Solving Linear Equations Modulo Unknown Divisors: Revisited

1.1 Our Contributions

In this paper, we focus on the following three types of extensions of previous equations.

The second is a special case of Eq. (2): \(a_0=0\), described in Sect. 4.

Notice that our generalized equations employ many parameters. The reason why we introduce these parameters is based on the fact that some attacks on RSA variants (such as Takagi’s RSA variant [35]) can be reduced to solving this kind of equations. However, previous algorithms [4, 12, 23] do not seem to work in this situation. The difficulty lies in how to wisely embed this algebraic information in the lattice construction.

We solve the above equations by introducing new techniques. More precisely, we present a novel way to select appropriate polynomials in constructing desired lattice. Compared with previous algorithms, our algorithms are more flexible and especially suitable for some cases. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants. We elaborate them below. We further conjecture that our new algorithms may find new applications in various other contexts.

Small Secret Exponent Attack on Multi-power RSA. In multi-power RSA algorithm, suppose that the public key is (N, e), where \(N=p^rq\) for some fixed \(r\ge 2\) and p, q are of the same bit-size. The secret key d satisfies \(ed\equiv 1 \text { mod } \phi (N)\), where \(\phi (N)\) is Euler’s \(\phi \)-function. In Crypto’99, Takagi [35] showed that when the secret exponent \(d< N^{\frac{1}{2(r+1)}}\), one can factorize N. Later in PKC’04, May [22] improved Takagi’s bound to \(N^{\max \{\frac{r}{(r+1)^2}, \frac{(r-1)^2}{(r+1)^2}\}}\). In this paper, we further improve May’s bound to \(N^{\frac{r(r-1)}{(r+1)^2}}\), which is better than May’s result when \(r>2\), and is also independent of the value of public exponent e. Similar as [22], our result also directly implies an improved partial key exposure attack for secret exponent d with known most significant bits (MSBs) or least significant bits (LSBs). Our improvements are based on our algorithm of solving the first type equations, with the observation that \(\gcd (ed-1,N)=p^{r-1}\) but \(N\equiv 0 \text { mod } p^r\).

Factoring Multi-power Moduli with Known Bits. In 1999, Boneh et al. [2] extended factoring with high bits problem to moduli of the form \(N=p^rq (r\ge 2)\). They showed that this moduli can be factored in polynomial-time in the bit-length of N if \(r=\varOmega (\sqrt{\frac{\log N}{\log \log N}})\). Applying our algorithm of solving the first type equations, we can directly get another method to settle the problem of [2]. Though we can not get an asymptotic improvement, in practice, especially for large r, our new method performs better than [2].

Weak Encryption Exponents of RSA and CRT-RSA. In Africacrypt’12, Nitaj [26] presented some attacks on RSA and CRT-RSA (the public exponent e and the private CRT-exponents \(d_p\) and \(d_q\) satisfy \(ed_p\equiv 1 \text { mod } (p-1)\) and \(ed_q \equiv 1 \text { mod } (q-1)\)). His attacks are based on Herrmann-May’s technique [12] for finding small solutions of modular equations. In particular, he reduced his attacks to solving bivariate linear modular equations modulo unknown divisors: \(ex+y\equiv 0 \text { mod } p\) for some unknown p that divides the known modulus N. Noticing that his equations are homogeneous, we can improve his results with our algorithm of solving second type equations.

Small Secret Exponent Attack on Common Prime RSA. We give a simple but effective attack on an RSA variant called Common Prime RSA. This variant was originally introduced by Wiener [38] as a countermeasure for his continued fraction attack. He suggested to choose p and q such that \(p-1\) and \(q-1\) share a large common factor. In 2006, Hinek [13] revisited the security of Common Prime RSA, in the same year, Jochemsz and May [17] proposed a heuristic attack, and showed that parts of key space suggested by Hinek is insecure. In this paper, we further improve Jochemsz-May’s bound by using our algorithm of solving third type equations.

