Abstract
In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of r distinct prime factors of the same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive r simultaneous modular equations. The first attack is based on combining the r equations to solve one multivariate modular equation by a generic lattice approach. Since the equation form is similar to the multi-prime \(\varPhi \)-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments.
References
Bahig, H.M., Bhery, A., Nassr, D.I.: Cryptanalysis of multi-prime RSA with small prime difference. In: Chim, T.W., Yuen, T.H. (eds.) ICICS 2012. LNCS, vol. 7618, pp. 33–44. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34129-8_4
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \({N}^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000)
Boneh, D., Shacham, H.: Fast variants of RSA. CryptoBytes 5(1), 1–9 (2002)
Ciet, M., Koeune, F., Laguillaumie, F., Quisquater, J.J.: Short private exponent attacks on fast variants of RSA. Technical report, UCL Crypto Group Technical Report Series CG-2002/4, Université Catholique de Louvain (2002)
Collins, T., Hopkins, D., Langford, S., Sabin, M.: Public key cryptographic apparatus and method, US Patent#5,848,159 (1997)
Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996). doi:10.1007/3-540-68339-9_16
Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996). doi:10.1007/3-540-68339-9_14
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)
Coron, J.-S.: Finding small roots of bivariate integer polynomial equations revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_29
Coron, J.-S.: Finding small roots of bivariate integer polynomial equations: a direct approach. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 379–394. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74143-5_21
De Weger, B.: Cryptanalysis of RSA with small prime difference. Appl. Algebra Eng. Commun. Comput. 13(1), 17–28 (2002)
Herrmann, M., May, A.: Solving linear equations modulo divisors: on factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008). doi:10.1007/978-3-540-89255-7_25
Hinek, M.J.: On the security of multi-prime RSA. J. Math. Cryptology 2(2), 117–147 (2008)
Hinek, M.J., Low, M.K., Teske, E.: On some attacks on multi-prime RSA. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 385–404. Springer, Heidelberg (2003). doi:10.1007/3-540-36492-7_25
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997). doi:10.1007/BFb0024458
Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under chosen-plaintext attack. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 295–313. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14623-7_16
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
Lenstra Jr., H.W.: Factoring integers with elliptic curves. Ann. Math. 126(3), 649–673 (1987)
Lu, Y., Zhang, R., Peng, L., Lin, D.: Solving linear equations modulo unknown divisors: revisited. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 189–213. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_9
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 118–135. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39059-3_9
Takayasu, A., Kunihiro, N.: General bounds for small inverse problems and its applications to multi-prime RSA. In: Lee, J., Kim, J. (eds.) ICISC 2014. LNCS, vol. 8949, pp. 3–17. Springer, Cham (2015). doi:10.1007/978-3-319-15943-0_1
Tosu, K., Kunihiro, N.: Optimal bounds for multi-prime \(\varPhi \)-hiding assumption. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 1–14. Springer, Heidelberg (2012). doi:10.1007/978-3-642-31448-3_1
Xu, J., Hu, L., Sarkar, S., Zhang, X., Huang, Z., Peng, L.: Cryptanalysis of multi-prime \(\varPhi \)-hiding assumption. In: Bishop, M., Nascimento, A.C.A. (eds.) ISC 2016. LNCS, vol. 9866, pp. 440–453. Springer, Cham (2016). doi:10.1007/978-3-319-45871-7_26
Zhang, H., Takagi, T.: Attacks on multi-prime RSA with small prime difference. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 41–56. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39059-3_4
Zhang, H., Takagi, T.: Improved attacks on multi-prime RSA with small prime difference. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 97(7), 1533–1541 (2014)
Acknowledgments
The first author is supported by China Scholarship Council Grant No. 201606340061. This research was partially supported by JST CREST Grant Number JPMJCR14D6, Japan and JSPS KAKENHI Grant Number 16H02780, and National Natural Science Foundation of China (Grant Nos. 61522210, 61632013), 100 Talents Program of Chinese Academy of Sciences, and the Fundamental Research Funds for the Central Universities in China (Grant No. WK2101020005).
Appendices
A Algorithms
A.1 The Direct Method
A.2 The Optimized Method
In the Takayasu-Kunihiro lattice construction, we carefully work out the selection of polynomials by considering the sizes of the root bounds. For example, we deal with \(u_1+p^{r-2}u_2+p^{r-1}=0\bmod {Q_{r-1}}\) in our optimized method. We use \(u_2^{i_2}(u_1+p^{r-2}u_2+p^{r-1})^{i_1}N^{\max \{t-i_1,0\}}\) as the shift polynomials, with positive integers m and t that will be optimized later. The indices \(i_1\) and \(i_2\) satisfy \(0\le i_1+i_2\le m\) and \(0\le \gamma _1i_1+\gamma _2i_2\le \beta t\) in order to select as many helpful polynomials as possible and to let the basis matrix be triangular.
Thus, the shift polynomials modulo \(p^t\) have common roots for \(u_1\) and \(u_2\). We span a lattice by the coefficient vectors of the above shift polynomials, and the equations are derived from the LLL-reduced basis vectors. The small roots can be easily recovered by Gröbner basis computation.
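The index selection above can be checked mechanically. The following is an added example, not code from the paper: it enumerates the index set, builds the coefficient matrix of the shift polynomials, and tests triangularity. The values of m, t, \(\gamma_1\), \(\gamma_2\), \(\beta\), the stand-ins A and B for \(p^{r-2}\) and \(p^{r-1}\), and the column scaling by bounds X1, X2 are constructed assumptions.

```python
from fractions import Fraction as Fr
from math import comb

def index_set(m, t, g1, g2, beta):
    """Pairs (i1, i2) with 0 <= i1+i2 <= m and g1*i1 + g2*i2 <= beta*t,
    sorted by (i1, i2) so that leading monomials come in increasing order."""
    return sorted((i1, i2) for i1 in range(m + 1) for i2 in range(m - i1 + 1)
                  if g1 * i1 + g2 * i2 <= beta * t)

def shift_coeffs(i1, i2, t, A, B, N):
    """Coefficients {(e1, e2): c} of u2^i2 * (u1 + A*u2 + B)^i1 * N^max(t-i1, 0)."""
    scale = N ** max(t - i1, 0)
    return {(j, i2 + k): scale * comb(i1, j) * comb(i1 - j, k) * A**k * B**(i1 - j - k)
            for j in range(i1 + 1) for k in range(i1 - j + 1)}

def basis_matrix(idx, t, A, B, N, X1, X2):
    """One row per shift polynomial, one column per monomial u1^e1 * u2^e2,
    columns scaled by X1^e1 * X2^e2 (assumed root bounds).
    Returns None if a polynomial contains a monomial outside the index set."""
    col = {mono: n for n, mono in enumerate(idx)}
    rows = []
    for i1, i2 in idx:
        row = [0] * len(idx)
        for (e1, e2), c in shift_coeffs(i1, i2, t, A, B, N).items():
            if (e1, e2) not in col:
                return None
            row[col[(e1, e2)]] = c * X1**e1 * X2**e2
        rows.append(row)
    return rows

def is_lower_triangular(rows):
    n = len(rows)
    return (all(rows[r][r] != 0 for r in range(n)) and
            all(rows[r][c] == 0 for r in range(n) for c in range(r + 1, n)))

def det_exponents(idx, t):
    """Exponents of (N, X1, X2) in the determinant (product of the diagonal)."""
    return (sum(max(t - i1, 0) for i1, _ in idx),
            sum(i1 for i1, _ in idx), sum(i2 for _, i2 in idx))

# Constructed toy parameters, not values from the paper.
A, B, N, X1, X2 = 7, 49, 1001, 3, 2
idx = index_set(4, 2, Fr(3, 10), Fr(1, 5), Fr(1, 2))
rows = basis_matrix(idx, 2, A, B, N, X1, X2)

if __name__ == "__main__":
    print(len(idx), is_lower_triangular(rows), det_exponents(idx, 2))
```

With these toy values, swapping the two weights (so that \(\gamma_2 > \gamma_1\)) makes `basis_matrix` return `None`: some shift polynomial then contains a monomial that the size constraint excluded, and the matrix is no longer square and triangular.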
B More Details About the Experimental Results
More graphs of the experimental results are shown below. Firstly, as shown in Figs. 1 and 2, the upper bound on \(\gamma \) gets better when the lattice dimension increases. For the direct method, the upper bound on \(\gamma \) remains stable when the lattice dimension is between 50 and 170. For the optimized method, the value is between 60 and 300.
We then show the experimental results for \(r=3\) using the direct method in Fig. 3. As the size of the modulus increases, \(\gamma \) finally arrives at around 0.113. This value is beyond the asymptotic bound \(\frac{1}{9}\) of the previous Zhang-Takagi method.
The remaining graphs are related to the experiments for \(3\le r\le 7\) with various moduli using the optimized method. The lattice dimension of each experiment is set to around 300. From Figs. 4, 5, 6, 7 and 8, we find that the upper bound on \(\gamma \) is higher for smaller moduli and then goes to a lower value. It also finally arrives at a certain value that may be determined by the lattice dimension.
Another observation is that these lattices, whose dimension is around 300, seem less effective for moduli with larger bit-size. To be specific, they are less effective for moduli of greater than 500 bits when \(r=3\). The critical bit-size is 700 bits for \(r=4, 5\) and 1000 bits for \(r=6, 7\). Thus, we guess that the lattices used in our experiments are effective for prime factors of less than 160 bits. To obtain the desired upper bounds, we need to apply lattices of huge dimension.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Zheng, M., Kunihiro, N., Hu, H. (2017). Improved Factoring Attacks on Multi-prime RSA with Small Prime Difference. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science, vol 10342. Springer, Cham. https://doi.org/10.1007/978-3-319-60055-0_17
DOI: https://doi.org/10.1007/978-3-319-60055-0_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60054-3
Online ISBN: 978-3-319-60055-0
eBook Packages: Computer Science, Computer Science (R0)