Public Key Cryptography – PKC 2011

Volume 6571 of the series Lecture Notes in Computer Science pp 147-155

Cryptanalysis of the RSA Subgroup Assumption from TCC 2005

  • Jean-Sébastien Coron (Université du Luxembourg)
  • Antoine Joux (Direction générale de l’armement (DGA); Laboratoire PRISM, Université de Versailles–Saint-Quentin)
  • Avradip Mandal (Université du Luxembourg)
  • David Naccache (Département d’informatique, Groupe de cryptographie, École normale supérieure)
  • Mehdi Tibouchi (Université du Luxembourg; Département d’informatique, Groupe de cryptographie, École normale supérieure)


At TCC 2005, Groth underlined the usefulness of working in small RSA subgroups of hidden order. In assessing the security of the relevant hard problems, however, the best attack considered for a subgroup of size $2^{2\ell}$ had a complexity of O(2). Accordingly, $\ell = 100$ bits was suggested as a concrete parameter.

This paper exhibits an attack with a complexity of roughly $2^{\ell/2}$ operations, suggesting that Groth’s original choice of parameters was overly aggressive. It also discusses the practicality of this new attack and various implementation issues.


Keywords: RSA moduli, hidden order, subgroup, cryptanalysis