We provide a new method of constructing an optimal
lattice. Applying our method to the cryptanalysis of the short exponent
RSA, we obtain our results which extend Boneh and Durfee's work. Our
attack methods are based on a generalization to multivariate modular polynomial
equation. The results illustrate the fact that one should be careful
when using RSA key generation process with special parameters.

1. Introduction

The RSA [1] cryptosystem is the most widely used public-key cryptosystem. The modulo N of RSA cryptosystem is the product of two large prime numbers p and q, without loss of generality, we assume that p<q. The public exponent e and the secret exponent d satisfy the equation

ed≡1(modϕ(N)),
where ϕ(N)=(p-1)(q-1) is Euler’s totient function. In a typical RSA cryptosystem, p and q have approximately the same number of bits and e<N. The most basic security requirement for public key cryptosystem is that it should be hard to recover the secret key from the public key.

In order to speed up the decryption or signing process, one might be tempted to use small secret exponent. Unfortunately, Wiener [2] showed that if d<N1/4, then the factorization of N can be found in polynomial time using only the public information (N,e). In 1996, Coppersmith [3] introduced two methods for finding small roots of polynomial equations using lattice reduction, where one is for the univariate modular case and the other is for the bivariate case over the integers. Coppersmith’s technique has been found many applications for breaking variants of RSA; for example, Boneh and Durfee [4] improved the bound of secret exponent to d<N0.292, Coron and May [5] applied Coppersmith’s technique to show the deterministic equivalence between recovering the secret exponent d and factoring N, and May [6] presented two polynomial time attacks for the case of imbalanced prime factors p and q.

For a given RSA modulo N, it is not difficult to get a polynomial time algorithm for finding [N], where [N] is the integral part of N. Then p and q can be rewritten as p=[N]-x0 and q=[N]+y0, where x0,y0 are unknown positive integers. Our observation is that the bound of secret exponent d of balanced RSA is related to the bound of |x0-y0|. For instance, when p and q are twin prime numbers, that is, q-p=2, then p is a root of the following polynomial:

N=x(x+2).
Therefore, for any security exponent d, there often exists an algorithm that factors N with polynomial time. In general case, relations between the bound |x0-y0| and the bound of secret exponent d are obtained. Boneh and Durfee’s results in [4] are special cases of our results in this paper.

We reduce our method into two cases according to the size of the public exponent e and obtain the results by applying a new method of constructing a lattice basis. When e is large, set fe(x,y):=x(y-A)+1, then the polynomial fe(x,y) has (k,U) as a root modulo e, where U=y0-x0 and k satisfies

ed+k(N+1-p-q)=1.
Let

gi1i2(x,y)=xi1yi2lkfe(x,y)kem-k,
for k=0,…,m, where l is a leading monomial of fe (for a detailed definition, see Section 3). All the polynomials gi1i2 have the root (k,U) modulo em. A lattice L is defined by taking the coefficient vectors of gi1i2(xX,yY) as a basis. In general, one can force the matrix of the lattice to be lower triangular. According to the LLL-algorithm, one hopes that the dimension of the lattice is as large as possible and entries of the diagonal are as small as possible. The following definitions are useful for describing our method clearly.

Definition 1.1.

Suppose a lattice L is spanned by vectors {b1,b2,…,bω} and the matrix describing L is a lower triangular. A vector of which the last entry of the row exceeds the modulo of the lattice is called a bad vector. A vector of which the last entry of the row is less than the modulo of the lattice is called a good vector. A lattice spanned by a basis of which all its vectors are good is called an optimal lattice.

The key ingredient of the lattice reduction technique is to construct an optimal lattice of which the dimension is as large as possible. Jochemsz and May’s strategy of constructing a lattice basis [7] is to chose a continued subset of the polynomials gi1i2 as a lattice basis in which there may be some bad vectors. Our most significant contribution is that we can discard all the unnecessary bad vectors in a lattice basis with a simple new way and construct a lattice whose dimension of the lattice is large enough. We construct an optimal lattice basis by choosing a discontinued subset of the polynomials gi1i2. When e is small, a difference polynomial is chosen; similar methods but more complicated are applied to construct a lattice basis. In order to show that our method is practical, the properties of resultant are considered also in this paper.

