Article Open Access

A security analysis of two classes of RSA-like cryptosystems

  • Paul Cotan and George Teşeleanu
Published/Copyright: September 28, 2024

Abstract

Let $N = pq$ be the product of two balanced prime numbers $p$ and $q$. Elkamchouchi et al. (Extended RSA cryptosystem and digital signature schemes in the domain of Gaussian integers. In: ICCS 2002. vol. 1. IEEE Computer Society; 2002. p. 91–5.) introduced a Rivest-Shamir-Adleman (RSA)-like cryptosystem that uses the key equation $ed - k(p^2-1)(q^2-1) = 1$, instead of the classical RSA key equation $ed - k(p-1)(q-1) = 1$. Another variant of RSA, presented in Murru and Saettone (A novel RSA-like cryptosystem based on a generalization of the Rédei rational functions. In: NuTMiC 2017. vol. 10737 of Lecture Notes in Computer Science. Springer; 2017. p. 91–103), uses the key equation $ed - k(p^2+p+1)(q^2+q+1) = 1$. Despite the authors’ claims of enhanced security, both schemes remain vulnerable to adaptations of common RSA attacks. Let $n$ be an integer. This article proposes two families of RSA-like encryption schemes: one employs the key equation $ed - k(p^n-1)(q^n-1) = 1$ for $n > 0$, while the other uses $ed - k\,\dfrac{(p^n-1)(q^n-1)}{(p-1)(q-1)} = 1$ for $n > 1$. Note that we remove the conventional assumption of primes having equal bit sizes. In this scenario, we show that regardless of the choice of $n$, continued fraction-based attacks can still recover the secret exponent. Additionally, this work fills a gap in the literature by establishing an equivalent of Wiener’s attack when the primes do not have the same bit size.

MSC 2010: 94A60; 11A55

1 Introduction

In 1978, Rivest et al. [1] proposed one of the most popular and widely used cryptosystems, namely, Rivest-Shamir-Adleman (RSA). In the standard RSA encryption scheme, we work modulo an integer $N$, where $N$ is the product of two large prime numbers $p$ and $q$. Let $\varphi(N) = (p-1)(q-1)$ denote the Euler totient function. In order to encrypt a message $m < N$, we simply compute $c \equiv m^e \bmod N$, where $e$ is generated a priori such that $\gcd(e, \varphi(N)) = 1$. To decrypt, one needs to compute $m \equiv c^d \bmod N$, where $d \equiv e^{-1} \bmod \varphi(N)$. Note that $(N, e)$ are public, while $(p, q, d)$ are kept secret. In the standard version of RSA, also called balanced RSA, $p$ and $q$ are of the same bit-size such that $q < p < 2q$.

A frequently used method for speeding up decryption is to first compute $m_p \equiv c^{d_p} \bmod p$ and $m_q \equiv c^{d_q} \bmod q$, where $d_p \equiv d \bmod (p-1)$ and $d_q \equiv d \bmod (q-1)$. Then, using the Chinese remainder theorem (CRT), we can recover $m$ from $m_p$ and $m_q$. Shamir [2] remarked that if $m < q$, then it suffices to compute $m_q$, since $m = m_q$. Asymmetric encryption schemes are usually used to encapsulate keys for symmetric schemes, and thus, the restriction holds for most practical cases. To further speed up the process, Shamir proposed a variant of RSA, called the unbalanced RSA, where the bit size of $q$ is much smaller than that of $p$. As long as $q$ and $N$ are large enough to prevent factorization via the elliptic curve method (ECM) and the number field sieve (NFS), the unbalanced RSA is secure.

In 2002, Elkamchouchi et al. [3] extended the classical RSA scheme to the ring of Gaussian integers modulo $N$. A Gaussian integer modulo $N$ is a number of the form $a + bi$, where $a, b \in \mathbb{Z}_N$ and $i^2 = -1$. We denote the set of all Gaussian integers modulo $N$ by $\mathbb{Z}_N[i]$ and the totient function of $N$ by $\phi(N) = |\mathbb{Z}_N^*[i]| = (p^2-1)(q^2-1)$. To set up the public exponent, we require $\gcd(e, \phi(N)) = 1$. The corresponding private exponent is computed as $d \equiv e^{-1} \bmod \phi(N)$. Encryption of a message $m \in \mathbb{Z}_N[i]$ is obtained by computing $c \equiv m^e \bmod N$ and decryption by $m \equiv c^d \bmod N$. Note that the exponentiations are computed in the ring $\mathbb{Z}_N[i]$.

In 2017, Murru and Saettone introduced an RSA-like cryptosystem [4] that involves a special type of group composed of equivalence classes of polynomials from $GF(p^3) \times GF(q^3)$, where GF stands for the Galois field. Unlike the classical RSA scheme, they select the public exponent $e$ such that $\gcd(e, \psi(N)) = 1$, where $\psi(N) = (p^2+p+1)(q^2+q+1)$. The decryption exponent is then computed as $d \equiv e^{-1} \pmod{\psi(N)}$. Encryption and decryption follow a process similar to classical RSA, except that they employ this specific group instead of $\mathbb{Z}_N^*$.

The authors of both papers [3,4] claimed that their extension offers more security compared to the classical RSA. However, as elaborated in the following paragraphs, these assertions prove to be inaccurate. It is important to clarify that throughout the ensuing discussion, RSA refers to the classical RSA scheme.

1.1 Small private key attacks

In order to decrease decryption time, one may prefer to use a smaller $d$. Wiener [5] showed that this is not always a good idea. More exactly, in the case of RSA, if $d < N^{0.25}/3$, then one can retrieve $d$ from the continued fraction expansion of $e/N$ and thus factor $N$. Using a result developed by Coppersmith [6], Boneh and Durfee [7] improved Wiener’s bound to $N^{0.292}$. Later on, Herrmann and May [8] obtained the same bound, but using simpler techniques. A different approach was taken by Blömer and May [9], who generalized Wiener’s attack. More precisely, they showed that if there exist three integers $x$, $y$, and $z$ such that $ex - y\varphi(N) = z$, $x < N^{0.25}/3$, and $|z| < |ex|\,N^{-0.75}$, then the factorization of $N$ can be recovered. When an approximation $p_0$ of $p$ is known such that $|p - p_0| < N^{\delta}/8$ and $\delta < 0.5$, Nassr et al. [10] presented a method based on continued fractions for recovering $d$ when $d < N^{(1-\delta)/2}$.

In the case of Elkamchouchi et al.’s scheme, a series of small private key attacks have been developed. Initially, presented in the study by Bunder et al. [11], the attack made use of continued fractions. Subsequent improvements utilizing lattice reduction techniques were made in the studies by Peng et al. [12] and Zheng et al. [13], refining the attack’s efficiency and leading to a bound of $d < N^{0.585}$. A generalization of the attack presented in [11] to unbalanced prime numbers was presented in [14]. Considering the generic equation $ex - y\phi(N) = z$, Bunder et al. [15] described a method for factoring $N$ when $xy < 2N - 4\sqrt{2}\,N^{0.75}$ and $|z| < (p-q)\,N^{0.25}\,y$. An extension of the previous attack was proposed in the study of Nitaj et al. [16].

As for the Murru–Saettone scheme, it was shown in previous studies [17,18] that a Wiener-type attack remains effective. Utilizing continued fractions, the authors showed that when $d < N^{0.25}$, it is possible to factor $N$. Building upon the Boneh–Durfee method, Nitaj et al. [17] improved the bound to $N^{0.5694}$. Further advancements were made by Zheng et al. [19], achieving a tighter bound of $d < N^{0.585}$. Moreover, Nassr et al. [20] demonstrated a technique to recover $d$ when $p_0$ satisfies $|p - p_0| < N^{\delta}$ and $d < N^{(1-\delta)/2}$, where $\delta < 0.5$.

1.2 Multiple private keys attack

Let > 0 be an integer and i [ 1 , ] . When multiple large public keys e i N α are used with the same modulus N , Howgrave-Graham and Seifert [21] described an attack for RSA that recovers the corresponding small private exponents d i N β . This attack was later improved by Sarkar and Maitra [22], Aono [23], and Takayasu and Kunihiro [24]. The best known bound [24] is β < 1 2 ( 3 + 1 ) . Remark that when = 1 , we obtain the Boneh–Durfee bound.

The multiple private keys attack against the Elkamchouchi et al.’s cryptosystem was studied by Zheng et al. [13]. They derived a bound of β < 2 2 2 ( 3 + 1 ) , which is twice the bound obtained by Takayasu and Kunihiro [24]. Note that when = 1 , the bound equals 0.585.

Similarly, Shi et al. [25] studied the multiple private keys attack against the Murru–Saettone cryptosystem. They obtained a bound of β < 3 2 4 ( 3 + 1 ) , which is twice the bound derived by Aono [23]. It is worth noting that when = 1 , the bound is less than 0.585, suggesting the possibility of tighter bounds.

1.3 Partial key exposure attack

In this type of attack, the most or least significant bits of the private exponent d are known. Starting from these, an adversary can recover the entire RSA private key using the techniques presented by Boneh et al. [26]. The attack was later improved by Blömer and May [27], Ernst et al. [28], and Takayasu and Kunihiro [29]. The best known bound [29] is β < ( γ + 2 2 3 γ 2 ) 2 , where the attacker knows N γ leaked bits.

Zheng et al. [13] and Shi et al. [25] described a partial exposure attack that works in the case of the Elkamchouchi et al.’s scheme and the Murru–Saettone scheme. The bound they achieve is $\beta < \dfrac{3\gamma + 7 - 2\sqrt{3\gamma + 7}}{3}$. When $\gamma = 0$, the bound is close to 0.569, and thus, it remains an open problem how to optimize it.

1.4 Small prime difference attack

When the prime difference $p - q$ is small and certain conditions hold, de Weger [30] described two methods to recover $d$, one based on continued fractions and another on lattice reduction. These methods were further extended by Maitra and Sarkar [31,32] to $|\rho q - p|$, where $1 \le \rho \le 2$. Finally, Chen, Hsueh, and Lin generalized them further to $|\rho q - \varepsilon p|$, where $\rho$ and $\varepsilon$ have certain properties. The continued fraction method is additionally improved by Kamel Ariffin et al. [33].

The small prime difference attack against the Elkamchouchi et al.’s public key encryption scheme was studied by Cherkaoui-Semmouni et al. [34]. Note that when the common condition $p - q < N^{0.5}$ holds, their bound leads to the small private key bound $d < N^{0.585}$.

The de Weger attack was adapted to the Murru–Saettone public key encryption scheme by Nitaj et al. [35], Nassr et al. [20] and Shi et al. [25]. The best bounds for the continued fraction and lattice reduction methods are found in the study by Nitaj et al. [35]. The Maitra–Sarkar extension was studied only in the study by Nassr et al. [20].

1.5 Our contributions

We first remark that $\mathbb{Z}_p = \mathbb{Z}_p[t]/(t+1) = GF(p)$ and $\mathbb{Z}_p[i] = \mathbb{Z}_p[t]/(t^2+1) = GF(p^2)$, where GF stands for Galois field. Therefore, we can reinterpret the RSA scheme as working in the $GF(p) \times GF(q)$ group instead of $\mathbb{Z}_N$. Additionally, the Elkamchouchi et al.’s scheme is an extension to $GF(p^2) \times GF(q^2)$ instead of $\mathbb{Z}_N[i]$. This naturally leads to a generalization of RSA to $GF(p^n) \times GF(q^n)$, where $n \ge 1$. In this article, we introduce exactly this extension. Moreover, we generalize the Murru–Saettone scheme to equivalence classes of polynomials from $GF(p^n) \times GF(q^n)$, where $n > 1$. We wanted to see whether the common attacks presented in the introduction work only for $n = 1$ and $n = 2$ (RSA and Elkamchouchi et al.) or $n = 3$ (Murru–Saettone), or whether this is something that happens in general. In this study, we present several Wiener-type attacks that work for any $n$. More precisely, we prove that for any $p > q$, when $d < N^{0.25n}\,(q/p)^{0.5n}\,2^{-0.5n}$ or $d < N^{0.25}\,(q/p)^{0.25(n-1)}$, respectively, we can recover the secret exponent. Therefore, no matter how we instantiate the generalized version, a small private key attack will always succeed. In the case of the first family[1], we construct a probabilistic factorization algorithm once the group order is determined. For completeness, we also generalized Wiener’s attack to unbalanced prime numbers.

1.5.1 Previous work

The generalizations of Elkamchouchi et al.’s and Murru–Saettone encryption schemes, along with their corresponding attacks, were initially presented in the studies by Cotan and Teşeleanu [36] and [37], respectively. It is important to note that these versions specifically addressed the case of balanced prime numbers and did not consider the unbalanced scenario.

1.5.2 Structure of this article

We introduce in Section 2 notations and definitions used throughout this article. The necessary group theory is developed in Section 3. Inspired by Rivest et al., Elkamchouchi et al., and Murru and Saettone’s work [1,3,4], in Section 4, we construct two families of RSA-like cryptosystems. After proving several useful lemmas in Sections 5.1 and 6.1, we extend Wiener’s small private key attack in Sections 5.2 and 6.2. Discussions and conclusions are presented in Sections 7 and 8. Concrete instantiations of our classes of attacks are provided in Appendices A and B. For completeness, in Appendix C we generalize Wiener’s attack to the unbalanced RSA case, while in Appendix D, we provide a concrete example.

2 Preliminaries

Notations

Throughout this article, $\lambda$ denotes a security parameter. The notation $|S|$ denotes the cardinality of a set $S$. When $n$ is an integer, $|n|$ denotes the size of $n$ in bits. The set of integers $\{0, \ldots, a\}$ is further denoted by $[0, a]$. We use $\simeq$ to indicate that two values are approximately equal.

The Jacobi symbol of an integer $a$ modulo an integer $N$ is represented by $J_N(a)$. $J_N^+$ and $J_N^-$ denote the sets of integers modulo $N$ with Jacobi symbol $1$, respectively $-1$. Throughout this article, we let $QR_N$ be the set of quadratic residues modulo $N$.

2.1 Continued fraction

For any real number $\zeta$, there exists a unique sequence $(a_n)_n$ of integers such that

$$\zeta = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cfrac{1}{a_4 + \cdots}}}},$$

where $a_k > 0$ for any $k \ge 1$. This sequence represents the continued fraction expansion of $\zeta$ and is denoted by $\zeta = [a_0, a_1, a_2, \ldots]$. Remark that $\zeta$ is a rational number if and only if its corresponding representation as a continued fraction is finite.

For any real number $\zeta = [a_0, a_1, a_2, \ldots]$, the sequence of rational numbers $(A_n)_n$, obtained by truncating this continued fraction, $A_k = [a_0, a_1, a_2, \ldots, a_k]$, is called the convergent sequence of $\zeta$.

According to the study of Hardy and Wright [38], the following bound allows us to check if a rational number $u/v$ is a convergent of $\zeta$.

Theorem 2.1

Let $\zeta = [a_0, a_1, a_2, \ldots]$ be a positive real number. If $u$ and $v$ are positive integers such that $\gcd(u, v) = 1$ and

$$\left|\zeta - \frac{u}{v}\right| < \frac{1}{2v^2},$$

then $u/v$ is a convergent of $[a_0, a_1, a_2, \ldots]$.

2.2 Parameter selection

In an unbalanced RSA-type encryption scheme, in order to decrease decryption time, we lower the bit size of $q$ (denoted by $\lambda_q$) while preserving the bit size of $N$ (denoted by $\lambda_N$). Therefore, we have $\lambda_N = \lambda_p + \lambda_q$, where $\lambda_p = |p|$ and $\lambda_q \le \lambda_p$. Remark that when $\lambda_p = \lambda_q$, we obtain the balanced RSA-type encryption schemes.

The fastest currently known method for factoring composite numbers is the NFS algorithm [39]. The expected running time of the NFS depends on the size of the modulus N and not on the size of its factors. More precisely, the expected running time is approximately

$$L[N] = e^{1.923\,(\log N)^{1/3}\,(\log\log N)^{2/3}}.$$

Lenstra and Verheul [39,40] used the computational effort needed to factor a 512-bit modulus to extrapolate the running time required to factor a modulus of size $\lambda_N$. Therefore, a $\lambda_N$-bit modulus offers a security equivalent to a block cipher of $d$-bit security if

(1) $L[2^{\lambda_N}] \simeq 50 \cdot 2^{d-56}\, L[2^{512}]$.

Therefore, if we select a modulus size that offers protection against the NFS, decreasing the size of one of the factors does not increase the success probability of factoring N using the NFS. Unfortunately, lowering the bit size of q below a certain threshold can make the resulting encryption scheme vulnerable to the ECM algorithm [41]. Compared to the NFS, the ECM has the running time determined by the size of the smallest factor. More precisely, the running time of the ECM is

$$E[N, q] = (\log_2 N)^2\, e^{\sqrt{2 \log q \log\log q}}.$$

Similar to the NFS, Lenstra [42] extrapolated that the equivalent security is

(2) $E[2^{\lambda_N}, 2^{\lambda_q}] \simeq 80 \cdot 2^{d-56}\, E[2^{768}, 2^{167}]$.

Using equations (1) and (2), we can compute the following relation:

(3) $E[2^{\lambda_N}, 2^{\lambda_q}] \simeq 80 \cdot 2^{\log_2\left(L[2^{\lambda_N}] / (50\, L[2^{512}])\right)}\, E[2^{768}, 2^{167}]$.

Using known historical factoring records, Brent developed a different model [43] to predict the security against the NFS and the ECM. More specifically, Brent provided an equation[2] that links the number of digits $D_N$ and $D_q$ of the modulus and, respectively, the smallest prime factor to the year $Y$ when it is possible to factor the modulus using the NFS or the ECM. We further provide the updated equations [44] for the NFS

(4) $D_N^{1/3} = \dfrac{Y - 1926}{13.97}$ or equivalently $Y = 13.97\, D_N^{1/3} + 1926$

and for the ECM

(5) $D_q^{1/2} = \dfrac{Y - 1939}{8.207}$ or equivalently $Y = 8.207\, D_q^{1/2} + 1939$.

Using equations (4) and (5), we obtain the following relation:

(6) $D_q^{1/2} = \dfrac{13.97\, D_N^{1/3} - 13}{8.207}$.

According to NIST [45], if we choose $\lambda_N = 3{,}072$, $7{,}680$, or $15{,}360$, we can guarantee protection against the NFS at least until 2030. We chose to use NIST’s key lengths since the ones provided in the study by Lenstra and Verheul [39,40] are criticized as being too conservative [46]. Another argument for using the key sizes suggested by NIST is that these are the ones used by the industry. Therefore, using NIST’s recommendations, and equations (3) and (6), we can compute the size of the smallest prime that offers the same level of protection against the ECM. The results are presented in Table 1.

Table 1

Equivalent sizes of the smallest prime number

Modulus key size    3,072    7,680    15,360
Lenstra model         800    1,617     2,761
Regression model      749    1,457     2,385
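As an added worked instance (not from the paper) of how the regression-model row of Table 1 follows from equation (6), take $\lambda_N = 3{,}072$ and convert bits to decimal digits with $\log_{10} 2 \approx 0.30103$:

$$D_N = \lceil 3072 \cdot \log_{10} 2 \rceil = \lceil 924.8 \rceil = 925, \qquad D_N^{1/3} \approx 9.743,$$

$$D_q^{1/2} = \frac{13.97 \cdot 9.743 - 13}{8.207} \approx \frac{123.11}{8.207} \approx 15.0, \qquad D_q \approx 225 \text{ digits} \approx \frac{225}{\log_{10} 2} \approx 747 \text{ bits},$$

which matches the 749-bit entry up to the rounding of the fitted constants and of the digit counts. In other words, against the ECM a 3,072-bit modulus is only as strong as its smallest factor, so for this key size $q$ may be shrunk to roughly a quarter of $\lambda_N$ but no further.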

The following lemma provides some useful bounds for the largest prime factor.

Lemma 2.2

Let $p$ and $q$ be two primes such that $|p| = \lambda_p$ and $|q| = \lambda_q$. If $\lambda_p = \lambda_q + \lambda$, then

$$2^{\lambda-1} q < p < 2^{\lambda} q \quad\text{or}\quad 2^{\lambda} q < p < 2^{\lambda+1} q.$$

Proof

According to the statement, we have the following inequalities:

$$2^{\lambda_p} < p < 2^{\lambda_p + 1} \quad\text{and}\quad 2^{\lambda_q} < q < 2^{\lambda_q + 1}.$$

From the previous relations, we obtain the following:

$$p < 2^{\lambda_p + 1} = 2^{\lambda_q}\, 2^{\lambda + 1} < q\, 2^{\lambda + 1} \quad\text{and}\quad p > 2^{\lambda_p} = 2^{\lambda_q + 1}\, 2^{\lambda - 1} > q\, 2^{\lambda - 1},$$

as desired.□

Note that when $\lambda_p = \lambda_q$, according to Lemma 2.2, we obtain that $q < p < 2q$. To be consistent with the balanced case, we further assume, without loss of generality, that $\mu q < p < 2\mu q$. According to Lemma 2.2, we have either $\mu = 2^{\lambda - 1}$ or $\mu = 2^{\lambda}$.

3 Useful quotient groups

In the first part of this section, we will provide the mathematical theory needed to generalize Rivest, Shamir and Adleman, and the Elkamchouchi, Elshenawy, and Shaban encryption schemes. Therefore, let $(F, +, \cdot)$ be a field and $t^n - r$ an irreducible polynomial in $F[t]$. Then,

$$A_n = F[t]/(t^n - r) = \{a_0 + a_1 t + \cdots + a_{n-1} t^{n-1} \mid a_0, a_1, \ldots, a_{n-1} \in F\}$$

is the corresponding quotient field. Let $a(t), b(t) \in A_n$. Remark that the quotient field induces a natural product (in the sums below, coefficients with index $n$ or larger are taken to be zero)

$$a(t)\,b(t) = \sum_{i=0}^{n-1} a_i t^i \sum_{j=0}^{n-1} b_j t^j = \sum_{i=0}^{2n-2} \sum_{j=0}^{i} a_j b_{i-j}\, t^i = \sum_{i=0}^{n-1} \sum_{j=0}^{i} a_j b_{i-j}\, t^i + r \sum_{i=n}^{2n-2} \sum_{j=0}^{i} a_j b_{i-j}\, t^{i-n} = \sum_{i=0}^{n-2} \left( \sum_{j=0}^{i} a_j b_{i-j} + r \sum_{j=0}^{i+n} a_j b_{i+n-j} \right) t^i + \sum_{j=0}^{n-1} a_j b_{n-1-j}\, t^{n-1}.$$

In order to generalize the Murru and Saettone encryption scheme, we need to introduce another quotient group $B_n = A_n^* / F^*$. The elements from $B_n$ are equivalence classes of elements from $A_n^*$. More precisely, we have

$$[a_0 + \cdots + a_{n-1} t^{n-1}] = \{\gamma a_0 + \cdots + \gamma a_{n-1} t^{n-1} \mid \gamma \in F^*,\ a_0, \ldots, a_{n-1} \in F\},$$

where $[a_0 + \cdots + a_{n-1} t^{n-1}] \in B_n$.

Using Lagrange’s theorem [47], we obtain the following result about the cardinality of B n .

Lemma 3.1

The cardinality of $B_n$ is $\psi_n(F) = \dfrac{|F|^n - 1}{|F| - 1}$.

For completeness, we further provide the equivalence classes from $B_n$. Let $1_{F^*}$ be the unity of $F^*$. When $a_0 \ne 0$ and $a_1 = \cdots = a_{n-1} = 0$, we obtain that

$$[a_0 + \cdots + a_{n-1} t^{n-1}] = [a_0] = [a_0 a_0^{-1}] = [1_{F^*}].$$

If $a_1 \ne 0$ and $a_2 = \cdots = a_{n-1} = 0$, then

$$[a_0 + \cdots + a_{n-1} t^{n-1}] = [a_0 + a_1 t] = [a_0 a_1^{-1} + t].$$

From the previous two examples, we can deduce the general formula. For any $k \in [0, n-1]$, if $a_k \ne 0$ and $a_{k+1} = \cdots = a_{n-1} = 0$, then

$$[a_0 + \cdots + a_{n-1} t^{n-1}] = [a_0 + \cdots + a_k t^k] = [a_0 a_k^{-1} + a_1 a_k^{-1} t + \cdots + a_{k-1} a_k^{-1} t^{k-1} + t^k].$$

From the equivalence classes, we can infer the product induced by $B_n$, namely,

$$[a(t)]\,[b(t)] = [a(t)\,b(t)] = [c(t)] = [\alpha^{-1} c(t)],$$

where $\alpha$ is the leading coefficient of $c(t)$.

4 RSA-like unbalanced encryption schemes

4.1 Generalized Elkamchouchi et al.’s unbalanced scheme

Let $p$ be a prime number. When we instantiate $F = \mathbb{Z}_p$, we have that $A_n = GF(p^n)$ is the Galois field of order $p^n$. Moreover, $A_n^*$ is a cyclic group of order $\varphi_n(p) = p^n - 1$. Remark that an analogue of Fermat’s little theorem holds

$$a(t)^{\varphi_n(p)} \equiv 1,$$

where $a(t) \in A_n^*$ and the power is evaluated by multiplying $a(t)$ by itself $\varphi_n(p) - 1$ times. Therefore, we can build an encryption scheme that is similar to RSA using this product.

  • Setup($\lambda_p$, $\lambda_q$): Let $n > 1$ be an integer. Randomly generate two distinct large prime numbers $p$ and $q$ such that $|p| = \lambda_p$, $|q| = \lambda_q$ and compute their product $N = pq$. Select $r \in \mathbb{Z}_N$ such that the polynomial $t^n - r$ is irreducible in $\mathbb{Z}_p[t]$ and $\mathbb{Z}_q[t]$. Let

    $$\varphi_n(N) = (p^n - 1)(q^n - 1).$$

    Choose an integer $e$ such that $\gcd(e, \varphi_n(N)) = 1$, and compute $d$ such that $ed \equiv 1 \bmod \varphi_n(N)$. Output the public key $pk = (n, N, r, e)$. The corresponding secret key is $sk = (p, q, d)$.

  • Encrypt($pk$, $m$): To encrypt a message $m = (m_0, \ldots, m_{n-1}) \in \mathbb{Z}_N^n$, we first construct the polynomial $m(t) = m_0 + \cdots + m_{n-1} t^{n-1} \in A_n^*$, and then we compute $c(t) \equiv m(t)^e$. Output the ciphertext $c(t)$.

  • Decrypt($sk$, $c(t)$): To recover the message, simply compute $m(t) \equiv c(t)^d$ and reassemble $m = (m_0, \ldots, m_{n-1})$.

Remark

When $n = 1$, we obtain the RSA scheme [1]. Also, when $n = 2$ and $\lambda_p = \lambda_q$, we obtain the Elkamchouchi et al.’s cryptosystem [3].

Remark

When $m_1 = m_2 = \cdots = m_{n-1} = 0$, encryption is reduced to $c(t) = m_0^e \bmod N$. Therefore, everything is computed in $\mathbb{Z}_N$, as in the classical RSA scheme, due to all other message components being zero.

4.2 Generalized Murru and Saettone unbalanced scheme

In this case, we use the group $B_n$ instead of $A_n$. Therefore, when we instantiate $F = \mathbb{Z}_p$, we obtain that $B_n$ is a cyclic group of order $\psi_n(p) = \dfrac{p^n - 1}{p - 1}$. Note that an analogue of Fermat’s little theorem also exists in this case, namely,

$$[a(t)]^{\psi_n(\mathbb{Z}_p)} \equiv [1],$$

where $[a(t)] \in B_n$ and the power is evaluated by multiplying $[a(t)]$ by itself $\psi_n(p) - 1$ times. Hence, we can build an encryption scheme that is similar to RSA using this product. Note that the equivalence class $[0]$ contains all the polynomials that are either divisible by $t^n - r$ or have all their coefficients divisible by $p$.

  • Setup($\lambda_p$, $\lambda_q$): Let $n > 1$ be an integer. Randomly generate two distinct large prime numbers $p$ and $q$ such that $|p| = \lambda_p$, $|q| = \lambda_q$, and compute their product $N = pq$. Select $r$ such that the polynomial $t^n - r$ is irreducible in $\mathbb{Z}_N[t]$. Let

    $$\psi_n(N) = \frac{p^n - 1}{p - 1} \cdot \frac{q^n - 1}{q - 1}.$$

    Choose an integer $e$ such that $\gcd(e, \psi_n(N)) = 1$, and compute $d$ such that $ed \equiv 1 \bmod \psi_n(N)$. Output the public key $pk = (n, N, r, e)$. The corresponding secret key is $sk = (p, q, d)$.

  • Encrypt($pk$, $m$): To encrypt a message $m = (m_0, \ldots, m_{n-2}) \in \mathbb{Z}_N^{n-1}$, we first construct the polynomial $m(t) = m_0 + \cdots + m_{n-2} t^{n-2} + t^{n-1} \in B_n$, and then we compute $c(t) \equiv [m(t)]^e$. Output the ciphertext $c(t)$.

  • Decrypt($sk$, $c(t)$): To recover the message, simply compute $m(t) \equiv [c(t)]^d$ and reassemble $m = (m_0, \ldots, m_{n-2})$.

Remark

When $\lambda_p = \lambda_q$ and $n = 3$, we obtain the Murru and Saettone cryptosystem [4].

Remark

The group $B_n$ has been used to define ElGamal-based cryptosystems as well. For more details, we refer the reader to the studies of Alecci et al. [48] and Dutto [49] for the cases $n = 2$ and $n = 3$, respectively.

4.3 Optimizations

In this section, we present a possible optimization for the generalized Murru and Saettone scheme. We focus solely on this family, as the underlying group is more intricate. A similar optimization is also feasible for the generalized Elkamchouchi et al.’s scheme. The main differences lie in changing the equivalence classes, and we work with $\varphi_n$ instead of $\psi_n$.

Therefore, to efficiently decrypt the message, we first have to compute $m_p(t) \equiv [c(t)]^{d_p} \bmod p$ and $m_q(t) \equiv [c(t)]^{d_q} \bmod q$, where $d_p \equiv d \bmod \psi_n(p)$ and $d_q \equiv d \bmod \psi_n(q)$. Then, we can use the CRT to recover $m$ from $m_p$ and $m_q$. If $m \in \mathbb{Z}_N^{n-1}$, then this procedure makes sense only when $\lambda_p = \lambda_q$. In the practical case of key wrapping, the coefficients of $m(t)$ are strictly smaller than $q$ (i.e., $m_i \in [0, 2^{\lambda_k}]$, where $\lambda_k < \lambda_q$), and thus it is sufficient to compute only $m_q(t) \equiv [c(t)]^{d_q} \bmod q$. Also, in this case, using the equivalent sizes of $q$ provided in Table 1, we obtain a significant speed-up for decryption compared to the balanced case.

Note that we must always set the parameter $\lambda_k$ in the Setup phase and make it public. Also, in the Decrypt phase, after recovering $m$, we must always check that $m_i \in [0, 2^{\lambda_k}]$ for all $i$. If this is not true, then we must discard the message. In the following paragraphs, we will provide the technical details for setting these restrictions.

If we do not check whether $m_i \in [0, 2^{\lambda_k}]$, then the following chosen ciphertext attack is possible. The attacker chooses a message $m$ such that $m > q$ and he encrypts it. Let $c(t)$ denote the corresponding ciphertext. When the recipient decrypts $c(t)$, he obtains $[m'(t)] \equiv [m(t)] \bmod q$. Once the attacker has access[3] to $m'(t)$, he computes $\gcd(m_0 - m_0', N)$ and obtains the factorization of $N$. To check that he truly obtains $q$, we observe that $[m'(t)] \equiv [m(t)] \bmod q$ leads to $[m(t) - m'(t)] \equiv 0 \bmod q$. Then, either $t^n - r \mid m(t) - m'(t)$ or $q \mid m_i - m_i'$ for all $i$. Since both messages have degree less than $n$, we have that $q \mid m_i - m_i'$ for all $i$. Therefore, we obtain

$$\gcd(m_0 - m_0', N) = \gcd(aq, pq) = q,$$

as desired.

If we only check internally that $m_i < q$, then the attacker can probe[4] the recipient and reveal $q$. In order to do that, he sets $m_i = 0$ for $i > 0$ and sets $m_0$ randomly. If the message is discarded, then the attacker knows that $q < m_0$; otherwise, $m_0 < q$. Once the attacker knows a lower and an upper bound of $q$, he can do a binary search and locate $q$.

Remark

Attacks similar to those presented earlier are described in the study by Gilbert et al. [50] for the unbalanced RSA and in the study by Joye et al. [51] for the Okamoto–Uchiyama scheme.

5 Attacking the generalized Elkamchouchi et al.’s unbalanced scheme

5.1 Useful lemmas

In this section, we provide a few useful properties of $\varphi_n(N)$. Before starting our analysis, we first note that plugging $q = N/p$ in $\varphi_n(N)$ leads to the following function:

$$f_n(p) = N^n - p^n - \frac{N^n}{p^n} + 1,$$

with $p$ as a variable. The next result tells us that, under certain conditions, $f_n$ is a strictly decreasing function.

Proposition 5.1

Let $N$ be a positive integer. Then, for any integer $n > 1$ and $\sqrt{N} \le x < N$, we have that the function

$$f_n(x) = N^n - x^n - \frac{N^n}{x^n} + 1$$

is strictly decreasing in $x$.

Proof

Computing the derivative of $f_n$, we have that

$$f_n'(x) = n\left(-x^{n-1} + \frac{N^n}{x^{n+1}}\right).$$

Using $x \ge \sqrt{N}$, we obtain that

$$x^{2n} > N^n \implies x^{n-1} > \frac{N^n}{x^{n+1}} \implies f_n'(x) < 0,$$

and therefore, we have that $f_n$ is a strictly decreasing function.□

Using the following lemma, we will compute a lower and upper bound for φ n ( N ) .

Lemma 5.2

Let $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. Then, the following property holds:

$$\sqrt{\mu N} < p < \sqrt{2\mu N} \quad\text{and}\quad \frac{\sqrt{2\mu N}}{2\mu} < q < \frac{\sqrt{\mu N}}{\mu}.$$

Proof

Multiplying $\mu q < p < 2\mu q$ with $p$, we obtain $\mu N < p^2 < 2\mu N$. This is equivalent to $\sqrt{\mu N} < p < \sqrt{2\mu N}$. Since $q = N/p$, the previous relation becomes $\sqrt{N/(2\mu)} < q < \sqrt{N/\mu}$, and thus, we conclude our proof.□

When $\mu = 1$, the following result proven in the study by Nitaj [52] becomes a special case of Lemma 5.2.

Corollary 5.2.1

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then, the following property holds:

$$\frac{\sqrt{2}}{2}\sqrt{N} < q < \sqrt{N} < p < \sqrt{2N}.$$

Corollary 5.2.2

Let $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. Then, the following property holds:

$$N^n - (\sqrt{\mu N})^n - \frac{(\sqrt{\mu N})^n}{\mu^n} + 1 > \varphi_n(N) > N^n - (\sqrt{2\mu N})^n - \frac{(\sqrt{2\mu N})^n}{(2\mu)^n} + 1.$$

Proof

By Lemma 5.2, we have that

$$\sqrt{\mu N} < p < \sqrt{2\mu N},$$

which, according to Proposition 5.1, leads to

$$f_n(\sqrt{\mu N}) > f_n(p) > f_n(\sqrt{2\mu N}).$$

This is equivalent to our desired inequality.□

For $\mu = 1$, when $n = 1$ and $n = 2$, the following results proven in previous studies [53] and [11], respectively, become special cases of Corollary 5.2.2.

Corollary 5.2.3

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then, the following property holds:

$$(\sqrt{N} - 1)^2 > \varphi_1(N) > N + 1 - \frac{3}{\sqrt{2}}\sqrt{N}.$$

Corollary 5.2.4

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then, the following property holds:

$$(N - 1)^2 > \varphi_2(N) > N^2 + 1 - \frac{5}{2}N.$$

We can use Corollary 5.2.2 to find a useful approximation of $\varphi_n$. This result will be useful when devising the attack against the generalized RSA scheme.

Proposition 5.3

Let $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. We define

$$\varphi_{n,0}(N) = \frac{1}{2}\left[N^n - (\sqrt{\mu N})^n - \frac{(\sqrt{\mu N})^n}{\mu^n} + 1\right] + \frac{1}{2}\left[N^n - (\sqrt{2\mu N})^n - \frac{(\sqrt{2\mu N})^n}{(2\mu)^n} + 1\right].$$

Then, the following holds:

$$\left|\varphi_n(N) - \varphi_{n,0}(N)\right| < \frac{\Delta_n^E}{2}\sqrt{N^n},$$

where

$$\Delta_n^E = \frac{\mu^n(2^n - \sqrt{2^n}) - \sqrt{2^n} + 1}{\sqrt{(2\mu)^n}}.$$

Proof

According to Corollary 5.2.2, $\varphi_{n,0}(N)$ is the mean value of the lower and upper bound. The following property holds:

$$\left|\varphi_n(N) - \varphi_{n,0}(N)\right| < \frac{1}{2}\left[N^n - (\sqrt{\mu N})^n - \frac{(\sqrt{\mu N})^n}{\mu^n} + 1 - N^n + (\sqrt{2\mu N})^n + \frac{(\sqrt{2\mu N})^n}{(2\mu)^n} - 1\right] = \frac{1}{2}\sqrt{N^n}\left[-\sqrt{\mu^n} - \frac{1}{\sqrt{\mu^n}} + \sqrt{(2\mu)^n} + \frac{1}{\sqrt{(2\mu)^n}}\right] = \frac{\Delta_n^E}{2}\sqrt{N^n},$$

as desired.□

For $\mu = 1$, when $n = 1$ and $n = 2$, the following properties presented in previous studies [53] and [11], respectively, become special cases of Proposition 5.3.

Corollary 5.3.1

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then, the following holds:

$$\left|\varphi_1(N) - \varphi_{1,0}(N)\right| < \frac{3 - 2\sqrt{2}}{2\sqrt{2}}\sqrt{N}.$$

Corollary 5.3.2

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then, the following holds:

$$\left|\varphi_2(N) - \varphi_{2,0}(N)\right| < \frac{1}{4}N.$$

5.2 Application of continued fractions

We further provide an upper bound for selecting $d$ such that we can use the continued fraction algorithm to recover $d$ without knowing the factorization of the modulus $N$.

Theorem 5.4

Let $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. If $e < \varphi_n(N)$ satisfies $ed - k\varphi_n(N) = 1$ with

(7) $d < \sqrt{\dfrac{N^n\left(\sqrt{N^n} - \delta_n^E\right)}{e\,\Delta_n^E}}$,

where

$$\delta_n^E = \frac{4\sqrt{(2\mu)^n}}{\mu^n(2^n - \sqrt{2^n}) - \sqrt{2^n} + 1} + \frac{2\left[(2\mu)^n + 1\right]}{\sqrt{(2\mu)^n}},$$

then we can recover $d$ in polynomial time.

Proof

Since $ed - k\varphi_n(N) = 1$, we have that

$$\left|\frac{k}{d} - \frac{e}{\varphi_{n,0}(N)}\right| \le e\left|\frac{1}{\varphi_{n,0}(N)} - \frac{1}{\varphi_n(N)}\right| + \left|\frac{e}{\varphi_n(N)} - \frac{k}{d}\right| = e\,\frac{\left|\varphi_n(N) - \varphi_{n,0}(N)\right|}{\varphi_{n,0}(N)\,\varphi_n(N)} + \frac{1}{\varphi_n(N)\,d}.$$

Let $\varepsilon_n = N^n - \dfrac{\sqrt{N^n}\left((2\mu)^n + 1\right)}{\sqrt{(2\mu)^n}} + 1$. Using $d = (k\varphi_n(N) + 1)/e$ and Proposition 5.3, we obtain

$$\left|\frac{k}{d} - \frac{e}{\varphi_{n,0}(N)}\right| \le \frac{\Delta_n^E}{2}\,\frac{e\sqrt{N^n}}{\varphi_{n,0}(N)\,\varphi_n(N)} + \frac{e}{\varphi_n(N)\left(k\varphi_n(N) + 1\right)} \le \frac{e\sqrt{N^n}\left(\mu^n(2^n - \sqrt{2^n}) - \sqrt{2^n} + 1\right)}{2\sqrt{(2\mu)^n}\,\varepsilon_n^2} + \frac{e}{\varepsilon_n\left(k\varepsilon_n + 1\right)} \le \frac{e\sqrt{N^n}\left(\mu^n(2^n - \sqrt{2^n}) - \sqrt{2^n} + 1\right)}{2\sqrt{(2\mu)^n}\,\varepsilon_n^2} + \frac{e}{\varepsilon_n^2} = \frac{e\left[\sqrt{N^n}\left(\mu^n(2^n - \sqrt{2^n}) - \sqrt{2^n} + 1\right) + 2\sqrt{(2\mu)^n}\right]}{2\sqrt{(2\mu)^n}\,\varepsilon_n^2} \le \frac{e\left[\sqrt{N^n}\left(\mu^n(2^n - \sqrt{2^n}) - \sqrt{2^n} + 1\right) + 2\sqrt{(2\mu)^n}\right]}{2\sqrt{(2\mu)^n}\left(N^n - \sqrt{N^n}\,\dfrac{(2\mu)^n + 1}{\sqrt{(2\mu)^n}}\right)^2}.$$

Note that

$$\frac{\sqrt{N^n}\left(\mu^n(2^n - \sqrt{2^n}) - \sqrt{2^n} + 1\right) + 2\sqrt{(2\mu)^n}}{2\sqrt{(2\mu)^n}\left(N^n - \sqrt{N^n}\,\dfrac{(2\mu)^n + 1}{\sqrt{(2\mu)^n}}\right)^2} = \frac{\left(\mu^n(2^n - \sqrt{2^n}) - \sqrt{2^n} + 1\right)\left[\sqrt{N^n} + \dfrac{2\sqrt{(2\mu)^n}}{\mu^n(2^n - \sqrt{2^n}) - \sqrt{2^n} + 1}\right]}{2\sqrt{(2\mu)^n}\,N^n\left(\sqrt{N^n} - \dfrac{(2\mu)^n + 1}{\sqrt{(2\mu)^n}}\right)^2} \le \frac{\Delta_n^E}{2N^n\left(\sqrt{N^n} - \delta_n^E\right)},$$

which leads to

$$\left|\frac{k}{d} - \frac{e}{\varphi_{n,0}(N)}\right| \le \frac{e\,\Delta_n^E}{2N^n\left(\sqrt{N^n} - \delta_n^E\right)} < \frac{1}{2d^2}.$$

Using Theorem 2.1, we obtain that $k/d$ is a convergent of the continued fraction expansion of $e/\varphi_{n,0}(N)$. Therefore, $d$ can be recovered in polynomial time.□
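As an added example (our own code, not the paper’s), the following Python instantiates the Section 4.1 scheme over $\mathbb{Z}_N[t]/(t^n - r)$ with toy unbalanced primes and then runs the Theorem 5.4 attack: the convergents of $e/\varphi_{n,0}(N)$ recover a small $d$ using only the public key and the public bit sizes $\lambda_p$, $\lambda_q$. The 36–48-bit primes, $n \in \{2, 3\}$ and the test plaintext are assumptions made for speed; $n$ is kept prime so that irreducibility of $t^n - r$ reduces to $r$ not being an $n$-th power modulo $p$ and modulo $q$ (a textbook criterion, not from the paper).

```python
from math import gcd, isqrt
import random

def is_prime(x):
    """Deterministic Miller-Rabin, valid for the toy sizes used here (x < 3.3e24)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if x < 2:
        return False
    if x in bases:
        return True
    d, s = x - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        y = pow(b, d, x)
        if y in (1, x - 1):
            continue
        for _ in range(s - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True

def poly_mul(a, b, n, r, N):
    """Product in A_n = Z_N[t]/(t^n - r): a term t^(i+j) with i+j >= n folds back as r*t^(i+j-n)."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j >= n:
                c[i + j - n] = (c[i + j - n] + ai * bj * r) % N
            else:
                c[i + j] = (c[i + j] + ai * bj) % N
    return c

def poly_pow(a, exp, n, r, N):
    """Square-and-multiply in A_n; [1, 0, ..., 0] is the unity."""
    result, base = [1] + [0] * (n - 1), list(a)
    while exp:
        if exp & 1:
            result = poly_mul(result, base, n, r, N)
        base = poly_mul(base, base, n, r, N)
        exp >>= 1
    return result

def keygen(n, bits_p, bits_q, d_bits, rng):
    """Setup of Section 4.1 with a deliberately small d; n is assumed prime (see lead-in)."""
    def prime(bits):
        while True:                        # p, q = 1 (mod n) so that n-th power non-residues exist
            x = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if x % n == 1 and is_prime(x):
                return x
    p, q = prime(bits_p), prime(bits_q)
    if p < q:
        p, q = q, p                        # the paper assumes p > q
    N = p * q
    while True:                            # t^n - r irreducible mod p and mod q (n prime) iff
        r = rng.randrange(2, N)            # r is not an n-th power in either prime field
        if r % p and r % q and pow(r, (p - 1) // n, p) != 1 and pow(r, (q - 1) // n, q) != 1:
            break
    phi = (p ** n - 1) * (q ** n - 1)      # phi_n(N), the order of A_n^*
    while True:
        d = rng.getrandbits(d_bits) | (1 << (d_bits - 1)) | 1
        if gcd(d, phi) == 1:
            break
    return (n, N, r, pow(d, -1, phi)), (p, q, d)

def phi_approx(N, n, mu):
    """phi_{n,0}(N) of Proposition 5.3: mean of f_n(sqrt(mu N)) and f_n(sqrt(2 mu N))."""
    def f(x):                              # f_n(x) = N^n - x^n - N^n / x^n + 1 (Section 5.1)
        return N ** n - x ** n - N ** n // x ** n + 1
    return (f(isqrt(mu * N)) + f(isqrt(2 * mu * N))) // 2

def convergents(num, den):
    """Successive convergents h/k of the continued fraction of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a, (num, den) = num // den, (den, num % den)
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1

def recover_d(pk, lam_p, lam_q):
    """Theorem 5.4 from public data only: k/d is a convergent of e/phi_{n,0}(N)."""
    n, N, r, e = pk
    lam = lam_p - lam_q                    # Lemma 2.2: mu is 2^(lam-1) or 2^lam; try both
    m = [5, 7] + [0] * (n - 2)             # constructed test plaintext; confirms a candidate d
    c = poly_pow(m, e, n, r, N)
    for mu in ([1] if lam == 0 else [1 << (lam - 1), 1 << lam]):
        for k, d in convergents(e, phi_approx(N, n, mu)):
            if k and poly_pow(c, d, n, r, N) == m:
                return d
    return None

def demo(n, bits_p, bits_q, d_bits, seed=1):
    """Return (true d, recovered d) for one toy key; |p| = bit length - 1 as in Lemma 2.2."""
    rng = random.Random(seed)
    pk, (p, q, d) = keygen(n, bits_p, bits_q, d_bits, rng)
    return d, recover_d(pk, p.bit_length() - 1, q.bit_length() - 1)
```

`demo(2, 48, 36, 12)` exercises the unbalanced case and `demo(3, 40, 40, 20)` the balanced one; raising `d_bits` past the Corollary 5.4.5 bound makes `recover_d` return `None`, which is the whole point of keeping $d$ large.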

In the case of unbalanced RSA (i.e., $n = 1$), when $e$ is large enough, Theorem 5.4 is simplified into the following corollary. We achieve a tighter bound in Appendix C, where we directly generalize Wiener’s attack [5,54].

Corollary 5.4.1

Let $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. If we approximate $e \approx N^n$, then Theorem 5.4 is equivalent to

d < ( μ N ) 0.25 μ ( 2 1 ) 1 .

Corollary 5.4.2

Let $\alpha < 1.5n$ and $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. If we approximate $e \approx N^\alpha$, $N \approx 2^{\lambda_N}$, and $\mu \approx 2^\lambda$, then equation (7) becomes

d < 2 0.5 ( n α ) λ N 2 0.5 n λ N δ n E Δ n E < 2 0.5 ( 1.5 n α ) λ N Δ n E

or equivalently,

log 2 ( d ) < 0.5 ( 1.5 n α ) λ N log 2 ( Δ n E ) 0.5 ( 1.5 n α ) λ N 0.5 n ( λ + 1 ) .

Proof

From the definition of Δ n E , we obtain that

Δ n E = μ n ( 2 n 2 n ) 2 n + 1 2 μ n 2 n λ ( 2 n 2 n ) 2 n + 1 2 n ( λ + 1 ) 2 2 n ( λ + 1 ) 2 ,

as desired.□

When μ = 1 , the following properties presented in the study by Bunder and Tonien [53] ( n = 1 ) and those in the study by Bunder et al. [11] ( n = 2 ) become special cases of Corollary 5.4.2. Note that when n = α = 1 , we obtain roughly the same margin as Wiener [5,54] obtained for the classical RSA.

Corollary 5.4.3

Let $\alpha < 1.5$ and $N = pq$ be the product of two unknown primes with $q < p < 2q$. If we approximate $e \approx N^\alpha$ and $N \approx 2^{\lambda_N}$, then equation (7) is equivalent to

log 2 ( d ) < 0.5 ( 1.5 α ) λ N 0.25 + 1.27 0.5 ( 1.5 α ) λ N .

Corollary 5.4.4

Let $\alpha < 3$ and $N = pq$ be the product of two unknown primes with $q < p < 2q$. If we approximate $e \approx N^\alpha$ and $N \approx 2^{\lambda_N}$, then equation (7) is equivalent to

log 2 ( d ) < 0.5 ( 3 α ) λ N 0.5 0.5 ( 3 α ) λ N .

Corollary 5.4.5

Let $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. If we approximate $e \approx N^n$ and $N \approx 2^{\lambda_N}$, then equation (7) is equivalent to

log 2 ( d ) < 0.25 n λ N log 2 ( Δ n E ) 0.25 n λ N 0.5 n ( λ + 1 ) .

We further provide a theorem that allows us to devise a probabilistic algorithm for factoring the modulus N once φ n ( N ) is known.

Theorem 5.5

Let N = p q be an RSA-modulus. If φ n ( N ) = ( p n 1 ) ( q n 1 ) is known, then one can find primes p and q.

Proof

Consider $a \in J_N^-$ and $b \in J_N^+ \setminus QR_N$. Without loss of generality, we can assume that $J_p(a) = 1$ and $J_q(a) = -1$, which is equivalent to

$$ a^{\frac{p-1}{2}} \equiv 1 \pmod p \quad\text{and}\quad a^{\frac{q-1}{2}} \equiv -1 \pmod q . $$

Remark that for any odd $t \in \mathbb{Z}$, the properties

$$ a^{\frac{t(p-1)}{2}} \equiv 1 \pmod p \quad\text{and}\quad a^{\frac{t(q-1)}{2}} \equiv -1 \pmod q $$

hold. Equivalent equations can be obtained for $b$, for which $J_p(b) = J_q(b) = -1$.

Using Section 4.1 and noting that $\frac{q-1}{2}$ divides $\frac{(p^n-1)(q^n-1)}{4}$, we consider $u_1, u_2, t_1, t_2, v \in \mathbb{N}$ such that

$$ u_1 \cdot 2^v \cdot \frac{p-1}{2^{t_1}} = u_2 \cdot 2^v \cdot \frac{q-1}{2^{t_2}} = \frac{(p^n-1)(q^n-1)}{4} , $$

where $u_1$, $u_2$, $\frac{p-1}{2^{t_1}}$, $\frac{q-1}{2^{t_2}}$ are odd numbers. Thus, naturally, we obtain

$$ a^{\frac{u_2(q-1)}{2}} \equiv -1 \pmod q \iff a^{\frac{u_2(q-1)}{2}} + 1 \equiv 0 \pmod q , $$
$$ b^{\frac{u_1(p-1)}{2}} \equiv -1 \pmod p \iff b^{\frac{u_1(p-1)}{2}} + 1 \equiv 0 \pmod p , $$
$$ b^{\frac{u_2(q-1)}{2}} \equiv -1 \pmod q \iff b^{\frac{u_2(q-1)}{2}} + 1 \equiv 0 \pmod q . $$

We want to prove that either

$$ a^{\frac{u_2(q-1)}{2}} + 1 \not\equiv 0 \pmod p \quad\text{or}\quad b^{\frac{u_1(p-1)}{2}} + 1 \not\equiv 0 \pmod q . $$

We further consider the following cases:

  1. If $t_1 = t_2$, then

    $$ a^{\frac{u_2(q-1)}{2}} \equiv a^{\frac{u_1(p-1)}{2}} \equiv 1 \pmod p , $$

    which implies

    $$ a^{\frac{u_2(q-1)}{2}} + 1 \equiv 2 \not\equiv 0 \pmod p . $$

  2. Note that

    $$ (8)\qquad a^{\frac{u_2(q-1)}{2^{t_2}}} = a^{\frac{u_1(p-1)}{2^{t_1}}} . $$

    If $t_1 < t_2$, then raising both sides of equation (8) to the power $2^{t_2 - 1}$, we obtain

    $$ a^{\frac{u_2(q-1)}{2}} \equiv a^{u_1(p-1)\,2^{t_2 - t_1 - 1}} \equiv \left( a^{\frac{u_1(p-1)}{2}} \right)^{2^{t_2 - t_1}} \equiv 1 \pmod p . $$

  3. Note that

    $$ (9)\qquad b^{\frac{u_1(p-1)}{2^{t_1}}} = b^{\frac{u_2(q-1)}{2^{t_2}}} . $$

    If $t_1 > t_2$, then raising both sides of equation (9) to the power $2^{t_1 - 1}$, we obtain

    $$ b^{\frac{u_1(p-1)}{2}} \equiv b^{u_2(q-1)\,2^{t_1 - t_2 - 1}} \equiv \left( b^{\frac{u_2(q-1)}{2}} \right)^{2^{t_1 - t_2}} \equiv 1 \pmod q . $$

Taking into account the previous arguments, we conclude that by computing either

$$ y = a^{\frac{u_2(q-1)}{2}} + 1 \pmod N \quad\text{or}\quad z = b^{\frac{u_1(p-1)}{2}} + 1 \pmod N $$

and evaluating $\gcd(y, N)$ or $\gcd(z, N)$, respectively, allows us to determine one of the factors $q$ or $p$.□

Algorithm 1: Factoring the modulus when the order of the group is known
Input: A composite number N and φ_n(N).
Output: The prime factors p and q.
1   while 1 ≠ 0 do
2       a ←$ J_N^-, b ←$ J_N^+
3       while φ mod 2 = 0 do
4           φ ← φ/2
5           y_1 ← a^φ + 1 mod N
6           y_2 ← b^φ + 1 mod N
7           d_1 ← gcd(y_1, N)
8           d_2 ← gcd(y_2, N)
9           if y_1 ≠ 0 and d_1 ≠ 1 then return d_1, N/d_1
10          if y_2 ≠ 0 and d_2 ≠ 1 then return d_2, N/d_2

Remark

Before stating our proposed factoring algorithm, some remarks are in place:

  1. In the third case of the previous proof, one could consider an element $x \in \mathbb{Z}_N$ satisfying $J_p(x) = -1$ and $J_q(x) = 1$, and the proof would proceed similarly to the second case.

  2. Without knowing the factorization of $N$, due to the quadratic residuosity assumption[5], $b$ must be chosen from $J_N^+$. Then, with probability 1/2, we have that $b \in J_N^+ \setminus QR_N$.

  3. An equivalent proof can be obtained by considering numbers of the form $y = a^{\frac{u_2(q-1)}{2}} - 1$.

Using Theorem 5.4, we can compute the order $\varphi_n(N) = (ed - 1)/k$. Based on Theorem 5.5, in Algorithm 1, we provide a probabilistic algorithm for computing the factorization of $N$ for any $n \ge 1$. Note that for $n = 3$ and $n = 4$, we provide in Appendix A a deterministic algorithm that solves a cubic or biquadratic equation, respectively. For $n = 1$ and $n = 2$, similar methods are presented in previous studies [11,53,54]. Therefore, for these cases, we avoid doing exponentiations.[6]

It is known that $|J_N^-| = |\mathbb{Z}_N^*|/2$ and $|J_N^+ \setminus QR_N| = |QR_N| = |\mathbb{Z}_N^*|/4$. When $b \in J_N^+ \setminus QR_N$, Algorithm 1 always returns the factorization of $N$. When $b \in QR_N$, the factorization of $N$ can surely be found if $t_1 \ne t_2$. Thus, the probability of obtaining the factorization of $N$ for a single pair $(a, b)$ is greater than 1/2.
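Algorithm 1 and the argument of Theorem 5.5 in runnable form, as an added example written for this page rather than code from the paper. The routine receives only $N$ and $\varphi_n(N)$, draws $a$ from $J_N^-$ and $b$ from $J_N^+$ with a Jacobi-symbol test, strips one factor of two from the exponent at a time and, after each halving, tests $\gcd(x^m + 1, N)$ (the $y = a^{\cdots} + 1$ form of the proof); running the test after every halving is this example's reading of the inner loop. The two primes, the choice $n = 3$ and the random seed are constructed inputs. From a defender's point of view this is why the group order has to stay secret: once $\varphi_n(N)$ is known, $N$ factors in a handful of modular exponentiations.

```python
import math
import random


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity for the odd parts
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def phi_n(p: int, q: int, n: int) -> int:
    """Group order (p^n - 1)(q^n - 1) of the generalized Elkamchouchi et al. scheme."""
    return (p**n - 1) * (q**n - 1)


def sample_with_jacobi(N: int, sign: int, rng: random.Random) -> int:
    """Uniformly random element of J_N^- (sign = -1) or J_N^+ (sign = +1)."""
    while True:
        x = rng.randrange(2, N - 1)
        if jacobi(x, N) == sign:
            return x


def factor_from_order(N: int, phi: int, rng: random.Random, max_rounds: int = 64):
    """Algorithm 1: recover the factors of N from N and phi_n(N).

    Each round draws a from J_N^- and b from J_N^+.  For each of them the
    exponent phi is halved while it is even, and after every halving
    y = x^m + 1 mod N is formed and gcd(y, N) is checked.  Returns (p, q)
    with p > q, or None if no round split N (probability < 2^-max_rounds).
    """
    for _ in range(max_rounds):
        a = sample_with_jacobi(N, -1, rng)
        b = sample_with_jacobi(N, +1, rng)
        for x in (a, b):
            m = phi
            while m % 2 == 0:
                m //= 2
                y = (pow(x, m, N) + 1) % N
                if y == 0:           # x^m = -1 mod N: p and q behave alike, no split here
                    continue
                g = math.gcd(y, N)
                if 1 < g < N:
                    return max(g, N // g), min(g, N // g)
    return None


if __name__ == "__main__":
    # Constructed instance: two known primes, n = 3.  Only N and phi_3(N)
    # reach the factoring routine.
    p, q = 1000000007, 998244353
    found = factor_from_order(p * q, phi_n(p, q, 3), random.Random(2024))
    print("recovered:", found, "correct:", found == (p, q))
```

The `y == 0` branch is the case $t_1 = t_2$ of the proof seen from the inside: when $x^m \equiv -1$ modulo both primes, $\gcd(y, N) = N$ and the pair gives no information, which is why the outer loop resamples $a$ and $b$.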

Remark

Padhye [55] described a public key encryption scheme based on Pell's equation, choosing key exponents such that $ed \equiv 1 \bmod \operatorname{lcm}(p-1, q-1)$. Using our attack with $n = 1$ we recover the factors of $N$; thereby, we also break the scheme presented in the study by Padhye [55].

6 Attacking the generalized Murru and Saettone unbalanced scheme

6.1 Useful lemmas

In this section, we provide a few useful properties of $\psi_n(N)$. Before starting our analysis, we first note that plugging $q = N/p$ into $\psi_n(N)$ leads to the following function:

$$ f_n(p) = \frac{p^n - 1}{p - 1} \cdot \frac{\left(\frac{N}{p}\right)^n - 1}{\frac{N}{p} - 1} , $$

with p as a variable. The next lemma tells us that, under certain conditions, f n is a strictly increasing function.

Proposition 6.1

Let $N$ be a positive integer. Then, for any integer $n > 1$ and $\sqrt{N} \le x < N$, we have that the function

$$ f_n(x) = \frac{x^n - 1}{x - 1} \cdot \frac{\left(\frac{N}{x}\right)^n - 1}{\frac{N}{x} - 1} $$

is strictly increasing with x.

Proof

Before starting our proof, we note that the function $f_n$ can be expanded into $f_n(x) = g_n(x)\,h_n(x)$, where

$$ g_n(x) = 1 + x + x^2 + \cdots + x^{n-1} $$

and

$$ h_n(x) = 1 + \frac{N}{x} + \left(\frac{N}{x}\right)^2 + \cdots + \left(\frac{N}{x}\right)^{n-1} . $$

We will further prove our statement by induction on $n$. When $n = 2$, we have that

$$ f_2(x) = (1 + x)\left(1 + \frac{N}{x}\right) = 1 + \frac{N}{x} + x + N . $$

Using $x \ge \sqrt{N}$, we obtain that

$$ f_2'(x) = 1 - \frac{N}{x^2} \ge 0 \iff 1 \ge \frac{N}{x^2} \iff x^2 \ge N , $$

and therefore, we have that f 2 is strictly increasing.

For the induction step, we assume that $f_k$ is strictly increasing and show that $f_{k+1}$ is also strictly increasing. We have that

$$ f_{k+1}(x) = g_{k+1}(x)\,h_{k+1}(x) = g_k(x)\,h_k(x) + g_k(x)\left(\frac{N}{x}\right)^k + x^k h_k(x) + N^k . $$

Considering the induction hypothesis, it is enough to prove that the function

$$ s_k(x) = g_k(x)\left(\frac{N}{x}\right)^k + x^k h_k(x) $$

is strictly increasing. Therefore, we have that

$$ s_k(x) = \frac{N^k}{x^k} + x^k + \frac{N^k}{x^{k-1}} + N x^{k-1} + \frac{N^k}{x^{k-2}} + N^2 x^{k-2} + \cdots + \frac{N^k}{x} + N^{k-1} x = s_{k,0}(x) + s_{k,1}(x) + s_{k,2}(x) + \cdots + s_{k,k-1}(x) , $$

where we considered

$$ s_{k,i}(x) = \frac{N^k}{x^{k-i}} + N^i x^{k-i} . $$

Bear in mind that

$$ s_{k,i}'(x) = -\frac{N^k (k-i)}{x^{k-i+1}} + N^i (k-i)\, x^{k-i-1} = N^i (k-i) \left( x^{k-i-1} - \frac{N^{k-i}}{x^{k-i+1}} \right) . $$

For any $i \in [0, k-1]$, we have that $s_{k,i}$ is strictly increasing since

$$ s_{k,i}'(x) \ge 0 \iff x^{k-i-1} \ge \frac{N^{k-i}}{x^{k-i+1}} \iff x^{2(k-i)} \ge N^{k-i} , $$

where for the last inequality we used $x \ge \sqrt{N}$. Therefore, $s_k$ is strictly increasing, which implies that $f_{k+1}$ is strictly increasing.□

Using Lemma 5.2 from Section 5.1, we further compute a lower and upper bound for ψ n ( N ) .

Corollary 6.1.1

Let N = p q be the product of two unknown primes with μ q < p < 2 μ q . Then, the following property holds:

$$ \frac{(\sqrt{\mu N})^n - 1}{\sqrt{\mu N} - 1} \cdot \frac{\left(\frac{\sqrt{\mu N}}{\mu}\right)^n - 1}{\frac{\sqrt{\mu N}}{\mu} - 1} < \psi_n(N) < \frac{(\sqrt{2\mu N})^n - 1}{\sqrt{2\mu N} - 1} \cdot \frac{\left(\frac{\sqrt{2\mu N}}{2\mu}\right)^n - 1}{\frac{\sqrt{2\mu N}}{2\mu} - 1} . $$

Proof

By Lemma 5.2, we have that

$$ \sqrt{\mu N} < p < \sqrt{2\mu N} , $$

which, according to Proposition 6.1, leads to

$$ f_n(\sqrt{\mu N}) < f_n(p) < f_n(\sqrt{2\mu N}) . $$

This is equivalent to our desired inequality.□

When n = 3 and μ = 1 , the following result proven in the study by Nitaj et al. [17] becomes a special case of Corollary 6.1.1.

Corollary 6.1.2

Let N = p q be the product of two unknown primes with q < p < 2 q . Then, the following property holds:

$$ (N + \sqrt{N} + 1)^2 < \psi_3(N) < \left( N + \tfrac{3}{4}\sqrt{2N} + 1 \right)^2 + \tfrac{3}{8} N . $$

We can use Corollary 6.1.1 to find a useful approximation of ψ n . This result will be useful when devising the attack against the generalized Murru–Saettone scheme.

Proposition 6.2

Let N = p q be the product of two unknown primes with μ q < p < 2 μ q . We define

$$ \psi_{n,0}(N) = \frac{1}{2}\,\frac{(\sqrt{\mu N})^n - 1}{\sqrt{\mu N} - 1} \cdot \frac{\left(\frac{\sqrt{\mu N}}{\mu}\right)^n - 1}{\frac{\sqrt{\mu N}}{\mu} - 1} + \frac{1}{2}\,\frac{(\sqrt{2\mu N})^n - 1}{\sqrt{2\mu N} - 1} \cdot \frac{\left(\frac{\sqrt{2\mu N}}{2\mu}\right)^n - 1}{\frac{\sqrt{2\mu N}}{2\mu} - 1} . $$

Then, the following holds:

$$ \left| \psi_n(N) - \psi_{n,0}(N) \right| < \frac{\Delta_n^M}{2}\, N^{n-2}\sqrt{N} , $$

where

$$ \Delta_n^M = \frac{(\sqrt{2\mu})^n - 1}{\sqrt{2\mu} - 1} \cdot \frac{\left(\frac{\sqrt{2\mu}}{2\mu}\right)^n - 1}{\frac{\sqrt{2\mu}}{2\mu} - 1} - \frac{(\sqrt{\mu})^n - 1}{\sqrt{\mu} - 1} \cdot \frac{\left(\frac{\sqrt{\mu}}{\mu}\right)^n - 1}{\frac{\sqrt{\mu}}{\mu} - 1} . $$

(For $\mu = 1$, each quotient of the form $\frac{x^n - 1}{x - 1}$ at $x = 1$ is read as its limit $n$, i.e. the second product equals $n^2$.)

Proof

According to Corollary 6.1.1, ψ n , 0 ( N ) is the mean value of the lower and upper bound. The following property holds:

$$ \left| \psi_n(N) - \psi_{n,0}(N) \right| \le \frac{1}{2}\left[ \frac{(\sqrt{2\mu N})^n - 1}{\sqrt{2\mu N} - 1} \cdot \frac{\left(\frac{\sqrt{2\mu N}}{2\mu}\right)^n - 1}{\frac{\sqrt{2\mu N}}{2\mu} - 1} - \frac{(\sqrt{\mu N})^n - 1}{\sqrt{\mu N} - 1} \cdot \frac{\left(\frac{\sqrt{\mu N}}{\mu}\right)^n - 1}{\frac{\sqrt{\mu N}}{\mu} - 1} \right] $$
$$ = \frac{1}{2}\left[ \sum_{i,j=0}^{n-1} (\sqrt{2\mu N})^i \left(\frac{\sqrt{2\mu N}}{2\mu}\right)^j - \sum_{i,j=0}^{n-1} (\sqrt{\mu N})^i \left(\frac{\sqrt{\mu N}}{\mu}\right)^j \right] = \frac{1}{2} \sum_{i,j=0}^{n-1} \sqrt{N}^{\,i} \sqrt{N}^{\,j} \left( \frac{\sqrt{2\mu}^{\,i+j}}{(2\mu)^j} - \frac{\sqrt{\mu}^{\,i+j}}{\mu^j} \right) = \frac{1}{2} \sum_{\substack{i,j=0 \\ i \ne j}}^{n-1} \sqrt{N}^{\,i} \sqrt{N}^{\,j}\, \frac{\sqrt{\mu}^{\,i+j}}{\mu^j} \left( \frac{\sqrt{2}^{\,i+j}}{2^j} - 1 \right) . $$

Note that in the last expression all the coefficients are non-zero and the leading power of $N$ is $\sqrt{N}^{\,(n-1)+(n-2)} = N^{n-2}\sqrt{N}$. Therefore, we obtain

$$ \left| \psi_n(N) - \psi_{n,0}(N) \right| < \frac{1}{2} N^{n-2}\sqrt{N} \sum_{\substack{i,j=0 \\ i \ne j}}^{n-1} \frac{\sqrt{\mu}^{\,i+j}}{\mu^j} \left( \frac{\sqrt{2}^{\,i+j}}{2^j} - 1 \right) = \frac{1}{2} N^{n-2}\sqrt{N} \left[ \frac{(\sqrt{2\mu})^n - 1}{\sqrt{2\mu} - 1} \cdot \frac{\left(\frac{\sqrt{2\mu}}{2\mu}\right)^n - 1}{\frac{\sqrt{2\mu}}{2\mu} - 1} - \frac{(\sqrt{\mu})^n - 1}{\sqrt{\mu} - 1} \cdot \frac{\left(\frac{\sqrt{\mu}}{\mu}\right)^n - 1}{\frac{\sqrt{\mu}}{\mu} - 1} \right] , $$

as desired.□

When n = 3 and μ = 1 , the following property presented in the study by Nitaj et al. [17] becomes a special case of Proposition 6.2.

Corollary 6.2.1

Let N = p q be the product of two unknown primes with q < p < 2 q . Then, the following holds:

$$ \left| \psi_3(N) - \psi_{3,0}(N) \right| < 0.372\, N\sqrt{N} < 0.5\, N\sqrt{N} . $$

6.2 Application of continued fractions

We further provide an upper bound for selecting d such that we can use the continued fraction algorithm to recover d without knowing the factorization of the modulus N .

Theorem 6.3

Let $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. If $e < \psi_n(N)$ satisfies $ed - k\psi_n(N) = 1$ with

$$ (10)\qquad d < \sqrt{\frac{N^{\,n-0.5}}{e\,\Delta_n^M}} , $$

then we can recover d in polynomial time.

Proof

We have that

$$ \left| \frac{k}{d} - \frac{e}{\psi_{n,0}(N)} \right| = \frac{\left| ed - k\psi_{n,0}(N) \right|}{d\,\psi_{n,0}(N)} \le \frac{\left| ed - k\psi_n(N) \right| + k \left| \psi_n(N) - \psi_{n,0}(N) \right|}{d\,\psi_{n,0}(N)} . $$

Using $ed - k\psi_n(N) = 1$ and Proposition 6.2, we obtain

$$ \left| \frac{k}{d} - \frac{e}{\psi_{n,0}(N)} \right| \le \frac{1 + \frac{\Delta_n^M}{2}\, k\, N^{n-2}\sqrt{N}}{d\,\psi_{n,0}(N)} \le \frac{k}{2d} \cdot \frac{\Delta_n^M \left( 2 + N^{n-2}\sqrt{N} \right)}{\psi_{n,0}(N)} . $$

Note that

$$ \psi_{n,0}(N) > \frac{(\sqrt{\mu N})^n - 1}{\sqrt{\mu N} - 1} \cdot \frac{\left(\frac{\sqrt{\mu N}}{\mu}\right)^n - 1}{\frac{\sqrt{\mu N}}{\mu} - 1} > \frac{\sqrt{\mu N}^{\,2(n-1)}}{\mu^{n-1}} + \sqrt{\mu N} + \frac{\sqrt{\mu N}}{\mu} = \sqrt{N}^{\,2(n-1)} + \sqrt{N}\left( \sqrt{\mu} + \frac{1}{\sqrt{\mu}} \right) > \sqrt{N}^{\,2(n-1)} + 2\sqrt{N} , $$

which leads to

$$ (11)\qquad \left| \frac{k}{d} - \frac{e}{\psi_{n,0}(N)} \right| \le \frac{k}{2d} \cdot \frac{\Delta_n^M \left( 2 + \sqrt{N}^{\,2n-3} \right)}{\sqrt{N}^{\,2n-2} + 2\sqrt{N}} = \frac{k\,\Delta_n^M}{2d\sqrt{N}} . $$

According to Corollary 6.1.1, we have that $\psi_n(N) > \frac{\sqrt{\mu N}^{\,2(n-1)}}{\mu^{n-1}} = N^{n-1}$. Since $k\psi_n(N) = ed - 1 < ed$, we have

$$ \frac{k}{d} < \frac{e}{\psi_n(N)} < \frac{e}{N^{n-1}} . $$

Equation (11) becomes

$$ \left| \frac{k}{d} - \frac{e}{\psi_{n,0}(N)} \right| \le \frac{1}{2} \cdot \frac{e\,\Delta_n^M}{N^{\,n-0.5}} < \frac{1}{2d^2} . $$

Using Theorem 2.1, we obtain that $k/d$ is a convergent of the continued fraction expansion of $e/\psi_{n,0}(N)$. Therefore, $d$ can be recovered in polynomial time.□

Corollary 6.3.1

Let $\alpha + 0.5 < n$, $\lambda = \lambda_p - \lambda_q$, and $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. If we approximate $e \approx N^\alpha$, $N \approx 2^{\lambda_N}$, and $\mu \approx 2^\lambda$, then equation (10) becomes

$$ d < \frac{2^{\,0.5(n - \alpha - 0.5)\lambda_N}}{\sqrt{\Delta_n^M}} , $$

or equivalently,

$$ \log_2(d) < 0.5(n - \alpha - 0.5)\lambda_N - \log_2\sqrt{\Delta_n^M} \approx 0.5(n - \alpha - 0.5)\lambda_N - 0.25(n-1)\lambda . $$

Proof

From the definition of Δ n M , we obtain that

$$ \Delta_n^M = \sum_{\substack{i,j=0 \\ i \ne j}}^{n-1} \sqrt{\mu}^{\,i-j} \left( \sqrt{2}^{\,i-j} - 1 \right) \approx \sum_{\substack{i,j=0 \\ i \ne j}}^{n-1} 2^{\frac{\lambda(i-j)}{2}} \left( \sqrt{2}^{\,i-j} - 1 \right) \approx \sum_{\substack{i,j=0 \\ i \ne j}}^{n-1} 2^{\frac{\lambda(i-j)}{2}} \approx \sum_{\substack{j=0 \\ i > j}}^{n-1} 2^{\frac{\lambda(i-j)}{2}} $$
$$ = \sum_{j=0}^{n-1} 2^{\frac{\lambda}{2}}\, \frac{2^{\frac{\lambda(n-1-j)}{2}} - 1}{2^{\frac{\lambda}{2}} - 1} \approx \sum_{j=0}^{n-1} 2^{\frac{\lambda(n-1-j)}{2}} = \frac{2^{\frac{\lambda n}{2}} - 1}{2^{\frac{\lambda}{2}} - 1} \approx 2^{\frac{\lambda(n-1)}{2}} , $$

as desired.□

When the case $n = 3$ and $\mu = 1$ is considered, the following property presented in the study by Nitaj et al. [17] becomes a special case of Corollary 6.3.1.

Corollary 6.3.2

Let $\alpha < 2.5$ and $N = pq$ be the product of two unknown primes with $q < p < 2q$. If we approximate $e \approx N^\alpha$ and $N \approx 2^{\lambda_N}$, then equation (10) is equivalent to

log 2 ( d ) < 0.5 ( 2.5 α ) λ N 0.43 0.5 ( 2.5 α ) λ N .

Corollary 6.3.3

Let $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. If we approximate $e \approx N^{n-1}$, $N \approx 2^{\lambda_N}$, and $\mu \approx 2^\lambda$, then equation (10) is equivalent to

$$ \log_2(d) < 0.25\,\big( \lambda_N - (n-1)\lambda \big) . $$
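The continued-fraction step shared by Theorems 5.4 and 6.3 (and used again in the worked examples of Appendices A and B), as one added example that is not code from the paper. `approx_order` builds $\varphi_{n,0}(N)$ or $\psi_{n,0}(N)$ as the midpoint of the group order evaluated at the two endpoints $\sqrt{\mu N}$ and $\sqrt{2\mu N}$ of Lemma 5.2; Proposition 6.2 defines $\psi_{n,0}$ exactly this way, and using the same midpoint for $\varphi_{n,0}$ is this example's assumption. The convergents $k/d$ of $e/\text{order}_0$ are then filtered as in the appendices: keep those for which $(ed-1)/k$ is an integer and the resulting order splits $N$. Recovery of $p, q$ from a candidate order is included here only for the low-degree cases ($\varphi_1$, $\varphi_2$, $\psi_2$, $\psi_3$). The primes, the private exponents chosen by `build_instance` and the value $\mu = 2^{20}$ are constructed inputs; the Mersenne primes $2^{127}-1$ and $2^{107}-1$ give an unbalanced instance in the paper's sense. A key-generation routine can run `small_d_attack` on its own $(N, e)$ to reject a private exponent that lies inside the attack interval.

```python
from decimal import Decimal, getcontext
from math import gcd, isqrt

ELK, MS = "elkamchouchi", "murru-saettone"


def group_order(p, q, n, family):
    """phi_n(N) = (p^n - 1)(q^n - 1) or psi_n(N) = (p^n - 1)/(p - 1) * (q^n - 1)/(q - 1)."""
    if family == ELK:
        return (p**n - 1) * (q**n - 1)
    return ((p**n - 1) // (p - 1)) * ((q**n - 1) // (q - 1))


def _order_at(x, N, n, family):
    """The group order as a function of p = x alone, with q = N / x (Section 6.1's f_n)."""
    y = N / x
    if family == ELK:
        return (x**n - 1) * (y**n - 1)
    return (x**n - 1) / (x - 1) * (y**n - 1) / (y - 1)


def approx_order(N, n, mu, family):
    """phi_{n,0}(N) / psi_{n,0}(N): midpoint of the order at the endpoints sqrt(mu N)
    and sqrt(2 mu N) of Lemma 5.2 (assumption for phi_{n,0}; definition for psi_{n,0})."""
    getcontext().prec = n * N.bit_length() + 64      # decimal digits, ample for N^n
    Nd = Decimal(N)
    lo = _order_at((Decimal(mu) * Nd).sqrt(), Nd, n, family)
    hi = _order_at((Decimal(2 * mu) * Nd).sqrt(), Nd, n, family)
    return int((lo + hi) / 2)


def convergents(num, den):
    """Yield the convergents h/k of num/den, computed with the Euclidean algorithm."""
    h_prev, h, k_prev, k = 0, 1, 1, 0
    while den:
        a, r = divmod(num, den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k
        num, den = den, r


def _exact_isqrt(v):
    """Integer square root of v when v is a perfect square, else None."""
    if v < 0:
        return None
    r = isqrt(v)
    return r if r * r == v else None


def sum_of_primes(N, order, n, family):
    """S = p + q from a candidate order, for the low-degree cases handled here."""
    if family == ELK and n == 1:        # phi_1 = N - S + 1
        return N + 1 - order
    if family == ELK and n == 2:        # phi_2 = N^2 - (p^2 + q^2) + 1 and S^2 = p^2 + q^2 + 2N
        return _exact_isqrt(N * N + 1 - order + 2 * N)
    if family == MS and n == 2:         # psi_2 = 1 + S + N
        return order - N - 1
    if family == MS and n == 3:         # psi_3 = S^2 + (N + 1) S + N^2 - N + 1
        disc = _exact_isqrt((N + 1) ** 2 - 4 * (N * N - N + 1 - order))
        if disc is None or (disc - (N + 1)) % 2:
            return None
        return (disc - (N + 1)) // 2
    raise ValueError("only n = 1, 2 (phi_n) and n = 2, 3 (psi_n) are handled in this example")


def split_from_sum(N, S):
    """(p, q) from S = p + q and N = pq, or None when S is not consistent with N."""
    D = _exact_isqrt(S * S - 4 * N) if S is not None else None
    if D is None or (S + D) % 2:
        return None
    p, q = (S + D) // 2, (S - D) // 2
    return (p, q) if q > 1 and p * q == N else None


def small_d_attack(N, e, n, family, mu=1):
    """Theorems 5.4 / 6.3: walk the convergents k/d of e / order_0 and return
    (d, p, q) for the first one whose integral order (e d - 1) / k splits N."""
    order0 = approx_order(N, n, mu, family)
    for k, d in convergents(e, order0):
        if k == 0 or (e * d - 1) % k:
            continue
        pq = split_from_sum(N, sum_of_primes(N, (e * d - 1) // k, n, family))
        if pq:
            return d, pq[0], pq[1]
    return None


def build_instance(p, q, n, family, d_start):
    """Constructed key pair: smallest d >= d_start coprime to the order, e = d^-1 mod order."""
    order = group_order(p, q, n, family)
    d = d_start
    while gcd(d, order) != 1:
        d += 1
    return p * q, pow(d, -1, order), d


if __name__ == "__main__":
    # Balanced instance of the generalized Murru-Saettone scheme, n = 3 (constructed primes).
    N, e, d = build_instance(2**64 - 59, 2**63 - 25, 3, MS, d_start=2**28)
    print("balanced psi_3:", small_d_attack(N, e, 3, MS) == (d, 2**64 - 59, 2**63 - 25))
    # Unbalanced instance, mu = 2^20, with the Mersenne primes 2^127 - 1 and 2^107 - 1.
    N, e, d = build_instance(2**127 - 1, 2**107 - 1, 3, MS, d_start=2**40)
    print("unbalanced psi_3:", small_d_attack(N, e, 3, MS, mu=2**20) == (d, 2**127 - 1, 2**107 - 1))
```

The exponents chosen by `build_instance` sit well inside the intervals of Corollaries 6.3.1 and 5.4.2; moving `d_start` up towards $N^{0.25}$ (balanced) is the quickest way to see where the convergent enumeration stops returning the key.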

7 Discussions

In this section, we will compare the attack intervals for the two RSA-like families. We start with the balanced primes case (i.e., $\lambda = 0$). According to Corollaries 5.4.2 and 6.3.1, for given $\alpha$, $n > 1$, and $\lambda_N$, we have

$$ 0.5(1.5n - \alpha)\lambda_N - 0.5(n - \alpha - 0.5)\lambda_N \ge 0 \iff (1.5n - \alpha) - (n - \alpha - 0.5) \ge 0 \iff 0.5(n+1) \ge 0 . $$

Therefore, the attack interval for the generalized Elkamchouchi et al.’s scheme is always greater than the one for the generalized Murru and Saettone scheme.

In the unbalanced case, for a given α , n > 1 , λ p , and λ q , we obtain that

0.5 ( 1.5 n α ) λ N 0.5 n ( λ + 1 ) 0.5 ( n α 0.5 ) λ N 0.25 ( n 1 ) λ 0.5 ( 0.5 n + 0.5 ) λ N 0.25 ( n + 1 ) λ + 0.5 n ( n + 1 ) λ N ( n + 1 ) λ + 2 n ( n + 1 ) ( λ p + λ q ) ( n + 1 ) ( λ p λ q ) + 2 n ( n + 1 ) λ q ( n + 1 ) λ q + 2 n ( n + 1 ) λ q n .

Therefore, the attack interval for the generalized Elkamchouchi et al.’s scheme is always greater than the one for the Murru and Saettone scheme.

Taking into account the previous arguments and the fact that for the generalized Elkamchouchi et al.’s scheme, we found a probabilistic factoring algorithm[7], we conclude that the security assurances[8] are greater for the generalized Murru and Saettone scheme.

8 Conclusion

In this article, we introduced two families of RSA-like cryptosystems. The first one includes the RSA and Elkamchouchi et al.’s public key encryption schemes [1,3] (i.e., n = 1 and n = 2 ), while the second one includes the Murru and Saettone public key encryption scheme [4] (i.e., n = 3 ). Then, we presented a small private key attack against each family of cryptosystems and provided several instantiations of it.

As a conclusion, both the families of RSA-like schemes allow an attacker to recover the secret exponent via continued fractions when the public exponent is close to N n and the secret exponent is smaller than N 0.25 n ( q p ) 0.5 n 2 0.5 n or N n 1 , or when the secret exponent is smaller than N 0.25 ( q p ) 0.25 ( n 1 ) , respectively. Note that in the case of the generalized Elkamchouchi et al.’s scheme, we also provided a probabilistic factorization algorithm once the order φ n is known. For completeness, we also provided a generalization of Wiener’s attack to the unbalanced RSA. In this case, we can recover the secret exponent when it is smaller than N 0.25 ( q p ) 0.25 .

8.1 Future work

We leave the construction of a deterministic factoring algorithm, capable of factoring N given the order of the group φ n or ψ n , as an open problem. While we have managed to devise such algorithms for specific cases

  1. for φ n when n = 1 , 2 , 3 , 4 (see Appendix A and [11,53,54]),

  2. for ψ n when n = 2 , 3 , 4 (see Appendix B and [17]),

the general case remains unsolved. Note that when ψ n is given, we could not even find a probabilistic algorithm for factoring. Another interesting research direction is to find out whether the attack methods described in Section 1 also work in the general case of the two RSA-like families.

  1. Author contributions: Conceptualization, G.T.; Formal analysis, P.C. and G.T.; Project administration, G.T.; Software, P.C.; Supervision, G.T.; Validation, P.C. and G.T.; Writing—original draft, P.C. and G.T.; Writing—review & editing, G.T. All authors have read and agreed to the published version of the manuscript.

  2. Conflict of interest: Authors state no conflict of interest.

Appendix A Experimental results for the Elkamchouchi et al.’s scheme

We further present some examples for the attack presented in Section 5.2 in the cases n = 3 and n = 4 . When λ p = λ q , examples for n = 1 and n = 2 cases are provided in previous studies [53] and [11], respectively, and thus, we omit them.

A.1 Case n = 3

Before providing our example, we first show how to recover $p$ and $q$ once $\varphi_3(N) = (ed - 1)/k$ is recovered using our attack.

Lemma A.1

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. If $\varphi_3(N) = N^3 - p^3 - q^3 + 1$ is known, then $p$ and $q$ can be recovered in polynomial time.

Proof

We will rewrite φ 3 ( N ) as

$$ \varphi_3(N) = N^3 - p^3 - 3p^2 q - 3p q^2 - q^3 + 1 + 3p^2 q + 3p q^2 = N^3 - (p+q)^3 + 3N(p+q) + 1 , $$

which is equivalent to

$$ (p+q)^3 - 3N(p+q) + \varphi_3(N) - N^3 - 1 = 0 . $$

Finding $S = p + q$ is equivalent to solving (in $\mathbb{Z}$) the following cubic equation:

$$ (\mathrm{A1})\qquad x^3 - 3Nx + \left( \varphi_3(N) - N^3 - 1 \right) = 0 , $$

which can be done in polynomial time as presented by Fujii [56]. In order to find $p$ and $q$, we compute $D = p - q$ using the following remark:

$$ (p-q)^2 = (p+q)^2 - 4pq = S^2 - 4N . $$

Taking into account that $p > q$, $D$ is the positive square root of the previous quantity, and thus, we derive the following:

$$ p = \frac{S + D}{2}, \qquad q = \frac{S - D}{2} . $$

The following lemma shows that in order to factor N , we only need to find one solution to equation (A1), namely, its unique integer solution.

Lemma A.2

Equation (A1) always has exactly two non-real roots and an integer one.

Proof

Let $x_1$, $x_2$, and $x_3$ be the roots of equation (A1). Using Vieta's formulas, we have

$$ x_1 + x_2 + x_3 = 0, \qquad x_1 x_2 + x_2 x_3 + x_3 x_1 = -3N, \qquad x_1 x_2 x_3 = -\left( \varphi_3(N) - N^3 - 1 \right) . $$

From the first two relations, we obtain

$$ x_1^2 + x_2^2 + x_3^2 = (x_1 + x_2 + x_3)^2 - 2(x_1 x_2 + x_2 x_3 + x_3 x_1) = 6N . $$

If we assume that $x_1 = p + q$ and $x_2$, $x_3$ are both real, we obtain the following system:

$$ \begin{cases} x_2 + x_3 = -(p+q) \\ x_2^2 + x_3^2 = 6N - (p+q)^2 \end{cases} \implies \begin{cases} (x_2 + x_3)^2 = (p+q)^2 \\ 2(x_2^2 + x_3^2) = 12N - 2(p+q)^2 \end{cases} $$

$$ \implies (x_2 - x_3)^2 = 2(x_2^2 + x_3^2) - (x_2 + x_3)^2 = 12N - 3(p+q)^2 = 6pq - 3p^2 - 3q^2 = -3(p-q)^2 < 0 . $$

Therefore, we obtain a contradiction, and hence, we conclude that equation (A1) has one real root, which is $p + q \in \mathbb{Z}$, and two non-real roots.□

A.1.1 Same size primes

Now, we will exemplify our attack for n = 3 using the following small public key:

N = 3014972633503040336590226508316351022768913323933 , e = 8205656493798992557632452332926222819762435306999 0124626035612517563005998895654688526643002715434 25112020628278119623817044320522328087505650969 .

Remark that $e \approx N^{2.989}$. We use the Euclidean algorithm to compute the continued fraction expansion of $e/\varphi_{3,0}(N)$ and obtain that the first 25 partial quotients are

[ 0 , 3 , 2 , 1 , 16 , 5 , 3 , 5 , 1 , 5 , 1 , 11 , 2 , 6 , 1 , 3 , 1 , 4 , 1 , 1 , 1 , 267 , 1 , 1 , 4 , ] .

According to Theorem 6.3, the set of convergents of $e/\varphi_{3,0}(N)$ contains all the possible candidates for $k/d$. From these convergents, we select only those for which $\varphi_3 = (ed - 1)/k$ is an integer and the following system of equations:

$$ \varphi_3 = (p^3 - 1)(q^3 - 1), \qquad N = pq $$

has a solution as given in Lemma A.1. The 2nd, 3rd, and 21st convergents satisfy the first condition; however, only the last one leads to a valid solution for p and q . More precisely, the 21st convergent leads to

φ 3 = 2740628207892953207018702174077483807563264408773 7057963987757509374280517157259708222994487763446 946621855565600927215471565545807198298953933036 , k d = 514812488 1719435401 , p = 2119778199036859068707819 , q = 1422305708622213956806807 .

A.1.2 Different size primes

Now, we will exemplify our attack for n = 3 using the following small public key:

N = 2855813480614094216274394592472618547278232541419395361 , e = 4630084046662429097336558670671304233271432584109216468 0915894991799969707897320076677947898287075731667867080 46228385668910893284588931122055374926315487848673999 ,

with security parameters λ p = 100 and λ q = 80 .

Remark that $e \approx N^{2.987}$. We use the Euclidean algorithm to compute the continued fraction expansion of $e/\varphi_{3,0}(N)$ and obtain that the first 30 partial quotients are

[ 0 , 5 , 32 , 1 , 11 , 4 , 4 , 4 , 1 , 1 , 12 , 2 , 1 , 2 , 1 , 1 , 1 , 5 , 1 , 1 , 2 , 1 , 3 , 1 , 10 , 1 , 1 , 1 , 1 , 1 , ] .

According to Theorem 6.3, the set of convergents of $e/\varphi_{3,0}(N)$ contains all the possible candidates for $k/d$. From these convergents, we select only those for which $\varphi_3 = (ed - 1)/k$ is an integer and the following system of equations:

$$ \varphi_3 = (p^3 - 1)(q^3 - 1), \qquad N = pq $$

has a solution as given in Lemma A.1. The 2nd and 29th convergents satisfy the first condition; however, only the last one leads to a valid solution for p and q . More precisely, the 29th convergent leads to

φ 3 = 2329107414590064022951020531059192426539732750496 0291083177194445977849272372356250112885763018786 8314005868964154508199529573323714824273095587900 67149237117218500 , k d = 293248165996 1475149199999 , p = 1545742437745710787397496383711 , q = 1847535146139205937905151 .

A.2 Case n = 4

As in the previous case, we first show how to factorize N once φ 4 is known.

Lemma A.3

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. If $\varphi_4(N) = N^4 - p^4 - q^4 + 1$ is known, then

$$ p = \tfrac{1}{2}(S + D) \quad\text{and}\quad q = \tfrac{1}{2}(S - D) , $$

where $S = \sqrt{2N + \sqrt{(N^2+1)^2 - \varphi_4(N)}}$ and $D = \sqrt{S^2 - 4N}$.

Proof

We will rewrite φ 4 ( N ) as

$$ \varphi_4(N) = N^4 - p^4 - 4p^3 q - 6p^2 q^2 - 4p q^3 - q^4 + 1 + 4p^3 q + 6p^2 q^2 + 4p q^3 = N^4 - (p+q)^4 + 4N(p^2 + 2pq + q^2) - 2p^2 q^2 + 1 = N^4 - (p+q)^4 + 4N(p+q)^2 - 2N^2 + 1 , $$

which is equivalent to

$$ (p+q)^4 - 4N(p+q)^2 + \varphi_4(N) - (N^2 - 1)^2 = 0 . $$

Finding $S = p + q$ is equivalent to solving (in $\mathbb{Z}$) the following biquadratic equation:

$$ x^4 - 4Nx^2 + \varphi_4(N) - (N^2 - 1)^2 = 0 \iff (x^2)^2 - 4N(x^2) + \varphi_4(N) - (N^2 - 1)^2 = 0 . $$

The previous equation can be solved as an ordinary quadratic equation in $x^2$. Computing the discriminant $\Delta$, we have that

$$ \Delta = 4(N^2 + 1)^2 - 4\varphi_4(N) > 0 . $$

Thus, the roots of the quadratic equation, $x_{1,2}$, are

$$ x_{1,2} = 2N \pm \sqrt{(N^2+1)^2 - \varphi_4(N)} . $$

The roots of the biquadratic equation are the square roots of the previous quantities:

$$ x_{1,2} = \pm\sqrt{2N + \sqrt{(N^2+1)^2 - \varphi_4(N)}}, \qquad x_{3,4} = \pm\sqrt{2N - \sqrt{(N^2+1)^2 - \varphi_4(N)}} . $$

The roots $x_{3,4}$ are purely imaginary since

$$ \sqrt{(N^2+1)^2 - \varphi_4(N)} > 2N \iff (N^2+1)^2 - \varphi_4(N) > 4N^2 \iff N^4 + 2N^2 + 1 - N^4 + p^4 + q^4 - 1 - 4N^2 > 0 \iff (p^2 - q^2)^2 > 0 . $$

The root $x_2 = -\sqrt{2N + \sqrt{(N^2+1)^2 - \varphi_4(N)}} < 0$; thus, we obtain $S = x_1 = \sqrt{2N + \sqrt{(N^2+1)^2 - \varphi_4(N)}}$. The values of $p$ and $q$ can be recovered by using the algorithm from Lemma A.1.□

A.2.1 Same size primes

We will further present our attack for n = 4 using the following small public key:

N = 3014972633503040336590226508316351022768913323933 , e = 3886649078157217512540781268280213360319970133145 6396788273204320283738850302214441484301356047280 9980074678226938065582620857819830171139174634897 69731055010977380039512575106301590600391232847 .

Note that $e \approx N^{3.993}$. Applying the continued fraction expansion of $e/\varphi_{4,0}(N)$, we obtain the first 25 partial quotients:

[ 0 , 2 , 7 , 1 , 15 , 6 , 1 , 2 , 4 , 1 , 1 , 2 , 1 , 1 , 3 , 1 , 1 , 1 , 2 , 38 , 1 , 2 , 1 , 45 , 8 , ] .

In this case, we consider the convergents of $e/\varphi_{4,0}(N)$, and we select only those for which $\varphi_4 = (ed - 1)/k$ is an integer and the following system of equations:

$$ \varphi_4 = (p^4 - 1)(q^4 - 1), \qquad N = pq $$

has a solution as given in Lemma A.3. The 2nd and 23rd convergents satisfy the first condition; however, only the last one leads to a valid solution for p and q . More precisely, the 23rd convergent leads to

φ 4 = 8262919045403735048878111025050137547018067986718 6489272861711603139280409749776405912009959512474 1225965967573968605037596274853618481302754457480 67878911842670048325065350941516266452271040000 , k d = 799532980 1699787183 , p = 2119778199036859068707819 , q = 1422305708622213956806807 .

A.2.2 Different size primes

We will further present our attack for n = 4 using the following small public key:

N = 2855813480614094216274394592472618547278232541419395361 , e = 2567370510972232006773537047215627569107232281812189203 47687158230510226195422573507282956093878118161325621701 21232464975442827741478460424643869840862494360616802843 89852002469708776700405298285081740832540792743333 ,

with security parameters λ p = 100 and λ q = 80 .

Note that $e \approx N^{3.974}$. Applying the continued fraction expansion of $e/\varphi_{4,0}(N)$, we obtain the first 30 partial quotients

[ 0 , 25 , 1 , 9 , 1 , 5 , 1 , 1 , 2 , 1 , 5 , 2 , 6 , 6 , 1 , 1 , 1 , 1 , 1 , 1 , 7 , 1 , 92 , 3 , 1 , 1 , 1 , 1 , 2 , 1 , ] .

In this case, we consider the convergents of $e/\varphi_{4,0}(N)$, and we select only those for which $\varphi_4 = (ed - 1)/k$ is an integer and the following system of equations:

$$ \varphi_4 = (p^4 - 1)(q^4 - 1), \qquad N = pq $$

has a solution as given in Lemma A.3. The 2nd, 3rd, and 30th convergents satisfy the first condition; however, only the last one leads to a valid solution for p and q . More precisely, the 30th convergent leads to

φ 4 = 6651496352384544903188120619770908196616817016200938630 9658510834304488819286773009251380765194122496812979719 9545925318425222504044575756485728476654739258155949912 41680627125876858676996469366026313423904013451264000 , k d = 184064447974 4768707901997 , p = 1545742437745710787397496383711 , q = 1847535146139205937905151 .

B Experimental Results for the Murru and Saettone scheme

In this section, we provide examples for the attack discussed in Section 6.2, specifically we examine the cases where n = 2 and n = 4 . An example for the case λ p = λ q and n = 3 is provided in [17], and thus we omit it.

B.1 Case n = 2

Before providing our example, we first show how to recover $p$ and $q$ once $\psi_2(N) = (ed - 1)/k$ is recovered using our attack.

Lemma B.1

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. If $\psi_2(N) = (1 + p)(1 + q)$ is known, then $p$ and $q$ can be recovered in polynomial time.

Proof

Expanding $\psi_2(N)$, we obtain that

$$ \psi_2(N) = 1 + p + q + pq = 1 + p + q + N , $$

which is equivalent to

$$ p + q = \psi_2(N) - N - 1 . $$

Let $S = \psi_2(N) - N - 1$. We remark that

$$ (p-q)^2 = (p+q)^2 - 4pq = S^2 - 4N . $$

Let D be the positive square root of the previous quantity. Taking into account that p > q , we derive the following:

$$ p = \frac{S + D}{2}, \qquad q = \frac{S - D}{2} . $$

B.1.1 Same size primes

Now, we will exemplify our attack for n = 2 using the following small public key:

N = 11939554693914055465250454114706510455824787856591 , e = 6074574633060181514768858436051302980810169830821 .

Remark that $e \approx N^{0.994}$. We use the Euclidean algorithm to compute the continued fraction expansion of $e/\psi_{2,0}(N)$ and obtain that the first 20 partial quotients are

[ 0 , 1 , 1 , 27 , 1 , 56 , 7 , 23 , 3 , 2 , 9 , 2 , 20 , 1 , 3 , 1 , 1 , 1 , 2 , 7 , 17 , ] .

According to Theorem 6.3, the set of convergents of $e/\psi_{2,0}(N)$ contains all the possible candidates for $k/d$. From these convergents, we select only those for which $\psi_2 = (ed - 1)/k$ is an integer and the following system of equations:

$$ \psi_2 = (1 + p)(1 + q), \qquad N = pq $$

has a solution as given in Lemma B.1. The 2nd, 3rd, and 15th convergents satisfy the first condition; however, only the last one leads to a valid solution for p and q . More precisely, the 15th convergent leads to

ψ 2 = 11939554693914055465250461283567876958785337490000 , k d = 3205471919 6300343581 , p = 4537629838266117418120249 , q = 2631231528236843131513159 .

B.1.2 Different size primes

In this scenario we will consider the following public key:

N = 5019736030067394147475736707189228061339219786566982627 , e = 485434467383574169502440945536575804609769000630574045 ,

with security parameters λ p = 100 and λ q = 80 .

Observe that $e \approx N^{0.9815}$. Using the Euclidean algorithm to compute the continued fraction expansion of $e/\psi_{2,0}(N)$, we obtain that the first 20 partial quotients are

[ 0 , 10 , 2 , 1 , 14 , 2 , 2 , 286 , 1 , 2 , 1 , 32 , 1 , 4 , 2 , 1 , 3 , 1 , 1 , 2 , ] .

As stated in Theorem 6.3, the set of convergents of $e/\psi_{2,0}(N)$ includes all possible candidates for $k/d$. From these convergents, we choose only those for which $\psi_2 = (ed - 1)/k$ is an integer and the following system of equations:

$$ \psi_2 = (1 + p)(1 + q), \qquad N = pq $$

has a solution as given in Lemma B.1. The 2nd, 3rd, 4th, and 19th convergents satisfy the first condition; however, only the last one leads to a valid solution for p and q . More precisely, the 19th convergent leads to

ψ 2 = 5019736030067394147475739071746925125275429766201217656 , k d = 1167480464 12072574453 , p = 2364555574155054332193018723851 , q = 2122908881877786615511177 .

B.2 Case n = 4

As in the previous case, we first show how to factorize N once ψ 4 is known.

Lemma B.2

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. If $\psi_4(N) = (1 + p + p^2 + p^3)(1 + q + q^2 + q^3)$ is known, then $p$ and $q$ can be recovered in polynomial time.

Proof

Expanding $\psi_4(N)$, we obtain that

$$ \psi_4(N) = p^3 q^3 + p^3 q^2 + p^3 q + p^3 + p^2 q^3 + p^2 q^2 + p^2 q + p^2 + p q^3 + p q^2 + pq + p + q^3 + q^2 + q + 1 $$
$$ = N^3 + (N^2 + 1)(p+q) + (N+1)(p^2 + pq + q^2) + (p^3 + p^2 q + p q^2 + q^3) + 1 $$
$$ = N^3 + (N^2 + 1)(p+q) + (N+1)(p+q)^2 - (N+1)N + (p+q)^3 - 2N(p+q) + 1 . $$

We further consider the following form of $\psi_4$:

$$ \psi_4(N) = (p+q)^3 + (N+1)(p+q)^2 + (N-1)^2 (p+q) + N^3 - N^2 - N + 1 . $$

Finding $S = p + q$ is equivalent to solving (in $\mathbb{Z}$) the cubic equation

$$ (\mathrm{A2})\qquad x^3 + (N+1)x^2 + (N-1)^2 x + \left( N^3 - N^2 - N + 1 - \psi_4(N) \right) = 0 , $$

which can be done in polynomial time as presented in [56]. In order to find $p$ and $q$, we compute $D = p - q$ as in Lemma B.1. This concludes our proof.□

The following lemma shows that in order to factor N , we only need to find one solution to equation (A2), namely its unique integer solution.

Lemma B.3

Equation (A2) always has exactly two non-real roots and an integer one.

Proof

Let $x_1$, $x_2$, and $x_3$ be the roots of equation (A2). Using Vieta's formulas, we have

$$ x_1 + x_2 + x_3 = -(N+1), \qquad x_1 x_2 + x_2 x_3 + x_3 x_1 = (N-1)^2, \qquad x_1 x_2 x_3 = -\left( N^3 - N^2 - N + 1 - \psi_4(N) \right) . $$

From the first two relations we obtain

$$ x_1^2 + x_2^2 + x_3^2 = (x_1 + x_2 + x_3)^2 - 2(x_1 x_2 + x_2 x_3 + x_3 x_1) = (N+1)^2 - 2(N-1)^2 = -N^2 + 6N - 1 . $$

If we assume that $x_1$, $x_2$, $x_3$ are all real, we obtain the following inequalities

$$ 0 < x_1^2 + x_2^2 + x_3^2 = -(N-3)^2 + 8 < 0 , $$

for any $N \ge 6$. Therefore, we obtain a contradiction, and hence we conclude that equation (A2) has one real root, which is $p + q \in \mathbb{Z}$, and two non-real roots.□
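The $p, q$ recovery of Lemmas A.1, A.3, B.1 and B.2 in exact integer arithmetic, as an added example that is not the paper's code. Instead of a floating-point cubic solver, the integer root $S = p + q$ of (A1) and (A2) is found by bisection, which is valid because each cubic is strictly increasing on the searched range (and Lemmas A.2 and B.3 guarantee it has a single real root); the biquadratic of Lemma A.3 is handled with two exact integer square roots. Every candidate pair is checked against $N$, so a wrong candidate order returns `None`, which is exactly the filter applied to the convergents in the appendix examples. The primes used at the bottom are constructed inputs.

```python
from math import isqrt


def exact_isqrt(v):
    """Integer square root of v, or None if v is negative or not a perfect square."""
    if v < 0:
        return None
    r = isqrt(v)
    return r if r * r == v else None


def integer_root_increasing(f, lo, hi):
    """Unique integer x in [lo, hi] with f(x) == 0 for f strictly increasing there, else None."""
    while lo <= hi:
        mid = (lo + hi) // 2
        v = f(mid)
        if v == 0:
            return mid
        if v < 0:
            lo = mid + 1
        else:
            hi = mid - 1
    return None


def split_from_sum(N, S):
    """Last step of Lemma A.1: p = (S + D)/2, q = (S - D)/2 with D^2 = S^2 - 4N."""
    if S is None:
        return None
    D = exact_isqrt(S * S - 4 * N)
    if D is None or (S + D) % 2:
        return None
    p, q = (S + D) // 2, (S - D) // 2
    return (p, q) if q > 1 and p * q == N else None


def primes_from_phi3(N, phi3):
    """Lemma A.1: S is the integer root of x^3 - 3Nx + (phi3 - N^3 - 1) = 0.
    The cubic is increasing for x > sqrt(N), and S = p + q >= 2 sqrt(N)."""
    c = phi3 - N**3 - 1
    S = integer_root_increasing(lambda x: x**3 - 3 * N * x + c, 2 * isqrt(N), N + 1)
    return split_from_sum(N, S)


def primes_from_phi4(N, phi4):
    """Lemma A.3: S = sqrt(2N + sqrt((N^2 + 1)^2 - phi4)), both roots exact."""
    inner = exact_isqrt((N * N + 1) ** 2 - phi4)
    S = None if inner is None else exact_isqrt(2 * N + inner)
    return split_from_sum(N, S)


def primes_from_psi2(N, psi2):
    """Lemma B.1: S = psi2 - N - 1."""
    return split_from_sum(N, psi2 - N - 1)


def primes_from_psi4(N, psi4):
    """Lemma B.2: S is the integer root of
    x^3 + (N+1) x^2 + (N-1)^2 x + (N^3 - N^2 - N + 1 - psi4) = 0, increasing for x > 0."""
    c = N**3 - N * N - N + 1 - psi4
    S = integer_root_increasing(
        lambda x: x**3 + (N + 1) * x * x + (N - 1) ** 2 * x + c, 0, N + 1)
    return split_from_sum(N, S)


if __name__ == "__main__":
    p, q = 2**64 - 59, 2**63 - 25          # constructed balanced primes
    N = p * q
    print(primes_from_phi3(N, (p**3 - 1) * (q**3 - 1)) == (p, q))
    print(primes_from_psi4(N, (1 + p + p**2 + p**3) * (1 + q + q**2 + q**3)) == (p, q))
```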

B.2.1 Same size primes

We will further present our attack for n = 4 using the following small public key

N = 11939554693914055465250454114706510455824787856591 , e = 15006652287039759861337802324565215623310940476513 92542670434722550157448270887318217632962138205421 899647696285870461657741073464172612216312741409 .

Note that $e \approx N^{2.998}$. Applying the continued fraction expansion of $e/\psi_{4,0}(N)$, we obtain the first 20 partial quotients

[ 0 , 1 , 7 , 2 , 4 , 1 , 4 , 6 , 1 , 4 , 26 , 1 , 7 , 1 , 1 , 10 , 2 , 1 , 11 , 1 , 1 , ] .

In this case, we consider the convergents of $e/\psi_{4,0}(N)$, and we select only those for which $\psi_4 = (ed - 1)/k$ is an integer and the following system of equations:

$$ \psi_4 = (1 + p + p^2 + p^3)(1 + q + q^2 + q^3), \qquad N = pq $$

has a solution as given in Lemma B.2. The 2nd and 19th convergents satisfy the first condition; however, only the last one leads to a valid solution for $p$ and $q$. More precisely, the 19th convergent leads to

ψ 4 = 17020189377867860247096553094467061591207640835506 21907753457911934182387623188683187170430636727789 996180586005565732093187872678169520144124360000 , k d = 2425248603 2750659489 , p = 4537629838266117418120249 , q = 2631231528236843131513159 .

B.2.2 Different size primes

In this scenario we will consider the following public key:

$N = 5019736030067394147475736707189228061339219786566982627$,

$e = 21445035131128300767668909857408911291817946304088842438351762718099949271772339472915417343214409254154821228349284512502245789360583063482846844126104153266836579$,

with security parameters $\lambda_p = 100$ and $\lambda_q = 80$.

Notice that $e \approx N^{2.986}$. Using the Euclidean algorithm to compute the continued fraction expansion of $e/\psi_{4,0}(N)$, we obtain that the first 20 partial quotients are

$$[0, 5, 1, 8, 1, 4, 1, 1, 30, 1, 22, 1, 1, 4, 24, 1, 50, 2, 2, 3, \ldots].$$

As stated in Theorem 6.3, the set of convergents of $e/\psi_{4,0}(N)$ includes all possible candidates for $k/d$. From these convergents, we choose only those for which $\psi_4 = (ed - 1)/k$ is an integer and the following system of equations:

$$\psi_4 = (1 + p + p^2 + p^3)(1 + q + q^2 + q^3), \qquad N = pq$$

has a solution as given in Lemma B.2. The 2nd, 3rd, 5th, and 17th convergents satisfy the first condition; however, only the last one leads to a valid solution for $p$ and $q$. More precisely, the 13th convergent leads to

$\psi_4 = 12648605260569537228242920792973090843887765822412440102424240154785199049783732927795740404022982586620270553731247336998862033424618931308289204620022408105414896 0$,

$k/d = 927107051/5468217259$, $p = 2364555574155054332193018723851$, $q = 2122908881877786615511177$.

C Generalized Wiener attack

In this section, we provide an equivalent of Wiener's attack applied to unbalanced RSA. To the best of our knowledge, there is no such equivalent in the literature.

Theorem C.1

Let $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. If $e < \varphi(N)$ satisfies $ed - k\varphi(N) = 1$ with

(A3) $d < \dfrac{(\mu N)^{0.25}}{\sqrt{2(2\mu + 1)}}$,

then we can recover $d$ in polynomial time.

Proof

Using $ed - k\varphi(N) = 1$, we have that

$$\frac{k}{d} - \frac{e}{N} = \frac{ed - kN}{dN} = \frac{ed - k\varphi(N) + k\varphi(N) - kN}{dN} = \frac{1 - k\left(N - \varphi(N)\right)}{dN}.$$

Since $\mu q < p < 2\mu q$, we obtain

$$N - \varphi(N) = p + q - 1 < (2\mu + 1)\, q < (2\mu + 1)\frac{\sqrt{N}}{\sqrt{\mu}},$$

where for the last inequality we used Lemma 5.2. Therefore, we have

$$\left|\frac{k}{d} - \frac{e}{N}\right| < \frac{k(2\mu + 1)\sqrt{N}}{d\sqrt{\mu}\, N} = \frac{k(2\mu + 1)}{d\sqrt{\mu N}}.$$

Since $k\varphi(N) = ed - 1 < ed$ and $e < \varphi(N)$, we obtain $k < d$. This leads to

$$\left|\frac{k}{d} - \frac{e}{N}\right| < \frac{2\mu + 1}{\sqrt{\mu N}} < \frac{1}{2d^2}.$$

Using Theorem 2.1, we obtain that $k/d$ is a convergent of the continued fraction expansion of $e/N$. Therefore, $d$ can be recovered in polynomial time.□

When the case $\mu = 1$ is considered, Wiener's attack [5,54] becomes a special case of Theorem C.1.

Corollary C.1.1

Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. If $e < \varphi(N)$ satisfies $ed - k\varphi(N) = 1$ with

$$d < \frac{N^{0.25}}{3} < \frac{N^{0.25}}{\sqrt{6}},$$

then we can recover $d$ in polynomial time.

Corollary C.1.2

Let $\lambda = \lambda_p - \lambda_q$ and $N = pq$ be the product of two unknown primes with $\mu q < p < 2\mu q$. If we approximate $N \approx 2^{\lambda_N}$ and $\mu \approx 2^{\lambda}$, then equation (A3) becomes

$$d < 2^{0.25(\lambda_N - \lambda)},$$

or equivalently,

$$\log_2(d) < 0.25(\lambda_N - \lambda).$$

D Experimental results for the generalized Wiener attack

For completeness, we additionally present an example for the generalized Wiener attack when $\lambda_p > \lambda_q$. An example for the case $\lambda_p = \lambda_q$ is provided in the study by Wiener [5], and thus we omit it.

D.1 Different size primes

We will exemplify the generalized Wiener attack using the following public key

$N = 3520803707194414428952988103961415751574974566641$, $e = 2123018498998414990793362988347899186101759432733$,

with security parameters $\lambda_p = 120$ and $\lambda_q = 40$.

Note that by setting $\mu = 2^{80}$, we obtain that in order to apply Wiener's attack, we need $d < 653176$. Using the Euclidean algorithm to compute the continued fraction expansion of $e/N$, we obtain that the first 20 partial quotients are

$$[0, 1, 1, 1, 1, 12, 1, 3, 3, 1, 1, 3, 1, 2, 1, 2, 1, 3, 14, 2, \ldots].$$

As stated in Theorem C.1, the set of convergents of $e/N$ includes all possible candidates for $k/d$. From these convergents, we choose only those for which $\varphi(N) = (ed - 1)/k$ is an integer and the following system of equations:

$$\varphi(N) = (p - 1)(q - 1), \qquad N = pq$$

has a solution. Note that the system's solutions can be computed similarly as in the case of Lemma B.1. The 2nd, 3rd, 4th, and 18th convergents satisfy the first condition; however, only the 18th convergent leads to a valid solution for $p$ and $q$. More precisely, the last one leads to

$\varphi(N) = 3520803707192711603764814487714739054164400581232$, $k/d = 291041/482661$, $p = 170282518817361624667669534294911607$, $q = 2067624869333$.
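As an added worked example (not code from the article or its authors), the following Python script implements the two continued-fraction searches described in Appendices B.2, C and D: the generalized Wiener attack (candidate $\varphi(N) = (ed - 1)/k$ taken from the convergents of $e/N$, then $p$ and $q$ from the quadratic in $p + q$, as in Lemma B.1) and the $n = 4$ search (candidate $\psi_4 = (ed - 1)/k$, then $p + q$ as the integer root of the cubic of Lemma B.3, found here by bisection instead of the Cardano formula of [56]). It also evaluates an integer floor of bound (A3). Assumptions of mine: the public approximation `psi4_approx` replaces $p + q$ by $2\lfloor\sqrt{N}\rfloor$ and is not the article's $\psi_{4,0}(N)$, whose definition is not on this page; the toy keys ($N = 8383$, $e = 5467$ with $d = 3$, and $N = 91$, $e = 634667$ with $d = 3$) are constructed so that each search finishes on its third convergent; all function names are my own.

```python
from math import isqrt


def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den.
    Partial quotients come from the Euclidean algorithm; numerators and
    denominators follow h_i = a_i*h_{i-1} + h_{i-2}, k_i = a_i*k_{i-1} + k_{i-2}."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        a, (num, den) = num // den, (den, num % den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def split_from_sum(N, s):
    """Given N = p*q and a candidate s = p + q, return (p, q) with p >= q,
    or None unless D = p - q = sqrt(s^2 - 4N) is an integer and p*q == N."""
    if s <= 0:
        return None
    disc = s * s - 4 * N
    if disc < 0:
        return None
    D = isqrt(disc)
    if D * D != disc or (s + D) % 2:
        return None
    p, q = (s + D) // 2, (s - D) // 2
    return (p, q) if q > 1 and p * q == N else None


def primes_from_phi(N, phi):
    """Classical RSA (Appendices C and D): phi = (p-1)(q-1) gives p + q = N - phi + 1."""
    return split_from_sum(N, N - phi + 1)


def primes_from_psi4(N, psi):
    """n = 4 variant (Lemmas B.2 and B.3): psi = (1+p+p^2+p^3)(1+q+q^2+q^3)
    = (s+N+1)(s^2+(N-1)^2) with s = p + q, so s is the integer root of
        s^3 + (N+1) s^2 + (N-1)^2 s + (N+1)(N-1)^2 - psi = 0.
    Every coefficient except the constant is positive, so the cubic is strictly
    increasing on s >= 0 and its integer root is found by bisection (the article
    uses Cardano's formula [56]; bisection is this example's substitute)."""
    c2, c1 = N + 1, (N - 1) ** 2
    c0 = c2 * c1 - psi

    def f(s):
        return s ** 3 + c2 * s * s + c1 * s + c0

    if f(0) > 0:                # no root with s >= 0: psi is not a valid candidate
        return None
    lo, hi = 0, 1 << (psi.bit_length() // 3 + 2)   # hi^3 > psi, hence f(hi) > 0
    while lo < hi:              # smallest s with f(s) >= 0
        mid = (lo + hi) // 2
        if f(mid) < 0:
            lo = mid + 1
        else:
            hi = mid
    return split_from_sum(N, lo) if f(lo) == 0 else None


def psi4_approx(N):
    """Public approximation of psi_4 used as the denominator of the continued
    fraction: psi_4 evaluated with p + q replaced by 2*floor(sqrt(N)).
    This is an assumption of this example, not the article's psi_{4,0}(N)."""
    s0 = 2 * isqrt(N)
    return (s0 + N + 1) * (s0 * s0 + (N - 1) ** 2)


def continued_fraction_attack(N, e, approx, recover):
    """Walk the convergents k/d of e/approx. For each one whose candidate
    (e*d - 1)/k is an integer, ask `recover` for the primes. Returns
    (d, k, candidate, (p, q)) for the first convergent that factors N, else None."""
    for k, d in convergents(e, approx):
        if k == 0 or (e * d - 1) % k:
            continue
        cand = (e * d - 1) // k
        pq = recover(N, cand)
        if pq:
            return d, k, cand, pq
    return None


def wiener_bound(N, mu):
    """Integer lower approximation of the sufficient bound (A3) of Theorem C.1,
    d < (mu*N)^0.25 / sqrt(2*(2*mu + 1)); mu = 1 is Corollary C.1.1.
    Computed as isqrt(isqrt(mu*N) // (2*(2*mu+1))), which never exceeds the real bound."""
    return isqrt(isqrt(mu * N) // (2 * (2 * mu + 1)))


if __name__ == "__main__":
    # Constructed toy keys (not from the article): p = 101, q = 83, d = 3 for
    # classical RSA; p = 13, q = 7, d = 3 for the n = 4 variant.
    print("RSA   :", continued_fraction_attack(8383, 5467, 8383, primes_from_phi))
    print("n = 4 :", continued_fraction_attack(91, 634667, psi4_approx(91), primes_from_psi4))
    # Bound (A3) for the Appendix D.1 modulus with mu = 2^80, as in the text.
    N_D1 = 3520803707194414428952988103961415751574974566641
    print("bound :", wiener_bound(N_D1, 2 ** 80))
```

Evaluated at the D.1 modulus with $\mu = 2^{80}$, `wiener_bound` reproduces the $d < 653176$ figure of the text up to integer rounding. Both toy keys have $d$ above the sufficient bound of (A3) and are still recovered, which illustrates that the bound is sufficient but not necessary: the search succeeds whenever $k/d$ happens to appear among the convergents, and the integrality test on $(ed - 1)/k$ followed by the exact factorization check is what filters out the other convergents.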

References

[1] Rivest RL, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Commun ACM. 1978;21(2):120–6. doi:10.1145/359340.359342

[2] Shamir A. RSA for paranoids. RSA Laboratories Cryptobytes. 1995;1(3):1–4. doi:10.1016/1353-4858(95)90160-4

[3] Elkamchouchi H, Elshenawy K, Shaban H. Extended RSA cryptosystem and digital signature schemes in the domain of Gaussian integers. In: ICCS 2002. vol. 1. IEEE Computer Society; 2002. p. 91–5. doi:10.1109/ICCS.2002.1182444

[4] Murru N, Saettone FM. A novel RSA-like cryptosystem based on a generalization of the Rédei rational functions. In: NuTMiC 2017. vol. 10737 of Lecture Notes in Computer Science. Springer; 2017. p. 91–103. doi:10.1007/978-3-319-76620-1_6

[5] Wiener MJ. Cryptanalysis of short RSA secret exponents. IEEE Trans Inf Theory. 1990;36(3):553–8. doi:10.1109/18.54902

[6] Coppersmith D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J Cryptology. 1997;10(4):233–60. doi:10.1007/s001459900030

[7] Boneh D, Durfee G. Cryptanalysis of RSA with private key d less than N^0.292. In: EUROCRYPT 1999. vol. 1592 of Lecture Notes in Computer Science. Springer; 1999. p. 1–11. doi:10.1007/3-540-48910-X_1

[8] Herrmann M, May A. Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: PKC 2010. vol. 6056 of Lecture Notes in Computer Science. Springer; 2010. p. 53–69. doi:10.1007/978-3-642-13013-7_4

[9] Blömer J, May A. A generalized Wiener attack on RSA. In: PKC 2004. vol. 2947 of Lecture Notes in Computer Science. Springer; 2004. p. 1–13. doi:10.1007/978-3-540-24632-9_1

[10] Nassr DI, Bahig HM, Bhery A, Daoud SS. A new RSA vulnerability using continued fractions. In: AICCSA 2008. IEEE Computer Society; 2008. p. 694–701. doi:10.1109/AICCSA.2008.4493604

[11] Bunder M, Nitaj A, Susilo W, Tonien J. A new attack on three variants of the RSA cryptosystem. In: ACISP 2016. vol. 9723 of Lecture Notes in Computer Science. Springer; 2016. p. 258–68. doi:10.1007/978-3-319-40367-0_16

[12] Peng L, Hu L, Lu Y, Wei H. An improved analysis on three variants of the RSA cryptosystem. In: Inscrypt 2016. vol. 10143 of Lecture Notes in Computer Science. Springer; 2016. p. 140–9. doi:10.1007/978-3-319-54705-3_9

[13] Zheng M, Kunihiro N, Hu H. Cryptanalysis of RSA variants with modified Euler quotient. In: AFRICACRYPT 2018. vol. 10831 of Lecture Notes in Computer Science. Springer; 2018. p. 266–81. doi:10.1007/978-3-319-89339-6_15

[14] Bunder M, Nitaj A, Susilo W, Tonien J. Cryptanalysis of RSA-type cryptosystems based on Lucas sequences, Gaussian integers and elliptic curves. J Inf Secur Appl. 2018;40:193–8. doi:10.1016/j.jisa.2018.04.006

[15] Bunder M, Nitaj A, Susilo W, Tonien J. A generalized attack on RSA type cryptosystems. Theor Comput Sci. 2017;704:74–81. doi:10.1016/j.tcs.2017.09.009

[16] Nitaj A, Pan Y, Tonien J. A generalized attack on some variants of the RSA cryptosystem. In: SAC 2018. vol. 11349 of Lecture Notes in Computer Science. Springer; 2018. p. 421–33. doi:10.1007/978-3-030-10970-7_19

[17] Nitaj A, Ariffin MRBK, Adenan NNH, Abu NA. Classical attacks on a variant of the RSA cryptosystem. In: LATINCRYPT 2021. vol. 12912 of Lecture Notes in Computer Science. Springer; 2021. p. 151–67. doi:10.1007/978-3-030-88238-9_8

[18] Susilo W, Tonien J. A Wiener-type attack on an RSA-like cryptosystem constructed from cubic Pell equations. Theor Comput Sci. 2021;885:125–30. doi:10.1016/j.tcs.2021.06.033

[19] Zheng M, Kunihiro N, Yao Y. Cryptanalysis of the RSA variant based on cubic Pell equation. Theor Comput Sci. 2021;889:135–44. doi:10.1016/j.tcs.2021.08.001

[20] Nassr DI, Anwar M, Bahig HM. Improving small private exponent attack on the Murru-Saettone cryptosystem. Theor Comput Sci. 2022;923:222–34. doi:10.1016/j.tcs.2022.05.010

[21] Howgrave-Graham N, Seifert JP. Extending Wiener's attack in the presence of many decrypting exponents. In: CQRE (Secure) 1999. vol. 1740 of Lecture Notes in Computer Science. Springer; 1999. p. 153–66. doi:10.1007/3-540-46701-7_14

[22] Sarkar S, Maitra S. Cryptanalysis of RSA with more than one decryption exponent. Inform Process Lett. 2010;110(8–9):336–40. doi:10.1016/j.ipl.2010.02.016

[23] Aono Y. Minkowski sum based lattice construction for multivariate simultaneous Coppersmith's technique and applications to RSA. In: ACISP 2013. vol. 7959 of Lecture Notes in Computer Science. Springer; 2013. p. 88–103. doi:10.1007/978-3-642-39059-3_7

[24] Takayasu A, Kunihiro N. Cryptanalysis of RSA with multiple small secret exponents. In: ACISP 2014. vol. 8544 of Lecture Notes in Computer Science. Springer; 2014. p. 176–91. doi:10.1007/978-3-319-08344-5_12

[25] Shi G, Wang G, Gu D. Further cryptanalysis of a type of RSA variants. In: ISC 2022. vol. 13640 of Lecture Notes in Computer Science. Springer; 2022. p. 133–52. doi:10.1007/978-3-031-22390-7_9

[26] Boneh D, Durfee G, Frankel Y. An attack on RSA given a small fraction of the private key bits. In: ASIACRYPT 1998. vol. 1514 of Lecture Notes in Computer Science. Springer; 1998. p. 25–34. doi:10.1007/3-540-49649-1_3

[27] Blömer J, May A. New partial key exposure attacks on RSA. In: CRYPTO 2003. vol. 2729 of Lecture Notes in Computer Science. Springer; 2003. p. 27–43. doi:10.1007/978-3-540-45146-4_2

[28] Ernst M, Jochemsz E, May A, de Weger B. Partial key exposure attacks on RSA up to full size exponents. In: EUROCRYPT 2005. vol. 3494 of Lecture Notes in Computer Science. Springer; 2005. p. 371–86. doi:10.1007/11426639_22

[29] Takayasu A, Kunihiro N. Partial key exposure attacks on RSA: achieving the Boneh-Durfee bound. In: SAC 2014. vol. 8781 of Lecture Notes in Computer Science. Springer; 2014. p. 345–62. doi:10.1007/978-3-319-13051-4_21

[30] De Weger B. Cryptanalysis of RSA with small prime difference. Appl Algebra Eng Commun Comput. 2002;13(1):17–28. doi:10.1007/s002000100088

[31] Maitra S, Sarkar S. Revisiting Wiener's attack - new weak keys in RSA. In: ISC 2008. vol. 5222 of Lecture Notes in Computer Science. Springer; 2008. p. 228–43.

[32] Maitra S, Sarkar S. Revisiting Wiener's attack - new weak keys in RSA. IACR Cryptol ePrint Archive. 2008;2008/228. doi:10.1007/978-3-540-85886-7_16

[33] Kamel Ariffin MR, Abubakar SI, Yunos F, Asbullah MA. New cryptanalytic attack on RSA modulus N=pq using small prime difference method. Cryptography. 2018;3(1):2. doi:10.3390/cryptography3010002

[34] Cherkaoui-Semmouni M, Nitaj A, Susilo W, Tonien J. Cryptanalysis of RSA variants with primes sharing most significant bits. In: ISC 2021. vol. 13118 of Lecture Notes in Computer Science. Springer; 2021. p. 42–53. doi:10.1007/978-3-030-91356-4_3

[35] Nitaj A, Ariffin MRBK, Adenan NNH, Lau TSC, Chen J. Security issues of novel RSA variant. IEEE Access. 2022;10:53788–96. doi:10.1109/ACCESS.2022.3175519

[36] Cotan P, Teşeleanu G. Small private key attack against a family of RSA-like cryptosystems. In: NordSEC 2023. vol. 14324 of Lecture Notes in Computer Science. Springer; 2023. p. 57–72. doi:10.1007/978-3-031-47748-5_4

[37] Cotan P, Teşeleanu G. Continued fractions applied to a family of RSA-like cryptosystems. In: ISPEC 2022. vol. 13620 of Lecture Notes in Computer Science. Springer; 2022. p. 589–605. doi:10.1007/978-3-031-21280-2_33

[38] Hardy GH, Wright EM. An introduction to the theory of numbers. Oxford: Oxford University Press; 1979.

[39] Lenstra AK, Verheul ER. Selecting cryptographic key sizes. J Cryptol. 2001;14(4):255–93. doi:10.1007/s00145-001-0009-4

[40] Lenstra AK, Verheul ER. Selecting cryptographic key sizes. In: PKC 2000. vol. 1751 of Lecture Notes in Computer Science. Springer; 2000. p. 446–65. doi:10.1007/978-3-540-46588-1_30

[41] Lenstra HW. Factoring integers with elliptic curves. Ann Math. 1987;126:649–73. doi:10.2307/1971363

[42] Lenstra AK. Unbelievable security. Matching AES security using public key systems. In: ASIACRYPT 2001. vol. 2248 of Lecture Notes in Computer Science. Springer; 2001. p. 67–86. doi:10.1007/3-540-45682-1_5

[43] Brent RP. Some parallel algorithms for integer factorization. In: Euro-Par 1999. vol. 1685 of Lecture Notes in Computer Science. Springer; 1999. p. 1–22. doi:10.1007/3-540-48311-X_1

[44] Teşeleanu G. The case of small prime numbers versus the Joye-Libert cryptosystem. Mathematics. 2022;10(9):1577. doi:10.3390/math10091577

[45] Barker E. NIST SP800-57 recommendation for key management, Part 1: general. Technical report. NIST; 2016. doi:10.6028/NIST.SP.800-57pt1r4

[46] Silverman RD. A cost-based security analysis of symmetric and asymmetric key lengths. RSA Laboratories' Bulletin. 2000. p. 13.

[47] Gallian J. Contemporary abstract algebra. 10th ed. USA: Chapman and Hall/CRC; 2020. doi:10.1201/9781003142331

[48] Alecci G, Dutto S, Murru N. Pell hyperbolas in DLP-based cryptosystems. Finite Fields Their Appl. 2022;84:102112. doi:10.1016/j.ffa.2022.102112

[49] Dutto S. DLP-based cryptosystems with Pell cubics. Poland: Banach Center Publications. 2023;126:123–36. doi:10.4064/bc126-8

[50] Gilbert H, Gupta D, Odlyzko A, Quisquater JJ. Attacks on Shamir's RSA for paranoids. Inform Process Lett. 1998;68(4):197–9. doi:10.1016/S0020-0190(98)00160-4

[51] Joye M, Quisquater JJ, Yen SM. Two protocol attacks on Okamoto and Uchiyama's cryptosystem. Technical Report. TamKang University; 1998. TR-98-8B.

[52] Nitaj A. Another generalization of Wiener's attack on RSA. In: AFRICACRYPT 2008. vol. 5023 of Lecture Notes in Computer Science. Springer; 2008. p. 174–90. doi:10.1007/978-3-540-68164-9_12

[53] Bunder M, Tonien J. A new attack on the RSA cryptosystem based on continued fractions. Malaysian J Math Sci. 2017;11:45–57.

[54] Boneh D. Twenty years of attacks on the RSA cryptosystem. Notices AMS. 1999;46(2):203–13.

[55] Padhye S. A public key cryptosystem based on Pell equation. IACR Cryptology ePrint Archive. 2006;2006/191.

[56] Fujii K. A modern introduction to Cardano and Ferrari formulas in the algebraic equations. 2003; arXiv:quant-ph/0311102.

Received: 2024-04-02
Revised: 2024-06-11
Accepted: 2024-07-30
Published Online: 2024-09-28

© 2024 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 14.9.2025 from https://www.degruyterbrill.com/document/doi/10.1515/jmc-2024-0013/html