Factoring \(N=p^rq^s\) for Large r and s

  • Jean-Sébastien Coron
  • Jean-Charles Faugère
  • Guénaël Renault
  • Rina Zeitoun
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9610)


Boneh et al. showed at Crypto 99 that moduli of the form \(N=p^rq\) can be factored in polynomial time when \(r \simeq \log p\). Their algorithm is based on Coppersmith’s technique for finding small roots of polynomial equations. In this paper we show that \(N=p^rq^s\) can also be factored in polynomial time when \(r\) or \(s\) is at least \((\log p)^3\); therefore we identify a new class of integers that can be efficiently factored.

We also generalize our algorithm to moduli with \(k\) prime factors \(N= \prod _{i=1}^{k} p_i^{r_i}\); we show that a non-trivial factor of \(N\) can be extracted in polynomial time if one of the exponents \(r_i\) is large enough.


  1. [BCF+14]
    Bi, J., Coron, J.-S., Faugère, J.-C., Nguyen, P.Q., Renault, G., Zeitoun, R.: Rounding and chaining LLL: finding faster small roots of univariate polynomial congruences. IACR Cryptology ePrint Archive, 2014 (2014)
  2. [BD00]
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339 (2000)
  3. [BDHG99]
    Boneh, D., Durfee, G., Howgrave-Graham, N.: Factoring \(n=p^{r} q\) for large \(r\). In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 326–337. Springer, Heidelberg (1999)
  4. [BM05]
    Blömer, J., May, A.: A tool kit for finding small roots of bivariate polynomials over the integers. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 251–267. Springer, Heidelberg (2005)
  5. [CFRZ15]
    Coron, J.-S., Faugère, J.-C., Renault, G., Zeitoun, R.: Factoring \(N=p^r q^s\) for large \(r\) and \(s\). Cryptology ePrint Archive, Report 2015/071 (2015). Full version of this paper
  6. [Co96a]
    Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
  7. [Co96b]
    Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
  8. [Cop97]
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997). Journal version of [Co96b, Co96a]
  9. [DN00]
    Durfee, G., Nguyên, P.Q.: Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt ’99. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 14–29. Springer, Heidelberg (2000)
  10. [HG97]
    Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  11. [JM07]
    Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than \(N^{0.073}\). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)
  12. [Len87]
    Lenstra, H.W.: Factoring integers with elliptic curves. Ann. Math. 126, 649–673 (1987)
  13. [LKYL00]
    Lim, S., Kim, S., Yie, I., Lee, H.: A generalized Takagi-cryptosystem with a modulus of the form \(p^{r} q^{s}\). In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 283–294. Springer, Heidelberg (2000)
  14. [LLL82]
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 513–534 (1982)
  15. [May04]
    May, A.: Computing the RSA secret key is deterministic polynomial time equivalent to factoring. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 213–219. Springer, Heidelberg (2004)
  16. [NS09]
    Nguyen, P.Q., Stehlé, D.: An LLL algorithm with quadratic complexity. SIAM J. Comput. 39(3), 874–903 (2009)
  17. [NSV11]
    Novocin, A., Stehlé, D., Villard, G.: An LLL-reduction algorithm with quasi-linear time complexity: extended abstract. In: Proceedings of the STOC 2011, pp. 403–412. ACM (2011)
  18. [Tak97]
    Takagi, T.: Fast RSA-type cryptosystems using n-adic expansion. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 372–384. Springer, Heidelberg (1997)
  19. [Tak98]
    Takagi, T.: Fast RSA-type cryptosystem modulo \(p^{k}q\). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Jean-Sébastien Coron (1)
  • Jean-Charles Faugère (2, 3, 4)
  • Guénaël Renault (2, 3, 4)
  • Rina Zeitoun (5)

  1. University of Luxembourg, Luxembourg City, Luxembourg
  2. INRIA, POLSYS, Centre Paris-Rocquencourt, Le Chesnay, France
  3. Sorbonne Universités, UPMC Univ Paris 06, Équipe POLSYS, LIP6 UPMC, Paris, France
  4. CNRS, UMR 7606, LIP6 UPMC, Paris, France
  5. Oberthur Technologies, Colombes, France
