Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Journal of Mathematical Cryptology

Managing Editor: Magliveras, Spyros S. / Steinwandt, Rainer / Trung, Tran

Editorial Board: Blackburn, Simon R. / Blundo, Carlo / Burmester, Mike / Cramer, Ronald / Gilman, Robert / Gonzalez Vasco, Maria Isabel / Grosek, Otokar / Helleseth, Tor / Kim, Kwangjo / Koblitz, Neal / Kurosawa, Kaoru / Lauter, Kristin / Lange, Tanja / Menezes, Alfred / Nguyen, Phong Q. / Pieprzyk, Josef / Rötteler, Martin / Safavi-Naini, Rei / Shparlinski, Igor E. / Stinson, Doug / Takagi, Tsuyoshi / Williams, Hugh C. / Yung, Moti

CiteScore 2017: 1.43

SCImago Journal Rank (SJR) 2017: 0.293
Source Normalized Impact per Paper (SNIP) 2017: 1.117

Mathematical Citation Quotient (MCQ) 2017: 0.51

See all formats and pricing
More options …
Volume 11, Issue 2


Cryptanalysis of an RSA variant with moduli N=prql

Yao Lu / Liqiang Peng / Santanu Sarkar
Published Online: 2017-05-16 | DOI: https://doi.org/10.1515/jmc-2016-0025


In this paper we study an RSA variant with moduli of the form N=prql (r>l2). This variant was mentioned by Boneh, Durfee and Howgrave-Graham [2]. Later Lim, Kim, Yie and Lee [11] showed that this variant is much faster than the standard RSA moduli in the step of decryption procedure. There are two proposals of RSA variants when N=prql. In the first proposal, the encryption exponent e and the decryption exponent d satisfy ed1modpr-1ql-1(p-1)(q-1), whereas in the second proposal ed1mod(p-1)(q-1). We prove that for the first case if d<N1-(3r+l)(r+l)-2, one can factor N in polynomial time. We also show that polynomial time factorization is possible if d<N(7-27)/(3(r+l)) for the second case. Finally, we study the case when few bits of one prime are known to the attacker for this variant of RSA. We show that given min(lr+l,2(r-l)r+l)log2p least significant bits of one prime, one can factor N in polynomial time.

Keywords: Coppersmith’s method; lattices; RSA; RSA variants

MSC 2010: 94A60


  • [1]

    D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than N0.292, IEEE Trans. Inform. Theory 46 (2000), no. 4, 1339–1349. Google Scholar

  • [2]

    D. Boneh, G. Durfee and N. Howgrave-Graham, Factoring N=prq for large r, Advances in Cryptology – CRYPTO 1999, Lecture Notes in Comput. Sci. 1666, Springer, Berlin (1999), 787–787. Google Scholar

  • [3]

    D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptologyy 10 (1997), no. 4, 233–260. Google Scholar

  • [4]

    J. S. Coron, J. C. Faugère, G. Renault and R. Zeitoun, Factoring N=prqs for large r and s, Topics in Cryptology – CT-RSA 2016, Lecture Notes in Comput. Sci. 9610, Springer, Berlin (2016), 448–464; https://eprint.iacr.org/2015/071.

  • [5]

    M. Herrmann and A. May, Solving linear equations modulo divisors: On factoring given any bits, Advances in Cryptology – ASIACRYPT 2008, Lecture Notes in Comput. Sci. 5350, Springer, Berlin (2008), 406–424. Google Scholar

  • [6]

    M. Herrmann and A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, Public Key Cryptography – PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 53–69. Google Scholar

  • [7]

    N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Crytography and Coding – IMACC 1997, Lecture Notes in Comput. Sci. 1355, Springer, Berlin (1997), 131–142. Google Scholar

  • [8]

    K. Itoh, N. Kunihiro and K. Kurosawa, Small secret key attack on a variant of RSA (due to Takagi), Topics in Cryptology – CT-RSA 2008, Lecture Notes in Comput. Sci. 4964, Springer, Berlin (2008), 387–406. Google Scholar

  • [9]

