## 1 Introduction

Since the RSA public key cryptosystem has been proposed, this public key scheme is possibly the most studied topic in cryptology world. To achieve high efficiency in the decryption phase, many variants of RSA schemes have been proposed.

At Crypto 1997, Takagi [18] proposed an RSA-type cryptosystems using *n*-adic expansion.
One important variant of RSA is multi-power RSA [19], proposed by Takagi in 1998. In multi-power RSA, the RSA modulus *N* is of the form

At Indocrypt 2000, Lim, Kim, Yie and Lee [11] extended Takagi’s cryptosystem to include moduli of the form

Surprisingly, there had been very little research into the security RSA-type schemes with moduli

### 1.1 Related works

The security of this variant of RSA, like that of standard RSA, is based on the hardness of factoring large integers. Until now there is no known polynomial time algorithm to factorize large numbers except quantum algorithms. However, in a real-world implementation, partial information regarding the secret prime *p* can be leaked by side-channel attacks (known as *factoring with known bits problem*), hence it is crucial to study how this affects the factoring problem. In fact, there have been a number of results in this direction.

- •For the case of standard RSA with modulus
: In 1985, Rivest and Shamir [16] first studied this problem, they designed an algorithm to factor$N=pq$ *N*given -fraction of the bits of$\frac{2}{3}$ *p*. In 1996, Coppersmith [3] improved this bound to . Note that for the above results, the unknown bits are within one consecutive block. The case of$\frac{1}{2}$ blocks was first considered by Herrmann and May in [5].$n(n\ge 2)$ - •For the case of multi-power RSA with moduli
($N={p}^{r}q$ ): In 1999, Boneh, Durfee and Howgrave-Graham [2] showed that$r\ge 2$ *N*can be recovered efficiently given -fraction of the most significant bits (MSBs) of$\frac{1}{r+1}$ *p*. In 2013, Lu, Zhang and Lin [12] considered the case of*n* blocks.$\left(n\ge 2\right)$

To speed up decryption, the small secret exponent *d* is often used in some cryptographic applications. However, it is well known that the RSA scheme
is easily broken if the secret exponent *d* is too small (known as *small secret exponent attack*). In 1990, by utilizing the continued fraction method, Wiener [20] showed that the standard RSA scheme can be broken when

For the case of multi-power RSA, there exists two variants. In the
first variant, *N*. Later in 2004, May [14] improved Takagi’s bound to *d* can be recovered from if

### 1.2 Our contributions

In this paper,^{1} we analyze the security of RSA-type schemes with moduli

### Small secret exponent attacks on RSA-type schemes with moduli $N={p}^{r}{q}^{l}$ .

Considering the form of the moduli *e* and *d* satisfy *e* and *d* satisfy

For the equation *d* of the modular equation

one can recover *d* in polynomial time. Note that when

For the equation

the small solution

### Factoring RSA moduli $N={p}^{r}{q}^{l}$ with partial known bits.

In the conclusion of Boneh, Durfee and Howgrave-Graham’s paper [2], the authors raised a question that whether one can generalize the
factoring with partial known bits to the integers of the form *p*
in order to factor *N* in polynomial time.
Independently, Coron, Faugère, Renault and Zeitoun [4] also studied this problem. We give a comparison with their method and give an improvement
for certain parameters.
Besides, we also extend to the case of the arbitrary number *n* (

### Experimental results.

To verify the correctness of our above attacks, we have performed the experiments in Magma 2.11 computer algebra system on a PC with Intel(R) Core(TM) Duo CPU (2.53 GHz, 1.9 GB RAM Windows 7). And the experimental results demonstrate that the performance of our algorithms is effective.

## 2 Preliminaries

Consider *w* linearly independent vectors

is called an *w*-dimensional lattice with basis *L* is defined as
*M* are the vectors from *B*. When

In 1982, Lenstra, Lenstra and Lovász [10] proposed a polynomial time algorithm (known as LLL-Algorithm); let us first state the LLL-Algorithm.

