Mathematical Problems in Engineering, Hindawi Publishing Corporation, ISSN 1563-5147 / 1024-123X, volume 2010, Article ID 421348, doi:10.1155/2010/421348. Research Article.

A New Method of Constructing a Lattice Basis and Its Applications to Cryptanalyse Short Exponent RSA

Wang Mingqiang, Zhang Haifeng, Jiang J. School of Mathematics, Shandong University, 250100 Jinan, China (sdu.edu.cn). 2010.

Copyright © 2010. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

We provide a new method of constructing an optimal lattice. Applying our method to the cryptanalysis of short exponent RSA, we obtain results that extend Boneh and Durfee's work. Our attack methods are based on a generalization to multivariate modular polynomial equations. The results illustrate that one should be careful when using an RSA key generation process with special parameters.

1. Introduction

The RSA cryptosystem is the most widely used public-key cryptosystem. The modulus $N$ of the RSA cryptosystem is the product of two large prime numbers $p$ and $q$; without loss of generality, we assume that $p<q$. The public exponent $e$ and the secret exponent $d$ satisfy the equation

$$ed \equiv 1 \pmod{\phi(N)},$$ where $\phi(N)=(p-1)(q-1)$ is Euler's totient function. In a typical RSA cryptosystem, $p$ and $q$ have approximately the same number of bits and $e<N$. The most basic security requirement for a public key cryptosystem is that it should be hard to recover the secret key from the public key.

In order to speed up the decryption or signing process, one might be tempted to use a small secret exponent. Unfortunately, Wiener showed that if $d<N^{1/4}$, then the factorization of $N$ can be found in polynomial time using only the public information $(N,e)$. In 1996, Coppersmith introduced two methods for finding small roots of polynomial equations using lattice reduction, one for the univariate modular case and the other for the bivariate case over the integers. Coppersmith's technique has found many applications in breaking variants of RSA; for example, Boneh and Durfee improved the bound on the secret exponent to $d<N^{0.292}$, Coron and May applied Coppersmith's technique to show the deterministic equivalence between recovering the secret exponent $d$ and factoring $N$, and May presented two polynomial time attacks for the case of imbalanced prime factors $p$ and $q$.

For a given RSA modulus $N$, it is not difficult to obtain a polynomial time algorithm for finding $[\sqrt{N}]$, where $[\sqrt{N}]$ is the integral part of $\sqrt{N}$. Then $p$ and $q$ can be rewritten as $p=[\sqrt{N}]-x_0$ and $q=[\sqrt{N}]+y_0$, where $x_0,y_0$ are unknown positive integers. Our observation is that the bound on the secret exponent $d$ of balanced RSA is related to the bound on $|x_0-y_0|$. For instance, when $p$ and $q$ are twin primes, that is, $q-p=2$, then $p$ is a root of the following polynomial:

$$N=x(x+2).$$ Therefore, for any secret exponent $d$, there often exists an algorithm that factors $N$ in polynomial time. In the general case, we obtain relations between the bound on $|x_0-y_0|$ and the bound on the secret exponent $d$. Boneh and Durfee's results are special cases of the results in this paper.

We divide our method into two cases according to the size of the public exponent $e$ and obtain the results by applying a new method of constructing a lattice basis. When $e$ is large, set $f_e(x,y):=x(y-A)+1$; then the polynomial $f_e(x,y)$ has $(k,U)$ as a root modulo $e$, where $U=y_0-x_0$ and $k$ satisfies

$$ed+k(N+1-p-q)=1.$$ Let

$$g_{i_1 i_2}(x,y)=x^{i_1}y^{i_2}\,l^{-k}\,f_e(x,y)^k\,e^{m-k}, \qquad k=0,\dots,m,$$ where $l$ is a leading monomial of $f_e$ (for a detailed definition, see Section 3). All the polynomials $g_{i_1 i_2}$ have the root $(k,U)$ modulo $e^m$. A lattice $L$ is defined by taking the coefficient vectors of $g_{i_1 i_2}(xX,yY)$ as a basis. In general, one can force the matrix of the lattice to be lower triangular. According to the LLL-algorithm, one hopes that the dimension of the lattice is as large as possible and the entries on the diagonal are as small as possible. The following definitions are useful for describing our method clearly.

Definition 1.1.

Suppose a lattice $L$ is spanned by vectors $\{b_1,b_2,\dots,b_\omega\}$ and the matrix describing $L$ is lower triangular. A vector whose last entry in its row exceeds the modulus of the lattice is called a bad vector. A vector whose last entry in its row is less than the modulus of the lattice is called a good vector. A lattice spanned by a basis all of whose vectors are good is called an optimal lattice.

The key ingredient of the lattice reduction technique is to construct an optimal lattice whose dimension is as large as possible. Jochemsz and May's strategy of constructing a lattice basis is to choose a consecutive subset of the polynomials $g_{i_1 i_2}$ as a lattice basis, in which there may be some bad vectors. Our most significant contribution is that we can discard all the unnecessary bad vectors in a lattice basis in a simple new way and construct a lattice whose dimension is large enough. We construct an optimal lattice basis by choosing a non-consecutive subset of the polynomials $g_{i_1 i_2}$. When $e$ is small, a different polynomial is chosen, and similar but more complicated methods are applied to construct a lattice basis. In order to show that our method is practical, properties of the resultant are also considered in this paper.

The paper is organized as follows: some lattice preliminaries are given in Section 2. Section 3 shows the proposed method of attacking the RSA with large e. Section 4 shows the method of attacking the RSA with small e. The last section is the conclusion.

2. Lattice Theory

Let $b_1,b_2,\dots,b_\omega \in \mathbb{Z}^n$ be linearly independent vectors with $\omega \le n$. A lattice $L$ spanned by $\{b_1,b_2,\dots,b_\omega\}$ is the set of all integer linear combinations of $b_1,b_2,\dots,b_\omega$. Such a set of vectors $b_i$ is called a lattice basis. We say that the lattice is full rank if $\omega=n$.

Let $f(x,y)=\sum_{i,j} a_{ij}x^iy^j \in \mathbb{Z}[x,y]$ be a bivariate polynomial with integer coefficients $a_{ij}$. The Euclidean norm of $f$ is defined as the norm of its coefficient vector: $\|f\|^2=\sum_{i,j} a_{ij}^2$.

Lemma 2.1.

Let $B=\{b_1,b_2,\dots,b_n\}$ be a basis. On input $B$, the $L^3$-algorithm outputs another basis $\{v_1,v_2,\dots,v_n\}$ with $\|v_1\| \le \|v_2\| \le 2^{n/4}\det(L)^{1/(n-1)}$, in time polynomial in $n$ and in the bit-size of the entries in $B$.

Based on the LLL-algorithm, Coppersmith presented a method of finding small solutions of a modular polynomial by constructing a polynomial that has the desired small root over the integers. Howgrave-Graham formulated a useful condition on how to find such a polynomial in terms of the norm of a polynomial.

Lemma 2.2 (Howgrave-Graham [8]).

Let $h(x,y)\in\mathbb{Z}[x,y]$ be the sum of at most $\omega$ monomials. Suppose that $h(x_0,y_0)\equiv 0 \pmod{\varphi^m}$, where $|x_0|<X$, $|y_0|<Y$, and $\|h(xX,yY)\|<\varphi^m/\sqrt{\omega}$. Then $h(x_0,y_0)=0$ holds over the integers.

3. The Case for Large e

Let $e,d$ be integers such that $ed \equiv 1 \pmod{\phi(N)}$. It follows that there exists an integer $k$ satisfying

$$ed+k(N+1-p-q)=1. \qquad (3.1)$$ Suppose that the public key and the secret key satisfy $e<N^\alpha$, $d<N^\beta$ for some $\alpha,\beta$. In this section, we consider the case that $e$ is of the same order of magnitude as $N$, and therefore $\alpha$ is very close to 1.

By (3.1), we have

$$k < \frac{2ed}{N} < N^{\alpha+\beta-1}.$$ Rewriting $p=[\sqrt{N}]-x_0$, $q=[\sqrt{N}]+y_0$, $A=N+1-2[\sqrt{N}]$, and $U=y_0-x_0$, we obtain

$$k(A-U)\equiv 1 \pmod{e}.$$ Set $f_e(x,y):=x(y-A)+1$; then the polynomial $f_e(x,y)$ has $(k,U)$ as a root modulo $e$.

A monomial $l$ of $f_e$, with coefficient $a_l$, is called a leading monomial if there is no monomial of $f_e$ other than $l$ that is divisible by $l$. Here the leading monomial of $f_e$ is $xy$ and its coefficient is 1. Let $\varepsilon>0$ be an arbitrarily small constant. Depending on $1/\varepsilon$, we fix an integer $m$. For $k\in\{0,\dots,m+1\}$, we define the sets $M_k$ of monomials as

$$M_0 := \{x^{i_1}y^{i_2} \mid x^{i_1}y^{i_2} \text{ is a monomial of } f_e^m\} \cup \bigcup_{1\le j\le t}\{x^{i_1}y^{i_1+j} \mid 1\le i_1\le m\},$$
$$M_k := \{x^{i_1}y^{i_2} \mid x^{i_1}y^{i_2} \text{ is a monomial of } f_e^m \text{ and } x^{i_1}y^{i_2}/l^k \text{ is a monomial of } f_e^{m-k}\} \cup \bigcup_{1\le j\le t}\{x^{i_1}y^{i_1+j} \mid k\le i_1\le m\},$$
where $t$ is a parameter to be chosen later. We note that in the strategy of Jochemsz and May each set $M_k$ consists of all the monomials of $f_e^{m-k}$, while in our method we discard all bad rows of the lattice and consider only part of the monomials of $f_e^{m-k}$.

We define the following shift polynomials

$$g_{i_1 i_2}(x,y)=x^{i_1}y^{i_2}\,l^{-k}\,f_e(x,y)^k\,e^{m-k}, \qquad \text{for } k=0,\dots,m \text{ and } x^{i_1}y^{i_2}\in M_k\setminus M_{k+1}.$$

All the polynomials $g_{i_1 i_2}$ have the root $(k,U)$ modulo $e^m$. We define a lattice $L$ by taking the coefficient vectors of $g_{i_1 i_2}(xX,yY)$ as a basis. We can force the matrix describing $L$ to be lower triangular. It is not difficult to see that the sets $M_k$ can be rewritten as

$$M_0 := \{x^{i_1}y^{i_2} \mid 0\le i_2\le i_1\le m\} \cup \bigcup_{1\le j\le t}\{x^{i_1}y^{i_1+j} \mid 1\le i_1\le m\},$$
$$M_k := \{x^{i_1}y^{i_2} \mid k\le i_2\le i_1\} \cup \bigcup_{1\le j\le t}\{x^{i_1}y^{i_1+j} \mid k\le i_1\le m\}.$$
As an example, we consider the case $m=2$ and $t=1$. From the definition of $M_k$, we have

$$M_0=\{x^2y^3,\,x^2y^2,\,xy^2,\,x^2y,\,x^2,\,xy,\,x,\,1\},\qquad M_1=\{x^2y^3,\,x^2y^2,\,xy^2,\,x^2y\},\qquad M_2=\{x^2y^3,\,x^2y^2\}.$$ The matrix of the lattice for $m=2$ is shown in Table 1.

Table 1: Basis matrix of the lattice for m = 2, t = 1. Rows are the shift polynomials, columns are the monomials of M_0, and * marks a nonzero entry below the diagonal.

            1      x      xy     x^2    x^2y   xy^2   x^2y^2  x^2y^3
e^2         e^2
xe^2        *      Xe^2
f_e         *      *      XYe
x^2e^2      *      *      *      X^2e^2
xf_e        *      *      *      *      X^2Ye
yf_e        *      *      *      *      *      XY^2e
f_e^2       *      *      *      *      *      *      X^2Y^2
yf_e^2      *      *      *      *      *      *      *       XY^3

In general, we find that the condition $\det(L)<e^{m(\omega+1-n)}$, derived from Lemmas 2.1 and 2.2, can be reduced to

$$X^{s_1}Y^{s_2} < e^{s_N}, \qquad \text{where } s_t=\sum_{x^{i_1}y^{i_2}\in M_0} i_t \ (t=1,2), \quad s_N=\sum_{k=1}^{m}|M_k|. \qquad (3.8)$$ Assuming that $|U|<N^\gamma$, inequality (3.8) is equivalent to

$$(\alpha+\beta-1)s_1+\gamma s_2-\alpha s_N<0. \qquad (3.9)$$ By calculation, we obtain that

$$s_1=\frac{m(m+1)(2m+4+3t)}{6},\qquad s_2=\frac{m(m+1)(m+2)}{6}+\frac{mt(m+t+2)}{2},\qquad s_N=\frac{m(m-1)(m+1+3t)}{6}.$$ For any $m$, the left hand side of (3.9) is minimized at $t=m(1-\beta-\gamma)/(2\gamma)$. Plugging this value into (3.9) and omitting negligible terms, we have

$$4\alpha\gamma+2\beta\gamma+\gamma^2-3\beta^2-2\gamma+6\beta-3<0.$$
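As an added illustration (our own code, not from the paper), the following Python builds the sets $M_k$ in their rewritten form, lists the diagonal entries $X^{i_1}Y^{i_2}e^{m-k}$ of the lower-triangular basis matrix, and evaluates the exponent sums $s_1, s_2, s_N$ and the left-hand side of (3.9) exactly; for $m=2$, $t=1$ it reproduces the eight rows of Table 1. All function names are ours.

```python
from fractions import Fraction

def monomial_sets(m, t):
    """M_0, ..., M_{m+1} of Section 3 in their rewritten form, as sets of
    exponent pairs (i1, i2) standing for x^i1 y^i2:
      M_k = {x^i1 y^i2 : k <= i2 <= i1 <= m}
            union, for 1 <= j <= t, {x^i1 y^(i1+j) : max(k,1) <= i1 <= m}."""
    sets = []
    for k in range(m + 2):
        mk = {(i1, i2) for i1 in range(m + 1) for i2 in range(k, i1 + 1)}
        mk |= {(i1, i1 + j) for j in range(1, t + 1)
               for i1 in range(max(k, 1), m + 1)}
        sets.append(mk)
    return sets                      # sets[m + 1] is empty

def diagonal_rows(m, t):
    """Rows of the basis matrix, grouped by k: the shift polynomial of
    x^i1 y^i2 in M_k minus M_{k+1} has diagonal entry X^i1 Y^i2 e^(m-k);
    each row is returned as (i1, i2, exponent of e)."""
    sets = monomial_sets(m, t)
    return [(i1, i2, m - k) for k in range(m + 1)
            for (i1, i2) in sorted(sets[k] - sets[k + 1])]

def exponent_sums(m, t):
    """s1 = sum of i1 over M_0, s2 = sum of i2 over M_0, sN = sum_{k>=1} |M_k|.
    det(L) = X^s1 Y^s2 e^(m|M_0| - sN), which is how sN enters (3.8)."""
    sets = monomial_sets(m, t)
    s1 = sum(i1 for i1, _ in sets[0])
    s2 = sum(i2 for _, i2 in sets[0])
    sN = sum(len(sets[k]) for k in range(1, m + 1))
    # sanity check: the e-exponents on the diagonal sum to m|M_0| - sN
    assert sum(r[2] for r in diagonal_rows(m, t)) == m * len(sets[0]) - sN
    return s1, s2, sN

def closed_forms(m, t):
    """The paper's closed forms for s1 and s2 (text after (3.9))."""
    s1 = Fraction(m * (m + 1) * (2 * m + 4 + 3 * t), 6)
    s2 = Fraction(m * (m + 1) * (m + 2), 6) + Fraction(m * t * (m + t + 2), 2)
    return s1, s2

def lhs_3_9(m, t, alpha, beta, gamma):
    """(alpha+beta-1) s1 + gamma s2 - alpha sN; the construction succeeds
    for these parameters once this value is negative."""
    s1, s2, sN = exponent_sums(m, t)
    return (alpha + beta - 1) * s1 + gamma * s2 - alpha * sN

if __name__ == "__main__":
    for i1, i2, ke in diagonal_rows(2, 1):
        print("x^%d y^%d  ->  X^%d Y^%d e^%d" % (i1, i2, i1, i2, ke))
    print("s1, s2, sN =", exponent_sums(2, 1), " closed forms:", closed_forms(2, 1))
    print("lhs of (3.9) at alpha=1, beta=1/4, gamma=1/2:",
          lhs_3_9(2, 1, Fraction(1), Fraction(1, 4), Fraction(1, 2)))
```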

Notice that there are some bad rows in the above lattice. Next, we refine the construction method and improve the above result. In fact, the following lattice is an optimal lattice.

For $k\in\{1,\dots,m+1\}$, let

$$t_k=\frac{2-\alpha-\beta-\gamma}{\gamma}\,k,\qquad t_0=\max\{t_1,\dots,t_m\},$$
$$M_0:=\{x^{i_1}y^{i_2}\mid x^{i_1}y^{i_2}\text{ is a monomial of }f_e^m\}\cup\bigcup_{0\le k\le m}\ \bigcup_{1\le j\le t_k}\{x^{i_1}y^{i_1+j}\mid i_1=k\},$$
$$M_k:=\{x^{i_1}y^{i_2}\mid x^{i_1}y^{i_2}\text{ is a monomial of }f_e^m\text{ and }x^{i_1}y^{i_2}/l^k\text{ is a monomial of }f_e^{m-k}\}\cup\bigcup_{k\le l\le m}\ \bigcup_{1\le j\le t_l}\{x^{i_1}y^{i_1+j}\mid i_1=l\}.$$

The definition of the shift polynomials $g_{i_1 i_2}(x,y)$ is the same as above. From the definition of $M_k$, we have

$$M_0:=\{x^{i_1}y^{i_2}\mid 0\le i_2\le i_1\le m\}\cup\bigcup_{0\le k\le m}\ \bigcup_{1\le j\le t_k}\{x^{i_1}y^{i_1+j}\mid i_1=k\},$$
$$M_k:=\{x^{i_1}y^{i_2}\mid k\le i_2\le i_1\}\cup\bigcup_{k\le l\le m}\ \bigcup_{1\le j\le t_l}\{x^{i_1}y^{i_1+j}\mid i_1=l\}.$$
By some rather complex calculations, we obtain that

$$s_1=\frac{m(m+1)(m+2)}{3}+\frac{a\,m(m+1)(2m+1)}{6},$$
$$s_2=\frac{m(m+1)(m+2)}{6}+\frac{a^2\,m(m+1)(2m+1)}{12}+\frac{a\,m(m+1)}{4}+\frac{a\,m(m+1)(2m+1)}{6},$$
$$s_N=\frac{m(m-1)(m+1)}{6}+\frac{a\,m(m+1)(2m+1)}{6},$$
where $a=(2-\alpha-\beta-\gamma)/\gamma$. Inequality (3.9) then leads to

$$-2\alpha+2\beta+\alpha^2-\beta^2+\alpha\gamma<0.$$ From Lemma 2.1 and the estimates in (3.8), it is easy to see that if

$$-2\alpha+2\beta+\alpha^2-\beta^2+\alpha\gamma<0,$$ we are guaranteed to find two vectors in $L$ that are shorter than the bound $e^m/\sqrt{\dim(L)}$. These vectors are the coefficient vectors of two bivariate polynomials $h_1(xX,yY)$ and $h_2(xX,yY)$. By Howgrave-Graham's theorem, $h_1(x,y)$ and $h_2(x,y)$ have the same root $(k,U)$ over the integers. Taking the resultant of $h_1(x,y)$ and $h_2(x,y)$ with respect to $y$, we get $g(x)$ with root $k$. We can easily extract $k$ from $g(x)$ with standard root finding algorithms, and then find $U$ from $h_1(x,y)$ or $h_2(x,y)$. This completes the description of the attack. The heuristic assumption on which our approach relies is as follows.

Fact 1.

The probability that the construction described above yields the zero polynomial, that is, that $g(x)$ is identically zero, is negligible.

In practice, we can assume that $g(x)$ is a nonzero polynomial. The following lemma shows why Fact 1 holds.

Lemma 3.1.

Let $h_1(x,y)$, $h_2(x,y)$, and $g(x)$ be defined as above. Then $g(x)$ is the zero polynomial if and only if $\gcd(h_1(x,y),h_2(x,y))\neq 1$.

Proof.

Lemma 3.1 follows from Lemma 8.2 in .

In fact, if the polynomials $h_1,h_2$ are randomly chosen, then the probability that $g(x)$ is the zero polynomial is negligible. From the above discussion, we get the following result.

Theorem 3.2.

Let $e,d$ be defined as above and $U<N^\gamma$. If $-2\alpha+2\beta+\alpha^2-\beta^2+\alpha\gamma<0$, then we can factor $N$ in polynomial time.

We note that when $\alpha=1$ and $\gamma=1/2$, the inequality in Theorem 3.2 becomes

$$\beta^2-2\beta+\tfrac{1}{2}>0,$$ which is the result of Boneh and Durfee.

4. The Case for Small Exponent e

In this section, we suppose that $\alpha$ is smaller than 1. Rewriting

$$p=[\sqrt{N}]-x_0,\qquad q=[\sqrt{N}]+y_0,\qquad A=1-2[\sqrt{N}],\qquad U=y_0-x_0,$$ by (3.1) we have

$$ed+k(A-U)\equiv 1 \pmod{N}.$$ Let

$$f_N(x,y,z)=yz-ex-Ay+1.$$ It is easy to see that $f_N(x,y,z)$ has $(d,k,U)$ as a root modulo $N$. The method of Section 3 can similarly be applied to the trivariate polynomial $f_N$. Here the leading monomial of $f_N$ is $yz$ and its coefficient is 1. Let $\varepsilon>0$ be an arbitrarily small constant. According to the size of $1/\varepsilon$, we fix an integer $m$. For $k\in\{0,\dots,m+1\}$, let

$$t_k=ak-bm,\qquad t_0=\max\{t_1,\dots,t_m\},$$ and $c=b/a$, where $a=(2-\alpha-\gamma)/\gamma$ and $b=\beta/\gamma$. Define the sets $M_k$ of monomials as follows:

$$M_0:=\{x^{i_1}y^{i_2}z^{i_3}\mid x^{i_1}y^{i_2}z^{i_3}\text{ is a monomial of }f^m\}\cup\bigcup_{1\le j\le t_0}\{x^{i_1}z^{j}\mid 0\le i_1\le m-cm\}\cup\bigcup_{cm\le k\le m}\ \bigcup_{1\le j\le t_k}\{x^{i_1}y^{k}z^{k+j}\mid 1\le i_1\le m-k\},$$
$$M_k:=\{x^{i_1}y^{i_2}z^{i_3}\mid x^{i_1}y^{i_2}z^{i_3}\text{ is a monomial of }f^m\text{ and }x^{i_1}y^{i_2}z^{i_3}/l^k\text{ is a monomial of }f^{m-k}\}\cup\bigcup_{cm\le k\le m}\ \bigcup_{k\le l\le m}\ \bigcup_{1\le j\le t_l}\{x^{i_1}y^{l}z^{l+j}\mid 1\le i_1\le m-k\}.$$
We define the following shift polynomials:

$$g_{i_1 i_2 i_3}(x,y,z)=x^{i_1}y^{i_2}z^{i_3}\,l^{-k}\,f(x,y,z)^k\,N^{m-k}, \qquad \text{for } k=0,\dots,m \text{ and } x^{i_1}y^{i_2}z^{i_3}\in M_k\setminus M_{k+1}.$$

All the polynomials $g_{i_1 i_2 i_3}$ have the root $(d,k,U)$ modulo $N^m$. We define a lattice $L$ by taking the coefficient vectors of $g_{i_1 i_2 i_3}(xX,yY,zZ)$ as a basis. We can force the matrix describing $L$ to be lower triangular. The sets $M_k$ can be rewritten as follows:

$$M_0=\{x^{i_1}y^{i_2}z^{i_3}\mid 0\le i_1+i_2\le m \text{ and } 0\le i_3\le i_2\}\cup\bigcup_{1\le j\le t_0}\{x^{i_1}z^{j}\mid 0\le i_1\le m-cm\}\cup\bigcup_{cm\le k\le m}\ \bigcup_{1\le j\le t_k}\{x^{i_1}y^{k}z^{k+j}\mid 1\le i_1\le m-k\},$$
$$M_k=\{x^{i_1}y^{i_2}z^{i_3}\mid k\le i_1+i_2\le m \text{ and } k\le i_3\le i_2\}\cup\bigcup_{cm\le k\le m}\ \bigcup_{k\le l\le m}\ \bigcup_{1\le j\le t_l}\{x^{i_1}y^{l}z^{l+j}\mid 1\le i_1\le m-k\}.$$

For example, we consider the case $m=2$. From the definition of $M_k$, we have

$$M_0=\{y^2z^2,\,y^2z,\,xyz,\,yz,\,y^2,\,xy,\,x^2,\,x,\,y,\,1\},\qquad M_1=\{y^2z^2,\,y^2z,\,xyz,\,yz\},\qquad M_2=\{y^2z^2\}.$$

The matrix of the lattice for m=2 is shown in Table 2.

Table 2: Basis matrix of the lattice for m = 2. Rows are the shift polynomials, columns are the monomials of M_0, and * marks a nonzero entry below the diagonal.

            1      x      y      x^2    y^2    xy     yz     xyz    y^2z    y^2z^2
N^2         N^2
xN^2        *      XN^2
yN^2        *      *      YN^2
x^2N^2      *      *      *      X^2N^2
y^2N^2      *      *      *      *      Y^2N^2
xyN^2       *      *      *      *      *      XYN^2
f_N         *      *      *      *      *      *      YZN^2
xf_N        *      *      *      *      *      *      *      XYZN^2
yf_N        *      *      *      *      *      *      *      *      Y^2ZN^2
f_N^2       *      *      *      *      *      *      *      *      *       Y^2Z^2N^2

In general, we find that the condition $\det(L)<N^{m(\omega+1-n)}$, derived from Lemmas 2.1 and 2.2, can be reduced to

$$X^{s_1}Y^{s_2}Z^{s_3}<N^{s_N}, \qquad \text{where } s_t=\sum_{x^{i_1}y^{i_2}z^{i_3}\in M_0} i_t \ (t=1,2,3), \quad s_N=\sum_{k=1}^{m}|M_k|. \qquad (4.9)$$ Let $|U|<N^\gamma$. Hence, inequality (4.9) is equivalent to

$$\beta s_1+(\alpha+\beta-1)s_2+\gamma s_3 < s_N. \qquad (4.10)$$ By calculation, we obtain that

$$s_1=\frac{m^4}{24}+\frac{(a-b)^4}{24a^3}\,m^4+O(m^3),\qquad s_2=\frac{m^4}{12}+\frac{a^4-2a^3b+2ab^3-b^4}{12a^3}\,m^4+O(m^3),$$
$$s_N=\frac{m^4}{24}+\frac{(a-b)^4}{24a^2}\,m^4+\frac{a^4-2a^3b+2ab^3-b^4}{12a^3}\,m^4+O(m^3).$$
Plugging these values into (4.10) and omitting the negligible terms, we get that

$$\beta\bigl(3a^3+(a-b)^3(3a+b)\bigr)+\alpha\bigl(2a^3+2(a+b)(a-b)^3\bigr)+\gamma\bigl(a^3+(a-b)^3(a^2-ab+2a+2b)\bigr)-\bigl(3a^3+(a-b)^3(7a-3b)\bigr)<0,$$
which guarantees that we can find three vectors in $L$ that are shorter than the bound $N^m/\sqrt{\dim(L)}$. These vectors are the coefficient vectors of three trivariate polynomials $f_1(xX,yY,zZ)$, $f_2(xX,yY,zZ)$, and $f_3(xX,yY,zZ)$. By Howgrave-Graham's theorem, $f_1(x,y,z)$, $f_2(x,y,z)$, and $f_3(x,y,z)$ have the root $(d,k,U)$ over the integers. Afterward, we take the resultants of these integral polynomials with respect to the variable $z$ and obtain two bivariate polynomials $g_1(x,y)$ and $g_2(x,y)$ with root $(d,k)$. Taking the resultant of $g_1(x,y)$ and $g_2(x,y)$ with respect to $y$, we get $g(x)$ with root $d$. Then $d$ can easily be extracted from $g(x)$ with standard root finding algorithms, and we can find $k$ from $g_1(x,y)$ or $g_2(x,y)$. Similarly, we can get $U$. By $U=y_0-x_0$ and $N=([\sqrt{N}])^2+[\sqrt{N}](y_0-x_0)-x_0y_0$, $N$ can then be factored in polynomial time. This completes the description of the attack. The heuristic assumption on which our approach relies is as follows.

Fact 2.

The probability that the construction described above yields the zero polynomial, that is, that $g(x)$ is identically zero, is negligible.

By a discussion similar to that for Fact 1, for randomly chosen $f_1(x,y,z)$, $f_2(x,y,z)$, and $f_3(x,y,z)$ the probability that $g(x)$ is the zero polynomial is negligible. Therefore, in practice, we can assume that $g(x)$ is a nonzero polynomial.

Theorem 4.1.

Let $e,d$ be defined as above and $U<N^\gamma$. If
$$\beta\bigl(3a^3+(a-b)^3(3a+b)\bigr)+\alpha\bigl(2a^3+2(a+b)(a-b)^3\bigr)+\gamma\bigl(a^3+(a-b)^3(a^2-ab+2a+2b)\bigr)-\bigl(3a^3+(a-b)^3(7a-3b)\bigr)<0,$$
then we can factor $N$ in polynomial time, where $a=(2-\alpha-\gamma)/\gamma$ and $b=\beta/\gamma$.

As a special case of Theorem 4.1, one can see that when $2\alpha+\gamma\le 1.5$ and $d<N^{1/2}$, there exists an algorithm that factors $N$ in polynomial time.
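As an added example (our own code, not from the paper), the following Python performs the key-parameter check that Theorems 3.2 and 4.1 suggest for a key generator: it splits a modulus as $p=[\sqrt{N}]-x_0$, $q=[\sqrt{N}]+y_0$ (verifying the identity $N=[\sqrt{N}]^2+[\sqrt{N}](y_0-x_0)-x_0y_0$ used in Section 4), estimates $\alpha,\beta,\gamma$ as logarithms base $N$ of $e$, $d$ and $|U|$, and reports whether $(\alpha,\beta,\gamma)$ satisfies either theorem's inequality. The primes and exponents in the usage section are constructed toy values and the function names are ours.

```python
import math

def split_modulus(p, q):
    """Return (N, x0, y0, U) with p = [sqrt N] - x0, q = [sqrt N] + y0, U = y0 - x0."""
    if p > q:
        p, q = q, p
    N = p * q
    r = math.isqrt(N)                    # [sqrt N], the integral part of sqrt N
    x0, y0 = r - p, q - r
    assert N == r * r + r * (y0 - x0) - x0 * y0   # identity from Section 4
    return N, x0, y0, y0 - x0

def log_exponents(N, e, d, U):
    """(alpha, beta, gamma) with e = N^alpha, d = N^beta, |U| = N^gamma
    (an exponent is 0.0 when the corresponding value is at most 1)."""
    lg = lambda v: math.log(v) / math.log(N) if v > 1 else 0.0
    return lg(e), lg(d), lg(abs(U))

def theorem_3_2(alpha, beta, gamma):
    """Large-e case: N is factorable in polynomial time when this holds."""
    return -2 * alpha + 2 * beta + alpha ** 2 - beta ** 2 + alpha * gamma < 0

def theorem_4_1(alpha, beta, gamma):
    """Small-e case; needs gamma > 0 because a and b divide by gamma."""
    a, b = (2 - alpha - gamma) / gamma, beta / gamma
    lhs = (beta * (3 * a ** 3 + (a - b) ** 3 * (3 * a + b))
           + alpha * (2 * a ** 3 + 2 * (a + b) * (a - b) ** 3)
           + gamma * (a ** 3 + (a - b) ** 3 * (a ** 2 - a * b + 2 * a + 2 * b))
           - (3 * a ** 3 + (a - b) ** 3 * (7 * a - 3 * b)))
    return lhs < 0

def key_report(p, q, e, d):
    """Summarise where a key pair sits relative to the two theorems."""
    N, x0, y0, U = split_modulus(p, q)
    alpha, beta, gamma = log_exponents(N, e, d, U)
    return {
        "N": N, "U": U, "alpha": alpha, "beta": beta, "gamma": gamma,
        "theorem_3_2": theorem_3_2(alpha, beta, gamma),
        "theorem_4_1": theorem_4_1(alpha, beta, gamma) if gamma > 0 else None,
    }

if __name__ == "__main__":
    # Constructed toy key: twin primes 101 and 103, so U = 2 and gamma is tiny;
    # e = 8743, d = 7 satisfy e*d = 1 mod phi(N) = 10200.
    print(key_report(101, 103, 8743, 7))
    # Constructed primes of the same size but further apart: U = 10.
    print(split_modulus(1009, 1201))
```

With balanced random primes $\gamma\approx 1/2$ and Theorem 3.2 reduces to the Boneh and Durfee bound, while the twin-prime toy key is flagged for a far larger $\beta$, which is the point made in the introduction.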

5. Conclusion

In this paper, we obtained our results by taking advantage of the lattice reduction technique. By improving the Jochemsz and May strategy of constructing a lattice basis, we discard the bad rows of the lattice and obtain an optimal lattice. Applying this method of constructing an optimal lattice to the cryptanalysis of short exponent RSA, we get the main results, which extend those of Boneh and Durfee.

Acknowledgments

This work is supported by National 973 (Grant no. 2007CB807902), the NSFC project (Grant no. 60873041), the Natural Science Foundation of Shandong Province (Grant no. Y2008G23), and the Doctoral Fund of the Ministry of Education of China (Grant no. 20090131120012).

References

[1] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, vol. 21, no. 2, pp. 120–126, 1978. doi:10.1145/359340.359342
[2] M. J. Wiener, "Cryptanalysis of short RSA secret exponents," IEEE Transactions on Information Theory, vol. 36, no. 3, pp. 553–558, 1990. doi:10.1109/18.54902
[3] D. Coppersmith, "Small solutions to polynomial equations, and low exponent RSA vulnerabilities," Journal of Cryptology, vol. 10, no. 4, pp. 233–260, 1997. doi:10.1007/s001459900030
[4] D. Boneh and G. Durfee, "Cryptanalysis of RSA with private key d less than N^0.292," IEEE Transactions on Information Theory, vol. 46, no. 4, pp. 1339–1349, 2000. doi:10.1109/18.850673
[5] J.-S. Coron and A. May, "Deterministic polynomial-time equivalence of computing the RSA secret key and factoring," Journal of Cryptology, vol. 20, no. 1, pp. 39–50, 2007. doi:10.1007/s00145-006-0433-6
[6] A. May, "Cryptanalysis of unbalanced RSA with small CRT-exponent," in Proceedings of the 22nd Annual International Cryptology Conference (Crypto '02), vol. 2442 of Lecture Notes in Computer Science, pp. 242–256, Springer, 2002.
[7] E. Jochemsz and A. May, "A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants," in Proceedings of the 12th International Conference on the Theory and Application of Cryptology and Information Security, pp. 267–282, 2006.
[8] N. Howgrave-Graham, "Finding small roots of univariate modular equations revisited," in Proceedings of the 6th IMA International Conference on Cryptography and Coding, vol. 1355 of Lecture Notes in Computer Science, pp. 131–142, Springer, 1997. doi:10.1007/BFb0024458
[9] S. Lang, Algebra, vol. 211 of Graduate Texts in Mathematics, 3rd edition, Springer, New York, NY, USA, 2002, xvi+914 pp.