Show Summary Details
More options …

# Journal of Mathematical Cryptology

Managing Editor: Magliveras, Spyros S. / Steinwandt, Rainer / Trung, Tran

Editorial Board Member: Blackburn, Simon R. / Blundo, Carlo / Burmester, Mike / Cramer, Ronald / Dawson, Ed / Gilman, Robert / Gonzalez Vasco, Maria Isabel / Grosek, Otokar / Helleseth, Tor / Kim, Kwangjo / Koblitz, Neal / Kurosawa, Kaoru / Lauter, Kristin / Lange, Tanja / Menezes, Alfred / Nguyen, Phong Q. / Pieprzyk, Josef / Rötteler, Martin / Safavi-Naini, Rei / Shparlinski, Igor E. / Stinson, Doug / Takagi, Tsuyoshi / Williams, Hugh C. / Yung, Moti

4 Issues per year

CiteScore 2016: 0.74

SCImago Journal Rank (SJR) 2016: 0.463
Source Normalized Impact per Paper (SNIP) 2016: 0.778

Mathematical Citation Quotient (MCQ) 2016: 0.16

Online
ISSN
1862-2984
See all formats and pricing
More options …
Volume 11, Issue 2 (Jun 2017)

# Cryptanalysis of an RSA variant with moduli N=prql

Yao Lu
/ Liqiang Peng
/ Santanu Sarkar
Published Online: 2017-05-16 | DOI: https://doi.org/10.1515/jmc-2016-0025

## Abstract

In this paper we study an RSA variant with moduli of the form $N={p}^{r}{q}^{l}$ ($r>l\ge 2$). This variant was mentioned by Boneh, Durfee and Howgrave-Graham [2]. Later Lim, Kim, Yie and Lee [11] showed that this variant is much faster than the standard RSA moduli in the step of decryption procedure. There are two proposals of RSA variants when $N={p}^{r}{q}^{l}$. In the first proposal, the encryption exponent e and the decryption exponent d satisfy $ed\equiv 1mod{p}^{r-1}{q}^{l-1}\left(p-1\right)\left(q-1\right)$, whereas in the second proposal $ed\equiv 1mod\left(p-1\right)\left(q-1\right)$. We prove that for the first case if $d<{N}^{1-\left(3r+l\right){\left(r+l\right)}^{-2}}$, one can factor N in polynomial time. We also show that polynomial time factorization is possible if $d<{N}^{\left(7-2\sqrt{7}\right)/\left(3\left(r+l\right)\right)}$ for the second case. Finally, we study the case when few bits of one prime are known to the attacker for this variant of RSA. We show that given $\mathrm{min}\left(\frac{l}{r+l},\frac{2\left(r-l\right)}{r+l}\right){\mathrm{log}}_{2}p$ least significant bits of one prime, one can factor N in polynomial time.

Keywords: Coppersmith’s method; lattices; RSA; RSA variants

MSC 2010: 94A60

## References

• [1]

D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than ${N}^{0.292}$, IEEE Trans. Inform. Theory 46 (2000), no. 4, 1339–1349. Google Scholar

• [2]

D. Boneh, G. Durfee and N. Howgrave-Graham, Factoring $N={p}^{r}q$ for large r, Advances in Cryptology – CRYPTO 1999, Lecture Notes in Comput. Sci. 1666, Springer, Berlin (1999), 787–787. Google Scholar

• [3]

D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptologyy 10 (1997), no. 4, 233–260. Google Scholar

• [4]

J. S. Coron, J. C. Faugère, G. Renault and R. Zeitoun, Factoring $N={p}^{r}{q}^{s}$ for large r and s, Topics in Cryptology – CT-RSA 2016, Lecture Notes in Comput. Sci. 9610, Springer, Berlin (2016), 448–464; https://eprint.iacr.org/2015/071.

