Next Article in Journal
Optimal View Estimation Algorithm and Evaluation with Deviation Angle Analysis
Previous Article in Journal
Integrating Feature Selection and Deep Learning: A Hybrid Approach for Smart Agriculture Applications
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Improved Cryptanalysis of Some RSA Variants

1
ACSA Laboratory, Department of Mathematics and Computer Science, Sciences Faculty, Mohammed First University, Oujda 60000, Morocco
2
The Nicolas Oresme Laboratory of Mathematics, University of Caen Normandy, 14000 Caen, France
*
Author to whom correspondence should be addressed.
Algorithms 2025, 18(4), 223; https://doi.org/10.3390/a18040223
Submission received: 27 February 2025 / Revised: 30 March 2025 / Accepted: 9 April 2025 / Published: 12 April 2025
(This article belongs to the Special Issue Algorithmic Innovations in Cryptanalysis of Public Key Cryptography)

Abstract

:
Several RSA variants enforce a constraint between their public and private keys through the relation e d 1 ( mod ( p 2 1 ) ( q 2 1 ) ) , where p and q are the prime factors of their RSA modulus N = p q . In this paper, we introduce a novel attack on RSA variant schemes where the public exponent satisfies an equation of the form e u z ( mod ( p 2 1 ) ( q 2 1 ) ) , with sufficiently small | z | , | u | , in a scenario where the attacker has access to an approximation of one of the prime factors. Our new attack utilizes Coppersmith’s method, combined with lattice basis reduction techniques, to efficiently recover the prime factors of the RSA modulus in these scenarios. This method offers a significant improvement over prior attacks on RSA variants with small private exponents or partial prime information.

Graphical Abstract

1. Introduction

Following the publication of the groundbreaking work of Diffie and Hellman [1], the first public-key scheme was introduced by Rivest, Shamir, and Adleman [2]. This system is known as RSA and remains widely used in practical applications. Its security is rooted in computationally hard problems, particularly the integer factorization problem. The cryptosystem involves generating two large prime numbers p and q with equal bit lengths, and producing the RSA modulus N = p q . A public exponent is an integer e selected so that it is prime relative to φ ( N ) , where φ ( N ) = ( p 1 ) ( q 1 ) denotes the Euler totient function. The private exponent d is defined as the inverse of e modulo φ ( N ) , satisfying the key equation e d 1 ( mod φ ( N ) ) . The public key comprises ( N , e ) , while the private key consists of ( N , d ) . For a message m such that m < N , encryption is achieved using c m e ( mod N ) . Decryption then recovers m via m c d ( mod N ) .
Encryption and decryption processes can be computationally expensive with large numbers, and using small exponents can improve the efficiency of RSA. However, in 1990, Wiener [3] established that RSA is susceptible to attacks when d < 1 3 N 1 / 4 . Later, Boneh and Durfee [4] refined this limit up to N 0.292 . These findings have spurred ongoing efforts to enhance the efficiency and security of RSA, leading to the development of various alternative variants. Noteworthy examples include CRT-RSA [5] and Multi-Prime RSA [6]. Additionally, other modifications and variants of the RSA scheme have emerged, wherein the Euler totient function φ ( N ) = ( p 1 ) ( q 1 ) is substituted with different formulations.
In 1995, Kuwakado et al. [7] proposed a variant of the RSA cryptosystem that utilizes singular cubic curves, specifically curves with the equation y 2 x 3 + b x 2 ( mod N ) , where N = p q is the RSA modulus, and b is an integer in Z N . In this scheme, the public exponent e is chosen such that gcd ( e , ψ ( N ) ) = 1 , where ψ ( N ) = ( p 2 1 ) ( q 2 1 ) . The private exponent d is determined by the congruence d 1 e ( mod ( p 2 1 ) ( q 2 1 ) ) .
In 2002, Elkamchouchi et al. [8] introduced an RSA variant using the arithmetic of the ring of Gaussian integers Z [ i ] . This cryptosystem employs moduli of the form N = P Q , with Gaussian prime numbers P and Q . The central key equation governing the encryption and decryption process is given by e d 1 ( mod ( | P | 2 1 ) ( | P | 2 1 ) ) . Notably, when | P | = p and | P | = q are both prime integers, this relation reduces to e d 1 ( mod ( p 2 1 ) ( q 2 1 ) ) .
In 2003, Said and Loxton [9] presented a modified version of the LUC cryptosystem [10]. In this scheme, the modulus is N = p q , where p and q are prime numbers, and the public exponent e and the private exponent d are constrained by the equation e d 1 ( mod ψ ( N ) ) , where ψ ( N ) = ( p 2 1 ) ( q 2 1 ) represents a generalized Euler totient function.
The RSA cryptosystem and its variants are used in several real-world applications, to secure email communications, e-commerce, digital signatures and verifications, VPNs and network security, and digital certificates such as TLS [11]. As a consequence, any attack on RSA and its variants is closely scrutinized by security specialists and cryptography system designers.
Besides Wiener’s attack [3] and its refinement by Boneh and Durfee [4], a range of other attacks have been developed for the various RSA variants.
In [12], Peng et al. examined the equation e d k ( p 2 1 ) ( q 2 1 ) = 1 , where e = N α and d = N δ , using Coppersmith’s method. Their findings improved upon previous attacks and demonstrated that if δ < 2 α , the factorization of the modulus N can be achieved in polynomial time.
In 2024, Feng et al. [13] proposed a novel partial prime exposure attack on RSA variants defined by the key equation e d k ( p 2 1 ) ( q 2 1 ) = 1 . They demonstrated that if N = p q is an RSA modulus, where p ˜ is an approximation of p with | p p ˜ | = N σ , and if e = N α and d < N δ , then the factorization of N can be efficiently determined under the following conditions:
δ < 2 2 α σ , if 2 σ < α < 9 2 σ , 2 1 3 α 3 2 σ , if 9 2 σ α < 6 9 2 σ .

