Factoring Unbalanced Moduli with Known Bits
نویسندگان
چکیده
Let n = pq > q be an rsa modulus. This note describes a lll-based method allowing to factor n given 2 log2 q contiguous bits of p, irrespective to their position. A second method is presented, which needs fewer bits but whose length depends on the position of the known bit pattern. Finally, we introduce a somewhat surprising ad hoc method where two different known bit chunks, totalling 3 2 log2 q bits suffice to factor n.
منابع مشابه
Implicit Factoring: On Polynomial Time Factoring Given Only an Implicit Hint
We address the problem of polynomial time factoring RSA moduli N1 = p1q1 with the help of an oracle. As opposed to other approaches that require an oracle that explicitly outputs bits of p1, we use an oracle that gives only implicit information about p1. Namely, our oracle outputs a different N2 = p2q2 such that p1 and p2 share the t least significant bits. Surprisingly, this implicit informati...
متن کاملImplicit factorization of unbalanced RSA moduli
Let N1 = p1q1 and N2 = p2q2 be two RSA moduli, not necessarily of the same bit-size. In 2009, May and Ritzenhofen proposed a method to factor N1 and N2 given the implicit information that p1 and p2 share an amount of least significant bits. In this paper, we propose a generalization of their attack as follows: suppose that some unknown multiples a1p1 and a2p2 of the prime factors p1 and p2 shar...
متن کاملImplicit Factoring with Shared Most Significant and Middle Bits
We study the problem of integer factoring given implicit information of a special kind. The problem is as follows: let N1 = p1q1 and N2 = p2q2 be two RSA moduli of same bit-size, where q1,q2 are α-bit primes. We are given the implicit information that p1 and p2 share t most significant bits. We present a novel and rigorous lattice-based method that leads to the factorization of N1 and N2 in pol...
متن کاملOn Factoring Arbitrary Integers with Known Bits
We study the factoring with known bits problem, where we are given a composite integer N = p1p2 . . . pr and oracle access to the bits of the prime factors pi, i = 1, . . . , r. Our goal is to find the full factorization of N in polynomial time with a minimal number of calls to the oracle. We present a rigorous algorithm that efficiently factors N given (1− 1 r Hr) log N bits, where Hr denotes ...
متن کاملGeneric Attacks on Unbalanced Feistel Schemes with Expanding Functions
Unbalanced Feistel schemes with expanding functions are used to construct pseudo-random permutations from kn bits to kn bits by using random functions from n bits to (k−1)n bits. At each round, all the bits except n bits are changed by using a function that depends only on these n bits. Jutla [6] investigated such schemes, which he denotes by F d k , where d is the number of rounds. In this pap...
متن کامل