Improved Cryptanalysis of Some RSA Variants

Abstract

Several RSA variants enforce a constraint between their public and private keys through the relation $ed\equiv 1(mod(p^2-1)(q^2-1))$, where p and q are the prime factors of their RSA modulus $N=pq$. In this paper, we introduce a novel attack on RSA variant schemes where the public exponent satisfies an equation of the form $eu\equiv z(mod(p^2-1)(q^2-1))$, with sufficiently small $\left|z\right|$, $\left|u\right|$, in a scenario where the attacker has access to an approximation of one of the prime factors. Our new attack utilizes Coppersmith’s method, combined with lattice basis reduction techniques, to efficiently recover the prime factors of the RSA modulus in these scenarios. This method offers a significant improvement over prior attacks on RSA variants with small private exponents or partial prime information.

1. Introduction

Following the publication of the groundbreaking work of Diffie and Hellman [1], the first public-key scheme was introduced by Rivest, Shamir, and Adleman [2]. This system is known as RSA and remains widely used in practical applications. Its security is rooted in computationally hard problems, particularly the integer factorization problem. The cryptosystem involves generating two large prime numbers p and q with equal bit lengths, and producing the RSA modulus $N=pq$. A public exponent is an integer e selected so that it is prime relative to $\phi \left(N\right)$, where $\phi \left(N\right)=(p-1)(q-1)$ denotes the Euler totient function. The private exponent d is defined as the inverse of e modulo $\phi \left(N\right)$, satisfying the key equation $ed\equiv 1(mod\phi (N\left)\right)$. The public key comprises $(N,e)$, while the private key consists of $(N,d)$. For a message m such that $m<N$, encryption is achieved using $c\equiv m^e(modN)$. Decryption then recovers m via $m\equiv c^d(modN)$.

Encryption and decryption processes can be computationally expensive with large numbers, and using small exponents can improve the efficiency of RSA. However, in 1990, Wiener [3] established that RSA is susceptible to attacks when $d<{\displaystyle \frac{1}{3}}{N}^{1/4}$. Later, Boneh and Durfee [4] refined this limit up to $N^{0.292}$. These findings have spurred ongoing efforts to enhance the efficiency and security of RSA, leading to the development of various alternative variants. Noteworthy examples include CRT-RSA [5] and Multi-Prime RSA [6]. Additionally, other modifications and variants of the RSA scheme have emerged, wherein the Euler totient function $\phi \left(N\right)=(p-1)(q-1)$ is substituted with different formulations.

In 1995, Kuwakado et al. [7] proposed a variant of the RSA cryptosystem that utilizes singular cubic curves, specifically curves with the equation $y^2\equiv x^3+b{x}^2(modN)$, where $N=pq$ is the RSA modulus, and b is an integer in ${\mathbb{Z}}_N$. In this scheme, the public exponent e is chosen such that $gcd(e,\psi (N\left)\right)=1$, where $\psi \left(N\right)=(p^2-1)(q^2-1)$. The private exponent d is determined by the congruence $d\equiv {\displaystyle \frac{1}{e}}(mod(p^2-1)(q^2-1))$.

In 2002, Elkamchouchi et al. [8] introduced an RSA variant using the arithmetic of the ring of Gaussian integers $\mathbb{Z}\left[i\right]$. This cryptosystem employs moduli of the form $N=\mathcal{P}\mathcal{Q}$, with Gaussian prime numbers $\mathcal{P}$ and $\mathcal{Q}$. The central key equation governing the encryption and decryption process is given by $ed\equiv {1(mod(\left|\mathcal{P}\right|}^2-{1\left)\right(\left|\mathcal{P}\right|}^2-1\left)\right)$. Notably, when $\left|\mathcal{P}\right|=p$ and $\left|\mathcal{P}\right|=q$ are both prime integers, this relation reduces to $ed\equiv 1(mod(p^2-1)(q^2-1))$.

In 2003, Said and Loxton [9] presented a modified version of the LUC cryptosystem [10]. In this scheme, the modulus is $N=pq$, where p and q are prime numbers, and the public exponent e and the private exponent d are constrained by the equation $ed\equiv 1(mod\psi (N\left)\right)$, where $\psi \left(N\right)=(p^2-1)(q^2-1)$ represents a generalized Euler totient function.

The RSA cryptosystem and its variants are used in several real-world applications, to secure email communications, e-commerce, digital signatures and verifications, VPNs and network security, and digital certificates such as TLS [11]. As a consequence, any attack on RSA and its variants is closely scrutinized by security specialists and cryptography system designers.

Besides Wiener’s attack [3] and its refinement by Boneh and Durfee [4], a range of other attacks have been developed for the various RSA variants.

In [12], Peng et al. examined the equation $ed-k(p^2-1)(q^2-1)=1$, where $e=N^{\alpha }$ and $d=N^{\delta }$, using Coppersmith’s method. Their findings improved upon previous attacks and demonstrated that if $\delta <2-\sqrt{\alpha }$, the factorization of the modulus N can be achieved in polynomial time.

