Deterministic Polynomial Time Equivalence Between Factoring and Key-Recovery Attack on Takagi’s RSA

  • Noboru Kunihiro
  • Kaoru Kurosawa
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4450)


For RSA, May showed a deterministic polynomial time equivalence of computing d to factoring \(N = pq\). On the other hand, Takagi showed a variant of RSA such that the decryption algorithm is faster than the standard RSA, where \(N = p^r q\) while \(ed=1 \bmod (p-1)(q-1)\). In this paper, we show that a deterministic polynomial time equivalence also holds in this variant. The coefficient matrix T to which the LLL algorithm is applied is no longer lower triangular, and hence we develop a new technique to overcome this problem.


Keywords: RSA, factoring, LLL algorithm


  1. Blömer, J., May, A.: A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 251–267. Springer, Heidelberg (2005)
  2. Boneh, D., Durfee, G., Howgrave-Graham, N.: Factoring \(N = p^r q\) for Large r. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 326–337. Springer, Heidelberg (1999)
  3. Coppersmith, D.: Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Cryptology 10(4), 233–260 (1997)
  4. Coron, J.S., May, A.: Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring. IACR ePrint Archive: Report 2004/208 (2004), to appear in Journal of Cryptology
  5. Durfee, G., Nguyen, P.: Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt’99. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 14–29. Springer, Heidelberg (2000)
  6. Fujioka, A., Okamoto, T., Miyaguchi, S.: ESIGN: An Efficient Digital Signature Implementation for Smart Cards. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 446–457. Springer, Heidelberg (1991)
  7. Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: IMA Int. Conf., pp. 131–142 (1997)
  8. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)
  9. May, A.: Computing the RSA Secret Key Is Deterministic Polynomial Time Equivalent to Factoring. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 213–219. Springer, Heidelberg (2004)
  10. Miller, G.L.: Riemann’s Hypothesis and Tests for Primality. In: Seventh Annual ACM Symposium on the Theory of Computing, pp. 234–239. ACM Press, New York (1975)
  11. Okamoto, T., Uchiyama, S.: A New Public Key Cryptosystem as secure as factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 310–318. Springer, Heidelberg (1998)
  12. Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
  13. Takagi, T.: Fast RSA-Type Cryptosystem Modulo \(p^k q\). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)
  14. Takagi, T.: A Fast RSA-Type Public-Key Primitive Modulo \(p^k q\) Using Hensel Lifting. IEICE Trans. Fundamentals 87-A(1), 94–101 (2004)

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Noboru Kunihiro (1)
  • Kaoru Kurosawa (2)
  1. The University of Electro-Communications, Japan
  2. Ibaraki University, Japan
