# Cryptanalysis of an RSA variant with moduli $N=p^r q^l$

Yao Lu, Liqiang Peng and Santanu Sarkar

• 1 The University of Tokyo, Tokyo, Japan
• 2 Institute of Information Engineering, Beijing, P. R. China
• 3 Indian Institute of Technology, Madras, India

## Abstract

In this paper we study an RSA variant with moduli of the form $N=p^r q^l$ ($r>l\geq 2$). This variant was mentioned by Boneh, Durfee and Howgrave-Graham []. Later Lim, Kim, Yie and Lee [] showed that this variant is much faster than standard RSA moduli in the decryption step. There are two proposals of RSA variants when $N=p^r q^l$. In the first proposal, the encryption exponent e and the decryption exponent d satisfy $ed\equiv 1 \bmod p^{r-1}q^{l-1}(p-1)(q-1)$, whereas in the second proposal $ed\equiv 1 \bmod (p-1)(q-1)$. We prove that for the first case if $d, one can factor N in polynomial time. We also show that polynomial time factorization is possible if $d for the second case. Finally, we study the case when a few bits of one prime are known to the attacker for this variant of RSA. We show that given $\min\left(\frac{l}{r+l},\frac{2(r-l)}{r+l}\right)\log_2 p$ least significant bits of one prime, one can factor N in polynomial time.

## 1 Introduction

Since the RSA public key cryptosystem was proposed, it has been possibly the most studied topic in cryptology. To achieve high efficiency in the decryption phase, many variants of RSA have been proposed.

At Crypto 1997, Takagi proposed an RSA-type cryptosystem using n-adic expansion. One important variant of RSA is multi-power RSA, proposed by Takagi in 1998. In multi-power RSA, the RSA modulus N is of the form $N=p^r q$, where $r\geq 2$. Compared to standard RSA, it is more efficient in both key generation and decryption. Besides, moduli of this type have been applied in many cryptographic designs, e.g., the Okamoto–Uchiyama cryptosystem, better known via EPOC and ESIGN, which uses the modulus $N=p^2 q$.

At Indocrypt 2000, Lim, Kim, Yie and Lee extended Takagi's cryptosystem to include moduli of the form $N=p^r q^l$, where $r,l\geq 2$. They showed that the choice of either $p^r q^{r+1}$, $p^{r-1}q^{r+1}$ or $p^{r-2}q^{r+2}$ is optimal under the assumption that the sum of the exponents is fixed. For example, they claimed that 8192-bit RSA will be fifteen times faster than standard RSA if one takes $N=p^2 q^3$. In Crypto 1999, Boneh, Durfee and Howgrave-Graham also mentioned factoring $p^r q^l$ using a lattice-based approach as an open problem.

Surprisingly, there has been very little research into the security of RSA-type schemes with moduli $N=p^r q^l$ for $r,l\geq 2$. Therefore, it is important to investigate the safe parameters of this algorithm.

### 1.1 Related works

The security of this variant of RSA, like that of standard RSA, is based on the hardness of factoring large integers. Until now there is no known polynomial time algorithm to factorize large numbers except quantum algorithms. However, in a real-world implementation, partial information about the secret prime p can be leaked by side-channel attacks (the factoring with known bits problem), hence it is crucial to study how this affects the factoring problem. In fact, there have been a number of results in this direction.

1. For the case of standard RSA with modulus $N=pq$: In 1985, Rivest and Shamir first studied this problem; they designed an algorithm to factor N given a $\frac{2}{3}$-fraction of the bits of p. In 1996, Coppersmith improved this bound to $\frac{1}{2}$. Note that for the above results, the unknown bits lie within one consecutive block. The case of n ($n\geq 2$) blocks was first considered by Herrmann and May in .
2. For the case of multi-power RSA with moduli $N=p^r q$ ($r\geq 2$): In 1999, Boneh, Durfee and Howgrave-Graham showed that N can be factored efficiently given a $\frac{1}{r+1}$-fraction of the most significant bits (MSBs) of p. In 2013, Lu, Zhang and Lin considered the case of n ($n\geq 2$) blocks.

To speed up decryption, a small secret exponent d is often used in some cryptographic applications. However, it is well known that the RSA scheme is easily broken if the secret exponent d is too small (the small secret exponent attack). In 1990, using the continued fraction method, Wiener showed that the standard RSA scheme can be broken when $d\leq N^{0.25}$. Later, in 1999, Boneh and Durfee improved Wiener's bound to $N^{0.292}$. Recently, in , Herrmann and May gave an elementary proof of the Boneh–Durfee bound, and in , Kunihiro, Shinohara and Izu also investigated this problem. However, $N^{0.292}$ is still the best bound at present.

For the case of multi-power RSA, there exist two variants. In the first variant, $ed\equiv 1 \bmod p^{r-1}(p-1)(q-1)$, while in the second variant, $ed\equiv 1 \bmod (p-1)(q-1)$. For the first variant, in 1999, Takagi showed that when the secret exponent $d\leq N^{1/(2(r+1))}$, one can factorize N. Later, in 2004, May improved Takagi's bound to $N^{\max\{r(r+1)^{-2},\,(r-1)^2(r+1)^{-2}\}}$. Recently, Sarkar used a lattice-based method to improve the previous bounds when $r\leq 5$. In , the authors further improved May's bound to $N^{r(r-1)(r+1)^{-2}}$, which is better than May's result when $r>2$. For the second variant, in 2008, Itoh, Kunihiro and Kurosawa showed that d can be recovered if $d.

### 1.2 Our contributions

In this paper¹ we analyze the security of RSA-type schemes with moduli $N=p^r q^l$, where $r>l\geq 2$ and $\gcd(r,l)=1$. Admittedly, RSA-type schemes with moduli $N=p^r q^l$ have very limited application. However, as rightly mentioned in , a significant fraction of cryptography is still based on RSA, and so it is important to study these RSA-type moduli. Throughout the paper, we assume that $q, which means $p\approx q$.

### Small secret exponent attacks on RSA-type schemes with moduli $N=p^r q^l$.

Considering the form of the moduli $N=p^r q^l$, there are again two variants of the encryption and decryption phases. In the first variant, e and d satisfy $ed\equiv 1 \bmod p^{r-1}q^{l-1}(p-1)(q-1)$. In the second variant, e and d satisfy $ed\equiv 1 \bmod (p-1)(q-1)$. We analyze these two variants in turn.

For the equation $ed\equiv 1 \bmod p^{r-1}q^{l-1}(p-1)(q-1)$, we look for the small solution d of the modular equation $ex-1\equiv 0 \bmod p^{r-1}q^{l-1}$. We introduce a new technique to select more helpful polynomials, which are used to construct a lattice. We show that when

$d

one can recover d in polynomial time. Note that when $l=1$, our result is the same as the result of .

For the equation $ed\equiv 1 \bmod (p-1)(q-1)$, we look for the small solution $(k,p,q)$ of the modular equation $x(y-1)(z-1)+1=0 \bmod e$, where $k=\frac{ed-1}{(p-1)(q-1)}$. By utilizing the relation $p^r q^l=N$, we give a lattice construction and show that when

$d

the small solution $(k,p,q)$ can be found. Note that when $l=1$, our result is exactly the general bound of .

### Factoring RSA moduli $N=p^r q^l$ with partially known bits.

In the conclusion of Boneh, Durfee and Howgrave-Graham's paper, the authors raised the question whether one can generalize factoring with partially known bits to integers of the form $N=p^r q^l$. In this paper, we answer this question affirmatively: we only need a $\min\left(\frac{l}{r+l},\frac{2(r-l)}{r+l}\right)$-fraction of the least significant bits (LSBs) of p in order to factor N in polynomial time. Independently, Coron, Faugère, Renault and Zeitoun also studied this problem. We give a comparison with their method and an improvement for certain parameters. Besides, we also extend to the case of an arbitrary number n ($n\geq 2$) of unknown blocks.

### Experimental results.

To verify the correctness of the above attacks, we performed experiments in the Magma 2.11 computer algebra system on a PC with an Intel(R) Core(TM) Duo CPU (2.53 GHz, 1.9 GB RAM, Windows 7). The experimental results demonstrate that our algorithms are effective in practice.

## 2 Preliminaries

Consider w linearly independent vectors $\boldsymbol{b}_1,\dots,\boldsymbol{b}_w\in\mathbb{Z}^n$. The set

$\mathcal{L}=\{\boldsymbol{b} : \boldsymbol{b}=\sum_{i=1}^{w}c_i\boldsymbol{b}_i,\ c_1,\dots,c_w\in\mathbb{Z}\}$

is called a w-dimensional lattice with basis $B=\{\boldsymbol{b}_1,\dots,\boldsymbol{b}_w\}$. A lattice is of full rank when $w=n$, and in this paper we only use such lattices. The determinant of $\mathcal{L}$ is defined as $\det(\mathcal{L})=\det(M)$, where the rows of M are the vectors from B. When $\boldsymbol{b}_1,\dots,\boldsymbol{b}_w\in\mathbb{Z}^n$, the lattice $\mathcal{L}$ is called an integer lattice.

In 1982, Lenstra, Lenstra and Lovász proposed a polynomial time lattice reduction algorithm (known as the LLL-Algorithm); let us first state its main property.

Lemma 1 (LLL Algorithm).

Let $\mathcal{L}$ be a lattice of dimension w. Within polynomial time, the LLL-Algorithm outputs a set of reduced basis vectors $\boldsymbol{v}_i$, $1\leq i\leq w$, that satisfies

$\|\boldsymbol{v}_1\|\leq\|\boldsymbol{v}_2\|\leq\cdots\leq\|\boldsymbol{v}_i\|\leq 2^{\frac{w(w-1)}{4(w+1-i)}}\det(\mathcal{L})^{\frac{1}{w+1-i}}.$

Let $g(x_1,\dots,x_k)=\sum_{i_1,\dots,i_k}a_{i_1,\dots,i_k}x_1^{i_1}\cdots x_k^{i_k}$. We define the norm of g as the Euclidean norm of its coefficient vector:

$\|g\|^2=\sum_{i_1,\dots,i_k}a_{i_1,\dots,i_k}^2.$

Also we need the following result due to Howgrave-Graham .

Lemma 2 (Howgrave-Graham).

Let $g(x_1,\dots,x_k)\in\mathbb{Z}[x_1,\dots,x_k]$ be an integer polynomial that consists of at most w monomials. Suppose that

1. $g(y_1,\dots,y_k)=0 \bmod e^m$ for $|y_1|\leq X_1,\dots,|y_k|\leq X_k$,
2. $\|g(x_1X_1,\dots,x_kX_k)\|$.

Then $g(y_1,\dots,y_k)=0$ holds over the integers.

Suppose we have w ($w>k$) polynomials $b_1,\dots,b_w$ in the variables $x_1,\dots,x_k$ such that

$b_1(y_1,\dots,y_k)=\cdots=b_w(y_1,\dots,y_k)=0 \bmod e^m$

with

$|y_1|\leq X_1,\dots,|y_k|\leq X_k.$

Now we construct a lattice $\mathcal{L}$ with the coefficient vectors of $b_1(x_1X_1,\dots,x_kX_k),\dots,b_w(x_1X_1,\dots,x_kX_k)$. After lattice reduction, we get k polynomials $v_1(x_1,\dots,x_k),\dots,v_k(x_1,\dots,x_k)$ such that

$v_1(y_1,\dots,y_k)=\cdots=v_k(y_1,\dots,y_k)=0 \bmod e^m$

which correspond to the first k vectors of the reduced basis. Also, by the property of the LLL-Algorithm, we have

$\|v_1(x_1X_1,\dots,x_kX_k)\|\leq\cdots\leq\|v_k(x_1X_1,\dots,x_kX_k)\|\leq 2^{\frac{w(w-1)}{4(w+1-k)}}\det(\mathcal{L})^{\frac{1}{w+1-k}}.$

Hence by Lemma 2, if

$2w⁢(w-1)4⁢(w+1-k)⁢det⁡(ℒ)1w+1-k

then we have $v_1(y_1,\dots,y_k)=\cdots=v_k(y_1,\dots,y_k)=0$. Next we want to find $y_1,\dots,y_k$ from $v_1,\dots,v_k$.

Although our technique works in practice, as the experiments we performed show, we need a heuristic assumption for the theoretical results.

Assumption 3.

The lattice-based construction yields algebraically independent polynomials. The common roots of these polynomials can be efficiently computed using the Gröbner basis technique.

We also use the following theorem .

Theorem 4.

Let N be a sufficiently large composite integer (of unknown factorization) with a divisor $p^r$ ($p\geq N^\beta$ and an integer $r\geq 1$). Let $f(x_1,\dots,x_n)\in\mathbb{Z}[x_1,\dots,x_n]$ be a linear polynomial in n variables. Under Assumption 3, we can find all the solutions $(x_1^0,\dots,x_n^0)$ of the equation $f(x_1,\dots,x_n)=0 \bmod p$ with $|x_1^0|\leq N^{\gamma_1},\dots,|x_n^0|\leq N^{\gamma_n}$ if

$\sum_{i=1}^{n}\gamma_i<\frac{1}{r}\left(1-(1-r\beta)^{\frac{n+1}{n}}-(n+1)(1-r\beta)\left(1-\sqrt[n]{1-r\beta}\right)\right).$

The running time of the algorithm is polynomial in $\log N$ but exponential in n.

## 3 Small secret exponent attacks on RSA-type schemes with moduli $N=p^r q^l$

In this section we consider the situation when the secret exponent d is small.

### 3.1 The first variant

At first, we study the first variant of encryption and decryption phases: e and d satisfy

$ed\equiv 1 \bmod p^{r-1}q^{l-1}(p-1)(q-1).$

Theorem 1.

For every $\epsilon>0$, let $N=p^r q^l$, where $r,l$ ($r>l$) are two known positive integers and $p,q$ are primes of the same bit-size. Let e be the public key exponent and let d be the private key exponent satisfying $ed\equiv 1 \bmod \phi(N)$. Suppose that

$d

Then N can be factored in polynomial time.

Proof.

Since $\phi(N)=p^{r-1}q^{l-1}(p-1)(q-1)$, we have the following equation:

$ed-1=k\,p^{r-1}q^{l-1}(p-1)(q-1)\quad\text{for some } k\in\mathbb{N}.$

Then we want to find the root $x_0=d$ of the polynomial

$f_1(x)=ex-1 \bmod p^{r-1}q^{l-1}.$

Multiplying by the inverse of e modulo N, we obtain the equation

$f(x)=(E-x) \bmod p^{r-1}q^{l-1},$

where E denotes the inverse of e modulo N. Note that N ($N\equiv 0 \bmod p^r q^l$) is a known multiple of the unknown $p^{r-1}q^{l-1}$.

Since $r>l$, we define the following collection of polynomials:

$g_i(x):=f^i(x)\,N^{\max\left\{0,\ \lceil\frac{(r-1)(t_1-i)}{r}\rceil,\ \lceil\frac{(l-1)(t_2-i)}{l}\rceil\right\}}$

for $i=0,\dots,m$ and positive integer parameters m, $t_1$ and $t_2$ with $t_1=\tau_1 m$, $t_2=\tau_2 m$ ($0\leq\tau_1,\tau_2<1$), which will be optimized later. Note that for all i, $g_i(d)\equiv 0 \bmod (p^{(r-1)t_1}q^{(l-1)t_2})$.

Let X ($X=N^\gamma$) be the upper bound on the desired root d. We build a lattice $\mathcal{L}$ of dimension $d=m+1$ using the coefficient vectors of $g_i(xX)$ as basis vectors. We sort the polynomials in ascending order of g, i.e., $gi if $i.

From the triangular matrix of the lattice basis, we can compute the determinant as the product of the entries on the diagonal, $\det(\mathcal{L})=X^{s}N^{s_N}$. We can calculate s as

$s=\sum_{i=0}^{m}i=\frac{m(m+1)}{2}.$

The computation of $s_N$ is somewhat complicated. At first, we have $t1. Otherwise, since $r>l$, we have

$\left\lceil\frac{(r-1)(t_1-i)}{r}\right\rceil\geq\left\lceil\frac{(l-1)(t_2-i)}{l}\right\rceil$

for $i=0,\dots,t_1$; in this case, we would only consider the exponents of p. Therefore, we let $t1 to consider the exponents of p and q at the same time.

Define Δ as

$\Delta:=\left\lceil\frac{l(r-1)t_1-r(l-1)t_2}{r-l}\right\rceil.$

Note that $Δ. In order to get $\Delta>0$, we have to satisfy the condition

$l(r-1)t_1>r(l-1)t_2.$

Notice that for $i=0,1,\dots,\Delta-1$, we have

$\left\lceil\frac{(r-1)(t_1-i)}{r}\right\rceil>\left\lceil\frac{(l-1)(t_2-i)}{l}\right\rceil;$

however, for $i=\Delta,\Delta+1,\dots,t_2$, we have

$\left\lceil\frac{(r-1)(t_1-i)}{r}\right\rceil<\left\lceil\frac{(l-1)(t_2-i)}{l}\right\rceil.$

Then we can calculate $s_N$ as

$s_N=\sum_{i=0}^{\Delta-1}\left\lceil\frac{(r-1)(t_1-i)}{r}\right\rceil+\sum_{i=\Delta}^{t_2}\left\lceil\frac{(l-1)(t_2-i)}{l}\right\rceil$
$=\frac{(r-1)(2t_1\Delta-\Delta^2)}{2r}+\frac{(l-1)(t_2-\Delta)^2}{2l}+\frac{\Delta(r-1)}{2r}+\frac{(t_2-\Delta)(l-1)}{2l}+\sum_{i=0}^{t_2}c_i.$

Here we rewrite

$\left\lceil\frac{(r-1)(t_1-i)}{r}\right\rceil=\frac{(r-1)(t_1-i)}{r}+c_i$

for $i=0,\dots,\Delta-1$, and

$\left\lceil\frac{(l-1)(t_2-i)}{l}\right\rceil=\frac{(l-1)(t_2-i)}{l}+c_i$

for $i=\Delta,\dots,t_2$, where $c_i\in[0,1)$.

Furthermore, we rewrite

$\Delta=\frac{l(r-1)t_1-r(l-1)t_2}{r-l}+c',$

where $c'\in[0,1)$; we have that

$s_N=\frac{(r-1)\left(l(r-1)t_1^2-2r(l-1)t_1t_2+r(l-1)t_2^2\right)}{2r(r-l)}+\frac{c'(r-l)-c'^2(r-l)+l(r-1)t_1}{2rl}+\sum_{i=0}^{t_2}c_i.$

To obtain a polynomial with short coefficients that contains all small roots over the integers, we apply the LLL basis reduction algorithm to the lattice $\mathcal{L}$. Lemma 1 gives an upper bound on the norm of the shortest vector in the LLL-reduced basis; if this bound is smaller than the bound given in Lemma 2, we obtain the desired polynomial. We require the following condition:

$2ω-14⁢ω⁢det⁡(ℒ)1ω

where $\omega=m+1$. Plugging in the values of $\det(\mathcal{L})$ and ω, we have

$2m⁢(m+1)4⁢(m+1)m+12⁢Xm⁢(m+1)2

To obtain the asymptotic bound, we let m grow to infinity. Note that for sufficiently large N the powers of 2 and of $m+1$ are negligible. Thus we only consider the exponent of N. Then we obtain

$X

where $t_1=\tau_1 m$ and $t_2=\tau_2 m$.

Now we have to decide the optimal values of $\tau_1$ and $\tau_2$. We consider the exponent of N as a function $h(\tau_1,\tau_2)$:

$h(\tau_1,\tau_2)=\frac{2(r-1)\tau_1+2(l-1)\tau_2}{r+l}-\frac{(r-1)\left(l(r-1)\tau_1^2-2r(l-1)\tau_1\tau_2+r(l-1)\tau_2^2\right)}{r(r-l)}.$

Using $h'_{\tau_1}(\tau_1,\tau_2)=0$ and $h'_{\tau_2}(\tau_1,\tau_2)=0$, we have

$l(r-1)(r+l)\tau_1-r(l-1)(r+l)\tau_2+r(l-r)=0,$
$(r-1)(r+l)\tau_1-(r-1)(r+l)\tau_2+r-l=0.$

Solving the above equations, we get

$\tau_1=\frac{r(r+l-2)}{(r+l)(r-1)},\qquad\tau_2=1.$

Putting the values of $\tau_1$ and $\tau_2$ into equation (3.1), we note that the condition is satisfied. Moreover, since $∑i=0t2ci, $\frac{1}{m^2}\leq\frac{1}{m}$ and $c'-c'^2<\frac{1}{4}$, inequality (3.2) can be reduced to

$X

We approximate the terms $m+1$ by m, and obtain

$X

We can express how m depends on the error term ϵ:

$m\geq\frac{(15l+1)r^4-(2l^2-10l)r^3-(l^3-6l^2+8l)r^2+(2l^3-12l^2+6l)r+l^4-4l^3+l^2}{4\epsilon(r-l)(r+l)^3}.$

This concludes the proof of Theorem 1. ∎

Table 1 lists some theoretical and experimental results with 1000-bit N. In all experiments, we obtained a univariate integer equation with the desired integer solution d. Thus we can obtain d.

Table 1

The first variant: experimental results for small d.

| $(r,l)$ | theoretical | experimental ($\dim(\mathcal{L})=20$) | time in seconds ($\dim(\mathcal{L})=20$) | experimental ($\dim(\mathcal{L})=40$) | time in seconds ($\dim(\mathcal{L})=40$) |
|---|---|---|---|---|---|
| $(3,2)$ | 0.560 | 0.520 | 77.751 | 0.530 | 4433.798 |
| $(5,2)$ | 0.653 | 0.600 | 64.257 | 0.620 | 4177.972 |
| $(4,3)$ | 0.694 | 0.650 | 61.059 | 0.660 | 3209.409 |
| $(5,3)$ | 0.719 | 0.650 | 52.120 | 0.680 | 2894.411 |
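As an added illustration (our code, not the paper's), the following Python evaluates the asymptotic exponent $\gamma=h(\tau_1,\tau_2)$ of Theorem 1 at the optimal $\tau_1,\tau_2$ for the $(r,l)$ pairs of Table 1, and computes the exponent $s_N$ of N in $\det(\mathcal{L})$ exactly as the sum of ceilings that the closed form approximates. The finite-m bound is an approximation we introduce: it assumes $p\approx q\approx N^{1/(r+l)}$, $t_2=m$, $t_1=\mathrm{round}(\tau_1 m)$, and drops the $2^{\cdots}$ and $\sqrt{\omega}$ factors of Lemmas 1 and 2.

```python
from fractions import Fraction as F
from math import ceil


def optimal_taus(r, l):
    """Stationary point of h: tau1 = r(r+l-2)/((r+l)(r-1)), tau2 = 1."""
    return F(r * (r + l - 2), (r + l) * (r - 1)), F(1)


def h(r, l, tau1, tau2):
    """Exponent of N in the asymptotic bound d < N^h of Theorem 1."""
    lin = (2 * (r - 1) * tau1 + 2 * (l - 1) * tau2) / (r + l)
    quad = F(r - 1, r * (r - l)) * (l * (r - 1) * tau1 ** 2
                                    - 2 * r * (l - 1) * tau1 * tau2
                                    + r * (l - 1) * tau2 ** 2)
    return lin - quad


def theorem1_bound(r, l):
    """Asymptotic exponent gamma (the 'theoretical' column of Table 1)."""
    tau1, tau2 = optimal_taus(r, l)
    return h(r, l, tau1, tau2)


def exponent_of_N(r, l, i, t1, t2):
    """Power of N multiplied onto f^i so that g_i(d) = 0 mod p^((r-1)t1) q^((l-1)t2)."""
    return max(0,
               ceil(F((r - 1) * (t1 - i), r)),
               ceil(F((l - 1) * (t2 - i), l)))


def s_N(r, l, m, t1, t2):
    """Exact exponent of N in det(L) = X^s N^{s_N}: sum of the diagonal exponents."""
    return sum(exponent_of_N(r, l, i, t1, t2) for i in range(m + 1))


def finite_m_bound(r, l, m):
    """Approximate exponent gamma for a lattice of dimension m+1 (assumptions in lead-in)."""
    tau1, _ = optimal_taus(r, l)
    t1, t2 = round(tau1 * m), m
    s = F(m * (m + 1), 2)
    # det(L) < (p^((r-1)t1) q^((l-1)t2))^(m+1) with p = q = N^(1/(r+l)) becomes
    # gamma*s + s_N < ((r-1)t1 + (l-1)t2)(m+1)/(r+l); solve for gamma.
    rhs = F(((r - 1) * t1 + (l - 1) * t2) * (m + 1), r + l)
    return (rhs - s_N(r, l, m, t1, t2)) / s


if __name__ == "__main__":
    for r, l in [(3, 2), (5, 2), (4, 3), (5, 3)]:
        print((r, l), float(theorem1_bound(r, l)), float(finite_m_bound(r, l, 19)))
```

For $(r,l)=(3,2)$ and a 20-dimensional lattice ($m=19$) the approximation gives $10/19\approx 0.526$, close to the experimental 0.520 of Table 1; as m grows it tends to the asymptotic 0.560.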

### 3.2 The second variant

In the following we study the second variant of the encryption and decryption phases: e and d satisfy

$ed\equiv 1 \bmod (p-1)(q-1).$

Theorem 2.

For every $\epsilon>0$, let $N=p^r q^l$, where $r,l$ ($r>l$) are two known positive integers and $p,q$ are primes of the same bit-size. Let e be the public key exponent and let d be the private key exponent satisfying $ed\equiv 1 \bmod (p-1)(q-1)$. Suppose that

$d

Then N can be factored in polynomial time.

Proof.

Since $ed-1=k(p-1)(q-1)$ for some $k\in\mathbb{N}$, we have the following modular equation:

$f(x,y,z)=x(y-1)(z-1)+1 \bmod e.$

Obviously, $(k,p,q)$ is the desired solution. Next we estimate the size of the desired roots. Since $N=p^r q^l$ and $p,q$ are primes of the same bit-size, p and q can be estimated as $N^{\frac{1}{r+l}}$. Letting $e=N^\alpha$, we have $p,q\simeq e^{\frac{1}{\alpha(r+l)}}$. Furthermore, let $d. Then k can be bounded as follows:

$k=\frac{ed-1}{(p-1)(q-1)}<\frac{2ed}{pq}<2e^{1+\frac{\delta}{\alpha}-\frac{2}{\alpha(r+l)}}.$

Usually, α is chosen as $\frac{2}{r+l}$. In this case, we have $p,q\simeq e^{\frac{1}{2}}$ and $k\simeq e^{\frac{(r+l)\delta}{2}}$. Let X ($X=e^{\frac{(r+l)\delta}{2}}$), Y ($Y=e^{\frac{1}{2}}$) and Z ($Z=e^{\frac{1}{2}}$) be the upper bounds of the desired roots $(k,p,q)$. In order to get the desired solution, we define a list G of polynomials sharing the desired root modulo $e^m$,

$g_{i,j,k,b}(x,y,z)=x^i y^j z^k f(x,y,z)^b e^{m-b}.$

To make the matrix whose rows are the coefficient vectors of the polynomials triangular, we append polynomials to the list G in the following order:

```
G = []
for u = 0 to m do
    for i = 0 to u-1 do
        for j = 0 to 1 do
            append g_{u-i, j, 0, i} to G
        for j = r-1 to 1 do
            append g_{u-i, j, 1, i} to G
        for j = l-1 to 1 do
            append g_{u-i, r, j, i} to G
for u = 0 to m do
    for j = 0 to s do
        append g_{0, j, 0, u} to G
        for i = l-1 to 1 do
            append g_{0, r+j, i, u} to G
    for k = 1 to t do
        for j = r-1 to 0 do
            append g_{0, j, k, u} to G
return G
```

where each occurrence of $y^r z^l$ is replaced by N since $N=p^r q^l$, and $m,s,t$ are non-negative integers.

Then we construct a lattice $\mathcal{L}_1$ spanned by the coefficient vectors of $g_{i,j,k,l}(xX,yY,zZ)$. By some calculations, the determinant of $\mathcal{L}_1$ is $\det(\mathcal{L}_1)=X^{S_x}Y^{S_y}Z^{S_z}e^{S_e}$, where

$S_x=\left(\frac{2r+2l+3\tau r+3\sigma l}{6}\right)m^3+\left(\frac{r+2l+\tau r+\sigma l}{2}\right)m^2+\left(\frac{r+4l}{6}\right)m,$
$S_y=\left(\frac{l+3\sigma l+3\sigma^2 l}{6}\right)m^3+\left(\frac{r^2+2\tau r^2+2rl+4\sigma rl-3r+2l-2\tau r-4\sigma r+2\sigma^2 l+4\sigma l}{4}\right)m^2$
$\quad+\left(\frac{3r^2+6\tau r^2+18rl+12\sigma rl-21r+4l-6\tau r-12\sigma r+6\sigma l}{12}\right)m-(r-rl),$
$S_z=\left(\frac{r+3\tau r+3\tau^2 r}{6}\right)m^3+\left(\frac{l^2+2\sigma l^2+2r-l+2\tau^2 r+4\tau r-2\sigma l}{4}\right)m^2$
$\quad+\left(\frac{9l^2+6\sigma l^2+4r-9l+6\tau r-6\sigma l}{12}\right)m+\frac{l^2-l}{2},$
$S_e=\left(\frac{2r+2l+3\tau r+3\sigma l}{6}\right)m^3+\left(\frac{r+2l+\tau r+\sigma l}{2}\right)m^2+\left(\frac{r+4l}{6}\right)m,$

with $s=\sigma m$ and $t=\tau m$. On the other hand,

$\dim(\mathcal{L}_1)=\left(\frac{r+l+2\tau r+2\sigma l}{2}\right)m^2+\left(\frac{r+3l+2\tau r+2\sigma l}{2}\right)m+l.$

Since there are three unknown variables, based on Lemma 1 and Lemma 2, one can obtain three polynomial equations which share the roots $(k,p,q)$ over the integers when

$2dim⁢(ℒ1)⁢(dim⁢(ℒ1)-1)4⁢(dim⁢(ℒ1)-2)⁢(XSx⁢YSy⁢ZSz⁢eSe)1dim⁢(ℒ1)-2

Putting the upper bounds and the value of $\dim(\mathcal{L}_1)$ into the above inequality and neglecting the terms that do not depend on N, we obtain

$e(r+l)⁢δ2

or equivalently,

$(r+l)⁢δ2

Setting $\sigma=\tau$, and since $m, $0\leq\tau\leq 1$ and $l, the left side of the above inequality can be bounded by

$\frac{\frac{(r+l)(1+3\tau-3\tau^2)}{12}m^3-\frac{(2\tau+1)r^2+(2\tau^2-6\tau+2l+4\tau l-1)r-3l-2\tau l+2\tau l^2+l^2+2\tau^2 l}{8}m^2}{\frac{(r+l)(2+3\tau)}{6}m^3+\frac{r+2l+\tau r+\tau l}{2}m^2+\frac{r+4l}{6}m}$
$-\frac{\frac{(6\tau+3)r^2-(13+12\tau-18l-12\tau l)r+9l^2+6\tau l^2-17l+48}{24}m+\frac{(2r+l)(l-1)}{4}}{\frac{(r+l)(2+3\tau)}{6}m^3+\frac{r+2l+\tau r+\tau l}{2}m^2+\frac{r+4l}{6}m}$
$<\frac{\frac{(r+l)(1+3\tau-3\tau^2)}{12}m^3-\frac{(2\tau+1)r^2+(2\tau^2-6\tau+2l+4\tau l-1)r-3l-2\tau l+2\tau l^2+l^2+2\tau^2 l}{8}m^2}{\frac{(r+l)(2+3\tau)}{6}m^3}$
$=\frac{1+3\tau-3\tau^2}{2(2+3\tau)}-\frac{3\left((2\tau+1)r^2+(2\tau^2-6\tau+2l+4\tau l-1)r-3l-2\tau l+2\tau l^2+l^2+2\tau^2 l\right)}{4(r+l)(2+3\tau)m}$
$<\frac{1+3\tau-3\tau^2}{2(2+3\tau)}-\frac{3(r^2+2rl+l^2-7r-5l)}{20(r+l)m}.$

Putting the optimal value $\tau=\frac{\sqrt{7}-2}{3}$ into the above inequality, we obtain

$\frac{7-2\sqrt{7}}{6}-\frac{3(r^2+2rl+l^2-7r-5l)}{20(r+l)m}.$

Then we have

$\delta<\frac{7-2\sqrt{7}}{3(r+l)}-\frac{3(r^2+2rl+l^2-7r-5l)}{10(r+l)^2 m}.$

The relation between the error term ϵ and m can be expressed as

$m\geq\frac{3(r^2+2rl+l^2-7r-5l)}{10(r+l)^2\epsilon}.$

This concludes the proof of Theorem 2. ∎

Table 2 lists some theoretical and experimental results. In all experiments, we obtained several integer equations which share the desired roots and successfully obtained the roots using the Gröbner basis technique.

Table 2

The second variant: experimental results for small d.

| $(r,l)$ | $\log_2 N$ | theoretical d | d ($\dim(\mathcal{L}_1)=81$) | time in seconds ($\dim(\mathcal{L}_1)=81$) | d ($\dim(\mathcal{L}_1)=148$) | time in seconds ($\dim(\mathcal{L}_1)=148$) |
|---|---|---|---|---|---|---|
| $(3,2)$ | 2000 | 200 bits | 29 bits | 35.350 | 71 bits | 2573.002 |
| $(3,2)$ | 3000 | 300 bits | 47 bits | 103.600 | 110 bits | 5197.392 |

## 4 Factoring RSA moduli $N=p^r q^l$ with partially known bits

In this section, we assume that we are given the k LSBs of p: $\tilde p=p \bmod 2^k$. Our goal is to determine the minimal number of bits of p that one has to know in order to factor N in polynomial time. Below we present two methods to solve this problem.

### 4.1 The attack modulo p

The above problem can be reduced to solving the modular univariate polynomial equation

$f(x)=\tilde p+2^k x=0 \bmod p.$

We can apply Theorem 4 with $n=1$, $\beta=\frac{1}{r+l}$. Therefore, we can find all roots y if

$|y|\leq N^{\frac{r}{(r+l)^2}}.$

When $l=1$, the bound is

$N^{\frac{r}{(r+l)^2}}=N^{\frac{r}{(r+1)^2}}=p^{\frac{r}{r+1}}.$

This bound is exactly the same as in . As $N^{\frac{r}{(r+l)^2}}=p^{\frac{r}{r+l}}$, the attacker has to guess $\left(1-\frac{r}{r+l}\right)\log_2 p=\frac{l}{r+l}\log_2 p$ LSBs of p. Thus the total complexity to factor $N=p^r q^l$ is $2^{\left(\frac{l}{r+l}\log_2 p\right)}\cdot P(\log N)$, where P is a polynomial. This method is very suitable for the case $r\gg l$.

### 4.2 The attack modulo pq

Lemma 1.

For a given integer k, consider the modular function $f(x)=x^w \bmod 2^k$ whose domain is the set $\{1,3,\dots,2^k-1\}$. When w is odd and $x_0^w\equiv a \bmod 2^k$, then one can get $x_0$.

Proof.

Since the domain of $f(x)$ is $\{1,3,\dots,2^k-1\}$, the range of $f(x)$ is also $\{1,3,\dots,2^k-1\}$. On the other hand, assume that $x_1,x_2\in\{1,3,\dots,2^k-1\}$ and $x_1^w\equiv x_2^w \pmod{2^k}$. Then we obtain that $2^k\mid x_1^w-x_2^w$, namely $2^k\mid(x_1-x_2)(x_1^{w-1}+x_1^{w-2}x_2+\cdots+x_2^{w-1})$. Since $x_1,x_2,w$ are odd integers, $x_1^{w-1}+x_1^{w-2}x_2+\cdots+x_2^{w-1}$ is odd and $x_1-x_2\in\{-2^k+2,\dots,2^k-2\}$. Then one gets that $x_1=x_2$, namely $f(x)$ is bijective.

Above all, the solution $x_0$ is unique and it can be obtained as

$x_0\equiv a^{\,w^{-1} \bmod 2^{k-1}} \bmod 2^k.$

This concludes the proof of Lemma 1. ∎

We rewrite N as $N=(pq)^l p^{r-l}$. Notice that at least one of r and l must be odd (since $\gcd(r,l)=1$); we may assume without loss of generality that l is odd. Suppose that we have the k LSBs of p and denote them by $\tilde p$, so $\tilde p=p \bmod 2^k$. Thus $q^l\equiv N(\tilde p^r)^{-1} \bmod 2^k$. Then by Lemma 1 we can calculate the k LSBs of q: $\tilde q=q \bmod 2^k$. Using $\tilde p$ and $\tilde q$, we get the k LSBs of pq: $c=\tilde p\tilde q \bmod 2^k$. Now we reduce the above problem to solving the modular univariate polynomial equation

$f(x)=c+2^k x=0 \bmod pq.$

Now apply Theorem 4 with $n=1$, $\beta=\frac{2}{r+l}$. Then we can find y if

$|y|\leq N^{\frac{4l}{(r+l)^2}}.$

After we get the value of pq, we can calculate

$p^{r-l}=\frac{N}{(pq)^l}.$

Then we can get p. Since $N^{\frac{4l}{(r+l)^2}}=(pq)^{\frac{2l}{r+l}}$, the attacker has to guess

$\left(1-\frac{2l}{r+l}\right)\log_2 pq=\frac{r-l}{r+l}\log_2 pq=\frac{2(r-l)}{r+l}\log_2 p$

LSBs of p. Thus the total complexity to factor $N=p^r q^l$ is $2^{\left(\frac{2(r-l)}{r+l}\log_2 p\right)}\cdot P(\log N)$, where P is a polynomial. This method is very suitable for the case $r\simeq l$.
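The following Python is an added example (ours, not code from the paper) of the arithmetic behind Lemma 1 and the reduction above: from the k LSBs of p it computes $q^l \bmod 2^k$, takes the unique odd l-th root modulo $2^k$ with the lemma's exponent $w^{-1} \bmod 2^{k-1}$, and forms $c=\tilde p\tilde q \bmod 2^k$. The toy modulus uses constructed parameters of our choosing (primes 1000000007 and 1000000009, $(r,l)=(5,3)$, $k=20$); the last helper evaluates the bit-fraction $\min(\frac{l}{r+l},\frac{2(r-l)}{r+l})$ from the comparison of the two methods.

```python
from fractions import Fraction


def odd_root_mod_2k(a: int, w: int, k: int) -> int:
    """Unique odd x0 in {1, 3, ..., 2^k - 1} with x0^w == a (mod 2^k), for odd w and a.

    The odd residues modulo 2^k form a group of order 2^(k-1), so x -> x^w is a
    bijection whose inverse is x -> x^(w^-1 mod 2^(k-1)); this is the lemma's
    formula x0 = a^(w^-1 mod 2^(k-1)) mod 2^k.
    """
    if w % 2 == 0 or a % 2 == 0:
        raise ValueError("w and a must be odd")
    if k == 1:
        return 1  # the only odd residue modulo 2
    w_inv = pow(w, -1, 1 << (k - 1))  # w is odd, hence invertible modulo 2^(k-1)
    return pow(a, w_inv, 1 << k)


def q_lsb_from_p_lsb(N: int, p_lsb: int, r: int, l: int, k: int) -> int:
    """Given N = p^r q^l and p~ = p mod 2^k, return q~ = q mod 2^k (requires l odd).

    q^l == N * (p~^r)^-1 (mod 2^k) because p~^r == p^r (mod 2^k) and p is odd;
    the odd l-th root modulo 2^k is then unique by Lemma 1.
    """
    if l % 2 == 0:
        raise ValueError("l must be odd; swap the roles of p and q otherwise")
    mod = 1 << k
    q_to_l = N * pow(pow(p_lsb, r, mod), -1, mod) % mod
    return odd_root_mod_2k(q_to_l, l, k)


def pq_lsb_from_p_lsb(N: int, p_lsb: int, r: int, l: int, k: int) -> int:
    """c = p~ q~ mod 2^k, the constant term of f(x) = c + 2^k x = 0 mod pq."""
    return p_lsb * q_lsb_from_p_lsb(N, p_lsb, r, l, k) % (1 << k)


def known_lsb_fraction(r: int, l: int):
    """Fraction of log2 p that must be known, min(l/(r+l), 2(r-l)/(r+l)), and which attack attains it."""
    mod_p, mod_pq = Fraction(l, r + l), Fraction(2 * (r - l), r + l)
    return (mod_p, "modulo p") if mod_p <= mod_pq else (mod_pq, "modulo pq")


# Constructed toy parameters (not a real key): two well-known primes, N = p^5 q^3.
P, Q = 1000000007, 1000000009
R, L, K = 5, 3, 20
N_TOY = P ** R * Q ** L

if __name__ == "__main__":
    p_lsb = P % (1 << K)
    q_lsb = q_lsb_from_p_lsb(N_TOY, p_lsb, R, L, K)
    print("recovered q mod 2^k correctly:", q_lsb == Q % (1 << K))
    print("fraction of p to know for (5,3):", known_lsb_fraction(R, L))
```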

### Comparison between the two methods.

In the first method, the attacker has to guess $\frac{l}{r+l}\log p$ bits, whereas in the second method it is required to guess $\frac{2(r-l)}{r+l}\log p$ bits. Since $\frac{l}{r+l}<\frac{2(r-l)}{r+l}$ if $2r>3l$, our first attack (modulo p) is superior to our second attack (modulo pq) in the case $2r>3l$.

We present our bounds $\min\left(\frac{l}{r+l},\frac{2(r-l)}{r+l}\right)$ in Figure 1. In Table 3, we give some experimental results of the above two methods.

Table 3

Factoring N with partially known bits of p.

| $(r,l)$ | $\log_2 N$ | $\log_2 p$ | modulo p: theo. | expt. | dim. | time (sec.) | modulo pq: theo. | expt. | dim. | time (sec.) |
|---|---|---|---|---|---|---|---|---|---|---|
| $(3,2)$ | 2500 | 500 | 200 | 260 | 21 | 19.095 | 200 | 260 | 21 | 760.661 |
| $(3,2)$ | 2500 | 500 | 200 | 230 | 41 | 832.983 | 200 | 230 | 41 | 42447.935 |
| $(5,2)$ | 3500 | 500 | 143 | 260 | 21 | 21.856 | 429 | – | 21 | – |
| $(5,2)$ | 3500 | 500 | 143 | 200 | 41 | 1205.591 | 429 | 497 | 41 | 86495.347 |
| $(5,4)$ | 4500 | 500 | 223 | 330 | 21 | 32.245 | 112 | 260 | 21 | 4018.133 |
| $(5,4)$ | 4500 | 500 | 223 | 280 | 41 | 1413.463 | 112 | 230 | 41 | 163533.305 |

### 4.3 Comparison with the work of Coron, Faugère, Renault and Zeitoun

Independently, Coron, Faugère, Renault and Zeitoun also studied this problem; they showed that $N=p^r q^l$ can be factored in polynomial time when r or l is at least $(\log p)^3$. In the following we briefly discuss their idea. Moreover, based on an observation about the short vectors of a two-dimensional lattice introduced in , we further improve the Coron–Faugère–Renault–Zeitoun bound for moduli of the form $N=p^r q^l$, where $r=2k+1$, $l=k+1$ and $k\in\mathbb{Z}^+$.

In [4, p. 5], for the modulus $N=p^r q^l$, r and l are first expressed as $r=u\cdot\alpha+a$ and $l=u\cdot\beta+b$, where the integers $u,\alpha,\beta,a,b$ should satisfy certain conditions. To find such integers, the LLL-Algorithm is applied to the two-dimensional lattice spanned by the row vectors of the following matrix:

$\begin{pmatrix}\lfloor r^{\frac{1}{3}}\rfloor & -l\\ 0 & r\end{pmatrix}.$

After lattice reduction, suppose that the short vector is $v=(\lfloor r^{\frac{1}{3}}\rfloor\cdot\alpha,\,-l\cdot\alpha+r\cdot\beta)$ for some $\beta\in\mathbb{Z}$. Now if $\beta=0$ or $\lfloor\frac{r}{\alpha}\rfloor\leq\frac{l}{\beta}$, u is taken as $\lfloor\frac{r}{\alpha}\rfloor$. On the other hand, if $\beta\neq 0$ and $\lfloor\frac{r}{\alpha}\rfloor>\frac{l}{\beta}$, u is set to $\lceil\frac{r}{\alpha}\rceil$. Finally, a is taken as $r-u\alpha$ and b is taken as $l-u\beta$. It has been proved in [4, Lemma 1] that either both $a,b\geq 0$ or both $a,b\leq 0$.

1. First suppose that both $a,b\geq 0$. Now N can be expressed as $N=p^r q^l=p^{u\alpha+a}q^{u\beta+b}=P^u Q$, where $P=p^\alpha q^\beta$ and $Q=p^a q^b$. It has been proved in [4, p. 18] that to factor $N=P^r Q$ in polynomial time, the attacker has to guess a $\frac{c}{u+c}$-fraction of the bits of P to find P, where $Q. Thus if $a,b\geq 0$, it is required to guess $\frac{c}{u+c}\log P$ bits of P. Here we can take $c=\frac{a+b}{\alpha+\beta}$ as $P\approx p^{\alpha+\beta}$ and $Q\approx p^{a+b}$. Thus in this case the attacker has to guess $\frac{a+b}{(\alpha+\beta)u+a+b}\cdot(\alpha+\beta)\log p$ bits.
2. Next suppose that $a,b\leq 0$. Now express $N=P^u Q$, where $P=p^\alpha q^\beta$ and $Q=p^{-a}q^{-b}$. In this case it has been proved in [4, p. 8] that the attacker has to search over $[0,2Q^{\frac{1}{u}}]$. So the required guess in this case will be approximately $-\frac{a+b}{u}\log p$ bits.

Although in most cases the method of finds the optimal expression of $N=p^r q^l$, for some values of $r,l$ it does not give the best bound. For example, based on the Coron–Faugère–Renault–Zeitoun method, the modulus N of the form $p^{2k+1}q^{k+1}$, $k\geq 2$, should be expressed as $N=P^k Q$, where $P=p^2 q$ and $Q=pq$; however, when we express N in the form $P^{k+1}Q$, where $P=p^2 q$ and $Q=p$, fewer known bits are required to factor N.

More specifically, for the modulus of the form $N=p^{2k+1}q^{k+1}$, it is required in to apply the LLL-Algorithm to the lattice $\mathcal{L}$ spanned by the row vectors of the following matrix:

$\begin{pmatrix}\lfloor(2k+1)^{\frac{1}{3}}\rfloor & -(k+1)\\ 0 & 2k+1\end{pmatrix}.$

It is easily checked that $\lambda_1(\mathcal{L})=(2\lfloor(2k+1)^{\frac{1}{3}}\rfloor,\,-1)$ and $\lambda_2(\mathcal{L})=(\lfloor(2k+1)^{\frac{1}{3}}\rfloor,\,k)$, where $\lambda_i(\mathcal{L})$ denotes the i-th minimum of the lattice $\mathcal{L}$.

According to $\lambda_1(\mathcal{L})$, we have $\alpha=2$, $\beta=1$. Furthermore, since $\lfloor\frac{2k+1}{\alpha}\rfloor=k\leq\frac{k+1}{\beta}$, based on the Coron–Faugère–Renault–Zeitoun method, u is taken as $\lfloor\frac{2k+1}{\alpha}\rfloor=k$. Hence the modulus N should be expressed as $P^k Q$, where $P=p^2 q$ and $Q=pq$. Moreover, for the second shortest vector $\lambda_2(\mathcal{L})$, the modulus N will be expressed as $P^{2k+1}Q$, where $P=pq$ and $Q=q^k$.

Then for the first expression of N, it is required to guess $\frac{6}{3k+2}\log p$ bits. And for the second expression, the number of required known bits is $\frac{k}{2k+1}\log p$ bits of p.

Based on our two methods of Section 4.1 and Section 4.2, the number of known LSBs of p which is required to factor $N=p^{2k+1}q^{k+1}$ is

$\min\left(\frac{k+1}{2k+1+k+1},\ \frac{2(2k+1-(k+1))}{2k+1+k+1}\right)=\frac{k+1}{3k+2}.$

However, when we express N as $P^{k+1}Q$, where $P=p^2 q$ and $Q=p$, the attacker has to search over $[0,2p^{\frac{1}{k+1}}]$. Namely, the required guess in this case will be approximately $\frac{1}{k+1}\log p$ bits.

Actually, there does not exist any vector in the two-dimensional lattice $\mathcal{L}$ which expresses $N=p^{2k+1}q^{k+1}$ as $P^{k+1}Q$, where $P=p^2 q$ and $Q=p$. According to the Coron–Faugère–Renault–Zeitoun method, if one wants to express $N=p^{2k+1}q^{k+1}$ as $P^{k+1}Q$, where $P=p^2 q$ and $Q=p$, one should have $\alpha=2$, $\beta=1$ and $u=k+1$. However, for $\alpha=2$ and $\beta=1$, we have $\lfloor\frac{2k+1}{\alpha}\rfloor\leq\frac{k+1}{\beta}$; then u should be taken as $\lfloor\frac{2k+1}{\alpha}\rfloor=k$, which contradicts $u=k+1$.

Thus in general, the Coron–Faugère–Renault–Zeitoun approach does not give optimal $u,\alpha,\beta$. For $r\leq 20$ and $2≤l, we searched exhaustively for optimal $u,\alpha,\beta$. The optimal bounds are presented in Figure 2.

### 4.4 Extend to more unknown blocks

We also consider the case of n ($n\geq 2$) unknown blocks.

Theorem 2.

Let $N=p^r q^l$, where p and q are of equal length. Suppose that a $\frac{l}{r}\ln\left(\frac{r+l}{l}\right)$-fraction of the bits is known for n blocks in p (n is large). Then, under Assumption 3, we can recover p. The running time of the algorithm is polynomial in $\log N$ but exponential in n.

Proof.

We can reduce the above problem to solving the following multivariate linear polynomial equation:

$f(x_1,x_2,\dots,x_n)=a_0+a_1x_1+a_2x_2+\cdots+a_nx_n=0 \bmod p,$

where $a_k=2^l$ if the k-th unknown block starts at the l-th bit position. Moreover, if n goes to infinity, from Theorem 4 we have

$\lim_{n\to\infty}\left(\frac{1}{r}\left(1-(1-r\beta)^{\frac{n+1}{n}}-(n+1)(1-r\beta)\left(1-\sqrt[n]{1-r\beta}\right)\right)\right)=\beta+\frac{(1-r\beta)\ln(1-r\beta)}{r}.$

It shows that if n is very large, we can recover p regardless of n. Conversely, once a $\left(1-\frac{1}{r\beta}\right)\ln(1-r\beta)$ portion of the bits of p together with their positions is given, we are able to recover the missing bits. Suppose that $|p|=|q|$, i.e. $\beta=\frac{1}{r+l}$. Then we need a

$\left(1-\frac{1}{r\beta}\right)\ln(1-r\beta)=\left(1-\frac{r+l}{r}\right)\ln\left(1-\frac{r}{r+l}\right)=-\frac{l}{r}\ln\left(\frac{l}{r+l}\right)=\frac{l}{r}\ln\left(\frac{r+l}{l}\right)$

portion of known bits of p. ∎

Note that for $l=1$, this is exactly the result of .

## 5 Conclusion

In this paper, we have considered the RSA variant with moduli of the form $N=p^r q^l$, where $r>l\geq 2$, and we have given some cryptanalytic results for this kind of RSA variant. For the small secret exponent attacks, we have two cases of encryption and decryption exponents: $ed\equiv 1 \bmod p^{r-1}q^{l-1}(p-1)(q-1)$ and $ed\equiv 1 \bmod (p-1)(q-1)$. For these two cases, we have given lattice-based attacks and obtained upper bounds on the decryption exponent d such that d can be recovered in polynomial time. Then we have presented partial known bits attacks and successfully factored $N=p^r q^l$ when the least significant bits of one prime are known.

## References

• D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than $N^{0.292}$, IEEE Trans. Inform. Theory 46 (2000), no. 4, 1339–1349.
• D. Boneh, G. Durfee and N. Howgrave-Graham, Factoring $N=p^rq$ for large r, Advances in Cryptology – CRYPTO 1999, Lecture Notes in Comput. Sci. 1666, Springer, Berlin (1999), 787–787.
• D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptology 10 (1997), no. 4, 233–260.
• J. S. Coron, J. C. Faugère, G. Renault and R. Zeitoun, Factoring $N=p^rq^s$ for large r and s, Topics in Cryptology – CT-RSA 2016, Lecture Notes in Comput. Sci. 9610, Springer, Berlin (2016), 448–464; https://eprint.iacr.org/2015/071.
• M. Herrmann and A. May, Solving linear equations modulo divisors: On factoring given any bits, Advances in Cryptology – ASIACRYPT 2008, Lecture Notes in Comput. Sci. 5350, Springer, Berlin (2008), 406–424.
• M. Herrmann and A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, Public Key Cryptography – PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 53–69.
• N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Cryptography and Coding – IMACC 1997, Lecture Notes in Comput. Sci. 1355, Springer, Berlin (1997), 131–142.
• K. Itoh, N. Kunihiro and K. Kurosawa, Small secret key attack on a variant of RSA (due to Takagi), Topics in Cryptology – CT-RSA 2008, Lecture Notes in Comput. Sci. 4964, Springer, Berlin (2008), 387–406.
• N. Kunihiro, N. Shinohara and T. Izu, A unified framework for small secret exponent attack on RSA, Selected Areas in Cryptography – SAC 2011, Lecture Notes in Comput. Sci. 7118, Springer, Berlin (2012), 260–277.
• A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534.
• S. Lim, S. Kim, I. Yie and H. Lee, , Progress in Cryptology – INDOCRYPT 2000, Lecture Notes in Comput. Sci. 1977, Springer, Berlin (2000), 283–294.
• Y. Lu, R. Zhang and D. Lin, Factoring multi-power RSA modulus $N=p^rq$ with partial known bits, Information Security and Privacy – ACISP 2013, Lecture Notes in Comput. Sci. 7959, Springer, Berlin (2013), 57–71.
• Y. Lu, R. Zhang, L. Peng and D. Lin, Solving linear equations modulo unknown divisors: revisited, Advances in Cryptology – ASIACRYPT 2015, Lecture Notes in Comput. Sci. 9452, Springer, Berlin (2015), 189–213; https://eprint.iacr.org/2014/343.
• A. May, Secret exponent attacks on RSA-type schemes with moduli $N=p^rq$, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 218–230.
• T. Okamoto and S. Uchiyama, A new public-key cryptosystem as secure as factoring, Advances in Cryptology – EUROCRYPT 1998, Lecture Notes in Comput. Sci. 1403, Springer, Berlin (1998), 308–318.
• R. Rivest and A. Shamir, Efficient factoring based on partial information, Advances in Cryptology – EUROCRYPT 1985, Lecture Notes in Comput. Sci. 219, Springer, Berlin (1986), 31–34.
• S. Sarkar, Small secret exponent attack on RSA variant with modulus $N=p^rq$, Des. Codes Cryptogr. 73 (2014), no. 2, 383–392.
• T. Takagi, Fast RSA-type cryptosystems using n-adic expansion, Advances in Cryptology – CRYPTO 1997, Lecture Notes in Comput. Sci. 1294, Springer, Berlin (1997), 372–384.
• T. Takagi, Fast RSA-type cryptosystem modulo $p^kq$, Advances in Cryptology – CRYPTO 1998, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 318–326.
• M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553–558.
• The EPOC and the ESIGN Algorithms, IEEE P1363: Protocols from other families of Public-Key algorithms, 1998, http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html.

## Footnotes

1. This is a thoroughly revised and extended version of the paper “Cryptanalysis of an RSA variant with moduli $N=p^{r}q^{l}$” that was presented at WCC 2015, April 13–17, 2015, Paris, France. There are no formal proceedings for WCC 2015. Section 4.3 of this paper is an additional contribution that did not appear in the workshop version.
