Research article Special Issues

Concurrent factorization of RSA moduli via weak key equations

  • The Rivest-Shamir-Adleman (RSA) algorithm is a widely utilized technique in asymmetric cryptography, primarily for verifying digital signatures and encrypting messages. Its security relies on the integer factorization problem's difficulty, which is computationally infeasible with large security parameters. However, this study revealed scenarios where an attacker can concurrently factorize multiple RSA moduli Ni=piqi under specific conditions. The attack is feasible when the attacker possesses a set of RSA key pairs with certain flaws, allowing each Ni to be factored in polynomial time. We identified vulnerabilities in RSA keys that satisfy particular equations by applying Diophantine approximation and Coppersmith's lattice-based technique. For instance, the study demonstrates that if RSA public exponents ei and moduli Ni adhere to eir(Nipiqi+ui)si=ti, where r,si,ui, and ti are small integers, then all Ni can be factorized simultaneously. Additionally, another vulnerability arises when RSA parameters satisfy eiris(Nipiqi+ui)=ti, enabling concurrent factorization with small integers s,ri,ui, and ti. This research expands the understanding of RSA security by identifying specific conditions under which RSA public-key pairs can be compromised. These findings are relevant to the broader field of cryptography and the ongoing efforts to secure communication systems against sophisticated adversaries.

    Citation: Wan Nur Aqlili Ruzai, You Ying, Khairun Nisak Muhammad, Muhammad Asyraf Asbullah, Muhammad Rezal Kamel Ariffin. Concurrent factorization of RSA moduli via weak key equations[J]. AIMS Mathematics, 2024, 9(10): 28211-28231. doi: 10.3934/math.20241368

    Related Papers:

    [1] Tariq Shah, Muhammad Zohaib, Qin Xin, Bander Almutairi, Muhammad Sajjad . Generalization of RSA cryptosystem based on 2n primes. AIMS Mathematics, 2023, 8(8): 18833-18845. doi: 10.3934/math.2023958
    [2] Hanan Alohali, Muhammad Bilal Khan, Jorge E. Macías-Díaz, Fahad Sikander . On $ \left(\mathit{p}, \mathit{q}\right) $-fractional linear Diophantine fuzzy sets and their applications via MADM approach. AIMS Mathematics, 2024, 9(12): 35503-35532. doi: 10.3934/math.20241685
    [3] Xiaodan Yuan, Jiagui Luo . On the Diophantine equation $\frac{1}{x}+\frac{1}{y}+\frac{1}{z}=\frac{1}{3p}$. AIMS Mathematics, 2017, 2(1): 111-127. doi: 10.3934/Math.2017.1.111
    [4] Ramkumar Kasinathan, Ravikumar Kasinathan, Dumitru Baleanu, Anguraj Annamalai . Well posedness of second-order impulsive fractional neutral stochastic differential equations. AIMS Mathematics, 2021, 6(9): 9222-9235. doi: 10.3934/math.2021536
    [5] Limin Zhou, Qiuyang Wang . Simple PKE schemes from the TSPEM problem. AIMS Mathematics, 2024, 9(8): 22197-22212. doi: 10.3934/math.20241079
    [6] Majid Khan, Hafiz Muhammad Waseem . An efficient confidentiality scheme based on quadratic chaotic map and Fibonacci sequence. AIMS Mathematics, 2024, 9(10): 27220-27246. doi: 10.3934/math.20241323
    [7] Yuchan Qi, Huaning Liu . Binary sequences and lattices constructed by discrete logarithms. AIMS Mathematics, 2022, 7(3): 4655-4671. doi: 10.3934/math.2022259
    [8] Wedad Albalawi, Muhammad Imran Liaqat, Fahim Ud Din, Kottakkaran Sooppy Nisar, Abdel-Haleem Abdel-Aty . Well-posedness and Ulam-Hyers stability results of solutions to pantograph fractional stochastic differential equations in the sense of conformable derivatives. AIMS Mathematics, 2024, 9(5): 12375-12398. doi: 10.3934/math.2024605
    [9] Shuqin Zhang, Jie Wang, Lei Hu . On definition of solution of initial value problem for fractional differential equation of variable order. AIMS Mathematics, 2021, 6(7): 6845-6867. doi: 10.3934/math.2021401
    [10] Muhammad Asim Khan, Norma Alias, Umair Ali . A new fourth-order grouping iterative method for the time fractional sub-diffusion equation having a weak singularity at initial time. AIMS Mathematics, 2023, 8(6): 13725-13746. doi: 10.3934/math.2023697
  • The Rivest-Shamir-Adleman (RSA) algorithm is a widely utilized technique in asymmetric cryptography, primarily for verifying digital signatures and encrypting messages. Its security relies on the integer factorization problem's difficulty, which is computationally infeasible with large security parameters. However, this study revealed scenarios where an attacker can concurrently factorize multiple RSA moduli Ni=piqi under specific conditions. The attack is feasible when the attacker possesses a set of RSA key pairs with certain flaws, allowing each Ni to be factored in polynomial time. We identified vulnerabilities in RSA keys that satisfy particular equations by applying Diophantine approximation and Coppersmith's lattice-based technique. For instance, the study demonstrates that if RSA public exponents ei and moduli Ni adhere to eir(Nipiqi+ui)si=ti, where r,si,ui, and ti are small integers, then all Ni can be factorized simultaneously. Additionally, another vulnerability arises when RSA parameters satisfy eiris(Nipiqi+ui)=ti, enabling concurrent factorization with small integers s,ri,ui, and ti. This research expands the understanding of RSA security by identifying specific conditions under which RSA public-key pairs can be compromised. These findings are relevant to the broader field of cryptography and the ongoing efforts to secure communication systems against sophisticated adversaries.



    Information technology is the cornerstone of contemporary society, permeating nearly every facet of daily life. The rapid expansion of today's technological landscape generates an ever-increasing volume of data. As this digital universe expands, the imperative to safeguard and preserve data privacy intensifies, a concern shared by individuals and organizations alike. Security has long been a paramount issue within the realm of computing, particularly concerning the secure transmission of information and data across the Internet. Across various channels, whether via the Internet or through smart devices, reports of data thefts and breaches have shown a consistent upward trend [1]. In response to these challenges, researchers and cryptographers endeavour to innovate novel cryptographic models and enhance existing cryptographic algorithms. These advancements are geared toward practical implementation in real-world applications, aiming to enhance user privacy, fortify data security, strengthen authentication mechanisms, and address many related features [2].

