Next Article in Journal
Applications of Blockchain Technology in Medicine and Healthcare: Challenges and Future Perspectives
Previous Article in Journal
Further Observations on SIMON and SPECK Block Cipher Families
Article Menu

Export Article

Cryptography 2019, 3(1), 2; doi:10.3390/cryptography3010002

Article
New Cryptanalytic Attack on RSA Modulus N = pq Using Small Prime Difference Method
1
Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, Universiti Putra Malaysia, Selangor 43400, Malaysia
2
Department of Mathematics, Faculty of Science, Universiti Putra Malaysia, Selangor 43400, Malaysia
3
Centre of Foundation Studies for Agriculture Science, Universiti Putra Malaysia, Selangor 43400, Malaysia
*
Correspondence: [email protected]
These authors contributed equally to this work.
Received: 1 November 2018 / Accepted: 15 December 2018 / Published: 20 December 2018

Abstract

:
This paper presents new short decryption exponent attacks on RSA, which successfully leads to the factorization of RSA modulus N = p q in polynomial time. The paper has two parts. In the first part, we report the usage of the small prime difference method of the form | b 2 p a 2 q | < N γ where the ratio of q p is close to b 2 a 2 , which yields a bound d < 3 2 N 3 4 γ from the convergents of the continued fraction expansion of e N a 2 + b 2 a b N + 1 . The second part of the paper reports four cryptanalytic attacks on t instances of RSA moduli N s = p s q s for s = 1 , 2 , , t where we use N a 2 + b 2 a b N + 1 as an approximation of ϕ ( N ) satisfying generalized key equations of the shape e s d k s ϕ ( N s ) = 1 , e s d s k ϕ ( N s ) = 1 , e s d k s ϕ ( N s ) = z s , and e s d s k ϕ ( N s ) = z s for unknown positive integers d , k s , d s , k s , and z s , where we establish that t RSA moduli can be simultaneously factored in polynomial time using combinations of simultaneous Diophantine approximations and lattice basis reduction methods. In all the reported attacks, we have found an improved short secret exponent bound, which is considered to be better than some bounds as reported in the literature.
Keywords:
RSA modulus; primes difference; cryptanalysis; short decryption exponent; attacks; continued fraction

1. Introduction

The RSA cryptosystem is the most widely used public key cryptosystem, invented by three mathematicians, Rivest, Shamir, and Adleman [1] and since then has been extensively used for many applications in the government as well as commercial domain, which include e-banking, secure telephone, smart cards, and communications in different types of networks [2].
RSA key generation involves a random selection of two distinct large prime numbers such that their product is represented as N = p q and called an RSA modulus. The Euler totient function ϕ ( N ) is computed as ϕ ( N ) = ( p 1 ) ( q 1 ) . Additionally, choose an integer e < ϕ ( N ) such that gcd ( e , ϕ ( N ) ) = 1 and compute short decryption exponent d such that the relation e d 1 ( mod ϕ ( N ) ) is satisfied. Then, ( e , N ) are the public pair and ( d , p , q ) are private key tuple.
The encryption function is computed by choosing a message M Z N and computing the ciphertext C = M e ( mod N ) , while the plaintext can be recovered by computing the decryption exponent from equation M = C d ( mod N ) . The primes p and q in most cases are considered to have same bit-length.
In simpler terms, an RSA cryptosystem involves three processes of key generation, encryption, and decryption algorithms as presented in Algorithms 1–3 below:
Algorithm 1 RSA key generation
1:
Initialization: Input the size n and ( e , N ) .
2:
Choose two random and distinct n b i t strong primes ( p , q ) .
3:
for each pair of the form ( p , q ) do
4:
     N : = p q
5:
     ϕ ( N ) : = ( p 1 ) ( q 1 )
6:
end for
7:
Choose a random integer e such that 1 < e < ϕ ( N ) and gcd ( e , ϕ ( N ) ) = 1.
8:
ifd is an integer then
9:
     e d 1 ( mod ϕ ( N ) ) .
10:
end if
11:
return the public key pair ( N , e ) and the private key pair ( N , d ) .
Algorithm 2 RSA encryption
1:
Initialization: Input the public key pair ( e , N ) and the plaintext M.
2:
Represents the plaintext message M as integer such that M < N and gcd ( M , N ) = 1 .
3:
for each triplet of the form ( e , N , M ) do
4:
     C : = M e ( mod N )
5:
end for
6:
return the ciphertext C.
Algorithm 3 RSA decryption
1:
Initialization: Input the private key pair ( d , N ) and the ciphertext C.
2:
for each triplet of the form ( d , N , C ) do
3:
     M : = C d ( mod N )
4:
end for
5:
return the message M.
The security of an RSA cryptosystem depends on the difficulty of solving the integer factorization problem, the failure of an adversary to compute the secret key d from RSA key equation e d = 1 + k ϕ ( N ) , where only the public key e is given as outlined in Algorithm 1 and the difficulty of solving the e t h -root problem of C = M e ( mod N ) as outlined in Algorithm 2. The problem of computing d from ( e , N ) is equivalent to the problem of factoring RSA modulus N into its nontrivial prime factors of p and q, as proven by Reference [3]. It is therefore recommended for RSA users to generate primes p and q in such a way that the problem of factoring N = p q is computationally infeasible for an adversary. Choosing p and q as strong primes has been recommended as a way of maximizing the difficulty of factoring RSA modulus N.
In an RSA cryptosystem, there are public key pairs ( e , N ) and private key tuples ( d , p , q , ϕ ( N ) ) . Once the private key d is known, it can lead to the total break of RSA. It is often tempting to use a small decryption exponent so as to speed up computation in RSA decryption and signature verification. However, this poses a great security challenge to the system. A very small decryption exponent can be broken by a trivial brute force exhaustive search to find the correct decryption exponent. For instance, all private exponents d < 2 60 can be recovered easily, but it is computationally infeasible to recover all private exponents d < 2 80 by brute force attack [4].
The first attack on small decryption exponent was reported by Wiener in 1990. He showed that RSA is insecure if the small decryption exponent is d < 1 3 N 0.25 using the continued fractions method to recover d from the convergents of the continued fractions expansion of e N , [5]. Since then, many attacks on short decryption exponents emerged, which improved the bound. Boneh and Durfee (1999) proposed an attack on the small decryption exponent using the Coppersmith lattice-based technique, in which they heuristically showed that RSA in insecure if d < N 0.292 , as reported by Reference [6].
In another development, B. De Weger (2002) also used the primes difference method to carry out an attack on RSA modulus N = p q , where he proved that if d < N 3 4 | p q | , then the RSA cryptosystem is considered to be insecure where primes p and q have the same bit-length, which is an improvement on Wiener’s bound as reported by Reference [7]. In addition, Maitra and Sarkar (2008) improved the work of Reference [7] using the prime difference method of | 2 q p | < N γ and showed that RSA is not secure if d < N 1 γ 2 , as reported by Reference [8].
Furthermore, Chen’s et al. (2009) have generalized the work of Reference [7], where they proposed an attack using the generalization method, in which they proved that RSA modulus N = p q can be broken if | a p b q | = N γ and d < N 3 4 γ , where the ratio of two primes p q is very near to the ratio b a , where p < q < 2 p , a, and b are small positive integers less than log N , then the RSA modulus can be factored from the convergents of the continued fraction expansion of e N a + b a b N + 1 . Substituting a = b = 1 gave the approximation of ϕ ( N ) as reported by [7]. Also, taking a = 2 and b = 1 gave approximation of ϕ ( N ) as reported by Reference [8]. In their experiment result, they used the value of γ = 0.5 to justify their theorem, as reported by Reference [9].
Nitaj (2013) improved Wiener’s bound to d < 6 2 6 N 1 4 , as reported by Reference [10]. Asbullah (2015) also improved Wiener’s bound to d < 1 2 N 1 4 , as reported [11].
This paper reports the use of the small prime difference method to factor the RSA modulus N and its relation to further extend the bound of weak decryption exponents. Given public key pair ( e , N ) , we exploited RSA key equation e d = 1 + k ϕ ( N ) and broke the instances of RSA by factoring the modulus N into its nontrivial prime factors p and q. We also reported four cryptanalytic attacks on factoring t RSA moduli using a system of equations where, in one instance, the moduli ( e s , N s ) shared a common decryption exponent d and, in another scenario, every pair ( e s , N s ) had its own unique decryption exponent d s . The method uses | b 2 p a 2 q | < N γ such that if the ratio of q p is close to the ratio of b 2 a 2 , where a and b are small positive integers and 0.25 < γ 0.5 , then private key d < 3 2 N 3 4 γ can be efficiently recovered from the convergents of the continued fraction expansion of e N a 2 + b 2 a b N + 1 . Our bound is considered to be an improved bound of that of References [5,9,11]. This paper also presents an experimental result which shows that taking γ = 15 32 , we can recover primes p and q if the private key d < 3 2 N 0.28125 . This is an improvement of the result of Reference [9], as they did not give an experiment result of γ < 0.5 .
The second part of the paper presents t instances of factoring RSA moduli N s = p s q s for t = 1 , 2 , , t by transforming generalized key equations of the form e s d k s ϕ ( N s ) = 1 , e s d s k ϕ ( N s ) = 1 , e s d k s ϕ ( N s ) = z s , and e s d s k ϕ ( N s ) = z s for unknown parameters d , k s , d s , k s , and z s into simultaneous Diophantine problem and applying the lattice basis reduction and L L L methods to find the values of d, k s , d s , and k. We formulated a quadratic equation which enabled us to find t prime factors p s and q s and finally factorize t moduli N 1 , N 2 , , N t in polynomial time. We have found decryption exponents bounds that are greater than those of References [12,13].
The rest of the paper is organized as follows. In Section 2, we present a review of some preliminary results on continued fractions and state some theorems that are related to our work. Section 3 presents our proposed findings and discussion on the results. We give experimental results to illustrate our theorems, which show how an incorrect choice of d can lead to the factorization of RSA modulus N = p q in polynomial time. Finally, in Section 4, we conclude the paper.