*Let $L$ be a lattice of dimension w. Within polynomial time, LLL-Algorithm outputs a set of reduced basis vectors ${\mathbf{v}}_{i}$, $1\u2a7di\u2a7dw$, that satisfies*

Let *g* by the Euclidean norm of its coefficient vector:

Also we need the following result due to Howgrave-Graham [7].

*Let *

- (i)
$g({y}_{1},\dots ,{y}_{k})=0mod{e}^{m}$ *for* ,$\left|{y}_{1}\right|\u2a7d{X}_{1},\dots ,\left|{y}_{k}\right|\u2a7d{X}_{k}$ - (ii)
.$\parallel g({x}_{1}{X}_{1},\dots ,{x}_{k}{X}_{k})\parallel <\frac{{e}^{m}}{\sqrt{w}}$

*Then *

Suppose we have

with

Now we construct a lattice *k* polynomials

which
correspond to first *k* vectors of the reduced basis. Also by the property of the LLL-Algorithm,
we have

Hence by Lemma 2, if

then we have

Although our technique works in practice as noted from the experiments we perform, we need a heuristic assumption for theoretical results.

The lattice-based construction yields algebraically independent polynomials. The common roots of these polynomials can be efficiently computed using the Gröbner basis technique.

We also use the following theorem [13].

*Let N be a sufficiently large composite integer (of unknown factorization) with a divisor *

*The running time of the algorithm is polynomial in *

## 3 Small secret exponent attacks on RSA-type schemes with moduli $N={p}^{r}{q}^{l}$

In this section we consider the situation when the secret exponent *d* is small.

### 3.1 The first variant

At first, we study the first variant of encryption and decryption phases: *e* and *d* satisfy

*For every *

*e*be the public key exponent and let

*d*be the private key exponent satisfying

*Then N can be factored in polynomial time.*

Since

Then we want to find the root

Multiplying the inverse of *e* modulo *N*, we can obtain the equation

where *E* denotes the inverse of *e* modulo *N*. Note that *N* (

Since

for *m*, *i*,

Let *X**d*. We built a lattice *g*, i.e.,

From the triangular matrix of the lattice basis, we can compute the determinant as the product of the entries on the diagonal as *s* as

The computation of

for *p*. Therefore, we let *p* and *q* at the same time.

Define Δ as

Note that

Notice that for

however, for

Then we can calculate

Here we rewrite

for

for

Furthermore, we rewrite

where

To obtain a polynomial with short coefficients that contains all small roots over integer, we apply the LLL-Basis Reduction Algorithm to the lattice

where

To obtain the asymptotic bound, we let *m* grow to infinity. Note that for sufficiently large *N* the powers of 2 and *N*. Then we obtain that

where

Now we have to decide the optimized values of *N* as a function

Using

Solving the above equations, we get

Putting the values of

We appropriate the terms *m*, and obtain

We can express how *m* depends on the error term ϵ:

This concludes the proof of Theorem 1. ∎

Table 1 lists some theoretical and experimental results with 1000-bit *N*. In all experiments, we obtained an univariate integer equation with desired integer solution *d*. Thus we can obtain *d*.

The first variant: experimental results for small *d*.

theoretical | experimental | time (in seconds) | experimental | time (in seconds) | |

0.560 | 0.520 | 77.751 | 0.530 | 4433.798 | |

0.653 | 0.600 | 64.257 | 0.620 | 4177.972 | |

0.694 | 0.650 | 61.059 | 0.660 | 3209.409 | |

0.719 | 0.650 | 52.120 | 0.680 | 2894.411 |

### 3.2 The second variant

In the following we study the second variant of encryption and decryption phases: *e* and *d* satisfy

*For every *

*e*be the public key exponent and let

*d*be the private key exponent satisfying

*Then N can be factored in polynomial time.*

Since

Obviously, *p* and *q* can be estimated as *k* can be bounded as follows:

Usually, α is chosen as *X**Y**Z**G* of polynomials sharing the desired root modulo

