Implicit Factoring with Shared Most Significant and Middle Bits

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6056)


We study the problem of integer factoring given implicit information of a special kind. The problem is as follows: let $N_1 = p_1 q_1$ and $N_2 = p_2 q_2$ be two RSA moduli of the same bit-size, where $q_1, q_2$ are $\alpha$-bit primes. We are given the implicit information that $p_1$ and $p_2$ share $t$ most significant bits. We present a novel and rigorous lattice-based method that leads to the factorization of $N_1$ and $N_2$ in polynomial time as soon as $t \geq 2\alpha + 3$. Subsequently, we heuristically generalize the method to $k$ RSA moduli $N_i = p_i q_i$ where the $p_i$'s all share $t$ most significant bits (MSBs) and obtain an improved bound on $t$ that converges to $t \geq \alpha + 3.55\ldots$ as $k$ tends to infinity. We also study the case where the $k$ factors $p_i$ share $t$ contiguous bits in the middle and find a bound that converges to $2\alpha + 3$ when $k$ tends to infinity. This paper extends the work of May and Ritzenhofen in [9], where similar results were obtained when the $p_i$'s share least significant bits (LSBs). In [15], Sarkar and Maitra describe an alternative but heuristic method for only two RSA moduli, when the $p_i$'s share LSBs and/or MSBs, or bits in the middle. In the case of shared MSBs or bits in the middle and two RSA moduli, they get better experimental results in some cases, but we use much lower (at least $2^3$ times lower) lattice dimensions and so obtain a great speedup (at least $10^3$ faster). Our results rely on the following surprisingly simple algebraic relation, in which the shared MSBs of $p_1$ and $p_2$ cancel out: $q_1 N_2 - q_2 N_1 = q_1 q_2 (p_2 - p_1)$. This relation allows us to build a lattice whose shortest vector yields the factorization of the $N_i$'s.
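The two-moduli case described in the abstract can be exercised end to end with a few dozen lines of integer arithmetic. The following is an added example, not code from the paper or its authors: it constructs toy RSA moduli whose large factors share $t$ most significant bits, verifies the relation $q_1 N_2 - q_2 N_1 = q_1 q_2 (p_2 - p_1)$, and runs Gauss (Lagrange) reduction on the 2-dimensional lattice spanned by $(K, N_2)$ and $(0, -N_1)$, whose shortest vector is $\pm(K q_1,\; q_1 N_2 - q_2 N_1)$. The toy sizes ($\alpha = 16$, 64-bit $p_i$, $t = 40$, which satisfies $t \geq 2\alpha + 3$), the balancing scale $K = 2^{\alpha + m - t}$ and the helper names are this example's own choices. Packaged as `implicit_factor_pair`, it doubles as a key-hygiene check: a defender who suspects that a key generator reuses high-order prime bits (a weak or poorly seeded PRNG, for instance) can run it over pairs of moduli from the same generator; a `None` result means the structure is absent, a factorization means the generator must be withdrawn.

```python
"""Added example (not the paper's code): the two-moduli case of the abstract as a
key-hygiene check.  With N1 = p1*q1, N2 = p2*q2, q_i alpha-bit and p_i sharing t
MSBs, (K*q1, q1*N2 - q2*N1) is a short vector of the lattice spanned by (K, N2)
and (0, -N1).  K = 2^(alpha + m - t) is this example's balancing choice (m = bits
of p_i).  All key material below is constructed for the demonstration."""
import random

# Bases making Miller-Rabin deterministic for n < 3.3e24, enough for the toy sizes.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    """Smallest prime strictly greater than n."""
    n = n + 1 if n % 2 == 0 else n + 2
    while not is_probable_prime(n):
        n += 2
    return n


def make_pair(alpha, m, t, seed=2010):
    """Constructed keys: m-bit p1, p2 sharing t MSBs (t=0: independent), alpha-bit q1, q2."""
    rng = random.Random(seed)
    shared = ((1 << (t - 1)) | rng.getrandbits(t - 1)) if t > 0 else None
    ps, qs = [], []
    while len(ps) < 2:
        if shared is None:
            cand = (1 << (m - 1)) | rng.getrandbits(m - 2)
        else:  # low bits kept below 2^(m-t-1) so next_prime cannot disturb the prefix
            cand = (shared << (m - t)) | rng.getrandbits(m - t - 1)
        p = next_prime(cand)
        if p.bit_length() == m and p not in ps:
            ps.append(p)
    while len(qs) < 2:
        q = next_prime((1 << (alpha - 1)) | rng.getrandbits(alpha - 2))
        if q.bit_length() == alpha and q not in qs:
            qs.append(q)
    return ps[0], qs[0], ps[1], qs[1]


def relation_holds(p1, q1, p2, q2):
    """The identity from the abstract: the shared MSBs of p1 and p2 cancel out."""
    n1, n2 = p1 * q1, p2 * q2
    return q1 * n2 - q2 * n1 == q1 * q2 * (p2 - p1)


def gauss_reduce(u, v):
    """Lagrange/Gauss reduction; the first returned vector is a shortest lattice vector."""
    def n2(w):
        return w[0] * w[0] + w[1] * w[1]
    while True:
        if n2(u) > n2(v):
            u, v = v, u
        nu = n2(u)
        mu = (2 * (u[0] * v[0] + u[1] * v[1]) + nu) // (2 * nu)  # round(<u,v>/<u,u>)
        if mu == 0:
            return u, v
        v = (v[0] - mu * u[0], v[1] - mu * u[1])


def implicit_factor_pair(n1, n2, alpha, m, t):
    """Return (p1, q1, p2, q2) if the shared-MSB structure is present, else None."""
    k = 1 << (alpha + m - t)
    s, _ = gauss_reduce((k, n2), (0, -n1))
    if s[0] < 0:
        s = (-s[0], -s[1])
    q1 = s[0] // k                   # every lattice vector has first coordinate K*a
    q2 = (q1 * n2 - s[1]) // n1      # and second coordinate a*N2 - b*N1
    if q1 <= 1 or q2 <= 1 or n1 % q1 or n2 % q2:
        return None                  # unrelated shortest vector: no leakage detected
    return n1 // q1, q1, n2 // q2, q2


def demo(alpha=16, m=64, t=40):
    """t = 40 satisfies the paper's condition t >= 2*alpha + 3 = 35 at these sizes."""
    keys = make_pair(alpha, m, t)
    return implicit_factor_pair(keys[0] * keys[1], keys[2] * keys[3], alpha, m, t) == keys


if __name__ == "__main__":
    print("weak pair factored:", demo())
    c = make_pair(16, 64, 0, seed=7)
    print("independent pair flagged:", implicit_factor_pair(c[0] * c[1], c[2] * c[3], 16, 64, 40))
```

Because the lattice is 2-dimensional, Gauss reduction returns an exact shortest vector, so no LLL heuristics are involved; the $k$-moduli generalization in the abstract needs a $k$-dimensional lattice and a full LLL implementation, which this check deliberately does not attempt. The first coordinate of every lattice vector is a multiple of $K$, so the final divisibility test on $N_1$ and $N_2$ is what separates a genuine factorization from the unrelated short vector a healthy key pair produces.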


Keywords: implicit factorization, lattices, RSA


References

  1. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: The user language. J. Symbolic Comput. 24(3-4), 235–265 (1997); Computational algebra and number theory, London (1993)
  2. Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
  3. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)
  4. Hanrot, G., Stehlé, D.: Improved analysis of Kannan's shortest lattice vector algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007)
  5. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
  6. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206. ACM, New York (1983)
  7. Lehmer, D.H., Powers, R.E.: On factoring large numbers. Bulletin of the AMS 37, 770–776 (1931)
  8. Lenstra, A.K., Lenstra Jr., H.W.: The development of the number field sieve. Lecture Notes in Mathematics, vol. 1554. Springer, Berlin (1993)
  9. May, A., Ritzenhofen, M.: Implicit factoring: On polynomial time factoring given only an implicit hint. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 1–14. Springer, Heidelberg (2009)
  10. Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. The Kluwer International Series in Engineering and Computer Science, vol. 671. Kluwer Academic Publishers, Boston (2002)
  11. Morrison, M.A., Brillhart, J.: A method of factoring and the factorization of F_7. Mathematics of Computation 29(129), 183–205 (1975)
  12. Nguyen, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)
  13. Pujol, X., Stehlé, D.: Rigorous and efficient short lattice vectors enumeration. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 390–405. Springer, Heidelberg (2008)
  14. Rivest, R.L., Shamir, A.: Efficient factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31–34. Springer, Heidelberg (1986)
  15. Sarkar, S., Maitra, S.: Further results on implicit factoring in polynomial time. Advances in Mathematics of Communications 3(2), 205–217 (2009)
  16. Shor, P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: FOCS, pp. 124–134. IEEE, Los Alamitos (1994)
  17. Vanstone, S.A., Zuccherato, R.J.: Short RSA keys and their generation. J. Cryptology 8(2), 101–114 (1995)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. UPMC, Université Paris 06, LIP6, Paris Cedex 5, France
  2. INRIA, Centre Paris-Rocquencourt, SALSA Project-team, Paris Cedex 5, France
  3. CNRS, UMR 7606, LIP6, Paris Cedex 5, France