2. Preliminaries and Methods

In this section, we state some basics on continued fraction, the lattice basis reduction technique, simultaneous Diophantine approximations, and theorems related to our work.
Definition 1 (Continued fractions).
For any positive x R , define x 0 = x and for i = 1 , 2 , , n , do x i = a i , x i + 1 = 1 x i a i until x n Z . Then, x can be expanded as continued fraction in following form,
x = a 0 + 1 a 1 + 1 a 2 + 1 a 3 + .
This expression is often used in the form x = [ a 0 , a 1 , a 2 , , a n , ] . Any rational number a b can be expressed as a finite continued fraction x = [ a 0 , a 1 , a 2 , , a n ] . The convergents a b of x are the fractions denoted by a b = [ a 0 , a 1 , a 2 , , a i ] for i 0 . We note that if x = a b is a rational number, then the continued fraction expansion of x is finite with total number of convergents being polynomial in log ( b ) .
Definition 2.
Let b 1 , b 2 , , b m V where V is a vector space subset of R n . The set of vectors b 1 , b 2 , , b m V are said to be linearly dependent if there exist x 1 , , x m R , which are not all zero and such that:
i m ( x i b i = 0 ) .
Otherwise, they are said to be linearly independent.
Definition 3.
(Lenstra et al. 1982) Let n be a positive integer. A subset L of an n-dimensional real vector space R n is called a lattice and if there exists a basis b 1 , , b n on R n such that we have the following relation L = i = 1 n Z b i = i = 1 n r i b i f o r r i Z , 1 i n . In this situation, we say that b 1 , , b n are the basis for L or that they span L .
Definition 4.
(Nitaj, 2013) (LLL Reduction) Let B = b 1 b n be a basis for a lattice L and suppose B * = b 1 * b n * be the associated Gram–Schmidt orthogonal basis. Let:
μ i , j = b i , b j * b j * , b j * f o r 1 j < i .
The basis B is said to be LLL reduced if it satisfies the following two conditions:
  • μ i , j 1 2 , f o r 1 j < i n
  • 3 4 | | b i 1 * | | 2 | | b i * + μ i , i 1 b i 1 * | | 2 f o r 1 i n . Equivalently, it can be written as:
    | | b i * | | 2 ( 3 4 μ i , i 1 2 ) | | b i 1 * | | 2 .
Theorem 1.
(Legendre’s Theorem). Let α be a positive real number. If the rational numbers ( a , b ) Z such that gcd ( a , b ) = 1 and:
α a b < 1 2 b 2 ,
then a b is one of the convergents of the continued fraction expansion α.
Proof. 
See Reference [14]. ☐
Theorem 2.
(Wang et al., 2016). If p 1 q 1 , p 2 q 2 , , p k q k , are convergents of the simple continued fraction [ a 1 , a 2 , , a k , ] , then the numerators and denominators of these convergents satisfy the following recursive relations:
p 1 = a 1 , p 2 = a 2 a 1 + 1 , p k = a k p k 1 + p k 2 ,
q 1 = 1 , q 2 = a 2 , q k = a k q k 1 + q k 2 ,
for k 3 .
Theorem 3.
(Wiener, 1990). Let N = p q be an RSA modulus with q < p < 2 q . Let e < ϕ ( N ) be a public exponent and d be the corresponding private key. If d < 1 3 N 1 4 , then one can factor N in polynomial time.
Theorem 4.
(B. de Weger, 2002). Let N = p q be an RSA modulus with q < p < 2 p such that | p q | < N β for β = [ 1 4 , 1 2 ] , and N > 8 d . Let e and d be public and private keys respectively such that e < ϕ ( N ) , with ϕ ( N ) > 3 4 N and d < N δ . If δ < 3 4 β , then the convergents can be found from the continued fraction of e N 2 N + 1 , which led to the factorization of N.
Theorem 5.
(Maitra-Sarkar, 2008). Let N = p q be an RSA modulus satistying q < p < 2 q . Suppose that ρ q p N γ 16 with γ < 1 2 , 1 ρ 2 and d = N δ . Then N can be factored in polynomial time if δ < 1 γ 2 from the convergents of the continued fraction expansion of e N 3 2 N + 1 .
Theorem 6.
(Chen et al., 2009). Let p and q be RSA primes satisfying p < q < 2 p . Let | a p b q | = N γ . If q q is close to b a such that ( b ( a 2 + 1 ) p a ( b 2 + 1 ) q ) ( a p b q ) > 0 , then the secret key d < N 3 4 γ can be discovered from the convergents of e N a + b a b N + 1 .
Theorem 7.
(Blomer-May, 2004). Let ( N , e ) be an RSA public pair with modulus N = p q and the prime difference p q c N 1 2 . Suppose that the public exponent e Z ϕ ( N ) satisfies e x + y = k ϕ ( N ) with 0 < x < 1 3 N 1 4 and | y | N 3 4 e x for c 1 . Then, N can be factored in polynomial time.
Theorem 8.
(Lenstra et al., 1982). Let L be a lattice basis of dimension n having a basis v 1 v n . The L L L algorithm produces a reduced basis b 1 b n satisfying the following condition:
| | b 1 | | | | b 2 | | | | b j | | 2 n ( n 1 ) 4 ( n + 1 j ) d e t ( L ) 1 n + 1 j ,
for all 1 j n .
Proof. 
See Reference [15]. ☐
We will use the following Theorem 9 in our proofs of Theorems 14–17.
Theorem 9.
(Simultaneous Diophantine Approximations) (Nitaj et al., 2014). Given any rational numbers of the form α 1 , , α n and 0 < ε < 1 , there is a polynomial time algorithm to compute integers p 1 , , p n and a positive integer q such that:
max i q α i p i < ε a n d q 3 n 2 n ( n 3 ) 4 ε n .
Theorem 10.
(Nitaj et al. 2014). Let N i = p i q i for 1 i k be k RSA moduli. Let N = min { N i } and e i , i = 1 , , k be k public exponents. Define δ = k 2 ( k + 1 ) . If there exist an integer x < N δ and k integers y i < N δ and | z i | < p i q i 3 ( p i + q i ) y i N 1 / 4 such that e i x y i ϕ ( N i ) = z i for i = 1 , , k , then one can factor k RSA moduli N 1 , , N k in polynomial time.
Theorem 11.
(Nitaj et al., 2014). Let N i = p i q i , for 1 i k be k RSA moduli N i where p and p are balanced primes. Let e i , i = 1 , , k , be k public exponents with min { e i } = N α . Define δ = ( 2 α 1 ) k 2 ( k + 1 ) . If there exist an integer y < N δ and k integers x i < N δ and | z i | < p i q i 3 ( p i + q i ) y N 1 / 4 such that e i x i y ϕ ( N i ) = z i for i = 1 , , k , then one can factor the k RSA moduli N 1 , , N k in polynomial time.
Theorem 12.
(Asbullah, 2015). Let N = p q with q < p < 2 q . Let e < ϕ ( N ) and d satisfy e d 1 mod ϕ ( N ) . If d < 1 2 N 1 4 , then k d is a convergent of the continued fraction e N .

