Factoring RSA Modulus Using Prime Reconstruction from Random Known Bits
This paper discusses the factorization of the RSA modulus N (i.e., N = pq, where p, q are primes of same bit size) by reconstructing the primes from randomly known bits. The reconstruction method is a modified brute-force search exploiting the known bits to prune wrong branches of the search tree, thereby reducing the total search space towards possible factorization. Here we revisit the work of Heninger and Shacham in Crypto 2009 and provide a combinatorial model for the search where some random bits of the primes are known. This shows how one can factorize N given the knowledge of random bits in the least significant halves of the primes. We also explain a lattice based strategy in this direction. More importantly, we study how N can be factored given the knowledge of some blocks of bits in the most significant halves of the primes. We present improved theoretical result and experimental evidences in this direction.
KeywordsFactorization Prime reconstruction Random known bits RSA
Unable to display preview. Download preview PDF.
- 3.Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1996)Google Scholar
- 7.Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)Google Scholar
- 10.May, A.: Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey. In: LLL+ 25 Conference in honour of the 25th birthday of the LLL algorithm (2007), http://www.cits.rub.de/personen/may.html