RSA is the most widely used public-key cryptosystem in the world. However, there are still two main shortcomings when using this system. One is the inefficiency in encryption/decryption, and the other one is high cost for key storage requirement. In this thesis, we focus on designing efficient RSA variants to improve the efficiency of operation or storage requirement. We design three RSA variants, including Generalized Rebalanced-RSA, Dual RSA, and LSBS-RSA. We briefly describe them in the following:

Generalized Rebalanced-RSA is an RSA variant based on the CRT-decryption. The term "Rebalanced" denotes speeding up RSA decryption by shifting decryption costs to encryption costs. In our design, we let the public exponent e being much smaller than the modulus N, while still maintaining the CRT-exponents small. Thus,the goal of efficient encryption and decryption are achieved simultaneously. Dual RSA is an RSA variant whose key generation algorithm outputs two distinct RSA key pairs having the same public and private exponents. This variant can be used in scenarios that require two instances of RSA with the advantage of reducing the storage requirements for the keys. We also propose two applications for Dual RSA,
blind signatures and authentication/secrecy.

LSBS-RSA is the traditional RSA system but with modulus prime sharing least significant bits (LSBs). This property can be used in server-aided signature generation (SASG) to improve the computational efficiency. We give the detailed security analysis for LSBS-RSA and specify the tightly security boundary by using the lattice reduction technique.

All the cryptanalysis of the proposed variants show that the systems require higher security boundary while comparing with the traditional RSA. This is a trade-off
phenomenon between the security level and efficiency. Thus, we finally point out that one should be more careful when using other kinds of RSA variants.

RSA 為世界上最為廣泛使用的公開金鑰密碼系統。然而，在使用RSA 時仍然有兩項主要的缺點。一個是在加密與解密上的耗時；另一個是在金鑰儲存上需要較大的儲存空間。在本論文裡，我們提出三種RSA 變形設計去改善RSA 運算的效率， 或降低金鑰儲存的空間， 三種RSA 變形分別為Generalized Rebalanced-RSA、Dual RSA、LSBS-RSA。我們分別介紹如下：

Generalized Rebalanced RSA 是一種基於CRT 解密的RSA 變形設計。"Rebalanced"表示將部分解密的工作代價轉移到加密上面。在我們的設計裡，我們讓公開金鑰e 遠比模數N 短，卻仍然保持短的CRT 指數。因此，我們可達到同時有效加密與解密的目標。

Dual RSA 是一種將兩組RSA 公開金鑰與私密金鑰合併在一起的RSA 變形設計 (具有相同的公開金鑰指數與私密金鑰指數)。這樣的變形設計可以使用在需要兩組RSA 密碼系統的環境，以節省金鑰儲存的空間。我們也提出了兩種DualRSA 的應用：盲簽章與 認證且私密通訊。

LSBS-RSA 為傳統的RSA 密碼系統，但是RSA 模質數具有大量相同的最低位元(LSBs)。這樣的特型可以增加Server-Aided Signature Generation (SASG)的計算效率。我們藉由格子點化簡的技巧給出完整的安全分析，並指出緊緻的安全邊界條件。

我們的分析指出所有的RSA 變形設計皆需要更高的安全邊界條件。這是一種在安全程度與效率上的Trade-Off 現象。所以，在本論文最後，我們結論使用者要更小心當使用其他的RSA 變形演算法。

