New Jochemsz–May Cryptanalytic Bound for RSA System Utilizing Common Modulus N = p²q

Abstract

This paper describes an attack on the Rivest, Shamir and Adleman (RSA) cryptosystem utilizing the modulus $N=p^{2}q$ where p and q are two large balanced primes. Let $e_1,e_2<N^{\gamma }$ be the integers such that $d_1,d_2<N^{\delta }$ be their multiplicative inverses. Based on the two key equations $e_1{d}_1-k_1\varphi \left(N\right)=1$ and $e_2{d}_2-k_2\varphi \left(N\right)=1$ where $\varphi \left(N\right)=p(p-1)(q-1)$, our attack works when the primes share a known amount of least significant bits (LSBs) and the private exponents share an amount of most significant bits (MSBs). We apply the extended strategy of Jochemsz–May to find the small roots of an integer polynomial and show that N can be factored if $\delta <\frac{11}{10}+\frac{9}{4}\alpha -\frac{1}{2}\beta -\frac{1}{2}\gamma -\frac{1}{30}\sqrt{180\gamma +990\alpha -180\beta +64}.$ Our attack improves the bounds of some previously proposed attacks that makes the RSA variant vulnerable.

1. Introduction

In 1978, security in transmitting data between two parties is imperative to avert the information from being expose to an unauthorised person. Rivest, Shamir and Adleman came out with a brilliant public key cryptosystem design. It is also known as an asymmetric cryptosystem as it uses different keys for encrypting and decrypting the data. The cryptosystem is called RSA [1]. For encryption, the public parameters N and e are needed where $N=pq$ and e is an integer that is relatively prime with $\varphi \left(N\right)$ where $\varphi \left(N\right)=(p-1)(q-1)$ is the Euler totient function. The private key d is an integer satisfying $ed\equiv 1\left(\mathrm{mod}\varphi \right(N\left)\right)$ is used for the decryption process. The security of the RSA cryptosystem relies on three hard problems which are the integer factorization problem of $N=pq$, solving the $e^{th}$ root problem of $C\equiv M^e\left(\mathrm{mod}N\right)$ and solving the diophantine key equation given by $ed-k\varphi \left(N\right)=1$.

The efficiency of the RSA algorithm depends on the cost and execution time for encryption and decryption processes. In order to reduce the cost and to accelerate the decryption process, one thus tends to use small decryption exponents. However in 1990, Wiener [2] found out that the RSA cryptosystem is vulnerable when the decryption exponent d is too small. Wiener proved that by using continued fractions, one can factor out N if the $d<\frac{1}{3}{N}^{\frac{1}{4}}$. Since then, researchers worked on the same purpose in order to improve the bound of d. There are different approaches in their analysis. For instance, Boneh and Durfee [3] obtained a better bound of $d<N^{0.292}$ by using Coppersmith’s method [4] to find small solutions of modular polynomial equations.

Multi-Power RSA is one of the variants of RSA whereby the modulus $N=p^{r}q$ for $r\ge 2$ is utilized. This type of modulus provides advantage for both key generation and the decryption algorithms provided the Chinese Remainder Theorem is utilized [5]. Among cryptosystems that utilize this fact are designs by Takagi [6], Ariffin et al. [7] and Asbullah et al. [8]. Through their papers, the designers managed to show that their cryptosystems had low computing costs compared to the standard RSA. As such, the study of the Integer Factorization Problem of $N=p^{r}q$ becomes important. Boneh et al. [9] proved that $N=p^{r}q$ is factorable for large r, when $r\cong \log p$. Since then, many attackers made an attempt to cryptanalyse the multi-power RSA modulus. We only stated the results from these three former attacks which are May [10], Sarkar [11], and Lu et al. [12] because we aim to improve their unsafe bound of their decryption exponent. The following table presents the bounds from these former attacks and the method that they have been used. Note that these former attacks focused on the modulus $N=p^{r}q$ but we only consider the bound for $r=2$ for comparison purpose.

Another flaw of the RSA cryptosystem is when the information of MSB(s) or LSB(s) of the private key d or secret primes are leaked to a third party which could lead to recovery of the entire private key and thus break the cryptosystem. This type of attack is called partial key exposure attacks. Boneh, Durfee and Frankel [13] in 1998 showed that only by knowing a quarter of the private key d, it is adequate for them to recover the whole value of d by using Coppersmith’s technique. Sun et al. [14] and Zhao et al. [15] also showed that using primes that share either most or least significant bits are insecure and the modulus can be factored in polynomial time. Following through in 2014, Nitaj et al. [16] came out with an idea to attack the modulus $N=pq$ where the primes share their LSBs and there exists two public parameters $e_1$ and $e_2$ such that the corresponding decryption parameters $d_1$ and $d_2$ share their MSBs. They showed that if the RSA crytosystem satisfies those conditions, then it is possible to factor N provided $d_1,d_2<N^{\delta }$ where $\delta <\frac{5}{2}-2\alpha -\beta -\frac{1}{4}\sqrt{6(1-4\alpha )(5+4\gamma -4\alpha -4\beta )}.$ Thus, implementors need to ensure that their private key does not fall below than the bound that can be factorised by the third party.