3. The Proposed Findings and Discussion

In this section, we present our findings. The first part reported a short secret exponent attack on RSA modulus N = p q , where p and q are prime numbers of the same bit-length. We show that if d < 3 2 N 3 4 γ , then one can find k d from the convergents of the continued fraction expansion of e N a 2 + b 2 a b N + 1 which leads to the factorization of RSA modulus N in polynomial time. In the second part of the paper, we presented four cryptanalytic attacks using a generalized key equation of the shape e s d k s ϕ ( N s ) = 1 , e s d s k ϕ ( N s ) = 1 , e s d k s ϕ ( N s ) = z s , and e s d s k ϕ ( N s ) = z s for unknown integers d , k s , d s , k s , and z s . We showed that t RSA moduli N s = p s q s can be simultaneously factored in polynomial time where s = 1 , 2 , , t .

3.1. A Short Decryption Exponent Attack Using | b 2 p a 2 q | < N γ

In this section, we present two lemmas and a theorem with numerical examples.
Lemma 1.
Let p and q be prime numbers, where q < p < 2 q and N = p q . If a and b are small positive integers such that b 2 a 2 is close to q p for a > b and b 2 p a 2 q 0 , then ϕ ( N ) > N a 2 + b 2 a b N + 1 .
Proof of Lemma 1.
Let ( b 2 p a 2 q ) ( a 2 p b 2 q ) < 0 , then we get,
a 2 b 2 p 2 a 4 p q b 4 p q + a 2 b 2 q 2 < 0 a 2 b 2 ( p 2 + q 2 ) < ( a 4 + b 4 ) p q .
Adding 2 a 2 b 2 p q to both sides we have,
a 2 b 2 ( p + q ) 2 < a 4 + 2 a 2 b 2 + b 4 ) p q p + q < a 2 + b 2 a b N .
Then ϕ ( N ) > N + 1 a 2 + b 2 a b N . ☐
Lemma 2.
Let p and q be prime numbers where q < p < 2 q and N = p q . If,
( a 2 ( b 4 + 1 ) p b 2 ( a 4 + 1 ) q ) ( b 2 p a 2 q ) > 0 ,
then,
a 2 + b 2 a b N ( p + q ) < ( b 2 p a 2 q ) 2 ( a 2 + b 2 a b + 2 ) N .
Proof of Lemma 2.
We first compute,
a 2 + b 2 a b N ( p + q ) a 2 + b 2 a b N + ( p + q ) ( b 2 p a 2 q ) 2
= ( a 2 + b 2 ) 2 a 2 b 2 N + ( a 2 + b 2 ) a b N ( p + q ) ( a 2 + b 2 ) a b N ( p + q ) ( p + q ) 2 ( b 2 p a 2 q ) 2 = ( a 2 b 6 + a 2 b 2 ) p 2 + ( a 4 + 2 a 4 b 4 + b 4 ) p q ( a 6 b 2 a 2 b 2 ) q 2 a 2 b 2 = ( a 2 ( b 4 + 1 ) p b 2 ( a 4 + 1 ) q ) ( b 2 p a 2 q ) a 2 b 2 .
Since ( a 2 ( b 4 + 1 ) p b 2 ( a 4 + 1 ) q ) ( b 2 p a 2 q ) > 0 , we get,
a 2 + b 2 a b N ( p + q ) a 2 + b 2 a b N + ( p + q ) ( b 2 p a 2 q ) 2 < 0 a 2 + b 2 a b N ( p + q ) < ( b 2 p a 2 q ) 2 a 2 + b 2 a b N + ( p + q ) a 2 + b 2 a b N ( p + q ) < ( b 2 p a 2 q ) 2 ( a 2 + b 2 a b + 2 ) N .
Theorem 13.
Let p and q be prime numbers, where q < p < 2 q and N = p q . Given the pair ( e , N ) for e < ϕ ( N ) as a public key pair and (d,p,q) as a private key tuple, let | b 2 p a 2 q | < N γ . If q p is close to b 2 a 2 such that the relation ( a 2 ( b 4 + 1 ) p b 2 ( a 4 + 1 ) q ) ( b 2 p a 2 q ) > 0 holds and d < 3 2 N 3 4 γ , then k d can be calculated efficiently from the convergent of the continued fraction expansion of e N a 2 + b 2 a b N + 1 for k < d and ( a , b ) are positive integers less than log N .
Proof of Theorem 13.
Since ( a 2 ( b 4 + 1 ) p b 2 ( a 4 + 1 ) q ) ( b 2 p a 2 q ) > 0 and b 2 p a 2 q < N γ , then from Lemma 2 we have,
a 2 + b 2 a b N ( p + q ) < ( b 2 p a 2 q ) 2 a 2 + b 2 a b N + 2 N a 2 + b 2 a b N + ϕ ( N ) N 1 < N 2 γ ( a 2 + b 2 a b + 2 ) N .
Using RSA key equation e d k ϕ ( N ) = 1 , for some k Z , this gives us,
e ϕ ( N ) k d = 1 d ϕ ( N ) .
Taking N a 2 + b 2 a b N + 1 as approximation of ϕ ( N ) , this becomes,
e ϕ ( N ) k d = e N a 2 + b 2 a b N + 1 k d = e N a 2 + b 2 a b N + 1 e ϕ ( N ) + e ϕ ( N ) k d e N a 2 + b 2 a b N + 1 e ϕ ( N ) + e ϕ ( N ) k d = e | ( ϕ ( N ) N a 2 + b 2 a b N 1 ) | ϕ ( N ) ( N a 2 + b 2 a b N + 1 ) + 1 d ϕ ( N ) .
Finally,
e ϕ ( N ) k d < N 2 γ ( N a 2 + b 2 a b N + 1 ) ( a 2 + b 2 a b N + 2 N ) + 1 d ϕ ( N ) .
Now, assuming that N a 2 + b 2 a b N + 1 > 4 a b ( a + b ) 2 N , ϕ ( N ) > 4 5 N and N > 10 d , where a and b are small positive integers, plugging the conditions into above inequality (Equation (1)), we get,
e ϕ ( N ) k d < N 2 γ ( 4 a b ) ( a + b ) 2 N ( a 2 + b 2 a b N + 2 N ) + 1 4 5 ( 10 d 2 ) < N 2 γ 3 2 4 + 1 8 d 2 .
Suppose that d < 3 2 N 3 4 γ , then,
N 2 γ 3 2 4 + 1 8 d 2 < 1 2 d 2 .
Hence, we have,
e N a 2 + b 2 a b N + 1 k d < 1 2 d 2 .
This shows that Theorem 13 produces k d as the convergent of the continued fraction expansion of e N a 2 + b 2 a b N + 1 . This terminates the proof. ☐
This is an improvement on the work of Reference [9], whose d < N 3 4 γ . Also taking the value of γ = 15 32 , we have our decryption exponent d < 3 2 N 0.28125 , which is also an improvement on the results of References [5,11] whose decryption exponents were d < 1 3 N 1 4 and d < 1 2 N 1 4 , respectively.
From Table 1 one can observe that our bound is an improvement of the abovementioned bounds.
Example 1.
In this example, we illustrate how to factor the RSA modulus N = p q for the case γ = 15 32 = 0.46875 . Let,
N = 26165530044163 ,
e = 20107848788311 ,
and a = 3 , b = 2 , γ = 15 32 . Taking the continued fraction expansion of e N 13 6 N + 1 , we get,
[ 0 , 1 , 3 , 3 , 7 , 1 , 1 , 1 , 4 , 161 , 2 , 3 , 1 , 1 , 1 , 5 , 1 , 2 , 2 , 8 , 4 , 5 , 1 , 5 , 26 , 3 ]
and their corresponding convergents are as follows,
[ 0 , 1 , 3 4 , 10 13 , 73 95 , 83 108 , 156 203 , 239 311 , 1112 1447 , 179 , 271 233 , 278 , 359 , 654 468 , 003 , 1 , 258 , 233 1 , 637 , 287 , 1 , 617 , 887 2 , 105 , 290 , 2 , 876 , 120 3 , 742 , 577 , ] ,
k d = 1112 1447 and computing,
1 + k ϕ ( N ) d = 20107848788311 ϕ ( N ) = 26165519061768 N ϕ ( N ) + 1 = 10982396 .
Finally, solving the quadratic equation x 2 ( N ϕ ( N ) + 1 ) x + N = 0 leads to the factorization of N. This reveals the factors of N as p = 7488127 and q = 3494269 . Taking the value of γ = 0.46875 , this shows that our bound increases to d < 3 2 N 0.28125 , that is, 1447 < 7274.146806 . This shows that our private key is greater than the bounds of References [5,11], i.e., 753.8954627 < 1147 < 7274.146806 (bound of Reference [5] ) and 1130.843194 < 1147 < 7274.146806 (bound of Reference [11]). This is an improvement on bounds stated in Table 1.

