Small CRT Exponent RSA s00145-018-9282-3

J Cryptol (2019) 32:1337–1382
https://doi.org/10.1007/s00145-018-9282-3
Small CRT-Exponent RSA Revisited∗

Atsushi Takayasu†
The University of Tokyo, Tokyo, Japan
National Institute of Advanced Industrial Science and Technology (AIST), Tokyo, Japan
takayasu@msit.i.u-tokyo.ac.jp
Yao Lu
The University of Tokyo, Tokyo, Japan
Liqiang Peng
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy
of Sciences, Beijing, China
Data Assurance and Communication Security Research Center, Chinese Academy of Sciences,
Beijing, China
lqpeng@is.ac.cn
Communicated by Serge Vaudenay.

Received 29 August 2017 / Revised 30 January 2018
Online publication 22 February 2018
Abstract. Since May (Crypto’02) revealed the vulnerability of the small CRT-exponent
RSA using Coppersmith’s lattice-based method, several papers have studied the problem
and two major improvements have been made. (1) Bleichenbacher and May (PKC’06)
proposed an attack for small dq when the prime factor p is significantly smaller than
the other prime factor q; the attack works for p < N 0.468 . (2) Jochemsz and May
(Crypto’07) proposed an attack for small d p and dq when the prime factors p and q are
balanced; the attack works for d p , dq < N 0.073 . Even a decade has passed since their
proposals, the above two attacks are still considered as the state of the art, and no im-
provements have been made thus far. A novel technique seems to be required for further
improvements since it seems that the attacks have been studied with all the applicable
techniques for Coppersmith’s methods proposed by Durfee–Nguyen (Asiacrypt’00),
Jochemsz–May (Asiacrypt’06), and Herrmann–May (Asiacrypt’09, PKC’10). Since it
seems that the attacks have been studied with all the applicable techniques for Cop-
persmith’s methods proposed by Durfee–Nguyen (Asiacrypt’00), Jochemsz–May (Asi-
acrypt’06), and Herrmann–May (Asiacrypt’09, PKC’10), improving the previous results
seem technically hard. In this paper, we propose two improved attacks on the small CRT-
∗ This paper is the full version of [56]. This research was supported by JST CREST Grant Number
JPMJCR14D6, Japan, JSPS KAKENHI Grant Number 17H06571, Japan, the National Natural Science
Foundation of China (Grants 61702505, 61472417, 61732021, 61502488, 61602471, 61772520), National
Cryptography Development Fund (MMJJ20170115, MMJJ20170124) and the Fundamental Theory and
Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Grants
Y7Z0341103, Y7Z0321102).
† During the work, the author was supported by a JSPS Fellowship for Young Scientists.
© International Association for Cryptologic Research 2018

1338 A. Takayasu et al.
exponent RSA: a small dq attack for p < N 0.5 (an improvement of Bleichenbacher–
May’s) and a small d p and dq attack for d p , dq < N 0.122 (an improvement of Jochemsz–
May’s). The latter result is also an improvement of our result in the proceeding version
(Eurocrypt ’17); d p , dq < N 0.091 . We use Coppersmith’s lattice-based method to solve
modular equations and obtain the improvements from a novel lattice construction by
exploiting useful algebraic structures of the CRT-RSA key generation equation. We ex-
plicitly show proofs of our attacks and verify the validities by computer experiments. In
addition to the two main attacks, we also propose small dq attacks on several variants
of RSA.
Keywords. CRT-RSA, Cryptanalysis, Coppersmith’s method, Lattices,
LLL algorithm.
1. Introduction
1.1. Background
Let N = pq be a public RSA modulus whose prime factors p and q are usually the same
bitsize. A public exponent e and a secret exponent d satisfy ed = 1 mod ( p −1)(q −1).
For encryption/verifying (resp. decryption/signing), the heavy modular exponentiation
of e (resp. d) modulo N has to be computed. To resolve the issue, using a small public
or secret exponent may be the most simple approach. However, Wiener [57] showed
that a public RSA modulus is factorized in polynomial time when the secret exponent
is too small such that d < N 0.25 . Boneh and Durfee [3] revisited the problem with
Coppersmith’s lattice-based method [8,20] and improved the bound to d < N 0.284 .
Furthermore, in the same work, the bound was improved to d < N 0.292 by exploiting
sublattice structures from the previous one although the proof is involved.
To simultaneously thwart the small secret exponent attack and achieve fast decryp-
tion/signing, the Chinese Remainder Theorem (CRT) is often used as described by
Quisquater and Couvreur [40]. Instead of the original secret exponent d, there are CRT-
exponents d p and dq that satisfy
ed p = 1 mod ( p − 1) and edq = 1 mod (q − 1).
The PKCS#1 standard [39] has specified that an RSA secret key should be ( p, q, d, d p ,
dq , q −1
p ), where d p and dq are the CRT-exponents.
Then a natural question to ask is whether there exist analogous attacks of the Boneh–
Durfee [3] to the small CRT-exponents. The first affirmative answer was given by May
(Crypto’02) [29]. May analyzed the unbalanced RSA whose prime factor p is signifi-
cantly smaller than the other prime factor q, and proposed an attack for a small dq with
an arbitrary large d p . The paper contains two attacks, where the former attack works for
p < N 0.382 . The latter attack works only for smaller p, however, is better than the former
attack for p < N 0.23 in the sense that a larger dq can be recovered. Since May’s attack
works only in the unbalanced setting, it is an interesting open question if the attacks can
be improved to cover the balanced RSA.
Subsequently, several improved attacks on the small CRT-exponent RSA have been
proposed. Bleichenbacher and May (PKC’06) [5] revisited May’s work [29] in the same
attack scenario and proposed an improved attack. The attack works for a larger p such
that p < N 0.468 , and recovers a larger dq than May’s attack for any size of p. However,
Small CRT-Exponent RSA Revisited 1339
Bleichenbacher–May’s improved attack could still not cover balanced prime factors.
To attack the balanced RSA, Bleichenbacher and May analyzed other attack scenarios,
where both d p and dq are small in the same work. They proposed an attack which works
when e is significantly smaller than N . Although the same situation was already studied
by Galbraith et al. [14], Sun and Wu [45], their attacks only work for a smaller e. Finally,
Jochemsz and May (Crypto’07) [22] proposed the first attack that works for a full size
e when d p , dq < N 0.073 .
In the past decade, no improved attacks of Bleichenbacher–May [5] and Jochemsz–
May [22] have been proposed. Hence, following these attacks seems to be the best way
to study the security of the CRT-RSA. Indeed, until recently, several papers followed the
attacks and reported the vulnerabilities of the CRT-RSA, e.g., an attack on Takagi’s RSA
[43], an attack on the RSA with multiple exponent pairs [35], and partial key exposure
attacks [4,27,44,49,51].
1.2. Technical Hardness

Coppersmith introduced two lattice-based methods, to solve a modular equation [8]
and an integer equation [7]. May’s attack and Bleichenbacher–May’s attack used the
former method, whereas Jochemsz–May’s attack used the latter method. Both methods
first construct a lattice and then solve equations with a small root in polynomial time
using the LLL lattice reduction [25]. In this research area, constructing better attacks is
equivalent to designing better lattices that contain the more useful algebraic structure
of the equation. For the purpose, several useful strategies and techniques for lattice
constructions have been introduced thus far. Currently best known small CRT-exponent
attacks [5,22,29] are based on the state of the art lattice constructions: the Durfee–
Nguyen technique (Asiacrypt’00) [12] and the Jochemsz–May strategy (Asiacrypt’06)
[21]. Since the Durfee–Nguyen technique is useful to handle the relation N = pq and
the Jochemsz–May construction yields good lattices for arbitrary polynomials, these
approaches [5,29] seem appropriate to study the attack. Moreover, to the best of our
knowledge, there remained no useful strategies to analyze the attack scenarios at that
time. After the proposals of [5,22,29], a new technique called unravelled linearization
was introduced by Herrmann and May (Asiacrypt’09) [18]. The technique has been used
to study various attack scenarios on RSA, e.g., [6,15,16,19,23,24,37,38,47,48,50,52–
55], and drastically developed the research area. For example, Herrmann and May [19]
showed an elementary proof of Boneh–Durfee’s stronger attack [3] for d < N 0.292
by exploiting the sublattice structures. However, unfortunately, unravelled linearization
could not improve small CRT-exponent attacks. Although Herrmann and May (PKC’10)
[19] tried to exploit sublattice structures, they could not obtain better asymptotic bounds.
Therefore, obtaining better bounds seems technically hard.
1.3. Our Results

In this paper, we develop a novel lattice construction that enables us to exploit more use-
ful algebraic structures of the CRT-RSA key generation equation. A basic application of
the technique is an improved small dq attack for unbalanced prime factors (Sect. 3). As
opposed to the previous results by May [29] and Bleichenbacher–May [5], our attack
is the first result to reach a meaningful bound, i.e., p < N 0.5 . Hence, we solve one
of the major open problems for the security of the small CRT-exponent RSA. More-
over, our attack can recover a larger dq than [5,29] for any size of p. In addition, our
attack requires less lattice dimensions than Bleichenbacher–May’s attack [5] since our
technique exploits sublattice structures from [5]’s lattice, where the approach is similar
to Boneh–Durfee [3]. Indeed, our experiments show that Bleichenbacher–May’s attack
works better than their theoretical analyses. Hence, our careful analysis successfully fills
the gap between theoretical and experimental behaviors.
We claim that our lattice construction is not limited to the small dq attack. The con-
struction is also applicable to a small d p and dq attack (Sect. 4) that improves Jochemsz–
May’s attack [22]. As we mentioned, small dq attacks [5,29] and small d p and dq attacks
[22] were studied with different approaches in previous works; the former attack used
Coppersmith’s modular method, whereas the latter attack used Coppersmith’s integer
method. However, our powerful lattice construction enables us to improve these attacks
in the same manner. Our attack works for d p , dq < N 0.122 with a full size e where
the exponent of N is about 40% larger than Jochemsz–May’s attack. Notice that our
proposed attack in this paper is much better than that in our proceeding version [56] that
works when d p , dq < N 0.091 .
Recently, numerous papers [13,17,26,28,34–36,41–43,47,50,52] have been studying
the security of RSA variants. Hence, we show several extensions for our small dq attack
on the RSA variants (Sect. 5), i.e., the Multi-Prime RSA, Takagi’s RSA, and the RSA
with multiple exponent pairs. Our attacks significantly improve previous attacks on these
variants [35,43].
1.4. Key Technique

We show an overview of our technique. The CRT-RSA key generation for dq is written
as
edq = 1 + k(q − 1) (1)
with some integer k. By multiplying the equation by p, we obtain
edq p = p + k(N − p) = N + (k − 1)(N − p). (2)
Recall in May’s and Bleichenbacher–May’s attack scenario [5,29], the prime p is sig-
nificantly smaller than the other prime q. They solved the latter equation (2) modulo
e to recover unknown (k − 1, p). Since the prime p is significantly smaller than the
other prime q, to construct better attacks, solving Eq. (2) is more promising approach
than solving Eq. (1) to recover (k, q). Hence, only Eq. (2) is used in previous attacks.
However, it means that the constructions of previous attacks significantly rely on the fact
that p is much smaller than q. As a result, these attacks do not work when p is close to
N 0.5 .
What we focus on is a fact that Eqs. (1) and (2) are essentially the same; there are two
representations for the same CRT-RSA key generation. As opposed to previous works,
our improved lattice constructions utilize the algebraic structure of both Eqs. (1) and (2)
simultaneously, not only the equation (2). The two representations are compatible in the
sense that the combination enables us to exploit more useful algebraic structures. More
specifically, we use Eqs. (1) and (2), where the proportion can be adaptively determined
by the sizes of p and q. Then, to solve the modulo e equation as previous works, our
framework always yields the better lattices than previous approaches. Our attacks are
better than Bleichenbacher–May’s attack for any size of p.
At a glance, our lattice construction technique is specialized to the improvement of
Bleichenbacher–May’s attack. As we pointed out, May’s attack and Bleichenbacher–
May’s attack used Coppersmith’s method to solve a modular equation [8,20], whereas
Jochemsz–May’s attack used the method to solve an integer equation [7,11]. The mod-
ular equation for the former attack and the integer equation for the latter attack have
completely different algebraic structures. However, surprisingly, our powerful lattice
construction enables us to construct better lattices and improves Jochemsz–May’s at-
tack, too. It suggests that the construction is quite useful to study the security of CRT-RSA
over a wide range.
2. Preliminaries
Consider a modular equation h(x1 , . . . , xr ) = 0 (mod W ), where all the absolute values
of the target solutions (x̃1 , . . . , x̃r ) are bounded above by X 1 , . . . , X r . When rj=1 X j
is reasonably smaller than W , Coppersmith’s method can find all the solutions in poly-
nomial time. In this section, we recall a simplified reformulation of the method proposed
by Howgrave–Graham [20] and its basis tools, i.e., Howgrave–Graham’s lemma and the
LLL algorithm.
Let h(x1 , . . . , xr ) denote the norm of a polynomial which represents the Euclidean
norm of the coefficient vector. The following Howgrave–Graham’s lemma reduces the
modular equations into integer equations.
Lemma 1. (Howgrave–Graham’s Lemma [20]) Let h̃(x1 , . . . , xr ) ∈ Z[x1 , . . . , xr ] be

a polynomial with at most n monomials. Let m, W, X 1 , . . . , X r be positive integers.
Suppose that:
1. h̃(x̃1 , . . . , x̃r ) = 0 (mod W m ),√where |x̃1 | < X 1 , . . . , |x̃r | < X r ,
2. h̃(x1 X 1 , . . . , xr X r ) < W m / n.
Then h̃(x̃1 , . . . , x̃r ) = 0 holds over the integers.
To solve r -variate modular equations h(x1 , . . . , xr ) = 0 (mod W ), it suffices to find

r new polynomials h̃ 1 (x1 , . . . , xr ), . . . , h̃ r (x1 , . . . , xr ) whose root is the same as the
original one, i.e., (x1 , . . . , xr ) = (x̃1 , . . . , x̃r ), and whose norms are small enough to
satisfy Howgrave–Graham’s lemma.
To find such small norm polynomials from the original modular polynomial h(x1 , . . . ,
xr ), lattices and the LLL algorithm are used. An n-dimensional lattice is an additive dis-
crete subgroup of Zn . In other words, a lattice represents all integer linear combinations of
its basis vectors. All vectors are row representation throughout the paper. Let b1 , . . . , bm
m in Z . A lattice spanned by these vectors
be n-dimensional linearly independent vectors n
as a basis is defined as L(b1 , . . . , bm ) := { j=1 c j b j : c j ∈ Z for all j = 1, 2, . . . , n}.

We also use a matrix representation for the basis. We define a basis matrix B as m × n
matrix which has the basis vectors b1 , . . . , bm in each row. A lattice spanned by a basis
matrix B is denoted as L(B). We call a lattice full-rank if and only if n = m. The

determinant of a lattice det(L(B)) is defined as the m-dimensional volume of the fun-
damental parallelepiped; P(B) := {cB : c ∈ Rm , 0≤ c j < 1, for all j = 1, 2, . . . , m}.
The determinant can be computed as det(L(B)) = det(B B T ) in general and that of a
full-rank lattice can be computed as det(L(B)) = | det(B)|. In this paper, we only use a
full-rank lattice. More specifically, we only use a lattice with a triangular basis matrix.
Hence, the determinant of the lattice can be computed easily as the absolute value of a
product of all diagonal entries.
Lattices have been used in various ways in cryptographic research. See [9,10,30–32]
for more information. In cryptanalysis, finding nonzero short lattice vectors is usually
an essential operation. In this paper, we recall the LLL algorithm [25] that outputs short
lattice vectors in polynomial time.
Proposition 1. (LLL algorithm [25,30]) Given linearly independent vectors b1 , . . . , bn

in Zn , the LLL algorithm finds new basis vectors b̃1 , . . . , b̃n for a lattice L(b1 , . . . , bn )
that satisfy
b̃ j ≤ 2n(n−1)/4(n− j+1) det(L(B)))1/(n− j+1) for 1 ≤ j ≤ n,
in time polynomial in n and the maximum input length of b1 , . . . , bn .
Again, we explain how to solve the modular equation h(x1 , . . . , xr ) = 0 (mod W ).

