSA variant with modulus N = prq, Designs,Codes and Cryptography, 73, No. 2, Springer (2014), 383-392, doi: 10.1007/s10623-014-9928-6.

[19] S. Sarkar, S. Maitra, Cryptanalysis of RSA with two decryption exponents, InformationProcessing Letters, 110 (2010), 178-181, doi: 10.1016/j.ipl.2009.11.016.

[20] T. Takagi, Fast RSA-type cryptosystem modulo pkq, Advances in Cryptology-CRYPTO’98, Springer (1998), 318-326, doi: 10.1007/BFb0055738.

[21] M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Transaction on Infor-mation Theory IT-36, 36 (1990), 553-558, doi: 10.1109/18.54902.

Appendix: Proof of Theorem 3

Proof. [9] Let ε ∈ (0, 1). Set

C =⌈

3n+1 · 2(n+1)(n−4)

4 · ε−n−1⌉

, (12)

where ⌈x⌉ is the integer greater than or equal to x. Consider the lattice Lspanned by the rows of the matrix

M =

1 −[Cα1] −[Cα2] · · · −[Cαn]0 C 0 · · · 00 0 C · · · 0...

......

. . ....

0 0 0 · · · C

,

where [x] is the nearest integer to x. The determinant of L is det(L) = Cn andthe dimension is n + 1. Applying the LLL algorithm, we find a reduced basis(b1, ..., bn+1) with

‖b1‖ ≤ 2n/4det(L)1/(n+1) = 2n/4Cn/(n+1).

Since b1 ∈ L, we can write b1 = ±[q, p1, p2, ..., pn]M , that is

b1 = ±[q, Cp1 − q[Cα1], Cp2 − q[Cα2], ..., Cpn − q[Cαn]], (13)

volume 110 no. 4 2016,587-607 - ijpam · the attacks work when k rsa public keys (n i,e i) are...

Documents