New Jochemsz–May Cryptanalytic Bound for RSA System Utilizing Common Modulus $N = p^2 q$

Abstract: This paper describes an attack on the Rivest, Shamir and Adleman (RSA) cryptosystem utilizing the modulus $N = p^2 q$, where p and q are two large balanced primes. Let $e_1, e_2 < N^\gamma$ be integers and let $d_1, d_2 < N^\delta$ be their multiplicative inverses. Based on the two key equations $e_1 d_1 - k_1 \varphi(N) = 1$ and $e_2 d_2 - k_2 \varphi(N) = 1$, where $\varphi(N) = p(p-1)(q-1)$, our attack works when the primes share a known amount of least significant bits (LSBs) and the private exponents share an amount of most significant bits (MSBs). We apply the extended strategy of Jochemsz–May to find the small roots of an integer polynomial and show that N can be factored if $\delta < \frac{11}{10} + \frac{9}{4}\alpha - \frac{1}{2}\beta - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 990\alpha - 180\beta + 64}$. Our attack improves the bounds of some previously proposed attacks, which makes this RSA variant vulnerable.


Introduction
Security in transmitting data between two parties is imperative to prevent the information from being exposed to an unauthorised person. In 1978, Rivest, Shamir and Adleman came out with a brilliant public key cryptosystem design. It is also known as an asymmetric cryptosystem, as it uses different keys for encrypting and decrypting the data. The cryptosystem is called RSA [1]. For encryption, the public parameters N and e are needed, where $N = pq$ and e is an integer that is relatively prime to $\varphi(N)$, where $\varphi(N) = (p-1)(q-1)$ is the Euler totient function. The private key d, an integer satisfying $ed \equiv 1 \pmod{\varphi(N)}$, is used for the decryption process. The security of the RSA cryptosystem relies on three hard problems: the integer factorization problem of $N = pq$, solving the e-th root problem of $C \equiv M^e \pmod N$, and solving the Diophantine key equation given by $ed - k\varphi(N) = 1$.
The efficiency of the RSA algorithm depends on the cost and execution time of the encryption and decryption processes. In order to reduce the cost and accelerate the decryption process, one tends to use small decryption exponents. However, in 1990 Wiener [2] found that the RSA cryptosystem is vulnerable when the decryption exponent d is too small. Wiener proved that, using continued fractions, one can factor N if $d < \frac{1}{3} N^{1/4}$. Since then, researchers have worked on improving the bound on d, using different approaches in their analyses. For instance, Boneh and Durfee [3] obtained a better bound of $d < N^{0.292}$ by using Coppersmith's method [4] to find small solutions of modular polynomial equations.
Multi-Power RSA is one of the variants of RSA in which the modulus $N = p^r q$ for r ≥ 2 is utilized. This type of modulus provides an advantage for both the key generation and the decryption algorithms, provided the Chinese Remainder Theorem is utilized [5].
Among the cryptosystems that utilize this fact are the designs by Takagi [6], Ariffin et al. [7] and Asbullah et al. [8]. In their papers, the designers showed that their cryptosystems have lower computing costs than standard RSA. As such, the study of the Integer Factorization Problem of $N = p^r q$ becomes important. Boneh et al. [9] proved that $N = p^r q$ is factorable for large r, when $r \approx \log p$. Since then, many attackers have attempted to cryptanalyse the multi-power RSA modulus. We only state the results of three former attacks, namely May [10], Sarkar [11] and Lu et al. [12], because we aim to improve their unsafe bounds on the decryption exponent. The following table (Table 1) presents the bounds from these former attacks and the methods they used. Note that these former attacks focused on the modulus $N = p^r q$, but we only consider the bound for r = 2 for comparison purposes.
Another flaw of the RSA cryptosystem arises when information on the MSBs or LSBs of the private key d or of the secret primes is leaked to a third party, which could lead to recovery of the entire private key and thus break the cryptosystem. This type of attack is called a partial key exposure attack. Boneh, Durfee and Frankel [13] in 1998 showed that knowing only a quarter of the private key d is adequate to recover the whole value of d using Coppersmith's technique. Sun et al. [14] and Zhao et al. [15] also showed that using primes that share either most or least significant bits is insecure and that the modulus can be factored in polynomial time. Following through, in 2014 Nitaj et al. [16] came out with an idea to attack the modulus N = pq where the primes share their LSBs and there exist two public parameters $e_1$ and $e_2$ such that the corresponding decryption parameters $d_1$ and $d_2$ share their MSBs. They showed that if the RSA cryptosystem satisfies those conditions, then it is possible to factor N provided $d_1$, . Thus, implementors need to ensure that their private key does not fall below the bound at which a third party can factorise the modulus.
Our contribution: Extending the result of [16], this paper presents an attack on the modulus $N = p^2 q$ when the primes share a known amount of LSBs while $d_1$ and $d_2$ share an amount of their MSBs. We formulate a lemma by utilizing the information on the shared LSBs between the primes. Then we use the result of the lemma to build an integer multivariate polynomial. We apply the strategy of Jochemsz and May to find the small roots of our integer multivariate polynomial, which leads to the factorization of the modulus N. We are able to increase the unsafe bound for the decryption exponent given by $d_1$, . That is, we prove that if $d_1, d_2 < N^\delta$, then N can be factored. As such, we improve the bounds of the previous attacks, as shown in Table 1.

Table 1. Bounds from the former attacks for r = 2.

Former Attack    Bound             Method
[12]             22                Coppersmith's Method
[11]             $d < N^{0.39}$    Lattice reduction

The outline of this paper is structured as follows. In Section 2, we describe some fundamental concepts and a few mechanisms that are needed in proving our theorem. Next, in Section 3, we give details of our approach. We finally conclude in Section 4.

Materials and Methods
We start this section by briefly introducing lattices, a theorem on lattice-reduced bases, and two useful lemmas on the approximation of the size of the primes in the modulus. Then we provide our main lemma on primes sharing bits, which has been reformulated from [16]. All of these definitions, theorems and lemmas will be used throughout this paper.

Lattices
Let $b_1, \dots, b_\omega \in \mathbb{R}^n$ be a set of linearly independent vectors with ω ≤ n. The lattice L constructed by $b_1, \dots, b_\omega$ is the set of all integer linear combinations of these vectors, $L = \{a_1 b_1 + a_2 b_2 + \cdots + a_\omega b_\omega : a_1, a_2, \dots, a_\omega \in \mathbb{Z}\}$. The dimension of this lattice is dim(L) = ω. The lattice is called a full-rank lattice if ω = n. To find the determinant of this type of lattice, one may compute the absolute value of the determinant of the matrix whose rows are $b_1, \dots, b_\omega$. Lenstra, Lenstra and Lovász in 1982 [17] invented the LLL algorithm to find a short basis vector in polynomial time. Their theorem is stated as follows.
In practice, the LLL algorithm is widely known to often produce vectors with much smaller norms than theoretically predicted. Hence, utilizing this algorithm, Coppersmith in 1997 introduced a technique to find small roots of modular polynomials. By applying the LLL algorithm, a number of equations with sufficiently small norms are produced. Later, Howgrave-Graham [18] reformulated Coppersmith's idea of finding the roots of a modular polynomial and came out with the following theorem.
Note that our attack relies on Assumption 1, which was also used in previously proposed attacks such as [11–13]. Assumption 1. The LLL algorithm produces a few polynomials that are algebraically independent. The resultant technique can then be used to compute the common roots of these polynomials.
Applying Coppersmith's method, Jochemsz and May [19] introduced a strategy purposely to solve for the small roots of a polynomial. Interestingly, their strategy can be used on either modular or integer multivariate polynomials. It is also easier to understand and implement. Thus, in our work, we use their strategy to find the roots of our polynomial.

Approximation of Size of Primes in Modulus
Asbullah and Ariffin [20] produced the following lemmas to show an approximation of N − φ(N). Lemma 1 describes the size of p and q for the modulus $N = p^2 q$, which is then utilized in Lemma 2 to approximate the size of N − φ(N). In our work, we use Lemma 2 to approximate the bound for one of the variables in our polynomial.
Lemma 1. Suppose $N = p^2 q$ where p and q are balanced primes. Then
Lemma 2. Suppose $N = p^2 q$ where p and q are balanced primes. Then

Prime Sharing LSBs on the Modulus N = pq
We present the lemma from [16]. The authors study the case where the modulus N = pq consists of primes that share a known amount of LSBs.
Lemma 3. Let N = pq be an RSA modulus where p, q are balanced primes. Let $p - q = 2^b u$ for a known value of b. Then $p = 2^b p_1 + u_0$ and $q = 2^b q_1 + u_0$, where $u_0$ is the solution of the equation
Proof. See [16].

Prime Sharing LSBs on the Modulus $N = p^2 q$
This section presents the lemma that has been reformulated from the result of [16]. It considers the case where the primes of the modulus $N = p^2 q$ share a known amount of their LSBs.
Lemma 4. Let $N = p^2 q$ be a modulus and suppose that $p - q = 2^m u$ for a known value of m. Let $p = 2^m p_1 + u_0$ and $q = 2^m q_1 + u_0$, where $u_0$ is a solution of $p^3 \equiv N \pmod{2^m}$.
Proof. See Appendix A.
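As an added illustration (not code from the paper), the following Python checks the two computable pieces of Lemma 4 and of the closing step of Appendix B on constructed small primes: since $q \equiv p \pmod{2^m}$ forces $N = p^2 q \equiv p^3 \pmod{2^m}$, the residue $u_0$ is the unique odd cube root of N modulo $2^m$ (cubing is a bijection on odd residues because 3 is coprime to $2^{m-1}$), and $\varphi(N) = N - (p^2 + pq - p)$ yields p as $\gcd(N, \varphi(N))$. The primes 859 and 347 and m = 8 are constructed values chosen to share their low 8 bits.

```python
from math import gcd, isqrt


def is_prime(n):
    """Trial division: sufficient for the small constructed primes below."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def cube_root_mod_2m(N, m):
    """Return the unique odd u0 with u0^3 ≡ N (mod 2^m), for odd N and m >= 3.

    The odd residues mod 2^m form a group of order 2^(m-1); 3 is coprime to
    that order, so cubing is invertible: u0 = N^(3^-1 mod 2^(m-1)) mod 2^m.
    """
    assert m >= 3 and N % 2 == 1
    inv3 = pow(3, -1, 2 ** (m - 1))
    return pow(N, inv3, 2 ** m)


def phi_from_substitution(N, p, q):
    """phi(N) = p(p-1)(q-1) = N - (p^2 + pq - p), the quantity Lemma 4 substitutes."""
    return N - (p * p + p * q - p)


def recover_p(N, phi):
    """gcd(N, phi(N)) = p: the final step of the proof in Appendix B."""
    return gcd(N, phi)


def demo(p=859, q=347, m=8):
    """Constructed example: both primes share their m = 8 LSBs (p ≡ q ≡ 91 mod 256)."""
    assert is_prime(p) and is_prime(q) and (p - q) % 2 ** m == 0
    N = p * p * q
    # q ≡ p (mod 2^m) gives N ≡ p^3 (mod 2^m), so u0 must equal p mod 2^m
    u0 = cube_root_mod_2m(N, m)
    p1 = (p - u0) // 2 ** m  # p = 2^m * p1 + u0 as in Lemma 4
    phi = phi_from_substitution(N, p, q)
    assert phi == p * (p - 1) * (q - 1)
    return u0, p1, recover_p(N, phi)


if __name__ == "__main__":
    print(demo())  # (91, 3, 859): u0 = p mod 256, p1 = 3, p recovered from gcd
```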

Our New Attack
In this section, we present the theorem of an attack on the modulus $N = p^2 q$ which applies when the primes share a known amount of LSBs and there exist $d_1$ and $d_2$ that share an amount of MSBs.

Comparison with the Previous Attacks
We make a comparison of bounds with the previous analyses of the modulus $N = p^r q$ for r = 2. Their analyses focused on the RSA key equation $ed - k\varphi(N) = 1$ where $\varphi(N) = p^{r-1}(p-1)(q-1)$. Note that these former attacks do not consider the case where the private exponents or the primes share an amount of LSBs or MSBs. Thus, in our comparison, we let $\beta = 1$ (the exponent of $d_1 - d_2$) and $\alpha = 0.2$. We get the following corollary.
Corollary 1. Let $N = p^2 q$ be a modulus with balanced primes. Let $e_1, e_2 \approx N^\gamma$ satisfy
Table 2 shows that our bound improves the previous bounds. The value of δ increases impressively as the value of γ decreases. Note that the bounds from the former attacks only consider the value of r; thus their values of δ are fixed for all values of γ. Refer to Table 1 in Section 1 for the bounds from these former attacks for r = 2. Assume that $e = N^\gamma$. From the key equation, we have
Now, the condition of Corollary 1 becomes
A straightforward calculation gives the upper bound of the positive value γ, which is $\gamma < \frac{29}{30} \approx 0.96$. Hence, the method works for smaller values of γ. This translates into $d \approx N$.

Conclusions
We present a partial key exposure attack on the modulus $N = p^2 q$. Note that our attack is an extension of [16]. In our paper, we show that despite the advantages of using the modulus $N = p^2 q$, the modulus is still vulnerable to the attack if the primes share some amount of LSBs and the private keys $d_1, d_2$ share some amount of MSBs. We reformulate the lemma from [16] and find the substitution for $p^2 + pq - p$. We utilize the result of our lemma to prove our theorem, which is based on the two key equations $e_1 d_1 - k_1 \varphi(N) = 1$ and $e_2 d_2 - k_2 \varphi(N) = 1$. From our theorem, we show that one can factor N when $d < N^\delta$ for $\delta < \frac{11}{10} + \frac{9}{4}\alpha - \frac{1}{2}\beta - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 990\alpha - 180\beta + 64}$ with $0 < \gamma < 0.96$. Thus, one needs to be careful in selecting primes and decryption exponents, as a poor choice may lead to the vulnerability of the cryptosystem and the leakage of secret data to an unauthorized party. There are other schemes that one might be interested in applying in order to keep data secure, such as using a covert channel [21] and a double blockchain [22].

Appendix A

Hence, from (A1), we obtain $p^3 \equiv N \pmod{2^m}$. Let $u_0$ be a solution of the modular equation $p^3 \equiv N \pmod{2^m}$. Then $p \equiv u_0 \pmod{2^m}$ is a solution, which can be rewritten as $p = 2^m p_1 + u_0$ where $p_1$ is a positive integer. Now we have
Suppose $\gcd(u_0, 2^{3m}) = 1$; we multiply (A3) by $u_0^{-1}$ and get
which can be rewritten as
Finally, we have

Appendix B
Proof of Theorem 3. Let $e_1$ and $e_2$ satisfy
Subtracting the product of (A4) by $e_2$ and (A5) by $e_1$, we get
From Lemma 1, we show that $p^2 + pq - p$ can be substituted by $2^{3m} s_0 \bmod 2^{3m}$, and $u_0$ is a solution of the congruence $p^3 \equiv N \pmod{2^m}$. Therefore
Plugging (A7) into (A6), we get
Rearranging (A8),
We transform (A9) into
and we fix the coefficients and variables as follows:
Now we have the polynomial
The root $(d_1 - d_2, k_1, k_2, s, v)$ of $f(x_1, x_2, x_3, x_4, x_5)$ can be found by using Coppersmith's technique [4]. However, we choose to apply the extended strategy of Jochemsz and May [19] due to its easier implementation. The following bound will be needed:
Let $m, t \in \mathbb{Z}^+$. Define two sets
Using the binomial expansion formula, we find the expansion of the polynomial
Neglecting the coefficients, we get
The monomials $x_5$ in (A10) can be categorised as
and
Define
Then W satisfies
Next define
Suppose that $a_8 = e_1 - e_2$ is relatively prime to R. We define $\bar f(x_1, x_2, x_3, x_4, x_5) = a_8^{-1} f(x_1, x_2, x_3, x_4, x_5) \bmod R$ in order to work with a polynomial with constant term 1. Next, define the polynomials
The basis of a lattice L is built by using the coefficients of the polynomials G and H, with dimension
In order to construct an upper triangular matrix, we perform the following ordering for the polynomials H:
Refer to Table A1 in Appendix C for the coefficient matrix for m = 2 and t = 1. Next, we define
All the polynomials G and H and their combinations share the root $(d_1 - d_2, k_1, k_2, s, v)$ modulo R. A new basis with short vectors is produced after applying the LLL algorithm to the lattice L. For i = 1, …, 4, let $f_i(x_1 X_1, x_2 X_2, x_3 X_3, x_4 X_4, x_5 X_5)$ be four short vectors of the reduced basis. Each $f_i$ is a combination of G and H, and hence shares the root $(d_1 - d_2, k_1, k_2, s, v)$.
Applying Theorem 1 from Section 2, we have for i = 1, 2, 3, 4:
We force the polynomials $f_i$, i = 1, 2, 3, 4, to comply with Howgrave-Graham's bound [18], which can be transformed into $\det(L) < R^\omega$, that is
Substituting ω with |M| and |M| − |M\S| with |S|, we get
Using (A12), we get
$m(m+1)(m+2)(3m^2 + 10mt + 11m + 10t + 6)$, $m(m+1)(m+2)(4m^2 + 15mt + 18m + 25t + 18)$,
Similarly, we get
Set t = τm; then
Using this, and after simplifying by $m^5$, the inequality (A13) transforms into
Substituting and rearranging the values of $X_1, X_2, X_3, X_4, X_5$ and W from (A11), we get
or equivalently
Differentiating the expression above with respect to τ, we get the optimal value $\tau = \frac{27\alpha - 6\beta - 12\delta - 6\gamma + 6}{16}$; this reduces to
$$-720\delta^2 + (3240\alpha - 720\beta - 720\gamma + 1584)\delta - 3645\alpha^2 + 1620\alpha\beta + 1620\alpha\gamma - 2772\alpha - 180\beta^2 + 648\beta - 360\beta\gamma - 180\gamma^2 + 936\gamma - 820 < 0,$$
which is valid if $\delta < \frac{11}{10} + \frac{9}{4}\alpha - \frac{1}{2}\beta - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 990\alpha - 180\beta + 64}$ (the bound stated in the abstract). We find our reduced polynomials $\bar f, f_1, f_2, f_3, f_4$ with the root $(d_1 - d_2, k_1, k_2, s, v)$ under this condition. By Assumption 1 in Section 2, the roots can be extracted using the resultant technique. Then, using the fourth and fifth roots, s and v, we compute
After that, we use (A14) to find $\varphi(N) = N - (p^2 + pq - p)$, and since $\varphi(N) = p(p-1)(q-1)$, we can get p by taking $\gcd(N, \varphi(N))$. This leads to the factorization of N and hence terminates the proof.
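Written out as an added worked equation (not part of the original proof), the last step above: solving the quadratic in δ and checking that its discriminant collapses to the square root that appears in the abstract.

```latex
\begin{align*}
&-720\delta^2 + B\delta + C < 0,\qquad B = 3240\alpha - 720\beta - 720\gamma + 1584,\\
&C = -3645\alpha^2 + 1620\alpha\beta + 1620\alpha\gamma - 2772\alpha - 180\beta^2 + 648\beta - 360\beta\gamma - 180\gamma^2 + 936\gamma - 820 .\\[4pt]
&\text{Multiplying by } -1:\quad 720\delta^2 - B\delta - C > 0,\ \text{which holds for } \delta < \frac{B - \sqrt{B^2 + 2880\,C}}{1440}.\\[4pt]
&\text{Expanding } B^2 + 2880\,C,\ \text{the } \alpha^2,\ \beta^2,\ \gamma^2,\ \alpha\beta,\ \alpha\gamma,\ \beta\gamma \text{ terms cancel exactly, leaving}\\
&\qquad B^2 + 2880\,C = 2\,280\,960\,\alpha - 414\,720\,\beta + 414\,720\,\gamma + 147\,456 = 2304\,(990\alpha - 180\beta + 180\gamma + 64).\\[4pt]
&\text{Since } \sqrt{2304} = 48 \text{ and } \tfrac{48}{1440} = \tfrac{1}{30},\ \tfrac{3240}{1440} = \tfrac{9}{4},\ \tfrac{720}{1440} = \tfrac{1}{2},\ \tfrac{1584}{1440} = \tfrac{11}{10}:\\
&\qquad \delta < \frac{11}{10} + \frac{9}{4}\alpha - \frac{1}{2}\beta - \frac{1}{2}\gamma - \frac{1}{30}\sqrt{180\gamma + 990\alpha - 180\beta + 64}.
\end{align*}
```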