Small Private Exponent Attacks on RSA Using Continued Fractions and Multicore Systems

Abstract

The RSA (Rivest–Shamir–Adleman) asymmetric-key cryptosystem is widely used for encryptions and digital signatures. Let $(n,e)$ be the RSA public key and d be the corresponding private key (or private exponent). One of the attacks on RSA is to find the private key d using continued fractions when d is small. In this paper, we present a new technique to improve a small private exponent attack on RSA using continued fractions and multicore systems. The idea of the proposed technique is to find an interval that contains $\varphi \left(n\right),$ and then propose a method to generate different points in the interval that can be used by continued fraction and multicore systems to recover the private key, where $\varphi$ is Euler’s totient function. The practical results of three small private exponent attacks on RSA show that we extended the previous bound of the private key that is discovered by continued fractions. When n is 1024 bits, we used 20 cores to extend the bound of d by $0.016$ for de Weger, Maitra-Sarkar, and Nassr et al. attacks in average times 7.67 h, 2.7 h, and 44 min, respectively.

1. Introduction

In 1978, Rivest, Shamir and Adleman [1] proposed the first asymmetric-key cryptosystem (RSA) for encryptions and digital signatures. Its security is based on the difficulty of factoring a large integer $n=p_1{p}_2$ that is a product of two large prime numbers $p_1$ and $p_2,$ with $p_1>p_2,$ of the same bit-sizes, i.e., $p_2<p_1<2p_2$. Although there is a quantum algorithm that factors integers in polynomial time [2], there is no polynomial time algorithm for factoring integers in classical computers.

The RSA encryption process of a message x is computing $x^e(modn),$ where $(n,e)$ is the RSA public key. The RSA decryption process of the ciphertext y is computing $y^d(modn),$ where d is the private key and satisfies that $ed-1=k\varphi \left(n\right)$ for some integer $k,$ where $\varphi \left(n\right)=(p_1-1)(p_2-1)$ is Euler’s totient function. The RSA encryption and decryption processes take times $O(loge{log}^{2}n)$ and $O(logd{log}^{2}n),$ respectively.

In order to speed up the decryption process, one might be tempted to use a small private exponent $d=n^{\delta },$, i.e., $\delta$ is small. Wiener [3] showed that if $d<\frac{1}{3}{n}^{1/4},$ i.e., $\delta \le 1/4,$ then d is one of the denominators of the convergents of the continued fraction expansion of $\frac{e}{n},$ and thus RSA is insecure. Boneh and Durfee [4] used the lattice reduction to improve the bound of d to be $n^{0.292},$ where their method is based on Coppersmith’s [5] technique to find small roots of modular polynomial equations.

Many other strategies [6,7,8,9,10] for improving the bound of d were inspired by Wiener’s result. They mainly try to find an approximation of $\varphi \left(n\right)$ better than n or to find a better lattice to recover large $d.$

For example, de Weger [6] used $n+1-2\sqrt{n}$ as an estimation of $\varphi \left(n\right)$ to recover d when $\delta <3/4-\beta ,$ where $p_1-p_2=n^{\beta },0.25<\beta \le 0.5.$ Maitra and Sarkar [9] used $n+1-\frac{3\sqrt{2}}{2}\sqrt{n}$ as an estimation of $\varphi \left(n\right)$ to recover d when $|2p_2-p_1|$ is small. Note that if $p_1-p_2=n^{\beta },0\le \beta \le 0.25,$ then Fermat’s factoring method [6,11,12,13] factorizes n in polynomial time.

In order to unify small private exponent attacks on RSA and to determine a universal attack using continued fractions or lattices, the authors in [14,15] proposed concepts of the Wiener and Coppersmith intervals using continued fractions and lattices, respectively. An integer interval I is called Wiener’s interval if each $m\in I$ satisfies Wiener’s attack, i.e., $|\frac{e}{m}-\frac{k}{d}|<\frac{1}{2d^2}.$ While an interval I is called Coppersmith’s interval if each $m\in I$ satisfies that the tuple $(u_0,v_0)=(k,\varphi \left(n\right)-m)$ is a root of the polynomial $F(u,v)=uv+mu+1(mode).$

In this paper, we are interested in improving the bound of d by:

• Proposing an interval I that contains $\varphi \left(n\right),$ Section 3. The proposed interval is not necessary a Wiener or Coppersmith interval. It is sufficient to find an approximation $m\in I$ of $\varphi \left(n\right)$ such that $|\frac{e}{m}-\frac{k}{d}|<\frac{1}{2d^2},$ i.e., Wiener’s attack using continued fraction succeeds.
• Proposing a new strategy to search for $m\in I$ such that $|\frac{e}{m}-\frac{k}{d}|<\frac{1}{2d^2}.$
• Using multicore systems to accelerate finding $m\in I$ such that $|\frac{e}{m}-\frac{k}{d}|<\frac{1}{2d^2}.$ The interval I is divided into subintervals of the same length approximately. Then each core searches for such m in one subinterval. We choose that the number of subintervals is equal to the number of available cores.