    In the domain of cryptographic algorithms, the RSA public key cryptographic algorithm stands out as one of the earliest and most widely adopted. Known as the RSA cryptosystem, it takes its name from its creators: Ron Rivest, Adi Shamir, and Leonard Adleman, who introduced RSA in their seminal 1977 paper [3]. Contemporary applications of the traditional RSA algorithm encompass key exchanges, digital signatures, and secure communication protocols employed in web browsers, chat applications, email services, VPNs, and other methods necessitating secure data transmission between entities. Initially, a fundamental aspect of the RSA cryptosystem involves multiplying two random prime numbers, denoted as p and q, resulting in the RSA modulus, represented by N. Selecting p and q must adhere to the constraint q<p<2q to prevent factorization using general factoring techniques. Subsequently, the Euler's totient function for N, denoted as ϕ(N), is computed as (p1)(q1). Once ϕ(N) is determined, an integer e less than ϕ(N) is chosen. The private key component, d, is computed such that ed1(modϕ(N)). Next, the pair (N,e) is made publicly available for any encryptor, and the pair (d,N) is only available for the decryptor, with p, q, and ϕ(N) remaining as secret parameters.

    RSA's strength is primarily based on the significant challenge of addressing the integer factorization problem (IFP) for a large integer N and the challenge of resolving the eth root problem. While RSA is generally considered secure, several attacks have been designed to exploit the structure of its key equation. The quadratic sieve (QS) is an efficient algorithm for factoring N, functioning in sub-exponential time due to the use of large n-bit primes for RSA primes p and q [4]. Regarding algorithmic efficiency, the general number field sieve (GNFS) is also highly effective within sub-exponential time, typically with n set to 1024 bits [5]. Note that QS is favored for its simplicity over GNFS and is the fastest method for factoring integers below 100 decimal digits. However, for integers in the 110 to 120 digits range, GNFS outperforms QS.

    In 2013, the government digital IDs agenda with RSA keys of Taiwanese citizens was signed by certificate authorities (CAs) and kept in the Citizen Digital Certificates (CDCs) database. As reported in [6], an attack successfully obtained the prime factors of 184 distinct RSA keys of 1024-bit size, revealing significant susceptibility in the RSA keys and emphasizing the need for robust cryptographic practices. Similarly, in 2017, [7] identified vulnerabilities in both Belgium's e-ID cards and Estonia's digital identity cards, compromising millions of RSA keys. This attack allowed the private key to be derived from the public key, contradicting the RSA principle that factoring the primes of the public key should be computationally infeasible. Due to shortcuts in key generation, it has become possible to factorize 1024-bit keys in minutes and 2048-bit keys in weeks. Ongoing research into RSA public key aggregation is crucial to prevent such vulnerabilities. Note that both notorious cryptanalysis incidents used Coppersmith's partial-key-recovery technique.

    In the context of related work, it is crucial to consider advancements in other areas of secure communication and computational frameworks. For instance, the study in [8] explores using advanced neural network architectures in the Internet of Things (IoT) for police applications. Using memristive systems enhances neural networks' dynamic analysis and performance, which can be crucial for real-time data processing and security in IoT environments. Although this study focuses on a different application area, the underlying principle of improving system robustness and security is highly relevant to our work on RSA vulnerabilities. The techniques developed in memristive neural networks could inspire new approaches to strengthening cryptographic systems. Similarly, [9] emphasizes the importance of privacy protection in the Internet of Medical Things (IoMT). By leveraging hyperchaotic behaviour in memristive Hopfield neural networks (HNN), this study addresses the need for secure data transmission and storage in medical applications. This study's emphasis on privacy and data protection parallels our objective of identifying and mitigating vulnerabilities in RSA encryption, ensuring the confidentiality and integrity of sensitive information. Additionally, [10] explores the design of complex dynamical systems with hidden and hyperchaotic behaviours. Developing fractional-order systems with multi-scroll attractors highlights the potential for creating intricate and secure communication protocols. The insights gained from analysing these systems can be applied to cryptographic research, particularly in developing new algorithms that resist attacks by leveraging the unpredictable nature of hyperchaotic systems. This aligns with our study's focus on addressing the inherent weaknesses in RSA by exploring new mathematical models and techniques.

    Moreover, [11] introduces a Fibonacci-like prime sequence for prime numbers, the study showcases the utility of such sequences in predicting orbits within a fractal space. This concept relates to our work because both studies use advanced mathematical techniques to solve complex problems. In our cryptanalysis, the identification of weak RSA key equations and the concurrent factorization of multiple RSA moduli are achieved through sophisticated mathematical approaches such as Diophantine approximation and Coppersmith's lattice-based method. The Fibonacci-like prime sequence offers a novel perspective that could inspire further exploration of mathematical structures in cryptographic applications, potentially leading to new methods for identifying and mitigating vulnerabilities. Thus, integrating advanced mathematical techniques and dynamic system analysis, as seen in the referenced studies, provides valuable insights that can be applied to cryptographic research. Our findings on RSA vulnerabilities contribute to the ongoing efforts to enhance the security of encryption systems, ensuring the protection of sensitive information in various applications, from IoT and IoMT to broader communication frameworks. The practical implications of our study highlight the need for continuous evaluation and improvement of cryptographic protocols to stay ahead of potential adversaries.

    This cryptanalysis study explores an adversary's ability to access k RSA moduli, Ni=piqi, and their public exponents ei. We present two attacks exploiting weak RSA key equations. The study demonstrates the simultaneous factorization of k RSA moduli (Ni,ei) using a constant r that satisfies eir(Nipiqi+ui)si=ti. Our primary finding reveals that weaknesses in RSA public-key pairs can be exploited under certain conditions, allowing an adversary to simultaneously factorize multiple RSA moduli Ni. Another vulnerability is identified when RSA parameters satisfy eiris(Nipiqi+ui)=ti, allowing concurrent factorization with small, unknown integers s,ri,ui, and ti. Resolving the factorization of each RSA modulus, Ni, using lattice basis reduction enabled the discovery of this vulnerability. Our study demonstrates this new attack and includes a comparative evaluation with existing research, highlighting the novelty and significance of our findings, which extend the comprehension of RSA vulnerabilities and its security measures.

