Cryptanalysis of RSA Variants with Modified Euler Quotient

  • Mengce ZhengEmail author
  • Noboru Kunihiro
  • Honggang Hu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10831)


The standard RSA scheme provides the key equation \(ed\equiv 1\pmod {\varphi (N)}\) for \(N=pq\), where \(\varphi (N)=(p-1)(q-1)\) is Euler quotient (or Euler’s totient function), e and d are the public and private keys, respectively. It has been extended to the following variants with modified Euler quotient \(\omega (N)=(p^2-1)(q^2-1)\), which in turn indicates the modified key equation is \(ed\equiv 1\pmod {\omega (N)}\).

  • An RSA-type scheme based on singular cubic curves \(y^2\equiv x^3+bx^2\pmod {N}\) for \(N=pq\).

  • An extended RSA scheme based on the field of Gaussian integers for \(N=PQ\), where P, Q are Gaussian primes with \(p=|P|\), \(q=|Q|\).

  • A scheme working in quadratic field quotients using Lucas sequences with an RSA modulus \(N=pq\).

In this paper, we investigate some key-related attacks on such RSA variants using lattice-based techniques. To be specific, small private key attack, multiple private keys attack, and partial key exposure attack are proposed. Furthermore, we provide the first results for multiple private keys attack and partial key exposure attack when analyzing the RSA variants with modified Euler quotient.


RSA variants Modified Euler quotient Lattice Multiple private keys attack Partial key exposure attack 



The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. This work was partially supported by National Natural Science Foundation of China (Grant Nos. 61522210, 61632013).


  1. 1.
    Aono, Y.: Minkowski sum based lattice construction for multivariate simultaneous Coppersmith’s technique and applications to RSA. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 88–103. Springer, Heidelberg (2013). Scholar
  2. 2.
    Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003). Scholar
  3. 3.
    Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N0.292. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999). Scholar
  4. 4.
    Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998). Scholar
  5. 5.
    Bunder, M., Nitaj, A., Susilo, W., Tonien, J.: A new attack on three variants of the RSA cryptosystem. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 258–268. Springer, Cham (2016). Scholar
  6. 6.
    Bunder, M., Tonien, J.: New attack on the RSA cryptosystem based on continued fractions. Malays. J. Math. Sci. 11(S3), 45–57 (2017)MathSciNetGoogle Scholar
  7. 7.
    Castagnos, G.: An efficient probabilistic public-key cryptosystem over quadratic fields quotients. Finite Fields Appl. 13(3), 563–576 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996). Scholar
  9. 9.
    Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996). Scholar
  10. 10.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Coron, J.-S.: Finding small roots of bivariate integer polynomial equations revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004). Scholar
  12. 12.
    Coron, J.-S.: Finding small roots of bivariate integer polynomial equations: a direct approach. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 379–394. Springer, Heidelberg (2007). Scholar
  13. 13.
    Elkamchouchi, H., Elshenawy, K., Shaban, H.: Extended RSA cryptosystem and digital signature schemes in the domain of Gaussian integers. In: ICCS 2002, vol. 1, pp. 91–95. IEEE (2002)Google Scholar
  14. 14.
    Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005). Scholar
  15. 15.
    Fiat, A.: Batch RSA. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 175–185. Springer, New York (1990). Scholar
  16. 16.
    Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009)CrossRefGoogle Scholar
  17. 17.
    Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010). Scholar
  18. 18.
    Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997). Scholar
  19. 19.
    Howgrave-Graham, N., Seifert, J.-P.: Extending Wiener’s attack in the presence of many decrypting exponents. CQRE 1999. LNCS, vol. 1740, pp. 153–166. Springer, Heidelberg (1999). Scholar
  20. 20.
    Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006). Scholar
  21. 21.
    Jochemsz, E., May, A.: A polynomial time attack on RSA with private CRT-exponents smaller than N0.073. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 395–411. Springer, Heidelberg (2007). Scholar
  22. 22.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). Scholar
  23. 23.
    Kuwakado, H., Koyama, K., Tsuruoka, Y.: New RSA-type scheme based on singular cubic curves \({y^2\equiv x^3+bx^2}\) (mod \({n}\)). IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E78–A(1), 27–33 (1995)Google Scholar
  24. 24.
    Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    May, A.: Using LLL-reduction for solving RSA and factorization problems. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm - Survey and Applications. ISC, pp. 315–348. Springer, Heidelberg (2010). Scholar
  26. 26.
    Peng, L., Hu, L., Lu, Y., Sarkar, S., Xu, J., Huang, Z.: Cryptanalysis of variants of RSA with multiple small secret exponents. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 105–123. Springer, Cham (2015). Scholar
  27. 27.
    Peng, L., Hu, L., Lu, Y., Wei, H.: An improved analysis on three variants of the RSA cryptosystem. In: Chen, K., Lin, D., Yung, M. (eds.) Inscrypt 2016. LNCS, vol. 10143, pp. 140–149. Springer, Cham (2017). Scholar
  28. 28.
    Quisquater, J.J., Couvreur, C.: Fast decipherment algorithm for RSA public-key cryptosystem. Electron. Lett. 18(21), 905–907 (1982)CrossRefGoogle Scholar
  29. 29.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Al-Shaer, E., Jha, S., Keromytis, A.D. (eds.) ACM CCS 2009, pp. 199–212. ACM Press, Chicago (2009)Google Scholar
  30. 30.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Sarkar, S.: Small secret exponent attack on RSA variant with modulus \(N=p^r q\). Des. Codes Cryptogr. 73(2), 383–392 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  32. 32.
    Sarkar, S.: Revisiting prime power RSA. Discrete Appl. Math. 203, 127–133 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    Sarkar, S., Maitra, S.: Cryptanalytic results on ‘Dual CRT’ and ‘Common Prime’ RSA. Des. Codes Cryptogr. 66(1–3), 157–174 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    Sarkar, S., Venkateswarlu, A.: Partial key exposure attack on CRT-RSA. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 255–264. Springer, Cham (2014). Scholar
  35. 35.
    Takagi, T.: Fast RSA-type cryptosystem modulo pkq. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998). Scholar
  36. 36.
    Takayasu, A., Kunihiro, N.: Cryptanalysis of RSA with multiple small secret exponents. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 176–191. Springer, Cham (2014). Scholar
  37. 37.
    Takayasu, A., Kunihiro, N.: Partial key exposure attacks on RSA: achieving the Boneh-Durfee bound. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 345–362. Springer, Cham (2014). Scholar
  38. 38.
    Takayasu, A., Kunihiro, N.: Partial key exposure attacks on RSA with multiple exponent pairs. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 243–257. Springer, Cham (2016). Scholar
  39. 39.
    Takayasu, A., Kunihiro, N.: A tool kit for partial key exposure attacks on RSA. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 58–73. Springer, Cham (2017). Scholar
  40. 40.
    Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)MathSciNetCrossRefzbMATHGoogle Scholar
  41. 41.
    Zheng, M., Hu, H.: Cryptanalysis of prime power RSA with two private exponents. Sci. China Inf. Sci. 58(11), 1–8 (2015)MathSciNetCrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.CAS Key Laboratory of Electromagnetic Space InformationUniversity of Science and Technology of ChinaHefeiChina
  2. 2.The University of TokyoTokyoJapan

Personalised recommendations