In 2024, Feng et al. [13] proposed a novel partial prime exposure attack on RSA variants defined by the key equation $ed-k(p^2-1)(q^2-1)=1$. They demonstrated that if $N=pq$ is an RSA modulus, where $\tilde{p}$ is an approximation of p with $|p-\tilde{p}|=N^{\sigma }$, and if $e=N^{\alpha }$ and $d<N^{\delta }$, then the factorization of N can be efficiently determined under the following conditions:

$$\delta <\left\{\begin{array}{cc}2-\sqrt{2\alpha \sigma },\hfill & \mathrm{if}2\sigma <\alpha <{\displaystyle \frac{9}{2}}\sigma ,\hfill \\ 2-{\displaystyle \frac{1}{3}}\alpha -{\displaystyle \frac{3}{2}}\sigma ,\hfill & \mathrm{if}{\displaystyle \frac{9}{2}}\sigma \le \alpha <6-{\displaystyle \frac{9}{2}}\sigma .\hfill \end{array}\right.$$

1.1. Our Contribution

In the attack proposed by Feng et al. [13], the key strategy for breaking the schemes with the equation

$$ed\equiv 1(mod(p^2-1)(q^2-1)),$$

involves transforming the key equation into a modular polynomial equation of the form

$$x_1(x_2^2+a{x}_2+b)\equiv -1(mode).$$

By solving this equation, the extracted solution satisfies

$$(x_1,x_2)=(k,p+q-\tilde{p}-\tilde{q}),$$

where $\tilde{p}$ and $\tilde{q}$ are approximations of the primes p and q, respectively. This enabled them to break the schemes in some scenarios.

In this paper, we extend the work of Feng et al. [13] by transforming the extended key equation

$$eu\equiv z(mod(p^2-1)(q^2-1)),$$

into the generalized modular equation

$$x_1(x_2^2+a{x}_2+b)\equiv x_3(mode).$$

We demonstrate how the solution of this modular equation can be applied to attack the RSA variants characterized by the key equation $ed\equiv 1(mod(p^2-1)(q^2-1)),$ whenever two parameters u and z exist such that $eu\equiv z(mod(p^2-1)(q^2-1)),$ and are sufficiently small, in addition to a known approximation of one of the RSA prime factors.

Notice that the equation $eu\equiv z(mod(p^2-1)(q^2-1))$ is a generalization of the standard key equation $ed\equiv 1(mod(p^2-1)(q^2-1))$, and the private exponent d and u are related by the formula

$$u\equiv dz(mod(p^2-1)(q^2-1)).$$

As a byproduct, we design a polynomial-time algorithm for attacking the mentioned schemes for a significantly broader range of public exponents compared to existing methods.

1.2. The Structure of the Paper

The remainder of this paper is organized in five sections. Section 2 presents some necessary preliminaries. Section 3 introduces our novel attack. Section 4 offers a comparison between our attack and existing ones. Section 5 presents two detailed numerical experiments that demonstrate the effectiveness of our proposed attack. Finally, Section 6 concludes the paper.

2. Preliminaries

In this section, we present fundamental results and important concepts that are pertinent to our main result.

2.1. Useful Lemmas

Given a positive integer of the form $N=pq$ with $q<p<2q$, the following result provides the limiting values for p and q in relation to N, as well as the prime sum $p+q$ (see [14]).

Lemma 1. 

Let p and q be prime numbers satisfying $N=pq$ and $q<p<2q$. Then, one finds that

$${\displaystyle \frac{\sqrt{2}}{2}}{N}^{{\displaystyle \frac{1}{2}}}<q<N^{{\displaystyle \frac{1}{2}}}<p<\sqrt{2}{N}^{{\displaystyle \frac{1}{2}}},p+q<3N^{{\displaystyle \frac{1}{2}}}.$$

The subsequent result shows that, given an approximation of p for a modulus $N=pq$, one can also approximate both q and $p+q$ (see [13]).

Lemma 2. 

Let $N=pq$ be the product of two prime numbers p and q with $q<p<2q$. Assume that $\tilde{p}$ is a known approximation of p with $|p-\tilde{p}|\le N^{\sigma }$. Then, $\tilde{q}=⌊{\displaystyle \frac{N}{\tilde{p}}}⌋$ approximates q, and

$$|q-\tilde{q}|<N^{\sigma },|p+q-(\tilde{p}+\tilde{q})|<2N^{\sigma }.$$

2.2. Schemes with the Key Equation $ed-k(p^2-1)(q^2-1)=1$

In 1995, Kuwakado et al. [7] introduced a cryptographic scheme utilizing a specific elliptic curve, defined by the equation

$$y^2\equiv x^3+b{x}^2(modN),$$

where $N=pq$ represents an RSA modulus. In this scheme, the public key is represented by the pair $(N,e)$, with e chosen to satisfy

$$gcd\left(e,(p^2-1)(q^2-1)\right)=1.$$

The private key is $(N,d)$, where d is determined such that

$$d\equiv {\displaystyle \frac{1}{e}}(mod(p^2-1)(q^2-1)).$$

The encryption of the message $(m_x,m_y)$ is performed by computing

$$b\equiv {\displaystyle \frac{m_y^2-m_x^3}{m_x^2}}(modN),$$

after which the ciphertext $(c_x,c_y)$ is obtained by applying the encryption operation e to $(m_x,m_y)$ on the elliptic curve.

