Attacking RSA with a Composed Decryption Exponent Using Unravelled Linearization

Abstract

Recently, Nitaj and Douh presented a new attack on RSA with a composed decryption exponent. To be specific, they assumed that the decryption exponent in RSA is of the form \(d=Md_1+d_0\) where \(M\) is a known positive integer and \(d_0\) and \(d_1\) are two suitably small unknown integers. They gave a lattice-based decryption exponent recovery attack on this kind of RSA when the exponent \(d\) is under a larger bound than the well-known one \(N^{0.292}\) given by Boneh and Durfee. In this paper, we reconsider the same problem and present a new attack by using the unravelled linearization technique proposed by Herrmann and May at Asiacrypt 2009. Our result is theoretically better than that of Nitaj and Douh and more importantly, is more efficient in terms of the dimension of lattice involved in the attack.

Appendices

A Dimension and Determinant of the Lattice \(L\)

The dimension of the lattice \(L\) in Sect. 4.2 is

$$\begin{aligned} \mathrm{dim}(L)=\omega =\sum _{j=0}^{m}\sum _{k=0}^{m-j}\sum _{i=0}^{m-j-k}1+ \sum _{j=1}^{t}\sum _{k=\left\lfloor \!\frac{m}{t}\!\right\rfloor j}^{m}\sum _{l=0}^{k}1. \end{aligned}$$

(11)

The determinant of \(L\) is

$$\begin{aligned} \det (L)=X^{s_x}Y^{s_y}Z^{s_z}U^{s_u}M_e^{s_e}, \end{aligned}$$

(12)

where the \(s_x\), \(s_y\), \(s_z\), \(s_u\) and \(s_e\) are as follows:

$$\begin{aligned} s_x&=\sum _{j=0}^{m}\sum _{k=0}^{m-j}\sum _{i=0}^{m-j-k}i,\\ s_y&=\sum _{j=1}^{t}\sum _{k=\left\lfloor \!\frac{m}{t}\!\right\rfloor j}^{m}\sum _{l=0}^{k}j,\\ s_z&=\sum _{j=0}^{m}\sum _{k=0}^{m-j}\sum _{i=0}^{m-j-k}j+\sum _{j=1}^{t} \sum _{k=\left\lfloor \!\frac{m}{t}\!\right\rfloor j}^{m}\sum _{l=0}^{k}l,\\ s_u&=\sum _{j=0}^{m}\sum _{k=0}^{m-j}\sum _{i=0}^{m-j-k}k+\sum _{j=1}^{t} \sum _{k=\left\lfloor \!\frac{m}{t}\!\right\rfloor j}^{m}\sum _{l=0}^{k}(k-l),\\ s_e&=\sum _{j=0}^{m}\sum _{k=0}^{m-j}\sum _{i=0}^{m-j-k}(m-k)+\sum _{j=1}^{t} \sum _{k=\left\lfloor \!\frac{m}{t}\!\right\rfloor j}^{m}\sum _{l=0}^{k}(m-(k-l)). \end{aligned}$$

For sufficiently large \(m\) and \(t=\tau m\), the above values can be rewritten as:

$$\begin{aligned} \omega&=\frac{1}{6}(1+2\tau )m^3+o(m^3),&s_x&=\frac{1}{24}m^4+o(m^4),\\ s_y&=\frac{1}{8}\tau ^2m^4+o(m^4),&s_z&=\frac{1}{24}(1+3\tau )m^4+o(m^4),\\ s_u&=\frac{1}{24}(1+3\tau )m^4+o(m^4),&s_e&=\frac{1}{24}(3+5\tau )m^4+o(m^4). \end{aligned}$$

B Dimension and Determinant of the Lattice in [14]

Denote the lattice in [14] as \(L'\). For integers \(m\) and \(t\), the dimension of \(L'\) is given as:

$$\begin{aligned} \mathrm{dim}(L')=\frac{1}{6}(m+1)(m+2)(m+3t+3), \end{aligned}$$

(13)

and the determinant is given as:

$$\begin{aligned} \det (L')=\bar{X}^{n_x}\bar{Y}^{n_y}\bar{Z}^{n_z}M_e^{n_e}, \end{aligned}$$

(14)

where the \(n_x\), \(n_y\), \(n_z\) and \(n_e\) are as follows:

$$\begin{aligned} n_x&= \frac{1}{24}m(m+1)(m+2)(m+4t+3),\\ n_y&= \frac{1}{12}m(m+1)(m+2)(m+2t+3),\\ n_z&= \frac{1}{24}(m+1)(m+2)(m^2+3m+4tm+6t^2+6t),\\ n_e&= \frac{1}{24}m(m+1)(m+2)(3m+8t+9), \end{aligned}$$

and \(\bar{X}\), \(\bar{Y}\) and \(\bar{Z}\) are the bound of the roots.