Factoring RSA modulus using prime reconstruction from random known bits

Authors:
Subhamoy Maitra;Santanu Sarkar;Sourav Sen Gupta
Affiliations:
Indian Statistical Institute, Applied Statistics Unit, Kolkata, India;Indian Statistical Institute, Applied Statistics Unit, Kolkata, India;Indian Statistical Institute, Applied Statistics Unit, Kolkata, India
Venue:
AFRICACRYPT'10 Proceedings of the Third international conference on Cryptology in Africa
Year:
2010

Citing 8
Cited 1

Efficient factoring based on partial information

Proc. of a workshop on the theory and application of cryptographic techniques on Advances in cryptology---EUROCRYPT '85
A course in computational algebraic number theory

A course in computational algebraic number theory
A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
An Attack on RSA Given a Small Fraction of the Private Key Bits

ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
Finding Small Roots of Univariate Modular Equations Revisited

Proceedings of the 6th IMA International Conference on Cryptography and Coding
Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits

ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Reconstructing RSA Private Keys from Random Key Bits

CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security

Generalized security analysis of the random key bits leakage attack

WISA'11 Proceedings of the 12th international conference on Information Security Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper discusses the factorization of the RSA modulus N (i.e., N=pq, where p, q are primes of same bit size) by reconstructing the primes from randomly known bits. The reconstruction method is a modified brute-force search exploiting the known bits to prune wrong branches of the search tree, thereby reducing the total search space towards possible factorization. Here we revisit the work of Heninger and Shacham in Crypto 2009 and provide a combinatorial model for the search where some random bits of the primes are known. This shows how one can factorize N given the knowledge of random bits in the least significant halves of the primes. We also explain a lattice based strategy in this direction. More importantly, we study how N can be factored given the knowledge of some blocks of bits in the most significant halves of the primes. We present improved theoretical result and experimental evidences in this direction.