Factoring RSA Modulus Using Prime Reconstruction from Random Known Bits
نویسندگان
چکیده
This paper discusses the factorization of the RSA modulus N (i.e., N = pq, where p, q are primes of same bit size) by reconstructing the primes from randomly known bits. The reconstruction method is a modified brute-force search exploiting the known bits to prune wrong branches of the search tree, thereby reducing the total search space towards possible factorization. Here we revisit the work of Heninger and Shacham in Crypto 2009 and provide a combinatorial model for the search where some random bits of the primes are known. This shows how one can factorize N given the knowledge of random bits in the least significant halves of the primes. We also explain a lattice based strategy in this direction. More importantly, we study how N can be factored given the knowledge of some blocks of bits in the most significant halves of the primes. We present improved theoretical result and experimental evidences in this direction.
منابع مشابه
How to Compress Rabin Ciphertexts and Signatures (and More)
Ordinarily, RSA and Rabin ciphertexts and signatures are log N bits, where N is a composite modulus; here, we describe how to “compress” Rabin ciphertexts and signatures (among other things) down to about (2/3) log N bits, while maintaining a tight provable reduction from factoring in the random oracle model. The computational overhead of our compression algorithms is small. We also improve upo...
متن کاملNew Partial Key Exposure Attacks on RSA Revisited
At CRYPTO 2003, Blömer and May presented new partial key exposure attacks against RSA. These were the first known polynomial-time partial key exposure attacks against RSA with public exponent e > N . Attacks for known most significant bits and known least significant bits were presented. In this work, we extend their attacks to multi-prime RSA. For r-prime RSA, these result in the first known p...
متن کاملFactoring a Multiprime Modulus N with Random Bits
In 2009, Heninger and Shacham presented an algorithm using the Hensel's lemma for reconstructing the prime factors of the modulus N = r1r2. This algorithm computes the prime factors of N in polynomial time, with high probability, assuming that a fraction greater than or equal to 59% random bits of its primes r1 and r2 is given. In this paper, we present the analysis of Hensel's lemma for a mult...
متن کاملFactoring RSA Moduli with Weak Prime Factors
In this paper, we study the problem of factoring an RSA modulus N = pq in polynomial time, when p is a weak prime, that is, p can be expressed as ap = u0 + M1u1 + . . . + Mkuk for some k integers M1, . . . ,Mk and k+2 suitably small parameters a, u0, . . . uk. We further compute a lower bound for the set of weak moduli, that is, moduli made of at least one weak prime, in the interval [2, 2] and...
متن کاملNew Attacks on the RSA Cryptosystem
This paper presents three new attacks on the RSA cryptosystem. The first two attacks work when k RSA public keys (Ni, ei) are such that there exist k relations of the shape eix−yiφ(Ni) = zi or of the shape eixi − yφ(Ni) = zi where Ni = piqi, φ(Ni) = (pi − 1)(qi − 1) and the parameters x, xi, y, yi, zi are suitably small in terms of the prime factors of the moduli. We show that our attacks enabl...
متن کامل