1.1. Our Contribution

In the attack proposed by Feng et al. [13], the key strategy for breaking the schemes with the equation
e d 1 ( mod ( p 2 1 ) ( q 2 1 ) ) ,
involves transforming the key equation into a modular polynomial equation of the form
x 1 ( x 2 2 + a x 2 + b ) 1 ( mod e ) .
By solving this equation, the extracted solution satisfies
( x 1 , x 2 ) = ( k , p + q p ˜ q ˜ ) ,
where p ˜ and q ˜ are approximations of the primes p and q, respectively. This enabled them to break the schemes in some scenarios.
In this paper, we extend the work of Feng et al. [13] by transforming the extended key equation
e u z ( mod ( p 2 1 ) ( q 2 1 ) ) ,
into the generalized modular equation
x 1 ( x 2 2 + a x 2 + b ) x 3 ( mod e ) .
We demonstrate how the solution of this modular equation can be applied to attack the RSA variants characterized by the key equation e d 1 ( mod ( p 2 1 ) ( q 2 1 ) ) , whenever two parameters u and z exist such that e u z ( mod ( p 2 1 ) ( q 2 1 ) ) , and are sufficiently small, in addition to a known approximation of one of the RSA prime factors.
Notice that the equation e u z ( mod ( p 2 1 ) ( q 2 1 ) ) is a generalization of the standard key equation e d 1 ( mod ( p 2 1 ) ( q 2 1 ) ) , and the private exponent d and u are related by the formula
u d z ( mod ( p 2 1 ) ( q 2 1 ) ) .
As a byproduct, we design a polynomial-time algorithm for attacking the mentioned schemes for a significantly broader range of public exponents compared to existing methods.

1.2. The Structure of the Paper

The remainder of this paper is organized in five sections. Section 2 presents some necessary preliminaries. Section 3 introduces our novel attack. Section 4 offers a comparison between our attack and existing ones. Section 5 presents two detailed numerical experiments that demonstrate the effectiveness of our proposed attack. Finally, Section 6 concludes the paper.

2. Preliminaries

In this section, we present fundamental results and important concepts that are pertinent to our main result.

2.1. Useful Lemmas

Given a positive integer of the form N = p q with q < p < 2 q , the following result provides the limiting values for p and q in relation to N, as well as the prime sum p + q (see [14]).
Lemma 1. 
Let p and q be prime numbers satisfying N = p q and q < p < 2 q . Then, one finds that
2 2 N 1 2 < q < N 1 2 < p < 2 N 1 2 , p + q < 3 N 1 2 .
The subsequent result shows that, given an approximation of p for a modulus N = p q , one can also approximate both q and p + q (see [13]).
Lemma 2. 
Let N = p q be the product of two prime numbers p and q with q < p < 2 q . Assume that p ˜ is a known approximation of p with | p p ˜ | N σ . Then, q ˜ = N p ˜ approximates q, and
| q q ˜ | < N σ , | p + q ( p ˜ + q ˜ ) | < 2 N σ .

2.2. Schemes with the Key Equation e d k ( p 2 1 ) ( q 2 1 ) = 1

In 1995, Kuwakado et al. [7] introduced a cryptographic scheme utilizing a specific elliptic curve, defined by the equation
y 2 x 3 + b x 2 ( mod N ) ,
where N = p q represents an RSA modulus. In this scheme, the public key is represented by the pair ( N , e ) , with e chosen to satisfy
gcd e , ( p 2 1 ) ( q 2 1 ) = 1 .
The private key is ( N , d ) , where d is determined such that
d 1 e ( mod ( p 2 1 ) ( q 2 1 ) ) .
The encryption of the message ( m x , m y ) is performed by computing
b m y 2 m x 3 m x 2 ( mod N ) ,
after which the ciphertext ( c x , c y ) is obtained by applying the encryption operation e to ( m x , m y ) on the elliptic curve.
Decryption is carried out by first computing
b c y 2 c x 3 c x 2 ( mod N ) ,
and then applying the decryption operation d to ( c x , c y ) on the curve to recover the original plaintext ( m x , m y ) .
In 2002, Elkamchouchi et al. [8] proposed a cryptosystem in which arithmetic operations are carried out over Z [ i ] , the ring of Gaussian integers, rather than the standard integers. In this scheme, the modulus is a standard N = p q , and the public and private exponents are related by e d 1 ( mod ( p 2 1 ) ( q 2 1 ) ) . For encryption, the plaintext m Z [ i ] is transformed into the ciphertext c m e ( mod N ) , and the decryption is performed using m c d ( mod N ) .
In [9,15], alternative RSA variants were introduced, where the modulus is expressed as N = p q , and the exponents e and d are interlinked by the key equation
e d 1 ( mod ( p 2 1 ) ( q 2 1 ) ) .

