Implicit Factoring with Shared Most Significant and Middle Bits

We study the problem of integer factoring given implicit information of a special kind. The problem is as follows: let N1 = p1q1 and N2 = p2q2 be two RSA moduli of same bit-size, where q1,q2 are α-bit primes. We are given the implicit information that p1 and p2 share t most significant bits. We present a novel and rigorous lattice-based method that leads to the factorization of N1 and N2 in polynomial time as soon as t ≥ 2α +3. Subsequently, we heuristically generalize the method to k RSA moduli Ni = piqi where the pi’s all share t most significant bits (MSBs) and obtain an improved bound on t that converges to t ≥ α +3.55 . . . as k tends to infinity. We study also the case where the k factors pi’s share t contiguous bits in the middle and find a bound that converges to 2α + 3 when k tends to infinity. This paper extends the work of May and Ritzenhofen in [9], where similar results were obtained when the pi’s share least significant bits (LSBs). In [15], Sarkar and Maitra describe an alternative but heuristic method for only two RSA moduli, when the pi’s share LSBs and/or MSBs, or bits in the middle. In the case of shared MSBs or bits in the middle and two RSA moduli, they get better experimental results in some cases, but we use much lower (at least 23 times lower) lattice dimensions and so we obtain a great speedup (at least 103 faster). Our results rely on the following surprisingly simple algebraic relation in which the shared MSBs of p1 and p2 cancel out: q1N2− q2N1 = q1q2(p2− p1). This relation allows us to build a lattice whose shortest vector yields the factorization of the Ni’s.