The Improved Estimation of the Least Upper Bound to Search for RSA's Private key

Abstract

RSA is known as one of the best techniques for securing secret information across an unsecured network. The private key which is one of private parameters is the aim for attackers. However, it is exceedingly impossible to derive this value without disclosing all unknown parameters. In fact, many methods to recover the private key were proposed, the performance of each algorithm is acceptable for the different cases. For example, Wiener's attack is extremely efficient when the private key is very small. On the other hand, Fermat's factoring can quickly break RSA when the difference between two large prime factors of the modulus is relatively small. In general, if all private parameters are not disclosed, attackers will be able to confirm that the private key is unquestionably inside the scope [3, n - 2], where n is the modulus. However, this scope has already been reduced by increasing the greatest lower bound to [d_il, n - 2], where d_il ≥ 3. The aim of this paper is to decrease the least upper bound to narrow the scope that the private key will remain within this boundary. After finishing the proposed method, the new scope of the private key can be allocated as [d_il, d_ir], where d_ir ≤ n - 2. In fact, if the private key is extremely close to the new greatest lower bound, it can be retrieved quickly by performing a brute force attack, in which d_ir is decreased until it is equal to the private key. The experimental results indicate that the proposed method is extremely effective when the difference between prime factors is close to each other and one of two following requirement holds: the first condition is that the multiplier of Euler totient function is very close to the public key's small value whereas the second condition is that the public key should be large whenever the multiplier is far enough.

1. Introduction

At present, data transfer over network channel is the preferred method due to its convenience and speed. However, network channel is referred as the unsecured channel. In other word, if the secret data being transferred across a network channel is very important and there is no securing algorithm in place to protect it, then attackers can simply entrap the data. Prior to transferring any important or private information over an unsecured connection, it should be encased by some securing algorithms. Cryptography [1] is one of the beneficial techniques for protecting data prior to transmission via an unsecured channel by using encryption and decryption processes. The concept of using cryptography to secure the information is as follows: First, the secret message which is called the plaintext is encrypted by using the secret key. In fact, the encrypted message is referred to the ciphertext and it is transmitted to the recipient instead of the secret message. On receiver side, after the ciphertext has arrived, the original plaintext can be recovered using the secret key and a decryption process. In general, cryptography is classified into two broad categories. Each type has its own unique advantages and disadvantages. The first is symmetric key cryptography which uses the same key, referred to the secret key for both the encryption and decryption. The advantage is related to time required to complete the process. On the other hand, the disadvantage refers to the method in which an attacker might avoid exchanging the secret key between senders and receivers. Asymmetric key cryptography, on the other hand, is also known as public key cryptography. The key concept is to the different keys that must be chosen to encrypt the plaintext and decrypt the ciphertext. One key which is kept secretly is called the private key and the other key which is disclosed to everyone is called the public key. In fact, these keys are mathematically related to each other. The advantage is that the secret channel to exchange the key is eliminated. However, the disadvantage is that the procedure is quite time consuming to complete the process. Therefore, both of symmetric key cryptography and public key cryptography are integrated in the real situation in order to increase the performance.

RSA [2] is the best well-known public key cryptography. It is chosen to apply with a variety of applications to secure the information such as [3], [4], [5], [6], [7], [8]. However, to avoid intruder attacks, the modulus bit length (n) should be assigned at least 1024 bits. Therefore, one of the two keys must be a large integer. In fact, in order to ensure that RSA is extremely secure, the private key (d) should be large. Although, RSA is still difficult to be broken (all parameters are strong), many algorithms can break RSA when certain parameters are weak. Moreover, many weak parameters are disclosed such as a low private key [9], a high private key [10], a low prime factor [11] and the small distance between two prime factors [12]. In this paper, two weak parameters are presented. The first weakness is the small public key and the short distance between it and the multiplier of Euler totient function. The other weakness is the large public key and the high distance between the high public key and the multiplier of Euler totient function. In addition, there should be a little difference between two prime factors. Moreover, the new method for estimating initial value of the private key that effectively addresses both weaknesses is also proposed.

Assuming that all private parameters are hidden and if intruders want to recover d, they will clearly recognize that the position of d must be located within the following scope: d ∈ [3, n - 2]. This scope is costly since the length of n is allocated at least 1024 bits. If brute force attack is selected to find d, then the cost of computation is quite high. The method in [13] was proposed to estimate the new greatest lower bound as [d_il, n – 2], where d_il ≥ 3. Therefore, this method can recover d rapidly if d is a small integer. However, it is still inefficient when d is a large integer. In fact, the aim of the proposed method is to estimate the new least upper bound as [3, d_ir], when d_ir ≤ n – 2. Therefore, if the proposed method is combined with the method in [13], the scope is narrowed, or d ∈ [d_il, d_ir].

2. Related Works

In this section, the overviews of RSA and many techniques to break this algorithm will be mentioned.

