Cryptoanalysis of RSA variants with special structure of RSA primes

Abstract

In this paper, we present attacks on three types of RSA modulus when the least significant bits of the prime factors of RSA modulus satisfy some conditions. Let p, and q be primes of the form p=am1+rp and q=bm2+rq respectively, where a,b,m1,m2 ∈ Z+ rp, and rq are known. The first attack is when the RSA modulus is N=pq where m1 or m2 is an even number. If (rprq)12 is sufficiently small, then N can be factored in polynomial time. The second attack is when N=psq, where q>p and s divides m2. If rprq is sufficiently small, then N can be factored in polynomial time. The third attack is when N=ps+lqs, where p>q, s,l ∈ Z+, l < s2 and s divides m1l. If am1>qam1ls, and lr3p is sufficiently small, then N can be factored in polynomial time.