Abstract
Let \(N=pq\) be the product of two balanced prime numbers p and q. Elkamchouchi, Elshenawy and Shaban presented in 2002 an interesting RSA-like cryptosystem that uses the key equation \(ed - k (p^2-1)(q^2-1) = 1\), instead of the classical RSA key equation \(ed - k (p-1)(q-1) = 1\). The authors claimed that their scheme is more secure than RSA. Unfortunately, the common attacks developed against RSA can be adapted for Elkamchouchi et al.’s scheme. In this paper, we introduce a family of RSA-like encryption schemes that uses the key equation \(ed - k (p^n-1)(q^n-1) = 1\), where \(n>0\) is an integer. Then, we show that regardless of the choice of n, there exists an attack based on continued fractions that recovers the secret exponent.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
1 Introduction
In 1978, Rivest, Shamir and Adleman [29] proposed one of the most popular and widely used cryptosystems, namely RSA. In the standard RSA encryption scheme, we work modulo an integer N, where N is the product of two large prime numbers p and q. Let \(\varphi (N) = (p-1)(q-1)\) denote the Euler’s totient function. In order to encrypt a message \(m < N\), we simply compute \(c \equiv m^e \bmod N\), where e is generated a priori such that \(\gcd (e, \varphi (N)) = 1\). To decrypt, one needs to compute \(m \equiv c^d \bmod N\), where \(d \equiv e^{-1} \bmod \varphi (N)\). Note that (N, e) are public, while (p, q, d) are kept secret. In the standard version of RSA, also called balanced RSA, p and q are of the same bit-size such that \(q < p < 2q\). In this paper, we only consider the balanced RSA scheme and its variants.
In 2002, Elkamchouchi, Elshenawy and Shaban [15] extend the classical RSA scheme to the ring of Gaussian integers modulo N. A Gaussian integer modulo N is a number of the form \(a+bi\), where \(a,b \in \mathbb {Z}_N\) and \(i^2=-1\). Let \(\mathbb {Z}_N[i]\) denote the set of all Gaussian integers modulo N and let \(\phi (N) = |\mathbb {Z}_N^*[i]| = (p^2-1)(q^2-1)\). To set up the public exponent, in this case we must have \(\gcd (e, \phi (N)) =1\). The corresponding private exponent is \(d \equiv e^{-1} \bmod \phi (N)\). In order to encrypt a message \(m \in \mathbb {Z}_N[i]\), we simply compute \(c \equiv m^e \bmod N\) and to decrypt it \(m \equiv c^d \bmod N\). Note that the exponentiations are computed in the ring \(\mathbb {Z}_N[i]\). The authors of [15] claim that this extension provides more security than that of the classical RSA. In the following paragraphs we present a series of common attacks that work for both types of cryptosystems.
Small Private Key Attacks. In order to decrease decryption time, one may prefer to use a smaller d. Wiener showed in [33] that this is not always a good idea. More exactly, in the case of RSA, if \(d < N^{0.25}/3\), then one can retrieve d from the continued fraction expansion of e/N, and thus factor N. Using a result developed by Coppersmith [12], Boneh and Durfee [5] improved Wiener’s bound to \(N^{0.292}\). Later on, Herrmann and May [19] obtain the same bound, but using simpler techniques. A different approach was taken by Blömer and May [3], whom generalized Wiener’s attack. More precisely, they showed that if there exist three integers x, y, z such that \(ex-y\varphi (N)=z\), \(x < N^{0.25}/3\) and \(|z| < |exN^{-0.75}|\), then the factorisation of N can be recovered. When an approximation of p is known such that \(|p - p_0| < N^\delta /8\) and \(\delta < 0.5\), Nassr, Anwar and Bahig [25] present a method based on continued fractions for recovering d when \(d < N^{(1-\delta )/2}\).