At first, we construct n polynomials h 1 (x1 , . . . , xr ), . . . , h n (x1 , . . . , xr ) that have the
root (x̃1 , . . . , x̃r ) modulo W m with some positive integer m. Then we construct n ba-
sis vectors b1 , . . . , bn and equivalently its matrix representation B. Each elements of a
vector b j for j = 1, 2, . . . , n is a coefficient of h j (x1 X 1 , . . . , xr X r ). Since all vectors
in a lattice L(B) are integer linear combinations of the basis vectors, all polynomials
whose coefficients are derived from lattice vectors have the root (x̃1 , . . . , x̃r ) modulo
W m . We apply the LLL algorithm to a lattice basis B and obtain r LLL-reduced vec-
tors b̃1 , . . . , b̃r . Then new polynomials h̃ 1 (x1 , . . . , xr ), . . . , h̃ r (x1 , . . . , xr ) which are
derived from the above r LLL-reduced vectors satisfy Howgrave–Graham’s lemma pro-
vided that det(L(B)))1/n < W m . Here, we omit small terms that do not depend on W .
When we obtain r polynomials h̃ 1 (x1 , . . . , xr ), . . . , h̃ r (x1 , . . . , xr ), the root (x̃1 , . . . , x̃r )
can easily be recovered by computing resultant or Gröbner bases for the polynomials.
We should note that the method needs heuristic argument for multivariate problems.
The polynomials h̃ 1 (x1 , . . . , xr ), . . . , h̃ n (x1 , . . . , xr ) derived from LLL output vectors
have no assurance of algebraic independency. In this paper, we assume that the polynomi-
als are algebraic independent as previous works [5,22,29] since there exist few negative
reports. Moreover, we justify the validity of our attacks by computer experiments.
3. Small dq Attack
In this section, we propose an attack for small dq where p is significantly smaller than
q. The attack improves Bleichenbacher–May’s attack [5].
3.1. An Overview of the Lattice Construction

At first, we explain our strategy for lattice constructions. Since our lattice construction is
highly technical, we show toy examples that compare previous lattices [5,29] and ours.
We hope that these examples help readers to understand our lattice construction easily.
Recall the CRT-RSA key generation;
edq = 1 + k(q − 1)
with some integer k. If we can solve the following modular equation:
f q (xq , yq ) = 1 + xq (yq − 1) = 0 (mod e)
whose root is (xq , yq ) = (k, q), a public modulus N can be factorized. However, since
the prime factor q is significantly larger than the other prime factor p, i.e., p = N β and
q = N 1−β for β ≤ 1/2, May [29] multiplied the above equation by p and obtained the
following equation:
edq p = p + k(N − p) = N + (k − 1)(N − p).
Hence, if the following modular equation can be solved, the public modulus N can be
factorized:
f p (x p , y p ) = N + x p (N − y p ) = 0 (mod e)
whose root is (x p , y p ) = (k − 1, p). Let e = N α and dq = N δ . Then the absolute

values of the root (x p , xq , y p , yq ) is bounded above by X p := N α+β+δ−1 , X q :=
N α+β+δ−1 , Y p := N β , Yq := N 1−β , respectively, within constant factors. Later we
also use a notation X := X p = X q . In this setting, the other CRT-exponent d p can be
arbitrary large such that d p ≈ N β .
3.1.1. May’s Matrix

May [29] solved the modular equation f p (x p , y p ) = 0 under the standard lattice con-
struction which can be captured by Jochemsz–May’s strategy [22]. For example, al-
though we omit the detail, he constructed the basis matrix as the following:
⎛ ⎞
e
⎜ 0 eX p ⎟
⎜ ⎟
⎜ N N X p −X p Y p ⎟
⎜ ⎟
⎜0 0 0 eY p ⎟,
⎜ ⎟
⎜0 0 N X p Y p N Y p −X p Y p2 ⎟
⎜ ⎟
⎝0 0 0 0 0 eY p2 ⎠
0 0 0 0 N X p Y p N Y p2 −X p Y p3
2
where the rows consist of coefficients of seven polynomials:
e, ex p , f p (x p , y p ), ey p , y p f p (x p , y p ), ey 2p , y 2p f p (x p , y p ).
All the polynomials share the common root as f p (x p , y p ) modulo e. In addition to the
base polynomials, i.e., e, ex p , f p (x p , y p ), he added extra y p -shifts, i.e., ey p , y p f p (x p ,
y p ), ey 2p , y 2p f p (x p , y p ). Applying the LLL reduction to the above matrix, polynomials
derived from the LLL output vectors satisfy Howgrave–Graham’s lemma when
X 4p Y p9 e4 < e7 ⇔ 4(α + β + δ − 1) + 9β < 3α

α + 13β
⇔δ <1− .
4
The core idea of the approach is solving Eq. (2) not (1) since p is significantly smaller
than q. Hence, if p becomes close to q such that β ≥ 0.382, May’s attack does not work.
3.1.2. Bleichenbacher–May Matrix

To improve May’s attack [29] based on the above matrix, Bleichenbacher and May [5]
made use of the relation y p yq = N as Durfee and Nguyen [12]. Although the exact
solution of y p is unknown, the relation enables us to reduce powers of Y p in the diagonal
entries by multiplying powers of yq to all the polynomials. By optimizing the powers of
yq , Bleichenbacher–May’s matrix always offers better results than May’s matrix.
To explain our improvement later, we modify Bleichenbacher–May’s matrix, where
the modified matrix offers the same bound as the original Bleichenbacher–May matrix.
The modification helps readers to understand the spirit of our improvement. Previous
May’s matrix used only extra y p -shifts; however, modified Bleichenbacher–May’s ma-
trix used both y p -shifts and yq -shifts. Hence, we omit ey 2p , y 2p f p (x p , y p ) from the above
matrix and add eyq , N −1 · yq f p (x p , y p ) in turn where the new polynomials share the
common root as f p (x p , y p ) modulo e:
⎛ ⎞
e
⎜ 0 eX p ⎟
⎜ ⎟
⎜ ⎟
⎜0 0 0 eY ⎟.
⎜ p ⎟
⎜0 0 N X Y N Y −X Y 2 ⎟
⎜ p p p p p ⎟
⎝0 0 0 0 0 eYq ⎠
0 −X p 0 0 0 Yq X p Yq
The rows consist of coefficients of seven polynomials:
e, ex p , f p (x p , y p ), ey p , y p f p (x p , y p ), eyq , N −1 · yq f p (x p , y p ) .
Although the precise definition of the polynomial selection is slightly different from the
one in the original paper, they are essentially the same in the sense that the above matrix
yields the same bound as the original Bleichenbacher–May attack. Applying the LLL
reduction to the above matrix, polynomials derived from the LLL output vectors satisfy
Howgrave–Graham’s lemma when
X 4p Y p4 Yq2 e4 < e7 ⇔ 4(α + β + δ − 1) + 4β + 2(1 − β) < 3α

1 α + 6β
⇔δ< − .
2 4
Compared with May’s matrix, the matrix reduces the powers of Y p by multiplying
the powers of Yq . It means that Bleichenbacher–May’s approach tries to control the
appearance of Y p and Yq . Then the attack works for larger p than May’s attack up to
p < N 0.468 . By optimizing the selection of y p -shifts and yq -shifts, Bleichenbacher–
May’s attack is always better than May’s attack.
3.1.3. Our Matrix

To improve the Bleichenbacher–May attack, what we focus on is the representation
of the polynomial. More concretely, previous works used only one representation, i.e.,
f p (x p , y p ), however, there is the other representation, i.e., f q (xq , yq ), for the same
polynomial. Indeed, a useful algebraic property can be exploited from the polynomial
f q (xq , yq ) by making use of the fact that xq = x p + 1. For the above Bleichenbacher–
May matrix to be triangular, the polynomial eyq is necessary. Since eYq is larger than
the modulus e, the polynomial does not contribute to maximize the solvable root bound
as explained in [31,46]. However, we make use of f q (xq , yq ) and show that the matrix
becomes triangular without eyq as follows:
⎛ ⎞
e
⎜ 0 eX p ⎟
⎜ ⎟
⎜ ⎟.
⎜0 0 0 eY ⎟
⎜ p ⎟
⎝0 0 N X p Y p N Y p −X p Y p2 ⎠
0 −X p 0 0 0 X q Yq
The rows consist of coefficients of six polynomials:
e, ex p , f p (x p , y p ), ey p , y p f p (x p , y p ), f q (xq , yq ) .
Although the above Bleichenbacher–May matrix used N −1 · yq f p (x p , y p ) in the bottom

row, we use f q (xq , yq ) in turn. Notice that f q (xq , yq ) = N −1 · yq f p (x p , y p ), and we
use the same polynomial as the Bleichenbacher–May; however, the algebraic structure
of f q (xq , yq ) , i.e., the relation xq = x p + 1, enables the matrix to be triangular without
eyq . The operation means that Bleichenbacher–May’s matrix contains better sublattices.
The representation f q (xq , yq ), which was not used by Bleichenbacher and May, enables
us to exploit the sublattices. Indeed, by construction, our matrix always outperforms
the above Bleichenbacher–May matrix with less lattice dimensions. Applying the LLL
reduction to our above matrix, polynomials derived from the LLL output vectors satisfy
Howgrave–Graham’s lemma when
X 3p X q Y p4 Yq e3 < e6 ⇔ 4(α + β + δ − 1) + 4β + (1 − β) < 3α

3 α + 7β
⇔δ< − .
4 4
Since β ≤ 1/2, the bound is always better than the above Bleichenbacher–May example.
3.1.4. May’s Modulo q Attack

We should notice that our lattice construction does not always offer the best attack.
More concretely, as we discussed above, our lattice offers better results than all the
existing lattices to solve f p (x p , y p ) = 0 and f q (xq , yq ) = 0. However, there is the
other formulations to attack CRT-RSA, i.e., May’s modulo q approach [29]. From the
CRT-RSA key generation edq = 1 + k(q − 1), May solved a modular equation;
x + ey = 0 (mod q)
whose root is (k − 1, dq ). Since the modulo e and the modulo q approach is different,
we should check which method is better. Although our modulo e attacks are the better in
most cases, we will show in Sect. 5.2 that the modulo p approach outperforms modulo
e approach for small d p attack with a modulus N = pr q.
3.2. Attack for Large e

Although the above discussion handled only toy examples, our approach improves an
asymptotic condition of the small CRT-exponent attack. In this section, we propose an
improved attack that works when α > β/(1 − β). The attack is the first result to cover
the desired bound, i.e., β < 1/2 with a full size e.
Theorem 1. Let N = pq be an RSA modulus, where p = N β and q = N 1−β for

β ≤ 1/2. Let e = N α and dq < N δ be a public/CRT-exponent, respectively, such that
edq = 1 (mod (q − 1)). Given public elements N and e, if N is sufficiently large and
√
(1 − β)(3 + 2β) − 2 β(1 − β)(αβ + 3α + β) β
δ< and α > ,
3+β 1−β
then N can be factorized in polynomial time by assuming that polynomials which are
derived from LLL-reduced bases are algebraically independent.
As opposed to previous results, when α = 1, the attack works to β < 1/2. Figure 1
shows comparison of our result and the Bleichenbacher–May for α = 1. Our attack
covers larger δ than the Bleichenbacher–May attack for all β.
Proof of Theorem 1. To solve the modular equation f q (xq , yq ) = 0 and equivalently

f p (x p , y p ) = 0, we use the following shift-polynomials:
Fig. 1. Comparison between our attack (Theorem 1) and the Bleichenbacher–May for α = 1.
j
g[i, j] (x p , y p ) := x p f pi (x p , y p )em−i ,

j
j] (x p , y p ) := y p f p (x p , y p )e ,
i m−i
g[i,

i− j j
g[i, j] (x p , x q , y p , yq ) := f p (x p , y p ) f q (xq , yq )em−i ,
with some positive integer m. For nonnegative integers i and j, all the shift-polynomials
share the same root as f p (x p , y p ) and f q (xq , yq ) modulo em . May [29] used the same
shift-polynomials as g[i, j] (x p , y p ) and g[i,
j] (x p , y p ). The (modified) Bleichenbacher–

May attack used an additional shift-polynomial which used only f p (x p , y p ). However,
as we showed an example in the previous section, we use the both representations
f p (x p , y p ) and f q (xq , yq ), simultaneously. Then we can construct triangular basis ma-
trix that generalize the toy example as follows.
Lemma 2. Let all the polynomials be defined as above. Let τ p and τq be constants
such that τ p ≥ 0 and 0 ≤ τq ≤ 1. Define sets of indices
Ix := {i = 0, 1, . . . , m; j = 0, 1, . . . , m − i},
I y, p := {i = 0, 1, . . . , m; j = 1, 2, . . . , τ p m},
I y,q := {i = 1, 2, . . . , m; j = 1, 2, . . . , τq i}.
Let B be a matrix whose rows consist of coefficients of g[i, j] (x p X p , y p Y p ), g[i,
j] (x p X p ,

y p Y p ), and g[i, j] (x p X p , xq X q , y p Y p , yq Yq ) with indices in Ix , I y, p , and I y,q , respec-

tively. If the shift-polynomials are ordered as
g[i, j] ≺ g[i, j] , g[i, j] ,

g[i, j] ≺ g[i
, j
] , g[i, j] ≺ g[i
, j
] , g[i, j] ≺ g[i
, j
] for i < i ,

g[i, j] ≺ g[i, j
] , g[i, j] ≺ g[i, j
] , g[i, j] ≺ g[i, j
] for j < j ,
and N −1 (mod em ) is multiplied appropriately, then the matrix becomes triangular with
diagonal entries
i+ j
• X p Y pi em−i for g[i, j] (x p X p , y p Y p ),
• X ip Y p
i+ j m−i
e for g[i, j] (x p X p , y p Y p ),
j
(x Y , x X , y Y , y Y ).
• X qi Yq em−i for g[i, j] p p q q p p q q
Here, we do not prove the lemma. In Sect. 3.4, we prove a more general form of the
statement, i.e., Lemma 3.
We compute the resulting condition of Theorem 1. The dimension n and the determi-
sY sY
nant of the lattice det(B) = X s X Y p p Yq q ese can be computed as:
1 + 2τ p + τq 2
n= 1+ 1+ 1= m + o(m 2 ),
2
(i, j)∈Ix (i, j)∈I y, p (i, j)∈I y,q
2 + 3τ p + 2τq 3
sX = (i + j) + i+ i= m + o(m 3 ),
6
(i, j)∈Ix (i, j)∈I y, p (i, j)∈I y,q
1 + 3τ p + 3τ p2
sY p = i+ (i + j) = m 3 + o(m 3 ),
6
(i, j)∈Ix (i, j)∈I y, p
τq2
sYq = j= m 3 + o(m 3 ),
6
(i, j)∈I y,q

se = (m − i) + (m − i) + (m − i)
(i, j)∈Ix (i, j)∈I y, p (i, j)∈I y,q
2 + 3τ p + τq 3
= m + o(m 3 ).
6
Applying the LLL reduction, the polynomials obtained from the output vectors satisfy
sY sY
Howgrave–Graham’s lemma if X s X Y p p Yq q ese < enm , i.e.,
2 + 3τ p + 2τq 1 + 3τ p + 3τ p2 τq2
(α + β + δ − 1) +β + (1 − β)
6 6 6
2 + 3τ p + τq 1 + 2τ p + τq
+α − <0
6 2
by omitting low-order terms of m. To minimize the left-hand side of the inequality, we

substitute the parameters
1 − 2β − δ 1−β −δ
τp = and τq = ,
2β 1−β
then the condition becomes

√
(1 − β)(3 + 2β) − 2 β(1 − β)(αβ + 3α + β)
δ<
3+β
as required. To satisfy the restriction τ p ≥ 0, α > β/(1 − β) should hold. The other
parameter τq always satisfies 0 ≤ τq ≤ 1.
3.3. Attack for Small e

