Abstract

We provide a new method of constructing an optimal lattice. Applying our method to the cryptanalysis of the short exponent RSA, we obtain our results which extend Boneh and Durfee's work. Our attack methods are based on a generalization to multivariate modular polynomial equation. The results illustrate the fact that one should be careful when using RSA key generation process with special parameters.

1. Introduction

The RSA [1] cryptosystem is the most widely used public-key cryptosystem. The modulo of RSA cryptosystem is the product of two large prime numbers and , without loss of generality, we assume that . The public exponent and the secret exponent satisfy the equation

where is Euler’s totient function. In a typical RSA cryptosystem, and have approximately the same number of bits and . The most basic security requirement for public key cryptosystem is that it should be hard to recover the secret key from the public key.

In order to speed up the decryption or signing process, one might be tempted to use small secret exponent. Unfortunately, Wiener [2] showed that if then the factorization of can be found in polynomial time using only the public information . In 1996, Coppersmith [3] introduced two methods for finding small roots of polynomial equations using lattice reduction, where one is for the univariate modular case and the other is for the bivariate case over the integers. Coppersmith’s technique has been found many applications for breaking variants of RSA; for example, Boneh and Durfee [4] improved the bound of secret exponent to , Coron and May [5] applied Coppersmith’s technique to show the deterministic equivalence between recovering the secret exponent and factoring , and May [6] presented two polynomial time attacks for the case of imbalanced prime factors and .

For a given RSA modulo , it is not difficult to get a polynomial time algorithm for finding , where is the integral part of . Then and can be rewritten as and , where are unknown positive integers. Our observation is that the bound of secret exponent of balanced RSA is related to the bound of . For instance, when and are twin prime numbers, that is, , then is a root of the following polynomial:

Therefore, for any security exponent , there often exists an algorithm that factors with polynomial time. In general case, relations between the bound and the bound of secret exponent are obtained. Boneh and Durfee’s results in [4] are special cases of our results in this paper.

We reduce our method into two cases according to the size of the public exponent and obtain the results by applying a new method of constructing a lattice basis. When is large, set then the polynomial has as a root modulo , where and satisfies

Let

for where is a leading monomial of (for a detailed definition, see Section 3). All the polynomials have the root modulo . A lattice is defined by taking the coefficient vectors of as a basis. In general, one can force the matrix of the lattice to be lower triangular. According to the -algorithm, one hopes that the dimension of the lattice is as large as possible and entries of the diagonal are as small as possible. The following definitions are useful for describing our method clearly.

Definition 1.1. Suppose a lattice is spanned by vectors and the matrix describing is a lower triangular. A vector of which the last entry of the row exceeds the modulo of the lattice is called a bad vector. A vector of which the last entry of the row is less than the modulo of the lattice is called a good vector. A lattice spanned by a basis of which all its vectors are good is called an optimal lattice.

The key ingredient of the lattice reduction technique is to construct an optimal lattice of which the dimension is as large as possible. Jochemsz and May’s strategy of constructing a lattice basis [7] is to chose a continued subset of the polynomials as a lattice basis in which there may be some bad vectors. Our most significant contribution is that we can discard all the unnecessary bad vectors in a lattice basis with a simple new way and construct a lattice whose dimension of the lattice is large enough. We construct an optimal lattice basis by choosing a discontinued subset of the polynomials . When is small, a difference polynomial is chosen; similar methods but more complicated are applied to construct a lattice basis. In order to show that our method is practical, the properties of resultant are considered also in this paper.

The paper is organized as follows: some lattice preliminaries are given in Section 2. Section 3 shows the proposed method of attacking the RSA with large . Section 4 shows the method of attacking the RSA with small . The last section is the conclusion.

2. Lattice Theory

Let be linearly independent vectors with . A lattice spanned by is the set of all integer linear combinations of . Such a set of vectors ’s is called a lattice basis. We say that the lattice is full rank if

Let be a bivariate polynomial with coefficients in the ring of integers. The Euclidean norm of is defined as the norm of the coefficient vector

Lemma 2.1. Let be a basis. On input the -algorithm outputs another basis with in time polynomial in and in the bit-size of the entries in .

Based on the -algorithm, Coppersmith [3] presented a method of finding small solutions to the modular polynomial which has the desired small root over the integers. Howgrave-Graham [8] formulated a useful condition on how to find such a polynomial in terms of normal of a polynomial.

Lemma 2.2 (Howgrave-Graham [8]). Let which is the sum of at most monomials. Suppose that where and Then holds over the integers.