2.1 RSA Scheme

RSA [2] is the best well-known public key cryptography. It was proposed by R. Rivest, A. Shamir and L. Adleman in 1977. In fact, RSA’s name is derived from the initial letter of their surnames. RSA is administered by three main processes. The first process is key generation which is the process to create a pair of keys. The procedures in this process are as follows: it is begun by generating two large prime numbers, p and q where p < q, randomly to find the modulus, n = p*q, and Euler totient function, Φ (n) = (p – 1)*(q – 1). The next step is to select the public key, e, that must be in the following condition: 1 < e < Φ (n) and gcd(e, Φ (n)) = 1. After, e is found, the private key, d, can be computed from e*d mod Φ (n) = 1 by using Extended Euclidean Algorithm such as [14], [15], [16]. The second process is the encryption process, which is the process of converting the original plaintext into the ciphertext. The equation is c = m^e mod n, where m is the original plaintext and c is the ciphertext. The last process is the decryption process for recovering the original plaintext by using the following equation: m = c^d mod n.

Private parameters for RSA scheme are p, q, d and Φ (n). Therefore, intruders must locate at least one of them in order to recover m. In fact, for the real situation, they are all strongly allocated to prevent easily attacks. However, RSA may be broken when at least one of the private parameters is vulnerable. In the next topic in the related works section discusses an overview of several attacking algorithms is provided, highlighting how the performance of each algorithm is customized to the various weak points.

2.2 Overviews of some algorithms to break RSA

In fact, there are a variety of algorithms that can be chosen to break RSA whenever its vulnerabilities are discovered.

Wiener’s attack [17] is the technique which was presented by Michael J. Wiener in 1990 to recover d. His theorem relies mostly on the continuous fraction as its mathematical basis.

In addition, Wiener’s attack is particularly effective when \(\begin{aligned}d<\frac{1}{3} n^{\frac{1}{4}}\\\end{aligned}\). Therefore, it implies that the small private key is the weak point of RSA.

Besides, in 1999, D. Boneh and G. Durfee [18] presented the modified version of Wiener’s attack. Although, \(\begin{aligned}d>\frac{1}{3} n^{\frac{1}{4}}\\\end{aligned}\), d is still rapidly recovered whenever d < n^0.292. In order to avoid trapping d by using this method, d should be assigned larger than n^0.292.

In 2017, the technique [10] was presented to accelerate the decryption process of RSA by utilizing the new exponent. In fact, this method has highly performance when d is large, because the new exponent which is mathematically related with d and Φ (n) becomes small. On the other hand, if d is too large, this method may be selected to find d.

Trial division algorithm (TDA) is the method for discovering p and q by for factoring n. It is divided into two techniques. The first way [19] is to select 3 as the initial divisor which is always increased by two when the remainder exists. This approach can quickly discover p and q when p is a small integer, as it is particularly efficient when p is small. Therefore, the small prime factor is also a weakness of RSA. However, \(\begin{aligned}\lfloor\sqrt{n}\rfloor\\\end{aligned}\) is chosen as the first divisor for the second technique [20] and it is always decreased when there is the remainder. Therefore, if p is extremely close to \(\begin{aligned}\lfloor\sqrt{n}\rfloor\\\end{aligned}\), it can be recovered very fast.

Fermat’s Factorization algorithm (FFA) [21] is the factoring method which was proposed by Pierre de Fermat. A composite integer with two prime factors can be represented as the difference between two perfect square integers. In fact, when two prime factors are close in proximity to one another, they can be computed rapidly. Furthermore, other FFA-improved algorithms such as [22], [23], [24], [25], [26] were proposed to increase computation speed.

Pollard’ s p -1 [27] is the method that was presented by J. Pollard in 1974. Assuming that all prime factors of p – 1 or q – 1 are a small integer. This method is extremely efficient in recovering both p and q. That is, another weak point is that all prime factors of p - 1 and q – 1 must be small.

In 2020, the new methodology [28] to recover d was proposed. Assuming that Φ (n) = ad + b where a | b and a | Φ(n), then the original plaintext can be computed by using the following equation: \(\begin{aligned}m=\left(c^{-1}\right)^{\frac{b}{a}}\\\end{aligned}\) mod n. Moreover, this equation can be chosen to apply with brute force attack to find d. The experimental results in the paper showed that when a is large and \(\begin{aligned}\frac{b}{a}\end{aligned}\) is small, a short time to complete the operation is required.

The simplest technique is brute force attack. It can be selected to find d directly to locate one of two prime factors. In general, to limit the scope of d, it must first be analyzed. Due to the fact that Φ (n) is the hidden parameter, the scope of d will be assigned as [3, n – 2] which is a very large range. Moreover, brute force attack can be selected to find d in two ways. The first way is to assign the initial value of d which is equal to the greatest lower bound and it must be increased when it is not certainly the real private key. That mean, this method is suitable for the small private key. On the other hand, the other way is to assign the initial value of d as n – 2 and it is decreased when it is not the target. Therefore, this method is suitable for the high private key.

In the beginning of 2021, the method [13] to estimate the new greatest lower bound which is always equal or larger than 3 was proposed. Assuming that d_il is represented as the new greatest lower bound, it can be calculated by using the following equation: \(\begin{aligned}d_{i l}=\left\lceil\frac{2 n-3}{3 e}\right\rceil\\\end{aligned}\). Therefore, scope of d is reduced to [d_il, n – 2].