Experimental Results. For all these attacks, we carry out experiments to verify the validity of our algorithms. These experimental results show that our attacks are effective.

3.1 Our Main Result

Proof

Consider the following univariate linear polynomial:

$$\begin{aligned} f_1(x)=a_{0}+ a_{1}x\text { mod } p^v \end{aligned}$$

where N is known to be a multiple of \(p^u\) for known u and unknown p. Here we assume that \(a_1=1\), since otherwise we can multiply \(f_1\) by \(a_1^{-1} \text { mod } N\). Let \(f(x)=a_1^{-1}f_1(x) \text { mod } N\).

We define a collection of polynomials as follows:

$$\begin{aligned} g_{k}(x):=f^{k}(x)N^{\max \{\lceil \frac{v(t-k)}{u} \rceil ,0 \}} \end{aligned}$$

for \(k=0,\ldots ,m\) and integer parameters t and m with \(t=\tau m\) \((0\le \tau <1)\), which will be optimized later. Note that for all k, \(g_{k}(y)\equiv 0 \text { mod } p^{vt}\).

Let \(X:=N^{uv\beta ^2-\epsilon } (=N^\gamma )\) be the upper bound on the desired root y. We will show that this bound can be achieved for any chosen value of \(\epsilon \) by ensuring that \(m\ge m^{*}:=\lceil \frac{\beta (2u+v-uv\beta )}{\epsilon } \rceil -1\)

We build a lattice \(\mathcal {L}\) of dimension \(d=m+1\) using the coefficient vectors of \(g_{k}(xX)\) as basis vectors. We sort these polynomials according to the ascending order of g, i.e., \(g_k < g_l\) if \(k<l\). Figure 1 shows an example for the parameters \(\beta =0.25, u=3, v=2, t=6, m=8\).

Open image in new window

From the triangular matrix of the lattice basis, we can compute the determinant as the product of the entries on the diagonal as \(\det (\mathcal {L}) = X^{s} N^{s_N}\) where

$$\begin{aligned} s= & {} \sum _{k=0}^{m}k=\frac{m(m+1)}{2} \\ s_{N}= & {} \sum _{k=0}^{t-1} \ \lceil \frac{v(t-k)}{u} \rceil = \sum _{k=0}^{t-1} \left( \frac{v(t-k)}{u} +c_k \right) = \frac{v \tau m (\tau m+1)}{2u}+\sum _{k=0}^{t-1}c_k \end{aligned}$$

Here we rewrite \(\lceil \frac{v(t-k)}{u} \rceil \) as \(\left( \frac{v(t-k)}{u} +c_k \right) \) where \(c_k \in [0,1 )\). To obtain a polynomial with short coefficients that contains all small roots over integer, we apply LLL-basis reduction algorithm to the lattice \(\mathcal {L}\). Lemma 1 gives us an upper bound on the norm of the shortest vector in the LLL-reduced basis; if the bound is smaller than the bound given in Lemma 2, we can obtain the desired polynomial. We require the following condition:

$$\begin{aligned} 2^{\frac{d-1}{4}} \det (\mathcal {L})^{\frac{1}{d}} < \frac{N^{v\beta \tau m}}{\sqrt{d}} \end{aligned}$$

where \(d=m+1\). We plug in the values for \(\det (\mathcal {L})\) and d, and obtain

$$\begin{aligned} 2^{\frac{m(m+1)}{4}}(m+1)^{\frac{m+1}{2}} X^{\frac{m(m+1)}{2}} < N^{v\beta \tau m(m+1) -\frac{v \tau m (\tau m +1) }{2u} -\sum _{k=0}^{t-1} c_k} \end{aligned}$$

To obtain the asymptotic bound, we let m grow to infinity. Note that for sufficiently large N the powers of 2 and \(m+1\) are negligible. Thus, we only consider the exponent of N. Then we have

$$\begin{aligned} X< N^{2 v\beta \tau - \frac{v\tau (\tau m+1)}{u(m+1)}-\frac{2\sum _{k=0}^{t-1}c_k}{m(m+1)}} \end{aligned}$$