We use the proposed strategy to study practically the possibility of attacking RSA when $d=n^{\delta }<\sqrt{n}.$ Estimating a small interval that contains $\varphi \left(n\right)$ is not simple. Therefore, we estimate the interval based on some conditions on the primes factors of n as we will see in Section 3. The practical study of the proposed method shows that we succeed to factor n with $\delta$ greater than previously discovered using continued fractions.

The organization of this paper is as follows. Section 2 includes a brief background on continued fractions and a review of some results on small private exponent attacks on RSA. In Section 3, we propose three intervals that contain $\varphi \left(n\right)$ for three attacks on RSA. Each attack has different conditions on the prime factors $p_1$ and/or $p_2.$ In Section 4, we present a new technique to search for m in the estimated intervals to find a good approximation of $\varphi \left(n\right).$ Section 5 includes using multicore systems to study practically how the proposed technique can improve three attacks on RSA, i.e., extend the bound of $\delta$ in three attacks. The theoretical study of the complexity of the proposed attacks is presented in Section 6. The conclusion and future works are given in Section 7.

2. Preliminaries

This section presents a definition of continued fractions, how to calculate continued fractions and some theorems and lemmas necessary in this paper.

Given a non-negative rational number $r,$ a (finite) continued fraction expansion [16,17] of r (or simply we write $\mathcal{CF}\left(r\right))$ is an expression of the form:

$$r=r_1+\frac{1}{r_2+\frac{1}{r_3+\dots +\frac{1}{r_s}}}.$$

This expansion is denoted by $s-tuple$ of non-negative integers $[r_1,r_2,\dots ,r_s].$

The following steps are a polynomial time algorithm [18] of order $O\left(lo{g}^{2}y\right)$ for computing a unique $\mathcal{CF}\left(r\right)$ for the rational number $r=\frac{x}{y},$ where $x<y$ are two positive integers such that $gcd(x,y)=1:$

• $r_0=x/y.$
• Compute $r_i=\frac{1}{r_{i-1}-\lfloor r_{i-1}\rfloor },1\le i\le s,$ where $s\le 2logy$ is the smallest value of i such that $\lfloor c_i\rfloor =c_i.$
• Return $[r_1,r_2,\dots ,r_s],$ where $r_s>1.$

The $\mathcal{CF}\left(r\right)$ is infinite in case of r is irrational number, i.e.,

$$r_1+\frac{1}{r_2+\frac{1}{r_3+\dots +\frac{1}{\dots }}}.$$

In this case, we write the expansion as $[r_1,r_2,\dots ].$

Theorem 1.

((Legendre) [19]) Let λ be a real number, and $u,$v be two positive integers such that $gcd(u,v)=1.$ If

$$|\lambda -\frac{u}{v}|<\frac{1}{2v^2},$$

then $\frac{u}{v}$ is a convergent of $\mathcal{CF}\left(\lambda \right).$

Lemma 1

([20,21]). If n is a product of two primes $p_1$ and $p_2$ of the same size, then $n+1-\frac{3\sqrt{2}}{2}\sqrt{n}<\varphi \left(n\right)<n+1-2\sqrt{n}.$

Theorem 2.

([6]) Let $n=p_1{p}_2$ be a product of two primes $p_1,p_2$ of the same size, with $p_1>p_2.$ Suppose that $1<e,d<\varphi \left(n\right)$ satisfy $ed\equiv 1(mod\varphi (n\left)\right)$ and $d=n^{\delta }$. Given n and $e,$ the integer n can be factored in polynomial time in $logn$ if

$$\delta <\frac{3}{4}-\beta \mathit{using}\mathit{continued}\mathit{fraction}$$

(1)

$$\delta <\frac{1}{6}(4\beta +5)-\frac{1}{3}\sqrt{(4\beta +5)(4\beta -1)}\mathit{using}\mathit{lattice}$$

(2)

where $p_1-p_2=n^{\beta }.$

Proposition 1.

([9]) Suppose that l is a positive integer, and $n=p_1{p}_2$ is a product of two primes $p_1$ and $p_2.$ If $p_2>\frac{2l+2}{4l+1}{p}_1,$ then $|\frac{3}{\sqrt{2}}\sqrt{n}-(p_1+p_2)|<\frac{l{(2p_2-p_1)}^2}{(\frac{3}{\sqrt{2}}+2)\sqrt{n}}.$

Theorem 3.