2.3 Considering the patterns of p + q

In fact, many methods to analyze the patterns of p + q were proposed. Once all patterns are found, the computation time to recover d is reduced.

Assigning LSG_m(z) is represented as the last m digits of z and LSG(z) is represented as the last digit of z when z ∈¢. In 2017, the methodology [29] to search for all possible values of LSG_m(p) and LSG_m(q) was proposed to find all possible values of LSG_m(p + q) and LSG_m(p – q). However, only LSG_m(p + q) is focused in this paper. Assuming that a pair of LSG_m(p) and LSG_m(q) which LSG_m(LSG_m(p) * LSG_m(q)) = LSG_m(n) is found, either rule 1 or rule 2 is selected to find other pairs.

Rule 1: If LSG(p) = LSG(q), LSG_m((p + 10^m-1)(q + 9*10^m-1)) = LSG_m((p + 9*10^m-1)(q +10^m-1)) = LSG_m(n).

Rule 2: If LSG(p) ≠ LSG(q), there is two odd integers, k₁ and k₂ where k₁, k₂ = 1, 3, 7 or 9 and (LSG(p)*k₂ + LSG(q)*k₁) mod 10 = 0, that LSG_m((p + k₁*10^m-1)(q + k₂*10^m-1)) = LSG_m(n).

Example 1: After using Rule 2, all pairs of LSG₂(p) and LSG₂(q) which LSG₂(LSG₂(p)*LSG₂(q)) = LSG₂(n) = 73 are found as follows: (07, 39), (17, 69), (27, 99), (37, 29), (47, 59), (57, 89), (67, 19), (77, 49), (87, 79), (97, 09), (01, 73), (11, 43), (21, 13), (31, 83), (41, 53), (51, 23), (61, 93), (71, 63), (81, 33), (91, 03)

After all pairs of LSG_m(p) and LSG_m(q) are found, all possible values of LSG_m(p + q) are also calculated by using LSG_m(p + q) = LSG_m(LSG_m(p) + LSG_m(q)).

Example 2: After all pairs of LSG₂(p) and LSG₂(q) which LSG₂(LSG₂(p)*LSG₂(q)) = LSG₂(n) = 73 are found, all possible values of LSG₂(p + q) are as follows:

S = {06, 14, 26, 34, 46, 54, 66, 74, 86, 94}

Where S is set of all possible values of LSG₂(p + q) that LSG₂(LSG₂(p)*LSG₂(q)) = LSG₂(n) = 73

The benefit of S is that it eliminates irrelevant values of this set from the computation, as p + q may not be the actual result.

In fact, the patterns of p + q can be thoroughly analyzed when m is larger.

Furthermore, in 2016, the patterns of \(\begin{aligned}\frac{p+q}{2}\end{aligned}\) [30] are analyzed by considering the forms of n that are divided into three forms. Assuming that a = n mod 4, b = n mod 6 and c = n mod 20, there are 16 patterns of \(\begin{aligned}x=\frac{p+q}{2}\end{aligned}\) which are shown in Table 1.

Table 1. Patterns of \(\begin{aligned}\frac{p+q}{2}\end{aligned}\) that are considered from 3 forms of n

After computing three forms of n, the solution will be found in just one of the cases in Table 1. Therefore, many steps can be eliminated from the computation. In fact, the type of an even or odd number is disclosed from a, the result of x mod 3 is disclosed from b and LSG(x) is known from c.

In [31], the other pattern of p + q is also discovered. It is based on the result of (n + 1) mod 8. In fact, if the result of (n + 1) mod 8 is equal to 0, then the result of (p + q) mod 8 must be also equal to 0. This concept is applicable to a wide variety of brute force attack, as many loops may be omitted when the result of (n + 1) mod 8 is equal to 0.

3. The Proposed Method

In this paper, the new greatest lower bound, d_ir, to find d is proposed. In fact, after the method in [13] was proposed, the position of d must be inside the scope [d_il, n – 2]. That is, the initial value can be assigned as d_il in order to initiate a brute force attack to find d from left to right. On the other hand, this method becomes inefficient when d is large. In this case, using brute force attack to search for d from right to left is more appropriate. That is, the initial value is started as n – 2. However, n – 2 is still far from d which is always less than Φ (n). Therefore, in this paper, d_ir which is always equal to or less than n – 2 is presented.

The information in Fig. 1 shows the parameters associated with RSA on the number line. It implies that d_ir is always equal to or less than n – 2. Therefore, if this value is found, the scope of d is narrowed in which the position of d is certainly at [d_il, d_ir].

Fig. 1. The position of each parameter on number line

Before estimating d_ir, the integer which is equal or larger than Φ(n) must be found. Due to the fact that Φ(n) = (p – 1)*(q – 1) = n – (p + q) + 1, the patterns of p + q should be analyzed to estimate the integer which is close to Φ(n) and is still larger than this value.

