
Generalized Implicit Factorization Problem

Yansong Feng, Abderrahmane Nitaj, Yanbin Pan

TL;DR

The paper introduces the Generalized Implicit Factorization Problem (GIFP), which extends the Implicit Factorization Problem by allowing the $\gamma n$ shared consecutive bits of the two primes to occur at different positions. It reduces GIFP to an Approximate Common Divisor Problem and uses a lattice-based Coppersmith approach with a high-dimensional polynomial construction to factor two RSA moduli $N_1=p_1q_1$ and $N_2=p_2q_2$ when $p_1$ and $p_2$ share bits with density $\gamma$ such that $\gamma > 4\alpha(1-\sqrt{\alpha})$ and $\alpha+\gamma \le 1$. The authors derive the lattice design, including a variable $w$ that reduces the determinant, and give an analysis that relies on a heuristic assumption, together with experimental validation that supports practicality and scalability; open-source code is available. This work broadens the threat model for RSA key generation by showing that relaxing bit-position constraints can still yield polynomial-time attacks, and it raises open questions about tightening the bound to match existing MSB/LSB results.
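As an added illustration (not code from the paper or its authors), the following key-generation audit measures the longest run of consecutive bits that two primes share at any positions and compares its density with the condition quoted above. It assumes $n$ is the bit length of the moduli and $\alpha n$ the bit length of $q_1, q_2$, which the summary does not spell out; the function names and sample values are constructed.

```python
import math

def longest_shared_run(p1: int, p2: int) -> int:
    """Longest run of consecutive bits present in both p1 and p2,
    at any (possibly different) positions: longest common substring."""
    a, b = bin(p1)[2:], bin(p2)[2:]
    prev = [0] * (len(b) + 1)   # prev[j]: common run ending at previous bit of a and b[j-1]
    best = 0
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def gifp_bound(alpha: float) -> float:
    """Right-hand side of the quoted condition gamma > 4*alpha*(1 - sqrt(alpha))."""
    return 4 * alpha * (1 - math.sqrt(alpha))

def in_gifp_range(p1: int, p2: int, n: int, alpha: float) -> bool:
    """True if the measured sharing density meets both quoted conditions.
    Assumption: n = modulus bit length, alpha*n = bit length of q1, q2."""
    gamma = longest_shared_run(p1, p2) / n
    return gamma > gifp_bound(alpha) and alpha + gamma <= 1

# Constructed 64-bit bit patterns (not real primes; only the bits matter here).
M = 0xDEADBEEFCAFE                      # 48-bit block shared by P1 and P2
P1 = (0xA << 60) | (M << 12) | 0x001    # block sits at bit offset 12
P2 = (0x801 << 52) | (M << 4) | 0x3     # same block at bit offset 4
P3 = (1 << 63) | 1                      # unrelated pattern

if __name__ == "__main__":
    n, alpha = 80, 0.2                  # toy sizes: 64-bit p, 16-bit q
    for name, other in (("P2", P2), ("P3", P3)):
        run = longest_shared_run(P1, other)
        print(f"P1/{name}: shared run {run} bits, gamma={run / n:.3f}, "
              f"bound={gifp_bound(alpha):.3f}, "
              f"flagged={in_gifp_range(P1, other, n, alpha)}")
```

The scan is quadratic in the bit length, which is about a million cell updates for two 1024-bit primes.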

Abstract

The Implicit Factorization Problem was first introduced by May and Ritzenhofen at PKC'09. This problem aims to factorize two RSA moduli $N_1=p_1q_1$ and $N_2=p_2q_2$ when their prime factors share a certain number of least significant bits (LSBs). They proposed a lattice-based algorithm to tackle this problem and extended it to cover $k>2$ RSA moduli. Since then, several variations of the Implicit Factorization Problem have been studied, including the cases where $p_1$ and $p_2$ share some most significant bits (MSBs), middle bits, or both MSBs and LSBs at the same position. In this paper, we explore a more general case of the Implicit Factorization Problem, where the shared bits are located at different and unknown positions for different primes. We propose a lattice-based algorithm and analyze its efficiency under certain conditions. We also present experimental results to support our analysis.

Paper Structure

This paper contains 12 sections, 4 theorems, 36 equations, 1 figure, 4 tables.

Key Result

Theorem

Given an $n$-dimensional lattice $\mathcal{L}$, we can find an LLL-reduced basis $\left\{\mathbf{v_1},\mathbf{v_2},\dots,\mathbf{v_n}\right\}$ of $\mathcal{L}$ in polynomial time, which satisfies

Figures (1)

  • Figure 1: Shared bits $M$ for $p_1$ and $p_2$

Theorems & Definitions (8)

  • Definition: Lattice
  • Definition: Shortest Vector Problem (SVP)
  • Theorem: LLL Algorithm
  • Theorem: Howgrave-Graham [howgrave1997finding]
  • Definition: GIFP($n, \alpha, \gamma$)
  • Theorem
  • Proof
  • Lemma