([9]) Let l be a positive integer, and $n=p_1{p}_2$ be a product of two primes $p_1$ and $p_2$ with $p_2>\frac{2l+2}{4l+1}{p}_1,2p_2-p_1=n^{\theta },$ and $d=n^{\delta }.$ Then n can be factored in polynomial time in $logn$ when

$$\delta <\frac{3}{4}-\theta -\tau$$

(3)

where $2\tau >(log\frac{4l}{\frac{3}{\sqrt{2}}+2})\left(\frac{1}{logn}\right).$

Theorem 4

([14]). Let $(n=p_1{p}_2,e),$ and $d=n^{\delta }$ be the public and private keys of RSA, respectively, where $p_1>p_2$ and $2p_1<n-\frac{9}{4}\sqrt{n}.$ If $p_0\ge \sqrt{n}$ is an approximation for $p_1$ such that

$$|p_1-p_0|\le \frac{1}{8}{n}^{\alpha },\alpha \le \frac{1}{2},\delta <\frac{1-\alpha }{2}$$

(4)

Then $[n+1-{\lambda }_1,n+1-{\lambda }_2]$ is a Wiener’s interval for $(n,e),$ where

$$\begin{array}{c}\hfill {\lambda }_1=\left\{\begin{array}{cc}{p}_0+\frac{n}{p_0}+\frac{1}{8}{n}^{\alpha },\hfill & p_0\le p_1;\hfill \\ & \\ p_0+\frac{n}{p_0-\frac{1}{8}{n}^{\alpha }},\hfill & p_1\le p_0 and \sqrt{n}\le p_0-\frac{1}{8}{n}^{\alpha };\hfill \\ & \\ 2\sqrt{n}+\frac{1}{8}{n}^{\alpha },\hfill & p_1\le p_0 and p_0-\frac{1}{8}{n}^{\alpha }<\sqrt{n}.\hfill \end{array}\right.\end{array}$$

$$\begin{array}{c}\hfill {\lambda }_2=\left\{\begin{array}{cc}{p}_0+\frac{n}{p_0+\frac{1}{8}{n}^{\alpha }},\hfill & p_0\le p_1;\hfill \\ & \\ \frac{n}{p_0}+p_0-\frac{1}{8}{n}^{\alpha },\hfill & p_1\le p_0 and \sqrt{n}\le p_0-\frac{1}{8}{n}^{\alpha };\hfill \\ & \\ \sqrt{n}+\frac{n}{\sqrt{n}+\frac{1}{8}{n}^{\alpha }},\hfill & p_1\le p_0 and p_0-\frac{1}{8}{n}^{\alpha }<\sqrt{n}.\hfill \end{array}\right.\end{array}$$

3. Estimation of $\mathbf{\varphi }\left(\mathbf{n}\right)$

The main problem of using CFs in small private exponent attacks of RSA is to find a good approximation of $\varphi \left(n\right)$ to use it in Theorem 1. In this section, we estimate an interval I that contains $\varphi \left(n\right),$ i.e., determine the lower and upper bounds of $\varphi \left(n\right).$ In fact, estimating a small interval that contains $\varphi \left(n\right)$ is not easy. It is known that computing $\varphi \left(n\right)$ is computationally equivalent to factoring $n.$ Thus, we try to estimate I based on some conditions on the prime factors $p_1$ and $p_2$ of $n.$

In the following, we consider three cases for the prime factors $p_1$ and $p_2:$   

Attack 1: In [6], if $p_1-p_2=n^{\beta }$, $0.25\le \beta \le 0.5,$ then

$$\begin{array}{cc}\hfill n+1-\sqrt{n^{2\beta }+4n}& \le n+1-\sqrt{{(p_1-p_2)}^2+4n}\hfill \\ \hfill & =n+1-(p_1+p_2)=\varphi \left(n\right)\hfill \\ \hfill & <n-2\sqrt{n}\hfill \end{array}$$

Thus,

$$I=[n+1-\sqrt{n^{2\beta }+4n},n-2\sqrt{n}].$$

Attack 2: Using Proposition 1 and Theorem 3 if for a positive integer l, $\frac{2l+2}{4l+1}{p}_1$ and $2p_2-p_1=n^{\theta },$$\delta <\frac{3}{4}-\theta -\tau ,$ $2\tau >(log\frac{4l}{\frac{3}{\sqrt{2}}+2})\left(\frac{1}{logn}\right),$ then

$$|\frac{3\sqrt{2}}{2}\sqrt{n}-(p_1+p_2)|<\frac{l{(2p_2-p_1)}^2}{(\frac{3\sqrt{2}}{2}+2)\sqrt{n}}$$

Therefore,

$$n+1-\frac{3\sqrt{2}}{2}\sqrt{n}<\varphi \left(n\right)<n+1-\frac{3\sqrt{2}}{2}\sqrt{n}+\frac{l{(2p_2-p_1)}^2}{(\frac{3\sqrt{2}}{2}+2)\sqrt{n}}$$

It is clear that if $\frac{l}{\frac{3\sqrt{2}}{2}+2}<n^{ϵ},$ for a small value $ϵ,$ then

$$I=[n+1-\frac{3\sqrt{2}}{2}\sqrt{n},n+1-\frac{3\sqrt{2}}{2}\sqrt{n}+n^{2\theta -0.5+ϵ}].$$