From Table 1, it implies that the result of n mod 4 can disclose the result of \(\begin{aligned}\frac{p+q}{2}\end{aligned}\) which is an even number or odd number. However, the result of n mod 20 can also disclose this type. Moreover, the patterns of LSG_m(p + q) are deeper than the patterns analyzed from n mod 20. Therefore, three techniques for analyzing the patterns of p + q from n mod 6, n + 1 mod 8 and LSG_m(n) are selected to find the integer in the condition.

In [31], it shows that the result of (p + q) mod 8 is equal to 0 when (n + 1) mod 8 = 0. However, if (n + 1) mod 8 ≠ 0, it must be also analyzed to find all possible value of (p + q) mod 8.

Theorem 1: The results of (p + q) mod 8 are shown in Table 2, The expansion of [31].

Table 2. The result of (p +q) mod 8

Proof: There are 15 cases as follows:

Case 1: p mod 8 = 1 and q mod 8 = 1

Then, (p*q + 1) mod 8 = ((p mod 8) * (q mod 8) + 1 mod 8) mod 8 = (1*1 + 1) mod 8 = 2

And, (p + q) mod 8 = ((p mod 8) + (q mod 8)) mod 8 = (1 + 1) mod 8 = 2

Case 2: p mod 8 = 1 and q mod 8 = 3 (The same result with p mod 8 = 3 and q mod 8 = 1)

Then, (p*q + 1) mod 8 = (1*3 + 1) mod 8 = 4

And, (p + q) mod 8 = (1 + 3) mod 8 = 4

Case 3: p mod 8 = 1 and q mod 8 = 5 (The same result with p mod 8 = 5 and q mod 8 = 1)

Then, (p*q + 1) mod 8 = (1*5 + 1) mod 8 = 6

And, (p + q) mod 8 = (1 + 5) mod 8 = 6

Case 4: p mod 8 = 1 and q mod 8 = 7 (The same result with p mod 8 = 7 and q mod 8 = 1)

Then, (p*q + 1) mod 8 = (1*7 + 1) mod 8 = 0

And, (p + q) mod 8= (1 + 7) mod 8 = 0

Case 5: p mod 8 = 1 and q mod 8 = 9 (The same result with p mod 8 = 9 and q mod 8 = 1)

Then, (p*q + 1) mod 8 = (1*9 + 1) mod 8 = 2

And, (p + q) mod 8 = (1+ 9) mod 8 = 2

Case 6: p mod 8 = 3 and q mod 8 = 3

Then, (p*q + 1) mod 8 = (3*3 + 1) mod 8 = 2

And, (p + q) mod 8 = (3+ 3) mod 8 = 6

Case 7: p mod 8 = 3 and q mod 8 = 5 (The same result with p mod 8 = 5 and q mod 8 = 3)

Then, (p*q + 1) mod 8 = (3*5 + 1) mod 8 = 0

And, (p + q) mod 8 = (3+ 5) mod 8 = 0

Case 8: p mod 8 = 3 and q mod 8 = 7 (The same result with p mod 8 = 7 and q mod 8 = 3)

Then, (p*q + 1) mod 8 = (3*7 + 1) mod 8 = 6

And, (p + q) mod 8= (3+ 7) mod 8 = 2

Case 9: p mod 8 = 3 and q mod 8 = 9 (The same result with p mod 8 = 9 and q mod 8 = 3)

Then, (p*q + 1) mod 8 = (3*9 + 1) mod 8 = 4

And, (p + q) mod 8= (3+ 9) mod 8 = 4

Case 10: p mod 8 = 5 and q mod 8 = 5

Then, (p*q + 1) mod 8 = (5*5 + 1) mod 8 = 2

And, (p + q) mod 8 = (5+ 5) mod 8 = 2

Case 11: p mod 8 = 5 and q mod 8 = 7 (The same result with p mod 8 = 7 and q mod 8 = 5)

Then, (p*q + 1) mod 8 = (5*7 + 1) mod 8 = 4

And, (p + q) mod 8= (5+ 7) mod 8 = 4

Case 12: p mod 8 = 5 and q mod 8 = 9 (The same result with p mod 8 = 9 and q mod 8 = 5)

Then, (p*q + 1) mod 8 = (5*9 + 1) mod 8 = 6

And, (p + q) mod 8 = (5+ 9) mod 8 = 6

Case 13: p mod 8 = 7 and q mod 8 = 7

Then, (p*q + 1) mod 8 = (7*7 + 1) mod 8 = 2

And, (p + q) mod 8= (7+ 7) mod 8 = 6

Case 14: p mod 8 = 7 and q mod 8 = 9 (The same result with p mod 8 = 9 and q mod 8 = 7)

Then, (p*q + 1) mod 8 = (7*9 + 1) mod 8 = 0

And, (p + q) mod 8 = (7+ 9) mod 8 = 0

Case 15: p mod 8 = 9 and q mod 8 = 9

Then, (p*q + 1) mod 8 = (9*9 + 1) mod 8 = 2

And, (p + q) mod 8 = (9+ 9) mod 8 = 2

Therefore, all results of (p + q) mod 8 are matched with the information in Table 2.