The attack of Theorem 1 works only for α > β/(1 − β). The constraint comes from
the fact that the parameter τ p used in the proof should be nonnegative. To capture
the other case, i.e., α ≤ β/(1 − β), under the same algorithm construction, we set
the parameters τ√ p = 0 and τq = (1 − β − δ)/(1 − β), then the attack works for
δ < 2(1 − β) − (1 + α)(1 − β).
However, by modifying the lattice construction, a better result can be obtained as
follows.
Theorem 2. Let N = pq be an RSA modulus, where p < N β and q ≥ N 1−β for

β ≤ 1/2. Let e = N α and dq < N δ be a public/CRT-exponent, respectively, such that
edq = 1 (mod (q − 1)). Given public elements N and e, if N is sufficiently large and
β
δ <1−β − αβ(1 − β) for β(1 − β) ≤ α ≤ ,
1−β
√
As we claimed, the bound of Theorem 2 is better than δ < 2(1−β)− (1 + α)(1 − β)
that can be obtained from the same algorithm construction as Theorem 1. We show the
proof of Theorem 2. The proof is more technical than that of Theorem 1; however, the
spirit is almost the same. In the subsequent sections, lattices that are similar to that of
Theorem 2 will be used.
Proof of Theorem 2. To solve the modular equation f q (xq , yq ) = 0 and equivalently

f p (x p , y p ) = 0, we use the following shift-polynomials:
g[i, j],λ (x p , xq , y p , yq ) := x p f pλi (x p , y p ) f q(1−λ)i (xq , yq )em−i ,

j

j λi (1−λ)i
g[i, j],λ (x p , x q , y p , yq ) := yq f p (x p , y p ) f q (xq , yq )em−i ,
with some positive integer m and a parameter 0 < λ ≤ 1. For nonnegative integers i
and j, all the shift-polynomials share the common root as f p (x p , y p ) and f q (xq , yq )
modulo em . Here, notice that λi + (1 − λ)i = i for all i. The shift-polynomials

g[i, j] (x p , y p ) and g[i, j] (x p , y p ) used in the proof of Theorem 1 is the special case of

g[i, j],λ (x p , xq , y p , yq ) and g[i, j],λ (x p , x q , y p , yq ) for λ = 1. As the attack of Theorem 1,

we use both representations f p (x p , y p ) and f q (xq , yq ) simultaneously for all shift-
polynomials. Using these shift-polynomials, we can construct triangular basis matrix as
follows.
Lemma 3. Let all the polynomials be defined as above. Let τ be a constant such that
1 − λ < τ ≤ 1. Let m be a positive integer. Define sets of indices as
Ix := {i = 0, 1, . . . , m; j = 0, 1, . . . , m − i},
I yq := {i = 1, 2, . . . , m; j = 1, 2, . . . , τ i − (1 − λ)i}.
Let B be a matrix whose rows consist of coefficients of g[i, j],λ (x p X p , xq X q , y p Y p , yq Yq )

and g[i, j],λ (x p X p , x q X q , y p Y p , yq Yq ) with indices in Ix and I y,q , respectively. If the

shift-polynomials are ordered as
g[i, j],λ ≺ g[i, j],λ ,

g[i, j],λ ≺ g[i

, j
],λ , g[i, j],λ ≺ g[i
, j
],λ for i < i ,

g[i, j],λ ≺ g[i, j

],λ , g[i, j],λ ≺ g[i, j
],λ for j < j ,
diagonal entries
i+ j λi
• X p Y p em−i for g[i, j],λ (x p X p , xq X q , y p Y p , yq Yq ) with i such that i = 0 or
λi − λ(i − 1) = 1,
i+ j (1−λ)i m−i
• X q Yq e for g[i, j],λ (x p X p , xq X q , y p Y p , yq Yq ) with i such that i = 0
and λi − λ(i − 1) = 0,
(1−λ)i+ j m−i
• X qi Yq e for g[i, j],λ (x p X p , x q X q , y p Y p , yq Yq ).
A proof of the lemma is the most technical part of this paper. We prove it in Sect. 3.4.
sY sY
nant of the lattice det(B) = X s X Y p p Yq q ese can be computed as:
λ+τ 2
n= 1+ 1= m + o(m 2 ),
2
(i, j)∈Ix (i, j)∈I yq
λ+τ 3
sX = (i + j) + i= m + o(m 3 ),
3
λ2
sY p = λi = m 3 + o(m 3 ),
6
(i, j)∈Ix
τ2 3
sYq = (1 − λ)i + ((1 − λ)i + j) = m + o(m 3 ),
6
1+λ+τ 3
se = (m − i) + (m − i) = m + o(m 3 ).
6
sY sY
Howgrave–Graham’s lemma if X s X Y p p Yq q ese < enm , i.e.,

λ+τ λ2 τ2 1+λ+τ λ+τ
(α + β + δ − 1) +β + (1 − β) + α − <0
3 6 6 6 2

set the parameters
1−β −δ 1−β −δ
λ= and τ = ,
β 1−β
then the condition becomes

δ <1−β − αβ(1 − β)
as required. To satisfy the restrictions 0 < λ ≤ 1 and 1 − λ < τ ≤ 1, β(1 − β) ≤ α ≤

β/(1 − β) should hold.
As opposed to the attack of Theorem 1, that of Theorem 2 is applicable to a balanced
RSA, i.e., β = 1/2, for α ≤ 1. For a balanced RSA, we substitute β = 1/2 and the
attack becomes as follows.
Theorem 3. Let N = pq be an RSA modulus, where the prime factors p and q are the
same bitsize. Let e = N α and dq < N δ be a public/CRT-exponent, respectively, such
that edq = 1 (mod (q − 1)). Given public elements N and e, if N is sufficiently large
and
√
1− α 1
δ< for α ≥ ,
2 4
By construction, the attack always outperforms that under Bleichenbacher–May’s

lattice construction. We also compare our attack with that of Lu et al. [29] (Theorem 9
of [28]) that follows May’s modulo q approach.
Theorem 4. ([28]) Let N = pq be an RSA modulus, where the prime factors p and q
are the same bitsize. Let e = N α and dq < N δ be a public/CRT-exponent, respectively,
such that edq = 1 (mod (q − 1)). Given public elements N and e, if
Fig. 2. Comparison between our attack (Theorem 3) and the attack of Lu et al. (Theorem 4) [28].
3 − 4α
δ< ,
8
Figure 2 shows comparison of our attack (Theorem 3) and that of Lu et al. (Theorem 4).
Our attack is better for all 1/4 < α < 1.
3.4. Proof of Lemma 3

In this section, we show a proof of Lemma 3 that is the most technical part of this paper.
Before the detailed proof, we explain the spirit of our triangular matrix. The polynomials
that we use contain four variables x p , xq , y p , yq . Furthermore, there are two algebraic
relations: xq = x p + 1 and y p yq = N . By using the latter relation, i.e., y p yq = N , we
transform all monomials as they do not have both y p and yq , simultaneously, where the
same operation was also done in previous works [5,12]. Moreover, we use an additional
trick. By using the former relation, i.e., xq = x p + 1, we transform all monomials
as they do not have both x p and xq , simultaneously. More concretely, the variable x p
appears only in monomials, where powers of y p are nonnegative, whereas the variable
xq appears only in monomials, where powers of yq are positive. The simple operation
is the key technique of this paper. To visualize the operation, we show some examples
of our triangular matrix in Tables 1 and 2 . We hope that the examples help reader to
understand our technique easily.
Then we show the proof of Lemma 3.
Table 1. Example of a matrix for m = 3 and λ = τ = 1/2.
1 xp x 2p x 3p x p yp x 2p y p
e3 e3
x p e3 X p e3
x 2p e3 X 2p e3
x 3p e3 X 3p e3
f p e2 N e2 N X p e2 −X p Y p e2
x p f p e2 N X p e2 N X 2p e2 −X 2p Y p e2
x 2p f p e2 N X 2p e2 N X 3p e2
f p fq e − 2X p e − 2X 2p e N −1 X 2p Y p e
x p f p fq e − 2X 2p e − 2X 3p e
f p2 f q − 3N 2 X p −6N 2 X 2p − 3N 2 X 3p 3N X 2p Y p
yq f p e2 −X p e2
yq f p2 f q 3X 2p 3X 3p
x 3p y p xq2 yq xq3 yq x 3p y 2p xq yq xq3 yq2
e3
x p e3
x 2p e3
x 3p e3
f p e2
x p f p e2
x 2p f p e2 −X 3p Y p e2
f p fq e X q2 Yq e
x p f p fq e N −1 X 3p Y p e −X q2 Yq e X q3 Yq e
f p2 f q 3N X 3p Y p N 2 X q3 Yq −X 3p Y p2
yq f p e2 X q Yq e2
yq f p2 f q − 3N −1 X 3p Y p 3X q2 Yq − 3X q3 Yq X q3 Yq2
Proof of Lemma 3. Since all the polynomials
g[i, j],λ (x p , xq , y p , yq ) = x p f pλi (x p , y p ) f q(1−λ)i (xq , yq )em−i

j
j
for i = 0 have only one monomial x p em , these polynomials generate triangular basis
j
matrix with diagonal entries X p em . Then the remaining proof is inductive; we show that
the basis matrix is still triangular with other polynomials.
At first, we assume that polynomials g[i
, j
],λ (x p , xq , y p , yq ) such that g[i
, j
],λ (x p , xq ,
y p , yq ) ≺ g[i, j],λ (x p , xq , y p , yq ) generate a triangular matrix as stated in Lemma 3.
Then, we show that a matrix is still triangular with a new polynomial g[i, j],λ (x p , xq , y p ,
i+ j λi i+ j (1−λ)i m−i
yq ) whose diagonal is X p Y p em−i or X q Yq e . By definition,
g[i, j],λ (x p , xq , y p , yq ) = x p f pλi (x p , y p ) f q(1−λ)i (xq , yq )em−i

j
= x p (N + N x p − x p y p )λi (1 − xq + xq yq )(1−λ)i em−i .
j
Table 2. Example of a matrix for m = 3 and λ = τ = 2/3.
1 xp x 2p x 3p x p yp x 2p y p x 3p y p
e3 e3
x p e3 X p e3
x 2p e3 X 2p e3
x 3p e3 X 3p e3
f p e2 N e2 N X p e2 −X p Y p e2
x p f p e2 N X p e2 N X 2p e2 −X 2p Y p e2
x 2p f p e2 N X 2p e2 N X 3p e2 −X 3p Y p e2
f p2 e N 2e 2N 2 X p e N 2 X 2p e −2N X p Y p e −2N X 2p Y p e
x p f p2 e N 2 X pe 2N 2 X 2p e N 2 X 3p e −2N X 2p Y p e −2N X 3p Y p e
f p2 f q − 3X p −6X 2p − 3X 3p 3N −1 X 2p Y p 3N −1 X 3p Y p
yq f p e2 −X p e2
yq f p2 e − 2X p e − 2X 2p e N −1 X 2p Y p e
yq2 f p2 e X 2p e
yq f p2 f q 3X 2p 3X 3p −N −1 X 3p Y p
x 2p y 2p x 3p y 2p xq3 yq xq yq xq2 yq xq2 yq2 xq3 yq2
e3
x p e3
x 2p e3
x 3p e3
f p e2
x p f p e2
x 2p f p e2
f p2 e X 2p Y p2 e
x p f p2 e X 3p Y p2 e
f p2 f q −N −2 X 3p Y p2 X q3 Yq
yq f p e2 X q Yq e2
yq f p2 e X q2 Yq e
yq2 f p2 e 2X q Yq e − 2X q2 Yq e X q2 Yq2 e
yq f p2 f q −3X q3 Yq 3X q2 Yq X q3 Yq2
From the relation xq = x p + 1 and equivalently x p = xq − 1, the polynomial becomes
= x p (N xq − x p y p )λi (x p + xq yq )(1−λ)i em−i .
j
By expanding (N xq − x p y p )λi and (x p + xq yq )(1−λ)i , the polynomial becomes
⎛ ⎞
λi

λi
= xp ⎝ (−x p y p )i p · (N xq )λi−i p ⎠
j
ip
i p =0
⎛ ⎞
(1 − λ)i
(1−λ)i
(1−λ)i−i
×⎝ (xq yq ) q · x p
i q ⎠ em−i
iq
i q =0
λi (1−λ)i

λi (1 − λ)i
= (−1)i p
ip iq
i p =0 i q =0
(1−λ)i+i p −i q + j λi−i p +i q i q i p m−i
× N λi−i p x p xq yq y p e .
From the relation y p yq = N , we modify all the monomial so that y p and yq do not
appear in each monomial, simultaneously. Then, the polynomial becomes
(1−λ)i
λi
λi (1 − λ)i
= (−1)i p
ip iq
i q =0 i p =i q
(1−λ)i+i p −i q + j λi−i p +i q i p −i q m−i
× N λi−i p +iq x p xq yp e
(1−λ)i
(1−λ)i−1
λi (1 − λ)i
+ (−1)i p
ip iq
i p =0 i q =i p +1
(1−λ)i+i p −i q + j λi−i p +i q i q −i p m−i
× N λi x p xq yq e .
Notice that there are no monomials that have y p and yq , simultaneously. The exponents
of y p in the first summation are nonnegative, whereas the exponents of yq in the second
summation are positive. Hence, as we discussed above, we replace all xq in the first
summation by x p + 1 and replace all x p in the second summation by xq − 1. Then, the
polynomial becomes
(1−λ)i
λi
λi (1 − λ)i
= (−1)i p N λi−i p +iq
ip iq
i q =0 i p =i q
(1−λ)i+i p −i q + j i −i
× xp + 1)λi−i p +iq y pp q em−i
(x p
(1−λ)i
(1−λ)i−1
i p λi (1 − λ)i
+ (−1) N λi
ip iq
i p =0 i q =i p +1
λi−i p +i q i q −i p m−i
× (xq − 1)(1−λ)i+i p −iq + j xq yq e
(1−λ)i
λi λi−i
p +iq
λi (1 − λ)i λi − i p + i q
= (−1)i p N λi−i p +iq
ip iq kp
i q =0 i p =i q k p =0
i+ j−k p i p −i q m−i
× xp yp e
(1−λ)i
(1−λ)i−1 p −iq + j
(1−λ)i+i
i p +kq λi (1 − λ)i
+ (−1)
ip iq
i p =0 i q =i p +1 kq =0

(1 − λ)i + i p − i q + j i+ j−kq i q −i p m−i
× · N λi xq yq e .
kq
The polynomial has monomials for variables

i i
• x ppx y ppy for i py = 0, 1, . . . , λi,
i i
• xqq x yqqy for i qy = 1, 2, . . . , (1 − λ)i,
for some i px and i q x , respectively. When λi − λ(i − 1) = 1, all polynomials
g[i
, j
],λ (x p , xq , y p , yq ) that have diagonal entries for the following variables satisfy
g[i
, j
],λ (x p , xq , y p , yq ) ≺ g[i, j],λ (x p , xq , y p , yq ):
i i
• x ppx y ppy for i py = 0, 1, . . . , λi − 1,
i i
• xqq x yqqy for i qy = 1, 2, . . . , (1 − λ)i.
Since the remaining monomial in g[i, j],λ (x p , xq , y p , yq ) is only one element for a vari-
i+ j λi
able x p y p . Hence, as stated in Lemma 3, the diagonal for g[i, j],λ (x p , xq , y p , yq )
i+ j λi
such that λi − λ(i − 1) = 1 is X p Y p em−i . As the same way, we can prove that
the diagonal for g[i, j],λ (x p , xq , y p , yq ) such that i = 0 and λi − λ(i − 1) = 1 is
i+ j (1−λ)i m−i
X q Yq e .
Next, we assume that polynomials g[i
, j
],λ (x p , xq , y p , yq ) and g[i

