Weak Keys in RSA with Primes Sharing Least Significant Bits

Abstract

Let N = p q be an LSBS-RSA modulus where primes p and q have the same bit-length and share the m least significant bits, and (p − 1, q − 1) = 2. Given (N, e) with \(e\in \mathbb{Z}_{\frac{\phi(N)}{4}}^*\) that satisfies \(e w+z\cdot 2^{2(m-1)} =0 \pmod{\phi(N)/4}\) with \(0<w\leq \frac{1}{9}\sqrt{\frac{\phi(N)}{e}}N^{\frac{1}{4}+\theta}\) and \(|z|\leq c\frac{e w}{\phi(N)}N^{\frac{1}{4}-\theta}\), we can find p and q in polynomial time. We show that the number of these weak keys e is at least \(N^{\frac{3}{4}+\theta-\varepsilon}\), where θ = m/log₂ N, and there exists a probabilistic algorithm that can factor N in time \(O(N^{\frac{1}{4}-\theta+\varepsilon})\).

This research is partially supported by Project 973 (no: 2007CB807902) and the natural science foundation in Shandong province (no: Y2008A22) in China.