Our contribution:

Extending the result from [16], this paper presents an attack on the modulus $N=p^{2}q$ when the primes share a known amount of the LSBs while $d_1$ and $d_2$ share an amount of their MSBs. We formulate a lemma by ulitizing the information on the sharing LSBs between the primes. Then, we use the result from the lemma to build an integer multivariate polynomial. We apply the strategy of Jochemsz and May to find the small roots of our integer multivariate polynomial which leads to the factorization of the modulus N. We are able to increase the unsafe bound for the decryption exponent given by $d_1,d_2<N^{\delta }$ where

$$\begin{array}{c}\hfill \delta <\frac{11}{10}+\frac{9}{4}\alpha -\frac{1}{2}\beta -\frac{1}{2}\gamma -\frac{1}{30}\sqrt{180\gamma +990\alpha -180\beta +64}.\end{array}$$

That is, we prove that if $d_1,d_2<N^{\delta }$, then N can be factored. As such, we improved the bounds made by the previous attacks as shown in Table 1.

Table 1. Bounds for d from the former attacks.

Former Attack	Bound	Method
[12]	$d<N^{\frac{r(r-1)}{{(r+1)}^2}}=d<N^{0.22}$	New proposed algorithm
[10]	$d<N^{\max \frac{r}{{(r+1)}^2},\frac{{(r-1)}^2}{{(r+1)}^2}}=d<N^{0.22}$	Coppersmith’s Method
[11]	$d<N^{0.39}$	Lattice reduction

The outline of this paper is structured as follows. In Section 2, we describe some fundamental concepts and a few mechanisms that are needed in proving our theorem. Next, in Section 3, we give details on our approach. We finally conclude in Section 4.

2. Materials and Methods

We start this section by introducing in brief on lattice, a theorem on lattice reduced basis, and two useful lemmas on approximation of size of primes in modulus. Then we provide our main lemma of primes sharing bits that has been reformulated from [16]. All of these definitons, theorem and lemmas will be used throughout this paper.

2.1. Lattices

Let $b_1,\dots ,b_{\omega }\in {\mathbb{R}}^n$ be a set vectors that are linearly independent with $\omega \le n$. The lattice $\mathcal{L}$ constructed by $b_1,\dots ,b_{\omega }$ is the set of linear combinations of $b_1,\dots ,b_n$ with dimension n provided the coefficients are positive integers such that

$$\begin{array}{c}\hfill \mathcal{L}=a_1{b}_1+a_2{b}_2+\cdots +a_n{b}_n;a_1,a_2,...,a_{\omega }\in \mathbb{Z}\end{array}$$

The dimension of this lattice is dim$\left(\mathcal{L}\right)=\omega$. The lattice is called full ranked lattice if $\omega =n$. To find the determinant of this type of lattice, one may compute the absolute value of the determinant of the matrix whose rows consist of $\{v_1,\dots ,v_{\omega }\}$. Lenstra, Lenstra, and Lovasz in 1982 [17] invented the $LLL$ algorithm to find a short basis vector in time polynomial. Their theorem is stated as follows.

Theorem 1.

Let the lattice $\mathcal{L}$ with dim $=\omega$ be constructed by a basis $v_1,\dots ,v_{\omega }$. The $LLL$ algorithm outputs a reduced basis $b_1,\dots ,b_{\omega }$,

$$\begin{array}{c}\hfill \left|\right|b_1\left|\right|\le \left|\right|b_2\left|\right|\le \cdots \le \left|\right|b_i\left|\right|\le 2^{\frac{\omega (\omega -1)}{4(\omega +1-i)}}det{\left(\mathcal{L}\right)}^{\frac{1}{\omega +1-i}}\end{array}$$

for all $1\le i\le \omega$.

In practice, the LLL algorithm has been broadly known to often produces the vectors that have much smaller norms than theoretically predicted. Hence, by utilizing this algorithm, Coppersmith in 1997 introduced a technique to find small roots for polynomial that is modular form. By applying the LLL algorithm, a number of linear equations with sufficiently small norms will be produced. Later, Howgrave-Graham [18] reformulated Coppersmith’s idea of finding the roots of modular polynomial and thus came out with the theorem as follows.

Theorem 2.

