New Cryptanalysis of Prime Power RSA with Two Private Exponents

Abstract

Prime Power RSA is a variant of the RSA scheme due to Takagi with modulus $N=p^{r}q$ for $r⩾2$, where $p,q$ are of the same bit-size. In this paper, we concentrate on one type of Prime Power RSA which assumes $e·d\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1)$. Two new attacks on this type of Prime Power RSA are presented when given two pairs of public and private exponents, namely, $(e_1,d_1)$ and $(e_2,d_2)$ with the same modulus N. Suppose that $d_1<N^{{\beta }_1},d_2<N^{{\beta }_2}$. In 2015, Zheng and Hu showed that when ${\beta }_1{\beta }_2<{(r-1)}^3/{(r+1)}^3$, N may be factored in probabilistic polynomial time. The first attack of this paper shows that one can obtain the factorization of N in probabilistic polynomial time, provided that ${\beta }_1{\beta }_2<r/{(r+1)}^3$. Later, in the second attack, we improve both the first attack and the attack of Zheng and Hu, and show that the condition ${\beta }_1{\beta }_2<r{(r-1)}^2/{(r+1)}^3$ already suffices to break the Prime Power RSA. By introducing multiple parameters, our lattice constructions take full advantage of known information, and obtain the best known attack. Specifically, we make full use of the information that $p^r$ is a divisor of N, while the attack of Zheng and Hu only assumes that $p^{r-1}$ is a divisor of N. As a consequence, this method implies a better lattice construction, and thus improves the previous attack. The experiments which reach a better upper bound than before also verify it. Our approaches are based on Coppersmith’s method for finding small roots of bivariate modular polynomial equations.

1. Introduction

In 1977, Rivest, Shamir and Adleman [1] proposed the well-known RSA public key cryptosystem. From then on, RSA has played a very important role in cryptography, and has resulted in a wide variety of applications [2,3,4,5,6]. As a consequence, much effort has been made to evaluate the security of RSA. In this paper, we recall the lattice-based cryptanalysis of RSA and its variants, where Coppersmith’s method plays a pivotal part. Coppersmith’s method is to find small roots of v-variate modular polynomial equations or $(v+1)$-variate integer polynomial equations in polynomial time based on lattice basis reduction. Initially, in 1996, Coppersmith [7,8] obtained the results for the case of $v=1$. Later, the methods of Refs. [7,8] were reformulated by Howgrave-Graham [9] and Coron [10], respectively, in simpler ways, which have been widely adopted by researchers for cryptanalysis. The two reformulations by Howgrave-Graham and Coron can also be extended to the case of $v⩾2$, in which the results are based on an assumption and thus are heuristic. In general, the reformulations are used when we refer to Coppersmith’s method.

As a powerful tool in the field of cryptanalysis, Coppersmith’s method has been used extensively to study the security of RSA and its variants. Let $N=pq$ be the RSA modulus, where the primes $p,q$ are of the same bit-size. Denote the public exponent by e and the private exponent by d; thus, we have $e·d\equiv 1\mathrm{mod}\phi \left(N\right)$, where $\phi (·)$ is Euler’s totient function. In Eurocrypt 1999, based on Coppersmith’s method, Boneh and Durfee [11] showed that N may be factored in polynomial time when $d<N^{1-{\displaystyle \frac{\sqrt{2}}{2}}}\approx N^{0.292}$, which improved Wiener’s result $d<N^{0.25}$ in Ref. [12]. As far as the authors know, the result $d<N^{0.292}$ is the best small private exponent attack up to now. Although several papers [13,14,15,16,17] revisited the work, none of them improved Boneh and Durfee’s bound. Generalizations of the small private exponent attack on RSA have also been considered when there are multiple public/private key pairs $(e_1,d_1),\cdots ,(e_n,d_n)$ for the same RSA modulus N. See Refs. [18,19,20,21,22] for details of these generalizations.

In order to have a faster decryption process and keep security at the same time, Takagi [23] proposed a new cryptosystem based on RSA in Crypto 1998. This variant of RSA, usually called Prime Power RSA, assumed that modulus $N=p^{r}q$ for $r⩾2$, where $p,q$ are also of the same bit-size. There are two types of Prime Power RSA according to the definition of $e,d$. In the first type, $e·d\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1)$, while in the second type, $e·d\equiv 1\mathrm{mod}(p-1)(q-1)$. In CT-RSA 2008, Itoh, Kunihiro and Kurosawa [24] proved that polynomial time factorization of N is possible for the second type if $d<N^{{\displaystyle \frac{2-\sqrt{2}}{r+1}}}$. For the first type, Takaga [23] initially showed that Wiener’s continued fraction attack is effective for the small private exponent $d<N^{{\displaystyle \frac{1}{2(r+1)}}}$. Later, in PKC 2004, May [25] presented new attacks based on Coppersmith’s method when $d<N^{{\displaystyle \frac{{(r-1)}^2}{{(r+1)}^2}}}$ or $d<N^{{\displaystyle \frac{r}{{(r+1)}^2}}}$. Both two bounds of May are improved up to $d<N^{{\displaystyle \frac{r(r-1)}{{(r+1)}^2}}}$ by Lu et al. [26] in Asiacrypt 2015. Furthermore, Sarkar [27,28] improved the bounds of May and Lu et al. for some small r.

This paper concentrates on the first type of Prime Power RSA, namely, $e·d\equiv 1\mathrm{mod}{p}^{r-1}$ $(p-1)(q-1)$. Just like cryptanalysis of RSA with multiple small private exponents [18,19,20,21,22], we study small private exponent attacks on the first type of Prime Power RSA when given two pairs of public and private exponents, namely, $(e_1,d_1)$ and $(e_2,d_2)$ with the same modulus N. Suppose $d_1<N^{{\beta }_1},d_2<N^{{\beta }_2}$. In 2015, Zheng and Hu [29] showed that when ${\beta }_1{\beta }_2<{(r-1)}^3/{(r+1)}^3$, N may be factored in probabilistic polynomial time. In this paper, we present two new small private exponent attacks. The first attack shows that one can obtain the factorization of N in probabilistic polynomial time, provided that ${\beta }_1{\beta }_2<r/{(r+1)}^3$, which is better than Ref. [29] when $r=2$. Later in the second attack, we improve both the result ${\beta }_1{\beta }_2<{(r-1)}^3/{(r+1)}^3$ and the result ${\beta }_1{\beta }_2<r/{(r+1)}^3$ up to ${\beta }_1{\beta }_2<r{(r-1)}^2/{(r+1)}^3$ for any $r⩾2$. Just like Ref. [29], our attacks are based on Coppersmith’s method for finding small roots of bivariate modular polynomial equations. Thus, our results also rely on Assumption 1, which is introduced in Section 2 and examined through experiments in Section 5. We present our results as follows:

Theorem 1.