2.3. Lattice Reduction and Coppersmith’s Technique

Lattices are fundamental mathematical structures that play a crucial role in various branches of mathematics. They can be understood as discrete subgroups of finite-dimensional vector spaces. Formally, a Euclidean lattice is defined as follows:
Definition 1. 
Let u 1 , u 2 , , u ω R d be ω linearly independent vectors with ω d . The Euclidean lattice spanned by { u 1 , u 2 , , u ω } is the set
L = Z u 1 + Z u 2 + + Z u ω .
The collection { u 1 , u 2 , , u ω } is termed a basis for the lattice L , with ω and d corresponding to the rank and dimension of the lattice, respectively. When ω = d , the lattice L is said to have full rank.
A matrix representation of a lattice L can be described as follows: Let B R ω × d be the matrix whose rows correspond to the basis { u 1 , u 2 , , u ω } . Then, an element v belongs to L if, and only if, there exists x Z ω such that v = x B . The quantity defined by det ( L ) = det ( B t B ) is referred to as the determinant of the lattice, where B t denotes the transpose of the basis matrix B . For a lattice of full rank, the determinant simplifies to the form det ( L ) = | det ( B ) | .
It is a known fact that a lattice L of rank ω 2 has infinitely many bases, each consisting of ω vectors and having an identical determinant. Nevertheless, identifying a basis made up of short vectors is a computationally difficult task, particularly as the lattice dimensions grow.
In 1982, Lenstra, Lenstra, and Lovász [16] proposed the LLL algorithm, a polynomial-time method for computing a reduced basis with relatively short vectors. The following theorem, derived from [17], outlines the properties of a reduced basis generated by the LLL algorithm:
Theorem 1. 
For any lattice L R d defined by a basis { u 1 , u 2 , , u ω } . The LLL algorithm produces a reduced basis { v 1 , v 2 , , v ω } , such that
v 1 v 2 v j 2 ω ( ω 1 ) 4 ( ω + 1 j ) det ( L ) 1 ω + 1 j .
for every j = 1 , , ω .
Prior to 1996, polynomials of the form P ( z ) 0 ( mod M ) were typically solved when the modulus M had a known factorization, employing techniques like the Chinese Remainder Theorem and the properties of finite fields. In 1996, Coppersmith [18] presented an innovative approach for determining small roots of modular polynomial equations of the form
P ( z ) 0 ( mod M ) ,
even when the factorization of the modulus M was not available. This breakthrough was extended to multivariate polynomials, which are expressed as
P ( z 1 , z 2 , , z n ) = i 1 , i 2 , , i n ρ i 1 , i 2 , , i n z 1 i 1 z 2 i 2 z n i n ,
where ρ i 1 , i 2 , , i n Z . The Euclidean norm related to this polynomial is expressed as
P ( z 1 , z 2 , , z n ) = i 1 , i 2 , , i n ρ i 1 , i 2 , , i n 2 .
In 1997, Howgrave-Graham [19] revisited Coppersmith’s technique and proposed a new technique for finding small roots. This advance provided a key result that became foundational in the field.
Theorem 2 
(Howgrave-Graham). Let P ( z 1 , z 2 , , z n ) be a multivariate polynomial in Z [ z 1 , z 2 , , z n ] with no more than ω monomials. Let e and μ be positive integers. Then, the following statements
1. 
P z 1 ( 0 ) , z 2 ( 0 ) , , z n ( 0 ) 0 ( mod e μ ) ,
2. 
P ( z 1 Z 1 , z 2 Z 2 , , z n Z n )   < e μ ω ,
3. 
For all i = 1 , , n , | z i ( 0 ) |   < Z i ,
imply that P z 1 ( 0 ) , z 2 ( 0 ) , , z n ( 0 ) = 0 .
In systems involving more than two variables, extensions of Coppersmith’s method typically depend on heuristic approaches. For the purposes of this study, we make the following assumption [4,12,20,21]:
Assumption 1. 
The polynomials r 1 , r 2 , , r ω generated by the LLL algorithm are algebraically independent.
Based on this assumption, the unique solution z 1 ( 0 ) , z 2 ( 0 ) , , z n ( 0 ) to the system of polynomial equations r i ( z 1 , z 2 , , z n ) = 0 for i n , can be computed using methods such as the Gröbner basis or resultant computations.

3. Main Results

In this section, we introduce an efficient technique for breaking RSA variants characterized by the generalized key equation
e u z ( mod ( ( p 2 1 ) ( q 2 1 ) ) .