Let $f(x_1,\cdots ,x_n)\in \mathbb{Z}[x_1,\cdots ,x_n]$ be a polynomial with ω monomials. Suppose that $f\left(x_1^{\left(0\right)},\cdots ,x_n^{\left(0\right)}\right)\equiv 0\left(modR\right)$ where $|x_i^{\left(0\right)}| <X_i$ for $i=1,\dots ,n,$ and $h\left(x_1{X}_1,\cdots ,x_n{X}_n\right) <\frac{R}{\sqrt{\omega }}$. Then $h\left(x_1^{\left(0\right)},\cdots ,x_n^{\left(0\right)}\right)=0$ holds over integers.

Remark that our attack relies on Assumption 1 which was also being used in the previous proposed attacks such as [11,12,13].

Assumption 1.

The construction of LLL algorithm produces a few polynomials that are algebraically independent. The resultant technique can be used in order to compute the common roots of these polynomials.

Applying Coppersmith’s method, Jochemsz and May [19] introduced a strategy purposely to solve for the small roots of a polynomial. Interestingly, their strategy can be used on either modular or integer of multivariate polynomial. It was also easier to understand and implement. Thus, in our work, we used their strategy in order to find the roots of our polynomial.

2.2. Approximation of Size of Primes in Modulus

Asbullah and Ariffin [20] produced the following lemmas to show an approximation of $N-\varphi \left(N\right)$. Lemma 1 describes the size of p and q for the modulus $N=p^{2}q$ which then was utilized in Lemma 2 to approximate the size of $N-\varphi \left(N\right)$. In our work, we use Lemma 2 to approximate the bound for one of the variables in our polynomial.

Lemma 1.

Suppose $N=p^{2}q$ where p and q are balanced primes. Then

$$\begin{array}{c}\hfill 2^{-1/3}{N}^{1/3}<q<N^{1/3}<p<2^{1/3}{N}^{1/3}\end{array}$$

Lemma 2.

Suppose $N=p^{2}q$ where p and q are balanced primes. Then

$$\begin{array}{c}\hfill 2N^{2/3}-N^{1/3}<N-\varphi \left(N\right)<\left(2^{2/3}+2^{-1/3}\right)N^{2/3}-2^{1/3}{N}^{1/3}\end{array}$$

2.3. Prime Sharing LSBs on the Modulus $N=Pq$

We present the lemma by [16]. The authors study the case where the modulus $N=pq$ consists of the primes that share some known amount of LSBs.

Lemma 3.

Let $N=pq$ be an RSA modulus where $p,q$ are balanced primes. Let $p-q=2^{b}u$ for a known value of b. Then $p=2^b{p}_1+u_0$ and $q=2^b{q}_1+u_0$ where $u_0$ is the solution of the equation $x^2\equiv N\left(mod{2}^b\right)$ and $p+q=2^{2b}v+v_0$ with

$$v_0\equiv 2u_0+(N-u_0^2)u_0^{-1}\left(mod{2}^{2b}\right).$$

Proof. 

See [16]. □

2.4. Prime Sharing LSBs on the Modulus $N=P^{2}q$

This section presents the lemma that has been reformulated from the result [16]. It considers the case where the primes of the modulus $N=p^{2}q$ share some known amount of their LSBs.

Lemma 4.

Let $N=p^{2}q$ be modulus and suppose that $p-q=2^{m}u$ for a known value of m. Let $p=2^m{p}_1+u_0$ and $q=2^m{q}_1+u_0$ where $u_0$ is a solution to $p^3\equiv N\left(mod{2}^m\right)$. If $s_0\equiv u_0^{-1}(N-u_0^3)\left(\mathrm{mod}{2}^{3m}\right)$ then $p^2+pq-p=2^{3m}s+s_0-v$ where

$$\begin{array}{c}\hfill v=2^m{p}_1+2^{2m}{p}_1{q}_1-2^m{p}_1{u}_0-2u_0^2+u_0.\end{array}$$

Proof. 

See Appendix A. □

3. Our New Attack

In this section, we present the theorem of an attack on modulus $N=p^{2}q$ which applies when the primes share a known amount of LSBs and there exists $d_1$ and $d_2$ that share an amount of MSBs.

Theorem 3.

Let $N=p^{2}q$ be modulus such that $p-q=2^{m}u$ where $2^m\approx N^{\alpha }$. Let $e_1,e_2\approx N^{\gamma }$ be two public exponents that satisfy $e_1{d}_1-k_1\varphi \left(N\right)=1$, and $e_2{d}_2-k_2\varphi \left(N\right)=1$. Suppose that $d_1,d_2<N^{\delta }$ and $\left|d_1-d_2\right|<N^{\beta }$. Then N can be factored if

$$\begin{array}{c}\hfill \delta <\frac{11}{10}+\frac{9}{4}\alpha -\frac{1}{2}\beta -\frac{1}{2}\gamma -\frac{1}{30}\sqrt{180\gamma +990\alpha -180\beta +64}\end{array}$$

Proof. 

