Solving Generalized Bivariate Integer Equations and Its Application to Factoring With Known Bits

In this paper, we propose two improved theorems for addressing generalized bivariate integer equations using the lattice-based method. We examine the application of these theorems to the problem of factoring general RSA (Rivest–Shamir–Adleman) moduli of the form $N=p^{r} q^{s}$ where $r,s\ge 1$ and $p,q$ are prime numbers. These moduli, which are commonly used in the RSA cryptosystem and its variants, have previously been subjected to attacks primarily through the solution of univariate modular equations. In contrast, we investigate the possibility of factoring $N=p^{r} q^{s}$ using leaked most significant bits (MSBs) or least significant bits (LSBs) of the prime numbers by solving generalized bivariate integer equations. We determine the minimum amount of known bits required for implementing the proposed factoring attacks and establish a unifying attack strategy. Furthermore, our results are verified through numerical computer experiments.

$\sum_{x^i y^j \in M} c_{ij} x^i y^j$ for $c_{ij} \in \mathbb{Z}$, we are interested in finding all possible roots $(x', y')$ satisfying $f(x', y') = 0$ in polynomial time while maximizing the upper bounds on $x'$ and $y'$. Solving bivariate integer polynomial equations stemmed from Coppersmith's lattice-based analyses [1], [2] of the RSA (Rivest-Shamir-Adleman) cryptosystem [3] and was later studied by [4], [5], [6], [7]. Coppersmith [2] and Coron [4], [7] studied several basic cases and efficient solving methods. Blömer and May [5] proposed an approach to analyze more situations and presented a useful theorem with concrete lattice constructions. The advantage is that solving a certain integer polynomial $f(x, y)$ can be formulated just in terms of its monomials. Moreover, Jochemsz and May [6] presented a generic approach for extracting possible roots of modular and integer multivariate polynomials. However, it is less efficient for several multivariate polynomials of specific structures.

The associate editor coordinating the review of this manuscript and approving it for publication was Pedro R. M. Inácio.
RSA [3] is a widely used public-key cryptosystem for secure data transmission in cyberspace. The standard modulus $N = pq$ is the product of two large primes of the same bit-size, namely $p$ and $q$. To speed up the decryption phase when utilizing RSA in constrained environments like smart cards, some variants with modified moduli such as $N = p^r q$ for $r > 1$ and $N = p^r q^s$ for $r, s > 1$ have been proposed. Similarly, the primes appearing in each modulus are suggested to share the same bit-size. The cryptosystem security is related to the integer factoring problem. A well-known algorithm for factorizing large composite integers is the Number Field Sieve (NFS) [8], which runs in sub-exponential time. In practice, some partial information leaked by side-channel attacks (e.g. [9], [10]) can be used to enhance the factoring attacks by solving multivariate polynomial equations. The so-called partial information usually refers to some known bits of the primes. We further investigate polynomial-time factorization of such RSA moduli with some known bits of the primes, which is designated as the factoring with known bits problem.
Rivest and Shamir [11] first studied the factoring with known bits problem. They used integer programming to factor $N$ when given a 2/3-fraction of $p$. Later Coppersmith [2] showed that it can be done when a 1/2-fraction of the bits of $p$ is known. The main technique is to solve modular/integer equations using lattice reduction algorithms, i.e., the LLL (Lenstra-Lenstra-Lovász) algorithm [12]. This lattice-based idea is also named Coppersmith's technique in the literature. A fast RSA variant using modified moduli $N = p^r q$ was suggested by Takagi [13]. Later, Boneh, Durfee, and Howgrave-Graham [14] demonstrated that exposing a $1/(r + 1)$-fraction of $p$ is sufficient to factor $N$ in polynomial time. Furthermore, when $r$ increases to $r \approx \log p$, one only needs to know a constant number of bits of $p$, and they can be recovered by exhaustive search. Hence, the running time of the factorization becomes polynomial, which implies that one should not use Takagi's RSA variant with a large $r$.
Lim et al. [15] extended general RSA moduli $N = p^r q$ to the form $N = p^r q^s$. The advantage is that the decryption phase is much faster than that in Takagi's RSA variant. How to generalize lattice-based factoring attacks on $N = p^r q^s$ for $r$ and $s$ of almost the same bit-size was considered an open problem in [14]. Lim et al. also analyzed the security of the extended RSA variant with $N = p^r q^{r+1}$ by a modified lattice-based factoring attack. $N = p^r q^{r+1}$ can be factored in polynomial time when $r \ge \log(pq)$, i.e., $r \ge 2 \log p$. In 2016, Coron et al. [16] factored $N = p^r q^s$ in polynomial time when $r > \log^3 p$. They first aimed to find an appropriate decomposition of $r$ and $s$ and then applied Coppersmith's technique to factor $N$. This result was later improved to $r \ge \log p$ by Coron and Zeitoun [17]. To be specific, we have two positive integers $a, b$ satisfying $as - br = 1$, which lead to the decomposition $N^a = (p^a q^b)^r q$. It is much simpler to factor $N^a = (p^a q^b)^r q$ using the algorithm in [14] to recover $p$ and $q$. Lu et al. [18] studied how to factor $N = p^r q^s$ with partial known bits of $p$ or of $pq$. They demonstrated that knowing a $\min\{s/(r + s), 2(r - s)/(r + s)\}$-fraction of $p$ is sufficient to factor $N$. Wang et al. [19] showed further improvement on the required known bits of $p$ or $q$ for factoring $N = p^r q^s$.
We revisit and handle the factoring with known bits problem by solving generalized bivariate integer polynomial equations based on the lattice-based technique. Instead of solving modular equations (i.e., the modular method for short), we handle the problem by solving integer equations (i.e., the integer method for short). Previous factoring attacks such as [16], [18], [20], [21], and [22] on general RSA moduli with known bits other than Coppersmith's original work [23] are based on the modular method. Conversely, we further exploit the power of the integer method to present a unifying attack strategy on factoring $N = p^r q^s$ with known bits.
The subsequent analyses restrict our attack scenarios to the case where some MSBs of each prime are given, leaving one consecutive unknown block. Though the description of our attack scenario is uncomplicated, we have many integer equations to solve in different cases. We have the following reasonable preconditions on the integer exponents $r$ and $s$ to simplify our analyses.
• We know $r$ and $s$, otherwise an exhaustive search in time $O(\log^2 N)$ recovers them.
• We have $1 \le s \le r \ll \log p$, otherwise we can exchange $p$ and $q$.
• We have $\gcd(r, s) = 1$, otherwise we try to factor another $N^* = p^{r^*} q^{s^*}$ for $r^* = r/\gcd(r, s)$ and $s^* = s/\gcd(r, s)$.
More precisely, we aim to factor $N = p^r q^s$ for $r \ge s \ge 1$ with some known MSBs denoted by $P$ and $Q$ respectively, where $r$ and $s$ are two known coprime integers. The LSBs case is skipped since it is similar to the MSBs case. In the proposed integer method, we aim to solve several integer equations like $(P + x)^r (Q + y)^s - N = 0$ when performing factoring attacks on $N = p^r q^s$ with $P$ and $Q$. Firstly, we show that most previous results can be obtained through the integer method. In fact, the modular method is preferable when $s$ is small (down to 1) or $s$ is large (up to $r - 1$) because of its efficiency. Secondly, we observe that the least amount of known MSBs to factor $N$ depends on the relation of $r$ and $s$. To be specific, we identify the most suitable $(r, s)$ pairs for various $r$'s and $s$'s when using the integer method.
Our results are extensions of Coppersmith's work [23] via the integer method, as well as a refinement of previous solutions to the factoring with known bits problem. A direct application is to factor RSA moduli in the forms of $p^{r+1} q^r$, $p^{r+1} q^{r-1}$ and $p^{r+2} q^{r-2}$ with known bits. Such RSA moduli were suggested by Lim et al. [15] considering optimal efficiency for a roughly fixed sum of the exponents. We show that some moduli like $p^3 q^2$ and $p^5 q^3$ are more vulnerable to the integer method. Furthermore, a unifying condition on the desired amount of the prime leakage is derived. Informally speaking, knowing a fraction min s r + s , of $p$ is sufficient to factor $N = p^r q^s$ for primes $p, q$ of the same bit-size and coprime integers $r > s$.
The rest is organized as follows. We review basic definitions and a crucial theorem employed in the integer method in Section II. Subsequently, two improved theorems are developed for the factoring with known bits problem. We propose several factoring attacks using known MSBs in both primes (i.e., $P$ and $Q$) or in only one prime (i.e., $P$ or $Q$) in Section III. In Section IV, the theoretical results are compared and discussed in detail to obtain a unifying attack strategy. We conduct validation experiments for practical attacks and provide experimental results in Section V. Section VI concludes the paper.

VOLUME 11, 2023

II. SOLVING GENERALIZED BIVARIATE INTEGER EQUATIONS
We first review basic definitions involved in the integer method and then state a crucial theorem. After that, we propose two improved theorems for solving specific bivariate integer equations in our attack scenarios. We note that the detailed lattice concepts are not covered, to simplify the analysis in this paper. More information can be found in [2], [5], [6], and [24].
An irreducible integer polynomial $f(x, y)$ implies that we must have $|g(x, y)| = |h(x, y)| = 1$ if $f(x, y)$ can be expressed as the product of two integer polynomials $g(x, y)$ and $h(x, y)$. There exists an index set for any monomial set $M$ in variables $x$ and $y$, which is : $x^i y^j \in M$ } and the Newton polygon for $f(x, y)$ is It is important to identify the Newton polygon of an integer polynomial as well as its polynomial norm when we try to solve bivariate integer polynomials. The definition of the polynomial norm is given. Let $f(x, y) = \sum c_{ij} x^i y^j \in \mathbb{Z}[x, y]$ be an integer polynomial. Its $\ell_p$-norm is defined as The $\ell_\infty$-norm is involved in the literature of solving integer polynomials such as [4], [5], and [7]. We point out that it can be directly deduced from the above definition as $\|f(x, y)\|_\infty = \max\{|c_{ij}|\}$ for $f(x, y) = \sum c_{ij} x^i y^j$. We provide the following definitions to guarantee that one can extract the roots of a given bivariate integer polynomial.
Definition 1 [5]: Let f (x, y) be a bivariate integer polynomial and S, M be two finite non-empty monomial sets in the variables x and y. The sets S, M are called admissible for

y), then $h(x, y)$ is defined over $S$.
Definition 2 [5]: Let $I_A$ and $I_B$ be two index sets. The Minkowski sum $I_A + I_B$ is defined as
The first property of Definition 1 can be satisfied by $M$ in a straightforward manner for a given integer polynomial $f(x, y)$ and a given set $S$, i.e., $M$ such that $I_M = N(f) + I_S$. It usually leads to monomial sets $S$ and $M$ also satisfying the second property, i.e., $S$ and $M$ are admissible for $f(x, y)$.
Lemma 1 [5]: Assume that the Newton polygon : $0 \le i \le a$, $0 \le j \le b$} for positive integers $a$ and $b$. Then monomial sets $S$ and $M$ that correspond to two respective index sets are admissible for $f(x, y)$, where $k \in \mathbb{N}$ controls low order error terms and $\gamma > 0$ optimizes the solving bound.
Lemma 2 [5]: Assume that the Newton polygon

for positive integers c and d. Then monomial sets S and M that correspond to two respective index sets
are admissible for $f(x, y)$, where $k \in \mathbb{N}$ controls low order error terms and $\gamma > 0$ optimizes the solving bound. See [5, Lemma 7] for the proofs. The Blömer-May theorem for extracting possible roots of bivariate integer polynomials is stated as follows.

(7)
All possible $(x', y')$ satisfying $f(x', y') = 0$ can be extracted in time polynomial in $m$, $d_x$, $d_y$, and $\log W$ provided $X^{s_x} Y^{s_y} < W^s$, assuming that $(m - s)^2 = O(s d_x d_y)$ is satisfied. We omit low order terms since the increasing factor of running time is a constant and one may refer to [5, Section 5] for a detailed lattice-based proof. However, Theorem 1 cannot be directly applied to factoring general RSA moduli with known bits. We embody the Blömer-May theorem in two improved theorems for solving generalized integer polynomials.
Theorem 2: for an optimizing parameter $\gamma > 0$. Furthermore, by setting We can construct two admissible sets $S$ and $M$ such that $S \subseteq M$ according to Lemma 1, where $k \in \mathbb{N}$ and $\gamma > 0$ is an optimizing parameter. Furthermore, we calculate $s$, $m$, $s_x$, and $s_y$ stated in Theorem 1 as follows.
Substituting them in $X^{s_x} Y^{s_y} < W^s$ (omitting lower order terms $o(k^2)$ for simplicity) gives which leads to Additionally, we have $d_x = a$, $d_y = b$ and hence $(m - s)^2 = O(s d_x d_y) = O(k^2)$ is satisfied. The time complexity is mainly dominated by $\log W$ since $a, b \ll \log W$ and $k = \log W$. Thus, the running time is polynomial in $\log W$.
Moreover, by setting $X = N^{\delta_1}$, $Y = N^{\delta_2}$, $W = N^{\alpha}$, we obtain $(b\gamma^2 + 2a\gamma)\delta_1 + (2b\gamma + a)\delta_2 < 2\gamma\alpha$ if considering the exponents over $N$. We have $b\delta_1\gamma^2$ for an optimizing parameter $\gamma > 0$. Furthermore, by setting We can construct two admissible sets $S$ and $M$ such that $S \subseteq M$ according to Lemma 2, where $k \in \mathbb{N}$ and $\gamma > 0$ is an optimizing parameter. Furthermore, we calculate $s$, $m$, $s_x$, and $s_y$ stated in Theorem 1 as follows.
Substituting them in $X^{s_x} Y^{s_y} < W^s$ gives which reduces to Furthermore, we have $d_x = c$, $d_y = d$, and hence $(m - s)^2 = O(s d_x d_y) = O(k^2)$ is satisfied. The time complexity is mainly dominated by $\log W$ since $a, b \ll \log W$ and $k = \log W$. Thus, the running time is polynomial in $\log W$.
Moreover, by setting

III. APPLICATION TO FACTORING WITH KNOWN BITS
We propose several attacks to factor $N$ with known MSBs, namely $P$ and $Q$. Let us first specify the attack scenarios. Given $N = p^r q^s$ with $r, s$ and two MSBs approximations $P, Q$, where $p = P + x$ and $q = Q + y$ for unknown variables $x, y$ that can be bounded by $X = Y = N^{\eta}$, we aim to efficiently recover $p$ and $q$ leading to the factorization of $N$ under minimal requirements of $P$ and $Q$. It means that the size of known MSBs of $p$ (or $q$) is $N^{1/(r+s)-\eta}$, or equivalently $p^{1-(r+s)\eta}$. We obtain the attack results by applying the above improved theorems via the integer method. To do so, we should derive some integer equations from the above attack scenarios. The suitable integer equations are divided into two parts as follows. The first part involves two approximations and consists of solving $(P + x)^r (Q + y)^s - N = 0$ and $(PQ + x)^s y - N = 0$. The second part is related to only one approximation and consists of solving $(P + x)^r y - N = 0$. Before presenting the analyses, we show that known MSBs in one prime can be used to compute some MSBs of the same bit-size in another prime.
Proof: Because $r, s$ are negligible compared to $p$ and $q$, we assume $p$, $q$ and $P$ are roughly equal to $N^{\frac{1}{r+s}}$ and thus $Q$ is also roughly equal to $N^{\frac{1}{r+s}}$. To bound $|q - Q|$, we first bound the value of $|q^s - Q^s|$ since we have We define $Q := [(N/P^r)^{\frac{1}{s}}]$ and it leads to $Q^s \approx N/P^r$, which gives Now we bound the value of $|P^r - p^r|$, that is $|P^r - p^r| = |P - p|(P^{r-1} + P^{r-2} p + \cdots + p^{r-1}) < rN^{\frac{r-1}{r+s}+\eta}$.
which terminates the proof. In the following factoring attacks, the known leakage always refers to the MSBs approximation $P$, which implies that we know both $P$ and $Q$ from $N$, $r$ and $s$.
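The lemma above, worked on a constructed toy instance as an added example (not code from the paper): given $N$, $r$, $s$ and the MSB approximation $P$, it computes $Q := [(N/P^r)^{1/s}]$ and measures $|q - Q|$. The 64-bit primes, the helper names and the reading of the bracket as the integer part are assumptions of this sketch.

```python
# Added illustration: derive the approximation Q of q from the approximation P of p
# for N = p^r q^s. All numeric inputs below are constructed toy values.

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin; this fixed base set is deterministic for n < 2^64."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, t = n - 1, 0
    while d % 2 == 0:
        d, t = d // 2, t + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(t - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n: int) -> int:
    n |= 1
    while not is_prime(n):
        n += 2
    return n

def iroot(n: int, k: int) -> int:
    """floor(n ** (1/k)) using integer arithmetic only (no float rounding)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def msb_approx(v: int, unknown_bits: int) -> int:
    """Keep the MSBs of v and zero the low `unknown_bits` bits."""
    return (v >> unknown_bits) << unknown_bits

def derive_Q(N: int, P: int, r: int, s: int) -> int:
    """Q := [(N / P^r)^(1/s)], bracket taken as the integer part (assumption)."""
    return iroot(N // P ** r, s)

def demo(r: int = 3, s: int = 2, unknown_bits: int = 20) -> dict:
    # Constructed 64-bit primes of the same bit-size.
    p = next_prime(2 ** 63 + 0x123456789ABCDEF1)
    q = next_prime(2 ** 63 + 0x0FEDCBA987654321)
    N = p ** r * q ** s
    P = msb_approx(p, unknown_bits)      # what the leak provides
    Q = derive_Q(N, P, r, s)             # computed from N, r, s and P only
    return {"p": p, "q": q, "P": P, "Q": Q,
            "x_bits": (p - P).bit_length(),
            "y_bits": abs(q - Q).bit_length()}

if __name__ == "__main__":
    res = demo()
    print("unknown part of p:", res["x_bits"], "bits")
    print("|q - Q|          :", res["y_bits"], "bits")
```

For this instance the error $|q - Q|$ stays within a couple of bits of the unknown block of $p$, which is why the later attacks treat $Q$ as known once $P$ is.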

A. USING TWO APPROXIMATIONS
We present the results in theorems derived from solving bivariate integer equations. More concretely, we try to solve $(P + x)^r (Q + y)^s - N = 0$ and $(PQ + x)^s y - N = 0$ to obtain the solution to the factoring with known bits problem. We have a straightforward option to solve $(P + x)^r (Q + y)^s - N = 0$, which is based on the observation that we can directly put $p = P + x$ and $q = Q + y$ into $N = p^r q^s$.
Proof: Let $f(x, y) = (P + x)^r (Q + y)^s - N$ and we apply Theorem 2 with $\tilde{x} = P$, $\tilde{y} = Q$, $a = r$, and $b = s$ to obtain We need to figure out the value of $W$ since we know $X = Y = N^{\eta}$ and $P \approx Q \approx N^{\frac{1}{r+s}}$. Since $r, s \ll \log p$, the binomial coefficients cannot exceed $P$, $Q$ and we have Considering the exponents in the condition, it leads to which further reduces to We set $\gamma = \sqrt{r/s}$ to make the right side reach its maximum and then obtain A fraction $1 - (r + s)\eta$ is required, which implies that at least a fraction of $p$ and $q$ is required. The time complexity is polynomial in $\log W$, and it is also polynomial in $\log N$.
We have another integer equation $(PQ + x)^s y - N = 0$ based on the observation $(P + x)^r (Q + y)^s = ((P + x)(Q + y))^s p^{r-s} = (PQ + Qx + Py + xy)^s p^{r-s} = N$. Thus, we can apply Theorem 3 for this bivariate integer equation.
From the condition, we have which reduces to We set $\gamma = (r - s)/2$ to make the right side reach its maximum and then obtain We must have $s < r < 3s$ since $\gamma, \eta > 0$. The solution of $y$ is enough to compute $p$, so a fraction at least It reduces to the same result that we require a fraction at least As for the latter equation, we can apply Theorem 2 with $\tilde{x} = PQ$, $\tilde{y} = P$, $a = s$, and $b = r - s$ for $X = N^{\frac{1}{r+s}+\eta}$, $Y = N^{\eta}$, and $W = N^{\frac{r+s-1}{r+s}+\eta}$. The result implies that we need at least a fraction of $p$ to factor $N$ in polynomial time for $r > s \ge 1$. However, this result is always inferior to that stated in Theorem 4 and Theorem 5.
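An added example, not taken from the paper, that makes the objects used in this section concrete for $f(x, y) = (P + x)^r (Q + y)^s - N$: its index set (the rectangle of Lemma 1 with $a = r$, $b = s$), the norm $W = \|f(xX, yY)\|_\infty$, and a Minkowski sum of index sets as in Definition 2. The small primes, the 6 unknown bits and the shift set `I_S` are constructed for illustration; `I_S` is not the set from Lemma 1.

```python
# Added illustration on a constructed toy instance (values are not from the paper).
from itertools import product
from math import comb

def expand_f(P, Q, N, r, s):
    """Coefficients c[(i, j)] of f(x, y) = (P + x)^r (Q + y)^s - N."""
    c = {(i, j): comb(r, i) * P ** (r - i) * comb(s, j) * Q ** (s - j)
         for i, j in product(range(r + 1), range(s + 1))}
    c[(0, 0)] -= N
    return c

def evaluate(c, x, y):
    return sum(v * x ** i * y ** j for (i, j), v in c.items())

def index_set(c):
    """Exponent pairs (i, j) of the monomials that actually occur in f."""
    return {ij for ij, v in c.items() if v != 0}

def scaled_terms(c, X, Y):
    """|c_ij| X^i Y^j, the coefficient sizes of f(xX, yY)."""
    return {(i, j): abs(v) * X ** i * Y ** j for (i, j), v in c.items()}

def minkowski_sum(A, B):
    """Standard Minkowski sum of two index sets: all pairwise sums."""
    return {(ia + ib, ja + jb) for ia, ja in A for ib, jb in B}

def demo():
    # Constructed inputs: two 20-bit primes, exponents (3, 2), 6 unknown low bits.
    p, q, r, s, k = 1000003, 999983, 3, 2, 6
    N = p ** r * q ** s
    P, Q = (p >> k) << k, (q >> k) << k
    X = Y = 1 << k                      # bounds on the unknown parts x, y

    c = expand_f(P, Q, N, r, s)
    I_f = index_set(c)
    rectangle = set(product(range(r + 1), range(s + 1)))

    terms = scaled_terms(c, X, Y)
    W_monomial = max(terms, key=terms.get)
    W = terms[W_monomial]               # W = ||f(xX, yY)||_inf

    I_S = set(product(range(2), range(2)))   # constructed shift set
    I_M = minkowski_sum(I_f, I_S)            # I_M = N(f) + I_S

    return {"P": P, "Q": Q, "X": X, "W": W, "W_monomial": W_monomial,
            "root_ok": evaluate(c, p - P, q - Q) == 0,
            "index_set_is_rectangle": I_f == rectangle,
            "I_M_size": len(I_M)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On this instance the maximum is attained at the monomial $x$, i.e. $W = r P^{r-1} Q^s X$, so the size of $W$ is set by the known approximations and the bound $X$ rather than by the binomial coefficients.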

B. USING ONE APPROXIMATION
We employ both $p = P + x$ and $q = Q + y$ for unknown variables $x, y$ bounded by $X = Y = N^{\eta}$ in Section III-A. But we observe that $W$ decreases when taking both $P$ and $Q$ into consideration and it may weaken the bound on $\eta$. Therefore, we try to explore the factoring attacks only with the help of $P$ or $Q$. More concretely, we try to solve $(P + x)^r y - N = 0$ without the knowledge of $Q$.
Proof: Let $f(x, y) = (P + x)^r y - N$ and we apply Theorem 3 with $\tilde{x} = P$, $c = r$, and $d = 1$ to obtain where the upper bounds are $X = N^{\eta}$, $Y = N^{\frac{s}{r+s}}$, and $W = \|f(xX, yY)\|_\infty = N$. Then we have It reduces to We set $\gamma = s$ to make the right side reach its maximum and then obtain The solution of roots $x, y$ implies the values of $p$ and $q$, respectively. So a fraction at least is required to recover $p$ and then factor $N$. The time complexity is polynomial in $\log W$, and it is also polynomial in $\log N$.
Similarly, we can solve $(P + x)^r y^s - N = 0$ via Theorem 3 for $\tilde{x} = P$, $c = r$, and $d = s$ with the upper bounds $X = N^{\eta}$, $Y = N^{\frac{1}{r+s}}$, and $W = \|f(xX, yY)\|_\infty = N$. We set $\gamma = 1$ in the proof and obtain It results in the same result as that in Theorem 6. When we consider using one approximation $P$ or $Q$, there also exist two integer equations $(Q + x)^s y - N = 0$ and $(Q + x)^s y^r - N = 0$. For completeness, we provide the result but do not discuss it in further comparison since it is a worse choice for $r \ge s$. For example, we apply Theorem 3 to solve $(Q + x)^s y - N = 0$ for $\tilde{x} = Q$, $c = s$, and $d = r$ with $X = N^{\eta}$, $Y = N^{\frac{r}{r+s}}$, and $W = N$. Setting $\gamma = r$, we obtain which means that a fraction at least is required to recover $q$ and then factor $N$.

IV. COMPARISON AND DISCUSSIONS
We show the comparison of our proposed attacks with existing techniques against schemes using RSA moduli $N = p^r q^s$ in Table 1. Our work is superior based on the comparison and covers several previous results.
Since the modular method is more efficient and simpler for some specific equations, solving modular equations is preferred when the same or even better attack results can be obtained. However, taking Theorem 4, Theorem 5, and Theorem 6 into consideration, the integer method shows its power for solving a generalized bivariate integer equation $(P + x)^r (Q + y)^s - N = 0$, which is involved in Theorem 4. We compare the required amounts of known MSBs derived from the integer method in Section III to conclude a unifying condition since the fractions of desired known bits differ when solving distinct integer equations. Our theoretical results and the unifying condition for factoring general RSA moduli with known bits are shown in Fig. 1. The respective fractions required for factoring general RSA moduli $N = p^r q^s$ with known bits and the corresponding solvable integer equations are summarized as follows.
• For the solvable equation $(P + x)^r (Q + y)^s - N = 0$ with $r \ge s \ge 1$, the required fraction given via Theorem 4 is √ rs
• For the solvable equations $(PQ + x)^s y - N = 0$ and $(PQ + x)^s y^{r-s} - N = 0$ with $1 \le s < r < 3s$, the required fraction given via Theorem 5 is
• For the solvable equations $(P + x)^r y - N = 0$ and $(P + x)^r y^s - N = 0$ with $r \ge s \ge 1$, the required fraction given via Theorem 6 is $\frac{s}{r+s}$.
We discuss the unifying condition further. For $N = pq$ with $r = s = 1$, we can apply Theorem 4 and Theorem 6. Our results cover that of [1] but we can provide more solvable equations. For the modified RSA modulus $N = p^r q$ with $r > 1$, $s = 1$, we can apply Theorem 6 since the required amount of known MSBs is least. Our results also cover those of [14] and [18]. However, for general RSA moduli $N = p^r q^s$ with arbitrary $r, s > 1$, we should compare the above three fractions to choose the best one. We show the comparison of the numerical values of the respective fractions for $r = 3, 4, 5, 6$ with various reasonable $s$'s in Table 2. It is shown that the best choice actually depends on both $r$, $s$ and their relation.
To be concrete, Theorem 4 is preferred for medium $s$ for a fixed $r$. Theorem 6 is more effective for small $s$ like $s = 1$ and Theorem 5 works better for large $s$ like $s = r - 1$. Furthermore, we identify the respective applicable ranges of $s$ along with the most suitable solvable equations for each theorem in Table 3. The results also include $s = 1$ that is considered as a special case of Theorem 6 if $\theta(r) < 1$. Additionally, the restrictions on each theorem are always satisfied. We further define two functions $\theta(r)$ and $\xi(r)$ for simplicity since the explicit forms are complicated to express.
Definition 3: Given a positive integer $r$, let $\theta(r)$ be the unique real root in $(0, 1)$ of the following equation which can be explicitly expressed as x = 3 27r 3 + (729r 6 + 108(r − 1) 3 r 3 ) Let $\xi(r)$ be the unique real root in $(0, 1)$ of the following equation which cannot be explicitly expressed but can be calculated by numerical methods. We list the numerical values of $\theta(r)$ and $\xi(r)$ for $r \le 9$ in Table 4. The results are applicable for all reasonable $(r, s)$ pairs if we let the cases when $s = 1$ for $r = 1, 2$ belong to Theorem 6. Finally, we derive a unifying condition for factoring general RSA moduli $N = p^r q^s$ with known bits. To explicitly understand our proposed factoring attacks, we list the theoretical required minimum number of prime bits for factoring various moduli $N = p^r q^s$ using the unifying condition in Table 5. We let both $p$ and $q$ be two $\ell$-bit primes for $\ell = 512$, $1024$, and $2048$ to make the illustration more realistic.
Though our proposed factoring attacks run in polynomial time, we further analyze the attack complexity. As our attacks are derived from the lattice-based method that relies on the LLL algorithm, the attack complexity is mainly dominated by the LLL algorithm [12]. We know that it terminates in time complexity $O(n^6 \log^3 B)$, where $n$ denotes the lattice dimension and $B$ denotes the maximal Euclidean norm of lattice vectors. Assume that we aim to factor $N = p^r q^s$ with known bits for $\ell$-bit primes and the proposed factoring attacks are conducted using an $n$-dimensional lattice; the maximal Euclidean norm $B$ of lattice vectors is approximately $p^{\sqrt[3]{n}}$ due to our lattice construction. Hence, the attack complexity is $O(n^6 \log^3 B) \approx O(n^6 (\sqrt[3]{n} \log p)^3) = O(n^7 \ell^3)$. The attack complexity is a roughly estimated upper bound since the LLL algorithm works better in practice.
We want to give a more accurate estimation of the execution time of our proposed factoring attacks based on the attack complexity. Considering the computing power of modern personal computers and the execution time of fundamental operations, we estimate that the complexity $O(10^{18})$ can be completed in one second. The execution time (recorded in seconds) and its corresponding attack complexity for conducting factoring attacks using an $n$-dimensional lattice are estimated in Table 6. Both $p$ and $q$ are assumed to be two 512-bit primes for simplicity. The symbol '∼' indicates that the execution time is at the given magnitude. Based on the observation of the estimated execution time, we would like to use a lattice whose dimension is less than 100 in our experiments for efficient validation.
Example 1: We provide the concrete choices for several RSA moduli with $1 \le r, s \le 9$ with respect to solvable integer equations as follows.
Proposition 1: We provide a unifying attack strategy for factoring general RSA moduli $N = p^r q^s$ with known bits with respect to a sufficiently large $s$ (satisfying $s \ll \log p$).

V. VALIDATION EXPERIMENTS
We provide the experimental results to check the validity of our proposed factoring attacks according to Theorem 4, Theorem 5, and Theorem 6, respectively. The experiments were conducted under Windows 10 running on a computer with a 3.10 GHz CPU and 8 GB RAM. We utilized the LLL algorithm available in SageMath [26]. The RSA instances were generated uniformly at random. To simulate practical factoring attacks on general RSA moduli $N = p^r q^s$ with known bits, we first randomly generated two $\ell$-bit primes. Then we calculated $N = p^r q^s$ for given parameters $r$ and $s$. The amount of known bits in MSBs of primes $p$ and $q$ was assumed as $u$ and hence the exposed MSBs, i.e., $P$ and $Q$, were computed based on $p$, $q$ and $u$. Finally, we could construct the above solvable integer equations like $(P + x)^r y - N = 0$, $(PQ + x)^s y - N = 0$, and $(P + x)^r (Q + y)^s - N = 0$. During the experiments, we chose a proper lattice setting for conducting the proposed factoring attacks. We could collect many polynomial equations satisfying our solvable requirements and hence extract the desired root, i.e., the unknown part of the primes, and then factor the given RSA moduli. The experimental results of our proposed factoring attacks are shown in Table 7. The '$u$'-column provides the experimental number of bits leading to successful factoring attacks. The '$u_t$'-column provides the theoretical required number of bits for conducting the proposed factoring attacks as stated in Table 5. The 'Theorem'-column and 'Equation'-column provide the specific theorem and solvable integer equation we used for the given practical instance in our factoring attacks. The corresponding lattice dimension is denoted by '$n$' and the running time is 'Time' (recorded in seconds).
We collected enough integer polynomials having the common root in each experiment. We took some of them to extract the common root and obtained the correct values in the unknown part of the primes, namely $x' = p - P$ or $y' = q - Q$. Thus, $p = P + x'$ and $q = Q + y'$ finally led to the factorization of $N$. Through the above experiments, we successfully verified the validity of our proposed factoring attacks. However, the experimental results are still several bits away from the theoretical ones when comparing $u$ with $u_t$ in Table 7. The reason may be that the lattice dimension is not large enough due to the limitation of computing resources.
From the observation of Table 7, we find that Theorem 4 works more efficiently than Theorem 5 and Theorem 6. Besides, Theorem 5 has the worst performance. More specifically, the experimental results of the factoring attacks induced by Theorem 4 are closest to the theoretical results. In contrast, the experimental results of the factoring attacks induced by Theorem 5 differ the most from the theoretical results. The running time meets our prediction for it as stated in Table 6. Moreover, we show the following example for numerical understanding.

TABLE 6. The execution time and its corresponding attack complexity for conducting factoring attacks with 512-bit primes using an n-dimensional lattice.

Example 2: We provide a toy example for factoring $N = p^2 q$ with known $P$ via Theorem 6. Two primes $p, q$ are set to 128 bits, which implies $\ell = 128$. Suppose that we are given known 52-bit MSBs, which implies $u = 52$. Note that the theoretical result for recovering the primes is $u_t = 43$. The toy RSA instance is listed as follows.
We then derive the solvable integer equation $(P + x)^2 y - N = 0$ with known parameters $N$ and $P$. We construct a 91-dimensional lattice for conducting the proposed factoring attack via Theorem 6. After nearly 37 seconds, we extract the root $(x', y')$ satisfying the above equation. The obtained root is listed as follows.
$x' = 35811068498785421000871$
$y' = 293590213774301270676454386402555434447$
Since we have $x' = p - P$ and $y' = q$, these two primes are computed as follows.
$p = 301958494768445181148100139329150517248$
One may check that $N = p^2 q$ does hold and hence we successfully factor the given modulus $N$.

VI. CONCLUSION
We revisited the factoring with known bits problem on general RSA moduli $N = p^r q^s$ with $r, s \ge 1$ for two primes $p, q$ of the same bit-size. To be specific, we examined the minimum amount of known MSBs of the primes required for factoring and derived the attack results based on solving generalized bivariate integer equations. We established a unifying condition on the required fraction of known MSBs for factoring $N = p^r q^s$. Our analysis identified one solution as superior for certain combinations of $(r, s)$, such as $p^3 q^2$, $p^5 q^3$, $p^7 q^4$, $p^8 q^5$, and $p^9 q^5$, when $s$ is of medium size relative to $r$. Theoretical analysis and experimental results were provided to verify the effectiveness of our proposed factoring attacks.
We demonstrated that the integer method is more powerful as it covers the majority of results derived from the modular method and provides new solvable integer equations for conducting factoring attacks. We hope that such an integer method can be applied to other problems involving the solution of generalized bivariate integer equations and yield even better results.