3. The Case for Large

Let be integers such that . It follows that there exists an integer satisfying

Suppose that the public key and the security key satisfy for some In this section, we consider the case that is of the same order of magnitude as and therefore is very close to .

By (3.1), we have

Rewriting , , and , we obtain

Suppose then the polynomial has as a root modulo

A monomial of , with coefficient is called a leading monomial if there are no monomials in besides that is divisible by . Here the leading monomial of is and its coefficient is . Let be an arbitrarily small constant. Depending on we fix an integer . For , we define the sets of monomials as

where is a parameter to be chosen later. We note that each set in [7] is the whole monomials of , while, in our method, we discard all bad rows of the lattice and consider part monomials of .

We define the following shift polynomials

for and

All the polynomials have the root modulo . We define a lattice by taking the coefficient vectors of as a basis. We can force the matrix describing to be lower triangular. It is not difficult to see that the sets can be rewritten as

As an example, we consider the case , and . From the definition of , we have

The matrix of the lattice for is shown in Table 1.

In general, we find that the condition , derived from Lemmas 2.1 and 2.2, can be reduced to

Assuming that , inequality (3.8) is equivalent to

By calculation, we obtain that

For any , the left hand side of (3.9) is minimized at . Plugging this value into (3.9) and omitting a neglect number, we have

Notice that there are some bad rows in the above lattice. Next, we refine the construction method and improve the above result. In fact, the following lattice is an optimal lattice.

For , let

The definition of shift polynomials is the same as above. From the definition of , we have

By some rather complex calculations, we obtain that

where The inequality (3.9) leads to

From Lemma 2.1 and the estimations of (3.8), it is easy to see that if

we are guaranteed to find two vectors in that are shorter than the bound . The vectors are the coefficient vectors of two bivariate polynomials and . By Howgrave-Graham's theorem, and have the same root over the integers. By taking resultant of and with respect to , we get with root . We can easily extract from with standard root finding algorithms. Therefore, we can find from or . This completes the description of the attack. The heuristic fact that we have in our approach is as follows.

Fact 1. The probability that the construction described above yields zero polynomial that is, is a zero polynomial is neglectable.

In practice, we can assume that is a nonzero polynomial. The following lemma shows that Fact 1 holds.

Lemma 3.1. Let and be defined as above. Then is a zero polynomial if and only if

Proof. Lemma 3.1 follows from Lemma 8.2 in [9].

In fact, if the polynomials are random chosen, then the probability that is a zero polynomial is neglectable. From the above discussion, we get the following result.

Theorem 3.2. Let be defined as above and . If then we can factor with polynomial time.

We note that when , the inequality in Theorem 3.2 becomes

which is the result in [4]

4. The Case for Small Exponent

In this section, we suppose that is smaller than . Rewriting

by (3.1), we have

Let

It is easy to see that has as a root modulo The similar method in section 3 can be applied to three variants polynomial . Here the leading monomial of is and the coefficient is . Let be an arbitrarily small constant. According to the size of , we fix an integer . For , let

and , where Define the sets of monomials as follows

We define the following shift polynomials:

for and

All the polynomials have the root modulo . We define a lattice by taking the coefficient vectors of as a basis. We can force the matrix describing to be lower triangular. The sets can be rewritten as follows:

For example, we consider the case From the definition of , we have

The matrix of the lattice for is shown in Table 2.

In general, we find that , derived from Lemmas 2.1 and 2.2, can be reduced to

Let . Hence, the inequality (4.9) is equivalent to

By calculation, we obtain that

Plugging these value into (4.10) and omitting the neglect terms, we get that

which guarantees that we can find three vectors in that are shorter than the bound . These vectors are the coefficient vectors of three trivariate polynomials , and . By Howgrave-Graham’s theorem, , and have the root over the integers. Afterward, we take the resultant of these integral polynomials with respect to the variable and obtain two bivariate polynomials and with root . By taking resultant of and with respect to , we get with root . can be easily extracted from with standard root finding algorithms. Therefore, we can find from or . Similarly, we can get . By and , then can be factored with polynomial time. This completes the description of the attack. The heuristic fact that we have in our approach is as follows.

Fact 2. The probability that the construction described above yields zero polynomial that is, is a zero polynomial is neglectable.

A similar discussion as Fact 1, we have that for random choice , , and the probability that is a zero polynomial is neglectable. Therefore, in practice, we can assume that is a nonzero polynomial.

Theorem 4.1. Let be defined as above and . If then we can factor with polynomial time, where .

As a special case of Theorem 4.1, one can see that when and there exists an algorithm that factors with polynomial time.