In the case of Elkamchouchi et al., a small private key attack based on continued fractions was presented in [7]. Using lattice reduction, the attack was improved in [28, 34]. The authors obtained a bound of \(d < N^{0.585}\). A generalization of the attack presented in [7] to unbalanced prime numbers was presented in [9]. Considering the generic equation \(ex-y\phi (N)=z\), the authors of [8] describe a method for factoring N when \(xy < 2N -4\sqrt{2} N^{0.75}\) and \(|z| < (p-q)N^{0.25}y\). An extension of the previous attack was proposed in [27].
Multiple Private Keys Attack. Let \(\ell > 0\) be an integer and \(i \in [1, \ell ]\). When multiple large public keys \(e_i \simeq N^{\alpha }\) are used with the same modulus N, Howgrave-Graham and Seifert [20] describe an attack against RSA that recovers the corresponding small private exponents \(d_i \simeq N^\beta \). This attack was later improved by Sarkar and Maitra [30], Aono [1] and Takayasu and Kunihiro [31]. The best known bound [31] is \(\beta < 1 - \sqrt{2/(3\ell +1)}\). Remark that when \(\ell = 1\) we obtain the Boneh-Durfee bound.
The multiple private keys attack against the Elkamchouchi et al. cryptosystem was studied by Zheng, Kunihiro and Hu [34]. The bound obtained by the authors is \(\beta < 2 - 2\sqrt{2/(3\ell +1)}\) and it is twice the bound obtained by Takayasu and Kunihiro [31]. Note that when \(\ell = 1\) the bound is equal to 0.585.
Partial Key Exposure Attack. In this type of attack, the most or least significant bits of the private exponent d are known. Starting from these, an adversary can recover the entire RSA private key using the techniques presented by Boneh, Durfee and Frankel in [6]. The attack was later improved by Blömer and May [2], Ernst et al. [16] and Takayasu and Kunihiro [32]. The best known bound [32] is \(\beta < (\gamma +2-\sqrt{2-3\gamma ^2})/2\), where the attacker knows \(N^\gamma \) leaked bits.
Zheng, Kunihiro and Hu [34] describe a partial exposure attack that works in the case of the Elkamchouchi et al. scheme. The bound they achieve is \(\beta < (3\gamma +7-2\sqrt{3\gamma +7})/3\). When \(\gamma = 0\), the bound is close to 0.569, and thus it remains an open problem how to optimize it.
Small Prime Difference Attack. When the prime difference \(|p-q|\) is small and certain conditions hold, de Weger [14] described two methods to recover d, one based on continued fractions and one on lattice reduction. These methods were further extended by Maitra and Sakar [22, 23] to \(|\rho q - p|\), where \(1 \le \rho \le 2\). Lastly, Chen, Hsueh and Lin generalize them further to \(|\rho q - \epsilon p|\), where \(\rho \) and \(\epsilon \) have certain properties. The continued fraction method is additionally improved by Ariffin et al. [21].
The small prime difference attack against the Elkamchouchi et al. public key encryption scheme was studied in [11]. Note that when the common condition \(|p-q| < N^{0.5}\) holds, their bound leads to the small private key bound \(d < N^{0.585}\).
Related Work. It is worth noting that our current undertaking shares similarities with a prior work of ours [13], where we explored a cryptographic system closely related to our own. Specifically, we studied the implications of generalizing the Murru-Saettone cryptosystem [24], and the effect of using continued fractions to recover the private key.
1.1 Our Contributions
We first remark that the rings \(Z_p = \mathbb {Z}_p[t]/(t+1) = GF(p)\) and \(Z_p[i] = \mathbb {Z}_p[t]/(t^2+1) = GF(p^2)\), where GF stands for Galois field. Therefore, we can rethink the RSA scheme as working in the \(GF(p)\times GF(q)\) group instead of \(\mathbb {Z}_N\). Also, that the Elkamchouchi et al. scheme is an extension to \(GF(p^2)\times GF(q^2)\) instead of \(Z_N[i]\). This leads to a natural generalization of RSA to \(GF(p^n)\times GF(q^n)\), where \(n > 1\). In this paper we introduce exactly this extension. We wanted to see if only for \(n=1\) and \(n=2\) the common attacks presented in the introduction work or this is something that happens in general. In this study we present a Wiener-type attack that works for any \(n>1\). More, precisely we prove that when \(d < N^{0.25n}\), we can recover the secret exponent regardless the value of n. Therefore, no matter how we instantiate the generalized version, a small private key attack will always succeed.