The paper is organized as follows: some lattice preliminaries are given in Section 2. Section 3 shows the proposed method of attacking the RSA with large e. Section 4 shows the method of attacking the RSA with small e. The last section is the conclusion.

2. Lattice Theory

Let b1,b2,…,bω∈ℤn be linearly independent vectors with ω≤n. A lattice L spanned by {b1,b2,…,bω} is the set of all integer linear combinations of b1,b2,…,bω. Such a set of vectors bi’s is called a lattice basis. We say that the lattice is full rank if ω=n.

Let f(x,y)=∑i,jaijxiyj∈ℤ[x,y] be a bivariate polynomial with coefficients aij in the ring of integers. The Euclidean norm of f is defined as the norm of the coefficient vector ∥f∥2=∑ijaij2.

Lemma 2.1.

Let B={b1,b2,…,bn} be a basis. On input B, the L3-algorithm outputs another basis {v1,v2,…,vn} with
∥v1∥≤∥v2∥≤2n/4det(L)1/(n-1),
in time polynomial in n and in the bit-size of the entries in B.

Based on the LLL-algorithm, Coppersmith [3] presented a method of finding small solutions to the modular polynomial which has the desired small root over the integers. Howgrave-Graham [8] formulated a useful condition on how to find such a polynomial in terms of normal of a polynomial.

Let h(x,y)∈ℤ[x,y] which is the sum of at most ω monomials. Suppose that h(x0,y0)≡0modφm, where |x0|<X,|y0|<Y and ∥h(xX,yY)∥<φm/ω. Then h(x0,y0)=0 holds over the integers.

3. The Case for Large <inline-formula><mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" id="M92"><mml:mrow><mml:mi>e</mml:mi></mml:mrow></mml:math></inline-formula>

Let e,d be integers such that ed≡1(modϕ(N)). It follows that there exists an integer k satisfying

ed+k(N+1-p-q)=1.
Suppose that the public key and the security key satisfy e<Nα,d<Nβ for some α,β. In this section, we consider the case that e is of the same order of magnitude as N and therefore α is very close to 1.

By (3.1), we have

k<2edN≤Nα+β-1.
Rewriting p=[N]-x0, q=[N]+y0, A=N+1-2[N], and U=y0-x0, we obtain

k(A-U)≡1(mode).
Suppose fe(x,y):=x(y-A)+1, then the polynomial fe(x,y) has (k,U) as a root modulo e.

A monomial l of fe, with coefficient al, is called a leading monomial if there are no monomials in fe besides l that is divisible by l. Here the leading monomial of fe is xy and its coefficient is 1. Let ε>0 be an arbitrarily small constant. Depending on 1/ε, we fix an integer m. For k∈{0,…,m+1}, we define the sets Mk of monomials as

M0:={xi1yi2∣xi1yi2isamonomialoffem}⋃1≤j≤t{xi1yi1+j∣1≤i1≤m},Mk:={xi1yi2∣xi1yi2isamonomialoffemandxi1yi2lkisamonomialoffem-k}⋃1≤j≤t{xi1yi1+j∣k≤i1≤m},
where t is a parameter to be chosen later. We note that each set Mk in [7] is the whole monomials of fem-k, while, in our method, we discard all bad rows of the lattice and consider part monomials of fem-k.

We define the following shift polynomials

gi1i2(x,y)=xi1yi2lkfe(x,y)kem-k,
for k=0,…,m, and xi1yi2∈Mk∖Mk+1.

