Abstract
Let \(N=pq\) be an RSA modulus with unknown factorization. The RSA cryptosystem can be attacked by using the key equation \(ed-k(p-1)(q-1)=1\). Similarly, some variants of RSA, such as RSA combined with singular elliptic curves, LUC and RSA with Gaussian primes can be attacked by using the key equation \(ed- k\left( p^2-1\right) \left( q^2-1\right) =1\). In this paper, we consider the more general equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\) and present a new attack that finds the prime factors p and q in the case that u, v and w satisfy some specific conditions. The attack is based on Coppersmith’s technique and improves the former attacks.
Y. Pan was supported by the NNSF of China (No. 61572490 and No. 11471314), and by the National Center for Mathematics and Interdisciplinary Sciences, CAS.
1 Introduction
In 1978, Rivest, Shamir and Adleman [19] invented the RSA cryptosystem. Nowadays, it is the most widely used public key cryptosystem and serves for encryption and signature. The security of RSA is based on the difficulty of factoring specific large integers, called RSA moduli. An RSA modulus is in the form \(N=pq\) where p and q are large prime numbers of the same size. The public exponent in RSA is an integer e satisfying \(\gcd (e,(p-1)(q-1))=1\) while the private exponent is the integer d satisfying \(ed\equiv 1\pmod {(p-1)(q-1)}\). Since its invention, the RSA cryptosystem has been intensively studied for vulnerabilities. Many attacks on RSA exploit the RSA key equation \(ed-k(p-1)(q-1)=1\). A few attacks are based on the continued fraction algorithm such as Wiener’s attack [22] and most of the attacks are based on lattice reduction techniques, introduced by Coppersmith [8] (see [2, 3, 10, 15]). Combining both techniques, Blömer and May [1] presented an attack using the generalized key equation \(ex+y=k(p-1)(q-1)\) for suitably small integers x, k and y.
Many variants of RSA have been proposed for improving the security or reducing the encryption or the decryption time (see [4, 18, 21]). The variants of RSA in [7, 9, 13, 20] make use of a public exponent e and a private exponent d satisfying the equation
In [5], Bunder et al. proposed an attack on these variants by using the continued fraction algorithm approach. Setting \(e=N^\beta \), they showed that one can solve the Eq. 1 and find the prime factors p and q if \(d=N^\delta \) and \(\delta <\frac{1}{2}(3-\beta )\). This was recently improved to \(\delta <2-\sqrt{\beta }\) by Peng et al. [17] and by Zheng et al. [23] by using lattice reduction techniques and Coppersmith’s method.
In this paper we consider the generalized equation
This equation can be transformed into the modular equation
We set \(e=N^\beta \), \(u=N^\delta \), \(w=N^\gamma \) and, using lattice reduction techniques and Coppersmith’s method, we show that one can solve Eq. (3) and find the prime factors p and q under the condition
where \(\varepsilon \) is a small positive constant. Observe that the key Eq. (1) is a special case of the Eq. (3) where \(w=1\) and \(\gamma =0\). In this special case, the condition (4) becomes
which is slightly worse than the condition \(\delta <2-\sqrt{\beta }\) derived by the method of Peng et al. [17]. Apart from this special case, our method supersedes the method of Peng et al., since their method works only for \(w=1\) while our method works for any \(w=N^\gamma \) under the condition (4).
In [6], Bunder et al. studied the Eq. (2) using a combination of the continued fraction algorithm and Coppersmith’s method. They showed that this equation can be solved whenever
The first condition implies the following one
which is worse than our condition with \(\gamma =0\). As a consequence, our new method can be seen as an extension of the method of Bunder et al. [6].
The rest of the paper is organized as follows. In Sect. 2, we briefly describe the RSA variants that use exponents satisfying \(ed\equiv 1\pmod {\left( p^2-1\right) \left( q^2-1\right) }\). We also recall some facts on Coppersmith’s method and lattice basis reduction. In Sect. 3, we present our attack. In Sect. 4, we present a comparison with existing attacks. We conclude the paper in Sect. 5.
2 Preliminaries
In this section, we briefly present some variants of the RSA cryptosystem that use the key equation \(ed\equiv 1\pmod {\left( p^2-1\right) \left( q^2-1\right) }\). We also present Coppersmith’s method and lattice basis reduction.
2.1 LUC Cryptosystem
The LUC cryptosystem, introduced by Smith and Lennon [20] in 1993, is based on Lucas functions. A related cryptosystem was proposed by Castagnos [7] in 2007. Both cryptosystems use an RSA modulus \(N=pq\), a public exponent e, and a private exponent satisfying a key equation \(ed-k\left( p^2-1\right) \left( q^2-1\right) =1\), which can be generalized by the equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\).
2.2 RSA Type Schemes Based on Singular Cubic Curves
In 1995, Kuwakado, Koyama, and Tsuruoka [13] proposed a new cryptosystem based on the singular cubic with equation
where \(N=pq\) is an RSA modulus. In this cryptosystem, the encryption and the decryption keys satisfy an equation of the form \(ed-k\left( p^2-1\right) \left( q^2-1\right) =1\). A generalization of this equation is \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\).
2.3 RSA with Gaussian Primes
A variant of RSA was introduced in 2002 by Elkamchouchi, Elshenawy and Shaban [9]. It is an extension of the RSA cryptosystem to the domain of Gaussian integers. Gaussian integers are complex numbers of the form \(z=a+bi\) where a and b are integers and \(i^2=-1\). The norm of a Gaussian integer is \(|a+bi|=\sqrt{a^2+b^2}\). In the RSA variant with Gaussian integers, the modulus is \(N=PQ\), a product of two Gaussian integer primes P and Q, and the public and private exponents satisfy \(ed-k\left( |P|^2-1\right) \left( |Q|^2-1\right) =1\). If \(P=p\) and \(Q=q\) are integer primes, then \(ed\,-\,k\left( p^2-1\right) \left( q^2-1\right) =1\). This can be generalized as \(eu\,-\,\left( p^2-1\right) \left( q^2-1\right) v=w\).
2.4 Coppersmith’s Method
In 1996, Coppersmith [8] proposed two methods related to finding small modular roots of univariate polynomials and small integer roots of bivariate polynomials. Since then, many techniques have been proposed for more variables (see [16]). Let
be a polynomial with \(\omega \) monomials. Its Euclidean norm is
The following result was proposed by Howgrave-Graham [11] to find the small modular roots of a polynomial.
Theorem 1
Let e be a positive integer and \(h(x,y,z)\in \mathbb {Z}[x,y,z]\) be a polynomial with at most \(\omega \) monomials. Suppose that
where \(|x_0|<X\), \(|y_0|<Y\), \(|z_0|<Z\). Then \(h\left( x_0,y_0,z_0\right) =0\) holds over the integers.
Coppersmith’s method makes it possible to find several polynomials that can be used in Howgrave-Graham’s Theorem 1. This is done by applying a lattice reduction technique such as the LLL algorithm [14] to a lattice with a given basis. In general, the LLL algorithm produces a reduced basis with relatively small norms, as in the following result (see [15]).
Theorem 2
(LLL). Let \(\mathcal {L}\) be a lattice spanned by a basis \((u_1,\ldots ,u_\omega )\). Then the LLL algorithm outputs a new basis \((b_1,\ldots ,b_\omega )\) satisfying
where \(\det (\mathcal {L})\) is the determinant of the lattice.
We assume that if \(h_1,h_2,h_3\in \mathbb {Z}[x,y,z]\) are three polynomials produced by Coppersmith’s method, then the ideal generated by the polynomial equations \(h_1(x,y,z) = 0\), \(h_2(x,y,z) = 0\), \(h_3(x,y,z) = 0\) has dimension zero. Then, a system of polynomials sharing the root can be solved by using Gröbner basis computation or resultant techniques.
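The following is an added example, not code from the paper: a textbook LLL reduction in exact rational arithmetic (the parameter \(\delta=3/4\) is the classical choice from [14]), applied to a small constructed lattice of the Coppersmith type (a triangular basis built from shifts of a toy polynomial \(x+a \bmod e\)), together with a check that the first reduced vector satisfies the bound of Theorem 2 for \(i=1\), namely \(\Vert b_1\Vert \le 2^{(\omega -1)/4}\det (\mathcal {L})^{1/\omega }\). The lattice entries are constructed values with no cryptographic meaning.

```python
"""Added example (not from the paper): exact LLL reduction and a check of the
first-vector bound of Theorem 2 on a small constructed Coppersmith-style lattice."""
from fractions import Fraction


def dot(a, b):
    """Exact inner product of two vectors of integers or Fractions."""
    return sum(Fraction(x) * Fraction(y) for x, y in zip(a, b))


def gram_schmidt(basis):
    """Return the Gram-Schmidt orthogonalisation and the mu coefficients.

    The rows of `basis` must be linearly independent (no zero b*_i)."""
    n = len(basis)
    ortho = []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i, b in enumerate(basis):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, ortho[j]) / dot(ortho[j], ortho[j])
            v = [vi - mu[i][j] * oj for vi, oj in zip(v, ortho[j])]
        ortho.append(v)
    return ortho, mu


def lll(basis, delta=Fraction(3, 4)):
    """Lenstra-Lenstra-Lovasz reduction of the integer row vectors in `basis`.

    Gram-Schmidt data is recomputed after every change; that is slow but keeps
    the code short and exact, which is fine for the small lattices used here."""
    b = [list(row) for row in basis]
    n = len(b)
    ortho, mu = gram_schmidt(b)
    k = 1
    while k < n:
        # Size reduction: make |mu[k][j]| <= 1/2 for j = k-1, ..., 0.
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])  # nearest integer
            if q != 0:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                ortho, mu = gram_schmidt(b)
        # Lovasz condition on the pair (b_{k-1}, b_k).
        if dot(ortho[k], ortho[k]) >= (delta - mu[k][k - 1] ** 2) * dot(ortho[k - 1], ortho[k - 1]):
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            ortho, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def is_lll_reduced(basis, delta=Fraction(3, 4)):
    """True if `basis` is size-reduced and satisfies the Lovasz condition."""
    ortho, mu = gram_schmidt(basis)
    n = len(basis)
    for i in range(n):
        for j in range(i):
            if abs(mu[i][j]) > Fraction(1, 2):
                return False
    for k in range(1, n):
        if dot(ortho[k], ortho[k]) < (delta - mu[k][k - 1] ** 2) * dot(ortho[k - 1], ortho[k - 1]):
            return False
    return True


def det_squared(basis):
    """det(L)^2 = product of ||b*_i||^2, computed exactly (no square roots needed)."""
    ortho, _ = gram_schmidt(basis)
    result = Fraction(1)
    for v in ortho:
        result *= dot(v, v)
    return result


def theorem2_first_vector_bound_holds(basis):
    """Check ||b_1||^2 <= 2^{(w-1)/2} * det(L)^{2/w} for the LLL output (Theorem 2, i = 1)."""
    reduced = lll(basis)
    w = len(reduced)
    lhs = float(dot(reduced[0], reduced[0]))
    rhs = 2 ** ((w - 1) / 2) * float(det_squared(basis)) ** (1 / w)
    return lhs <= rhs


# Constructed toy lattice: modulus e = 1009, bound X = 10, polynomial x + 123 mod e.
# Rows are the coefficient vectors of e, (xX + 123) and x(xX + 123), as in a
# univariate Coppersmith lattice; the basis is triangular with diagonal (e, X, X^2).
EXAMPLE_BASIS = [[1009, 0, 0], [123, 10, 0], [0, 1230, 100]]

if __name__ == "__main__":
    print("reduced basis:", lll(EXAMPLE_BASIS))
    print("Theorem 2 bound holds:", theorem2_first_vector_bound_holds(EXAMPLE_BASIS))
```

Because the basis is triangular, \(\det (\mathcal {L})\) is the product of the diagonal entries \(e\cdot X\cdot X^2\), exactly the kind of determinant computation Sect. 3 relies on; `det_squared` confirms that the reduction leaves the determinant unchanged.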
3 The Attack
Theorem 3
Let \(N=pq\) be an RSA modulus and \(e=N^\beta \) be a public exponent. Suppose that e satisfies the equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\) with \(u<N^\delta \) and \(|w|<N^\gamma \). If
then one can factor N in polynomial time.
Proof
Let \(N=pq\) be an RSA modulus. Let e be a public exponent satisfying \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\) with \(|w|<eu\). Suppose that \(e=N^\beta \), \(u<N^\delta \) and \(|w|<N^\gamma \). Then
where we used \(\left( p^2-1\right) \left( q^2-1\right) \approx N^2\). It follows that the solution (u, v, w) of the equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\) satisfies \(u<N^\delta \), \(v<2N^{\beta +\delta -2}\) and \(|w|<N^\gamma \). We set
This means that the solution (u, v, w) satisfies \(u<N^\delta \), \(v<X\) and \(|w|<Z\). Moreover, since p and q are of the same size, then we have \(p+q<3N^{\frac{1}{2}}=Y\).
Transforming the equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\), we get a modular one, namely \(-v\left( (N+1)^2-(p+q)^2\right) -w\equiv 0\pmod e.\) This can be rewritten as
Consider the polynomial
where \(a_1=-(N+1)^2\). Then \((x,y,z)=(v,p+q,-w)\) is a solution of the polynomial modular equation \(f(x,y,z)\equiv 0\pmod e\). To find the small solutions of the equation \(f(x,y,z)\equiv 0\pmod {e}\), we apply Coppersmith’s method combined with the extended strategy of Jochemsz and May [12] for finding small modular roots.
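The following added example (not the paper’s code) illustrates the transformation above on a constructed toy instance: it checks the identity \(\left( p^2-1\right) \left( q^2-1\right) =(N+1)^2-(p+q)^2\) that turns the key equation into the modular one, verifies that \((x,y,z)=(v,p+q,-w)\) is a root of \(f(x,y,z)=xy^2+a_1x+z\) modulo e, and carries out the last step of the attack, namely recovering p and q from N once the root \(y_0=p+q\) is known. The primes, the exponents and the triple (u, v, w) are small constructed values chosen so that \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\) holds; no lattice reduction is performed here.

```python
"""Added example (not from the paper): the modular reformulation of
e*u - (p^2-1)(q^2-1)*v = w and the recovery of p, q from p + q, on a toy instance."""
from math import isqrt


def phi2(p, q):
    """The quantity (p^2-1)(q^2-1) appearing in the key equation."""
    return (p * p - 1) * (q * q - 1)


def identity_holds(p, q):
    """(p^2-1)(q^2-1) = (N+1)^2 - (p+q)^2 with N = pq; this is what makes
    the modular equation of Section 3 work."""
    N = p * q
    return phi2(p, q) == (N + 1) ** 2 - (p + q) ** 2


def modular_polynomial(N, e):
    """Return f(x, y, z) = x*y^2 + a1*x + z reduced modulo e, with a1 = -(N+1)^2."""
    a1 = -(N + 1) ** 2

    def f(x, y, z):
        return (x * y * y + a1 * x + z) % e

    return f


def recover_primes(N, s):
    """Given N = pq and s = p + q, solve t^2 - s*t + N = 0 exactly.

    Returns (p, q) with p >= q, or None if s is not the sum of two factors of N."""
    disc = s * s - 4 * N
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s + r) // 2, (s - r) // 2
    if p * q != N or q <= 1:
        return None
    return p, q


def toy_instance():
    """Constructed parameters: small primes and u, v fixed, then the smallest |w|
    for which e = (phi2*v + w)/u is an integer. Not a real key, just a
    consistent solution of e*u - (p^2-1)(q^2-1)*v = w."""
    p, q = 1009, 1013
    N = p * q
    phi = phi2(p, q)
    u, v = 7, 3
    for w in sorted(range(-10, 11), key=abs):
        if (phi * v + w) % u == 0:
            e = (phi * v + w) // u
            return {"p": p, "q": q, "N": N, "e": e, "u": u, "v": v, "w": w}
    raise RuntimeError("no small w found (cannot happen for u = 7)")


def check_instance(inst):
    """Run the three checks described in the lead-in on one instance."""
    p, q, N, e = inst["p"], inst["q"], inst["N"], inst["e"]
    u, v, w = inst["u"], inst["v"], inst["w"]
    key_equation = e * u - phi2(p, q) * v == w
    f = modular_polynomial(N, e)
    root = f(v, p + q, -w) == 0          # (x, y, z) = (v, p+q, -w) is a root mod e
    factored = recover_primes(N, p + q) == (max(p, q), min(p, q))
    return key_equation and root and factored


if __name__ == "__main__":
    inst = toy_instance()
    print(inst)
    print("all checks pass:", check_instance(inst))
```

In the actual attack the value \(y_0=p+q\) is not known in advance; it is the y-coordinate of the small root that Coppersmith’s method extracts from the reduced lattice, and `recover_primes` is what turns that root into the factorization of N.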
Let m and t be positive integers to be specified later. For \(0\le k\le m\), define the set
A straightforward calculation shows that \(f^{m}(x,y,z)\) is
Hence, \(x^{i_1}y^{2i_2}z^{i_3}\) is a monomial of \(f^m(x,y,z)\) if
Similarly, \(x^{i_1}y^{2i_2}z^{i_3}\) is a monomial of \(f^{m-k}(x,y,z)\) if
From this, we deduce that for \(0\le k\le m\), if \(x^{i_1}y^{2i_2}z^{i_3}\) is a monomial of \(f^m(x,y,z)\), then \(\frac{x^{i_1}y^{2i_2}z^{i_3}}{\left( xy^2\right) ^k}\) is a monomial of \(f^{m-k}(x,y,z)\) if
This leads to a characterization of the set \(M_k\). For \(0\le k\le m\), we obtain
Replacing k by \(k+1\), we get
For \(0\le k\le m\), define the polynomials
Since for \(t\ge 1\), we have
then the polynomials \(g_{k,i_1,i_2,i_3}(x,y,z)\) reduce to the polynomials \(G_{k,i_1,i_2,i_3}(x,y,z)\) and \(H_{k,i_1,i_2,i_3}(x,y,z)\) where
Observe that for the target solution \((x,y,z)=(v,p+q,-w)\), the former polynomials satisfy
Let \(\mathcal {L}\) denote the lattice spanned by the coefficient vectors of the polynomials \(G_{k,i_1,i_2,i_3}(xX,yY,zZ)\) and \(H_{k,i_1,i_2,i_3}(xX,yY,zZ)\) where X, Y and Z are positive integers to be defined later. The ordering of rows is such that any polynomial \(G_{k,i_1,i_2,i_3}(xX,yY,zZ)\) is prior to any polynomial \(H_{k,i_1,i_2,i_3}(xX,yY,zZ)\). Inside each type of polynomial, the ordering of the tuples \((k,i_1,i_2,i_3)\) follows rule
Similarly, the monomials \(x^{i_1}y^{i_2}z^{i_3}\) in the columns are ordered following the rule
This leads to a lower triangular matrix. As an example, for \(m=2\) and \(t=3\), the matrix is presented in the following triangular table, where the non-zero terms are denoted \(*\).
Since the matrix is triangular, then only the diagonal terms contribute to the determinant. On the other hand, only e, X, Y and Z contribute to the determinant and we get the form
Using the construction of the polynomials \(G_{k,i_1,i_2,i_3}(x,y,z)\) and \(H_{k,i_1,i_2,i_3}(x,y,z)\), the exponents \(n_e\), \(n_X\), \(n_Y\), \(n_Z\), and the dimension \(\omega \) of the lattice are as follows
For \(t=\tau m\) and sufficiently large m, we can approximate the exponents \(n_e\), \(n_X\), \(n_Y\), \(n_Z\) by their leading term and get
Applying the LLL algorithm to the lattice \(\mathcal {L}\), we get a reduced basis where the three first vectors \(h_i(Xx,Yy,Zz)\), \(i=1,2,3\) satisfy the conditions \( \Vert h_1(Xx,Yy,Zz)\Vert \le \Vert h_2(Xx,Yy,Zz)\Vert \le \Vert h_3(Xx,Yy,Zz)\Vert , \) and
For comparison, Theorem 1 can be applied if
To this end, we set
or equivalently
Hence, using (6), we get
where the right-hand side is a small constant depending only on e and m. Plugging the values of \(n_e\), \(n_X\), \(n_Y\), \(n_Z\) and \(\omega \) from (8) as well as the values \(e= N^\beta \), \(X=2N^{\beta +\delta -2}\), \(Y=3N^{\frac{1}{2}}\), \(Z=N^{\gamma }\) into each term of (9), we get
where \(\varepsilon _1\), \(\varepsilon _2\) and \(\varepsilon _3\) are small positive constants depending on m, and N. It follows that the inequality (9) can be rewritten in terms of the exponents as
Setting \(\frac{-2\beta m\,-\,\varepsilon _3\,-\,\varepsilon _3\,-\,\varepsilon _1\varepsilon _2}{m^3}=-\varepsilon _4\) and rearranging, we get
The left side of (10) is optimal for \( \tau _0=1-\delta -\gamma . \) Plugging \(\tau _0\) in (10), we get
This inequality is valid if
where \(\varepsilon \) is a small positive constant depending on m and N. This terminates the proof. \(\square \)
4 Comparison with Existing Results
In [6], Bunder et al. combined the continued fraction algorithm and Coppersmith’s method to study the equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\). They showed that it is possible to solve it if
In terms of \(e=N^\beta \), \(u=N^\delta \) and \(|w|=N^\gamma \), the first condition implies the following one
For \(\gamma =0\), that is \(w=1\), the bound of Theorem 3 becomes
Neglecting the \(\varepsilon \) term, the difference between the former bound and the bound of [6] is
A straightforward calculation shows that \(\delta _1\ge 0\). This shows that the bound of Theorem 3 is better than the bound of [6].
In [17], Peng et al. proposed a lattice based method to solve the equation \(ed-k\left( p^2-1\right) \left( q^2-1\right) =1\) under the condition \(\delta <2-\sqrt{\beta }\) and \(\beta >1\). This is a special case of the general equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\). In this special case, we have \(w=N^\gamma =1\) and \(\gamma =0\), and the difference between the bound of Theorem 3 and the bound of [17] is
Again, a straightforward calculation shows that \(\delta _2\ge 0\). This means that the condition of Theorem 3 is not better than Peng et al.’s bound. Nevertheless, our method is more general and can solve a variety of equations with \(w\ne 1\).
5 Conclusion
In this paper, we have studied the equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\), which is a generalization of the equation \(ed-k\left( p^2-1\right) \left( q^2-1\right) =1\). The latter equation is the key equation of some variants of the RSA cryptosystem with modulus \(N=pq\), public exponent e and private key d. We have shown that, under some conditions, it is possible to solve the equation \(eu-\left( p^2-1\right) \left( q^2-1\right) v=w\) and break the cryptosystem. The attack is based on applying Coppersmith’s method to a multivariate modular equation and can be seen as an extension of former attacks on such cryptosystems.
References
Blömer, J., May, A.: A generalized Wiener attack on RSA. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 1–13. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_1
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N0.292. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_1
Boneh, D.: Twenty years of attacks on the RSA cryptosystem. Notices Am. Math. Soc. 46(2), 203–213 (1999)
Boneh, D., Shacham, H.: Fast variants of RSA. CryptoBytes 5(1), 1–9 (2002)
Bunder, M., Nitaj, A., Susilo, W., Tonien, J.: A new attack on three variants of the RSA cryptosystem. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 258–268. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_16
Bunder, M., Nitaj, A., Susilo, W., Tonien, J.: A generalized attack on RSA type cryptosystems. Theor. Comput. Sci. 704, 74–81 (2017)
Castagnos, G.: An efficient probabilistic public-key cryptosystem over quadratic field quotients. Finite Fields Appl. 13(3–13), 563–576 (2007)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
Elkamchouchi, H., Elshenawy, K., Shaban, H.: Extended RSA cryptosystem and digital signature schemes in the domain of Gaussian integers. In: Proceedings of the 8th International Conference on Communication Systems, pp. 91–95 (2002)
Hinek, M.J.: Cryptanalysis of RSA and its Variants. Chapman & Hall/CRC Cryptography and Network Security. CRC Press, Boca Raton (2010)
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0024458
Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_18
Kuwakado, H., Koyama, K., Tsuruoka, Y.: A new RSA-type scheme based on singular cubic curves \(y^2=x^3+bx^2~(\text{ mod } \; n)\). IEICE Trans. Fundam. E78–A, 27–33 (1995)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 513–534 (1982)
May, A.: New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis. University of Paderborn (2003). http://www.cits.rub.de/imperia/md/content/may/paper/bp.ps
May, A.: Using LLL-reduction for solving RSA and factorization problems. In: Nguyen, P., Vallée, B. (eds.) The LLL Algorithm. Information Security and Cryptography, pp. 315–348. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-642-02295-1_10
Peng, L., Hu, L., Lu, Y., Wei, H.: An improved analysis on three variants of the RSA cryptosystem. In: Chen, K., Lin, D., Yung, M. (eds.) Inscrypt 2016. LNCS, vol. 10143, pp. 140–149. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54705-3_9
Quisquater, J.J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electron. Lett. 18(21), 905–907 (1982)
Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Smith, P.J., Lennon, G.J.J.: LUC: a new public key cryptosystem. In: Ninth IFIP Symposium on Computer Science Security, pp. 103–117. Elsevier Science Publishers (1993)
Takagi, T.: Fast RSA-type cryptosystem modulo pkq. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055738
Wiener, M.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36, 553–558 (1990)
Zheng, M., Kunihiro, N., Hu, H.: Cryptanalysis of RSA variants with modified Euler quotient. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 266–281. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_15
Nitaj, A., Pan, Y., Tonien, J. (2019). A Generalized Attack on Some Variants of the RSA Cryptosystem. In: Cid, C., Jacobson Jr., M. (eds) Selected Areas in Cryptography – SAC 2018. SAC 2018. Lecture Notes in Computer Science, vol 11349. Springer, Cham. https://doi.org/10.1007/978-3-030-10970-7_19
© 2019 Springer Nature Switzerland AG. Print ISBN: 978-3-030-10969-1. Online ISBN: 978-3-030-10970-7.