[1] S. Berkovits. Factoring via superencryption. Cryptologia, 6(3): 229-237, 1982.
[2] M. Bellare and P. Rogaway, “Optimal asymmetric encryption –how to encrypt
with RSA”, Advances in Cryptology - EUROCRYPT’94, Lecture Notes in Com-
puter Science, volume 950, Springer-Verlag, pp. 92-111, 1995.
[3] M. Bellare and P. Rogaway, “The exact security of digital signatures: How to sign
with RSA and Rabin”, Advanced in Cryptology - EUROCRYPTO’ 96, Lecture
Notes in Computer Science, volume 1070, Springer-Verlag, pp.399-416, 1996.
[4] D. Boneh, G. Durfee, and Y. Frankel, “An attack on RSA given a small fraction of
the private key bits”, Advances in Cryptology - ASIACRYPT’98, Lecture Notes
in Computer Science, volume 1514, Springer-Verlag, pp. 25-34, 1998.
[5] D. Boneh, G. Durfee and Y. Frankel, “Exposing an RSA Private Key Given a Small
Fraction of its Bits”, Full version of the work from ASIACRYPT’98, available at
http://crypto.stanford.edu/~dabo/abstracts/bits_of_d.html, 1998.
[6] D. Boneh, “Twenty Years of Attacks on the RSA Cryptosystem”, Notices of the
American Mathematical Society, 46(2): 203–213, 1999.
[7] D. Boneh and G. Durfee, “Cryptanalysis of RSA with private key d less than
N0:292”, Advanced in Cryptology - EUROCRYPT’99, Lecture Notes in Computer
Science, volume 1952, Springer-Verlag, pp. 1-11, 1999.
[8] D. Boneh and G. Durfee, “Cryptanalysis of RSA with private key d less than
N0:292”, IEEE Transactions on Information Theory, 46(4): 1339–1349, July 2000.
[9] J. Blömer and A. May, “Low private exponent RSA revisited”, In J. H. Silverman,
editor, Cryptography and Lattices, International Conference, CaLC 2001, Lecture
Notes in Computer Science, volume 2146, Springer-Verlag, pp. 4-19, 2001.
[10] D. Boneh and H. Shacham, “Fast variants of RSA”, CryptoBytes, 5(1):1–9, 2002.
[11] J. Blömer and A. May, “New Partial Key Exposure Attacks on RSA”, Advanced
in Cryptology - CRYPTO’03, Lecture Notes in Computer Science, volume 2729,
Springer-Verlag, pp. 27-43, 2003.
[12] D. Bleichenbacher and A. May, “New attacks on RSA with small secret CRT-
Exponents”, Public Key Cryptography - PKC 2006, Lecture Notes in Computer
Science, volume 3958, Springer-Verlag, pp. 1-13. Springer, 2006.
[13] D. Chaum, “Untraceable electronic mail”, return address and digital pseudonyms.
Communications of the ACM, 24(2): 84–88, February 1981.
[14] D. Coppersmith, “Finding a small root of a bivariate integer equation; factoring
with high bits known”, In U. M. Maurer, editor, Advances in Cryptology - EURO-
CRYPT’ 96, Lecture Notes in Computer Science, volume 1070, Springer-Verlag,
pp. 178-189, 1996.
[15] D. Coppersmith, “Finding a small root of a univariate modular equation”, Ad-
vances in Cryptology - EUROCRYPT’ 96, Lecture Notes in Computer Science,
volume 1070, Springer-Verlag, pp. 155-165, 1996.
[16] D. Coppersmith, M. Franklin, J. Patarin, andM. Reiter, “Low-exponent RSA with
related message”, Advances in Cryptology - EUROCRYPT’96, Lecture Notes in
Computer Science, volume 1070, Springer-Verlag, pp. 1-9, 1996.
[17] D. Coppersmith, “Finding a Small Root of a Bivariate Integer Equation; Factoring
with High Bits Known”, Advances in Cryptology - EUROCRYPT’ 96, Lecture
Notes in Computer Science, volume 1070, Springer-Verlag, pp. 178-189, 1996.
[18] D. Coppersmith, “Small solutions to polynomial equations, and low exponent RSA
vulnerabilities”, Journal of Cryptology, volume. 10, pp. 233-260, 1997.
[19] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein, Introduction to Algo-
rithms, second edition, McGraw-Hill Book Company, 2001.
[20] J-S. Coron, “Finding Small Roots of Bivariate Integer Polynomial Equations Re-
visited”, Advanced in Cryptology –EUROCRYPTO’ 04, Lecture Notes in Com-
puter Science, volume 3027, Springer-Verlag, pp. 492-505, 2004.
[21] J-S. Coron, “Finding Small Roots of Bivariate Integer Polynomial Equations: A
Direct Approach,”Advanced in Cryptology - CRYPTO’07, Lecture Notes in Com-
puter Science, volume 4622, Springer-Verlag, pp. 379-394, 2007.