The New Attack

Theorem 3. 
Let ( N , e ) denote an RSA public key where N = p q , q < p < 2 q , and e = N α . Suppose that there are two parameters, | u | N δ and | z | N γ , such that e u z ( mod ψ ( N ) ) , with ψ ( N ) = ( p 2 1 ) ( q 2 1 ) . Assume also that p is approximated by p ˜ with an error bound of | p p ˜ |   N σ , where 0 σ 1 2 . If
2 σ < α < 2 σ a n d δ + γ 2 < 2 2 σ α ,
then the factorization of N can be performed in polynomial time.
Proof. 
Let p ˜ be a close approximation of p such that | p p ˜ |   N σ . By Lemma 2, the value q ˜ = N / p ˜ serves as an approximation for q, satisfying the bounds
| q q ˜ |   < N σ , | p + q p ˜ q ˜ | < 2 N σ .
Let x be an integer satisfying e u x ψ ( N ) = z . This can be rewritten as
x ψ ( N ) z ( mod e ) .
Write ψ ( N ) = y 2 + a y + b , for
a = 2 ( p ˜ + q ˜ ) , b = ( p ˜ + q ˜ ) 2 ( N + 1 ) 2 , y = p + q p ˜ q ˜ .
As a consequence, the triplet
x 1 ( 0 ) , x 2 ( 0 ) , x 3 ( 0 ) = ( x , y , z ) ,
is a solution of the equation
x 1 ( x 2 2 + a x 2 + b ) x 3 ( mod e ) .
To compute the root x 1 ( 0 ) , x 2 ( 0 ) , x 3 ( 0 ) , we employ an extended version of Coppersmith’s method. This involves analyzing the polynomial equation
f ( x 1 , x 2 , x 3 ) 0 ( mod e ) ,
where
f ( x 1 , x 2 , x 3 ) = x 1 ( x 2 2 + a x 2 + b ) x 3 .
Let x 4 = x 1 x 2 2 x 3 . Then, f ( x 1 , x 2 , x 3 ) = g ( x 1 , x 2 , x 4 ) , where
g ( x 1 , x 2 , x 4 ) = x 1 ( a x 2 + b ) + x 4 .
Building on Coppersmith’s method, we introduce an additional parameter ζ > 0 , which will be optimized, along with two integers μ and w, where 0 w μ . We then define the following list of polynomials:
G w , a , b ( x 1 , x 2 , x 3 , x 4 ) = x 1 a x 2 b x 3 μ a w g ( x 1 , x 2 , x 4 ) w e μ w , ( w , a , b ) C D ,
where
C = ( w , a , b ) | b = 0 , 1 , w = 0 , , μ , a = 1 , , μ w , D = ( w , a , b ) | b = 0 , , ζ , w = μ ζ b , , μ , a = 0 ,
and, in the computations, the term x 1 x 2 2 is replaced by x 4 + x 3 .
Given that x 1 ( 0 ) , x 2 ( 0 ) , x 3 ( 0 ) is a root of the equation
f ( x 1 , x 2 , x 3 ) 0 ( mod e ) .
Then, by defining x 4 ( 0 ) = x 1 ( 0 ) x 2 ( 0 ) 2 x 3 ( 0 ) , the triplet x 1 ( 0 ) , x 2 ( 0 ) , x 4 ( 0 ) satisfies the equation g ( x 1 , x 2 , x 4 ) 0 ( mod e ) . Furthermore, we observe that
G w , a , b x 1 ( 0 ) , x 2 ( 0 ) , x 3 ( 0 ) , x 4 ( 0 ) 0 ( mod e μ ) ,
for all ( w , a , b ) C D .
In Coppersmith’s technique, it is important to establish the bounds X 1 , X 2 , X 3 , and X 4 such that
x 1 ( 0 ) X 1 , x 2 ( 0 ) X 2 , x 3 ( 0 ) X 3 , x 4 ( 0 ) X 4 .
Using ψ ( N ) > N 2 2 and assuming that | z | < e | u | , we obtain the following estimate:
x 1 ( 0 ) = e u z ψ ( N ) < 4 e | u | N 2 4 N α + δ 2 .
To obtain a bound for x 4 ( 0 ) = x 1 ( 0 ) x 2 ( 0 ) 2 x 3 ( 0 ) , we suppose
x 3 ( 0 ) < x 1 ( 0 ) x 2 ( 0 ) 2 ,
so that x 4 ( 0 ) < 2 x 1 ( 0 ) x 2 ( 0 ) 2 . In addition to x 2 ( 0 ) < 2 N σ , the corresponding bounds are given by
X 1 = 4 N α + δ 2 , X 2 = 2 N σ , X 3 = N γ , X 4 = 2 X 1 X 2 2 = 32 N α + δ 2 ( 1 σ ) .
Next, we construct the lattice L represented by the matrix whose rows consist of the coefficient vectors of the polynomials G w , a , b ( X 1 x 1 , X 2 x 2 , X 3 x 3 , X 4 x 4 ) . A lower triangular matrix can be formed by considering the following criteria: The rows of this matrix correspond to the polynomials G w , a , b ( X 1 x 1 , X 2 x 2 , X 3 x 3 , X 4 x 4 ) and are arranged lexicographically, assuring that
G w , a , b ( X 1 x 1 , X 2 x 2 , X 3 x 3 , X 4 x 4 ) G w , a , b ( X 1 x 1 , X 2 x 2 , X 3 x 3 , X 4 x 4 ) ,
if w < w , or if w = w and a < a , or if w = w , a = a , and b < b . Similarly, the columns are represented by the monomials x 1 a x 2 b x 3 μ a w x 4 w , and the lexicographical ordering is as follows:
x 4 w x 1 a x 2 b x 3 μ a w x 4 w x 1 a x 2 b x 3 μ a w ,
if w < w , or if w = w and a < a , or if w = w , a = a , and b < b .
A typical example of the lattice basis matrix for μ = ζ = 2 and
f ( x 1 , x 2 , x 3 ) = x 1 ( x 2 2 + a x 2 + b ) x 3 ,
using x 1 x 2 2 = x 3 + x 4 , is provided in Table 1. The symbol ★ marks the non-zero entries.
By construction, the lattice basis matrix is lower triangular, and each diagonal entry takes the form X 1 a X 2 b X 3 μ a w X 4 w e μ w for some combination ( w , a , b ) belonging to C D . This shows that the determinant of the lattice can be expressed as
det ( L ) = X 1 n X 1 X 2 n X 2 X 3 n X 3 X 4 n X 4 e n e ,
with n X 1 = E ( a ) , n X 2 = E ( b ) , n X 3 = E ( μ a w ) , n X 4 = E ( w ) , n e = E ( μ w ) , and
E ( c ) = b = 0 1 w = 0 μ a = 1 μ w c + b = 0 ζ w = μ ζ b μ a = 0 0 c .
In order to optimize ζ , we replace it with μ ζ , and to facilitate the computations, we adopt the approximation x x for a real number x. Consequently, the exponents n X 1 , n X 2 , n X 3 , n X 4 , n e , along with the lattice dimension ω = E ( 1 ) , are governed by the following relations:
n X 1 = 1 3 μ 3 + o ( μ 3 ) n X 2 = 1 6 ζ 2 μ 3 + o ( μ 3 ) n X 3 = 1 6 ( ζ + 2 ) μ 3 + o ( μ 3 ) n X 4 = 1 3 ( ζ + 1 ) μ 3 + o ( μ 3 ) n e = 1 6 ( ζ + 4 ) μ 3 + o ( μ 3 ) ω = 1 2 ( ζ + 2 ) μ 2 + o ( μ 2 ) .
The LLL algorithm is applied to reduce the matrix M, yielding a reduced matrix M that preserves the determinant. From this reduced matrix, we construct ω polynomials r i ( x 1 , x 2 , x 3 , x 4 ) , where i = 1 , , ω , each of which satisfies the congruence
r i x 1 ( 0 ) , x 2 ( 0 ) , x 3 ( 0 ) , x 4 ( 0 ) 0 ( mod e μ ) .
In order to find the solution, we establish a connection between Theorems 1 and 2, concentrating on the scenario where j = 4 . Thus, we set
2 ω ( ω 1 ) 4 ( ω 3 ) det ( L ) 1 ω 3 < e μ ω .
By combining with (2), this simplifies to
e n e μ ( ω 3 ) X 1 n X 1 X 2 n X 2 X 3 n X 3 X 4 n X 4 < 1 2 ω ( ω 1 ) 4 ω ω 2 < 1 .
By considering the dominant terms in (3) along with the bounds in (1), and neglecting smaller values, we obtain
σ ζ 2 + ( γ + 2 δ + 4 σ 4 ) ζ + 2 α + 2 γ + 4 δ + 4 σ 8 < 0 ,
in which the optimal value for ζ is
ζ 0 = 2 δ γ 2 2 σ σ .
To ensure that ζ 0 > 0 , the parameters must satisfy
δ + γ 2 < 2 2 σ .
Plugging ζ 0 in (5), we arrive at
4 δ 2 4 ( γ 4 ) δ γ 2 + 8 α σ + 8 γ 16 < 0 .
Solving the former inequation for δ , we obtain
δ < 2 2 σ α γ 2 .
Using the assumption α > 2 σ and (6), we obtain
δ + γ 2 < min 2 2 σ α , 2 2 σ = 2 2 σ α .
In addition, given that δ 0 and γ 0 , the inequality
2 2 σ α > 0 ,
is satisfied if α < 2 σ .
Afterward, we select four reduced and algebraically independent polynomials, denoted as r i ( x 1 , x 2 , x 3 , x 4 ) for 1 i 4 . By solving the system of equations r i ( x 1 , x 2 , x 3 , x 4 ) = 0 for i = 1 , 2 , 3 , 4 over the integers, using either the Gröbner basis approach or resultant techniques, we can extract
x 2 ( 0 ) = p + q p ˜ q ˜ .
Finally, solving the system N = p q and x 2 ( 0 ) + p ˜ + q ˜ = p + q , we can recover p and q. This concludes the proof. □
A consequence of Theorem 3 is the following result, which concerns the case where the modulus N = p q is the product of two primes, p and q, with a sufficiently small difference | p q | .
Corollary 1. 
Let ( N , e ) denote an RSA public key where N = p q , with q < p < 2 q , and e = N α . Assume the existence of two parameters, | u | N δ and | z | N γ , such that e u z ( mod ψ ( N ) ) , where ψ ( N ) = ( p 2 1 ) ( q 2 1 ) . Furthermore, suppose that the prime difference | p q | N σ is small, with 0 σ 1 2 . If
2 σ < α < 2 σ a n d δ + γ 2 < 2 2 σ α ,
then we can recover p and q in polynomial time.
Proof. 
Assume that p q < N σ . According to Lemma 1, we have q < N < p , which implies that
0 < p N < p q N σ .
This suggests that p ˜ = N is a close approximation of p, with | p p ˜ | < N σ . Applying Theorem 3, we can factor N = p q under the conditions
2 σ < α < 2 σ and δ + γ 2 < 2 2 σ α .
This completes the proof. □

