Notes on Small Private Key Attacks on Common Prime RSA

We point out critical deficiencies in the lattice-based cryptanalysis of common prime RSA presented in "Remarks on the cryptanalysis of common prime RSA for IoT constrained low power devices" [Information Sciences, 538 (2020) 54-68]. To rectify these flaws, we carefully scrutinize the relevant parameters involved in the analysis while solving a specific trivariate integer polynomial equation. Additionally, we offer a synthesized illustration of small private key attacks on common prime RSA.


Introduction
Common prime RSA, an enhanced variant of RSA [RSA78], was first mentioned by Wiener [Wie90] and later refined and named by Hinek [Hin06]. This RSA variant involves two balanced primes p and q with a special structure that provides resistance against previous attacks. Hinek defines p = 2ga + 1 and q = 2gb + 1, where a and b are coprime positive integers and g is a prime. Besides, h = 2gab + a + b is ensured to be a prime, and hence (pq − 1)/2 = gh is a semiprime.
Its public/private exponents e, d are defined by the key equation ed ≡ 1 (mod lcm(p − 1, q − 1)). As lcm(p − 1, q − 1) = lcm(2ga, 2gb) = 2gab, we have ed = 2gabk + 1 for an unknown integer k relatively prime to 2g. We denote the greatest common divisor as g ≃ N^γ and the private exponent as d ≃ N^δ. We have 0 < γ < 1/2 for balanced primes, and hence e is approximately 2gab, implying e ≃ N^{1−γ}. Cryptanalysis of common prime RSA has been extensively conducted in various previous works [Hin06, JM06, SM13, LZPL15, ML20], focusing mainly on polynomial-time small private key attacks. We briefly summarize the resulting attack bounds on δ as follows.
Wiener's Attack. Wiener [Wie90] used a continued fraction attack to prove that, given a public key (N, e) with δ < 1/4 − γ/2, one can factorize the common prime RSA modulus N in polynomial time.
Hinek's Attack. Hinek [Hin06] conducted a systematic study of common prime RSA with two lattice-based attacks. Concretely, N can be factorized in polynomial time when δ < γ² or δ < 2γ/5.
Sarkar-Maitra's Attack. Sarkar and Maitra [SM13] showed two improved lattice-based attacks. One is applicable for γ ≤ 0.051 under a complicated condition, and the other is applicable for 0.051 < γ ≤ 0.2087 with the following bound.
Lu et al.'s Attack. Lu et al. [LZPL15] further analyzed the security of common prime RSA by solving simultaneous modular equations and obtained an improvement for γ ≥ 0.3872. The bound on δ has been further improved to the following.
Mumtaz-Luo's Attack. Mumtaz and Luo [ML20] applied a generalized lattice-based method for solving multivariate polynomial equations to the small private key attack on common prime RSA. They proposed an attack that works under the following bound on δ. It is worth noting that Mumtaz-Luo's attack used incorrect or incomplete parameters, rendering their findings inapplicable. Our examination reveals the presence of incorrect parameters and incomplete conditions, prompting us to make the necessary corrections to their approach. Consequently, we present a refined security assessment of common prime RSA based on small private key attacks, offering a detailed illustration of its insecure and secure boundaries.
In this work, we adopt the lattice-based integer polynomial solving strategy [Cop97], a technique commonly employed in previous cryptanalysis. We carefully check the relevant parameters associated with the specific solving condition in Mumtaz-Luo's attack and identify instances of inappropriate usage and missing explanations. Subsequently, we propose corrective measures, leading to a refined small private key attack obtained through a discussion of an optimizing parameter. Our refined attack is effective for the following bound on δ.
Taking into account previous small private key attacks as well as our refined one, we present an illustrative security assessment of common prime RSA in Figure 1. The rest of this paper is structured as follows. In Section 2, we provide an introduction to the lattice-based solving method, along with a solving condition for multivariate polynomial equations. We review Mumtaz-Luo's attack to point out several existing flaws, and present our corrections with a refined small private key attack on common prime RSA in Section 3 and Section 4. We validate our proposed corrected attack through intensive numerical experiments in Section 5. Finally, we conclude the paper in Section 6.

Preliminaries
The fundamental concepts include the lattice reduction algorithm, notably the LLL algorithm by Lenstra, Lenstra, and Lovász [LLL82], and Coppersmith's lattice-based method [Cop97], which was later refined as Howgrave-Graham's lemma [How97]. Additionally, a solving condition essential for finding the root of integer polynomials is introduced. For a more comprehensive understanding, interested readers can refer to [May03, May10].
Let us begin by defining a lattice L as the set of all integer linear combinations of linearly independent vectors b_1, …, b_ω. In other words, it can be expressed as follows. The lattice determinant, denoted det(L), is calculated as √det(BB^T), where each b_i is considered as a row vector of the basis matrix B. When dealing with a full-rank lattice with ω = n, the determinant becomes det(L) = |det(B)|.
The LLL algorithm [LLL82] is a key mathematical tool for efficiently finding approximately short lattice vectors. As proven in [May03], the LLL algorithm yields a reduced basis (v_1, v_2, …, v_ω) with the following property.
Lemma 1. The LLL algorithm outputs a reduced basis. Its time complexity is polynomial in ω and in the logarithm of the maximal input vector norm.
An essential lemma introduced by Howgrave-Graham [How97] provides a principle for determining whether the root of a modular polynomial equation also corresponds to a root over the integers. Let g(x_1, …, x_n) ∈ Z[x_1, …, x_n] be an integer polynomial consisting of at most ω monomials. If the following two conditions are satisfied, then g(x⋆_1, …, x⋆_n) = 0 holds over the integers.
Combining the outputs of the LLL algorithm with Howgrave-Graham's lemma, we can efficiently solve modular/integer polynomial equations. Suppose that we have calculated the first ℓ reduced vectors; the key to success lies in satisfying the following condition. We always have ℓ < ω ≪ R, and hence it further leads to det(L) < R^{ω−ϵ} with a tiny error term ϵ. We finally derive the asymptotic solving condition det(L) < R^ω, which allows us to effectively solve given modular/integer polynomial equations. The lattice-based solving strategy involves the following stages. Initially, we generate a set of shift polynomials using the given polynomial f(x_1, …, x_n) and upper bounds X_1, …, X_n. These shift polynomials are specifically designed to share a common root modulo R. Subsequently, we create a lattice by converting the coefficient vectors of each shift polynomial g_i(x_1X_1, …, x_nX_n) into row vectors of a lattice basis matrix. Utilizing the LLL algorithm, we then obtain the first few reduced vectors. These vectors are further transformed into integer polynomials h_i(x_1, …, x_n). Once we ensure that the resulting integer polynomials h_i(x_1, …, x_n) are algebraically independent, the equation system can be solved using trivial methods, thus extracting the desired root.
Several studies have focused on constructing an elegant lattice basis matrix with optimized solving conditions, including works such as [BM05, JM06, TK13, LZPL15]. In this paper, we adopt Jochemsz-May's strategy [JM06], which involves creating a triangular basis matrix, where det(L) is easy to compute as the product of the matrix's diagonal elements. For a comprehensive and detailed explanation, refer to Section 4.
To find the roots of a given trivariate integer polynomial in the specific form below, we should establish upper bounds X_1, X_2, and X_3 for the unknown variables x_1, x_2, and x_3. Additionally, X_∞ is defined as the maximal individual term value of the trivariate polynomial, which is given as follows. To proceed, we introduce the parameter R = X_∞ X, where s is a positive integer, and t = τs with τ ≥ 0 to be determined and optimized during the subsequent lattice construction.
We then construct a basis matrix using the coefficient vectors of shift polynomials built from two monomial sets S and M. We define f(x_1, x_2, x_3) mod R so that the constant term is 1. The corresponding shift polynomials are given below. Upon straightforward and meticulous computations with the above parameters, we establish a parameterized solving condition. We obtain the first two vectors of the reduced basis under the proposed procedure and transform them into two polynomials f_1(x_1, x_2, x_3) and f_2(x_1, x_2, x_3) that share a common root over the integers. The extraction of the common root can be accomplished using resultant computation or Gröbner basis computation [BWK93]. The running time primarily depends on computing the reduced lattice basis and recovering the desired root, both of which can be achieved in polynomial time with respect to the inputs.
The lattice-based solving strategy is a heuristic approach, as there is no assurance that the derived integer polynomials will always be algebraically independent. However, in the realm of lattice-based attacks, it is commonly assumed that the polynomials obtained through the LLL algorithm are algebraically independent.
Furthermore, it leads to the following. Multiplying them together yields an equation that simplifies as shown below. They merge the variable k with a and b, resulting in the following trivariate integer polynomial.
Thus, it turns into finding the root (x⋆, y⋆, z⋆) = (d, ak, bk) of this trivariate integer polynomial. The estimated upper bound values are given below. They employ the generalized Coron's reformulation [Cor04, Cor07], similar to Jochemsz-May's strategy [JM06]. The maximal coefficient W = ∥f(xX, yY, zZ)∥_∞ is defined for f(x, y, z), but the specific value of W is not explicitly mentioned. Through the generalized Coron's reformulation, they derive the following solving condition.
This coincides with the solving condition presented in [JM06]. Subsequently, they substitute X, Y, Z, and W and simplify to obtain an inequality involving δ, γ, and an optimizing parameter τ.
To maximize its left side, they let τ = (3 − 2γ − 8δ)/(4δ), as in (10). Substituting τ back into (9), they obtain the inequality with respect to δ and γ.
Thus, they obtain the following bound, omitting the tiny term ϵ present in the original bound [ML20, Formula (12)].
Mumtaz and Luo recover the root (x⋆, y⋆, z⋆) = (d, ak, bk) through resultant computation. Thus, they claim that the factorization of the common prime modulus is done in polynomial time. However, their derivation from (8) to (9) is not smooth and intuitive, as W is not explicitly given during their analysis. Conversely, we aim to discover the value of W they use through the following inverse computation. Assuming that condition (9) is correctly derived for X = N^δ, Y = Z = N^{δ−γ+1/2} given in (7) and W = N^ξ with a fixed ξ to be recovered, we have the following inequality. Simplifying it and rearranging, we compare the corresponding coefficients in (9) and (12), which must agree. Solving the resulting simultaneous equations, we encounter a contradiction about ξ as follows: ξ = 2δ − 4γ + 3 and ξ = 2δ − 14γ/3 + 10/3.
Even if we still assume that condition (9) is correct, the derived bound on δ is not accurate. Mumtaz-Luo's bound on δ is presented below. However, it overestimates the capability of the small private key attack, since they ignore a crucial prerequisite, i.e., τ ≥ 0, used in the lattice-based method. The optimizing parameter is set to τ = (3 − 2γ − 8δ)/(4δ) according to (10). Hence, we must ensure that (3 − 2γ − 8δ)/(4δ) ≥ 0, which results in 3 − 2γ − 8δ ≥ 0. Therefore, we obtain another constrained bound on δ, namely δ ≤ (3 − 2γ)/8.
To conclude, Mumtaz-Luo's attack [ML20] suffers from several fatal flaws, rendering their attack result incorrect and inapplicable. These flaws are summarized as follows.
Repetitive Approach. They use the generalized Coron's reformulation to solve a trivariate integer polynomial, but the specific monomial form and its relevant unknown variables are the same as those analyzed in Jochemsz-May's attack [JM06, Section 5.2].
Incorrect Parameter W. The parameter W, referring to the maximal coefficient of f(xX, yY, zZ) with upper bounds X, Y, Z, is not explicitly provided. Moreover, the value of W implied by their derivation contradicts itself, leading to uncertainty and inconsistency in their analysis.
Incorrect Bound on δ. They ignore a crucial prerequisite of the lattice-based method, namely that the optimizing parameter τ should satisfy τ ≥ 0. This oversight results in an incorrect bound on δ, and the theoretical bound values given in Theorem 1 do not agree with the ones presented in Table 2.
Incomplete Factorization. Their analysis lacks an explanation of how to factorize the given common prime RSA modulus once the root (d, ak, bk) is recovered. This omission renders the proof of Theorem 1 incomplete and leaves their attack without a crucial step.
These flaws in Mumtaz-Luo's analysis raise significant concerns about the reliability and validity of their proposed attack. Addressing these issues is essential before considering the effectiveness of their approach in practical attack scenarios.

Corrections to Previous Cryptanalysis
In light of the flaws in Mumtaz-Luo's analysis [ML20], we present a refined small private key attack and make corrections to their previous findings.
The maximal term X_∞ is used in the solving condition, and it can be computed as follows. We use one extra shift of x_1 in the lattice-based method, as it is smaller than x_2 and x_3. We construct two monomial sets S and M for s and t = τs as follows.
We know the relationship between the monomials x_1^{i_1} x_2^{i_2} x_3^{i_3} in S and M and the corresponding exponents i_1, i_2, i_3 via the expansion of f^{s−1} and f^s.
The constant term of f(x_1, x_2, x_3) is required to be 1, and fortunately a_0 is exactly 1. Thus, we define the shift polynomials g_{[i_1,i_2,i_3]} according to distinct (X_2X_3)^{s−1} as follows.
The coefficient vectors of g_{[i_1,i_2,i_3]}, where x_iX_i is substituted for each x_i, generate a lattice L. We need to compute the lattice determinant det(L) from the diagonal elements of the basis matrix, as follows. Therefore, R on the left and right sides cancels out, and we obtain a condition in terms of s_j = Σ_{x_1^{i_1} x_2^{i_2} x_3^{i_3} ∈ M∖S} i_j for j = 1, 2, 3 and s_0 = |S|. By calculating s_j for j = 0, 1, 2, 3 through the above deduction, we obtain their values. Using t = τs and skipping lower-order terms o(s³) gives us the leading terms. We substitute the values of X_1, X_2, X_3, X_∞, and s_j for j = 0, 1, 2, 3 into (16). This results in an inequality which, after further simplification, yields a condition in δ, γ, and τ. To minimize the left side, we find the optimizing value τ = (2γ − 8δ + 1)/(4δ). Therefore, we get an inequality in δ and γ, which simplifies to 16δ² − 32(γ + 1)δ + 3(2γ + 1)² > 0.
From this inequality, we can deduce the bound on δ.
Once we have obtained more integer polynomials apart from f(x_1, x_2, x_3) that share the common root (x⋆_1, x⋆_2, x⋆_3) = (d, ak, bk) over the integers, we can proceed to extract d, ak, and bk to factorize N. To factorize the given common prime RSA modulus N using the obtained values d, ak, and bk, we make use of the fact that gcd(a, b) = 1. So, k = gcd(ak, bk) is first computed as k = gcd(x⋆_2, x⋆_3). Then, we know a = x⋆_2/k and b = x⋆_3/k. Next, we apply ed = 2gabk + 1 with known a, b, and k to compute g = (ed − 1)/(2abk). Finally, using a, b, and g, we find p = 2ga + 1 and q = 2gb + 1. These values of p and q give us the factorization of N. The root extraction and factorization can be done in time polynomial in log N and s.
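As an added illustration (not code from the paper), the following Python builds a constructed toy common prime RSA instance with p = 2ga + 1, q = 2gb + 1, checks the identity (pq − 1)/2 = gh, and runs the recovery step above: given the root (d, ak, bk) that the lattice stage is assumed to output, it derives k, a, b, g and hence p and q. The parameter sizes and helper names are assumptions, and no lattice reduction is performed.

```python
from math import gcd
import random


def is_prime(n):
    # trial division is enough for the tiny constructed instances used here
    return n > 1 and all(n % m for m in range(2, int(n ** 0.5) + 1))


def gen_common_prime_rsa(g_bits, ab_bits, d_bits, rng):
    # constructed toy instance: p = 2ga+1, q = 2gb+1 with g, p, q and h = 2gab+a+b prime
    while True:
        g = rng.getrandbits(g_bits) | (1 << (g_bits - 1)) | 1
        if is_prime(g):
            break
    while True:
        a = rng.getrandbits(ab_bits) | (1 << (ab_bits - 1))
        if is_prime(2 * g * a + 1):
            break
    while True:
        b = rng.getrandbits(ab_bits) | (1 << (ab_bits - 1))
        if gcd(a, b) == 1 and is_prime(2 * g * b + 1) and is_prime(2 * g * a * b + a + b):
            break
    lam = 2 * g * a * b  # lcm(p - 1, q - 1)
    while True:
        d = rng.getrandbits(d_bits) | 1  # private exponent, must be invertible mod lam
        if d > 1 and gcd(d, lam) == 1:
            break
    e = pow(d, -1, lam)  # key equation ed = 1 (mod lcm(p - 1, q - 1)); Python 3.8+
    return 2 * g * a + 1, 2 * g * b + 1, g, a, b, e, d


def factor_from_root(N, e, root):
    # recovery step of Section 4: (d, ak, bk) -> k, a, b, g -> p, q
    d, ak, bk = root
    k = gcd(ak, bk)  # gcd(a, b) = 1, so gcd(ak, bk) = k
    a, b = ak // k, bk // k
    g = (e * d - 1) // (2 * a * b * k)  # from ed = 2gabk + 1
    p, q = 2 * g * a + 1, 2 * g * b + 1
    if p * q != N:
        raise ValueError("the given root does not factor N")
    return p, q


def demo(seed=1):
    # generate an instance, check the structural identity (pq - 1)/2 = gh, run the recovery
    rng = random.Random(seed)
    p, q, g, a, b, e, d = gen_common_prime_rsa(12, 10, 16, rng)
    N = p * q
    assert (N - 1) // 2 == g * (2 * g * a * b + a + b)
    k = (e * d - 1) // (2 * g * a * b)  # the k hidden inside the root (d, ak, bk)
    return factor_from_root(N, e, (d, a * k, b * k)) == (p, q)
```

A hand-sized instance for checking by eye: g = 3, a = 6, b = 1 gives p = 37, q = 7, N = 259, h = 43, and with d = 11 the key equation yields e = 23 and k = 7, so the root is (11, 42, 7).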
Remark 1. In addition to addressing the flaws in Mumtaz-Luo's analysis, we have further enhanced Jochemsz-May's attack by refining the bound on δ for 3/10 < γ < 1/2. It is important to note that Mumtaz-Luo's analysis essentially reproduces Jochemsz-May's attack, albeit with an incorrect and incomplete derivation.

Validating Experiments
The experimental results are provided to demonstrate the performance of the proposed small private key attack based on Proposition 1. The experiments were carried out on a laptop running a 64-bit Windows 10 operating system with Ubuntu 22.04 installed on WSL 2. We utilized SageMath [The23] for conducting the experiments, and the parameters for generating the common prime RSA instances were randomly chosen.
Initially, we generated a common prime RSA modulus N with bit-size ℓ using a predetermined γ value. Subsequently, we generated the private exponent d with a predetermined bit-size in each experiment. To derive the public exponent e, we used ed ≡ 1 (mod lcm(p − 1, q − 1)). Additionally, the bit-size of d was gradually increased to achieve a larger δ for a successful small private key attack.
To execute the proposed attack, we carefully constructed a lattice via suitable integers s and t. Table 1 provides the experimental results for our proposed small private key attack. The column γℓ represents the bit-size of g in the generated common prime RSA instances, while ℓ_e denotes the bit-size of e. The column δ_tℓ provides the theoretical bound on d, and the corresponding experimental result is presented in the column δ_eℓ. The column AR indicates the achieving rate δ_e/δ_t of our experimental bound, estimating its distance from the theoretical one. The lattice settings are controlled by s and t, with the lattice dimension given in the ω column. The time consumption of our experiments is recorded in the Time column, measured in seconds.
Throughout each experiment, we collected sufficient integer polynomials that met the solvability requirements after running the LLL algorithm. As indicated in Table 1, the running time increases as the lattice dimension becomes higher or the given modulus gets larger. After obtaining the integer polynomial equations with a shared root, we successfully recovered (x⋆_1, x⋆_2, x⋆_3) in attacks on the generated instances. Consequently, we retrieved d, ak, and bk, enabling us to factorize N using the root extraction approach. However, the experimental results fell short of reaching the theoretical bound, likely due to limited computing resources. It is

Figure 1: The shadows delineate the attack region on common prime RSA. These attack curves function as critical boundaries differentiating between secure and insecure common prime RSA settings.