MIke, first of all it does not appear you read my RSA message, I mentioned M for this purpose (secret key mode) need not be p*q, could be merely a prime. Second, the way I had in mind to search for M depended on fact that if message (as integer) exceeds M, then modding by M would lose information. So this must be forbidden. Hence by binary search to see what is forbidden an attacker with black box access to crypto box could determine M. Third, even if you do not buy that (for example if crypto box permitted users to lose information and just silently screwed them in such an event), then still just by guessing M, whereupon the other stuff (secret exponents) could be determined by subexponential algorithms, that'd still be a way to break it using only half the guessing normally needed for a key that size, i.e. break time not 2^N but rather 2^(N/2)*subexponential(N). ---- Also, re my important remark at the end about how a 4-round Feistel network using discrete exponentials as frobbing functions could be a secret key cipher which I do not see how to break -- one could also do 6-round for a bit more safety, and here note there is no requirement that the message not exceed the modulus M because in this application losing a little information is OK. So any modulus M slightly smaller than 2^(#bits) could be used, for example if we wanted a 256-bit cryptosystem, use M = largest prime below 2^128, which would be M = 340282366920938463463374607431768211297. Mersenne prime M have the slight advantage that modding is especially easy. My Feistelized discrete exponential scheme would be extremely simply described and apparently also reasonable BUT would be slow compared to rival schemes, especially if "slow arithmetic" used in which case it would be asymptotically uncompetitive.