Attack 3: Based on the result in [22], an approximation $p_0$ of the prime factor $p_1$ may be obtained by some expectations in side-channel attacks. In [14], if $p_2<p_1<2p_2$ and $p_0$ be an approximation of the prime factor $p_1$ where $|p_1-p_0|\le \frac{1}{2}{n}^{\alpha },$ then $\varphi \left(n\right)$ can be estimated to be in the interval

$$I=[n+1-(p_0+\frac{n}{p_0})-\frac{1}{2}{n}^{\alpha },n+1-(p_0+\frac{n}{p_0})+\frac{1}{2}{n}^{\alpha }].$$

The proof is as follows:

Let $p_1=c{n}^{1/2}.$ Then $p_2=\frac{1}{c}{n}^{1/2},$ where $1<c<\sqrt{2}$. We have $p_1+p_2=\frac{c^2+1}{c}{n}^{1/2}.$

Since $|p_1-p_0|\le \frac{1}{2}{n}^{\alpha },$ we have either $p_0\le p_1\le p_0+\frac{1}{2}{n}^{\alpha }$ or $p_0-\frac{1}{2}{n}^{\alpha }\le p_1\le p_0$.

If $p_0\le p_1\le p_0+\frac{1}{2}{n}^{\alpha },$ then $\frac{p_0}{\sqrt{n}}\le c\le \frac{p_0+\frac{1}{2}{n}^{\alpha }}{\sqrt{n}}.$ Therefore,

$$p_0+\frac{n}{p_0}\le p_1+p_2\le p_0+\frac{1}{2}{n}^{\alpha }+\frac{n}{p_0+\frac{1}{2}{n}^{\alpha }}.$$

Furthermore, if $p_0-\frac{1}{2}{n}^{\alpha }\le p_1\le p_0,$ then $\frac{p_0-\frac{1}{2}{n}^{\alpha }}{\sqrt{n}}\le c\le \frac{p_0}{\sqrt{n}}.$ Therefore,

$$p_0-\frac{1}{2}{n}^{\alpha }+\frac{n}{p_0-\frac{1}{2}{n}^{\alpha }}\le p_1+p_2\le p_0+\frac{n}{p_0}.$$

Therefore, either $p_0\le p_1\le p_0+\frac{1}{2}{n}^{\alpha }$ or $p_0-\frac{1}{2}{n}^{\alpha }\le p_1\le p_0,$ we have

$$|p_1+p_2-(p_0+\frac{n}{p_0})|\le \frac{1}{2}{n}^{\alpha }.$$

Thus,

$$\begin{array}{c}\hfill I=[n+1-(p_0+\frac{n}{p_0})-\frac{1}{2}{n}^{\alpha },n+1-(p_0+\frac{n}{p_0})+\frac{1}{2}{n}^{\alpha }].\end{array}$$

4. The Proposed Strategy

In this section, we propose a new strategy to search for $m\in I,$ such that $|\frac{e}{m}-\frac{k}{d}|<\frac{1}{2d^2}.$ In general, the proposed interval $I=[a,b]$ that contain $\varphi \left(n\right)$ are large. Since I is large, it is not feasible in polynomial time to test all integers in $I.$ The main problem is to determine the number of tested points, i.e., how many points are sufficient to find $\varphi \left(n\right)$ or to stop the search. Testing a fixed number L of points in I has a problem: if L is small, then we may not find the solution. Otherwise, i.e., if L is very large, then the distance between two consecutive points may be small and the time to find a solution may be large if the solution is in the last parts of $I.$ For this reason, we propose a new method to generate test points in I as follows (see Algorithm 1):

We first test whether $k/d$ is a convergent of $\mathcal{CF}(e/a)$ or $\mathcal{CF}(e/b).$ If $k/d$ is not a convergent of $\mathcal{CF}(e/a)$ or $\mathcal{CF}(e/b),$ we set the length $c=b-a$, $x_1=a,$$x_2=x_1+c,$ and then we repeat taking x as the midpoint between $x_1$ and $x_2,$ i.e., $x=(x_1+x_2)/2$ and check whether $k/d$ is a convergent of $\mathcal{CF}(e/x).$ If not, we repeat the previous steps with the length $c=c/2,$ change $x_1$ to be $x_2$ and $x_2$ to be $x_1+c$ until the midpoint x is greater than $b.$ For each new midpoint $x,$ the counter is increased by 1 as long as it does not exceed the maximum number of iterations $L.$ The loop is terminated either by:

• Finding a solution, Lines 19–20 in Algorithm 1.
• Exceed the maximum number of generated test points $L,$ Line 13 in Algorithm 1. This number can be replaced by a maximum time to find a solution.
• The number of round $i,$ i.e., number of iterations in the first while loop (Line 13 in Algorithm 1), is $i>\lfloor {log}_2(b-a)\rfloor ,$ i.e., $c\le 1.$ In this case, we exhausted most points in the interval and the total number of tested points is about

  $$2+\sum _{i=0}^{\lfloor {log}_2(b-a)\rfloor }{2}^i$$

  which is large when $b-a$ is large.