Decryption is carried out by first computing

$$b\equiv {\displaystyle \frac{c_y^2-c_x^3}{c_x^2}}(modN),$$

and then applying the decryption operation d to $(c_x,c_y)$ on the curve to recover the original plaintext $(m_x,m_y)$.

In 2002, Elkamchouchi et al. [8] proposed a cryptosystem in which arithmetic operations are carried out over $\mathbb{Z}\left[i\right]$, the ring of Gaussian integers, rather than the standard integers. In this scheme, the modulus is a standard $N=pq$, and the public and private exponents are related by $ed\equiv 1(mod(p^2-1)(q^2-1))$. For encryption, the plaintext $m\in \mathbb{Z}\left[i\right]$ is transformed into the ciphertext $c\equiv m^e(modN)$, and the decryption is performed using $m\equiv c^d(modN)$.

In [9,15], alternative RSA variants were introduced, where the modulus is expressed as $N=pq$, and the exponents e and d are interlinked by the key equation

$$ed\equiv 1(mod(p^2-1)(q^2-1)).$$

2.3. Lattice Reduction and Coppersmith’s Technique

Lattices are fundamental mathematical structures that play a crucial role in various branches of mathematics. They can be understood as discrete subgroups of finite-dimensional vector spaces. Formally, a Euclidean lattice is defined as follows:

Definition 1. 

Let ${\mathbf{u}}_1,{\mathbf{u}}_2,\dots ,{\mathbf{u}}_{\omega }\in {\mathbb{R}}^d$ be ω linearly independent vectors with $\omega \le d$. The Euclidean lattice spanned by $\{{\mathbf{u}}_1,{\mathbf{u}}_2,\dots ,{\mathbf{u}}_{\omega }\}$ is the set

$$\mathcal{L}=\mathbb{Z}{\mathbf{u}}_1+\mathbb{Z}{\mathbf{u}}_2+\cdots +\mathbb{Z}{\mathbf{u}}_{\omega }.$$

The collection $\{{\mathbf{u}}_1,{\mathbf{u}}_2,\dots ,{\mathbf{u}}_{\omega }\}$ is termed a basis for the lattice $\mathcal{L}$, with ω and d corresponding to the rank and dimension of the lattice, respectively. When $\omega =d$, the lattice $\mathcal{L}$ is said to have full rank.

A matrix representation of a lattice $\mathcal{L}$ can be described as follows: Let $\mathcal{B}\in {\mathbb{R}}^{\omega \times d}$ be the matrix whose rows correspond to the basis $\{{\mathbf{u}}_1,{\mathbf{u}}_2,\dots ,{\mathbf{u}}_{\omega }\}$. Then, an element $\mathbf{v}$ belongs to $\mathcal{L}$ if, and only if, there exists $\mathbf{x}\in {\mathbb{Z}}^{\omega }$ such that $\mathbf{v}=\mathbf{x}\mathcal{B}.$ The quantity defined by $det\left(\mathcal{L}\right)=\sqrt{det\left({\mathcal{B}}^t\mathcal{B}\right)}$ is referred to as the determinant of the lattice, where ${\mathcal{B}}^t$ denotes the transpose of the basis matrix $\mathcal{B}$. For a lattice of full rank, the determinant simplifies to the form $det\left(\mathcal{L}\right)=|det(\mathcal{B}\left)\right|.$

It is a known fact that a lattice $\mathcal{L}$ of rank $\omega \ge 2$ has infinitely many bases, each consisting of $\omega$ vectors and having an identical determinant. Nevertheless, identifying a basis made up of short vectors is a computationally difficult task, particularly as the lattice dimensions grow.

In 1982, Lenstra, Lenstra, and Lovász [16] proposed the LLL algorithm, a polynomial-time method for computing a reduced basis with relatively short vectors. The following theorem, derived from [17], outlines the properties of a reduced basis generated by the LLL algorithm:

Theorem 1. 

For any lattice $\mathcal{L}\subseteq {\mathbb{R}}^d$ defined by a basis $\{{\mathbf{u}}_1,{\mathbf{u}}_2,\dots ,{\mathbf{u}}_{\omega }\}$. The LLL algorithm produces a reduced basis $\{{\mathbf{v}}_1,{\mathbf{v}}_2,\dots ,{\mathbf{v}}_{\omega }\}$, such that

$$\parallel {\mathbf{v}}_1\parallel \le \parallel {\mathbf{v}}_2\parallel \le \cdots \le \parallel {\mathbf{v}}_j\parallel \le 2^{{\displaystyle \frac{\omega (\omega -1)}{4(\omega +1-j)}}}det{\left(\mathcal{L}\right)}^{{\displaystyle \frac{1}{\omega +1-j}}}.$$

for every $j=1,\dots ,\omega$.

