Applied Mathematics and Computation 169 (2005) 516–525 www.elsevier.com/locate/amc
Cryptanalysis of large RSA exponent by using the LLL algorithm

Chien-Yuan Chen a, Cheng-Yuan Ku b,*, David C. Yen c

a Department of Information Engineering, I-Shou University, Kaohsiung County, Taiwan, ROC
b Department of Information Management, National Chung Cheng University, 160, San-Hsing, Ming-Hsiung, Chia-Yi County, Taiwan, ROC
c Department of Decision Sciences and Management Information Systems, Miami University, Oxford, OH 45056, USA
Abstract

The paper "Cryptanalysis of RSA with private key d less than $N^{0.292}$" [IEEE Trans. Information Theory 46 (2000) 1339], which Boneh and Durfee published in July 2000, showed that when $d < N^{0.292}$ the RSA system can be broken by using the LLL algorithm. In this paper, we find ways to utilize the LLL algorithm to break the RSA system even when the value of d is large. According to the proposed cryptanalysis, if d satisfies $|\lambda - d| < N^{0.25}$, the RSA system can be resolved computationally.

© 2004 Elsevier Inc. All rights reserved.

Keywords: Cryptanalysis; LLL algorithm; RSA system; RSA exponent; Public key encryption
* Corresponding author.
E-mail addresses: [email protected] (C.-Y. Chen), [email protected], cooperku@mis.ccu.edu.tw (C.-Y. Ku), [email protected] (D.C. Yen).

0096-3003/$ - see front matter © 2004 Elsevier Inc. All rights reserved.
doi:10.1016/j.amc.2004.10.082
1. Introduction

To speed up the signature generation of the RSA system, some studies have proposed using a small secret exponent d [2,3]. Unfortunately, Wiener's study [3,4] showed that if $d < \frac{1}{3}N^{0.25}$, d can be recovered by using the continued fraction method. Furthermore, Verheul and van Tilborg [5] improved Wiener's scheme: they found that even when $d > \frac{1}{3}N^{0.25}$, it is possible to expose d in less time than an exhaustive search requires. On the other hand, consider the case that d is large such that $|\lambda - d| < \frac{1}{3}N^{0.25}$, where λ is the minimal universal exponent of N. To deal with this case, Chen et al. [2,4] showed that d can be discovered by using the continued fraction method. Recently, Boneh and Durfee [1] improved Wiener's result by using the LLL algorithm [6]; they showed that when $d < N^{0.292}$, one can discover d. In this paper, the authors use the LLL algorithm to attack the RSA system [7] when d is large. According to the cryptanalysis proposed here, if d satisfies $|\lambda - d| < N^{0.25}$, d can be discovered. This paper is organized as follows. In Section 2, some preliminary facts used throughout the paper are introduced. Section 3 reviews the scheme proposed by Boneh and Durfee. The new cryptanalysis is presented in Section 4, and the last section concludes the paper.
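The bounds quoted in this introduction translate directly into a key-hygiene check that a defender can run on an RSA key whose factors are known, for example at key generation. The following Python is an added example, not part of the paper: the function and parameter names are chosen here, and the primes and exponents are constructed toy values picked only so that each inequality can be checked with exact integer arithmetic (for instance $x < N^{0.25}/3$ is tested as $(3x)^4 < N$).

```python
import math
from math import gcd


def carmichael_lambda(p, q):
    """Minimal universal exponent lambda(N) = lcm(p-1, q-1) for N = p*q.
    When gcd(p-1, q-1) = 2 this equals (N + 1 - p - q)/2, the form used in the paper."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)


def log_exponent(value, N):
    """Return delta such that value ~ N**delta (0.0 for value <= 1)."""
    return math.log(value) / math.log(N) if value > 1 else 0.0


def assess_private_exponent(p, q, d):
    """Compare d against the four bounds quoted in the introduction.
    Every test except the Boneh-Durfee one is done in exact integer arithmetic."""
    N = p * q
    lam = carmichael_lambda(p, q)
    if gcd(d, lam) != 1:
        raise ValueError("d is not invertible modulo lambda(N); not a valid private exponent")
    dist = abs(lam - d)                                   # |lambda - d|
    return {
        "delta_of_d": round(log_exponent(d, N), 3),       # d = N**delta
        "delta_of_dist": round(log_exponent(dist, N), 3), # |lambda - d| = N**delta
        "wiener_d_small": (3 * d) ** 4 < N,               # d < N^0.25 / 3          [3]
        "boneh_durfee_d_small": log_exponent(d, N) < 0.292,  # d < N^0.292          [1]
        "chen_d_near_lambda": (3 * dist) ** 4 < N,        # |lambda - d| < N^0.25/3 [2,4]
        "this_paper_d_near_lambda": dist ** 4 < N,        # |lambda - d| < N^0.25
    }


def toy_key(p, q, d):
    """Constructed toy key (not a real key): returns (N, e, d) with e*d == 1 (mod lambda)."""
    lam = carmichael_lambda(p, q)
    e = pow(d, -1, lam)
    return p * q, e, d


# Constructed sample: twin primes with gcd(p-1, q-1) = 2, N ~ 1e8, so N^0.25 ~ 100.
P, Q = 10007, 10009
LAM = carmichael_lambda(P, Q)
NEAR_LAMBDA = assess_private_exponent(P, Q, LAM - 49)  # d only 49 below lambda
SMALL_D = assess_private_exponent(P, Q, 31)            # classic short exponent

if __name__ == "__main__":
    for name, report in (("d = lambda - 49", NEAR_LAMBDA), ("d = 31", SMALL_D)):
        print(name, report)
```

In the constructed sample, d = λ − 49 is caught only by this paper's bound (49⁴ < N but (3·49)⁴ > N), which is exactly the gap between the earlier continued-fraction result [2,4] and the lattice result presented here; d = 31 is caught by the Wiener and Boneh–Durfee tests instead.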
2. Preliminaries

In this section, some facts used throughout this paper are briefly introduced. To begin with, let L be the lattice spanned by $\langle V_1, V_2, \ldots, V_w \rangle$, where $V_1, V_2, \ldots, V_w \in \mathbb{Z}^n$ are linearly independent vectors with $n \ge w$; that is, $L = \{\sum_i k_i V_i \mid k_i \in \mathbb{Z}\}$. When $w = n$, the lattice L is full rank, and the determinant of L is the absolute value of the determinant of the $w \times w$ matrix whose rows are the basis vectors $V_1, V_2, \ldots, V_w$:

$$\det(L) = |\det(V_1, V_2, \ldots, V_w)|.$$

The Gram–Schmidt process can be applied to the vectors $V_1, V_2, \ldots, V_w$ to obtain $V_1^*, V_2^*, \ldots, V_w^*$. Because $\langle V_i^*, V_j^* \rangle = 0$ for $i \ne j$, the determinant can be written as

$$\det(L) = |\det(V_1, V_2, \ldots, V_w)| = |\det(V_1^*, V_2^*, \ldots, V_w^*)| = \prod_{i=1}^{w} \|V_i^*\|.$$
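As an added illustration of the identity above (not code from the paper), the following Python computes $\det(L)^2$ in both ways, as the squared determinant of the basis matrix and as the product of the squared Gram–Schmidt norms, exactly over the rationals. The two sample bases are constructed here; the second is lower triangular, so the product reduces to the diagonal entries, which is the rule used later for Tables 1 and 2.

```python
from fractions import Fraction
from math import prod


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """Exact Gram-Schmidt orthogonalisation over the rationals: returns V_1*, ..., V_w*."""
    ortho = []
    for v in basis:
        v_star = [Fraction(x) for x in v]
        for u in ortho:                      # remove the component along each earlier V_j*
            mu = dot(v_star, u) / dot(u, u)
            v_star = [a - mu * b for a, b in zip(v_star, u)]
        ortho.append(v_star)
    return ortho


def determinant(matrix):
    """Exact determinant by Gaussian elimination with rational arithmetic."""
    m = [[Fraction(x) for x in row] for row in matrix]
    n, det = len(m), Fraction(1)
    for c in range(n):
        pivot = next((r for r in range(c, n) if m[r][c] != 0), None)
        if pivot is None:
            return Fraction(0)
        if pivot != c:
            m[c], m[pivot] = m[pivot], m[c]
            det = -det
        det *= m[c][c]
        for r in range(c + 1, n):
            factor = m[r][c] / m[c][c]
            m[r] = [a - factor * b for a, b in zip(m[r], m[c])]
    return det


def lattice_det_squared(basis):
    """det(L)^2 computed two ways: |det(V_1..V_w)|^2 and prod ||V_i*||^2.
    Squares are used so that everything stays rational (no square roots)."""
    via_det = determinant(basis) ** 2
    via_gs = prod(dot(u, u) for u in gram_schmidt(basis))
    return via_det, via_gs


# Constructed sample bases (not from the paper): a general one and a lower-triangular one.
GENERAL = [[2, 1, 0], [1, 3, 1], [0, 1, 4]]
TRIANGULAR = [[3, 0, 0], [1, 2, 0], [5, 7, 4]]

if __name__ == "__main__":
    for b in (GENERAL, TRIANGULAR):
        print(b, lattice_det_squared(b))
```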
Given $\langle V_1, V_2, \ldots, V_w \rangle$, the LLL algorithm produces an LLL-reduced basis of L, say $\langle b_1, b_2, \ldots, b_w \rangle$. It runs in polynomial time, at most $O(w^6 \log^3 B)$, where $B = \max_i \|V_i\|$. According to Lenstra et al. [6], the following lemma holds.

Lemma 2.1. Let $\{b_1, b_2, \ldots, b_w\}$ be an LLL-reduced basis of a lattice L. Then

$$\|b_1\| \le 2^{w/2} \det(L)^{1/w}.$$

Furthermore, following Jutla [8], define $V_{\min} = \min_i \|V_i\|$ for a basis $\langle V_1, V_2, \ldots, V_w \rangle$ of a lattice L. For $b_2$, the second smallest vector of an LLL-reduced basis of L, Jutla [8] introduced the following lemma.

Lemma 2.2. Let L be a lattice spanned by $\langle V_1, V_2, \ldots, V_w \rangle$ and let $\langle b_1, b_2, \ldots, b_w \rangle$ be an LLL-reduced basis of L. If $V_{\min} \ge 1$, then

$$\|b_2\| \le 2^{w/2} \det(L)^{1/(w-1)}.$$

To turn $b_1$ or $b_2$ into an equation that holds over the integers, the following lemma from Boneh and Durfee [1] is used.

Lemma 2.3. Let the polynomial $h(x, y) = \sum_{ij} a_{ij} x^i y^j$ be a sum of at most w monomials, with $\|h(x, y)\| = (\sum_{ij} |a_{ij}|^2)^{1/2}$ and $a_{ij} \in \mathbb{Z}$. Assume that (a) $h(x_0, y_0) \equiv 0 \pmod{e^m}$ for some positive integer m, where $|x_0| < X$ and $|y_0| < Y$, and (b) $\|h(xX, yY)\| < e^m/\sqrt{w}$. Then $h(x_0, y_0) = 0$ holds over the integers.

3. A review of Boneh and Durfee's scheme

In this section, Boneh and Durfee's scheme for attacking the RSA system with a small secret exponent d is reviewed. In the RSA system,

$$ed = k'\lambda + 1, \qquad (3.1)$$

where e is the public exponent and $k'$ is an integer. Let $N = pq$ and assume that $\gcd(p - 1, q - 1) = 2$. Then $\lambda = (N + 1 - p - q)/2$. As a result, Eq. (3.1) can be rewritten as

$$ed + k\big((N + 1)/2 - (p + q)/2\big) = 1, \qquad (3.2)$$
where $k = -k'$. Let $A = (N + 1)/2$ and $S = -(p + q)/2$. Reducing Eq. (3.2) modulo e gives

$$k(A + S) \equiv 1 \pmod e. \qquad (3.3)$$

Suppose $d < N^\delta$ and $e \approx N$. From Eq. (3.1),

$$|k| < de/\lambda \le 3de/N < 3e^\delta. \qquad (3.4)$$

Similarly,

$$|S| < 2N^{0.5} = 2e^{0.5}. \qquad (3.5)$$

From Eqs. (3.3), (3.4), and (3.5), the problem becomes that of finding integers k and S satisfying

$$k(A + S) \equiv 1 \pmod e, \quad \text{where } |k| < e^\delta \text{ and } |S| < e^{0.5}. \qquad (3.6)$$

This problem can be rewritten as: given the polynomial $f(x, y) = x(A + y) - 1$, find $(x_0, y_0)$ satisfying

$$f(x_0, y_0) \equiv 0 \pmod e, \quad \text{where } |x_0| < e^\delta \text{ and } |y_0| < e^{0.5}. \qquad (3.7)$$

To find a solution of Eq. (3.7), Boneh and Durfee's idea can be summarized as follows. First, the modular equation (3.7) is turned into an equation over the integers: the LLL algorithm is used to find a polynomial $T_1(x, y)$, derived from $f(x, y)$, such that $T_1(x_0, y_0) = 0$. One polynomial alone is not sufficient to determine the solution $(x_0, y_0)$; therefore, based on Lemma 2.2, a second polynomial $T_2(x, y)$ satisfying $T_2(x_0, y_0) = 0$ is found in the same way. Having the two polynomials $T_1(x, y)$ and $T_2(x, y)$, the solution $(x_0, y_0)$ is computed from the resultant $h(x) = \mathrm{Res}_y(T_1, T_2)$ and $T_1(x, y) = 0$.

Consider first the polynomial $T_1(x, y)$. From Eq. (3.7), the upper bound of $|x_0|$ is $X = e^\delta$, while the upper bound of $|y_0|$ is $Y = e^{0.5}$. To apply Lemma 2.3 to finding a solution $(x_0, y_0)$, the following polynomials are defined:

$$g_{ik}(x, y) = x^i f^k(x, y)\, e^{m-k} \quad \text{and} \quad h_{jk}(x, y) = y^j f^k(x, y)\, e^{m-k}, \qquad (3.8)$$

where $k = 0, 1, \ldots, m$, $i = 0, 1, \ldots, m - k$, $j = 0, 1, \ldots, t$, for some parameters m and t. Since $g_{ik}(x_0, y_0) \equiv 0 \pmod{e^m}$ and $h_{jk}(x_0, y_0) \equiv 0 \pmod{e^m}$, condition (a) of Lemma 2.3 is satisfied. The remaining task is to find a polynomial $T_1(x, y)$, a linear combination of the polynomials $g_{ik}(xX, yY)$ and $h_{jk}(xX, yY)$, whose norm is small enough that condition (b) of Lemma 2.3 is also satisfied; Lemma 2.3 then gives $T_1(x_0, y_0) = 0$. Because $T_1(x, y)$ is a linear combination of the polynomials $g_{ik}(x, y)$ and $h_{jk}(x, y)$, the lattice spanned by their coefficient vectors can be constructed. Using the LLL algorithm, a vector $b_1$ with $\|b_1\| \le 2^{w/2}\det(L)^{1/w}$ can be found by Lemma 2.1. If the norm of $b_1$ is less than $e^m/\sqrt{w}$, Lemma 2.3 can be applied to $T_1(x, y) = b_1$, giving $T_1(x_0, y_0) = 0$. To discover $T_1(x, y)$ successfully, $2^{w/2}\det(L)^{1/w} < e^m/\sqrt{w}$ must therefore be ensured. Let $\alpha = (2^w w)^{w/2}$; the condition becomes

$$\det(L) < e^{mw}/\alpha. \qquad (3.9)$$
To get a lattice with a sufficiently small determinant, Boneh and Durfee built the lattice spanned by $g_{ik}(xX, yY)$ and $h_{jk}(xX, yY)$, where $k = 0, 1, \ldots, m$, $i = 0, 1, \ldots, m - k$, $j = 0, 1, \ldots, t$, for some parameters m and t. For example, when $m = 3$ and $t = 1$, the matrix in Table 1 is obtained. Each row of the matrix is a basis vector, and the "–" symbol denotes a non-zero entry. Because the matrix is lower triangular, the determinant of the lattice is the product of the diagonal entries. Let $\det(L) = \det_x \cdot \det_y$, where $\det_x$ denotes the determinant of the sub-matrix corresponding to $g_{ik}(xX, yY)$, $i = 0, 1, \ldots, m - k$, and $\det_y$ that of the sub-matrix corresponding to $h_{jk}(xX, yY)$, $j = 0, 1, \ldots, t$. Then

$$\det(L) = e^{m(m+1)(m+2)/3}\, X^{m(m+1)(m+2)/3}\, Y^{m(m+1)(m+2)/6} \cdot e^{tm(m+1)/2}\, X^{tm(m+1)/2}\, Y^{t(m+1)(m+t+1)/2}. \qquad (3.10)$$

Because $X = e^\delta$ and $Y = e^{0.5}$, this becomes

$$\det(L) = e^{\,m(m+1)(m+2)(5+4\delta)/12 \,+\, tm(m+1)(1+\delta)/2 \,+\, t(m+1)(m+t+1)/4}. \qquad (3.11)$$

From Eq. (3.9),

$$m(m+1)(m+2)(5+4\delta)/12 + tm(m+1)(1+\delta)/2 + t(m+1)(m+t+1)/4 < mw. \qquad (3.12)$$

Because $w = (m+1)(m+2)/2 + t(m+1)$, Eq. (3.12) can be rewritten as

$$3t^2 + (3 - 3m + 6m\delta)\,t + m(m+2)(4\delta - 1) < 0. \qquad (3.13)$$

For a fixed m, the left-hand side is minimized at $t = (m(1 - 2\delta) - 1)/2$. Substituting this value of t gives

$$-12m^2\delta^2 + (28m^2 + 20m)\delta - (7m^2 + 2m + 3) < 0, \qquad (3.14)$$

which leads to

$$\delta < 7/6 - (7 + 16/m + 4/m^2)^{1/2}/3 + 5/(6m). \qquad (3.15)$$

When m goes to infinity, Eq. (3.15) becomes

$$\delta < 7/6 - \sqrt{7}/3 \approx 0.285. \qquad (3.16)$$
Table 1
The matrix with m = 3 and t = 1. The rows are the coefficient vectors of $g_{ik}(xX, yY)$ and $h_{jk}(xX, yY)$; the columns are the monomials $1, x, xy, x^2, x^2y, x^2y^2, x^3, x^3y, x^3y^2, x^3y^3, y, xy^2, x^2y^3, x^3y^4$, in that order. The matrix is lower triangular; the original marks each non-zero entry below the diagonal with "–". The diagonal entries are:

  Row (basis polynomial)   Diagonal monomial   Diagonal entry
  e^3                      1                   e^3
  x e^3                    x                   e^3 X
  f e^2                    xy                  e^2 X Y
  x^2 e^3                  x^2                 e^3 X^2
  x f e^2                  x^2 y               e^2 X^2 Y
  f^2 e                    x^2 y^2             e X^2 Y^2
  x^3 e^3                  x^3                 e^3 X^3
  x^2 f e^2                x^3 y               e^2 X^3 Y
  x f^2 e                  x^3 y^2             e X^3 Y^2
  f^3                      x^3 y^3             X^3 Y^3
  y e^3                    y                   e^3 Y
  y f e^2                  x y^2               e^2 X Y^2
  y f^2 e                  x^2 y^3             e X^2 Y^3
  y f^3                    x^3 y^4             X^3 Y^4

The product of the diagonal is $e^{26} X^{26} Y^{20}$, in agreement with Eq. (3.10) for m = 3, t = 1.
Furthermore, Boneh and Durfee showed that there is a sub-lattice of the original lattice L with a smaller determinant. Note that this sub-lattice is no longer full rank. Working in this sub-lattice leads to

$$\delta < 0.292. \qquad (3.17)$$

Therefore, when $\delta < 0.292$, the first polynomial $T_1(x, y)$ satisfying $T_1(x_0, y_0) = 0$ over the integers can be discovered using the LLL algorithm. Next, the second polynomial $T_2(x, y)$ can be found by using Lemma 2.2. In the constructed lattice L, $V_{\min} = X^m Y^m$, which is greater than 1. According to Lemma 2.2, $b_2\,(= T_2)$ can be found if

$$\det(L) < e^{m(w-1)}/\beta, \qquad (3.18)$$

where $\beta = (2^w w)^{(w-1)/2}$. From Eq. (3.18), $\delta < 0.292$ is again deduced. Having the two polynomials $T_1(x, y)$ and $T_2(x, y)$, the resultant $h(x) = \mathrm{Res}_y(T_1, T_2)$ can be computed. Note that $x_0$ is a root of $h(x)$. Consequently, by trying all roots of $h(x)$, a $y_0$ satisfying $T_1(x_0, y_0) = 0$ can be found.
4. A new cryptanalysis

Assume that d is large such that $0 < \lambda - d < N^\delta$. Let $d' = \lambda - d$; then $d' < N^\delta$. Eq. (3.1) can be written as

$$e(\lambda - d') = k'\lambda + 1. \qquad (4.1)$$

This implies that

$$ed' = (e - k')\lambda - 1. \qquad (4.2)$$

Let $k = e - k'$. Then

$$ed' = k\lambda - 1. \qquad (4.3)$$

Because $\lambda = A + S$ (see Section 3), Eq. (4.3) can be rewritten as

$$ed' = kA + kS - 1. \qquad (4.4)$$

Reducing modulo A gives

$$ed' - kS + 1 \equiv 0 \pmod A. \qquad (4.5)$$

From Eq. (4.3) and $e < \lambda$,

$$|k| < ed'/\lambda < d' < N^\delta \approx A^\delta. \qquad (4.6)$$

Let $S' = -kS$. Then, from Eq. (4.6) together with Eq. (3.5),

$$|S'| = |kS| < 2N^{\delta+0.5} \approx 2A^{\delta+0.5}. \qquad (4.7)$$
Similar to Boneh and Durfee's study, the following problem is obtained: find integers $d'$ and $S'$ satisfying

$$ed' + S' + 1 \equiv 0 \pmod A, \quad \text{where } |d'| < A^\delta \text{ and } |S'| < A^{\delta+0.5}. \qquad (4.8)$$

This problem can be rewritten as follows. Given the polynomial $f(x, y) = xe + y + 1$, find $(x_0, y_0)$ satisfying

$$f(x_0, y_0) \equiv 0 \pmod A, \quad \text{where } |x_0| < A^\delta \text{ and } |y_0| < A^{\delta+0.5}. \qquad (4.9)$$

Here the upper bound of $|x_0|$ is $X = A^\delta$, while the upper bound of $|y_0|$ is $Y = A^{\delta+0.5}$. To apply Lemma 2.3 to finding a solution $(x_0, y_0)$, the following polynomials are defined:

$$g_{ik}(x, y) = x^i f^k(x, y)\, A^{m-k}, \qquad (4.10)$$

where $k = 0, 1, \ldots, m$, $i = 0, 1, \ldots, m - k$, for some parameter m. Note that $g_{ik}(x_0, y_0) \equiv 0 \pmod{A^m}$. Therefore, a polynomial $T_1(x, y)$ must be found which is a linear combination of the polynomials $g_{ik}(xX, yY)$ with a norm small enough that conditions (a) and (b) of Lemma 2.3 are both satisfied; Lemma 2.3 then gives $T_1(x_0, y_0) = 0$. Because $T_1(x, y)$ is a linear combination of the polynomials $g_{ik}(x, y)$, the lattice spanned by their coefficient vectors can be constructed. Using the LLL algorithm, a vector $b_1$ with $\|b_1\| \le 2^{w/2}\det(L)^{1/w}$ can be found by Lemma 2.1. If the norm of $b_1$ is less than $A^m/\sqrt{w}$, Lemma 2.3 can be applied to $T_1(x, y) = b_1$, giving $T_1(x_0, y_0) = 0$. To discover $T_1(x, y)$ successfully, $2^{w/2}\det(L)^{1/w} < A^m/\sqrt{w}$ must therefore be ensured. Let $\alpha = (2^w w)^{w/2}$; the condition becomes

$$\det(L) < A^{mw}/\alpha. \qquad (4.11)$$
Table 2
The matrix with m = 3. The rows are the coefficient vectors of $g_{ik}(xX, yY)$; the columns are the monomials $1, x, y, x^2, xy, y^2, x^3, x^2y, xy^2, y^3$, in that order. The matrix is lower triangular; the original marks each non-zero entry below the diagonal with "–". The diagonal entries are:

  Row (basis polynomial)   Diagonal monomial   Diagonal entry
  A^3                      1                   A^3
  x A^3                    x                   A^3 X
  f A^2                    y                   A^2 Y
  x^2 A^3                  x^2                 A^3 X^2
  x f A^2                  xy                  A^2 X Y
  f^2 A                    y^2                 A Y^2
  x^3 A^3                  x^3                 A^3 X^3
  x^2 f A^2                x^2 y               A^2 X^2 Y
  x f^2 A                  x y^2               A X Y^2
  f^3                      y^3                 Y^3

The product of the diagonal is $A^{20} X^{10} Y^{10}$, in agreement with Eq. (4.12) for m = 3.
To get a lattice with a sufficiently small determinant, the lattice spanned by $g_{ik}(xX, yY)$ is built, where $k = 0, 1, \ldots, m$, $i = 0, 1, \ldots, m - k$, for some parameter m. For example, when $m = 3$, the matrix in Table 2 is obtained. Because the matrix is lower triangular, the determinant of the lattice is the product of the diagonal entries:

$$\det(L) = A^{m(m+1)(m+2)/3}\, X^{m(m+1)(m+2)/6}\, Y^{m(m+1)(m+2)/6}. \qquad (4.12)$$

Because $X = A^\delta$ and $Y = A^{\delta+0.5}$, this can be rewritten as

$$\det(L) = A^{m(m+1)(m+2)(5+4\delta)/12}. \qquad (4.13)$$

From Eq. (4.11),

$$m(m+1)(m+2)(5+4\delta)/12 < mw. \qquad (4.14)$$

Because $w = (m+1)(m+2)/2$, this gives

$$\delta < 0.25. \qquad (4.15)$$
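As an added worked check of the determinant formulas (3.10) and (4.12) and of the bounds derived from them (this is not the paper's own code), the following Python lists the diagonal entries of both lattices as exponent triples, exactly as they are read off Tables 1 and 2, sums them, compares the sums with the closed forms, and solves the resulting inequalities (3.12), (4.14) and (4.17) for δ exactly. Function names are chosen here; the only assumption beyond the text is that the $h_{jk}$ rows take $j = 1, \ldots, t$, which is what the row count $w = (m+1)(m+2)/2 + t(m+1)$ and Table 1 require, since $j = 0$ would duplicate $g_{0k}$.

```python
from fractions import Fraction
import math


def boneh_durfee_diagonal(m, t):
    """Diagonal entries of the Section 3 lattice as exponent triples (e, X, Y).
    Row g_ik = x^i f^k e^(m-k) has leading monomial x^(i+k) y^k; row h_jk = y^j f^k e^(m-k)
    has leading monomial x^k y^(j+k) (see Table 1). j runs over 1..t (assumption, see lead-in)."""
    rows = [(m - k, i + k, k) for k in range(m + 1) for i in range(m - k + 1)]
    rows += [(m - k, k, j + k) for k in range(m + 1) for j in range(1, t + 1)]
    return rows


def new_lattice_diagonal(m):
    """Diagonal entries of the Section 4 lattice as exponent triples (A, X, Y):
    row g_ik = x^i f^k A^(m-k) has leading monomial x^i y^k (see Table 2)."""
    return [(m - k, i, k) for k in range(m + 1) for i in range(m - k + 1)]


def det_exponents(rows):
    """Column-wise sums of the diagonal exponents: det(L) = base^e0 * X^eX * Y^eY."""
    return tuple(sum(r[c] for r in rows) for c in range(3))


def bd_closed_form(m, t):
    """Exponents of e, X, Y in Eq. (3.10)."""
    base = Fraction(m * (m + 1) * (m + 2))
    return (base / 3 + Fraction(t * m * (m + 1), 2),
            base / 3 + Fraction(t * m * (m + 1), 2),
            base / 6 + Fraction(t * (m + 1) * (m + t + 1), 2))


def new_closed_form(m):
    """Exponents of A, X, Y in Eq. (4.12)."""
    base = Fraction(m * (m + 1) * (m + 2))
    return (base / 3, base / 6, base / 6)


def bd_delta_bound(m, t):
    """Largest delta allowed by Eq. (3.12), ignoring the constant alpha. With X = e^delta and
    Y = e^0.5 the exponent of e in det(L) is e0 + eX*delta + eY/2, which must stay below m*w."""
    e0, eX, eY = det_exponents(boneh_durfee_diagonal(m, t))
    w = (m + 1) * (m + 2) // 2 + t * (m + 1)
    return (Fraction(m * w) - e0 - Fraction(eY, 2)) / eX


def bd_delta_limit(m):
    """Eq. (3.15): the bound after optimising t as a real number; tends to 7/6 - sqrt(7)/3."""
    return 7 / 6 - math.sqrt(7 + 16 / m + 4 / m ** 2) / 3 + 5 / (6 * m)


def new_delta_bound(m, second_vector=False):
    """Largest delta allowed by Eq. (4.14) (first LLL vector, bound m*w) or by Eq. (4.17)
    (second vector, bound m*(w-1)). With X = A^delta and Y = A^(delta+0.5) the exponent of A
    in det(L) is e0 + (eX + eY)*delta + eY/2."""
    e0, eX, eY = det_exponents(new_lattice_diagonal(m))
    w = (m + 1) * (m + 2) // 2
    rhs = m * (w - 1) if second_vector else m * w
    return (Fraction(rhs) - e0 - Fraction(eY, 2)) / (eX + eY)


if __name__ == "__main__":
    print("Table 1 exponents (e, X, Y):", det_exponents(boneh_durfee_diagonal(3, 1)))
    print("Table 2 exponents (A, X, Y):", det_exponents(new_lattice_diagonal(3)))
    for m in (3, 10, 50):
        print(m, float(new_delta_bound(m)), float(new_delta_bound(m, True)), bd_delta_limit(m))
```

For m = 3, t = 1 the Boneh–Durfee bound from (3.12) is δ < 3/13 ≈ 0.231 with integer t, against about 0.253 from (3.15) with real-valued t. For the new lattice the first-vector bound is exactly 1/4 for every m, while the second-vector bound (4.17) is 1/10 at m = 3 and climbs towards 1/4 as m grows, which is what the text means by letting m go to infinity.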
Therefore, when $\delta < 0.25$, the first polynomial $T_1(x, y)$ satisfying $T_1(x_0, y_0) = 0$ over the integers can be discovered using the LLL algorithm. Next, the second polynomial $T_2(x, y)$ can be found by using Lemma 2.2. In the constructed lattice L, $V_{\min} = Y^m$, which is greater than 1. According to Lemma 2.2, $b_2\,(= T_2)$ can be found if

$$\det(L) < A^{m(w-1)}/\beta, \qquad (4.16)$$

where $\beta = (2^w w)^{(w-1)/2}$. From Eq. (4.16),

$$m(m+1)(m+2)(5+4\delta)/12 < m(w - 1). \qquad (4.17)$$

When m goes to infinity, this again gives $\delta < 0.25$. Having the two polynomials $T_1(x, y)$ and $T_2(x, y)$, the resultant $h(x) = \mathrm{Res}_y(T_1, T_2)$ can be computed. Note that $x_0$ is a root of $h(x)$. Therefore, by trying all roots of $h(x)$, a $y_0$ satisfying $T_1(x_0, y_0) = 0$ can be found. Once a solution $(x_0, y_0)$ is obtained, $k = \gcd(ex_0 + 1, y_0)$ can be computed from Eq. (4.3); note that this assumes λ is coprime to S. Then S is obtained from $y_0 = S' = -kS$ by dividing by k. Because $\lambda = A + S$, d can be deduced by computing $((e - k)\lambda + 1)/e$.
5. Discussions and conclusions

There are two major differences between Boneh and Durfee's scheme and our study. First, a new problem (4.9) was found instead of the original problem (3.7). This finding can be used in future related studies in this area. Second, the proposed lattice is spanned only by $g_{ik}(xX, yY)$; the $h_{jk}(xX, yY)$ are not involved. That is because, while $\det(L)^{1/w}$ increases, the upper bound of δ decreases. If this condition is to be improved, a new polynomial $h'$ is needed, one for which the upper bound of δ increases while $\det(L)^{1/w}$ also increases. Furthermore, this paper cryptanalyzes the RSA system with a large secret key d by improving Boneh and Durfee's scheme. Instead of the equation

$$k(A + S) \equiv 1 \pmod e, \quad \text{where } |k| < e^\delta \text{ and } |S| < e^{0.5},$$

a new equation was found:

$$ed' + S' + 1 \equiv 0 \pmod A, \quad \text{where } |d'| < A^\delta \text{ and } |S'| < A^{\delta+0.5}.$$

Then, the LLL algorithm can be utilized to find $d'$ and $S'$. Having $d'$ and $S'$, the secret key d can be discovered. Based on the proposed cryptanalysis, the conclusion can be made that if d satisfies $|\lambda - d| < N^{0.25}$, the RSA system can be resolved computationally.
References

[1] D. Boneh, G. Durfee, Cryptanalysis of RSA with private key d less than N^0.292, IEEE Transactions on Information Theory 46 (2000) 1339–1349.
[2] C.Y. Chen, C.C. Chang, W.P. Yang, Cryptanalysis of the secret exponent of the RSA scheme, Journal of Information Science and Engineering 12 (1996) 277–290.
[3] M.J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory 36 (1990) 553–558.
[4] H.-M. Sun, W.-C. Yang, C.S. Laih, On the design of RSA with short secret exponent, Journal of Information Science and Engineering 18 (2002) 1–18.
[5] E.R. Verheul, H.C.A. van Tilborg, Cryptanalysis of less short RSA secret exponents, Applicable Algebra in Engineering, Communication and Computing 8 (1997) 425–435.
[6] A. Lenstra, H. Lenstra, L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen 261 (1982) 515–534.
[7] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (1978) 120–126.
[8] C. Jutla, On finding small solutions of modular multivariate polynomial equations, Proceedings of EUROCRYPT '98, Springer-Verlag, 1998, pp. 158–170.