Figure 1 shows the idea of generating uniformly distributed $2^i$ test points in I for a round $i,$ where $c=\lfloor (b-a)/2^i\rfloor ,i\ge 0.$

For example, let $n=802117=761*991$ be an RSA modulus. We have I = [800218, 800326]. Figure 2 shows the generated test points in I for rounds $i=0,1,$ and $2,$ i.e., we repeat the second while loop (Lines 17–25) of Algorithm 1 three times $i=0,1,2.$ In Figure 3, we show the generation of the first fifty-five test points in the first 6 rounds (the sixth round is not completed).

Algorithm 1: Search for d

5. Implementation

In this section, we present the implementation of the proposed attack. The implementation is written in C/C++, compiled with GNU C++ Compiler, and run on an Intel(R) Xeon(R) E5645 CPU 2.40GHz running the Ubuntu operating system. We used GMP package [23], a free library for arbitrary precision arithmetic, and OpenMP (Open Multi-Processing) [24] to support multiprocessing programming in C.

The implementation considers the three attacks described in Section 3. If $\varphi \left(n\right)$ is expected to be in an interval $I=[a,b]$, then we distribute I on 20 threads. Let $S=\{a_0=a,a_1,\dots ,a_{20}=b\}$ be the set of end points of the 20 sub-intervals of $[a,b]$. Then thread number $i,$$1\le i\le 20,$ independently runs Algorithm 1 on the sub-interval $[a_{i-1},a_i[$. The size of the RSA modulus n conducted in the experimental study was 1024 bits, where each prime factor has 512 bits and was generated randomly. For most studied cases, the number of tested n is $100.$ The maximum value of test points was $L={10}^7.$

The First Attack: We consider the first attack in Section 3. We assume that $e\approx n$, $d=n^{\delta }$ and $p_1-p_2=n^{\beta },$ i.e., $\varphi \left(n\right)\in [n+1-\sqrt{n^{2\beta }+4n},n+1-2\sqrt{n}].$ Based on Equations (1) and (2), we study the performance of using the proposed technique to attack RSA when $\beta$ in the range $0.36\sim 0.5.$ For each selected value of $\beta ,$ we study the possibility of attack for different values of $\delta .$

Table 1. Performance of the first attack ($p_1-p_2=n^{\beta }$ and $d=n^{\delta }$) using 20 cores where t is the average of execution time (seconds) and l is the ceiling of the average number of test points.

$\mathit{\beta }$	$\mathit{\delta }$	Nu.	One Thread	20 Threads	Speedup
		Samples			(in Time)
0.5	0.256	100	$t=$ 0.043,  $l=$94	$t=$ 0.002,   $l=$ 4	21.5
	0.26	100	$t=$ 7.77,   $l=$ 15877	$t=$ 0.42,   $l=$ 856	18.5
	0.264	100	$t=$ 2002.6,   $l=$ 3097665	$t=$ 111.7,   $l=$ 112900	17.9
	0.268	20	-	$t=$ 39739.6,   $l=$ 500482
0.46	0.296	100	$t=$ 0.063, $l=$ 118	$t=$ 0.003, $l=$ 7	21
	0.3	100	$t=$ 10.854, $l=$ 23867	$t=$ 0.5781, $l=$ 1153	19
	0.304	100	$t=$ 3296.8, $l=$ 3660146	$t=$ 173.93, $l=$ 137063	18.9
	0.308	20	-	$t=$ 57539.5, $l=$ 555210
0.44	0.316	100	$t=$ 0.031, $l=$ 63	$t=$ 0.002, $l=$ 4	15.5
	0.32	100	$t=$ 5.22, $l=$ 11104	$t=$ 0.28, $l=$ 576	18.6
	0.324	100	$t=$ 1000.23, $l=$ 1406319	$t=$ 56.68, $l=$ 57944	17.6
	0.328	20	-	$t=$ 13288.79, $l=$ 172930
0.4	0.356	100	$t=$ 0.034, $l=$ 71	$t=$ 0.002, $l=$ 4	17
	0.36	100	$t=$ 5.024, $l=$ 12147	$t=$ 0.28, $l=$ 574	17.9
	0.364	100	$t=$ 1926.7, $l=$ 2158924	$t=$ 115.7, $l=$ 85716	16.6
	0.368	20	-	$t=$ 10148.54, $l=$ 130304
0.36	0.396	100	$t=$ 0.069, $l=$ 68	$t=$ 0.004, $l=$ 3	17.25
	0.4	100	$t=$ 5.37, $l=$ 12993	$t=$ 0.29, $l=$ 605	18.5
	0.404	100	$t=$ 1319.3, $l=$ 2102342	$t=$ 77.32, $l=$ 79480	17.0
	0.408	20	-	$t=$ 17501.6, $l=$ 222104

shows the average execution time and the (ceiling of) the average number of tested points of running the attack using single core and 20-cores. For $\beta =0.5,0.46,044,0.4,$ and $0.36$ we study $\delta$ in the ranges 0.256∼0.268, 0.296∼0.308, 0.316∼0.328, 0.356∼0.368, 0.396∼0.408, respectively. All values of $\delta$ in the table are greater than the bound of de Weger [6] using continued fractions, Equation (1). This means that the proposed method using continued fractions and 20 cores succeeded to extend the bound of $d.$ Furthermore, the results in the table show that $\delta$ is in the range of de Weger’s results [6] using lattice, Equation (2) The parallel (multicore) implementation of the attack speeds up the sequential implementation by $18.1$ on average.