In fact, considering the patterns of (p + q) mod 8, (p + q) mod 3 and LSG_m(p + q) together are the key to find i which must be selected as the variable in theorem 2.

Theorem 2 Assigning i is represented as the distance between the traditional initial value of p + q which is equal to \(\begin{aligned}2\lceil\sqrt{n}\rceil\\\end{aligned}\) and the improved initial value, then

\(\begin{aligned}d \leq\left\lfloor\frac{1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)}{e}\right\rfloor\\\end{aligned}\)

Proof:

From 

Φ (n) = (p – 1)*(q – 1)

= pq – (p + q) + 1 

= n – (p + q) + 1

In general, \(\begin{aligned}p+q \geq 2\lceil\sqrt{n}\rceil\\\end{aligned}\), see in [12]

Then,

\(\begin{aligned}\Phi(n) \leq n-(2\lceil\sqrt{n}\rceil)+1\\\end{aligned}\)

However, after using the technique to analyze all patterns of LSG_m(p + q), (p + q) mod 3 and (p + q) mod 8, then \(\begin{aligned}p+q \geq 2\lceil\sqrt{n}\rceil+i\\\end{aligned}\), therefore

\(\begin{aligned}\Phi(n) \leq n-(2\lceil\sqrt{n}\rceil+i)+1\\\end{aligned}\)

Then,

\(\begin{aligned}\Phi(n) \leq(n-2\lceil\sqrt{n}\rceil-i+1)\\\end{aligned}\)

From, 

ed mod Φ (n) = 1

Hence

ed = 1 + kΦ (n)

Or, 

ed ≈ kΦ (n)

Because, both of e and d is less than Φ (n), it implies that k < e or k ≤ e – 1

Then, 

ed < 1 + eΦ (n)

That means, 

ed ≤ 1 + (e – 1) *Φ (n)

From,

\(\begin{aligned}\Phi(n) \leq(n-2\lceil\sqrt{n}\rceil-i+1)\\\end{aligned}\), then

\(\begin{aligned}e d \leq 1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)\\\end{aligned}\)

Or,

\(\begin{aligned}d \leq \frac{1+(e-1) *(n-2[\sqrt{n}]-i+1)}{e}\\\end{aligned}\)

In fact, d is always an integer,

Therefore,

\(\begin{aligned}d \leq\left\lfloor\frac{1+(e-1) *(n-2[\sqrt{n} \mid-i+1)}{e}\right\rfloor\\\end{aligned}\)

Therefore, assigned d_ir is the new initial value to find d from right to left, it can be estimated by using the following equation:

\(\begin{aligned}d_{i r}=\left\lfloor\frac{1+(e-1) *(n-2[\sqrt{n} \mid-i+1)}{e}\right\rfloor\\\end{aligned}\) (1)

Where, d ≤ d_ir ≤ n -2

Example 3: Assuming n = 167556124362173, e = 3499 and all pairs of LSG₂(p + q) are disclosed as follows: S = {06, 14, 26, 34, 46, 54, 66, 74, 86, 94} (using theorems in [29]), Finding the least upper bound of d by using theorem 2. (The private parameters are p = 24163669, q = 6934217, Φ (n) = 167556093264288 and d = 134178957795523)

Sol.

Before using the equation in theorem 2, the variable, i, must be found,

First, two forms of n must be checked,

Because (167556124362173 + 1) mod 8 = 6, then the result of (p + q) mod 8 = 2, 6.

Furthermore, (p + q) mod 3 must be equal to 0, because 178719335848973 mod 6 = 5.

Next, the initial value of p + q which is equal to \(\begin{aligned}g=2\lceil\sqrt{n}\rceil\\\end{aligned}\) must be calculated, \(\begin{aligned}2[\sqrt{167556124362173}]=25888696\\\end{aligned}\).

Because 25888696 mod 8 = 0, then g = 25888696 + 2 = 25888698

Because 25888698 mod 3 = 0, then g= 25888698

Because LSG₂(25888698) = 98 is not a member in S, then this value is certainly not the real value of p + q. Therefore, it can be reassigned as 25888706. However, 25888706 mod 3 = 2 ≠ 0, then the next value of g should be 25888714. In addition, 25888714 mod 3 = 1 ≠ 0, then the next value of g should be 25888726. However, 25888726 mod 3 = 1 ≠ 0, then the next value of g should be 25888734. In fact, 25888734 mod 3 = 0 and 25888734 mod 8 = 6. Therefore, it is chosen as the new initial value. Furthermore, i can be calculated from i = 25888734 – 25888696 = 38.