4. Comparison with the Existing Attacks

In this section, we compare the bounds of our attack with those of previous approaches.

4.1. Comparison with Peng et al.’s Attack

In [12], Peng et al. proposed an attack against the RSA variants based on the key equation
e d k ( p 2 1 ) ( q 2 1 ) = 1 .
They demonstrated that the system is vulnerable when e = N α , d = N δ , and δ < 2 α . This represents the optimal bound for attacks targeting small private exponents in such schemes. This bound can be obtained by taking γ = 0 and σ = 1 2 . As a consequence, our attack can be seen as an extension of the attack of Peng et al.

4.2. Comparison with Feng et al.’s Attack

In [13], Feng et al. introduced an attack on cryptographic systems defined by the key equation e d k ( p 2 1 ) ( q 2 1 ) = 1 . They showed that for a modulus N = p q , where e = N α , d < N δ , and | p p ˜ | = N σ with p ˜ being an approximation of p, the scheme becomes susceptible to attack when δ < 2 2 α σ . This vulnerability threshold is derived by setting γ = 0 in Theorem 3, highlighting that the approach of Feng et al. is a particular case within the broader framework presented in our methodology.
Additionally, the number of exponents e of size N α that are prone to the attack of Feng et al. can be approximated by
# d d < N 2 2 σ α , gcd ( d , ψ ( N ) ) = 1 = O N 2 2 σ α ε ,
where ε is a small positive parameter representing the exponents that are not coprime with ψ ( N ) = ( p 2 1 ) ( q 2 1 ) .
Alternatively, the quantity of the weak exponents e of size N α associated with our attack can be expressed as
Q = # ( u , z ) | | u | N δ , | z | N γ , δ + 1 2 γ < 2 2 σ α , gcd ( u , ψ ( N ) ) = 1 .
Hence,
Q # ( u , z ) | | u | N δ , | z | N γ , | u | | z | < N 2 2 σ α , gcd ( u , ψ ( N ) ) = 1 .
By setting ρ = 2 2 σ α , and observing 1 | z | < N 2 ρ | u | 2 , where 1 | u | < N ρ , an upper bound for this quantity is determined by summing the possible values of | z | within the interval 1 , N 2 ρ | u | 2 for each u satisfying 1 | u | < N ρ . This results in
Q 4 u = 1 N ρ z = 1 N 2 ρ | u | 2 1 = 4 u = 1 N ρ N 2 ρ | u | 2 = 4 N 2 ρ u = 1 N ρ 1 | u | 2 2 π 2 3 N 2 ρ ,
where we utilized the established result k = 1 + 1 k 2 = π 2 6 . Thus,
Q = O N 2 2 2 σ α ε ,
where ε is a small positive constant representing the integers u that are not coprime with ψ ( N ) . This bound greatly exceeds the number of exponents e of size N α that are susceptible to the attack introduced by Feng et al. [13].

5. Experimental Results

In this section, we provide two small numerical examples to demonstrate that our new method successfully breaks the RSA variants where previous methods fail, and present a table to show that it also works for large examples of real-world size. The computations were carried out using SageMath 10.4 [22] on a PC running Ubuntu 22.04.3 LTS, equipped with an Intel(R) Core(TM) i5-4460 CPU @ 3.20GHz (4 cores) and 8.00 GB of RAM.