The Second Attack: We consider the second attack in Section 3. We assume that $e\approx n$, $d=n^{\delta }$ and $2p_2-p_1\le n^{\theta },$ i.e., $\varphi \left(n\right)\in [n+1-\frac{3\sqrt{2}}{2}\sqrt{n},n+1-\frac{3\sqrt{2}}{2}\sqrt{n}+n^{2\theta -0.5+ϵ}].$ Based on Equation (3), we study the performance of using multicore systems to attack RSA when $\theta$ in the range $0.36\sim 0.46.$ For each selected values of $\theta ,$ we study the possibility of attack for different values of $\delta .$

Table 2. Performance of the second attack ($2p_2-p_1=n^{\theta }$ and $d=n^{\delta }$) using 20 cores where t is the average execution time (seconds) and l is the ceiling of the average number of test points.

$\mathit{\theta }$	$\mathit{\delta }$	Nu.	One Thread	20 Threads	Speedup
		Samples			(in Time)
0.46	0.296	100	$t=$ 0.035, $l=$ 53	$t=$ 0.002,   $l=$ 4	17.5
	0.3	100	$t=$ 3.69, $l=$ 6639	$t=$ 0.23, $l=$ 486	16.0
	0.304	100	$t=$ 973.7, $l=$ 394798	$t=$ 61.38, $l=$ 15819	15.8
	0.308	20	-	$t=$ 20716.3, $l=$ 266455
0.44	0.316	100	$t=$ 0.020, $l=$ 38	$t=$ 0.001, $l=$ 2	20
	0.32	100	$t=$ 1.91, $l=$ 4488	$t=$ 0.10, $l=$ 207	19.1
	0.324	100	$t=$ 543.2, $l=$ 213884	$t=$ 30.19, $l=$ 7812	17.9
	0.328	20	-	$t=$ 7901.3, $l=$ 101421
0.4	0.356	100	$t=$ 0.019, $l=$ 34	$t=$ 0.001, $l=$ 2	19
	0.36	100	$t=$ 1.50, $l=$ 3096	$t=$ 0.09, $l=$ 202	16.6
	0.364	100	$t=$ 501.4, $l=$ 220657	$t=$ 27.43, $l=$ 7077	18.2
	0.368	20	-	$t=$6355.7 $l=$ 82008
0.36	0.396	100	$t=$ 0.019, $l=$ 37	$t=$ 0.001, $l=$ 2	19
	0.4	100	$t=$ 1.52, $l=$ 2551	$t=$ 0.10, $l=$ 203	15.2
	0.404	100	$t=$ 464.9, $l=$ 311345	$t=$ 32.83, $l=$ 8331	14.1
	0.408	20	-	$t=$ 4624.7, $l=$ 58978

shows the average execution time and the (ceiling of the) average number of tested points of running the attack using single core and 20-cores. For $\theta =0.46,0.44,0.4,$ and $0.36,$ we study $\delta$ in the ranges 0.296∼0.308, 0.316∼0.328, 0.356∼0.368 and 0.396∼0.408, respectively.

All values of $\delta$ in the table are greater than the bound of Maitra-Sarkar [9] using continued fractions, i.e., $\delta <3/4-\theta -\tau .$ This means that the proposed method using continued fractions and 20 cores succeeded to extend the bound of $d.$ The parallel (multicore) implementation of the attack speeds up the sequential implementation by $17.3$ on average

The Third Attack: we consider the third attack in Section 3. We assume that an approximation $p_0$ of $p_1$ is obtained where $|p_0-p_1|<\frac{1}{2}{n}^{\alpha },$ i.e.,

$$\varphi \left(n\right)\in [n+1-(p_0+\frac{n}{p_0})-\frac{1}{2}{n}^{\alpha },n+1-(p_0+\frac{n}{p_0})+\frac{1}{2}{n}^{\alpha }].$$

We study the performance of using multicore systems to attack RSA when $\alpha >0.25$, and and $\delta$ as in Equation (4). We choose $\alpha$ in the range 0.36∼0.46. For each selected value of $\alpha ,$ we study the possibility of the attack for different values of $\delta .$

Table 3. Performance of the third attack ( $p_2<p_1<2p_2$, $|p_0-p_1|=\frac{1}{2}{n}^{\alpha }$ and $d=n^{\delta }$) using 20 cores where t is the average of execution time (seconds) and l is the ceiling of the average number of test points.