All the polynomials gi1i2 have the root (k,U) modulo em. We define a lattice L by taking the coefficient vectors of gi1i2(xX,yY) as a basis. We can force the matrix describing L to be lower triangular. It is not difficult to see that the sets Mk can be rewritten as

M0:={xi1yi2∣0≤i2≤i1≤m}⋃1≤j≤t{xi1yi1+j∣1≤i1≤m},Mk:={xi1yi2∣k≤i2≤i1}⋃1≤j≤t{xi1yi1+j∣k≤i1≤m}.
As an example, we consider the case m=2, and t=1. From the definition of Mk, we have

M0={x2y3,x2y2,xy2,x2y,x2,xy,x,1},M1={x2y3,x2y2,xy2,x2y},M2={x2y3,x2y2}.
The matrix of the lattice for m=2 is shown in Table 1.

1

x

xy

x2

x2y

xy2

x2y2

x2y3

e2

e2

xe2

*

Xe2

fe

*

*

XYe

x2e2

*

*

*

X2e2

xfe

*

*

*

*

X2Ye

yfe

*

*

*

*

*

XY2e

f2

*

*

*

*

*

*

X2Y2

yf2

*

*

*

*

*

*

*

XY3

In general, we find that the condition det(L)<em(ω+1-n), derived from Lemmas 2.1 and 2.2, can be reduced to

Xs1Ys2<esN,for{st=∑xi1yi2∈M0it,t=1,2sN=∑k=1m|Mk|.
Assuming that |U|≤Nγ, inequality (3.8) is equivalent to

(α+β-1)s1+γs2-αsN<0.
By calculation, we obtain that

s1=m(m+1)(2m+4+3t)6,s2=m(m+1)(m+2)6+mt(m+t+2)2,sN=m(m-1)(m+1+3t)6.
For any m, the left hand side of (3.9) is minimized at t=m(1-β-γ)/2γ. Plugging this value into (3.9) and omitting a neglect number, we have

4αγ+2βγ+γ2-3β2-2γ+6β-3<0.

Notice that there are some bad rows in the above lattice. Next, we refine the construction method and improve the above result. In fact, the following lattice is an optimal lattice.

The definition of shift polynomials gi1i2(x,y) is the same as above. From the definition of Mk, we have

M0:={xi1yi2∣0≤i2≤i1≤m}⋃0≤k≤m⋃1≤j≤tk{xi1yi1+j∣i1=k},Mk:={xi1yi2∣k≤i2≤i1}⋃k≤l≤m⋃1≤j≤tl{xi1yi1+j∣i1=l}.
By some rather complex calculations, we obtain that

s1=m(m+1)(m+2)3+am(m+1)(2m+1)6,s2=m(m+1)(m+2)6+a2m(m+1)(2m+1)12+am(m+1)4+am(m+1)(2m+1)6,sN=m(m-1)(m+1)6+am(m+1)(2m+1)6,
where a=(2-α-β-γ)/γ. The inequality (3.9) leads to

-2α+2β+α2-β2+αγ<0.
From Lemma 2.1 and the estimations of (3.8), it is easy to see that if

-2α+2β+α2-β2+αγ<0,
we are guaranteed to find two vectors in L that are shorter than the bound em/dim(L). The vectors are the coefficient vectors of two bivariate polynomials h1(xX,yY) and h2(xX,yY). By Howgrave-Graham's theorem, h1(x,y) and h2(x,y) have the same root (k,U) over the integers. By taking resultant of h1(x,y) and h2(x,y) with respect to y, we get g(x) with root k. We can easily extract k from g(x) with standard root finding algorithms. Therefore, we can find U from h1(x,y) or h2(x,y). This completes the description of the attack. The heuristic fact that we have in our approach is as follows.

Fact 1.

The probability that the construction described above yields zero polynomial that is, g(x) is a zero polynomial is neglectable.

In practice, we can assume that g(x) is a nonzero polynomial. The following lemma shows that Fact 1 holds.

Lemma 3.1.