• [5]

M. Herrmann and A. May, Solving linear equations modulo divisors: On factoring given any bits, Advances in Cryptology – ASIACRYPT 2008, Lecture Notes in Comput. Sci. 5350, Springer, Berlin (2008), 406–424. Google Scholar

• [6]

M. Herrmann and A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, Public Key Cryptography – PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 53–69. Google Scholar

• [7]

N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Crytography and Coding – IMACC 1997, Lecture Notes in Comput. Sci. 1355, Springer, Berlin (1997), 131–142. Google Scholar

• [8]

K. Itoh, N. Kunihiro and K. Kurosawa, Small secret key attack on a variant of RSA (due to Takagi), Topics in Cryptology – CT-RSA 2008, Lecture Notes in Comput. Sci. 4964, Springer, Berlin (2008), 387–406. Google Scholar

• [9]

N. Kunihiro, N. Shinohara and T. Izu, A unified framework for small secret exponent attack on RSA, Selected Areas in Cryptography – SAC 2011, Lecture Notes in Comput. Sci. 7118, Springer, Berlin (2012), 260–277. Google Scholar

• [10]

A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534. Google Scholar

• [11]

S. Lim, S. Kim, I. Yie and H. Lee., , Progress in Cryptology – INDOCRYPT 2000, Lecture Notes in Comput. Sci. 1977, Springer, Berlin (2000), 283–294. Google Scholar

• [12]

Y. Lu, R. Zhang and D. Lin, Factoring multi-power RSA modulus $N={p}^{r}q$ with partial known bits, Information Security and Privacy – ACISP 2013, Lecture Notes in Comput. Sci. 7959, Springer, Berlin (2013), 57–71. Google Scholar

• [13]

Y. Lu, R. Zhang, L. Peng and D. Lin, Solving linear equations modulo unknown divisors: revisited, Advances in Cryptology – ASIACRYPT 2015, Lecture Notes in Comput. Sci. 9452, Springer, Berlin (2015), 189–213; https://eprint.iacr.org/2014/343.

• [14]

A. May, Secret exponent attacks on RSA-type schemes with moduli $N={p}^{r}q$, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 218–230. Google Scholar

• [15]

T. Okamoto and S. Uchiyama, A new public-key cryptosystem as secure as factoring, Advances in Cryptology – EUROCRYPT 1998, Lecture Notes in Comput. Sci. 1403, Springer, Berlin (1998), 308–318. Google Scholar

• [16]

R. Rivest and A. Shamir, Efficient factoring based on partial information, Advances in Cryptology – EUROCRYPT 1985, Lecture Notes in Comput. Sci. 219, Springer, Berlin (1986), 31–34. Google Scholar

• [17]

S. Sarkar, Small secret exponent attack on RSA variant with modulus $N={p}^{r}q$, Des. Codes Cryptogr. 73 (2014), no. 2, 383–392. Google Scholar

• [18]

T. Takagi, Fast RSA-type cryptosystems using n-adic expansion, Advances in Cryptology – CRYPTO 1997, Lecture Notes in Comput. Sci. 1294, Springer, Berlin (1997), 372–384. Google Scholar

• [19]

T. Takagi, Fast RSA-type cryptosystem modulo ${p}^{k}q$, Advances in Cryptology – CRYPTO 1998, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 318–326. Google Scholar

• [20]

M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553–558.

• [21]

The EPOC and the ESIGN Algorithms, IEEE P1363: Protocols from other families of Public-Key algorithms, 1998, http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html.

Revised: 2017-01-18

Accepted: 2017-04-23

Published Online: 2017-05-16

Published in Print: 2017-06-01

Funding Source: National Natural Science Foundation of China

Award identifier / Grant number: 61472417

Yao Lu is supported by Project CREST, JST and Liqiang Peng is supported by the National Key Basic Research Program of China (Grant 2013CB834203) and the National Natural Science Foundation of China (Grant 61472417).

Citation Information: Journal of Mathematical Cryptology, ISSN (Online) 1862-2984, ISSN (Print) 1862-2976,

Export Citation

© 2017 Walter de Gruyter GmbH, Berlin/Boston.