$\mathit{\alpha }$	$\mathit{\delta }$	Nu.	One Thread	20 Threads	Speedup
		Samples			(in Time)
0.46	0.274	100	$t=$ 0.013, $l=$ 26	$t=$ 0.001, $l=$ 2	13
	0.278	100	$t=$ 0.44, $l=$ 1121	$t=$ 0.03, $l=$ 53	14.6
	0.282	100	$t=$ 91.64, $l=$ 57602	$t=$ 5.189, $l=$ 1342	17.6
	0.286	20	-	$t=$ 966.6, $l=$ 13539
0.44	0.284	100	$t=$ 0.012, $l=$ 21	$t=$ 0.001, $l=$ 2	12
	0.288	100	$t=$ 0.28, $l=$ 610	$t=$ 0.02 $l=$ 35	14
	0.292	100	$t=$ 250.3, $l=$ 144888	$t=$ 13.49, $l=$ 3480	18.5
	0.296	20	-	$t=$ 3324.8, $l=$ 41458
0.4	0.304	100	$t=$ 0.015, $l=$ 31	$t=$ 0.001, $l=$ 2	15
	0.308	100	$t=$ 0.50, $l=$ 1441	$t=$ 0.03, $l=$ 71	16.6
	0.312	100	$t=$ 144.0, $l=$ 97241	$t=$ 8.39, $l=$ 2185	17.1
	0.316	20	-	$t=$ 1818.5, $l=$ 24390
0.36	0.324	100	$t=$ 0.012, $l=$ 25	$t=$ 0.001, $l=$ 2	12
	0.328	100	$t=$ 0.27, $l=$ 515	$t=$ 0.02, $l=$ 34	13.5
	0.332	100	$t=$ 58.12, $l=$ 36556	$t=$ 3.81, $l=$ 997	15.2
	0.336	20	-	$t=$ 4342.7, $l=$ 52888

shows the average execution time and the (ceiling of the) average number of tested points of running the attack using single core and 20-cores. For $\alpha =0.46,0.44,0.4,$ and $0.36$ we study $\delta$ in the ranges 0.274∼0.286, 0.284∼0.296, 0.304∼0.316, and 0.324∼0.336, respectively.

All values of $\delta$ in the table are greater than the bound of Equation (4) using continued fractions. This means that the proposed method using continued fractions and 20 cores succeeded to extend the bound of $d.$ The parallel (multicore) implementation of the attack speeds up the sequential implementation by $14.9$ on average.

Table 4. Comparison in the upper bound of $\delta$ between the proposed and previous attacks using continued fractions, where $\eta$ is a small positive number.

Conditions of Attacks	Bound of $\mathit{\delta }$	Our Result
$|p_1-p_2|\le n^{\beta }$	[6]
$0.25\le \beta \le 0.5$	$\delta <3/4-\beta$	$\delta <3/4-\beta +\eta$
$|2p_2-p_1|\le n^{\theta }$	[9]
$0.25\le \theta \le 0.5$	$\delta <3/4-\theta$	$\delta <3/4-\theta +\eta$
$p_0\ge \sqrt{n}$ is an approximation for $p_1$	[14]
$|p_1-p_0|\le \frac{1}{8}{n}^{\alpha }$, $\alpha \le \frac{1}{2}$	$\delta <\frac{1-\alpha }{2}$	$\delta <\frac{1-\alpha }{2}+\eta$

shows the upper bound of $\delta$ for the proposed attacks and previous attacks [6,9,14] using continued fractions. The proposed attack raises the previous bound of $\delta$ by $\eta .$ As we can see from Table 1, Table 2 and Table 3, the value of $\eta$ depends on the number of generated test points in $I.$ The execution times required to complete the attacks depend on the number of cores, type of attack, and $\eta .$ For example, if $\eta =0.016,$ then the execution time to find the private key for the third attack (Table 3) is 44 min on average, while the execution times are $7.67$ h for the first attack (Table 1) and $2.7$ h for the second attack (Table 2).

6. Complexity Analysis

Let $m_0$ be an approximation for $\varphi \left(n\right)$. In the following lemma, we show the relationship between the difference $m_0-\varphi \left(n\right)$ and the upper bounds of e and d.

Lemma 2.

Let n be a positive composite integer, $e=n^{\xi }$, $d=n^{\delta }$ and $e,d<\varphi \left(n\right),$ where $ed=1+k\varphi \left(n\right).$ If $|m-\varphi \left(n\right)|=n^{\gamma }$ and $8(1+ϵ)<n^{2-(\xi +\gamma +2\delta )}$ where $m,\varphi \left(n\right)>n/2$, then $k/d$ is a convergent of $\mathcal{CF}(e/m),$ i.e.,

$$\left|\frac{e}{m}-\frac{k}{d}\right|<\frac{1}{2d^2}$$

Proof. 

