Implicit factorization of unbalanced RSA moduli
Abstract
Let N1 = p1q1 and N2 = p2q2 be two RSA moduli, not necessarily of the same bit-size. In 2009, May and Ritzenhofen proposed a method to factor N1 and N2 given the implicit information that p1 and p2 share an amount of least significant bits. In this paper, we propose a generalization of their attack as follows: suppose that some unknown multiples a1p1 and a2p2 of the prime factors p1 and p2 share an amount of their Most Significant Bits (MSBs) or an amount of their Least Significant Bits (LSBs). Using a method based on the continued fraction algorithm, we propose a method that leads to the factorization of N1 and N2. Using simultaneous Diophantine approximations and lattice reduction, we extend the method to factor k ≥ 3 RSA moduli Ni = piqi, i = 1, ..., k given the implicit information that there exist unknown multiples a1p1, ..., akpk sharing an amount of their MSBs or their LSBs. Also, this paper extends many previous works where similar results were obtained when the pi’s share their MSBs or their LSBs.
Similar resources
A Simple Improvement for Integer Factorizations with Implicit Hints
In this paper, we describe an improvement of integer factorization of k RSA moduli Ni = piqi (1 ≤ i ≤ k) with implicit hints, namely all pi share their t least significant bits. May et al. reduced this problem to finding a shortest (or a relatively short) vector in the lattice of dimension k obtained from a given system of k RSA moduli, for which they applied Gaussian reduction or the LLL algori...
Implicit Factoring with Shared Most Significant and Middle Bits
We study the problem of integer factoring given implicit information of a special kind. The problem is as follows: let N1 = p1q1 and N2 = p2q2 be two RSA moduli of same bit-size, where q1,q2 are α-bit primes. We are given the implicit information that p1 and p2 share t most significant bits. We present a novel and rigorous lattice-based method that leads to the factorization of N1 and N2 in pol...
Factoring Unbalanced Moduli with Known Bits
Let n = pq > q be an RSA modulus. This note describes an LLL-based method allowing to factor n given 2 log2 q contiguous bits of p, irrespective to their position. A second method is presented, which needs fewer bits but whose length depends on the position of the known bit pattern. Finally, we introduce a somewhat surprising ad hoc method where two different known bit chunks, totalling 3/2 log2...
Implicit Factoring: On Polynomial Time Factoring Given Only an Implicit Hint
We address the problem of polynomial time factoring RSA moduli N1 = p1q1 with the help of an oracle. As opposed to other approaches that require an oracle that explicitly outputs bits of p1, we use an oracle that gives only implicit information about p1. Namely, our oracle outputs a different N2 = p2q2 such that p1 and p2 share the t least significant bits. Surprisingly, this implicit informati...
Factoring RSA Moduli with Weak Prime Factors
In this paper, we study the problem of factoring an RSA modulus N = pq in polynomial time, when p is a weak prime, that is, p can be expressed as ap = u0 + M1u1 + ... + Mkuk for some k integers M1, ..., Mk and k+2 suitably small parameters a, u0, ..., uk. We further compute a lower bound for the set of weak moduli, that is, moduli made of at least one weak prime, in the interval [2, 2] and...
Journal title: IACR Cryptology ePrint Archive
Volume: 2014
Publication date: 2014