3.2. System of Equations Using N a 2 + b 2 a b N + 1 as Approximation of ϕ ( N )

In this section, we present four cryptanalytic attacks on t RSA moduli N s = p s q s using a system of equations of the form e s d k s ϕ ( N s ) = 1 , e s d s k ϕ ( N s ) = 1 , e s d k s ϕ ( N s ) = z s , and e s d s k ϕ ( N s ) = z s for s = 1 , , t , in which we successfully factor t RSA moduli in polynomial time for unknown positive integers d, k s , z s , d s , and k for s = 1 , , t .

3.2.1. The Attack on t RSA Moduli N s = p s q s Satisfying e s d k s ϕ ( N s ) = 1

Taking t 2 , let N s = p s q s , s = 1 , , t . The attack works for t instances ( N s , e s ) when there exist an integer d and t integers k s satisfying equation e s d k s ϕ ( N s ) = 1 . We show that prime factors p s and q s of t RSA moduli N s for s = 1 , , t can be found efficiently for N = max { N s } and d < N γ , k s < N γ , for all γ = 3 t 2 ( 3 t + 1 ) . In this case, the RSA instances shared common decryption exponent d.
Theorem 14.
Let N s = p s q s be t RSA moduli for s = 1 t and let ( e s , N s ) be a public key pair and ( d , N s ) be a private key pair such that e s < ϕ ( N s ) and the relation e s d 1 ( mod ϕ ( N ) ) is satisfied. Let also N = max { N s } ; if there exist positive integers d < N γ , k s < N γ , for all γ = 3 t 2 ( 3 t + 1 ) such that equation e s d k s ϕ ( N s ) = 1 holds, then prime factors of t RSA moduli N s can be successfully recovered in polynomial time.
Proof of Theorem 14.
For t 2 , and let N s = p s q s , 1 s t be t moduli. Let N = max { N s } and suppose that k s < N γ . Then equation e s d k s ϕ ( N s ) = 1 can be rewritten as,
e s d k s ( N s ( p s + q s ) + 1 ) = 1 e s d k s N s a 2 + b 2 a b N s + a 2 + b 2 a b N s ( N s ϕ ( N s ) + 1 ) + 1 = 1 e s N s a 2 + b 2 a b N s + 1 d k s = 1 k s N s ϕ ( N s ) + 1 a 2 + b 2 a b N s N s a 2 + b 2 a b N s + 1 .
Let N = max { N s } and suppose that k s < N γ are positive integers and from Theorem 13, it was shown that,
a 2 + b 2 a b N s + ϕ ( N s ) N s 1 < N 2 γ ( a 2 + b 2 a b + 2 ) N N s a 2 + b 2 a b N s + 1 > 4 a b ( a + b ) 2 N
1 k s N s ϕ ( N s ) + 1 a 2 + b 2 a b N s N s a 2 + b 2 a b N s + 1 1 + k s a 2 + b 2 a b N s N s + ϕ ( N s ) 1 N s a 2 + b 2 a b N s + 1 < 1 + N γ N 2 γ ( a 2 + b 2 a b + 2 ) N 4 a b ( a + b ) 2 N < 1 + N 3 γ 1 2 1 4 < b N 3 γ 3 2
We therefore have,
e s N s a 2 + b 2 a b N s + 1 d k s < b N 3 γ 3 2 .
Hence, to show the existence of integer d and t integers k s we let ε = b N 3 γ 3 2 , with γ = 3 t 2 ( 3 t + 1 ) . Then, we have,
N γ ε t = N γ b N 3 γ 3 2 t = b t N γ + 3 γ t 3 t 2 = b t .
Following Theorem 9, we have b t < 2 t ( t 3 ) 4 · 3 t for t 2 , then, we get N γ ε t < 2 t ( t 3 ) 4 × 3 t . It follows that if d < N γ , then d < 2 t ( t 3 ) 4 × 3 t × ε t for s = 1 , , t . Finally,
e s N s a 2 + b 2 a b N s + 1 d k s < ε .
This clearly satisfies the conditions of Theorem 9, and we proceed to reveal the private key d and t integers k s for s = 1 , , t . Next, from equation e s d k s ϕ ( N s ) = 1 we compute,
ϕ ( N s ) = e s d 1 k s p s + q s = N s ϕ ( N s ) + 1 .
Finally, by finding the roots of the quadratic equation x 2 ( N s ϕ ( N s ) + 1 ) x + N s = 0 , the prime factors p s and q s can be revealed, which lead to the factorization of t RSA moduli N s for s = 1 , , t in polynomial time. ☐
Let,
X 1 = e 1 N 1 a 2 + b 2 a b N 1 + 1 , X 2 = e 2 N 2 a 2 + b 2 a b N 2 + 1 , X 3 = e 3 N 3 a 2 + b 2 a b N 3 + 1 .
Define,
T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] .
Consider the lattice L spanned by the matrix,
M = 1 [ T ( X 1 ) ] [ T ( X 2 ) ] [ T × X 3 ] 0 T 0 0 0 0 T 0 0 0 0 T
Taking suitable small positive integers a and b, the matrix M can be used in computing the reduced basis after we apply the LLL algorithm.
Example 2.
In what follows, we give an illustration of how Theorem 14 works on three RSA moduli and their corresponding public exponents,
Let N 1 = 359072092653124553811906103878007890140989 N 2 = 324883680116881280214836807152055627596063 N 3 = 382594344895631082046807051393818596023693 e 1 = 45375420344792168881455554779343580096391 e 2 = 243789589028178310684702159604367474648551 e 3 = 310614049489189851372469759955479934011591 .
Observe that,
N = max { N 1 , N 2 , N 3 } = 382594344895631082046807051393818596023693 .
By using a = 3 , b = 2 and since t = 3 , we will have from Algorithm 4 γ = 3 t 2 ( 3 t + 1 ) = 0.45 and ε = b N 3 γ 3 2 = 0.000001157761794 .
Algorithm 4 Theorem 14
1:
Initialization: The public key tuple ( N s , e s , γ ) satisfying Theorem 14.
2:
Choose a, b and t to be suitable small positive integers and N = max { N s } for s = 1 , , t .
3:
forany ( a , b , t , N , γ ) do
4:
     ε : = b N 3 γ 3 2
5:
     T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] for t 2 .
6:
endfor
7:
Consider the lattice L spanned by the matrix M as stated above.
8:
Applying the LLL algorithm to L , we obtain the reduced basis matrix K.
9:
forany ( M , K ) do
10:
     J : = = M 1
11:
     Q = J K .
12:
endfor
13:
Produce d, k s from Q
14:
foreach triplet ( d , k s , e s ) do
15:
     ϕ ( N s ) : = e s d 1 k s
16:
     W s : = N s ϕ ( N s ) + 1 .
17:
endfor
18:
Solve the quadratic equation x 2 W s x + N s = 0
19:
return the prime factors ( p s , q s ) .
Applying Theorem 9 and using Algorithm 4 for n = t = 3 , we compute,
T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] = 22541258940000000000000000 .
Consider the lattice L spanned by the matrix,
M = 1 [ T ( X 1 ) ] [ T ( X 2 ) ] [ T × X 3 ] 0 T 0 0 0 0 T 0 0 0 0 T
Therefore, by applying the LLL algorithm to L , we obtain the reduced basis with the following matrix,
K = 2578263109750711 2034699965866566690 2344404377412628796 2580976588820297660 2580976588820297660 7038163058258067570 1213053071081376612 4486161207788962020 4247153090969385088 4534704902749259520 12312546858704031232 7327527172122145280 8914983043342173506 11071823379597700260 645732543479046584 645732543479046584
Next, from Algorithm 4 we compute Q = K · J ,
Q = 2578263109750711 325811375370309 1934703841407202 2093195458460643 9287723537945650383 1173676173123327666 6969418419258590716 7540355619851993530 7540355619851993530 536706585430991758 3187022832955722161 3448104860897526334 8914983043342173506 1126573496618480874 6689717536897095223 7237741543135901521
From the first row of matrix Q, we obtain d , k 1 , k 2 , and k 3 as follows,
d = 2578263109750711 , k 1 = 325811375370309 , k 2 = 1934703841407202 , k 3 = 2093195458460643
Using Algorithm 4, we now compute ϕ ( N s ) = e s d 1 k s for s = 1 , 2 , 3 .
ϕ ( N 1 ) = 359072092653124553810707267684522589776000
ϕ ( N 2 ) = 324883680116881280213619313059216656916880
ϕ ( N 3 ) = 382594344895631082045445951038518440638400 .
Next, from Algorithm 4 we proceed to compute W s for s = 1 , 2 , 3 .
W 1 = 1198836193485300364990
W 2 = 1217494092838970679184
W 3 = 1361100355300155385294 .
Finally, solving the quadratic equation x 2 W s x + N s = 0 for s = 1 , 2 , 3 yields ( p 1 , q 1 ) , ( p 2 , q 2 ) , and ( p 3 , q 3 ) , which lead to the factorization of three RSA moduli N 1 , N 2 , N 3 . That is,
p 1 = 614582596386772289501 , q 1 = 584253597098528075489
p 2 = 822497570179231384793 , q 2 = 394996522659739294391
p 3 = 964370894659814712593 , q 3 = 396729460640340672701 .
From our result, one can observe that we get d N 0.3706 , which is larger than Blömer–May’s bound x < 1 3 N 0.25 , as reported in Reference [12]. Our d N 0.3706 is also larger than Nitaj et al.’s bound d N 0.344 , as reported in Reference [13].

