Factoring RSA Modulus with Known Bits from Both p and q: A Lattice Method

  • Yao Lu
  • Rui Zhang
  • Dongdai Lin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


This paper investigates the problem of factoring an RSA modulus N = pq given some known bits of both p and q. In Asiacrypt’08, Herrmann and May presented a heuristic algorithm that factors N given a random subset of the bits (distributed over small contiguous blocks) of one factor. In a real attack, however, an adversary often obtains bits that are distributed over both primes. This paper studies this extended setting and introduces a lattice-based approach. Our strategy extends Coppersmith’s technique to more variables; it is therefore a heuristic method, relying on the assumption that the polynomials resulting from the lattice basis reduction are algebraically independent. However, in our experiments we have observed that this well-established assumption is not always true, and for these scenarios we also propose a method to fix it.


Keywords: lattices, RSA, Coppersmith’s method, factoring with known bits




  1. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)
  2. Cannon, J., et al.: Magma computational algebra system (version V2.12-16) (2012)
  3. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)
  4. Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Communications of the ACM 52(5), 91–98 (2009)
  5. Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009)
  6. Herrmann, M., May, A.: Solving linear equations modulo divisors: On factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)
  7. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  8. Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than N^0.073. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)
  9. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)
  10. May, A.: New RSA vulnerabilities using lattice reduction methods. PhD thesis (2003)
  11. Rivest, R.L., Shamir, A.: Efficient factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31–34. Springer, Heidelberg (1986)
  12. Sarkar, S.: Partial key exposure: Generalized framework to attack RSA. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 76–92. Springer, Heidelberg (2011)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Yao Lu (1, 2)
  • Rui Zhang (1)
  • Dongdai Lin (1)
  1. State Key Laboratory of Information Security (SKLOIS), Institute of Information Engineering (IIE), Chinese Academy of Sciences (CAS), China
  2. University of Chinese Academy of Sciences (UCAS), China
