Implicit Factoring with Shared Most Significant and Middle Bits

We study the problem of integer factoring given

implicit

information of a special kind. The problem is as follows: let

N

1

 = 

p

1

q

1

and

N

2

 = 

p

2

q

2

be two RSA moduli of same bit-size, where

q

1

,

q

2

are

α

-bit primes. We are given the

implicit

information that

p

1

and

p

2

share

t

most significant bits. We present a novel and rigorous lattice-based method that leads to the factorization of

N

1

and

N

2

in polynomial time as soon as

t

 ≥ 2

α

 + 3. Subsequently, we heuristically generalize the method to

k

RSA moduli

N

i

 = 

p

i

q

i

where the

p

i

’s all share

t

most significant bits (MSBs) and obtain an improved bound on

t

that converges to

t

 ≥ 

α

 + 3.55... as

k

tends to infinity. We study also the case where the

k

factors

p

i

’s share

t

contiguous bits in the middle and find a bound that converges to 2

α

 + 3 when

k

tends to infinity. This paper extends the work of May and Ritzenhofen in [9], where similar results were obtained when the

p

i

’s share least significant bits (LSBs). In [15], Sarkar and Maitra describe an alternative but heuristic method for only two RSA moduli, when the

p

i

’s share LSBs and/or MSBs, or bits in the middle. In the case of shared MSBs or bits in the middle and two RSA moduli, they get better experimental results in some cases, but we use much lower (at least 23 times lower) lattice dimensions and so we obtain a great speedup (at least 10

3

faster). Our results rely on the following surprisingly simple algebraic relation in which the shared MSBs of

p

1

and

p

2

cancel out:

q

1

N

2

 − 

q

2

N

1

 = 

q

1

q

2

(

p

2

 − 

p

1

). This relation allows us to build a lattice whose shortest vector yields the factorization of the

N

i

’s.