Implicit Factoring with Shared Most Significant and Middle Bits
Jean-Charles Faugère, Raphaël Marinier, and Guénaël Renault
UPMC, Université Paris 06, LIP6
INRIA, Centre Paris-Rocquencourt, SALSA Project-team
CNRS, UMR 7606, LIP6
4, place Jussieu
75252 Paris, Cedex 5, France
jeancharles.faugere@inria.fr, raphael.marinier@polytechnique.edu,
guenael.renault@lip6.fr
Keywords: implicit factorization, lattices, RSA
The corresponding full paper version of this extended abstract is accepted for PKC 2010 [3].
The problem of factoring integers given additional information about their factors has been studied since 1985. In [6], Rivest and Shamir showed that N = pq of bitsize n and with balanced factors ($\log_2(p) \approx \log_2(q) \approx n/2$) can be factored in polynomial time as soon as we have access to an oracle that returns the $n/3$ most significant bits (MSBs) of p. Beyond its theoretical interest, the motivation behind this is mostly of cryptographic nature. In fact, during an attack on an RSA-encrypted exchange, the cryptanalyst may have access to additional information beyond the RSA public parameters (e, N), which may be gained for instance through side-channel attacks revealing some of the bits of the secret factors. Besides, some variations of the RSA cryptosystem purposely leak some of the secret bits (for instance, [8]). In 1996, Rivest and Shamir's results were improved in [2] by Coppersmith, applying lattice-based methods to the problem of finding small integer roots of bivariate integer polynomials (the now so-called Coppersmith's method). It requires only half of the most significant bits of p to be known to the cryptanalyst (that is, $n/4$ bits).
In PKC 2009, May and Ritzenhofen [5] significantly reduced the power of the oracle. Given an RSA modulus N1 = p1q1, they allow the oracle to output a new and different RSA modulus N2 = p2q2 such that p1 and p2 share at least t least significant bits (LSBs). Note that the additional information here is only implicit: the attacker does not know the actual value of the t least significant bits of the pi's, he only knows that p1 and p2 share them. In the rest of the paper, we will refer to this problem as the problem of implicit factoring. When q1 and q2 are α-bit primes, May and Ritzenhofen's lattice-based method rigorously finds in quadratic time the factorization of N1 and N2 when t ≥ 2α + 3. Besides, their technique heuristically generalizes to k − 1 oracle queries that give access to k different RSA moduli Ni = piqi with all the pi's sharing t least significant bits. With k − 1 queries the bound on t improves to
$$t \;\ge\; \frac{k}{k-1}\,\alpha .$$
Note that these results are of interest for unbalanced RSA moduli: for instance, if N1 = p1q1, N2 = p2q2 are 1000-bit RSA moduli and the qi's are 200-bit primes, knowing that p1 and p2 share at least 403 least significant bits out of 800 is enough to factorize N1 and N2 in polynomial time. Note also that the method absolutely requires that the shared bits be the least significant ones. They finally apply their method to factorize k n-bit balanced RSA moduli Ni = piqi under some conditions and with an additional exhaustive search of $2^{n/4}$.
Very recently, in [7], Sarkar and Maitra applied Coppersmith and Gröbner-basis techniques to the problem of implicit factoring, and heuristically improved the bounds in some of the cases. Contrary to [5], their method applies when either (or both) LSBs or MSBs of p1, p2 are shared (or when bits in the middle are shared). Namely, in the case of shared LSBs they obtain better theoretical bounds on t than [5] as soon as α ≥ 0.266n. Besides, their experiments often perform better than their theoretical bounds, and they improve in practice the bound on t of [5] when α ≥ 0.21n. Note finally that their bounds are very similar in the two cases of shared MSBs and shared LSBs. Readers interested in their precise bounds may refer to their paper [7].
Unfortunately, Sarkar and Maitra's method is heuristic even in the case of two RSA moduli, and does not generalize to k ≥ 3 RSA moduli. In fact, when the pi's share MSBs and/or LSBs, their method consists in building a polynomial f1 in three variables, whose roots are $\bigl(q_2 + 1,\; q_1,\; \frac{p_1 - p_2}{2^{\gamma}}\bigr)$, where γ is the number of shared LSBs between p1 and p2. That is, $\frac{p_1 - p_2}{2^{\gamma}}$ represents the part of p1 − p2 where the shared bits do not cancel out. To find the integer roots of f1, they use the Coppersmith-like technique of [4], which consists in computing two (or more) new polynomials f2, f3, ... sharing the same roots as f1. If the variety defined by f1, f2, f3, ... is 0-dimensional, then the roots can be easily recovered by computing resultants or a Gröbner basis. However, with an input polynomial in more than two variables, the method is heuristic: there is no guarantee that the polynomials f1, f2, f3, ... define a 0-dimensional variety. We reproduced the results of Sarkar and Maitra and observed that f1, f2, f3, ... almost never defined a 0-dimensional variety. They observed however that it was possible to recover the roots directly by looking at the coefficients of the polynomials in the Gröbner basis of the ideal generated by the fi's, even when the ideal was of positive dimension. The assumption on which their work relies is that this will always be possible. For instance, in the case of shared MSBs between p1 and p2, they found in their experiments that the Gröbner basis contained a polynomial multiple of $x - \frac{q_2}{q_1}\,y - 1$, whose coefficients lead immediately to the factorization of N1 and N2. They support their assumption with experimental data: in most cases their experiments perform better than their theoretical bounds. It seems nevertheless that their assumption is not fully understood.
Our contribution consists of a novel and rigorous lattice-based method that addresses the implicit factoring problem when p1 and p2 share most significant bits. That is, we obtain an analog of May and Ritzenhofen's results for shared MSBs, and our method is rigorous, contrary to the work of Sarkar and Maitra in [7]. Namely, let N1 = p1q1 and N2 = p2q2 be two RSA moduli of the same bitsize n. If q1, q2 are α-bit primes and p1, p2 share t most significant bits, our method provably factorizes N1 and N2 as soon as t ≥ 2α + 3 (which is the same as the bound on t for least significant bits in [5]). This is the first rigorous bound on t when p1 and p2 share most significant bits. From this method, we deduce a new heuristic lattice-based method for the case when p1 and p2 share t bits in the middle. Moreover, contrary to [7], these methods heuristically generalize to an arbitrary number k of RSA moduli and do not depend on the position of the shared bits in the middle, allowing us to factorize k RSA moduli as soon as
$$t \;\ge\; \frac{k}{k-1}\,\alpha + 6 \qquad \Bigl(\text{resp. } t \;\ge\; \frac{2k}{k-1}\,\alpha + 7\Bigr)$$
most significant bits (resp. bits in the middle) are shared between the pi's (more precise bounds are stated later in this paper). A summary of the comparison of our method with the methods in [5] and [7] can be found in Table 1.
Let us give the main idea of our method with 2 RSA moduli in the case of shared MSBs. Consider the lattice L spanned by the row vectors v1 and v2 of the following matrix:
$$\begin{pmatrix} K & 0 & N_2 \\ 0 & K & -N_1 \end{pmatrix}, \qquad \text{where } K = \left\lceil 2^{\,n-t+1/2} \right\rceil .$$
Consider also the following vector in L:
$$v_0 \;=\; q_1 v_1 + q_2 v_2 \;=\; \bigl(q_1 K,\; q_2 K,\; q_1 q_2 (p_2 - p_1)\bigr).$$
The key observation is that the t shared most significant bits of p1 and p2 cancel out in the algebraic relation $q_1 N_2 - q_2 N_1 = q_1 q_2 (p_2 - p_1)$. Furthermore, we choose K in order to force the coefficients of a shortest vector of L on the basis (v1, v2) to be of the order of 2^α ≈ q1 ≈ q2. We proved a result stating that v0 is indeed a shortest vector of L (thus N1 and N2 can be factored in polynomial time) as soon as t ≥ 2α + 3. Besides, we generalized this construction to an arbitrary number k of RSA moduli, such that a small vector of the lattice harnesses the same algebraic relation, and to shared middle bits. However, the generalized constructions in both cases become heuristic: we use the Gaussian heuristic to find a condition on t for this vector to be a shortest vector of the lattice. More precisely, we obtained the following results.

Table 1: Comparison of our results against the results of [5] and [7]

k = 2 (number of RSA moduli)
  May, Ritzenhofen's results [5]: When p1, p2 share t LSBs: rigorous bound t ≥ 2α + 3 using 2-dimensional lattices of Z^2.
  Sarkar, Maitra's results [7]: When p1, p2 share either t LSBs or t MSBs: heuristic bound better than t ≥ 2α + 3 when α ≥ 0.266n, and experimentally better when α ≥ 0.21n. In the case of t shared bits in the middle: better bound than t ≥ 4α + 7 but depending on the position of the shared bits. Using 46-dimensional lattices of Z^46.
  Our results: When p1, p2 share t MSBs: rigorous bound of t ≥ 2α + 3 using 2-dimensional lattices of Z^3. In the case of t bits shared in the middle: heuristic bound of t ≥ 4α + 7 using 3-dimensional lattices of Z^3.

k ≥ 3 (number of RSA moduli)
  May, Ritzenhofen's results [5]: When the pi's all share t LSBs: heuristic bound of $t \ge \frac{k}{k-1}\alpha$ using k-dimensional lattices of Z^k.
  Sarkar, Maitra's results [7]: Cannot be directly applied.
  Our results: When the pi's all share t MSBs (resp. bits in the middle): heuristic bound of $t \ge \frac{k}{k-1}\alpha + \delta_k$ (resp. $t \ge \frac{2k}{k-1}\alpha + \delta_k$), with $\delta_k \le 6$ (resp. $\le 7$), using k-dimensional (resp. $\frac{k(k+1)}{2}$-dimensional) lattices of $\mathbb{Z}^{k(k+1)/2}$.
Theorem 1. Let N1 = p1q1, N2 = p2q2 be two n-bit RSA moduli, where the qi's are α-bit primes and the pi's are primes that share t most significant bits. If t ≥ 2α + 3, then N1 and N2 can be factored in quadratic time in n.
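The k = 2 construction above, carried through in code as an added example (this is not the authors' Magma implementation; it is a pure-Python reconstruction written for this page). It builds the lattice with rows (K, 0, N2) and (0, K, −N1), K = ⌈2^{n−t+1/2}⌉, reduces it with Lagrange (Gauss) reduction, and reads q1, q2 off the shortest vector ±v0 = (q1K, q2K, q1q2(p2 − p1)). The instance generator (Miller–Rabin primes with the top two bits set so that the moduli have exactly n bits), the parameter sizes n = 200, α = 40 and the seed are assumptions chosen so that the script runs in well under a second; Theorem 1 only needs t ≥ 2α + 3, and the demonstration uses exactly that bound.

```python
"""Implicit factoring with shared MSBs, k = 2 (Theorem 1): pure-Python
reconstruction of the 2-dimensional lattice attack; not the authors' Magma code.
Parameter sizes (n = 200, alpha = 40) are assumptions chosen to run fast."""
import math
import random

def is_probable_prime(m, rng, rounds=40):
    """Miller-Rabin with random bases; error probability at most 4**-rounds."""
    if m < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if m % sp == 0:
            return m == sp
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Random prime of exactly `bits` bits with its top two bits set, so that
    the product of an alpha-bit q and an (n-alpha)-bit p has exactly n bits."""
    while True:
        c = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c, rng):
            return c

def prime_sharing_msbs(p, bits, t, rng):
    """Random `bits`-bit prime whose t most significant bits equal those of p."""
    high = p >> (bits - t)
    while True:
        c = (high << (bits - t)) | rng.getrandbits(bits - t) | 1
        if c != p and is_probable_prime(c, rng):
            return c

def make_instance(n, alpha, t, seed):
    """Constructed test data: N1 = p1 q1, N2 = p2 q2 with alpha-bit q_i and
    (n-alpha)-bit p_i sharing t MSBs. Deterministic for a given seed."""
    rng = random.Random(seed)
    q1, q2 = random_prime(alpha, rng), random_prime(alpha, rng)
    p1 = random_prime(n - alpha, rng)
    p2 = prime_sharing_msbs(p1, n - alpha, t, rng)
    return p1 * q1, p2 * q2, (p1, q1, p2, q2)

def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def lagrange_reduce(u, v):
    """Gauss/Lagrange reduction of the rank-2 lattice spanned by the integer
    vectors u, v (here in Z^3). Returns (b1, b2) with b1 a shortest nonzero
    lattice vector; only inner products are used, so the embedding dimension
    does not matter."""
    if _dot(u, u) > _dot(v, v):
        u, v = v, u
    while True:
        uu = _dot(u, u)
        m = (2 * _dot(u, v) + uu) // (2 * uu)  # nearest integer to <u,v>/<u,u>
        v = tuple(b - m * a for a, b in zip(u, v))
        if _dot(v, v) >= uu:
            return u, v
        u, v = v, u

def implicit_factor_msb(N1, N2, n, t):
    """Factor N1, N2 knowing only that p1 and p2 share t MSBs.
    Lattice rows v1 = (K, 0, N2), v2 = (0, K, -N1) with K = ceil(2^(n-t+1/2));
    by Theorem 1 a shortest vector is +-v0 = (q1 K, q2 K, q1 q2 (p2 - p1))
    whenever t >= 2 alpha + 3, so q1, q2 are read off its first coordinates."""
    # ceil(2^(n-t+1/2)) = ceil(sqrt(2^(2(n-t)+1))); an odd power of two is never
    # a perfect square, hence isqrt(...) + 1 is exactly the ceiling.
    K = math.isqrt(1 << (2 * (n - t) + 1)) + 1
    b1, _ = lagrange_reduce((K, 0, N2), (0, K, -N1))
    # every lattice vector is (a K, b K, a N2 - b N1): the first two
    # coordinates are exact multiples of K, and the shortest has (a, b) = +-(q1, q2)
    q1, q2 = abs(b1[0]) // K, abs(b1[1]) // K
    if 1 < q1 < N1 and N1 % q1 == 0 and 1 < q2 < N2 and N2 % q2 == 0:
        return q1, q2
    return None  # shortest vector did not encode the factorization

if __name__ == "__main__":
    n, alpha = 200, 40
    t = 2 * alpha + 3  # exactly the bound of Theorem 1
    N1, N2, (p1, q1, p2, q2) = make_instance(n, alpha, t, seed=2010)
    print("recovered (q1, q2):", implicit_factor_msb(N1, N2, n, t) == (q1, q2))
```

The check `N1 % q1 == 0` matters: below the bound of Theorem 1 the reduced basis may start with an unrelated short vector, and the function then returns None rather than a wrong factor. Lagrange reduction is used because it provably returns a shortest vector of a rank-2 lattice; for k ≥ 3 moduli the page's k-dimensional construction needs LLL or Schnorr–Euchner instead.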
Let C(k, s, B) be the time to find a shortest vector of a k-dimensional lattice of Z^s given by B-bit basis vectors. We have the following generalization and application, which are stated under the Gaussian heuristic (we assume that if ±v0 is a vector of a d-dimensional lattice L with norm smaller than
$$\sqrt{\frac{d}{2\pi e}}\;\mathrm{Vol}(L)^{1/d},$$
then it is a shortest vector of L):

Theorem 2. Let N1 = p1q1, ..., Nk = pkqk be k n-bit RSA moduli, with the qi's being α-bit primes, and the pi's being primes that all share t most significant bits. The Ni's can be factored in time $C\bigl(k, \frac{k(k+1)}{2}, n\bigr)$ as soon as
$$t \;\ge\; \frac{k}{k-1}\,\alpha \;+\; 1 \;+\; \frac{k}{2(k-1)}\left(\frac{2 + \log_2(k)}{k} + \log_2(\pi e)\right).$$

Theorem 3. Let N1 = p1q1, ..., Nk = pkqk be k n-bit RSA moduli, where the qi's are α-bit primes and the pi's are primes that all share t bits from position t1 to t2 = t1 + t. The Ni's can be factored in time $C\bigl(\frac{k(k+1)}{2}, \frac{k(k+1)}{2}, n\bigr)$ as soon as
$$t \;\ge\; 2\alpha \;+\; \frac{2}{k-1}\,\alpha \;+\; \frac{k+1}{2(k-1)}\,\log_2(2\pi e).$$
We support these results by experimental facts. In order to check the validity of the Gaussian heuristic in our case and the quality of our bounds on t, we implemented the methods in Magma 2.15 [1].
The MSB case. We generated many random 1024-bit RSA moduli, for various values of α and t. We observed that the results were similar for other values of n. In the case where k = 2, we used Lagrange reduction to find with certainty a shortest vector of the lattice, and for 3 ≤ k ≤ 40 we compared Schnorr-Euchner's algorithm (which provably outputs a shortest vector of the lattice) with LLL (which only gives an exponential approximation of a shortest vector). We used only LLL for k = 80.
We conducted experiments for k = 2, 3, 10, 40 and 80, and for several values of α. In the rigorous case k = 2, we observed that the attack consistently goes one bit further, with 100% success rate, than our bound in Theorem 1. In all our experiments concerning the heuristic cases k ≥ 3, we observed a 100% success rate when t was within the bound of Theorem 2; that is, the assumption concerning the Gaussian heuristic was always true in our experiments. Moreover, we were often able to go a few bits (up to 3) beyond the theoretical bound on t. When the success rate was not 100% (that is, beyond our experimental bounds on t), we found that the Gaussian heuristic failed in a very limited number of cases (less than 3%). Finally, up to dimension 80, LLL was always sufficient to find v0 when t was within the bound of Theorem 2, and Schnorr-Euchner's algorithm allowed us to go one bit further than LLL in dimension 40.
The middle bits case. Contrary to the case of shared MSBs, the Gaussian heuristic may fail when we apply our method with shared bits in the middle, since there may exist some exceptional short vectors which do not correspond to the solution of our problem. When k = 2 the phenomenon of exceptional short vectors rarely appeared when t was within the bound of Theorem 3 (less than 1% failure, independent of the position of the bits; moreover, we were generally able to go 2 or 3 bits further with 90% success). When k ≥ 3 this was no longer the case. When Schnorr-Euchner's algorithm did not return v0, we tried to find it in a reduced basis computed by LLL. Our experiments showed that, for the same problem sizes, the success rate is approximately 80% when t is within the bound of Theorem 3, and that we could go one or two bits further with a success rate of ≈ 50%.
Efficiency comparisons. Additionally, we show in Table 2 the lowest value of t with 100% success rate and the running time of LLL and Schnorr-Euchner's algorithm for several values of k (k RSA moduli whose factors pi share t MSBs). For each k, we show the worst running time we encountered when running 10 tests on an Intel Xeon E5420 at 2.5 GHz. All individual tests completed in less than 1 second for 2 ≤ k ≤ 20. We used Schnorr-Euchner's algorithm up to k = 60, where it took at most 6200 seconds. LLL completes in under one minute for 20 ≤ k ≤ 40 and in less than 30 minutes for 40 ≤ k ≤ 80.
Applications of implicit factoring have not yet been extensively studied, and we believe that they will develop. The introduction of [5] gives some ideas for possible applications. They include destructive applications with malicious manipulation of public key generators, as well as possibly constructive ones. Indeed, our work shows that when t ≥ 2α + 3, it is as hard to factorize N1 = p1q1 as to generate N2 = p2q2 with p2 sharing t most significant bits with p1. This problem could form the basis of a cryptographic primitive.
Table 2: Running time of LLL and Schnorr-Euchner's algorithm, and bound on t as k grows (shared MSBs with α = 300 and n = 1024). [Plot not reproduced. x-axis: k (number of RSA moduli), 0 to 80. Left y-axis: t (number of MSBs shared among the pi's), 300 to 650. Right y-axis: lattice reduction time in seconds, logarithmic scale from 10^0 to 10^4. Series: t, Schnorr-Euchner, LLL.]

References
1. Wieb Bosma, John Cannon, and Catherine Playoust. The Magma algebra system I: The user language. J. Symbolic Comput., 24(3-4):235–265, 1997. Computational algebra and number theory (London, 1993).
2. Don Coppersmith. Finding a small root of a bivariate integer equation; factoring with high bits known. In Ueli M. Maurer, editor, EUROCRYPT, volume 1070 of Lecture Notes in Computer Science, pages 178–189. Springer, 1996.
3. Jean-Charles Faugère, Raphaël Marinier, and Guénaël Renault. Implicit factoring with shared most significant and middle bits. In P. Q. Nguyen and D. Pointcheval, editors, PKC, volume 6056 of Lecture Notes in Computer Science, pages 70–87. Springer-Verlag, 2010.
4. Ellen Jochemsz and Alexander May. A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of Lecture Notes in Computer Science, pages 267–282. Springer, 2006.
5. Alexander May and Maike Ritzenhofen. Implicit factoring: On polynomial time factoring given only an implicit hint. In Stanislaw Jarecki and Gene Tsudik, editors, Public Key Cryptography, volume 5443 of Lecture Notes in Computer Science, pages 1–14. Springer, 2009.
6. Ronald L. Rivest and Adi Shamir. Efficient factoring based on partial information. In Franz Pichler, editor, EUROCRYPT, volume 219 of Lecture Notes in Computer Science, pages 31–34. Springer, 1985.
7. Santanu Sarkar and Subhamoy Maitra. Further results on implicit factoring in polynomial time. Advances in Mathematics of Communications, 3(2):205–217, 2009.
8. Scott A. Vanstone and Robert J. Zuccherato. Short RSA keys and their generation. J. Cryptology, 8(2):101–114, 1995.