Prior to 1996, polynomials of the form $P\left(z\right)\equiv 0(modM)$ were typically solved when the modulus M had a known factorization, employing techniques like the Chinese Remainder Theorem and the properties of finite fields. In 1996, Coppersmith [18] presented an innovative approach for determining small roots of modular polynomial equations of the form

$$P\left(z\right)\equiv 0(modM),$$

even when the factorization of the modulus M was not available. This breakthrough was extended to multivariate polynomials, which are expressed as

$$P(z_1,z_2,\dots ,z_n)=\sum _{i_1,i_2,\dots ,i_n}{\rho }_{i_1,i_2,\dots ,i_n}{z}_1^{i_1}{z}_2^{i_2}\dots z_n^{i_n},$$

where ${\rho }_{i_1,i_2,\dots ,i_n}\in \mathbb{Z}$. The Euclidean norm related to this polynomial is expressed as

$$\parallel P(z_1,z_2,\dots ,z_n)\parallel =\sqrt{\sum _{i_1,i_2,\dots ,i_n}{\rho }_{i_1,i_2,\dots ,i_n}^2}.$$

In 1997, Howgrave-Graham [19] revisited Coppersmith’s technique and proposed a new technique for finding small roots. This advance provided a key result that became foundational in the field.

Theorem 2 

(Howgrave-Graham). Let $P(z_1,z_2,\dots ,z_n)$ be a multivariate polynomial in $\mathbb{Z}[z_1,z_2,\dots ,z_n]$ with no more than ω monomials. Let e and μ be positive integers. Then, the following statements

1. 

$P\left(z_1^{\left(0\right)},z_2^{\left(0\right)},\dots ,z_n^{\left(0\right)}\right)\equiv 0(mod{e}^{\mu })$,

2. 

$\parallel P(z_1{Z}_1,z_2{Z}_2,\dots ,z_n{Z}_n)\parallel <{\displaystyle \frac{e^{\mu }}{\sqrt{\omega }}}$,

3. 

For all $i=1,\dots ,n$, $|z_i^{\left(0\right)}| <Z_i$,

imply that $P\left(z_1^{\left(0\right)},z_2^{\left(0\right)},\dots ,z_n^{\left(0\right)}\right)=0$.

In systems involving more than two variables, extensions of Coppersmith’s method typically depend on heuristic approaches. For the purposes of this study, we make the following assumption [4,12,20,21]:

Assumption 1. 

The polynomials $r_1,r_2,\dots ,r_{\omega }$ generated by the LLL algorithm are algebraically independent.

Based on this assumption, the unique solution $\left(z_1^{\left(0\right)},z_2^{\left(0\right)},\dots ,z_n^{\left(0\right)}\right)$ to the system of polynomial equations $r_i(z_1,z_2,\dots ,z_n)=0$ for $i\le n$, can be computed using methods such as the Gröbner basis or resultant computations.

3. Main Results

In this section, we introduce an efficient technique for breaking RSA variants characterized by the generalized key equation

$$eu\equiv z(mod\left((p^2-1)(q^2-1)\right).$$

The New Attack

Theorem 3. 

Let $(N,e)$ denote an RSA public key where $N=pq$, $q<p<2q$, and $e=N^{\alpha }$. Suppose that there are two parameters, $\left|u\right|\le N^{\delta }$ and $\left|z\right|\le N^{\gamma }$, such that $eu\equiv z(mod\psi (N\left)\right)$, with $\psi \left(N\right)=(p^2-1)(q^2-1)$. Assume also that p is approximated by $\tilde{p}$ with an error bound of $|p-\tilde{p}| \le N^{\sigma }$, where $0\le \sigma \le {\displaystyle \frac{1}{2}}$. If

$$2\sigma <\alpha <{\displaystyle \frac{2}{\sigma }}and\delta +{\displaystyle \frac{\gamma }{2}}<2-\sqrt{2\sigma \alpha },$$

then the factorization of N can be performed in polynomial time.

Proof. 

Let $\tilde{p}$ be a close approximation of p such that $|p-\tilde{p}| \le N^{\sigma }$. By Lemma 2, the value $\tilde{q}=⌊N/\tilde{p}⌋$ serves as an approximation for q, satisfying the bounds

$$|q-\tilde{q}| <N^{\sigma },|p+q-\tilde{p}-\tilde{q}|<2N^{\sigma }.$$

Let x be an integer satisfying $eu-x\psi \left(N\right)=z$. This can be rewritten as

$$-x\psi \left(N\right)\equiv z(mode).$$

Write $-\psi \left(N\right)=y^2+ay+b,$ for

$$a=2(\tilde{p}+\tilde{q}),b={(\tilde{p}+\tilde{q})}^2-{(N+1)}^2,y=p+q-\tilde{p}-\tilde{q}.$$