See Appendix B. □

4. Comparison with the Previous Attacks

We make a comparison of bounds with the previous analysis upon the modulus $N=p^{r}q$ for $r=2$. Their analysis focused on the RSA key equation $ed-k\varphi \left(N\right)=1$ where $\varphi \left(N\right)=p^{r-1}(p^r-1)(q-1)$. Note that in these former attacks, they do not consider where the private exponent or the primes share an amount of LSBs or MSBs. Thus, in our comparison, we let $\beta =d_1-d_2=1$, $\alpha =0.2$. We get the following corollary.

Corollary 1.

Let $N=p^{2}q$ be modulus with balanced primes. Let $e_1,e_2\approx N^{\gamma }$ satisfies $e_1{d}_1-k_1\varphi \left(N\right)=1$, and $e_2{d}_2-k_2\varphi \left(N\right)=1$. Let $d_1,d_2<N^{\delta }$. Then N can be factored if

$$\begin{array}{c}\hfill \delta <\frac{21}{20}-\frac{1}{2}\gamma -\frac{1}{30}\sqrt{180\gamma +82}.\end{array}$$

Table 2 shows that our bound improves the previous bounds. The value of $\delta$ increases impressively as the value of $\gamma$ decreases. Note that the bounds from the former attacks only consider the value of r, thus the values of $\delta$ is fixed for all values of $\gamma$. Refer Table 1 in Section 1 to see the bounds from these former atttacks for $r=2$.

Table 2. Comparison with methods from [10,11,12] for $\alpha =0.2$ and $\beta =1$.

	$\mathit{\gamma }={\mathbf{log}}_{\mathit{N}}\left(\mathit{e}\right)$	$\mathit{\gamma }=0.7$	$\mathit{\gamma }=0.60$	$\mathit{\gamma }=0.5$	$\mathit{\gamma }=0.4$	$\mathit{\gamma }=0.3$
Bound of $\mathit{\delta }$
[12]		0.22	0.22	0.22	0.22	0.22
[10]		0.22	0.22	0.22	0.22	0.22
[11]		0.39	0.39	0.39	0.39	0.39
Our bound in Corollary 1		0.21	0.29	0.36	0.43	0.51

Remark 1.

We want to analyze the bound for γ that works for our attack. Observe that from the Corollary 1, after setting the value of $\beta =1$ and $\alpha =0.2$ we obtain

$$\begin{array}{c}\hfill \delta <\frac{21}{20}-\frac{1}{2}\gamma -\frac{1}{30}\sqrt{180\gamma +82}.\end{array}$$

Assume that $e=N^{\gamma }$. From key equation, we have

$$\begin{array}{c}\hfill ed=1+k\varphi \left(N\right)>\varphi \left(N\right)\approx N\end{array}$$

then

$$\begin{array}{c}\hfill d>\frac{N}{e}=N^{1-\gamma }.\end{array}$$

Now, the condition of Corollary 1 becomes

$$\begin{array}{cc}\hfill 1-\gamma & <\frac{21}{20}-\frac{1}{2}\gamma -\frac{1}{30}\sqrt{180\gamma +82}\end{array}$$

A straightforward calculation gives us the upper bound of the positive value γ which is $\gamma <\frac{29}{30}\approx 0.96$. Hence, the method works for smaller value of γ. This translates into $d\approx N$.

5. Conclusions

We present an attack on partial key exposure for modulus $N=p^{2}q$. Note that our attack is an extension from [16]. In our paper, we show that despite the advantages of using the modulus $N=p^{2}q$, the modulus is still vulnerable to the attack if the primes share some amount of LSBs and the private keys $d_1,d_2$ share some amount of MSBs. We reformulate the lemma from [16] and find the substitution for $p^2+pq-p$. We utilize the result in our lemma to prove our theorem that is based on the two key equations $e_1{d}_1-k_1\varphi \left(N\right)=1$ and $e_2{d}_2-k_2\varphi \left(N\right)=1$. From our theorem, we show that one can factor N when $d<N^{\delta }$ for $\delta <\frac{11}{10}+\frac{9}{4}\alpha -\frac{1}{2}\beta -\frac{1}{2}\gamma -\frac{1}{30}\sqrt{180\gamma +990\alpha -180\beta +64}$ for $0<\gamma <0.96$. Thus, one needs to be careful in selecting their primes and decryption exponents as it may leads to the vulnerability of their cryptosystem and their secret data might leak to an unauthorized party. There are other schemes that one might be interested to apply in order to keep the data secure such as using covert channel [21] and double blockchain [22].