5.1. A Numerical Example with a Sufficiently Small Prime Gap

This numerical example illustrates how Theorem 3 can be leveraged to break the schemes when the difference between the RSA primes is sufficiently small.
Let us examine the following public parameters, with N being a 300-bit number and e being a 591-bit number
N = 154979168861015678139379817043779303050456195924935465847814228 2890859680277309141134732469 , e = 457288125509831890795785821136858794210767210242104567444220851 229578313165377666751566097358780811176150123829929919164675754 9806692842556025667935819822827034254195266303881105 .
This implies that e = N α , with α 1.9698 .
From Corollary 1, the quantity p ˜ = N provides an estimate for p, such that
p ˜ = 1244906297120452669049070335354223115387563820 .
The computation of p ˜ N subsequently results in
q ˜ = p ˜ N = 1244906297120452669049070335354223115387563821 .
The goal here is to solve the modular equation
x 1 ( x 2 2 + a x 2 + b ) x 3 ( mod e ) ,
where
a = 2 ( p ˜ + q ˜ ) , b = ( p ˜ + q ˜ ) 2 ( N + 1 ) 2 .
More specifically, we have
a = 4979625188481810676196281341416892461550255282 , b = 240185427808512116073417421646903712871170445256523888858285 019886634239027251972324059413204652277359229823499357615430045 0691818616461378580654179335980030497821387859658630076019 .
To implement the approach specified in Theorem 3, an attacker without knowledge of u, z, and, p can try different values for δ , γ , and σ . Assume that δ = 0.235 , γ = 0.294 , and σ = 0.484 such that | u | N δ , | z | N γ and | p p 1 | N σ . These values satisfy the necessary inequalities of Theorem 3, namely
2 σ 0.968 < α < 2 σ 4.132 ,
and
δ + γ 2 0.382 < 2 2 σ α 0.619 .
Next, we set the bounds
X 1 = 4 N α + δ 2 = 11831177466857048064 , X 2 = 2 N σ = 89768152296567761007830082898706151812104192 , X 3 = N γ = 328050238835591035454750720 , X 4 = 2 X 1 X 2 2 = 190678855617257854312232486748643825499976561448821233 845028452847741564061825373741977013396720419279470592 .
The lattice L is constructed by choosing μ = 5 and ζ = 4 and using the coefficient vectors of the polynomials G w , a , b ( X 1 x 1 , X 2 x 2 , X 3 x 3 , X 4 x 4 ) , where
G w , a , b ( x 1 , x 2 , x 3 , x 4 ) = x 1 a x 2 b x 3 μ a w g ( x 1 , x 2 , x 4 ) w e μ w , ( w , a , b ) C D ,
g ( x 1 , x 2 , x 4 ) = x 1 ( a x 2 + b ) + x 4 , and the substitution x 1 x 2 2 = x 3 + x 4 is also applied. The sets C and D are defined by
C = ( w , a , b ) | b = 0 , 1 , w = 0 , , μ , a = 1 , , μ w , D = ( w , a , b ) | b = 0 , , ζ , w = μ ζ b , , μ , a = 0 .
The lattice L has a dimension of ω = 50 . After applying the LLL reduction algorithm, an output of 50 polynomials is obtained. By leveraging the Gröbner basis method, four polynomials are extracted and solved over the integers, providing the desired solution
x 1 ( 0 ) = 2118139169990949806 , x 2 ( 0 ) = 390817915437012442315843242819187471908433 , x 3 ( 0 ) = 215787365557955890516827161 , x 4 ( 0 ) = 32352170256576205797755149595806747150304278873868333447245 5668311351552253549441721597993613823717973 .
Combining x 2 ( 0 ) + p ˜ + q ˜ = p + q with N = p q gives
p = 1267160034859286529528805631615411782484795507 , q = 1223043377297055821011650882335853635762240567 .
The LLL algorithm and Gröbner basis computations were completed in under 3.2 s. Notice that
e u z ( mod ( p 2 1 ) ( q 2 1 ) ) ,
where
u = 1112528697601846621961 .
The hypotheses x 3 ( 0 ) < x 1 ( 0 ) x 2 ( 0 ) 2 as well as | z | < e | u | are well satisfied as outlined in the proof of Theorem 3.
Next, one can compute the private exponent corresponding to e via
d 1 e ( mod ( p 2 1 ) ( q 2 1 ) ) .
Hence,
d = 605002709727751669617165546601883006212903964271667723683291 018629338222112941267558151236353614233660075317610862453388 60942430869431283894009332939209545056528528907125307870961 .
Observe that d = N δ 0 with δ 0 1.982 .
To experimentally validate the comparisons made in Section 4, we observed that | p p ˜ | N σ 0 , where σ 0 0.48062 .
Feng et al. [13] proposed an optimal bound for breaking RSA schemes, given by δ 0 < 2 2 σ 0 α , where d N δ 0 defines the threshold for partial prime exposure attacks. In the numerical example considered here, we calculate 2 2 σ 0 α 0.623 , which is smaller than δ 0 . This result demonstrates that Feng’s method is ineffective in compromising the system in this particular case.
In the same manner, the optimal bound for small private exponent attacks, as proposed by Peng et al. [12], is δ 0 < 2 α . In our case, we compute 2 α 0.596 , which is also smaller than δ 0 . This shows that their method is not sufficient to break the systems in this particular instance.

5.2. A Numerical Example Highlighting the Use of a Proper Approximation

In this numerical example, we illustrate the process of recovering RSA primes when an integer that is near one of the RSA primes is accessible.
Consider the following public parameters, where N is a 602-bit number and e is a 1203-bit number
N = 966492835405917565828743876772306537872563335866019903185649724 585072428210443099203551461953784012336521319066373953079442564 5096246950121860628973430859686177613488569115359388469 , e = 777696331000137048626324377418300225698121769798015281961785263 396314104341430708362418250852799801319640832347407155148403524 830446594816250177319485494227260306500966008079178804053714386 550565059933158714405685845984477756481877004637940295537785063 120660318119031261121321236386018313549302989253240895952509090 12701494724121570822144212683726079127519436075 .
As a result, we obtain e = N α , where α 1.9996 . Suppose that p ˜ serves as an approximation for p
p ˜ = 364610523335379592284389421573659615395758581802091912160143469 2397675330348189905978392575 .
In addition,
q ˜ = p ˜ N = 26507540884027330731045765925267078004728846420158921488 30934441516667046167116343321796511 .
Using the same approach as before, we set δ = 0.5 , γ = 0.48 , and σ = 0.35 , assuming that | u | N δ , | z | N γ , and | p p ˜ | N σ , also setting μ = 3 and ζ = 2 , for which the lattice has dimension 21. This yields
b = 934108400890970063113012658149447009177943086257627895908427 452430596466687391156490830430984129377337370262845368309072316 837147048999456798902983065075413979216608100055377703331416184 593193736239252540424061026130258781942275427721679167321317591 128546008317439625034646622430589530983004348180039059143417035 28114881439971427073016598854361702457857015425504 , a = 125937186435130579918969416165266079088609409200736225408647382 67828684753030612498600378172 .
and
X 1 = 4 N α + δ 2 = 10526045218379553266784328389710180922200405020583 344587683953736983232496439578853778653184 , X 2 = 2 N σ = 442435044439138152363855736582994067244877411503118598 5007255552 , X 3 = N γ = 746268905988929664887076686742541830260450951567549101 674427835233703688367285274148864 , X 4 = 2 X 1 X 2 2 = 41209207783538205815969522326106407631768819589618604 56896053520766911584121244573412698478084094774623230437845253 00839108720405531155708393071899115390281782418196043961370236 047805596490885666949991968070301302915072 .
By applying the Gröbner basis technique, we choose four of these polynomials and find their integer solution, resulting in
x 1 ( 0 ) = 927289119299658614013919916110587398358183024721353315997217625 364986735038070234 , x 2 ( 0 ) = 81742039631074545148932102760 , x 3 ( 0 ) = 155307939029434956997630259985238998486681453560506681476796626 0825646610673424375909 , x 4 ( 0 ) = 619592431297889806198462072567183158811595584795214277160999337 875469111193070308053807933256693043581463662201635520498003358 3325318142491 .
By combining x 2 ( 0 ) + p ˜ + q ˜ = p + q with N = p q , we obtain
p = 364610523335379592284389421573659615395758581802091912160143439 2965580440330615005275393973 , q = 265075408840273307310457659252670780047288464201589214883093465 9206722305110146095092692353 .
The LLL algorithm and Gröbner basis computations were executed in less than 1 seconds. It is noteworthy that
e u z ( mod ( p 2 1 ) ( q 2 1 ) ) ,
where
u = 111378763389388734375287265457126953482575338986119066859878424 0128288156171976879 .
The conditions x 3 ( 0 ) < x 1 ( 0 ) x 2 ( 0 ) 2 and | z | < e | u | are both fulfilled, as shown in the proof of Theorem 3.
The private exponent corresponding to e is
d = 564448283796874259566671584629302225976460091746908933141533 804413103523490851354858189883202173086020496673336692715487 554862018821458311786572683162197275601409613473916288085307 058668848088231546671437275383745312900782226914748122021439 579982887102015568949798945581022534542357068682965632698913 800869603835969819422745866337071597390377632698184191607171 .
Notice that d = N δ 0 with δ 0 1.988 .
To rigorously validate the comparisons presented in Section 4, we note that
| p p ˜ | N σ 0 , where σ 0 0.1628 .
Next, we begin by considering the optimal bound for small private exponent attacks, as established by Peng et al. [12]. This bound is given by
δ 0 < 2 α .
For the parameters of our case, we compute
2 α 0.585 ,
which is smaller than δ 0 . This result demonstrates that Peng et al.’s method is inadequate for breaking the system in this particular instance.
Similarly, the optimal bound proposed by Feng et al. [13] is expressed as
δ 0 < 2 2 σ 0 α ,
where d N δ 0 represents the threshold for partial prime exposure attacks. For the numerical example under consideration, we calculate
2 2 σ 0 α 1.192 ,
and since this value is smaller than δ 0 , we conclude that Feng et al.’s method is also ineffective in compromising the systems for this particular case.

