New Cryptanalytic Attack on RSA Modulus <i>N</i> = <i>pq</i> Using Small Prime Difference Method
This paper presents new short decryption exponent attacks on RSA, which successfully leads to the factorization of RSA modulus <inline-formula> <math display="inline"> <semantics> <mrow> <mi>N</mi> <mo>=</mo> <mi>p</mi> <mi>...
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
MDPI AG
2018-12-01
|
| Series: | Cryptography |
| Subjects: | |
| Online Access: | https://www.mdpi.com/2410-387X/3/1/2 |
| id |
doaj-6e6be974c7b74e97b1fc09efa1befe04 |
|---|---|
| record_format |
Article |
| collection |
DOAJ |
| language |
English |
| format |
Article |
| sources |
DOAJ |
| author |
Muhammad Rezal Kamel Ariffin Saidu Isah Abubakar Faridah Yunos Muhammad Asyraf Asbullah |
| spellingShingle |
Muhammad Rezal Kamel Ariffin Saidu Isah Abubakar Faridah Yunos Muhammad Asyraf Asbullah New Cryptanalytic Attack on RSA Modulus <i>N</i> = <i>pq</i> Using Small Prime Difference Method Cryptography RSA modulus primes difference cryptanalysis short decryption exponent attacks continued fraction |
| author_facet |
Muhammad Rezal Kamel Ariffin Saidu Isah Abubakar Faridah Yunos Muhammad Asyraf Asbullah |
| author_sort |
Muhammad Rezal Kamel Ariffin |
| title |
New Cryptanalytic Attack on RSA Modulus <i>N</i> = <i>pq</i> Using Small Prime Difference Method |
| title_short |
New Cryptanalytic Attack on RSA Modulus <i>N</i> = <i>pq</i> Using Small Prime Difference Method |
| title_full |
New Cryptanalytic Attack on RSA Modulus <i>N</i> = <i>pq</i> Using Small Prime Difference Method |
| title_fullStr |
New Cryptanalytic Attack on RSA Modulus <i>N</i> = <i>pq</i> Using Small Prime Difference Method |
| title_full_unstemmed |
New Cryptanalytic Attack on RSA Modulus <i>N</i> = <i>pq</i> Using Small Prime Difference Method |
| title_sort |
new cryptanalytic attack on rsa modulus <i>n</i> = <i>pq</i> using small prime difference method |
| publisher |
MDPI AG |
| series |
Cryptography |
| issn |
2410-387X |
| publishDate |
2018-12-01 |
| description |
This paper presents new short decryption exponent attacks on RSA, which successfully leads to the factorization of RSA modulus <inline-formula> <math display="inline"> <semantics> <mrow> <mi>N</mi> <mo>=</mo> <mi>p</mi> <mi>q</mi> </mrow> </semantics> </math> </inline-formula> in polynomial time. The paper has two parts. In the first part, we report the usage of the small prime difference method of the form <inline-formula> <math display="inline"> <semantics> <mrow> <mrow> <mo stretchy="false">|</mo> </mrow> <msup> <mi>b</mi> <mn>2</mn> </msup> <mi>p</mi> <mo>−</mo> <msup> <mi>a</mi> <mn>2</mn> </msup> <mrow> <mi>q</mi> <mo stretchy="false">|</mo> <mo><</mo> </mrow> <msup> <mi>N</mi> <mi>γ</mi> </msup> </mrow> </semantics> </math> </inline-formula> where the ratio of <inline-formula> <math display="inline"> <semantics> <mfrac> <mi>q</mi> <mi>p</mi> </mfrac> </semantics> </math> </inline-formula> is close to <inline-formula> <math display="inline"> <semantics> <mfrac> <msup> <mi>b</mi> <mn>2</mn> </msup> <msup> <mi>a</mi> <mn>2</mn> </msup> </mfrac> </semantics> </math> </inline-formula>, which yields a bound <inline-formula> <math display="inline"> <semantics> <mrow> <mi>d</mi> <mo><</mo> <mfrac> <msqrt> <mn>3</mn> </msqrt> <msqrt> <mn>2</mn> </msqrt> </mfrac> <msup> <mi>N</mi> <mrow> <mfrac> <mn>3</mn> <mn>4</mn> </mfrac> <mo>−</mo> <mi>γ</mi> </mrow> </msup> </mrow> </semantics> </math> </inline-formula> from the convergents of the continued fraction expansion of <inline-formula> <math