Factoring RSA Modulus with Known Bits from Both p and q: A Lattice Method
This paper investigates the problem of factoring an RSA modulus N = pq given some known bits from both p and q. At Asiacrypt’08, Herrmann and May presented a heuristic algorithm to factor N given a random subset of the bits (distributed over small contiguous blocks) of a factor. However, in a real attack, an adversary often obtains bits that are distributed across both primes. This paper studies this extended setting and introduces a lattice-based approach. Our strategy extends Coppersmith’s technique to more variables, so it is a heuristic method: we assume that the polynomials resulting from the lattice basis reduction are algebraically independent. However, in our experiments we observed that this well-established assumption does not always hold, and for these scenarios we also propose a method to fix it.
Keywords: lattices, RSA, Coppersmith’s method, factoring with known bits