Improved Factoring Attacks on Multi-prime RSA with Small Prime Difference

Abstract

In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of r distinct prime factors of same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive r simultaneous modular equations. The first attack is based on combining r equations to solve one multivariate modular equation by a generic lattice approach. Since the equation form is similar to multi-prime \(\varPhi \)-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments.

Appendices

A Algorithms

1.1 A.1 The Direct Method

1.2 A.2 The Optimized Method

In Takayasu-Kunihiro lattice construction, we carefully work out the selection of polynomials by considering the sizes of root bounds. For example, we deal with \(u_1+p^{r-2}u_2+p^{r-1}=0\bmod {Q_{r-1}}\) in our optimized method. We use \(u_2^{i_2}(u_1+p^{r-2}u_2+p^{r-1})^{i_1}N^{\max \{t-i_1,0\}}\) as the shift polynomials with positive integers m and t that will be optimized later. The indexes \(i_1\) and \(i_2\) satisfy \(0\le i_1+i_2\le m\) and \(0\le \gamma _1i_1+\gamma _2i_2\le \beta t\) in order to select as many helpful polynomials as possible and to let the basis matrix be triangular.

Thus, the shift polynomials modulo \(p^t\) have the common roots for \(u_1\) and \(u_2\). We span a lattice by the coefficient vectors of above shift polynomials and the equations are derived from the reduced LLL basis vectors. The small roots can be easily recovered by Gröbner basis computation.

B More Details About the Experimental Results

More graphs about the experimental results are showed below. Firstly, as showed in Figs. 1 and 2, upper bound on \(\gamma \) gets better when the lattice dimension increases. For the direct method, upper bound on \(\gamma \) remains stable when the lattice dimension is between 50 and 170. For the optimized method, the value is between 60 and 300.

We then show the experimental results for \(r=3\) using the direct method in Fig. 3. As the size of the modulus increases, \(\gamma \) finally arrives around 0.113. This value is beyond the asymptotic bound \(\frac{1}{9}\) of previous Zhang-Takagi method.

The remaining graphs are related to the experiments for \(3\le r\le 7\) with various moduli using the optimized method. The lattice dimension of each experiment is set around 300. From Figs. 4, 5, 6, 7 and 8, we find that upper bound on \(\gamma \) is higher for smaller modulus and then goes to a lower value. Also it will finally arrive at a certain value that may be determined by the lattice dimension.

Fig. 1.

The experimental results of upper bound on \(\gamma \) with various lattice dimensions and the same bit-size moduli for \(r=3\) using the direct method

Fig. 2.

The experimental results of upper bound on \(\gamma \) with various lattice dimensions and the same bit-size moduli for \(r=4\) using the optimized method

Fig. 3.

The experimental results of upper bound on \(\gamma \) with various moduli for \(r=3\) using the direct method

Fig. 4.

The experimental results of upper bound on \(\gamma \) with various moduli for \(r=3\) using the optimized method

Fig. 5.

The experimental results of upper bound on \(\gamma \) with various moduli for \(r=4\) using the optimized method

Fig. 6.

The experimental results of upper bound on \(\gamma \) with various moduli for \(r=5\) using the optimized method

Fig. 7.

The experimental results of upper bound on \(\gamma \) with various moduli for \(r=6\) using the optimized method

Fig. 8.

The experimental results of upper bound on \(\gamma \) with various moduli for \(r=7\) using the optimized method

Another observation is that these lattices whose dimension is around 300 seem less effective for moduli with larger bit-size. To be specific, it is less effective for the moduli of greater than 500-bit when \(r=3\). The critical bit-size is 700-bit for \(r=4, 5\) and 1000-bit for \(r=6, 7\). Thus, we guess that the lattices used in our experiments are effective for the prime factor of less than 160-bit. To obtain desired upper bounds, we need to apply some lattices with huge dimension.