display="inline"> <semantics> <mfrac> <mi>e</mi> <mrow> <mi>N</mi> <mo>−</mo> <mo stretchy="false">⌈</mo> <mfrac> <mrow> <msup> <mi>a</mi> <mn>2</mn> </msup> <mo>+</mo> <msup> <mi>b</mi> <mn>2</mn> </msup> </mrow> <mrow> <mi>a</mi> <mi>b</mi> </mrow> </mfrac> <msqrt> <mi>N</mi> </msqrt> <mo stretchy="false">⌉</mo> <mo>+</mo> <mn>1</mn> </mrow> </mfrac> </semantics> </math> </inline-formula>. The second part of the paper reports four cryptanalytic attacks on <i>t</i> instances of RSA moduli <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo>=</mo> <msub> <mi>p</mi> <mi>s</mi> </msub> <msub> <mi>q</mi> <mi>s</mi> </msub> </mrow> </semantics> </math> </inline-formula> for <inline-formula> <math display="inline"> <semantics> <mrow> <mi>s</mi> <mo>=</mo> <mn>1</mn> <mo>,</mo> <mn>2</mn> <mo>,</mo> <mo>…</mo> <mo>,</mo> <mi>t</mi> </mrow> </semantics> </math> </inline-formula> where we use <inline-formula> <math display="inline"> <semantics> <mrow> <mi>N</mi> <mo>−</mo> <mo stretchy="false">⌈</mo> <mfrac> <mrow> <msup> <mi>a</mi> <mn>2</mn> </msup> <mo>+</mo> <msup> <mi>b</mi> <mn>2</mn> </msup> </mrow> <mrow> <mi>a</mi> <mi>b</mi> </mrow> </mfrac> <msqrt> <mi>N</mi> </msqrt> <mo stretchy="false">⌉</mo> <mo>+</mo> <mn>1</mn> </mrow> </semantics> </math> </inline-formula> as an approximation of <inline-formula> <math display="inline"> <semantics> <mrow> <mi>ϕ</mi> <mo stretchy="false">(</mo> <mi>N</mi> <mo stretchy="false">)</mo> </mrow> </semantics> </math> </inline-formula> satisfying generalized key equations of the shape <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>e</mi> <mi>s</mi> </msub> <mi>d</mi> <mo>−</mo> <msub> <mi>k</mi> <mi>s</mi> </msub> <mi>ϕ</mi> <mrow> <mo stretchy="false">(</mo> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo stretchy="false">)</mo> </mrow> <mo>=</mo> <mn>1</mn> </mrow> </semantics> </math> </inline-formula>, <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>e</mi> <mi>s</mi> </msub> <msub> <mi>d</mi> <mi>s</mi> </msub> <mo>−</mo> <mi>k</mi> <mi>ϕ</mi> <mrow> <mo stretchy="false">(</mo> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo stretchy="false">)</mo> </mrow> <mo>=</mo> <mn>1</mn> </mrow> </semantics> </math> </inline-formula>, <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>e</mi> <mi>s</mi> </msub> <mi>d</mi> <mo>−</mo> <msub> <mi>k</mi> <mi>s</mi> </msub> <mi>ϕ</mi> <mrow> <mo stretchy="false">(</mo> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo stretchy="false">)</mo> </mrow> <mo>=</mo> <msub> <mi>z</mi> <mi>s</mi> </msub> </mrow> </semantics> </math> </inline-formula>, and <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>e</mi> <mi>s</mi> </msub> <msub> <mi>d</mi> <mi>s</mi> </msub> <mo>−</mo> <mi>k</mi> <mi>ϕ</mi> <mrow> <mo stretchy="false">(</mo> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo stretchy="false">)</mo> </mrow> <mo>=</mo> <msub> <mi>z</mi> <mi>s</mi> </msub> </mrow> </semantics> </math> </inline-formula> for unknown positive integers <inline-formula> <math display="inline"> <semantics> <mrow> <mi>d</mi> <mo>,</mo> <mspace width="4pt"></mspace> <msub> <mi>k</mi> <mi>s</mi> </msub> <mo>,</mo> <mspace width="4pt"></mspace> <msub> <mi>d</mi> <mi>s</mi> </msub> <mo>,</mo> <mspace width="4pt"></mspace> <msub> <mi>k</mi> <mi>s</mi> </msub> </mrow> </semantics> </math> </inline-formula>, and <inline-formula> <math display="inline"> <semantics> <msub> <mi>z</mi> <mi>s</mi> </msub> </semantics> </math> </inline-formula>, where we establish that <i>t</i> RSA moduli can be simultaneously factored in polynomial time using combinations of simultaneous Diophantine approximations and lattice basis reduction methods. In all the reported attacks, we have found an improved short secret exponent bound, which is considered to be better than some bounds as reported in the literature. |