From the equation (1),

\(\begin{aligned}d_{i r}=\left\lfloor\frac{1+(e-1) *(n-2[\sqrt{n}\rceil-i+1)}{e}\right\rfloor\\\end{aligned}\)

\(\begin{aligned} d_{i r} & =\left\lfloor\frac{1+(3499-1) *(167556124362173-2\lceil\sqrt{167556124362173}-38+1)}{3499}\right\rfloor \\ & =167508211620489\end{aligned}\\\)

Usually, the tradition initial value to find the private key from right to left is begun as d_r = n – 2 = 167556124362171, that means the distance (s) to find d is decreased as:

\(\begin{aligned}\begin{array}{l}s=\frac{d_{r}-d_{i r}}{2} \\ =\frac{167556124362171-167508211620489}{2} \\ =23956370841\end{array}\\\end{aligned}\)

Therefore, the distance (t_r) between d_ir and d is as follows:

\(\begin{aligned} t_{r} & =\frac{d_{i r}-d}{2} \\ t_{r} & =\frac{167508211620489-134178957795523}{2} \\ & =16664626912483\end{aligned}\\\)

Assuming that the method in [13] is selected to find d, d_il has to be computed from the following equation:

\(\begin{aligned} d_{i l} & =\left\lceil\frac{2 n-3}{3 e}\right\rceil \\ & =\left\lceil\frac{2 * 167556124362173-3}{3 * 3499}\right\rceil \\ & =31924573567\end{aligned}\\\)

Therefore, the distance (t_l) between d_il and d is as follows:

\(\begin{aligned}\begin{array}{l}t_{l}=\frac{d-d_{i l}}{2} \\ =\frac{134178957795523-31924573567}{2} \\ =67073516610978\end{array}\\\end{aligned}\)

Then total loops to find d by using the proposed method is less than the method in [13]. In fact, the reason is that k = 2802 (ed = 2802*Φ (n) + 1) in this example is quite large that is more suitable for the proposed method. On the other hand, it becomes unsuitable for the method in [13] which is highly efficient when k is a small integer.

In addition, the information in example 4 will show the case of e and d that the proposed method can be selected to find d very fast.

Example 4: Assuming n = 1907322773, e = 7603 and all pairs of LSG₂(p + q) are disclosed as follows: S = {06, 14, 26, 34, 46, 54, 66, 74, 86, 94} (using theorems in [29]), Finding the least upper bound of d by using theorem 2. (The private parameters are p = 41981, q = 45433, Φ (n) = 1907235360 and d = 1906984507)

Sol.

Before, using the equation in theorem 2, the variable, i, must be found,

First, two forms of n must be checked,

Because (1907322773 + 1) mod 8 = 6, then the result of (p + q) mod 8 = 2, 6.

Furthermore, (p + q) mod 3 must be equal to 0, because 1907322773 mod 6 = 5.

Next, the initial value of p + q which is equal to \(\begin{aligned}g=2\lceil\sqrt{n}\rceil\\\end{aligned}\) must be calculated, \(\begin{aligned}\lceil 2 \sqrt{1907322773}\rceil=87346\\\end{aligned}\).

Because 87346 mod 8 = 2, then g = 87346

Because 87346 mod 3 = 1, then g should be increased. However, g = 87354 is the minimum integer that is larger than 87346 and this value is still in the case of (p + q) mod 8 = 2 or 6 and (p + q) mod 3 = 0. Therefore, g = 87354.

Because LSG₂(87354) = 54 is already a member in S, therefore, it is chosen as the new initial value. Furthermore, i can be calculated from i = 87354 – 87346 = 8. From the equation in theorem,

\(\begin{aligned}\begin{array}{l} d_{i r}=\left\lfloor\frac{1+(e-1) *(n-2\lceil\sqrt{n}\rfloor-i+1)}{e}\right\rfloor \\ d_{i r}=\left\lfloor\frac{1+(7603-1) *(1907322773-2[\sqrt{1907322773}\rfloor-8+1)}{7603}\right\rfloor \\ =1906984566\end{array}\\\end{aligned}\)

Because d is always an odd integer, then d_ir = 1906984566 – 1 = 1906984565 Therefore, the distance (t_r) between d_ir and d is as follows:

\(\begin{aligned} t_{r} & =\frac{d_{i r}-d}{2} \\ t_{r} & =\frac{1906984565-1906984507}{2} \\ & =29\end{aligned}\\\)

Although, d which is in this example is very large, the distance between the new initial value and the target is only 29. Therefore, it consumes only a little time to recover d. In fact, the reason that the proposed method can recover d very fast is k = 7602 (e*d = 1 + 7602*Φ (n)) that is the maximum value.

Moreover, if \(\begin{aligned}2\lceil\sqrt{n}\rceil+1=p+q\\\end{aligned}\) and k = e – 1, d_ir is certainly equal to d. Therefore, d can be recovered by using the equation (1).

In addition, after d_ir is found, d can be recovered by using algorithm 1.

Algorithm 1 Finding d' by using brute force attack from right to left with the new initial value

Input: d_ir, e, n

Output: d' (d' is possible to be equal to d)

1. Selecting m, 1 < m < n

2. c ← m^e mod n

3. a ← c^-1 mod n

4. a ← a² mod n

5. t ← d_ir

6. h ← c^t mod n

7. i ← 0

8. While h ≠ m do

9. h ← h*a mod n

10. i ← i + 1

11. End While

12. d' ← d_ir – 2*i

In fact, d' is very high possible to be equal to d. However, if d' is not still equal to d, then the loop in line 8 to 10 is required again with the present value of i to find the period value which will be occurred when h becomes to m again. In addition, various unrelated integers will be removed when the period value is found.

