
Fast RSA-Type Cryptosystem Modulo pkq

Tsuyoshi Takagi

NTT Software Laboratories
3-9-11, Midori-cho Musashino-shi, Tokyo 180-0012, Japan
E-mail: ttakagi@slab.ntt.co.jp

Abstract. We propose a cryptosystem modulo $p^k q$ based on the RSA cryptosystem. We choose an appropriate modulus $p^k q$ which resists two of the fastest factoring algorithms, namely the number field sieve and the elliptic curve method. We also apply the fast decryption algorithm modulo $p^k$ proposed in [22]. The decryption process of the proposed cryptosystem is faster than the RSA cryptosystem using the Chinese remainder theorem, known as the Quisquater-Couvreur method [17]. For example, if we choose the 768-bit modulus $p^2 q$ for 256-bit primes p and q, then the decryption process of the proposed cryptosystem is about 3 times faster than that of the RSA cryptosystem using the Quisquater-Couvreur method.

Key words: RSA cryptosystem, Quisquater-Couvreur method, fast decryption, factoring algorithm

1 Introduction

The RSA cryptosystem is one of the most practical public key cryptosystems and is used throughout the world [19]. Let n be a public key, which is the product of two appropriate primes, e be an encryption key, and d be a decryption key. The algorithms of encryption and decryption consist of exponentiation to the e-th and d-th powers modulo n, respectively. We can make e small, but must consider low exponent attacks [3] [4] [6]. The encryption process takes less computation and is fast. On the other hand, the decryption key d must have more than one fourth the number of bits of the public key n to preclude Wiener's attack [24] and its extension [23]. Therefore, the cost of the decryption process is dominant for the RSA cryptosystem.

In this paper, we propose an RSA-type cryptosystem modulo $n = p^k q$. Even though the modulus is not of the form pq, we choose appropriate sizes for the secret primes p and q to preclude both the number field sieve and the elliptic curve method. Using this modulus $p^k q$, we construct a fast decryption public-key cryptosystem. In the key generation, we generate the public key e and secret key d using the relation $ed \equiv 1 \pmod{L}$, where $L = \mathrm{LCM}(p-1, q-1)$. Note that L is not the same as $\varphi(n) = p^{k-1}(p-1)(q-1)$ or even $\lambda(n) = \mathrm{LCM}(p^{k-1}(p-1), q-1)$. Thus, the secret exponent d becomes much smaller than $n = p^k q$. Moreover, for decrypting $M_p \equiv M \pmod{p^k}$ we show that it is possible to apply the fast decryption algorithm proposed in [22]. The running time for computing $M_p$ is essentially equivalent to that for $C^d \pmod p$. Therefore, the decryption process is much faster than in the RSA cryptosystem using the Chinese remainder theorem [17].
The paper is organized as follows. In Section 2, we describe the algorithm
of the proposed cryptosystem. We discuss the size of the secret primes which
prevents the use of both the number field sieve and the elliptic curve method
in Section 3. Then, we show the running time of the proposed cryptosystem in
comparison with the RSA cryptosystem using the Quisquater-Couvreur method
in Section 4. We explain the effectiveness of Wiener's attack in Section 5. We
show some properties of our cryptosystem related to some attacks in Section 6.

Notation: $\mathbb{Z}$ is the integer ring. $\mathbb{Z}_n$ is the residue ring $\mathbb{Z}/n\mathbb{Z}$ and its complete residue class is $\{0, 1, 2, \ldots, n-1\}$. $\mathbb{Z}_n^\times$ is the reduced residue group modulo n. $\mathrm{LCM}(m_1, m_2)$ is the least common multiple of $m_1$ and $m_2$. $\mathrm{GCD}(m_1, m_2)$ is the greatest common divisor of $m_1$ and $m_2$.

2 Proposed public-key cryptosystem

In this section, we describe an RSA-type cryptosystem modulo $p^k q$, and discuss the size of its secret keys and the running time.

2.1 Algorithm

1. Generation of the keys: Generate two random primes p, q, and let $n = p^k q$. Compute $L = \mathrm{LCM}(p-1, q-1)$, and find e, d which satisfy $ed \equiv 1 \pmod{L}$ and $\mathrm{GCD}(e, p) = 1$. Then e, n are the public keys, and d, p, q are the secret keys.
2. Encryption: Let $M \in \mathbb{Z}_n^\times$ be the plaintext. We encrypt the plaintext by the equation:

$$C \equiv M^e \pmod{n}. \qquad (1)$$

3. Decryption: We decrypt $M_p \equiv M \pmod{p^k}$ and $M_q \equiv M \pmod{q}$ using the secret keys d, p, q. The plaintext M can be recovered by the Chinese remainder theorem. Here, $M_q$ is computed by $M_q \equiv C^d \pmod{q}$ and $M_p$ is computed by the fast algorithm described in [22].

2.2 Details of the decryption algorithm

The order of the group $\mathbb{Z}_{p^k}^\times$ is $p^{k-1}(p-1)$. When $M_p \equiv M \pmod{p^k}$ is recovered using the standard algorithm of RSA, we have to compute $M_p \equiv C^d \pmod{p^k}$ for $d \equiv e^{-1} \pmod{\mathrm{LCM}(p^{k-1}(p-1), q-1)}$. Then the running time is slower than that of the method using the Chinese remainder theorem for $n = pq$ [17], so there are no significant advantages in using the modulus $p^k q$. Instead, we apply the method described in [22], where the author presents a fast algorithm for computing RSA decryption modulo $n^k$ using n-adic expansion. Then, the running time for computing $M_p$ becomes essentially equivalent to computing $M_p \equiv C^d \pmod p$ for $d \equiv e^{-1} \pmod{\mathrm{LCM}(p-1, q-1)}$.

First, we modify the algorithm into a more efficient form. We denote the ciphertext reduced modulo $p^k$ by $C_p$. Then the relationship between the ciphertext $C_p$ and the plaintext is $C_p \equiv M_p^e \pmod{p^k}$. Note that $M_p$, the plaintext modulo $p^k$, has the p-adic expansion such that

$$M_p \equiv K_0 + pK_1 + p^2 K_2 + \cdots + p^{k-1} K_{k-1} \pmod{p^k}. \qquad (2)$$

Here, we define the function $F_i(X_0, X_1, \ldots, X_i)$ as follows:

$$F_i(X_0, X_1, \ldots, X_i) = (X_0 + pX_1 + \cdots + p^i X_i)^e,$$

where $i = 0, 1, \ldots, k-1$. $F_{k-1}(X_0, X_1, \ldots, X_{k-1}) = (X_0 + pX_1 + \cdots + p^{k-1} X_{k-1})^e$ is the same as the function that encrypts the plaintext $M_p$ in equation (2). By reducing modulo $p^{i+1}$, we get the relationship

$$F_i(X_0, X_1, \ldots, X_i) \equiv F_{i-1} + p^i G_{i-1} X_i \pmod{p^{i+1}},$$

where $F_{i-1} = (X_0 + pX_1 + \cdots + p^{i-1} X_{i-1})^e$ and $G_{i-1} = e(X_0 + pX_1 + \cdots + p^{i-1} X_{i-1})^{e-1}$ for $i = 0, 1, \ldots, k-1$. From this relationship, we can recursively calculate $K_1, \ldots, K_{k-1}$. For $i = 1$, $K_1$ is the solution of the following linear equation in $X_1$:

$$C \equiv F_0(K_0) + pG_0(K_0) X_1 \pmod{p^2}. \qquad (3)$$

Assume we have already calculated $K_1, K_2, \ldots, K_{i-1}$. Using these values, we compute $F_{i-1}(K_0, K_1, \ldots, K_{i-1})$, $G_{i-1}(K_0, K_1, \ldots, K_{i-1})$ in $\mathbb{Z}$, and denote them by $F_{i-1}$, $G_{i-1}$, respectively. Then, $K_i$ is the solution of the following linear equation in $X_i$:

$$C \equiv F_{i-1} + p^i G_{i-1} X_i \pmod{p^{i+1}}. \qquad (4)$$

Note that $\mathrm{GCD}(G_{i-1}, p) = 1$, because $\mathrm{GCD}(K_0, p) = \mathrm{GCD}(e, p) = 1$, so we can uniquely decrypt $K_i$.

After computing $K_0, K_1, \ldots, K_{k-1}$, we can evaluate $M_p \pmod{p^k}$ from equation (2). Finally, the plaintext $M \pmod{p^k q}$ is also computed from the values $M_p \pmod{p^k}$, $M_q \pmod q$, and the Chinese remainder theorem.

Moreover, note that we do not have to use the secret exponent d for evaluating $K_1, K_2, \ldots, K_{k-1}$. Thus, when we compute the two values $K_0 \equiv C^d \pmod p$ and $M_q \equiv C^d \pmod q$, the secret exponent d can be reduced modulo $p-1$ and $q-1$. Indeed, $C^d \equiv C^{d_p} \pmod p$ and $C^d \equiv C^{d_q} \pmod q$ hold, where $d_p \equiv d \pmod{p-1}$ and $d_q \equiv d \pmod{q-1}$.

In Appendix A, we describe the decryption program written in pseudo-code. For $x \in \mathbb{Z}$ and a positive integer N, $[x]_N$ denotes the remainder of x modulo N, which is in $\{0, 1, \ldots, N-1\}$.

3 Size of secret parameters

Here, we discuss the size of the secret parameters p and q. The RSA cryptosystem uses a composite number of the symmetric type pq, where p and q are of the same bit size. The cryptosystem proposed in this paper depends on the security of factoring the modulus $p^k q$. We have to carefully choose the size of p and q.

There are two types of fast factoring algorithm to consider: the number field sieve [11] and the elliptic curve method [10]. Other factoring algorithms have the same or slower running times, so the size of the RSA modulus can be estimated by these two factoring algorithms [7] [13] [20]. Let $L_N[s, c] = \exp((c + o(1)) \log^s(N) \log\log^{1-s}(N))$. The number field sieve is the fastest factoring algorithm, and its running time is estimated from the total bit size of the integer n to be factored, which is expected to be $L_n[1/3, (64/9)^{1/3}]$. If we choose n to be larger than 768 bits, the number field sieve becomes infeasible. In our case, we have to make the modulus $n = p^k q$ larger than 768 bits. The elliptic curve method is effective for finding primes which are divisors of the integer n to be factored. Its running time is estimated in terms of the bit size of the prime divisor p. Its expected value is $L_p[1/2, 2^{1/2}]$. Note that the running time of the elliptic curve method is different from that of the number field sieve, and the order is much different. If we choose p to be larger than 256 bits, the elliptic curve method becomes infeasible. In our case, we have to make the primes p and q of the modulus larger than 256 bits.

The factoring algorithm strongly depends on the implementation. To my knowledge, the fastest implementation record for the number field sieve factored a 130-digit RSA modulus [5] and that for the elliptic curve method found a 48-digit prime factor [8]. Here, we again emphasize that there is a big difference in the cost between the number field sieve and the elliptic curve method. Therefore, if we choose the 768-bit modulus $p^2 q$ with 256-bit primes p and q, neither of the factoring algorithms is feasible, so the scheme is secure for cryptographic purposes. But the size of the secret primes must be thoroughly discussed for the practical usage of our proposed cryptosystem, and this is work in progress.

Here, we wonder whether there exist factoring algorithms against a modulus with a square factor $p^2 q$. This factoring problem appeared in the list of open problems in number theoretic complexity by Adleman and McCurley [1], and it is unknown whether there exists an $L_p[1/3]$-type sub-exponential algorithm which finds the primes of the composite number $p^2 q$. Recently, Peralta and Okamoto proposed a factoring algorithm against numbers of the form $p^2 q$ based on the elliptic curve method [16]. They focused on the fact that the Jacobi symbol is equal to one for a square integer, and the running time becomes a little faster than that of the original elliptic curve method.

Remark 1. A digital signature scheme [14] and two public key cryptosystems [9] [15] which rely on the difficulty of factoring numbers of the type $p^2 q$ have been proposed. These cryptosystems are fast and practical. For secure usage of these cryptosystems and our proposed cryptosystem, research on factoring algorithms against a composite number with a square factor is desirable.

4 Running time

In this section, we estimate the running time of the proposed cryptosystem. We assume that the public modulus $n = p^2 q$ is 768 bits for 256-bit primes p and q in the following. We also assume that the running time for computing $x^a \pmod b$ is $O(\log_2^2(b) \log_2(a))$. Below, we estimate the worst-case running time.

In the decryption process of the proposed cryptosystem, the algorithm does not depend on the secret exponent d except when we compute

$$C^d \pmod p, \quad C^d \pmod q. \qquad (5)$$

After calculating $C^d \pmod p$, we compute only a few multiplications for obtaining $M_p \equiv M \pmod{p^k}$. This costs the same as the encryption process. If we choose a very small e, this algorithm is very efficient. For example, if the modulus is $p^2 q$, then we compute at most $\lfloor \log_2 e \rfloor$ multiplications modulo $p^2$, one division by p, two multiplications modulo p, and one inversion modulo p. Moreover, when we compute the two values of equation (5), the secret exponent d can be reduced modulo $p-1$ and $q-1$. In other words, $C^d \equiv C^{d_p} \pmod p$ and $C^d \equiv C^{d_q} \pmod q$ hold, where $d_p \equiv d \pmod{p-1}$ and $d_q \equiv d \pmod{q-1}$. Thus, the size of the secret exponent can be reduced.

Denote by T the running time for computing the decryption algorithm of the original RSA cryptosystem, i.e., $C^{d'} \pmod n$, where $d'$ is as large as n. Then, the running time of the proposed cryptosystem for a 768-bit modulus is about $(2(1/3)^3 + a_e)T = (0.074 + a_e)T$, where $a_e$ depends only on the encryption exponent e. When we make the encryption exponent e very small, $a_e$ becomes negligible.

A similar decryption algorithm for the RSA cryptosystem using the Chinese remainder theorem, the Quisquater-Couvreur method, mainly computes $C^d \pmod p$ and $C^d \pmod q$, where $n = pq$ is the RSA modulus, both p and q are as large as $(\log_2 n)/2$ bits, and we assume d is as large as p and q. So, the running time of the Quisquater-Couvreur method is about 4 times faster than the original RSA cryptosystem.

Here, we compare the running time of our proposed cryptosystem with that of the Quisquater-Couvreur method. The comparison is carried out based on the common bit length of the modulus. The proposed cryptosystem with the small encryption exponent e is about 3 times faster than the RSA cryptosystem applying the Quisquater-Couvreur method for the 768-bit modulus.

In addition, consider the RSA cryptosystem with the square-free modulus $n = p_1 p_2 \cdots p_l$, where we assume that the $p_i$ are as large as $(\log_2 n)/l$ bits for $i = 1, 2, \ldots, l$. As we discussed in Section 3, we can use a 768-bit modulus $n = p_1 p_2 p_3$ with 256-bit primes $p_i$ $(i = 1, 2, 3)$ for cryptographic purposes. This version of RSA will be faster when we use the decryption technique using the Chinese remainder theorem. Indeed, the decryption time with this modulus is dominated by computing $C^{d_i} \pmod{p_i}$, where we assume the $d_i$ are as large as $p_i$ for $i = 1, 2, 3$. So, the running time of this RSA variant is about 9 times faster than the original RSA cryptosystem. Here, we compare this RSA variant with our proposed cryptosystem. Our proposed cryptosystem is about 1.5 times faster for a 768-bit modulus.

5 Short secret exponent d

A short secret exponent is desirable for the fast decryption algorithm. However, Wiener reported an attack based on the continued fraction algorithm which detects a short secret exponent d [24]. This attack is effective for $d < n^{1/4}$.

The secret key d and the public key e of the proposed cryptosystem have the relation $ed \equiv 1 \pmod{\mathrm{LCM}(p-1, q-1)}$, and the primes p and q are much smaller than n. So, we wonder whether Wiener's attack is applicable to larger secret exponents d. Moreover, if the attacker can compute $d'$ such that

$$ed' \equiv 1 \pmod{\mathrm{LCM}(p^{k-1}(p-1), q-1)}, \qquad (6)$$

then the proposed cryptosystem will also be broken.

Here, we discuss Wiener's attack for relation (6). From $\mathrm{LCM}(p^{k-1}(p-1), q-1) = p^{k-1}(p-1)(q-1)/\mathrm{GCD}(p^{k-1}(p-1), q-1)$, we have $ed' = 1 + m\,p^{k-1}(p-1)(q-1)/\mathrm{GCD}(p^{k-1}(p-1), q-1)$ for some integer m. Generally, $\mathrm{GCD}(p^{k-1}(p-1), q-1)$ is very small compared with p and q. Let $m/\mathrm{GCD}(p^{k-1}(p-1), q-1) = h/g$, where $\mathrm{GCD}(h, g) = 1$. Then, we get the relation

$$\left| \frac{e}{p^k q} - \frac{h}{g d'} \right| = \delta', \qquad (7)$$

where $\delta' = \dfrac{h\,(p^k + p^{k-1} q - p^{k-1} - g/h)}{g d' p^k q}$. From $h/(d' g) < 1$, the upper bound of $\delta'$ is of the size $n^{-1/(k+1)}$. It is known that for a rational number x such that $|x - P/Q| < 1/(2Q^2)$, $P/Q$ is a convergent in the continued fraction of x, where P and Q are relatively prime integers. Therefore, if $n^{-1/(k+1)} < 1/(2(gd')^2)$ holds, then Wiener's attack is applicable by computing the continued fraction of $e/(p^k q)$. Therefore, Wiener's attack is effective for $d' < n^{1/(2(k+1))}$. During key generation one must ensure that $d' \equiv e^{-1} \pmod{\mathrm{LCM}(p^{k-1}(p-1), q-1)}$ is sufficiently large.

In the same manner, we can discuss Wiener's attack for the relation $ed \equiv 1 \pmod{\mathrm{LCM}(p-1, q-1)}$. In this case, we get the relation

$$\left| \frac{e}{p^k q} - \frac{h}{g d p^{k-1}} \right| = \delta,$$

where $\delta = \dfrac{h\,(p + q - 1 - g/h)}{g d p^k q}$. The lower bound on $\delta$ is of the size $1/(g d n^{k/(k+1)})$, and $1/(g d n^{k/(k+1)})$ is larger than the upper bound $1/(2(g d p^{k-1})^2) \approx 1/(2(g d n^{(k-1)/(k+1)})^2)$ which the continued fraction can detect. So, Wiener's attack seems infeasible for the relation $ed \equiv 1 \pmod{\mathrm{LCM}(p-1, q-1)}$. Further work on this is in progress.

6 Other properties

In this section, we describe some attacks against our proposed cryptosystem and some other properties of it.

Permutation: Let S be a finite set, and let F(x) be a function from S to S. The function F(x) is called a permutation function if every pair $x, y \in S$ that satisfies $F(x) = F(y)$ also satisfies $x = y$. The encryption function must be a permutation function in order to have unique decryption. The encryption function of the proposed cryptosystem is $F(X) = X^e \pmod{p^k q}$. This function is a permutation function if and only if $\mathrm{GCD}(p-1, e) = \mathrm{GCD}(q-1, e) = \mathrm{GCD}(p, e) = 1$. The last condition is always satisfied for small e, so this condition becomes the same as that for the original RSA cryptosystem.

Message concealing: A function F(x) is called unconcealed when $F(x) = x$ holds for some x. If the encryption function is unconcealed, some plaintexts are not encrypted. Blakley and Borosh showed that the encryption function of the RSA cryptosystem is unconcealed [2]. They also estimated the number of unconcealed messages for a modulus having the form $p^k q$. They proved

$$N = (1 + \mathrm{GCD}(e-1, p^{k-1}(p-1)))(1 + \mathrm{GCD}(e-1, q-1)).$$

This number is negligible because we choose e to be small in our proposed cryptosystem.
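The permutation condition and the Blakley-Borosh count above, checked by exhaustive search on a toy modulus. This is an added Python example, not code from the paper; the modulus $11^2 \cdot 13$ is constructed for illustration, and the permutation check runs over the unit group $\mathbb{Z}_n^\times$, from which plaintexts are taken.

```python
import math


def is_permutation_exponent(e: int, p: int, q: int) -> bool:
    """Section 6 condition for x -> x^e to be a permutation modulo p^k q."""
    return math.gcd(p - 1, e) == math.gcd(q - 1, e) == math.gcd(p, e) == 1


def unconcealed_count(e: int, p: int, q: int, k: int) -> int:
    """Blakley-Borosh formula: number of x in Z_n with x^e = x (mod p^k q)."""
    return (1 + math.gcd(e - 1, p ** (k - 1) * (p - 1))) * (1 + math.gcd(e - 1, q - 1))


def unconcealed_messages(e: int, p: int, q: int, k: int) -> list:
    """Exhaustive search over the whole residue ring; feasible only for toy n."""
    n = p ** k * q
    return [x for x in range(n) if pow(x, e, n) == x]


def is_permutation_bruteforce(e: int, p: int, q: int, k: int) -> bool:
    """Injectivity of x -> x^e on the unit group of Z_n, checked by enumeration.

    The unit group modulo p^k has order p^(k-1)(p-1), which is why the
    GCD(p, e) = 1 condition matters for k >= 2."""
    n = p ** k * q
    units = [x for x in range(n) if math.gcd(x, n) == 1]
    return len({pow(x, e, n) for x in units}) == len(units)


if __name__ == "__main__":
    # Toy parameters constructed for illustration: p = 11, q = 13, k = 2, e = 7.
    print(unconcealed_count(7, 11, 13, 2), len(unconcealed_messages(7, 11, 13, 2)))
    print(is_permutation_exponent(7, 11, 13), is_permutation_bruteforce(7, 11, 13, 2))
```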
Cycling attack: The cycling attack is to find an integer s such that $C^{e^s} \equiv C \pmod{p^k q}$ [12] [25]. If we find such an integer, then the modulus $p^k q$ can be factored with probability greater than 1/2. From a recent result by Rivest and Silverman, it is known that the probability of success of the cycling attack is negligible [20]. This analysis is also true for our proposed cryptosystem, because p and q must be chosen to be primes of more than 256 bits. Here, denote by $\mathrm{ord}_m(Q)$ the order of the point Q in the group $\mathbb{Z}_m$ for some integer m; then $\mathrm{ord}_{\mathrm{ord}_n(C)}(e) \mid s$ holds. Note that $\mathrm{ord}_m(Q) \mid \mathrm{ord}_n(Q)$ for $m \mid n$ and Q in $\mathbb{Z}_n$. The probability that $p \mid \mathrm{ord}_{p^k}(Q)$ for a random point Q in $\mathbb{Z}_{p^k}$ is $1 - 1/p$, so $p \mid \mathrm{ord}_n(C)$ holds for a random ciphertext C in $\mathbb{Z}_n$ with high probability, and $\mathrm{ord}_p(e)$ is greater than the largest prime factor of $p-1$, which is more than 50 bits with high probability. Therefore, the integer s is greater than 50 bits with high probability.

Other attacks: All other attacks are applicable, for example, the low exponent attacks [3] [4] [6], the common modulus attack, and the chosen message attack (see, for example, [7] [13]).

Digital signature: Of course, the proposed algorithm can be used for a digital signature.¹ The prominent property of our proposed cryptosystem is the running time for generating the signature, which is faster than that of the RSA cryptosystem using the Chinese remainder theorem.

Rabin-type cryptosystem: We can construct a Rabin-type cryptosystem by applying the algorithm proposed in this paper. We can also prove that the extended Rabin-type cryptosystem is as intractable as factoring the modulus $p^k q$.

¹ Shamir proposed a variation of the RSA cryptosystem with an unbalanced modulus [21]. As he stated in the paper, Shamir's RSA can not be used for digital signatures.

Acknowledgments

I wish to thank Shozo Naito for his helpful discussion. I would also like to thank the anonymous referees for their valuable comments.

References

1. L. M. Adleman and K. S. McCurley, "Open problems in number theoretic complexity, II," Proceedings of ANTS-I, LNCS 877, (1994), pp.291-322.
2. G. R. Blakley and I. Borosh, "Rivest-Shamir-Adleman public key cryptosystems do not always conceal messages," Comput. & Maths. with Appls., 5, (1979), pp.169-178.
3. D. Coppersmith, M. Franklin, J. Patarin and M. Reiter, "Low-exponent RSA with related messages," Advances in Cryptology - EUROCRYPT '96, LNCS 1070, (1996), pp.1-9.
4. D. Coppersmith, "Finding a small root of a univariate modular equation," Advances in Cryptology - EUROCRYPT '96, LNCS 1070, (1996), pp.155-165.
5. J. Cowie, B. Dodson, R. Elkenbracht-Huizing, A. K. Lenstra, P. L. Montgomery, J. Zayer, "A world wide number field sieve factoring record: on to 512 bits," Advances in Cryptology - ASIACRYPT '96, LNCS 1163, (1996), pp.382-394.
6. J. Håstad, "Solving simultaneous modular equations of low degree," SIAM Journal of Computing, 17, (1988), pp.336-341.
7. B. S. Kaliski Jr. and M. Robshaw, "Secure use of RSA," CryptoBytes, 1 (3), (1995), pp.7-13.
8. ECMNET Project, http://www.loria.fr/~zimmerma/records/ecmnet.html
9. D. Hühnlein, M. J. Jacobson, S. Paulus, and T. Takagi, "A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption," Advances in Cryptology - EUROCRYPT '98, LNCS 1403, (1998), pp.294-307.
10. H. W. Lenstra, Jr., "Factoring integers with elliptic curves," Annals of Mathematics, 126, (1987), pp.649-673.
11. A. K. Lenstra and H. W. Lenstra, Jr. (Eds.), "The development of the number field sieve," Lecture Notes in Mathematics, 1554, Springer, (1991).
12. U. M. Maurer, "Fast generation of prime numbers and secure public-key cryptographic parameters," Journal of Cryptology, Vol.8, (1995), pp.123-155.
13. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, "Handbook of applied cryptography," CRC Press, (1996).
14. T. Okamoto, "A fast signature scheme based on congruential polynomial operations," IEEE Transactions on Information Theory, IT-36, (1990), pp.47-53.
15. T. Okamoto and S. Uchiyama, "A new public-key cryptosystem as secure as factoring," Advances in Cryptology - EUROCRYPT '98, LNCS 1403, (1998), pp.308-318.
16. R. Peralta and E. Okamoto, "Faster factoring of integers of a special form," IEICE Trans. Fundamentals, Vol.E79-A, No.4, (1996), pp.489-493.
17. J.-J. Quisquater and C. Couvreur, "Fast decipherment algorithm for RSA public-key cryptosystem," Electronics Letters, 18, (1982), pp.905-907.
18. M. O. Rabin, "Digitalized signatures and public-key functions as intractable as factorization," Technical Report No.212, MIT, Laboratory of Computer Science, Cambridge (1979), pp.1-16.
19. R. Rivest, A. Shamir and L. M. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, 21(2), (1978), pp.120-126.
20. R. Rivest and R. D. Silverman, "Are 'strong' primes needed for RSA," The 1997 RSA Laboratories Seminar Series, Seminars Proceedings, (1997).
21. A. Shamir, "RSA for paranoids," CryptoBytes, 1, Autumn, (1995), pp.1-4.
22. T. Takagi, "Fast RSA-type cryptosystem using n-adic expansion," Advances in Cryptology - CRYPTO '97, LNCS 1294, (1997), pp.372-384.
23. E. R. Verheul and H. C. A. van Tilborg, "Cryptanalysis of 'less short' RSA secret exponents," Applicable Algebra in Engineering, Communication and Computing, 8, (1997), pp.425-435.
24. M. J. Wiener, "Cryptanalysis of short RSA secret exponents," IEEE Transactions on Information Theory, IT-36, (1990), pp.553-558.
25. H. C. Williams and B. Schmid, "Some remarks concerning the M.I.T. public-key cryptosystem," BIT 19, (1979), pp.525-538.

A Decryption algorithm

In this appendix, we describe the decryption program written in pidgin ALGOL. For $x \in \mathbb{Z}$ and a positive integer N, $[x]_N$ will denote the remainder of x modulo N, which is in $\{0, 1, \ldots, N-1\}$. The plaintext M is encrypted by $C \equiv M^e \pmod{p^k q}$. The relation between the encryption exponent e and the decryption exponent d is $ed \equiv 1 \pmod{\mathrm{LCM}(p-1, q-1)}$.

procedure DECRYPTION:
INPUT: d, p, q, e, k, C
OUTPUT: M
(1) $d_p := [d]_{p-1}$, $d_q := [d]_{q-1}$;
(2) $K_0 := [C^{d_p}]_p$, $M_q := [C^{d_q}]_q$;
(3) $A_0 := K_0$;
    FOR i = 1 to (k-1) do
        $F_i := [A_{i-1}^e]_{p^{i+1}}$;
        $E_i := [C - F_i]_{p^{i+1}}$;
        $B_i := E_i / p^i$ in $\mathbb{Z}$;
        $K_i := [(e F_i)^{-1} A_{i-1} B_i]_p$;
        $A_i := A_{i-1} + p^i K_i$ in $\mathbb{Z}$;
(4) $M_p := A_{k-1}$;
(5) $p_1 := [(p^k)^{-1}]_q$, $q_1 := [q^{-1}]_{p^k}$;
(6) $M := [q q_1 M_p + p^k p_1 M_q]_{p^k q}$.
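The key generation of Section 2.1, the short-exponent check of Section 5 and the lifting decryption of Section 2.2 and this appendix, as an added Python example that is not code from the paper. It assumes Python 3.8 or later for `pow(x, -1, m)`, uses toy primes constructed for illustration (Section 3 calls for 256-bit primes), and rejects keys whose $d'$ falls below the Section 5 bound $n^{1/(2(k+1))}$.

```python
import math


def lcm(a: int, b: int) -> int:
    return a * b // math.gcd(a, b)


def short_exponent_ok(p: int, q: int, k: int, e: int) -> bool:
    """Section 5: d' = e^-1 mod LCM(p^(k-1)(p-1), q-1) must not lie below
    n^(1/(2(k+1))), the range where the continued fraction of e/n finds it."""
    n = p ** k * q
    d_prime = pow(e, -1, lcm(p ** (k - 1) * (p - 1), q - 1))
    return d_prime ** (2 * (k + 1)) > n


def keygen(p: int, q: int, k: int, e: int):
    """Section 2.1: n = p^k q, L = LCM(p-1, q-1), e d = 1 (mod L)."""
    n = p ** k * q
    # Section 6: x -> x^e permutes the unit group iff all three GCDs are 1.
    if not (math.gcd(e, p - 1) == math.gcd(e, q - 1) == math.gcd(e, p) == 1):
        raise ValueError("e does not give a permutation")
    if not short_exponent_ok(p, q, k, e):
        raise ValueError("d' is below the Wiener bound n^(1/(2(k+1)))")
    d = pow(e, -1, lcm(p - 1, q - 1))
    return n, d


def encrypt(M: int, e: int, n: int) -> int:
    """Equation (1): C = M^e (mod n), for M in the unit group of Z_n."""
    return pow(M, e, n)


def decrypt(C: int, d: int, p: int, q: int, e: int, k: int) -> int:
    """Appendix A: M mod p^k by p-adic lifting, M mod q by C^d, then CRT."""
    # (1)-(2): d is only needed modulo p-1 and q-1.
    dp, dq = d % (p - 1), d % (q - 1)
    K0 = pow(C, dp, p)          # M mod p
    Mq = pow(C, dq, q)          # M mod q
    # (3): A_{i-1} = K0 + p K1 + ... + p^(i-1) K_{i-1}; solve equation (4),
    # C = F_{i-1} + p^i G_{i-1} X_i (mod p^(i+1)), for X_i = K_i.
    A = K0
    for i in range(1, k):
        mod = p ** (i + 1)
        F = pow(A, e, mod)      # F_{i-1} = A^e mod p^(i+1)
        E = (C - F) % mod       # divisible by p^i since A = M (mod p^i)
        B = E // p ** i         # B_i in Z
        # G_{i-1}^-1 = (e A^(e-1))^-1 = A (e F)^-1 (mod p): one inversion mod p
        K = (pow(e * F, -1, p) * A * B) % p
        A += p ** i * K         # A_i in Z
    Mp = A                      # (4): M mod p^k
    # (5)-(6): Chinese remainder theorem for the moduli p^k and q.
    pk = p ** k
    p1 = pow(pk, -1, q)
    q1 = pow(q, -1, pk)
    return (q * q1 * Mp + pk * p1 * Mq) % (pk * q)


def roundtrip(p: int, q: int, k: int, e: int, M: int) -> bool:
    """Encrypt and decrypt M; True when the plaintext is recovered."""
    n, d = keygen(p, q, k, e)
    if math.gcd(M, n) != 1:
        raise ValueError("M must be a unit modulo n")
    return decrypt(encrypt(M, e, n), d, p, q, e, k) == M


if __name__ == "__main__":
    # Toy parameters, constructed for illustration only: n = 11^2 * 13 = 1573.
    print(keygen(11, 13, 2, 7), roundtrip(11, 13, 2, 7, 100))
```

With k = 1 the loop does not run and the routine reduces to RSA decryption with the Chinese remainder theorem.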
