1: \documentclass[11pt]{amsart}
2:
3: \usepackage{amsthm}
4:
5: %\pagestyle {myheadings} \markboth{ \hfill {Andrej Dujella} \hfill
6: %}
7: % { \hfill {Continued fractions and RSA} \hfill }
8:
9:
10: \newtheorem{theorem}{Theorem}
11: \newtheorem{lemma}{Lemma}
12: \newtheorem{corollary}{Corollary}
13: \newtheorem{definition}{Definition}
14: \newtheorem{remark}{Remark}
15: \newtheorem{example}{Example}
16: \newtheorem{proposition}{Proposition}
17:
18: \newcommand {\pf} {\mbox{\sc Proof. \,\,}}
19:
20: \newcommand {\qqed} {\null \hfill \rule{2mm}{2mm}}
21:
22:
23: \begin {document}
24:
25: \title[Continued fractions and RSA]{Continued fractions and RSA with small secret exponent }
26:
27:
28: \author
29: {{\sc Andrej Dujella} }
30:
31: \date{}
32:
33: \begin{abstract}
\noindent Extending the classical result of Legendre, we describe
all solutions of the inequality $|\alpha - a/b| < c/b^2$ in terms
of the convergents of the continued fraction expansion of $\alpha$.
Namely, we show that $a/b = (rp_{m+1} \pm sp_m) / (rq_{m+1} \pm
sq_m)$ for some nonnegative integers $m,r,s$ such that $rs < 2c$.
As an application of this result, we describe a modification of
the Verheul and van Tilborg variant of Wiener's attack on the RSA
cryptosystem with small secret exponent.
42: \end{abstract}
43:
44: \maketitle
45:
46: \footnotetext{ {\it 2000 Mathematics Subject Classification.}
47: 11A55, 94A60.
48:
49: {\it Key words and phrases.} Continued fractions, Diophantine
50: approximations, RSA cryptosystem,
51: cryptanalysis.}
52:
53: \section{Introduction}
54:
The most popular public key cryptosystem in use today is
RSA \cite{RSA}. Its security is based on
the difficulty of finding the prime factors of large
integers.

The modulus $n$ of an RSA cryptosystem is the product of two large
primes $p$ and $q$. The public exponent $e$ and the secret
exponent $d$ are related by $ed\equiv 1 \pmod{\varphi(n)}$, where
$\varphi(n)= (p-1)(q-1)=n-p-q+1$. In a typical RSA cryptosystem
$p$ and $q$ have approximately the same number of bits, and $e<n$.
The encryption and decryption algorithms are given by $C= M^e
\bmod n$ and $M=C^d \bmod n$.
67:
To speed up RSA encryption or decryption one may try to use a small
public or secret exponent.
The choice of a small $e$ or $d$ is especially
interesting when there is a large difference in computing power
between two communicating devices,
e.g. in communication between a smart card and a larger computer.
In this situation,
it would be desirable for the
smart card to have a small secret exponent, and for the
larger computer to have a small public exponent, in order
to reduce the processing required in the smart card.
79:
However, in 1990 Wiener \cite{Wiener} described an attack on a
typical RSA with small secret exponent. He showed that if
$d<n^{0.25}$, then $d$ is the denominator of some convergent of
the continued fraction expansion of $e/n$, and therefore $d$ can
be computed efficiently from the public key $(n,e)$. His result is
based on the classical theorem of Legendre on Diophantine
approximations of the form $|\alpha - \frac{a}{b}| <
\frac{1}{2b^2}$. Pinch \cite{Pinch} extended the attack to some
other cryptosystems. In 1997, Verheul and van Tilborg \cite{V-vT}
proposed an extension of Wiener's attack that allows the RSA
cryptosystem to be broken by an exhaustive search when $d$ is a
few bits longer than $n^{0.25}$.
92:
In this paper, we generalize Legendre's result to Diophantine
approximations of the form $|\alpha - \frac{a}{b}| <
\frac{c}{b^2}$. We show that this result leads to a more
efficient variant of the above mentioned attacks.
97:
98: \bigskip
99:
Our attack on RSA will closely follow Wiener's ideas, but let us
very briefly mention some other attacks on RSA with small exponent
$d$. In 1999, Boneh and Durfee \cite{B-D1} proposed an attack on
RSA with small secret exponent which is based on Coppersmith's
lattice-based technique for finding small roots of bivariate
modular polynomial equations \cite{Cop}. The attack works if $d<
n^{0.292}$. A similar attack was proposed by Bl\"omer and May
\cite{B-M} for $d< n^{0.29}$. Recently, it was noted by Hinek, Low
and Teske \cite{H-L-T} (see also \cite{Hinek}) that these
theoretical bounds on $d$ are not correct (some quantity which
appears in the analysis is not negligible). Also, it should be
noted that Coppersmith's theorem is for the univariate case; in
the bivariate case it is only a heuristic result for now. On the
other hand, it seems that these attacks work well in practice.
114:
115:
116:
117: \section{Wiener's attack on RSA} \label{sec:wie}
118:
In 1990, Wiener \cite{Wiener} described a polynomial time
algorithm for breaking a typical (i.e. $p$ and $q$ are of the
same size and
$e<n$) RSA cryptosystem if the secret exponent $d$ has at most
one-quarter as many bits as the modulus $n$. Wiener's attack
is usually described in the following form (see
\cite{B-notices,Smart}):

If $p<q<2p$, $e<n$ and $d<\frac{1}{3}\sqrt[4]{n}$, then $d$ is the
denominator of a convergent of the continued fraction expansion of
$\frac{e}{n}$.
130:
The starting point is the basic relation between the exponents,
$$ed\equiv 1 \pmod{\varphi(n)}.$$ This means that there is an
integer $k$ such that $ed- k\varphi(n)=1$. Now, $ \varphi(n)
\approx n$ implies $\frac{k}{d} \approx \frac{e}{n}$. More
precisely, we have $ n-3\sqrt{n} < \varphi(n) < n$ and $$ \Big|
\frac{k}{d} - \frac{e}{n} \Big| < \frac{3k}{d\sqrt{n}} <
\frac{1}{2d^2}. $$ Hence, by Legendre's theorem, $\frac{k}{d}$ is
a convergent of the continued fraction expansion of $\frac{e}{n}$.
139:
If $[a_0;a_1,a_2, \ldots]$ is the continued fraction expansion
of a real number $\alpha$, then the convergents $\frac{p_j}{q_j}$
satisfy $p_0=a_0$, $q_0=1$, $p_1=a_0a_1+1$, $q_1=a_1$,
\begin{eqnarray*}
p_i &=& a_ip_{i-1}+p_{i-2}, \\ q_i &=& a_iq_{i-1}+q_{i-2}.
\end{eqnarray*}
Therefore, the denominators grow exponentially. This means that
the total number of convergents of $\frac{e}{n}$ is $O(\log{n})$.
If a convergent can be tested in polynomial time, this
gives a polynomial-time algorithm for determining $d$.
150:
Wiener proposed the following method for testing convergents. Let
$\frac{a}{b}$ be a convergent of $\frac{e}{n}$. If it is the
correct guess for $\frac{k}{d}$, then $\varphi(n)$ can be computed
from $\varphi(n) = (p-1)(q-1)= (be-1)/a$. Now we can compute
$\frac{p+q}{2}$ from the identity $$ \frac{pq - (p-1)(q-1) +1}{2}
= \frac{p+q}{2}, $$ and $\frac{q-p}{2}$ from the identity $(
\frac{p+q}{2} )^2 - pq = ( \frac{q-p}{2} )^2$. If the numbers
$\frac{p+q}{2}$ and $\frac{q-p}{2}$, obtained from these identities,
are positive integers, then the convergent $\frac{a}{b}$ is the
correct guess for $\frac{k}{d}$. We can then easily recover $p$
and $q$ from $\frac{p+q}{2}$ and $\frac{q-p}{2}$.
162:
Another possibility for detecting the correct convergent is to
test which one gives a $d$ satisfying $(M^e)^d \equiv
M\pmod{n}$ for some random value of $M$.
166:
167:
\begin{example} \label{ex:1}
{\rm Let $n=7978886869909$, $e=3594320245477$, and assume that
$d<561$. The continued fraction expansion of $\frac{e}{n}$ is $$ [0;
2, 4, 1, 1, 4, 1, 2, 31, 21, 1, 3, 1, 16, 3, 1, 114, 10, 1, 4, 5,
1, 2], $$ and the convergents are $$ 0,\, \frac{1}{2},\,
\frac{4}{9},\, \frac{5}{11},\, \frac{9}{20},\, \frac{41}{91},\,
\frac{50}{111},\, \frac{141}{313},\, \frac{4421}{9814},\, \ldots
\,.$$ Applying the test $(2^e)^d \equiv 2 \pmod{n}$, we obtain
$d=313$. Of course, the same result can be obtained with the
original Wiener's test. For $\frac{a}{b}=\frac{141}{313}$ we find
$\frac{p+q}{2}= 2878805$, $\frac{q-p}{2}=555546$, and this yields
the factorization $n=2323259 \cdot 3434351$. }
\end{example}
181:
182: \bigskip
183:
184: We have seen in the previous example that the correct convergent
185: was the last convergent with denominator less than
186: $\frac{1}{3}\sqrt[4]{n}$. This suggests that perhaps it is not
187: necessary to test all convergents. We will justify this assertion.
188:
To do that, we need a more precise estimate of $| \frac{k}{d} -
\frac{e}{n}|$, which corresponds to a better approximation of
$\varphi(n)$. Assume that $p < q < 2p$. Then $\frac{(p+q)^2}{n} =
192: 2+ \frac{p^2+q^2}{pq}$ and thus $2\sqrt{n} < p+q <
193: \frac{3\sqrt{2}}{2} \sqrt{n} < 2.1214 \sqrt{n}$. This implies $$
194: \frac{k}{d} - \frac{e}{n} = \frac{k(p+q)-k-1}{dn} >
195: \frac{2k(\sqrt{n}-1)}{dn}. $$ Since $\frac{k}{d} > \frac{e}{n}
196: \cdot \frac{n}{n-2\sqrt{n}+1}$, we obtain
197: \begin{equation} \label{>}
198: \frac{k}{d} - \frac{e}{n} > \frac{2e}{n\sqrt{n}}.
199: \end{equation}
200: In the opposite direction we have
201: $$ \frac{k}{d} - \frac{e}{n} < \frac{2.1214 k}{d\sqrt{n}}. $$
202: We may assume that $n>{10}^8$. Then $\frac{k}{d} < 1.00023 \frac{e}{n}$,
203: and finally
204: \begin{equation} \label{<}
205: \frac{k}{d} - \frac{e}{n} < \frac{2.122\, e}{n\sqrt{n}}.
206: \end{equation}
207: Similarly we find that
208: $$ \frac{k}{d} - \frac{e}{n} <
209: \frac{3.183\, e}{n\sqrt{n}}$$
210: if $p < q < 8p$.
211:
212: In the rest of the paper we will work under the assumption that
213: $p<q<2p$, but the arguments can be easily modified to the case
214: $p<q<8p$.
215:
From (\ref{>}) and (\ref{<}) we may conclude that $\frac{k}{d}$
is the unique (odd) convergent satisfying $$ \frac{2e}{n\sqrt{n}} <
\frac{k}{d} - \frac{e}{n} < \frac{2.122\, e}{n\sqrt{n}}. $$
Indeed, this follows from the fact that if $p_m/q_m$ and
$p_{m+2}/q_{m+2}$ are two successive (odd) convergents of a real
number $\alpha$, then $p_{m+2}/q_{m+2}$ is at least twice as good an
approximation of $\alpha$ as $p_{m}/q_{m}$, which is a direct
consequence of the following well-known property of convergents
(see \cite[Theorems 9 and 13]{Hin}):
\begin{equation} \label{hin}
\frac{1}{q_m(q_{m+1}+q_m)} <
\Big| \alpha -\frac{p_m}{q_m} \Big| < \frac{1}{q_m q_{m+1}} .
\end{equation}
Furthermore, if $\frac{k}{d}=\frac{p_m}{q_m}$, then $$
\frac{n\sqrt{n}}{4.244e} < q_mq_{m+1} < \frac{n\sqrt{n}}{2e}, $$
and $m$ is the unique odd positive integer satisfying this
inequality. These observations lead to an efficient algorithm for
finding the correct convergent in Wiener's attack. Namely,
$\frac{k}{d}=\frac{p_m}{q_m}$, where $m$ is the smallest odd
positive integer such that $q_mq_{m+1} >
\frac{n\sqrt{n}}{4.244e}.$
237:
238: \bigskip
239:
As suggested in Wiener's original paper, the attack can be
slightly improved by using a better approximation to $\frac{k}{d}$,
e.g. $\frac{e}{f}$, where $f=n-\lfloor 2\sqrt{n} \rfloor +1$. This
can be combined with known extensions of Legendre's theorem.
244: Namely, there is an old result of Fatou \cite{Fatou} (see also
245: \cite[p. 16]{Lang}) which says that if $| \alpha - \frac{a}{b}| <
246: \frac{1}{b^2}$, then $\frac{a}{b} = \frac{p_{m}}{q_{m}}$ or
247: $\frac{p_{m+1}\pm p_{m}}{q_{m+1}\pm q_{m}}$. In 1981, Worley
248: \cite{Wor} (see also \cite{D-J} and \cite{O-L-W}) proved that $|
249: \alpha - \frac{a}{b}| < \frac{2}{b^2}$ implies $\frac{a}{b} =
250: \frac{p_{m}}{q_{m}}$, $\frac{p_{m+1}\pm p_{m}}{q_{m+1}\pm q_{m}}$,
251: $\frac{2p_{m+1}\pm p_{m}}{2q_{m+1}\pm q_{m}}$, $\frac{3p_{m+1}+
252: p_{m}}{3q_{m+1}+ q_{m}}$, $\frac{p_{m+1}\pm 2p_{m}}{q_{m+1}\pm
253: 2q_{m}}$ or $\frac{p_{m+1}- 3p_{m}}{q_{m+1}- 3q_{m}}$.
254:
We have $$ 0< \frac{k}{d} - \frac{e}{f} <
\frac{0.1221}{\sqrt{n}}.$$ If $d<4.04 \sqrt[4]{n}$, then
$\frac{0.1221}{\sqrt{n}} < \frac{2}{d^2}$ and $d$ can be found in
polynomial time (which extends the range of Wiener's attack by a
factor of 12).
260:
More general extensions of Wiener's attack will be considered in
the next sections.
263:
264:
265: \section{Verheul and van Tilborg variant of Wiener's attack} \label{sec:VT}
266:
267: In 1997, Verheul and van Tilborg \cite{V-vT} proposed the
268: following extension of Wiener's attack.
269:
Let $m$ be the largest (odd) integer satisfying
$\frac{p_m}{q_m} - \frac{e}{n} > \frac{2.122\, e}{n\sqrt{n}}$.
Search for $\frac{k}{d}$ among the fractions of the form
$\frac{r p_{m+1}+s p_m}{rq_{m+1}+ s q_m}$,
i.e. consider the system
275: \begin{eqnarray*}
276: r p_{m+1}+s p_m &=& k \\
277: r q_{m+1}+ s q_m &=& d.
278: \end{eqnarray*}
279: The determinant of the system satisfies
280: $|p_{m+1}q_m - q_{m+1}p_m| = 1$, and therefore
281: the system has (positive) integer solutions:
282: \begin{eqnarray*}
283: r &=& dp_{m} -k q_m \\
284: s &=& kq_{m+1}- d p_{m+1} .
285: \end{eqnarray*}
286: If $r$ and $s$ are small, then they can be found
287: by an exhaustive search.
288:
289: \bigskip
290:
291: Let us estimate the number of steps in this exhaustive search,
292: i.e. let us find upper bounds for $r$ and $s$. Let
293: $d=D\sqrt[4]{n}$.
294:
From (\ref{hin}) it follows that $r = dq_m \Big(\frac{p_m}{q_m} -
\frac{k}{d} \Big) < \frac{d}{q_{m+1}}$. The estimate for $s$
depends on the sign of the number $\frac{e}{n} -
\frac{p_{m+1}}{q_{m+1}} - \frac{2.122e}{n\sqrt{n}}$. (We may
expect that this number will be positive in 50\% of the cases.)
300: Assume that $\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} >
301: \frac{2.122e}{n\sqrt{n}}$. Then $$s = dq_{m+1} \Big(\frac{k}{d} -
302: \frac{p_{m+1}}{q_{m+1}} \Big) < 2dq_{m+1} \Big(\frac{e}{n} -
303: \frac{p_{m+1}}{q_{m+1}} \Big) < \frac{2d}{q_{m+2}}. $$ Since $$
304: \frac{1}{q_{m+2}^2(a_{m+3}+2)} < \frac{p_{m+2}}{q_{m+2}} -
305: \frac{e}{n} < \frac{2.122 e}{n\sqrt{n}} <
306: \frac{2.122}{\sqrt{n}},$$ we have $$q_{m+2} >
307: \frac{\sqrt[4]{n}}{\sqrt{2.122(a_{m+3}+2)}}.$$ Also, $q_{m+1} >
308: \frac{q_{m+2}}{a_{m+2}+1}$. Putting all these estimates together
309: we obtain
310: \begin{eqnarray*}
311: r &<& \sqrt{2.122(a_{m+3}+2)}(a_{m+2}+1)D, \\
312: s &<& \sqrt{2.122(a_{m+3}+2)}D.
313: \end{eqnarray*}
314: Hence, in this case the number of steps is bounded by
315: $$2.122(a_{m+3}+2)(a_{m+2}+1)D^2.$$
316:
317: \medskip
318:
319: Assume now that $\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} \leq
320: \frac{2.122e}{n\sqrt{n}}$. Then $$s = dq_{m+1} \Big(\frac{k}{d} -
321: \frac{p_{m+1}}{q_{m+1}} \Big) < dq_{m+1} \Big(\frac{p_m}{q_m} -
\frac{p_{m+1}}{q_{m+1}} \Big) = \frac{d}{q_{m}}.$$ Since in this
case $\frac{p_{m+1}}{q_{m+1}}$ is already close enough to
$\frac{e}{n}$, we have an estimate for $q_{m+1}$ which is
analogous to the estimate for $q_{m+2}$ in the previous case: $$
q_{m+1} > \frac{\sqrt[4]{n}}{\sqrt{2.122(a_{m+2}+2)}}.$$
327: This implies
328: \begin{eqnarray*}
329: r &<& \sqrt{2.122(a_{m+2}+2)}D, \\
330: s &<& \sqrt{2.122(a_{m+2}+2)}(a_{m+1}+1)D
331: \end{eqnarray*}
332: and in this case the number of steps is bounded by
333: $$2.122(a_{m+2}+2)(a_{m+1}+1)D^2.$$
334:
335: \bigskip
336:
In \cite{V-vT}, the authors propose that with reasonable
probability (20\%) the number of steps can be bounded by $256D^2$.
This is indeed true if we keep in mind that the partial quotients
$a_i$ are usually very small. In \cite[p. 352]{Knuth} the
distribution of the partial quotients of a random real number
$\alpha$ is given. Approximately, $a_i$ will be 1 with probability
41.5\%, $a_i=2$ with probability 17.0\%, $a_i=3$ with probability
9.3\%, $a_i=4$ with probability 5.9\%, etc. Our analysis shows
that the success of the Verheul and van Tilborg attack (when $D^2$ is
of reasonable size) depends heavily on the size of the corresponding
partial quotients $a_{m+1}$, $a_{m+2}$ and $a_{m+3}$. And although
they are usually small, we cannot exclude the possibility that at
least one of them is large (see Examples \ref{ex:2} and
\ref{ex:3}). Namely, the probability that $a_i \geq x$ is equal to
$ \log_2(1+\frac{1}{x}),$ and this is a slowly decreasing
function of $x$.
353:
In Section \ref{sec:mod} we will propose a method to overcome
this problem and remove the dependence on the partial quotients. A
general result on Diophantine approximation from the next section
will allow us to obtain more precise information on $r$ and $s$,
which will reduce the number of steps in the search.
359:
360:
361: \section{Extension of Legendre's theorem}
362:
363: \begin{theorem} \label{tm:kbb}
364: Let $\alpha$ be an irrational number and let $a$, $b$ be coprime
365: nonzero integers, satisfying the inequality
366: \begin{equation} \label{kb2}
367: \Big| \alpha - \frac{a}{b} \Big| < \frac{c}{b^2},
368: \end{equation}
369: where $c$ is a positive real number. Then $(a,b) = (rp_{m+1} \pm
370: sp_{m},rq_{m+1} \pm sq_{m})$, for some nonnegative integers $m$,
371: $r$ and $s$ such that $rs < 2c$.
372: \end{theorem}
373:
\pf Assume that $\alpha < \frac{a}{b}$; the other case is
completely analogous. Let $m$ be the largest odd integer
satisfying $$ \alpha < \frac{a}{b} \leq \frac{p_m}{q_m}. $$ If
$\frac{a}{b} > \frac{p_1}{q_1}$, we will take $m=-1$, following
the convention that $p_{-1}=1$, $q_{-1}=0$.
379:
380: Let us define the numbers $r$ and $s$ by:
381: \begin{eqnarray*}
382: a &=& rp_{m+1} + sp_{m}, \\
383: b &=& rq_{m+1} + sq_{m}.
384: \end{eqnarray*}
385: Since $|p_{m+1}q_m - p_mq_{m+1}|=1$, we conclude that $r$ and $s$
386: are integers, and since $\frac{p_{m+1}}{q_{m+1}} < \frac{a}{b}
387: \leq \frac{p_m}{q_m}$, we have that $r\geq 0$ and $s>0$.
388:
389: From the maximality of $m$, we have that $$ \Big|
390: \frac{p_{m+2}}{q_{m+2}} - \frac{a}{b} \Big| < \Big| \alpha -
391: \frac{a}{b} \Big| < \frac{c}{b^2}. $$ But {\small
392: \begin{eqnarray*}
393: \Big| \frac{p_{m+2}}{q_{m+2}} - \frac{a}{b} \Big| &\!=\!&
394: \frac{(a_{m+2}q_{m+1}\!+\!q_m)(rp_{m+1}\!+\!sp_m) -
395: (a_{m+2}p_{m+1}\!+\!p_m)(rq_{m+1}\!+\!sq_m)}{bq_{m+2}} \\ &\!=\!&
396: \frac{sa_{m+2}-r}{bq_{m+2}}.
397: \end{eqnarray*}}
398: Therefore, we obtain $$ b(sa_{m+2}-r) < cq_{m+2}=
399: \frac{c}{s}((sa_{m+2}-r)q_{m+1} + b), $$ which implies
400: $$(sa_{m+2}-r)(b-\frac{c}{s} q_{m+1}) < \frac{c}{s} \, b. $$
401: Furthermore we have $$ \frac{1}{sa_{m+2}-r} >
402: \frac{b-\frac{c}{s}q_{m+1}}{\frac{c}{s}b} = \frac{s}{c}-
403: \frac{1}{r+\frac{sq_m}{q_{m+1}}} \geq \frac{s}{c}- \frac{1}{r}. $$
404: Therefore, we obtain the following inequality
405: \begin{equation} \label{rsin}
406: r^2 -sr a_{m+2} +c a_{m+2} >0.
407: \end{equation}
408: We will consider (\ref{rsin}) as a quadratic inequality in $r$.
409:
410: Assume for a moment that $s^2a_{m+2}\geq 4c$. Then $s^4a_{m+2}^2 -
411: 4cs^2a_{m+2} \geq (s^2a_{m+2} -4c)^2$, and therefore (\ref{rsin})
412: implies
413: \[ r <\frac{1}{2s}\Big( s^2 a_{m+2}-\sqrt{s^4 a_{m+2}^2-
414: 4cs^2a_{m+2}}\Big) \leq \frac{2c}{s}, \] or
\[ r >\frac{1}{2s}\Big( s^2a_{m+2}+\sqrt{s^4a_{m+2}^2- 4cs^2a_{m+2}}\Big)
\geq
\frac{1}{s}\Big(s^2a_{m+2} -2c\Big). \]
418: The first possibility gives us the condition $rs < 2c$,
419: as claimed in the theorem.
420:
421: Let us consider the second possibility, i.e.
422: \begin{equation} \label{second}
423: rs > s^2a_{m+2} -2c.
424: \end{equation}
425: Let us define $t=sa_{m+2} - r$. Since $\frac{p_{m+2}}{q_{m+2}} <
426: \frac{a}{b}$, we conclude that $t$ is a positive integer. Now we
427: have
428: \begin{eqnarray*}
429: a &=& rp_{m+1} + sp_{m} = (sa_{m+2}-t)p_{m+1} + sp_m = sp_{m+2}-
430: tp_{m+1}, \\ b &=& rq_{m+1} + sq_{m} = (sa_{m+2}-t)q_{m+1} + sq_m
431: = sq_{m+2}- tq_{m+1},
432: \end{eqnarray*}
433: and the condition (\ref{second}) becomes $st < 2c$.
434:
Hence we have proved the statement of the theorem under the
assumption that $s^2a_{m+2}\geq 4c$.

Assume now that $s^2a_{m+2} < 4c$. Since $r<sa_{m+2}$, we have
two possibilities. If $r< \frac{1}{2} sa_{m+2}$, then
$rs < \frac{1}{2} s^2a_{m+2} < 2c$, and if
$r\geq \frac{1}{2} sa_{m+2}$, then $t=sa_{m+2}-r \leq
\frac{1}{2} sa_{m+2}$ and $st \leq \frac{1}{2} s^2a_{m+2} < 2c$.
443:
444: \qed
445:
\begin{remark}
{\rm It is not clear from the proof whether the above theorem is valid
for rationals $\frac{a}{b}$ such that $\frac{a}{b} <
\frac{p_0}{q_0}= \lfloor \alpha \rfloor$. But this case
corresponds to the minus case with $m=0$ in the statement of the
theorem. Indeed, let $\frac{s}{r} = \lfloor \alpha \rfloor -
\frac{a}{b}$. Then $\frac{a}{b} = p_0 - \frac{s}{r} = \frac{rp_0 -
s}{r} = \frac{rp_0 - sp_{-1}}{rq_0 - sq_{-1}}$, and $rs = b^2\cdot
\frac{s}{r} < b^2\cdot \frac{c}{b^2} = c$. }
\end{remark}
456:
457: \begin{remark}
{\rm The statement of the theorem is valid also for rational
numbers $\alpha$. Indeed, if $\alpha \in \mathbb{Q}$, then there
exists an integer $j\geq 0$ such that $\alpha = \frac{p_j}{q_j}$.
The proof is identical to that in the irrational case, unless $\alpha <
\frac{a}{b} < \frac{p_{j-1}}{q_{j-1}}$ (or $\alpha > \frac{a}{b} >
\frac{p_{j-1}}{q_{j-1}}$). If we define positive integers $r$ and
464: $s$ by
465: \begin{eqnarray*}
466: a &=& rp_{j} + sp_{j-1}, \\
467: b &=& rq_{j} + sq_{j-1},
468: \end{eqnarray*}
469: then the inequalities $\Big| \alpha - \frac{a}{b}\Big| =
470: \frac{s}{bq_j} < \frac{c}{b^2}$ and $b>rq_j$ imply $rsq_j < sb <
471: cq_j$, and finally $rs < c$. }
472: \end{remark}
473:
474: \bigskip
475:
A result similar to our Theorem \ref{tm:kbb} was proved, with
different methods, by Worley. In \cite[Theorem 1]{Wor}, it was
shown that there are three types of solutions of the inequality
(\ref{kb2}). Two types correspond to the $+$ and $-$ signs in
$(rp_{m+1} \pm sp_{m},rq_{m+1} \pm sq_{m})$, while Theorem
\ref{tm:kbb} shows that the third type can be omitted.
482:
483: \medskip
484:
485: Theorem \ref{tm:kbb} extends results for $c=1$ and $c=2$ cited in
486: Section \ref{sec:wie}. The result for $c=2$ has already found
487: applications in solving some Diophantine equations. In
488: \cite{O-L-W}, it is applied to the problem of finding positive
489: integers $a$ and $b$ such that $(a^2+b^2)/(ab+1)$ is an integer,
490: and in \cite{D-J} it is used for solving the family of Thue
491: inequalities $$|x^4 - 4cx^3y+(6c+2)x^2y^2 + 4cxy^2+y^4| \leq 6c+4.
492: $$ We hope that Theorem \ref{tm:kbb} will also find its
493: application in Diophantine analysis.
494:
495:
496:
497: \section{A variant of Wiener's attack} \label{sec:mod}
498:
In this section we propose a new variant of Wiener's attack. It is
very similar to the Verheul and van Tilborg attack, but after
finding the appropriate starting convergent, instead of a plain
exhaustive search, this new variant also uses the estimates which
follow from Diophantine approximation (Theorem \ref{tm:kbb}).
504:
505: \medskip
506:
507: Let $m$ be the largest (odd) integer such that $$ \frac{p_m}{q_m}
508: > \frac{e}{n} + \frac{2.122 e}{n\sqrt{n}}. $$ We have two
509: possibilities depending on whether the inequality
510: $\frac{p_{m+2}}{q_{m+2}} \geq \frac{k}{d}$ is satisfied or not.
511:
512: Assume first that $\frac{p_{m+2}}{q_{m+2}} \geq \frac{k}{d}$. We
513: are searching for $\frac{k}{d}$ among the fractions of the form
514: $\frac{r'p_{m+3}+s'p_{m+2}}{r'q_{m+3}+s'q_{m+2}}$. As in Section
515: \ref{sec:VT}, we have $$ q_{m+2} >
516: \frac{\sqrt[4]{n}}{\sqrt{2.122(a_{m+3}+2)}}. $$ Now we have
517: \begin{eqnarray*}
518: r' &=& dq_{m+2}\Big( \frac{p_{m+2}}{q_{m+2}} - \frac{k}{d} \Big) <
519: dq_{m+2} \cdot \frac{0.122 e}{n\sqrt{n}} < 0.061 dq_{m+2}\Big(
520: \frac{p_{m+2}}{q_{m+2}} - \frac{e}{n} \Big) \\ &<& 0.061
521: \frac{d}{q_{m+3}} < \frac{0.061 \sqrt{2.122(a_{m+3}+2)}}{a_{m+3}}
522: \,D
523: \end{eqnarray*}
524: and
525: \begin{eqnarray*} s' &=& dq_{m+3}\Big( \frac{k}{d} -
526: \frac{p_{m+3}}{q_{m+3}} \Big) \leq dq_{m+3}\Big(
527: \frac{p_{m+2}}{q_{m+2}} - \frac{p_{m+3}}{q_{m+3}} \Big) =
528: \frac{d}{q_{m+2}} \\ &<& \sqrt{2.122(a_{m+3}+2)} \,D.
529: \end{eqnarray*}
530: Hence, $\frac{k}{d}$ can be recovered in at most $r's' <
531: \frac{0.1295(a_{m+3}+2)}{a_{m+3}} \,D^2 \leq 0.3885\,D^2$ steps.
532: Here $D=d/\sqrt[4]{n}$, as before.
533:
534: \medskip
535:
536: Assume now that $\frac{p_{m+2}}{q_{m+2}} < \frac{k}{d}$. We have
537: $$ \frac{k}{d} - \frac{e}{n} < \frac{2.122e}{n\sqrt{n}} <
538: \frac{2.122}{\sqrt{n}} = \frac{2.122D^2}{d^2}. $$ We are in the
539: conditions of the proof of Theorem \ref{tm:kbb}, and we conclude
540: that $\displaystyle{\frac{k}{d} =
541: \frac{rp_{m+1}+sp_{m}}{rq_{m+1}+sq_{m}}}$ or
542: $\displaystyle{\frac{k}{d} =
543: \frac{sp_{m+2}-tp_{m+1}}{sq_{m+2}-tq_{m+1}}}$, where $r$, $s$ and
544: $t$ are positive integers satisfying $rs < 4.244D^2$,
545: $st<4.244D^2$.
546:
From Dirichlet's formula for the number of divisors we obtain
immediately that the number of possible pairs $(r,s)$ and $(s,t)$
is $O(D^2\log{D})$. However, $r$ and $s$ (resp. $s$ and $t$) are
not arbitrary. They satisfy the inequalities $r<a_{m+2}s$ and
$t<a_{m+2}s$, which imply $r<2.061\sqrt{a_{m+2}}D$ and
$t<2.061\sqrt{a_{m+2}}D$. In Section \ref{sec:VT} we found that
$s\leq s_1$, where $s_1=\lfloor \sqrt{2.122(a_{m+2}+2)}D \rfloor$
if $\displaystyle{\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} >
\frac{2.122e}{n\sqrt{n}}}$, and $s_1=\lfloor
\sqrt{2.122(a_{m+2}+2)} (a_{m+1}+1)D \rfloor$ if
$\displaystyle{\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} \leq
\frac{2.122e}{n\sqrt{n}}}$. Let $\displaystyle{s_0=\Big\lfloor
559: 2.061 \frac{D}{\sqrt{a_{m+2}}} \Big\rfloor}$. We have the
560: following upper bound for the number of possible pairs $(r,s)$:
561: \begin{eqnarray*}
562: \lefteqn{a_{m+2}(1+2+\cdots+s_0) + \frac{D^2}{s_0+1} +
563: \frac{D^2}{s_0+2} + \cdots + \frac{D^2}{s_1}} \\ &\!<\!& a_{m+2}
564: s_0^2 + D^2(\log{\frac{s_1}{s_0+1}} +1) \\ &\!<\!& 5.248D^2 + D^2
565: \log(0.707 \max(\sqrt{(a_{m+3}\!+\!2)a_{m+2}},
566: (a_{m+2}\!+\!1)(a_{m+1}\!+\!1))).
567: \end{eqnarray*}
568: We have the same upper bound for the number of possible pairs
569: $(s,t)$.
570:
Hence, the number of steps in this attack is $O(D^2\log{A})$
$(A=\max \{a_i \,:\, i=m+1,m+2,m+3\})$. We may compare this with
the Verheul and van Tilborg attack, where the number of steps was
$O(D^2A^2)$.
575:
576:
577: \bigskip
578:
579:
580:
\begin{example} \label{ex:2}
{\rm Let $n=7978886869909$, $e=4603830998027$, and assume that
$d<10000000$. The continued fraction expansion of $\frac{e}{n}$ is $$
[0; 1, 1, 2, 1, 2, 1, 18, 10, 1,
3, 3, 1, 6, 57, 2, 1, 2, 14, 7,
1, 2, 1, 4, 6, 2], $$ and the convergents are $$ 0,\, 1,\,
\frac{1}{2},\, \frac{3}{5},\, \frac{4}{7},\, \frac{11}{19},\,
\frac{15}{26},\, \frac{281}{487},\, \frac{2825}{4896},\, \ldots
\,.$$ We find that $$\frac{281}{487} < \frac{e}{n} + \frac{2.122
e}{n\sqrt{n}} < \frac{11}{19}. $$ Hence $m=5$ and we are searching
for the secret exponent among the numbers of the form $26r+19s$,
$487s - 26t$ or $4896r'+487s'$. By applying Wiener's test, we find
that $s=12195$, $t=77$ gives the correct value for $d$,
$d=5936963$.

Let us compare these numbers $s$ and $t$ with the numbers
$r$ and $s$ obtained by an application of the Verheul and van Tilborg
attack to the same problem. We obtain the same number $s=12195$,
but the other number $r=219433$ is much larger than $t=77$,
which is in good agreement with our theoretical estimates. }
\end{example}
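The convergent selection rule of Section \ref{sec:wie} and the three-family search of this section, as an added example that is not part of the paper: a Python implementation, written as a key-validation check (a public key $(n,e)$ is rejected when either routine recovers $d$), with the inequalities involving $\sqrt{n}$ tested in exact integer arithmetic and Wiener's test as the acceptance criterion. The function names, the use of $D = d_{\max}/\sqrt[4]{n}$ for a prescribed bound $d_{\max}$, and the search order (the small unknown $r$, $t$ or $r'$ first) are this example's own choices; on the data of Examples \ref{ex:1} and \ref{ex:2} it reproduces $d=313$ and $d=5936963$ together with the factorization of $n$.

```python
from math import isqrt

def contfrac(num, den):
    """Partial quotients [a_0; a_1, ...] of num/den (Euclid's algorithm)."""
    a = []
    while den:
        q, r = divmod(num, den)
        a.append(q)
        num, den = den, r
    return a

def convergents(a):
    """(p_i, q_i) for i >= 0 from p_i = a_i p_{i-1} + p_{i-2}, q_i = a_i q_{i-1} + q_{i-2}."""
    p0, q0, p1, q1 = 1, 0, a[0], 1             # (p_{-1}, q_{-1}) = (1, 0)
    out = [(p1, q1)]
    for ai in a[1:]:
        p0, q0, p1, q1 = p1, q1, ai * p1 + p0, ai * q1 + q0
        out.append((p1, q1))
    return out

def gt_sqrt(x, y, n):
    """Exact integer test of x > y*sqrt(n) (y > 0); avoids floating-point rounding."""
    return x > 0 and x * x > y * y * n

def wiener_test(n, e, k, d):
    """Wiener's test for a candidate k/d: phi = (ed-1)/k, then (p+q)/2 and (q-p)/2
    must be positive integers.  Returns (p, q) with p*q = n, or None."""
    if k <= 0 or d <= 0 or (e * d - 1) % k:
        return None
    psum = n - (e * d - 1) // k + 1             # p + q = n - phi(n) + 1
    if psum % 2:
        return None
    half = psum // 2
    disc = half * half - n                      # ((q-p)/2)^2 = ((p+q)/2)^2 - pq
    root = isqrt(disc) if disc > 0 else 0
    if disc <= 0 or root * root != disc:
        return None
    p, q = half - root, half + root
    return (p, q) if p > 1 and p * q == n else None

def wiener_attack(n, e):
    """Section 2 rule: k/d = p_m/q_m for the smallest odd m with q_m q_{m+1} > n sqrt(n)/(4.244 e).
    Returns (d, (p, q)); None means that convergent fails the test, i.e. d is not below n^(1/4)/3."""
    cv = convergents(contfrac(e, n))
    for m in range(1, len(cv) - 1, 2):
        k, d = cv[m]
        if gt_sqrt(4244 * e * d * cv[m + 1][1], 1000 * n, n):
            pq = wiener_test(n, e, k, d)
            return (d, pq) if pq else None
    return None

def small_d_search(n, e, d_max):
    """Section 5 search over (r,s), (s,t) and (r',s') with D = d_max/n^(1/4) (d_max is assumed).
    Assumes p < q < 2p, e < n and d < d_max.  Returns (d, (p, q)) or None."""
    a = contfrac(e, n)
    cv = convergents(a)
    m = 1                     # largest odd m with p_m/q_m - e/n > 2.122 e/(n sqrt n)
    while m + 2 < len(cv) and gt_sqrt(1000 * (cv[m + 2][0] * n - cv[m + 2][1] * e) * n,
                                      2122 * e * cv[m + 2][1], n):
        m += 2
    if m + 3 >= len(cv):
        return None
    (pm, qm), (p1, q1), (p2, q2), (p3, q3) = cv[m:m + 4]
    a1, a2, a3 = a[m + 1], a[m + 2], a[m + 3]
    D = d_max / isqrt(isqrt(n))
    P = 4.244 * D * D                           # rs < 4.244 D^2 and st < 4.244 D^2
    first = gt_sqrt(1000 * (q1 * e - p1 * n) * n, 2122 * e * q1, n)
    s1 = int((2.122 * (a2 + 2)) ** 0.5 * D * (1 if first else a1 + 1))  # s <= s_1
    rmax = int(2.061 * a2 ** 0.5 * D)           # r, t < 2.061 sqrt(a_{m+2}) D
    c3 = (2.122 * (a3 + 2)) ** 0.5
    r3max = int(0.061 * c3 / a3 * D)            # r' bound of the first case
    # One row per family; v is the small unknown (r, t or r'), s the large one:
    # (v_min, v_max, s_max, bound on v*s, smallest s for v, k and d coefficients of v, then of s)
    fams = [
        (1, rmax, s1, P, lambda v: v // a2 + 1, p1, q1, pm, qm),                       # r < a_{m+2} s
        (1, rmax, s1, P, lambda v: max(v // a2, v * q1 // q2) + 1, -p1, -q1, p2, q2), # t < a_{m+2} s, d > 0
        (0, r3max, int(c3 * D), 0.3885 * D * D, lambda v: 1, p3, q3, p2, q2),
    ]
    for v in range(max(rmax, r3max) + 1):       # small unknowns first: they are usually small
        for vmin, vmax, smax, pb, lo_of, kv, dv, ks, ds in fams:
            if not vmin <= v <= vmax:
                continue
            lo = lo_of(v)
            hi = smax if v == 0 else min(smax, int(pb / v))
            k, d = kv * v + ks * lo, dv * v + ds * lo
            for _ in range(lo, hi + 1):
                if d > d_max:                   # d grows with s in every family
                    break
                if k > 0 and (e * d - 1) % k == 0:
                    pq = wiener_test(n, e, k, d)
                    if pq:
                        return d, pq
                k, d = k + ks, d + ds
    return None
```

Both routines return None for a key they cannot break, which is the expected outcome for a key whose secret exponent is not small; the case $r'=0$, $s'=1$ of the third family is exactly the original Wiener case $k/d = p_{m+2}/q_{m+2}$.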
602:
603: \bigskip
604:
605:
\begin{example} \label{ex:3}
{\rm Let us take $n=7978886869909$ again. For
$1000 \leq d \leq 1000000$, we compare the
quantities $rs$, obtained by the Verheul and van Tilborg attack,
with the quantity $D^2$. The maximal value of $rs/D^2$ is $78464.2$
and it is attained for $d=611131$. There are 591
$d$'s for which $rs/D^2$ is greater than 1000.
The average value of
$rs/D^2$ for $d$ in the given interval is $15.69$.

A similar analysis for the attack introduced in this section gives
that the average value of the quantity $\min(rs,st,r's')/D^2$ for
$d$ in the interval $1000 \leq d \leq 1000000$ is $0.8397$, with
maximal value $4.026$ attained for $d=437561$. }
\end{example}
623:
624: \bigskip
625:
626: \begin{thebibliography}{99}
627:
628: \small{
629:
\bibitem{B-M}
BL\"OMER, J.---MAY, A.: {\it Low secret exponent RSA revisited},
Cryptography and Lattices - Proceedings of CaLC 2001, Lecture Notes
in Comput. Sci. {\bf 2146} (2001), 4--19.
634:
635: \bibitem{B-notices}
636: BONEH, D.: {\it Twenty years of attacks on the RSA cryptosystem},
637: Notices Amer. Math. Soc. {\bf 46} (1999),
638: 203--213.
639:
640: \bibitem{B-D1}
641: BONEH, D.---DURFEE, G.: {\it Cryptanalysis of RSA with private key
642: $d$ less than $N^{0.292}$}, Advances in Cryptology - Proceedings
643: of Eurocrypt '99, Lecture Notes in Comput. Sci. {\bf 1952} (1999),
644: 1--11.
645:
646: \bibitem{Cop}
647: COPPERSMITH, D.: {\it Small solutions to polynomial equations,
648: and low exponent RSA vulnerabilities}, J. Cryptology
649: {\bf 10} (1997), 233--260.
650:
\bibitem{D-J}
DUJELLA, A.---JADRIJEVI\'C, B.: {\it A family of quartic Thue
inequalities}, Acta Arith. {\bf 111} (2004), 61--76.
654:
\bibitem{Fatou}
FATOU, P.: {\it Sur l'approximation des incommensurables et les
s\'eries trigonom\'etriques}, C. R. Acad. Sci. (Paris)
{\bf 139} (1904), 1019--1021.
659:
\bibitem{Hinek}
HINEK, M. J.: Low Public Exponent Partial Key and Low Private
Exponent Attacks on Multi-prime RSA, Master's thesis,
University of Waterloo, 2002.
664:
665: \bibitem{H-L-T}
666: HINEK, M. J.---LOW, M. K.---TESKE, E.: {\it On some attacks on
667: multi-prime RSA}, Proceedings of SAC 2002, Lecture Notes in
668: Comput. Sci. {\bf 2595} (2003), 385--404.
669:
670: \bibitem{Hin}
671: KHINCHIN, A. Ya.: Continued Fractions, Dover, New York, 1997.
672:
\bibitem{Knuth}
KNUTH, D.: The Art of Computer Programming, Vol. 2, Seminumerical
Algorithms, 2nd edition, Addison-Wesley, New York, 1981.
676:
677: \bibitem{Lang}
678: LANG, S.: Introduction to Diophantine Approximations,
679: Addison-Wesley, Reading, 1966.
680:
681: \bibitem{O-L-W}
682: OSGOOD, C. F.---LUCA, F.---WALSH, P. G.: {\it Diophantine
683: approximations and a problem from the 1988 IMO}, Rocky Mountain J.
684: Math., to appear.
685:
686: \bibitem{Pinch}
687: PINCH, R. G. E.: {\it Extending the Wiener attack to RSA-type
688: cryptosystems}, Electronics Letters {\bf 31} (1995), 1736--1738.
689:
\bibitem{RSA}
RIVEST, R. L.---SHAMIR, A.---ADLEMAN, L.: {\it A method for
obtaining digital signatures and public-key cryptosystems},
Communications of the ACM {\bf 21} (1978), 120--126.
694:
695: \bibitem{Smart}
696: SMART, N.: Cryptography: An Introduction, McGraw-Hill, London,
697: 2002.
698:
699: \bibitem{V-vT}
700: VERHEUL, E. R.---VAN TILBORG, H. C. A.: {\it Cryptanalysis of `less
701: short' RSA secret exponents}, Appl. Algebra Engrg. Comm. Computing
702: {\bf 8} (1997), 425--435.
703:
704: \bibitem{Wiener}
705: WIENER, M. J.: {\it Cryptanalysis of short RSA secret exponents},
706: IEEE Trans. Inform. Theory {\bf 36} (1990), 553--558.
707:
708: \bibitem{Wor}
709: WORLEY, R. T.: {\it Estimating $|\alpha - p/q|$}, J. Austral.
710: Math. Soc. {\bf 31} (1981), 202--206.
711:
712: }
713: \end{thebibliography}
714:
715: \bigskip
716:
717: {\small \noindent Department of Mathematics \\ University of
718: Zagreb
719: \\ Bijeni\v cka cesta 30, 10000 Zagreb \\ Croatia \\
720: {\em E-mail address}: {\tt duje@math.hr}}
721:
722: \end{document}