Analytical cryptanalysis upon N = p²q utilizing the Jochemsz-May strategy

This paper presents a cryptanalytic approach on the variants of RSA which utilize the modulus N = p²q, where p and q are balanced large primes. Suppose e ∈ Z⁺ satisfies gcd(e, ϕ(N)) = 1, where ϕ(N) = p(p − 1)(q − 1), and let d < N^δ be its multiplicative inverse. Starting from ed − kϕ(N) = 1 and utilizing the extended strategy of Jochemsz and May, our attack works when the primes share a known amount of Least Significant Bits (LSBs). This is achievable since we obtain the small roots of our specially constructed integer polynomial, which leads to the factorization of N. More specifically, we show that N can be factored when δ < 11/9 − (2/9)√(4 + 18γ). Our attack enhances the bound of some former attacks upon N = p²q.


Introduction
Secure communication up until the 70's was carried out symmetrically. In other words, both the encryption and decryption processes used the same key. Later, in 1978, the first asymmetric cryptosystem went public and solved the problematic issue of distributing keys. This cryptosystem used different keys to encrypt and decrypt the data. It is known as the RSA cryptosystem [1]. The RSA algorithm comprises key generation, encryption and decryption. During key generation, two large balanced primes p and q are generated and the modulus N = pq is computed. Next, let e be a random integer such that gcd(e, ϕ(N)) = 1, where ϕ(N) = (p − 1)(q − 1) is the Euler totient function. Let d be the multiplicative inverse of e, such that ed ≡ 1 (mod ϕ(N)). The pair (N, e) is made public for encryption, while p, q, ϕ(N) and d are kept private. For decryption, the private parameter d is needed. The security of the RSA cryptosystem relies on the hardness of solving the integer factorization problem on N = pq, of solving the key equation ed − kϕ(N) = 1, and of solving the RSA Diophantine key equation, that is, C ≡ M^e (mod N). Up until today, the RSA cryptosystem has remained secure.
In 1990, [2] found a potential weakness in this cryptosystem. He proved that if d < (1/3)N^{1/4}, then one can factor N by using the continued fraction expansion method. In the following years, more researchers worked on the same objective as [2] and managed to enhance it. [3] came out with an astounding method that is very useful for finding the roots of either univariate or multivariate polynomials. Since then, this method has been used extensively in both cryptography and cryptanalysis. [4] utilized this method in their attack and improved the bound of [2] up to d < N^{0.292}. Another potential weakness of the RSA cryptosystem arises when there is leaked information regarding either the MSB(s) or LSB(s) of the private keys, which is known as a partial key exposure attack. In 1998, [5] proved that the whole value of d could be retrieved if a quarter of d is known. [6] and [7] also showed that if the primes share either MSB(s) or LSB(s), then the modulus can be factored in polynomial time. Later, in 2014, [8] published an attack on the RSA cryptosystem when the primes share LSB(s) and there exist two public exponents such that their private exponents share their MSB(s).
Multi-Power RSA is one of the variants of RSA whereby the modulus N = p^r q for r ≥ 2 is utilized. This type of modulus provides an advantage for both the key generation and the decryption algorithms, provided the Chinese Remainder Theorem is utilized [9]. Among the cryptosystems that utilize this fact are the designs of [10][11][12]. In their papers, the designers showed that their cryptosystems had low computing costs compared to standard RSA.
As such, the study of the Integer Factorization Problem for N = p^r q becomes important. [13] proved that N = p^r q is factorable for large r, when r ≈ log p. Since then, many researchers have attempted to cryptanalyse the multi-power RSA modulus. For instance, [14] showed that the modulus N = p^r q is more vulnerable than N = pq. For r = 2, the author proved that N can be factored if d < N^{0.292}. In 2014, [15] presented his proof that N = p²q can be factored by using lattice reduction techniques provided d < N^{0.395}.

Our contribution
We are working towards the same purpose as the previous researchers, which is to find other weaknesses of RSA in order to enhance its security. Therefore, in this paper we present an attack on the modulus N = p²q where the primes share a known amount of LSB(s). Note that this is an extended result from [8]. We apply the strategy of Jochemsz and May to find the small roots of our integer polynomial and show that the modulus N can be factored when d < N^δ with δ < 11/9 − (2/9)√(4 + 18γ). The construction of this paper is as follows. In Section 1, we introduce the mechanisms and some results that will be used throughout this paper. In Section 2, we present the result of our attack theoretically. We also make a comparison with the previous attacks. Finally, we conclude in Section 4.

Materials and methods
This section briefly discusses lattice basis reduction, the Howgrave-Graham theorem, and the useful lemmas that will be needed in this study.

Lattice
Suppose ω, n ∈ Z⁺ with ω ≤ n. Let v_1, …, v_ω be linearly independent vectors in Rⁿ. The lattice L spanned by {v_1, …, v_ω} is the set of their integer linear combinations, and has dimension ω. The lattice is called full rank if ω = n. The determinant of L is calculated by taking the absolute value of the determinant of the matrix whose rows consist of v_1, …, v_ω [16]. [17] formulated the LLL algorithm to find a short basis vector in polynomial time.
Theorem 1 [17]. Let L be the lattice generated by the basis {v_1, …, v_ω} and having dimension ω. The reduced basis {b_1, …, b_ω} produced by the LLL algorithm satisfies
Since its invention, the LLL algorithm has been applied extensively to find reduced basis vectors in a lattice. For instance, [3] introduced a method to find the small roots of a modular polynomial. By applying the LLL algorithm to find a reduced basis of the lattice generated from the modular polynomial, [3] managed to obtain the roots of the polynomial. Later, [18] described an alternative to Coppersmith's method and came out with the following theorem.
…, x_n^{(0)}) = 0 holds over the integers. Remark that our attack relies on a notable assumption that has also been used in some earlier attacks, such as [4,15,19].
Assumption 1. The LLL algorithm produces a number of coprime polynomials. The roots of these polynomials can be computed efficiently using the resultant technique.

Approximation of primes in RSA
The following results by [20] give an approximation of the size of the primes and an approximation of N − ϕ(N). These results will be used to approximate the bound for one of the variables in our polynomial.
Lemma 1. Let N = p²q with q < p < 2q. Then

Prime sharing bits
The following lemma is reformulated from the result of [8]. It considers the case where the modulus N = p²q consists of two primes that share a known amount of their LSBs.
Lemma 3. Let N = p²q be the modulus and suppose that p − q = 2^b u for a known value of b.

The new attack
This section presents the attack on the modulus N = p²q, which works when a known amount of LSBs is shared between the primes p and q.
Proof. Suppose we have a public exponent e and the key equation ed − kϕ(N) = 1. Suppose that p − q = 2^b u. Then, from Lemma 3, p² + pq − p can be rewritten in the form p² + pq − p = 2^{3b}s + s_0 − v, where s_0 ≡ u_0^{−1}(N − u_0³) (mod 2^{3b}) and u_0 is a solution of the modular equation p³ ≡ N (mod 2^b). Thus, substituting (4) from Lemma 3 into (5), we get ed − k(N − (2^{3b}s + s_0 − v)) = 1. Rearranging the equation, we transform (6) into a polynomial equation and fix the coefficients and the variables of the polynomial as follows. Now we consider the polynomial f(x_1, x_2, x_3), which can be solved by using Coppersmith's technique [3]. However, we choose to use the extended strategy of Jochemsz and May [21] due to its easier implementation. The following bounds will be needed:
• max(e_1, e_2) = N^γ.
• p − q = 2^b u with 2^b ≈ N^α and α < 2.
The bounds of the variables are fixed as follows. Let m, t ∈ Z⁺. The sets S and M are defined in terms of the monomials of f^{m−1}. Neglecting the coefficients, we find that the expansion of the polynomial f^{m−1}(x_1, x_2, x_3) satisfies (7). The monomials in (7) can be categorised, and consequently the monomials of the set M follow. Next, define R. Suppose that a_4 is coprime to R. We want to work with a polynomial that has constant term 1, so we define f'(x_1, x_2, x_3) = a_4^{−1} f(x_1, x_2, x_3) mod R. Next, define the polynomials g and h. The basis of a lattice L is built from the coefficients of the polynomials g and h. In order to construct an upper triangular matrix, we order the monomials lexicographically, first for the polynomials g and then for the polynomials h. Refer to S1 Table in S1 Appendix for the coefficient matrix for m = 3 and t = 1.
Next, define the determinant of L, which can be simplified accordingly. All the polynomials g(x_1, x_2, x_3) and h(x_1, x_2, x_3), and their combinations, share the root (d, k, 2^{3b}s − v) modulo R. A new basis with short vectors is produced after applying the LLL algorithm to the lattice L. For i = 1, 2, let f_i(x_1 X_1, x_2 X_2, x_3 X_3) be two short vectors of the reduced basis. Each f_i shares the root (d, k, 2^{3b}s − v). Then, by Theorem 3, the bound of [18] applies. In order to fulfil the condition of that bound, we force the polynomials f_i, i = 1, 2, to satisfy 2^{ω(ω−1)/(4(ω−2))} det(L)^{1/(ω−2)} < R/√ω, which can be transformed into det(L) < R^ω. Using ω = |M| and |M| − |M∖S| = |S|, and then (9), we set t = τm. After simplifying by m³, the inequality (10) is transformed by substituting the values of X_1, X_2, X_3 and W from (8); equivalently, (…)τ + (1/36)(6γ + 12δ − 8) < 0. Differentiating this expression with respect to τ, we get the optimal value τ = (−3δ + 1)/4, and the inequality reduces to δ < 11/9 − (2/9)√(4 + 18γ). Under this condition on δ, we find our reduced polynomials f, f_1, f_2 with the root (d, k, 2^{3b}s − v). By Assumption 1 in Section 2, the roots can be extracted using the resultant technique. Using the third root 2^{3b}s − v, we compute p² + pq − p = 2^{3b}s + s_0 − v. This value is then used to find ϕ(N), and since ϕ(N) = p(p − 1)(q − 1), we can factor out p by taking gcd(N, ϕ(N)). Knowing the value of p, we factor the modulus N.
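The two arithmetic facts the recovery step rests on, worked through on a constructed toy instance: the congruence p³ ≡ N (mod 2^b) from Lemma 3 (whose unique odd solution u_0 is p mod 2^b), and p² + pq − p = N − ϕ(N) followed by p = gcd(N, ϕ(N)). This is an added Python example, not code from the paper; the primes 1019 and 827 (sharing b = 6 bits), the exponent 65537 and all function names are constructed for illustration.

```python
from math import gcd

# Constructed toy primes (not from the paper): q < p < 2q and p - q = 2^6 * 3.
P, Q, B = 1019, 827, 6

def is_prime(n):
    return n >= 2 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def build_instance(p=P, q=Q, b=B, e=65537):
    """Return (N, phi, e, d, k) for N = p^2 q with ed - k*phi(N) = 1."""
    assert is_prime(p) and is_prime(q) and q < p < 2 * q
    assert (p - q) % (1 << b) == 0          # shared LSBs: p ≡ q (mod 2^b)
    N = p * p * q
    phi = p * (p - 1) * (q - 1)             # phi(N) for N = p^2 q
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)                     # modular inverse (Python 3.8+)
    k = (e * d - 1) // phi
    assert e * d - k * phi == 1
    return N, phi, e, d, k

def shared_lsbs_from_n(N, b):
    """u_0 = p mod 2^b, the odd solution of x^3 ≡ N (mod 2^b).
    Since p ≡ q (mod 2^b), N = p^2 q ≡ p^3 (mod 2^b). The odd residues mod 2^b
    form a group of order 2^(b-1), coprime to 3, so cubing is a bijection and
    the cube root is N^(3^-1 mod 2^(b-1)) mod 2^b."""
    mod = 1 << b
    inv3 = pow(3, -1, mod // 2) if b > 1 else 0
    return pow(N, inv3, mod)

def factor_from_gap(N, gap):
    """Given gap = p^2 + pq - p = N - phi(N), recover (p, q):
    gcd(N, phi(N)) = gcd(p^2 q, p(p-1)(q-1)) = p for balanced primes."""
    phi = N - gap
    p = gcd(N, phi)
    q = N // (p * p)
    assert p * p * q == N
    return p, q

if __name__ == "__main__":
    N, phi, e, d, k = build_instance()
    gap = P * P + P * Q - P                 # value the attack's third root yields
    assert gap == N - phi
    print(shared_lsbs_from_n(N, B) == P % (1 << B))   # True
    print(factor_from_gap(N, gap))          # (1019, 827)
```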

Comparison with the former attack
We compare our bound with three former attacks, [14, 15, 19], that also work on the modulus N = p^r q; we specifically consider the case r = 2. Their attacks focus on the RSA key equation ed − kϕ(N) = 1 where ϕ(N) = p^{r−1}(p − 1)(q − 1). Note that in these former attacks the primes do not share any amount of LSBs, and their bounds depend only on the value of r. We compare the results for various values of γ = log_N(e). Our corollary is as follows.
Corollary 1. Let N = p²q be the modulus where q < p < 2q. Let e be a public exponent satisfying e = N^γ and d < N^δ with δ < 11/9 − (2/9)√(4 + 18γ). Then N can be factored.
Note that the bounds for δ of [14, 15, 19] remain fixed because they depend only on r = 2. We describe their bounds for d in Table 1 below. Table 2 shows that our bound improves on the previous bounds. The value of δ decreases as the value of γ increases.
From the fact that δ > 1 − γ, combined with the result of Corollary 1, δ < 2/3 − (1/2)γ, we have 1 − γ < 11/9 − (2/9)√(4 + 18γ). From here, we can find the bound for the positive value of γ. A direct calculation shows that γ < 2/3. For small values of γ, this translates into d ≈ N.

Conclusion
We describe an attack related to partial key exposure. Our attack works on the modulus N = p²q where the primes share an amount of LSB(s). Based on the result of Nitaj et al. [8], we reformulate their lemma within our theorem and find the substitution for p² + pq − p, which is the value of N − ϕ(N). We use the result of our lemma in our theorem, which then yields a set of integer polynomials. By applying the extended strategy of Jochemsz and May, one is able to determine the small roots of our integer polynomial and thus factor the modulus N. We show that N can be factored when d < N^δ for δ < 2/3 + (3/2)α − (1/2)γ, where 0 < γ < 2/3. As such, we manage to improve the bounds of some previous attacks on the modulus N = p²q.