, j
],λ (x p , xq , y p , yq )
such that g[i

, j
],λ (x p , xq , y p , yq ) ≺ g[i,

j],λ (x p , x q , y p , yq ) generate a triangular matrix

as stated in Lemma 3. Then, we show that a matrix is still triangular with a new polyno-

i (1−λ)i+ j em−i . By definition,
mial g[i, j],λ (x p , x q , y p , yq ) whose diagonal is X q Yq

jλi (1−λ)i
g[i, j],λ (x p , x q , y p , yq ) = yq f p (x p , y p ) f q (xq , yq )em−i
= yq (N + N x p − x p y p )λi (1 − xq + xq yq )(1−λ)i em−i .
j
From the relation xq = x p + 1 and equivalently x p = xq − 1, the polynomial becomes
= yq (N xq − x p y p )λi (x p + xq yq )(1−λ)i em−i .
j
By expanding (N xq − x p y p )λi and (x p + xq yq )(1−λ)i ,
⎛ ⎞
λi

λi
= ⎝ (−x p y p )i p · (N xq )λi−i p ⎠
j
yq
ip
i p =0
⎛ ⎞
(1 − λ)i
(1−λ)i
(1−λ)i−i
×⎝ (xq yq )iq · x p q ⎠ m−i
e
iq
i q =0
λi (1−λ)i

λi (1 − λ)i
= (−1) ip
ip iq
i p =0 i q =0
(1−λ)i+i p −i q λi−i p +i q i q + j i p m−i
× N λi−i p x p xq yq y p e .
λi min{i p −
j,(1−λ)i}
i p λi (1 − λ)i
= (−1)
ip iq
i p= j i p =0
(1−λ)i+i p −i q λi−i p +i q i p −i q − j m−i
× N λi−i p +iq + j x p xq yp e
min{iq +
(1−λ)i j−1,λi}
λi (1 − λ)i
+ (−1)i p
ip iq
i q =0 i p =0
(1−λ)i+i p −i q λi−i p +i q i q −i p + j m−i
× N λi x p xq yq e .
of y p in the first summation are nonnegative, whereas the exponents of yq in the second
summation are positive. Hence, as we discussed above, we replace all xq in the first
summation by x p + 1 and replace all x p in the second summation by xq − 1. Then, the
polynomial becomes
λi min{i p −
j,(1−λ)i}
λi (1 − λ)i
= (−1) ip
N λi−i p +iq + j ·
ip iq
i p= j i p =0
(1−λ)i+i p −i q i −i − j
xp + 1)λi−i p +iq y pp q em−i
(x p
min{iq +
(1−λ)i j−1,λi}
λi (1 − λ)i
+ (−1)i p N λi ·
ip iq
i q =0 i p =0
λi−i p +i q i q −i p + j m−i
(xq − 1)(1−λ)i+i p −iq xq yq e
j,(1−λ)i} λi−(i p −i q )
λi min{i p −
λi (1 − λ)i λi − (i p − i q )
= (−1)i p
ip iq kp
i p= j i p =0 k p =0
λi−i p +i q + j
N ·
i−k i −i − j
x p p y pp q em−i
min{iq +
(1−λ)i j−1,λi} (1−λ)i−(i q −i p )

i p +kq λi (1 − λ)i
+ (−1)
ip iq
i q =0 i p =0 kq =0

(1 − λ)i − (i q − i p )
N λi ·
kq
i−kq i q −i p + j m−i
N λi xq yq e .
Table 3. For 1000-bit RSA moduli, asymptotic and experimental comparisons of small dq attacks.
Bitsize of q Bleichenbacher–May [5] Our work

Asymptotic Expt. dim. LLL time Asymptotic Expt. dim. LLL time Gröbner basis time
(min) (min) (s)
305 0.210 0.160 63 53 0.230 0.170 56 15 77

355 0.140 0.100 63 44 0.164 0.100 58 16 35
405 0.075 0.050 63 35 0.103 0.054 66 57 161
440 0.033 0.010 63 35 0.064 0.012 66 60 68

i i
• x ppx y ppy for i py = 0, 1, . . . , λi − j,
i i
• xqq x yqqy for i qy = 1, 2, . . . , (1 − λ)i + j,

for some i px and i q x , respectively. Notice that g[i

, j
],λ (x p , xq , y p , yq ) ≺ g[i, j],λ (x p , x q ,
i i
y p , yq ) hold for all (i
, j
), and all x ppx y ppy are diagonal entries of g[i
, j
],λ (x p , xq , y p , yq ).
All polynomials g[i

, j
],λ (x p , xq , y p , yq ) that have diagonal entries for the following
variables satisfy g[i

, j
],λ (x p , xq , y p , yq ) ≺ g[i,

j],λ (x p , x q , y p , yq ):
i i
• xqq x yqqy for i qy = 1, 2, . . . , (1 − λ)i − 1.
Since the remaining monomial in g[i, j],λ (x p , xq , y p , yq ) is only one element for a vari-
(1−λ)i+ j
able xqi yq . Hence, as stated in Lemma 3, the diagonal for g[i, j],λ (x p , x q , y p , yq )
(1−λ)i+ j m−i
is X qi Yq e .
At the end of this section, we briefly show how to deduce Lemma 2 from Lemma 3. The
collection of shift-polynomials g[i, j] (x p , y p ) and g[i,
(x , x , y , y ) in Lemma 2 are
j] p q p q
essentially the same as g[i, j],λ (x p , xq , y p , yq ) and g[i,
(x , ,
j],λ p x q y p , yq ) in Lemma 3 for
λ = 1. Hence, by setting the parameters (λ, τ ) in Lemma 3 as (1, τq ), Lemma 3 shows
that g[i, j] (x p , y p ) and g[i,
(x , x , y , y ) in Lemma 2 generate a triangular matrix.

j] p q p q
To complete the proof of Lemma 2, we also use May’s result [29] that showed that
polynomials g[i, j] (x p , y p ) and g[i,
j] (x p , y p ) generate a triangular matrix. As a result,

(x , x , y , y ) in Lemma 2 generate a triangular

g[i, j] (x p , y p ), g[i, j] (x p , y p ), and g[i, j] p q p q
matrix.
3.5. Experimental Results

We have implemented the experiment program in Magma 2.11 computer algebra sys-
tem [2] on a PC with Intel(R) Core(TM) Duo CPU(3.30GHz, 4.0GB RAM Windows 7).
Table 3 lists some theoretical and experimental results on factoring two 1000-bit RSA
moduli with varying bitsize of q. In all experiments, we successfully find the factoriza-
tion of these RSA moduli. In practice, we always obtained sufficient polynomials with
small norm and were able to extract the desired root by computing Gröbner bases for
these polynomials. And the computation was fast in practice when we used as many
polynomials as possible.
Table 4. Asymptotic bounds and lattice dimension for small δ with fixed lattice dimensions.
β = 0.45
δ 0.010 0.020 0.030 0.040 0.052
dim. 110 180 335 1057 Asymptotic
β = 0.48
δ 0.002 0.005 0.010 0.015 0.020
dim. 462 650 1395 5262 Asymptotic
Fig. 3. Comparison of the achievable bound depending on the lattice dimension. The left and the right figures
are for β = 0.35 and β = 0.40, respectively.
In [5], the experimental results are much better than their theoretical analysis. For
example, for 440-bit factor q, with a lattice dimension of 63, in theory the attack should
not work (we can recover the small private key d p up to a size of N −0.083 ), however,
in practice, we succeed for d p with bitsize a 0.010-fraction of N . Since our lattice
construction captures the underlying sublattice structure of [5]’s desired lattice, we can
do better than [5]: with a lattice dimension of 66, experimentally we can reconstruct d p
with a size of N 0.012 .
Note that our result of Theorem 1 is an asymptotic improvement. In Table 4, we
present numerical values of δ for different values of β and lattice dimension. Moreover,
compared with [5], our method requires smaller lattice dimensions. For β = 0.35 and
β = 0.40, Fig. 3 shows a comparison of these two approaches in the terms of the bitsize
of small secret exponent d p that can be attacked.
4. Small d p and dq Attack
In this section, we propose an attack when both d p and dq are small. The attack improves
Jochemsz–May’s attack [22] by utilizing our lattice construction technique. Furthermore,
the attack that we propose in this section is better than that in our proceeding version
[56].
4.1. Our Attack

Recall the CRT-RSA key generation;
edq = 1 + kq (q − 1) and ed p = 1 + k p ( p − 1)
with some integers kq and k p . Hence, if we can solve the following simultaneous modular
equations, RSA modulus N can be factorized:
f q,1 (xq,1 , yq ) = 1 + xq,1 (yq − 1) = 0 mod e,

f p,2 (x p,2 , y p ) = 1 + x p,2 (y p − 1) = 0 mod e,
where the root is (xq,1 , x p,2 , yq , y p ) = (kq , k p , q, p).

In addition, by multiplying p and q to the key generation equations, respectively, the
following representations can be obtained:
edq p = p + kq (N − p) = N + (kq − 1)(N − p),

ed p q = q + k p (N − q) = N + (k p − 1)(N − q).
Then, we can also use the following modular equations:
f p,1 (x p,1 , y p ) = N + x p,1 (N − y p ) = 0 mod e,

f q,2 (xq,2 , yq ) = N + xq,2 (N − yq ) = 0 mod e,
where the root is (x p,1 , xq,2 , y p , yq ) = (kq − 1, k p − 1, p, q).

To summarize the above discussion, we want to solve the following simultaneous
modular equations:
f p,1 (x p,1 , y p ) = N + x p,1 (N − y p ) = 0 mod e,

f q,1 (xq,1 , yq ) = 1 + xq,1 (yq − 1) = 0 mod e,
f p,2 (x p,2 , y p ) = 1 + x p,2 (y p − 1) = 0 mod e,
f q,2 (xq,2 , yq ) = N + xq,2 (N − yq ) = 0 mod e,
where the root is (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) = (kq − 1, kq , k p , k p − 1, p, q). Let
e = N α , d p < N δ , and dq < N δ for a balanced RSA, i.e, q < p < 2q. The absolute
values of x p,1 , xq,1 , x p,2 , xq,2 are bounded above by X = N α+δ−1/2 within constant
factors, whereas the absolute values of y p and yq are bounded above by Y = N 1/2
within constant factors.
Unfortunately, an approach to solve the above four equations simultaneously does
not offer an improvement. The approach gives us only the same bound as Theorem 3.
Hence, we use an additional algebraic relation. From the CRT-RSA key generation,
edq = 1 + kq (q − 1) and ed p = 1 + k p ( p − 1),

⇔ kq − 1 = kq q (mod e) and k p − 1 = k p p (mod e).
By multiplying these two equations, we obtain
(kq − 1)(k p − 1) = kq k p N (mod e).
Then the following new equation can be obtained:
h(x p,1 , xq,1 , x p,2 , xq,2 ) = (N − 1)x p,1 x p,2 + x p,1 + N x p,2 = 0 (mod e)
= (N − 1)xq,1 xq,2 + N xq,1 + xq,2 = 0 (mod e).
The polynomial also has two representations as the previous polynomials. Notice that
the same equation as h(x p,1 , xq,1 , x p,2 , xq,2 ) was already used by Galbraith et al. [14].
We make use of these equations and obtain the following result.
Theorem 5. Let N = pq be an RSA modulus, where p and q are the same bitsize. Let
e = N α and d p , dq < N δ be a public/CRT-exponent, respectively, such that edq = 1
(mod (q − 1)) and ed p = 1 (mod ( p − 1)). Given public elements N and e, if N is
sufficiently large and

1 α 7
δ< − for α ≥ ,
2 7 16
√
For the full size e, the attack works for δ < 1/2 − 1/ 7 = 0.122 · · · which is
better than Jochemsz–May’s bound [22], i.e., δ < 0.073. Our attack is better than all
existing attacks. Furthermore, the result proposed
√ in this paper is much better than our
proceeding version [56], i.e., δ < 1/2 − 1/ 6 = 0.091 · · · . We obtain the improvement
by exploiting sublattice structures from the lattice in [56]. Therefore, our proposed attack
in this paper is practically faster than our previous attack [56].
Proof of Theorem 5. To solve the above modular equations, we use the following shift-
polynomials:
g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq )

j j (i 1 +i 2 )/2 i 1 i2
:= x p,1
1 2
x p,2 yq f p,1 (x p,1 , y p ) f p,2 (x p,2 , y p )·
h u (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) ,
g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq )
(i 1 +i 2 )/2− j1
:= yq i1
f p,1 i2
(x p,1 , y p ) f p,2 (x p,2 , y p )em−(i1 +i2 ) ,
g[i
1 ,i2 , j2 ],q (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq )
(i 1 +i 2 )/2+ j2
:= yq i1
f p,1 i2
(x p,1 , y p ) f p,2 (x p,2 , y p )em−(i1 +i2 ) ,
with some positive integer m. For nonnegative integers i 1 , i 2 , j1 , i 2 , and u, all the shift-
polynomials share the common root as f p,1 (x p,1 , y p ), f p,2 (x p,2 , y p ), f q,1 (xq,1 , yq ),
f q,2 (xq,2 , yq ), and h(x p,1 , xq,1 , x p,2 , xq,2 ) modulo em . Then we can construct triangular
basis matrix as follows.
Lemma 4. Let all the polynomials be defined as above. Let τ be a constant such that
1/2 ≤ τ ≤ 1. Define sets of indices as
⎧ ⎫
⎪
⎪ i 1 = 0, 1, . . . , m2 ; i 2 = 0, 1, . . . , m2 ; j1 = 0; j2 = 0; ⎪
⎪
⎪
⎪ ⎪
⎪
⎪
⎪ u = 0, 1, . . . , min{ m
− i 1 , m
− i 2 }, and ⎪
⎪
⎪
⎪
2 2 ⎪
⎪
⎪
⎪ i 1 = 0, 1, . . . , m
− 1; i 2 = 1, 2, . . . , m
; j 1 = 1; j2 = 0; ⎪
⎪
⎨ 2 2 ⎬
u = 0, 1, . . . , min{ 2 − i 1 − 1, 2 − i 2 }, and
m m
Ix = ,
⎪ i 1 = 0, 1, . . . , 2 ; i m 2 = 0; j1 = 1, 2, . . . , 2 − i 1 ; j2 = 0; ⎪
m m
⎪ ⎪
⎪
⎪ ⎪
⎪
⎪
⎪ u = 0, 1, . . . , 2 − i 1 − j1 , and ⎪
⎪
⎪
⎪ ⎪
⎪
⎪
⎪ i 1 = 0; i 2 = 0, 1, . . . , m
; j1 = 0; j 2 = 1, 2, . . . , m
− i 2 ; ⎪
⎪
⎩ 2 2 ⎭
u = 0, 1, . . . , 2 − i 2 − j2 ,
m
m m
I y, p = i 1 = 0, 1, . . . , ; i 2 = 0, 1, . . . , ; j1 = 1, 2, . . . , τ (i 1 + i 2 )
2 2
−(i 1 + i 2 )/2, } ,
m m
I y,q = i 1 = 0, 1, . . . , ; i 2 = 0, 1, . . . , ; j2 = 1, 2, . . . , τ (i 1 + i 2 )
2 2
−(i 1 + i 2 )/2, } ,
Let B be a matrix whose rows consist of coefficients of g[i1 ,i2 , j1 , j2 ,u] (x p,1 X p,1 , xq,1
X q,1 , x p,2 X p,2 , xq,2 X q,2 , y p Y p , yq Yq ), g[i
1 ,i2 , j1 ], p (x p,1 X p,1 , xq,1 X q,1 , x p,2 X p,2 , xq,2
X q,2 , y p Y p , yq Yq ), and g[i
1 ,i2 , j2 ],q (x p,1 X p,1 , xq,1 X q,1 , x p,2 X p,2 , xq,2 X q,2 , y p Y p , yq Yq )
with indices in Ix , I y, p , and I y,q , respectively. If the shift-polynomials are ordered as
g[i1 ,i2 , j1 , j2 ,u] ≺ g[i

1 ,i2 , j1 ], p , g[i
1 ,i2 , j2 ],q ,
g[i1
,i2
, j1
, j2
,u
] ≺ g[i1 ,i2 , j1 , j2 ,u] for i 1
+ i 2
< i 1 + i 2 ,
g[i1
,i2
, j1
, j2
,u
] ≺ g[i1 ,i2 , j1 , j2 ,u] for i 1
+ i 2
= i 1 + i 2 , u
< u,
g[i1
,i2
, j1
,0,u] ≺ g[i1 ,i2 , j1 ,0,u] for i 1
+ i 2
= i 1 + i 2 , j1
< j1 ,
g[i1
,i2
,0, j2
,u] ≺ g[i1 ,i2 ,0, j2 ,u] for i 1
+ i 2
= i 1 + i 2 , j2
< j2 ,
g[i