As a consequence, the triplet

$$\left(x_1^{\left(0\right)},x_2^{\left(0\right)},x_3^{\left(0\right)}\right)=(x,y,z),$$

is a solution of the equation

$$x_1(x_2^2+a{x}_2+b)\equiv x_3(mode).$$

To compute the root $\left(x_1^{\left(0\right)},x_2^{\left(0\right)},x_3^{\left(0\right)}\right)$, we employ an extended version of Coppersmith’s method. This involves analyzing the polynomial equation

$$f(x_1,x_2,x_3)\equiv 0(mode),$$

where

$$f(x_1,x_2,x_3)=x_1(x_2^2+a{x}_2+b)-x_3.$$

Let $x_4=x_1{x}_2^2-x_3$. Then, $f(x_1,x_2,x_3)=g(x_1,x_2,x_4)$, where

$$g(x_1,x_2,x_4)=x_1(a{x}_2+b)+x_4.$$

Building on Coppersmith’s method, we introduce an additional parameter $\zeta >0$, which will be optimized, along with two integers $\mu$ and w, where $0\le w\le \mu$. We then define the following list of polynomials:

$$G_{w,a,b}(x_1,x_2,x_3,x_4)=x_1^a{x}_2^b{x}_3^{\mu -a-w}g{(x_1,x_2,x_4)}^w{e}^{\mu -w},(w,a,b)\in \mathcal{C}\cup \mathcal{D},$$

where

$$\begin{array}{cc}\hfill \mathcal{C}& =\left\{(w,a,b)|b=0,1,w=0,\dots ,\mu ,a=1,\dots ,\mu -w\right\},\hfill \\ \hfill \mathcal{D}& =\left\{(w,a,b)|b=0,\dots ,\lfloor \zeta \rfloor ,w=⌊{\displaystyle \frac{\mu }{\zeta }}⌋b,\dots ,\mu ,a=0\right\},\hfill \end{array}$$

and, in the computations, the term $x_1{x}_2^2$ is replaced by $x_4+x_3$.

Given that $\left(x_1^{\left(0\right)},x_2^{\left(0\right)},x_3^{\left(0\right)}\right)$ is a root of the equation

$$f(x_1,x_2,x_3)\equiv 0(mode).$$

Then, by defining $x_4^{\left(0\right)}=x_1^{\left(0\right)}{\left(x_2^{\left(0\right)}\right)}^2-x_3^{\left(0\right)}$, the triplet $\left(x_1^{\left(0\right)},x_2^{\left(0\right)},x_4^{\left(0\right)}\right)$ satisfies the equation $g(x_1,x_2,x_4)\equiv 0(mode)$. Furthermore, we observe that

$$G_{w,a,b}\left(x_1^{\left(0\right)},x_2^{\left(0\right)},x_3^{\left(0\right)},x_4^{\left(0\right)}\right)\equiv 0(mod{e}^{\mu }),$$

for all $(w,a,b)\in \mathcal{C}\cup \mathcal{D}$.

In Coppersmith’s technique, it is important to establish the bounds $X_1$, $X_2$, $X_3$, and $X_4$ such that

$$\left|x_1^{\left(0\right)}\right|\le X_1,\left|x_2^{\left(0\right)}\right|\le X_2,\left|x_3^{\left(0\right)}\right|\le X_3,\left|x_4^{\left(0\right)}\right|\le X_4.$$

Using $\psi \left(N\right)>{\displaystyle \frac{N^2}{2}}$ and assuming that $\left|z\right|<e\left|u\right|$, we obtain the following estimate:

$$\left|x_1^{\left(0\right)}\right|=\left|{\displaystyle \frac{eu-z}{\psi \left(N\right)}}\right|<4e\left|u\right|N^{-2}\le 4N^{\alpha +\delta -2}.$$

To obtain a bound for $x_4^{\left(0\right)}=x_1^{\left(0\right)}{\left(x_2^{\left(0\right)}\right)}^2-x_3^{\left(0\right)}$, we suppose

$$\left|x_3^{\left(0\right)}\right|<x_1^{\left(0\right)}{\left(x_2^{\left(0\right)}\right)}^2,$$

so that $\left|x_4^{\left(0\right)}\right|<2x_1^{\left(0\right)}{\left(x_2^{\left(0\right)}\right)}^2.$ In addition to $\left|x_2^{\left(0\right)}\right|<2N^{\sigma }$, the corresponding bounds are given by

$$\begin{array}{c}\hfill X_1=4N^{\alpha +\delta -2},X_2=2N^{\sigma },X_3=N^{\gamma },X_4=2X_1{X}_2^2=32N^{\alpha +\delta -2(1-\sigma )}.\end{array}$$

(1)