    N. Kunihiro, N. Shinohara and T. Izu, A unified framework for small secret exponent attack on RSA, Selected Areas in Cryptography – SAC 2011, Lecture Notes in Comput. Sci. 7118, Springer, Berlin (2012), 260–277. Google Scholar

  • [10]

    A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534. Google Scholar

  • [11]

    S. Lim, S. Kim, I. Yie and H. Lee., , Progress in Cryptology – INDOCRYPT 2000, Lecture Notes in Comput. Sci. 1977, Springer, Berlin (2000), 283–294. Google Scholar

  • [12]

    Y. Lu, R. Zhang and D. Lin, Factoring multi-power RSA modulus N=prq with partial known bits, Information Security and Privacy – ACISP 2013, Lecture Notes in Comput. Sci. 7959, Springer, Berlin (2013), 57–71. Google Scholar

  • [13]

    Y. Lu, R. Zhang, L. Peng and D. Lin, Solving linear equations modulo unknown divisors: revisited, Advances in Cryptology – ASIACRYPT 2015, Lecture Notes in Comput. Sci. 9452, Springer, Berlin (2015), 189–213; https://eprint.iacr.org/2014/343.

  • [14]

    A. May, Secret exponent attacks on RSA-type schemes with moduli N=prq, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 218–230. Google Scholar

  • [15]

    T. Okamoto and S. Uchiyama, A new public-key cryptosystem as secure as factoring, Advances in Cryptology – EUROCRYPT 1998, Lecture Notes in Comput. Sci. 1403, Springer, Berlin (1998), 308–318. Google Scholar

  • [16]

    R. Rivest and A. Shamir, Efficient factoring based on partial information, Advances in Cryptology – EUROCRYPT 1985, Lecture Notes in Comput. Sci. 219, Springer, Berlin (1986), 31–34. Google Scholar

  • [17]

    S. Sarkar, Small secret exponent attack on RSA variant with modulus N=prq, Des. Codes Cryptogr. 73 (2014), no. 2, 383–392. Google Scholar

  • [18]

    T. Takagi, Fast RSA-type cryptosystems using n-adic expansion, Advances in Cryptology – CRYPTO 1997, Lecture Notes in Comput. Sci. 1294, Springer, Berlin (1997), 372–384. Google Scholar

  • [19]

    T. Takagi, Fast RSA-type cryptosystem modulo pkq, Advances in Cryptology – CRYPTO 1998, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 318–326. Google Scholar

  • [20]

    M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553–558. CrossrefGoogle Scholar

  • [21]

    The EPOC and the ESIGN Algorithms, IEEE P1363: Protocols from other families of Public-Key algorithms, 1998, http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html.

About the article

Received: 2016-05-07

Revised: 2017-01-18

Accepted: 2017-04-23

Published Online: 2017-05-16

Published in Print: 2017-06-01

Funding Source: National Natural Science Foundation of China

Award identifier / Grant number: 61472417

Yao Lu is supported by Project CREST, JST and Liqiang Peng is supported by the National Key Basic Research Program of China (Grant 2013CB834203) and the National Natural Science Foundation of China (Grant 61472417).

Citation Information: Journal of Mathematical Cryptology, Volume 11, Issue 2, Pages 117–130, ISSN (Online) 1862-2984, ISSN (Print) 1862-2976, DOI: https://doi.org/10.1515/jmc-2016-0025.

Export Citation

© 2017 Walter de Gruyter GmbH, Berlin/Boston.Get Permission

Citing Articles

Here you can find all Crossref-listed publications in which this article is cited. If you would like to receive automatic email messages as soon as this article is cited in other publications, simply activate the “Citation Alert” on the top of this page.

Khalid El Makkaoui, Abderrahim Beni-Hssane, and Abdellah Ezzati
Journal of Ambient Intelligence and Humanized Computing, 2018
Khalid El Makkaoui, Abderrahim Beni-Hssaneb, Abdellah Ezzatia, and Anas El-Ansarib
Procedia Computer Science, 2017, Volume 113, Page 33

Comments (0)

Please log in or register to comment.
Log in