Let h1(x,y),h2(x,y), and g(x) be defined as above. Then g(x) is a zero polynomial if and only if gcd(h1(x,y),h2(x,y))≠1.

Proof.

Lemma 3.1 follows from Lemma 8.2 in [9].

In fact, if the polynomials h1,h2 are random chosen, then the probability that g(x) is a zero polynomial is neglectable. From the above discussion, we get the following result.

Theorem 3.2.

Let e,d be defined as above and U<Nγ. If
-2α+2β+α2-β2+αγ<0,
then we can factor N with polynomial time.

We note that when α=1, γ=1/2, the inequality in Theorem 3.2 becomes

β2-2β+12>0,
which is the result in [4]

4. The Case for Small Exponent <inline-formula><mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" id="M221"><mml:mrow><mml:mi>e</mml:mi></mml:mrow></mml:math></inline-formula>

In this section, we suppose that α is smaller than 1. Rewriting

p=[N]-x0,q=[N]+y0,A=1-2[N],U=y0-x0,
by (3.1), we have

ed+k(A-U)≡1(modN).
Let

fN(x,y,z)=yz-ex-Ay+1.
It is easy to see that fN(x,y,z) has (d,k,U) as a root modulo N. The similar method in section 3 can be applied to three variants polynomial fN. Here the leading monomial of fN is yz and the coefficient is 1. Let ε>0 be an arbitrarily small constant. According to the size of 1/ε, we fix an integer m. For k∈{0,…,m+1}, let

tk=ak-bm,t0=max{t1,…,tm},
and c=b/a, where a=(2-α-γ)/γ,b=β/γ. Define the sets Mk of monomials as follows

M0:={xi1yi2zi3∣xi1yi2zi3isamonomialoffm}⋃1≤j≤t0{xi1zj∣0≤i1≤m-cm}⋃cm≤k≤m⋃1≤j≤tk{xi1ykzk+j∣1≤i1≤m-k},Mk:={xi1yi2zi3∣xi1yi2zi3isamonomialoffmandxi1yi2zi3lkisamonomialoffm-k}⋃cm≤k≤m⋃k≤l≤m⋃1≤j≤tl{xi1ylzl+j∣1≤i1≤m-k}.
We define the following shift polynomials:

gi1i2i3(x,y,z)=xi1yi2zi3lkf(x,y,z)kNm-k,
for k=0,…,m, and xi1yi2zi3∈Mk∖Mk+1.

All the polynomials gi1i2i3 have the root (d,k,U) modulo Nm. We define a lattice L by taking the coefficient vectors of gi1i2i3(xX,yY,zZ) as a basis. We can force the matrix describing L to be lower triangular. The sets Mk can be rewritten as follows:

The matrix of the lattice for m=2 is shown in Table 2.

1

x

y

x2

y2

xy

yz

xyz

y2z

y2z2

N2

N2

xN2

*

XN2

yN2

*

*

YN2

x2N2

*

*

*

X2N2

y2N2

*

*

*

*

Y2N2

xyN2

*

*

*

*

*

XYN2

fN

*

*

*

*

*

*

YZN2

xfN

*

*

*

*

*

*

*

XYZN2

yfN

*

*

*

*

*

*

*

*

Y2ZN2

f2

*

*

*

*

*

*

*

*

*

Y2Z2N2

In general, we find that det(L)<Nm(ω+1-n), derived from Lemmas 2.1 and 2.2, can be reduced to

Xs1Ys2Zs3<NsN,for{st=∑xi1yi2zi3∈M0it,t=1,2,3,sN=∑k=1m|Mk|.
Let |U|≤Nγ. Hence, the inequality (4.9) is equivalent to

βs1+(α+β-1)s2+γs3≤sN.
By calculation, we obtain that

s1=m424+(a-b)424a3m4+O(m3),s2=m412+a4-2a3b+2ab3-b412a3m4+O(m3),sN=m424+(a-b)424a2m4+a4-2a3b+2ab3-b412a3m4+O(m3).
Plugging these value into (4.10) and omitting the neglect terms, we get that

