Partial Key Attack Given MSBs of CRT-RSA Private Keys

Abstract: The CRT-RSA cryptosystem is the most widely adopted RSA variant in digital applications. It exploits the properties of the Chinese remainder theorem (CRT) to elegantly reduce the size of the private keys, which significantly increases the efficiency of the RSA decryption algorithm. Nevertheless, attacks on RSA may also apply to this variant. One of them is the partially known private key attack, which relies on the assumption that the adversary knows some of the bits of the RSA private keys. In this paper, we mount this type of attack on CRT-RSA. Using partial most significant bits (MSBs) of one of the RSA primes, p or q, and of its corresponding private exponent $d_p$, we obtain an RSA intermediate derived from p − 1 and the RSA public key e. The analytical and novel reason for the success of our attack is that once the adversary has obtained an approximation $\tilde{d}_p$ of the private exponent, an approximation $\tilde{p}$ of p and the public exponent $e = N^{\alpha/2}$, where $0 < \alpha \le 1/4$, such that $|d_p - \tilde{d}_p|, |p - \tilde{p}| < N^{(1-\alpha)/2}$, and has determined the largest prime factor of $\lfloor (p-1)/e \rfloor$, the adversary can factor the RSA modulus N = pq. Although the parameter space in which this prime factor must be found is large, we show that one can adjust one's "success appetite" by applying properties of the prime-counting function. Comparing our method with contemporary partial key attacks on CRT-RSA, for a suitable predetermined "success appetite" value, we find that our method requires fewer bits of the private keys in order to factor N.


Introduction
The RSA algorithm is known as one of the earliest public-key cryptosystems, introduced in 1977 [1]. Its practical applications have multiplied with the coming of the digital age, which requires swift key transport mechanisms to establish secure communication, either by encrypting a key or by verifying a digital certificate. For RSA encryption (or signing) and decryption (or verification) to work, an RSA modulus N = pq is introduced, where p ≠ q and p < q < 2p. To encrypt or sign, an RSA public exponent e is required such that gcd(e, φ(N)) = 1, where φ(N) is Euler's totient function. To decrypt or verify, an RSA private exponent d is required such that it satisfies the RSA key equation ed ≡ 1 (mod φ(N)).
called $a_1$, N can be factored in polynomial time if the conditions on the approximations of $d_p$ and p are satisfied. We also extend this result by showing that the difficulty of finding $a_1$ can be reduced by a sufficient combination of computing power and success appetite.
Organization of the article. In Section 2, we show the CRT-RSA key generation algorithm in its full form. We also introduce a theorem, a definition and the lemmas that will be utilized in our attack. In Section 3, we introduce our attack in parts. First, we show the conditions required to conduct our attack. Then, we proceed with the attack by proving that, knowing the largest prime factor of $(p-1)/e$, called $a_1$, our attack can factor N in polynomial time under the conditions from the first part of the attack. In Section 4, we estimate the number of primes that can be candidates for the largest prime factor of $(p-1)/e$ using the theorem introduced earlier. Then, in Section 5, we estimate the number of primes that can be candidates for the largest prime factor of $(p-1)/e$ under various pre-defined success appetites. Using this estimation, we compare our method to other methods that attack CRT-RSA in Section 6, before we conclude the paper in Section 7.

Preliminaries
One of the earliest variations of the RSA cryptosystem decrypts the ciphertext using the Chinese remainder theorem, or CRT (see [19] for more on the CRT). This variant, called CRT-RSA, was proposed by the creators of RSA in their patent application [3]. The rationale for using the CRT is to work with much smaller parameters in the decryption algorithm, specifically during the modular exponentiation. As we shall see in Algorithm 1, the key generation algorithm of CRT-RSA employs almost the same computations as the standard process. The difference lies in the additional computations $d_p \equiv e^{-1} \pmod{p-1}$ and $d_q \equiv e^{-1} \pmod{q-1}$, which we call the CRT exponents, as in Algorithm 1 (line 5 and line 6). The CRT-RSA key generation algorithm is as follows:
In this paper, supposing $e = N^{\alpha/2}$, we assume that the adversary is given a fraction α of the MSBs of $d_p$ and of p (or q). We shall see that with this information the adversary can derive an important intermediate that allows us to find d in polynomial time, and thus to factor N in polynomial time. However, to find the greatest prime factor of the intermediate that enables our attack, we need to count the number of primes that are suitable candidates for this greatest prime factor. To achieve that, we utilize the prime-counting function as follows (see [20], Theorem 6.9).

Theorem 1.
Let π(X) be a function estimating the number of primes ≤ X. Then π(X) satisfies the estimate of [20] (Theorem 6.9).

Once the adversary can count the number of primes that are suitable candidates for the greatest prime factor, the adversary needs to know the probability of finding that prime in a known parameter space. This probability helps the adversary to adjust the success appetite of the attack and consequently to decide whether the attack is feasible, based on the adversary's computational ability. To estimate the probability, we require an application of the prime number theorem called Dickman's function. Given a real number, this function computes the probability that the greatest prime factor of an integer is less than the given value. We call this function Dickman's function [21,22] and define it as follows.

Definition 1 (Dickman's function). The probability that a random integer between 1 and N has its greatest prime factor less than $N^{\zeta}$ is defined through an integral equation.

Dickman's function is defined in the form of a cumulative distribution function. It is important for determining the distribution of the greatest prime factor of a given value. For example, let ζ = 1/2. This means that for any random integer N, there is a probability of 0.3068 that its greatest prime factor is less than $N^{1/2}$.

Next, we require the following two lemmas to help us in the attack.

Lemma 1. Since u w and v w are integers, u This result will help us to enable the attack later presented in Theorem 2.

Lemma 2.
If an integer H divides $\lfloor rs/t \rfloor$, then $\lfloor rs/t \rfloor \cdot \frac{1}{H} = \lfloor rs/(tH) \rfloor$.

Proof. Let $rs/t = z_1 + r/t$ for some integer $z_1$ and some integer r with r < t. If H divides $\lfloor rs/t \rfloor$, then H also divides $z_1$. Hence $z_1/H = z_2$ for some integer $z_2 \in \mathbb{Z}$. Comparing (5) and (6) completes the proof.
The above results will help us to enable the attack later presented in Theorem 2.

The Attack
The initial strategy in our attack is to find the conditions on the approximations of d p and p to enable our attack. By using these conditions, we shall prove mathematically that there exists an unknown intermediate that will help us to find the factorization of N in polynomial time.
First, to find the conditions on the approximations of $d_p$ and p, we need the following lemma regarding an approximation of p.

Lemma 3. Let N = pq with p < q < 2p. If there exists $\tilde{p}$ with $|p - \tilde{p}| < p^{1-\alpha}$, then $(p-1)\tilde{p} > N/8$.

Proof. From p < q < 2p we obtain (7) and (8). Combining (7) and (8), we get $p < N^{1/2} < q$. Since p and q are of the same bit length, observe the following. Suppose $|p - \tilde{p}| < p^{1-\alpha}$. This implies that $\tilde{p}$ shares a fraction α of the MSBs with p, and consequently $\tilde{p} > p/2$. Thus the bound follows. This completes the proof.
The next lemma assumes p < q < 2p and shows that, given a fraction α of the MSBs of p or of q of the CRT-RSA modulus, we obtain an approximation of p within a certain bound.

Proof. We know that if p < q < 2p then $p^2 < N < 2p^2$. Observe that $p < N^{1/2} < \sqrt{2}\,p$. If a fraction α of the MSBs of p are known, then we can find $\tilde{p}$ consisting of that fraction α of the MSBs of p such that the stated bound holds. On the side of q, since $N^{1/2} < q$ and $q^2 < 2pq$ imply $N^{1/2} < q < (2N)^{1/2}$, if a fraction α of the MSBs of q are known, then $|q - \tilde{q}| < q^{1-\alpha}$ with $q < (2N)^{1/2}$. Since q and $\tilde{q}$ share a fraction α of the MSBs, $\tilde{q} < (2N)^{1/2}$. Given $\tilde{q}$, we can compute $\tilde{p} = N/\tilde{q}$, which satisfies the stated bound. This completes the proof.
From Lemma 4, we know that by having a fraction α of the MSBs of p or q, we obtain an approximation $\tilde{p}$ of p with $|p - \tilde{p}| < N^{(1-\alpha)/2}$. This approximation of p enables the next lemma to find $k_p$ given a fraction α of the MSBs of $d_p$ and $\tilde{p}$, where $ed_p = 1 + k_p(p-1)$ and $|p - \tilde{p}| < N^{1/2-\alpha}$.

Lemma 5. Let N = pq be a CRT-RSA modulus with p < q < 2p. Suppose $e = N^{\alpha/2}$ is a valid public exponent with 0 < α ≤ 1/4 and $d_p$ is its corresponding private exponent, which satisfies the CRT-RSA key equation. If a fraction α of the MSBs of $d_p$ and of p (or q) are known, then the constant $k_p$ in the key equation can be determined, up to a small additive error, in time polynomial in log N.

Proof. Recall that one of the private exponents of CRT-RSA satisfies $ed_p = 1 + k_p(p-1)$, so $k_p$ can be written in terms of e, $d_p$ and p. If a fraction α of the MSBs of $d_p$ are known, then we have $\tilde{d}_p$ within the stated bound of $d_p$. From Lemma 4, if a fraction α of the MSBs of p (or q) are known, then we have $\tilde{p}$ with $|p - \tilde{p}| < p^{1-\alpha} < N^{(1-\alpha)/2}$. The approximation $\tilde{k}_p$ is then given by the corresponding expression in e, $\tilde{d}_p$ and $\tilde{p}$, up to an error term of absolute value at most 1/2, and it reveals some of the most significant bits of $k_p$. In particular, notice that this error is small for large N. Hence the constant $k_p$ lies in the range $[\tilde{k}_p - 10, \tilde{k}_p + 10]$, so $k_p$ can be computed in time polynomial in log N. This completes the proof.
Lemma 5 shows the significance of knowing a fraction α of the MSBs of d and p in order to find $k_p$. It also shows that the conditions presented in Lemma 5 must hold throughout the attack, since they are what enables it. The value of $k_p$ obtained in Lemma 5 is utilized in the next proposition.

Proposition 1. Let N = pq be a CRT-RSA modulus with p < q < 2p and $|p - \tilde{p}| < N^{1/2-\alpha}$. Suppose $e = N^{\alpha/2}$ is a valid public exponent with 0 < α ≤ 1/4 and $d_p$ is its corresponding private exponent, which satisfies $ed_p = 1 + k_p(p-1)$. Let $e\bar{d}_p \equiv 1 \pmod{k_p}$ for some $\bar{d}_p \in \mathbb{Z}$; then $d_p$ can be written in terms of $k_p$ and $\bar{d}_p$ (equation (18)).

Proof. Observe that the congruence holds for some $\bar{k}_p \in \mathbb{Z}$. Substituting the value of e in (12) into (13), we obtain (14). Rearranging (14), we have (15). The term $\bar{d}_p(p-1) - d\bar{k}_p$ can be rewritten, which implies a condition on e. From this, the expression for $d_p$ follows. This completes the proof.

Remark 1. Equation (18) shows that, under the assumption of Proposition 1, in which the values $\bar{d}_p$ and $\bar{k}_p$ are known, it is crucial that

The next theorem shows the implication of the results from Proposition 1 for our aim of factoring the CRT-RSA modulus in polynomial time.

Theorem 2. Let N = pq be a CRT-RSA modulus with p < q < 2p. Suppose $e = N^{\alpha/2}$ is a valid public exponent with 0 < α ≤ 1/4 and $d_p$ is its corresponding private exponent, which satisfies $ed_p = 1 + k_p(p-1)$. Let $e\bar{d}_p = 1 + \bar{k}_p k_p$ for some $\bar{k}_p, k_p, \bar{d}_p \in \mathbb{Z}$. Let $a_1$ be one of the prime factors of $(p-1)/e$. If $a_1$ and a fraction α of the MSBs of $d_p$ and of p (or q) are known, then N can be factored in polynomial time.
Proof. If $a_1$ satisfies $|(p-1) - \tilde{p}| < ea_1$, then $\lfloor p/(ea_1) \rfloor = \lfloor \tilde{p}/(ea_1) \rfloor - 1$, and similarly for p − 1. This also implies, by Proposition 1, the corresponding relation for $d_p$. If $\tilde{p}$ and a fraction α of the MSBs of $d_p$ are known, then by Lemma 5 we can find $k_p$ in polynomial time. Then we can compute $\bar{d}_p \equiv e^{-1} \pmod{k_p}$. If $a_1$ is known, we can compute $d_p$ from (21).
Using the value of $d_p$, we obtain p by computing $p = (ed_p - 1)/k_p + 1$ and thereby factor N. This completes the proof.

Remark 2.
We have shown that, given a fraction α of the most significant bits of $d_p$ and p, the complexity of factoring N depends on knowing a factor of $(p-1)/(ea_1)$. This demonstrates that we have reduced one of the hard problems of RSA from factoring N to factoring a smaller quantity. However, the complexity of that factorization is still sub-exponential with current factorization techniques.
We construct an algorithm based on our attack. The parameters used in the algorithm are described in Table 1.

Table 1. Parameters of Algorithm 2.
Parameters known before the attack:
Parameters known during the attack:
• Constant from the CRT-RSA key equation (10), $k_p$
• Intermediate of (13), $\bar{k}_p$
• Intermediate of (13), $\bar{d}_p$
Parameters known after the attack:
• CRT-RSA private exponent, $d_p$
• CRT-RSA private key, p
• CRT-RSA private key, q

The algorithm takes as input the RSA public key (N, e) and a prime factor $a_1$ of $(p-1)/e$ that satisfies $|(p-1) - \tilde{p}| < ea_1$, together with a fraction α of the MSBs of $d_p$ and $\tilde{p}$. The algorithm is as follows:

Algorithm 2.
2: Set $k_p \in \{\tilde{k}_p - 10, \ldots, \tilde{k}_p + 10\}$. (Steps 1 and 2 are based on Lemma 5.)
3: for each $k_p$ do
4: Compute $\bar{d}_p \equiv e^{-1} \pmod{k_p}$
7: if $p \in \mathbb{Z}$ then
8: Compute q = N/p.
9: if $q \in \mathbb{Z}$ then
10: Set q.

Remark 3. Since we assume that the value of $a_1$ is already known in Algorithm 2, the algorithm runs in polynomial time.

The following is an example to illustrate Algorithm 2.

Example 1. A fraction α of the MSBs of p (or q) is also given, such that $|p - \tilde{p}| < p^{1-\alpha}$. From Lemma 5, given $\tilde{d}_p$ and $\tilde{p}$, we obtain $\tilde{k}_p$ and proceed to recover $k_p = 64947035018102022468569402425$ in polynomial time. Then we compute the intermediates. Given that we also know one of the prime factors of $(p-1)/e$, N has been successfully factored. Figure 1 shows the flowchart of Algorithm 2.
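The following Python program is an added illustration written for this article, not the authors' implementation, and it runs Algorithm 2 end to end on a toy CRT-RSA key. The key size (two 128-bit primes), $e = 2^{16}+1$, the number of known MSBs and all function names are my assumptions. The recovery steps are the ones the results above give: $\tilde{k}_p = (e\tilde{d}_p - 1)/(\tilde{p} - 1)$ with $k_p \in [\tilde{k}_p - 10, \tilde{k}_p + 10]$ (Lemma 5), $\bar{d}_p \equiv e^{-1} \pmod{k_p}$ (Proposition 1), $\lfloor (p-1)/e \rfloor = a_1 \lfloor (p-1)/(ea_1) \rfloor$ with the last quotient read off $\tilde{p}$ (Lemma 2 and Theorem 2), and finally $p = (ed_p - 1)/k_p + 1$. Two details are my own: the reconstruction $d_p = \bar{d}_p + k_p \lfloor (p-1)/e \rfloor$, which I derive from the key equation and $e\bar{d}_p = 1 + \bar{k}_p k_p$, and trying the quotient $\lfloor \tilde{p}/(ea_1) \rfloor$ together with both neighbours rather than only the −1 case of the proof. The key-generation helper is allowed to see p in order to compute $a_1$, because finding $a_1$ is exactly the hard step the paper leaves to the adversary.

```python
"""Toy run of the CRT-RSA partial-MSB attack (added example, not the paper's code).

Assumed parameters: 128-bit primes (256-bit N), e = 2^16 + 1, and an adversary
who knows the top KNOWN_MSBS bits of d_p and of p.  With alpha = 2 log_N e
~ 0.125, a fraction alpha of a 128-bit value is 16 bits, and both approximation
errors are below 2^112 = N^((1-alpha)/2) as Lemma 5 requires.
"""
import random
from math import gcd, log2

E = 65537
PRIME_BITS = 128
KNOWN_MSBS = 16


def msb_fraction(modulus_bits, e):
    """alpha = 2 log_N e: the fraction of MSBs of d_p and p the attack needs (Section 4)."""
    return 2 * log2(e) / modulus_bits


def _sieve(limit):
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i in range(limit + 1) if flags[i]]


SMALL_PRIMES = _sieve(1 << 16)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin with witnesses from a generator seeded by n (deterministic)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES[:25]:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(rng, lo, hi):
    """Random probable prime in [lo, hi) with gcd(E, prime - 1) = 1."""
    while True:
        c = rng.randrange(lo, hi) | 1
        if (c - 1) % E and is_probable_prime(c):
            return c


def largest_prime_factor(n):
    """a_1 for the toy key: strip primes below 2^16 and test the cofactor.
    Returns None when the largest prime factor is small or the cofactor is composite."""
    rest = n
    for sp in SMALL_PRIMES:
        while rest % sp == 0:
            rest //= sp
    return rest if rest > 1 and is_probable_prime(rest) else None


def msb_approximation(x, known=KNOWN_MSBS, bits=PRIME_BITS):
    """The adversary's view: the top `known` of `bits` bits, lower bits zeroed."""
    shift = bits - known
    return (x >> shift) << shift


def gen_toy_key(seed):
    """CRT-RSA key with p < q < 2p whose a_1 satisfies |(p - 1) - p~| < e a_1 (Theorem 2)."""
    rng = random.Random(seed)
    while True:
        p = _random_prime(rng, 1 << (PRIME_BITS - 1), 1 << PRIME_BITS)
        a1 = largest_prime_factor((p - 1) // E)
        p_approx = msb_approximation(p)
        if a1 is None or abs((p - 1) - p_approx) >= E * a1:
            continue  # Theorem 2's precondition on a_1 fails for this p; draw another
        q = _random_prime(rng, p + 1, 2 * p)
        dp = pow(E, -1, p - 1)
        kp = (E * dp - 1) // (p - 1)
        return {"N": p * q, "p": p, "q": q, "dp": dp, "kp": kp, "a1": a1,
                "dp_approx": msb_approximation(dp), "p_approx": p_approx}


def attack(N, e, a1, dp_approx, p_approx):
    """Algorithm 2: recover (p, q) from (N, e), a_1 and the MSB approximations."""
    kp_approx = (e * dp_approx - 1) // (p_approx - 1)          # Lemma 5
    for kp in range(max(kp_approx - 10, 2), kp_approx + 11):     # steps 2-3
        if gcd(e, kp) != 1:
            continue
        dp_bar = pow(e, -1, kp)                                  # step 4, Proposition 1
        for delta in (-1, 0, 1):
            m = p_approx // (e * a1) + delta   # floor((p-1)/(e a_1)), read off p~
            if m <= 0:
                continue
            dp = dp_bar + kp * a1 * m          # d_p = d_bar_p + k_p floor((p-1)/e), Lemma 2
            num = e * dp - 1
            if num % kp:
                continue                       # step 7: p must be an integer
            p = num // kp + 1
            if 1 < p < N and N % p == 0:       # step 9: q must be an integer
                return p, N // p
    return None
```

The key generator rejects any p for which $|(p-1) - \tilde{p}| \ge ea_1$, i.e. for which the largest prime factor of $\lfloor (p-1)/e \rfloor$ is too small to determine the quotient from $\tilde{p}$; those are exactly the keys outside Theorem 2, and the count of keys that pass is what Sections 5 and 6 estimate.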

Our Attack in RSA Implementation
In most RSA implementations, the RSA public exponent e is a small integer, chosen to optimize the computing time of the RSA encryption algorithm. In this part, we investigate the implication of the size of e for our attack. Typically, $e = 2^{16} + 1$. Since we set $e = N^{\alpha/2}$ in our attack, observe that $\alpha = 2\log_N e \approx 2\log_2(2^{16}+1)/2048 \approx 0.01562$ in an RSA-2048 implementation.
This implies that our attack requires 0.01562 · 2048 = 31.98976, or about 32, bits of $d_p$ and p to be exposed, since $|d_p - \tilde{d}_p| < N^{1-\alpha}$ and $|p - \tilde{p}| < p^{1-\alpha}$. The exposed bits may come from a side-channel attack or from brute force, since the number of bits required is quite small. The number of exposed bits required can be reduced if the size of N or e is smaller.

Estimating Number of Candidates for a 1
To find an $a_1$ satisfying $|(p-1) - \tilde{p}| < ea_1$, as posed in Theorem 2, we anticipate $a_1$ to be the largest prime factor of $(p-1)/e$. We need to estimate the number of primes that are eligible to be $a_1$. First, the next lemma adapts the result of [20] to estimate the number of primes between two bounds.

Lemma 6. Let $N^{\zeta}$ and $N^{\theta}$ be the upper and lower bounds of $a_1$, respectively, where 0 < θ < ζ < 1. Then the number of primes between $N^{\theta}$ and $N^{\zeta}$ is less than $N^{\zeta}$

Proof. Let F be the number of primes less than the upper bound of $a_1$ and G the number of primes less than the lower bound of $a_1$. Then, according to Theorem 1, both are estimated by π. To estimate the number of candidates for $a_1$, we calculate (22), as $N^{\theta} < N^{\zeta}$. This completes the proof.
Then, we need to find the upper and lower bounds of a 1 that satisfy the condition posed in Theorem 2.

Proposition 2.
Let N = pq be a CRT-RSA modulus with p < q < 2p. Suppose $e = N^{\alpha/2}$ is a valid public exponent with 0 < α ≤ 1/4 and $d_p$ is its corresponding private exponent, which satisfies $ed_p = 1 + k_p(p-1)$. Let $e\bar{d}_p = 1 + \bar{k}_p k_p$ for some $\bar{k}_p, k_p, \bar{d}_p \in \mathbb{Z}$. Let a fraction α of the MSBs of $d_p$ and of p (or q) be known. If $a_1$ is one of the prime factors of $(p-1)/e$ satisfying the condition of Theorem 2, then $N^{(1-3\alpha)/2} < a_1 < N^{(1-\alpha)/2}$.

Proof. We know that $|(p-1) - \tilde{p}| < ea_1$, where $|p - \tilde{p}| < N^{1/2-\alpha}$. Thus $N^{(1-3\alpha)/2}$ is the lower bound for $a_1$. For the upper bound, we know that $a_1 < (p-1)/e$, as $a_1$ is a factor of $(p-1)/e$. Thus $a_1 < N^{(1-\alpha)/2}$. This proves the result.
Once we know the upper and lower bounds of $a_1$, we can estimate the number of primes between the bounds. To achieve that, we use the estimation in Lemma 6, as in the next proposition.

Proposition 3. Let N = pq be a CRT-RSA modulus with p < q < 2p. Suppose $e = N^{\alpha/2}$ is a valid public exponent with 0 < α ≤ 1/4 and $d_p$ is its corresponding private exponent, which satisfies $ed_p = 1 + k_p(p-1)$. Let $e\bar{d}_p = 1 + \bar{k}_p k_p$ for some $\bar{k}_p, k_p, \bar{d}_p \in \mathbb{Z}$. Let a fraction α of the MSBs of $d_p$ and of p (or q) be known. If $a_1$ is one of the prime factors of $(p-1)/e$ such that $|(p-1) - \tilde{p}| < ea_1$, then the number of candidates for $a_1$ that satisfy Theorem 2 is bounded as in (23).

Proof. We use the result of Lemma 6 to count the primes that satisfy Theorem 2. Thus, we replace the upper and lower bounds in Lemma 6 by $N^{(1-\alpha)/2}$ and $N^{(1-3\alpha)/2}$, respectively, based on the bounds in Proposition 2. Equation (22) then becomes (23). This completes the proof.
The following is an example to illustrate the result from Proposition 3.

Example 2.
In this example, we illustrate the number of primes that are eligible to be candidates for $a_1$. To do that, we set α = 1/4 to obtain the lowest possible estimate of the number of primes. We also substitute the value of N from Example 1 into (23), which gives approximately $2.736665 \times 10^{228} \approx N^{0.3705816}$. This is the approximate number of primes that are eligible to be candidates for $a_1$.
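As an added illustration (my own code, not part of the paper), the following Python functions reproduce the candidate-count exponent of Example 2 and the $\delta_h = 1$ column of Table 2 from the bounds of Proposition 2. Two assumptions are mine: the Theorem 1 estimate is taken in the prime number theorem form $\pi(X) \approx X/\ln X$ (the page cites it from [20] without reproducing it), and the modulus of Example 1 is taken to have 2048 bits, inferred from the size of the count quoted above. The count $\pi(N^{(1-\alpha)/2}) - \pi(N^{(1-3\alpha)/2})$ is computed in logarithmic form so that nothing overflows.

```python
"""Candidate count for a_1 from the bounds of Proposition 2 (added example, not the paper's code).

Assumption: pi(X) ~ X / ln X, so the number of primes between the lower bound
N^((1-3alpha)/2) and the upper bound N^((1-alpha)/2) is pi(upper) - pi(lower).
The exponent beta with count = N^beta is what Table 2 reports at delta_h = 1.
"""
from math import exp, log, log10


def a1_bounds(alpha):
    """Exponents (theta, zeta) with N^theta < a_1 < N^zeta, from Proposition 2."""
    return (1 - 3 * alpha) / 2, (1 - alpha) / 2


def ln_pi(exponent, ln_n):
    """ln pi(N^exponent) under the estimate pi(X) ~ X / ln X, where ln_n = ln N."""
    ln_x = exponent * ln_n
    return ln_x - log(ln_x)


def candidate_exponent(alpha, modulus_bits):
    """beta with pi(N^zeta) - pi(N^theta) ~ N^beta (Lemma 6 / Proposition 3):
    the log_N of the number of primes eligible to be a_1 for an N of modulus_bits bits."""
    ln_n = modulus_bits * log(2)
    theta, zeta = a1_bounds(alpha)
    hi, lo = ln_pi(zeta, ln_n), ln_pi(theta, ln_n)
    # pi(upper) - pi(lower) = pi(upper) * (1 - pi(lower) / pi(upper)), kept in log form
    ln_count = hi + log(1 - exp(lo - hi))
    return ln_count / ln_n


def candidate_count_log10(alpha, modulus_bits):
    """log10 of the candidate count, comparable with Example 2's 2.736665e228."""
    return candidate_exponent(alpha, modulus_bits) * modulus_bits * log10(2)


def table2_delta1_column(modulus_bits=2048):
    """The alpha grid of Section 6 mapped to beta, for comparison with Table 2 at delta_h = 1."""
    return {alpha: round(candidate_exponent(alpha, modulus_bits), 4)
            for alpha in (0.05, 0.10, 0.15, 0.20, 0.25)}
```

For α = 1/4 and a 2048-bit modulus this gives a count of about $10^{228.46} \approx N^{0.3706}$, matching Example 2 to the precision that the unknown exact N allows, and the lower bound $N^{0.125}$ is the value Table 2 reaches for α = 0.25 at the smallest success appetite.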

Estimating the Number of Candidates for a 1 with Various Success Appetite
To reduce the number of candidates for $a_1$ that an adversary has to handle, we define the "success appetite" terminology to best describe our findings.

Definition 2. The CRT-RSA success appetite $G(\delta_h)$ is the conditional probability of successfully finding the largest prime factor $a_1$ of p/e, where $a_1$ is less than $N^{y_1}$, given that $a_1$ is greater than $N^{y_2}$, where N = pq and $y_1 > y_2$ for suitable $y_1, y_2 \in (0, 1)$.

Remark 4.
Success appetite as described in this paper relates to the success probability of the adversary to find the actual value of a 1 from a certain set of primes. The adversary can choose his success appetite, depending on computing resources available to the adversary. The probability of success for the adversary depends on the size of the set of prime candidates where a 1 resides. As such, success appetite and probability of success are two different concepts.
Since further experiments and analysis must be completed to corroborate the independence assumption underlying Dickman's function for the randomized values of $p_i/e_i$, we put forward the next conjecture, which defines the CRT-RSA success appetite quantitatively.

Conjecture 1.
Given i different RSA moduli $N_i = p_i q_i$ randomly generated by the RSA key generation algorithm, the largest number of RSA moduli for which the greatest prime factor of $p_i/e_i$ lies between its intended success-dependent upper and lower bounds is $G(\delta_h) \cdot i$.
By having the CRT-RSA success appetite, an adversary can evaluate it using the next corollary.
Proposition 4. Suppose B is a known integer larger than ρφ(N) with B − ρφ(N) < $ea_1$. Let $F_X(y)$ be Dickman's function. If $\delta_h$ is the CRT-RSA success appetite, then the number of candidates for $a_1$ that satisfy Theorem 2 is less than $N^{(1-\alpha)/2}$

Proof. Let $F_X(y)$, or F(y), be the probability that a random integer between 1 and X has its greatest prime factor less than $X^y$, as defined in Definition 1 (Dickman's function). Let $X^{y_1}$ be the upper bound of $a_1$ and $X^{y_2}$ the lower bound of $a_1$; then (23) can also be written as (24). Next, we define (a) $F(y_1)$ to be the probability of X having its greatest prime factor less than $X^{y_1}$; (b) $F(y_2)$ to be the probability of X having its greatest prime factor less than $X^{y_2}$; and (c) $\bar{F}(y_2)$ to be the probability of X not having its greatest prime factor less than $X^{y_2}$.
Let $\delta_h$ be the success appetite as defined in Definition 2. We can rewrite $\delta_h$ as the probability of $(p-1)/e$ having its largest prime factor less than $N^{y_1}$, given that its largest prime factor is not less than $N^{y_2}$. Using the definition of conditional probability, we obtain (25). From (25), $y_1$ follows. According to Proposition 2, $y_2 = (1-3\alpha)/2$. Substituting the values of $y_1$ and $y_2$ into (24) gives the result.

Proposition 4 shows that an adversary can adjust the upper bound of $a_1$ according to the success appetite the adversary prefers. In the next section, we see how this adjustment reduces the number of primes eligible to be significant candidates for $a_1$.

Comparative Analysis
In this section, we show two comparisons. In the first comparison, we compare the changes in the number of candidates for $a_1$, $\pi(a_1)$, in terms of β (where $\pi(a_1) = N^{\beta}$) as the success appetite $\delta_h$ changes. We also set α = 0.05, 0.1, 0.15, 0.2 and 0.25 to see the changes in $\pi(a_1)$. The full details of the values are shown in Table 2. Based on Table 2, as $\delta_h$ progressively reduces from 1 to 0.01, the number of candidates also slowly reduces: from $N^{0.4706}$ to $N^{0.4208}$ for α = 0.05, from $N^{0.4457}$ to $N^{0.3464}$ for α = 0.1, from $N^{0.4205}$ to $N^{0.2719}$ for α = 0.15, from $N^{0.3952}$ to $N^{0.1973}$ for α = 0.2, and from $N^{0.3704}$ to $N^{0.125}$ for α = 0.25. In general, the number of candidates decreases as the success appetite decreases. A similar pattern occurs as the value of α increases. This means that the best situation for an adversary conducting an attack against CRT-RSA with our method is when a 0.25 fraction of the MSBs of d and p (or q) is known, with a success appetite that is as small as possible.
In the second comparison, we compare our attack with the results of [12–16]. All of these results require some bits of $d_p$ to be known beforehand. In [15], Takayasu et al. provided a result that also includes bits of $d_q$. A comparison with our results is shown in Table 3.
Based on Table 3, Ref. [16] requires at least a 0.27 fraction of random bits of all of p, q, d, $d_p$ and $d_q$. That attack also uses a random reconstruction algorithm. On the other hand, the attack of [12] requires an approximation $\tilde{d}_p$ of $d_p$ to be given such that $|d_p - \tilde{d}_p| < N^{1/4-\alpha}$, where $e = N^{\alpha}$. The suitable size of e in that attack is $1 < e < N^{1/4}$. The methodology of [12] can also be applied under many conditions, since the extensions of its results in [13–15] use a similar lattice-based approach.
Meanwhile, our attack requires approximations $\tilde{d}_p$ and $\tilde{p}$ of $d_p$ and p to be given, such that $|d_p - \tilde{d}_p|, |p - \tilde{p}| < N^{(1-\alpha)/2}$. As 0 < α ≤ 1/4, the suitable range for e in our case is $0 < e < N^{1/8}$. Based on Table 3, Ref. [12] needs the approximation of $d_p$ to be within $N^{1/4}$ of the actual $d_p$. Meanwhile, in our case, we need the approximations of $d_p$ and p to be within between $N^{3/8}$ and $N^{1/2}$ of the actual values of $d_p$ and p. This means that our attack is less stringent and requires fewer MSBs of the private keys to be known than [12] (although our attack needs two approximations of private keys). In addition, our method takes a different approach from the other results: we detach our method from the common lattice-based approach to partial key attacks on CRT-RSA and instead find the largest prime factor of $(p-1)/e$ with versatile success appetites.

Conclusions
We have successfully factored the modulus of CRT-RSA in polynomial time using our new method under specific conditions. Given $e = N^{\alpha/2}$, where 0 < α ≤ 1/4, the method requires an approximation $\tilde{d}_p$ of the private exponent and an approximation $\tilde{p}$ of p to be known, such that $|d_p - \tilde{d}_p|, |p - \tilde{p}| < N^{(1-\alpha)/2}$. Our attack also requires the largest prime factor of $(p-1)/e$. By utilizing Dickman's theorem, we showed a practical approach to identifying this prime within the set of primes in which the factor most likely resides. The approach manipulates a versatile self-defined value known as the success appetite, which the adversary can set according to the computational power at hand. This makes our attack less stringent, requiring fewer MSBs of the private keys to be known than existing attacks. As a future extension of this work, one may develop a new method to find $a_1$ from a smaller set of primes. The method should include a marked-up algorithm that identifies $a_1$, where its respective success appetite is compared with the number of candidates for $a_1$ in terms of the logarithm to base N, as shown in Table 2. Another interesting future approach to the problem of finding $a_1$ is to use synchronized machine learning with the aid of cloud systems for storage, as shown in [23].