Article
A New LSB Attack on Special-Structured RSA Primes
Amir Hamzah Abd Ghafar 1, Muhammad Rezal Kamel Ariffin 1,2,* and Muhammad Asyraf Asbullah 1,3
1 Institute for Mathematical Research, Universiti Putra Malaysia, Serdang 43400, Selangor Darul Ehsan, Malaysia; amirghafar87@gmail.com (A.H.A.G.); ma_asyraf@upm.edu.my (M.A.A.)
2 Department of Mathematics, Faculty of Science, Universiti Putra Malaysia, Serdang 43400, Selangor Darul Ehsan, Malaysia
3 Centre of Foundation Studies for Agricultural Science, Universiti Putra Malaysia, Serdang 43400, Selangor Darul Ehsan, Malaysia
* Correspondence: rezal@upm.edu.my
Received: 13 February 2020; Accepted: 17 March 2020; Published: 20 May 2020


Abstract: Asymmetric key cryptosystems are a vital element in securing our communication in cyberspace. They encrypt the data we transmit and authenticate the originality and integrity of that data. The Rivest–Shamir–Adleman (RSA) cryptosystem is highly regarded as one of the most deployed public-key cryptosystems today. Previous attacks on the cryptosystem focus on weakening the hardness of the integer factorization problem embedded in the RSA modulus, $N = pq$. The adversary used several assumptions to enable the attacks. For example, $p$ and $q$ which satisfy Pollard's weak prime structures, and partial knowledge of the least significant bits (LSBs) of $p$ and $q$, can cause $N$ to be factored in polynomial time, thus breaking the security of RSA. In this paper, we heavily utilize both assumptions. First, we assume that $p$ and $q$ satisfy specific structures where $p = a^m + r_p$ and $q = b^m + r_q$ for $a, b$ positive integers and $m$ a positive even number. Second, we assume that the bits of $r_p$ and $r_q$ are the known LSBs of $p$ and $q$ respectively. In our analysis, we have successfully factored $N$ in polynomial time using both assumptions. We also counted the number of primes that are affected by our attack. Based on the result, it may pose a great danger to the users of RSA if no countermeasure is developed to resist our attack.
Keywords: cryptography; RSA cryptosystem; RSA cryptanalysis; partial key exposure attack
1. Introduction
One of the earliest asymmetric key cryptosystems is the Rivest–Shamir–Adleman (RSA) cryptosystem, introduced by Rivest, Shamir and Adleman in 1978 [1]. Its simple and easy-to-understand mathematical design made it compelling for use in the early days of digital cyberspace technology, and since then it has been considered the most widely known asymmetric key cryptosystem. In its key generation algorithm, an RSA modulus $N = pq$ is computed, where $p$ and $q$, called the RSA primes, are two distinct primes such that $p < q < 2p$. From the values of $p$ and $q$, another parameter called the RSA public exponent $e$ is obtained, which satisfies $e < \varphi(N)$ and $\gcd(e, \varphi(N)) = 1$, where $\varphi(N) = (p-1)(q-1)$. An RSA private exponent $d$ that satisfies $ed \equiv 1 \pmod{N}$ is then computed. One of the security strengths of RSA is the integer factorization problem, which is embedded in the RSA modulus since $p$ and $q$ are very large $n$-bit primes (typically, $n = 1024$). The problem is deemed infeasible to solve on current computing machines, and the best algorithm to solve it, the general number field sieve (GNFS) [2], still runs in sub-exponential time.
Past attacks on RSA by Pollard in 1974 [3] have shown that primes with particular structures are vulnerable to being factored in polynomial time, which is easily computed by any modern computer.
Symmetry 2020, 12, 838; doi:10.3390/sym12050838 www.mdpi.com/journal/symmetry
In his attacks, Pollard showed that if $p - 1$ or $q - 1$ is composed of small primes, then there is a factoring algorithm that factors $N = pq$ in polynomial time. Another method of attacking RSA assumes that several bits of $p$ and $q$ are known to the adversary, which weakens the hardness of factoring $N$. In particular, ref. [4] showed that knowing $1/2$ of the least significant bits (LSBs) of the RSA primes is sufficient to factor $N$ in polynomial time. The random reconstruction algorithm of Heninger and Shacham can also efficiently recover the full RSA key given a 0.57 fraction of random bits of each of $p$ and $q$ [5]. Later, Maitra et al. [6] provided a combinatorial model of Heninger's work and were able to reconstruct the LSBs of RSA primes with a modified brute-force search by shortening the total search space.
The LSBs discussed in the prior attacks on RSA are commonly gathered by side-channel attack. It is one of the prominent methods of collecting the physical outputs or side-effects of cryptographic devices during their computations [7]. These outputs or side-effects include but are not limited to the computation time and power consumption of decryption [8,9], the heat and electromagnetic radiation emitted by the devices [10], cache behavior [11] and the sound of the processor during computation [12].
About This Paper
The results in this paper are extensions of our papers [13] and [14]. In this paper, we assume that certain LSBs of the RSA primes are known. We show that only a small number of LSBs is required for our attack to factor $N$ in polynomial time, given that the RSA primes satisfy specified structures. We also show the abundance of primes that satisfy these structures, and that no proper checking mechanism has been implemented in any standard RSA library to prevent the use of such primes. This shows the risk inherent in the existing method of generating RSA keys: it may produce an RSA modulus that falls under our attack.
2. Preliminaries
In this section, we provide some helpful lemmas whose results are applied to make our attack successful.

Lemma 1. Let $a, r \in \mathbb{Z}^+$ and let $m \geq 2$ be an even number. If $\sqrt{a^m + r} = a^{m/2} + e$, then $e < \dfrac{r}{2a^{m/2}}$.

Proof. Let $a^m + r$ be an integer where $a \in \mathbb{Z}^+$. Then
$$\sqrt{a^m + r} < \sqrt{a^m + r + \frac{r^2}{4a^m}} = \sqrt{\left(a^{m/2} + \frac{r}{2a^{m/2}}\right)^2} = a^{m/2} + \frac{r}{2a^{m/2}}.$$
Since $\sqrt{a^m + r} = a^{m/2} + e$, it follows that $e < \dfrac{r}{2a^{m/2}}$. This terminates the proof.
Suppose $N = pq$ is a valid RSA modulus where $p = a^m + r_p$ and $q = b^m + r_q$. Let $a, b \in \mathbb{Z}^+$; we can see that $ab$ is unknown if $p$ and $q$ are secret values. Using the result from Lemma 1, we find the lower and upper bounds of $N^{1/2} - (ab)^{m/2}$ in the following lemma.
Lemma 2. Let $a, b \in \mathbb{Z}^+$ and let $m \geq 2$ be an even number such that $a < b < (2a^m + 1)^{1/m}$. Suppose $N = (a^m + r_p)(b^m + r_q)$ where $r_p r_q < N^{\gamma}$. If $r_p < 2a^{m/2}$ and $r_q < 2b^{m/2}$, then
$$(r_p r_q)^{1/2} < N^{1/2} - (ab)^{m/2} < \frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1.$$
Proof. To prove the lower bound, we first need to show that $a^m r_q + b^m r_p > 2(ab)^{m/2}(r_p r_q)^{1/2}$. Observe that
$$\left(a^{m/2} r_q^{1/2} - b^{m/2} r_p^{1/2}\right)^2 = a^m r_q + b^m r_p - 2(ab)^{m/2}(r_p r_q)^{1/2}.$$
Since $\left(a^{m/2} r_q^{1/2} - b^{m/2} r_p^{1/2}\right)^2$ will always be a positive value, it implies that $a^m r_q + b^m r_p > 2(ab)^{m/2}(r_p r_q)^{1/2}$. Then
$$\begin{aligned}
\sqrt{(a^m + r_p)(b^m + r_q)} &= \sqrt{(ab)^m + a^m r_q + b^m r_p + r_p r_q} \\
&> \sqrt{(ab)^m + 2(ab)^{m/2}(r_p r_q)^{1/2} + r_p r_q} \\
&= \sqrt{\left((ab)^{m/2} + (r_p r_q)^{1/2}\right)^2} \\
&= (ab)^{m/2} + (r_p r_q)^{1/2}.
\end{aligned}$$
Thus, $\sqrt{(a^m + r_p)(b^m + r_q)} - (ab)^{m/2} = N^{1/2} - (ab)^{m/2} > (r_p r_q)^{1/2}$.

To prove the upper bound, write $\sqrt{a^m + r_p} = a^{m/2} + e_1$ and $\sqrt{b^m + r_q} = b^{m/2} + e_2$. Then, based on Lemma 1,
$$\begin{aligned}
N^{1/2} &= \sqrt{(a^m + r_p)(b^m + r_q)} = \sqrt{a^m + r_p}\,\sqrt{b^m + r_q} \\
&= (a^{m/2} + e_1)(b^{m/2} + e_2) = (ab)^{m/2} + a^{m/2} e_2 + b^{m/2} e_1 + e_1 e_2 \\
&< (ab)^{m/2} + \frac{a^{m/2} r_q}{2b^{m/2}} + \frac{b^{m/2} r_p}{2a^{m/2}} + \frac{r_p}{2a^{m/2}} \cdot \frac{r_q}{2b^{m/2}}. \qquad (1)
\end{aligned}$$
If $r_p < 2a^{m/2}$ and $r_q < 2b^{m/2}$, then
$$\frac{r_p}{2a^{m/2}} \cdot \frac{r_q}{2b^{m/2}} = \frac{r_p r_q}{4(ab)^{m/2}} < \frac{4(ab)^{m/2}}{4(ab)^{m/2}} = 1. \qquad (2)$$
If $a < b < (2a^m + 1)^{1/m}$, then Equation (1) becomes
$$\begin{aligned}
N^{1/2} - (ab)^{m/2} &< \frac{a^{m/2} r_q}{2b^{m/2}} + \frac{b^{m/2} r_p}{2a^{m/2}} + 1 \\
&= \left(\frac{a}{b}\right)^{m/2} \frac{r_q}{2} + \left(\frac{b}{a}\right)^{m/2} \frac{r_p}{2} + 1 \\
&< (1)^{m/2} \frac{r_q}{2} + (2)^{m/2} \frac{r_p}{2} + 1 \\
&= \frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1.
\end{aligned}$$
This terminates the proof.
By obtaining the lower and upper bounds of $N^{1/2} - (ab)^{m/2}$ in Lemma 2, we have a result that will be useful in our attack later. Throughout this paper, we focus on RSA primes of the forms $p = a^m + r_p$ and $q = b^m + r_q$. Therefore, we define LSBs in the next definition based on these forms.
Definition 1 (Least Significant Bits (LSBs) of Primes). Let $l_1, l_2, m \in \mathbb{Z}^+$. Suppose $p = a^m + r_p$ and $q = b^m + r_q$ are primes. Suppose there exist unknown $a_0$ and $b_0$ such that
$$p = (2^{l_1} \cdot a_0)^m + r_p \qquad (3)$$
and
$$q = (2^{l_2} \cdot b_0)^m + r_q. \qquad (4)$$
Then we define $r_p$ and $r_q$ to be the $k$-many LSBs of $p$ and $q$ respectively, where $k \leq l_1 m, l_2 m$ satisfies
$$r_p \equiv p \pmod{2^{l_1 m}} \qquad (5)$$
and
$$r_q \equiv q \pmod{2^{l_2 m}}. \qquad (6)$$
To identify primes that satisfy Equations (3) and (4), we observe the binary representations of $a^m$ and $b^m$. Their LSBs must have $k$-many consecutive 0's to satisfy $p = a^m + r_p$ and $q = b^m + r_q$. In particular, let $r_{p_i}$ be the binary representation of $a^m$ and $r_{q_i}$ be the binary representation of $b^m$, where $i = 1, 2, \ldots, n$. Observe
$$a^m = \underbrace{r_{p_1} r_{p_2} \ldots r_{p_{(n-k)}}}_{(n-k)\text{-many bits of 1's and 0's}}\ \overbrace{r_{p_{(n-k+1)}} \ldots r_{p_n}}^{k\text{-many bits of 0's}} \qquad (7)$$
$$b^m = \underbrace{r_{q_1} r_{q_2} \ldots r_{q_{(n-k)}}}_{(n-k)\text{-many bits of 1's and 0's}}\ \overbrace{r_{q_{(n-k+1)}} \ldots r_{q_n}}^{k\text{-many bits of 0's}} \qquad (8)$$
The random reconstruction algorithm [5], which was improved by [6], is one of the efficient algorithms used to find the LSBs of RSA primes. Thus, it can be utilized to find the values of $r_p$ and $r_q$ that satisfy Equations (5) and (6).
3. Our Attack
Before we proceed to show how $N$ can be factored in polynomial time using the previous results, we define the term 'sufficiently small' that is used to justify our attack.

Definition 2. We define a sufficiently small value in this paper to be a value smaller than the largest value that can feasibly be brute-forced by current computing machines at the lowest security level.

Remark 1. The latest recommendation for key management by NIST [15] states that the lowest security level is 112-bit. This implies that the largest value that can feasibly be brute-forced at this security level by current computing machines is $2^{112}$. Based on Definition 2, a value lower than $2^{112}$ is considered sufficiently small. This value may change in the future, depending on advances in computing technology.

Now we are ready to show how the RSA modulus can be factored in polynomial time using the next theorem.
Theorem 1. Let $a, b \in \mathbb{Z}^+$ and let $m \geq 2$ be an even number such that $a < b < (2a^m + 1)^{1/m}$. Suppose $N = pq = (a^m + r_p)(b^m + r_q)$ is a valid RSA modulus. Let $r_p \equiv p \pmod{2^m}$ and $r_q \equiv q \pmod{2^m}$ where $r_p < 2a^{m/2}$ and $r_q < 2b^{m/2}$ such that $\max\{r_p, r_q\} < 2^k$. If $2^{k-1}\left(2^{m/2} + 1\right)$ is a sufficiently small value as defined in Definition 2 and $k$-many LSBs of $p$ and $q$ are known, then $N$ can be factored in polynomial time.
Proof. From Lemma 2 we can see that $(r_p r_q)^{1/2} < N^{1/2} - (ab)^{m/2} < \frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1$. Thus,
$$N^{1/2} - \frac{r_q}{2} - 2^{\frac{m}{2}-1} r_p - 1 < (ab)^{m/2} < N^{1/2} - (r_p r_q)^{1/2}. \qquad (9)$$
Suppose $r_p$ and $r_q$ are the known LSBs of $p$ and $q$ respectively. The LSB values may be obtained from the side-channel attacks described previously in Section 1. Since $\max\{r_p, r_q\} < 2^k$, the difference between the upper and lower bounds of Equation (9) is
$$\begin{aligned}
N^{1/2} - (r_p r_q)^{1/2} - N^{1/2} + \frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1 &< 2^k\left(2^{\frac{m}{2}-1} + \frac{1}{2}\right) - \left(\min\{r_p, r_q\}^2\right)^{1/2} + 1 \\
&= 2^k\left(\frac{2^{m/2} + 1}{2}\right) - \min\{r_p, r_q\} + 1 \\
&= 2^{k-1}\left(2^{m/2} + 1\right) - \min\{r_p, r_q\} + 1, \qquad (10)
\end{aligned}$$
which is the size of the set of integers to be searched for $(ab)^{m/2}$. If $2^{k-1}\left(2^{m/2} + 1\right)$ is sufficiently small as defined in Definition 2, then we can find $(ab)^{m/2}$ in polynomial time. By computing $\left((ab)^{m/2}\right)^2$, we find $(ab)^m$. Then
$$\begin{aligned}
N - r_p r_q &\equiv (a^m + r_p)(b^m + r_q) - r_p r_q \\
&\equiv (ab)^m + a^m r_q + b^m r_p \\
&\equiv a^m r_q + b^m r_p \pmod{(ab)^m}.
\end{aligned}$$
Observe that from $r_p < 2a^{m/2}$ and $r_q < 2b^{m/2}$ we have $a^m r_q + b^m r_p < (ab)^m$. Thus, we obtain the full integer $a^m r_q + b^m r_p$ without modular reduction. Since the values of $r_p$, $r_q$, $(ab)^m$ and $a^m r_q + b^m r_p$ are known, we can find the roots of the following quadratic equation:
$$X^2 - (a^m r_q + b^m r_p)X + (ab)^m r_p r_q = 0.$$
We find that $x_1 = a^m r_q$ and $x_2 = b^m r_p$. Since $r_p$ and $r_q$ are known, we can obtain $a^m = \dfrac{x_1}{r_q}$ and $b^m = \dfrac{x_2}{r_p}$. Thus we can factor $N$ by calculating
$$\frac{N}{b^m + r_q} = a^m + r_p.$$
The next remark justifies our selection criteria for the parameter $m$.

Remark 2. Let $A$ be the set of possible values of $(ab)^{m/2}$. From Equation (9), we know that $A$ is a set of numbers between $N^{1/2} - \frac{r_q}{2} - 2^{\frac{m}{2}-1} r_p - 1$ and $N^{1/2} - (r_p r_q)^{1/2}$. If $m \geq 2$ is an even integer, then $(ab)^{m/2}$ is an integer and $A$ is a finite set. However, if $m$ is a positive odd integer, then $(ab)^{m/2}$ is a real value and $A$ is an infinite set. The latter makes our method infeasible, since there are infinitely many possible values of $(ab)^{m/2}$ to try. Therefore, $m$ must be an even integer greater than or equal to 2.

The following is an example to illustrate the result of Theorem 1.
Example 1. We use an RSA-2048 modulus in this example. Specifically, we are given
N=25443213484803330676546636060506767271319211956273880351374351825
46256158013255117739836500456730264902937246910852858138318236603
28796126064275138262348021411229982061934595317738337964801727892
54233470084592231117946043667803816674367149523326731127008733355
36182425074366173327195127004160399499185526019310064433935140944
60366015740466980367515605709366458027738329608044170750026717443
54815841155246667831512956948961180313537576080810878904128457697
49463326499780838181084411701695971249384738323330037734781899087
42844727615199026762546947725863259415895257407078268520959081886
49384624121217162949627607660163
Suppose that from the side-channel attack described previously, we know the 12 LSBs of $p$ and $q$. In particular,
$$p = \underbrace{1 \ldots 0000000000}_{\text{unknown 1024 bits}} + \underbrace{101111001001}_{\text{known 12 bits}}$$
and
$$q = \underbrace{1 \ldots 0000000000}_{\text{unknown 1024 bits}} + \underbrace{100111101011}_{\text{known 12 bits}}$$
where
$$r_p = (101111001001)_2 = 3017 \qquad (11)$$
and
$$r_q = (100111101011)_2 = 2539. \qquad (12)$$
Then we set
$$i = \left\lceil (r_p r_q)^{1/2} \right\rceil = 2768.$$
Then we calculate
$$\sigma = \left(\left\lceil N^{1/2} \right\rceil - i\right)^2 \quad\text{and}\quad z \equiv N - (r_p r_q) \pmod{\sigma} \qquad (13)$$
and solve the equation
$$x_{1,2} = X^2 - zX + \sigma r_p r_q = 0. \qquad (14)$$
We find that neither $\dfrac{x_1}{r_q} + r_p$ nor $\dfrac{x_2}{r_p} + r_q$ is an integer. This means $x_1$ and $x_2$ are not our final solutions. It also means $\sigma \neq (ab)^m$ at this point. To find the correct $\sigma$, we have to iterate the computation of Equations (13) and (14) with increasing values of $i$. This search can be done in polynomial time, as $i$ should be less than $\frac{r_q}{2} + 2^{\frac{m}{2}-1} r_p + 1 = 7304$ as stated in Lemma 2. In this case, we find the correct $\sigma$ when $i = 2811$. That is, we compute
$$\sigma = \left(\left\lceil N^{1/2} \right\rceil - i\right)^2$$
=25443213484803330676546636060506767271319211956273880351374351825
46256158013255117739836500456730264902937246910852858138318236603
28796126064275138262348021411229982061934595317738337964801727892
54233470084592231117946043667803816674367149523326731127008733355
36182425074366173327195127004160399499185525929621955792730967217
57093357794065292733692579733017882760046777578179801403516768246
29246851968098638468612026451713499821263832772646855070783021404
05118967588741443353965388245391488440871378163462453288885183603
73902790724858882651191332644704993553711430100366047804022517832
60459933438910410000000000000000
and
$$z \equiv N - (r_p r_q) \pmod{\sigma}$$
=89688108641204173727032726579464016876338230259763485752676915520
29864369346509949197255689891871480293629009304972476804922737433
08164023833345436293443443589110393948271190234563044828085133601
59867584445896715483689419368903401441113556150811582658621838273
0671222071693656405388924690682306752949627600000000.
Using the values of $\sigma$ and $z$, we solve the equation
$$x_{1,2} = X^2 - zX + \sigma r_p r_q = 0. \qquad (15)$$
The solutions of Equation (15) are used to compute
$$\frac{x_1}{r_q} + r_p = p$$
=2076325666953480903251061985643543068723624934635381548413863
1458070722097244580144040973758980302401303555418169933522406
1662229162879643933792870833231736875142501533422110427899095
3517812060123279372587614099731233402621448865880933141145360
5245689592204158590965166633547679145670950934175191147210000
3017
and
$$\frac{x_2}{r_p} + r_q = q$$
=1225396087413168498292617260986889571145024632726919066571061
6588749446565648362779666067127897821347705191543359716126834
5944097932917669169852614268434890176706523882967335716979529
9071636233133238459212674004750005745005313778479423967599274
3740090403457711105290569800062341129610183840357926739210000
2539.
Hence, N has been successfully factored in polynomial time.
Remark 3. From Example 1, we have shown that as few as 12 LSBs are required to successfully execute our attack. Hence, this puts our method at an advantage, since it does not necessarily depend on a side-channel attack [7] to gather the LSBs. Instead, by using our method, an adversary can use a brute-force approach to find the correct LSBs, since the required number of LSBs can be very small.
4. Number of Primes with Vulnerable Specialized Structures Against the Random Reconstruction Algorithm
From Equations (7) and (8) we can see that $r_{p_1}$ up to $r_{p_{(n-k)}}$ must be the binary representation of a squared number. The same applies to $r_{q_1}$ up to $r_{q_{(n-k)}}$. In the next theorem, we count the number of squared numbers with $n - k$ bits.
Theorem 2. If $n$ is any large positive integer and $k$ is a small positive integer, then there are at least $\left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor$ squared numbers between $2^{n-k-1}$ and $2^{n-k} - 1$.

Proof. Let $X = \{x_i^2\}$ for $i = \{1, 2, 3, \ldots\}$ be the set of all squared numbers between $2^{n-k-1}$ and $2^{n-k} - 1$. In particular,
$$2^{n-k-1} < x_i^2 < 2^{n-k} - 1.$$
Then
$$2^{\frac{1}{2}(n-k-1)} < x_i < \left(2^{n-k} - 1\right)^{\frac{1}{2}} = 2^{\frac{n-k}{2}}\left(1 - 2^{-(n-k)}\right)^{\frac{1}{2}}. \qquad (16)$$
To find the least number of $i$, i.e. the number of squared numbers between $2^{n-k-1}$ and $2^{n-k} - 1$, we compute the difference between the upper bound and the lower bound of Equation (16) in integer form. That is,
$$\begin{aligned}
2^{\frac{n-k}{2}}\left(1 - 2^{-(n-k)}\right)^{\frac{1}{2}} - 2^{\frac{1}{2}(n-k-1)} &> 2^{\frac{n-k}{2}}\left(1 - 2^{-(n-k)}\right) - 2^{\frac{1}{2}(n-k-1)} \\
&\geq \left\lfloor 2^{\frac{n-k}{2}} - 1 - 2^{\frac{1}{2}(n-k-1)} \right\rfloor \\
&= \left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) - 1 \right\rfloor.
\end{aligned}$$
If $n$ is any large positive integer and $k$ is a small positive integer, then
$$\left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) - 1 \right\rfloor \approx \left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor.$$
This terminates the proof.
Theorem 3. Let $a, b \in \mathbb{Z}^+$ and let $m \geq 2$ be an even number such that $a < b < (2a^m + 1)^{1/m}$. Suppose $N = pq = (a^m + r_p)(b^m + r_q)$ is a valid RSA modulus. Let $r_p \equiv p \pmod{2^m}$ and $r_q \equiv q \pmod{2^m}$ where $r_p < 2a^{m/2}$ and $r_q < 2b^{m/2}$ such that $\max\{r_p, r_q\} < 2^k$. Let $x > 0$ be an integer where $x^2$ is the smallest squared number of $n$-bit size. If $2^{k-1}\left(2^{m/2} + 1\right)$ is a sufficiently small value as defined in Definition 2 and $k$-many LSBs of $p$ and $q$ are known, then there are at most
$$\frac{\left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor}{2}\left(\frac{2^k}{\log (x)^2} + \frac{2^k}{\log\left(x + \left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor\right)^2}\right)$$
candidates of $p$ and $q$ of $n$-bit size such that $p = a^m + r_p$ and $q = b^m + r_q$ satisfy Theorem 1.
Proof. Let $x > 0$ be an integer where $x^2$ is the smallest squared number with $n - k$ bits. Let $\pi_1(x)$ be the prime-counting function between $x^2$ and $x^2 + \max\{r_p, r_q\}$. Then
$$\begin{aligned}
\pi_1(x) &= \frac{x^2 + \max\{r_p, r_q\}}{\log\left(x^2 + \max\{r_p, r_q\}\right)} - \frac{x^2}{\log x^2} \approx \frac{x^2 + \max\{r_p, r_q\}}{\log x^2} - \frac{x^2}{\log x^2} \\
&= \frac{x^2 + \max\{r_p, r_q\} - x^2}{\log x^2} = \frac{\max\{r_p, r_q\}}{\log x^2} < \frac{2^k}{\log x^2}.
\end{aligned}$$
From Theorem 2, we know there are approximately $\left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor$ squared numbers of $(n-k)$-bit size, where $n - k$ is a large integer suitably used in RSA. Thus, $\pi_1(x)$ for the consecutive squared numbers is as follows:
$$\begin{aligned}
\pi_1(x) &< \frac{2^k}{\log (x)^2} \\
\pi_1(x+1) &< \frac{2^k}{\log (x+1)^2} \\
\pi_1(x+2) &< \frac{2^k}{\log (x+2)^2} \\
&\;\;\vdots \\
\pi_1\!\left(x + \left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor\right) &< \frac{2^k}{\log\left(x + \left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor\right)^2}.
\end{aligned} \qquad (17)$$
The summation of Equation (17) can be represented by the formula for the sum of an arithmetic progression, where the number of terms $i$ is multiplied by the sum of the first and last numbers in the progression and divided by 2. That is,
$$\begin{aligned}
\pi_2 = \sum_{i=0}^{2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) - 1} \frac{2^k}{\log (x+i)^2} &< \frac{\left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor}{2}\left(\pi_1(x) + \pi_1\!\left(x + \left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor\right)\right) \\
&< \frac{\left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor}{2}\left(\frac{2^k}{\log (x)^2} + \frac{2^k}{\log\left(x + \left\lfloor 2^{\frac{n-k}{2}}\left(1 - 2^{-\frac{1}{2}}\right) \right\rfloor\right)^2}\right). \qquad (18)
\end{aligned}$$
This terminates the proof.
The result of Theorem 3 shows that there is a significant number of primes that satisfy Theorem 1.
5. Comparative Analysis
Here we compare our results with the existing attacks with known bits of primes. The authors of [16] introduced partial key exposure attacks under the assumption that certain bits of the primes can be known to the adversary. They showed that $2/3$ of the bits of $p$ or $q$ are sufficient to factor $N$ using an integer programming technique. Later, ref. [17] reduced this value to $1/2$ using the LLL algorithm. The attack by Herrmann and May later required the known bits to be arranged in random blocks [18]. Heninger and Shacham's attack is motivated by the so-called cold boot attack, which targets the memory in electronic chips to reconstruct the bits of the private keys, given that the bits are from random positions [5]. They successfully conducted the attack if a 0.57 fraction of the random bits of the primes is known. It should be noted that their fraction is much lower if they consider the random bits of the RSA private exponent $d$ ($d_p$ and $d_q$ in the case of CRT-RSA). Using a similar method, ref. [6] proved that if the total number of LSBs known from both $p$ and $q$ is at least 50% of the total length of $N$, then $N$ can be factored using a lattice-based method. Our method, unlike the existing methods, utilizes $k$-many LSBs of the primes, where $k$ is less than the value of $2^{k-1}\left(2^{m/2} + 1\right)$, which is sufficiently small as defined in Definition 2, as shown in Theorem 1.
The summaries of all the attacks are compiled in Table 1.
From Table 1, we can see that our method requires fewer LSBs for the attack to succeed when compared to [5,6]. That is, the attack requires less computational time and space to be executed. It is easy to see that if $N \approx 2^{2048}$ and $k = 80$, then $r_p, r_q < N^{0.039}$. This is a substantial improvement over previous works.
We would like to point out the trade-off of our attack, namely the characteristics mentioned in Theorem 1. Nevertheless, our analysis shows that if $r_p$ and $r_q$ are bounded by $2^k$, where $k$ is as stated in Definition 2, the side-channel attack can be conducted in reasonable time in order to identify whether the primes in physical devices fall under the category mentioned. This makes our research important for real-world implementations of the RSA cryptosystem. Moreover, we have shown in Section 4 that the number of primes satisfying our conditions is exponentially large. This shows the importance of our attack.
Table 1. Comparison of our method against existing attacks with known bits of primes.

| Attacks | Position of known bits | Bits of primes that need to be known | Comments/Remarks | Advantages/Disadvantages |
|---|---|---|---|---|
| Rivest and Shamir (1985) | LSBs or MSBs | 2/3 of the bits of $p$ or $q$ | Solving an integer programming problem | Advantages: fast speed. Disadvantages: requires a lot of known bits (entry spans the five existing attacks) |
| Coppersmith (1996) | LSBs or MSBs | 1/2 of the bits of $p$ or $q$ | Using a lattice-based method | as above |
| Herrmann and May (2008) | Any position (in blocks) | $\log_e(2) \approx 0.7$ of the bits of $p$ or $q$ | Number of blocks $\approx \log\log N$ | as above |
| Heninger and Shacham (2009) | Any position | $r_p = N^{\delta_1}$, $r_q = N^{\delta_2}$, $\delta_1 + \delta_2 \geq 0.57$ of the bits of $p$ or $q$ | Using the random reconstruction algorithm (RRA) | as above |
| Maitra et al. (2010) | LSBs | $r_p = N^{\delta_1}$, $r_q = N^{\delta_2}$, $\delta_1 + \delta_2 \geq 0.5$ of the bits of $p$ or $q$ | Using RRA together with a lattice-based method | as above |
| Our method: Theorem 1 | LSBs | $r_p, r_q < 2^k$ where $2^k$ is sufficiently small as in Definition 2. That is, $r_p, r_q < N^{k/\log_2 N}$. | Side-channel attack of complexity $O(2^k)$ where $2^k$ is sufficiently small as in Definition 2. | Advantages: fast speed, requires fewer known bits. Disadvantages: requires specific hardware to conduct the side-channel attack |
6. Countermeasure of the Attack
Although the attack seems to target a niche set of primes, there is no immediately noticeable detection that can be implemented to overcome the attack. This means that the prevention of the use of weak primes must be applied in the RSA key generator, with full knowledge of the secret parameters $p$ and $q$. The countermeasure is depicted in Figure 1.

Given $N$, $p$ and $q$, if $\left\lceil N^{1/2} - \left\lfloor p^{1/2} \right\rfloor \cdot \left\lfloor q^{1/2} \right\rfloor \right\rceil$ is a sufficiently small integer as defined in Definition 2, then the RSA key generator must find a new $p$ or $q$.
Figure 1. Countermeasure of the attack.

Since the computation is minimal, the prevention of the attack can be applied in real-world RSA implementations.
Example 2. For a toy example of this countermeasure, we revisit the values in Example 1. Given $N$, $p$, $q$ from Example 1, we compute
$$\left\lceil N^{1/2} - \left\lfloor p^{1/2} \right\rfloor \cdot \left\lfloor q^{1/2} \right\rfloor \right\rceil = 2811.$$
Since 2811 is definitely sufficiently small based on Definition 2, an RSA key generator must find new $p$ and $q$. Let
p=10373821590420718162568315912935402272816716250952617784159371685
44340371332193665789760371540571568043597631052985984619935841269
00533099600902588040933556878478965238617603915696057625198338769
03361223061009707594893117366305299494205202223327617461773922102
7548212123977286017508681549015403870522203136301
q=11233601978358194938103618628808793989586489373749842937474042065
13933235347992919444792393988509367460666790358619415756939475813
80412937835561807122090537966641130001194088391044588117638361372
99643968716613613967481916652898906661611644105170965584735585835
3331398195279380078798660391902694277601327538353
be the new $p$ and $q$. Then,
N=11653538274128513578568669090454309990749271193335847349122392459
01318960034317752307651515404527551518430900334308748335133453988
21286310578795557118148985154417613224899775560303891043729606906
29637177530605885689603305847327219925303871989047949044982302417
19652217537589201420247464831069631221516545858847199510976358555
34569641991568190286013308968767353183943188900880965338613790529
14898692740675146768914029502466472816780769463189924714976665682
15047424802978071513075475252664886423135404769620269065551233781
80576090100374515694019647558981694450446331689603531906067965349
37648446600588401959096464052253
be the new RSA modulus $N$. We compute
$$\left\lceil N^{1/2} - \left\lfloor p^{1/2} \right\rfloor \cdot \left\lfloor q^{1/2} \right\rfloor \right\rceil = 91788620433890001811698154984784049754386699417980052$$
34196964320832189804911338215937374325313217127978801
050344028808215933053746159321527280081664264988,
which is larger than $2^{112}$. Hence $N$ is safe from our attack.
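As an added worked example (not code from the paper or its authors), the following Python script ties Theorem 1, Example 1 and the Figure 1 countermeasure together on a constructed toy modulus. It builds two primes of the form $a^m + r$ with $m = 4$, $k = 12$, $a = 1160$ and $b = 1232$ (constructed values; the primes are about 41 bits each and the modulus about 82 bits, nowhere near RSA size), runs the search of Equations (13) and (14) over the window given by Lemma 2 to recover $p$ and $q$ from $N$ and the 12 known LSBs, and then evaluates the key-generation check of Figure 1 on that pair and on an unstructured pair of primes. The helper names (`make_special_prime`, `recover_factors`, `countermeasure_gap`, `key_is_rejected`) and the `threshold` parameter are assumptions of this example; the paper fixes the threshold at $2^{112}$ for real key sizes.

```python
"""Toy reproduction of the attack of Theorem 1 / Example 1 and of the
key-generation check of Figure 1.  Added example, not the authors' code.
The parameters a = 1160, b = 1232, m = 4, k = 12 are constructed for a
modulus of about 82 bits and are nowhere near RSA size."""
from math import isqrt

# Bases that make Miller-Rabin deterministic for n < 3,317,044,064,679,887,385,961,981
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the toy sizes used in this example."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in _MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_special_prime(a: int, m: int, k: int):
    """Return (p, r_p) with p = a^m + r_p prime and r_p < min(2^k, 2 a^{m/2}).
    a must be a multiple of 2^ceil(k/m) so that a^m has k trailing zero bits;
    r_p is then exactly the k LSBs of p, as in Definition 1."""
    assert m % 2 == 0 and pow(a, m) % 2**k == 0, "a^m must end in k zero bits"
    base = pow(a, m)
    limit = min(2**k, 2 * pow(a, m // 2))
    for r in range(1, limit, 2):          # r is odd so that p is odd
        if is_prime(base + r):
            return base + r, r
    raise ValueError("no prime of the form a^m + r in the allowed range")


def lemma2_bounds(rp: int, rq: int, m: int):
    """Integer window for i = floor(sqrt(N)) - (ab)^{m/2} from Lemma 2:
    sqrt(rp*rq) < sqrt(N) - (ab)^{m/2} < rq/2 + 2^{m/2-1} rp + 1."""
    return isqrt(rp * rq), rq // 2 + 2 ** (m // 2 - 1) * rp + 1


def recover_factors(N: int, rp: int, rq: int, m: int):
    """Theorem 1: recover (p, q) from N and the known LSBs rp, rq.
    Returns (p, q, i) with p < q, or None if no i in the window works.
    The paper writes sigma with ceil(sqrt(N)); using floor only shifts i
    by one, and the window of lemma2_bounds covers both."""
    s = isqrt(N)
    lo, hi = lemma2_bounds(rp, rq, m)
    for i in range(lo, hi + 1):
        sigma = (s - i) ** 2                 # candidate for (ab)^m, Eq. (13)
        z = (N - rp * rq) % sigma            # candidate for a^m rq + b^m rp
        disc = z * z - 4 * sigma * rp * rq   # discriminant of Eq. (14)
        if disc < 0:
            continue
        d = isqrt(disc)
        if d * d != disc:                    # roots must be integers
            continue
        for x in ((z - d) // 2, (z + d) // 2):
            if x % rq:
                continue
            cand = x // rq + rp              # equals a^m + rp when x = a^m rq
            if 1 < cand < N and N % cand == 0:
                p, q = sorted((cand, N // cand))
                return p, q, i
    return None


def countermeasure_gap(N: int, p: int, q: int) -> int:
    """Figure 1: ceil(sqrt(N) - floor(sqrt(p)) * floor(sqrt(q))), computed exactly."""
    s = isqrt(N)
    t = isqrt(p) * isqrt(q)
    return s - t if s * s == N else s - t + 1   # otherwise sqrt(N) lies in (s, s+1)


def key_is_rejected(N: int, p: int, q: int, threshold: int) -> bool:
    """Key-generator rule of Figure 1: reject the pair when the gap is below
    the 'sufficiently small' threshold (2^112 in Remark 1 for real key sizes)."""
    return countermeasure_gap(N, p, q) < threshold


if __name__ == "__main__":
    p, rp = make_special_prime(1160, 4, 12)   # constructed weak primes
    q, rq = make_special_prime(1232, 4, 12)
    N = p * q
    p_rec, q_rec, i = recover_factors(N, rp, rq, 4)
    print("factored from 12 LSBs:", (p_rec, q_rec) == (p, q), "at i =", i)
    print("weak pair rejected:", key_is_rejected(N, p, q, 2**112),
          "gap =", countermeasure_gap(N, p, q))
    p2, q2 = 998244353, 1000000007            # constructed unstructured primes
    print("unstructured pair gap:", countermeasure_gap(p2 * q2, p2, q2))
```

For the weak pair the gap is at most $r_q/2 + 2^{m/2-1} r_p + 1$, a few thousand here, and that bound does not grow with $a$ and $b$; for primes without the special structure the gap is of the order of $\lfloor q^{1/2} \rfloor$ times the fractional part of $p^{1/2}$, so it grows with the size of the primes. That is why a fixed threshold such as $2^{112}$ separates the two cases at RSA sizes, and why at toy sizes the `threshold` parameter has to be scaled down.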
7. Conclusions
We have shown an attack on the RSA modulus $N = pq$ where $p = a^m + r_p$ and $q = b^m + r_q$, for $r_p$ and $r_q$ the $k$ LSBs of $p$ and $q$ respectively. Our attack can be mounted successfully in polynomial time if the LSBs of the primes are known and satisfy the conditions. We also show that there is a significant number of primes, relative to their sizes, that are vulnerable to our attack. This poses a great threat to RSA users who might not realize that their RSA primes may fall under these vulnerable primes. However, our suggestion on how to detect the vulnerable primes during the key generation process may help to overcome this problem, so that the RSA cryptosystem can still be applied.
Author Contributions: Conceptualization, A.H.A.G., M.R.K.A. and M.A.A.; methodology, formal analysis, investigation, writing—original draft preparation, A.H.A.G.; writing—review and editing, A.H.A.G., M.R.K.A. and M.A.A.; supervision and funding acquisition, M.R.K.A. All authors have read and agreed to the published version of the manuscript.
Funding: The research was supported by the Ministry of Education of Malaysia with Fundamental Research Grant Scheme (FRGS/1/2019/STG06/UPM/02/08).
Conflicts of Interest: The authors declare no conflict of interest.
Abbreviations
The following abbreviations are used in this manuscript:
LSB Least significant bits
MSB Most significant bits
RRA random reconstruction algorithm
RSA Rivest–Shamir–Adleman
References
1. Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 1978, 21, 120–126. [CrossRef]
2. Buhler, J.P.; Lenstra, H.W.; Pomerance, C. Factoring integers with the number field sieve. In The Development of the Number Field Sieve; Springer: Berlin/Heidelberg, Germany, 1993; pp. 50–94.
3. Pollard, J.M. Theorems on factorization and primality testing. Math. Proc. Camb. Philos. Soc. 1974, 76, 521–528. [CrossRef]
4. Boneh, D.; Durfee, G.; Frankel, Y. An attack on RSA given a small fraction of the private key bits. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 1998; pp. 25–34.
5. Heninger, N.; Shacham, H. Reconstructing RSA private keys from random key bits. In Advances in Cryptology-CRYPTO 2009; Springer: Berlin/Heidelberg, Germany, 2009; pp. 1–17.
6. Maitra, S.; Sarkar, S.; Gupta, S.S. Factoring RSA modulus using prime reconstruction from random known bits. In International Conference on Cryptology in Africa; Springer: Berlin/Heidelberg, Germany, 2010; pp. 82–99.
7. Kocher, P.; Jaffe, J.; Jun, B.; Rohatgi, P. Introduction to differential power analysis. J. Cryptogr. Eng. 2011, 1, 5–27. [CrossRef]
8. Kocher, P.C. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 1996; pp. 104–113.
9. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 1999; pp. 388–397.
10. Martinasek, Z.; Zeman, V.; Trasy, K. Simple electromagnetic analysis in cryptography. Int. J. Adv. Telecommun. Electrotech. Signals Syst. 2012, 1, 13–19. [CrossRef]
11. Cho, J.; Kim, T.; Kim, S.; Im, M.; Kim, T.; Shin, Y. Real-Time Detection for Cache Side Channel Attack using Performance Counter Monitor. Appl. Sci. 2020, 10, 984. [CrossRef]
12. Genkin, D.; Shamir, A.; Tromer, E. RSA key extraction via low-bandwidth acoustic cryptanalysis. In Annual Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2014; pp. 444–461.
13. Ghafar, A.H.A.; Ariffin, M.R.K.; Asbullah, M.A. Extending Pollard Class of Factorable RSA Modulus. In Proceedings of the 6th International Cryptology and Information Security Conference 2018 (CRYPTOLOGY2018), Port Dickson, Negeri Sembilan, Malaysia, 9–11 July 2018; p. 103.
14. Ghafar, A.; Ariffin, M.; Asbullah, M. A New Attack on Special-Structured RSA Primes. Malays. J. Math. Sci. 2019, 13, 111–125.
15. Barker, E.; Dang, Q. Recommendation for Key Management, Part 1: General; NIST Special Publication 800-57 Part 1, Revision 4; National Institute of Standards and Technology (NIST): Gaithersburg, MD, USA, 2016.
16. Rivest, R.L.; Shamir, A. Efficient factoring based on partial information. In Workshop on the Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1985; pp. 31–34.
17. Coppersmith, D. Finding a small root of a bivariate integer equation; factoring with high bits known. In International Conference on the Theory and Applications of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1996; pp. 178–189.
18. Herrmann, M.; May, A. Solving linear equations modulo divisors: On factoring given any bits. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2008; pp. 406–424.
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Article
Full-text available
The RSA (Rivest–Shamir–Adleman) asymmetric-key cryptosystem is widely used for encryptions and digital signatures. Let (n,e) be the RSA public key and d be the corresponding private key (or private exponent). One of the attacks on RSA is to find the private key d using continued fractions when d is small. In this paper, we present a new technique to improve a small private exponent attack on RSA using continued fractions and multicore systems. The idea of the proposed technique is to find an interval that contains ϕ(n), and then propose a method to generate different points in the interval that can be used by continued fraction and multicore systems to recover the private key, where ϕ is Euler’s totient function. The practical results of three small private exponent attacks on RSA show that we extended the previous bound of the private key that is discovered by continued fractions. When n is 1024 bits, we used 20 cores to extend the bound of d by 0.016 for de Weger, Maitra-Sarkar, and Nassr et al. attacks in average times 7.67 h, 2.7 h, and 44 min, respectively.
... We et al. [1] mentioned that from the existing classical sense of computation, a modulus with a minimum 1024-bit length is still very hard to be factorised. There are several general purpose algorithms to solve the IFP, such as Pollard's p − 1, General Number Field Sieve, Quadratic Sieve, Elliptic Curve Factoring, and Fermat's Factoring Algorithm [2]. ...
Article
Full-text available
Fermat’s Factoring Algorithm (FFA) is an integer factorisation methods factoring the modulus N using exhaustive search. The appearance of the Estimated Prime Factor (EPF) method reduces the cost of FFA’s loop count. However, the EPF does not work for balanced primes. This paper proposed the modified Fermat’s Factoring Algorithm 1-Estimated Prime Factor (mFFA1-EPF) that improves the EPF method. The algorithm works for factoring a modulus with unbalanced and balanced primes, respectively. The main results of mFFA1-EPF focused on three criteria: (i) the approach to select good candidates from a list of convergent continued fraction, (ii) the establishment of new potential initial values based on EPF, and (iii) the application of the above modification upon FFA. The resulting study shows the significant improvement that reduces the loop count of FFA1 via (improved) EPF compared to existing methods. The proposed algorithm can be executed without failure and caters for both the modulus N with unbalanced and balanced primes factor. The algorithm works for factoring a modulus with unbalanced and balanced primes.
Article
Full-text available
Cache side channel attacks extract secret information by monitoring the cache behavior of a victim. Normally, this attack targets an L3 cache, which is shared between a spy and a victim. Hence, a spy can obtain secret information without alerting the victim. To resist this attack, many detection techniques have been proposed. However, these approaches have limitations as they do not operate in real time. This article proposes a real-time detection method against cache side channel attacks. The proposed technique performs the detection of cache side channel attacks immediately after observing a variation of the CPU counters. For this, Intel PCM (Performance Counter Monitor) and machine learning algorithms are used to measure the value of the CPU counters. Throughout the experiment, several PCM counters recorded changes during the attack. From these observations, a detecting program was implemented by using these counters. The experimental results show that the proposed detection technique displays good performance for real-time detection in various environments.
Article
Full-text available
The article describes the main principle and methods of simple electromagnetic analysis and thus provides an overview of simple electromagnetic analysis.The introductions chapters describe specific SPA attack used visual inspection of EM traces, template based attack and collision attack.After reading the article, the reader is sufficiently informed of any context of SEMA.Another aim of the article is the practical realization of SEMA which is focused on AES implementation.The visual inspection of EM trace of AES is performed step by step and the result is the determination of secret key Hamming weight.On the resulting EM trace, the Hamming weight of the secret key 1 to 8 was clearly visible.This method allows reduction from the number of possible keys for following brute force attack.
Chapter
Full-text available
In 1990, the ninth Fermat number was factored into primes by means of a new algorithm, the “number field sieve”, which was proposed by John Pollard. The present paper is devoted to the description and analysis of a more general version of the number field sieve. It should be possible to use this algorithm to factor arbitrary integers into prime factors, not just integers of a special form like the ninth Fermat number. Under reasonable heuristic assumptions, the analysis predicts that the time needed by the general number field sieve to factor n is exp((c+o(1))(logn)1/3(loglogn)2/3) (for n → ∞), where c=(64/9)1/3=1.9223. This is asymptotically faster than all other known factoring algorithms, such as the quadratic sieve and the elliptic curve method.
Conference Paper
Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. These acoustic emanations are more than a nuisance: as we show in this paper, they can leak the key used in cryptographic operations. This is surprising, since the acoustic information has very low bandwidth (under 20 kHz using common microphones, and a few hundred kHz using ultrasound microphones), which is many orders of magnitude below the GHz-scale clock rates of the attacked computers. We describe a new acoustic cryptanalysis attack which can extract full 4096-bit RSA keys from the popular GnuPG software, within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate such attacks, using a plain mobile phone placed next to the computer, or a more sensitive microphone placed 10 meters away.
Article
1. Introduction. This paper is concerned with the problem of obtaining theoretical estimates for the number of arithmetical operations required to factorize a large integer n or test it for primality. One way of making these problems precise uses a multi-tape Turing machine (e.g. (1), although we require a version with an input tape). At the start of the calculation n is written in radix notation on one of the tapes, and the machine is to stop after writing out the factors in radix notation or after writing one of two symbols denoting ‘prime’ or ‘composite’. There are, of course, other definitions which could be used; but the differences between these are unimportant for our purpose.(Received April 08 1974)
Conference Paper
Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.Keywordsdifferential power analysisDPASPAcryptanalysisDES
Conference Paper
This paper discusses the factorization of the RSA modulus N (i.e., N = pq, where p, q are primes of same bit size) by reconstructing the primes from randomly known bits. The reconstruction method is a modified brute-force search exploiting the known bits to prune wrong branches of the search tree, thereby reducing the total search space towards possible factorization. Here we revisit the work of Heninger and Shacham in Crypto 2009 and provide a combinatorial model for the search where some random bits of the primes are known. This shows how one can factorize N given the knowledge of random bits in the least significant halves of the primes. We also explain a lattice based strategy in this direction. More importantly, we study how N can be factored given the knowledge of some blocks of bits in the most significant halves of the primes. We present improved theoretical result and experimental evidences in this direction.
Conference Paper
We show that an RSA private key with small public exponent can be eciently recovered given a 0.27 fraction of its bits at random. An important application of this work is to the \cold boot" attacks of Halderman et al. We make new observations about the structure of RSA keys that allow our algorithm to make use of the redundant information in the typical storage format of an RSA private key. Our algorithm itself is elementary and does not make use of the lattice techniques used in other RSA key reconstruction problems. We give an analysis of the running time behavior of our algorithm that matches the threshold phenomenon observed in our experiments.
Conference Paper
We present a method to solve integer polynomial equations in two variables, provided that the solution is suitably bounded. As an application, we show how to find the factors of N = PQ if we are given the high order ((1/4) log2 N) bits of P. This compares with Rivest and Shamir’s requirement of ((1/3) log2 N) bits.