    The remainder of this paper is organized in the following manner. The essential background information, including foundational theorems on continued fractions, lattice basis reduction, simultaneous Diophantine approximations, and other relevant theorems, is provided in Section 2. Our main work, including the proof of our primary attack and illustrative numerical examples, is presented in Section 3. This is followed by a comparison of our results with previously documented attacks on k RSA moduli instances in Section 4. Finally, the paper concludes with a summary of our findings and key takeaways in Section 5.

    First, we introduce an essential tool for solving Diophantine equations. Continued fractions approximate rational and irrational numbers, forming the foundation for constructing the RSA cryptanalysis (and its variants). Continued fractions are defined as follows:

    Definition 2.1. Given any positive ξR, start with ξ0=ξ. For each i=1,2,,n, define ξi as xi and let ξi+1=1ξixi until ξnZ. As a result, ξ can be represented as continued fractions in the following form:

    ξ=x0+1x1+1x2+1x3+1+1xn. (2.1)

    For simplicity, a continued fraction is an expression created by iteratively representing a number as the sum of its integer part and the reciprocal of another number. This process is repeated by writing the new number as the sum of its integer part and another reciprocal, and so on. A finite continued fraction, or terminated continued fraction, stops this iteration after a certain number of steps, using an integer instead of another continued fraction. Conversely, an infinite continued fraction continues indefinitely. In both types, all integers in the sequence, except for the first, must be positive. The integers xi are known as the coefficients or terms of the continued fraction.

    The convergents xy of ξ are fractions denoted by xy=[x0,x1,,xi] for i0. Importantly, suppose ξ=xy is a rational number with gcd(x,y)=1. In that case, the continued fraction expansion of ξ can be determined using the Euclidean algorithm in O(log(y)) time.

    According to Theorem 2.1 (Legendre's theorem), the unknown integers m and n are guaranteed to be among the list of convergents in the continued fraction expansion of a rational number χ, which satisfies the inequality specified in (2.2).

    Theorem 2.1. Consider a rational number χ and let m and n be positive integers such that gcd(m,n)=1. If the inequality

    |χmn|<12n2, (2.2)

    is satisfied, then mn is a convergent in the continued fraction expansion of χ.

    Proof. Please see [12] for the proof.

    The primes in the RSA cryptosystem's key generation should be of the same bit size to enhance its security. Allowing uneven factors is a potential security risk because the "small" factor could be easily found. Hence, the notation q<p<2q indicates that the primes p,q are balanced. Recalled that in Lemma 2.1, we have fixed the lower and upper bounds of the RSA primes of modulus N as follows:

    Lemma 2.1. For an RSA modulus N=pq with p and q being primes of equal bit length such that q<p<2q, the following inequality is satisfied:

    2N2<q<N<p<2N.

    Proof. Please see Lemma 1 of [13] for the proof.

    In the subsequent Lemma 2.2, we demonstrate that the term p+q adheres to the inequalities given in (2.3):

    Lemma 2.2. For an RSA modulus N=pq with p and q being primes of equal bit length with the condition q<p<2q, the following statement is true:

    2N<p+q<32N2. (2.3)

    Proof. Please see Lemma 1 of [14] for the proof.

    Given an accurate approximation of any multiple of a divisor of N, Coppersmith's general result directly offers an efficient factoring method, as shown in Theorems 2.2 and 2.3. These theorems demonstrate that the remaining bits can be determined if a significant portion of p bits are known.

    Theorem 2.2. Consider an RSA modulus N=pq with p>q. Suppose there is an unknown integer b that is not divisible by q and an approximation ˜p of bp such that

    |bp˜p|<N14. (2.4)

    In this case, N can be factorized in polynomial time relative to logN.

    Proof. Please see [15] for the proof.

    Theorem 2.3. Suppose N=pq is an RSA modulus with p>q. Let b be an unknown integer that does not divide by q. Given an approximation ˜p of bp satisfying

    |bp˜p|<2N14, (2.5)

    then N can be factorized in polynomial time relative to logN.

    Proof. Please see [15] for the proof.

    As a result, having an approximation of p+q allows us to determine an integer p.

    Lemma 2.3. Suppose N=pq is a valid RSA modulus satisfying q<p<2q. Let S denote the approximation of p+q where S>2N12 and fulfills:

    |p+qS|<pq3(p+q)N14.

    Then an integer p can be estimated as:

    ˜P=(S+S24N)2.

    This approximation guarantees that:

    |p˜P|<N14.

    Proof. Suppose that S>2N12 and let D=S24N. We have

    |(pq)2D2|=|(pq)2(S24N)|=|p22pq+q2S2+4pq|=|p2+2pq+q2S2|=|(p+q)2S2|. (2.6)

    Observe that (2.6) can also be written as:

    (pq+D)|pqD|=(p+q+S)|p+qS|. (2.7)

    Dividing (2.7) by (pq+D) will yield

    |pqD|=|p+qS|(p+q+S)(pq+D).

    Next, suppose |p+qS|<pq3(p+q)N14. Since pq3(p+q)N14<N14, then

    p+q+S<2(p+q)+N14<3(p+q).

    Considering pq+D>pq, we infer that:

    |pqD|<3(p+q)|p+qS|pq<3(p+q)pqpq3(p+q)N14=N14.

    Next, set ˜p=S+D2 which yields:

    |p˜p|=|pS+D2|=|p+qS+pqD|2|p+qS|2+|pqD|2<12pq3(p+q)N14+12N14<N14,

    where we used 12pq3(p+q)<12.

    Using Lemma 2.2, we can straightforwardly deduce:

    ϕ(N)=N+1(p+q)>N+132N2>12N.

    Suppose we satisfy specific conditions for approximating the term p+q via S. We can apply the same concept when estimating an integer p via ˜P, ensuring the error is less than N1/4. A notable benefit of the LLL algorithm, as discussed in [16], is its proficiency in addressing simultaneous Diophantine approximations (see Theorem 2.4).

    Theorem 2.4. Let α1,α2,,αn be a set of rational numbers, and let 0<ε<1. Suppose there exists an algorithm capable of efficiently computing a sequence of integers pi and an integer q with a computation time that is polynomial in log(pi) such that i=1,2,,k. The theorem holds under the following conditions:

    maxi|qαipi|<ε and q2k(k3)/43kεk.