,i
, j
] , g[i

,i
, j
],q ≺ g[i
1 ,i2 , j1 ], p , g[i
1 ,i2 , j2 ],q for i 1
+ i 2
< i 1 + i 2 ,
1 2 1 1 2 2
g[i

,i
, j
] ≺ g[i
1 ,i2 , j1 ], p for i 1
+ i 2
= i 1 + i 2 , j1
< j1 ,
1 2 1
g[i

,i
, j
],q ≺ g[i
1 ,i2 , j2 ],q for i 1
+ i 2
= i 1 + i 2 , j2
< j2 ,
1 2 2
diagonal entries
i + j1 +u i + j2 +u (i 1 +i 2 )/2 m−(i 1 +i 2 +u)
• X p,1
1 2
X p,2 Yp e for g[i1 ,i2 , j1 , j2 ,u] if i 1 + i 2 is odd,
i 1 + j1 +u i 2 + j2 +u (i 1 +i 2 )/2 m−(i 1 +i 2 +u)
• X q,1 X q,2 Yq e for g[i1 ,i2 , j1 , j2 ,u] if i 1 + i 2 is even,
(i 1 +i 2 )/2+ j1 m−(i 1 +i 2 )
• X ip,1
1
X ip,2
2
Yp e for g[i
1 ,i2 , j1 ], p ,
(i 1 +i 2 )/2+ j2 m−(i 1 +i 2 )
i1
• X q,1 i2
X q,2 Yq e for g[i
1 ,i2 , j2 ],q .
The proof will appear in Sect. 4.2.

nant of the lattice det(B) = X s X Y sY ese can be computed as:
τ 3
n= 1+ 1+ 1= m + o(m 3 ),
4
(i 1 ,i 2 , j1 , j2 ,u)∈Ix (i 1 ,i 2 , j1 )∈I y, p (i 1 ,i 2 , j2 )∈I y,q

sX = (i 1 + i 2 + j1 + j2 + 2u) + (i 1 + i 2 )
(i 1 ,i 2 , j1 , j2 ,u)∈Ix (i 1 ,i 2 , j1 )∈I y, p

+ (i 1 + i 2 )
(i 1 ,i 2 , j2 )∈I y,q
7τ 4
= m + o(m 4 ),
48
i1 + i2 i1 + i2
sY = +
(i 1 ,i 2 , j1 , j2 ,u)∈Ix
2 (i 1 ,i 2 , j1 , j2 ,u)∈Ix
2
s.t. i 1 +i 2 is odd s.t. i 1 +i 2 is even

i1 + i2 i1 + i2
+ + j1 + + j2
2 2
(i 1 ,i 2 , j1 )∈I y, p (i 1 ,i 2 , j2 )∈I y,q
7τ 2
= m 4 + o(m 4 ),
96

se = (m − (i 1 + i 2 + u))
(i 1 ,i 2 , j1 , j2 ,u)∈Ix

+ (m − (i 1 + i 2 )) + (m − (i 1 + i 2 ))
(i 1 ,i 2 , j1 )∈I y, p (i 1 ,i 2 , j2 )∈I y,q
1 + 5τ 4
= m + o(m 4 ).
48
Howgrave–Graham’s lemma if X s X Y sY ese < enm , i.e.,

1 7τ 1 7τ 2 1 + 5τ τ
α+δ− · + · +α· <α· .
2 48 2 96 48 4

set the parameters τ = 1 − 2δ, then the condition becomes

1 α
δ< −
2 7
as required. To satisfy the restriction τ ≥ 1/2, δ ≤ 1/4 and equivalently α ≥ 7/16

should hold.
4.2. Proof of Lemma 4

In this subsection, we show a proof of Lemma 4. Similarly as the proof of Lemma 3,
we first explain the spirit of our triangular matrix. The polynomials that we use contain
six variables x p,1 , xq,1 , x p,2 , xq,2 , y p , yq , and there are three algebraic relations: xq,1 =
x p,1 + 1, x p,2 = xq,2 + 1 and y p yq = N . By using the last relation, i.e., y p yq = N ,
we transform all monomials as they do not have both y p and yq , simultaneously, where
the same operation was also done in Sect. 3.4. By using the former two relations, i.e.,
xq,1 = x p,1 + 1 and x p,2 = xq,2 + 1, we transform all monomials as they do not have
both x p,1 , xq,1 , simultaneously, and both x p,2 , xq,2 , simultaneously. More concretely,
the variable x p,1 and x p,2 appear only in monomials, where exponents of y p are positive,
whereas the variable xq,1 and xq,2 appear only in monomials, where exponents of yq are
nonnegative. The operation is a direct extension of that in Sect. 3.
Then we show the proof of Lemma 4.
Proof of Lemma 4.. When (i 2 , j2 , u) = (0, 0, 0),

j j (i 1 +i 2 )/2 i 1 i2
:= x p,1
1 2
x p,2 yq f p,1 (x p,1 , y p ) f p,2 (x p,2 , y p )h u (x p,1 , x p,2 , xq,1 , xq,2 )
m−(i 1 +i 2 +u)
×e
j i /2 i 1
= x p,1
1
yq 1 f p,1 (x p,1 , y p )em−i1
i /2 i /2
N i1 /2 x p,1
j1
= f p,11 (x p,1 , y p ) f q,11 (xq,1 , yq )em−i1 .
Notice that the polynomials are similar to g[i, j],λ (x p , xq , y p , yq ) for λ = 1/2 in
Lemma 3. Then, the polynomials generate triangular basis matrix as claimed in Lemma 4.
Similarly, the polynomials g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) for (i 1 , j1 , u) =
(0, 0, 0) generate triangular basis matrix. Since the proof is completely the same as that
of Lemma 3, we omit it here. Then, the remaining proof is inductive; we show that the
basis matrix is still triangular with other polynomials.
At first, we assume that polynomials g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) such
that g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) ≺ g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 ,
y p , yq ) generate a triangular matrix as stated in Lemma 4. Then, we show that a matrix is
still triangular with a new polynomial g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) whose
i 1 + j1 +u i 2 + j2 +u (i 1 +i 2 )/2 m−(i 1 +i 2 +u)
diagonal is x p,1 x p,2 yp e . By definition,

j j (i 1 +i 2 )/2 i 1 i2
= x p,1
1 2
x p,2 yq f p,1 (x p,1 , y p ) f p,2 (x p,2 , y p )h u
× (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u)
j j (i 1 +i 2 )/2 i1 i

= x p,1
1 2
x p,2 yq N + x p,1 (N − y p ) 1 + x p,2 (y p − 1) 2
× h u (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) .
From the relation xq,1 = x p,1 + 1, x p,2 = xq,2 + 1 and equivalently x p,1 = xq,1 − 1,
xq,2 = x p,2 − 1, the polynomial becomes
j j (i 1 +i 2 )/2 i1 i

= x p,1
1 2
x p,2 yq N xq,1 − x p,1 y p −xq,2 + x p,2 y p 2
× h u (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) .
i i
By expanding N xq,1 − x p,1 y p 1 and −xq,2 + x p,2 y p 2 , the polynomial becomes
(i +i )/2
yq 1 2 h u (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) ·
j j
= x p,1
1 2
x p,2
⎛ ⎞
i1
i i p,1
⎝ 1
−x p,1 y p (N xq,1 )i1 −i p,1 ⎠
i p,1
i p,1 =0
⎛ ⎞
i2
i i p,2
⎝ 2
x p,2 y p (−xq,2 )i2 −i p,2 ⎠
i p,2
i p,2 =0
(i +i )/2
yq 1 2 h u (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) ·
j j
= x p,1
1 2
x p,2
⎛ ⎞
i1 i2
⎝ i1 i2 i p,1 i p,2 i 1 −i p,1 i 2 −i p,2 i p,1 +i p,2
⎠
(−1)i p,1 +i2 −i p,2 N i1 −i p,1 x p,1 x p,2 xq,1 xq,2 y p
i p,1 i p,2
i p,1 =0 i p,2 =0
(i +i 2 )/2 u
= yq 1 h (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) ·
⎛
1 +i 2
i min{i 1 ,i p }

⎝ i2 i1
(−1)2i p,1 +i2 −i p N i1 −i p,1 ·
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 }
i p,1 + j1 i p −i p,1 + j2 i 1 −i p,1 i 2 −i p +i p,1 i p

x p,1 x p,2 xq,1 xq,2 yp .
From the relation y p yq = N , we modify all the monomials so that y p and yq do not
= h u (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) ·

⎛
1 +i 2
i min{i 1 ,i p }

⎝ i2 i1
(−1)2i p,1 +i2 −i p N i1 −i p,1 +(i1 +i2 )/2 ·
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2+1 i p,1 =max{0,i p −i 2 }
i p,1 + j1 i p −i p,1 + j2 i 1 −i p,1 i 2 −i p +i p,1 i p −(i 1 +i 2 )/2

x p,1 x p,2 xq,1 xq,2 yp
+ h u (x p,1 , x p,2 , xq,1 , xq,2 )em−(i1 +i2 +u) ·
⎛
(i 1
+i 2 )/2 min{i 1 ,i p }

⎝ i2 i1
(−1)2i p,1 +i2 −i p N i1 −i p,1 +i p ·
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 }
i + j1 i p −i p,1 + j2 i 1 −i p,1 i 2 −i p +i p,1 (i 1 +i 2 )/2−i p

p,1
x p,1 x p,2 xq,1 xq,2 yq .
Notice that there are no monomials that have y p and yq simultaneously. The exponents
of y p in the first summation are positive, whereas the exponents of yq in the second
summation are nonnegative.
By expanding
h u (x p,1 , x p,2 , xq,1 , xq,2 ) = (N x p,2 xq,1 − x p,1 xq,2 )u

u
u
= (N x p,2 xq,1 ) (−x p,1 xq,2 )u− ,

=0
the polynomial becomes
1 +i 2
i min{i 1 ,i p }
u

i2 i1 u
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2+1 i p,1 =max{0,i p −i 2 } =0
(−1)2i p,1 +i2 −i p +u− N i1 −i p,1 +(i1 +i2 )/2+ ·

i p,1 + j1 +u− i p −i p,1 + j2 + i 1 −i p,1 + i 2 −i p +i p,1 +u− i p −(i 1 +i 2 )/2 m−(i 1 +i 2 +u)
x p,1 x p,2 xq,1 xq,2 yp e
(i 1
+i 2 )/2 min{i 1 ,i p }
u

i2 i1 u
+
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 } =0
2i p,1 +i 2 −i p +u−
(−1) N i1 −i p,1 +i p + ·
i + j1 +u− i p −i p,1 + j2 + i 1 −i p,1 + i 2 −i p +i p,1 +u− (i 1 +i 2 )/2−i p m−(i 1 +i 2 +u)
p,1
x p,1 x p,2 xq,1 xq,2 yq e .
Next, as we discussed above, we replace all xq,1 , xq,2 in the first summation by
x p,1 + 1, x p,2 − 1, respectively, and replace all x p,1 , x p,2 in the second summation by
xq,1 − 1, xq,2 + 1, respectively. Then, the polynomial becomes
1 +i 2
i min{i 1 ,i p }
u

i2 i1 u
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2+1 i p,1 =max{0,i p −i 2 } =0
(−1)2i p,1 +i2 −i p +u− N i1 −i p,1 +(i1 +i2 )/2+ ·

i + j1 +u− i p −i p,1 + j2 +
p,1
x p,1 x p,2 (x p,1 + 1)i1 −i p,1 +
i −(i 1 +i 2 )/2 m−(i 1 +i 2 +u)
(x p,2 − 1)i2 −i p +i p,1 +u− y pp e
(i 1
+i 2 )/2 min{i 1 ,i p }
u

i2 i1 u
+
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 } =0
(−1)2i p,1 +i2 −i p +u− N i1 −i p,1 +i p + ·

i −i p,1 + i 2 −i p +i p,1 +u−
(xq,1 − 1)i p,1 + j1 +u− (xq,2 + 1)i p −i p,1 + j2 + xq,1
1
xq,2
(i 1 +i 2 )/2−i p m−(i 1 +i 2 +u)
yq e
1 +i 2
i min{i 1 ,i p }
u

i2 i1 u
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2+1 i p,1 =max{0,i p −i 2 } =0
(−1)2i p,1 +i2 −i p +u− N i1 −i p,1 +(i1 +i2 )/2+ ·

i + j1 +u− i p −i p,1 + j2 + i p −(i 1 +i 2 )/2 m−(i 1 +i 2 +u)
p,1
x p,1 x p,2 yp e ·
⎛ ⎞
i 1 −i p,1 +
i 1 − i p,1 + i1 −i p,1 +−k p,1 ⎠
⎝ x p,1 ·
k p,1
k p,1 =0
⎛ ⎞
i 2 −i p +i p,1 +u−
i 2 − i p + i p,1 + u −
⎝ k p,2 i 2 −i p +i p,1 +u−−k p,2 ⎠
(−1) x p,2
k p,2
k p,2 =0
(i 1
+i 2 )/2 min{i 1 ,i p }
u

i2 i1 u
+
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 } =0
2i p,1 +i 2 −i p +u−
(−1) N i1 −i p,1 +i p + ·
i −i p,1 + i 2 −i p +i p,1 +u− (i 1 +i 2 )/2−i p m−(i 1 +i 2 +u)
1
xq,1 xq,2 yq e ·
⎛ ⎞
i p,1 + j1 +u−
i + j + u − + +u−−k
⎝ p,1 1
(−1)kq,1 xq,1
i p,1 j1 q,1 ⎠·
kq,1
kq,1 =0
⎛ ⎞
i p −i p,1 + j2 +
i + j + − i i p + j2 +−i p,1 −kq,2
⎝ p 2 p,1
xq,2 ⎠
kq,2
kq,2 =0
1 +i 2
i min{i 1 ,i p } u i 1 −i p,1 + i 2 −i p +i p,1 +u−
i2 i1 u
= ·
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2+1 i p,1 =max{0,i p −i 2 } =0 k p,1 =0 k p,2 =0

i 1 − i p,1 + i 2 − i p + i p,1 + u −
(−1)2i p,1 +i2 −i p +u−+k p,2 N i1 −i p,1 +(i1 +i2 )/2+ ·
k p,1 k p,2
i + j1 +u−k p,1 i 2 + j2 +u−k p,2 i p −(i 1 +i 2 )/2 m−(i 1 +i 2 +u)
1
x p,1 x p,2 yp e
(i 1
+i 2 )/2 min{i 1 ,i p } j1 +u− i p −i p,1 + j2 +
u i p,1 +
i2 i1 u
+ ·
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 } =0 kq,1 =0 kq,2 =0

i p,1 + j1 + u − i p + j2 + − i p,1
(−1)2i p,1 +i2 −i p +u−+kq,1 N i1 −i p,1 +i p + ·
kq,1 kq,2
i + j1 +u−kq,1 i 2 + j2 +u−kq,2 (i 1 +i 2 )/2−i p m−(i 1 +i 2 +u)
1
xq,1 xq,2 yq e .

i i i
• x p,1
px,1 px,2
x p,2 y ppy for i py = 1, 2, . . . , (i 1 + i 2 )/2,
i i i
• xq,1 xq,1 yq for i qy = 0, 1, . . . , (i 1 + i 2 )/2.
q x,1 q x,1 qy
When (i 1 + i 2 ) is odd, all polynomials g[i1