Structure of the Paper. We introduce in Sect. 2 notations and definitions used throughout the paper. Inspired by Rivest et al. and Elkamchouchi et al.’s work [15, 29], in Sect. 3 we construct a family of RSA-like cryptosystems. After proving several useful lemmas in Sect. 4, we extend Wiener’s small private key attack in Sect. 5. Two concrete instantiations are provided in Sect. 6. We conclude our paper in Sect. 7.
2 Preliminaries
Notations. Throughout the paper, \(\lambda \) denotes a security parameter. Also, the notation |S| denotes the cardinality of a set S. The set of integers \(\{0, \ldots , a\}\) is further denoted by [0, a]. We use \(\simeq \) to indicate that two values are approximately equal.
2.1 Continued Fraction
For any real number \(\zeta \) there exists a unique sequence \((a_n)_n\) of integers such that
where \(a_k > 0\) for any \(k \ge 1\). This sequence represents the continued fraction expansion of \(\zeta \) and is denoted by \(\zeta = [a_0, a_1, a_2,\ldots ]\). Remark that \(\zeta \) is a rational number if and only if its corresponding representation as a continued fraction is finite.
For any real number \(\zeta = [a_0, a_1, a_2, \ldots ]\), the sequence of rational numbers \((A_n)_n\), obtained by truncating this continued fraction, \(A_k = [a_0, a_1, a_2, \ldots , a_k]\), is called the convergents sequence of \(\zeta \).
According to [18], the following bound allows us to check if a rational number u/v is a convergent of \(\zeta \).
Theorem 1
Let \(\zeta = [a_0, a_1, a_2, \ldots ]\) be a positive real number. If u, v are positive integers such that \(\gcd (u,v)=1\) and
then u/v is a convergent of \([a_0, a_1, a_2, \ldots ]\).
2.2 Quotient Groups
In this section we will provide the mathematical theory needed to generalize the Rivest, Shamir and Adleman, and the Elkamchouchi, Elshenawy and Shaban encryption schemes. Therefore, let \((\mathbb {F}, +, \cdot )\) be a field and \(t^n-r\) an irreducible polynomial in \(\mathbb {F}[t]\). Then
is the corresponding quotient field. Let \(a(t), b(t) \in \mathbb {A}_n\). Remark that the quotient field induces a natural product
3 The Scheme
Let p be a prime number. When we instantiate \(\mathbb {F} = \mathbb {Z}_p\), we have that \(\mathbb {A}_n = GF(p^n)\) is the Galois field of order \(p^n\). Moreover, \(\mathbb {A}_n^*\) is a cyclic group of order \(\varphi _n(\mathbb {Z}_p) = p^n-1\). Remark that an analogous of Fermat’s little theorem holds
where \(a(x) \in \mathbb {A}_n^*\) and the power is evaluated by \(\circ \)-multiplying a(x) by itself \(\varphi _n(\mathbb {Z}_p)-1\) times. Therefore, we can build an encryption scheme that is similar to RSA using the \(\circ \) as the product.