3.2.2. The Attack on t RSA Moduli N s = p s q s Satisfying e s d s k ϕ ( N s ) = 1

In this section, we consider a second case in which t RSA moduli satisfy t equations of the form e s d s k ϕ ( N s ) = 1 for unknown positive integers d s and k for s = 1 , , t . In this case, every pair of the RSA instances has its own unique decryption exponent d s .
Theorem 15.
Let N s = p s q s be t RSA moduli for s = 1 , , t and let ( e s , N s ) be a public key pair and ( d s , N s ) be a private key pair with e s < ϕ ( N s ) and the given relation e s d s 1 ( mod ϕ ( N ) ) is satisfied. Let e = min { e s } = N α be t public exponents; if there exist t integers d s < N γ , k < N γ , f o r a l l γ = ( 1 + 2 α ) t 2 ( 3 t + 1 ) such that equation e s d s k ϕ ( N s ) = 1 holds, then t prime factors of RSA moduli N s can be successfully recovered in polynomial time.
Proof of Theorem 15.
For t 3 and N s = p s q s , be t RSA moduli. Let e = min { e s } = N α be t public exponents for s = 1 , , t and suppose that d s < N γ . Then, the equation e s d s k ϕ ( N s ) = 1 can be rewritten as,
e s d s k ( N s ( p s + q s ) + 1 ) = 1 e s d s k N s a 2 + b 2 a b N s + a 2 + b 2 a b N s ( N s ϕ ( N s ) + 1 ) + 1 = 1 k N s a 2 + b 2 a b N s + 1 e s d s = 1 k N s ϕ ( N s ) + 1 a 2 + b 2 a b N s e s .
Let N = max { N s } and d s < N γ , k < N γ be positive integers and from Theorem 13, it was shown that,
a 2 + b 2 a b N s + ϕ ( N s ) N s 1 < N 2 γ ( a 2 + b 2 a b + 2 ) N .
Additionally, suppose that e = min { e s } = N α , then we have,
1 k N s ϕ ( N s ) + 1 a 2 + b 2 a b N s e s 1 + k a 2 + b 2 a b N s N s + ϕ ( N s ) 1 e s < 1 + N γ N 2 γ ( a 2 + b 2 a b + 2 ) N N α < 8 N 3 γ 1 2 α .
Hence, we get,
k N s a 2 + b 2 a b N s + 1 e s d s < 8 N 3 γ 1 2 α .
We now proceed to show the existence of integer k and t integers d s . Let ε = 8 N 3 γ 1 2 α and γ = ( 1 + 2 α ) t 2 ( 3 t + 1 ) . Then, we get,
N γ ε t = N γ 8 N 3 γ 1 2 α t = 8 t 2 N γ + 3 γ t t 2 α t = 8 t 2 .
Following Theorem 9, we have 8 t 2 < 2 t ( t 3 ) 4 · 3 t for t 3 , then we get N γ ε t < 2 t ( t 3 ) 4 · 3 t . It follows that if k < N γ and following Theorem 9, we have k < 2 t ( t 3 ) 4 × 3 t × ε t for s = 1 , , t . Finally,
k N s a 2 + b 2 a b N s + 1 e s d s < ε .
This clearly satisfies the conditions of Theorem 9, and we proceed to reveal t integers of the private key d s and integer k for s = 1 , , t . Next, from equation e s d s k ϕ ( N s ) = 1 we compute,
ϕ ( N s ) = e s d s 1 k p s + q s = N s ϕ ( N s ) + 1 .
Finally, by finding the roots of the quadratic equation x 2 ( N s ϕ ( N s ) + 1 ) x + N s = 0 , the prime factors p s and q s can be found, which lead to the factorization of t RSA moduli N s for s = 1 , , t .
Let,
X 1 = N 1 a 2 + b 2 a b N 1 + 1 e 1 , X 2 = N 2 a 2 + b 2 a b N 2 + 1 e 2 , X 3 = N 3 a 2 + b 2 a b N 3 + 1 e 3 .
Define,
T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] .
Consider the lattice L spanned by the matrix,
M = 1 [ T ( X 1 ) ] [ T ( X 2 ) ] [ T ( X 3 ) ] 0 T 0 0 0 0 T 0 0 0 0 T
Taking suitable small positive integers a and b, the matrix M can be used in computing the reduced basis after we apply the LLL algorithm
Example 3.
In what follows, we give a numerical example to illustrate how our attack of Theorem 15 works on three RSA Moduli. We consider the following three RSA moduli and their corresponding public exponents,
N 1 = 163889671902988443382883271210955564227203
N 2 = 1148623006222285920602264446698309119625517
N 3 = 958230896880440803103514702761136188985911
e 1 = 102148699518319970718711207616780801429013
e 2 = 555369481273226483312414829199486063579195
e 3 = 2947238068713166701798078609368273575653161 .
Observe that,
N = max { N 1 , N 2 , N 3 } = 1148623006222285920602264446698309119625517 e s = min { e 1 , e 2 , e 3 } = 102148699518319970718711207616780801429013 ,
with e s = min { e 1 , e 2 , e 3 } = N α with α = 0.9750133088 . By using a = 3 , b = 2 and since t = 3 , we will have from Algorithm 5 γ = ( 1 + 2 α ) t 2 ( 3 t + 1 ) = 0.44250 and ε = 8 N 3 γ 1 2 α = 0.000001768531652 .
Applying Theorem 9 and using Algorithm 5, we compute,
T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] = 4140031786000000000000000 .
Algorithm 5 Theorem 15
1:
Initialization: The public key tuple ( N s , e s , α , γ ) satisfying Theorem 15.
2:
Choose a, b and t to be suitable small positive integers and N = max { N s } for s = 1 , , t .
3:
forany ( a , b , t , N , α , γ ) do
4:
     ε = 8 N 3 γ 1 2 α
5:
     e = : min { e s } : = N α
6:
     T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] for t 2 .
7:
endfor
8:
Consider the lattice L spanned by the matrix M as stated above.
9:
Applying the LLL algorithm to L , we obtain the reduced basis matrix K.
10:
forany ( M , K ) do
11:
     J : = = M 1
12:
     Q = J K .
13:
endfor
14:
Produce d s , k from Q
15:
foreach triplet ( d s , k , e s ) do
16:
     ϕ ( N s ) : = e s d s 1 k
17:
     W s : = N s ϕ ( N s ) + 1 .
18:
endfor
19:
Solve the quadratic equation x 2 W s x + N s = 0
20:
return the prime factors ( p s , q s ) .
Consider the lattice L spanned by the matrix,
M = 1 [ T ( X 1 ) ] [ T ( X 2 ) ] [ T ( X 3 ) ] 0 T 0 0 0 0 T 0 0 0 0 T
Therefore, by applying the LLL algorithm to L , we obtain the reduced basis with the following matrix,
K = 1944662874609887749 739703099714239590 345516048415097753 75220223065832636 312939819716059 3078110579756278310 414033376574202823 67328478162817476 641396426019740525 1430247980684822250 660964237954996575 2681843509732748900 893602997419446810 1688910391195682900 3790386709273250430 350853801896118840
Next, from Algorithm 5, we compute Q = K · J ,
Q = 1944662874609887749 3120060871891740871 4021979227238758337 632265194403229474 312939819716059 502087688051741 647226555670387 101745633411641 641396426019740525 1029070857639965612 1326545148548731842 208536215341829039 893602997419446810 1433716755565101613 1848162342143902764 290535742857772536
From the second row of matrix Q, we obtain k , d 1 , d 2 , and d 3 as follows,
k = 312939819716059 , d 1 = 502087688051741 , d 2 = 647226555670387 , d 3 = 101745633411641 .
Using Algorithm 5, we compute ϕ ( N s ) = e s d s 1 k for s = 1 , 2 , 3 . That is,
ϕ ( N 1 ) = 163889671902988443381763445058591755881248
ϕ ( N 2 ) = 1148623006222285920600119881462113872455296
ϕ ( N 3 ) = 958230896880440803101547264462074637000800 .
Next, from Algorithm 5 we proceed to compute W s for s = 1 , 2 , 3 .
W 1 = 1119826152363808345956
W 2 = 2144565236195247170222
W 3 = 1967438299061551985112 .
Finally, solving the quadratic equation x 2 W s x + N s = 0 for s = 1 , 2 , 3 yields ( p 1 , q 1 ) , ( p 2 , q 2 ) , and ( p 3 , q 3 ) which lead to the factorization of three RSA moduli N 1 , N 2 , N 3 . That is,
p 1 = 946711448692045925137 , q 1 = 173114703671762420819
p 2 = 1106444100091356676813 , q 2 = 1038121136103890493409
p 3 = 1081045755724110472721 , q 3 = 886392543337441512391 .
From our result, one can observe that we get min { d 1 , d 2 , d 3 } N 0.333 , which is larger than Blömer–May’s bound x < 1 3 N 0.25 , as reported in Reference [12].

