# New Jochemsz–May Cryptanalytic Bound for RSA System Utilizing Common Modulus $N = p^2 q$

by Nurul Nur Hanisah Adenan, Muhammad Rezal Kamel Ariffin *,†, Siti Hasana Sapar, Amir Hamzah Abd Ghafar and Muhammad Asyraf Asbullah
Institute for Mathematical Research, Universiti Putra Malaysia, Serdang 43400, Selangor, Malaysia
* Author to whom correspondence should be addressed.
† These authors contributed equally to this work.
Mathematics 2021, 9(4), 340; https://doi.org/10.3390/math9040340
Submission received: 27 September 2020 / Revised: 18 January 2021 / Accepted: 25 January 2021 / Published: 8 February 2021

## Abstract

This paper describes an attack on the Rivest, Shamir and Adleman (RSA) cryptosystem utilizing the modulus $N = p^2 q$, where p and q are two large balanced primes. Let $e_1, e_2 < N^{\gamma}$ be integers whose multiplicative inverses $d_1, d_2$ modulo $\phi(N)$ satisfy $d_1, d_2 < N^{\delta}$. Based on the two key equations $e_1 d_1 - k_1 \phi(N) = 1$ and $e_2 d_2 - k_2 \phi(N) = 1$, where $\phi(N) = p(p-1)(q-1)$, our attack works when the primes share a known amount of least significant bits (LSBs) and the private exponents share an amount of most significant bits (MSBs). We apply the extended strategy of Jochemsz–May to find the small roots of an integer polynomial and show that N can be factored if $\delta < \frac{11}{10} + \frac{9}{4}\alpha - \frac{1}{2}\beta - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 990\alpha - 180\beta + 64}$. Our attack improves the bounds of some previously proposed attacks, which makes this RSA variant vulnerable.

## 1. Introduction

Security in transmitting data between two parties is imperative to prevent the information from being exposed to an unauthorised person. In 1978, Rivest, Shamir and Adleman came out with a brilliant public key cryptosystem design. It is also known as an asymmetric cryptosystem, as it uses different keys for encrypting and decrypting the data. The cryptosystem is called RSA [1]. For encryption, the public parameters N and e are needed, where $N = pq$ and e is an integer that is relatively prime to $\phi(N)$, where $\phi(N) = (p-1)(q-1)$ is the Euler totient function. The private key d is an integer satisfying $ed \equiv 1 \pmod{\phi(N)}$ and is used for decryption. The security of the RSA cryptosystem relies on three hard problems: the integer factorization problem of $N = pq$, the $e$-th root problem of $C \equiv M^e \pmod N$, and the diophantine key equation $ed - k\phi(N) = 1$.
The efficiency of the RSA algorithm depends on the cost and execution time of the encryption and decryption processes. In order to reduce the cost and to accelerate decryption, one tends to use small decryption exponents. However, in 1990 Wiener [2] found that the RSA cryptosystem is vulnerable when the decryption exponent d is too small. Wiener proved that, using continued fractions, one can factor N if $d < \frac{1}{3} N^{1/4}$. Since then, researchers have worked to improve the bound on d using different approaches. For instance, Boneh and Durfee [3] obtained the better bound $d < N^{0.292}$ by using Coppersmith’s method [4] to find small solutions of modular polynomial equations.
Multi-power RSA is a variant of RSA in which the modulus $N = p^r q$ for $r \ge 2$ is used. This type of modulus gives an advantage in both key generation and decryption provided the Chinese Remainder Theorem is used [5]. Among the cryptosystems that exploit this fact are the designs by Takagi [6], Ariffin et al. [7] and Asbullah et al. [8], whose authors showed that their cryptosystems have lower computing costs than standard RSA. As such, the study of the integer factorization problem of $N = p^r q$ becomes important. Boneh et al. [9] proved that $N = p^r q$ can be factored for large r, when $r \approx \log p$. Since then, many attempts have been made to cryptanalyse the multi-power RSA modulus. We only state the results of the three former attacks by May [10], Sarkar [11] and Lu et al. [12], because our aim is to improve their unsafe bounds on the decryption exponent. Table 1 presents the bounds from these former attacks and the methods they used. Note that these attacks addressed the modulus $N = p^r q$ in general, but we only consider the bound for $r = 2$ for comparison.
Another flaw of the RSA cryptosystem arises when the MSBs or LSBs of the private key d or of the secret primes are leaked to a third party, which can lead to recovery of the entire private key and thus break the cryptosystem. This type of attack is called a partial key exposure attack. Boneh, Durfee and Frankel [13] showed in 1998 that knowing only a quarter of the private key d is enough to recover the whole of d using Coppersmith’s technique. Sun et al. [14] and Zhao et al. [15] also showed that primes sharing either most or least significant bits are insecure and that the modulus can be factored in polynomial time. Following this, in 2014 Nitaj et al. [16] proposed an attack on the modulus $N = pq$ where the primes share their LSBs and there exist two public parameters $e_1$ and $e_2$ whose corresponding decryption parameters $d_1$ and $d_2$ share their MSBs. They showed that if the RSA cryptosystem satisfies these conditions, then it is possible to factor N provided $d_1, d_2 < N^{\delta}$ where
$\delta < \frac{5}{2} - 2\alpha - \beta - \frac{1}{4}\sqrt{6(1 - 4\alpha)(5 + 4\gamma - 4\alpha - 4\beta)}.$
Thus, implementors need to ensure that their private key does not fall below the bound at which a third party can factor the modulus.
Our contribution:
Extending the result from [16], this paper presents an attack on the modulus $N = p^2 q$ when the primes share a known amount of LSBs while $d_1$ and $d_2$ share an amount of their MSBs. We formulate a lemma that uses the information on the LSBs shared between the primes. Then we use the result of the lemma to build an integer multivariate polynomial. We apply the strategy of Jochemsz and May to find the small roots of this polynomial, which leads to the factorization of the modulus N. We are able to increase the unsafe bound for the decryption exponents given by $d_1, d_2 < N^{\delta}$ where
$\delta < \frac{11}{10} + \frac{9}{4}\alpha - \frac{1}{2}\beta - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 990\alpha - 180\beta + 64}.$
That is, we prove that if $d_1, d_2 < N^{\delta}$, then N can be factored. As such, we improve the bounds of the previous attacks, as shown in Table 1.
The outline of this paper is structured as follows. In Section 2, we describe some fundamental concepts and a few mechanisms that are needed in proving our theorem. Next, in Section 3, we give details on our approach. We finally conclude in Section 4.

## 2. Materials and Methods

We start this section by briefly introducing lattices, a theorem on reduced lattice bases, and two useful lemmas on the approximate sizes of the primes in the modulus. Then we provide our main lemma on primes sharing bits, which has been reformulated from [16]. All of these definitions, theorems and lemmas will be used throughout this paper.

#### 2.1. Lattices

Let $b_1, \ldots, b_\omega \in \mathbb{R}^n$ be a set of linearly independent vectors with $\omega \le n$. The lattice $L$ generated by $b_1, \ldots, b_\omega$ is the set of all integer linear combinations of $b_1, \ldots, b_\omega$, that is,
$L = \{ a_1 b_1 + a_2 b_2 + \cdots + a_\omega b_\omega \;;\; a_1, a_2, \ldots, a_\omega \in \mathbb{Z} \}.$
The dimension of this lattice is $\dim(L) = \omega$. The lattice is called a full-rank lattice if $\omega = n$. To find the determinant of such a lattice, one may compute the absolute value of the determinant of the matrix whose rows are $b_1, \ldots, b_\omega$. Lenstra, Lenstra and Lovász in 1982 [17] invented the LLL algorithm, which finds a short basis vector in polynomial time. Their theorem is stated as follows.
Theorem 1.
Let the lattice $L$ with $\dim(L) = \omega$ be constructed by a basis $v_1, \ldots, v_\omega$. The LLL algorithm outputs a reduced basis $b_1, \ldots, b_\omega$ satisfying
$\|b_1\| \le \|b_2\| \le \cdots \le \|b_i\| \le 2^{\frac{\omega(\omega-1)}{4(\omega+1-i)}} \det(L)^{\frac{1}{\omega+1-i}}$
for all $1 \le i \le \omega$.
In practice, the LLL algorithm is well known to often produce vectors with much smaller norms than theoretically predicted. Building on this algorithm, Coppersmith in 1997 introduced a technique to find small roots of a polynomial in modular form. Applying the LLL algorithm produces a number of equations with sufficiently small norms. Later, Howgrave-Graham [18] reformulated Coppersmith’s idea of finding the roots of a modular polynomial and came out with the following theorem.
Theorem 2.
Let $f(x_1, \ldots, x_n) \in \mathbb{Z}[x_1, \ldots, x_n]$ be a polynomial with $\omega$ monomials. Suppose that $f(x_1^{(0)}, \ldots, x_n^{(0)}) \equiv 0 \pmod R$ where $|x_i^{(0)}| < X_i$ for $i = 1, \ldots, n$, and $\|f(x_1 X_1, \ldots, x_n X_n)\| < \frac{R}{\sqrt{\omega}}$. Then $f(x_1^{(0)}, \ldots, x_n^{(0)}) = 0$ holds over the integers.
Remark that our attack relies on Assumption 1, which was also used in previously proposed attacks such as [11,12,13].
Assumption 1.
The lattice reduction produces a few polynomials that are algebraically independent. The resultant technique can then be used to compute the common roots of these polynomials.
Applying Coppersmith’s method, Jochemsz and May [19] introduced a strategy purposely designed to solve for the small roots of a polynomial. Interestingly, their strategy can be used on either modular or integer multivariate polynomials, and it is easier to understand and implement. Thus, in our work, we use their strategy to find the roots of our polynomial.

#### 2.2. Approximation of Size of Primes in Modulus

Asbullah and Ariffin [20] produced the following lemmas to approximate $N - \phi(N)$. Lemma 1 describes the sizes of p and q for the modulus $N = p^2 q$, which are then used in Lemma 2 to approximate the size of $N - \phi(N)$. In our work, we use Lemma 2 to approximate the bound for one of the variables in our polynomial.
Lemma 1.
Suppose $N = p^2 q$ where p and q are balanced primes. Then
$2^{-1/3} N^{1/3} < q < N^{1/3} < p < 2^{1/3} N^{1/3}.$
Lemma 2.
Suppose $N = p^2 q$ where p and q are balanced primes. Then
$2 N^{2/3} - N^{1/3} < N - \phi(N) < \left(2^{2/3} + 2^{-1/3}\right) N^{2/3} - 2^{1/3} N^{1/3}.$

#### 2.3. Prime Sharing LSBs on the Modulus $N = pq$

We present the lemma of [16]. The authors study the case where the modulus $N = pq$ consists of primes that share some known amount of LSBs.
Lemma 3.
Let $N = pq$ be an RSA modulus where $p, q$ are balanced primes. Let $p - q = 2^b u$ for a known value of b. Then $p = 2^b p_1 + u_0$ and $q = 2^b q_1 + u_0$, where $u_0$ is the solution of the equation $x^2 \equiv N \pmod{2^b}$, and $p + q = 2^{2b} v + v_0$ with
$v_0 \equiv 2 u_0 + (N - u_0^2) u_0^{-1} \pmod{2^{2b}}.$
Proof.
See [16]. □

#### 2.4. Prime Sharing LSBs on the Modulus $N = p^2 q$

This section presents the lemma that has been reformulated from the result of [16]. It considers the case where the primes of the modulus $N = p^2 q$ share some known amount of their LSBs.
Lemma 4.
Let $N = p^2 q$ be a modulus and suppose that $p - q = 2^m u$ for a known value of m. Let $p = 2^m p_1 + u_0$ and $q = 2^m q_1 + u_0$, where $u_0$ is a solution to $p^3 \equiv N \pmod{2^m}$. If $s_0 \equiv u_0^{-1}(N - u_0^3) \pmod{2^{3m}}$, then $p^2 + pq - p = 2^{3m} s + s_0 - v$ where
$v = 2^m p_1 + 2^{2m} p_1 q_1 - 2^m p_1 u_0 - 2 u_0^2 + u_0.$
Proof.
See Appendix A. □

## 3. Our New Attack

In this section, we present the theorem of an attack on the modulus $N = p^2 q$ which applies when the primes share a known amount of LSBs and there exist $d_1$ and $d_2$ that share an amount of MSBs.
Theorem 3.
Let $N = p^2 q$ be a modulus such that $p - q = 2^m u$ where $2^m \approx N^{\alpha}$. Let $e_1, e_2 \approx N^{\gamma}$ be two public exponents that satisfy $e_1 d_1 - k_1 \phi(N) = 1$ and $e_2 d_2 - k_2 \phi(N) = 1$. Suppose that $d_1, d_2 < N^{\delta}$ and $|d_1 - d_2| < N^{\beta}$. Then N can be factored if
$\delta < \frac{11}{10} + \frac{9}{4}\alpha - \frac{1}{2}\beta - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 990\alpha - 180\beta + 64}.$
Proof.
See Appendix B. □

## 4. Comparison with the Previous Attacks

We compare our bound with the previous analyses of the modulus $N = p^r q$ for $r = 2$. Those analyses focused on the RSA key equation $ed - k\phi(N) = 1$ where $\phi(N) = p^{r-1}(p-1)(q-1)$. Note that these former attacks do not consider the case where the private exponents or the primes share an amount of LSBs or MSBs. Thus, in our comparison, we set $\beta = 1$ (so that the condition $|d_1 - d_2| < N^{\beta}$ imposes no sharing of MSBs) and $\alpha = 0.2$. We obtain the following corollary.
Corollary 1.
Let $N = p^2 q$ be a modulus with balanced primes. Let $e_1, e_2 \approx N^{\gamma}$ satisfy $e_1 d_1 - k_1 \phi(N) = 1$ and $e_2 d_2 - k_2 \phi(N) = 1$. Let $d_1, d_2 < N^{\delta}$. Then N can be factored if
$\delta < \frac{21}{20} - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 82}.$
Table 2 shows that our bound improves on the previous bounds. The value of $\delta$ increases markedly as the value of $\gamma$ decreases. Note that the bounds from the former attacks depend only on the value of r, so their values of $\delta$ are the same for all values of $\gamma$. Refer to Table 1 in Section 1 for the bounds from these former attacks for $r = 2$.
Remark 1.
We now analyze the range of γ for which our attack works. Observe that from Corollary 1, after setting $\beta = 1$ and $\alpha = 0.2$, we obtain
$\delta < \frac{21}{20} - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 82}.$
Assume that $e = N^{\gamma}$. From the key equation, we have
$ed = 1 + k\phi(N) > \phi(N) \approx N,$
and then
$d > \frac{N}{e} = N^{1-\gamma}.$
Now, the condition of Corollary 1 becomes
$1 - \gamma < \frac{21}{20} - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 82}.$
A straightforward calculation gives the upper bound on the positive value of γ, namely $\gamma < \frac{29}{30} \approx 0.96$. Hence, the method works for smaller values of γ. This translates into $d \approx N$.
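The bound of Theorem 3 and Corollary 1, as an added example that is not part of the paper: it evaluates the closed form, reproduces the last row of Table 2, checks that the bound is exactly where the minimum of the quadratic in $\tau$ from Appendix B reaches zero, and turns the bound into a parameter check that a key-generation reviewer can run on bit counts. The bit counts in the test are constructed, and the mapping $\alpha = m / \log_2 N$ follows from $2^m \approx N^{\alpha}$.

```python
# Added example (not the paper's code): evaluating the Theorem 3 / Corollary 1
# bound and using it as a key-parameter check.
import math


def theorem3_bound(alpha, beta, gamma):
    """Right-hand side of Theorem 3; None if the radicand is negative."""
    radicand = 180 * gamma + 990 * alpha - 180 * beta + 64
    if radicand < 0:
        return None
    return 1.1 + 2.25 * alpha - 0.5 * beta - 0.5 * gamma - math.sqrt(radicand) / 30


def corollary1_bound(gamma):
    """Theorem 3 with beta = 1 and alpha = 0.2, as in Corollary 1."""
    return theorem3_bound(0.2, 1.0, gamma)


def table2_our_bound():
    """Last row of Table 2, truncated to two decimals as the table prints them."""
    return [math.floor(corollary1_bound(g) * 100) / 100 for g in (0.7, 0.6, 0.5, 0.4, 0.3)]


def tau_quadratic_minimum(alpha, beta, gamma, delta):
    """Minimum over tau of 40 tau^2 + b tau + c, the quadratic in t = tau m of Appendix B.

    The attack condition is that this minimum is negative; at delta equal to the
    Theorem 3 bound it is exactly zero, which is how the closed form is obtained.
    """
    b = 30 * beta + 60 * delta - 135 * alpha + 30 * gamma - 30
    c = 9 * beta + 27 * delta + 18 * gamma - 36 * alpha - 20
    return c - b * b / 160  # c - b^2 / (4a) with a = 40


def in_attack_range(n_bits, e_bits, d_bits, d_diff_bits, shared_lsb_bits):
    """Map bit counts to (alpha, beta, gamma, delta) and test the Theorem 3 condition.

    alpha = m / log2(N) because 2^m ~ N^alpha. The proof needs alpha < 2/9; outside
    that hypothesis the theorem says nothing, so None is returned. True means the
    private exponents are small enough for the attack to apply (the keys are unsafe).
    """
    alpha = shared_lsb_bits / n_bits
    gamma = e_bits / n_bits
    delta = d_bits / n_bits
    beta = d_diff_bits / n_bits
    if alpha >= 2 / 9:
        return None
    bound = theorem3_bound(alpha, beta, gamma)
    return bound is not None and delta < bound


if __name__ == "__main__":
    print("Table 2, our bound:", table2_our_bound())
    # Constructed 3072-bit key: 300 shared LSBs, e of 1536 bits, d of 600 bits.
    print("600-bit d unsafe:", in_attack_range(3072, 1536, 600, 3072, 300))
```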

## 5. Conclusions

We present a partial key exposure attack on the modulus $N = p^2 q$. Note that our attack is an extension of [16]. In this paper, we show that despite the advantages of using the modulus $N = p^2 q$, the modulus is still vulnerable to attack if the primes share some amount of LSBs and the private keys $d_1, d_2$ share some amount of MSBs. We reformulate the lemma from [16] and find a substitution for $p^2 + pq - p$. We use the result of our lemma to prove our theorem, which is based on the two key equations $e_1 d_1 - k_1 \phi(N) = 1$ and $e_2 d_2 - k_2 \phi(N) = 1$. From our theorem, we show that one can factor N when $d < N^{\delta}$ for $\delta < \frac{11}{10} + \frac{9}{4}\alpha - \frac{1}{2}\beta - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 990\alpha - 180\beta + 64}$ with $0 < \gamma < 0.96$. Thus, one needs to be careful in selecting primes and decryption exponents, as a poor choice may lead to a vulnerable cryptosystem and the leakage of secret data to an unauthorized party. There are other schemes that one might be interested in applying in order to keep data secure, such as covert channels [21] and double blockchain [22].

## Author Contributions

Formal analysis, N.N.H.A., M.R.K.A., S.H.S., A.H.A.G. and M.A.A.; Funding acquisition, M.R.K.A.; Investigation, N.N.H.A.; Project administration, M.R.K.A.; Validation, S.H.S.; Writing–original draft, N.N.H.A.; Writing–review and editing, M.R.K.A., S.H.S., A.H.A.G. and M.A.A. All authors have read and agreed to the published version of the manuscript.

## Funding

The research was supported by Ministry of Education of Malaysia with Fundamental Research Grant Scheme (FRGS/1/2019/STG06/UPM/02/8).


## Conflicts of Interest

The authors declare no conflict of interest.

## Appendix A

Proof of Lemma 4.
Let $p - q = 2^m u$. Then $q = p - 2^m u$ and
$N = p^2 q = p^2 (p - 2^m u) = p^3 - 2^m u p^2.$ (A1)
Hence, from (A1), we obtain $p^3 \equiv N \pmod{2^m}$. Let $u_0$ be a solution of the modular equation $p^3 \equiv N \pmod{2^m}$. Then $p \equiv u_0 \pmod{2^m}$, which can be rewritten as $p = 2^m p_1 + u_0$ where $p_1$ is a positive integer. Now we have
$q = p - 2^m u = 2^m p_1 + u_0 - 2^m u = 2^m (p_1 - u) + u_0 = 2^m q_1 + u_0$
where $q_1 = p_1 - u$. Using $N = p^2 q$ yields
$N = (2^m p_1 + u_0)^2 (2^m q_1 + u_0) = \left(2^{2m} p_1^2 + 2^{m+1} p_1 u_0 + u_0^2\right)(2^m q_1 + u_0) = 2^{3m} p_1^2 q_1 + 2^{2m} p_1^2 u_0 + 2^{2m+1} p_1 u_0 q_1 + 2^{m+1} p_1 u_0^2 + 2^m q_1 u_0^2 + u_0^3.$ (A2)
From (A2), we deduce
$2^{2m} u_0 (p_1^2 + 2 p_1 q_1) + 2^m u_0^2 (2 p_1 + q_1) + u_0^3 \equiv N \pmod{2^{3m}},$
$2^{2m} u_0 (p_1^2 + 2 p_1 q_1) + 2^m u_0^2 (2 p_1 + q_1) \equiv N - u_0^3 \pmod{2^{3m}}.$ (A3)
Suppose that $\gcd(u_0, 2^{3m}) = 1$; we multiply (A3) by $u_0^{-1}$ and get
$2^{2m} (p_1^2 + 2 p_1 q_1) + 2^m u_0 (2 p_1 + q_1) \equiv u_0^{-1}(N - u_0^3) \pmod{2^{3m}},$
which can be rewritten as
$2^{2m} (p_1^2 + 2 p_1 q_1) + 2^m u_0 (2 p_1 + q_1) = 2^{3m} s + s_0$
where $s_0 \equiv u_0^{-1}(N - u_0^3) \pmod{2^{3m}}$. Finally, we have
$p^2 + pq - p = (2^m p_1 + u_0)^2 + (2^m p_1 + u_0)(2^m q_1 + u_0) - (2^m p_1 + u_0)$
$= 2^{2m} p_1^2 + 2^{m+1} p_1 u_0 + u_0^2 + 2^{2m} p_1 q_1 + 2^m p_1 u_0 + 2^m q_1 u_0 + u_0^2 - 2^m p_1 - u_0$
$= 2^{2m} (p_1^2 + 2 p_1 q_1) + 2^m u_0 (2 p_1 + q_1) - \left(2^m p_1 + 2^{2m} p_1 q_1 - 2^m p_1 u_0 - 2 u_0^2 + u_0\right)$
$= 2^{3m} s + s_0 - v$
where $v = 2^m p_1 + 2^{2m} p_1 q_1 - 2^m p_1 u_0 - 2 u_0^2 + u_0$. □

## Appendix B

Proof of Theorem 3.
Let $e_1$ and $e_2$ satisfy
$e_1 d_1 - k_1 \phi(N) = 1,$ (A4)
$e_2 d_2 - k_2 \phi(N) = 1.$ (A5)
Multiplying (A4) by $e_2$ and (A5) by $e_1$ and subtracting, we get
$e_1 e_2 (d_1 - d_2) - e_2 k_1 \phi(N) + e_1 k_2 \phi(N) = e_2 - e_1.$ (A6)
From Lemma 4, $p^2 + pq - p$ can be substituted by $2^{3m} s + s_0 - v$, where $s_0 \equiv u_0^{-1}(N - u_0^3) \pmod{2^{3m}}$ and $u_0$ is a solution of the congruence $p^3 \equiv N \pmod{2^m}$. Therefore
$\phi(N) = p(p-1)(q-1) = N - (p^2 + pq - p) = N - (2^{3m} s + s_0 - v).$ (A7)
Plugging (A7) into (A6), we get
$e_1 e_2 (d_1 - d_2) - e_2 k_1 \left(N - (2^{3m} s + s_0 - v)\right) + e_1 k_2 \left(N - (2^{3m} s + s_0 - v)\right) = e_2 - e_1.$ (A8)
Rearranging (A8),
$e_1 e_2 (d_1 - d_2) - e_2 (N - s_0) k_1 + 2^{3m} e_2 k_1 s - e_2 k_1 v + e_1 (N - s_0) k_2 - 2^{3m} e_1 k_2 s + e_1 k_2 v + (e_1 - e_2) = 0.$ (A9)
We transform (A9) into
$a_1 x_1 + a_2 x_2 + a_3 x_2 x_4 + a_4 x_2 x_5 + a_5 x_3 + a_6 x_3 x_4 + a_7 x_3 x_5 + a_8 = 0$
with the coefficients and variables fixed as follows:
$a_1 = e_1 e_2,\; a_2 = -e_2 (N - s_0),\; a_3 = 2^{3m} e_2,\; a_4 = -e_2,\; a_5 = e_1 (N - s_0),\; a_6 = -2^{3m} e_1,\; a_7 = e_1,\; a_8 = e_1 - e_2,$
and
$x_1 = d_1 - d_2,\; x_2 = k_1,\; x_3 = k_2,\; x_4 = s,\; x_5 = v.$
We thus have the polynomial
$f(x_1, x_2, x_3, x_4, x_5) = a_1 x_1 + a_2 x_2 + a_3 x_2 x_4 + a_4 x_2 x_5 + a_5 x_3 + a_6 x_3 x_4 + a_7 x_3 x_5 + a_8.$
Then $(d_1 - d_2, k_1, k_2, s, v)$ is a root of $f(x_1, x_2, x_3, x_4, x_5)$ and can be found using Coppersmith’s technique [4]. However, we choose to apply the extended strategy of Jochemsz and May [19] because it is easier to implement. The following bounds will be needed:
• $\max(e_1, e_2) = N^{\gamma}$
• $\max(d_1, d_2) < N^{\delta}$
• $|d_1 - d_2| < X_1 = N^{\beta}$
• $k_1 = \frac{e_1 d_1 - 1}{\phi(N)} < X_2 = N^{\gamma + \delta - 1}$
• $k_2 = \frac{e_2 d_2 - 1}{\phi(N)} < X_3 = N^{\gamma + \delta - 1}$
• $p - q = 2^m u$ with $2^m \approx N^{\alpha}$ and $\alpha < \frac{2}{9}$.
• $p^2 + pq - p = 2^{3m} s + s_0 - v$ with
  - $s = \frac{p^2 + pq - p - s_0 + v}{2^{3m}} < X_4 = N^{2/3 - 3\alpha}$,
  - $v = 2^{3m} s + s_0 - (p^2 + pq - p) < X_5 = N^{2/3}$.
Let $m, t \in \mathbb{Z}^+$. Define the two sets
$S = \bigcup_{0 \le j \le t} \left\{ x_5^{j} \, x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \;\middle|\; x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \text{ is a monomial of } f^{m-1} \right\}$
and
$M = \left\{ \text{monomials of } x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \cdot f \;\middle|\; x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \in S \right\}.$
Using the binomial expansion formula, we find the expansion of the polynomial $f^{m-1}(x_1, x_2, x_3, x_4, x_5)$. Neglecting the coefficients, we get
$f^{m-1}(x_1, x_2, x_3, x_4, x_5) = \sum_{i_1 = 0}^{m-1} \sum_{i_2 = 0}^{m-1-i_1} \sum_{i_3 = 0}^{m-1-i_1-i_2} \sum_{i_4 = 0}^{i_2 + i_3} \sum_{i_5 = 0}^{i_2 + i_3 - i_4} x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5}.$ (A10)
The monomials $x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5}$ in (A10) can be categorised as follows:
$x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \in S \text{ if } i_1 = 0, \ldots, m-1;\; i_2 = 0, \ldots, m-1-i_1;\; i_3 = 0, \ldots, m-1-i_1-i_2;\; i_4 = 0, \ldots, i_2 + i_3;\; i_5 = 0, \ldots, i_2 + i_3 - i_4 + t,$
and
$x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \in M \text{ if } i_1 = 0, \ldots, m;\; i_2 = 0, \ldots, m-i_1;\; i_3 = 0, \ldots, m-i_1-i_2;\; i_4 = 0, \ldots, i_2 + i_3;\; i_5 = 0, \ldots, i_2 + i_3 - i_4 + t.$
Define
$W = \|f(x_1 X_1, x_2 X_2, x_3 X_3, x_4 X_4, x_5 X_5)\|_\infty.$
Then W satisfies
$W \ge |a_2| X_2 = e_2 (N - s_0) N^{\gamma + \delta - 1} \approx N^{2\gamma + \delta}.$
Next define
$R = W X_1^{m-1} X_2^{m-1} X_3^{m-1} X_4^{m-1} X_5^{m-1+t}.$
Suppose that $a_8 = e_1 - e_2$ is relatively prime to R. We define $f'(x_1, x_2, x_3, x_4, x_5) = a_8^{-1} f(x_1, x_2, x_3, x_4, x_5) \bmod R$ in order to work with a polynomial with constant term 1. Next, define the polynomials
$G = x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \, f' \, X_1^{m-1-i_1} X_2^{m-1-i_2} X_3^{m-1-i_3} X_4^{m-1-i_4} X_5^{m-1+t-i_5}, \quad \text{with } x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \in S,$
$H = x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \, R, \quad \text{with } x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \in M \setminus S.$
The basis of a lattice $L$ is built from the coefficients of the polynomials G and H, with dimension
$\omega = \sum_{x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \in M} 1 = \frac{1}{120}(m+1)(m+2)(m+3)\left(3m^2 + 10mt + 17m + 20t + 20\right).$
In order to obtain an upper triangular matrix, we order the monomials as follows: if $\sum i_j < \sum i_j'$ then $x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} < x_1^{i_1'} x_2^{i_2'} x_3^{i_3'} x_4^{i_4'} x_5^{i_5'}$, and monomials with $\sum i_j = \sum i_j'$ are ordered lexicographically. The diagonal entries of the matrix are of the form
$(X_1 X_2 X_3 X_4)^{m-1} X_5^{m-1+t} \quad \text{for the polynomials } G,$
$W X_1^{m-1+i_1} X_2^{m-1+i_2} X_3^{m-1+i_3} X_4^{m-1+i_4} X_5^{m-1+t+i_5} \quad \text{for the polynomials } H.$
Refer to Table A1 in Appendix C for the coefficient matrix of the case $m = 2$ and $t = 1$.
Next, we define
$s_j = \sum_{x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \in M \setminus S} i_j, \quad \text{for } j = 1, \ldots, 5.$
The determinant of $L$ is then
$\det(L) = W^{|M \setminus S|} X_5^{(m-1+t)\omega + s_5} \prod_{j=1}^{4} X_j^{(m-1)\omega + s_j}.$
All the polynomials G and H and their combinations share the root $(d_1 - d_2, k_1, k_2, s, v)$ modulo R. A new basis with short vectors is produced after applying the LLL algorithm to the lattice $L$. For $i = 1, \ldots, 4$, let $f_i(x_1 X_1, x_2 X_2, x_3 X_3, x_4 X_4, x_5 X_5)$ be four short vectors of the reduced basis. Each $f_i$ is a combination of the polynomials G and H, and hence shares the root $(d_1 - d_2, k_1, k_2, s, v)$. Applying Theorem 1 from Section 2, we have, for $i = 1, 2, 3, 4$,
$\|f_i(x_1 X_1, x_2 X_2, x_3 X_3, x_4 X_4, x_5 X_5)\| < 2^{\frac{\omega(\omega-1)}{4(\omega-2)}} \det(L)^{\frac{1}{\omega-2}}.$
We require the polynomials $f_i$, $i = 1, 2, 3, 4$, to comply with Howgrave-Graham’s bound [18], $\|f_i(x_1 X_1, x_2 X_2, x_3 X_3, x_4 X_4, x_5 X_5)\| < \frac{R}{\sqrt{\omega}}$. This condition is satisfied when
$2^{\frac{\omega(\omega-1)}{4(\omega-2)}} \det(L)^{\frac{1}{\omega-2}} < \frac{R}{\sqrt{\omega}},$
which can be simplified to $\det(L) < R^{\omega}$, that is,
$W^{|M \setminus S|} X_5^{(m-1+t)\omega + s_5} \prod_{j=1}^{4} X_j^{(m-1)\omega + s_j} < \left( W (X_1 X_2 X_3 X_4)^{m-1} X_5^{m-1+t} \right)^{\omega}.$
Substituting $\omega$ with $|M|$ and $|M| - |M \setminus S|$ with $|S|$, we get
$\prod_{j=1}^{5} X_j^{s_j} < W^{|S|}.$ (A13)
Using (A12), we get
$s_1 = \frac{1}{120} m(m+1)(m+2)\left(3m^2 + 10mt + 11m + 10t + 6\right),$
$s_2 = \frac{1}{120} m(m+1)(m+2)\left(6m^2 + 15mt + 27m + 25t + 27\right),$
$s_3 = \frac{1}{120} m(m+1)(m+2)\left(6m^2 + 15mt + 27m + 25t + 27\right),$
$s_4 = \frac{1}{120} m(m+1)(m+2)\left(4m^2 + 15mt + 18m + 25t + 18\right),$
$s_5 = \frac{1}{120} (m+1)(m+2)\left(4m^3 + 15m^2 t + 20mt^2 + 18m^2 + 45mt + 30t^2 + 18m + 30t\right).$
Similarly, we get
$|S| = \sum_{x_1^{i_1} x_2^{i_2} x_3^{i_3} x_4^{i_4} x_5^{i_5} \in S} 1 = \frac{1}{120} m(m+1)(m+2)\left(3m^2 + 10mt + 11m + 10t + 6\right).$
Set $t = \tau m$; then
$s_1 = \frac{1}{120}(10\tau + 3) m^5 + o(m^5),\quad s_2 = \frac{1}{40}(5\tau + 2) m^5 + o(m^5),\quad s_3 = \frac{1}{40}(5\tau + 2) m^5 + o(m^5),$
$s_4 = \frac{1}{120}(15\tau + 4) m^5 + o(m^5),\quad s_5 = \frac{1}{120}(20\tau^2 + 15\tau + 4) m^5 + o(m^5),\quad |S| = \frac{1}{120}(10\tau + 3) m^5 + o(m^5).$
Using this, and after dividing the exponents by $m^5$, the inequality (A13) becomes
$X_1^{\frac{1}{120}(10\tau + 3)} X_2^{\frac{1}{40}(5\tau + 2)} X_3^{\frac{1}{40}(5\tau + 2)} X_4^{\frac{1}{120}(15\tau + 4)} X_5^{\frac{1}{120}(20\tau^2 + 15\tau + 4)} < W^{\frac{1}{120}(10\tau + 3)}.$
Substituting the values of $X_1, X_2, X_3, X_4, X_5$ and W from (A11) and rearranging, we get
$\frac{1}{120}(10\tau + 3)\beta + \frac{1}{40}(5\tau + 2)(\gamma + \delta - 1) + \frac{1}{40}(5\tau + 2)(\gamma + \delta - 1) + \frac{1}{120}(15\tau + 4)\left(\frac{2}{3} - 3\alpha\right) + \frac{2}{3} \cdot \frac{1}{120}(20\tau^2 + 15\tau + 4) < \frac{1}{120}(10\tau + 3)(2\gamma + \delta),$
or equivalently,
$40\tau^2 + (30\beta + 60\delta - 135\alpha + 30\gamma - 30)\tau + 9\beta + 27\delta + 18\gamma - 36\alpha - 20 < 0.$
Differentiating the left-hand side with respect to $\tau$, we get the optimal value $\tau = \frac{27\alpha - 6\beta - 12\delta - 6\gamma + 6}{16}$, and the inequality reduces to
$-720\delta^2 + (3240\alpha - 720\beta - 720\gamma + 1584)\delta - 3645\alpha^2 + 1620\alpha\beta + 1620\alpha\gamma - 2772\alpha - 180\beta^2 + 648\beta - 360\beta\gamma - 180\gamma^2 + 936\gamma - 820 < 0,$
which is valid if
$\delta < \frac{11}{10} + \frac{9}{4}\alpha - \frac{1}{2}\beta - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 990\alpha - 180\beta + 64}.$
Under this condition we obtain the reduced polynomials $f, f_1, f_2, f_3, f_4$ with the root $(d_1 - d_2, k_1, k_2, s, v)$. By Assumption 1 in Section 2, the roots can be extracted using the resultant technique. Then, using the fourth and fifth components of the root, $s$ and $v$, we compute
$p^2 + pq - p = 2^{3m} s + s_0 - v.$ (A14)
After that, we use (A14) to find $\phi(N) = N - (p^2 + pq - p)$ and, since $\phi(N) = p(p-1)(q-1)$, we get p by taking $\gcd(N, \phi(N))$. This leads to the factorization of N and completes the proof. □
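A numeric check of Lemma 4 (Section 2.4, proved in Appendix A) and of the polynomial $f$ and the final $\gcd$ step of Appendix B, as an added example that is not part of the paper. The primes $p = 41$, $q = 17$ (which agree modulo $2^3$) and the exponents $e_1 = 3$, $e_2 = 7$ are constructed toy values; the arithmetic is the same for full-size moduli. The cube-root routine assumes, as the proof does, that $u_0$ is odd, so that cubing permutes the odd residues modulo $2^m$ and the root is unique.

```python
# Added example (not the paper's code): Lemma 4 decomposition and the root of f.
from math import gcd


def cube_root_mod_2m(N, m):
    """Return the odd u0 with u0^3 == N (mod 2^m).

    Cubing permutes the odd residues modulo 2^m (3 is coprime to the group
    order 2^(m-1)), so the solution of p^3 == N (mod 2^m) in Lemma 4 is unique
    and equals p mod 2^m. Only N and m are needed: public data plus the leak size.
    """
    if m <= 1:
        return 1
    inv3 = pow(3, -1, 2 ** (m - 1))
    return pow(N, inv3, 2 ** m)


def lemma4_decomposition(p, q, m):
    """Return (u0, s0, s, v) with p^2 + p*q - p == 2^(3m)*s + s0 - v (Lemma 4)."""
    if (p - q) % (2 ** m) != 0:
        raise ValueError("p and q must share their m least significant bits")
    N = p * p * q
    mod3m = 2 ** (3 * m)
    u0 = cube_root_mod_2m(N, m)
    # s0 is the part of p^2 + pq - p that the leak reveals: it needs only N and u0.
    s0 = (pow(u0, -1, mod3m) * (N - u0 ** 3)) % mod3m
    # p1, q1 are the unknown high parts in p = 2^m p1 + u0, q = 2^m q1 + u0.
    p1, q1 = (p - u0) >> m, (q - u0) >> m
    lhs = 2 ** (2 * m) * (p1 * p1 + 2 * p1 * q1) + 2 ** m * u0 * (2 * p1 + q1)
    if (lhs - s0) % mod3m != 0:
        raise ArithmeticError("lhs is not congruent to s0 modulo 2^(3m)")
    s = (lhs - s0) // mod3m
    v = 2 ** m * p1 + 2 ** (2 * m) * p1 * q1 - 2 ** m * p1 * u0 - 2 * u0 ** 2 + u0
    if p * p + p * q - p != mod3m * s + s0 - v:
        raise ArithmeticError("Lemma 4 identity does not hold")
    return u0, s0, s, v


def toy_key_pairs(p, q, e1, e2):
    """Private exponents and the k_i of the key equations e_i d_i - k_i phi(N) = 1."""
    phi = p * (p - 1) * (q - 1)
    d1, d2 = pow(e1, -1, phi), pow(e2, -1, phi)
    k1, k2 = (e1 * d1 - 1) // phi, (e2 * d2 - 1) // phi
    return phi, d1, d2, k1, k2


def f_appendix_b(N, e1, e2, s0, m, x):
    """Evaluate f(x1, ..., x5) of Appendix B with the coefficients a_1..a_8 of (A9)."""
    x1, x2, x3, x4, x5 = x
    a = [e1 * e2, -e2 * (N - s0), 2 ** (3 * m) * e2, -e2,
         e1 * (N - s0), -(2 ** (3 * m)) * e1, e1, e1 - e2]
    return (a[0] * x1 + a[1] * x2 + a[2] * x2 * x4 + a[3] * x2 * x5
            + a[4] * x3 + a[5] * x3 * x4 + a[6] * x3 * x5 + a[7])


def recover_p(N, s0, s, v, m):
    """Last step of the proof: phi(N) = N - (2^(3m) s + s0 - v), then p = gcd(N, phi(N))."""
    phi = N - (2 ** (3 * m) * s + s0 - v)
    return gcd(N, phi)


def demo():
    p, q, m = 41, 17, 3            # constructed toy primes, 41 == 17 (mod 2^3)
    e1, e2 = 3, 7                  # constructed toy public exponents
    N = p * p * q
    u0, s0, s, v = lemma4_decomposition(p, q, m)
    phi, d1, d2, k1, k2 = toy_key_pairs(p, q, e1, e2)
    root = (d1 - d2, k1, k2, s, v)  # the root (d1 - d2, k1, k2, s, v) of Appendix B
    return {
        "u0": u0, "s0": s0, "s": s, "v": v,
        "f_at_root": f_appendix_b(N, e1, e2, s0, m, root),
        "recovered_p": recover_p(N, s0, s, v, m),
    }


if __name__ == "__main__":
    print(demo())
```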

## Appendix C

Remark A1.
Note that the values of A and B are as follows:
$A = X_1 X_2 X_3 X_4 X_5,$
$B = X_1^{i_1} X_2^{i_2} X_3^{i_3} X_4^{i_4} X_5^{i_5} R.$
Table A1. The coefficient matrix for the case $m = 2$ and $t = 0$. Columns are indexed by the 33 monomials of $M$ in the order $1,\ x_3,\ x_3x_5,\ x_3x_4,\ x_3^2,\ x_3^2x_5,\ x_3^2x_5^2,\ x_3^2x_4,\ x_3^2x_4x_5,\ x_3^2x_4^2,\ x_2,\ x_2x_5,\ x_2x_4,\ x_2x_3,\ x_2x_3x_5,\ x_2x_3x_5^2,\ x_2x_3x_4,\ x_2x_3x_4x_5,\ x_2x_3x_4^2,\ x_2^2,\ x_2^2x_5,\ x_2^2x_5^2,\ x_2^2x_4,\ x_2^2x_4x_5,\ x_2^2x_4^2,\ x_1,\ x_1x_3,\ x_1x_3x_5,\ x_1x_3x_4,\ x_1x_2,\ x_1x_2x_5,\ x_1x_2x_4,\ x_1^2$; the rows $g_{i_1,i_2,i_3,i_4,i_5}$ follow the same order, so the diagonal entry of each row is listed below.

| Row | Diagonal entry | Other non-zero entries |
|---|---|---|
| $g_{0,0,0,0,0}$ | A | ****** ****** ** |
| $g_{0,0,1,0,0}$ | A | **** ** **** ** ** |
| $g_{0,0,1,0,1}$ | A | **** ** **** ** ** |
| $g_{0,0,1,1,0}$ | A | ****** ****** ** |
| $g_{0,0,2,0,0}$ | B | |
| $g_{0,0,2,0,1}$ | B | |
| $g_{0,0,2,0,2}$ | B | |
| $g_{0,0,2,1,0}$ | B | |
| $g_{0,0,2,1,1}$ | B | |
| $g_{0,0,2,2,0}$ | B | |
| $g_{0,1,0,0,0}$ | A | **** ** **** ** ** |
| $g_{0,1,0,0,1}$ | A | **** ** **** ** ** |
| $g_{0,1,0,1,0}$ | B | |
| $g_{0,1,1,0,0}$ | B | |
| $g_{0,1,1,0,1}$ | B | |
| $g_{0,1,1,0,2}$ | B | |
| $g_{0,1,1,1,0}$ | B | |
| $g_{0,1,1,1,1}$ | B | |
| $g_{0,1,1,2,0}$ | B | |
| $g_{0,2,0,0,0}$ | B | |
| $g_{0,2,0,0,1}$ | B | |
| $g_{0,2,0,0,2}$ | B | |
| $g_{0,2,0,1,0}$ | B | |
| $g_{0,2,0,1,1}$ | B | |
| $g_{0,2,0,2,0}$ | B | |
| $g_{1,0,0,0,0}$ | A | ************** |
| $g_{1,0,1,0,0}$ | B | |
| $g_{1,0,1,0,1}$ | B | |
| $g_{1,0,1,1,0}$ | B | |
| $g_{1,1,0,0,0}$ | B | |
| $g_{1,1,0,0,1}$ | B | |
| $g_{1,1,0,1,0}$ | B | |
| $g_{2,0,0,0,0}$ | B | |

** denotes the non-zero elements.

## References

1. Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 1978, 21, 120–126.
2. Wiener, M.J. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 1990, 36, 553–558.
3. Boneh, D.; Durfee, G. Cryptanalysis of RSA with private key d less than N^0.292. IEEE Trans. Inf. Theory 2000, 46, 1339–1349.
4. Coppersmith, D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 1997, 10, 233–260.
5. Hinek, M.J. Multi-Prime RSA. In Cryptanalysis of RSA and Its Variants; CRC: London, UK; New York, NY, USA, 2010; p. 155.
6. Takagi, T. A fast RSA-type public-key primitive modulo p^k q using Hensel lifting. IEICE Trans. 2004, 87, 94–101.
7. Ariffin, M.R.K.; Asbullah, M.A.; Abu, N.A.; Mahad, Z. A new efficient asymmetric cryptosystem based on the integer factorization problem of N=p^2q. MJMS 2013, 10, 19–37.
8. Asbullah, M.A.; Ariffin, M.R.K. Design of Rabin-like cryptosystem without decryption failure. MJMS 2016, 10, 1–18.
9. Boneh, D.; Durfee, G.; Howgrave-Graham, N. Factoring N=p^r q for large r. In Cryptographers’ Track at the RSA Conference; Springer: Cham, Switzerland, 1999; pp. 326–337.
10. May, A. Secret exponent attacks on RSA-type schemes with moduli N=p^r q. In International Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2004; pp. 218–230.
11. Sarkar, S. Small secret exponent attack on RSA variant with modulus N=p^r q. Des. Codes Cryptogr. 2014, 73, 383–392.
12. Lu, Y.; Zhang, R.; Peng, L.; Lin, D. Solving linear equations modulo unknown divisors: Revisited. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2015; pp. 189–213.
13. Boneh, D.; Durfee, G.; Frankel, Y. An attack on RSA given a small fraction of the private key bits. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 1998; pp. 25–34.
14. Sun, H.M.; Wu, M.E.; Steinfeld, R.; Guo, J.; Wang, H. Cryptanalysis of short exponent RSA with primes sharing least significant bits. In International Conference on Cryptology and Network Security; Springer: Berlin/Heidelberg, Germany, 2008; pp. 49–63.
15. Zhao, Y.D.; Qi, W.F. Small private-exponent attack on RSA with primes sharing bits. In International Conference on Information Security; Springer: Berlin/Heidelberg, Germany, 2007; pp. 221–229.
16. Nitaj, A.; Ariffin, M.R.K.; Nassr, D.I.; Bahig, H.M. New attacks on the RSA cryptosystem. In International Conference on Cryptology in Africa; Springer: Cham, Switzerland, 2014; pp. 178–198.
17. Lenstra, A.K.; Lenstra, H.W.; Lovász, L. Factoring polynomials with rational coefficients. Math. Ann. 1982, 261, 515–534.
18. Howgrave-Graham, N. Finding small roots of univariate modular equations revisited. In IMA International Conference on Cryptography and Coding; Springer: Berlin/Heidelberg, Germany, 1997; pp. 131–142.
19. Jochemsz, E.; May, A. A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2006; pp. 267–282.
20. Asbullah, M.A.; Ariffin, M.R.K. New attacks on RSA with modulus N=p^2q using continued fractions. J. Phys. Conf. Ser. 2015, 622, 191–199.
21. Zhang, L.; Huang, T.; Hu, X.; Zhang, Z.; Wang, W.; Guan, D.; Zhao, C.; Kim, S. A distributed covert channel of the packet ordering enhancement model based on data compression. Comput. Mater. Contin. 2020, 64, 2013–2030.
22. Zhang, L.; Peng, M.; Wang, W.; Cui, S.; Kim, S. Secure and efficient data storage and sharing scheme based on double blockchain. Comput. Mater. Contin. 2021, 66, 499–515.
Table 1. Bounds for d from the former attacks.

| Former attack | Bound | Method |
|---|---|---|
| [12] | $d < N^{\frac{r(r-1)}{(r+1)^2}} = N^{0.22}$ | New proposed algorithm |
| [10] | $d < N^{\max\left(\frac{r}{(r+1)^2},\ \frac{(r-1)^2}{(r+1)^2}\right)} = N^{0.22}$ | Coppersmith’s method |
| [11] | $d < N^{0.39}$ | Lattice reduction |
Table 2. Comparison with methods from [10,11,12] for $\alpha = 0.2$ and $\beta = 1$.

| Bound of $\delta$ | $\gamma = 0.7$ | $\gamma = 0.6$ | $\gamma = 0.5$ | $\gamma = 0.4$ | $\gamma = 0.3$ |
|---|---|---|---|---|---|
| [12] | 0.22 | 0.22 | 0.22 | 0.22 | 0.22 |
| [10] | 0.22 | 0.22 | 0.22 | 0.22 | 0.22 |
| [11] | 0.39 | 0.39 | 0.39 | 0.39 | 0.39 |
| Our bound in Corollary 1 | 0.21 | 0.29 | 0.36 | 0.43 | 0.51 |

Here $\gamma = \log_N(e)$.

## Share and Cite

MDPI and ACS Style

Adenan, N.N.H.; Kamel Ariffin, M.R.; Sapar, S.H.; Abd Ghafar, A.H.; Asbullah, M.A. New Jochemsz–May Cryptanalytic Bound for RSA System Utilizing Common Modulus N = p2q. Mathematics 2021, 9, 340. https://doi.org/10.3390/math9040340

AMA Style

Adenan NNH, Kamel Ariffin MR, Sapar SH, Abd Ghafar AH, Asbullah MA. New Jochemsz–May Cryptanalytic Bound for RSA System Utilizing Common Modulus N = p2q. Mathematics. 2021; 9(4):340. https://doi.org/10.3390/math9040340

Chicago/Turabian Style

Adenan, Nurul Nur Hanisah, Muhammad Rezal Kamel Ariffin, Siti Hasana Sapar, Amir Hamzah Abd Ghafar, and Muhammad Asyraf Asbullah. 2021. "New Jochemsz–May Cryptanalytic Bound for RSA System Utilizing Common Modulus N = p2q" Mathematics 9, no. 4: 340. https://doi.org/10.3390/math9040340