-
Setup(\(\lambda \)): Let \(n > 1\) be an integer. Randomly generate two distinct large prime numbers p, q such that \(p, q \ge 2^\lambda \) and compute their product \(N = pq\). Select \(r\in \mathbb {Z}_N\) such that the polynomial \(t^n-r\) is irreducible in \(\mathbb {Z}_p[t]\) and \(\mathbb {Z}_q[t]\). Let
$$\begin{aligned} \varphi _n(\mathbb {Z}_N) = \varphi _n(N) = (p^n-1) \cdot (q^n-1). \end{aligned}$$Choose an integer e such that \(\gcd (e, \varphi _n(N)) = 1\) and compute d such that \(ed \equiv 1 \bmod \varphi _n(N)\). Output the public key \(pk = (n, N, r, e)\). The corresponding secret key is \(sk = (p, q, d)\).
-
Encrypt(pk, m): To encrypt a message \(m = (m_0, \ldots , m_{n-1})\in \mathbb {Z}_N^{n}\) we first construct the polynomial \(m(t) = m_0 + \ldots + m_{n-1} t^{n-1} \in \mathbb {A}_n^*\) and then we compute \(c(t) \equiv [m(t)]^{e} \bmod N\). Output the ciphertext c(t).
-
Decrypt(sk, c(t)): To recover the message, simply compute \(m(t) \equiv [c(t)]^{d} \bmod N\) and reassemble \(m = (m_0, \ldots , m_{n-1})\).
Remark 1
When \(n=1\) we get the RSA scheme [29]. Also, when \(n=2\), we obtain the Elkamchouchi et al. cryptosystem [15].
4 Useful Lemmas
In this section we provide a few useful properties of \(\varphi _n(N)\). Before starting our analysis, we first note that plugging \(q = N/p\) in \(\varphi _n(N)\) leads to the following function
with p as a variable. The next lemma tells us that, under certain conditions, \(f_n\) is a strictly decreasing function.
Proposition 1
Let N be a positive integer. Then for any integers \(n>1\) and \(\sqrt{N} \le x < N\), we have that the function
is strictly decreasing with x.
Proof
Computing the derivative of f we have that
Using \(x \ge \sqrt{N}\) we obtain that
and therefore we have f is strictly decreasing function. \(\square \)
Using the following result from [26, Lemma 1], we will compute a lower and upper bound for \(\varphi _n(N)\).
Lemma 1
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). Then the following property holds
Corollary 1
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). Then the following property holds
Proof
By Lemma 1 we have that
which, according to Proposition 1, leads to
This is equivalent to
as desired. \(\square \)
When \(n=1\) and \(n=2\), the following results proven in [10] and [7] respectively become a special case of Corollary 1.
Corollary 2
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). Then the following property holds
Corollary 3
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). Then the following property holds
We can use Corollary 1 to find a useful approximation of \(\varphi _n\). This result will be useful when devising the attack against the generalized RSA scheme.
Proposition 2
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). We define
Then the following holds
where
Proof
According to Corollary 1, \(\psi _{n,0}(N)\) is the mean value of the lower and upper bound. The following property holds
as desired. \(\square \)
When \(n=1\) and \(n=2\), the following property presented in [10] and [7] respectively become a special case of Proposition 2.
Corollary 4
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). Then the following holds
Corollary 5
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). Then the following holds
5 Application of Continued Fractions
We further provide an upper bound for selecting d such that we can use the continued fraction algorithm to recover d without knowing the factorisation of the modulus N.
Theorem 2
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). If \(e < \varphi _n(N)\) satisfies \(ed - k \varphi _n(N) = 1\) with
where
then we can recover d in polynomial time.
Proof
Since \(ed - k \varphi _n(N) = 1\), we have that
Let \(\varepsilon _n = N^n -\sqrt{N}^n(2^n+1)/\sqrt{2}^n + 1\). Using \(d = (k \varphi _n(N) -1) / e = 1\) and Proposition 2 we obtain
Note that
which leads to
Using Theorem 1 we obtain that k/d is a convergent of the continued fraction expansion of \(e/\varphi _{n,0}(N)\). Therefore, d can be recovered in polynomial time. \(\square \)
Corollary 6
Let \(\alpha < 1.5 n\) and \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). If we approximate \(e \simeq N^\alpha \) and \(N \simeq 2^{2\lambda }\), then Eq. 1 becomes
or equivalently
When cases \(n=1\) and \(n=2\) are considered the following properties presented in [10] and [7] respectively become a special case of Corollary 6. Note that when \(n=\alpha = 1\) we obtain roughly the same margin as Wiener [4, 33] obtained for the classical RSA.