[22] G. Durfee, P. Q. Nguyen, “Cryptanalysis of the RSA Schemes with Short private
exponent form Asiacrypt’99”, Advances in Cryptology - ASIACRYPT’00, Lecture
Notes in Computer Science, volume 1976, Springer-Verlag, pp.1-11, 2000.
[23] A. Dujella, “Continued fractions and RSA with small private exponent”, Tatra
Mt. Math. Publ., 29: 101-112, 2004.
[24] http://www.alpertron.com.ar/ecm.htm
[25] M. Ernst, E. Jochemsz, A. May, B. de Weger, “Partial Key Exposure Attacks on
RSA up to Full Size Exponents,”Advanced in Cryptology - EUROCRYPT’ 05,
Lecture Notes in Computer Science, volume 3494, Springer-Verlag, pp. 371-386,
2005.
[26] M. Gysin and J. Seberry, “Generalised cycling attacks on RSA and strong RSA
primes. Information Security and Privacy, 4th Australasian Conference, ACISP
1999, Lecture Notes in Computer Science, volume 1587, Springer-Verlag, pp. 149-
163, 1999.
[27] S. D. Galbraith, C. Heneghan, and J. F. McKee, “Tunable balancing of RSA,”
In C. Boyd and J. M. G. Nieto, Information Security and Privacy, 10th Australasian Conference, ACISP 2005, Lecture Notes in Computer Science, volume
3574, Springer-Verlag, pp. 280-292, 2005.
[28] S. D. Galbraith, C. Heneghan, and J. F. McKee, “Tunable balancing of RSA,”
full version of [27]. [ONLINE]. Available: http://www.isg.rhul.ac.uk/~sdg/full-
tunable-rsa.pdf
[29] G. H. Hardy and E. M.Wright. An Introduction to the Theory of Numbers. Oxford
University Press, fourth edition, 1960.
[30] D. Hühnlein, M. J. Jacobson, S. Paulus, and T. Takagi, “A cryptosystem based
on non-maximal imaginary quadratic orders with fast decryption”, Advances in
Cryptology - EUROCRYPT ’98, Lecture Notes in Computer Science, volume 1403,
Springer-Verlag, pp. 294-307. Springer, 1998.
[31] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied
Cryptography. Discrete Mathematics and Its Applications. CRC Press, 1996.
[32] M. J. Hinek, “Another look at small RSA exponents”, In D. Pointcheval, editor,
Topics in Cryptology - CT-RSA 2006, Lecture Notes in Computer Science, volume
3860, Springer-Verlag, pp. 82-98, 2006.
[33] J. Hastad, “Solving simultaneous modular equations of low degree”, SIAMJournal
of Computing, volume. 17, pp. 336-341, 1988.
[34] N. Howgrave-Graham, “Finding small roots of univariate modular equations re-
visited”, in Proceedings of Cryptography and Coding, Lecture Notes in Computer
Science, volume. 1355, Springer-Verlag, pp.131-142, 1997.
[35] M. Joye, J.-J. Quisquater, and T. Takagi, “How to choose secret parameters for
RSA and its extension to elliptic curves”, Designs, Codes and Cryptography, 23(3):
297-316, 2001.
[36] E. Jochemsz and A. May, “A strategy for …nding roots of multivariate polynomials
with new applications in attacking RSA variants”, Advances in Cryptology - ASIACRYPT’06, Lecture Notes in Computer Science, volume 4284, Springer-Verlag,
pp. 267-282, 2006.
[37] A. Lenstra, H. Lenstra, and L. Lovász, “Factoring polynomials with rational co-
e¢ cients”, Mathematische Annalen, 261:515–534, 1982.
[38] H. W. Lenstra, “Factoring integers with elliptic curves”, Annals of Mathematics,
126: 649-673, 1987.
[39] A. K. Lenstra, “Generating RSA moduli with a predetermined portion”, Advances
in Cryptology - ASIACRYPT’ 98, Lecture Notes in Computer Science, volume
1514, Springer-Verlag, pp. 1-10, 1998.
[40] A. K. Lenstra, “Unbelievable security. matching AES security using public key
systems”, Advances in Cryptology - ASIACRYPT’01, Lecture Notes in Computer
Science, volume 2248, pp. 67-86, 2001.
[41] A. K. Lenstra and B. M. M. de Weger, “Twin RSA”, In E. Dawson and S. Vaude-
nay, editors, Progress in Cryptology - Mycrypt 2005, Lecture Notes in Computer
Science, volume 3715, Springer-Verlag, pp. 222-228, 2005.
[42] I. Niven and H. S. Zuckerman. An Introduction to the Theory of Numbers. John
Wiley and Sons Inc., 1991.
[43] Victor Shoup. NTL: A Library for doing Number Theory, [ONLINE]. Available:
http://shoup.net/ntl
[44] T. Okamoto and S. Uchiyama, “A new public-key cryptosystem as secure as fac-
