Factoring RSA Moduli with Weak Prime Factors

In this paper, we study the problem of factoring an RSA modulus N = pq in polynomial time, when p is a weak prime, that is, p can be expressed as ap = u 0 + M 1 u 1 + … + M k u k for some k integers M 1,…, M k and k + 2 suitably small parameters a, u 0,…u k . We further compute a lower bound for the set of weak moduli, that is, moduli made of at least one weak prime, in the interval [22n ,22(n + 1)] and show that this number is much larger than the set of RSA prime factors satisfying Coppersmith’s conditions, effectively extending the likelihood for factoring RSA moduli. We also prolong our findings to moduli composed of two weak primes.

[1]  A. K. Lenstra,et al.  The Development of the Number Field Sieve , 1993 .

[2]  Benne de Weger,et al.  Cryptanalysis of RSA with Small Prime Difference , 2002, Applicable Algebra in Engineering, Communication and Computing.

[3]  D. Boneh Cryptanalysis of RSA with Private Key d Less Than N 0 , 1999 .

[4]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[5]  H. W. Lenstra,et al.  Factoring integers with elliptic curves , 1987 .

[6]  E. T. An Introduction to the Theory of Numbers , 1946, Nature.

[7]  Dan Boneh,et al.  Cryptanalysis of RSA with private key d less than N0.292 , 2000, IEEE Trans. Inf. Theory.

[8]  Tanja Lange,et al.  Factoring RSA keys from certified smart cards: Coppersmith in the wild , 2013, IACR Cryptol. ePrint Arch..

[9]  Alexander May,et al.  New RSA vulnerabilities using lattice reduction methods , 2003 .

[10]  Dongdai Lin,et al.  New Results on Solving Linear Equations Modulo Unknown Divisors and its Applications , 2014, IACR Cryptol. ePrint Arch..

[11]  Carl Pomerance,et al.  The Development of the Number Field Sieve , 1994 .

[12]  Johan Håstad,et al.  On Using RSA with Low Exponent in a Public Key Network , 1985, CRYPTO.

[13]  Abderrahmane Nitaj,et al.  Another Generalization of Wiener's Attack on RSA , 2008, AFRICACRYPT.

[14]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[15]  Michael J. Wiener,et al.  Cryptanalysis of Short RSA Secret Exponents (Abstract) , 1990, EUROCRYPT.

[16]  Dan Boneh,et al.  Cryptanalysis of RSA with private key d less than N0.292 , 1999, IEEE Trans. Inf. Theory.

[17]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[18]  Alexander May,et al.  Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits , 2008, ASIACRYPT.

[19]  Dan Boneh,et al.  TWENTY YEARS OF ATTACKS ON THE RSA CRYPTOSYSTEM , 1999 .

[20]  Johan Håstad,et al.  Solving Simultaneous Modular Equations of Low Degree , 1988, SIAM J. Comput..