5.3. Experiments with Large Examples

We applied the procedure described in Theorem 3 to examine cases where the public key N , e involves large values. By conducting a series of computational tests, we successfully resolved the modular equation
x 1 ( x 2 2 + a x 2 + b ) x 3 ( mod e ) ,
where
a = 2 ( p ˜ + q ˜ ) , b = ( p ˜ + q ˜ ) 2 ( N + 1 ) 2 .
This method enables an efficient factorization of the modulus N = p q when an amount of the most significant bits of p is available. Moreover, the conditions d > N 2 α and d > N 2 2 α σ are satisfied, which demonstrates that the optimal bounds in the literature [12,13] fail to break these RSA variants.
The outcomes of these experiments are presented in Table 2, where each row specifies the corresponding parameters:
  • bl ( n ) represents the bit-length of the value n.
  • δ is a parameter where | u | N δ holds.
  • δ 0 denotes a parameter such that d N δ 0 .
  • α is defined through the relation e N α .
  • γ corresponds to a parameter satisfying | z | N γ .
  • σ is a parameter satisfying | p p ˜ | N σ .
  • Ns ( p ) denotes the number of known most significant bits of p.
  • μ and ζ are parameters involved in the construction of the lattice L , which has dimension ω as shown in Theorem 3.
  • T ( s ) refers to the computation time in seconds required for executing the LLL algorithm and the Gröbner basis computation.

6. Conclusions

In this paper, we presented an enhanced cryptanalytic approach that builds upon Coppersmith’s method and incorporates lattice basis reduction. We applied this technique to analyze several variants of RSA where the modulus is N = p q , the modified totient function is ψ ( N ) = ( p 2 1 ) ( q 2 1 ) , and the generalized key equation is e u z ( mod ψ ( N ) ) . Our method successfully enables the factorization of the RSA modulus N in polynomial time, even for real-world examples on a large scale. Our method works in the scenario where an amount of the most significant bits of p is known, and the unknown parameters u , z in the equation e u z ( mod ψ ( N ) ) are suitably small. Our method extends all methods where the equation is e d 1 ( mod ψ ( N ) ) with small d. In addition, the results of this paper highlight the superiority of our attack over existing techniques that are not based on quantum computation, especially in scenarios involving small private exponents and partial prime information.

Author Contributions

Conceptualization, M.R. and A.N.; methodology, M.R. and A.N.; software, M.R.; validation, M.R., A.N. and M.Z.; formal analysis, M.R. and A.N.; investigation, M.R. and A.N.; resources, M.R. and A.N.; data curation, M.R. and A.N.; writing—original draft preparation, M.R.; writing—review and editing, M.R. and A.N.; visualization, M.R. and A.N.; supervision, M.R., A.N. and M.Z.; project administration, M.R., A.N. and M.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
RSARivest, Shamir, Adleman
CRTChinese Remainder Theorem
LLLLenstra, Lenstra, and Lovász