We have

$$\begin{array}{cc}\hfill \left|\frac{e}{m}-\frac{k}{d}\right|& =\left|\frac{1+k\varphi \left(n\right)-km}{md}\right|\hfill \\ \hfill & <\left|\frac{2k(n^{\gamma }+1)}{nd}\right|\hfill \end{array}$$

(5)

Also, we have $k=\frac{ed-1}{\varphi \left(n\right)}<\frac{2ed}{n}$, $k<2n^{\xi +\delta -1}$. Therefore, Equation (5) leads to

$$\begin{array}{cc}\hfill \left|\frac{e}{m}-\frac{k}{d}\right|& <4n^{\xi -2}(n^{\gamma }+1)\hfill \\ \hfill & <4(1+ϵ)n^{\xi +\gamma -2}\hfill \\ \hfill & <\frac{1}{2}{n}^{-2\delta }=\frac{1}{2d^2}\hfill \end{array}$$

□

Suppose that $\varphi \left(n\right)$ is in an interval $[a,b]$, i.e., $a\le \varphi \left(n\right)\le b$. We show, in the following theorem, the relationship between the length $b-a$ of this interval and the running time to retrieve the private exponent $d.$

Theorem 5.

Let $(n,e=n^{\xi })$ be a public key of RSA and $d=n^{\delta }$ be the corresponding private exponent. Suppose that we can estimate $\varphi \left(n\right)\in [a,b]$ for two known values a and b and we divide $[a,b]$ into $S-1$ subintervals of the same size such that

$$\frac{b-a}{S}\le \frac{1}{4(1+ϵ)}{n}^{2-(\xi +2\delta )}$$

for a small value $ϵ.$ Then d can be obtained in time in $llogn$.

Proof. 

Let $\{m_1,m_2,\dots ,m_S\}$ be points of a subdivision for the interval $[a,b]$ where $m_{i+1}-m_i=\lfloor \frac{b-a}{S}\rfloor$ for $i=1,2,\dots ,S-1$. We test for every $m_i$ whether $k/d$ is a convergent of $\mathcal{CF}(e/m_i).$ Let $m_{i_0}$ satisfies that

$$\left|m_{i_0}-\varphi \left(n\right)\right|\le \left|m_i-\varphi \left(n\right)\right|,1\le i\le S.$$

Thus, $|m_{i_0}-\varphi \left(n\right)|\le \lfloor \frac{b-a}{2S}\rfloor$. Thus, we have

$$\begin{array}{cc}\hfill |m_{i_0}-\varphi \left(n\right)|& \le \frac{b-a}{2S}\hfill \\ \hfill & \le \frac{1}{8(1+ϵ)}{n}^{2-(\xi +2\delta )}\hfill \end{array}$$

Let $\frac{b-a}{2S}=n^{\gamma },$ for some real number $\gamma .$ Then, we have $8(1+ϵ)<n^{2-(\xi +\gamma +2\delta )}$. By Lemma 2, $k/d$ is a convergent of $\mathcal{CF}(e/m_{i_0}).$ Since computing $\mathcal{CF}(e/m_i)$ takes a polynomial time in $logn$, so to test all $e/m_i,$$i=1,2,\dots ,S,$ we need a time of order $Slogn.$ □

Theorem 5 shows that the complexity of the proposed method depends on the size of S besides the length of $I.$

7. Conclusions and Future Works

The RSA cryptosystem is used in the most popular security products and protocols in use today. We have presented a new technique to improve a small private exponent attack on RSA. We have successfully raised the upper bound of the private exponent d by $\eta =0.016$ using continued fractions and multicore systems for three small private exponent attacks in RSA: de Weger [6], Maitra-Sarkar [9], and Nassr et al. [14]. The average execution times for the attacks are 7.67 h, 2.7 h, and 44 min, respectively. These results were obtained using 20 cores and for n with 1024 bits. The execution time and the value of $\eta$ can be improved by

• Finding a shorter interval for $\varphi \left(n\right),$, i.e., finding better lower and upper bounds of $\varphi \left(n\right).$ In particular, when the prime factors $p_1$ and $p_2$ satisfy some conditions as in the three attacks.
• Improving test points generation to find a value close to $\varphi \left(n\right).$ We have presented a new strategy (Algorithm 1) to generate such points.
• Increasing the number of cores.

Increasing the number of cores is necessary to complete the attack in a reasonable time, but it is expected that increasing the number of cores only will not increase $\eta$ dramatically since the proposed interval for $\varphi \left(n\right)$ is not small.

The results presented in the paper can be extended to different variations of RSA such as [25,26,27,28,29,30]. The results can also be applied to different attacks [4,31] on the private exponent of RSA that use lattices instead of continued fractions. It is also possible to use cloud systems (with thousands of cores) to implement the attacks.

Thus, interesting research questions raised by this study are (1) how to get better lower and upper bounds of $\varphi \left(n\right)$? (2) how to improve test point generation.