
Cryptanalysis of Dual RSA

Designs, Codes and Cryptography

Abstract

In 2007, Sun et al. (IEEE Trans Inf Theory 53(8):2922–2933, 2007) presented new variants of RSA, called Dual RSA, whose key generation algorithm outputs two distinct RSA moduli having the same public and private exponents, with an advantage of reducing storage requirements for keys. These variants can be used in some applications like blind signatures and authentication/secrecy. In this paper, we give an improved analysis on Dual RSA and obtain that when the private exponent is smaller than \(N^{0.368}\), the Dual RSA can be broken, where N is an integer with the same bitlength as the modulus of Dual RSA. The point of our work is based on the observation that we can split the private exponent into two much smaller unknown variables and solve a related modular equation on the two unknown variables and other auxiliary variables by making use of lattice based methods. Moreover, we extend this method to analyze the common private exponent RSA scheme, a variant of Dual RSA, and obtain a better bound than previous analyses. While our analyses cannot be proven to work in general, since we rely on some unproven assumptions, our experimental results have shown they work in practice.


References

  1. Boneh D., Durfee G.: Cryptanalysis of RSA with private key d less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000).

  2. Bosma W., Cannon J.J., Playoust C.: The Magma algebra system I: the user language. J. Symb. Comput. 24(3–4), 235–265 (1997).

  3. Coppersmith D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997).

  4. Gama N., Nguyen P.Q.: Predicting lattice reduction. In: Smart N. (ed.) EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965, pp. 31–51. Springer, Heidelberg (2008).

  5. Herrmann M., May A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen P.Q., Pointcheval D. (eds.) PKC 2010. Lecture Notes in Computer Science, vol. 6056, pp. 53–69. Springer, Heidelberg (2010).

  6. Hinek M.J.: On the security of some variants of RSA. Ph.D. thesis, University of Waterloo, Waterloo (2007).

  7. Hoffstein J., Pipher J., Silverman J.H.: An Introduction to Mathematical Cryptography. Springer, Berlin (2008).

  8. Howgrave-Graham N.: Finding small roots of univariate modular equations revisited. In: Darnell M.J. (ed.) Cryptography and Coding 1997. Lecture Notes in Computer Science, vol. 1355, pp. 131–142. Springer, Heidelberg (1997).

  9. Jochemsz E., May A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai X., Chen K. (eds.) ASIACRYPT 2006. Lecture Notes in Computer Science, vol. 4284, pp. 267–282. Springer, Heidelberg (2006).

  10. Joye M.: RSA moduli with a predetermined portion: techniques and applications. In: Chen L., Mu Y., Susilo, W. (eds.) ISPEC 2008. Lecture Notes in Computer Science, vol. 4991, pp. 116–130. Springer, Heidelberg (2008).

  11. Kleinjung T., Aoki K., Franke J., Lenstra A.K., Thomé E., Bos J.W., Gaudry P., Kruppa A., Montgomery P.L., Osvik D.A., te Riele H.J.J., Timofeev A., Zimmermann P.: Factorization of a 768-bit RSA modulus. In: Rabin T. (ed.) CRYPTO 2010. Lecture Notes in Computer Science, vol. 6223, pp. 333–350. Springer, Heidelberg (2010).

  12. Lenstra A.K.: Generating RSA moduli with a predetermined portion. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. Lecture Notes in Computer Science, vol. 1514, pp. 1–10. Springer, Heidelberg (1998).

  13. Lenstra A.K., de Weger B.M.M.: Twin RSA. In: Dawson E., Vaudenay S. (eds.) Mycrypt 2005. Lecture Notes in Computer Science, vol. 3715, pp. 222–228. Springer, Heidelberg (2005).

  14. Lenstra A.K., Lenstra H.W., Lovász L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982).

  15. Lenstra A.K., Tromer E., Shamir A., Kortsmit W., Dodson B., Hughes J.P., Leyland P.C.: Factoring estimates for a 1024-bit RSA modulus. In: Laih C.S. (ed.) ASIACRYPT 2003. Lecture Notes in Computer Science, vol. 2894, pp. 55–74. Springer, Heidelberg (2003).

  16. Nguyen P.Q., Vallée B. (eds.): The LLL Algorithm—Survey and Applications. Series in Information Security and Cryptography. Springer, Heidelberg (2010).

  17. Peng L., Hu L., Xu J., Huang Z., Xie Y.: Further improvement of factoring RSA moduli with implicit hint. In: Pointcheval D., Vergnaud D. (eds.) AFRICACRYPT 2014. Lecture Notes in Computer Science, vol. 8469, pp. 165–177. Springer International Publishing, Switzerland (2014).

  18. Rivest R.L., Shamir A., Adleman L.M.: A method for obtaining digital signatures and public-key cryptosystems (reprint). Commun. ACM 26(1), 96–99 (1983).

  19. Sarkar S., Maitra S.: Cryptanalytic results on ’Dual CRT’ and ’Common Prime’ RSA. Des. Codes Cryptogr. 66(1–3), 157–174 (2013).

  20. Shparlinski I.: On RSA moduli with prescribed bit patterns. Des. Codes Cryptogr. 39(1), 113–122 (2006).

  21. Sun H., Wu M., Ting W., Hinek M.J.: Dual RSA and its security analysis. IEEE Trans. Inf. Theory 53(8), 2922–2933 (2007).

  22. Takagi T.: Fast RSA-type cryptosystem modulo \(p^kq\). In: Krawczyk H. (ed.) CRYPTO 1998. Lecture Notes in Computer Science, vol. 1462, pp. 318–326. Springer, Heidelberg (1998).

  23. Takayasu A., Kunihiro N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. IEICE Trans. 97-A(6), 1259–1272 (2014).

  24. Takayasu A., Kunihiro N.: Partial key exposure attacks on RSA: achieving the Boneh-Durfee bound. In: Joux A., Youssef A.M. (eds.) SAC 2014. Lecture Notes in Computer Science, vol. 8781, pp. 345–362. Springer International Publishing, Switzerland (2014).

  25. Vanstone S.A., Zuccherato R.J.: Short RSA keys and their generation. J. Cryptol. 8(2), 101–114 (1995).

  26. Wiener M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990).


Acknowledgments

The authors would like to thank anonymous reviewers for their helpful comments and suggestions. The work of this paper was supported by the National Key Basic Research Program of China (Grants 2013CB834203 and 2011CB302400), the National Natural Science Foundation of China (Grants 61472417, 61402469, 61472416, 61502488 and 61272478), the Strategic Priority Research Program of Chinese Academy of Sciences under Grant XDA06010702 and XDA06010703, and the State Key Laboratory of Information Security, Chinese Academy of Sciences. Y. Lu is supported by Project CREST, JST.

Author information

Corresponding author

Correspondence to Jun Xu.

Additional information

Communicated by I. Shparlinski.

Appendices

Appendix 1: Proof of Lemma 3

In this section, we give a simple proof of Lemma 3.

Proof

It is clear that

$$\begin{aligned} \int _{t-1}^{m}x^rdx<\sum \limits _{k=t}^{m}k^r<\int _{t}^{m+1}x^rdx, \end{aligned}$$

namely,

$$\begin{aligned}&\frac{1-\tau '}{r+1}m^{r+1}+o(m^{r+1})=\frac{m^{r+1}-(t-1)^{r+1}}{r+1}<\sum \limits _{k=t}^{m}k^r\\&<\frac{(m+1)^{r+1}-t^{r+1}}{r+1}=\frac{1-\tau '}{r+1}m^{r+1}+o(m^{r+1}). \end{aligned}$$

Since the difference \(\frac{(m+1)^{r+1}-t^{r+1}}{r+1}-\frac{m^{r+1}-(t-1)^{r+1}}{r+1}\) contains only terms \(m^i\) of lower order than \(m^{r+1}\), the desired claim holds. \(\square \)

Appendix 2: General calculation of the determinant of \({\mathcal {L}}_2\)

The detailed formula for the determinant of the lattice \({\mathcal {L}}_2\) in Sect. 3 is

$$\begin{aligned} \det ({\mathcal {L}}_2)=U^{S_u}X^{S_x}Y^{S_y}Z^{S_z}(el_{21}')^{S_e}, \end{aligned}$$

where

$$\begin{aligned} S_u= & {} \sum _{k=0}^{m}\sum _{j=0}^{m-k}\sum _{i=0}^{m-k-j}k+\sum _{j=1}^{t}\sum _{k= \lfloor \frac{m}{t}\rfloor j}^{m}\sum _{l=0}^{k}l\\= & {} \frac{1}{24}m^4 + \left( \frac{1}{4}+\frac{t}{6}\right) m^3 + \left( \frac{11}{24}+\frac{t}{2}\right) m^2 + \left( \frac{1}{4}+\frac{t}{3}\right) m + \left( \frac{1}{12}t+\frac{1}{12}t^2\right) \lfloor \frac{m}{t}\rfloor \\&-\left( \frac{1}{24}t^2+\frac{1}{12}t^3+\frac{1}{24}t^4\right) {\lfloor \frac{m}{t}\rfloor }^3. \end{aligned}$$

In order to optimize the choice of t, we represent t as \(\tau m\), where \(\tau \in [0,1]\). We have that

$$\begin{aligned} S_u\approx & {} \frac{1}{24}m^4 + \left( \frac{1}{4}+\frac{\tau m}{6}\right) m^3 + \left( \frac{11}{24}+\frac{\tau m}{2}\right) m^2 + \left( \frac{1}{4}+\frac{\tau m}{3}\right) m + \left( \frac{1}{12}+\frac{1}{12}\tau m\right) m \\&-\left( \frac{1}{24\tau m}+\frac{1}{12}+\frac{1}{24}\tau m\right) m^3\\= & {} \left( \frac{1}{24}+\frac{\tau }{8}\right) m^4 + \left( \frac{1}{3}+\frac{\tau }{2}\right) m^3 + \left( \frac{11}{24}+\frac{5\tau }{12}-\frac{1}{24\tau }\right) m^2+\frac{1}{3}m. \end{aligned}$$

Similarly,

$$\begin{aligned} S_x&= \sum _{k=0}^{m}\sum _{j=0}^{m-k}\sum _{i=0}^{m-k-j}i\\&= \frac{1}{24}m^4 + \frac{1}{4}m^3 + \frac{11}{24}m^2 + \frac{1}{4}m,\\ S_y&= \sum _{j=1}^{t}\sum _{k=\lfloor \frac{m}{t}\rfloor j}^{m}\sum _{l=0}^{k}j\\&= \left( \frac{t}{4}+\frac{t^2}{4}\right) m^2 + \left( \frac{3t}{4}+\frac{3t^2}{4}\right) m - \left( \frac{t}{12}+\frac{t^2}{4}+\frac{t^3}{6}\right) \lfloor \frac{m}{t}\rfloor - \left( \frac{t^2}{8}+\frac{t^3}{4}+\frac{t^4}{8}\right) {\lfloor \frac{m}{t}\rfloor }^2\\&\quad + \frac{t}{2} + \frac{t^2}{2}\\&\approx \frac{\tau ^2}{8}m^4 + \frac{7\tau ^2}{12}m^3 - \left( \frac{1}{8}-\frac{\tau }{2}-\frac{\tau ^2}{2}\right) m^2 - \left( \frac{1}{12}-\frac{\tau }{2}\right) m,\\ S_z&= \sum _{k=0}^{m}\sum _{j=0}^{m-k}\sum _{i=0}^{m-k-j}j+\sum _{j=1}^{t}\sum _{k= \lfloor \frac{m}{t}\rfloor j}^{m}\sum _{l=0}^{k}\left( k-l\right) \\&= \frac{1}{24}m^4 + \left( \frac{1}{4}+\frac{t}{6}\right) m^3 + \left( \frac{11}{24}+\frac{t}{2}\right) m^2 + \left( \frac{1}{4}+\frac{t}{3}\right) m + \left( \frac{t}{12}+\frac{t^2}{12}\right) \lfloor \frac{m}{t}\rfloor \\&\quad -\left( \frac{t^2}{24}+\frac{t^3}{12}+\frac{t^4}{24}\right) {\lfloor \frac{m}{t}\rfloor }^3\\&\approx \left( \frac{1}{24}+\frac{\tau }{8}\right) m^4 + \left( \frac{1}{6}+\frac{\tau }{2}\right) m^3 + \left( \frac{11}{24}+\frac{5\tau }{12}-\frac{1}{24\tau }\right) m^2+\frac{1}{3}m,\\ S_e&= \sum _{k=0}^{m}\sum _{j=0}^{m-k}\sum _{i=0}^{m-k-j}\left( m-k\right) +\sum _{j=1}^{t}\sum _{k= \lfloor \frac{m}{t}\rfloor j}^{m}\sum _{l=0}^{k}\left( m-l\right) \\&= \frac{1}{8}m^4 + \left( \frac{3}{4}+\frac{t}{3}\right) m^3 + \left( \frac{11}{8}+t\right) m^2 + \left( \frac{3}{4}+\frac{2t}{3}\right) m - \left( \frac{t}{4}+\frac{t^2}{4}\right) m\lfloor \frac{m}{t}\rfloor \\&\quad - \left( \frac{t}{12}+\frac{t^2}{4}+\frac{t^3}{6}\right) m{\lfloor \frac{m}{t}\rfloor }^2- \left( \frac{t}{12}+\frac{t^2}{12}\right) \lfloor \frac{m}{t}\rfloor + \left( \frac{t^2}{24}+\frac{t^3}{12}+\frac{t^4}{24}\right) {\lfloor 
\frac{m}{t}\rfloor }^3\\&\approx \left( \frac{1}{8}+\frac{5\tau }{24}\right) m^4 + \left( \frac{7}{12}+\frac{3\tau }{4}\right) m^3 + \left( \frac{9}{8}+\frac{7\tau }{12}-\frac{1}{24\tau }\right) m^2 + \frac{2}{3}m. \end{aligned}$$

Moreover, the dimension of \({\mathcal {L}}_2\) is

$$\begin{aligned} \dim ({\mathcal {L}}_2)&= \sum _{k=0}^{m}\sum _{j=0}^{m-k}\sum _{i=0}^{m-k-j}1+\sum _{j=1}^{t}\sum _{k= \lfloor \frac{m}{t}\rfloor j}^{m}\sum _{l=0}^{k}1\\&= \frac{1}{6}m^3 + \left( 1+\frac{t}{2}\right) m^2 + \left( \frac{11}{6}+\frac{3t}{2}\right) m + t + 1\\&\quad -\left( \frac{t}{4}+\frac{t^2}{4}\right) \lfloor \frac{m}{t}\rfloor - \left( \frac{t}{12}+\frac{t^2}{4}+\frac{t^3}{6}\right) {\lfloor \frac{m}{t}\rfloor }^2\\&\approx \left( \frac{1}{6}+\frac{\tau }{3}\right) m^3 + \left( \frac{3}{4}+\frac{5\tau }{4}\right) m^2 + \left( \frac{19}{12}+\tau -\frac{1}{12\tau }\right) m + 1. \end{aligned}$$

Appendix 3: Calculation of \(\epsilon \)

Here, we give the calculation of \(\epsilon \) in Sect. 3. To obtain integer equations, the following inequality should be satisfied,

$$\begin{aligned} \det ({\mathcal {L}}_2)\le (el_{21}')^{m(\dim ({\mathcal {L}}_2)-3)}, \end{aligned}$$

namely,

$$\begin{aligned}&U^{S_u}X^{S_x}Y^{S_y}Z^{S_z}(el_{21}')^{S_e}\le (el_{21}')^{m(\dim ({\mathcal {L}}_2)-3)} \end{aligned}$$

Putting the upper bounds of \(U,X,Y,Z,el_{21}'\) into the above inequality, we obtain the following sufficient condition,

$$\begin{aligned} N^{(S_x+S_z+S_u)\delta }<N^{\frac{5}{4}m(\dim ({\mathcal {L}}_2)-3)-\frac{5}{4}S_e-\frac{1}{2}S_y- \frac{1}{2}S_u+\frac{1}{4}S_z}, \end{aligned}$$

or equivalently,

$$\begin{aligned} \delta <\frac{\frac{5}{4}m(\dim ({\mathcal {L}}_2)-3)-\frac{5}{4}S_e-\frac{1}{2}S_y- \frac{1}{2}S_u+\frac{1}{4}S_z}{S_x+S_z+S_u} \end{aligned}$$

Putting the values of \(S_u,S_x,S_y,S_z,S_e\) and \(\dim ({\mathcal {L}}_2)\) into the above inequality, we obtain that

$$\begin{aligned} \delta&<\frac{2+6\tau -3\tau ^2}{6+12\tau }\\&-\frac{2\tau (265+570+3\tau ^2)+m(2-9\tau +70\tau ^2+ 9\tau ^3+12\tau ^4)+4m^2\tau (1+3\tau +3\tau ^3)}{6(1+2\tau )(22\tau +m(-2+33\tau +20\tau ^2) +2m^2\tau (7+12\tau )+3m^3\tau (1+2\tau ))} \end{aligned}$$

Putting an optimized value for \(\tau \), which is \(\tau =\frac{\sqrt{21}-3}{6}\), into the above inequality, we obtain

$$\begin{aligned} \delta <\frac{9-\sqrt{21}}{12}+\frac{28(-5+\sqrt{21})m^2+(-427+87\sqrt{21})m-4074+602\sqrt{21}}{2(21(\sqrt{21}-3)m^3+6(13\sqrt{21}-35)m^2+ (273-11\sqrt{21})m+462-66\sqrt{21})} \end{aligned}$$

The relation between m and small constant \(\epsilon \) can be expressed as

$$\begin{aligned} \epsilon =\frac{28(-5+\sqrt{21})m^2+(-427+87\sqrt{21})m-4074+602\sqrt{21}}{2(21(\sqrt{21}-3)m^3+6(13\sqrt{21}-35)m^2+ (273-11\sqrt{21})m+462-66\sqrt{21})} \end{aligned}$$

Obviously, when \(m\rightarrow \infty \), the small constant \(\epsilon \rightarrow 0\).
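The exponent sums of Appendix 2 and the condition on \(\delta \) in Appendix 3 can be checked by direct summation. The following Python sketch is an added example, not code from the paper; the function names are chosen here for illustration, and it uses only the summation ranges and the inequality printed above.

```python
from fractions import Fraction
from math import sqrt


def exponent_sums(m, t):
    """S_u, S_x, S_y, S_z, S_e and dim(L_2) by direct summation (Appendix 2)."""
    s = dict(u=0, x=0, y=0, z=0, e=0, dim=0)
    # First family: index triples (k, j, i) with k + j + i <= m.
    for k in range(m + 1):
        for j in range(m - k + 1):
            for i in range(m - k - j + 1):
                s["u"] += k
                s["x"] += i
                s["z"] += j
                s["e"] += m - k
                s["dim"] += 1
    # Second family: j = 1..t, k = floor(m/t)*j .. m, l = 0..k.
    step = m // t if t else 0
    for j in range(1, t + 1):
        for k in range(step * j, m + 1):
            for l in range(k + 1):
                s["u"] += l
                s["y"] += j
                s["z"] += k - l
                s["e"] += m - l
                s["dim"] += 1
    return s


def delta_bound(m, t):
    """Exact right-hand side of the Appendix 3 condition on delta."""
    s = exponent_sums(m, t)
    num = (Fraction(5, 4) * (m * (s["dim"] - 3) - s["e"])
           - Fraction(1, 2) * (s["y"] + s["u"]) + Fraction(1, 4) * s["z"])
    return num / (s["x"] + s["z"] + s["u"])


def closed_form_s_x(m):
    """Closed form for S_x as printed in Appendix 2."""
    return Fraction(m**4 + 6 * m**3 + 11 * m**2 + 6 * m, 24)


ASYMPTOTIC_BOUND = (9 - sqrt(21)) / 12  # limit of the bound as m grows

if __name__ == "__main__":
    # t is taken close to tau*m with tau = (sqrt(21) - 3) / 6.
    for m, t in [(4, 1), (8, 2), (16, 4), (32, 8)]:
        s = exponent_sums(m, t)
        print(m, t, s["dim"], float(delta_bound(m, t)), ASYMPTOTIC_BOUND)
```

For \(m=4\), \(t=1\) the direct sums give dimension 40, matching the lattice used in Appendix 4.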

Appendix 4: A toy example for Dual RSA

In this section, we list a toy example to illustrate how to use our proposed method to factor moduli of Dual RSA.

Let the moduli be 500-bit and d be 150-bit. Following the key generation algorithm of Dual RSA, we obtained a public key \((N_1,N_2,e)\) as follows:

$$\begin{aligned} N_1=&\, 7135418543774560722620140856776110776099430152802083718705188584711\\&73035771 1652789928260900564547301882240956144650493859335524017719\\&41419792453101151,\\ N_2=&\, 1262494347726269452835428085609115267467621516409305067920010895100\\&94544839\\&696275715987912623853646274164115460757884026862912198681781598176\\&0210768067,\\ e =&\, 7043158314088038309393193683910389656578829673760991492049371325888\\&47392277\\&060175063530352864840845280175949610611093971178549141900241836611\\&822135757. \end{aligned}$$

The private key d is 677313117573867402633263524191702602770017893.

Following the proposed method, we first construct a 2-dimensional lattice \({\mathcal {L}}_1\) with basis matrix

$$\begin{aligned} \begin{pmatrix} A &{} \quad e\\ 0 &{} \quad N_1 \end{pmatrix}, \end{aligned}$$

where

$$\begin{aligned}&A=\,38928577510834635774545711842415248685844591047774069297132925411\\&8786021354. \end{aligned}$$

Then by using the \(L^3\) algorithm, we obtained the reduced basis \(\lambda _1=(l_{11},l_{12}),\lambda _2=(l_{21},l_{22})\), where

$$\begin{aligned} l_{11}=&81906780906035745678960413410183035383717865798051726503866519229867\\&8229690 8236271771441327079519778382134016486,\\ l_{12}=&-9758434302166796903621842285817642953335967903552086821928896109\\&061529963 153048214842815866341824648442630262043,\\ l_{21}=&1683235669163132255439190760451039442688294421050496235026030961750\\&27606814 72898699313228974046348039360839900794,\\ l_{22}=&1385895595846667659189647555914499161333016288680604411853371093204\\&58388222 86668923932358120498123831070081228692. \end{aligned}$$

Then we represented \(v=(Ad,1-k_1(p_1+q_1-1))\) as \(a_1\lambda _1+a_2\lambda _2\), where \(a_1\) and \(a_2\) are integers. Actually, the unknown coefficients are \(a_1=82889345\) and \(a_2=-24669842\). Thus, we obtained the following equation

$$\begin{aligned} d=a_1l_{11}'+a_2l_{21}', \end{aligned}$$

where

$$\begin{aligned} l_{11}'&=\frac{l_{11}}{A}=21040270706844959518058309326703397959,\\ l_{21}'&=\frac{l_{21}}{A}=43239074653951910529873089892757848361. \end{aligned}$$

Then the problem can be reduced to finding small roots \((k_2,-(p_2+q_2-1),a_1)\) of the following modular equation

$$\begin{aligned} f(x,y,z)=x(N_2+y)-el_{11}'z+1\,\,\,{\mathrm {mod}}\,\,el_{21}', \end{aligned}$$

where \(k_2=\frac{ed-1}{N_2-p_2-q_2+1}\).

Following the polynomial selection method, with \(m=4\) and \(t=1\) we constructed a 40-dimensional lattice. Applying the \(L^3\) algorithm to the lattice, we collected more than 30 polynomials sharing the desired small roots. Using the Gröbner basis technique, we solved for the roots efficiently, which concluded our attack.
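The first step of the toy example, writing \(v=(Ad,1-k_1(p_1+q_1-1))\) in the reduced basis of \({\mathcal {L}}_1\) so that \(d=a_1l_{11}'+a_2l_{21}'\), can be reproduced on a small instance. This Python sketch is an added example, not the authors' code: the primes, the choice \(A=\lfloor \sqrt{N_1}\rfloor \) and all function names are assumptions made for illustration, and Lagrange-Gauss reduction stands in for \(L^3\) in dimension 2.

```python
from math import gcd, isqrt


def lagrange_reduce(u, v):
    """Lagrange-Gauss reduction of a rank-2 integer lattice basis (rows u, v)."""
    norm2 = lambda w: w[0] * w[0] + w[1] * w[1]
    if norm2(u) > norm2(v):
        u, v = v, u
    while True:
        n = norm2(u)
        mu = (2 * (u[0] * v[0] + u[1] * v[1]) + n) // (2 * n)  # nearest integer
        v = (v[0] - mu * u[0], v[1] - mu * u[1])
        if norm2(v) >= n:
            return u, v
        u, v = v, u


def split_private_exponent(p, q, d_start):
    """Build a small-d RSA key and express d through the reduced basis of L_1."""
    n1, phi = p * q, (p - 1) * (q - 1)
    d = d_start | 1
    while gcd(d, phi) != 1:  # smallest odd d >= d_start that is invertible
        d += 2
    e = pow(d, -1, phi)
    k1 = (e * d - 1) // phi
    A = isqrt(n1)  # assumption: a scaling factor of size about N^(1/2)
    lam1, lam2 = lagrange_reduce((A, e), (0, n1))
    # v = d*(A, e) - k1*(0, N_1) is a lattice vector; defined with the secret.
    v = (A * d, 1 - k1 * (p + q - 1))
    det = lam1[0] * lam2[1] - lam1[1] * lam2[0]
    a1, r1 = divmod(v[0] * lam2[1] - v[1] * lam2[0], det)  # Cramer's rule
    a2, r2 = divmod(lam1[0] * v[1] - lam1[1] * v[0], det)
    if r1 or r2:
        raise ValueError("v is not in the lattice")
    return {"d": d, "e": e, "phi": phi, "A": A, "N1": n1, "det": det,
            "a1": a1, "a2": a2, "l11p": lam1[0] // A, "l21p": lam2[0] // A}


# Constructed sample input: two known primes near 2^64 and 2^63, d about 38 bits.
SAMPLE = split_private_exponent(2**64 - 59, 2**63 - 25, 2**38)

if __name__ == "__main__":
    r = SAMPLE
    print("d bits:", r["d"].bit_length(),
          "a1 bits:", abs(r["a1"]).bit_length(),
          "a2 bits:", abs(r["a2"]).bit_length())
    print("d == a1*l11' + a2*l21':", r["d"] == r["a1"] * r["l11p"] + r["a2"] * r["l21p"])
```

The printed bit lengths show the split that the attack relies on: the unknown \(d\) is replaced by the two shorter unknowns \(a_1,a_2\) with public coefficients \(l_{11}',l_{21}'\).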


Peng, L., Hu, L., Lu, Y. et al. Cryptanalysis of Dual RSA. Des. Codes Cryptogr. 83, 1–21 (2017). https://doi.org/10.1007/s10623-016-0196-5
