Conference Paper

Implicit Factoring with Shared Most Significant and Middle Bits.

DOI: 10.1007/978-3-642-13013-7_5 Conference: Public Key Cryptography - PKC 2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Paris, France, May 26-28, 2010. Proceedings
Source: DBLP

ABSTRACT We study the problem of integer factoring given implicit information of a special kind. The problem is as follows: let \(N_{1} = p_{1}q_{1}\) and \(N_{2} = p_{2}q_{2}\) be two RSA moduli of same bit-size, where \(q_{1}, q_{2}\) are \(\alpha\)-bit primes. We are given the implicit information that \(p_{1}\) and \(p_{2}\) share \(t\) most significant bits. We present a novel and rigorous lattice-based method that leads to the factorization of \(N_{1}\) and \(N_{2}\) in polynomial time as soon as \(t \ge 2\alpha + 3\). Subsequently, we heuristically generalize the method to \(k\) RSA moduli \(N_{i} = p_{i}q_{i}\) where the \(p_{i}\)’s all share \(t\) most significant bits (MSBs) and obtain an improved bound on \(t\) that converges to \(t \ge \alpha + 3.55\ldots\) as \(k\) tends to infinity. We study also the case where the \(k\) factors \(p_{i}\)’s share \(t\) contiguous bits in the middle and find a bound that converges to \(2\alpha + 3\) when \(k\) tends to infinity. This paper extends the work of May and Ritzenhofen in [9], where similar results were obtained when the \(p_{i}\)’s share least significant bits (LSBs). In [15], Sarkar and Maitra describe an alternative but heuristic method for only two RSA moduli, when the \(p_{i}\)’s share LSBs and/or MSBs, or bits in the middle. In the case of shared MSBs or bits in the middle and two RSA moduli, they get better experimental results in some cases, but we use much lower (at least 23 times lower) lattice dimensions and so we obtain a great speedup (at least \(10^{3}\) faster). Our results rely on the following surprisingly simple algebraic relation in which the shared MSBs of \(p_{1}\) and \(p_{2}\) cancel out: \(q_{1}N_{2} - q_{2}N_{1} = q_{1}q_{2}(p_{2} - p_{1})\). This relation allows us to build a lattice whose shortest vector yields the factorization of the \(N_{i}\)’s.
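The cancellation relation from the abstract, run on constructed 88-bit toy moduli to show why primes that share high bits across keys leak both factorizations. This is an added example, not the paper's code: the three-coordinate basis, the scaling \(K = 2^{n-t}\), the Lagrange-Gauss reduction and all function names are assumptions of this example, since the page does not give the paper's lattice.

```python
# Added example; every constant below is a constructed toy value.
def is_prime(n):
    """Deterministic Miller-Rabin for the sizes used here (n < 2**72)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):  # True when base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 2**r, n) != n - 1 for r in range(1, s))
    return not any(witness(a) for a in bases)

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def shortest_vector(u, v):
    """Lagrange-Gauss reduction of a rank-2 lattice; returns a shortest nonzero vector."""
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        uu = dot(u, u)
        m = (2 * dot(u, v) + uu) // (2 * uu)   # nearest integer to <u,v>/<u,u>
        v = tuple(b - m * a for a, b in zip(u, v))
        if dot(v, v) >= uu:
            return u
        u, v = v, u

def implicit_factor(N1, N2, t):
    """Recover ((p1, q1), (p2, q2)) when p1 and p2 share t MSBs, else None."""
    K = 1 << (max(N1.bit_length(), N2.bit_length()) - t)   # assumed scaling 2^(n-t)
    # q1*(K,0,N2) + q2*(0,K,-N1) = (K*q1, K*q2, q1*q2*(p2-p1)): short when MSBs cancel
    b = shortest_vector((K, 0, N2), (0, K, -N1))
    q1, q2 = abs(b[0]) // K, abs(b[1]) // K
    if 1 < q1 < N1 and 1 < q2 < N2 and N1 % q1 == 0 and N2 % q2 == 0:
        return (N1 // q1, q1), (N2 // q2, q2)
    return None

def demo():
    # 72-bit p_i sharing their top t = 40 bits; alpha = 16, so t >= 2*alpha + 3 holds
    top = 0xC0FFEE1234 << 32
    p1, p2 = next_prime(top + 0x01234567), next_prime(top + 0x76543210)
    q1, q2 = next_prime(0xBEEF), next_prime(0xCAFE)
    return (p1, q1), (p2, q2), implicit_factor(p1 * q1, p2 * q2, 40)
```

`demo()` returns the two constructed factor pairs followed by the pairs recovered from the moduli alone.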

Available from: Guénaël Renault, Jul 16, 2014
  • ABSTRACT: Let \(N_{1} = p_{1}q_{1}\) and \(N_{2} = p_{2}q_{2}\) be two RSA moduli, not necessarily of the same bit-size. In 2009, May and Ritzenhofen proposed a method to factor \(N_{1}\) and \(N_{2}\) given the implicit information that \(p_{1}\) and \(p_{2}\) share an amount of least significant bits. In this paper, we propose a generalization of their attack as follows: suppose that some unknown multiples \(a_{1}p_{1}\) and \(a_{2}p_{2}\) of the prime factors \(p_{1}\) and \(p_{2}\) share an amount of their Most Significant Bits (MSBs) or an amount of their Least Significant Bits (LSBs). Using a method based on the continued fraction algorithm, we propose a method that leads to the factorization of \(N_{1}\) and \(N_{2}\). Using simultaneous diophantine approximations and lattice reduction, we extend the method to factor \(k\ge 3\) RSA moduli \(N_{i}=p_{i}q_{i}, i=1,\ldots ,k\) given the implicit information that there exist unknown multiples \(a_{1}p_{1}, \ldots , a_kp_k\) sharing an amount of their MSBs or their LSBs. Also, this paper extends many previous works where similar results were obtained when the \(p_{i}\)’s share their MSBs or their LSBs.
    Journal of Applied Mathematics and Computing 06/2014; 48(1-2). DOI:10.1007/s12190-014-0806-1
  • ABSTRACT: In this paper we present some problems and their solutions exploiting lattice based root finding techniques. In [Cryptography and lattices. 1st international conference, CaLC 2001, Lect. Notes Comput. Sci. 2146, 51–66 (2001; Zbl 1006.94528)] N. Howgrave-Graham proposed a method to find the Greatest Common Divisor (GCD) of two large integers when one of the integers is exactly known and the other one is known approximately. In this paper, we present three applications of the technique. The first one is to show deterministic polynomial time equivalence between factoring N (N=pq, where p>q or p,q are of same bit size) and knowledge of \(q^{-1} \bmod p\). Next, we consider the problem of finding smooth integers in a short interval. The third one is to factorize N given a multiple of the decryption exponent in RSA. In [Advances in cryptology – ASIACRYPT 2006, Lect. Notes Comput. Sci. 4284, 267–282 (2006; Zbl 1172.94577)] E. Jochemsz and A. May presented a general strategy for finding roots of a polynomial. We apply that technique to solve the following two problems. The first one is to factorize N given an approximation of a multiple of the decryption exponent in RSA. The second one is to solve the implicit factorization problem given three RSA moduli considering certain portions of LSBs as well as MSBs of one set of three secret primes are same.
    Advances in Mathematics of Communications 11/2010; 2010(4):146. DOI:10.3934/amc.2010.4.519 · 0.65 Impact Factor