Setting \(\tau =u \beta \), and noting that \(\sum _{k=0}^{t-1}c_k \le t\) ¹, the exponent of N can be lower bounded by

$$\begin{aligned} uv\beta ^2 - \frac{v\beta (1-u\beta )}{m+1}-\frac{2u\beta }{m+1} \end{aligned}$$

We appropriate the negative term \(\frac{*}{m+1}\) by \(\frac{*}{m}\) and obtain

$$\begin{aligned} uv\beta ^2 -\frac{\beta (2u+v-uv\beta )}{m} \end{aligned}$$

Enduring that \(m\ge m^{*}\) will then gurantee that X satisfies the required bound for the chosen value of \(\epsilon \).

The running time of our method is dominated by LLL-algorithm, which is polynomial in the dimension of the lattice and in the maximal bit-size of the entries. We have a bound for the lattice d

$$\begin{aligned} d=m+1\ge \lceil \frac{\beta (2u+v-uv\beta )}{\epsilon } \rceil \end{aligned}$$

Since \(u\beta <1\), then we obtain \(d=\mathcal {O}(\epsilon ^{-1})\). The maximal bit-size of the entries is bounded by

$$\begin{aligned} \max \{ \frac{vt}{u} \log (N), duv \beta ^2\log (N) \}=\max \{ v\beta d \log (N), duv\beta ^2 \log (N)\} \end{aligned}$$

Since \(u\beta <1\) and \(d=\mathcal {O}(\epsilon ^{-1})\), the bit-size of the entries can be upperbounded by

$$\begin{aligned} \max \{ \mathcal {O}(v\beta \epsilon ^{-1})\log (N), \mathcal {O}(v\beta \epsilon ^{-1}) \log (N)\} =\mathcal {O}(v\epsilon ^{-1}\log (N)) \end{aligned}$$

Nguyen and Stehlé [25] proposed a modified version of the LLL-algorithm called \(L^2\)-algorithm. The \(L^2\)-algorithm achieves the same approximation quality for a shortest vectors as the LLL-algorithm, but has an improved worst case running time anlaysis. Its running time is \(\mathcal {O}(d^5(d+\log b_d)\log b_d)\), where \(\log b_d\) is the maximal bit-size of an entry in lattice. Thus, we can obtain the running time of our algorithm

$$\begin{aligned} \mathcal {O}\left( \left( \frac{1}{\epsilon } \right) ^5 \left( \frac{1}{\epsilon }+ \frac{v\log N}{\epsilon }\right) \frac{v\log N}{\epsilon }\right) \end{aligned}$$

Therefore, the running time of our algorithm is \(\mathcal {O}(\epsilon ^{-7}v^2\log ^2 N)\). Eventually, the vector output by LLL-algorithm gives a univariate polynomial g(x) such that \(g(y)=0\), and one can find the root of g(x) over the integers.    \(\square \)

Extension to Arbitrary Degree. We can generalize the result of Theorem 2 to univariate polynomials with arbitrary degree.

Specifically, the result in [23] can be viewed as a special case of our algorithm when \(u=v\).

Extension to More Variables. We also generalize the result of Theorem 2 from univariate linear equations to an arbitrary number of n variables \(x_1,\ldots ,x_n\) \((n\ge 2)\).

3.2 Analysis of Multi-power RSA

We apply our algorithm to analyze an RSA variant, namely multi-power RSA, with moduli \(N=p^r q\) (\(r\ge 2\)). Compared to the standard RSA, the multi-power RSA is more efficient in both key generation and decryption. Besides, moduli of this type have been applied in many cryptographic designs, e.g., the Okamoto-Uchiyama cryptosystem [27], or better known via EPOC and ESIGN [8], which uses the modulus \(N=p^2 q\).

Using our algorithm of Theorem 2, we give two attacks on multi-power RSA: small secret exponent attack and factoring with known bits.

