A New Methodology to Find Private Key of RSA Based on Euler Totient Function

The aim of this paper is to present a new methodology for finding the private key of RSA. A new initial value, generated from a new equation, is selected to speed up the process; after this value is found, a brute force attack is used to discover the private key. In the proposed equation, the multiplier of the Euler totient function that relates the public key and the private key is assigned as 1, which implies that the equation estimating the new initial value is suitable for a small multiplier. The experimental results show that if all prime factors of the modulus are larger than 3 and the multiplier is 1, the distance between the initial value and the private key is decreased by about 66%. On the other hand, the distance is decreased by less than 1% when the multiplier is larger than 66. Therefore, to avoid attack by the proposed method, a multiplier larger than 66 should be chosen. Furthermore, it is shown that if the public key equals 3, the multiplier always equals 2.


Introduction:
Nowadays, communication over an open network such as the Internet is very popular because data is transmitted rapidly. However, an open network is an insecure channel, so the security and confidentiality of information become exceedingly important. Cryptography (1), one of the security methods, is a technique that protects information by converting the original message, or plaintext, into an unreadable message, or ciphertext. This is called the encryption process. The ciphertext is transmitted over the channel instead of the plaintext, so intruders cannot understand data captured on the network. After the ciphertext arrives, receivers use the decryption process to recover the original plaintext.
The first generation of cryptography is called symmetric key cryptography (2). The same secret key is selected for both senders and receivers. Advanced Encryption Standard (AES) (1,2) has the highest performance in this group. However, the problem is how to exchange the secret key over an insecure channel. This problem was solved when W. Diffie and M. E. Hellman proposed a new technique called asymmetric key cryptography, or public key cryptography (3), in 1976. A pair of keys, the public key and the private key, is selected for the processes. Nevertheless, this algorithm can be used only for exchanging the secret key. In 1978, RSA (4), the best known public key cryptosystem, was presented by R.L. Rivest, A. Shamir and L. Adleman. RSA can be used to solve many problems such as data encryption, digital signature and key exchange. In addition, if the modulus is a big number, it becomes very difficult to recover both prime numbers by using mathematical techniques such as factoring. However, the difficulty of breaking this system also depends on the type of computer and on updated methods. Therefore, RSA is still very hard to attack.
Assuming all parameters of RSA are strong and a modulus of at least 4096 bits is chosen (5), no one can break RSA in polynomial time. On the other hand, if one of the parameters is weak, RSA may be broken by using some prime numbers (6), a small private key (7,8), a small public key with some disclosed parameters (9), a common modulus attack (10), etc. In this paper, it is shown that if the multiplier, k, of the Euler totient function is very small, the time to break RSA can be decreased by using the proposed method. The proposed method, which is suitable for a small value of k, estimates a new initial value, f, for the private key before finding the private key by brute force attack. In addition, the distance is decreased by about 66% when k equals 1. Furthermore, it is shown that when the public key equals 3 and the prime factors are larger than 3, k always equals 2.

RSA Cryptosystem
RSA is the best known public key cryptosystem. It can be applied to many tasks such as data encryption, digital signature and key exchange. Data encryption is divided into 3 processes as follows:
1) Key Generation: First, two secret prime numbers (p and q), p > q, are randomly generated to compute the modulus, n = p*q, and the Euler totient function, Φ(n) = (p − 1)*(q − 1). Next, the public key, e, is randomly chosen under the condition 1 < e < Φ(n) and gcd(e, Φ(n)) = 1. The last step is to find the private key, d, from ed ≡ 1 mod Φ(n), or ed = 1 + kΦ(n), by using the Extended Euclidean algorithm (11,12). The published parameters are {e, n} and the secret parameters are {d, Φ(n), p, q}.
2) Encryption process: Assuming m is represented as plaintext, the encryption equation is: where c is ciphertext which will be sent to receiver.
3) Decryption process: After c is arrived, m is recovered by using the decryption equation:
However, for digital signature (13,14), the process is different from data encryption. Assuming z is represented as a hash value of the signature and h is the signed text. Therefore, h is computed from the following equation: In addition, the equation to verify the signed text is shown in the equation (4):

Exploit parameters to break RSA
In this section, the techniques to break RSA are presented. In fact, RSA is simply attacked when some parameters are weak.

Factoring
If n is factored, p and q are disclosed. After that, d can be easily recovered. In fact, it is very difficult to find p and q from an n of at least 4096 bits when both of them are strong parameters. On the other hand, RSA becomes insecure when the prime factors are weak parameters, because they can be found by using some factoring algorithms. Examples of factorization algorithms are as follows:
1) Trial division algorithm (TDA) (15,16) is the simplest algorithm. It chooses 3 as the first divisor and increases it by 2 whenever the division leaves a remainder. Therefore, TDA is suitable for a small value of q. In addition, there is a different technique (17) to implement TDA by changing the sequence of divisors: the value of √n is selected as the first divisor and it is decreased by 2 whenever the division leaves a remainder. In fact, √n is very close to p and q when p − q is small.

2) Fermat's Factorization algorithm (FFA) (18,19,20,21) was discovered by P. de Fermat in 1600. He found that n can be rewritten as the difference between two perfect square numbers which are mathematically related to p and q. In fact, FFA can find p and q very fast when the result of p − q is small.

3) Pollard's p − 1 (22,23) was proposed by J. Pollard in 1974. Fermat's little theorem (24) is the main theorem of this algorithm. In fact, Pollard's p − 1 has a very high performance when all prime factors of p − 1 or q − 1 are small.

4) Generalized Trial Division (25) was presented by M. Sahin. The technique behind this algorithm is to find the result of gcd(x, n), where x   , which does not equal 1, because it is one of two prime factors of n. In fact, ip and jq, where i, j   , 1 < i < q and 1 < j < p, are all integers that gcd(ip, n) = p and gcd(jq, n) = q.

Wiener's attack
In 1990, M. Wiener (7,8) showed that d can be recovered very simply by using continued fractions to find

Hastad Broadcasting Attack
Hastad Broadcasting Attack (9) is the technique to find d when e = 3. The condition for this method to finish the process is that the same message must be selected to be encrypted with e = 3 and the different values of modulus. For example, c₁ = m^e mod n₁, c₂ = m^e mod n₂ and c₃ = m^e mod n₃. Then, m can be recovered by using Chinese Remainder Theorem (CRT) (27,28).

Common Modulus Attack
Common Modulus Attack (10) is the idea to find m when it is encrypted two times with different public keys and common modulus, from c₁ = m^(e₁) mod n and c₂ = m^(e₂) mod n, where gcd(e₁, e₂) = 1.

Partial Key Exposure attack
Assuming x is represented as bit length of n and the x/4 least significant bits of d is disclosed. The technique which is called Partial Key Exposure attack (10) can be chosen to recover d.

Brute force Attack
In fact, d should be assigned in the following condition, 1 < d < Φ(n), and it is always an odd number. Therefore, the concept of brute force attack is to find d by choosing d = 3 as the first value to compute t = ed mod Φ(n). If t = 1, then d is the private key. On the other hand, d must be increased by 2 when the result is not equal to 1 until the correct answer is found.

The proposed method to attack RSA
In this paper, a new method to recover d in order to attack RSA is proposed. The key is to find an integer (f), where 3 < f < d, to be a new initial value instead of 3 for brute force attack. In general, if brute force attack is selected to find d, then the initial value is begun as 3. On the other hand, if f is chosen as an initial value, then the distance between f and d is decreased when it is compared with the distance between 3 and d. In fact, f can be estimated by finding the smallest integer which is possible to be Φ(n).

Lemma 1
The highest value of p + q is 3 + n/3.
Proof: Because p > q, then assigning p = √n + a and q = √n − b, where a, b   So, p*q = (√n + a)*(√n − b) = n + a√n − b√n − ab. Because n = p*q, then a√n − b√n − ab = 0. That means it implies that a is always larger than b. Therefore, assuming n is very close to p'*q', where p' = p + x, q' = q − y and x, y   , the result of p' + q' must be larger than p + q. The reason is that x is always larger than y. Because 3 is the smallest prime number which is an odd integer and the result of 3* In fact, k   , that means the minimum of k is 1.
Assuming k = 1, then ed > 1 + n − (3 + The information in Fig. 1 is shown that the distance between d and f is smaller than the distance between d and 3. From both Examples 1 and 2, it implies that the difference between d and f in example 2 is very high when it is compared with the result in example 1. The reason is that k in example 2 is larger than the same parameter in example 1. In fact, the proposed technique is suitable for small value of k, because k = 1 is assigned in Theorem 1. Moreover, it is highly efficient with small value of q, because q = 3 is assigned in the same theorem. In general, k should be assigned as 1, because it is unknown value. However, in the next section, it is shown that if e = 3 and q > 3, then k always equals 2. Therefore, f can be expanded when the parameters are fallen in this case. That means, d is always larger than Φ(n) when k is higher than 2. However, it is impossible to occur. Therefore, assigning e = 3, the result which is fallen in range during 3 to Φ(n) must be generated from k = 1 or 2. In addition, it is shown in Table 1 that k = 2, k = 5 and k = 8 has the same value of d when e = 3 and n = 174279334060020221413.
Assuming k = 2, Therefore, it is possible to be occurred.
Assuming k = 1, Therefore, it is possible to occur. Therefore, if e = 3 and gcd(e, Φ(n)) = 1, then only k = 1 or 2 can be chosen to generate different value of d.

Figure 3. Some of parameters in example 3 on Number Line
From Fig. 3, f' which is about 2f is chosen to be a new initial value of d.
In fact, f' can be estimated as 2f when e = 3 and q > 3 are selected as parameters of RSA algorithm.
In addition, if RSA is chosen for digital signature, both z and h must be disclosed. Moreover, h can be also recovered by using the following equation: In fact, z is always recovered by using equation (6), because t = h*z^(−(d−1)) mod n = z^d * z^(−(d−1)) mod n = z. However, it is not necessary to compute d − 1 times of the multiplication. The process to find d is improved as follows: First, the process to find u, u = c * z^(−f) mod n (7) And find t from, Therefore, it requires only d − f − 1 times of modular multiplication and 1 times of modular exponentiation. In addition, loops of modular multiplication decreased as .
Assuming RSA is applied with digital signature, then both z and h can be found. On the other hand, only c will be known when RSA is chosen for data encryption. Because both of original plaintext and ciphertext must be chosen for the proposed algorithm, the proposed method can be chosen to find d when RSA is applied with digital signature.
2. IF f is an even number then
3. z ← h^e mod n
6. t ← h * u^f mod n
8. While t ≠ z do
10. t ← t * u mod n
11. d ← f + i − 1
Output: d

Experimental Results and Analysis
The aim of this section is to consider the performance of f which is generated from different values of k. The experiment is divided into 4 tables: Table 1 is the considering f from n = 174279334060020221413, which is the modulus from examples 1 to 3; Table 2 is to consider n = 10813049747177129789 (p = 85142123993520707, q = 127 and Φ(n) = 10727907623183608956). The difference between Table 1 and Table 2 is the aspect of p − q. The result of p − q is small in Table 1 but it is high in Table 2; Table 3
The results from Table 1, Table 2 and Table 3 imply that:
1) The ratio between the decreased distance, df, and d is quite stable for the same value of k when d = (1 + kΦ(n))/e < Φ(n).
2) In fact, an exception is occurred when d > Φ(n), because d must be decreased in the following condition, 1 < d < Φ(n), and it also decreases value of k. Therefore, the ratio of this case is similar to the same pair of (e, d) which is generated from a smaller value of k. The example that the same pair of (e, d) can be generated from the different values of k, k = 2, k = 5 and k = 8, and the ratio of them are 33% is shown in 4th row, 11th row and 16th row of Table 1.
3) The size of e does not affect the ratio; it is shown in the 2nd Row and the 3rd Row that although e is alternated with d, the ratio is not changed. In fact, only size of k affects the ratio.
4) The maximum decreased distance is 66% for all the values of q > 3 and k = 1.
5) The ratio that is less than 1% is begun at k > 66. Therefore, to avoid attacking by using the proposed method k > 66.
6) From Theorem 2 and the results in Table 1, Table 2 and Table 3, it implies that d is rapidly recovered when e = 3, because k is stable (k = 2) and the ratio is always 33%. Therefore, we can estimate 99% of the ratio by using the equation
In Table 4, q = 3 (n = 24473764731015097203, p = 8157921577005032401 and Φ(n) = 16315843154010064800) is chosen for the experiment to consider the performance of f. The reason is that q = 3 is assigned with the main equation in Theorem 1.
The results in Table 4 imply that, 1) f = d when k = 1, because q = 3 is chosen in the experiment.
2) For the same value of k, the ratio considered from q = 3 is always larger than the others which are generated from q > 3.
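The relationships reported above can be checked from a key's own parameters. The following is an added example, not code from the paper: it audits a key pair by computing k, a starting value f and the fraction of the distance between 3 and d that f removes. The bound Φ(n) ≥ 2n/3 − 2 (from p + q ≤ 3 + n/3), the rounding of f, the function names and the primes 104729, 7919, 65537, 11 and 3 are assumptions made here; the Table 2 primes are the page's.

```python
from math import gcd

def phi_floor(n):
    # Assumed bound: with both primes >= 3, p + q <= 3 + n/3 (Lemma 1),
    # so phi(n) = n - (p + q) + 1 >= 2n/3 - 2, rounded up to an integer.
    return -(-(2 * n - 6) // 3)

def initial_value(n, e, k=1):
    # Lower bound on d from ed = 1 + k*phi(n), valid while k <= the true multiplier.
    f = -(-(1 + k * phi_floor(n)) // e)      # ceil((1 + k*phi_min) / e)
    return f if f % 2 else f - 1             # d is odd; stay at or below the bound

def audit(p, q, e, k_assumed=1):
    """Report how much of the search from 3 up to d the starting value f removes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)                      # private exponent (Python 3.8+)
    k = (e * d - 1) // phi                   # multiplier in ed = 1 + k*phi(n)
    f = initial_value(n, e, k_assumed)
    saved = (f - 3) / max(d - 3, 1)          # fraction of the distance 3..d skipped
    # "exposed" uses the page's 1% figure as the threshold.
    return {"n": n, "d": d, "k": k, "f": f, "bound_holds": f <= d,
            "saved": saved, "exposed": f <= d and saved >= 0.01}

# Constructed sample keys, except the last entry, which uses the page's Table 2 primes.
SAMPLES = [
    ("q > 3, k = 1", 104729, 7919, 5),
    ("e = 3, q > 3", 104729, 65537, 3),
    ("e = 3, q = 3", 11, 3, 3),
    ("Table 2 modulus", 85142123993520707, 127, 5),
]

if __name__ == "__main__":
    for label, p, q, e in SAMPLES:
        r = audit(p, q, e)
        print(f"{label:16} k={r['k']:<2} f={r['f']} d={r['d']} saved={r['saved']:.1%}")
```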
In addition, the proposed method will be compared with some other algorithms. In general, the prominent point of each method is different from each other. However, k = 1 and a small private key are assigned for all values in Fig. 1 to ensure that the proposed method is efficient when k is small. There are 4 compared methods as follows:
1) Brute force attack that the initial value is 3, this method is efficient when d is small.
2) The improvement of FFA in (21), this method is efficient when the result of p − q is close to 0.
3) The improvement of TDA in (17), this method is efficient when q is close to √n.
4) Pollard's p − 1, this method is efficient when all prime factors of p − 1 or q − 1 are small.
Assuming l is represented as total loops to finish the process of each algorithm, Fig. 4 shows the result of log₁₀(l) from the proposed method and all compared methods. The experimental results show that the proposed method requires the smallest loops when k equals 1 and d is small. On the other hand, it cannot guarantee that the proposed method is the most efficient algorithm whenever k and d are not assigned in the conditions suitable for this method.
Therefore, the conclusion is that the proposed method is a special proposed method that is suitable for the small values of k and d.

Conclusion:
In this paper, the new technique to recover the private key (d) is proposed by estimating the new initial value, f, before using brute force attack.
In fact, f can be computed by choosing the smallest value which may be Euler totient function, Φ(n), instead of the real value of Φ(n) and selecting 1 instead of k. The method is suitable for the small value of k, especially k equals 1. In fact, assuming a prime factor (q) is higher than 3 and k equals 1, the distance between f and d decreased about 66%. On the other hand, the decreased distance is less than 1% when k is larger than 66. Therefore, to avoid attacking RSA by using the proposed technique, k should be assigned very large. Furthermore, d which is computed from (1 + kΦ(n))/e must be less than Φ(n). In addition, it is shown that k always equals 2 when e equals 3. However, if e and q equal 3, then k always equals 1.