| topic |
RSA modulus primes difference cryptanalysis short decryption exponent attacks continued fraction |
| url |
https://www.mdpi.com/2410-387X/3/1/2 |
| work_keys_str_mv |
AT muhammadrezalkamelariffin newcryptanalyticattackonrsamodulusiniipqiusingsmallprimedifferencemethod AT saiduisahabubakar newcryptanalyticattackonrsamodulusiniipqiusingsmallprimedifferencemethod AT faridahyunos newcryptanalyticattackonrsamodulusiniipqiusingsmallprimedifferencemethod AT muhammadasyrafasbullah newcryptanalyticattackonrsamodulusiniipqiusingsmallprimedifferencemethod |
| _version_ |
1725189616168861696 |
| spelling |
doaj-6e6be974c7b74e97b1fc09efa1befe042020-11-25T01:06:33ZengMDPI AGCryptography2410-387X2018-12-0131210.3390/cryptography3010002cryptography3010002New Cryptanalytic Attack on RSA Modulus <i>N</i> = <i>pq</i> Using Small Prime Difference MethodMuhammad Rezal Kamel Ariffin0Saidu Isah Abubakar1Faridah Yunos2Muhammad Asyraf Asbullah3Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, Universiti Putra Malaysia, Selangor 43400, MalaysiaAl-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, Universiti Putra Malaysia, Selangor 43400, MalaysiaAl-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, Universiti Putra Malaysia, Selangor 43400, MalaysiaAl-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, Universiti Putra Malaysia, Selangor 43400, MalaysiaThis paper presents new short decryption exponent attacks on RSA, which successfully leads to the factorization of RSA modulus <inline-formula> <math display="inline"> <semantics> <mrow> <mi>N</mi> <mo>=</mo> <mi>p</mi> <mi>q</mi> </mrow> </semantics> </math> </inline-formula> in polynomial time. The paper has two parts. In the first part, we report the usage of the small prime difference method of the form <inline-formula> <math display="inline"> <semantics> <mrow> <mrow> <mo stretchy="false">|</mo> </mrow> <msup> <mi>b</mi> <mn>2</mn> </msup> <mi>p</mi> <mo>−</mo> <msup> <mi>a</mi> <mn>2</mn> </msup> <mrow> <mi>q</mi> <mo stretchy="false">|</mo> <mo><</mo> </mrow> <msup> <mi>N</mi> <mi>γ</mi> </msup> </mrow> </semantics> </math> </inline-formula> where the ratio of <inline-formula> <math display="inline"> <semantics> <mfrac> <mi>q</mi> <mi>p</mi> </mfrac> </semantics> </math> </inline-formula> is close to <inline-formula> <math display="inline"> <semantics> <mfrac> <msup> <mi>b</mi> <mn>2</mn> </msup> <msup> <mi>a</mi> <mn>2</mn> </msup> </mfrac> </semantics> </math> </inline-formula>, which yields a bound <inline-formula> <math display="inline"> <semantics> <mrow> <mi>d</mi> <mo><</mo> <mfrac> <msqrt> <mn>3</mn> </msqrt> <msqrt> <mn>2</mn> </msqrt> </mfrac> <msup> <mi>N</mi> <mrow> <mfrac> <mn>3</mn> <mn>4</mn> </mfrac> <mo>−</mo> <mi>γ</mi> </mrow> </msup> </mrow> </semantics> </math> </inline-formula> from the convergents of the continued fraction expansion of <inline-formula> <math display="inline"> <semantics> <mfrac> <mi>e</mi> <mrow> <mi>N</mi> <mo>−</mo> <mo stretchy="false">⌈</mo> <mfrac> <mrow> <msup> <mi>a</mi> <mn>2</mn> </msup> <mo>+</mo> <msup> <mi>b</mi> <mn>2</mn> </msup> </mrow> <mrow> <mi>a</mi> <mi>b</mi> </mrow> </mfrac> <msqrt> <mi>N</mi> </msqrt> <mo stretchy="false">⌉</mo> <mo>+</mo> <mn>1</mn> </mrow> </mfrac> </semantics> </math> </inline-formula>. The second