3.2.3. The Attack on t RSA Moduli N s = p s q s Satisfying e s d k s ϕ ( N s ) = z s

In this section, we consider another case in which t RSA moduli satisfies t equations of the form e s d s k ϕ ( N s ) = z s for unknown positive integers d s , k, and z s for s = 1 , , t .
For t 2 , let N s = p s q s , for = 1 , , t . The attack works for t instances ( N s , e s ) if there exist an integer d and t integers k s such that e s d k s ϕ ( N s ) = z s holds. We show that prime factors p s and q s of t RSA moduli N s for s = 1 , , t can be found efficiently for N = max { N s } and d , k s , and z s < N γ for all γ = 3 t 2 ( 4 t + 1 ) for unknown positive integers d , k s , and z s . In this case, the RSA instances shared a common decryption exponent d.
Theorem 16.
Let N s = p s q s be RSA moduli for s = 1 , , t and let the pair ( e s , N s ) be public keys and ( d , N s ) bea private key with e s < ϕ ( N s ) and the given relation e s d z s ( mod ϕ ( N s ) ) is satisfied. Let N = max { N s } for s = 1 , , t . If there exist integers d < N γ , k s < N γ , f o r a l l γ = 3 t 2 ( 4 t + 1 ) such that equation e s d k s ϕ ( N s ) = z s holds, then the prime factors of t RSA moduli N s can be successfully recovered in polynomial time.
Proof of Theorem 16.
For t 2 , and let N s = p s q s , 1 s t be t RSA moduli. Let N = max { N s } and suppose that k s < N γ . Then equation e s d k s ϕ ( N s ) = z s can be rewritten as,
e s d k s ( N s ( p s + q s ) + 1 ) = z s e s d k s N s a 2 + b 2 a b N s + a 2 + b 2 a b N s ( N s ϕ ( N s ) + 1 ) + 1 = z s
e s N s a 2 + b 2 a b N s + 1 d k s = z s k s N s ϕ ( N s ) + 1 a 2 + b 2 a b N s N s a 2 + b 2 a b N s + 1 .
Taking N = max { N s } and suppose that k s < N γ , z s < N γ are positive integers and from Theorem 13, it was shown that,
a 2 + b 2 a b N s + ϕ ( N s ) N s 1 < N 2 γ ( a 2 + b 2 a b + 2 ) N N s a 2 + b 2 a b N s + 1 > 4 a b ( a + b ) 2 N .
Plugging into Equation (5) yields,
z s k s N s ϕ ( N s ) + 1 a 2 + b 2 a b N s ) N s a 2 + b 2 a b N s + 1 z s + k s a 2 + b 2 a b N s N s + ϕ ( N s ) 1 ) N s a 2 + b 2 a b N s + 1 < N γ + N γ N 2 γ ( a 2 + b 2 a b + 2 ) N 4 a b ( a + b ) 2 N < b N 4 γ 3 2 .
Hence, we have,
e s N s a 2 + b 2 a b N s + 1 d k s < b N 4 γ 3 2 .
Hence, to show the existence of integer d and t integers k s , we let ε = b N 4 γ 3 2 , with γ = 3 t 2 ( 4 t + 1 ) . Then, we have:
N γ ε t = N γ b N 4 γ 3 2 t = b t N γ + 4 γ t 3 t 2 = b t .
Following Theorem 9, we have b t < 2 t ( t 3 ) 4 × 3 t for t 2 , then we get N γ ε t < 2 t ( t 3 ) 4 × 3 t . It follows that if d < N γ , then d < 2 t ( t 3 ) 4 × 3 t × ε t for s = 1 , , t . Finally,
e s N s a 2 + b 2 a b N s + 1 d k s < ε .
This also satisfies the conditions of Theorem 9, and we next proceed to reveal the private key d and t integers k s for s = 1 , , t . Next, from equation e s d k s ϕ ( N s ) = z s we compute,
ϕ ( N s ) = e s d z s k s p s + q s = N s ϕ ( N s ) + 1 .
Finally, by finding the roots of the quadratic equation x 2 ( N s ϕ ( N s ) + 1 ) x + N s = 0 , prime factors p s and q s can be revealed, which lead to the factorization of t RSA moduli N s for s = 1 , , t in polynomial time. ☐
Let,
X 1 = e 1 N 1 a 2 + b 2 a b N 1 + 1 , X 2 = e 2 N 2 a 2 + b 2 a b N 2 + 1 , X 3 = e 3 N 3 a 2 + b 2 a b N 3 + 1 .
Define,
T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] .
Consider the lattice L spanned by the matrix,
M = 1 [ T ( X 1 ) ] [ T ( X 2 ) ] [ T ( X 3 ) ] 0 T 0 0 0 0 T 0 0 0 0 T
Taking suitable small positive integers a and b, the matrix M can be used in computing the reduced basis after we apply the LLL algorithm.
Example 4.
In what follows, we give a numerical example to illustrate how our attack of Theorem 16 works on t RSA Moduli. We consider the following three RSA moduli and their corresponding public exponents,
Let N 1 = 330296126221226061978488805127502203372577 N 2 = 187396362359066080307391868109309718740567 N 3 = 216436372402461777072305279786697609409967 e 1 = 302169635060396919768302245253373846319703 e 2 = 91199418785305795947645004809998556532621 e 3 = 162134135066593548250015517503190950433936 .
Observe that,
N = max { N 1 , N 2 , N 3 } = 330296126221226061978488805127502203372577 .
By using a = 3 , b = 2 and since t = 3 , we will have from Algorithm 6 γ = 3 t 2 ( 4 t + 1 ) = 0.364 and ε = b N 3 γ 3 2 = 0.00003240252930 . Applying Theorem 9 and Algorithm 6 for n = t = 3 we compute,
T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] = 36740018900000000000 .
Algorithm 6 Theorem 16
1:
Initialization: The public key tuple ( N s , e s , z s , γ ) satisfying Theorem 16.
2:
Choose a, b and t to be suitable small positive integers and N = max { N s } for s = 1 , , t .
3:
forany ( a , b , t , N , γ ) do
4:
       ε = b N 3 γ 3 2
5:
       T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] f o r t 2 .
6:
endfor
7:
Consider the lattice L spanned by the matrix M as stated above.
8:
Applying the LLL algorithm to L , we obtain the reduced basis matrix K.
9:
forany ( M , K ) do
10:
       J : = = M 1
11:
       Q = J K .
12:
endfor
13:
Produce d, k s Q
14:
foreach triplet ( d , k s , e s , z s ) do
15:
       ϕ ( N s ) : = e s d z s k s
16:
       W s : = N s ϕ ( N s ) + 1 .
17:
endfor
18:
Solve the quadratic equation x 2 W s x + N s = 0
19:
return the prime factors ( p s , q s ) .
Consider the lattice L spanned by the matrix
M = 1 [ T ( X 1 ) ] [ T ( X 2 ) ] [ T ( X 3 ) ] 0 T 0 0 0 0 T 0 0 0 0 T
Therefore, by applying the LLL algorithm to L , we obtain the reduced basis with the following matrix,
K = 221202829045687 93563315351041 100537693381434 43249006678519 219137979005996 215228853099828 366048772777528 36384754276652 15192444691558 450517287777994 9761598838844 503486112156954 337933481607001 490633444109457 161755868358618 208327724754663
Next, from Algorithm 6, we compute Q = K · J ,
Q = 221202829045687 202366218737588 107651873220345 165704724042021 219137979005996 200477201781543 106646981123572 164157929150241 15192444691558 13898726335799 7393644723707 11380776032563 337933481607001 309156628568763 164460700958544 253148544961339
From the first row of matrix Q, one can observe that we obtain d , k 1 , k 2 , and k 3 as follows,
d = 221202829045687 , k 1 = 202366218737588 , k 2 = 107651873220345 , k 3 = 165704724042021 .
Using Algorithm 6, we compute ϕ ( N s ) = e s d z s k s for s = 1 , 2 , 3 where z 1 , z 2 , z 3 are,
z 1 = 78214488852833 , z 2 = 81546995635627 , z 3 = 268274979696656
ϕ ( N 1 ) = 330296126221226061977286874278835760293956
ϕ ( N 2 ) = 187396362359066080306393381432741963476000
ϕ ( N 3 ) = 216436372402461777071093307335033501180256 .
Next, from Algorithm 6, we compute W s for s = 1 , 2 , 3 .
W 1 = 1201930848666443078622
W 2 = 998486676567755264568
W 3 = 1211972451664108229712 .
Finally, solving the quadratic equation x 2 W s x + N s = 0 for s = 1 , 2 , 3 yields ( p 1 , q 1 ) , ( p 2 , q 2 ) , and ( p 3 , q 3 ) which lead to the factorization of three RSA moduli N 1 , N 2 , N 3 . That is,
p 1 = 776645004884812569823 , q 1 = 425285843781630508799
p 2 = 747935011770876784817 , q 2 = 250551664796878479751
p 3 = 994294007747013311743 , q 3 = 217678443917094917969 .
From our result, one can observe that we get d N 0.3455 , which is larger than Blömer–May’s bound x < 1 3 N 0.25 , as reported in Reference [12]. Our d N 0.3455 is also larger than Nitaj et al.’s bound x N 0.344 , as reported in Reference [13].