    Proof. Refer to [17] for the proof.

    A method for factoring the prime numbers pi and qi by solving equations involving multiple RSA moduli is detailed in Theorem 2.5.

    Theorem 2.5. Suppose there are k RSA moduli Ni=piqi, with N being the smallest among them, and k public exponents ei for i=1,2,,k, where k2. Let δ as δ=k2(k+1). If there exists an integer x<Nδ and k integers yi<Nδ and |zi|<piqi3(pi+qi)yiN1/4, satisfying the Diophantine equation eixyiϕ(Ni)=zi, then k RSA moduli, specifically, N1,,Nk, can be factorized in polynomial time.

    Proof. Refer to [17] for the proof.

    This section describes conditions under which an attacker can factorize k RSA moduli Ni concurrently. This vulnerability occurs when the attacker accesses RSA public-key pairs with specific vulnerabilities, allowing each Ni to be efficiently factored in polynomial time. Notably, this vulnerability was identified by employing the lattice basis reduction method to solve the factorization of each RSA modulus Ni. The RSA keys under consideration have parameters that meet the following equations:

    ● Case Ⅰ: eirsi(Nipiqi+ui)=ti.

    ● Case Ⅱ: eiris(Nipiqi+ui)=ti.

    Based on the earlier motivation, we introduce another vulnerability in the RSA cryptosystem. This newly discovered weakness is revealed when an attacker acquires a collection of RSA key pairs with specific flaws, enabling each Ni to be factored within polynomial time. Assume the RSA public tuples (Ni,ei) fulfil the following system of equations:

    eir(Nipiqi+ui)si=ti,

    where concurrent factorization of the system is possible if the integers r,ui,si, and ti are suitably small and unknown. This vulnerability was identified by factorizing each RSA modulus Ni using the lattice basis reduction method. The following theorem outlines the specific conditions for this cryptanalysis approach.

    Theorem 3.1. Examine k RSA moduli, each represented as Ni=piqi, where this holds true for each i from 1 to k, with k3. Denote by N the smallest among these moduli and by ei the corresponding public exponents. Assume there exists a fixed integer r<Nδ, k integers si<Nδ, and positive integers ui such that ui+|ti|si<piqipi+qiN0.25 for each i, where δ=k2(k+1). If the values meet the conditions of the system of equations

    eir(Nipiqi+ui)si=ti,

    then it is possible to efficiently factor the primes of k RSA moduli Ni.

    Proof. Assume k3 where k RSA moduli Ni=piqi are valid for i=1,,k. The equation eir(Nipiqi+ui)si=ti can be rewritten as:

    eirNisi(piqi+ui)si=tieirNisi=ti(pi+qiui)si. (3.1)

    Dividing (3.1) with Ni+ui will yield

    |eirNisi|=|ti(pi+qiui)si|Ni. (3.2)

    From (3.1), let N=minNi and assume that si<Nδ, ui>0, and ui+|ti|si<piqipi+qiN0.25. Then we can have |ti|<piqipi+qisiN0.25<siN0.25<NδN0.25<Nδ+0.25. Since from Lemma 2.2, pi+qi<32N2, hence we obtain

    |ti(pi+qiui)si|Ni|ti|+|(pi+qiui)si|N<|ti|+|(pi+qi)si|N<Nδ+0.25+Nδ32N2N=Nδ+0.25+322Nδ+0.5N<5Nδ+0.5N=5Nδ0.5. (3.3)

    Plugging (3.3) into (3.2), we get

    |eirNi+uisi|<5Nδ0.5.

    The existence of an integer r is demonstrated as follows. Let δ=k2(k+1) and ε=5Nδ12. Here, we get:

    Nδεk=NδNkδk2(5)k=Nδ(1+k)k2(5)k. (3.4)

    Since δ=k2(k+1), (3.4) becomes

    Nk2(k+1)(1+k)k2(5)k=N0(5)k=(5)k<2k(k3)43k. (3.5)

    Combining (3.4) and (3.5), we obtain

    Nδ<2k(k3)43kεk.

    Hence, if r<Nδ, it follows that r<2k(k3)43kεk. Consequently, it holds that:

    |eirNisi|<ε,r<2k(k3)43kεk,

    which meets the conditions stated in Theorem 2.4, allowing for the successful determination of rZ and siZ. Subsequently, via the equation eir(Nipiqi+ui)si=ti will lead us to:

    eir+si(pi+qi)si(Ni+ui)=tieirsi+pi+qiNiui=tisipi+qi(Nieirsi)=tisi+ui|pi+qi(Nieirsi)|=|tisi+ui|.

    Given that |ti|si+ui<piqipi+qiN14 and Xi=Nieirsi is an integer close to the sum of pi+qi with an absolute difference smaller than piqipi+qiN14, it is possible to approximate pi via ˜Pi=12(Xi+X2i4Ni), where |pi˜Pi|<N14i. Therefore, Theorem 2.5 states that it is possible to concurrently determine the prime factors of N1,N2,,Nk within polynomial time.

    Algorithm 1 is introduced next to demonstrate the process of factorizing Ni=piqi according to the approach described in Theorem 3.1.

    Algorithm 1 Simultaneous factorization of k RSA moduli via theorem 3.1
      Input: A set of k3 RSA public tuples (Ni,ei) for each i from 1 to k.
      Output: The corresponding prime numbers pi and qi or .
       1: Choose N to be the minimum of N1,N2,,Nk.
       2: Calculate the value of δ via δ=k2(k+1).
       3: Calculate the value of ε via ε=5Nδ12.
       4: Determine C via C=[2(k+1)(k4)43k+1ε(k+1)] and ci=[CeiNi].
       5: Form a lattice L using the matrix A elements.
       6: Execute the LLL algorithm on matrix A to generate a reduced basis matrix B.
       7: Determine matrix D by calculating D=BA1.
       8: Assign labels to each element in the first row of D from left to right, denoting them as r,s1,,sk.
       9: For i=1,2,,k do.
      10:       Calculate Xi=[Nieirsi].
      11:       Calculate ˜Pi=12(Xi+X2i4Ni).
      12:       Utilize Coppersmith's method on ˜Pi to determine the value of pi.
      13:       Complete the factorization of Ni by computing qi=Nipi.
      14:       If qi is an integer, then return pi,qi.
      15:       Else the algorithm has failed or return .
      16: end for

    To demonstrate the attack detailed in Theorem 3.1 and implemented via Algorithm 1, we present the following example. This attack was performed on a Windows 10 system, utilizing a computer equipped with an Intel (R) Core (TM) i5-8265U CPU running at 1.60 GHz and 12.0 GB of RAM.

