
The Improved Estimation of the Least Upper Bound to Search for RSA's Private key

  • Somsuk, Kritsanapong (Department of Computer and Communication Engineering, Faculty of Technology, Udon Thani Rajabhat University, UDRU)
  • Received : 2021.01.24
  • Accepted : 2022.05.31
  • Published : 2022.06.30

Abstract

RSA is known as one of the best techniques for securing secret information across an unsecured network. The private key, which is one of the private parameters, is the target of attackers. However, it is practically impossible to derive this value while the other private parameters remain undisclosed. Many methods to recover the private key have been proposed, and each performs well in a different case. For example, Wiener's attack is extremely efficient when the private key is very small. On the other hand, Fermat's factoring can quickly break RSA when the difference between the two large prime factors of the modulus is relatively small. In general, if no private parameter is disclosed, attackers can only be sure that the private key lies inside the scope [3, n - 2], where n is the modulus. However, this scope has already been reduced by raising the greatest lower bound, giving [dil, n - 2], where dil ≥ 3. The aim of this paper is to decrease the least upper bound, narrowing the scope within which the private key must remain. After the proposed method is applied, the new scope of the private key is [dil, dir], where dir ≤ n - 2. If the private key is extremely close to the new least upper bound, it can be retrieved quickly by a brute force attack in which dir is decreased until it equals the private key. The experimental results indicate that the proposed method is extremely effective when the two prime factors are close to each other and one of the following two conditions holds: the first is that the multiplier of the Euler totient function is very close to a small public key, whereas the second is that the public key is large and the multiplier is far enough from it.


1. Introduction

At present, data transfer over a network channel is the preferred method due to its convenience and speed. However, a network channel is regarded as an unsecured channel. In other words, if the secret data being transferred across a network channel is very important and no securing algorithm is in place to protect it, attackers can simply intercept the data. Prior to transferring any important or private information over an unsecured connection, it should be protected by some securing algorithm. Cryptography [1] is one of the beneficial techniques for protecting data prior to transmission via an unsecured channel, by means of encryption and decryption processes. The concept of using cryptography to secure information is as follows. First, the secret message, which is called the plaintext, is encrypted using the secret key. The encrypted message is referred to as the ciphertext, and it is transmitted to the recipient instead of the secret message. On the receiver side, after the ciphertext has arrived, the original plaintext is recovered using the secret key and a decryption process. In general, cryptography is classified into two broad categories, each with its own advantages and disadvantages. The first is symmetric key cryptography, which uses the same key, referred to as the secret key, for both encryption and decryption. Its advantage is the short time required to complete the process. Its disadvantage is the need to exchange the secret key between senders and receivers in a way that an attacker cannot intercept. Asymmetric key cryptography, on the other hand, is also known as public key cryptography. The key concept is that different keys are chosen to encrypt the plaintext and to decrypt the ciphertext. The key which is kept secret is called the private key and the key which is disclosed to everyone is called the public key. In fact, these keys are mathematically related to each other.
The advantage is that the secret channel to exchange the key is eliminated. However, the disadvantage is that the procedure is quite time consuming. Therefore, symmetric key cryptography and public key cryptography are combined in practice in order to increase performance.

RSA [2] is the best-known public key cryptosystem. It is chosen for a variety of applications to secure information, such as [3], [4], [5], [6], [7], [8]. However, to resist attacks, the bit length of the modulus (n) should be at least 1024 bits. Therefore, one of the two keys must be a large integer. In fact, in order to ensure that RSA is extremely secure, the private key (d) should be large. Although RSA is still difficult to break when all parameters are strong, many algorithms can break RSA when certain parameters are weak. Moreover, many weak parameters have been disclosed, such as a low private key [9], a high private key [10], a low prime factor [11] and a small distance between the two prime factors [12]. In this paper, two weak parameter settings are presented. The first weakness is a small public key together with a short distance between it and the multiplier of the Euler totient function. The other weakness is a large public key together with a large distance between this public key and the multiplier of the Euler totient function. In addition, there should be only a small difference between the two prime factors. Moreover, a new method for estimating the initial value of the private key that effectively addresses both weaknesses is proposed.

Assuming that all private parameters are hidden, intruders wanting to recover d will clearly recognize that d must be located within the following scope: d ∈ [3, n - 2]. This scope is very large, since the length of n is at least 1024 bits. If a brute force attack is selected to find d, the cost of computation is therefore very high. The method in [13] was proposed to estimate a new greatest lower bound, giving [dil, n – 2], where dil ≥ 3. Therefore, that method can recover d rapidly if d is a small integer. However, it is still inefficient when d is a large integer. The aim of the proposed method is to estimate a new least upper bound, giving [3, dir], where dir ≤ n – 2. Therefore, if the proposed method is combined with the method in [13], the scope is narrowed to d ∈ [dil, dir].

2. Related Works

This section gives an overview of RSA and of several techniques to break it.

2.1 RSA Scheme

RSA [2] is the best-known public key cryptosystem. It was proposed by R. Rivest, A. Shamir and L. Adleman in 1977; in fact, RSA's name is derived from the initial letters of their surnames. RSA consists of three main processes. The first is key generation, the process that creates a pair of keys. It begins by randomly generating two large prime numbers, p and q where p < q, to obtain the modulus, n = p*q, and the Euler totient function, Φ(n) = (p – 1)*(q – 1). The next step is to select the public key, e, which must satisfy 1 < e < Φ(n) and gcd(e, Φ(n)) = 1. After e is found, the private key, d, can be computed from e*d mod Φ(n) = 1 by using the Extended Euclidean Algorithm, as in [14], [15], [16]. The second process is encryption, which converts the original plaintext into the ciphertext: c = m^e mod n, where m is the original plaintext and c is the ciphertext. The last process is decryption, which recovers the original plaintext by using m = c^d mod n.
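As an added example (not code from the paper or its author), the three processes above in Python, using the parameters of the paper's Example 4 (p = 41981, q = 45433, e = 7603). The function also reports the multiplier k with e*d = 1 + k*Φ(n), which the later sections refer to repeatedly. The function names are my own, p and q are assumed prime as the paper states, and the message 123456789 is a constructed sample.

```python
# Added example for this page (not the paper's code): textbook RSA key
# generation, encryption and decryption, plus the multiplier k with
# e*d = 1 + k*phi(n) that the paper's later sections refer to.
from math import gcd


def rsa_keypair(p: int, q: int, e: int) -> dict:
    """Return n, phi(n), d and k for primes p, q and public exponent e.

    p and q are assumed prime (the paper's examples supply them); e must
    satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1, otherwise d does not exist.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+), i.e. e*d mod phi(n) = 1
    k = (e * d - 1) // phi     # the multiplier k in e*d = 1 + k*phi(n); k <= e - 1
    assert e * d == 1 + k * phi
    return {"n": n, "phi": phi, "d": d, "k": k}


def encrypt(m: int, e: int, n: int) -> int:
    """c = m^e mod n"""
    return pow(m, e, n)


def decrypt(c: int, d: int, n: int) -> int:
    """m = c^d mod n"""
    return pow(c, d, n)


def roundtrip_ok(p: int, q: int, e: int, m: int) -> bool:
    """Check that decrypt(encrypt(m)) == m for the key built from p, q, e."""
    key = rsa_keypair(p, q, e)
    return decrypt(encrypt(m, e, key["n"]), key["d"], key["n"]) == m


if __name__ == "__main__":
    # Parameters of the paper's Example 4; the message 123456789 is constructed.
    key = rsa_keypair(41981, 45433, 7603)
    print(key)                                   # d = 1906984507, k = 7602 = e - 1
    print(roundtrip_ok(41981, 45433, 7603, 123456789))
```

Running it with the Example 4 parameters reproduces the paper's d = 1906984507 and k = 7602, and with e = 1441 (Example 5) it gives d = 893396161 and k = 675.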

The private parameters of the RSA scheme are p, q, d and Φ(n). Therefore, intruders must locate at least one of them in order to recover m. In practice, they are all chosen to be strong in order to prevent easy attacks. However, RSA may be broken when at least one of the private parameters is weak. The next topic of the related works section gives an overview of several attacking algorithms, highlighting how the performance of each is tied to a particular weak point.

2.2 Overviews of some algorithms to break RSA

In fact, there are a variety of algorithms that can be chosen to break RSA whenever its vulnerabilities are discovered.

Wiener’s attack [17] is the technique presented by Michael J. Wiener in 1990 to recover d. His theorem relies mainly on continued fractions as its mathematical basis.

In addition, Wiener’s attack is particularly effective when \(\begin{aligned}d<\frac{1}{3} n^{\frac{1}{4}}\\\end{aligned}\). This implies that a small private key is a weak point of RSA.

Besides, in 1999, D. Boneh and G. Durfee [18] presented a modified version of Wiener’s attack. Even when \(\begin{aligned}d>\frac{1}{3} n^{\frac{1}{4}}\\\end{aligned}\), d is still rapidly recovered whenever \(d < n^{0.292}\). In order to avoid having d recovered by this method, d should be assigned larger than \(n^{0.292}\).

In 2017, the technique [10] was presented to accelerate the decryption process of RSA by utilizing a new exponent. This method performs well when d is large, because the new exponent, which is mathematically related to d and Φ(n), becomes small. Conversely, if d is too large, this method may be selected to find d.

The trial division algorithm (TDA) is a method for discovering p and q by factoring n. It comes in two variants. The first [19] selects 3 as the initial divisor and increases it by two whenever there is a remainder. This approach can discover p and q quickly when p is a small integer, so a small prime factor is also a weakness of RSA. The second technique [20] chooses \(\begin{aligned}\lfloor\sqrt{n}\rfloor\\\end{aligned}\) as the first divisor and decreases it whenever there is a remainder. Therefore, if p is extremely close to \(\begin{aligned}\lfloor\sqrt{n}\rfloor\\\end{aligned}\), it can be recovered very fast.

Fermat’s Factorization algorithm (FFA) [21] is the factoring method which was proposed by Pierre de Fermat. A composite integer with two prime factors can be represented as the difference between two perfect square integers. In fact, when two prime factors are close in proximity to one another, they can be computed rapidly. Furthermore, other FFA-improved algorithms such as [22], [23], [24], [25], [26] were proposed to increase computation speed.

Pollard’s p − 1 [27] is the method presented by J. Pollard in 1974. If all prime factors of p – 1 or q – 1 are small integers, this method is extremely efficient at recovering both p and q. That is, another weak point is that all prime factors of p - 1 and q – 1 are small.

In 2020, a new methodology [28] to recover d was proposed. Assuming that Φ(n) = ad + b, where a | b and a | Φ(n), the original plaintext can be computed by using the following equation: \(\begin{aligned}m=\left(c^{-1}\right)^{\frac{b}{a}}\\\end{aligned}\) mod n. Moreover, this equation can be applied in a brute force attack to find d. The experimental results in the paper showed that when a is large and \(\begin{aligned}\frac{b}{a}\end{aligned}\) is small, only a short time is required to complete the operation.

The simplest technique is the brute force attack. It can be selected to find d directly or to locate one of the two prime factors. In general, to limit the scope of d, it must first be analyzed. Because Φ(n) is a hidden parameter, the scope of d is assigned as [3, n – 2], which is a very large range. Moreover, a brute force attack can search for d in two ways. The first way assigns the initial value of d equal to the greatest lower bound and increases it while it is not the real private key; this way is suitable for a small private key. The other way assigns the initial value of d as n – 2 and decreases it while it is not the target; this way is suitable for a high private key.

At the beginning of 2021, the method [13] to estimate a new greatest lower bound, which is always equal to or larger than 3, was proposed. Letting dil denote the new greatest lower bound, it can be calculated by using the following equation: \(\begin{aligned}d_{i l}=\left\lceil\frac{2 n-3}{3 e}\right\rceil\\\end{aligned}\). Therefore, the scope of d is reduced to [dil, n – 2].

2.3 Considering the patterns of p + q

In fact, many methods to analyze the patterns of p + q were proposed. Once all patterns are found, the computation time to recover d is reduced.

Let LSGm(z) denote the last m digits of z and LSG(z) the last digit of z, where z ∈ ℤ. In 2017, the methodology [29] to search for all possible values of LSGm(p) and LSGm(q) was proposed in order to find all possible values of LSGm(p + q) and LSGm(p – q). However, only LSGm(p + q) is of interest in this paper. Assuming that one pair of LSGm(p) and LSGm(q) with LSGm(LSGm(p) * LSGm(q)) = LSGm(n) has been found, either Rule 1 or Rule 2 is selected to find the other pairs.

Rule 1: If LSG(p) = LSG(q), then LSGm((p + 10^(m-1))(q + 9*10^(m-1))) = LSGm((p + 9*10^(m-1))(q + 10^(m-1))) = LSGm(n).

Rule 2: If LSG(p) ≠ LSG(q), there are two odd integers k1 and k2, where k1, k2 ∈ {1, 3, 7, 9} and (LSG(p)*k2 + LSG(q)*k1) mod 10 = 0, such that LSGm((p + k1*10^(m-1))(q + k2*10^(m-1))) = LSGm(n).

Example 1: After using Rule 2, all pairs of LSG2(p) and LSG2(q) which LSG2(LSG2(p)*LSG2(q)) = LSG2(n) = 73 are found as follows: (07, 39), (17, 69), (27, 99), (37, 29), (47, 59), (57, 89), (67, 19), (77, 49), (87, 79), (97, 09), (01, 73), (11, 43), (21, 13), (31, 83), (41, 53), (51, 23), (61, 93), (71, 63), (81, 33), (91, 03)

After all pairs of LSGm(p) and LSGm(q) are found, all possible values of LSGm(p + q) are also calculated by using LSGm(p + q) = LSGm(LSGm(p) + LSGm(q)).

Example 2: After all pairs of LSG2(p) and LSG2(q) which LSG2(LSG2(p)*LSG2(q)) = LSG2(n) = 73 are found, all possible values of LSG2(p + q) are as follows:

S = {06, 14, 26, 34, 46, 54, 66, 74, 86, 94}

where S is the set of all possible values of LSG2(p + q) such that LSG2(LSG2(p)*LSG2(q)) = LSG2(n) = 73.

The benefit of S is that any candidate for p + q whose last m digits are not in S can be excluded from the computation, since it cannot be the actual value of p + q.

In fact, the patterns of p + q can be thoroughly analyzed when m is larger.

Furthermore, in 2016, the patterns of \(\begin{aligned}\frac{p+q}{2}\end{aligned}\) [30] are analyzed by considering the forms of n that are divided into three forms. Assuming that a = n mod 4, b = n mod 6 and c = n mod 20, there are 16 patterns of \(\begin{aligned}x=\frac{p+q}{2}\end{aligned}\) which are shown in Table 1.

Table 1. Patterns of \(\begin{aligned}\frac{p+q}{2}\end{aligned}\) that are considered from 3 forms of n

(Table 1 is given in the original as an image, E1KOBZ_2022_v16n6_2074_t0001.png, and is not reproduced here.)

After computing the three forms of n, the solution will be found in just one of the cases in Table 1. Therefore, many steps can be eliminated from the computation. In fact, whether x is even or odd is disclosed by a, the result of x mod 3 is disclosed by b, and LSG(x) is known from c.

In [31], another pattern of p + q is discovered. It is based on the result of (n + 1) mod 8: if (n + 1) mod 8 = 0, then (p + q) mod 8 must also be 0. This concept is applicable to a wide variety of brute force attacks, as many loops can be omitted when (n + 1) mod 8 = 0.

3. The Proposed Method

In this paper, a new least upper bound, dir, for finding d is proposed. After the method in [13] was proposed, the position of d must be inside the scope [dil, n – 2]. That is, the initial value can be assigned as dil in order to start a brute force attack that searches for d from left to right. On the other hand, this method becomes inefficient when d is large. In this case, a brute force attack from right to left is more appropriate, with the initial value started at n – 2. However, n – 2 is still far from d, which is always less than Φ(n). Therefore, in this paper, dir, which is always equal to or less than n – 2, is presented.

The information in Fig. 1 shows the parameters associated with RSA on the number line. It implies that dir is always equal to or less than n – 2. Therefore, if this value is found, the scope of d is narrowed in which the position of d is certainly at [dil, dir].

(Fig. 1 is given in the original as an image, E1KOBZ_2022_v16n6_2074_t0002.png, and is not reproduced here.)

Fig. 1. The position of each parameter on number line

Before estimating dir, an integer which is equal to or larger than Φ(n) must be found. Because Φ(n) = (p – 1)*(q – 1) = n – (p + q) + 1, the patterns of p + q should be analyzed to estimate an integer which is close to Φ(n) and still not smaller than it.

From Table 1, the result of n mod 4 discloses whether \(\begin{aligned}\frac{p+q}{2}\end{aligned}\) is even or odd. However, the result of n mod 20 also discloses this. Moreover, the patterns of LSGm(p + q) are finer than the patterns analyzed from n mod 20. Therefore, three techniques for analyzing the patterns of p + q, from n mod 6, (n + 1) mod 8 and LSGm(n), are selected to find the integer in question.

In [31], it is shown that (p + q) mod 8 = 0 when (n + 1) mod 8 = 0. However, if (n + 1) mod 8 ≠ 0, the case must also be analyzed to find all possible values of (p + q) mod 8.

Theorem 1: The results of (p + q) mod 8 are as shown in Table 2, which expands the result of [31].

Table 2. The result of (p +q) mod 8

(Table 2 is given in the original as an image, E1KOBZ_2022_v16n6_2074_t0003.png, and is not reproduced here.)

Proof: There are 15 cases as follows:

Case 1: p mod 8 = 1 and q mod 8 = 1

Then, (p*q + 1) mod 8 = ((p mod 8) * (q mod 8) + 1 mod 8) mod 8 = (1*1 + 1) mod 8 = 2

And, (p + q) mod 8 = ((p mod 8) + (q mod 8)) mod 8 = (1 + 1) mod 8 = 2

Case 2: p mod 8 = 1 and q mod 8 = 3 (The same result with p mod 8 = 3 and q mod 8 = 1)

Then, (p*q + 1) mod 8 = (1*3 + 1) mod 8 = 4

And, (p + q) mod 8 = (1 + 3) mod 8 = 4

Case 3: p mod 8 = 1 and q mod 8 = 5 (The same result with p mod 8 = 5 and q mod 8 = 1)

Then, (p*q + 1) mod 8 = (1*5 + 1) mod 8 = 6

And, (p + q) mod 8 = (1 + 5) mod 8 = 6

Case 4: p mod 8 = 1 and q mod 8 = 7 (The same result with p mod 8 = 7 and q mod 8 = 1)

Then, (p*q + 1) mod 8 = (1*7 + 1) mod 8 = 0

And, (p + q) mod 8= (1 + 7) mod 8 = 0

Case 5: p mod 8 = 1 and q mod 8 = 9 (The same result with p mod 8 = 9 and q mod 8 = 1)

Then, (p*q + 1) mod 8 = (1*9 + 1) mod 8 = 2

And, (p + q) mod 8 = (1+ 9) mod 8 = 2

Case 6: p mod 8 = 3 and q mod 8 = 3

Then, (p*q + 1) mod 8 = (3*3 + 1) mod 8 = 2

And, (p + q) mod 8 = (3+ 3) mod 8 = 6

Case 7: p mod 8 = 3 and q mod 8 = 5 (The same result with p mod 8 = 5 and q mod 8 = 3)

Then, (p*q + 1) mod 8 = (3*5 + 1) mod 8 = 0

And, (p + q) mod 8 = (3+ 5) mod 8 = 0

Case 8: p mod 8 = 3 and q mod 8 = 7 (The same result with p mod 8 = 7 and q mod 8 = 3)

Then, (p*q + 1) mod 8 = (3*7 + 1) mod 8 = 6

And, (p + q) mod 8= (3+ 7) mod 8 = 2

Case 9: p mod 8 = 3 and q mod 8 = 9 (The same result with p mod 8 = 9 and q mod 8 = 3)

Then, (p*q + 1) mod 8 = (3*9 + 1) mod 8 = 4

And, (p + q) mod 8= (3+ 9) mod 8 = 4

Case 10: p mod 8 = 5 and q mod 8 = 5

Then, (p*q + 1) mod 8 = (5*5 + 1) mod 8 = 2

And, (p + q) mod 8 = (5+ 5) mod 8 = 2

Case 11: p mod 8 = 5 and q mod 8 = 7 (The same result with p mod 8 = 7 and q mod 8 = 5)

Then, (p*q + 1) mod 8 = (5*7 + 1) mod 8 = 4

And, (p + q) mod 8= (5+ 7) mod 8 = 4

Case 12: p mod 8 = 5 and q mod 8 = 9 (The same result with p mod 8 = 9 and q mod 8 = 5)

Then, (p*q + 1) mod 8 = (5*9 + 1) mod 8 = 6

And, (p + q) mod 8 = (5+ 9) mod 8 = 6

Case 13: p mod 8 = 7 and q mod 8 = 7

Then, (p*q + 1) mod 8 = (7*7 + 1) mod 8 = 2

And, (p + q) mod 8= (7+ 7) mod 8 = 6

Case 14: p mod 8 = 7 and q mod 8 = 9 (The same result with p mod 8 = 9 and q mod 8 = 7)

Then, (p*q + 1) mod 8 = (7*9 + 1) mod 8 = 0

And, (p + q) mod 8 = (7+ 9) mod 8 = 0

Case 15: p mod 8 = 9 and q mod 8 = 9

Then, (p*q + 1) mod 8 = (9*9 + 1) mod 8 = 2

And, (p + q) mod 8 = (9+ 9) mod 8 = 2

Therefore, all results of (p + q) mod 8 match the information in Table 2. (Note that 9 ≡ 1 (mod 8), so cases 5, 9, 12, 14 and 15 repeat cases 1, 2, 3, 4 and 1 respectively; the four odd residues 1, 3, 5 and 7 give ten distinct unordered cases.)

In fact, considering the patterns of (p + q) mod 8, (p + q) mod 3 and LSGm(p + q) together is the key to finding i, the variable required in Theorem 2.

Theorem 2: Let i denote the distance between the traditional initial value of p + q, which is \(\begin{aligned}2\lceil\sqrt{n}\rceil\\\end{aligned}\), and the improved initial value. Then

\(\begin{aligned}d \leq\left\lfloor\frac{1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)}{e}\right\rfloor\\\end{aligned}\)

Proof:

From 

Φ (n) = (p – 1)*(q – 1)

= pq – (p + q) + 1 

= n – (p + q) + 1

In general, \(\begin{aligned}p+q \geq 2\lceil\sqrt{n}\rceil\\\end{aligned}\), see [12].

Then,

\(\begin{aligned}\Phi(n) \leq n-(2\lceil\sqrt{n}\rceil)+1\\\end{aligned}\)

However, after using the technique to analyze all patterns of LSGm(p + q), (p + q) mod 3 and (p + q) mod 8, then \(\begin{aligned}p+q \geq 2\lceil\sqrt{n}\rceil+i\\\end{aligned}\), therefore

\(\begin{aligned}\Phi(n) \leq n-(2\lceil\sqrt{n}\rceil+i)+1\\\end{aligned}\)

Then,

\(\begin{aligned}\Phi(n) \leq(n-2\lceil\sqrt{n}\rceil-i+1)\\\end{aligned}\)

From, 

ed mod Φ (n) = 1

Hence

ed = 1 + kΦ (n)

Or, 

ed ≈ kΦ (n)

Because both e and d are less than Φ(n), it follows that k < e, i.e. k ≤ e – 1.

Then, 

ed < 1 + eΦ (n)

That means, 

ed ≤ 1 + (e – 1) *Φ (n)

From,

\(\begin{aligned}\Phi(n) \leq(n-2\lceil\sqrt{n}\rceil-i+1)\\\end{aligned}\), then

\(\begin{aligned}e d \leq 1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)\\\end{aligned}\)

Or,

\(\begin{aligned}d \leq \frac{1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)}{e}\\\end{aligned}\)

In fact, d is always an integer,

Therefore,

\(\begin{aligned}d \leq\left\lfloor\frac{1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)}{e}\right\rfloor\\\end{aligned}\)

Therefore, letting dir be the new initial value for finding d from right to left, it can be estimated by using the following equation:

\(\begin{aligned}d_{i r}=\left\lfloor\frac{1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)}{e}\right\rfloor\\\end{aligned}\) (1)

where d ≤ dir ≤ n - 2.

Example 3: Assume n = 167556124362173, e = 3499 and all possible values of LSG2(p + q) are disclosed as S = {06, 14, 26, 34, 46, 54, 66, 74, 86, 94} (using the theorems in [29]). Find the least upper bound of d by using Theorem 2. (The private parameters are p = 24163669, q = 6934217, Φ(n) = 167556093264288 and d = 134178957795523.)

Sol.

Before using the equation in Theorem 2, the variable i must be found.

First, two forms of n must be checked.

Because (167556124362173 + 1) mod 8 = 6, the result of (p + q) mod 8 is 2 or 6.

Furthermore, (p + q) mod 3 must be equal to 0, because n mod 6 = 167556124362173 mod 6 = 5.

Next, the initial value of p + q, \(\begin{aligned}g=2\lceil\sqrt{n}\rceil\\\end{aligned}\), must be calculated: \(\begin{aligned}2\lceil\sqrt{167556124362173}\rceil=25888696\\\end{aligned}\).

Because 25888696 mod 8 = 0, then g = 25888696 + 2 = 25888698

Because 25888698 mod 3 = 0, then g= 25888698

Because LSG2(25888698) = 98 is not a member in S, then this value is certainly not the real value of p + q. Therefore, it can be reassigned as 25888706. However, 25888706 mod 3 = 2 ≠ 0, then the next value of g should be 25888714. In addition, 25888714 mod 3 = 1 ≠ 0, then the next value of g should be 25888726. However, 25888726 mod 3 = 1 ≠ 0, then the next value of g should be 25888734. In fact, 25888734 mod 3 = 0 and 25888734 mod 8 = 6. Therefore, it is chosen as the new initial value. Furthermore, i can be calculated from i = 25888734 – 25888696 = 38.

From the equation (1),

\(\begin{aligned}d_{i r}=\left\lfloor\frac{1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)}{e}\right\rfloor\\\end{aligned}\)

\(\begin{aligned} d_{i r} & =\left\lfloor\frac{1+(3499-1) *(167556124362173-2\lceil\sqrt{167556124362173}\rceil-38+1)}{3499}\right\rfloor \\ & =167508211620489\end{aligned}\\\)

Usually, the traditional initial value for finding the private key from right to left is dr = n – 2 = 167556124362171; that means the distance (s) to find d is decreased by:

\(\begin{aligned}\begin{array}{l}s=\frac{d_{r}-d_{i r}}{2} \\ =\frac{167556124362171-167508211620489}{2} \\ =23956370841\end{array}\\\end{aligned}\)

Therefore, the distance (tr) between dir and d is as follows:

\(\begin{aligned} t_{r} & =\frac{d_{i r}-d}{2} \\ t_{r} & =\frac{167508211620489-134178957795523}{2} \\ & =16664626912483\end{aligned}\\\)

Assuming that the method in [13] is selected to find d, dil has to be computed from the following equation:

\(\begin{aligned} d_{i l} & =\left\lceil\frac{2 n-3}{3 e}\right\rceil \\ & =\left\lceil\frac{2 * 167556124362173-3}{3 * 3499}\right\rceil \\ & =31924573567\end{aligned}\\\)

Therefore, the distance (tl) between dil and d is as follows:

\(\begin{aligned}\begin{array}{l}t_{l}=\frac{d-d_{i l}}{2} \\ =\frac{134178957795523-31924573567}{2} \\ =67073516610978\end{array}\\\end{aligned}\)

Therefore, the total number of loops to find d with the proposed method is smaller than with the method in [13]. The reason is that k = 2802 (ed = 2802*Φ(n) + 1) in this example is quite large, which is more suitable for the proposed method. On the other hand, it is unsuitable for the method in [13], which is highly efficient when k is a small integer.

In addition, Example 4 shows a case of e and d in which the proposed method can find d very fast.

Example 4: Assume n = 1907322773, e = 7603 and all possible values of LSG2(p + q) are disclosed as S = {06, 14, 26, 34, 46, 54, 66, 74, 86, 94} (using the theorems in [29]). Find the least upper bound of d by using Theorem 2. (The private parameters are p = 41981, q = 45433, Φ(n) = 1907235360 and d = 1906984507.)

Sol.

Before using the equation in Theorem 2, the variable i must be found.

First, two forms of n must be checked.

Because (1907322773 + 1) mod 8 = 6, the result of (p + q) mod 8 is 2 or 6.

Furthermore, (p + q) mod 3 must be equal to 0, because 1907322773 mod 6 = 5.

Next, the initial value of p + q, \(\begin{aligned}g=2\lceil\sqrt{n}\rceil\\\end{aligned}\), must be calculated: \(\begin{aligned}2\lceil\sqrt{1907322773}\rceil=87346\\\end{aligned}\).

Because 87346 mod 8 = 2, then g = 87346

Because 87346 mod 3 = 1, then g should be increased. However, g = 87354 is the minimum integer that is larger than 87346 and this value is still in the case of (p + q) mod 8 = 2 or 6 and (p + q) mod 3 = 0. Therefore, g = 87354.

Because LSG2(87354) = 54 is already a member of S, it is chosen as the new initial value. Furthermore, i can be calculated as i = 87354 – 87346 = 8. From the equation in Theorem 2,

\(\begin{aligned}\begin{array}{l} d_{i r}=\left\lfloor\frac{1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)}{e}\right\rfloor \\ d_{i r}=\left\lfloor\frac{1+(7603-1) *(1907322773-2\lceil\sqrt{1907322773}\rceil-8+1)}{7603}\right\rfloor \\ =1906984566\end{array}\\\end{aligned}\)

Because d is always an odd integer, dir = 1906984566 – 1 = 1906984565. Therefore, the distance (tr) between dir and d is as follows:

\(\begin{aligned} t_{r} & =\frac{d_{i r}-d}{2} \\ t_{r} & =\frac{1906984565-1906984507}{2} \\ & =29\end{aligned}\\\)

Although d in this example is very large, the distance between the new initial value and the target is only 29. Therefore, only a little time is consumed to recover d. The reason the proposed method recovers d so fast is that k = 7602 (e*d = 1 + 7602*Φ(n)) is the maximum value, e – 1.

Moreover, if \(\begin{aligned}2\lceil\sqrt{n}\rceil+1=p+q\\\end{aligned}\) and k = e – 1, dir is certainly equal to d. Therefore, d can be recovered by using the equation (1).

In addition, after dir is found, d can be recovered by using algorithm 1.

Algorithm 1 Finding d' by using brute force attack from right to left with the new initial value

Input: dir, e, n

Output: d' (d' is possibly equal to d)

1. Select m, 1 < m < n
2. c ← m^e mod n
3. a ← c^(-1) mod n
4. a ← a^2 mod n
5. t ← dir
6. h ← c^t mod n
7. i ← 0
8. While h ≠ m do
9.     h ← h*a mod n
10.    i ← i + 1
11. End While
12. d' ← dir – 2*i

In fact, d' is very likely to be equal to d. However, if d' is still not equal to d, the loop in lines 8 to 10 must be run again from the present value of i to find the period, which is reached when h becomes m again. In addition, various unrelated integers can be removed once the period is found.

Nevertheless, if the position of d is in the middle of [dil, dir], neither the proposed method nor the method in [13] is suitable to recover d, because the computation costs are still high.

However, if this occurs, dmid should be selected as the initial value instead of dil and dir. This value can be estimated by using equation (2).

\(\begin{aligned}d_{m i d}=\frac{d_{i r}+d_{i l}}{2}\\\end{aligned}\)       (2)

Although dmid is closer to d than both dir and dil (when the position of d is in the middle of [dil, dir]), it cannot be determined whether dmid is larger or smaller than d. Therefore, after dmid is found, both directions of brute force attack, left to right and right to left, must be used to recover d.

Example 5: Assume n = 1907322773, e = 1441 and all possible values of LSG2(p + q) are disclosed as S = {06, 14, 26, 34, 46, 54, 66, 74, 86, 94} (using the theorems in [29]). Find the least upper bound of d by using Theorem 2. (The private parameters are p = 41981, q = 45433, Φ(n) = 1907235360, k = 675 and d = 893396161.)

Sol.

Because i = 8 was already calculated in Example 4, dir can be estimated as follows:

\(\begin{aligned}\begin{array}{l} d_{i r}=\left\lfloor\frac{1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)}{e}\right\rfloor \\ d_{i r}=\left\lfloor\frac{1+(1441-1) *(1907322773-2\lceil\sqrt{1907322773}\rceil-8+1)}{1441}\right\rfloor \\ =1905911870, \text { because } d \text { is always an odd number, therefore, } d_{i r}=1905911869\end{array}\\\end{aligned}\)

Then,

\(\begin{aligned} t_{r} & =\frac{d_{i r}-d}{2} \\ t_{r} & =\frac{1905911869-893396161}{2} \\ & =506257854\end{aligned}\\\)

However, if dil is selected, it can be estimated as follows:

\(\begin{aligned}\begin{array}{l}d_{i l}=\left\lceil\frac{2 n-3}{3 e}\right\rceil \\ =\left\lceil\frac{2 * 1907322773-3}{3 * 1441}\right\rceil \\ =882408\end{array}\\\end{aligned}\)

Because d is always an odd number, therefore, dil = 882409

Then,

\(\begin{aligned}\begin{array}{l}t_{l}=\frac{d-d_{i l}}{2} \\ =\frac{893396161-882409}{2} \\ =446256876\end{array}\\\end{aligned}\)

In fact, dmid can be estimated by using equation (2)

\(\begin{aligned}\begin{array}{l}d_{\text {mid }}=\frac{d_{i r}+d_{i l}}{2} \\ =\frac{1905911869+882409}{2} \\ =953397139\end{array}\\\end{aligned}\)

In this example, dmid > d, so the distance between dmid and d is as follows:

\(\begin{aligned}\begin{array}{l}t_{\text {mid }}=\frac{d_{\text {mid }}-d}{2} \\ =\frac{953397139-893396161}{2} \\ =30000489\end{array}\\\end{aligned}\)

where tmid is the distance between dmid and d.

However, in a real situation, if dmid is selected, the process to find d has to execute brute force attacks in both directions. Therefore,

tmid = 2*30000489 

= 60000978

Table 3. Comparison of the total distance among the three techniques in Example 5

(Table 3 is given in the original as an image, E1KOBZ_2022_v16n6_2074_t0004.png, and is not reproduced here.)

The information in example 5 shows that if the position of d is close to the middle of [dil, dir], dmid which is the center between dir and dil is closer to d than both of dir and dil.
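The p + q pattern analysis of Section 2.3 and Theorem 1, the improved initial value and i of Theorem 2, dir from equation (1), dil from [13] and dmid from equation (2) can be reproduced by one short script. The Python below is an added example written for this page, not code from the paper or its author. The function names (mod8_candidates, mod3_candidates, lsg_set, improved_initial, d_ir, d_il, d_mid, key_margins) are my own; it assumes n is the product of two odd primes with gcd(n, 10) = 1, as in the paper's examples, and uses m = 2 for the LSG pattern. It generalizes the paper's (p + q) mod 3 remark to every n mod 3 by enumerating residues, and it is framed as a key-owner check: given a key whose d is known to its owner, it reports the distances tl and tr of Examples 3 to 5, so that keys the paper classifies as weak (d very close to either bound) can be rejected at generation time.

```python
# Added example for this page (not the paper's code): the p + q pattern
# analysis of Section 2.3 / Theorem 1, the improved initial value and i of
# Theorem 2, d_ir from equation (1), d_il from [13] and d_mid from equation (2),
# packaged as a key-side margin check. Assumes n = p*q with p, q odd primes and
# gcd(n, 10) = 1, as in the paper's examples.
from math import isqrt


def ceil_sqrt(n: int) -> int:
    r = isqrt(n)
    return r if r * r == n else r + 1


def mod8_candidates(n: int) -> set:
    """Theorem 1: possible (p+q) mod 8 given (n+1) mod 8, by enumerating the
    odd residues of p and q mod 8 (only residues with p*q = n mod 8 survive)."""
    target = (n + 1) % 8
    return {(a + b) % 8 for a in (1, 3, 5, 7) for b in (1, 3, 5, 7)
            if (a * b + 1) % 8 == target}


def mod3_candidates(n: int) -> set:
    """Possible (p+q) mod 3 given n mod 3 (the b = n mod 6 form of Table 1)."""
    if n % 3 == 0:            # 3 divides n: no information, accept anything
        return {0, 1, 2}
    return {(a + b) % 3 for a in (1, 2) for b in (1, 2) if (a * b) % 3 == n % 3}


def lsg_set(n: int, m: int) -> set:
    """[29]: the set S of possible last m digits of p+q given the last m digits
    of n, by brute-force enumeration of residue pairs (fine for m = 2)."""
    mod = 10 ** m
    return {(a + b) % mod for a in range(mod) for b in range(mod)
            if (a * b) % mod == n % mod}


def improved_initial(n: int, m: int = 2) -> tuple:
    """Smallest g >= 2*ceil(sqrt(n)) consistent with all three patterns, and
    i = g - 2*ceil(sqrt(n)) as used in Theorem 2."""
    if n % 2 == 0:
        raise ValueError("n must be odd")
    g0 = 2 * ceil_sqrt(n)
    c8, c3, cs, mod = mod8_candidates(n), mod3_candidates(n), lsg_set(n, m), 10 ** m
    g = g0
    while not (g % 8 in c8 and g % 3 in c3 and g % mod in cs):
        g += 1
    return g, g - g0


def d_ir(n: int, e: int, i: int) -> int:
    """Equation (1), then rounded down to odd: d is odd because phi(n) is even."""
    v = (1 + (e - 1) * (n - 2 * ceil_sqrt(n) - i + 1)) // e
    return v if v % 2 else v - 1


def d_il(n: int, e: int) -> int:
    """Greatest lower bound of [13], ceil((2n-3)/(3e)), rounded up to odd."""
    v = -(-(2 * n - 3) // (3 * e))
    return v if v % 2 else v + 1


def d_mid(n: int, e: int, i: int) -> int:
    """Equation (2): midpoint of [d_il, d_ir]."""
    return (d_ir(n, e, i) + d_il(n, e)) // 2


def key_margins(n: int, e: int, d: int, m: int = 2) -> dict:
    """Key-owner check: distances t_l and t_r (in steps of 2, since only odd
    candidates are tried) from d to the two bounds, as in Examples 3 to 5.
    A small t_r or t_l marks a key the paper classifies as weak."""
    g, i = improved_initial(n, m)
    lo, hi = d_il(n, e), d_ir(n, e, i)
    assert lo <= d <= hi, "d must lie in [d_il, d_ir]"
    return {"i": i, "d_il": lo, "d_ir": hi, "t_l": (d - lo) // 2, "t_r": (hi - d) // 2}


if __name__ == "__main__":
    # Example 4 of the paper: k = e - 1, so d sits only 29 steps below d_ir.
    print(key_margins(1907322773, 7603, 1906984507))
    # Example 3 of the paper.
    print(key_margins(167556124362173, 3499, 134178957795523))
```

With the paper's Example 3 parameters the script returns i = 38, dir = 167508211620489 and dil = 31924573567; with Example 4 it returns i = 8 and tr = 29, and with Example 5 it gives dmid = 953397139, matching the worked values above. Note that improved_initial takes the smallest integer that passes all three tests rather than the author's hand-picked steps, which for these examples lands on the same value.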

4. Experimental Results

In this section, the experimental results are presented. They are divided into two parts. The first part analyzes many pairs of e and d generated for a single value of n. This part is itself divided into two experiments: one for n generated from p and q of the same size, the other for n generated from p and q of different sizes. The second part compares the number of loops needed to find d between the proposed method and the other algorithms. However, in this part, the weak parameters that respond well to the proposed method are chosen, in order to demonstrate clearly that this method is highly efficient under these conditions.

The information in Table 4, where p and q have the same size (16 bits), shows that the distance to find d can be decreased by about 99% whenever k = e – 1, because this value is the one selected for the proposed equation. Furthermore, for the same value of e – k, which may be large, the distance is reduced more when e is larger. A clear example is given by the 18th, 19th and 20th rows, all of which have e – k = 10. In the 18th row, where e = 13 is the smallest in this group, the distance is decreased by only 10%. However, the distance is decreased by 46.57% in the 19th row, whose ratio is larger than that of the 18th row, because e = 149539 is very much larger than e = 19. Furthermore, the distance can be reduced by 89.47% in the 20th row, because e = 1658033 is the largest value among those generated with the same result e – k = 10. The reason that the distance can be decreased more when e is large and e – k is fixed is shown in Theorem 3.

Table 4. Considering dir for each pair (e, d) generated from n = 1907322773


Theorem 3. Assume e1*d1 = 1 + k1*Φ(n) and e2*d2 = 1 + k2*Φ(n), where e1 and e2 are very large, e1 > e2 and e1 – k1 = e2 – k2 = s. Then d1 is always larger than d2.

Proof: From

\(\begin{aligned}d=\frac{1+k \Phi(n)}{e}\\\end{aligned}\)

we have

\(\begin{aligned}d_{1}=\frac{1+k_{1} \Phi(n)}{e_{1}} \;and \;d_{2}=\frac{1+k_{2} \Phi(n)}{e_{2}}\\\end{aligned}\)

Because e1 – k1 = e2 – k2 = s, we have k1 = e1 – s and k2 = e2 – s.

Therefore,

\(\begin{aligned}d_{1}=\frac{1+\left(e_{1}-s\right) \Phi(n)}{e_{1}}\; and \;d_{2}=\frac{1+\left(e_{2}-s\right) \Phi(n)}{e_{2}}\\\end{aligned}\)

Because e1 and e2 are very large, \(\begin{aligned}\frac{1}{e_{1}} \approx \frac{1}{e_{2}} \approx 0\\\end{aligned}\)

That means \(\begin{aligned}d_{1} \approx \frac{\left(e_{1}-s\right) \Phi(n)}{e_{1}}\; and \; d_{2} \approx \frac{\left(e_{2}-s\right) \Phi(n)}{e_{2}}\\\end{aligned}\)

Because e1 > e2 and s > 0, so that (e – s)/e = 1 – s/e increases with e, \(\begin{aligned}\frac{\left(e_{1}-s\right)}{e_{1}}>\frac{\left(e_{2}-s\right)}{e_{2}}\\\end{aligned}\)

Therefore, d1 is always larger than d2 when e1 – k1 = e2 – k2 = s.

In addition, for the proposed equation, if e is very large then \(\begin{aligned}\frac{(e-1)}{e} \approx 0.999 x x x\\\end{aligned}\). That means the scope of all possible values of dir is quite narrow. In Table 4, dir lies between 1900145325 and 1907235359 when e > 269. Therefore, the proposed method is suitable for the case in which the distance between e and k is quite far and e is a large number.

However, the ratio of decreased distance becomes small when k is very close to e and e is a large integer. Therefore, if k is very close to e, the proposed method performs best when e is small.

Therefore, the proposed method is suitable for recovering d when one of the two following conditions holds.

1. k is very close to e and e is a small number.

2. e and k are both large when the distance between e and k is far.
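As an added numerical illustration of Theorem 3 and of the Table 4 rows with e – k = 10 discussed above (example code written for this page, not taken from the paper), the script below uses the paper's modulus n = 1907322773, recovers Φ(n) from the example 5 pair (e, d) = (1441, 893396161) through e·d − 1 = 675·Φ(n) (the multiplier 675 is derived here and is not stated on the page), and computes d = e⁻¹ mod Φ(n) for the public exponents 13, 149539 and 1658033 quoted from rows 18 to 20. It checks that each resulting pair indeed has e – k = 10, that d grows with e as the theorem predicts, and that d/Φ(n) is within 1/(e·Φ(n)) of (e – s)/e, which is the 0.999xxx behaviour described for large e.

```python
# Modulus of Table 4, as stated on the page, and phi(n) derived from the example 5
# key pair (e, d) = (1441, 893396161): e*d - 1 = 675 * phi(n). Neither phi(n) nor the
# multiplier 675 is printed on the page; both follow from the published values and
# the identity is re-checked below before anything else is computed.
N = 1907322773
PHI = (1441 * 893396161 - 1) // 675
if (1441 * 893396161) % PHI != 1:
    raise ValueError("derived phi(n) does not satisfy e*d = 1 mod phi(n)")

# Public exponents of Table 4 rows 18-20 as quoted on the page; all have e - k = 10.
TABLE4_ROWS = [13, 149539, 1658033]


def private_key(e, phi):
    """d = e^(-1) mod phi(n): the unique d with e*d = 1 + k*phi(n) and 0 < d < phi(n)."""
    return pow(e, -1, phi)


def multiplier(e, d, phi):
    """k in e*d = 1 + k*phi(n)."""
    x = e * d - 1
    if x % phi:
        raise ValueError("e and d are not a valid key pair for this phi(n)")
    return x // phi


def theorem3_table(exponents, phi):
    """For each e return (e, d, k, e - k, d/phi(n)).
    Theorem 3 predicts that d grows with e when s = e - k is held fixed."""
    rows = []
    for e in exponents:
        d = private_key(e, phi)
        k = multiplier(e, d, phi)
        rows.append((e, d, k, e - k, d / phi))
    return rows


def is_monotone_in_e(rows):
    """True when rows sorted by e have strictly increasing d (Theorem 3)."""
    ordered = sorted(rows)
    return all(a[1] < b[1] for a, b in zip(ordered, ordered[1:]))


def ratio_gap(e, d, phi):
    """|d/phi(n) - (e - s)/e| with s = e - k; exactly 1/(e*phi(n)) because
    d = (1 + (e - s)*phi(n)) / e, so the approximation in Theorem 3 is tight for large e."""
    s = e - multiplier(e, d, phi)
    return abs(d / phi - (e - s) / e)


if __name__ == "__main__":
    for e, d, k, s, ratio in theorem3_table(TABLE4_ROWS, PHI):
        print(f"e={e:>8} k={k:>8} e-k={s} d={d} d/phi={ratio:.6f}")
    print("d increases with e:", is_monotone_in_e(theorem3_table(TABLE4_ROWS, PHI)))
```

For e = 13 the ratio d/Φ(n) is only about 3/13, while for e = 149539 and e = 1658033 it is 0.99993 and 0.999994, which is why the paper finds dir closest to d when e – k is fixed and e is large.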

Furthermore, the table also shows that all values of dir are less than Φ(n), as demonstrated in Fig. 2.


Fig. 2. The position of each parameter in Table 4 on the number line

In Table 5, although the bit lengths of p and q are different (13 and 19 bits, respectively), the proposed method still performs well when the characteristics of e and k satisfy one of the two conditions above. However, dir may be farther from the target, because \(n-2\lceil\sqrt{n}\rceil-i+1\) is farther from Φ(n) than it is for the other values of n which are generated from p and q of the same size and for which Φ(n) is also very close to n.

Table 5. Considering dir for each pair (e, d) generated from n = 3187657073, p = 7193, q = 443161 (p = 13 bits, q = 19 bits)


However, the table shows that some values of dir are larger than Φ(n). Therefore, the number of loops to find d is still large when this occurs.

Therefore, the information in Table 4 and Table 5 implies that dir can be estimated well when one of the two conditions holds and the difference between p and q is small.

To confirm that the proposed method performs well when these weak points are encountered, it is compared with the other methods for recovering d. All results are for a small value of e – k and a rather minor difference between p and q. The compared methods are the brute force attack (searching from right to left), the improved FFA [22], the improved TDA [20] and Pollard's p – 1.

In Fig. 3, z denotes the distance to find d; the y-axis shows the logarithm of z and the x-axis the bit length of the modulus. The experimental results show that the distance to recover d by the proposed method is the smallest. However, the distance of the improved FFA is close to that of the proposed method, because FFA is also suited to a small value of p – q.


Fig. 3. Logarithm of total loops for each algorithm

5. Conclusion

This paper presents a new least upper bound on the private key, which is always less than or equal to the modulus minus 2. This value is selected as the new initial value for a brute force attack that searches for the private key from right to left; that is, the technique is appropriate for a large private key. When the difference between the public key and the multiplier of Euler's totient function is very small, this method is extremely efficient; if that difference is large, the public key and the multiplier should be large as well. In addition, this method performs well when p and q are close to each other. Moreover, if the position of d is assumed to be close to the scope's center, selecting the center between the new least upper bound and the greatest lower bound in [13] is a preferable alternative. The experimental results demonstrate that if one of the weak points occurs, the proposed method can estimate a new initial value that is extremely close to the private key.

References

  1. K. Halunen and O.M. Latvala, "Review of the use of human senses and capabilities in cryptography," Computer Science Review, vol. 39, pp. 1 - 10, 2021.
  2. R.L. Rivest, A. Shamir and L. Adleman, "A method for obtaining digital signatures and public key cryptosystems," Communications of ACM, vol. 21, pp. 120 - 126, 1978. https://doi.org/10.1145/359340.359342
  3. V. Guleria, S. Sabir and D.C. Mishra, "Security of multiple RGB images by RSA cryptosystem combined with FrDCT and Arnold transform," Journal of Information Security and Applications, vol. 54, pp. 1 - 13, 2020.
  4. L. Yang, T. Shanyu, L. Ran, Z. Liping and M. Zhao, "Secure and robust digital image watermarking scheme using logistic and RSA encryption," Expert Systems with Applications, vol. 97, pp. 95 - 105, 2018. https://doi.org/10.1016/j.eswa.2017.12.003
  5. K. Jiao, G. Ye, Y. Dong, X. Huang and J. He, "Image Encryption Scheme Based on a Generalized Arnold Map and RSA Algorithm," Security and Communication Networks, vol. 2020, pp. 1 - 14, 2020.
  6. C.L. Chen and C.C. Chen, "A Verifiable and Traceable Secondhand Digital Media Market Protocol," KSII Transactions on Internet and Information Systems, vol. 5, pp. 1472 - 1491, 2011. https://doi.org/10.3837/tiis.2011.08.007
  7. K. Somsuk and M. Thakong, "Authentication system for e-certificate by using RSA's digital signature," TELKOMNIKA Telecommunication, Computing, Electronics and Control, vol. 18, pp. 2948 - 2955, 2020. https://doi.org/10.12928/telkomnika.v18i6.17278
  8. K. Sharma, A. Agrawal, D. Pandey, R.A. Khan and S. K. Dinkar, "RSA based encryption approach for preserving confidentiality of big data," Journal of King Saud University - Computer and Information Sciences, vol. 34, no. 5, pp. 2088-2097, 2022. https://doi.org/10.1016/j.jksuci.2019.10.006
  9. M.E. Wu, C.M. Chen, Y.H. Lin and H.M. Sun, "On the Improvement of Wiener Attack on RSA with Small Private Exponent," The Scientific World Journal, vol. 2014, pp. 1 - 9, 2014.
  10. K. Somsuk, "The New Equation for RSA's Decryption Process Appropriate with High Private Key Exponent," in Proc. of International Computer Science and Engineering Conference, pp. 1-5, November 15 - 18, 2017.
  11. S. Murat, "Generalized Trial Division," International Journal of Contemporary Mathematical Science, vol. 6(2), pp. 59 - 64, 2011.
  12. M.E. Wu, R. Tso and H.M. Sun, "On the improvement of Fermat factorization using a continued fraction technique," Future Generation Computer Systems, vol. 30(1), pp.162 - 168, 2014. https://doi.org/10.1016/j.future.2013.06.008
  13. K. Somsuk, "A New Methodology to Find Private Key of RSA Based on Euler Totient Function," Baghdad Science Journal, vol. 18(2), pp.338-348, 2021. https://doi.org/10.21123/bsj.2021.18.2.0338
  14. K.G. Chol, L.S. Chol and H.H. Cho, "Fast rebalanced RSA signature scheme with typical prime generation," Theoretical Computer Science, vol. 830 - 831, pp.1 - 19, 2020. https://doi.org/10.1016/j.tcs.2020.04.024
  15. S.M. Sedjelmaci, "On a parallel extended Euclidean algorithm," in Proc. of ACS/IEEE International Conference on Computer Systems and Applications, pp. 235 - 241, June 25 - 29, 2001.
  16. D. Chandravathi and P.V. Lakshmi, "Privacy Preserving Using Extended Euclidean Algorithm Applied To RSA-Homomorphic Encryption Technique," International Journal of Innovative Technology and Exploring Engineering, vol. 8, pp.3175 - 3179, 2019. https://doi.org/10.35940/ijitee.J1236.0881019
  17. M. Wiener, "Cryptanalysis of short RSA secret exponents," IEEE Transactions on Information Theory, vol. 36, pp. 553-558, 1990. https://doi.org/10.1109/18.54902
  18. D. Boneh and G. Durfee, "Cryptanalysis of RSA with Private Key d less than N^0.292," in Proc. of Advances in Cryptology - EUROCRYPT '99, pp. 1 - 11, 1999.
  19. N. Lal, A. P. Singh and S. Kumar, "Modified trial division algorithm using KNJ-factorization method to factorize RSA public key encryption," in Proc. of International Conference on Contemporary Computing and Informatics, pp. 992-995, November 27 - 29, 2014.
  20. K. Somsuk, T. Chiawchanwattana and C. Sanemueang, "Estimating the new Initial Value of Trial Division Algorithm for Balanced Modulus to Decrease Computation Loops," in Proc. of International Joint Conference on Computer Science and Software Engineering, pp. 143-147, July 10 - 12, 2019.
  21. B.R. Ambedkar, A. Gupta, P. Gautam and S.S. Bedi, "An Efficient Method to Factorize the RSA Public Key Encryption," in Proc. of International Conference on Communication Systems and Network Technologies, pp. 108 - 111, June 3 - 5, 2011.
  22. K. Somsuk, "The improvement of initial value closer to the target for Fermat's factorization algorithm," Journal of Discrete Mathematical Sciences and Cryptography, vol. 21, pp. 1573 - 1580, 2018. https://doi.org/10.1080/09720529.2018.1502737
  23. J. McKee, "Speeding Fermat's factoring method," Mathematics of Computation, vol. 68, pp. 1729 - 1737, 1999. https://doi.org/10.1090/S0025-5718-99-01133-3
  24. K. Omar, "Algorithm for factoring some RSA and Rabin moduli," Journal of Discrete Mathematical Sciences and Cryptography, vol. 11(5), pp. 537 - 543, 2008. https://doi.org/10.1080/09720529.2008.10698205
  25. Q. Huang, Y.T. Li, Y. Zhang and C. Lu, "A Modified Non-Sieving Quadratic Sieve For Factoring Simple Blur Integers," in Proc. of International Conference on Multimedia and Ubiquitous Engineering, pp. 729 - 732, 2007.
  26. H.M. Bahig, M.A. Mahdi, K.A. Alutaibi, A. AlGhadhban and H.M. Bahig, "Performance Analysis of Fermat Factorization Algorithms," International Journal of Advanced Computer Science and Applications, vol. 11(12), pp. 340 - 352, 2020.
  27. J. M. Pollard, "Theorems of factorization and primality testing," Mathematical Proceedings of the Cambridge Philosophical Society, vol. 76(3), pp. 521 - 528, 1974.
  28. K. Somsuk, "The new Weakness of RSA and The Algorithm to Solve this Problem," KSII Transactions on Internet and Information Systems, vol. 14(9), pp. 3841 - 3857, 2020. https://doi.org/10.3837/tiis.2020.09.015
  29. K. Somsuk and K. Tientanopajai, "An Improvement of Fermat's Factorization by Considering the Last m Digits of Modulus to Decrease Computation Time," International Journal of Network Security, vol. 19(1), pp. 99 - 111, 2017.
  30. K. Somsuk and K. Tientanopajai, "Improving fermat factorization algorithm by dividing modulus into three forms," KKU Engineering Journal, vol. 43, pp. 350 - 353, 2016.
  31. Y.B. Hammad, G. Carter and E. Dawson, "RAK factoring algorithm," Australasian Journal of Combinatorics, vol. 33(1), pp. 291 - 305, 2005.