CT-RSA 2016: Topics in Cryptology - CT-RSA 2016 pp 448-464

# Factoring $$N=p^rq^s$$ for Large r and s

• Jean-Sébastien Coron
• Jean-Charles Faugère
• Guénaël Renault
• Rina Zeitoun
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9610)

## Abstract

Boneh et al. showed at Crypto 99 that moduli of the form $$N=p^rq$$ can be factored in polynomial time when $$r \simeq \log p$$. Their algorithm is based on Coppersmith’s technique for finding small roots of polynomial equations. In this paper we show that $$N=p^rq^s$$ can also be factored in polynomial time when $$r$$ or $$s$$ is at least $$(\log p)^3$$; therefore we identify a new class of integers that can be efficiently factored.

We also generalize our algorithm to moduli with $$k$$ prime factors $$N= \prod _{i=1}^{k} p_i^{r_i}$$; we show that a non-trivial factor of $$N$$ can be extracted in polynomial time if one of the exponents $$r_i$$ is large enough.

## References

1. [BCF+14]
Bi, J., Coron, J.-S., Faugère, J.-C., Nguyen, P.Q., Renault, G., Zeitoun, R.: Rounding and chaining LLL: finding faster small roots of univariate polynomial congruences. IACR Cryptology ePrint Archive, 2014 (2014)
2. [BD00]
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key $$d$$ less than $$N^{0.292}$$. IEEE Trans. Inf. Theory 46(4), 1339 (2000)
3. [BDHG99]
Boneh, D., Durfee, G., Howgrave-Graham, N.: Factoring $$n=p^{r} q$$ for large $$r$$. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 326–337. Springer, Heidelberg (1999)
4. [BM05]
Blömer, J., May, A.: A tool kit for finding small roots of bivariate polynomials over the integers. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 251–267. Springer, Heidelberg (2005)
5. [CFRZ15]
Coron, J.-S., Faugère, J.-C., Renault, G., Zeitoun, R.: Factoring $${N}=p^r q^s$$ for large $$r$$ and $$s$$. Cryptology ePrint Archive, Report 2015/071 (2015). http://eprint.iacr.org/. Full version of this paper
6. [Co96a]
Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
7. [Co96b]
Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
8. [Cop97]
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997). Journal version of [Co96b, Co96a]
9. [DN00]
Durfee, G., Nguyên, P.Q.: Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt ’99. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 14–29. Springer, Heidelberg (2000)
10. [HG97]
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
11. [JM07]
Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than $$N^{0.073}$$. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007)
12. [Len87]
Lenstra, H.W.: Factoring integers with elliptic curves. Ann. Math. 126, 649–673 (1987)
13. [LKYL00]
Lim, S., Kim, S., Yie, I., Lee, H.: A generalized Takagi-cryptosystem with a modulus of the form $$p^{r} q^{s}$$. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 283–294. Springer, Heidelberg (2000)
14. [LLL82]
Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 513–534 (1982)
15. [May04]
May, A.: Computing the RSA secret key is deterministic polynomial time equivalent to factoring. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 213–219. Springer, Heidelberg (2004)
16. [NS09]
Nguyen, P.Q., Stehlé, D.: An LLL algorithm with quadratic complexity. SIAM J. Comput. 39(3), 874–903 (2009)
17. [NSV11]
Novocin, A., Stehlé, D., Villard, G.: An LLL-reduction algorithm with quasi-linear time complexity: extended abstract. In: Proceedings of the STOC 2011, pp. 403–412. ACM (2011)
18. [Tak97]
Takagi, T.: Fast RSA-type cryptosystems using n-adic expansion. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 372–384. Springer, Heidelberg (1997)
19. [Tak98]
Takagi, T.: Fast RSA-type cryptosystem modulo $$p^{k}q$$. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)

© Springer International Publishing Switzerland 2016

## Authors and Affiliations

• Jean-Sébastien Coron (1)
• Jean-Charles Faugère (2, 3, 4)
• Guénaël Renault (2, 3, 4)
• Rina Zeitoun (5)

1. University of Luxembourg, Luxembourg City, Luxembourg
2. INRIA, POLSYS, Centre Paris-Rocquencourt, Le Chesnay, France
3. Sorbonne Universités, UPMC Univ Paris 06, Équipe POLSYS, LIP6 UPMC, Paris, France
4. CNRS, UMR 7606, LIP6 UPMC, Paris, France
5. Oberthur Technologies, Colombes, France