    Example 3.1. Assume an attacker has obtained three different RSA-256 moduli Ni, each paired with its respective public exponent ei, given by:

    N1=15498671550097317874000325521713072888209815771283424082567740030449146537211,e1=8124506337380515490766711101457874653400035582059124988826083358061484367919;N2=45466924318058459709686176924439022552298711950594090013987406587074535233259,e2=16102198214541781444411489979036444827470504513008138816987321564651598410513;N3=17437304443824569053279135598346130164658710365272925391550310539916852737229,e3=5605734312901512875793353915987968781210413282326733154728983299178754886809.

    Start by selecting N as the smallest among N1N3.

    N=15498671550097317874000325521713072888209815771283424082567740030449146537211.

    Setting k=3, we compute δ using the formula δ=k2(k+1)=0.3750. Subsequently, ε is determined by 5Nδ125.852×1010. The next step involves calculating:

    C=[2(k+1)(k4)43k+1ε(k+1)]=345332739100000000000000000000000000000.

    Additionally, for i=1,2,3, we compute:

    ci=[Cei(Ni+1)],

    which yielded the following results:

    c1=181025710381307170556997940432250134516,c2=122300250090817968499412983989936080793,c3=111017364591963408590726358270037864780.

    Proceeding to step 5, a lattice L is generated by the entries of the matrix A.

    A=[1c1c2c30C0000C0000C].

    Subsequently, the LLL algorithm is executed on matrix A to generate a reduced basis matrix B:

    B=[B11B12B13B14B21B22B23B24B31B32B33B34B41B42B34B44],

    which has the following entries:

    B11=13412150344881302146887292871,B31=45330317096288856394830337626,B12=40256743631042325819162164564,B32=14695828243710685836196099016,B13=15327238423192297988691073297,B33=47776834763861826340596182582,B14=20336643543331691800644016620,B34=62897224685379110891534212280,B21=19462069970085913825063307624,B41=84302773261406976645446061769,B22=45912856885306627310111650016,B42=39164202860686498472694918804,B23=32382937827588556411876865832,B43=54753406998703645880452502817,B24=57878066634331431109255082720,B44=46025141824011067239250404180.

    In step 7, we compute the matrix D by performing D=BA1.

    D=[D11D12D13D14D21D22D23D24D31D32D33D34D41D42D34D44],

    where

    D11=13412150344881302146887292871,D12=7030738094079049587443387317,D13=4749938698860636698956625881,D14=4311730155329241101548919906,D21=19462069970085913825063307624,D22=10202146054867081511116066681,D23=6892529306169411609547369167,D24=6256654735992653191546062897,D31=45330317096288856394830337626,D32=23762452629170958168210402367,D33=16053818505655285318475071292,D34=14572763512847056441589021734,D41=84302773261406976645446061769,D42=44192072424217091812394937682,D43=29855988401476166908699067823,D44=27101605656233717030337027181.

    In step 8, assign the labels r,s1s3 from left to right to the elements in the first row of D as follows:

    r=D21=13412150344881302146887292871,s1=D22=7030738094079049587443387317,s2=D23=4749938698860636698956625881,s3=D24=4311730155329241101548919906.

    Now, compute Xi via the formula Xi=[Nieirsi] which outputs:

    X1=269402126838606667907066115287494725655,X2=439723656699230572089169064734715107754,X3=274132486228506946820442084641848440683.

    Then, we compute ˜Pi=12(Xi+X2i4Ni) resulting in the following output:

    ˜P1=186137479859349591396353749057276843688,˜P2=273455664256156219005798240539525803548,˜P3=173806555546663035866787592776739545043.

    Observe that the value ˜Pi is an approximation of the prime pi and satisfies |pi~Pi|<N0.25. Therefore, we utilize Coppersmith's method on ˜Pi to determine pi:

    p1=186137479859349591396353749057276843697,p2=273455664256156219005798240539525803553,p3=173806555546663035866787592776739545059.

    Finally, we factor N1N3 by identifying q1q3 such that qi=Nipi. The obtained values are as follows:

    q1=83264646979257076510712366230217881963,q2=166267992443074353083370824195189304203,q3=100325930681843910953654491865108895631.

    Remark 3.1. It is crucial to observe that in Example 3.1, the value of r, which approximates N0.369, exceeds the thresholds set by previous research. Notably, it surpasses the limit of x<13N0.25 as reported in [18], as well as the bounds of xN0.344 found in [17] and dN0.345 in [19].

    Given the earlier motivation discussed, we highlight an additional vulnerability in the RSA encryption system. That is when an adversary obtains a collection of RSA public key pairs exhibiting certain vulnerabilities, this newfound weakness permits the simultaneous factorization of each Ni in polynomial time. In particular, the RSA keys in this collection include parameters that satisfy the conditions of the following system of equations:

    eiris(Nipiqi+ui)=ti,

    allowing for concurrent factorization if suitably small, unknown integers s,ui,ri, and ti are present. Notably, this vulnerability was discovered by successfully factoring each RSA modulus Ni via the lattice basis reduction method. The theorem below details this cryptanalytic technique.

    Theorem 3.2. Consider k RSA moduli of the form Ni=piqi for each i from 1 to k, with k3. Let N denote the largest modulus among these, and let ei be k public exponents where minei=Nα. Suppose there exists an integer s with s|ti|si+ui<piqipi+qiN14, where δ=k(2α1)2(k+1). These conditions must satisfy the equation

    eiris(Nipiqi+ui)=ti.

    Under these conditions, the factorization of all k RSA moduli can be performed simultaneously in polynomial time.

    Proof. Rewrite the equation eiris(Nipiqi+ui)=ti as eirisNi=tis(pi+qiui) and divide both sides of the equation by ei. Subsequently, take the absolute value on both sides of the equation, resulting in:

    |Niseiri|=|tis(pi+qiui)|ei. (3.6)

    Choose N=max{Ni} and assume that s<Nδ, ui>0, and |ti|s+ui<piqipi+qiN14. Consequently, |ti|<piqipi+qisN14<sN14<NδN14<Nδ+14. Utilizing Lemma 2.2, which asserts pi+qi<32N2, and considering minei=Nα, we derive:

    |tis(pi+qiui)|ei|ti|+s(pi+qiui)Nα<|ti|+s(pi+qi)Nα<Nδ+14+Nδ322N12Nα<5Nδ+12Nα=5Nδ+12α. (3.7)

    Substituting (3.7) into (3.6), we obtain

    |Niseiri|<5Nδ+12α.