β(3a3+(a-b)3(3a+b))+α(2a3+2(a+b)(a-b)3)+γ(a3+(a-b)3(a2-ab+2a+2b))-(3a3+(a-b)3(7a-3b))<0,
which guarantees that we can find three vectors in L that are shorter than the bound Nm/dim(L). These vectors are the coefficient vectors of three trivariate polynomials f1(xX,yY,zZ), f2(xX,yY,zZ), and f3(xX,yY,zZ). By Howgrave-Graham’s theorem, f1(x,y,z), f2(x,y,z), and f3(x,y,z) have the root (d,k,U) over the integers. Afterward, we take the resultant of these integral polynomials with respect to the variable z and obtain two bivariate polynomials g1(x,y) and g2(x,y) with root (d,k). By taking resultant of g1(x,y) and g2(x,y) with respect to y, we get g(x) with root d. d can be easily extracted from g(x) with standard root finding algorithms. Therefore, we can find k from g1(x,y) or g2(x,y). Similarly, we can get U. By U=x0-y0 and N=([N])2+[N](y0-x0)-x0y0, then N can be factored with polynomial time. This completes the description of the attack. The heuristic fact that we have in our approach is as follows.

Fact 2.

The probability that the construction described above yields zero polynomial that is, g(x) is a zero polynomial is neglectable.

A similar discussion as Fact 1, we have that for random choice f1(x,y,z), f2(x,y,z), and f3(x,y,z), the probability that g(x) is a zero polynomial is neglectable. Therefore, in practice, we can assume that g(x) is a nonzero polynomial.

Theorem 4.1.

Let e,d be defined as above and U<Nγ. If
β(3a3+(a-b)3(3a+b))+α(2a3+2(a+b)(a-b)3)+γ(a3+(a-b)3(a2-ab+2a+2b))-(3a3+(a-b)3(7a-3b))<0,
then we can factor N with polynomial time, where a=(2-α-γ)/γ,b=β/γ.

As a special case of Theorem 4.1, one can see that when 2α+γ≤1.5 and d≤N1/2, there exists an algorithm that factors N with polynomial time.

5. Conclusion

In this paper, we obtained our results by taking advantage of lattice reduction technique. By improving the Jochemsz and May [7] strategy of constructing a lattice basis, we throw the bad rows in the lattice and obtain an optimal lattice. Applying the method of constructing an optimal lattice to cryptanalyse short exponent RSA, we get the main results which extend those of Boneh and Durfee in [4].

Acknowledgments

This work is supported by National 973 (Grant no. 2007CB807902), NSFC project under (Grant no. 60873041), nature science of Shandong province (Grant no. Y2008G23), and Doctoral Fund of Ministry of Education of China (Grant no. 20090131120012).

RivestR. L.ShamirA.AdlemanL.A method for obtaining digital signatures and public-key cryptosystemsWienerM. J.Cryptanalysis of short RSA secret exponentsCoppersmithD.Small solutions to polynomial equations, and low exponent RSA vulnerabilitiesBonehD.DurfeeG.Cryptanalysis of RSA with private key d less than N0.292CoronJ.-S.MayA.Deterministic polynomial-time equivalence of computing the RSA secret key and factoringMayA.Cryptanalysis of unbalanced RSA with small CRT-exponent2442Proceedings of the 22nd Annual International Cryptology Conference (Crypto '02)2002Springer242256Lecture Notes in Computer ScienceMR2054824ZBL1026.94535JochemszE.MayA.A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variantsProceedings of the 12th International Conference on the Theory and Application of Cryptology and Information Security2006267282Howgrave-GrahamN.Finding small roots of univariate modular equations revisited1355Proceedings of the 6th IMA International Conference on Cryptography and Coding1997Springer131142Lecture Notes in Computer Science10.1007/BFb0024458MR1660500ZBL0922.11113LangS.