New Attacks on RSA with Moduli N = p r q

Abstract

We present three attacks on the Prime Power RSA with modulus N = p r q. In the first attack, we consider a public exponent e satisfying an equation ex − φ(N)y = z where φ(N) = p r − 1(p − 1)(q − 1). We show that one can factor N if the parameters |x| and |z| satisfy \(|xz|<N^\frac{r(r-1)}{(r+1)^2}\) thereby extending the recent results of Sakar [16]. In the second attack, we consider two public exponents e 1 and e 2 and their corresponding private exponents d 1 and d 2. We show that one can factor N when d 1 and d 2 share a suitable amount of their most significant bits, that is \(|d_1-d_2|<N^{\frac{r(r-1)}{(r+1)^2}}\). The third attack enables us to factor two Prime Power RSA moduli \(N_1=p_1^rq_1\) and \(N_2=p_2^rq_2\) when p 1 and p 2 share a suitable amount of their most significant bits, namely, \(|p_1-p_2|<\frac{p_1}{2rq_1q_2}\).