    Our goal now is to verify the existence of an integer s. Define δ=k(2α1)2(k+1) and ϵ=5Nδ+12α. The subsequent calculations unfold as follows:

    Nδϵk=NδNkδ+k2kα(5)k=Nδ(1+k)+k2kα(5)k=Nk(2α1)2(k+1)(1+k)+k2kα(5)k=N0(5)k=(5)k<2k(k3)43k.

    Consequently, we derive

    Nδ<2k(k3)43kϵk.

    If s<Nδ, then s<2k(k3)43kϵk. Now, we summarize for:

    |Niseiri|<ϵ,s<2k(k3)43kϵk.

    Thus, the conditions of Theorem 2.4 are satisfied, which enables us to determine s and ri. Subsequently, using the equation eiris(Nipiqi+ui)=ti, we obtain:

    eiri+s(pi+qi)s(Ni+ui)=tieiris+pi+qiNiui=tispi+qi(Nieiris)=tis+ui|pi+qi(Nieiris)|=|tis+ui|.

    Since |ti|s+ui<piqipi+qiN14, it follows that |tis+ui|<|ti|s+ui<piqipi+qiN14 and Ai=Nieirs approximates pi+qi with an error less than piqipi+qiN14. Therefore, according to Lemma 3, let Bi=|A2i4Ni|, and we can determine an approximation ~Pi=12(Ai+Bi) of pi satisfying |pi~Pi|<N14.

    As a result, for each i=1,2,,k, we can determine pi using Theorem 2.5, thereby achieving the factorization of N1,N2,,Nk.

    Next, Algorithm 2 is provided to explain the steps involved in factorizing Ni=piqi using the methodology described in Theorem 3.2.

    Algorithm 2 Simultaneous factorization of k RSA moduli using theorem 3.2
      Input: k3 set of RSA public key sets (Ni,ei) such that i=1,2,,k.
      Output: The corresponding prime numbers pi and qi or .
       1: Select N as the maximum among N1,N2,,Nk.
       2: Determine α such that Nα=min(e1,e2,,ek).
       3: Compute δ using δ=k(2α1)2(k+1).
       4: Evaluate ϵ=5Nδ+12α.
       5: Calculate C=[3k+12(k+1)(k4)4ϵk1] and ci=[CNiei].
       6: Form the lattice L using the elements of matrix M.
       7: Apply the LLL algorithm to matrix L to obtain matrix K.
       8: Evaluate a matrix H via H=KM1.
       9: Extract each element from the first row of matrix H and denote them as s,r1,r2,,rk.
      10: For i=1,2,,k do.
      11:     Compute Ai=Nieiris and Bi=|A2i4Ni|.
      12:     Compute ~pi=12(Ai+Bi).
      13:     Utilize Coppersmith's method on ˜Pi to determine the value of pi.
      14:     Calculate qi=Nipi.
      15:     If qi ia an integer, then output pi,qi.
      16:     Else algorithm has failed or output .
      17: end for

    In this section, we illustrate to clarify the methodology outlined in Theorem 3.2, employing Algorithm 2. The attack detailed in Theorem 3.2 was executed on a Windows 10 system, using a computer equipped with an Intel(R) Core(TM) i5-8265U CPU operating at 1.60 GHz and 12.0 GB of RAM.

    Example 3.2. Suppose an attacker has acquired three distinct pairs of RSA-140 moduli Ni, each associated with its corresponding public exponent ei as follows:

    N1=207721379736588191166934250883799623994063,e1=14947091956444666045808009203078043358579,N2=800733525531802006632923165295502784854571,e2=52536194339797485372565490843212651987313,N3=679910618939422296290429319442096304194471,e3=7785970602573890898951075644388056538126.

    Start by selecting N as the maximum among N1N3 and e=min(e1,e2,e3).

    N=max(N1,N2,N3)=800733525531802006632923165295502784854571,e=min(e1,e2,e3)=7785970602573890898951075644388056538126.

    Since Nα=min(e1,e2,e3), we can get α=0.951981. Let k=3. Following this, we obtain δ=k(2α1)2(k+1)=0.338985 and ϵ=5Nδ+12α0.0000411678.

    Next, the following calculation is performed:

    C=[3k+12(k+1)(k4)4ϵk1]=14100171250000000000.

    Then, we calculate the following for i=1,2,3:

    ci=[CNiei],

    which yields the following results:

    c1=195951629595035077864,c2=214908597348891597486,c3=1231298787407458103035.

    Proceeding to step 6, we form a lattice using the entries of the matrix M as its generating elements.

    M=[1c1c2c30C0000C0000C]=[11959516295950350778642149085973488915974861231298787407458103035014100171250000000000000014100171250000000000000014100171250000000000].

    Subsequently, the LLL algorithm is executed on matrix M to generate a reduced basis matrix K:

    K=[326722351723363462121877030433355434729686682869639760271743908406525161876347267213699725019912821007117421180243277378527129252743848627544843505991976944087462473651534620382887036729425900725608810140562902638286245255736155].

    Next, compute matrix H=KM1:

    H=[32672235172336454049643158161497975812395885285310602519019927174390840652377645496218931414180091562724237300624917099124327737852712933808524677314913707926610180756212442200788248673462038288703674811232660680562527668621466893730232282085503183].

    Observe the first row of the matrix H as follows:

    [326722351723364540496431581614979758123958852853106025190199].

    Now, deduce the elements in the first row of H as s,r1r3 from left to right as follows:

    s=32672235172336,r1=454049643158161,r2=497975812395885,s3=2853106025190199.

    Then, define Ai=Nieiris and Bi=|A2i4Ni| which yield the following outputs:

    A1=1195802353093372472503,A2=1802897344297980320018,A3=1710450864196376374599,B1=773988209675892859456,B2=217955802743359334967,B3=453871879578853827542.