Let $N=p^{r}q$ ($r⩾2$) be a known modulus of Prime Power RSA, where primes $p,q$ are of the same bit-size. Select $e_1,e_2,d_1,d_2\in {\mathbb{Z}}^{+}$ such that $e_1·d_1\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1),e_2·d_2\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1)$, and $e_1,e_2\approx N,d_1<N^{{\beta }_1},d_2<N^{{\beta }_2}$. Then, under Assumption 1, N can be factored in probabilistic polynomial time if

$${\beta }_1{\beta }_2<r/{(r+1)}^3.$$

Theorem 2.

Notations are defined as Theorem 1. Then, under Assumption 1, N can be factored in probabilistic polynomial time if

$${\beta }_1{\beta }_2<r{(r-1)}^2/{(r+1)}^3.$$

Theorems 1 and 2 can also be extended to partial key exposure attacks just like Ref. [29]. Suppose that for $i=1,2$, we have $d_i=d_i^{\prime }+\widetilde{d_i}$, where MSBs (Most Significant Bits) $d_i^{\prime }$ is known and $\widetilde{d_i}<N^{{\gamma }_i}$, or we have $d_i=\widetilde{d_i}M+d_i^{\prime }$, where LSBs (Least Significant Bits) $d_i^{\prime }$ is known and $\widetilde{d_i}<N^{{\gamma }_i}$. Then, partial key exposure attack corresponding to Theorem 1 implies that N can be factored in probabilistic polynomial time if ${\gamma }_1{\gamma }_2<r/{(r+1)}^3$. And similarly, one can obtain ${\gamma }_1{\gamma }_2<r{(r-1)}^2/{(r+1)}^3$ from Theorem 2. Proof of these two partial key exposure attacks is just the same as proof of Theorem 1 and Theorem 2 according to the analysis in Ref. [29].

Finally, we summarize related works and our contributions, which are given in Table 1. There are three attacks with one small private exponent, including May’s two results in Ref. [25] and Lu et al.’s result in Ref. [26]. For attacks with two small private exponents, Table 1 illustrates that Zheng and Hu’s result, namely, Ref. [29] Theorem 1, is a generalization of Ref. [25] Theorem 6. Similarly, our contributions, namely, Theorems 1 and 2, are obtained as generalizations of Ref. [25] Theorem 3 and Ref. [26] Theorem 4.

Table 1. Related works and our contributions of attacks on Prime Power RSA with modulus $N=p^{r}q$.

One Small Private Exponent	$\mathit{d}<{\mathit{N}}^{\mathit{\beta }}$	Two Small Private Exponents	${\mathit{d}}_1<{\mathit{N}}^{{\mathit{\beta }}_1},{\mathit{d}}_2<{\mathit{N}}^{{\mathit{\beta }}_2}$
Ref. [25], Theorem 6 (May)	$\beta <{(r-1)}^2/{(r+1)}^2$	Ref. [29], Theorem 1 (Zheng and Hu)	${\beta }_1{\beta }_2<{(r-1)}^3/{(r+1)}^3$
Ref. [25], Theorem 3 (May)	$\beta <r/{(r+1)}^2$	Theorem 1 in this paper	${\beta }_1{\beta }_2<r/{(r+1)}^3$
Ref. [26], Theorem 4 (Lu et al.)	$\beta <r(r-1)/{(r+1)}^2$	Theorem 2 in this paper	${\beta }_1{\beta }_2<r{(r-1)}^2/{(r+1)}^3$

We note that Coppersmith’s method is also powerful for cryptanalysis of other RSA variants, such as the CRT-RSA. One can refer to Refs. [30,31,32] for details, which present small private exponent attack, partial key exposure attack and other cryptanalysis for the RSA variant using CRT (Chinese Remainder Theorem) exponents.

The rest of this paper is organized as follows: In Section 2, we introduce the lattice-based Coppersmith’s method, mainly including Howgrave-Graham’s lemma and the LLL algorithm. Section 3 presents our first attack modulo p, and thus completes the proof of Theorem 1. Similarly, our second attack modulo $p^{r-1}$ is given and Theorem 2 is proved in Section 4. In Section 5, we examine the justification of our approaches through some experiments. Section 6 presents the conclusions.

2. Preliminaries

In this section, we introduce Coppersmith’s method for finding small roots of bivariate modular polynomial equations, which will be used in our attacks in Section 3 and Section 4. First of all, let us recall the definition of a lattice.

Definition 1.

Let $\overrightarrow{b_1},\overrightarrow{b_2},\cdots ,\overrightarrow{b_{\omega }}\in {\mathbb{R}}^s$ be linearly independent row vectors for $\omega ⩽s$. A lattice Λ generated by $\overrightarrow{b_1},\overrightarrow{b_2},\cdots ,\overrightarrow{b_{\omega }}$ is the set of all integral linear combinations of these vectors:

$$\begin{array}{ccc}\Lambda \hfill & =& {\mathrm{span}}_{\mathbb{Z}}(\overrightarrow{b_1},\overrightarrow{b_2},\cdots ,\overrightarrow{b_{\omega }})\hfill \\ & =& \left\{{\displaystyle \sum _{i=1}^{\omega }}{x}_i\overrightarrow{b_i}|x_i\in \mathbb{Z},i=1,2,\cdots ,\omega \right\}.\hfill \end{array}$$

We call s the dimension of $\Lambda$ and $\omega$ its rank. Row vectors $\overrightarrow{b_1},\overrightarrow{b_2},\cdots ,\overrightarrow{b_{\omega }}$ are a basis of $\Lambda$, and we denote the basis as a matrix, called the basis matrix of $\Lambda$:

$$\mathcal{B}=\left(\begin{array}{c}\overrightarrow{b_1}\\ \overrightarrow{b_2}\\ \cdots \\ \overrightarrow{b_{\omega }}\end{array}\right)\in {\mathbb{R}}^{\omega \times s}.$$

The determinant of $\Lambda$ is defined as $det(\Lambda )=\sqrt{det\left(\mathcal{B}{\mathcal{B}}^T\right)}$, which is independent of the choice of basis and only determined by $\Lambda$. This paper only considers lattices for the case of $\omega =s$. Thus, $\mathcal{B}$ is a square matrix and $det(\Lambda )=|det\mathcal{B}|$.

For example, let $\omega =s=2$ and $\overrightarrow{b_1}=(5,5),\overrightarrow{b_2}=(2,0)$, then the lattice generated by $\overrightarrow{b_1},\overrightarrow{b_2}$ is defined as $\{x_1·(5,5)+x_2·(2,0)|x_1,x_2\in \mathbb{Z}\}$. It is easy to find a short vector in a lattice for small dimension s. However, it becomes difficult as s grows. A lot of cryptanalysis works rely on finding short vectors in a high-dimension lattice. Thus, we must introduce the famous LLL algorithm as follows:

In 1982, Lenstra et al. [33] proposed the LLL algorithm for lattice basis reduction. It allows one to find short vectors in a lattice in polynomial time. The proof of the following fact can be found in Ref. [34]. The norm of a vector $\overrightarrow{v_i}=(v_{i1},v_{i2},\cdots ,v_{is})$ is defined as ${\parallel \overrightarrow{v_i}\parallel }_2=\sqrt{v_{i1}^2+v_{i2}^2+\cdots +v_{is}^2}$, for some positive integer i.