Next, we construct the lattice $\mathcal{L}$ represented by the matrix whose rows consist of the coefficient vectors of the polynomials $G_{w,a,b}(X_1{x}_1,X_2{x}_2,X_3{x}_3,X_4{x}_4)$. A lower triangular matrix can be formed by considering the following criteria: The rows of this matrix correspond to the polynomials $G_{w,a,b}(X_1{x}_1,X_2{x}_2,X_3{x}_3,X_4{x}_4)$ and are arranged lexicographically, assuring that

$$G_{w,a,b}(X_1{x}_1,X_2{x}_2,X_3{x}_3,X_4{x}_4)\prec G_{w^{\prime },a^{\prime },b^{\prime }}(X_1{x}_1,X_2{x}_2,X_3{x}_3,X_4{x}_4),$$

if $w<w^{\prime }$, or if $w=w^{\prime }$ and $a<a^{\prime }$, or if $w=w^{\prime }$, $a=a^{\prime }$, and $b<b^{\prime }$. Similarly, the columns are represented by the monomials $x_1^a{x}_2^b{x}_3^{\mu -a-w}{x}_4^w$, and the lexicographical ordering is as follows:

$$x_4^w{x}_1^a{x}_2^b{x}_3^{\mu -a-w}\prec x_4^{w^{\prime }}{x}_1^{a^{\prime }}{x}_2^{b^{\prime }}{x}_3^{\mu -a^{\prime }-w^{\prime }},$$

if $w<w^{\prime }$, or if $w=w^{\prime }$ and $a<a^{\prime }$, or if $w=w^{\prime }$, $a=a^{\prime }$, and $b<b^{\prime }$.

A typical example of the lattice basis matrix for $\mu =\zeta =2$ and

$$f(x_1,x_2,x_3)=x_1(x_2^2+a{x}_2+b)-x_3,$$

using $x_1{x}_2^2=x_3+x_4$, is provided in

Table 1. The lattice basis matrix for $(\mu ,\zeta )=(2,2)$.

${\mathit{G}}_{\mathit{w},\mathit{a},\mathit{b}}$	${\mathit{x}}_3^2$	${\mathit{x}}_1{\mathit{x}}_3$	${\mathit{x}}_1{\mathit{x}}_2{\mathit{x}}_3$	${\mathit{x}}_1^2$	${\mathit{x}}_1^2{\mathit{x}}_2$	${\mathit{x}}_3{\mathit{x}}_4$	${\mathit{x}}_2{\mathit{x}}_3{\mathit{x}}_4$	${\mathit{x}}_1{\mathit{x}}_4$	${\mathit{x}}_1{\mathit{x}}_2{\mathit{x}}_4$	${\mathit{x}}_4^2$	${\mathit{x}}_2{\mathit{x}}_4^2$	${\mathit{x}}_2^2{\mathit{x}}_4^2$
$G_{0,0,0}$	$e^2{X}_3^2$	0	0	0	0	0	0	0	0	0	0	0
$G_{0,1,0}$	0	$e^2{X}_1{X}_3$	0	0	0	0	0	0	0	0	0	0
$G_{0,1,1}$	0	0	$e^2{X}_1{X}_2{X}_3$	0	0	0	0	0	0	0	0	0
$G_{0,2,0}$	0	0	0	$e^2{X}_1^2$	0	0	0	0	0	0	0	0
$G_{0,2,1}$	0	0	0	0	$e^2{X}_1^2{X}_2$	0	0	0	0	0	0	0
$G_{1,0,0}$	0	★	★	0	0	$e{X}_3{X}_4$	0	0	0	0	0	0
$G_{1,0,1}$	★	0	★	0	0	★	$e{X}_2{X}_3{X}_4$	0	0	0	0	0
$G_{1,1,0}$	0	0	0	★	★	0	0	$e{X}_1{X}_4$	0	0	0	0
$G_{1,1,1}$	0	★	0	0	★	0	0	★	$e{X}_1{X}_2{X}_4$	0	0	0
$G_{2,0,0}$	0	★	0	★	★	0	0	★	★	$X_4^2$	0	0
$G_{2,0,1}$	0	★	★	0	★	★	0	★	★	★	$X_2{X}_4^2$	0
$G_{2,0,2}$	★	★	★	0	0	★	★	★	★	★	★	$X_2^2{X}_4^2$

. The symbol ★ marks the non-zero entries.

By construction, the lattice basis matrix is lower triangular, and each diagonal entry takes the form $X_1^a{X}_2^b{X}_3^{\mu -a-w}{X}_4^w{e}^{\mu -w}$ for some combination $(w,a,b)$ belonging to $\mathcal{C}\cup \mathcal{D}$. This shows that the determinant of the lattice can be expressed as

$$\begin{array}{c}\hfill det\left(\mathcal{L}\right)=X_1^{n_{X_1}}{X}_2^{n_{X_2}}{X}_3^{n_{X_3}}{X}_4^{n_{X_4}}{e}^{n_e},\end{array}$$