    Then, compute ~pi=12(Ai+Bi), which returns:

    ˜p1=984895281384632665980,˜p2=1010426573520669827493,˜p3=1082161371887615101071.

    Observe that the value ˜Pi is an approximation of the prime pi and satisfies |pi~Pi|<N0.25. Therefore, we utilize Coppersmith's method on ˜pi to determine pi. Finally, we complete the factorization of N1N3 by identifying q1q3 such that qi=Nipi. The obtained values are as follows:

    p1=984895281384632665981,q1=210907071708739806523,p2=792470770777310492489,q2=1010426573520669827539,p3=1082161371887615101073,q3=628289492308761273527.

    Remark 3.2. In Example 3.2, we observe that min(r1,r2,r3)N0.350 surpasses the limits set by previous research. Specifically, it exceeds the bounds established by Blömer-May (x<13N0.25) as documented in [18], by Ariffin et al. (dN0.336) as reported in [19], and by Nitaj et al. (xN0.337) as mentioned in [17].

    As shown in Table 1, our findings are compared with established cryptanalysis on multiple instances of RSA moduli, each represented as Ni=piqi. We classify these attacks based on the specific modifications made to the key equation's structure and the corresponding requirements to execute them. The table highlights the specific conditions and parameters under which these attacks succeed.

    Table 1.  Comparison of our attacks with established cryptanalysis of RSA moduli.
    Cryptanalysis Manipulated Key Equation Associated Requirements
    Hinek eidkiϕ(Ni)=1 The exponent d where d<Nδk,
    (2009, [20]) δ<12k2(k+1)ε
    where ε=logNk(6)
    Nitaj et al. eixiyϕ(Ni)=zi Fixed unknown y where y<Nδ,
    (2014, [17]) xi<Nδ, |zi|<piqi3(pi+qi)yN0.25,
    where δ=k(2α1)2(k+1), xi,yZ
    Ariffin et al. eidskϕ(Ns)=zs Fixed unknown k where k<Nγ,
    (2019, [19]) ds<Nγ,zs<Nγ,
    where γ=t(1+2α)2(4t+1)
    Ruzai et al. eix2y2iϕ(Ni)=zi Fixed unknown x where x2<Nδ,
    (2022, [2]) y2i<Nδ, |zi|<piqi3(pi+qi)y2iN14,
    where δ=k2(k+1), x2,y2iZ
    Ruzai et al. eix2iy2ϕ(Ni)=zi Fixed unknown y where y2<Nδ,
    (2024, [21]) x2i<Nδ, |zi|<piqi3(pi+qi)y2N14,
    where δ=k(2α1)2(k+1), x2,y2iZ
    Our result: Case Ⅰ eirsi(Nipiqi+ui)=ti Fixed unknown r where r<Nδ,
    (Theorem 3.1) si<Nδ, ui>0, |ti|si+ui<piqi(pi+qi)N14,
    where δ=k2(k+1)
    Our result: Case Ⅱ eiris(Nipiqi+ui)=ti Fixed unknown s where s<Nδ,
    (Theorem 3.2) ri<Nδ, ui>0, |ti|si+ui<piqi(pi+qi)N14,
    where minei=Nα,δ=k(2α1)2(k+1)

     | Show Table
    DownLoad: CSV

    Our comparison criteria include the type of RSA moduli, weaknesses exploited in the key generation process, and mathematical techniques, such as lattice basis reduction or Coppersmith's method. Our findings demonstrate broader applicability and robustness compared to previously documented attacks requiring specific conditions. This analysis underscores the significant impact of our contributions to cryptanalysis and the need to revisit RSA-based systems' security assumptions.

    In summary, Table 1 illustrates the advancements made by our study about existing cryptanalysis, reinforcing the importance of ongoing research to enhance RSA encryption security.

    In conclusion, our research has effectively shown the simultaneous factorization of (Ni,ei) for k RSA moduli instances. This was achieved by utilizing a constant value r that meets the weak RSA key equation eir(Nipiqi+ui)si=ti. Our study's key finding is that, given certain detailed conditions, an attacker can concurrently factorize multiple RSA moduli Ni. The defect occurs once the attacker obtains a collection of RSA key pairs with specific flaws, enabling each Ni to be factored concurrently in polynomial time, given the existence of suitably small, unknown integers r,si,ui, and ti.

    Additionally, we discovered another weakness where an adversary can exploit RSA parameters that satisfy the system of equations eiri(Nipiqi+ui)s=ti. These parameters can be factored simultaneously if the necessary small, unknown integers s,ri,ui, and ti are present. It is essential to note that this vulnerability was identified through the factorization of each RSA modulus Ni using Diophantine approximation and Coppersmith's lattice-based technique. Furthermore, our cryptanalysis demonstrates this new attack and provides a comparative analysis with existing research.

    Significantly, the results of this work broaden the scope of insecure RSA decryption exponents. For example, consider the case of rogue certificate authorities (RCAs). RCA can issue seemingly legitimate but compromised certificates, introducing hidden vulnerabilities into the public key infrastructure. These certificates can be exploited between issuance and discovery to compromise private keys. The existence of RCAs underscores the importance of identifying weak public keys. Since the weak keys often meet standard key generation criteria, the cryptosystem may continue operating undetected. If an adversary uncovers these certificates, they can exploit them to derive private keys, even without direct access to private information. Certificate authorities and organizations must adopt proactive strategies to mitigate these risks. Strengthening key generation practices, avoiding predictable patterns, and addressing weak keys as vulnerabilities can help reduce the risks. This paper explores a potential RCA methodology for the RSA cryptosystem, offering practical solutions to enhance cryptosystem resilience.

    Wan Nur Aqlili Ruzai: Writing-original draft, Writing-review & editing, Methodology, Conceptualization, Formal analysis; You Ying: Writing-original draft, Formal analysis, Software; Khairun Nisak Muhammad: Writing-review & editing, Validation; Muhammad Asyraf Asbullah: Conceptualization, Methodology, Funding acquisition, Validation, Writing-review & editing; Muhammad Rezal Kamel Ariffin: Supervision, Validation. All authors have read and approved the final version of the manuscript for publication.

    The authors sincerely thank the anonymous reviewers for their insightful comments and constructive suggestions.

    This research was made possible through financial support from Universiti Putra Malaysia.

    The authors declare no conflict of interest.