Corollary 7
Let \(\alpha < 1.5\) and \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). If we approximate \(e \simeq N^\alpha \) and \(N \simeq 2^{2\lambda }\) then Eq. 1 is equivalent to
Corollary 8
Let \(\alpha < 3\) and \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). If we approximate \(e \simeq N^\alpha \) and \(N \simeq 2^{2\lambda }\) then Eq. 1 is equivalent to
The last corollary tells us what happens when e is large enough. We can see that n is directly proportional to the secret exponent’s upper bound.
Corollary 9
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). If we approximate \(e \simeq N^n\) and \(N \simeq 2^{2\lambda }\) then Eq. 1 is equivalent to
6 Experimental Results
We further present an example for the \(n=3\) and \(n=4\) cases. Examples for \(n=1\) and \(n=2\) cases are provided in [10] and [7] respectively, and thus we omit them.
6.1 Case \(n=3\)
Before providing our example, we first show how to recover p and q once \(\varphi _3(N) = (ed-1)/k\) is recovered using our attack.
Lemma 2
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). If \(\varphi _3(N) = N^3 - p^3 - q^3 +1\) is known, then p and q can be recovered in polynomial time.
Proof
We will rewrite \(\varphi _3(N)\) as
which is equivalent to
Finding \(S = p+q\) is equivalent to solving (in \(\mathbb {Z}\)) the following cubic equation
which can be done in polynomial time as it is presented in [17]. In order to find p and q, we compute \(D = p-q\) using the following remark
Taking into account that \(p>q\), D is the positive square root of the previous quantity, and thus we derive the following
\(\square \)
The following lemma shows that in order to factor N we only need to find one solution to Eq. 2, namely its unique integer solution.
Lemma 3
Eq. 2 always has exactly two non-real roots and an integer one.
Proof
Let \(x_1\), \(x_2\) and \(x_3\) be Eq. 2’s roots. Using Vieta’s formulas we have
From the first two relations we obtain
If we assume that \(x_1=p+q\) and \(x_2, x_3\) are both real, we get the following system
Therefore, we obtain a contradiction, and hence we conclude that Eq. 2 has one real root, which is \(p+q \in \mathbb {Z}\), and two non-real roots. \(\square \)
Now, we will exemplify our attack for \(n=3\) using the following small public key
Remark that \(e \approx N^{2.989}\). We use the Euclidean algorithm to compute the continued fraction expansion of \(e / \varphi _{3,0}(N)\) and obtain that the first 25 partial quotients are
According to Theorem 2, the set of convergents of \(e / \varphi _{3,0}(N)\) contains all the possible candidates for k/d. From these convergents we select only those for which \(\varphi _3 = (ed-1)/k\) is an integer and the following system of equations
has a solution as given in Lemma 2. The 2nd, 3rd and 21st convergents satisfy the first condition, however only the last one leads to a valid solution for p and q. More precisely, the 21st convergent leads to
6.2 Case \(n=4\)
As in the previous case, we first show how to factorize N once \(\varphi _4\) is known.
Lemma 4
Let \(N = pq\) be the product of two unknown primes with \(q < p < 2q\). If \(\varphi _4(N) = N^4-p^4-q^4 +1\) is known, then
where \(S = \sqrt{2N + \sqrt{(N^2+1)^2 - \varphi _4(N)}}\) and \(D = \sqrt{S^2 - 4N}\).
Proof
We will rewrite \(\varphi _4(N)\) as
which is equivalent to
Finding \(S' = p+q\) is equivalent to solving (in \(\mathbb {Z}\)) the following biquadratic equation
The previous equation can be solved as a normal quadratic equation. Computing the discriminant \(\varDelta \), we have that
Thus, the roots of the quadratic equation, \(x'_{1,2}\), are
The roots of the biquadratic equation are the square roots of the previous quantities.