To make the matrix triangular whose vectors are corresponding to the coefficients of polynomials, we need to append polynomials to list *G* as following ordered,

G=[] forto $u=0$ mforto $i=0$ do for $u-1$ to 1 do append $j=0$ to ${g}_{u-i,j,0,i}$ Gforto 1 do append $j=r-1$ to ${g}_{u-i,j,1,i}$ Gforto 1 do append $j=l-1$ to ${g}_{u-i,r,j,i}$ Gforto $u=0$ mdo forto $j=0$ sdo appendto ${g}_{0,j,0,u}$ Gforin 1 do append $i=l-1$ to ${g}_{0,r+j,i,u}$ Gforto $k=1$ tdo forto 0 do append $j=r-1$ to ${g}_{0,j,k,u}$ GreturnG

where each occurrence of *N* since

Then we construct a lattice

with

Since there are three unknown variables, based on Lemma 1 and Lemma 2, one can obtain three polynomial equations which share the roots

Putting the upper bounds and the value of *N*, we obtain that

or equivalently,

Setting

Putting an optimized value for τ, which is

Then we have

The relation between the error term ϵ and *m* can be expressed as

This concludes the proof of Theorem 2. ∎

Table 2 lists some theoretical and experimental results. In all experiments, we obtained several integer equations which share desired roots and successfully obtained the roots by using Gröbner basis technique.

The second variant: experimental results for small *d*.

theoretical d | experimental d | time of | experimental d | time of | ||
---|---|---|---|---|---|---|

2000 | 200 bits | 29 bits | 35.350 | 71 bits | 2573.002 | |

3000 | 300 bits | 47 bits | 103.600 | 110 bits | 5197.392 |

## 4 Factoring RSA moduli $N={p}^{r}{q}^{l}$ with partial known bits

In this section, we assume that we are given the number of *k* LSBs of *p*: *p* that one has to know in order to
factor *N* in polynomial time. Below we present two methods to solve this problem.

### 4.1 The attack modulo *p*

The above problem can be reduced to solve modular univariate polynomial equation

We can apply Theorem 4 with *y* if

When

This bound is exactly the same as in [2]. As *p*. Thus the total complexity
to factor *P* is a polynomial. This method is very suitable for the case of

### 4.2 The attack modulo *pq*

Let us start with the following lemma.

*For a given integer k, consider the modular function *

Since the domain of

Above all, the solution

This concludes the proof of Lemma 1. ∎

We rewrite *N* by *r* and *l* must be odd; we may assume without loss of generality that *l* is odd.
Suppose that we have *k* LSBs of *p* and let us denote it as *k* LSBs of *q*: *k* LSBs of *pq*:

Now apply Theorem 4 with *y* if

After we get the value of *pq*, we can calculate

Then we can get *p*.
Since

LSBs of *p*.
Thus the total complexity to the factor *P* is a polynomial. This method is very suitable for the case of

### Comparison between the two methods.

In the first method, the attacker has to guess *p*) is superior to our second attack (modulo *pq*) in the case

We present our bounds

Factoring *N* with partial known bits of *p*.

attack modulo p | attack modulo pq | |||||||||
---|---|---|---|---|---|---|---|---|---|---|

theo. | expt. | dim. | time (sec.) | theo. | expt. | dim. | time (sec.) | |||

2500 | 500 | 200 | 260 | 21 | 19.095 | 200 | 260 | 21 | 760.661 | |

2500 | 500 | 200 | 230 | 41 | 832.983 | 200 | 230 | 41 | 42447.935 | |

3500 | 500 | 143 | 260 | 21 | 21.856 | 429 | – | 21 | – | |

3500 | 500 | 143 | 200 | 41 | 1205.591 | 429 | 497 | 41 | 86495.347 | |

4500 | 500 | 223 | 330 | 21 | 32.245 | 112 | 260 | 21 | 4018.133 | |

4500 | 500 | 223 | 280 | 41 | 1413.463 | 112 | 230 | 41 | 163533.305 |

### 4.3 Comparison with the work of Coron, Faugère, Renault and Zeitoun

Independently, Coron, Faugère, Renault and Zeitoun [4] also studied this problem; they showed that *r* or *l* is at least

