A Method for Solving Generalized Implicit Factorization Problem

Abstract

The problem of factoring RSA moduli with the implicit hint was firstly proposed by May and Ritzenhofen at PKC’09 where unknown prime factors of several RSA moduli shared some number of least significant bits (LSBs), and was later considered by Faugère et al. where some most significant bits (MSBs) were shared between the primes. Recently, Nitaj and Ariffin proposed a generalization of the implicit factorization problem. Let \( {\text{N}}_{1} = {\text{p}}_{1} {\rm{q}}_{1} \) and \( {\text{N}}_{2} = {\text{p}}_{2} {\rm{q}}_{2} \) be two distinct RSA moduli, Nitaj and Ariffin showed that when \( {\text{a}}_{1} {\rm{p}}_{1} \) and \( {\text{a}}_{2} {\rm{p}}_{2} \) share enough bits, \( {\text{N}}_{1} , {\rm{N}}_{2} \) can be factored in polynomial time, where \( {\text{a}}_{1} \) and \( {\text{a}}_{2} \) are some unknown positive integers. They also extended their work to the case of \( k\left( { \ge 3} \right) \) moduli. In this paper, we revisit Nitaj-Ariffin’s work and transform the problem into solving small roots of a modular equation. Then by utilizing Coppersmith’s method, for the case of two moduli we improve Nitaj-Ariffin’s result when the unknowns \( {\text{a}}_{1} ,{\rm{a}}_{2} \) are relatively small, and our result is always better than Nitaj-Ariffin’s result for the case of \( k\left( { \ge 3} \right) \) moduli.