,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) that
have diagonal entries for the following variables satisfy g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 ,
xq,2 , y p , yq ) ≺ g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ):
i i i
• x p,1
px,1 px,2
x p,2 y ppy for i py = 1, 2, . . . , (i 1 + i 2 )/2 − 1,
i i i
• xq,1 xq,1 yq for i qy = 0, 1, . . . , (i 1 + i 2 )/2.
q x,1 q x,1 qy
Hence, we focus on the monomials in g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) for
variables
i i (i +i )/2
• x p,1
px,1 px,2
x p,2 yp 1 2 for i px,1 = i 1 + j1 , i 1 + j1 + 1, . . . , i 1 + j1 + u; i px,2 =
i 2 + j2 , i 2 + j2 + 1, . . . , i 2 + j2 + u.
All polynomials g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) that have the above diagonal
i + j +u i + j +u (i +i )/2
entries for variables except x p,1 1 1 2
x p,2 2
yp 1 2 satisfy g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 ,
x p,2 , xq,2 , y p , yq ) ≺ g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ). Hence, as stated in
Lemma 4, the polynomial g[i1 ,i2 , j1 , j2 ,u] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) for odd (i 1 +i 2 ) has
i 1 + j1 +u i 2 + j2 +u (i 1 +i 2 )/2 m−(i 1 +i 2 +u)
a diagonal X p,1 X p,2 Yp e . Similarly, we can prove the state-
ment when (i 1 +i 2 ) is even. Hence, polynomials g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p ,
yq ) generate triangular basis matrix as stated in Lemma 4.
Next, we assume that polynomials g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) and
g[i

,i
, j
], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) such that g[i

,i
, j
], p (x p,1 , xq,1 , x p,2 , xq,2 , y p ,
1 2 1 1 2 1
yq ) ≺ g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) generate a triangular matrix as stated
in Lemma 4. Then, we show that a matrix is still triangular with a new polynomial
(i +i )/2+ j1
g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) whose diagonal is x ip,11
x ip,2
2
yp 1 2
em−(i1 +i2 ) . By definition,
g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq )
(i 1 +i 2 )/2− j1
= yq i1
f p,1 i2
(x p,1 , y p ) f p,2 (x p,2 , y p )em−(i1 +i2 )
(i +i )/2− j1 i i
= yq 1 2 N + x p,1 (N − y p ) 1 1 + x p,2 (y p − 1) 2 em−(i1 +i2 ) .
From the relation x p,1 = xq,1 − 1 and x p,2 = xq,2 + 1, the polynomial becomes
(i 1 +i 2 )/2− j1 i1 i

= yq N xq,1 − x p,1 y p −xq,2 + x p,2 y p 2 em−(i1 +i2 ) .
i i
By expanding N xq,1 − x p,1 y p 1 and −xq,2 + x p,2 y p 2 , the polynomial becomes
(i 1 +i 2 )/2− j1 m−(i 1 +i 2 )

= yq e ·
⎛ ⎞
i1
i
⎝ 1
−x p,1 y p p,1 (N xq,1 )i1 −i p,1 ⎠
i
i p,1
i p,1 =0
⎛ ⎞
i2
i
⎝ 2
x p,2 y p p,2 (−xq,2 )i2 −i p,2 ⎠
i
i p,2
i p,2 =0
(i +i )/2− j1 m−(i 1 +i 2 )
= yq 1 2 e ·
⎛ ⎞

i1 i2

⎝ i i −i −i +i
y pp,1 p,2 ⎠
i i i i i
(−1)i p,1 +i2 −i p,2 N i1 −i p,1 x p,1
1 2 p,1 p,2 1
x p,2 xq,1 p,1 xq,2
2 p,2
i p,1 i p,2
i p,1 =0 i p,2 =0
(i +i )/2− j1 m−(i 1 +i 2 )
=yq 1 2 e ·
⎛
1 +i 2
i min{i 1 ,i p }

⎝ i2 i1 i p,1
(−1)2i p,1 +i2 −i p N i1 −i p,1 x p,1
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 }
i p −i p,1 i 1 −i p,1 i 2 −i p +i p,1 i p

x p,2 xq,1 xq,2 yp .
⎛
1 +i 2
i min{i 1 ,i p }

i2 i1
= ⎝ (−1)2i p,1 +i2 −i p
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2− j1 +1 i p,1 =max{0,i p −i 2 }
N i1 −i p,1 +(i1 +i2 )/2 ·

i i −i p,1 i 1 −i p,1 i 2 −i p +i p,1 i p −(i 1 +i 2 )/2+ j1

p,1
x p,1 p
x p,2 xq,1 xq,2 yp em−(i1 +i2 )
⎛
(i 1 +i
2 )/2− j1 min{i 1 ,i p }

i2 i1
+⎝ (−1)2i p,1 +i2 −i p N i1 −i p,1 +i p ·
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 }
i p,1 i p −i p,1 i 1 −i p,1 i 2 −i p +i p,1 (i 1 +i 2 )/2−i p − j1

x p,1 x p,2 xq,1 xq,2 yq em−(i1 +i2 ) .
of y p in the first summation are positive, whereas the exponents of yq in the second
summation are nonnegative.
Next, as we discussed above, we replace all xq,1 , xq,2 in the first summation by
x p,1 + 1, x p,2 − 1, respectively, and replace all x p,1 , x p,2 in the second summation by
xq,1 − 1, xq,2 + 1, respectively. Then, the polynomial becomes
1 +i 2
i min{i 1 ,i p }

i2 i1
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2− j1 +1 i p,1 =max{0,i p −i 2 }
(−1)2i p,1 +i2 −i p N i1 −i p,1 +(i1 +i2 )/2 ·

i i −i p,1 i −(i +i )/2+ j
p,1
x p,1 p
x p,2 (x p,1 + 1)i1 −i p,1 (x p,2 − 1)i2 −i p +i p,1 y pp 1 2 1 m−(i 1 +i 2 )
e
(i 1 +i
2 )/2− j1 min{i 1 ,i p }

i2 i1
+ (−1)2i p,1 +i2 −i p N i1 −i p,1 +i p ·
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 }
i −i p,1 i 2 −i p +i p,1 (i 1 +i 2 )/2−i p − j1 m−(i 1 +i 2 )
(xq,1 − 1) i p,1
(xq,2 + 1)i p −i p,1 xq,1
1
xq,2 yq e
1 +i 2
i min{i 1 ,i p }

i2 i1
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2− j1 +1 i p,1 =max{0,i p −i 2 }
(−1)2i p,1 +i2 −i p N i1 −i p,1 +(i1 +i2 )/2 ·

i i −i
p,1 m−(i 1 +i 2 ) i −(i +i )/2+ j
p,1
x p,1 p
x p,2 e y pp 1 2 1
·
⎛ ⎞
i 1 −i p,1
i 1 − i p,1 i1 −i p,1 −k p,1
⎝ x p,1 ⎠
k p,1
k p,1 =0
⎛ ⎞
i 2 −i p +i p,1
i − i + i −i +i −k
⎝ 2 p p,1 i
(−1) p,2 x p,2
k 2 p p,1 p,2 ⎠
k p,2
k p,2 =0
(i 1 +i
2 )/2− j1 min{i 1 ,i p }

i2 i1
+
i p − i p,1 i p,1
i p =0 i p,1 =max{0,i p −i 2 }
i −i p,1 i 2 −i p +i p,1
(−1)2i p,1 +i2 −i p N i1 −i p,1 +i p xq,1
1
xq,2 ·
⎛ ⎞
i p,1
(i 1 +i 2 )/2− j1 −i p m−(i 1 +i 2 ) i p,1 i p,1 −kq,1
yq e ⎝ (−1)kq,1 xq,1 ⎠
kq,1
kq,1 =0
⎛ ⎞
i p −i p,1
i p − i p,1 i p −i p,1 −kq,2 ⎠
⎝ xq,2
kq,2
kq,2 =0
1 +i 2
i min{i 1 ,i p } i 1 −i p,1 i 2 −i p +i p,1
i2 i1
=
i p − i p,1 i p,1
i p =(i 1 +i 2 )/2− j1 +1 i p,1 =max{0,i p −i 2 } k p,1 =0 k p,2 =0

i 1 − i p,1 i 2 − i p + i p,1
·
k p,1 k p,2
i −k p,1 i 2 −k p,2 i p −(i 1 +i 2 )/2+ j1 m−(i 1 +i 2 )

(−1)2i p,1 +i2 −i p +k p,2 N i1 −i p,1 +(i1 +i2 )/2 x p,1
1
x p,2 yp e
(i 1 +i
2 )/2− j1 min{i 1 ,i p } i p,1 i p −i p,1
i2 i1 i p,1 i p − i p,1
+ ·
i p − i p,1 i p,1 kq,1 kq,2
i p =0 i p,1 =max{0,i p −i 2 } kq,1 =0 kq,2 =0
i −kq,1 i 2 −kq,2 (i 1 +i 2 )/2− j1 −i p m−(i 1 +i 2 )
(−1)2i p,1 +i2 −i p +kq,1 N i1 −i p,1 +i p xq,1
1
xq,2 yq e .

i i i
• x p,1px,1 px,2
x p,2 y ppy for i py = 1, 2, . . . , (i 1 + i 2 )/2 + j1 ; i px,1 + i px,2 = i py + (i 1 +
i 2 )/2 − j1 , . . . , i 1 + i 2 ,
i q x,1 i q x,2 i qy
• xq,1 xq,2 yq for i qy = 0, 1, . . . , (i 1 + i 2 )/2 − j1 ; i q x,1 + i q x,2 = i qy − (i 1 +
i 2 )/2 + j1 , . . . , i 1 + i 2 .
(i +i )/2+ j
Since all these variables except x ip,1 1
x ip,2
2
yp 1 2 1
appear in diagonal entries of

g[i1
,i2
, j1
, j2
,u
] (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) or g[i
,i
, j
], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq )
1 2 1
such that g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) ≺ g[i

,i
, j
], p (x p,1 , xq,1 , x p,2 , xq,2 ,
1 2 1
y p , yq ), as stated in Lemma 4, the diagonal of g[i
1 ,i2 , j1 ], p (x p,1 , xq,1 , x p,2 , xq,2 , y p , yq ) in
(i +i )/2+ j
1 m−(i 1 +i 2 )
the triangular basis matrix is X ip,1
1
X ip,2
2
Yp 1 2 e . Similarly, we can prove
that the polynomials generate triangular basis matrix and the diagonal of g[i
1 ,i2 , j2 ],q (x p,1 ,
i1 i2 (i 1 +i 2 )/2+ j2 m−(i 1 +i 2 )
xq,1 , x p,2 , xq,2 , y p , yq ) is X q,1 X q,2 Yq e .
4.3. Experimental Results

We compare the practical behaviors between our previous attack in [56] and an improved
attack proposed in this version. Note that the improved lattice construction captures a
sublattice of our previous one [56], hence the experimental results do not change for
m = 4, 6. However since the new sets adopt lattices with much smaller dimension, we
greatly reduce the running time of LLL algorithm.
Moreover, for m = 8 we can reduce the dimension from about 500 of [56] to 180
which is acceptable for practical implementation, it means that we can further improve the
experimental results of our previous attack. We implemented the experiment programs of
both previous attack [56] and our improved one by Sage 7.4 and L 2 reduction algorithm
from Nguyen and Stehlé [33]. The calculations were performed on Intel Xeon E5-2637
processor running at 3.5GHz. By means of a comparison among the work of Herrmann–
May’s result [19], our previous attack [56], and the improved one, we list the experimental
results with varying bitsize of RSA moduli under small CRT-exponents in Table 5. In
all experiments, we successfully find the factorization of these RSA moduli. In practice,
we always obtained sufficient polynomials with small norm and were able to extract the
desired root by computing Gröbner bases for these polynomials. And the computation
was fast in practice when we used as many polynomials as possible. As it is shown, the
experimental results of small CRT-exponents attack can be further improved.
Table 5. Experimental results of small CRT-exponents attack.
N (bits) Herrmann–May’s Ours in [56] Ours

result [19]
d p , dq dim. d p , dq dim. LLL Gröbner d p , dq (m,dim.) LLL time Gröbner
(bits) (bits) time (in basis time (bits) (in sec.) basis time
sec.) (in sec.) (in sec.)
1000 11 30 33 95 25 0.2 33 (4,31) 1 0.3

1000 22 93 50 252 5194 30.2 50 (6,84) 230 28.2
1000 29 154 – – – – 62 (8,179) 34,577 1568.8
2000 21 30 66 95 81 0.5 66 (4,31) 2 0.6
2000 35 60 100 252 13,393 80.3 100 (6,84) 741 94.8
2000 47 105 – – – – 129 (8,177) 123,646 3835.8
5000 48 30 176 95 573 2.3 176 (4,31) 12 2.2
5000 89 60 261 252 71,249 305.9 261 (6,84) 4920 306.4
5000 113 93 – – – – 316 (8,177) 559,007 14,237.8
10000 96 30 351 95 2460 6.4 351 (4,31) 69 6.5
10000 179 60 530 252 306,604 757.2 530 (6,84) 23,559 872.1
5. Attacks on the Variants
In this section, we study small CRT-exponent attacks on the RSA variants, i.e., the Multi-
Prime RSA, Takagi’s RSA, and the RSA with multiple exponent pairs. We extend our
attack of Theorem 2 to the variants.
5.1. Multi-Prime RSA

In this section, we extends the small CRT-exponent attack for the Multi-Prime RSA as
follows.

Theorem 6. Let N = ri=1 pi be an RSA modulus, where r ≥ 2 and all the prime
factors p1 , . . . , pr are the same bitsize. Let e = N α and d pi < N δi be a public/CRT-
exponent, respectively, such that ed pi = 1 (mod ( pi − 1)) for all i = 1, . . . , r . Given
public elements N and e, if N is sufficiently large and
√
1− (r − 1)α r −1
min δi < for α > ,
i∈{1,...,r } r r2
We can successfully extend an attack for the Multi-Prime RSA in the sense that Theo-
rem 6 becomes the same as Theorem 3 for r = 2.
Proof of Theorem 6. Recall the CRT-RSA key generation;
ed pi = 1 + k pi ( pi − 1)
with some integer k pi . By multiplying an integer N / pi ,
ed pi N / pi = N / pi + k pi (N − N / pi ) = (k pi − 1)(N − N / pi ) + N .
Then we solve the following modular equations;
f N / pi (x N / pi , y N / pi ) := N + x N / pi (N − y N / pi ) = 0 (mod e),
f pi (x pi , y pi ) := 1 + x pi (y pi − 1) = 0 (mod e),
whose root is (x N / pi , x pi , y N / pi , y pi ) = (k pi − 1, k pi , N / pi , pi ). The absolute val-

ues of the root are bounded above by X := N α+δ−1/r for x N / pi and x pi , Y N / pi :=
N (r −1)/r , Y pi := N 1/r for y N / pi , y pi , respectively. We construct the same matrix as the
proof of Theorem 2 and the modular equation can be solved when

1 λ+τ r − 1 λ2 1 τ2 1+λ+τ λ+τ
α+δ− + · + · +α − < 0.
r 3 r 6 r 6 6 2
√
δ 1− (r −1)α
We set the parameters λ = 1−rr −1 , τ = 1 −r δ and the condition becomes δi < r
as required. To satisfy the restrictions of parameters, α > rr−1
2 should hold.
We also extend May’s modulo pi attack [29] for the Multi-Prime RSA as follows.