(2)

with $n_{X_1}=\mathcal{E}\left(a\right)$, $n_{X_2}=\mathcal{E}\left(b\right)$, $n_{X_3}=\mathcal{E}(\mu -a-w)$, $n_{X_4}=\mathcal{E}\left(w\right)$, $n_e=\mathcal{E}(\mu -w)$, and

$$\begin{array}{cc}\hfill \mathcal{E}\left(c\right)& =\sum _{b=0}^1\sum _{w=0}^{\mu }\sum _{a=1}^{\mu -w}c+\sum _{b=0}^{\lfloor \zeta \rfloor }\sum _{w=⌊{\displaystyle \frac{\mu }{\zeta }}⌋b}^{\mu }\sum _{a=0}^{0}c.\hfill \end{array}$$

In order to optimize $\zeta$, we replace it with $\mu \zeta$, and to facilitate the computations, we adopt the approximation $\lfloor x\rfloor \approx x$ for a real number x. Consequently, the exponents $n_{X_1}$, $n_{X_2}$, $n_{X_3}$, $n_{X_4}$, $n_e$, along with the lattice dimension $\omega =\mathcal{E}\left(1\right)$, are governed by the following relations:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill n_{X_1}& ={\displaystyle \frac{1}{3}}{\mu }^3+o\left({\mu }^3\right)\hfill \\ \hfill n_{X_2}& ={\displaystyle \frac{1}{6}}{\zeta }^2{\mu }^3+o\left({\mu }^3\right)\hfill \\ \hfill n_{X_3}& ={\displaystyle \frac{1}{6}}(\zeta +2){\mu }^3+o\left({\mu }^3\right)\hfill \\ \hfill n_{X_4}& ={\displaystyle \frac{1}{3}}(\zeta +1){\mu }^3+o\left({\mu }^3\right)\hfill \\ \hfill n_e& ={\displaystyle \frac{1}{6}}(\zeta +4){\mu }^3+o\left({\mu }^3\right)\hfill \\ \hfill \omega & ={\displaystyle \frac{1}{2}}(\zeta +2){\mu }^2+o\left({\mu }^2\right).\hfill \end{array}\end{array}$$

(3)

The LLL algorithm is applied to reduce the matrix M, yielding a reduced matrix $M^{\prime }$ that preserves the determinant. From this reduced matrix, we construct $\omega$ polynomials $r_i(x_1,x_2,x_3,x_4)$, where $i=1,\dots ,\omega$, each of which satisfies the congruence

$$r_i\left(x_1^{\left(0\right)},x_2^{\left(0\right)},x_3^{\left(0\right)},x_4^{\left(0\right)}\right)\equiv 0(mod{e}^{\mu }).$$

In order to find the solution, we establish a connection between Theorems 1 and 2, concentrating on the scenario where $j=4$. Thus, we set

$$2^{{\displaystyle \frac{\omega (\omega -1)}{4(\omega -3)}}}det{\left(\mathcal{L}\right)}^{{\displaystyle \frac{1}{\omega -3}}}<{\displaystyle \frac{e^{\mu }}{\sqrt{\omega }}}.$$

By combining with (2), this simplifies to

$$\begin{array}{c}\hfill e^{n_e-\mu (\omega -3)}{X}_1^{n_{X_1}}{X}_2^{n_{X_2}}{X}_3^{n_{X_3}}{X}_4^{n_{X_4}}<{\displaystyle \frac{1}{2^{\frac{\omega (\omega -1)}{4}}{\left(\sqrt{\omega }\right)}^{\omega -2}}}<1.\end{array}$$

(4)

By considering the dominant terms in (3) along with the bounds in (1), and neglecting smaller values, we obtain

$$\begin{array}{c}\hfill \sigma {\zeta }^2+(\gamma +2\delta +4\sigma -4)\zeta +2\alpha +2\gamma +4\delta +4\sigma -8<0,\end{array}$$

(5)

in which the optimal value for $\zeta$ is

$${\zeta }_0={\displaystyle \frac{2-\delta -\frac{\gamma }{2}-2\sigma }{\sigma }}.$$

To ensure that ${\zeta }_0>0$, the parameters must satisfy

$$\begin{array}{c}\hfill \delta +{\displaystyle \frac{\gamma }{2}}<2-2\sigma .\end{array}$$

(6)

Plugging ${\zeta }_0$ in (5), we arrive at

$$-4{\delta }^2-4(\gamma -4)\delta -{\gamma }^2+8\alpha \sigma +8\gamma -16<0.$$

Solving the former inequation for $\delta$, we obtain

$$\begin{array}{c}\hfill \delta <2-\sqrt{2\sigma \alpha }-{\displaystyle \frac{\gamma }{2}}.\end{array}$$

Using the assumption $\alpha >2\sigma$ and (6), we obtain

$$\delta +{\displaystyle \frac{\gamma }{2}}<min\left(2-\sqrt{2\sigma \alpha },2-2\sigma \right)=2-\sqrt{2\sigma \alpha }.$$

In addition, given that $\delta \ge 0$ and $\gamma \ge 0$, the inequality

$$2-\sqrt{2\sigma \alpha }>0,$$

is satisfied if $\alpha <{\displaystyle \frac{2}{\sigma }}$.