References

  1. Diffie, W.; Hellman, M. New directions in cryptography. IEEE Trans. Inf. Theory 1976, 22, 644–654. [Google Scholar] [CrossRef]
  2. Rivest, R.; Shamir, A.; Adleman, L. A Method for Obtaining digital signatures and public-key cryptosystems. Commun. ACM 1978, 21, 120–126. [Google Scholar] [CrossRef]
  3. Wiener, M. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 1990, 36, 553–558. [Google Scholar] [CrossRef]
  4. Boneh, D.; Durfee, G. Cryptanalysis of RSA with private key d less than N0.292, Advances in Cryptology-Eurocrypt’99. In Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1592; pp. 1–11. [Google Scholar]
  5. Quisquater, J.J.; Couvreur, C. Fast decipherment algorithm for RSA public-key cryptosystem. Electron. Lett. 1982, 18, 905–907. [Google Scholar] [CrossRef]
  6. Collins, T.; Hopkins, D.; Langford, S.; Sabin, M. Public Key Cryptographic Apparatus and Method. US Patent #5,848,159, 8 December 1998. [Google Scholar]
  7. Kuwakado, H.; Koyama, K.; Tsuruoka, Y. A New RSA-Type Scheme Based on Singular Cubic Curves with equation y2x3 + bx2 (mod N). IEICE Trans. Fundam. 1995, 78, 27–33. [Google Scholar]
  8. Elkamchouchi, H.; Elshenawy, K.; Shaban, H. Extended RSA cryptosystem and digital signature schemes in the domain of Gaussian integers. In Proceedings of the The 8th International Conference on Communication Systems, Singapore, 28–28 November 2002; Volume 1, pp. 91–95. [Google Scholar]
  9. Said, M.R.M.; Loxton, J. A cubic analogue of the RSA cryptosystem. Bull. Aust. Math. Soc. 2003, 68, 21–38. [Google Scholar] [CrossRef]
  10. Smith, P.J.; Lennon, M.J.J. LUC: A New Public Key System. In Proceedings of the ninth IFIP International Symposium on Computer Security, Toronto, ON, Canada, 12–14 May 1993; pp. 103–117. [Google Scholar]
  11. Boneh, D. Twenty years of attacks on the RSA cryptosystem. Notices Amer. Math. Soc. 1999, 46, 203–213. [Google Scholar]
  12. Peng, L.; Hu, L.; Lu, Y.; Wei, H. An improved analysis on three variants of the RSA cryptosystem. Int. Conf. Inf. Secur. Cryptol. 2016, 10143, 140–149. [Google Scholar]
  13. Feng, Y.; Nitaj, A.; Pan, Y. Partial prime factor exposure attacks on some RSA variants. Theor. Comput. Sci. 2024, 999, 114549. [Google Scholar] [CrossRef]
  14. Nitaj, A. Another Generalization of Wiener’s Attack on RSA; Africacrypt 2008 LNCS; Vaudenay, S., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5023, pp. 174–190. [Google Scholar]
  15. Castagnos, G. An efficient probabilistic public-key cryptosystem over quadratic fields quotients. Finite Fields Their Appl. 2007, 13, 563–576. [Google Scholar] [CrossRef]
  16. Lenstra, A.K.; Lenstra, H.W. Lovász, L. Factoring polynomials with rational coefficients. Math. Ann. 1982, 261, 513–534. [Google Scholar] [CrossRef]
  17. May, A. New RSA Vulnerabilities Using Lattice Reduction Methods. Ph.D. Thesis, University of Paderborn, Paderborn, Germany, 2003. [Google Scholar]
  18. Coppersmith, D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 1997, 10, 233–260. [Google Scholar] [CrossRef]
  19. Howgrave-Graham, N. Finding small roots of univariate modular equations revisited. In Proceedings of the IMA International Conference on Cryptography and Coding, LNCS 1355, Cirencester, UK, 17–19 December 1997; Springer: Berlin/Heidelberg, Germany, 1997; pp. 131–142. [Google Scholar]
  20. Jochemsz, E.; May, A. A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants; ASIACRYPT 2006, LNCS 4284; Springer: Berlin/Heidelberg, Germany, 2006; pp. 267–282. [Google Scholar]
  21. Zheng, M.; Kunihiro, N.; Yao, Y. Cryptanalysis of the RSA variant based on cubic Pell equation. Theor. Comput. Sci. 2021, 889, 135–144. [Google Scholar] [CrossRef]
  22. The Sage Developers: SageMath, the Sage Mathematics Software System (Version 10.4) (2025). Available online: https://www.sagemath.org (accessed on 8 April 2025).
Table 1. The lattice basis matrix for ( μ , ζ ) = ( 2 , 2 ) .
Table 1. The lattice basis matrix for ( μ , ζ ) = ( 2 , 2 ) .
G w , a , b x 3 2 x 1 x 3 x 1 x 2 x 3 x 1 2 x 1 2 x 2 x 3 x 4 x 2 x 3 x 4 x 1 x 4 x 1 x 2 x 4 x 4 2 x 2 x 4 2 x 2 2 x 4 2
G 0 , 0 , 0 e 2 X 3 2 00000000000
G 0 , 1 , 0 0 e 2 X 1 X 3 0000000000
G 0 , 1 , 1 00 e 2 X 1 X 2 X 3 000000000
G 0 , 2 , 0 000 e 2 X 1 2 00000000
G 0 , 2 , 1 0000 e 2 X 1 2 X 2 0000000
G 1 , 0 , 0 000 e X 3 X 4 000000
G 1 , 0 , 1 000 e X 2 X 3 X 4 00000
G 1 , 1 , 0 00000 e X 1 X 4 0000
G 1 , 1 , 1 00000 e X 1 X 2 X 4 000
G 2 , 0 , 0 0000 X 4 2 00
G 2 , 0 , 1 000 X 2 X 4 2 0
G 2 , 0 , 2 00 X 2 2 X 4 2
Table 2. Experiments for various values of ( N , e ) .
Table 2. Experiments for various values of ( N , e ) .
bl(N)bl(e) δ δ 0 α γ σ Ns ( p ) μ ζ ω T ( s )
102420470.3901.9942.000.4880.29321233528.00
110021980.4541.9992.000.4900.266250335210.09
120023980.4261.9992.000.5000.32521033529.98
130025980.4772.0002.000.5000.317237335210.48
140027970.4861.9992.000.5000.279310335214.81
150029970.4871.9992.000.5000.328255335213.15
160031990.4691.9992.000.5000.35523132405.34
170033990.4942.0002.000.5000.34726032405.69
180035950.4972.0002.000.5060.36624131221.38
190037940.4952.0002.000.5000.31635031221.98
204840960.4872.0002.000.4880.36926922210.5
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Rahmani, M.; Nitaj, A.; Ziane, M. Improved Cryptanalysis of Some RSA Variants. Algorithms 2025, 18, 223. https://doi.org/10.3390/a18040223

AMA Style

Rahmani M, Nitaj A, Ziane M. Improved Cryptanalysis of Some RSA Variants. Algorithms. 2025; 18(4):223. https://doi.org/10.3390/a18040223

Chicago/Turabian Style

Rahmani, Mohammed, Abderrahmane Nitaj, and Mhammed Ziane. 2025. "Improved Cryptanalysis of Some RSA Variants" Algorithms 18, no. 4: 223. https://doi.org/10.3390/a18040223

APA Style

Rahmani, M., Nitaj, A., & Ziane, M. (2025). Improved Cryptanalysis of Some RSA Variants. Algorithms, 18(4), 223. https://doi.org/10.3390/a18040223

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop