Known-plaintext attack of the Domingo-Feller's first privacy homomorphism scheme

We analyze Domingo-Feller's first privacy homomorphism scheme with known-plaintext attack As a result, it is possible to get the secret key if we blow two known plaintext-ciphertext pairs when modulus n is public, and three or more pairs are sufficient when modulus n is secret.