Proposition 1

(LLL). Let s be the dimension (and the rank) of Λ. Given a basis (square) matrix $\mathcal{B}$ of Λ, the LLL algorithm outputs an LLL-reduced basis $\overrightarrow{v_1},\overrightarrow{v_2},\cdots ,\overrightarrow{v_s}$ satisfying

$${\parallel \overrightarrow{v_1}\parallel }_2,{\parallel \overrightarrow{v_2}\parallel }_2,\cdots ,{\parallel \overrightarrow{v_i}\parallel }_2⩽2^{{\displaystyle \frac{s(s-1)}{4(s-i+1)}}}det{(\Lambda )}^{{\displaystyle \frac{1}{s-i+1}}}(1⩽i⩽s)$$

in polynomial time in s and in the bit sizes of the entries of the basis matrix $\mathcal{B}$.

Next, we introduce the following useful lemma due to Howgrave-Graham [9]. The norm of a polynomial $h(x_1,\cdots ,x_n)=\sum a_{t_1,\cdots ,t_n}{x}_1^{t_1}\cdots x_n^{t_n}$ is defined as $\parallel h(x_1,\cdots ,x_n){\parallel }_2=\sqrt{\sum |a_{t_1,\cdots ,t_n}{|}^2}$.

Lemma 1

(Howgrave-Graham). Let $h(x_1,\cdots ,x_v)\in \mathbb{Z}[x_1,\cdots ,x_v]$ be a polynomial that consists of at most s monomials. Suppose that there exists $(x_1^{\left(0\right)},\cdots ,x_v^{\left(0\right)})\in {\mathbb{Z}}^v$ satisfying

$$h(x_1^{\left(0\right)},\cdots ,x_v^{\left(0\right)})\equiv 0\mathrm{mod}V,|x_1^{\left(0\right)}|<X_1,\cdots ,\left|x_v^{\left(0\right)}\right|<X_v,$$

and we have

$$\parallel h(X_1{x}_1,\cdots ,X_v{x}_v){\parallel }_2<V/\sqrt{s}.$$

Then, $h(x_1^{\left(0\right)},\cdots ,x_v^{\left(0\right)})=0$ holds over the integers.

Combining Proposition 1 with Lemma 1, one can analyse the bounds for the small roots. The method is called Coppersmith’s method, which has been widely adopted by researchers for lattice-based cryptanalysis of RSA. Now, we summarize Coppersmith’s method for the case of bivariate modular polynomial equations as follows:

Finding small roots of bivariate modular polynomial equations can be described as finding each root $(x_1^{\left(0\right)},x_2^{\left(0\right)})\in {\mathbb{Z}}^2$ of

$$h_0(x_1,x_2)\equiv 0\mathrm{mod}W,|x_1|<X_1,\left|x_2\right|<X_2.$$

Let m be a positive integer, and find a subset ${\Lambda }^{*}$ of $\mathbb{Z}[x_1,x_2]$ satisfying

$$h(x_1^{\left(0\right)},x_2^{\left(0\right)})\equiv 0\mathrm{mod}{W}^m,\forall h(x_1,x_2)\in {\Lambda }^{*}.$$

Given an order of some monomials of $\mathbb{Z}[x_1,x_2]$, there is a one-to-one correspondence between a polynomial $h(x_1,x_2)$ in ${\Lambda }^{*}$ and a vector in a subset $\Lambda$ of ${\mathbb{R}}^s$, and components of the vector are coefficients of $h(X_1{x}_1,X_2{x}_2)$ in order of the corresponding monomials. For example, if $s=4$ and the monomial order is defined such that $1\prec x_1\prec x_2\prec x_1{x}_2$, we know that the polynomial $2+x_2+6x_1{x}_2$ corresponds to the vector $(2,0,X_2,6X_1{X}_2)$. $\Lambda$ is also required to be a lattice of dimension s. Combining Proposition 1 for $i=2$ with Lemma 1 for $v=2$ and $V=W^m$, if

$$2^{{\displaystyle \frac{s}{4}}}det{(\Lambda )}^{{\displaystyle \frac{1}{s-1}}}<W^m/\sqrt{s}$$

(1)

is satisfied, by running the LLL algorithm, one can obtain two polynomials $g_1(x_1,x_2),g_2(x_1,x_2)$, both of which share the desired root $(x_1^{\left(0\right)},x_2^{\left(0\right)})$ as a common root over the integers. Then, Coppersmith’s method needs the following assumption:

Assumption 1.

Polynomials obtained by our lattice-based method are algebraically independent, and the common roots of these polynomials can be efficiently computed using techniques like calculation of the resultants or finding a Gröbner basis.

Since Assumption 1 is heuristic, we need to perform experiments to examine it in our attacks, which is done in Section 5. In our experiments, we choose to extract the desired root $(x_1^{\left(0\right)},x_2^{\left(0\right)})$ by computing the resultants of $g_1(x_1,x_2)$ and $g_2(x_1,x_2)$. See Section 5 for these details.

Notice that Inequality (1) is equivalent to $2^{{\displaystyle \frac{s(s-1)}{4}}}{s}^{{\displaystyle \frac{s-1}{2}}}det(\Lambda )<W^{m(s-1)}.$ In fact, researchers often ignore terms that do not depend on W. Thus, we obtain

$$det(\Lambda )<W^{m(s-1)}.$$

(2)

According to the analysis above, under Assumption 1, using Coppersmith’s method to find small roots of bivariate modular polynomial equations just requires the condition Inequality (2).

3. First Attack: Solving Simultaneous Equations Modulo $\mathit{p}$

This section will present our first attack, and thus complete the proof of Theorem 1. Recall the notations defined in Theorem 1 at first. Let $N=p^{r}q$ ($r⩾2$) be a known modulus of Prime Power RSA, where primes $p,q$ are of the same bit-size. Select $e_1,e_2,d_1,d_2\in {\mathbb{Z}}^{+}$ such that $e_1·d_1\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1),e_2·d_2\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1)$, and $e_1,e_2\approx N,d_1<N^{{\beta }_1},d_2<N^{{\beta }_2}$. Here, ${\beta }_1,{\beta }_2\in {\mathbb{R}}^{+}$ are chosen as ${\beta }_1={\log }_N{d}_1+{ϵ}_1,{\beta }_2={\log }_N{d}_2+{ϵ}_2$, for some very small ${ϵ}_1,{ϵ}_2\in {\mathbb{R}}^{+}$ nearly equal to 0.