Theorem 7. (Adapted from [28]) Let N = ri=1 pi be an RSA modulus, where r ≥ 2
and all the prime factors p1 , . . . , pr are the same bitsize. Let e = N α and d pi < N δi
be a public/CRT-exponent, respectively such that ed pi = 1 (mod ( pi − 1)) for all
i = 1, . . . , r . Given public elements N and e, if
r + 1 − r 2α
min δi < ,
i∈{1,...,r } 2r 2
We can successfully extend an attack for the Multi-Prime RSA in the sense that
Theorem 7 becomes the same as Theorem 4 for r = 2. We omit the proof since it is
almost the same as Theorem 9 of [28]. The bound of Theorem 6 is always better than or
equal to that of Theorem 7. Figure 4 shows comparison of the attack condition between
Theorem 6 and 7 for r = 3 and 4.
5.2. Takagi’s RSA

In this section, we extends the small CRT-exponent attack for Takagi’s RSA as follows.
Theorem 8. Let N = pr q be an RSA modulus, where r ≥ 1 and the prime factors p

and q are the same bitsize. Let e = N α and d p < N δ p , dq < N δq be a public/CRT-
Fig. 4. Comparisons between our attacks of Theorem 6 and 7. The left and the right figures are for r = 3 and
4, respectively.
exponent, respectively, such that ed p = 1 (mod ( p − 1)) and edq = 1 (mod (q − 1)).
Given public elements N and e, if N is sufficiently large and
√
1 − rα r
min{δ p , δq } < for α > ,
r +1 (r + 1)2
We can successfully extend an attack for Takagi’s RSA in the sense that Theorem 8
becomes the same as Theorem 3 for r = 1. Although Shinohara et al. [43] extended
Bleichenbacher–May’s attack, our attack is always better.
Proof of Theorem 8. Recall the CRT-RSA key generation;
ed p = 1 + k p ( p − 1) and edq = 1 + kq (q − 1)
with some integer k p and dq . By multiplying N / p = pr −1 q and N /q = pr , respectively,
ed p pr −1 q = pr −1 q + k p (N − pr −1 q) = (k p − 1)(N − pr −1 q) + N and
edq pr = pr + kq (N − pr ) = (kq − 1)(N − pr ) + N .
Then we solve the following modular equations for small d p ;
f pr −1 q (x pr −1 q , y pr −1 q ) := N + x pr −1 q (N − y pr −1 q ) = 0 (mod e),
f p (x p , y p ) := 1 + x p (y p − 1) = 0 (mod e),
whose root is (x pr −1 q , x p , y pr −1 q , y p ) = (k p − 1, k p , pr −1 q, p), and the following

modular equations for small dq ;
f pr (x pr , y pr ) := N + x pr (N − y pr ) = 0 (mod e),
f q (xq , yq ) := 1 + xq (yq − 1) = 0 (mod e),
Fig. 5. Comparisons between our attacks of Theorems 8 and 9 . The left and the right figures are for r = 2
and 3, respectively.
whose root is (x pr , xq , y pr , yq ) = (kq − 1, kq , pr , q). The absolute values of the root

are bounded above by X := N α+δ−1/(r +1) for x pr −1 q , x p , x pr , and xq , Yr := N r/(r +1)
for y pr −1 q and y pr , Y1 := N 1/(r +1) for y p and yq , respectively. For both small d p and
dq attacks, we construct the same matrix as the proof of Theorem 2 and the modular
equation can be solved when

1 λ+τ r λ2 1 τ2 1+λ+τ λ+τ
α+δ− + · + · +α − < 0.
r +1 3 r +1 6 r +1 6 6 2
1−(r +1)δ
We set the parameters λ = ,τ = 1 − (r + 1)δ and the condition becomes
√ r
1− r α
δ < (r +1) as required. To satisfy the restrictions of parameters, α > r
(r +1)2
should
hold.
We also extend May’s modulo a prime factor attack [29] for Takagi’s RSA as follows.
Theorem 9. (Adapted from [29]) Let N = pr q be an RSA modulus, where r ≥ 1 and

the prime factors p and q are the same bitsize. Let e = N α and d p < N δ p , dq < N δq
be a public/CRT-exponent, respectively, such that ed p = 1 (mod ( p − 1)) and edq = 1
(mod (q − 1)). Given public elements N and e, if
2r + 1 − (r + 1)2 α r + 2 − (r + 1)2 α
δp < or δq < ,
2(r + 1)2 2(r + 1)2
We can successfully extend an attack for the Takagi’s RSA in the sense that Theorem 9
becomes the same as Theorem 4 for r = 1. We omit the proof since it is almost the same
as Theorem 9 of [28]. The bound for δq of Theorem 8 is always better than or equal to
that of Theorem 9; however, the bound for δ p of Theorem 9 is better than or equal to that
of Theorem 8. Figure 5 shows comparison of the attack condition for small d p between
Theorem 8 and 9 for r = 2 and 3.
5.3. RSA with Multiple Exponent Pairs

In this section, we extends the small CRT-exponent attack for the RSA with multiple
exponent pairs as follows.
Theorem 10. Let N = pq be an RSA modulus, where the prime factors p and q
are the same bitsize. Let e = N α and dq, < N δ for = 1, . . . , r be a public/CRT
exponent, respectively, such that e dq, = 1 (mod (q − 1)). Given public elements N
and e1 , . . . , er , if N is sufficiently large and

1 α
δ< − ,
2 3r + 1
then N can be factorized in time polynomial in input length and exponential in r by

assuming that polynomials which are derived from LLL-reduced bases are algebraically
independent.
We can successfully extend the attack for RSA with multiple exponent pairs in the
sense that Theorem 10 becomes the same as Theorem 3 for r = 1. We do not think
May’s modulo q approach is an appropriate way for the attack scenario, and hence, we
do not extend it. Peng et al. proposed the attack (Theorem 2 of [35]) which extended
Bleichenbacher–May’s [5] and works when δ < (9r − 14)/(24r + 8) for an α = 1.
Theorem 10 is always better than the attack of Peng et al. Indeed, even if there are
infinitely many exponent pairs r , the attack of Peng et al. works for δ < 3/8, whereas
our attack works for the same bound of δ with only 21 exponent pairs. Figure 6 shows
comparison of recoverable sizes of dq between our attack and that of Peng et al. [35].
Proof of Theorem 10. Recall the CRT-RSA key generation for dq, ;
e dq, = 1 + k (q − 1)
with some integer k . By multiplying an integer p,
e dq, p = p + k (N − p) = (k − 1)(N − p) + N .
Then we solve the following modular equations;
f p, (x p, , y p, ) := N + x p, (N − y p ) = 0 (mod e ),

f q, (xq, , yq, ) := 1 + xq, (yq − 1) = 0 (mod e ),
whose root is (x p, , xq, , y p , yq ) = (k −1, k , p, q). The absolute values of the root are
bounded above by X := N α+δ−1/2 for x p, and xq, , Y := N 1/2 for y p , yq , respectively,
within constant factors.
To solve the modular equations, we use the following shift-polynomials
j i/2 i/2
g[i, j] (x p, , xq, , y p , yq ) := x p, f p, (x p, , y p ) f q, (xq, , yq )em−i ,
Fig. 6. Comparison between our attack (Theorem 10) and the attack of Peng et al. [35].

i/2+ j i/2− j
g[i, j] (x p, , x q, , y p , yq ) := f p, (x p, , y p ) f q, (xq, , yq )em−i ,

i/2− j i/2+ j
g[i, j] (x p, , x q, , y p , yq ) := f p, (x p, , y p ) f q, (xq, , yq )em−i ,
with some positive odd integer m. All the shift-polynomials share the common root
modulo em . Let τ be a constant such that 0 < τ ≤ 1. We use the shift-polynomials
!
1
g[i, j] (x p, , xq, , y p , yq ) for i = 0, 1, . . . , m; j = min 0, − 1 i , . . . , m − i,
2τ

g[i, j] (x p, , xq, , y p , yq ) for i = 1, 3, . . . , m; j = 1, 2, . . . , τ i − i/2,

g[i, j] (x p, , x q, , y p , yq ) for i = 0, 2, . . . , m − 1; j = 1, 2, . . . , τ i − i/2,
and construct a triangular basis matrix with diagonal entries

• X ip,
X
Y piY em−min{i X ,2iY −1} for i X = 1, 2, . . . , m; i Y = 0, 1, . . . , τ i X + o(i X ),
i X i Y m−min{i X ,2i Y }
• X q, Yq e for i X = 0, 1, . . . , m; i Y = 0, 1, . . . , τ i X + o(i X ).
As Boneh and Durfee’s attack was extended to multiple exponent pairs setting [47],
we use Minkowski sum based lattice method [1] and combine r lattices for dq, with
= 1, 2, . . . , r . Then the dimension n and the determinant of the combined lattice
X s X Y sY ese can be computed as follows:
τ (i X 1 +···+i X r ) τ (i X 1 +···+i X r )

m
m
m
m
n= ··· 1+ ··· 1
i X 1 =0 i X r =0 i Y =1 i X 1 =0 i X r =0 i Y =0
= r τ m r +1 + o(m r +1 ),
τ (i X 1 +···+i X r )

r
m
m r (3r + 1)τ r +2
sX = 2 ··· i X = m + o(m r +2 ),
6
=1 i X 1 =0 i X r =0 i Y =0
τ (i X 1 +···+i X r )

m
m r (3r + 1)τ 2 r +2
sY = 2 ··· iY = m + o(m r +2 ),
12
i X 1 =0 i X k =0 i Y =0
τ (i X 1 +···+i X r )

r
m
m
se = ··· (m − min{i X , 2i Y − 1})
=1 i X 1 =0 i X r =0 i Y =1
τ (i X 1 +···+i X r )

r
m
m
+ ··· (m − min{i X , 2i Y })
=1 i X 1 =0 i X r =0 i Y =0
(3r − 1)τ + 1 k+2
= m + o(m k+2 ).
6
Howgrave–Graham’s lemma if X s X Y sY ese < enm , i.e.,

1 r (3r + 1)τ 1 r (3r + 1)τ 2 (3r − 1)τ + 1
α+δ− + · +α·r − rτ < 0
2 6 2 12 6

set the parameters τ = 1 − 2δ, then the condition becomes

1 α
δ< −
2 3r + 1
as required.
6. Concluding Remarks and Open Problem
In this paper, we studied a lattice-based cryptanalysis of the small CRT-exponent RSA.