Small Secret Exponent Attack on Multi-power RSA. There are two variants of multi-power RSA. In the first variant \(ed\equiv 1 \text { mod } p^{r-1}(p-1)(q-1)\), while in the second variant \(ed \equiv 1 \text { mod } (p-1)(q-1)\). In [16], the authors proved that the second variant is vulnerable when \(d< N^{\frac{2-\sqrt{2}}{r+1}}\).

In this section, we focus on the first variant. In Crypto’99, Takagi [35] proved that when the decryption exponent \(d<N^{\frac{1}{2(r+1)}}\), one can factorize N in polynomial-time. Later, in PKC’04, May [22] improved Takagi’s bound to \(N^{\max \{\frac{r}{(r+1)^2}, \frac{(r-1)^2}{(r+1)^2}\}}\). Based on the technique of Theorem 2, we can further improve May’s bound to \(N^{\frac{r(r-1)}{(r+1)^2}}\).

Recently, Sarkar [30, 31] improved May’s bound for modulus \(N=p^rq\), however, unlike our method, his method can not applied for public key exponents e of arbitrary size. In addition, we get better experimental results for the case of \(r>2\) (see Sect. 3.2).

Partial Key-Exposure Attacks on Multi-power RSA. Similar to the results of [22], the new attack of Theorem 4 immediately implies partial key exposure attacks for d with known MSBs/LSBs. Following we extend the approach of Theorem 4 to partial key exposure attacks.

In [31], for 1024-bit \(N=p^3q\), Sarkar considered \(\delta =0.27\) using a lattice with dimension 220, while we can achieve \(\delta =0.359\) using a lattice with dimension 41. Besides, Sarkar also stated that “for \(r=4,5\), lattice dimension in our approach becomes very large to achieve better results. Hence in these cases we can not present experiment results to show the improvements over existing results." In Table 2, we can see that our experimental results are better than Sarkar’s for \(r > 2\).

Applying our algorithm of Theorem 2, and setting \(\beta =\frac{1}{r+1}, u=r, v=1\), we can also find all roots \(x_0\) with

$$\begin{aligned} \vert x_{0}\vert \le N^{uv\beta ^{2}-\epsilon } = N^{\frac{r}{(r+1)^2}-\epsilon } \end{aligned}$$

in time \(\mathcal {O}(\epsilon ^{-7} \log ^{2}N)\).

Open image in new window

Note that we obtain the same asymptotic bound and running time complexity as BDH method. But, as opposed to BDH method, our algorithm is more flexible in choosing the lattice dimension. For example, in the case of \(r=10\), BDH method only works on the lattice dimension of \(11*m \ (m\in \mathbb {Z}^{+})\) while our method can work on any lattice dimension \(m \ (m\in \mathbb {Z}^{+})\). Figure 2 shows a comparsion of these two methods in terms of the size of \(\tilde{p} \ (\tilde{p}=N^{\gamma })\) that can be achieved. We can see that to achieve the same \(\gamma \), we require smaller lattice dimensions than BDH method. Our algorithm is especially useful for large r. Actually our lattice is the same to the lattice of BDH method if the lattice dimensions are \(11*m \ (m\in \mathbb {Z}^{+})\).

4.1 Our Main Result

Comparisons with Previous Methods. For \(u=1, v=1\), the upper bound \(\delta _1 +\delta _2\) of Theorem 7 is \(\beta ^2\), that is exactly May’s results [21] on univariate linear polynomial \(f(x)=x+a\). Actually the problem of finding a small root of homogeneous polynomial \(f(x_1,x_2)\) can be transformed to find small rational roots of univariate linear polynomial F(z) i.e. \(F(\frac{x_2}{x_1})=f(x_1,x_2)/x_1\) (the discussions of the small rational roots can be found on pp. 413 of Joux’s book [18]).

Our result improves Herrmann-May’s bound \(3\beta -2 +2(1-\beta )^{\frac{3}{2}}\) up to \(\beta ^2\) if \(a_0=0\). As a concrete example, for the case \(\beta =0.5\), our method improves the upper size of \(X_1 X_2\) from \(N^{0.207}\) to \(N^{0.25}\).

