Abstract

This paper presents new short decryption exponent attacks on RSA, which successfully leads to the factorization of RSA modulus $N=pq$ in polynomial time. The paper has two parts. In the first part, we report the usage of the small prime difference method of the form $|b^{2}p-a^{2}q|<N^{\gamma }$ where the ratio of $\frac{q}{p}$ is close to $\frac{b^2}{a^2}$ , which yields a bound $d<\frac{\sqrt{3}}{\sqrt{2}}{N}^{\frac{3}{4}-\gamma }$ from the convergents of the continued fraction expansion of $\frac{e}{N-\lceil \frac{a^2+b^2}{ab}\sqrt{N}\rceil +1}$ . The second part of the paper reports four cryptanalytic attacks on t instances of RSA moduli $N_s=p_s{q}_s$ for $s=1,2,\dots ,t$ where we use $N-\lceil \frac{a^2+b^2}{ab}\sqrt{N}\rceil +1$ as an approximation of $\varphi (N)$ satisfying generalized key equations of the shape $e_{s}d-k_s\varphi (N_s)=1$ , $e_s{d}_s-k\varphi (N_s)=1$ , $e_{s}d-k_s\varphi (N_s)=z_s$ , and $e_s{d}_s-k\varphi (N_s)=z_s$ for unknown positive integers $d,k_s,d_s,k_s$ , and $z_s$ , where we establish that t RSA moduli can be simultaneously factored in polynomial time using combinations of simultaneous Diophantine approximations and lattice basis reduction methods. In all the reported attacks, we have found an improved short secret exponent bound, which is considered to be better than some bounds as reported in the literature. View Full-Text