We developed a new lattice construction technique that is specialized to the CRT-RSA key
generation and proposed several improved attacks. When a prime factor p is significantly
smaller than the other prime factor q with a small dq , we solved an open problem which
was claimed in [5,29]; we proposed an attack which works for p < N 0.5 . When both
d p and dq are small, we proposed an attack which works for d p , dq < N 0.122 with a
full size e. We also proposed attacks on the RSA variants, i.e., the Multi-Prime RSA,
Takagi’s RSA, and RSA with multiple exponent pairs.
In Sect. 4, we obtain the improvement by exploiting sublattice structures from [56]. Al-
though the experimental results based on the sublattice provide better matching between
achievable sizes of d p , dq and the theoretically predicted bound than the previous lattice
in [56], there still exists a gap. In other words, it seems that there is still room for im-
provements of the bound N 0.122 by this approach. Specifically, for the 31-dimensional
lattices (resp. 84-dimensional lattices), the theoretically predicted bound δ should be
0.00 (resp. 0.03), however, we successfully find integer equations when δ ≤ 0.03 (resp.
δ ≤ 0.05). We think that the reason for this gap derives from that to make the matrix
triangular, we can not only remove the unhelpful polynomials. The open problem is how
to further improve this bound to fill the gap between achievable bound in experiments
and the theoretically predicted bound. We hope our novel lattice construction can be
fully analyzed and lead to a better results.
Acknowledgements
We would like to thank Shuichi Katsumata for his helpful comments. We also thank the
anonymous reviewers for their useful comments and suggestions.
References
[1] Y. Aono, Minkowski sum based lattice construction for multivariate simultaneous Coppersmith’s tech-
nique and applications to RSA. in Colin Boyd and Leonie Simpson, editors, Information Security and
Privacy—18th Australasian Conference, ACISP 2013, Volume 7959 of Lecture Notes in Computer Sci-
ence (Springer, 2013), pp. 88–103
[2] W. Bosma, J.J. Cannon, Catherine Playoust, The magma algebra system I: the user language. J. Symb.
Comput., 24(3/4), 235–265, 1997.
[3] D. Boneh, G. Durfee, Cryptanalysis of RSA with private key d less than N 0.292 . IEEE Trans. Information
Theory, 46(4), 1339–1349 (2000).
[4] J. Blömer, A. May, New partial key exposure attacks on RSA, in Dan Boneh, editor, Advances in
Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Volume 2729 of Lecture
Notes in Computer Science (Springer, 2003), pp. 27–43
[5] D. Bleichenbacher, A. May, New attacks on RSA with small secret CRT-exponents, in Moti Yung,
Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors, Public Key Cryptography—PKC 2006, 9th
International Conference on Theory and Practice of Public-Key Cryptography, volume 3958 of Lecture
[6] A. Bauer, D. Vergnaud, J.-C. Zapalowicz, Inferring sequences produced by nonlinear pseudorandom
number generators using Coppersmith’s methods, in Marc Fischlin, Johannes A. Buchmann, and Mark
Manulis, editors, Public Key Cryptography-PKC 2012—15th International Conference on Practice and
Theory in Public Key Cryptography, volume 7293 of Lecture Notes in Computer Science (Springer,
2012), pp. 609–626
[7] D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known,
in Ueli M. Maurer, editor, Advances in Cryptology—EUROCRYPT ’96, International Conference on
the Theory and Application of Cryptographic Techniques, volume 1070 of Lecture Notes in Computer
Science (Springer, 1996), pp. 178–189
[8] D. Coppersmith, Finding a small root of a univariate modular equation, in Ueli M. Maurer, editor,
Advances in Cryptology—EUROCRYPT ’96, International Conference on the Theory and Application
of Cryptographic Techniques, Volume 1070 of Lecture Notes in Computer Science (Springer, 1996), pp.
155–165
[9] D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J.
Cryptology, 10(4), 233–260 (1997)
[10] D. Coppersmith, Finding small solutions to small degree polynomials, in Joseph H. Silverman, editor,
Cryptography and Lattices, International Conference, CaLC 2001, Volume 2146 of Lecture Notes in
Computer Science (Springer, 2001), pp. 20–31
[11] J. Coron, Finding small roots of bivariate integer polynomial equations revisited, in Christian Cachin
and Jan Camenisch, editors, Advances in Cryptology—EUROCRYPT 2004, International Conference on
the Theory and Applications of Cryptographic Techniques, Volume 3027 of Lecture Notes in Computer
[12] G. Durfee, P.Q. Nguyen, Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt
’99, in Tatsuaki Okamoto, editor, Advances in Cryptology—ASIACRYPT 2000, 6th International Con-
ference on the Theory and Application of Cryptology and Information Security, Volume 1976 of Lecture
[13] M.F. Esgin, M.S. Kiraz, O. Uzunkol, A new partial key exposure attack on multi-power RSA, in Andreas
Maletti, editor, Algebraic Informatics—6th International Conference, CAI 2015, Volume 9270 of Lecture
[14] S.D. Galbraith, C. Heneghan, J.F. McKee, Tunable balancing of RSA, in Colin Boyd and Juan
Manuel González Nieto, editors, Information Security and Privacy, 10th Australasian Conference, ACISP
2005, Volume 3574 of Lecture Notes in Computer Science (Springer, 2005), pp. 280–292
[15] M. Herrmann, Lattice-Based Cryptanalysis Using Unravelled Linearization. Ph.D. thesis, der Ruhr-
University Bochum (2011)
[16] Z. Huang, L. Hu, J. Xu, Attacking RSA with a composed decryption exponent using unravelled lineariza-
tion, in Dongdai Lin, Moti Yung, and Jianying Zhou, editors, Information Security and Cryptology—10th
International Conference, Inscrypt 2014, Volume 8957 of Lecture Notes in Computer Science (Springer,
2014), pp. 207–219
[17] Z. Huang, L. Hu, J. Xu, L. Peng, Y. Xie, Partial key exposure attacks on Takagi’s variant of RSA,
in Ioana Boureanu, Philippe Owesarski, and Serge Vaudenay, editors, Applied Cryptography and Net-
work Security—12th International Conference, ACNS 2014, Volume 8479 of Lecture Notes in Computer
[18] M. Herrmann, A. May, Attacking power generators using unravelled linearization: when do we output
too much? in Mitsuru Matsui, editor, Advances in Cryptology - ASIACRYPT 2009, 15th International
Conference on the Theory and Application of Cryptology and Information Security, Volume 5912 of
Lecture Notes in Computer Science (Springer, 2009), pp. 487–504
[19] M. Herrmann, A. May, Maximizing small root bounds by linearization and applications to small secret
exponent RSA, in Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography—PKC
2010, 13th International Conference on Practice and Theory in Public Key Cryptography, Volume 6056
of Lecture Notes in Computer Science (Springer, 2010), pp. 53–69
[20] N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, in Michael Darnell,
editor, Cryptography and Coding, 6th IMA International Conference, Volume 1355 of Lecture Notes in
Computer Science (Springer, 1997), pp. 131–142
[21] E. Jochemsz, A. May, A strategy for finding roots of multivariate polynomials with new applications in
attacking RSA variants, in Xuejia Lai and Kefei Chen, editors, Advances in Cryptology—ASIACRYPT
2006, 12th International Conference on the Theory and Application of Cryptology and Information
Security, Volume 4284 of Lecture Notes in Computer Science (Springer, 2006), pp. 267–282
[22] E. Jochemsz, A. May, A polynomial time attack on RSA with private CRT-exponents smaller than
N 0.073 , in Alfred Menezes, editor, Advances in Cryptology—CRYPTO 2007, 27th Annual International
Cryptology Conference, Volume 4622 of Lecture Notes in Computer Science (Springer, 2007), pp. 395–
411
[23] N. Kunihiro, N. Shinohara, T. Izu, A unified framework for small secret exponent attack on RSA. IEICE
Transactions97-A(6), 1285–1295 (2014)
[24] N. Kunihiro, On optimal bounds of small inverse problems and approximate GCD problems with higher
degree, in Dieter Gollmann and Felix C. Freiling, editors, Information Security—15th International
Conference, ISC 2012, Volume 7483 of Lecture Notes in Computer Science (Springer, 2012), pp. 55–69
[25] A.K. Lenstra, H.W.jun. Lenstra, Lászlo Lovász, Factoring polynomials with rational coefficients. Math.
Ann., 261, 515–534 (1982).
[26] Y. Lu, R. Zhang, D. Lin, Factoring multi-power RSA modulus N = pr q with partial known bits, in Colin
Boyd and Leonie Simpson, editors, Information Security and Privacy—18th Australasian Conference,
ACISP 2013, Volume 7959 of Lecture Notes in Computer Science (Springer, 2013), pp. 57–71
[27] Y. Lu, R. Zhang, D. Lin, New partial key exposure attacks on CRT-RSA with large public exponents,
in Ioana Boureanu, Philippe Owesarski, and Serge Vaudenay, editors, Applied Cryptography and Net-
work Security—12th International Conference, ACNS 2014, Volume 8479 of Lecture Notes in Computer
[28] Y. Lu, R. Zhang, L. Peng, D. Lin, Solving linear equations modulo unknown divisors: Revisited, in Tetsu
Iwata and Jung Hee Cheon, editors, Advances in Cryptology—ASIACRYPT 2015—21st International
Conference on the Theory and Application of Cryptology and Information Security, Volume 9452 of
[29] A. May, Cryptanalysis of unbalanced RSA with small CRT-exponent, in Moti Yung, editor, Advances
in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Volume 2442 of
[30] A. May, New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis, University of Paderborn
(2003)
[31] A. May, Using LLL-reduction for solving RSA and factorization problems, in Phong Q. Nguyen and
Brigitte Vallée, editors, The LLL Algorithm-Survey and Applications, Information Security and Cryp-
tography (Springer, 2010), pp. 315–348
[32] P.Q. Nguyen, J. Stern, The two faces of lattices in cryptology, in Joseph H. Silverman, editor, Cryptog-
raphy and Lattices, International Conference, CaLC 2001, Volume 2146 of Lecture Notes in Computer
[33] Phong Q. Nguyen, Damien Stehlé, An LLL algorithm with quadratic complexity. SIAM J. Comput.,
39(3), 874–903 (2009).
[34] L. Peng, L. Hu, Z. Huang, J. Xu, Partial prime factor exposure attacks on RSA and its Takagi’s vari-
ant, in Javier Lopez and Yongdong Wu, editors, Information Security Practice and Experience—11th
International Conference, ISPEC 2015, Volume 9065 of Lecture Notes in Computer Science (Springer,
2015), pp. 96–108
[35] L. Peng, L. Hu, Y. Lu, S. Sarkar, J. Xu, Z. Huang, Cryptanalysis of variants of RSA with multiple small
secret exponents, in Alex Biryukov and Vipul Goyal, editors, Progress in Cryptology-INDOCRYPT
2015—16th International Conference on Cryptology in India, Volume 9462 of Lecture Notes in Computer
[36] L. Peng, L. Hu, Y. Lu, Improved results on cryptanalysis of prime power RSA, in Seokhie Hong and
Jong Hwan Park, editors, Information Security and Cryptology-ICISC 2016—19th International Con-
ference, Volume 10157 of Lecture Notes in Computer Science (2016), pp. 287–303
[37] L. Peng, L. Hu, Y. Lu, H. Wei, An improved analysis on three variants of the RSA cryptosystem, in Kefei
Chen, Dongdai Lin, and Moti Yung, editors, Information Security and Cryptology—12th International
Conference, Inscrypt 2016, Volume 10143 of Lecture Notes in Computer Science (Springer, 2016), pp.
140–149
[38] L. Peng, L. Hu, Y. Lu, J. Xu, Z. Huang, Cryptanalysis of dual RSA. Des. Codes Cryptography83(1),
1–21 (2017).
[39] PKCS#1, RSA cryptography specifications version 2.0. http://www.ietf.org/rfc/rfc2437.txt
[40] J.-J. Quisquater, C. Couvreur, Fast decipherment algorithm for RSA public-key cryptosystem. Electron-
ics Letters, 18(2), 905–907 (1982)
[41] S. Sarkar, Small secret exponent attack on RSA variant with modulus N = pr q. Des. Codes Cryptog-
raphy, 73(2), 383–392 (2014)
[42] S. Sarkar, Revisiting prime power RSA. Discrete Applied Mathematics, 203, 127–133 (2016)
[43] N. Shinohara, T. Izu, N. Kunihiro, Small secret CRT-exponent attacks on Takagi’s RSA. IEICE Trans-
actions, 94-A(1), 19–27 (2011)
[44] S. Sarkar, S. Maitra, Partial key exposure attack on CRT-RSA, in Michel Abdalla, David Pointcheval,
Pierre-Alain Fouque, and Damien Vergnaud, editors, Applied Cryptography and Network Security, 7th
International Conference, ACNS 2009, Volume 5536 of Lecture Notes in Computer Science (2009), pp.
473–484
[45] H.-M. Sun, M.-E. Wu, An approach towards rebalanced RSA-CRT with short public exponent. IACR
Cryptology ePrint Archive, 2005, 53 (2005)
[46] A. Takayasu, N. Kunihiro, Better lattice constructions for solving multivariate linear equations modulo
unknown divisors. IEICE Transactions, 97-A(6), 1259–1272 (2014).
[47] A. Takayasu, N. Kunihiro, Cryptanalysis of RSA with multiple small secret exponents, in Willy Susilo
and Yi Mu, editors, Information Security and Privacy—19th Australasian Conference, ACISP 2014,
Volume 8544 of Lecture Notes in Computer Science (Springer, 2014), pp. 176–191
[48] A. Takayasu, N. Kunihiro, Partial key exposure attacks on RSA: achieving the boneh-durfee bound, in
Antoine Joux and Amr M. Youssef, editors, Selected Areas in Cryptography-SAC 2014—21st Interna-
tional Conference, Volume 8781 of Lecture Notes in Computer Science (Springer, 2014), pp. 345–362
[49] A. Takayasu, N. Kunihiro, Partial key exposure attacks on CRT-RSA: better cryptanalysis to full size
encryption exponents, in Tal Malkin, Vladimir Kolesnikov, Allison Bishop Lewko, and Michalis Poly-
chronakis, editors, Applied Cryptography and Network Security—13th International Conference, ACNS
[50] A. Takayasu, N. Kunihiro, How to generalize RSA cryptanalyses, in Chen-Mou Cheng, Kai-Min Chung,
Giuseppe Persiano, and Bo-Yin Yang, editors, Public-Key Cryptography-PKC 2016—19th IACR Inter-
national Conference on Practice and Theory in Public-Key Cryptography, Volume 9615 of Lecture Notes
in Computer Science (Springer, 2016), pp. 67–97
[51] A. Takayasu, N. Kunihiro, Partial key exposure attacks on CRT-RSA: general improvement for the
exposed least significant bits, in Matt Bishop and Anderson C. A. Nascimento, editors, Information
Security—19th International Conference, ISC 2016, Volume 9866 of Lecture Notes in Computer Science,
(Springer, 2016), pp. 35–47
[52] A. Takayasu, N. Kunihiro, Partial key exposure attacks on RSA with multiple exponent pairs, in Joseph K.
Liu and Ron Steinfeld, editors, Information Security and Privacy—21st Australasian Conference, ACISP
[53] A. Takayasu, N. Kunihiro, Small secret exponent attacks on RSA with unbalanced prime factors, in 2016
International Symposium on Information Theory and Its Applications, ISITA 2016 (IEEE, 2016), pp.
236–240
[54] A. Takayasu, N. Kunihiro, General bounds for small inverse problems and its applications to multi-prime
RSA. IEICE Transactions, 100-A(1), 50–61 (2017)
[55] A. Takayasu, N. Kunihiro, A tool kit for partial key exposure attacks on RSA, in Helena Handschuh,
editor, Topics in Cryptology-CT-RSA 2017—The Cryptographers’ Track at the RSA Conference 2017,
Volume 10159 of Lecture Notes in Computer Science (Springer, 2017), pp. 58–73
[56] A. Takayasu, Y. Lu, L. Peng, Small CRT-exponent RSA revisited, in Jean-Sébastien Coron and Jes-
per Buus Nielsen, editors, Advances in Cryptology-EUROCRYPT 2017—36th Annual International
Conference on the Theory and Applications of Cryptographic Techniques, Volume 10211 of Lecture
Notes in Computer Science (2017), pp. 130–159
[57] M.J. Wiener, Cryptanalysis of short RSA secret exponents. IEEE Trans. Information Theory, 36(3),
553–558 (1990)

Small CRT Exponent RSA s00145-018-9282-3

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Small CRT Exponent RSA s00145-018-9282-3

Uploaded by

Copyright:

Available Formats

J Cryptol (2019) 32:1337–1382

Small CRT-Exponent RSA Revisited∗

Communicated by Serge Vaudenay.

© International Association for Cryptologic Research 2018

1.2. Technical Hardness

1.3. Our Results

1.4. Key Technique

edq = 1 + k(q − 1) (1)

with some integer k. By multiplying the equation by p, we obtain

edq p = p + k(N − p) = N + (k − 1)(N − p). (2)

Lemma 1. (Howgrave–Graham’s Lemma [20]) Let h̃(x1 , . . . , xr ) ∈ Z[x1 , . . . , xr ] be

To solve r -variate modular equations h(x1 , . . . , xr ) = 0 (mod W ), it suffices to find

as a basis is defined as L(b1 , . . . , bm ) := { j=1 c j b j : c j ∈ Z for all j = 1, 2, . . . , n}.

matrix B is denoted as L(B). We call a lattice full-rank if and only if n = m. The

Proposition 1. (LLL algorithm [25,30]) Given linearly independent vectors b1 , . . . , bn

b̃ j ≤ 2n(n−1)/4(n− j+1) det(L(B)))1/(n− j+1) for 1 ≤ j ≤ n,

in time polynomial in n and the maximum input length of b1 , . . . , bn .

Again, we explain how to solve the modular equation h(x1 , . . . , xr ) = 0 (mod W ).

3.1. An Overview of the Lattice Construction

with some integer k. If we can solve the following modular equation:

f q (xq , yq ) = 1 + xq (yq − 1) = 0 (mod e)

edq p = p + k(N − p) = N + (k − 1)(N − p).

whose root is (x p , y p ) = (k − 1, p). Let e = N α and dq = N δ . Then the absolute

3.1.1. May’s Matrix

where the rows consist of coefficients of seven polynomials:

X 4p Y p9 e4 < e7 ⇔ 4(α + β + δ − 1) + 9β < 3α

3.1.2. Bleichenbacher–May Matrix

The rows consist of coefficients of seven polynomials:

X 4p Y p4 Yq2 e4 < e7 ⇔ 4(α + β + δ − 1) + 4β + 2(1 − β) < 3α

3.1.3. Our Matrix

The rows consist of coefficients of six polynomials:

Although the above Bleichenbacher–May matrix used N −1 · yq f p (x p , y p ) in the bottom

X 3p X q Y p4 Yq e3 < e6 ⇔ 4(α + β + δ − 1) + 4β + (1 − β) < 3α

3.1.4. May’s Modulo q Attack

3.2. Attack for Large e

Theorem 1. Let N = pq be an RSA modulus, where p = N β and q = N 1−β for

Proof of Theorem 1. To solve the modular equation f q (xq , yq ) = 0 and equivalently

j] (x p , y p ). The (modified) Bleichenbacher–

Let B be a matrix whose rows consist of coefficients of g[i, j] (x p X p , y p Y p ), g[i,

y p Y p ), and g[i, j] (x p X p , xq X q , y p Y p , yq Yq ) with indices in Ix , I y, p , and I y,q , respec-

g[i, j] ≺ g[i, j] , g[i, j] ,

by omitting low-order terms of m. To minimize the left-hand side of the inequality, we

then the condition becomes

3.3. Attack for Small e

Theorem 2. Let N = pq be an RSA modulus, where p < N β and q ≥ N 1−β for

Proof of Theorem 2. To solve the modular equation f q (xq , yq ) = 0 and equivalently

g[i, j],λ (x p , xq , y p , yq ) := x p f p λi (x p , y p ) f q(1−λ)i (xq , yq )em−i ,

g[i, j],λ (x p , xq , y p , yq ) and g[i, j],λ (x p , x q , y p , yq ) for λ = 1. As the attack of Theorem 1,

Let B be a matrix whose rows consist of coefficients of g[i, j],λ (x p X p , xq X q , y p Y p , yq Yq )

and g[i, j],λ (x p X p , x q X q , y p Y p , yq Yq ) with indices in Ix and I y,q , respectively. If the

g[i, j],λ ≺ g[i, j],λ ,

g[i, j],λ ≺ g[i

g[i, j],λ ≺ g[i, j

• X qi Yq e for g[i, j],λ (x p X p , x q X q , y p Y p , yq Yq ).

by omitting low-order terms of m. To minimize the left-hand side of the inequality, we

then the condition becomes

as required. To satisfy the restrictions 0 < λ ≤ 1 and 1 − λ < τ ≤ 1, β(1 − β) ≤ α ≤

By construction, the attack always outperforms that under Bleichenbacher–May’s

3.4. Proof of Lemma 3

Table 1. Example of a matrix for m = 3 and λ = τ = 1/2.

Proof of Lemma 3. Since all the polynomials

g[i, j],λ (x p , xq , y p , yq ) = x p f p λi (x p , y p ) f q(1−λ)i (xq , yq )em−i

g[i, j],λ (x p , xq , y p , yq ) := x p f pλi (x p , y p ) f q(1−λ)i (xq , yq )em−i ,

g[i, j],λ (x p , xq , y p , yq ) = x p f pλi (x p , y p ) f q(1−λ)i (xq , yq )em−i

g[i, j],λ (x p , xq , y p , yq ) = x p f pλi (x p , y p ) f q(1−λ)i (xq , yq )em−i

By expanding (N xq − x p y p )λi and (x p + xq yq )(1−λ)i , the polynomial becomes

By expanding (N xq − x p y p )λi and (x p + xq yq )(1−λ)i ,

j j (i 1 +i 2 )/2 i1 i

j j (i 1 +i 2 )/2 i1 i

(−1)2i p,1 +i2 −i p +u− N i1 −i p,1 +(i1 +i2 )/2+ ·

(−1)2i p,1 +i2 −i p +u− N i1 −i p,1 +(i1 +i2 )/2+ ·

(−1)2i p,1 +i2 −i p +u− N i1 −i p,1 +i p + ·

(−1)2i p,1 +i2 −i p +u− N i1 −i p,1 +(i1 +i2 )/2+ ·

(i 1 +i 2 )/2− j1 i1 i

(i 1 +i 2 )/2− j1 m−(i 1 +i 2 )

N i1 −i p,1 +(i1 +i2 )/2 ·

(−1)2i p,1 +i2 −i p N i1 −i p,1 +(i1 +i2 )/2 ·

(−1)2i p,1 +i2 −i p N i1 −i p,1 +(i1 +i2 )/2 ·

i −k p,1 i 2 −k p,2 i p −(i 1 +i 2 )/2+ j1 m−(i 1 +i 2 )