In [4, p. 5], for the modulus *r* and *l* are first expressed as

After lattice reduction, suppose that the short vector is *u* is taken as *u* is set as *a* is taken as *b* is taken as

- •First suppose that both
. Now$a,b\ge 0$ *N*can be expressed as , where$N={p}^{r}{q}^{l}={p}^{u\alpha +a}{q}^{u\beta +b}={P}^{u}Q$ and$P={p}^{\alpha}{q}^{\beta}$ . It has been proved in [4, p. 18] that to factor$Q={p}^{a}{q}^{b}$ in polynomial time, the attacker has to guess$N={P}^{r}Q$ many bits of$\frac{c}{u+c}$ *P*to find*P*, where . Thus if$Q<{P}^{c}$ , it is required to guess$a,b\ge 0$ many bits of$\frac{c}{u+c}\mathrm{log}P$ *P*. Here we can take as$c=\frac{a+b}{\alpha +\beta}$ and$P\approx {p}^{\alpha +\beta}$ . Thus in this case the attacker has to guess$Q\approx {p}^{a+b}$ many bits.$\frac{a+b}{\left(\alpha +\beta \right)u+a+b}\cdot \left(\alpha +\beta \right)\mathrm{log}p$ - •Next suppose that
. Now express$a,b\le 0$ , where$N=\frac{{P}^{u}}{Q}$ and$P={p}^{\alpha}{q}^{\beta}$ . In this case it has been proved in [4, p. 8] that the attacker has to search over$Q={p}^{-a}{q}^{-b}$ . So the required guess in this case will be approximately$[0,2{Q}^{\frac{1}{u}}]$ bits.$\frac{-\left(a+b\right)}{u}\mathrm{log}p$

Although in most of the cases the bounds of [4] may found the optimal expressions of *N* of the form *N* in the form *N*.

More specifically, for the modulus of the form

It is easily checked that *i*-th minimum of lattice

According to *u* is taken as *N* should be expressed as *N* will be expressed as

Then for the first expression of *N*, it is required to guess *p*.

Based on our two methods of Section 3.1 and Section 3.2, the number of known LSBs of *p* which is required to factor

However, when we express *N* as

Actually, there does not exist any vector in the two-dimensional *u* should be taken as

Thus in general, the Coron–Faugère–Renault–Zeitoun approach cannot give optimal

### 4.4 Extend to more unknown blocks

We also consider the case of the number of *n* (

*Let *

We can reduce the above problem to solve the following multivariate linear polynomial equation:

where *k*-th unknown blocks start on the *l*-th bit position. Moreover, if *n* goes to infinity, from Theorem 4, we have

It shows that if *n* is very large, we can recover *p* regardless of *n*. Conversely, once a
*p* together with their positions are given, we are able to recover the missing bits. Suppose that

portion of known bits from *p*.
∎

Note that for

## 5 Conclusion

In this paper, we have considered the RSA variant with moduli of the form *d* such that *d* can be recovered in polynomial time. Then we have presented the partial known bits attacks and successfully factored

## References

- [1]↑
D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than N 0.292 {{{N}}^{0.292}}, IEEE Trans. Inform. Theory 46 (2000), no. 4, 1339–1349.

- [2]↑
D. Boneh, G. Durfee and N. Howgrave-Graham, Factoring N = p r q {{N}=p^{r}q} for large r, Advances in Cryptology – CRYPTO 1999, Lecture Notes in Comput. Sci. 1666, Springer, Berlin (1999), 787–787.

- [3]↑
D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, J. Cryptologyy 10 (1997), no. 4, 233–260.

- [4]↑
J. S. Coron, J. C. Faugère, G. Renault and R. Zeitoun, Factoring N = p r q s {{N}=p^{r}q^{s}} for large r and s, Topics in Cryptology – CT-RSA 2016, Lecture Notes in Comput. Sci. 9610, Springer, Berlin (2016), 448–464; https://eprint.iacr.org/2015/071.

