
A New RSA Variant Based On Elliptic Curves: Abstract

This document presents a new RSA variant based on ephemeral elliptic curves over the ring Z/nZ, where n is the product of two primes. The proposed scheme enhances security against various attacks and allows for smaller private exponents, improving decryption efficiency. The paper includes a detailed analysis of the scheme's security and its theoretical foundations.

A New RSA Variant Based on Elliptic Curves

Maher Boudabra¹ and Abderrahmane Nitaj²

¹ Department of Computing and Mathematics, King Fahd University of Petroleum
and Minerals, Saudi Arabia, maher.boudabra@kfupm.edu.sa
² Normandie Univ, UNICAEN, CNRS, LMNO, 14000 Caen, France,
abderrahmane.nitaj@unicaen.fr

Abstract. We propose a new scheme based on ephemeral elliptic curves
over the ring $\mathbb{Z}/n\mathbb{Z}$ where $n = pq$ is an RSA modulus with
$p = u_p^2 + v_p^2$, $q = u_q^2 + v_q^2$, $u_p \equiv u_q \equiv 3 \pmod 4$.
The new scheme is a variant of both the RSA and the KMOV cryptosystems. The
scheme can be used for both signature and encryption. We study the security
of the new scheme and show that it is immune against factorization attacks,
discrete logarithm problem attacks, sum of two squares attacks, sum of four
squares attacks, isomorphism attacks, and homomorphism attacks. Moreover, we
show that the private exponents can be much smaller than the ordinary
exponents for RSA and KMOV, which makes the decryption phase in
the new scheme more efficient.

Keywords. Public key Cryptography, RSA, KMOV, Demytko’s scheme, Elliptic
curves, Continued fractions, Coppersmith’s method.
Mathematics Subject Classification. 94A60, 68P25, 11A55, 14H52.

1 Introduction
The RSA system was proposed in 1977 by Rivest, Shamir, and Adleman [37]
as a public key cryptosystem. The algorithm is based on a trapdoor function
that utilizes the Fermat-Euler theorem. The strength of the RSA algorithm
depends on the difficulty of factoring a large integer $n$ which is the product
of two large primes $p$ and $q$. In RSA, the public exponent is an integer $e$
and the private exponent is an integer $d$ such that
$ed \equiv 1 \pmod{(p-1)(q-1)}$.
Since its publication, the RSA cryptosystem has been intensively studied for
vulnerabilities using various methods (see [4,16]). On the other hand, to improve
the efficiency of RSA, many variants have been proposed such as Batch RSA [13],
Multi-prime RSA [8], Prime-power RSA [41], CRT-RSA [10], Rebalanced-RSA [45],
Dual RSA [40] and DRSA [34].
In 1985, Koblitz [21] and Miller [28] showed independently how to use elliptic
curves over finite fields for the design of cryptosystems. Such schemes contribute
to elliptic curve cryptography (ECC) and their security is based on the hardness
of the elliptic curve discrete logarithm problem (ECDLP). ECC offers high security
with smaller keys and more efficient implementations than traditional public key
cryptosystems such as RSA. ECC is increasingly used in industry for digital
signatures such as ECDSA [30], key agreement such as ECDH [7] and Bitcoin [29].
In 1991, Koyama et al. [20] proposed a new scheme called KMOV, by adapting
RSA to the elliptic curve with an equation $y^2 \equiv x^3 + b \pmod n$ over the ring
$\mathbb{Z}/n\mathbb{Z}$, where $n = pq$ is an RSA modulus satisfying
$p \equiv q \equiv 2 \pmod 3$. In KMOV, $b$ is computed during the encryption
process in terms of the plaintext $(x, y)$ as $b \equiv y^2 - x^3 \pmod n$. The main
property in KMOV is that $(p + 1)(q + 1)P = \mathcal{O}$ for any point $P$ of the
elliptic curve where $\mathcal{O}$ is the point at infinity.
In 1993, Demytko [11] proposed a variant of RSA where the elliptic curve with
the equation $y^2 \equiv x^3 + ax + b \pmod n$ over $\mathbb{Z}/n\mathbb{Z}$ is fixed.
The advantage of Demytko’s scheme over KMOV is that it uses only the
$x$-coordinate of the points of the elliptic curve. One of the common properties of
both schemes is that their security is based on the hardness of factoring large
composite integers.
In this paper, we propose a new RSA variant based on the elliptic curve with
the equation $y^2 = x^3 + ax$ over the ring $\mathbb{Z}/n\mathbb{Z}$ where $n = pq$
is an RSA modulus with $p = u_p^2 + v_p^2$, $q = u_q^2 + v_q^2$,
$u_p \equiv 3 \pmod 4$ and $u_q \equiv 3 \pmod 4$. The number of points of the
elliptic curve $y^2 = x^3 + ax$ over the finite field $\mathbb{F}_p$ is
$p + 1 - 2U_p$ with $U_p \in \{\pm u_p, \pm v_p\}$. Similarly, the number of points
of the same elliptic curve over $\mathbb{F}_q$ is $q + 1 - 2U_q$ with
$U_q \in \{\pm u_q, \pm v_q\}$.
The new scheme is a variant of both RSA and KMOV and works as follows.
The public exponent is an integer $e$ satisfying $\gcd(e, \psi(n)) = 1$ where

$$\psi(n) = (p + 1 - 2U_p)(q + 1 - 2U_q),$$

with $U_p \in \{\pm u_p, \pm v_p\}$, and $U_q \in \{\pm u_q, \pm v_q\}$. To encrypt a
message $m$, one generates a random integer $r$ with $1 \le r < n$, computes
$a = \frac{m^2 - r^3}{r} \pmod n$, and $C = (x_C, y_C) = e(r, m)$ on the elliptic
curve with equation $y^2 = x^3 + ax$ over the ring $\mathbb{Z}/n\mathbb{Z}$. The
point $C$ is then the encrypted message. To decrypt $C$, one first computes
$a \equiv \frac{y_C^2 - x_C^3}{x_C} \pmod n$ and the two values $U_p$ and $U_q$
such that

$$U_p = \begin{cases}
-u_p & \text{if } a^{\frac{p-1}{4}} \equiv 1 \pmod p,\\
u_p & \text{if } a^{\frac{p-1}{4}} \equiv -1 \pmod p,\\
v_p & \text{if } a^{\frac{p-1}{4}} \equiv \frac{u_p}{v_p} \pmod p,\\
-v_p & \text{if } a^{\frac{p-1}{4}} \equiv -\frac{u_p}{v_p} \pmod p,
\end{cases} \tag{1}$$

and

$$U_q = \begin{cases}
-u_q & \text{if } a^{\frac{q-1}{4}} \equiv 1 \pmod q,\\
u_q & \text{if } a^{\frac{q-1}{4}} \equiv -1 \pmod q,\\
v_q & \text{if } a^{\frac{q-1}{4}} \equiv \frac{u_q}{v_q} \pmod q,\\
-v_q & \text{if } a^{\frac{q-1}{4}} \equiv -\frac{u_q}{v_q} \pmod q.
\end{cases} \tag{2}$$

Using $U_p$ and $U_q$, one computes $\psi(n) = (p + 1 - 2U_p)(q + 1 - 2U_q)$, and
$d \equiv e^{-1} \pmod{\psi(n)}$. Finally, one computes the initial message
$(r, m) = d(x_C, y_C)$ on the elliptic curve with equation $y^2 = x^3 + ax$ over
the ring $\mathbb{Z}/n\mathbb{Z}$.
We study the security of the new scheme regarding the modulus $n$, the private
multiplier $d$ and the elliptic curve with an equation $y^2 \equiv x^3 + ax \pmod n$.
For the modulus $n = pq$, we study its resistance against factorization algorithms,
and its decomposition as the sum of two or four squares. We show that knowing the
order $\psi(n) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ with $U_p \in \{\pm u_p, \pm v_p\}$,
and $U_q \in \{\pm u_q, \pm v_q\}$ is not sufficient to factor $n$. For the private
multiplier $d$, we show that the attacks based on the continued fraction algorithm
or Coppersmith’s method are applicable only if $d < n^{0.133}$. For comparison,
the former techniques are applicable for RSA and KMOV when their private exponent
and multiplier $d'$ is such that $d' < n^{0.292}$. Finally, we study the discrete
logarithm problem for an elliptic curve with the equation
$y^2 \equiv x^3 + ax \pmod n$. We also study the isomorphism and the homomorphism
attacks and the way to overcome them.
The rest of the paper is organized as follows. In Section 2, we present three
results that will be used in the paper. In Section 3 and Section 4, we present the
theory of elliptic curves over a finite field Fp and a finite ring Z/nZ respectively.
In Section 5, we present the new scheme. In Section 6, we present a detailed
analysis of the security of the new scheme. We conclude the paper in Section 7.

2 Useful Lemmas
In this section, we present some results that will be convenient for the security
analysis of our new scheme.
Let $n = pq$ be an RSA modulus with balanced prime factors $p$ and $q$, typically,
$q < p < 2q$. The following result gives upper and lower bounds for $p$ and $q$ in
terms of $n$ [31].
Lemma 1. Let $n = pq$ be the product of two unknown integers such that
$q < p < 2q$. Then
$$\frac{\sqrt{2}}{2}\sqrt{n} < q < \sqrt{n} < p < \sqrt{2}\sqrt{n}.$$
In 1990, Wiener [45] showed that RSA with a public key $(n = pq, e)$ is insecure
if the private exponent $d$ satisfies $ed - k(p - 1)(q - 1) = 1$ with
$d < \frac{1}{3} n^{\frac{1}{4}}$. His method is based on the continued fraction
algorithm and makes use of the following result (Theorem 184 of [15]).
Theorem 1. Let $\xi$ be a real number. Let $a$ and $b$ be two positive integers
satisfying $\gcd(a, b) = 1$ and
$$\left|\xi - \frac{a}{b}\right| < \frac{1}{2b^2}.$$
Then $\frac{a}{b}$ is a convergent of the continued fraction expansion of $\xi$.
In 1996, Coppersmith [9] described a polynomial-time algorithm for finding
small solutions of univariate modular polynomial equations. The method is based
on lattice reduction. Since then, Coppersmith’s method has been extended to
solve modular polynomial equations with more variables, and has been used for
cryptanalysis, especially with regard to the RSA system. To illustrate this point,
Boneh and Durfee [6] presented an attack on RSA by transforming the RSA key
equation $ed - k(p - 1)(q - 1) = 1$ into the small inverse problem
$x(n + y) \equiv 1 \pmod e$. Using Coppersmith’s method, they improved Wiener’s
attack up to $d < N^{0.292}$.
The following result is a generalization of the method of Boneh and Durfee
for solving the small inverse problem (see [6,44,42]).

Lemma 2. Let $n$ and $e$ be two distinct integers of the same size. Let $x$ and
$y$ be two integers such that $|x| < n^{\delta}$, $|y| < n^{\beta}$, and
$x(n + y) \equiv 1 \pmod e$. If $\frac{1}{4} < \beta < 1$ and
$\delta < 1 - \sqrt{\beta}$, then one can find $x$ and $y$ in polynomial time.

3 Elliptic Curves over the Finite Field Fp

In this section, we present the main definitions and properties of elliptic curves.
For more properties, see [39,43,38,17].
Let $p$ be a prime number and $\mathbb{F}_p$ be the finite field with $p$ elements.
An elliptic curve $E$ over $\mathbb{F}_p$ is an algebraic curve with no singular
points, given by the Weierstrass equation

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,$$

where $a_i \in \mathbb{F}_p$ for $i \in \{1, 2, 3, 4, 6\}$. When $p \ge 5$, the
equation can be transformed into the short Weierstrass equation
$y^2 = x^3 + ax + b$, with nonzero discriminant
$\Delta = -16\left(4a^3 + 27b^2\right) \ne 0$. The set of points $P = (x, y)$
satisfying the equation, along with the infinity point $\mathcal{O}$, is denoted
$E(\mathbb{F}_p)$. The total number of points on $E(\mathbb{F}_p)$ is called the
order of $E$ and is denoted $\#E(\mathbb{F}_p)$. It is well known that
$\#E(\mathbb{F}_p)$ can be written as $\#E(\mathbb{F}_p) = p + 1 - t$ where $t$ is
bounded by the following result of Hasse: $0 \le |t| \le 2\sqrt{p}$. An addition
law is defined over $E(\mathbb{F}_p)$ using the chord-tangent method.
The following result is fundamental to find the exact value of #E(Fp ) for
specific elliptic curves (see Theorem 5, page 307, Section 4, Chapter 18 of [18]).

Theorem 2. Let $p = u_p^2 + v_p^2$ be a prime number with $p \equiv 1 \pmod 4$.
Let $a \in \mathbb{F}_p$ with $a \ne 0$. Consider the elliptic curve $E_p$ with
equation $y^2 = x^3 + ax$ over $\mathbb{F}_p$. Then
$$\#E(\mathbb{F}_p) = p + 1 - \overline{\left(\frac{-a}{\pi}\right)_4}\,\pi - \left(\frac{-a}{\pi}\right)_4 \overline{\pi},$$
where $\pi = u_p + i v_p \equiv 1 \pmod{(2 + 2i)}$, $i^2 = -1$, and
$\left(\frac{\alpha}{\pi}\right)_4 = \alpha^{\frac{p-1}{4}} \pmod{\pi}$ is
the biquadratic (or quartic) residue character of $\alpha$ modulo $\pi$.

The following result gives an explicit solution for
$\left(\frac{a}{\pi}\right)_4 \pmod{\pi}$ (see page 122, Proposition 9.8.2 of [18]).

Theorem 3. Let $p = u_p^2 + v_p^2$ be a prime number with $p \equiv 1 \pmod 4$.
Let $a \in \mathbb{F}_p$ with $a \ne 0$. Then
$$a^{\frac{p-1}{4}} \equiv \pm 1, \pm i \pmod{\pi},$$
where $\pi = u_p + i v_p$, $i^2 = -1$.
The following result is valid when the quartic residue character is computed
modulo $p$.
Lemma 3. Let $p = u_p^2 + v_p^2$ be a prime number with $p \equiv 1 \pmod 4$.
Let $a \in \mathbb{F}_p$ with $a \ne 0$. Then
$$a^{\frac{p-1}{4}} \equiv \pm 1, \pm u_p v_p^{-1} \pmod p.$$

Proof. Let $p = u_p^2 + v_p^2$ be a prime number. First, we have
$u_p^2 + v_p^2 \equiv 0 \pmod p$ and $\left(u_p v_p^{-1}\right)^2 \equiv -1 \pmod p$.
Next, let $a \in \mathbb{F}_p$ with $a \ne 0$. By Fermat’s Little Theorem, we have
$a^{p-1} \equiv 1 \pmod p$. Then $a^{\frac{p-1}{2}} \equiv 1 \pmod p$ or
$a^{\frac{p-1}{2}} \equiv -1 \pmod p$. If $a^{\frac{p-1}{2}} \equiv 1 \pmod p$, then
$a^{\frac{p-1}{4}} \equiv \pm 1 \pmod p$, and if
$a^{\frac{p-1}{2}} \equiv -1 \pmod p$, then
$$a^{\frac{p-1}{2}} \equiv \left(u_p v_p^{-1}\right)^2 \pmod p,$$
and $a^{\frac{p-1}{4}} \equiv \pm u_p v_p^{-1} \pmod p$. Summarizing, we have
$a^{\frac{p-1}{4}} \in \{\pm 1, \pm u_p v_p^{-1}\}$ modulo $p$. This terminates the
proof. □

In the following result, we give a simple proof for the estimation of
$\#E(\mathbb{F}_p)$ when $p \equiv 1 \pmod 4$. Alternative proofs can be found in
[43] (Section 4.4 p. 115) and [18] (Section 4 in Chapter 18).
Lemma 4. Let $p = u_p^2 + v_p^2$ be a prime number with $u_p = 4u + 3$ and
$v_p = 4v + 2$. For $a \in \mathbb{F}_p$ with $a \ne 0$, let $E_a(p)$ be the elliptic
curve with the equation $y^2 = x^3 + ax$ over $\mathbb{F}_p$. Then

$$\#E(\mathbb{F}_p) = \begin{cases}
p + 1 + 2u_p & \text{if } a^{\frac{p-1}{4}} \equiv 1 \pmod p,\\
p + 1 - 2u_p & \text{if } a^{\frac{p-1}{4}} \equiv -1 \pmod p,\\
p + 1 - 2v_p & \text{if } a^{\frac{p-1}{4}} \equiv \frac{u_p}{v_p} \pmod p,\\
p + 1 + 2v_p & \text{if } a^{\frac{p-1}{4}} \equiv -\frac{u_p}{v_p} \pmod p.
\end{cases}$$

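Proof. Let $p = u_p^2 + v_p^2$ with $u_p = 4u + 3$ and $v_p = 4v + 2$. We set
$p = \pi\overline{\pi}$ with $\pi = u_p + i v_p$. Then

$$\frac{p-1}{4} = 4u^2 + 4v^2 + 6u + 4v + 3,$$
and
$$\left(\frac{-1}{\pi}\right)_4 = (-1)^{\frac{p-1}{4}} = (-1)^3 = -1.$$

Also, we have

$$u_p + i v_p = 1 + (2 + 2i)(1 + u - v + i(v - u)) \equiv 1 \pmod{2 + 2i}.$$

We apply Theorem 2 to the elliptic curve with equation $y^2 = x^3 + ax$ over
$\mathbb{F}_p$. We get

$$\begin{aligned}
\#E(\mathbb{F}_p) &= p + 1 - \overline{\left(\frac{-a}{\pi}\right)_4}\,\pi - \left(\frac{-a}{\pi}\right)_4 \overline{\pi}\\
&= p + 1 - \overline{\left(\frac{-1}{\pi}\right)_4}\,\overline{\left(\frac{a}{\pi}\right)_4}\,\pi - \left(\frac{-1}{\pi}\right)_4 \left(\frac{a}{\pi}\right)_4 \overline{\pi}\\
&= p + 1 + \overline{\left(\frac{a}{\pi}\right)_4}\,\pi + \left(\frac{a}{\pi}\right)_4 \overline{\pi}.
\end{aligned}$$

Theorem 3 asserts that $a^{\frac{p-1}{4}} \equiv \pm 1, \pm u_p v_p^{-1} \pmod p$.
First, assume that $a^{\frac{p-1}{4}} \equiv 1 \pmod p$. Then
$a^{\frac{p-1}{4}} \equiv 1 \pmod{\pi}$ and

$$\#E(\mathbb{F}_p) = p + 1 + (u_p + i v_p) + (u_p - i v_p) = p + 1 + 2u_p.$$

Next, assume that $a^{\frac{p-1}{4}} \equiv -1 \pmod p$. Then
$a^{\frac{p-1}{4}} \equiv -1 \pmod{\pi}$ and

$$\#E(\mathbb{F}_p) = p + 1 - (u_p + i v_p) - (u_p - i v_p) = p + 1 - 2u_p.$$

Now, assume that $a^{\frac{p-1}{4}} \equiv -\frac{u_p}{v_p} \pmod p$. Since
$u_p + i v_p \equiv 0 \pmod{\pi}$, then $-u_p v_p^{-1} - i \equiv 0 \pmod{\pi}$ and
$-u_p v_p^{-1} \equiv i \pmod{\pi}$. Hence $a^{\frac{p-1}{4}} \equiv i \pmod{\pi}$
and
$$\#E(\mathbb{F}_p) = p + 1 - i(u_p + i v_p) + i(u_p - i v_p) = p + 1 + 2v_p.$$
Finally, assume that $a^{\frac{p-1}{4}} \equiv \frac{u_p}{v_p} \pmod p$. Then
$u_p v_p^{-1} \equiv -i \pmod{\pi}$ and $a^{\frac{p-1}{4}} \equiv -i \pmod{\pi}$,
which gives

$$\#E(\mathbb{F}_p) = p + 1 + i(u_p + i v_p) - i(u_p - i v_p) = p + 1 - 2v_p.$$

This terminates the proof. □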

4 Elliptic Curves over the Ring Z/nZ


In this section, we briefly describe the theory of elliptic curves over the ring
$\mathbb{Z}/n\mathbb{Z}$ where $n = pq$ is an RSA modulus (see [43], Section 2.11
and [25] for more details).
Let $a, b \in \mathbb{Z}/n\mathbb{Z}$ with $\gcd(4a^3 + 27b^2, n) = 1$. The elliptic
curve $E_n(a, b)$ is the set of points $P = (x, y)$ satisfying the equation
$y^2 = x^3 + ax + b \pmod n$, together with the point at infinity, denoted
$\mathcal{O}_n$. By the Chinese Remainder Theorem, the set $E_n(a, b)$ is isomorphic
to the direct sum $E_p(a, b) \oplus E_q(a, b)$ where $E_p(a, b)$ is the elliptic
curve with equation $y^2 = x^3 + ax + b \pmod p$ over $\mathbb{F}_p$ with the point
at infinity $\mathcal{O}_p$, and $E_q(a, b)$ is the elliptic curve with equation
$y^2 = x^3 + ax + b \pmod q$ over $\mathbb{F}_q$ with the point at infinity
$\mathcal{O}_q$. Hence, the point at infinity of $E_n(a, b)$ is
$\mathcal{O}_n = (\mathcal{O}_p, \mathcal{O}_q)$. The points of the form
$(\mathcal{O}_p, P_q)$ with $P_q \ne \mathcal{O}_q$ and of the form
$(P_p, \mathcal{O}_q)$ with $P_p \ne \mathcal{O}_p$ are semi-zero points, while
ordinary points are of the form $P = (P_p, P_q)$ with $P_p \ne \mathcal{O}_p$ and
$P_q \ne \mathcal{O}_q$. A group law can be given for $E_n(a, b)$ by the chord and
tangent addition law. However, the addition law is not always well-defined when
using analytical expressions since there are elements in $\mathbb{Z}/n\mathbb{Z}$
that are not invertible modulo $n$. To overcome this, the projective coordinates
$(x : y : z) \in \mathbb{P}^2(\mathbb{Z}_n)$ are used with the equation
$y^2 z = x^3 + axz^2 + bz^3 \pmod n$. Hence, for any point $P$ of the elliptic curve
$E_n(a, b)$, we have

$$\operatorname{lcm}(\#E_p(a, b), \#E_q(a, b)) \cdot P = \mathcal{O}_n.$$

In this paper, the arithmetic of the new scheme is based on the elliptic curve
$E_n(a, b)$ with $a \in \mathbb{Z}/n\mathbb{Z}$ and $b = 0$ where $n = pq$ with large
prime numbers. Consequently, the sum of two points of $E_n(a, 0)$ is defined with
overwhelming probability.
The following result gives an explicit value for the order $\#E_n(a, 0)$.
Theorem 4. Let $n = pq$ be an RSA modulus with $p = u_p^2 + v_p^2$,
$q = u_q^2 + v_q^2$, $u_p \equiv u_q \equiv 3 \pmod 4$ and
$v_p \equiv v_q \equiv 2 \pmod 4$. For $a \in \mathbb{Z}/n\mathbb{Z}$ with
$\gcd(a, n) = 1$, let $E_n(a)$ be the elliptic curve with the equation
$y^2 = x^3 + ax$ over $\mathbb{Z}/n\mathbb{Z}$. Then for any point $P$ on $E_n(a)$,
we have

$$(p + 1 - 2U_p)(q + 1 - 2U_q) \cdot P = \mathcal{O}_n,$$

where $U_p$ satisfies (1) and $U_q$ satisfies (2).

5 The New Scheme

In this section, we present the new scheme and give a small numerical example.

5.1 The new encryption scheme

Key generation.
1. Choose a size $l \ge 4096$ for the modulus to guarantee a security level of at
least 128.
2. Choose two large integers $u_1$ and $v_1$ of size $l/4$.
3. Compute $u_p = 4u_1 + 3$ and $v_p = 4v_1 + 2$.
4. Compute $p = u_p^2 + v_p^2$.
5. If $p$ is not prime, return to Step 2.
6. Choose two large integers $u_2$ and $v_2$ of size $l/4$.
7. Compute $u_q = 4u_2 + 3$ and $v_q = 4v_2 + 2$.
8. Compute $q = u_q^2 + v_q^2$.
9. If $q$ is not prime, return to Step 6.
10. Compute $n = pq$.
11. Choose an integer $e$ such that

$$\gcd\left(e, \left((p + 1)^2 - 4u_p^2\right)\left((q + 1)^2 - 4u_q^2\right)\right) = 1.$$

The pair $(n, e)$ represents the public key, and $(u_p, v_p, u_q, v_q)$ represents the
private key.
Encryption.
1. Generate a random integer $r \in \mathbb{Z}/n\mathbb{Z}$.
2. Use the message $y_M$ as $M = (r, y_M) \in \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$.
3. Compute $a \equiv \left(y_M^2 - r^3\right) r^{-1} \pmod n$. The elliptic curve
$E_n(a)$ is defined by the equation $y^2 \equiv x^3 + ax \pmod n$.
4. Compute $(x_C, y_C) = e(r, y_M)$ on $E_a(n)$. The point $(x_C, y_C)$ is the
encrypted message.
Decryption.
1. Compute $a \equiv \left(y_C^2 - x_C^3\right) x_C^{-1} \pmod n$. The elliptic
curve $E_a(n)$ is defined by the equation $y^2 \equiv x^3 + ax \pmod n$.
2. Compute $U_p$ by one of the formulae (1), and $U_q$ by one of the formulae (2).
3. Compute $\varphi(a, n) = (p + 1 - 2U_p)(q + 1 - 2U_q)$.
4. Compute $d \equiv e^{-1} \pmod{\varphi(a, n)}$.
5. Compute $M = (r, y_M) = d(x_C, y_C)$ on $E_n(a)$. The point $(r, y_M)$ is the
original message.
The role of the random integer $r$ is to serve as the $x$-coordinate of $M$ on the
elliptic curve with the equation $y^2 \equiv x^3 + ax \pmod n$. If the same message
$y_M$ is encrypted twice, this yields two different couples $(r, y_M)$ and
$(r', y_M)$, two values $a \equiv \left(y_M^2 - r^3\right) r^{-1} \pmod n$ and
$a' \equiv \left(y_M^2 - r'^3\right) r'^{-1} \pmod n$, and then two elliptic curves
with different equations.

5.2 Numerical Example

The following is a numerical example with small integers demonstrating the
system parameters and a pair of plaintext-ciphertext.

$u_1 = 3253473156$, $v_1 = 3239617290$,
$u_p = 4u_1 + 3 = 13013892627$, $v_p = 4v_1 + 2 = 12958469162$,
$p = u_p^2 + v_p^2 = 337283324329589943373$,
$u_2 = 4133795239$, $v_2 = 4069844016$,
$u_q = 4u_2 + 3 = 16535180959$, $v_q = 4v_2 + 2 = 16279376066$,
$q = u_q^2 + v_q^2 = 538430294445129796037$,
$n = pq = 181603559630213323475279432919469869812801$,
$e = 233$,
$r = 276576193905959805653341$,
$y_M = 24123988022450690140866$.

Then, one can compute the following parameters

$a \equiv \frac{y_M^2 - r^3}{r} \pmod n = 124892799480186717332460335305220886752546$,
$C = e(r, y_M) = (x_C, y_C)$,
$x_C = 9895932661554916108079613524266560686478$,
$y_C = 174838551993023162117462165695082973280827$,
$a^{\frac{p-1}{4}} \equiv 1 \pmod p$, hence $U_p = -u_p$,
$a^{\frac{q-1}{4}} \equiv -1 \pmod q$, hence $U_q = u_q$,
$\varphi(a, n) = (p + 1 - 2U_p)(q + 1 - 2U_q) = 181603559633073389948874511533493403987360$,
$d \equiv e^{-1} \pmod{\varphi(a, n)} = 35073648856172972307722545145953661714297$,
$m = d(x_C, y_C) = (r, y_M)$,

which shows that the decryption is correct.
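
The key generation, encryption and decryption steps of Section 5.1, run on the parameters of Section 5.2, as an added Python example (not the authors' code). Function names are this example's own, $p$ and $q$ are assumed prime as the page states, and plain affine formulas stand in for the projective coordinates mentioned in Section 4.

```python
"""Toy walk-through of the scheme of Section 5.1 on the Section 5.2 numbers.
Added illustration only: names are this example's own, and the affine
arithmetic below is neither constant-time nor otherwise hardened."""

# Parameters printed in Section 5.2 of the page.
U1, V1 = 3253473156, 3239617290
U2, V2 = 4133795239, 4069844016
E = 233
R = 276576193905959805653341
YM = 24123988022450690140866
# Ciphertext printed in Section 5.2, kept for comparison in the demo below.
PAGE_C = (9895932661554916108079613524266560686478,
          174838551993023162117462165695082973280827)


def keygen(u1, v1, u2, v2):
    """Steps 3-10 of key generation; primality of p and q is taken from the page."""
    up, vp = 4 * u1 + 3, 4 * v1 + 2
    uq, vq = 4 * u2 + 3, 4 * v2 + 2
    p, q = up * up + vp * vp, uq * uq + vq * vq
    return p * q, (up, vp, uq, vq)


def ec_add(P, Q, a, n):
    """Chord-and-tangent addition on y^2 = x^3 + a*x over Z/nZ (None = infinity).
    pow(..., -1, n) raises ValueError on a non-invertible denominator, the
    semi-zero case that Section 4 describes as overwhelmingly unlikely."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % n, -1, n) % n
    else:
        lam = (y2 - y1) * pow((x2 - x1) % n, -1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return x3, (lam * (x1 - x3) - y1) % n


def ec_mul(k, P, a, n):
    """Double-and-add scalar multiplication k*P."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return result


def trace_term(a, u, v, prime):
    """U_p (or U_q) from formulae (1)/(2), read off a^((p-1)/4) mod p."""
    t = pow(a, (prime - 1) // 4, prime)
    w = u * pow(v, -1, prime) % prime          # u/v mod p, a square root of -1
    return {1: -u, prime - 1: u, w: v, prime - w: -v}[t]


def curve_coeff(x, y, n):
    """a = (y^2 - x^3) / x mod n: the ephemeral curve passing through (x, y)."""
    return (y * y - x ** 3) * pow(x, -1, n) % n


def curve_order(a, sk):
    """(p + 1 - 2*U_p) * (q + 1 - 2*U_q) for the curve with coefficient a."""
    up, vp, uq, vq = sk
    p, q = up * up + vp * vp, uq * uq + vq * vq
    return ((p + 1 - 2 * trace_term(a, up, vp, p))
            * (q + 1 - 2 * trace_term(a, uq, vq, q)))


def encrypt(r, ym, e, n):
    """Encryption steps 2-4: C = e * (r, yM) on the curve fixed by (r, yM)."""
    return ec_mul(e, (r, ym), curve_coeff(r, ym, n), n)


def decrypt(c, e, n, sk):
    """Decryption steps 1-5; pow raises ValueError if e is not invertible."""
    a = curve_coeff(c[0], c[1], n)
    d = pow(e, -1, curve_order(a, sk))
    return ec_mul(d, c, a, n)


N, SK = keygen(U1, V1, U2, V2)

if __name__ == "__main__":
    c = encrypt(R, YM, E, N)
    print("ciphertext equals the Section 5.2 values:", c == PAGE_C)
    print("round trip recovers (r, yM):", decrypt(c, E, N, SK) == (R, YM))
    print("same yM with r + 1 gives a different curve:",
          curve_coeff(R, YM, N) != curve_coeff(R + 1, YM, N))
```

The private multiplier $d$ is recomputed inside `decrypt` for every ciphertext, because the order depends on the ephemeral coefficient $a$.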

5.3 The new signature scheme


The encryption scheme can be transformed easily into a signature scheme using
a hash function Hash as follows.
– Key generation. The key generation scheme is similar to that of the
encryption scheme 5.1.
– Encryption.
1. Generate a random integer $r \in \mathbb{Z}/n\mathbb{Z}$.
2. Represent the message as $M = (r, y_M) \in \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$.
3. Compute $a \equiv \left(y_M^2 - r^3\right) r^{-1} \pmod n$. The elliptic curve
$E_n(a)$ is defined by the equation $y^2 \equiv x^3 + ax \pmod n$.
4. Compute $(x_C, y_C) = e(r, y_M)$ on $E_a(n)$. The point $(x_C, y_C)$ is the
encrypted message.
5. Compute the signature $s = \mathrm{Hash}(r \| y_M)$.
– Decryption.
1. Compute $a \equiv \left(y_C^2 - x_C^3\right) x_C^{-1} \pmod n$. The elliptic
curve $E_a(n)$ is defined by the equation $y^2 \equiv x^3 + ax \pmod n$.
2. Compute $U_p$ by one of the formulae (1), and $U_q$ by one of the formulae (2).
3. Compute $\varphi(a, n) = (p + 1 - 2U_p)(q + 1 - 2U_q)$.
4. Compute $d \equiv e^{-1} \pmod{\varphi(a, n)}$.
5. Compute $M = (r, y_M) = d(x_C, y_C)$ on $E_n(a)$.
6. Compute $s' = \mathrm{Hash}(r \| y_M)$.
7. Accept the message if $s' = s$.
As in the encryption scheme, the random number $r$ serves as the $x$-coordinate
of the point $M = (r, y_M)$ on the elliptic curve with the equation
$y^2 \equiv x^3 + ax \pmod n$. Note that $r$ is random, which implies that the
signature scheme is probabilistic.

6 Security Analysis
6.1 Resistance against factorization methods
When $p$ and $q$ are sufficiently large, factoring the RSA modulus $n = pq$ is
believed to be hard for all current known factorization algorithms (see [5,3]).
Indeed, Pollard’s rho method is not effective since its run time is
$O\left(\sqrt{p}\,(\log(n))^2\right)$ and depends on the size of the prime number
$p$ found. This is similar for Lenstra’s Elliptic Curve Method (ECM) for which the
run time is $O\left(\exp\left(\sqrt{2}\sqrt{\ln p \ln\ln p}\right)\right)$.
The Number Field Sieve [26] is also ineffective for large primes $p$ and $q$. Its
run time is
$O\left(\exp\left(c\sqrt[3]{\ln n}\,\sqrt[3]{(\ln\ln n)^2}\right)\right)$ where $c$
is a constant.

6.2 Resistance against decomposition as sum of two squares


It is well known that if $n = pq$ with $p \equiv q \equiv 1 \pmod 4$, then $n$ can
be expressed as the sum of two squares as $n = x^2 + y^2$. In the new scheme, the
modulus is in the form $n = pq = \left(u_p^2 + v_p^2\right)\left(u_q^2 + v_q^2\right)$.
Then, the Brahmagupta-Fibonacci identity expresses $n$ as a sum of two squares in
two different ways, namely

$$n = (u_p u_q - v_p v_q)^2 + (u_p v_q + v_p u_q)^2 = (u_p u_q + v_p v_q)^2 + (u_p v_q - v_p u_q)^2.$$

Euler observed that if $n = x_1^2 + y_1^2 = x_2^2 + y_2^2$ with
$x_1 \equiv x_2 \equiv 0 \pmod 2$ and $x_1 \ne \pm x_2 \pmod n$, then
$$n = \left(\frac{r^2}{4} + \frac{u^2}{4}\right)\left(s^2 + t^2\right),$$
where
$$r = \gcd(x_1 - x_2, y_2 - y_1), \quad u = \gcd(x_1 + x_2, y_2 + y_1), \quad s = \frac{x_1 - x_2}{r}, \quad t = \frac{y_2 - y_1}{r}.$$
On the other hand, we have
$\left(x_1 y_1^{-1}\right)^2 \equiv \left(x_2 y_2^{-1}\right)^2 \equiv -1 \pmod n$. It
follows that decomposing $n$ as the sum of two squares in two different ways will
give a solution to the equation $t_1^2 \equiv t_2^2 \pmod n$ with
$t_1 \ne \pm t_2 \pmod n$, and two solutions of the congruence
$t^2 \equiv -1 \pmod n$. This is known to be equivalent to factoring $n$ as in the
quadratic sieve factoring algorithm [35] and in Rabin’s cryptosystem [36].
It is also known that by applying the continued fraction algorithm to $\sqrt{n}$,
it is possible to find one representation of $n$ (see [12]) as $n = x^2 + y^2$. This
leads to one of the systems

$$\begin{cases} u_p u_q - v_p v_q = x,\\ u_p v_q + v_p u_q = y, \end{cases} \qquad \begin{cases} u_p u_q + v_p v_q = x,\\ u_p v_q - v_p u_q = y. \end{cases}$$

This is not sufficient to solve either of the two systems. Consequently, the
representation of $n$ as a sum of two squares by the continued fraction method is
not sufficient to factor it.

6.3 Resistance against decomposition as sum of four squares

Lagrange’s four-square theorem states that every positive integer $n$ is the sum
of four squares (Theorem 369 in [15]), that is $n = x_1^2 + x_2^2 + x_3^2 + x_4^2$.
The number of decompositions of $n$ as such a sum is denoted $r_4(n)$, and for odd
$n$, Jacobi’s four-square theorem gives (Proposition 17.7.2 of [15])
$r_4(n) = 8 \sum_{m \mid n} m$. For the modulus
$n = pq = \left(u_p^2 + v_p^2\right)\left(u_q^2 + v_q^2\right)$, a specific
decomposition as sum of four squares is

$$n = (u_p u_q)^2 + (u_p v_q)^2 + (v_p u_q)^2 + (v_p v_q)^2.$$

Conversely, let $n = x_1^2 + x_2^2 + x_3^2 + x_4^2$ be a decomposition of $n$ leading
to the factorization $n = pq = \left(u_p^2 + v_p^2\right)\left(u_q^2 + v_q^2\right)$.
Then

$$u_p u_q = |x_1|, \quad u_p v_q = |x_2|, \quad v_p u_q = |x_3|, \quad v_p v_q = |x_4|,$$

from which we get

$$\gcd(|x_1|, |x_2|) = \gcd(u_p u_q, u_p v_q) = u_p \gcd(u_q, v_q) = u_p.$$

Similarly, we have

$$v_p = \gcd(|x_3|, |x_4|), \quad u_q = \gcd(|x_1|, |x_3|), \quad v_q = \gcd(|x_2|, |x_4|).$$

As the decomposition of $p = u_p^2 + v_p^2$ with positive integers $u_p$ and $v_p$
satisfying $u_p \equiv 3 \pmod 4$ is unique, then $p$ can be decomposed as
$p = r^2 + s^2$ with integers $r$ and $s$ in eight ways, namely

$$p = (\pm u_p)^2 + (\pm v_p)^2 = (\pm v_p)^2 + (\pm u_p)^2.$$

This is also true for $q$. Consequently, among the representations of $n$ as a sum
of four squares $n = x_1^2 + x_2^2 + x_3^2 + x_4^2$, only 64 decompositions can lead
to the factorisation of $n$ by using

$$u_p u_q = |x_1|, \quad u_p v_q = |x_2|, \quad v_p u_q = |x_3|, \quad v_p v_q = |x_4|.$$

This is negligible compared to $r_4(n) = 8(1 + p + q + n)$, the number of
decompositions of a large modulus $n = pq$ as the sum of four squares.

6.4 Resistance against solving the order

In RSA, it is well known that solving Euler’s totient function
$\varphi(n) = (p - 1)(q - 1)$ is equivalent to factoring $n = pq$. This is also true
for solving the order $N_n = (p + 1)(q + 1)$ in the KMOV system. For an elliptic
curve $E$ over a finite ring $\mathbb{Z}/n\mathbb{Z}$ with an RSA modulus $n$,
Martin et al. [27] proved that computing the order $\#E$ is as difficult as
factoring $n$. Moreover, for our scheme, we have the following facts.
Let $a \in \mathbb{Z}/n\mathbb{Z}$ be fixed. In our scheme, the order of the
elliptic curve $E_n(a)$ is of the form
$$\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q),$$
with $U_p \in \{\pm u_p, \pm v_p\}$ and $U_q \in \{\pm u_q, \pm v_q\}$. Assume that
the factorization of $n$ is known. Then one can compute
$\#E_p(a) = p + 1 - 2U_p$ and $\#E_q(a) = q + 1 - 2U_q$ by a specific algorithm to
determine the order of an elliptic curve over a finite field such as the
Schoof-Elkies-Atkin algorithm [1]. This implies that
$\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ can be computed. Conversely, assume that
$\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ is known where
$U_p \in \{\pm u_p, \pm v_p\}$ and $U_q \in \{\pm u_q, \pm v_q\}$. Let
$V_p \in \{v_p, u_p\}$ and $V_q \in \{v_q, u_q\}$ such that

$$V_p^2 = p - U_p^2, \quad V_q^2 = q - U_q^2.$$

Assume that $u_p$ and $v_p$ are of the same size so that $u_p < 2v_p$ and
$v_p < 2u_p$. Then, if $U_p = \pm u_p$, we get $V_p = v_p$, and

$$p = U_p^2 + V_p^2 = u_p^2 + v_p^2 < 5v_p^2 = 5V_p^2.$$

Also, if $U_p = \pm v_p$, we get $V_p = u_p$, and

$$p = U_p^2 + V_p^2 = v_p^2 + u_p^2 < 5v_p^2 = 5U_p^2.$$

Hence, using Lemma 1, we get

$$\min\left(U_p^2, V_p^2\right) > \frac{p}{5} > \frac{\sqrt{n}}{5}.$$
Similarly, assuming that $u_q$ and $v_q$ are of the same size with $u_q < 2v_q$ and
$v_q < 2u_q$, we get
$$\min\left(U_q^2, V_q^2\right) > \frac{q}{5} > \frac{\sqrt{2}\sqrt{n}}{10}.$$
As a consequence, we have

$$p + 1 - 2U_p = (U_p - 1)^2 + V_p^2 > V_p^2 > \frac{\sqrt{n}}{5},$$
and
$$q + 1 - 2U_q = (U_q - 1)^2 + V_q^2 > V_q^2 > \frac{\sqrt{2}\sqrt{n}}{10}.$$
Combining the former inequalities, we get
$$(p + 1 - 2U_p)(q + 1 - 2U_q) > \frac{\sqrt{n}}{5} \cdot \frac{\sqrt{2}\sqrt{n}}{10} = \frac{\sqrt{2}}{50}\, n. \tag{3}$$
This implies that the order $\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ is
sufficiently large and there is no efficient method to factor it. Hence, finding
$p$ and $q$ is not feasible in general.
It is important to notice that the work of Kunihiro and Koyama [22] on the
equivalence between factoring $n$ and counting the number of points on elliptic
curves over $\mathbb{Z}/n\mathbb{Z}$ does not apply when the order
$\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ is known for a fixed $a$. The reason is
that in [22] an oracle is needed that counts the number of points on every elliptic
curve over $\mathbb{Z}/n\mathbb{Z}$, while, in our situation, just
$\#E_n(a) = (p + 1 - 2U_p)(q + 1 - 2U_q)$ is known.

6.5 Resistance against small private exponent attacks

The main small private exponent attacks on RSA are based on the key equation
$ed' - k'(p - 1)(q - 1) = 1$. Wiener’s attack is based on the continued fraction
algorithm which exploits the approximation
$(p - 1)(q - 1) = n + 1 - p - q \approx n$. It leads to the factorization of $n$
under the condition $d' < \frac{1}{3} n^{\frac{1}{4}}$. The attack of Boneh and
Durfee is based on Coppersmith’s method and exploits the existence of a small
solution $(x, k')$ to the modular equation $k'(n + 1 - x) \equiv 1 \pmod e$. It
works for $d' < n^{0.292}$.
In the following, we show that the private exponent $d$ in our scheme can be
small enough without undermining its security. Typically, it should be larger
than $n^{0.133}$ while it should be larger than $n^{0.292}$ for RSA.
Lemma 5. Let $n = pq$ be an RSA modulus with $p = u_p^2 + v_p^2$,
$q = u_q^2 + v_q^2$, $u_p \equiv u_q \equiv 3 \pmod 4$, $u_p \approx v_p$, and
$u_q \approx v_q$. If $d$ satisfies the key equation
$ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1$ where $U_p \in \{\pm u_p, \pm v_p\}$ and
$U_q \in \{\pm u_q, \pm v_q\}$, then
$$|ed - kn| < 7k(2n)^{\frac{3}{4}}.$$

Proof. Rewrite the key equation in the form

$$ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1,$$

with $U_p \in \{\pm u_p, \pm v_p\}$, $U_q \in \{\pm u_q, \pm v_q\}$. We have

$$(p + 1 - 2U_p)(q + 1 - 2U_q) = n + p(1 - 2U_q) + q(1 - 2U_p) + (1 - 2U_p)(1 - 2U_q).$$

Then
$$\begin{aligned}
|ed - kn| &= |k(p + 1 - 2U_p)(q + 1 - 2U_q) + 1 - kn|\\
&= |k((p + 1 - 2U_p)(q + 1 - 2U_q) - n) + 1|\\
&= |k(p(1 - 2U_q) + q(1 - 2U_p) + (1 - 2U_p)(1 - 2U_q)) + 1|\\
&\le kp|1 - 2U_q| + kq|1 - 2U_p| + k|1 - 2U_p||1 - 2U_q| + 1.
\end{aligned}$$

Suppose that $u_p$ and $v_p$ are of the same bit-size so that $u_p < 2v_p$ and
$v_p < 2u_p$. Then
$$\max(u_p, v_p)^2 < 2u_p v_p < u_p^2 + v_p^2 = p.$$
Hence
$$\max(u_p, v_p) < \sqrt{p},$$
from which we deduce

$$|1 - 2U_p| \le 2|U_p| + 1 < 2\sqrt{p} + 1 < 3\sqrt{p}. \tag{4}$$

Similarly, we get
$$|1 - 2U_q| < 3\sqrt{q}. \tag{5}$$
This leads to

$$\begin{aligned}
|ed - kn| &\le kp|1 - 2U_q| + kq|1 - 2U_p| + k|1 - 2U_p||1 - 2U_q| + 1\\
&< 3kp\sqrt{q} + 3kq\sqrt{p} + 9k\sqrt{p}\sqrt{q} + 1\\
&< 3kp\sqrt{p} + 3kp\sqrt{p} + 9k\sqrt{p}\sqrt{q} + 1\\
&< 6kp\sqrt{p} + 10k\sqrt{p}\sqrt{q}\\
&< 7kp\sqrt{p},
\end{aligned}$$
where we used $10k\sqrt{p}\sqrt{q} + 1 < kp\sqrt{p}$ which is valid since
$10\sqrt{q} < p$. Using Lemma 1, we get
$$|ed - kn| < 7kp\sqrt{p} < 7k(2n)^{\frac{3}{4}}.$$
This terminates the proof. □
The following result shows that, in regard to Wiener’s attack, the private
exponent $d$ can be very small in our scheme compared to the private exponent in
RSA.

Theorem 5. Let $n = pq$ be an RSA modulus with $p = u_p^2 + v_p^2$,
$q = u_q^2 + v_q^2$ and $u_p \equiv u_q \equiv 3 \pmod 4$. Let $e$ be a public
exponent such that $e < (p + 1 - 2U_p)(q + 1 - 2U_q)$ with
$U_p \in \{\pm u_p, \pm v_p\}$, and $U_q \in \{\pm u_q, \pm v_q\}$. If $d$ satisfies
the equation $ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1$ with
$d < \frac{\sqrt{2}}{4} n^{\frac{1}{8}}$, then one can find $d$ and $k$ in
polynomial time.

Proof. The key equation is in the form

$$ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1,$$

with $U_p \in \{\pm u_p, \pm v_p\}$, and $U_q \in \{\pm u_q, \pm v_q\}$. Then, Lemma 5
gives

$$|ed - kn| < 7k(2n)^{\frac{3}{4}}.$$

Dividing by $nd$, we get

$$\left|\frac{e}{n} - \frac{k}{d}\right| < \frac{7k(2n)^{\frac{3}{4}}}{nd}. \tag{6}$$

Using the key equation $ed - k(p + 1 - 2U_p)(q + 1 - 2U_q) = 1$, we get

$$k(p + 1 - 2U_p)(q + 1 - 2U_q) = ed - 1 < ed.$$

Then
$$\frac{k}{d} < \frac{e}{(p + 1 - 2U_p)(q + 1 - 2U_q)}.$$
Assuming $e < (p + 1 - 2U_p)(q + 1 - 2U_q)$, this implies that $k < d$. Then (6)
implies
$$\left|\frac{e}{n} - \frac{k}{d}\right| < \frac{7(2n)^{\frac{3}{4}}}{n}.$$
The solutions in $d$ of the inequality
$\frac{7(2n)^{\frac{3}{4}}}{n} < \frac{1}{2d^2}$ satisfy
$$d < \frac{1}{\sqrt{14 \cdot 2^{\frac{3}{4}}}}\, n^{\frac{1}{8}}.$$
For such solutions, we have
$$\left|\frac{e}{n} - \frac{k}{d}\right| < \frac{1}{2d^2}.$$

This implies that $\frac{k}{d}$ can be found amongst the convergents of the
continued fraction expansion of $\frac{e}{n}$. Since the continued fraction
algorithm computes the convergents of $\frac{e}{n}$ with complexity $O(\log(n))$,
then one finds $k$ and $d$ in polynomial time. □
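
The continued-fraction step in the proof of Theorem 5, checked numerically on the modulus and curve order printed in Section 5.2, as an added Python example (not the authors' code). The small multiplier `d` is constructed for the demonstration, function names are this example's own, and the closeness test uses the bound $7(2n)^{3/4}$ from Lemma 5.

```python
"""Numerical check of the continued-fraction argument in the proof of
Theorem 5. Added illustration; the small multiplier is a constructed value."""
from itertools import count
from math import gcd

# Values printed in Section 5.2 of the page.
N = 181603559630213323475279432919469869812801
PSI = 181603559633073389948874511533493403987360   # order of that one curve


def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    k0, k1 = 0, 1
    d0, d1 = 1, 0
    while den:
        quo, rem = divmod(num, den)
        k0, k1 = k1, quo * k1 + k0
        d0, d1 = d1, quo * d1 + d0
        yield k1, d1
        num, den = den, rem


def within_lemma5(order, n):
    """|order - n| < 7 * (2n)^(3/4), compared through exact fourth powers."""
    return (order - n) ** 4 < 7 ** 4 * (2 * n) ** 3


def below_proof_bound(d, n):
    """d < n^(1/8) / sqrt(14 * 2^(3/4)), compared through exact eighth powers."""
    return d ** 8 * 14 ** 4 * 2 ** 3 < n


def candidate_multipliers(n, e):
    """Convergents k/d of e/n for which (e*d - 1)/k is an integer close to n.
    These are necessary conditions only: a candidate order still has to be
    confirmed, for instance by checking that it sends a curve point to infinity."""
    found = []
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        order = (e * d - 1) // k
        if within_lemma5(order, n):
            found.append((k, d, order))
    return found


def small_multiplier(order, start=10007):
    """Constructed test value: the first d >= start that is invertible mod order."""
    return next(d for d in count(start) if gcd(d, order) == 1)


if __name__ == "__main__":
    d = small_multiplier(PSI)
    e = pow(d, -1, PSI)                 # public exponent that pairs with this d
    print("d below the bound from the proof:", below_proof_bound(d, N))
    for k, cand_d, order in candidate_multipliers(N, e):
        print("k =", k, " d =", cand_d, " order recovered:", order == PSI)
```

A key-generation routine can use the same test in reverse and reject any exponent $e$ whose multiplier on a sample curve falls under the bound; as Remark 1 notes, recovering $d$ and the order this way still does not yield $p$ and $q$.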
The following result makes use of lattice reduction techniques.
Theorem 6. Let n = pq be an RSA modulus with p = u2p + vp2 , q = u2q + vq2 and
up ≡ uq ≡ 3 (mod 4). Let e be a public exponent such that e < (p + 1 − 2Up )(q +
1 − 2Uq ) with Up ∈ {±up , ±vp }, and Uq ∈ {±uq , ±vq }. If d satisfies the equation
ed − k(p + 1 − 2Up )(q + 1 − 2Uq ) = 1 with d < n0.133 , then one can find d and k
in polynomial time.
Proof. Since d satisfies an equation of the form ed−k(p+1−2Up )(q+1−2Uq ) = 1,
with Up ∈ {±up , ±vp }, Uq ∈ {±uq , ±vq }, we rewrite

(p + 1 − 2Up )(q + 1 − 2Uq ) = n + p(1 − 2Uq ) + q(1 − 2Up ) + (1 − 2Up )(1 − 2Uq )
= n − s,

where s = −p(1 − 2Uq ) − q(1 − 2Up ) − (1 − 2Up )(1 − 2Uq ). Then the key equation
can be transformed into the modular equation

(−k)(n − s) ≡ 1 (mod e). (7)

We set the bound k < X = eδ for some δ > 0. On the other hand, we have

|s| = |p(1 − 2Uq ) + q(1 − 2Up ) + (1 − 2Up )(1 − 2Uq )|


≤ p|1 − 2Uq | + q|1 − 2Up | + |1 − 2Up ||1 − 2Uq |.

Using (4) and (5), and combining with Lemma 1, we get


√ √ √ √ 3
|s| < 3p q + 3q p + 9 pq < 7p p < 7(2n) 4 .
16 Maher Boudabra and Abderrahmane Nitaj

3
Then, we set the bound |s| < Y = 7(2n) 4 = nβ with β ≈ 34 . Now, we can apply
Lemma 2 to the equation (7). Itq
allows to find k and s in polynomial time under

the condition δ < 1 − β = 1 − 34 ≈ 0.133. Using k and s, one can find d since
k(n−s)+1
d= e . t
u
Remark 1. The bound on $d$ in Theorem 6 is slightly better than the bound in Theorem 5. In both cases, one can find $d$ and $k$, which gives

$$(p + 1 - 2U_p)(q + 1 - 2U_q) = \frac{ed - 1}{k},$$

with $U_p \in \{\pm u_p, \pm v_p\}$, $U_q \in \{\pm u_q, \pm v_q\}$. By 3, we know that $(p + 1 - 2U_p)(q + 1 - 2U_q) > \frac{\sqrt{2}}{50}\, n$. This is large enough, and in general is hard to factor when n is large. Consequently, the method described in [32] to extract p and q cannot be applied. As a consequence, finding p and q by the continued fraction method, or by lattice reduction techniques when the multiplier d is small, is infeasible.
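The continued-fraction recovery from the proof of Theorem 5, together with the quantity $(ed - 1)/k$ of Remark 1, as an added example (not code from the paper). The toy primes, the choice $U_p = u_p$, $U_q = u_q$, the exponent d = 101 and all function names are constructed for illustration; the acceptance test reuses the bound $|s| < 7(2n)^{3/4}$ from the proof of Theorem 6.

```python
from math import gcd, isqrt

def is_prime(m):
    """Trial division; adequate for the ~40-bit constructed primes below."""
    return m > 2 and m % 2 == 1 and all(m % i for i in range(3, isqrt(m) + 1, 2))

def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    k0, k1, d0, d1 = 0, 1, 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        k0, k1, d0, d1 = k1, a * k1 + k0, d1, a * d1 + d0
        yield k1, d1

def theorem5_bound(n):
    """Bound on d from the proof of Theorem 5: n^(1/8) / sqrt(14 * 2^(3/4))."""
    return n ** 0.125 / (14 * 2 ** 0.75) ** 0.5

def recover(e, n):
    """Use only the public key (n, e): test each convergent k/d of e/n.

    Accept when psi = (e*d - 1)/k is an integer and |n - psi| = |s| stays
    below 7(2n)^(3/4). Returns (d, k, psi) or None.
    """
    limit = 7 * (2 * n) ** 0.75
    for k, d in convergents(e, n):
        if k and (e * d - 1) % k == 0 and abs(n - (e * d - 1) // k) < limit:
            return d, k, (e * d - 1) // k
    return None

def toy_key(d_start):
    """Constructed toy key (not from the paper) with a chosen small odd d."""
    u_p, v_p, u_q, v_q = 1000003, 700000, 800003, 600000  # u_p = u_q = 3 mod 4
    while not is_prime(u_p**2 + v_p**2):   # v stays even, so the sum is odd
        v_p += 2
    while not is_prime(u_q**2 + v_q**2):
        v_q += 2
    p, q = u_p**2 + v_p**2, u_q**2 + v_q**2
    psi = (p + 1 - 2 * u_p) * (q + 1 - 2 * u_q)  # choice U_p = u_p, U_q = u_q
    d = d_start | 1
    while gcd(d, psi) != 1:
        d += 2
    return p * q, pow(d, -1, psi), d, psi

N, E, D, PSI = toy_key(101)  # d is well below theorem5_bound(N), about 216

if __name__ == "__main__":
    print(recover(E, N))
```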

6.6 Resistance against discrete logarithm problem


The elliptic curve discrete logarithm problem (ECDLP) over a finite field $\mathbb{F}_p$ is the following computational problem: Given an elliptic curve E over $\mathbb{F}_p$ and two points $P, Q \in E(\mathbb{F}_p)$, find an integer x, if any, such that Q = xP in E. ECDLP is still resistant to several non-quantum algorithms and is behind the security of elliptic curve cryptography (see [14] for more details).
For an elliptic curve defined over a finite ring such as Z/nZ where n = pq is an RSA modulus, the elliptic curve discrete logarithm problem can be solved if one knows p and q and if one can solve ECDLP in both $E(\mathbb{F}_p)$ and $E(\mathbb{F}_q)$. Hence, solving ECDLP on E(Z/nZ) is more difficult. This problem is used to build several elliptic curve based cryptosystems [20,11,19,24,33].
One more crucial fact in our scheme is that a new elliptic curve is generated each time a message is encrypted. This makes any generic or global discrete logarithm attack on our scheme infeasible.

6.7 Resistance against isomorphism and homomorphism attacks


Let $E_n(a)$ and $E_n(a')$ be two elliptic curves with equations $y^2 \equiv x^3 + ax \pmod n$ and $y^2 \equiv x^3 + a'x \pmod n$, arising from our scheme. Then $E_n(a)$ and $E_n(a')$ are isomorphic if and only if $a' = u^4 a$ for some $u \in$ Z/nZ. As in KMOV [20], it is possible to launch an isomorphism attack on our scheme. Moreover, the encryption and decryption are homomorphic, that is

$$\mathrm{enc}(m_1 + m_2) = \mathrm{enc}(m_1) + \mathrm{enc}(m_2), \quad \text{and} \quad \mathrm{dec}(c_1 + c_2) = \mathrm{dec}(c_1) + \mathrm{dec}(c_2),$$

when using the same elliptic curve. Also, it is possible to launch a homomorphism attack on our scheme, similar to that on KMOV. To overcome the isomorphism as well as the homomorphism attack, a hash function should be applied as shown in the signature scheme 5.3. This is sufficient to make the new scheme immune against the two kinds of attacks.

6.8 Other attacks


There are more attacks in the literature that are related to some elliptic variants
of RSA.
In [2], Bleichenbacher proposed four attacks on KMOV when one of the
following situations is satisfied.
1. The ciphertext and half of the plaintext are known.
2. Three encryptions of the same message are encrypted with distinct public
keys.
3. Six encryptions of linearly related messages are encrypted with distinct public keys.
4. Two encryptions of linearly related messages are encrypted with the same
public key.
Similarly, in [23], Kurosawa et al. showed that both the KMOV scheme and
Demytko’s scheme are not secure when the same message is encrypted with a
suitably large number of distinct keys.
We note that the former attacks are not applicable to our scheme since the encryption process is probabilistic. This implies that, contrary to the KMOV scheme and Demytko's scheme, if we encrypt the same message twice even with the same key in the new scheme, then the ciphertexts are different with a high probability because they depend on a randomly generated number in the encryption phase.

7 Conclusion
We proposed a new variant of RSA with a modulus of the form $n = pq$ where p and q are large prime numbers satisfying $p = u_p^2 + v_p^2$, $q = u_q^2 + v_q^2$, $u_p \equiv 3 \pmod 4$ and $u_q \equiv 3 \pmod 4$. The arithmetic of the new scheme uses elliptic curves with equations $y^2 = x^3 + ax$ over the finite ring Z/nZ. The encryption is probabilistic: each encryption generates a new curve, which results in a new ciphertext in each call. We analyzed the security of the scheme and showed that it is at least as hard as factoring.

References
1. Blake, I., Seroussi, G., Smart, N.: Elliptic curves in cryptography, volume 265 of London Math. Soc. Lecture Note Ser. Cambridge University Press, (1999)
2. Bleichenbacher, D.: On the security of the KMOV public key cryptosystem, LNCS 1294, Proc. Crypto 97, Springer-Verlag, (1997), pp. 235–248.
3. Brent, R.P.: Recent Progress and Prospects for Integer Factorisation Algorithms, In: Du DZ., Eades P., Estivill-Castro V., Lin X., Sharma A. (eds) Computing and Combinatorics. COCOON 2000. Lecture Notes in Computer Science, vol 1858. Springer, Berlin, Heidelberg
4. Boneh, D.: Twenty years of attacks on the RSA cryptosystem, Notices Amer. Math. Soc. 46 (2). 203–213 (1999)

5. Boneh, D., Durfee, G., and Howgrave-Graham, N.: Factoring $N = p^r q$ for Large r. In M. Wiener, Ed., Crypto'99, Lecture Notes in Computer Science 1666, Springer-Verlag, p. 326–337 (1999)
6. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than $N^{0.292}$, Advances in Cryptology-Eurocrypt'99, Lecture Notes in Computer Science Vol. 1592, Springer-Verlag, pp. 1–11 (1999)
7. Certicom Research. Standards for efficient cryptography 2: Recommended elliptic curve domain parameters. Standard SEC2, Certicom, 2000.
8. T. Collins, D. Hopkins, S. Langford, and M. Sabin. Public Key Cryptographic Apparatus and Method. US Patent #5,848,159. Jan. 1997.
9. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology, 10(4), pp. 233–260 (1997)
10. Couvreur, C., Quisquater, J.J.: Fast Decipherment Algorithm for RSA Public-Key Cryptosystem. Electronics Letters 18, pp. 905–907 (1982)
11. Demytko N.: A new elliptic curve based analogue of RSA, in T. Helleseth (ed.), EUROCRYPT 1993, Lecture Notes in Computer Science 765, Springer-Verlag, 40–49 (1994)
12. M. Elia, Continued Fractions and Factoring, arXiv:1905.10704 (2019) https://arxiv.org/abs/1905.10704
13. A. Fiat.: Batch RSA, In G. Brassard (ed.), Proceedings of Crypto 1989, vol. 435 of LNCS, pp. 175–185. Springer-Verlag (1989)
14. Galbraith, S.D., Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Cryptogr. 78, pp. 51-72 (2016)
15. Hardy, G.H., Wright, E.M.: An Introduction to Theory of Numbers, 5th Edition, The Clarendon Press Oxford University Press, New York (1979)
16. Hinek, M.: Cryptanalysis of RSA and its Variants, Chapman & Hall/CRC, Cryptography and Network Security Series, Boca Raton (2009)
17. D. Husemöller, Elliptic Curves, 2nd edn., Springer, 2004.
18. K. Ireland and M. Rosen. A Classical Introduction to Modern Number Theory, volume 84 of Graduate Texts in Mathematics. Springer-Verlag, 2nd edition (1990)
19. Koyama K.: Fast RSA type scheme based on singular cubic curve $y^2 + axy = x^3 \pmod n$. Proc. Eurocrypt'95, Lecture Notes in Computer Science, vol. 921, Springer, Berlin, 1995, 329–339 (1995)
20. K. Koyama, U.M. Maurer, T. Okamoto, S.A. Vanstone, New Public-Key Schemes Based on Elliptic Curves over the Ring $Z_n$, CRYPTO 1991, Lecture Notes in Computer Science 576, 252-266.
21. Koblitz, N.: Elliptic curve cryptosystems. Mathematics of Computation, 48: pp. 203–209, (1987)
22. N. Kunihiro and K. Koyama, Equivalence between counting the number of points on elliptic curves over the ring $Z_n$ and factoring n, LNCS 1403, Proceedings of Eurocrypt 1998, pp. 47-58 (1998)
23. Kaoru Kurosawa, Koji Okada, Shigeo Tsujii, Low exponent attack against elliptic curve RSA, Information Processing Letters, Volume 53, Issue 2, 1995, Pages 77-83.
24. H. Kuwakado, K. Koyama, and Y. Tsuruoka, A new RSA-type scheme based on singular cubic curves $y^2 = x^3 + bx^2 \pmod n$, IEICE Transactions on Fundamentals, vol. E78-A (1995) pp. 27–33.
25. Lenstra, H.: Factoring integers with elliptic curves, Annals of Mathematics, Vol. 126, pp. 649–673 (1987)
26. Lenstra, A.K., Lenstra, H.W. Jr.: The Development of the Number Field Sieve, Lecture Notes in Mathematics 1554, Springer-Verlag (1993)

27. S. Martín, P. Morillo, J.L. Villar, Computing the order of points on an elliptic curve modulo N is as difficult as factoring N, Applied Mathematics Letters Volume 14, Issue 3, April 2001, pp. 341-346 (2001)
28. Miller, V.S.: Use of elliptic curves in cryptography. In H. C. Williams, editor, Advances in Cryptology - CRYPTO'85, Vol. 218 of Lecture Notes in Computer Science, Springer-Verlag, pp. 417–426 (1986)
29. S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system (2009) https://bitcoin.org/bitcoin.pdf
30. NIST: National Institute of Standards and Technology, Digital Signature Standard, FIPS PUB 186-2 (2000)
31. Nitaj, A.: Another generalization of Wiener's attack on RSA, In: Vaudenay, S. (eds.) Africacrypt 2008. LNCS, vol. 5023. 174–190. Springer, Heidelberg (2008)
32. Nitaj, A., Fouotsa, E.: A new attack on RSA and Demytko's elliptic curve cryptosystem, Journal of Discrete Mathematical Sciences and Cryptography 22 (3), pp. 391-409 (2019)
33. Paillier, P.: Trapdooring Discrete Logarithms on Elliptic Curves over Rings. In: Okamoto T. (eds) Advances in Cryptology - ASIACRYPT 2000. Lecture Notes in Computer Science, vol 1976, Springer, Berlin, Heidelberg, pp. 573-584 (2000)
34. D. Pointcheval, "New public key cryptosystem based on the dependent RSA problem", Eurocrypt99 Springer-Verlag, 1999, 1592: pp. 239-254.
35. Pomerance, C.: The quadratic sieve factoring algorithm, Advances in Cryptology, Proc. Eurocrypt'84, LNCS 209, Springer-Verlag, Berlin, pp. 169–182 (1985)
36. Rabin, M.O.: Digital signatures and public key functions as intractable as factoring. MIT Technical Report, MIT/LCS/TR-212 (1979)
37. Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining digital signatures and public-key cryptosystems, Communications of the ACM, Vol. 21 (2), pp. 120–126 (1978)
38. Schmitt, S., Zimmer, H.G., ProQuest (Firm): Elliptic curves: a computational approach, Walter de Gruyter, Berlin, New York (2003)
39. Silverman, J.H.: The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics, Springer-Verlag, 106 (1986)
40. H.M. Sun, M.E. Wu, W.C. Ting and M.J. Hinek, Dual RSA and its security analysis, IEEE Transactions on Information Theory, 2007; 53(8), pp. 2922-2933.
41. T. Takagi. Fast RSA-type Cryptosystem Modulo $p^k q$. In H. Krawczyk, ed., Proceedings of Crypto 1998, vol. 1462 of LNCS, pp. 318–326. Springer-Verlag, (1998)
42. Takayasu, A., Kunihiro N.: General bounds for small inverse problems and its applications to multi-prime RSA, Proc. ICISC 2014, LNCS 8949, pp. 3–17, Springer (2014)
43. L.C. Washington. Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC, Florida, 2003.
44. de Weger, B.: Cryptanalysis of RSA with small prime difference, Applicable Algebra in Engineering, Communication and Computing 13, pp. 17–28 (2002)
45. Wiener, M.: Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, Vol. 36, pp. 553–558 (1990)