    [1] A. Nitaj, M. R. K. Ariffin, N. N. H. Adenan, T. S. C. Lau, J. Chen, Security issues of novel RSA variant, IEEE Acce., 10 (2022), 53788–53796. https://doi.org/10.1109/ACCESS.2022.3175519 doi: 10.1109/ACCESS.2022.3175519
    [2] W. N. A. Ruzai, A. Nitaj, M. R. K. Ariffin, Z. Mahad, M. A. Asbullah, Increment of insecure RSA private exponent bound through perfect square RSA diophantine parameters cryptanalysis, Comput. Stand. Inter., 80 (2022), 103584. https://doi.org/10.1016/j.csi.2021.103584 doi: 10.1016/j.csi.2021.103584
    [3] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Commun. ACM., 21 (1978), 17–28.
    [4] T. R. Herman, L. Walter, D. Winter, Factoring with the quadratic sieve on large vector computers, J. Comput. Appl. Math., 27 (1989), 267–278. https://doi.org/10.1016/0377-0427(89)90370-1 doi: 10.1016/0377-0427(89)90370-1
    [5] A. H. A. Ghafar, M. R. K. Ariffin, S. M. Yasin, S. H. Sapar, Partial key attack given MSBs of CRT-RSA private keys, Mathematics, 8 (2020), 2188. https://doi.org/10.3390/math8122188 doi: 10.3390/math8122188
    [6] D. J. Bernstein, Y. A. Chang, C. M. Cheng, L. P. Chou, N. Heninger, T. Lange, et al., Factoring RSA keys from certified smart cards: Coppersmith in the wild, Adv. Crypt.-ASIACR., 2013,341–360. https://doi.org/10.1007/978-3-642-42045-0_18
    [7] M. Nemec, M. Sys, P. Svenda, D. Klinec, V. Matyas, The return of Coppersmith's attack: Practical factorization of widely used RSA moduli, Proc. 2017 ACM SIGSAC Conf. Comput. Commun. Secur., 2017, 1631–1648. https://doi.org/10.1145/3133956.3133969
    [8] H. Lin, X. Deng, F. Yu, Y. Sun, Grid multi-butterfly memristive neural network with three memristive systems: Modeling, dynamic analysis, and application in police IoT, IEEE Int. Things J., 2024. https://doi.org/10.1109/JIOT.2024.3409373
    [9] H. Lin, X. Deng, F. Yu, Y. Sun, Diversified butterfly attractors of memristive HNN with two memristive systems and application in IoMT for privacy protection, IEEE Trans. Comput.-Aided Design Int. Circu. Syst., 2024. https://doi.org/10.1109/TCAD.2024.3429410
    [10] F. Yu, S. Xu, Y. Lin, T. He, C. Wu, H. Lin, Design and analysis of a novel fractional-order system with hidden dynamics, hyperchaotic behavior and multi-scroll attractors, Mathematics, 12 (2024), 2227. https://doi.org/10.3390/math12142227 doi: 10.3390/math12142227
    [11] J. H. He, Q. Yang, C. H. He, A. A. Alsolami, Unlocking the plants' distribution in a fractal space, Fractals, 31 (2023), 2350102. https://doi.org/10.1142/S0218348X23501025 doi: 10.1142/S0218348X23501025
    [12] M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory, 36 (1990), 553–558. https://doi.org/10.1109/18.54902 doi: 10.1109/18.54902
    [13] A. Nitaj, Another generalization of Wiener's attack on RSA, Prog. Crypt.-AFRICACRYPT, 2008,174–190. https://doi.org/10.1007/978-3-540-68164-9_12
    [14] A. Nitaj, Diophantine and lattice cryptanalysis of the RSA cryptosystem, Artif. Intell. Evolut. Comput. Metah., 2013,139–168. https://doi.org/10.1007/978-3-642-29694-9_7
    [15] D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptology, 10 (1997), 233–260. https://doi.org/10.1007/s001459900030 doi: 10.1007/s001459900030
    [16] A. K. Lenstra, H. W. Lenstra, L. Lovász, Factoring polynomials with rational coefficients, Mathemat. Annalen, 261 (1982), 515–534. https://doi.org/10.1007/BF01457454 doi: 10.1007/BF01457454
    [17] A. Nitaj, M. R. K. Ariffin, D. I. Nassr, H. M. Bahig, New attacks on the RSA cryptosystem, in Prog. Crypt.-AFRICACRYPT, 2014,178–198. https://doi.org/10.1007/978-3-319-06734-6_12
    [18] J. Blömer, A. May, A generalized Wiener attack on RSA, Publ. Key Crypt.-PKC, 2004, 1–13. https://doi.org/10.1007/978-3-540-24632-9_1
    [19] M. R. K. Ariffin, S. I. Abubakar, F. Yunos, M. A. Asbullah, New cryptanalytic attack on RSA modulus N=pq using small prime difference method, Cryptography, 3 (2019), 2. https://doi.org/10.3390/cryptography3010002 doi: 10.3390/cryptography3010002
    [20] M. J. Hinek, Cryptanalysis of RSA and its Variants, New York: Chapman and Hall/CRC, 2009. https://doi.org/10.1201/9781420075199
    [21] W. N. A. Ruzai, M. R. K. Ariffin, M. A. Asbullah, A. H. Abd Ghafar, New simultaneous Diophantine attacks on generalized RSA key equations, J. King Saud Univ.-Computer Inf. Sci., 36 (2024), 102074. https://doi.org/10.1016/j.jksuci.2024.102074 doi: 10.1016/j.jksuci.2024.102074
  • This article has been cited by:

    1. Wan Nur Aqlili Ruzai, Normahirah Nek Abd Rahman, Muhammad Asyraf Asbullah, Another Look at the Security Analysis of the Modulus N = p2q by Utilizing an Approximation Approach for ϕ(N), 2024, 1016-2526, 123, 10.52280/pujm.2024.56(5)01
  • Reader Comments
  • © 2024 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)
通讯作者: 陈斌, bchen63@163.com
  • 1. 

    沈阳化工大学材料科学与工程学院 沈阳 110142

  1. 本站搜索
  2. 百度学术搜索
  3. 万方数据库搜索
  4. CNKI搜索

Metrics

Article views(808) PDF downloads(54) Cited by(1)

Figures and Tables

Tables(1)

/

DownLoad:  Full-Size Img  PowerPoint
Return
Return

Catalog