Minkowski sum based lattice construction for solving simultaneous modular equations and applications to RSA

We investigate a lattice construction method for the Coppersmith technique for finding small solu-tions of a modular equation. We consider its variant for simultaneous equations and propose a methodto construct a lattice by combining lattices for solving single equations. As applications, we consider(i) a new RSA cryptanalysis for multiple short secret exponents, (ii) its partial key exposure situation,and (iii) investigating the hardness of finding a certain amount of LSBs of the RSA secret exponent.More precisely, our algorithm can factor an RSA modulus from l ≥ 2 pairs of RSA public exponentswith the common modulus corresponding to secret exponents smaller than N (9l−5)/(12l+4), which im-proves on the previously best known result N (3l−1)/(4l+4) by Sarkar and Maitra [41, 42]. For partialkey exposure situation, we also can factor the modulus if β − δ/2 + 1/4 < (3l − 1)(3l + 1), whereβ and δ are bit-lengths /n of the secret exponent and its exposed LSBs, respectively. Particularly,letting β = 1, which means that the secret exponent is full-sized, the necessary amount of exposedbits is [5/2− 2(3l− 1)/(3l+ 1)]n, which is less than n for l ≥ 3. Suppose we have an algorithm thatrecovers the above amount of d from e and N satisfying e ≈ N . We showed that N can be factored inpolynomial time in logN under a heuristic assumption that the Coppersmith technique works. Whenl becomes large, the necessary amount becomes 0.5n bits. Hence, we conclude that recovering thelower half of LSBs of d is polynomial time equivalent to the factoring under the heuristic assumption.From the last result, we propose a half-amount conjecture that roughly, factoring RSA modulus ispolynomial-time equivalent to any continued bits of secret information such as p, q, d, p + q and p − q(or dp and dq for RSA-CRT). It is supported from several results, e.g., Coppersmith [12] shows thatrecovering the upper half of p is equivalent to factoring.