For $i=1,2$, since $e_i{d}_i\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1)$, there exists integer $k_i$ such that

$$e_i{d}_i-1=p^{r-1}(p-1)(q-1)k_i.$$

(3)

In this section, we consider simultaneous equations modulo p. Since $r⩾2$, it is obvious that p divides $p^{r-1}$. Thus, Equation (3) implies

$$e_i{d}_i-1\equiv 0\mathrm{mod}p.$$

Let $e_i^{\prime }$ be the inverse of $e_i$ modulo N, and then we have

$$d_i-e_i^{\prime }\equiv 0\mathrm{mod}p.$$

(4)

If $e_i^{\prime }$ does not exist, we can obtain the factorization of N by computing the greatest common divisors of $e_i$ and N. From Equation (4), we know that $(x_1,x_2)=(d_1,d_2)$ is a solution of

$$\begin{array}{c}\left\{\begin{array}{c}{x}_1-e_1^{\prime }\equiv 0\mathrm{mod}p,\hfill \\ x_2-e_2^{\prime }\equiv 0\mathrm{mod}p,\hfill \end{array}\right.\hfill \end{array}$$

which is also equivalent to

$$\begin{array}{c}\left\{\begin{array}{c}{(x_1-e_1^{\prime })}^r\equiv 0\mathrm{mod}{p}^r,\hfill \\ {(x_2-e_2^{\prime })}^r\equiv 0\mathrm{mod}{p}^r.\hfill \end{array}\right.\hfill \end{array}$$

For a positive integer m, we define the following shift polynomials:

$$\begin{array}{c}{f}_{i_1,i_2,j_1,j_2}(x_1,x_2)=\hfill \\ {\left[{(x_1-e_1^{\prime })}^r\right]}^{i_1}{\left[{(x_2-e_2^{\prime })}^r\right]}^{i_2}{x}_1^{j_1}{x}_2^{j_2}{N}^{max\{m-i_1-i_2,0\}},\hfill \end{array}$$

where $|x_1|<X_1:=N^{{\beta }_1},\left|x_2\right|<X_2:=N^{{\beta }_2}$. Let $W=p^r$, and then one can check that all polynomials $f_{i_1,i_2,j_1,j_2}(x_1,x_2)$ share the common root $(d_1,d_2)$ modulo $W^m$. To construct the basis matrix $\mathcal{B}$ of our lattice $\Lambda$, we select the shift polynomials $f_{i_1,i_2,j_1,j_2}(x_1,x_2)$, where $(i_1,i_2,j_1,j_2)$ belongs to

$$\begin{array}{c}\{(i_1,i_2,j_1,j_2)|i_k=\lfloor {\displaystyle \frac{t_k}{r}}\rfloor ,j_k=t_k-r{i}_k\mathrm{for}k=1,2,\\ \mathrm{where}{t}_1,t_2\in {\mathbb{Z}}^{+}\cup \left\{0\right\},{\beta }_1{t}_1+{\beta }_2{t}_2⩽{\displaystyle \frac{r}{r+1}}m\}.\end{array}$$

It implies that the shift polynomials $f_{i_1,i_2,j_1,j_2}(x_1,x_2)$ are chosen for

$$\begin{array}{c}{\beta }_1(r{i}_1+j_1)+{\beta }_2(r{i}_2+j_2)⩽{\displaystyle \frac{r}{r+1}}m,\\ \mathrm{where}{j}_1,j_2\in \{0,1,2,\cdots ,r-1\}.\end{array}$$

Define the monomial order ≺ as $x_1^{k_1}{x}_2^{k_2}\prec x_1^{l_1}{x}_2^{l_2}$ if $k_1+k_2<l_1+l_2$ or $k_1+k_2=l_1+l_2,k_1>l_1$. Then, the coefficient vectors of $f_{i_1,i_2,j_1,j_2}(X_1{x}_1,X_2{x}_2)$ are determined according to ≺, and thus we acquire the basis matrix $\mathcal{B}$ that consists of these coefficient vectors.

Just as (Ref. [29], Table 1), Table 2 in this paper illustrates an example of $\mathcal{B}$ with parameters $m=1,r=2,{\beta }_1=0.2,{\beta }_2=0.2$. Here, we use the polynomial $f_{0,1,1,0}$ in Table 2 to show the one-to-one correspondence between a polynomial and a row vector of the basis matrix $\mathcal{B}$. We have $m=1,r=2$, and $f_{0,1,1,0}(x_1,x_2)={\left[{(x_1-e_1^{\prime })}^2\right]}^0{\left[{(x_2-e_2^{\prime })}^2\right]}^1{x}_1^1{x}_2^0{N}^{max\{1-0-1,0\}}={(x_2-e_2^{\prime })}^2{x}_1={e_2^{\prime }}^2{x}_1-2e_2^{\prime }{x}_1{x}_2+x_1{x_2}^2$. Thus, one can obtain $f_{0,1,1,0}(X_1{x}_1,X_2{x}_2)={e_2^{\prime }}^2{X}_1{x}_1-2e_2^{\prime }{X}_1{X}_2{x}_1{x}_2+X_1{X_2}^2{x}_1{x_2}^2$. Considering the corresponding coefficients to the monomials $1,x_1,x_2,x_1^2,x_1{x}_2,x_2^2,x_1^3,x_1^2{x}_2,x_1{x}_2^2,x_2^3$, from $f_{0,1,1,0}(X_1{x}_1,X_2{x}_2)$, we obtain a row vector $(0,{e_2^{\prime }}^2{X}_1,$$0,0,-2e_2^{\prime }{X}_1{X}_2,0,0,0,X_1{X_2}^2,0)$ or simply $(0,*,0,0,*,0,0,0,X_1{X_2}^2,0)$ for the basis matrix $\mathcal{B}$. Here, the notation * denotes a non-zero value for the off-diagonal entries of $\mathcal{B}$, and these non-zero values are not important.

Table 2. Basis matrix $\mathcal{B}$ with $m=1$ when $r=2,{\beta }_1=0.2,{\beta }_2=0.2$.

${\mathit{f}}_{{\mathit{i}}_1,{\mathit{i}}_2,{\mathit{j}}_1,{\mathit{j}}_2}$	1	${\mathit{x}}_1$	${\mathit{x}}_2$	${\mathit{x}}_1^2$	${\mathit{x}}_1{\mathit{x}}_2$	${\mathit{x}}_2^2$	${\mathit{x}}_1^3$	${\mathit{x}}_1^2{\mathit{x}}_2$	${\mathit{x}}_1{\mathit{x}}_2^2$	${\mathit{x}}_2^3$
$f_{0,0,0,0}$	N
$f_{0,0,1,0}$		$X_{1}N$
$f_{0,0,0,1}$			$X_{2}N$
$f_{1,0,0,0}$	*	*		$X_1^2$
$f_{0,0,1,1}$					$X_1{X}_{2}N$
$f_{0,1,0,0}$	*		*			$X_2^2$
$f_{1,0,1,0}$		*		*			$X_1^3$
$f_{1,0,0,1}$			*		*			$X_1^2{X}_2$
$f_{0,1,1,0}$		*			*				$X_1{X}_2^2$
$f_{0,1,0,1}$			*			*				$X_2^3$

As Table 2 shows, the basis matrix $\mathcal{B}$ is a lower triangular square matrix. Among the off-diagonal entries of $\mathcal{B}$, some are zero and we denote other non-zero entries as * in Table 2. Since the diagonal entries of $\mathcal{B}$ are clear, one can simply calculate its determinant as $det(\Lambda )=|det\mathcal{B}|=N·X_{1}N·X_{2}N·X_1^2·X_1{X}_{2}N·X_2^2·X_1^3·X_1^2{X}_2·X_1{X}_2^2·X_2^3=X_1^{10}{X}_2^{10}{N}^4$.