3.2.4. The Attack on t RSA Moduli N s = p s q s Satisfying e s d s k ϕ ( N s ) = z s

In this section, we present another case in which t RSA moduli satisfies t equations of the form e s d s k ϕ ( N s ) = z s for unknown positive integers d s , k, and z s for s = 1 , , t , which can be simultaneously factored in polynomial time. In this case, every pair of the RSA instances has its own unique decryption exponent d s .
Theorem 17.
Let N s = p s q s be t RSA moduli for s   =   1 , , t and let ( e s , N s ) be a public key pair and ( d s , N s ) be a private key pair with condition e s < ϕ ( N s ) and the given relation e s d s z s ( mod ϕ ( N s ) ) is satisfied. Let e = min { e s } = N α be t public exponents. If there exist positive integers d s < N γ , k < N γ , for all γ = ( 1 + 2 α ) t 2 ( 4 t + 1 ) such that the equation e s d s k ϕ ( N s ) = z s holds, then t prime factors of RSA moduli N s can be found successfully in polynomial time.
Proof of Theorem 17
For t 3 and suppose N s = p s q s to be t RSA moduli for s = 1 , , t . Suppose that e = min { e s } = N α are t public exponents and suppose that d s < N γ . Then, equation e s d s k ϕ ( N s ) = z s can be rewritten as,
e s d s k ( N s ( p s + q s ) + 1 ) = z s e s d s k N s a 2 + b 2 a b N s + a 2 + b 2 a b N s ( N s ϕ ( N s ) + 1 ) + 1 = z s k N s a 2 + b 2 a b N s + 1 e s d s = z s k N s ϕ ( N s ) + 1 a 2 + b 2 a b N s e s .
Let N = max { N s } for s = 1 , , t , and d s < N γ , k < N γ , z s < N γ be positive integers and a 2 + b 2 a b N s + ϕ ( N s ) N s 1 < N 2 γ ( a 2 + b 2 a b + 2 ) N , e = min { e s } = N α , then we have,
z s k N s ϕ ( N s ) + 1 a 2 + b 2 a b N s e s z s + k a 2 + b 2 a b N s N s + ϕ ( N s ) 1 e s < N γ + N γ N 2 γ ( a 2 + b 2 a b + 2 ) N N α < a b N 3 γ 1 2 α .
Hence, we get,
k N s a 2 + b 2 a b N s + 1 e s d s < a b N 3 γ 1 2 α .
We now proceed to show the existence of integer k and t integers d s . Let ε = a b N 3 γ 1 2 α and γ = ( 1 + 2 α ) t 2 ( 4 t + 1 ) . Then, we get,
N γ ε j = N γ a b N 3 γ 1 2 α t = a b t 2 N γ + 3 γ t t 2 α t = a b t 2 .
Following Theorem 9, we have a b t 2 < 2 t ( t 3 ) 4 × 3 t for t 2 , then we get N γ ε t < 2 t ( t 3 ) 4 × 3 t . It follows that if k < N γ , then k < 2 t ( t 3 ) 4 × 3 t × ε t for s = 1 , , t . Finally,
k N s a 2 + b 2 a b N s + 1 e s d s < ε .
This satisfies the conditions of Theorem 9 and we proceed to find the values of d s and k for s = 1 , , t . Next, from the equation e s d s k ϕ ( N s ) = z s we compute,
ϕ ( N s ) = e s d s z s k p s + q s = N s ϕ ( N s ) + 1
Finally, by finding the roots of the quadratic equation x 2 ( N s ϕ ( N s ) + 1 ) x + N s = 0 , the prime factors p s and q s can be found, which lead to the factorization of t RSA moduli N s for s = 1 , , t . ☐
Let,
X 1 = N 1 a 2 + b 2 a b N 1 + 1 e 1 , X 2 = N 2 a 2 + b 2 a b N 2 + 1 e 2 X 3 = N 3 a 2 + b 2 a b N 3 + 1 e 3
Define,
T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] .
Consider the lattice L spanned by the matrix,
M = 1 [ T ( X 1 ) ] [ T ( X 2 ) ] [ T ( X 3 ) ] 0 T 0 0 0 0 T 0 0 0 0 T
Taking suitable small positive integers a and b, the matrix M can be used in computing the reduced basis after we apply the LLL algorithm.
Algorithm 7 Theorem 17
1:
Initialization: The public key tuple ( N s , e s , z s , α , γ ) satisfying Theorem 17.
2:
Choose a, b and t to be suitable small positive integers and N = max { N s } for s = 1 , , t .
3:
forany ( a , b , t , N , γ ) do
4:
     ε = a b N 3 γ 1 2 α
5:
     e = : min { e s } : = N α
6:
     T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] for t 2 .
7:
endfor
8:
Consider the lattice L spanned by the matrix M as stated above.
9:
Applying the LLL algorithm to L , we obtain the reduced basis matrix K.
10:
forany ( M , K ) do
11:
     J : = = M 1
12:
     Q = J K .
13:
endfor
14:
Produce d s , k from Q
15:
foreach triplet ( d s , k , e s , z s ) do
16:
     ϕ ( N s ) : = e s d s z s k
17:
     W s : = N s ϕ ( N s ) + 1 .
18:
endfor
19:
Solve the quadratic equation x 2 W s x + N s = 0
20:
return the prime factors ( p s , q s ) .
Example 5.
In what follows, we give a numerical example to illustrate how our attack of Theorem 17 works on t RSA Moduli. We consider the following three RSA moduli and their corresponding public exponents,
N 1 = 336942490676287248746778854034851937369893
N 2 = 668105444816109132056919917066428038906749
N 3 = 639755280744251044114047220423078131849607
e 1 = 216385769902449684764280685469492987883161
e 2 = 2771656074511409731272546199640816528153287
e 3 = 1987635316084364424107099117207438936875885 .
Observe that,
N = max { N 1 , N 2 , N 3 } = 668105444816109132056919917066428038906749 e s = min { e 1 , e 2 e 3 } = 216385769902449684764280685469492987883161 ,
with e s = min { e 1 , e 2 , e 3 } = N α for α = 0.9882936490 . By using a = 3 , b = 2 and since t = 3 , we will have from Algorithm 7 γ = ( 1 + 2 α ) j 2 ( 4 t + 1 ) = 0.3434523805 and ε = a b N 3 γ 1 2 α = 0.00001994181860 .
Applying Theorem 9 and using Algorithm 7, we compute,
T = [ 3 t + 1 × 2 ( t + 1 ) ( t 4 ) 4 × ε t 1 ] = 256091979900000000000 .
Consider the lattice L spanned by the matrix,
M = 1 [ T ( X 1 ) ] [ T ( X 2 ) ] [ T ( X 3 ) ] 0 T 0 0 0 0 T 0 0 0 0 T
Therefore, by applying the LLL algorithm to L , we obtain the reduced basis with the following matrix,
K = 475374059459089 261893631007311 36395361888534 199732740251281 1289880599128957 2285004592985757 1543204053684258 795956829369853 1037212131324544 196749388649856 1127770407188736 2527706537969024 1215125997180921 973858878471321 2293826172011526 1849797988697991
Next, from Algorithm 7 we compute Q = K · J ,
Q = 475374059459089 740222980786823 114588530795597 153007476978677 1289880599128957 2008522011135318 310924670404006 415170689585032 1037212131324544 1615082355210807 250019141530540 333844912543661 1215125997180921 1892118784706700 292905134341853 391109610085597
From the first row of matrix J, one can observe that we obtain k , d 1 , d 2 , and d 3 as follows,
k = 475374059459089 , d 1 = 740222980786823 , d 2 = 114588530795597 , d 3 = 153007476978677 .
Using Algorithm 7, we compute ϕ ( N s ) = e s d s z s k for s = 1 , 2 , 3 , where z 1 , z 2 , z 3 are,
z 1 = 254677352608291 , z 2 = 170274159918143 , z 3 = 138475454795345
ϕ ( N 1 ) = 336942490676287248745614825672641206658508
ϕ ( N 2 ) = 668105444816109132055284112629804447897564
ϕ ( N 3 ) = 639755280744251044112444603349851200819200 .
Next, from Algorithm 7 we compute W s for s = 1 , 2 , 3 .
W 1 = 1164028362210730711386
W 2 = 1635804436623591009186
W 3 = 1602617073226931030408 .
Finally, solving the quadratic equation x 2 ( N s W s x + N s = 0 for s = 1 , 2 , 3 yields ( p 1 , q 1 ) , ( p 2 , q 2 ) , and ( p 3 , q 3 ) , which lead to the factorization of three RSA moduli N 1 , N 2 , N 3 . That is,
p 1 = 624417203774295157627 , q 1 = 539611158436435553759
p 2 = 847203991351099142923 , q 2 = 788600445272491866263
p 3 = 849683014443852067207 , q 3 = 752934058783078963201 .
From our result, one can observe that we get min { d 1 , d 2 , d 3 } N 0.336 , which is larger than Blömer–May’s bound x < 1 3 N 0.25 , as reported in Reference [12].