The roots \(x_{3,4}\) are pure imaginary since
The root \(x_2 = - \sqrt{2N + \sqrt{(N^2+1)^2-\varphi _4(N)}} < 0\), thus we get \(S' = S = x_1 = \sqrt{2N + \sqrt{(N^2+1)^2-\varphi _4(N)}}\). The values of p and q can be recovered by using the algorithm from Lemma 2. \(\square \)
We will further present our attack for \(n=4\) using the following small public key
Note that \(e \approx N^{3.993}\). Applying the continued fraction expansion of \(e / \varphi _{4,0}(N)\), we get the first 25 partial quotients
In this case, we consider the convergents of \(e / \varphi _{4,0}(N)\), and we select only those for which \(\varphi _4 = (ed-1)/k\) is an integer and the following system of equations
has a solution as given in Lemma 4. The 2nd and 23rd convergents satisfy the first condition, however only the last one leads to a valid solution for p and q. More precisely, the 23rd convergent leads to
7 Conclusions
In this paper we introduced a family of RSA-like cryptosystems, which includes the RSA and Elkamchouchi et al. public key encryption schemes [15, 29] (i.e. \(n=1\) and \(n=2\)). Then, we presented a small private key attack against our family of cryptosystems and provided two instantiations of it. As a conclusion, the whole family of RSA-like schemes allows an attacker to recover the secret exponent via continued fractions when the public exponent is close to \(N^n\) and the secret exponent is smaller that \(N^{0.25n}\).
Future Work. When \(n=1,2,3,4\), in Sect. 6 and [4, 7, 10] a method for factoring N once \(\varphi _n\) is known is provided. Although we found a method for particular cases of n we could not find a generic method for factoring N. Therefore, we leave it as an open problem. Another interesting research direction, is to find out if the attack methods described in Sect. 1 for the RSA and Elkamchouchi et al. schemes also work in the general case.
References
Aono, Y.: Minkowski sum based lattice construction for multivariate simultaneous coppersmith’s technique and applications to RSA. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 88–103. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39059-3_7
Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_2
Blömer, J., May, A.: A generalized wiener attack on RSA. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 1–13. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_1
Boneh, D.: Twenty years of attacks on the RSA cryptosystem. Notices AMS 46(2), 203–213 (1999)
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than \({N}_{0.292}\). In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_1
Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_3
Bunder, M., Nitaj, A., Susilo, W., Tonien, J.: A new attack on three variants of the RSA cryptosystem. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 258–268. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_16
Bunder, M., Nitaj, A., Susilo, W., Tonien, J.: A generalized attack on RSA type cryptosystems. Theor. Comput. Sci. 704, 74–81 (2017)
Bunder, M., Nitaj, A., Susilo, W., Tonien, J.: Cryptanalysis of RSA-type cryptosystems based on Lucas sequences, Gaussian integers and elliptic curves. J. Inf. Secur. Appl. 40, 193–198 (2018)
Bunder, M., Tonien, J.: A new attack on the RSA cryptosystem based on continued fractions. Malays. J. Math. Sci. 11, 45–57 (2017)
Cherkaoui-Semmouni, M., Nitaj, A., Susilo, W., Tonien, J.: Cryptanalysis of RSA variants with primes sharing most significant bits. In: Liu, J.K., Katsikas, S., Meng, W., Susilo, W., Intan, R. (eds.) ISC 2021. LNCS, vol. 13118, pp. 42–53. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-91356-4_3
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
Cotan, P., Teşeleanu, G.: Continued fractions applied to a family of RSA-like cryptosystems. In: Su, C., Gritzalis, D., Piuri, V. (eds.) Information Security Practice and Experience. ISPEC 2022. LNCS, vol. 13620, pp. 589–605. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-21280-2_33