Extension to More Variables. We generalize the result of Theorem 7 to an arbitrary number of n variables \(x_1,\ldots ,x_n\). The proof of the following result is similar to that for Proposition 1, so we state only the result itself.

4.2 Applications

In Africacrypt’12, Nitaj [26] presented a new attack on RSA. His attack is based on Herrmann-May’s method [12] for finding small roots of a bivariate linear equation. In particular, he showed that the public modulus N can be factored in polynomial-time for the RSA cryptosystem where the public exponent e satisfies an equation \(ex+y \equiv 0\ (\text { mod } \ p)\) with parameters x and y satisfying \(ex + y \not \equiv 0 \ (\text { mod } \ N)\) \(|x|<N^{\gamma }\) and \(|y|<N^{\delta }\) with \(\delta +\gamma \le \frac{\sqrt{2}-1}{2}\).

Note that the equation of [26] is homogeneous, thus we can improve the upper bound of \(\gamma +\delta \) using our result in Theorem 7. In [29], Sarkar proposed another method to extend Nitaj’s weak encryption exponents. Here, the trick is to consider the fact that Nitaj’s bound can be improved when the unknown variables in the modular equation are unbalanced (x and y are of different bit-size). In general, Sarkar’s method is essentially Herrmann-May’s method, whereas our algorithm is simpler (see Theorem 7). We present our result below.

In [26], Nitaj also proposed a new attack on CRT-RSA. Let \(N = pq\) be an RSA modulus with \(q < p <2q\). Nitaj showed that if \(e < N^{\frac{\sqrt{2}}{2}}\) and \(ed_p=1+k_p(p-1)\) for some \(d_p\) with \(d_p < \frac{N^{\frac{\sqrt{2}}{4}}}{\sqrt{e}}\), N can be factored in polynomial-time. His method is also based on Herrmann-May’s method. Similarly we can improve Nitaj’s result in some cases using our idea as Theorem 7.

Experimental Results. Table 4 shows the experimental results for RSA modulus N with 512-bit primes p, q. In all of our experiments, we fix e’s length as 512-bit, and so the scheme does not have a small CRT exponent modulo q. We also compute the number bits that one should theoretically be able to attack for \(d_p\) (column \(d_p\)-pred of Table 4).

That is actually the attack described in Theorem 9. In [26], the author showed that for a 1024-bit modulus N, the CRT-exponent \(d_p\) is typically of size at most 110. We obtain better results in our experiments as shown in Table 4.

5.1 Our Main Result

Our main result is as follows:

Like [4, 36], we also consider the generalization to simultaneous linear equations of higher degree.

The proof is very similar to [4, 36], we omit it here.

5.2 Common Prime RSA

For a better comparison with the previous attacks, we give a brief review on all known attacks.

Wiener’s Attack [38]. Using a continued fraction attack, Wiener proved that given any valid Common Prime RSA public key (N, e) with private exponent \(d<N^{\frac{1}{4}-\frac{\gamma }{2}}\), namely \(\beta <\frac{1}{4}-\frac{\gamma }{2}\), one can factor N in polynomial-time.

Hinek’s Attack [13]. Hinek revisited this problem and proposed two lattice-based attacks. Due to Hinek’s work, when \(\beta <\gamma ^2\) or \(\beta <\frac{2}{5}\gamma \), N can be factored in polynomial-time.

One can check that when \(\gamma \ge 0.2087\), Jochemsz-May’s attack [17] is superior to other attacks. We use the algorithm of Theorem 10 to make an improvement on previous attacks when \(\gamma \ge 0.3872\). We give a comparison with Jochemsz-May’s attack in Fig. 3.

Our results improve Jochemsz-May’s attack dramatically when \(\gamma \) is large, for instance, when \(\gamma \) is close to 0.5, we improve the bound on \(\beta \) from 0.2752, which is the best result of previous attacks, to 0.5. Below is our main result.

Open image in new window