toring”, Advances in Cryptology - EUROCRYPT ’98, Lecture Notes in Computer
Science, volume 1403, Springer-Verlag, pp. 308-318. Springer, 1998.
[45] J. M. Pollard. Theorems on factorization and primality testing. Proceedings Cam-
bridge Philosophical Society, 76: 521-528, 1974.
[46] G. Qiao and K.-Y. Lam, “RSA signature algorithm for microcontroller imple-
mentation”, In J.-J. Quisquater and B. Schneier, editors, Smart Card Research
and Applications, CARDIS ’98,Lecture Notes in Computer Science, volume 1820,
Springer-Verlag, pp. 353–356, 1998.
[47] J.-J. Quisquater and C. Couvreur, “Fast decipherment algorithm for RSA public
key cryptosystem”, Electronics Letters, 18(21):905–907, October 1982.
[48] R. Rivest, A. Shamir, and L. Aldeman, “A method for obtaining digital signatures
and public-key cryptosystems”, Communications of the ACM, 21(2): 120-126,
1978.
[49] R. Rivest and R. Silverman, “Are "Strong Prime" needed for RSA?
Cryptology ePrint Archive, Report 2001/007, 2001. [ONLINE]. Available:
http://eprint.iacr.org/2001/007.
[50] R. D. Silverman, “Fast generation of random, strong RSA primes”, CryptoBytes,
3(1): 9-13, 1997.
[51] H.-M. Sun, W.-C. Yang, and C.-S. Laih, “On the design of RSA with short private
exponent”, Advances in Cryptology - ASIACRYPT ’99, Lecture Notes in Computer
Science, volume 1716, Springer-Verlag, pp. 150-164, 1999.
[52] R. Steinfeld, and Y. Zheng, “An Advantage of Low-Exponent RSA with Modulus
Primes Sharing Least Signi…cant Bits”, in Topic in Cryptology - CT-RSA 2001,
ser. Lecture Notes in Computer Science, , volume 2020,Springer-Verlag, pp. 52-62,
2001.
[53] R. Steinfeld, and Y. Zheng, “On the Security of RSA with Primes Sharing Least-
Signi…cant Bits,”Appl. Algebra Eng. Commun. Comput., Heidelberg: Springer,
2004, volume. 15, no. 3(4), pp. 179-200.
[54] H.-M. Sun, M. J. Hinek, and M.-E. Wu, “On the design of Rebalanced-
RSA”, revised version of [55]. Technical Report CACR 2005-35, Centre for Applied Cryptographic Research, 2005. [ONLINE]. Available:
http://www.cacr.math.uwaterloo.ca/techreports/2005/cacr2005-35.pdf.
[55] H.-M. Sun and M.-E. Wu, “An approach towards Rebalanced-RSA-CRT with
short public exponent”, Cryptology ePrint Archive, Report 2005/053, 2005. [ON-
LINE]. Available: http://eprint.iacr.org/2005/053.
[56] H.-M. Sun and C.-T. Yang, “RSA with balanced short exponents and its appli-
cation to entity authentication”, Public Key Cryptography - PKC 2005, Lecture
Notes in Computer Science, volume 3386, Springer-Verlag, pp. 199-215, 2005.
[57] H.-M. Sun, M.-E. Wu, and Y.-H. Chen, “Estimating the Prime Factors of an RSA
Modulus and an Extension of the Wiener Attack”, in Proceeding of Applied Cryp-
tography and Network Security 2007 — ACNS’07, ser. Lecture Notes in Computer
Science, volume. 4521,Springer-Verlag, pp. 116-128, 2007.
[58] T. Takagi, “Fast RSA-type cryptosystem modulo p2q”, Advances in Cryptology -
CRYPTO’98, Lecture Notes in Computer Science, voulme 1462, Springer-Verlag,
pp. 318-326, 1998.
[59] S. A. Vanstone and R. J. Zuccherato, “Short RSA keys and their generation”,
Journal of Cryptology, 8(2): 101–114, March 1995.
[60] E. R. Verheul and H. C. A. van Tilborg, “Cryptanalysis of ‘less short’RSA secret
exponents”, Appl. Algebra Eng. Commun. Comput., 8(5): 425–435, 1997.
[61] M. J. Wiener, “Cryptanalysis of short RSA secret exponents”, IEEE Trans. In-
formation Theory, 36(3):553–559, May 1990.
[62] B. deWeger, “Cryptanalysis of RSA with small prime di¤erence”, Applicable Alge-
bra in Engineering, Communication and Computing, volume. 13, pp. 17-28, 2002.
[63] G. Wang, “Bibliography on blind signatures”, [ONLINE]. Available:
http://www.i2r.a-star.edu.sg/icsd/sta¤/guilin/bible/blind-sign.htm.
[64] Y.-D. Zhao, and W.-F. Qi, “Small Private-Exponent Attack on RSA with Primes
Sharing Bits”, in Proc. Information Security Conference 2007 –ISC 2007, Lecture
Notes in Computer Science, volume 4779, Springer-Verlag, pp. 221-229, 2007.