4. Conclusions

In this paper, it has been shown that our proposed cryptanalytic attacks on RSA modulus N = p q using the prime difference method can be used efficiently. The use of N a 2 + b 2 a b N + 1 as a good approximation of ϕ ( N ) is necessary as we have discovered a short decryption exponent bound d < 3 2 N 3 4 γ as a right candidate from the convergents of the continued fraction expansion of e N a 2 + b 2 a b N + 1 that led to the successful factorization of the RSA modulus in polynomial time. This paper also reported instances of factoring t RSA moduli by transforming generalized key equations e s d k s ϕ ( N s ) = 1 , e s d s k ϕ ( N s ) = 1 , e s d k s ϕ ( N s ) = z s , and e s d s k ϕ ( N s ) = z s , where s = 1 , , t into a simultaneous Diophantine approximations problem and later applied the LLL and lattice basis reduction methods, which produced a reduced basis that yielded the values of d , k s , d s k , and z s . Finally, we computed ϕ ( N s ) and solved a system of quadratic equation x 2 ( N s ϕ ( N s ) + 1 ) x + N s = 0 for s = 1 , 2 , 3 , which produce the roots ( p 1 , q 1 ) , ( p 2 , q 2 ) , and ( p 3 , q 3 ) as prime factors of t RSA moduli N 1 , N 2 , N 3 . In all the four attacks presented on t instances of RSA moduli N s = p s q s , we have improved the short secret exponent bound.

Author Contributions

All the authors made substantial contributions in the development of this paper. M.R.K.A. and S.I.A. oversaw the paper from its introduction to its conclusion. M.A.A. provided insight into the conceptualization of the paper and also into running the Maple for numerical examples, as contained in the paper. F.Y. provided thorough revision, including punctuations of the paper and made useful suggestions in improving the quality of the paper.

Funding

This research work is funded by the Fundamental Research Grant Scheme [02-01-15-1745FR] provided by the Ministry of Higher Education, Malaysia.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 1978, 21, 120–126. [Google Scholar] [CrossRef]
  2. Dubey, M.K.; Ratan, R.; Verma, N.; Saxena, P.K. Cryptanalytic Attacks and Countermeasures on RSA. In Proceedings of the Third International Conference on Soft Computing for Problem Solving; Springer: New Delhi, India, 2014; pp. 805–819. [Google Scholar]
  3. Bach, E.; Miller, G.; Shallit, J. Sums of divisors, perfect numbers and factoring. SIAM J. Comput. 1986, 15, 1143–1154. [Google Scholar] [CrossRef]
  4. Hinek, M.J. Cryptanalysis of RSA and Its Variants; Chapman and Hall/CRC: Boca Raton, FL, USA, 2009. [Google Scholar]
  5. Wiener, M. Cryptanalysis of Short RSA Secret Exponents. IEEE Trans. Inform. Theory 1990, 36, 553–558. [Google Scholar] [CrossRef]
  6. Boneh, D.; Glenn, D. Cryptanalysis of RSA with private key d less than N0.292. IEEE Trans. Inf. Theory 2000, 46, 1339–1349. [Google Scholar] [CrossRef]
  7. De Weger, B. Cryptanalysis of RSA with small prime difference. Appl. Algebra Eng. Commun. Comput. 2002, 13, 17–28. [Google Scholar] [CrossRef]
  8. Maitra, S.; Sarkar, S. Revisiting Wiener’s attack–new weak keys in RSA. In International Conference on Information Security; Springer: Berlin/Heidelberg, Germany, 2008; pp. 228–243. [Google Scholar]
  9. Chen, C.Y.; Hsueh, C.C.; Lin, Y.F. A Generalization of de Weger’s Method. In Proceedings of the 2009 Fifth International Conference on Information Assurance and Security, Xi’an, China, 18–20 August 2009; Volume 1, pp. 344–347. [Google Scholar]
  10. Nitaj, A. Diophantine and lattice cryptanalysis of the RSA cryptosystem. In Artificial Intelligence, Evolutionary Computing and Metaheuristics; Springer: Berlin/Heidelberg, Germany, 2013; pp. 139–168. [Google Scholar]
  11. Asbullah, M.A. Cryptanalysis on the Modulus N = p2q and the Design of Rabin Cryptosystem without Decryption Failure. Ph.D. Thesis, Universiti Putra Malaysia, Selangor, Malaysia, 2015. [Google Scholar]
  12. Blömer, J.; May, A. A generalized Wiener attack on RSA. In International Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2004; pp. 1–13. [Google Scholar]
  13. Nitaj, A.; Ariffin, M.R.; Nassr, D.I.; Bahig, H.M. New attacks on the RSA cryptosystem. In International Conference on Cryptology in Africa; Springer: Cham, Switzerland, 2014; pp. 178–198. [Google Scholar]
  14. Wang, X.; Xu, G.; Wang, M.; Meng, X. Mathematical Foundations of Public Key Cryptography; CRC Press: Boca Raton, FL, USA, 2016. [Google Scholar]
  15. Lenstra, A.K.; Lenstra, H.W.; Lovász, L. Factoring polynomials with rational coefficients. Mathematische Annalen 1982, 261, 515–534. [Google Scholar] [CrossRef]
Table 1. Comparison of the bounds on d for RSA modulus N = p q .
Table 1. Comparison of the bounds on d for RSA modulus N = p q .
AuthorsBound for dAssumed Interval for γ
[5] 1 3 N 1 4 Not applicable
[7] d < 1 8 N 3 4 γ 0.25 γ < 0.5
[8] d < N 1 γ 2 0.25 γ < 0.5
[9] d < N 3 4 γ 0.25 γ < 0.5
[10] d < 6 2 6 N 1 4 Not applicable
[11] d < 1 2 N 1 4 Not applicable
Our result d < 3 2 N 3 4 γ 0.25 γ < 0.5

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Cryptography EISSN 2410-387X Published by MDPI AG, Basel, Switzerland RSS E-Mail Table of Contents Alert
Back to Top