Generally speaking, let $det(\Lambda )=X_1^{s_1}{X}_2^{s_2}{N}^{s_N}$, and define the sets

$$\begin{array}{ccc}\mathcal{R}\hfill & :=& \{(t_1,t_2)\in {\mathbb{N}}^2|{\beta }_1{t}_1+{\beta }_2{t}_2⩽{\displaystyle \frac{r}{r+1}}m\},\hfill \\ \mathcal{S}\hfill & :=& \{(i_1,i_2)\in {\mathbb{N}}^2|i_1+i_2=0,1,2,\cdots ,m\}.\hfill \end{array}$$

Then, we have

$$\begin{array}{ccc}{s}_1\hfill & =& \sum _{(t_1,t_2)\in \mathcal{R}}{t}_1\hfill \\ & =& \sum _{t_1=0}^{\lfloor {\displaystyle \frac{r}{r+1}}m/{\beta }_1\rfloor }\sum _{t_2=0}^{\lfloor ({\displaystyle \frac{r}{r+1}}m-{\beta }_1{t}_1)/{\beta }_2\rfloor }{t}_1\hfill \\ & =& {\displaystyle \frac{1}{6{\beta }_1^2{\beta }_2}}{\left({\displaystyle \frac{r}{r+1}}\right)}^3{m}^3+o\left(m^3\right),\hfill \\ s_2\hfill & =& \sum _{(t_1,t_2)\in \mathcal{R}}{t}_2\hfill \\ & =& \sum _{t_2=0}^{\lfloor {\displaystyle \frac{r}{r+1}}m/{\beta }_2\rfloor }\sum _{t_1=0}^{\lfloor ({\displaystyle \frac{r}{r+1}}m-{\beta }_2{t}_2)/{\beta }_1\rfloor }{t}_2\hfill \\ & =& {\displaystyle \frac{1}{6{\beta }_1{\beta }_2^2}}{\left({\displaystyle \frac{r}{r+1}}\right)}^3{m}^3+o\left(m^3\right),\hfill \\ s_N\hfill & =& \sum _{(i_1,i_2)\in \mathcal{S}}{r}^2(m-i_1-i_2)\hfill \\ & =& \sum _{I=0}^m(I+1)r^2(m-I)\hfill \\ & =& {\displaystyle \frac{1}{6}}{r}^2{m}^3+o\left(m^3\right).\hfill \end{array}$$

Let s denote the dimension of $\Lambda$, and we can calculate

$$\begin{array}{ccc}s\hfill & =& \sum _{(t_1,t_2)\in \mathcal{R}}1\hfill \\ & =& \sum _{t_1=0}^{\lfloor {\displaystyle \frac{r}{r+1}}m/{\beta }_1\rfloor }\sum _{t_2=0}^{\lfloor ({\displaystyle \frac{r}{r+1}}m-{\beta }_1{t}_1)/{\beta }_2\rfloor }1\hfill \\ & =& {\displaystyle \frac{1}{2{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r}{r+1}}\right)}^2{m}^2+o\left(m^2\right).\hfill \end{array}$$

According to the definitions of the shift polynomials $f_{i_1,i_2,j_1,j_2}(x_1,x_2)$, we know all of them share the common root $(d_1,d_2)$ modulo $W^m$, where $W=p^r$. Thus, all integral linear combinations of these $f_{i_1,i_2,j_1,j_2}(x_1,x_2)$ also share the common root $(d_1,d_2)$ modulo $W^m$. Furthermore, we construct a lattice $\Lambda$, each vector of which can be exactly written as the coefficient vector of a polynomial, which is an integral linear combination of $f_{i_1,i_2,j_1,j_2}(X_1{x}_1,X_2{x}_2)$. Then, just as described in Section 2 (Preliminaries), under Assumption 1, using Coppersmith’s method to find the small common root $(d_1,d_2)$ just requires the condition Inequality (2), namely, $det(\Lambda )<W^{m(s-1)}$, where $W=p^r$. (We note that after the private exponents $d_1,d_2$ are obtained, either of them can yield the factorization of N in probabilistic polynomial time [35], Chapter 4.6.1).

From condition $det(\Lambda )<{\left(p^r\right)}^{m(s-1)}$ and calculation of $det(\Lambda )$ and s, we have

$$\begin{array}{cc}& X_1^{{\displaystyle \frac{1}{6{\beta }_1^2{\beta }_2}}{\left({\displaystyle \frac{r}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}{X}_2^{{\displaystyle \frac{1}{6{\beta }_1{\beta }_2^2}}{\left({\displaystyle \frac{r}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}{N}^{{\displaystyle \frac{1}{6}}{r}^2+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}\hfill \\ <& {\left(p^r\right)}^{{\displaystyle \frac{1}{2{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r}{r+1}}\right)}^2+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}.\hfill \end{array}$$

Since primes $p,q$ are of the same bit-size, we have $p^r\approx N^{{\displaystyle \frac{r}{r+1}}}$. Together with $X_1=N^{{\beta }_1},X_2=N^{{\beta }_2}$, it is obtained that

$$\begin{array}{cc}& N^{{\displaystyle \frac{1}{6{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}{N}^{{\displaystyle \frac{1}{6{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}{N}^{{\displaystyle \frac{1}{6}}{r}^2+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}\hfill \\ <& N^{{\displaystyle \frac{1}{2{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}.\hfill \end{array}$$

Take $m\to \infty$ and omit term ${\displaystyle \frac{o\left(m^3\right)}{m^3}}$; then, we have

$${\displaystyle \frac{1}{6{\beta }_1{\beta }_2}}{({\displaystyle \frac{r}{r+1}})}^3+{\displaystyle \frac{1}{6{\beta }_1{\beta }_2}}{({\displaystyle \frac{r}{r+1}})}^3+{\displaystyle \frac{1}{6}}{r}^2<{\displaystyle \frac{1}{2{\beta }_1{\beta }_2}}{({\displaystyle \frac{r}{r+1}})}^3,$$

which finally reduces to

$${\beta }_1{\beta }_2<r/{(r+1)}^3.$$

The running time of our first attack is analogous to the attack in Ref. [29]. Thus, Theorem 1 follows.

