Towards Optimal Bounds for Implicit Factorization Problem
Abstract
We propose a new algorithm to solve the Implicit Factorization Problem, which was introduced by May and Ritzenhofen at PKC’09. In 2011, Sarkar and Maitra (IEEE TIT 57(6): 4002–4013, 2011) improved May and Ritzenhofen’s results by making use of the technique for solving the multivariate approximate common divisors problem. In this paper, based on the observation that the desired root of the equations derived by Sarkar and Maitra contains large prime factors, which are already determined by some known integers, we develop new techniques to acquire better bounds. We show that our attack is the best among all known attacks, and give experimental results to verify its correctness. Additionally, for the first time, we can experimentally handle implicit factorization for the case of balanced RSA moduli.
Keywords
Lattices · Implicit factorization problem · Coppersmith’s method · LLL algorithm
1 Introduction
The RSA cryptosystem is the most widely used public-key cryptosystem in practice, and its security is closely related to the difficulty of the Integer Factorization Problem (IFP): if IFP is solved then RSA is broken. It is conjectured that factoring cannot be solved in polynomial time without quantum computers.
In Eurocrypt’85, Rivest and Shamir [20] first studied the factoring with known bits problem. They showed that \(N=pq\) (p, q of the same bit size) can be factored given a \(\frac{2}{3}\)-fraction of the bits of p. In 1996, Coppersmith [2] improved the bound of [20] to \(\frac{1}{2}\). Note that for the above results, the unknown bits lie within one consecutive block. The case of n blocks was later considered in [7, 15].
Motivated by the cold boot attack [4], in Crypto’09, Heninger and Shacham [6] considered the case where the known bits are uniformly spread over the factors p and q; they presented a polynomial-time attack that works whenever a 0.59-fraction of the bits of p and q is given. As a follow-up work, Henecka et al. [5] focused on an attack scenario that allows for error correction of the secret factors, called the Noisy Factoring Problem. Later, Kunihiro et al. [12] discussed secret key recovery from noisy secret key sequences with both errors and erasures. Recently, Kunihiro and Honda [11] discussed how to recover RSA secret keys from noisy analog data.
1.1 Implicit Factorization Problem (IFP)
The above works require explicit knowledge of bits of the secret factor. In PKC’09, May and Ritzenhofen [18] introduced a new factoring problem with implicit information, called the Implicit Factorization Problem (IFP). Let \(N_{1}=p_{1}q_{1},\ldots ,N_{k}=p_{k}q_{k}\) be n-bit RSA moduli, where \(q_{1},\ldots ,q_{k}\) are \(\alpha n\)-bit primes (\(\alpha \in (0,1)\)): given the implicit information that \(p_{1},\ldots ,p_{k}\) share certain portions of their bit pattern, under what condition is it possible to factorize \(N_{1},\ldots ,N_{k}\) efficiently? This problem applies to the malicious generation of RSA moduli, i.e. the construction of backdoored RSA moduli. Besides, it also helps to better understand the complexity of the underlying factorization problem.
Since then, there have been many cryptanalytic results for this problem [3, 14, 18, 19, 21, 22, 23]. Sarkar and Maitra [22] developed a new approach: they used the idea of [10], originally devised for the approximate common divisor problem (ACDP), to solve the IFP, and managed to improve the previous bounds significantly.
1.2 Our Contributions
Table 1. Comparison of our generalized bounds against previous bounds

Case | [18] | [3] | [22] | [14] | [19] | This paper
\(\beta n\)-bit LSBs case (\(\beta > \cdot \)) | \(\frac{k}{k-1}\alpha \) | – | \( F(\alpha ,k)\) | \( H(\alpha ,k)\) | \( G(\alpha ,k)\) | \(T(\alpha ,k)\)
\(\gamma n\)-bit MSBs case (\(\gamma > \cdot \)) | – | \(\frac{k}{k-1}\alpha +\frac{6}{n}\) | \( F(\alpha ,k)\) | \(H(\alpha ,k)\) | \( G(\alpha ,k)\) | \(T(\alpha ,k)\)
\(\gamma n\)-bit MSBs and \(\beta n\)-bit LSBs together case (\(\gamma +\beta > \cdot \)) | – | – | \(F(\alpha ,k)\) | \( H(\alpha ,k)\) | \( G(\alpha ,k)\) | \(T(\alpha ,k)\)
\(\delta n\)-bit in the Middle case (\(\delta > \cdot \)) | – | \(\frac{2k}{k-1}\alpha +\frac{7}{n}\) | – | – | – | –
Technically, our algorithm also finds a small root of Eq. (1). Concretely, our improvement is based on the observation that for \(2\le i \le k\), \(u^{(0)}_i\) contains a large prime \(q_i\), which is already determined by \(N_i\).
In Fig. 1, we give the comparison with previous bounds for the case \(k=2\). In Table 1, we list the comparisons between our generalized bounds and the previous bounds.
Recently in [19], Peng et al. proposed another method for the IFP. Instead of applying Coppersmith’s technique directly to the ACDP, Peng et al. utilized the lattice proposed by May and Ritzenhofen [18] and tried to find the coordinates of the desired vector, which is not included in the reduced basis; namely, they introduced a method to deal with the case where the number of shared bits is not large enough to satisfy the bound in [18].
In this paper, we also investigate Peng et al.’s method [19]. Surprisingly, we obtain the same result with a different method. In Sect. 5, we give the experimental data for our two methods.
2 Preliminaries
2.1 Notations

\(p_{1},\ldots ,p_{k}\) share \(\beta n\) LSBs where \(\beta \in (0,1)\);

\(p_{1},\ldots ,p_{k}\) share \(\gamma n\) MSBs where \(\gamma \in (0,1)\);

\(p_{1},\ldots ,p_{k}\) share \(\gamma n\) MSBs and \(\beta n\) LSBs together where \(\gamma \in (0,1)\) and \(\beta \in (0,1)\);
For simplicity, here we consider \(\alpha n\), \(\beta n \) and \(\gamma n\) as integers.
2.2 Lattice
Consider a set of linearly independent vectors \(u_{1},\ldots ,u_{w}\in \mathbb {Z}^{n}\), with \(w\leqslant n\). The lattice \(\mathcal {L}\) spanned by \(\{u_{1},\ldots ,u_{w}\}\) is the set of all integer linear combinations of the vectors \(u_{1},\ldots ,u_{w}\). The number w of vectors is the dimension of the lattice. The set \(u_{1},\ldots ,u_{w}\) is called a basis of \(\mathcal {L}\). In lattices of large dimension, finding the shortest vector is a very hard problem; however, approximations of a shortest vector can be obtained in polynomial time by applying the well-known LLL basis reduction algorithm [13].
Lemma 1
We also state a useful lemma from Howgrave-Graham [9]. Let \(g(x_{1},\ldots ,x_{k})=\sum _{i_{1},\ldots ,i_{k}}a_{i_{1},\ldots ,i_{k}}x^{i_{1}}_{1}\cdots x_{k}^{i_{k}}\). We define the norm of g by the Euclidean norm of its coefficient vector: \(\parallel g \parallel ^{2}=\sum _{i_{1},\ldots ,i_{k}}a^{2}_{i_{1},\ldots ,i_{k}}\).
Lemma 2
1. \(g(y_{1},\ldots ,y_{k})=0 \text { mod }p^{m}\) for some \(\mid y_{1} \mid \leqslant X_{1},\ldots , \mid y_{k}\mid \leqslant X_{k}\), and
2. \(\parallel g(x_{1}X_{1},\ldots ,x_{k}X_{k})\parallel < \frac{p^{m}}{\sqrt{w}} \).
Then \(g(y_{1},\ldots ,y_{k})=0\) holds over the integers.
The approach used in the rest of the paper relies on the following heuristic assumption [7, 17] for computing the common roots of multivariate polynomials.
Assumption 1
The lattice-based construction in this work yields algebraically independent polynomials; the common roots of these polynomials can be computed using techniques such as resultant computation or finding a Gröbner basis.
3 Our New Analysis for Implicit Factorization
As described in the previous section, we will use the fact that the desired common root of the target equations contains large prime factors \(q_i\) (\(2\le i \le k\)), which are already determined by \(N_i\), to improve Sarkar–Maitra’s results.
3.1 Analysis for Two RSA Moduli: The MSBs Case
Theorem 1
Proof
Let \(\widetilde{p_2}=p_1-p_2\). We have \(N_1=p_1 q_1\), \(N_2=p_2 q_2=p_1 q_2-\widetilde{p_2} q_2\), and \(\gcd (N_1, N_2+\widetilde{p_2}q_2)=p_1\). Then we want to recover \(q_2,\widetilde{p_2}\) from \(N_1, N_2\). We focus on the bivariate polynomial \(f(x,y)=N_2+xy\) with the root \((x^{(0)},y^{(0)})=(q_2,\widetilde{p_2})\) modulo \(p_1\). Let \(X=N^{\alpha },Y=N^{1-\alpha -\gamma },Z=N^{1-\alpha }\) be the upper bounds of \(q_2,\widetilde{p_2},p_2\). In the following we will use the fact that the small root \(q_2\) is already determined by \(N_2\) to improve Sarkar–Maitra’s results.
To keep the lattice determinant as small as possible, we try to eliminate the factor \(N_2^{i}\) in the coefficients of the diagonal entries. Since \(\gcd (N_1,N_2)=1\), we only need to multiply the corresponding polynomial by the inverse of \(N_2^{i}\) modulo \(N_1^t\).
Compared to Sarkar–Maitra’s lattice, the coefficient vectors \(g_k (xX,yY,zZ)\) of our lattice contain fewer powers of X, which decreases the determinant of the lattice spanned by these vectors; on the other hand, the coefficient vectors contain powers of Z, which in turn increases the determinant. Hence, there is a trade-off, and one has to optimize the parameter s so as to minimize the lattice determinant. That is the key reason why we can get better results than Sarkar–Maitra’s.
We have to find two short vectors in the lattice \(\mathcal {L}\). Suppose that these two vectors are the coefficient vectors of two trivariate polynomials \(f_1(xX,yY,zZ)\) and \(f_2(xX,yY,zZ)\). These two polynomials have the root \((q_2,\widetilde{p_2},p_2)\) over the integers. Then we can eliminate the variable z from these polynomials by setting \(z=\frac{N_2}{x}\). Finally, we can extract the desired root \((q_2,\widetilde{p_2})\) from the two resulting polynomials if they are algebraically independent. Therefore, our attack relies on Assumption 1.
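The reduction in the proof of Theorem 1 and the norm condition of Lemma 2, as an added example that is not part of the paper: on a constructed toy instance (sizes n = 40, αn = 10, γn = 14; the helpers is_prime, gen_instance, hg_condition and demo are our own names) it checks that \(\gcd (N_1, N_2+\widetilde{p_2}q_2)=p_1\), that \(f(x,y)=N_2+xy\) has the root \((q_2,\widetilde{p_2})\) modulo \(p_1\) inside the box \((X,Y)\), and that f itself violates Lemma 2’s norm bound (its value at the root is \(p_1 q_2\), not 0) while an integer polynomial with the same root satisfies it, which is why short lattice vectors rather than f are needed.

```python
# Added example, not from the paper: a constructed toy instance of the k = 2
# MSBs case of Theorem 1, checking the identities in its proof and the norm
# condition of Lemma 2.  Helper names and the toy sizes are our own choices.
from math import gcd, isqrt
from random import Random

def is_prime(n):
    """Trial division; adequate for the ~30-bit toy primes used below."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def gen_instance(n, alpha_n, gamma_n, seed=1):
    """N_i = p_i q_i with (n - alpha_n)-bit p_i sharing gamma_n MSBs and alpha_n-bit q_i."""
    rng, low = Random(seed), n - alpha_n - gamma_n
    top = rng.getrandbits(gamma_n) | 1 << (gamma_n - 1)      # shared MSB block of p_1, p_2
    # one bit of headroom in the low part so next_prime never leaves the shared block
    p1 = p2 = next_prime(top << low | rng.getrandbits(low - 1))
    while p2 == p1:
        p2 = next_prime(top << low | rng.getrandbits(low - 1))
    q1 = q2 = next_prime(rng.getrandbits(alpha_n - 2) | 1 << (alpha_n - 1))
    while q2 == q1:                                          # distinct, so gcd(N_1, N_2) = 1
        q2 = next_prime(rng.getrandbits(alpha_n - 2) | 1 << (alpha_n - 1))
    return p1, q1, p2, q2

def hg_condition(poly, bounds, p, m):
    """Lemma 2, condition 2: w * ||g(x_1 X_1, ..., x_k X_k)||^2 < p^(2m), in exact integers."""
    sq = 0
    for exps, a in poly.items():                             # poly: {(i_1, ..., i_k): a}
        for e, X in zip(exps, bounds):
            a *= X ** e
        sq += a * a
    return len(poly) * sq < p ** (2 * m)

def demo(n=40, alpha_n=10, gamma_n=14):
    p1, q1, p2, q2 = gen_instance(n, alpha_n, gamma_n)
    N1, N2, pt = p1 * q1, p2 * q2, p1 - p2                   # pt is \widetilde{p_2}
    # N ~ 2^n, so X = N^alpha, Y = N^(1-alpha-gamma), Z = N^(1-alpha) become powers of two
    X, Y, Z = 2 ** alpha_n, 2 ** (n - alpha_n - gamma_n), 2 ** (n - alpha_n)
    f = {(0, 0): N2, (1, 1): 1}          # f(x,y) = N_2 + xy with root (q_2, pt) modulo p_1
    g = {(1, 0): 1, (0, 0): -q2}         # x - q_2: same root, but vanishing over the integers
    return {
        "identities": N2 == p1 * q2 - pt * q2 and gcd(N1, N2 + pt * q2) == p1
                      and N2 // q2 == p2,                    # z = N_2 / x: p_2 is fixed by q_2
        "root_in_box": q2 < X and abs(pt) < Y and p2 < Z,
        "f_modular_root": (N2 + q2 * pt) % p1 == 0,
        "f_integer_root": N2 + q2 * pt == 0,                 # False: the value is p_1 q_2
        "f_hg": hg_condition(f, (X, Y), p1, 1),              # False: N_2 ~ 2^n far exceeds p_1
        "g_hg": hg_condition(g, (X, Y), p1, 1),              # True: X << p_1, so Lemma 2 applies
    }
```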
We are able to confirm Assumption 1 by various experiments later. This shows that our attack works very well in practice.
One can refer to Fig. 1 for the comparison with previous theoretical results.
3.2 Extension to k RSA Moduli
In this section, we give an analysis for k (\(k> 2\)) RSA moduli.
Theorem 2
Proof
One can refer to Table 1 for the comparison with previous theoretical results.
3.3 Extension to the LSBs Case
In the following, we show a similar result for the case where \(p_{1},\ldots ,p_{k}\) share some MSBs and LSBs together. This also covers the case when only LSBs are shared.
Theorem 3
Proof
4 Revisiting Peng et al.’s Method [19]
In [19], Peng et al. gave a new idea for the IFP. In this section, we revisit Peng et al.’s method and modify the construction of the lattice used to solve the homogeneous linear modular equation. As a result, a further improved bound on the shared LSBs and MSBs is obtained.
Recall the method proposed by May and Ritzenhofen in [18]: they determined a lower bound on the number of shared LSBs which ensures that the vector \((q_1,\cdots ,q_k)\) is a shortest vector in the lattice, so that the desired factorization can be obtained by a lattice basis reduction algorithm.
Peng et al. took into consideration the lattice introduced in [18] and discussed a method that can deal with the case when the number of shared LSBs is not enough to ensure that the desired factorization can be found by applying reduction algorithms to the lattice. More precisely, since \((q_1,\cdots ,q_k)\) is in the lattice, it can be represented as a linear combination of the reduced lattice basis. Hence the problem of finding \((q_1,\cdots ,q_k)\) is transformed into solving a homogeneous linear equation with unknown modulus. Peng et al. utilized the result of Herrmann and May [7] to solve the linear modular equation and obtained a better result.
Based on the experiments, the size of the reduced basis can be roughly estimated by the Gaussian heuristic. We estimate the length of \(\lambda _i\) and the size of \(l_{ij}\) as \(\det (L_2)^{\frac{1}{k}}=2^{\frac{nt(k-1)}{k}}\); hence the solution of (3) is \(x_i\approx \frac{q_i}{k\,l_{ij}}\approx 2^{\alpha n-\frac{nt(k-1)}{k}-\log _2k}\le 2^{\alpha n-\frac{nt(k-1)}{k}}\).
In this paper, we notice that the linear modular equation is homogeneous, a variant of Herrmann and May’s equation; hence we utilize the following theorem, proposed by Lu et al. in [16], to modify the construction of the lattice used in [19].
Theorem 4
The above result can easily be extended to the MSBs case using the technique in [19]. Surprisingly, we get the same result as Theorem 2 by modifying Peng et al.’s technique.
5 Experimental Results
Table 2. Number of shared MSBs in \(p_i\) required by [22] and by the method of Sect. 3. The bitsize of \((p_i,q_i)\) is \(((1-\alpha )\log _2N_i,\alpha \log _2N_i)\).

k | Bitsize of \((p_i,q_i)\) | [22]: Theo. | Expt. | Dim | Time of \(L^3\) | Sect. 3: Theo. | Expt. | (m,t,s) | Dim | Time of \(L^3\)
2 | (874,150) | 278 | 289 | 16 | 1.38 | 257 | 265 | (45,38,6) | 46 | 2822.152
2 | (824,200) | 361 | 372 | 16 | 1.51 | 322 | 330 | (45,36,9) | 46 | 2075.406
2 | (774,250) | 439 | 453 | 16 | 1.78 | 378 | 390 | (45,34,11) | 46 | 1655.873
2 | (724,300) | 513 | 527 | 16 | 2.14 | 425 | 435 | (45,32,13) | 46 | 1282.422
3 | (774,250) | 352 | 375 | 56 | 51.04 | 304 | 335 | (13,11,1) | 105 | 11626.084
3 | (724,300) | 417 | 441 | 56 | 70.55 | 346 | 375 | (13,11,2) | 105 | 10060.380
3 | (674,350) | 480 | 505 | 56 | 87.18 | 382 | 420 | (13,11,2) | 105 | 14614.033
3 | (624,400) | 540 | 569 | 56 | 117.14 | 411 | 435 | (13,10,3) | 105 | 5368.806
3 | (512,512) | – | – | – | – | 450 | 460 | (13,9,4) | 105 | 2012.803

Table 3. Number of shared MSBs in \(p_i\) required by [19] and by the method of Sect. 4. The bitsize of \((p_i,q_i)\) is \(((1-\alpha )\log _2N_i,\alpha \log _2N_i)\).

k | Bitsize of \((p_i,q_i)\) | [19]: Theo. | Expt. | Dim | Time of \(L^3\) | Sect. 4: Theo. | Expt. | (m,t) | Dim | Time of \(L^3\)
2 | (874,150) | 267 | 278 | 190 | 1880.10 | 257 | 265 | (45,7) | 46 | 410.095
2 | (824,200) | 340 | 357 | 190 | 1899.21 | 322 | 335 | (45,9) | 46 | 470.827
2 | (774,250) | 405 | 412 | 190 | 2814.84 | 378 | 390 | (45,11) | 46 | 918.269
2 | (724,300) | 461 | 470 | 190 | 2964.74 | 425 | 440 | (45,13) | 46 | 1175.046
3 | (774,250) | 311 | 343 | 220 | 6773.48 | 304 | 335 | (13,2) | 105 | 4539.301
3 | (724,300) | 356 | 395 | 220 | 7510.86 | 346 | 380 | (13,2) | 105 | 8685.777
3 | (674,350) | 395 | 442 | 220 | 8403.91 | 382 | 420 | (13,2) | 105 | 10133.233
3 | (624,400) | 428 | 483 | 220 | 9244.42 | 410 | 435 | (13,3) | 105 | 22733.589
3 | (512,512) | 476 | – | – | – | 450 | 490 | (13,4) | 105 | 49424.252
Note that in the practical experiments, we always found many integer equations sharing the desired roots over the integers when the number of shared bits is greater than the listed results. This means that in the reduced basis, there are several vectors that satisfy Howgrave-Graham’s bound. Moreover, the more integer equations corresponding to the chosen vectors we use, the less time the Gröbner basis calculation takes. For instance, when \(k=3\), \((m,t,s)=(13,9,4)\) and the bit-lengths of p and q are both 512 bits, we constructed a 105-dimensional lattice and, by applying the \(L^3\) algorithm to the lattice, we successfully collected 74 polynomial equations sharing the desired roots over the integers when \(q_1,q_2,q_3\) shared 460 MSBs. When we chose all of the integer equations, the calculation of the Gröbner basis took 12.839 s.
Since our method of Sect. 4 is an improvement of the method of [19], we present some numerical values comparing these two methods in Table 3. As shown there, by using an improved method to solve the homogeneous equations, we obtain an improved bound on the number of shared bits, and the experiments also confirm this improvement. For a fixed lattice dimension, since the entries of our constructed lattice are determined by m and t, the running time of the LLL algorithm similarly increases as t increases.
Note that the method of Sect. 3 runs faster than the method of Sect. 4 as p and q become more balanced, especially for balanced moduli. For the unbalanced case, the method of Sect. 4 is faster.
Acknowledgments
We would like to thank the anonymous reviewers for helpful comments. Y. Lu was supported by CREST, JST. Part of this work was also supported by Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06010703, No. XDA06010701 and No. XDA06010702), the National Key Basic Research Project of China (No. 2011CB302400 and No. 2013CB834203), and National Science Foundation of China (No. 61379139 and No. 61472417).
References
 1. Cohn, H., Heninger, N.: Approximate common divisors via lattices. In: ANTS X (2012)
 2. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)
 3. Faugère, J.C., Marinier, R., Renault, G.: Implicit factoring with shared most significant and middle bits. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 70–87. Springer, Heidelberg (2010)
 4. Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009)
 5. Henecka, W., May, A., Meurer, A.: Correcting errors in RSA private keys. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 351–369. Springer, Heidelberg (2010)
 6. Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009)
 7. Herrmann, M., May, A.: Solving linear equations modulo divisors: on factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)
 8. Hoffstein, J., Pipher, J., Silverman, J.H.: An Introduction to Mathematical Cryptography. Springer, New York (2008)
 9. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
 10. Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, p. 51. Springer, Heidelberg (2001)
 11. Kunihiro, N., Honda, J.: RSA meets DPA: recovering RSA secret keys from noisy analog data. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 261–278. Springer, Heidelberg (2014)
 12. Kunihiro, N., Shinohara, N., Izu, T.: Recovering RSA secret keys from noisy key bits with erasures and errors. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 180–197. Springer, Heidelberg (2013)
 13. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
 14. Lu, Y., Zhang, R., Lin, D.: Improved bounds for the implicit factorization problem. Adv. Math. Comm. 7(3), 243–251 (2013)
 15. Lu, Y., Zhang, R., Lin, D.: Factoring multi-power RSA modulus \(N=p^{r}q\) with partial known bits. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 57–71. Springer, Heidelberg (2013)
 16. Lu, Y., Zhang, R., Peng, L., Lin, D.: Solving linear equations modulo unknown divisors: revisited. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 189–213. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48797-6_9
 17. May, A.: New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis (2003)
 18. May, A., Ritzenhofen, M.: Implicit factoring: on polynomial time factoring given only an implicit hint. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 1–14. Springer, Heidelberg (2009)
 19. Peng, L., Hu, L., Xu, J., Huang, Z., Xie, Y.: Further improvement of factoring RSA moduli with implicit hint. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT. LNCS, vol. 8469, pp. 165–177. Springer, Heidelberg (2014)
 20. Rivest, R.L., Shamir, A.: Efficient factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31–34. Springer, Heidelberg (1986)
 21. Sarkar, S., Maitra, S.: Further results on implicit factoring in polynomial time. Adv. in Math. of Comm. 3(2), 205–217 (2009)
 22. Sarkar, S., Maitra, S.: Approximate integer common divisor problem relates to implicit factorization. IEEE Trans. Inf. Theo. 57(6), 4002–4013 (2011)
 23. Sarkar, S., Maitra, S.: Some applications of lattice based root finding techniques. Adv. in Math. of Comm. 4(4), 519–531 (2010)