Solving Linear Equations Modulo Unknown Divisors: Revisited
Abstract
We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor p of a known composite integer N. In CaLC 2001, Howgrave-Graham introduced an efficient algorithm for solving univariate linear equations; since then, two forms of multivariate generalizations have been considered in the context of cryptanalysis: modular multivariate linear equations by Herrmann and May (Asiacrypt’08) and simultaneous modular univariate linear equations by Cohn and Heninger (ANTS’12). Their algorithms have many important applications in cryptanalysis, such as the factoring with known bits problem, fault attacks on RSA signatures, analysis of the approximate GCD problem, etc.

We improve May’s results (PKC’04) on the small secret exponent attack on the RSA variant with moduli \(N = p^rq\) (\(r\ge 2\)).

We experimentally improve Boneh et al.’s algorithm (Crypto’98) on the factoring \(N=p^rq\) (\(r\ge 2\)) with known bits problem.

We significantly improve Jochemsz-May’s attack (Asiacrypt’06) on Common Prime RSA.

We extend Nitaj’s result (Africacrypt’12) on weak encryption exponents of RSA and CRT-RSA.
Keywords: Lattice-based analysis · Linear modular equations · RSA
1 Introduction
Lattice-based cryptanalysis is a very useful tool against various cryptographic systems; historically, for example, it was used to break the Merkle-Hellman knapsack cryptosystem [34]. The basic idea of the lattice-based approach is that if the system parameters of the target problem can be transformed into a basis of a certain lattice, one can find some short vectors in that lattice using dedicated algorithms, like the LLL algorithm [20]. One may then hope that the secret key can be recovered once the solutions are extracted from these short vectors. Although in most cases this assumption is not rigorous in theory, it usually works well in practice.
In the above approach, a key step is to construct the desired lattice. In 1997, Coppersmith [5] presented a subtle lattice construction method, and used it to find small roots of modular equations of special forms. Since then, this approach has been widely applied in the analysis of RSA. Among its applications, one of the most important is solving the approximate integer common divisor problem (ACDP): given two integers that are near-multiples of a hidden integer, output that hidden integer. We note that ACDP was first introduced by Howgrave-Graham [15], and it in turn has many important applications, such as building fully homomorphic cryptosystems [37].
In 2003, May [21] generalized Howgrave-Graham’s strategy from a univariate linear polynomial to an arbitrary monic modular polynomial of degree \(\delta \), i.e. \(f(x)=x^{\delta }+a_{\delta -1}x^{\delta -1}+\ldots +a_0 \text { mod } p\) where \(\delta \ge 1\). As an important application, this algorithm can be used to solve the problem of factoring with known bits for Takagi’s moduli \(N=p^rq\) (\(r>1\)) [2].
1.1 Our Contributions
In this paper, we focus on the following three types of extensions of previous equations.
The second is a special case of Eq. (2): \(a_0=0\), described in Sect. 4.
Notice that our generalized equations employ many parameters. We introduce these parameters because some attacks on RSA variants (such as Takagi’s RSA variant [35]) can be reduced to solving this kind of equation. However, previous algorithms [4, 12, 23] do not seem to work in this situation. The difficulty lies in how to wisely embed this algebraic information in the lattice construction.
We solve the above equations by introducing new techniques. More precisely, we present a novel way to select appropriate polynomials when constructing the desired lattice. Compared with previous algorithms, our algorithms are more flexible and especially suitable for some cases. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants. We elaborate on them below. We further conjecture that our new algorithms may find new applications in various other contexts.
Small Secret Exponent Attack on Multi-power RSA. In the multi-power RSA algorithm, suppose that the public key is (N, e), where \(N=p^rq\) for some fixed \(r\ge 2\) and p, q are of the same bit-size. The secret key d satisfies \(ed\equiv 1 \text { mod } \phi (N)\), where \(\phi (N)\) is Euler’s \(\phi \)-function. In Crypto’99, Takagi [35] showed that when the secret exponent \(d< N^{\frac{1}{2(r+1)}}\), one can factorize N. Later in PKC’04, May [22] improved Takagi’s bound to \(N^{\max \{\frac{r}{(r+1)^2}, \frac{(r-1)^2}{(r+1)^2}\}}\). In this paper, we further improve May’s bound to \(N^{\frac{r(r-1)}{(r+1)^2}}\), which is better than May’s result when \(r>2\), and is also independent of the size of the public exponent e. As in [22], our result also directly implies an improved partial key exposure attack for a secret exponent d with known most significant bits (MSBs) or least significant bits (LSBs). Our improvements are based on our algorithm for solving the first type of equation, together with the observation that \(\gcd (ed-1,N)=p^{r-1}\) while \(N\equiv 0 \text { mod } p^r\).
Factoring Multi-power Moduli with Known Bits. In 1999, Boneh et al. [2] extended the factoring with known high bits problem to moduli of the form \(N=p^rq\ (r\ge 2)\). They showed that these moduli can be factored in time polynomial in the bit-length of N if \(r=\varOmega (\sqrt{\frac{\log N}{\log \log N}})\). Applying our algorithm for solving the first type of equation, we directly obtain another method for the problem of [2]. Though we cannot get an asymptotic improvement, in practice, especially for large r, our new method performs better than [2].
Weak Encryption Exponents of RSA and CRT-RSA. In Africacrypt’12, Nitaj [26] presented some attacks on RSA and CRT-RSA (where the public exponent e and the private CRT-exponents \(d_p\) and \(d_q\) satisfy \(ed_p\equiv 1 \text { mod } (p-1)\) and \(ed_q \equiv 1 \text { mod } (q-1)\)). His attacks are based on Herrmann-May’s technique [12] for finding small solutions of modular equations. In particular, he reduced his attacks to solving bivariate linear modular equations modulo unknown divisors: \(ex+y\equiv 0 \text { mod } p\) for some unknown p that divides the known modulus N. Noticing that his equations are homogeneous, we can improve his results with our algorithm for solving the second type of equation.
Small Secret Exponent Attack on Common Prime RSA. We give a simple but effective attack on an RSA variant called Common Prime RSA. This variant was originally introduced by Wiener [38] as a countermeasure against his continued fraction attack. He suggested choosing p and q such that \(p-1\) and \(q-1\) share a large common factor. In 2006, Hinek [13] revisited the security of Common Prime RSA, and in the same year Jochemsz and May [17] proposed a heuristic attack, showing that part of the key space suggested by Hinek is insecure. In this paper, we further improve Jochemsz-May’s bound by using our algorithm for solving the third type of equation.
Experimental Results. For all these attacks, we carry out experiments to verify the validity of our algorithms. These experimental results show that our attacks are effective.
2 Preliminary
In 1982, Lenstra, Lenstra and Lovász proposed the LLL algorithm [20], which finds in polynomial time vectors whose norms are small enough to satisfy the following condition.
Lemma 1
In practice, it is widely known that the LLL algorithm tends to output vectors whose norms are much smaller than theoretically predicted.
In 1997, Coppersmith [5] described a lattice-based technique to find small roots of modular and integer equations. Later, Howgrave-Graham [14] reformulated Coppersmith’s ideas for finding modular roots. The main idea of Coppersmith’s method is to reduce the problem of finding small roots of \(f(x_1,\dots ,x_n) \text { mod } N\) to finding roots over the integers. To this end, one constructs a collection of polynomials that share a common root modulo \(N^m\) for some well-chosen integer m. Then one constructs a lattice by taking these polynomials’ coefficient vectors as a lattice basis. Using lattice basis reduction algorithms (like the LLL algorithm [20]), one can find a number of linear equations with sufficiently small norm. Howgrave-Graham [14] gave a sufficient condition that quantifies the term “sufficiently small”. Next we review this useful lemma.
Let \(g(x_{1},\cdots ,x_{k})=\sum _{i_{1},\cdots ,i_{k}}a_{i_{1},\cdots ,i_{k}}x^{i_{1}}_{1}\cdots x_{k}^{i_{k}}\). We define the norm of g by the Euclidean norm of its coefficient vector: \( \| g \| ^{2}=\sum _{i_{1},\cdots ,i_{k}}a^{2}_{i_{1},\cdots ,i_{k}}\).
Lemma 2 (Howgrave-Graham [14])
Let \(g(x_{1},\cdots ,x_{k})\in \mathbb {Z}[x_1,\cdots ,x_k]\) be an integer polynomial that consists of at most w monomials. Suppose that
 1. \(g(y_{1},\cdots ,y_{k})=0 \text { mod } p^{m}\) for \(\mid y_{1} \mid \leqslant X_{1},\cdots , \mid y_{k}\mid \leqslant X_{k}\), and
 2. \( \| g(x_{1}X_{1},\cdots ,x_{k}X_{k}) \| < \frac{p^{m}}{\sqrt{w}} \).
Then \(g(y_{1},\cdots ,y_{k})=0\) holds over the integers.
Combining Lemmas 1 and 2, we get the following theorem.
Theorem 1
Additionally, our attacks sometimes rely on a well-known assumption that is widely used in the literature [1, 9, 12].
Assumption 1
The lattice-based construction yields algebraically independent polynomials. The common roots of these polynomials can be efficiently computed using the Gröbner basis technique.
Note that the time complexity of Gröbner basis computation is in general doubly exponential in the degree of the polynomials.
We would like to point out that our subsequent complexity considerations refer solely to the lattice basis reduction step, which turns the polynomial \(f(x_1,\dots ,x_n) \text { mod } N\) into n polynomials over the integers. We assume that the running time of the Gröbner basis computation is negligible compared to the time complexity of the LLL algorithm, since in general our algorithm yields more than n polynomials, and one can make use of these additional polynomials to speed up the Gröbner basis computation.
3 The First Type of Equations
In this section, we address how to solve \(f_1(x)=a_0+a_1x \text { mod } p^v \ (v \ge 1)\) for some unknown p where \(p^u\) divides a known modulus N (i.e. \(N\equiv 0 \text { mod } p^u\), \(u\ge 1\)). In particular, Howgrave-Graham’s result [15] can be viewed as the special case \(u=1\), \(v=1\) of our algorithm.
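To make the Lemma 2 machinery concrete in the \(u=1\), \(v=1\) special case just mentioned, here is an added Python example (not code from the paper or its authors) that runs Howgrave-Graham's construction on a constructed factoring-with-known-bits instance: \(N=pq\), the high bits \(\tilde p\) of p are known, and the small root y of \(f(x)=\tilde p + x \text { mod } p\) is recovered. The polynomial selection \(N^{m-i}f^i\), \(x^jf^m\), the textbook rational LLL and the toy primes are my own choices, and the Lemma 2 check uses only \(p\ge N^{1/2}\), which holds for this instance.

```python
from fractions import Fraction
from math import gcd

# Constructed toy instance (not from the paper): N = p*q with p >= sqrt(N), and
# all but the low 8 bits of p are known.  p = 2^32 - 5 and q = 10^9 + 7 are prime.
P_TRUE = 4294967291
Q_TRUE = 1000000007
N = P_TRUE * Q_TRUE
X = 2 ** 8                        # bound on the unknown part: |y| <= X
P_TILDE = P_TRUE - (P_TRUE % X)   # known high bits, so f(x) = P_TILDE + x and y = 251


def poly_mul(a, b):
    """Product of integer polynomials stored as coefficient lists (index = degree)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def poly_pow(a, e):
    r = [1]
    for _ in range(e):
        r = poly_mul(r, a)
    return r


def poly_eval(c, x):
    return sum(ck * x ** k for k, ck in enumerate(c))


def dot(u, v):
    return sum(Fraction(a) * b for a, b in zip(u, v))


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over the rationals (adequate for the tiny dimensions used here)."""
    B = [list(r) for r in basis]
    n = len(B)

    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu

    Bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                mu[k][j] -= q                     # b*_k is unchanged; only mu_{k,i}, i <= j, move
                for i in range(j):
                    mu[k][i] -= q * mu[j][i]
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return B


def build_lattice(a0, m, t):
    """Howgrave-Graham lattice for f(x) = a0 + x mod p with p | N (the u = v = 1 case).
    Rows: N^(m-i) f^i for i = 0..m and x^j f^m for j = 1..t, each evaluated at xX."""
    f = [a0, 1]
    polys = [poly_mul([N ** (m - i)], poly_pow(f, i)) for i in range(m + 1)]
    polys += [[0] * j + poly_pow(f, m) for j in range(1, t + 1)]
    dim = m + t + 1
    return [[c * X ** k for k, c in enumerate(g + [0] * (dim - len(g)))] for g in polys]


def recover_root(a0, m=2, t=2):
    """Return (y, lemma2_ok): y is the small root of a0 + x = 0 mod p, and lemma2_ok says
    whether the shortest LLL vector provably meets Lemma 2 using only p >= N^(1/2)."""
    rows = build_lattice(a0, m, t)
    dim = len(rows)
    b = lll(rows)[0]
    # Lemma 2 needs ||g(xX)|| < p^m / sqrt(dim).  Since p^m >= N^(m/2), it suffices
    # that ||b||^2 * dim < N^m, which can be tested without knowing p.
    lemma2_ok = sum(c * c for c in b) * dim < N ** m
    assert all(c % X ** k == 0 for k, c in enumerate(b))
    g = [c // X ** k for k, c in enumerate(b)]   # undo the x -> xX scaling
    for y in range(-X, X + 1):                   # g(y) = 0 now holds over the integers
        if poly_eval(g, y) == 0 and 1 < gcd(a0 + y, N) < N:
            return y, lemma2_ok
    return None, lemma2_ok


if __name__ == "__main__":
    y, ok = recover_root(P_TILDE)
    print("y =", y, "| Lemma 2 holds:", ok, "| p =", gcd(P_TILDE + y, N))
```

With m = 2, t = 2 the lattice has dimension 5 and determinant \(N^3X^{10}\), so the LLL bound \(2^{(n-1)/4}\det(\mathcal{L})^{1/n}\) is well below \(p^2/\sqrt{5}\) for this instance; the integer root search is restricted to \(|y|\le X\) because that is exactly where Lemma 2 guarantees g(y) = 0.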
3.1 Our Main Result
Theorem 2
For every \(\epsilon >0\), let N be a sufficiently large composite integer (of unknown factorization) with a divisor \(p^u\) (\(p\ge N^{\beta }\), \(u\ge 1\)). Let \(f_1(x)\in \mathbb {Z}[x]\) be a univariate linear polynomial whose leading coefficient is coprime to N. Then one can find all the solutions y of the equation \(f_1(x)=0 \text { mod } p^v\) with \(v\ge 1\), \(\left| y \right| \le N^{\gamma }\) if \(\gamma < uv\beta ^{2}-\epsilon \). The time complexity is \(\mathcal {O}(\epsilon ^{-7}v^2\log ^2 N)\).
Proof
Let \(X:=N^{uv\beta ^2-\epsilon } (=N^\gamma )\) be the upper bound on the desired root y. We will show that this bound can be achieved for any chosen value of \(\epsilon \) by ensuring that \(m\ge m^{*}:=\lceil \frac{\beta (2u+v-uv\beta )}{\epsilon } \rceil -1\)
Extension to Arbitrary Degree. We can generalize the result of Theorem 2 to univariate polynomials with arbitrary degree.
Theorem 3
For every \(\epsilon >0\), let N be a sufficiently large composite integer (of unknown factorization) with a divisor \(p^u\) (\(p\ge N^{\beta }\), \(u\ge 1\)). Let \(f_1(x)\in \mathbb {Z}[x]\) be a univariate polynomial of degree \(\delta \) whose leading coefficient is coprime to N. Then one can find all the solutions y of the equation \(f_1(x)=0 \ (\text { mod } \ p^v)\) with \(v\ge 1\), \(\left| y \right| \le N^{\gamma }\) if \(\gamma < \frac{uv\beta ^{2}}{\delta }-\epsilon \). The time complexity is \(\mathcal {O}(\epsilon ^{-7}\delta ^5 v^2\log ^2 N)\).
Specifically, the result in [23] can be viewed as a special case of our algorithm when \(u=v\).
Extension to More Variables. We also generalize the result of Theorem 2 from univariate linear equations to an arbitrary number n of variables \(x_1,\ldots ,x_n\) \((n\ge 2)\).
Proposition 1
Proof
3.2 Analysis of Multi-power RSA
We apply our algorithm to analyze an RSA variant, namely multi-power RSA, with moduli \(N=p^r q\) (\(r\ge 2\)). Compared to standard RSA, multi-power RSA is more efficient in both key generation and decryption. Besides, moduli of this type have been applied in many cryptographic designs, e.g., the Okamoto-Uchiyama cryptosystem [27], better known through EPOC and ESIGN [8], which use the modulus \(N=p^2 q\).
Using our algorithm of Theorem 2, we give two attacks on multi-power RSA: a small secret exponent attack and factoring with known bits.
Small Secret Exponent Attack on Multi-power RSA. There are two variants of multi-power RSA. In the first variant \(ed\equiv 1 \text { mod } p^{r-1}(p-1)(q-1)\), while in the second variant \(ed \equiv 1 \text { mod } (p-1)(q-1)\). In [16], the authors proved that the second variant is vulnerable when \(d< N^{\frac{2-\sqrt{2}}{r+1}}\).
In this section, we focus on the first variant. In Crypto’99, Takagi [35] proved that when the decryption exponent \(d<N^{\frac{1}{2(r+1)}}\), one can factorize N in polynomial time. Later, in PKC’04, May [22] improved Takagi’s bound to \(N^{\max \{\frac{r}{(r+1)^2}, \frac{(r-1)^2}{(r+1)^2}\}}\). Based on the technique of Theorem 2, we can further improve May’s bound to \(N^{\frac{r(r-1)}{(r+1)^2}}\).
Theorem 4
Proof
Recently, Sarkar [30, 31] improved May’s bound for the modulus \(N=p^rq\); however, unlike our method, his method cannot be applied to public key exponents e of arbitrary size. In addition, we get better experimental results for the case \(r>2\) (see Sect. 3.2).
Figure: Comparison of May’s bound, Sarkar’s bound and ours on \(\delta \).
Partial Key-Exposure Attacks on Multi-power RSA. Similar to the results of [22], the new attack of Theorem 4 immediately implies partial key exposure attacks for d with known MSBs/LSBs. In the following we extend the approach of Theorem 4 to partial key exposure attacks.
Theorem 5
(MSBs). Let \(N=p^rq\), where \(r\ge 2\) is a known integer and p, q are primes of the same bit-size. Let e be the public key exponent and d be the private key exponent, satisfying \(ed=1 \text { mod } \phi (N)\). For every \(\epsilon >0\), given \(\tilde{d}\) such that \(|d-\tilde{d}|< N^{\frac{r(r-1)}{(r+1)^2}-\epsilon }\), N can be factored in polynomial time.
Proof
Theorem 6
(LSBs). Let \(N=p^rq\), where \(r\ge 2\) is a known integer and p, q are primes of the same bit-size. Let e be the public key exponent and d be the private key exponent, satisfying \(ed=1 \text { mod } \phi (N)\). For every \(\epsilon >0\), given \(d_{0},M\) with \(d=d_0 \text { mod } M\) and \( M> N^{\frac{3r+1}{(r+1)^2}+\epsilon }\), N can be factored in polynomial time.
Proof
Table 2. Experimental results of the attack from Theorem 4

| N (bits) | r | e (bits) | \(d_{pred}\) (bits) | (m, t) | dim(\(\mathcal {L}\)) | \(d_{exp}\) (bits) | \(\delta \) | Time (sec) |
|---|---|---|---|---|---|---|---|---|
| 1536 | 2 | 1536 | 341 | (30, 20) | 31 | 318 | 0.207 | 3155.687 |
| 2048 | 3 | 2048 | 768 | (20, 15) | 21 | 706 | 0.345 | 749.167 |
| 2048 | 3 | 4096 | 768 | (20, 15) | 21 | 706 | 0.345 | 745.170 |
| 2048 | 3 | 2048 | 768 | (40, 30) | 41 | 735 | 0.359 | 37800.462 |
| 2560 | 4 | 2560 | 1228 | (20, 16) | 21 | 1136 | 0.444 | 1245.754 |
| 2560 | 4 | 2560 | 1228 | (30, 24) | 31 | 1167 | 0.456 | 12266.749 |
In [31], for 1024-bit \(N=p^3q\), Sarkar considered \(\delta =0.27\) using a lattice of dimension 220, while we achieve \(\delta =0.359\) using a lattice of dimension 41. Besides, Sarkar also stated that “for \(r=4,5\), lattice dimension in our approach becomes very large to achieve better results. Hence in these cases we can not present experiment results to show the improvements over existing results.” In Table 2, we can see that our experimental results are better than Sarkar’s for \(r > 2\).
Note that we obtain the same asymptotic bound and running time complexity as the BDH method. But, as opposed to the BDH method, our algorithm is more flexible in choosing the lattice dimension. For example, in the case \(r=10\), the BDH method only works with lattice dimensions of the form \(11m \ (m\in \mathbb {Z}^{+})\), while our method can work with any lattice dimension \(m \ (m\in \mathbb {Z}^{+})\). Figure 2 shows a comparison of the two methods in terms of the size of \(\tilde{p} \ (\tilde{p}=N^{\gamma })\) that can be achieved. We can see that to achieve the same \(\gamma \), we require smaller lattice dimensions than the BDH method. Our algorithm is especially useful for large r. In fact, our lattice is the same as the lattice of the BDH method when the lattice dimension is of the form \(11m \ (m\in \mathbb {Z}^{+})\).
Comparison of our experimental results with the BDH method.

| r | Theo. | Expt. | BDH method: Dim | BDH method: Time (in seconds) | Our method: Dim | Our method: Time (in seconds) |
|---|---|---|---|---|---|---|
| 5 | 84 | 164 | 30 | 112.914 | 26 | 29.281 |
| 5 | 84 | 134 | 48 | 2874.849 | 46 | 1343.683 |
| 10 | 46 | 186 | 44 | 670.695 | 34 | 259.298 |
| 10 | 46 | 166 | 44 | 1214.281 | 41 | 917.801 |
4 The Second Type of Equations
In this section, we study the problem of finding small roots of homogeneous linear polynomials \(f_2(x_1,x_2)=a_1 x_1 +a_2 x_2 \text { mod } p^v\) (\(v\ge 1\)) for some unknown p where \(p^u\) divides a known modulus N (i.e. \(N\equiv 0 \text { mod } p^u\), \(u\ge 1\)). Let \((y_1,y_2)\) be a small solution of \(f_2(x_1,x_2)\). We assume that we also know an upper bound \((X_1,X_2)\in \mathbb {Z}^{2}\) for the root such that \(|y_1|\le X_1,|y_2|\le X_2\).
4.1 Our Main Result
Theorem 7
For every \(\epsilon >0\), let N be a sufficiently large composite integer (of unknown factorization) with a divisor \(p^u\) (\(p\ge N^{\beta }\), \(u\ge 1\)). Let \(f_2(x_{1},x_{2})\in \mathbb {Z}[x_1,x_2]\) be a homogeneous linear polynomial in two variables whose coefficients are coprime to N. Then one can find all the solutions \((y_{1},y_{2})\) of the equation \(f_2(x_{1},x_{2})=0 \ (\text { mod } \ p^v)\) (\(v\ge 1\)) with \(\gcd (y_1,y_2)=1\), \( \left| y_{1} \right| \le N^{\gamma _{1}}, \left| y_{2} \right| \le N^{\gamma _{2}}\) if \(\gamma _{1}+\gamma _{2} < uv\beta ^{2}-\epsilon \), and the time complexity of our algorithm is \(\mathcal {O}(\epsilon ^{-7}v^2\log ^2 N)\).
Proof
Let \(X_{1},X_{2} (X_1=N^{\gamma _1}, X_2=N^{\gamma _2})\) be upper bounds on the desired root \((y_1,y_2)\), and define \(X_1X_2:=N^{uv\beta ^2-\epsilon }\). We build a lattice \(\mathcal {L}\) of dimension \(d=m+1\) using the coefficient vectors of \(g_{k}(x_1 X_1,x_2 X_2)\) as basis vectors. We sort the polynomials in the following order: if \(k<l\), then \(g_k < g_l\).
The vector output by the LLL algorithm gives a polynomial \(f^{'}(x_1,x_2)\) such that \(f^{'}(y_1,y_2)=0\). Let \(z=x_1 / x_2\); any rational root of the form \(y_1/y_2\) can be found by extracting the rational roots of \(f^{'}(z)=1/x_2^m f^{'}(x_1,x_2)\) with classical methods. \(\square \)
Comparisons with Previous Methods. For \(u=1, v=1\), the upper bound on \(\gamma _1 +\gamma _2\) in Theorem 7 is \(\beta ^2\), which is exactly May’s result [21] on the univariate linear polynomial \(f(x)=x+a\). Actually the problem of finding a small root of a homogeneous polynomial \(f(x_1,x_2)\) can be transformed into finding small rational roots of a univariate linear polynomial F(z), i.e. \(F(\frac{x_2}{x_1})=f(x_1,x_2)/x_1\) (a discussion of small rational roots can be found on p. 413 of Joux’s book [18]).
Our result improves Herrmann-May’s bound \(3\beta -2 +2(1-\beta )^{\frac{3}{2}}\) up to \(\beta ^2\) if \(a_0=0\). As a concrete example, for the case \(\beta =0.5\), our method improves the upper size of \(X_1 X_2\) from \(N^{0.207}\) to \(N^{0.25}\).
Extension to More Variables. We generalize the result of Theorem 7 to an arbitrary number n of variables \(x_1,\ldots ,x_n\). The proof of the following result is similar to that of Proposition 1, so we state only the result itself.
Proposition 2
4.2 Applications
In Africacrypt’12, Nitaj [26] presented a new attack on RSA. His attack is based on Herrmann-May’s method [12] for finding small roots of a bivariate linear equation. In particular, he showed that the public modulus N can be factored in polynomial time for the RSA cryptosystem whenever the public exponent e satisfies an equation \(ex+y \equiv 0\ (\text { mod } \ p)\) with parameters x and y satisfying \(ex + y \not \equiv 0 \ (\text { mod } \ N)\), \(x<N^{\gamma }\) and \(y<N^{\delta }\) with \(\delta +\gamma \le \frac{\sqrt{2}-1}{2}\).
Note that the equation of [26] is homogeneous, so we can improve the upper bound on \(\gamma +\delta \) using our result in Theorem 7. In [29], Sarkar proposed another method to extend Nitaj’s weak encryption exponents. There, the trick is to exploit the fact that Nitaj’s bound can be improved when the unknown variables in the modular equation are unbalanced (x and y are of different bit-size). In general, Sarkar’s method is essentially Herrmann-May’s method, whereas our algorithm is simpler (see Theorem 7). We present our result below.
Theorem 8
Let \(N = pq\) be an RSA modulus with \(q < p <2q\). Let e be a public exponent satisfying an equation \(ex+y\equiv 0 \text { mod } p\) with \(x<N^{\gamma }\) and \(y<N^{\delta }\). If \(ex + y \not \equiv 0 \text { mod } N\) and \(\gamma +\delta \le 0.25-\epsilon \), N can be factored in polynomial time.
In [26], Nitaj also proposed a new attack on CRT-RSA. Let \(N = pq\) be an RSA modulus with \(q < p <2q\). Nitaj showed that if \(e < N^{\frac{\sqrt{2}}{2}}\) and \(ed_p=1+k_p(p-1)\) for some \(d_p\) with \(d_p < \frac{N^{\frac{\sqrt{2}}{4}}}{\sqrt{e}}\), N can be factored in polynomial time. His method is also based on Herrmann-May’s method. Similarly, we can improve Nitaj’s result in some cases using the idea of Theorem 7.
Theorem 9
Proof
Table 4. Experimental results for weak encryption exponents

| N (bits) | r | \(d_p\)-pred (bits) | (m, t) | dim(\(\mathcal {L}\)) | \(d_p\)-exp (bits) | Time (sec) |
|---|---|---|---|---|---|---|
| 1024 | 1 | 128 | (6, 3) | 7 | 110 | 0.125 |
| 1024 | 1 | 128 | (10, 5) | 11 | 115 | 1.576 |
| 1024 | 1 | 128 | (30, 15) | 31 | 124 | 563.632 |
Experimental Results. Table 4 shows the experimental results for an RSA modulus N with 512-bit primes p, q. In all of our experiments, we fix the length of e to 512 bits, so the scheme does not have a small CRT exponent modulo q. We also compute the number of bits of \(d_p\) that one should theoretically be able to attack (column \(d_p\)-pred of Table 4).
This is exactly the attack described in Theorem 9. In [26], the author showed that for a 1024-bit modulus N, the vulnerable CRT-exponent \(d_p\) is typically of size at most 110 bits. We obtain better results in our experiments, as shown in Table 4.
5 The Third Type of Equations
In this section, we give our main algorithm for finding small roots of extended simultaneous modular univariate linear equations. First, we introduce this kind of equation.
5.1 Our Main Result
Our main result is as follows:
Theorem 10
Proof
Like [4, 36], we also consider the generalization to simultaneous linear equations of higher degree.
Theorem 11
5.2 Common Prime RSA
For a better comparison with the previous attacks, we give a brief review on all known attacks.
Wiener’s Attack [38]. Using a continued fraction attack, Wiener proved that given any valid Common Prime RSA public key (N, e) with private exponent \(d<N^{\frac{1}{4}-\frac{\gamma }{2}}\), namely \(\beta <\frac{1}{4}-\frac{\gamma }{2}\), one can factor N in polynomial time.
Hinek’s Attack [13]. Hinek revisited this problem and proposed two lattice-based attacks. By Hinek’s work, when \(\beta <\gamma ^2\) or \(\beta <\frac{2}{5}-\gamma \), N can be factored in polynomial time.
One can check that when \(\gamma \ge 0.2087\), Jochemsz-May’s attack [17] is superior to the other attacks. We use the algorithm of Theorem 10 to improve on previous attacks when \(\gamma \ge 0.3872\). We give a comparison with Jochemsz-May’s attack in Fig. 3.
Theorem 12
Proof
Comparison of our theoretical and experimental results with existing works.

| \(\gamma \) | Theorem of [17] | Our result: Theo. | Our result: Expt. | Dim | Time (in seconds) |
|---|---|---|---|---|---|
| 0.40 | 0.237 | 0.256 | 0.220 | 86 | 12321.521 |
| 0.42 | 0.245 | 0.294 | 0.260 | 113 | 53669.866 |
| 0.45 | 0.256 | 0.354 | 0.320 | 105 | 29128.554 |
| 0.48 | 0.268 | 0.415 | 0.390 | 98 | 15058.558 |
6 Conclusion
In this paper, we consider three types of generalized equations and propose some new techniques to find small roots of these equations. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants. Besides, we believe that our new algorithms may find new applications in various other contexts.
Footnotes
 1.
This estimate is rough; it can be made more precise for specific parameters u, v. For example, for \(v=1\), we get \(\sum _{k=0}^{t-1}c_k \le \frac{t}{2}+1\).
 2.
Since this univariate equation is very special, namely \(f(x)=(x+a)^r\), we can in fact remove the factor \(r^5\) from the time complexity of Theorem 1.
Acknowledgments
We would like to thank the anonymous reviewers for helpful comments. This research was supported by CREST, JST. Part of this work was also supported by Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06010703, No. XDA06010701 and No. XDA06010702), the National Key Basic Research Project of China (No. 2011CB302400 and No. 2013CB834203), and National Science Foundation of China (No. 61379139 and No. 61472417).
References
1. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theor. 46(4), 1339–1349 (2000)
2. Boneh, D., Durfee, G., Howgrave-Graham, N.: Factoring \(N=p^{r}q\) for large \(r\). In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 326. Springer, Heidelberg (1999)
3. Castagnos, G., Joux, A., Laguillaumie, F., Nguyen, P.Q.: Factoring \(pq^{2}\) with quadratic forms: nice cryptanalyses. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 469–486. Springer, Heidelberg (2009)
4. Cohn, H., Heninger, N.: Approximate common divisors via lattices. ANTS-X (2012)
5. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Crypt. 10(4), 233–260 (1997)
6. Coron, J.S., Joux, A., Kizhvatov, I., Naccache, D., Paillier, P.: Fault attacks on RSA signatures with partially unknown messages. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 444–456. Springer, Heidelberg (2009)
7. Coron, J.S., Naccache, D., Tibouchi, M.: Fault attacks against EMV signatures. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 208–220. Springer, Heidelberg (2010)
8. The EPOC and the ESIGN Algorithms. IEEE P1363: Protocols from Other Families of Public-Key Algorithms (1998). http://grouper.ieee.org/groups/1363/StudyGroup/NewFam.html
9. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
10. Fouque, P.A., Guillermin, N., Leresteux, D., Tibouchi, M., Zapalowicz, J.C.: Attacking RSA-CRT signatures with faults on Montgomery multiplication. J. Cryptogr. Eng. 3(1), 59–72 (2013). Springer
11. Herrmann, M.: Improved cryptanalysis of the multi-prime \(\phi \)-hiding assumption. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 92–99. Springer, Heidelberg (2011)
12. Herrmann, M., May, A.: Solving linear equations modulo divisors: on factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)
13. Hinek, M.J.: Another look at small RSA exponents. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 82–98. Springer, Heidelberg (2006)
14. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
15. Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001)
16. Itoh, K., Kunihiro, N., Kurosawa, K.: Small secret key attack on a variant of RSA (due to Takagi). In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 387–406. Springer, Heidelberg (2008)
17. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
18. Joux, A.: Algorithmic Cryptanalysis. Chapman & Hall/CRC, Boca Raton (2009)
19. Tosu, K., Kunihiro, N.: Optimal bounds for multi-prime \(\Phi \)-hiding assumption. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 1–14. Springer, Heidelberg (2012)
20. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
21. May, A.: New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis (2003)
22. May, A.: Secret exponent attacks on RSA-type schemes with moduli \(N={p^{r}q}\). In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 218–230. Springer, Heidelberg (2004)
23. May, A.: Using LLL-reduction for solving RSA and factorization problems. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm, pp. 315–348. Springer, Heidelberg (2010)
24. May, A., Ritzenhofen, M.: Implicit factoring: on polynomial time factoring given only an implicit hint. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 1–14. Springer, Heidelberg (2009)
25. Nguyen, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)
26. Nitaj, A.: A new attack on RSA and CRT-RSA. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 221–233. Springer, Heidelberg (2012)
27. Okamoto, T., Uchiyama, S.: A new public-key cryptosystem as secure as factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer, Heidelberg (1998)
28. Rivest, R.L., Shamir, A.: Efficient factoring based on partial information. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 31–34. Springer, Heidelberg (1986)
29. Sarkar, S.: Reduction in lossiness of RSA trapdoor permutation. In: Bogdanov, A., Sanadhya, S. (eds.) SPACE 2012. LNCS, vol. 7644, pp. 144–152. Springer, Heidelberg (2012)
30. Sarkar, S.: Revisiting prime power RSA. Cryptology ePrint Archive, Report 2015/774 (2015). http://eprint.iacr.org/
31. Sarkar, S.: Small secret exponent attack on RSA variant with modulus \(N=p^{r}q\). Des. Codes Cryptogr. 73, 383–392 (2014)
32. Sarkar, S., Maitra, S.: Approximate integer common divisor problem relates to implicit factorization. IEEE Trans. Inf. Theor. 57(6), 4002–4013 (2011)
33. Sarkar, S., Maitra, S.: Cryptanalytic results on Dual CRT and Common Prime RSA. Des. Codes Cryptogr. 66(1–3), 157–174 (2013)
34. Shamir, A.: A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In: FOCS 1982, pp. 145–152. IEEE (1982)
35. Takagi, T.: Fast RSA-type cryptosystem modulo \(p^{k}q\). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 318–326. Springer, Heidelberg (1998)
36. Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 118–135. Springer, Heidelberg (2013)
37. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
38. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theor. 36(3), 553–558 (1990)