4. Second Attack: Solving Simultaneous Equations Modulo ${\mathit{p}}^{\mathit{r}-\mathbf{1}}$

In this section, we present the second attack, and thus complete the proof of Theorem 2. Similarly, recall the notations at first. Let $N=p^{r}q$ ($r⩾2$) be a known modulus of Prime Power RSA, where the primes $p,q$ are of the same bit-size. Select $e_1,e_2,d_1,d_2\in {\mathbb{Z}}^{+}$ such that $e_1·d_1\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1),e_2·d_2\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1)$, and $e_1,e_2\approx N,d_1<N^{{\beta }_1},d_2<N^{{\beta }_2}$. Here, ${\beta }_1,{\beta }_2\in {\mathbb{R}}^{+}$ are also chosen as ${\beta }_1={\log }_N{d}_1+{ϵ}_1,{\beta }_2={\log }_N{d}_2+{ϵ}_2$, for some very small ${ϵ}_1,{ϵ}_2\in {\mathbb{R}}^{+}$ nearly equal to 0.

This section pays attention to simultaneous equations modulo $p^{r-1}$. Note that for $i=1,2$, Equation (3) also implies

$$e_i{d}_i-1\equiv 0\mathrm{mod}{p}^{r-1},$$

which is equivalent to

$$d_i-e_i^{\prime }\equiv 0\mathrm{mod}{p}^{r-1}.$$

where $e_i^{\prime }$ is the inverse of $e_i$ modulo N. Thus, $(x_1,x_2)=(d_1,d_2)$ is also a solution of

$$\begin{array}{c}\left\{\begin{array}{c}{x}_1-e_1^{\prime }\equiv 0\mathrm{mod}{p}^{r-1},\hfill \\ x_2-e_2^{\prime }\equiv 0\mathrm{mod}{p}^{r-1}.\hfill \end{array}\right.\hfill \end{array}$$

Note that our first attack in Section 3 begins with $e_i{d}_i-1\equiv 0\mathrm{mod}p$, though $e_i{d}_i-1\equiv 0\mathrm{mod}{p}^{r-1}$ also holds. Thus, our first attack does not take full advantage of known information when $r⩾3$, and is only better than the attack in Ref. [29] when $r=2$. Since p is unknown, one must use the known integer N as a constant factor to construct the shift polynomials which share the common root $(d_1,d_2)$ modulo $p^t$ for some integer t. When $r=2$, Section 3 makes full use of the information that $p^r$ is a divisor of N, while the attack in Ref. [29] only assumes that $p^{r-1}$ is a divisor of N and thus is improved by our first attack. In this section, we begin with $e_i{d}_i-1\equiv 0\mathrm{mod}{p}^{r-1}$, while the information that $p^r$ is a divisor of N is also made full use of at the same time. Namely, the shift polynomials for our second attack are defined as follows:

$$f_{i_1,i_2}(x_1,x_2)={(x_1-e_1^{\prime })}^{i_1}{(x_2-e_2^{\prime })}^{i_2}{N}^{max\{\lceil {\displaystyle \frac{(r-1)(m-i_1-i_2)}{r}}\rceil ,0\}},$$

where $\left|x_1\right|<X_1:=N^{{\beta }_1},\left|x_2\right|<X_2:=N^{{\beta }_2}$, and m is a positive integer. Let $W^{*}=p^{r-1}$, and one can see that ${\left(W^{*}\right)}^{m-i_1-i_2}$ divides $N^{\lceil {\displaystyle \frac{(r-1)(m-i_1-i_2)}{r}}\rceil }$. Thus, all polynomials $f_{i_1,i_2}(x_1,x_2)$ share the common root $(d_1,d_2)$ modulo ${\left(W^{*}\right)}^m$. To construct the basis matrix ${\mathcal{B}}^{*}$ of our second lattice ${\Lambda }^{*}$, shift polynomials $f_{i_1,i_2}(x_1,x_2)$ are chosen for

$${\beta }_1{i}_1+{\beta }_2{i}_2⩽{\displaystyle \frac{r-1}{r+1}}m.$$

Define the same monomial order ≺ as Section 3, and we acquire the basis matrix ${\mathcal{B}}^{*}$ that consists of coefficient vectors of $f_{i_1,i_2}(X_1{x}_1,X_2{x}_2)$. Similar to (Ref. [29], Table 2), Table 3 in this paper shows an example of ${\mathcal{B}}^{*}$ with $m=3$ when $r=3,{\beta }_1=0.3,{\beta }_2=0.4$. We note that $f_{0,0}=N^2$ in Table 3 while $f_{0,0}=N^3$ in (Ref. [29], Table 2), though both of them are equal to 0 modulo ${\left(p^{r-1}\right)}^m=p^6$. As Table 3 shows, the basis matrix ${\mathcal{B}}^{*}$ is a lower triangular square matrix. Among the off-diagonal entries of ${\mathcal{B}}^{*}$, some are zero and we denote other non-zero entries as * in Table 3. Since the diagonal entries of ${\mathcal{B}}^{*}$ are clear, one can simply calculate its determinant as $det\left({\Lambda }^{*}\right)=|det{\mathcal{B}}^{*}|=N^2·X_1{N}^2·X_2{N}^2·X_1^{2}N·X_1{X}_{2}N·X_2^{2}N·X_1^3·X_1^2{X}_2·X_1{X}_2^2·X_2^3·X_1^4·X_1^3{X}_2·X_1^2{X}_2^2·X_1{X}_2^3·X_1^5=X_1^{25}{X}_2^{16}{N}^9$.

Table 3. Basis matrix ${\mathcal{B}}^{*}$ with $m=3$ when $r=3,{\beta }_1=0.3,{\beta }_2=0.4$.

${\mathit{f}}_{{\mathit{i}}_1,{\mathit{i}}_2}$	1	${\mathit{x}}_1$	${\mathit{x}}_2$	${\mathit{x}}_1^2$	${\mathit{x}}_1{\mathit{x}}_2$	${\mathit{x}}_2^2$	${\mathit{x}}_1^3$	${\mathit{x}}_1^2{\mathit{x}}_2$	${\mathit{x}}_1{\mathit{x}}_2^2$	${\mathit{x}}_2^3$	${\mathit{x}}_1^4$	${\mathit{x}}_1^3{\mathit{x}}_2$	${\mathit{x}}_1^2{\mathit{x}}_2^2$	${\mathit{x}}_1{\mathit{x}}_2^3$	${\mathit{x}}_1^5$
$f_{0,0}$	$N^2$
$f_{1,0}$	*	$X_1{N}^2$
$f_{0,1}$	*		$X_2{N}^2$
$f_{2,0}$	*	*		$X_1^{2}N$
$f_{1,1}$	*	*	*		$X_1{X}_{2}N$
$f_{0,2}$	*		*			$X_2^{2}N$
$f_{3,0}$	*	*		*			$X_1^3$
$f_{2,1}$	*	*	*	*	*			$X_1^2{X}_2$
$f_{1,2}$	*	*	*		*	*			$X_1{X}_2^2$
$f_{0,3}$	*		*			*				$X_2^3$
$f_{4,0}$	*	*		*			*				$X_1^4$
$f_{3,1}$	*	*	*	*	*		*	*				$X_1^3{X}_2$
$f_{2,2}$	*	*	*	*	*	*		*	*				$X_1^2{X}_2^2$
$f_{1,3}$	*	*	*		*	*			*	*				$X_1{X}_2^3$
$f_{5,0}$	*	*		*			*				*				$X_1^5$