part of the paper reports four cryptanalytic attacks on <i>t</i> instances of RSA moduli <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo>=</mo> <msub> <mi>p</mi> <mi>s</mi> </msub> <msub> <mi>q</mi> <mi>s</mi> </msub> </mrow> </semantics> </math> </inline-formula> for <inline-formula> <math display="inline"> <semantics> <mrow> <mi>s</mi> <mo>=</mo> <mn>1</mn> <mo>,</mo> <mn>2</mn> <mo>,</mo> <mo>…</mo> <mo>,</mo> <mi>t</mi> </mrow> </semantics> </math> </inline-formula> where we use <inline-formula> <math display="inline"> <semantics> <mrow> <mi>N</mi> <mo>−</mo> <mo stretchy="false">⌈</mo> <mfrac> <mrow> <msup> <mi>a</mi> <mn>2</mn> </msup> <mo>+</mo> <msup> <mi>b</mi> <mn>2</mn> </msup> </mrow> <mrow> <mi>a</mi> <mi>b</mi> </mrow> </mfrac> <msqrt> <mi>N</mi> </msqrt> <mo stretchy="false">⌉</mo> <mo>+</mo> <mn>1</mn> </mrow> </semantics> </math> </inline-formula> as an approximation of <inline-formula> <math display="inline"> <semantics> <mrow> <mi>ϕ</mi> <mo stretchy="false">(</mo> <mi>N</mi> <mo stretchy="false">)</mo> </mrow> </semantics> </math> </inline-formula> satisfying generalized key equations of the shape <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>e</mi> <mi>s</mi> </msub> <mi>d</mi> <mo>−</mo> <msub> <mi>k</mi> <mi>s</mi> </msub> <mi>ϕ</mi> <mrow> <mo stretchy="false">(</mo> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo stretchy="false">)</mo> </mrow> <mo>=</mo> <mn>1</mn> </mrow> </semantics> </math> </inline-formula>, <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>e</mi> <mi>s</mi> </msub> <msub> <mi>d</mi> <mi>s</mi> </msub> <mo>−</mo> <mi>k</mi> <mi>ϕ</mi> <mrow> <mo stretchy="false">(</mo> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo stretchy="false">)</mo> </mrow> <mo>=</mo> <mn>1</mn> </mrow> </semantics> </math> </inline-formula>, <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>e</mi> <mi>s</mi> </msub> <mi>d</mi> <mo>−</mo> <msub> <mi>k</mi> <mi>s</mi> </msub> <mi>ϕ</mi> <mrow> <mo stretchy="false">(</mo> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo stretchy="false">)</mo> </mrow> <mo>=</mo> <msub> <mi>z</mi> <mi>s</mi> </msub> </mrow> </semantics> </math> </inline-formula>, and <inline-formula> <math display="inline"> <semantics> <mrow> <msub> <mi>e</mi> <mi>s</mi> </msub> <msub> <mi>d</mi> <mi>s</mi> </msub> <mo>−</mo> <mi>k</mi> <mi>ϕ</mi> <mrow> <mo stretchy="false">(</mo> <msub> <mi>N</mi> <mi>s</mi> </msub> <mo stretchy="false">)</mo> </mrow> <mo>=</mo> <msub> <mi>z</mi> <mi>s</mi> </msub> </mrow> </semantics> </math> </inline-formula> for unknown positive integers <inline-formula> <math display="inline"> <semantics> <mrow> <mi>d</mi> <mo>,</mo> <mspace width="4pt"></mspace> <msub> <mi>k</mi> <mi>s</mi> </msub> <mo>,</mo> <mspace width="4pt"></mspace> <msub> <mi>d</mi> <mi>s</mi> </msub> <mo>,</mo> <mspace width="4pt"></mspace> <msub> <mi>k</mi> <mi>s</mi> </msub> </mrow> </semantics> </math> </inline-formula>, and <inline-formula> <math display="inline"> <semantics> <msub> <mi>z</mi> <mi>s</mi> </msub> </semantics> </math> </inline-formula>, where we establish that <i>t</i> RSA moduli can be simultaneously factored in polynomial time using combinations of simultaneous Diophantine approximations and lattice basis reduction methods. In all the reported attacks, we have found an improved short secret exponent bound, which is considered to be better than some bounds as reported in the literature.https://www.mdpi.com/2410-387X/3/1/2RSA modulusprimes differencecryptanalysisshort decryption exponentattackscontinued fraction |