Nevertheless, if the position of d is at the middle of [d_il, d_ir], both of the proposed method and the method in [13] are not suitable to recover d, because computation costs are still high.

However, if this event is occurred, d_mid should be selected as the initial value instead of d_il and d_ir. This value can be estimated by using the equation (2).

\(\begin{aligned}d_{m i d}=\frac{d_{i r}+d_{i l}}{2}\\\end{aligned}\)       (2)

Although, d_mid is closer to d than both of d_ir and d_il (when the position of d is at the middle of [d_ir, d_il]), it cannot be confirmed that d_mid is larger or less than d. Therefore, after d_mid is found, both of two ways for brute force attack, (left to right) and (right to left), must be selected to recover d.

Example 5: Assuming n = 1907322773, e = 1441 and all pairs of LSG₂(p + q) are disclosed as follows: S = {06, 14, 26, 34, 46, 54, 66, 74, 86, 94} (using theorems in [29]), Finding the least upper bound of d by using theorem 2. (The private parameters are p = 41981, q = 45433, Φ (n) = 1907235360, k = 675 and d = 893396161)

Sol.

Because i = 8 is already calculated is example 4, d_ir can be estimated as follows:

\(\begin{aligned}\begin{array}{l} d_{i r}=\left\lfloor\frac{1+(e-1) *(n-2\lceil\sqrt{n}\rceil-i+1)}{e}\right\rfloor \\ d_{i r}=\left\lfloor\frac{1+(1441-1) *(1907322773-2\lceil\sqrt{1907322773} \mid-8+1)}{1441}\right\rfloor \\ =1905911870, \text { because } d \text { is always an odd number, therefore, } d_{i r}=1905911869\end{array}\\\end{aligned}\)

Then,

\(\begin{aligned} t_{r} & =\frac{d_{i r}-d}{2} \\ t_{r} & =\frac{1905911869-893396161}{2} \\ & =506257854\end{aligned}\\\)

However, if d_il is selected, it can be estimated as follows:

\(\begin{aligned}\begin{array}{l}d_{i l}=\left\lceil\frac{2 n-3}{3 e}\right\rceil \\ =\left\lceil\frac{2 * 1907322773-3}{3 * 1441}\right\rceil \\ =882408\end{array}\\\end{aligned}\)

Because d is always an odd number, therefore, d_il = 882409

Then,

\(\begin{aligned}\begin{array}{l}t_{l}=\frac{d-d_{i l}}{2} \\ =\frac{893396161-882409}{2} \\ =446256876\end{array}\\\end{aligned}\)

In fact, d_mid can be estimated by using equation (2)

\(\begin{aligned}\begin{array}{l}d_{\text {mid }}=\frac{d_{i r}+d_{i l}}{2} \\ =\frac{1905911869+882409}{2} \\ =953397139\end{array}\\\end{aligned}\)

In this example, d_mid > d, then distance between d_mid and d is as follows:

\(\begin{aligned}\begin{array}{l}t_{\text {mid }}=\frac{d_{\text {mid }}-d}{2} \\ =\frac{953397139-893396161}{2} \\ =30000489\end{array}\\\end{aligned}\)

Where, t_mid is the distance between d_mid and d

However, for the real situation, if d_mid is selected, the process to find d has to execute two ways for brute force attack. Therefore,

t_mid = 2*30000489 

= 60000978

Table 3. Comparison about total distance during three techniques from example 5

The information in example 5 shows that if the position of d is close to the middle of [d_il, d_ir], d_mid which is the center between d_ir and d_il is closer to d than both of d_ir and d_il.

4. Experimental Results

In this section, the experimental results will be mentioned. It is divided into two parts. The first part is to analyze many pairs of e and d which are generated for the single value of n. This part is also divided into two experiments. One is for n which is generated from the same size of p and q. The other is the experiment of n which is generated from the different size of p and q. The second part is the comparison about loops computation to find d during the proposed method and the other algorithms. However, in this part, the weak parameters that respond well to the proposed method are chosen to strongly demonstrate that this method is highly efficient under these conditions.

The information in Table 4 that p and q have the same size (16 bits) shows that the distance to find d can be decreased about 99% whenever k = e – 1, because this value is selected for the proposed equation. Furthermore, for the same value of e – k and this value may be large, the distance will be more reduced when e is larger. The clearly example is shown in 18^th row, 19^th row and 20^th row that the result of e – k = 10. For the 18^th row, that e = 13 is the smallest in this group, the distance is decreased only 10%. However, the distance is decreased 46.57% in 19^th row that the ratio is larger than 18^th row. The reason is that e = 149539 is very larger than e = 19. Furthermore, the distance can be reduced 89.47% in 20^th row, because e = 1658033 is the largest value in comparison to the other values that are generated from the same result of e – k = 10. In fact, the reason that the distance can be more decreased when e is large and the result of e – k is stable will be shown in theorem 3.