Generally speaking, let $det\left({\Lambda }^{*}\right)=X_1^{s_1^{*}}{X}_2^{s_2^{*}}{N}^{s_N^{*}}$, and define the sets

$$\begin{array}{ccc}{\mathcal{R}}^{*}\hfill & :=& \{(i_1,i_2)\in {\mathbb{N}}^2|{\beta }_1{i}_1+{\beta }_2{i}_2⩽{\displaystyle \frac{r-1}{r+1}}m\},\hfill \\ {\mathcal{S}}^{*}\hfill & :=& \{(i_1,i_2)\in {\mathbb{N}}^2|i_1+i_2=0,1,2,\cdots ,m\}.\hfill \end{array}$$

Then, we have

$$\begin{array}{ccc}{s}_1^{*}\hfill & =& \sum _{(i_1,i_2)\in {\mathcal{R}}^{*}}{i}_1\hfill \\ & =& \sum _{i_1=0}^{\lfloor {\displaystyle \frac{r-1}{r+1}}m/{\beta }_1\rfloor }\sum _{i_2=0}^{\lfloor ({\displaystyle \frac{r-1}{r+1}}m-{\beta }_1{i}_1)/{\beta }_2\rfloor }{i}_1\hfill \\ & =& {\displaystyle \frac{1}{6{\beta }_1^2{\beta }_2}}{\left({\displaystyle \frac{r-1}{r+1}}\right)}^3{m}^3+o\left(m^3\right),\hfill \\ s_2^{*}\hfill & =& \sum _{(i_1,i_2)\in {\mathcal{R}}^{*}}{i}_2\hfill \\ & =& \sum _{i_2=0}^{\lfloor {\displaystyle \frac{r-1}{r+1}}m/{\beta }_2\rfloor }\sum _{i_1=0}^{\lfloor ({\displaystyle \frac{r-1}{r+1}}m-{\beta }_2{i}_2)/{\beta }_1\rfloor }{i}_2\hfill \\ & =& {\displaystyle \frac{1}{6{\beta }_1{\beta }_2^2}}{\left({\displaystyle \frac{r-1}{r+1}}\right)}^3{m}^3+o\left(m^3\right),\hfill \\ s_N^{*}\hfill & =& \sum _{(i_1,i_2)\in {\mathcal{S}}^{*}}\lceil {\displaystyle \frac{(r-1)(m-i_1-i_2)}{r}}\rceil \hfill \\ & =& \sum _{I=0}^m(I+1)\lceil {\displaystyle \frac{(r-1)(m-I)}{r}}\rceil \hfill \\ & =& {\displaystyle \frac{r-1}{6r}}{m}^3+o\left(m^3\right).\hfill \end{array}$$

Denote $s^{*}$ the dimension of ${\Lambda }^{*}$, and calculate

$$\begin{array}{ccc}{s}^{*}\hfill & =& \sum _{(i_1,i_2)\in {\mathcal{R}}^{*}}1\hfill \\ & =& \sum _{i_1=0}^{\lfloor {\displaystyle \frac{r-1}{r+1}}m/{\beta }_1\rfloor }\sum _{i_2=0}^{\lfloor ({\displaystyle \frac{r-1}{r+1}}m-{\beta }_1{i}_1)/{\beta }_2\rfloor }1\hfill \\ & =& {\displaystyle \frac{1}{2{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r-1}{r+1}}\right)}^2{m}^2+o\left(m^2\right).\hfill \end{array}$$

Similar to Section 3, our second attack also requires the condition Inequality (2), namely, $det\left({\Lambda }^{*}\right)<{\left(W^{*}\right)}^{m(s^{*}-1)}$, where $W^{*}=p^{r-1}$. From condition $det\left({\Lambda }^{*}\right)<{\left(p^{r-1}\right)}^{m(s^{*}-1)}$ and calculation of $det\left({\Lambda }^{*}\right)$ and $s^{*}$, we have

$$\begin{array}{cc}& X_1^{{\displaystyle \frac{1}{6{\beta }_1^2{\beta }_2}}{\left({\displaystyle \frac{r-1}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}{X}_2^{{\displaystyle \frac{1}{6{\beta }_1{\beta }_2^2}}{\left({\displaystyle \frac{r-1}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}{N}^{{\displaystyle \frac{r-1}{6r}}+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}\hfill \\ <& {\left(p^{r-1}\right)}^{{\displaystyle \frac{1}{2{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r-1}{r+1}}\right)}^2+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}.\hfill \end{array}$$

Substituting $X_1=N^{{\beta }_1},X_2=N^{{\beta }_2},p^{r-1}\approx N^{{\displaystyle \frac{r-1}{r+1}}}$, it is obtained that

$$\begin{array}{cc}& N^{{\displaystyle \frac{1}{6{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r-1}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}{N}^{{\displaystyle \frac{1}{6{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r-1}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}{N}^{{\displaystyle \frac{r-1}{6r}}+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}\hfill \\ <& N^{{\displaystyle \frac{1}{2{\beta }_1{\beta }_2}}{\left({\displaystyle \frac{r-1}{r+1}}\right)}^3+{\displaystyle \frac{o\left(m^3\right)}{m^3}}}.\hfill \end{array}$$

Then, just as in Section 3, we take $m\to \infty$ and omit the term ${\displaystyle \frac{o\left(m^3\right)}{m^3}}$, and obtain

$${\displaystyle \frac{1}{6{\beta }_1{\beta }_2}}{({\displaystyle \frac{r-1}{r+1}})}^3+{\displaystyle \frac{1}{6{\beta }_1{\beta }_2}}{({\displaystyle \frac{r-1}{r+1}})}^3+{\displaystyle \frac{r-1}{6r}}<{\displaystyle \frac{1}{2{\beta }_1{\beta }_2}}{({\displaystyle \frac{r-1}{r+1}})}^3,$$

which finally reduces to

$${\beta }_1{\beta }_2<r{(r-1)}^2/{(r+1)}^3.$$

The running time of our second attack is also analogous to the attack in Ref. [29]. Thus, Theorem 2 follows.

5. Experiments

Just like other cryptanalyses of RSA based on Coppersmith’s method, our approaches are heuristic due to Assumption 1 as stated before. In order to show the correctness of our results, we implemented several experiments in SAGE 5.0 over Linux Fedora 16 on a laptop with 2.80 GHz Intel Core2 CPU and 4 GB RAM.