- [5]↑
M. Herrmann and A. May, Solving linear equations modulo divisors: On factoring given any bits, Advances in Cryptology – ASIACRYPT 2008, Lecture Notes in Comput. Sci. 5350, Springer, Berlin (2008), 406–424.

- [6]↑
M. Herrmann and A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, Public Key Cryptography – PKC 2010, Lecture Notes in Comput. Sci. 6056, Springer, Berlin (2010), 53–69.

- [7]↑
N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Crytography and Coding – IMACC 1997, Lecture Notes in Comput. Sci. 1355, Springer, Berlin (1997), 131–142.

- [8]↑
K. Itoh, N. Kunihiro and K. Kurosawa, Small secret key attack on a variant of RSA (due to Takagi), Topics in Cryptology – CT-RSA 2008, Lecture Notes in Comput. Sci. 4964, Springer, Berlin (2008), 387–406.

- [9]↑
N. Kunihiro, N. Shinohara and T. Izu, A unified framework for small secret exponent attack on RSA, Selected Areas in Cryptography – SAC 2011, Lecture Notes in Comput. Sci. 7118, Springer, Berlin (2012), 260–277.

- [10]↑
A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), no. 4, 515–534.

- [11]↑
S. Lim, S. Kim, I. Yie and H. Lee., , Progress in Cryptology – INDOCRYPT 2000, Lecture Notes in Comput. Sci. 1977, Springer, Berlin (2000), 283–294.

- [12]↑
Y. Lu, R. Zhang and D. Lin, Factoring multi-power RSA modulus N = p r q {{N}=p^{r}q} with partial known bits, Information Security and Privacy – ACISP 2013, Lecture Notes in Comput. Sci. 7959, Springer, Berlin (2013), 57–71.

- [13]↑
Y. Lu, R. Zhang, L. Peng and D. Lin, Solving linear equations modulo unknown divisors: revisited, Advances in Cryptology – ASIACRYPT 2015, Lecture Notes in Comput. Sci. 9452, Springer, Berlin (2015), 189–213; https://eprint.iacr.org/2014/343.

- [14]↑
A. May, Secret exponent attacks on RSA-type schemes with moduli N = p r q {N=p^{r}q}, Public Key Cryptography – PKC 2004, Lecture Notes in Comput. Sci. 2947, Springer, Berlin (2004), 218–230.

- [15]↑
T. Okamoto and S. Uchiyama, A new public-key cryptosystem as secure as factoring, Advances in Cryptology – EUROCRYPT 1998, Lecture Notes in Comput. Sci. 1403, Springer, Berlin (1998), 308–318.

- [16]↑
R. Rivest and A. Shamir, Efficient factoring based on partial information, Advances in Cryptology – EUROCRYPT 1985, Lecture Notes in Comput. Sci. 219, Springer, Berlin (1986), 31–34.

- [17]↑
S. Sarkar, Small secret exponent attack on RSA variant with modulus N = p r q {N=p^{r}q}, Des. Codes Cryptogr. 73 (2014), no. 2, 383–392.

- [18]↑
T. Takagi, Fast RSA-type cryptosystems using n-adic expansion, Advances in Cryptology – CRYPTO 1997, Lecture Notes in Comput. Sci. 1294, Springer, Berlin (1997), 372–384.

- [19]↑
T. Takagi, Fast RSA-type cryptosystem modulo p k q {p^{k}q}, Advances in Cryptology – CRYPTO 1998, Lecture Notes in Comput. Sci. 1462, Springer, Berlin (1998), 318–326.

- [20]↑
M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), no. 3, 553–558.

- [21]↑
The EPOC and the ESIGN Algorithms, IEEE P1363: Protocols from other families of Public-Key algorithms, 1998, http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html.

## Footnotes

^{1}

This is a thoroughly revised and extended version
of the paper “Cryptanalysis of an RSA variant with moduli