Table 4. Considering d_ir from each pair of (e, d) generating from n = 1907322773

Theorem 3 Assuming e₁*d₁ = 1 + k₁*Φ (n), e₂*d₂ = 1 + k₂*Φ (n) where e₁ and e₂ are very large, e₁ > e₂ and e₁ – k₁ = e₂ – k₂ = s then d₁ is always larger than d₂.

Proof: From,

\(\begin{aligned}d=\frac{1+k \Phi(n)}{e}\\\end{aligned}\)

Then, 

\(\begin{aligned}d_{1}=\frac{1+k_{1} \Phi(n)}{e_{1}} \;and \;d_{2}=\frac{1+k_{2} \Phi(n)}{e_{2}}\\\end{aligned}\)

Because, e₁ – k₁ = e₂ – k₂ = s, then k₁ = e₁ – s and k₂ = e₂ – s

Therefore,

\(\begin{aligned}d_{1}=\frac{1+\left(e_{1}-s\right) \Phi(n)}{e_{1}}\; and \;d_{2}=\frac{1+\left(e_{2}-s\right) \Phi(n)}{e_{2}}\\\end{aligned}\)

Because e₁ and e₂ are very large, then \(\begin{aligned}\frac{1}{e_{1}} \approx \frac{1}{e_{2}} \approx 0\\\end{aligned}\)

That mean, \(\begin{aligned}d_{1} \approx \frac{\left(e_{1}-s\right) \Phi(n)}{e_{1}}\; and \; d_{2} \approx \frac{\left(e_{2}-s\right) \Phi(n)}{e_{2}}\\\end{aligned}\)

Because, e₁ > e₂, then \(\begin{aligned}\frac{\left(e_{1}-s\right)}{e_{1}}>\frac{\left(e_{2}-s\right)}{e_{2}}\\\end{aligned}\)

Therefore, d₁ is always larger than d₂ when e₁ – k₁ = e₂ – k₂ = s

In addition, for the proposed equation, if e is very large, then \(\begin{aligned}\frac{(e-1)}{e} \approx 0.999 x x x\\\end{aligned}\). That mean, the scope of all possible values of d_ir is quite narrow. In Table 4, d_ir is during 1900145325 to 1907235359 when e > 269. Therefore, the proposed method is suitable for the case that the distance between e and k is quite far and e is a large number.

However, the ratio of decreased distance becomes small when k is very close to e and e is a large integer. Therefore, if k is very close to e, the proposed method has very high performance when e is small.

Therefore, it implies that the proposed method is suitable to be selected to recover d when one of two following conditions occurs.

1. k is very close to e and e is a small number

2. e and k must be large when the distance between e and k is far.

Furthermore, the information in this table is also shown that all values of d_ir are less than Φ (n) that is demonstrated in Fig. 2.

Fig. 2. The position of each parameter in Table 4 on number line

In Table 5, although bits length of p and q are different, bits length of p and q are 13 and 19 in order, the proposed method is still high performance when characteristics of e and k are in one of two conditions above. However, d_ir may be farther from the target, because (\(\begin{aligned}n-2\lceil\sqrt{n}\rceil-i+1 ?'\\\end{aligned}\) is farther from Φ(n) n when it is compared with the other values of n which are generated from the same size of p and q and are also very close to n.

Table 5. Considering d_ir from each pair of (e, d) generating from n = 3187657073, p = 7193, q = 443161 (p = 13 bits, q = 19 bits)

However, the information in this table is shown that some values of d_ir are larger than Φ (n). Therefore, number of loops to find d are still large when this event is occurred.

Therefore, from the information in Table 4 and Table 5, it implies that d_ir can be estimated well when one of two conditions is happened and the difference between p and q is a little.

In fact, to confirm that the proposed method performs well when the weak points are encountered. It is compared to the other methods to recover d. Then, all results are from the small result of e - k and the difference between p and q is rather minor. Furthermore, the compared methods are brute force attack (searching from right to left), the improved FFA [22], the improved TDA [20] and Pollard’s p – 1.

In Fig. 3, assuming that z is represented as the distance to find d, the information of y-axis is the logarithm of z and x-axis is bits length of modulus. The experimental results show that the distance to recover d by using the proposed method is the smallest. However, the distance from the improved FFA is close to the proposed method, because FFA is also suitable for the small result of p – q.

Fig. 3. Logarithm of total loops for each algorithm

5. Conclusion

This paper presents the new least upper bound on the private key which is always equal or less than the difference between the modulus and 2. In fact, this value is selected as the new initial value for brute force attack by searching for the private key from right to left. That mean, this technique is appropriate for the large private key. Unfortunately, when the difference between the public key and the multiplier of Euler totient function is very small, this method is extremely efficient. However, if the result is high, the public key and the multiplier should be large as well. In addition, this method performs well when p and q is close to each other. Moreover, assuming the position of d is close to scope’s center, selecting the center between the new least upper bound and the greatest lower bound in [13] is preferable alternative. The experimental results demonstrate that if one of the weak points occurs, the proposed method can estimate the new initial value that is extremely close to the private key.