We choose to use calculation of the resultants to examine Assumption 1 in our experiments. Suppose after running the LLL algorithm, we finally acquire two polynomials $g_1(x_1,x_2),g_2(x_1,x_2)$ with desired $(d_1,d_2)$ as a common root over the integers. By computing the resultants of $g_1(x_1,x_2)$ and $g_2(x_1,x_2)$, we can eliminate $x_2$; namely, we obtain $g_{12}\left(x_1\right)={\mathrm{Res}}_{x_2}(g_1,g_2)$. If Assumption 1 holds, $g_{12}\left(x_1\right)\neg \equiv 0$. Thus, one can use any standard root-finding algorithm to recover the desired root $d_1\in \mathbb{Z}$ from $g_{12}\left(x_1\right)$. Similarly $d_2\in \mathbb{Z}$ is also computed from $g_1(d_1,x_2)$ or $g_2(d_1,x_2)$.

In all of our experiments, Assumption 1 always holds and we have successfully collected the desired root $(d_1,d_2)$. We present some experimental results for our first attack (Theorem 1) in Table 4, while Table 5 is shown for our second attack (Theorem 2).

Table 4. Some experimental results for our first attack (Theorem 1).

N (Bits)	r	${\mathit{\beta }}_1$	${\mathit{\beta }}_2$	m	$\mathit{s}=\dim \left(\mathbf{\Lambda }\right)$	${\log }_2\left(\det \left(\mathbf{\Lambda }\right)\right)$	Time for LLL Algorithm
1000	2	$0.2830$	$0.1510$	4	97	$2.454\times {10}^5$	748.8 s
1500	2	$0.2140$	$0.2067$	3	55	$1.641\times {10}^5$	112.9 s
2000	2	$0.2205$	$0.1650$	3	67	$2.518\times {10}^5$	345.5 s
1000	3	$0.1406$	$0.1381$	2	66	$9.731\times {10}^4$	35.27 s
1500	3	$0.1501$	$0.1333$	2	67	$1.497\times {10}^5$	82.54 s
2000	3	$0.1605$	$0.1550$	1	15	$3.062\times {10}^4$	0.108 s

Table 5. Some experimental results for our second attack (Theorem 2).

N (Bits)	r	${\mathit{\beta }}_1$	${\mathit{\beta }}_2$	m	${\mathit{s}}^{*}=\dim \left({\mathbf{\Lambda }}^{*}\right)$	${\log }_2\left(\det \left(\mathbf{\Lambda }\right)\right)$	Time for LLL Algorithm
1000	2	$0.2710$	$0.1556$	5	42	$6.593\times {10}^4$	11.66 s
1500	2	$0.2139$	$0.2065$	6	55	$1.551\times {10}^5$	74.71 s
2000	3	$0.4007$	$0.3016$	5	33	$1.596\times {10}^5$	27.12 s
1000	3	$0.3510$	$0.3500$	7	56	$1.852\times {10}^5$	124.7 s
1500	4	$0.5004$	$0.4125$	6	40	$2.106\times {10}^5$	60.18 s
2000	4	$0.4753$	$0.4744$	7	45	$3.759\times {10}^5$	352.5 s

Let us take several examples to illustrate our experiments in detail. In Table 4, firstly, we select $r=2,{\beta }_1=0.2830,{\beta }_2=0.1510$ and a 1000-bit Prime Power RSA modulus N. It means $N=p^{2}q$, and $d_1$ is a nearly 283-bit private exponent (or slightly smaller than a 283-bit number), and $d_2$ is a nearly 151-bit private exponent (or slightly smaller than a 151-bit number). One can check that ${\beta }_1{\beta }_2<r/{(r+1)}^3$ holds for $r=2,{\beta }_1=0.2830,{\beta }_2=0.1510$. Thus, according to Theorem 1, the modulus N can be easily factored. Just as our first attack in Section 3 shows, we construct a lattice $\Lambda$ with parameter $m=4$. One can calculate the dimension $s=\dim (\Lambda )=97$, and ${\log }_2(det(\Lambda ))=2.454\times {10}^5$. Both $\dim (\Lambda )$ and ${\log }_2(det(\Lambda ))$ will determine the time for the LLL algorithm to obtain the desired root $(d_1,d_2)$. It takes us about 748.8 s for this first example. For other examples, as $\dim (\Lambda )$ or ${\log }_2(det(\Lambda ))$ becomes smaller, it takes less time to run the LLL algorithm.

For the last example in Table 5, we select $r=4,{\beta }_1=0.4753,{\beta }_2=0.4744$ and a 2000-bit Prime Power RSA modulus N. It means $N=p^{4}q$, and $d_1$ is a nearly 950-bit private exponent, and $d_2$ is a nearly 948-bit private exponent. One can check that ${\beta }_1{\beta }_2<r{(r-1)}^2/{(r+1)}^3$ holds for $r=4,{\beta }_1=0.4753,{\beta }_2=0.4744$. Thus, according to Theorem 2, the modulus N can be easily factored. Just as our second attack in Section 4 shows, we construct a lattice $\Lambda$ with parameter $m=7$. One can calculate the dimension $s=\dim (\Lambda )=45$, and ${\log }_2(det(\Lambda ))=3.759\times {10}^5$. For this case of $\dim (\Lambda )$ and ${\log }_2(det(\Lambda ))$, it takes us about 352.5 s to run the LLL algorithm to obtain the desired root $(d_1,d_2)$. There are also other examples shown in Table 5 for our second attack (Theorem 2).

6. Conclusions

In this paper, we show a new cryptanalysis of Prime Power RSA, where $N=p^{r}q$ and $e·d\equiv 1\mathrm{mod}{p}^{r-1}(p-1)(q-1)$. As generalizations of small private exponent attacks, two new attacks with two small private exponents $d_1<N^{{\beta }_1},d_2<N^{{\beta }_2}$ are presented. Our first attack shows that when ${\beta }_1{\beta }_2<r/{(r+1)}^3$, N may be factored in probabilistic polynomial time. This is better than ${\beta }_1{\beta }_2<{(r-1)}^3/{(r+1)}^3$ in Ref. [29] when $r=2$. Later, our second attack improves both the result ${\beta }_1{\beta }_2<{(r-1)}^3/{(r+1)}^3$ and the result ${\beta }_1{\beta }_2<r/{(r+1)}^3$ up to ${\beta }_1{\beta }_2<r{(r-1)}^2/{(r+1)}^3$ for any $r⩾2$. The key point is that we try our best to make full use of known information. Our attacks are based on Coppersmith’s method for finding small roots of bivariate modular polynomial equations, and the justifications for our approaches are examined through experiments.

Just like other lattice-based cryptanalyses of RSA and its variants using Coppersmith’s method, a better lattice construction will lead to a better result. The open problem is how to further improve the ${\beta }_1{\beta }_2<r{(r-1)}^2/{(r+1)}^3$ using a new novel lattice construction? Moreover, besides Coppersmith’s method, is there another innovative lattice-based method which can be a powerful tool for the cryptanalysis of RSA? These will be interesting topics for future work.