De Weger, B.: Cryptanalysis of RSA with small prime difference. Appl. Algebra Eng. Commun. Comput. 13(1), 17–28 (2002)
Elkamchouchi, H., Elshenawy, K., Shaban, H.: Extended RSA cryptosystem and digital signature schemes in the domain of Gaussian integers. In: ICCS 2002, vol. 1, pp. 91–95. IEEE Computer Society (2002)
Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial key exposure attacks on RSA up to full size exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_22
Fujii, K.: A Modern Introduction to Cardano and Ferrari Formulas in the Algebraic Equations. arXiv Preprint arXiv:quant-ph/0311102 (2003)
Hardy, G.H., Wright, E.M., et al.: An Introduction to the Theory of Numbers. Oxford University Press, Oxford (1979)
Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_4
Howgrave-Graham, N., Seifert, J.-P.: Extending wiener’s attack in the presence of many decrypting exponents. In: CQRE 1999. LNCS, vol. 1740, pp. 153–166. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-46701-7_14
Kamel Ariffin, M.R., Abubakar, S.I., Yunos, F., Asbullah, M.A.: New cryptanalytic attack on RSA modulus N = pq using small prime difference method. Cryptography 3(1), 2 (2018)
Maitra, S., Sarkar, S.: Revisiting wiener’s attack – new weak keys in RSA. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 228–243. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85886-7_16
Maitra, S., Sarkar, S.: Revisiting Wiener’s Attack - New Weak Keys in RSA. IACR Cryptology ePrint Archive 2008/228 (2008)
Murru, N., Saettone, F.M.: A novel RSA-like cryptosystem based on a generalization of the Rédei rational functions. In: Kaczorowski, J., Pieprzyk, J., Pomykała, J. (eds.) NuTMiC 2017. LNCS, vol. 10737, pp. 91–103. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76620-1_6
Nassr, D.I., Bahig, H.M., Bhery, A., Daoud, S.S.: A new RSA vulnerability using continued fractions. In: AICCSA 2008, pp. 694–701. IEEE Computer Society (2008)
Nitaj, A.: Another generalization of wiener’s attack on RSA. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 174–190. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68164-9_12
Nitaj, A., Pan, Y., Tonien, J.: A generalized attack on some variants of the RSA cryptosystem. In: Cid, C., Jacobson Jr., M. (eds.) Selected Areas in Cryptography – SAC 2018. SAC 2018. LNCS, vol. 11349, pp. 421–433. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-10970-7_19
Peng, L., Hu, L., Lu, Y., Wei, H.: An improved analysis on three variants of the RSA cryptosystem. In: Chen, K., Lin, D., Yung, M. (eds.) Inscrypt 2016. LNCS, vol. 10143, pp. 140–149. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54705-3_9
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Sarkar, S., Maitra, S.: Cryptanalysis of RSA with more than one decryption exponent. Inf. Process. Lett. 110(8–9), 336–340 (2010)
Takayasu, A., Kunihiro, N.: Cryptanalysis of RSA with multiple small secret exponents. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 176–191. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5_12
Takayasu, A., Kunihiro, N.: Partial key exposure attacks on RSA: achieving the Boneh-Durfee bound. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 345–362. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_21
Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)
Zheng, M., Kunihiro, N., Hu, H.: Cryptanalysis of RSA variants with modified Euler quotient. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 266–281. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_15
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Cotan, P., Teşeleanu, G. (2024). Small Private Key Attack Against a Family of RSA-Like Cryptosystems. In: Fritsch, L., Hassan, I., Paintsil, E. (eds) Secure IT Systems. NordSec 2023. Lecture Notes in Computer Science, vol 14324. Springer, Cham. https://doi.org/10.1007/978-3-031-47748-5_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-47748-5_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-47747-8
Online ISBN: 978-3-031-47748-5
eBook Packages: Computer ScienceComputer Science (R0)