Afterward, we select four reduced and algebraically independent polynomials, denoted as $r_i(x_1,x_2,x_3,x_4)$ for $1\le i\le 4$. By solving the system of equations $r_i(x_1,x_2,x_3,x_4)=0$ for $i=1,2,3,4$ over the integers, using either the Gröbner basis approach or resultant techniques, we can extract

$$x_2^{\left(0\right)}=p+q-\tilde{p}-\tilde{q}.$$

Finally, solving the system $N=pq$ and $x_2^{\left(0\right)}+\tilde{p}+\tilde{q}=p+q$, we can recover p and q. This concludes the proof. □

A consequence of Theorem 3 is the following result, which concerns the case where the modulus $N=pq$ is the product of two primes, p and q, with a sufficiently small difference $|p-q|$.

Corollary 1. 

Let $(N,e)$ denote an RSA public key where $N=pq$, with $q<p<2q$, and $e=N^{\alpha }$. Assume the existence of two parameters, $\left|u\right|\le N^{\delta }$ and $\left|z\right|\le N^{\gamma }$, such that $eu\equiv z(mod\psi (N\left)\right)$, where $\psi \left(N\right)=(p^2-1)(q^2-1)$. Furthermore, suppose that the prime difference $|p-q|\le N^{\sigma }$ is small, with $0\le \sigma \le {\displaystyle \frac{1}{2}}$. If

$$2\sigma <\alpha <{\displaystyle \frac{2}{\sigma }}and\delta +{\displaystyle \frac{\gamma }{2}}<2-\sqrt{2\sigma \alpha },$$

then we can recover p and q in polynomial time.

Proof. 

Assume that $p-q<N^{\sigma }$. According to Lemma 1, we have $q<\sqrt{N}<p$, which implies that

$$0<p-\sqrt{N}<p-q\le N^{\sigma }.$$

This suggests that $\tilde{p}=\sqrt{N}$ is a close approximation of p, with $|p-\tilde{p}|<N^{\sigma }$. Applying Theorem 3, we can factor $N=pq$ under the conditions

$$2\sigma <\alpha <{\displaystyle \frac{2}{\sigma }}\mathrm{and}\delta +{\displaystyle \frac{\gamma }{2}}<2-\sqrt{2\sigma \alpha }.$$

This completes the proof. □

4. Comparison with the Existing Attacks

In this section, we compare the bounds of our attack with those of previous approaches.

4.1. Comparison with Peng et al.’s Attack

In [12], Peng et al. proposed an attack against the RSA variants based on the key equation

$$ed-k(p^2-1)(q^2-1)=1.$$

They demonstrated that the system is vulnerable when $e=N^{\alpha }$, $d=N^{\delta }$, and $\delta <2-\sqrt{\alpha }$. This represents the optimal bound for attacks targeting small private exponents in such schemes. This bound can be obtained by taking $\gamma =0$ and $\sigma ={\displaystyle \frac{1}{2}}$. As a consequence, our attack can be seen as an extension of the attack of Peng et al.

4.2. Comparison with Feng et al.’s Attack

In [13], Feng et al. introduced an attack on cryptographic systems defined by the key equation $ed-k(p^2-1)(q^2-1)=1$. They showed that for a modulus $N=pq$, where $e=N^{\alpha }$, $d<N^{\delta }$, and $|p-\tilde{p}|=N^{\sigma }$ with $\tilde{p}$ being an approximation of p, the scheme becomes susceptible to attack when $\delta <2-\sqrt{2\alpha \sigma }$. This vulnerability threshold is derived by setting $\gamma =0$ in Theorem 3, highlighting that the approach of Feng et al. is a particular case within the broader framework presented in our methodology.

Additionally, the number of exponents e of size $N^{\alpha }$ that are prone to the attack of Feng et al. can be approximated by

$$\#\left\{d\mid d<N^{2-\sqrt{2\sigma \alpha }},gcd(d,\psi \left(N\right))=1\right\}=\mathcal{O}\left(N^{2-\sqrt{2\sigma \alpha }-\epsilon }\right),$$

where $\epsilon$ is a small positive parameter representing the exponents that are not coprime with $\psi \left(N\right)=(p^2-1)(q^2-1)$.

Alternatively, the quantity of the weak exponents e of size $N^{\alpha }$ associated with our attack can be expressed as

$$\mathcal{Q}=\#\left\{(u,z)\left|\right|u|\le N^{\delta },\left|z\right|\le N^{\gamma },\delta +{\displaystyle \frac{1}{2}}\gamma <2-\sqrt{2\sigma \alpha },gcd(u,\psi \left(N\right))=1\right\}.$$

Hence,

$$\mathcal{Q}\le \#\left\{(u,z)\left|\right|u|\le N^{\delta },\left|z\right|\le N^{\gamma },\left|u\right|\sqrt{\left|z\right|}<N^{2-\sqrt{2\sigma \alpha }},gcd(u,\psi \left(N\right))=1\right\}.$$

By setting $\rho =2-\sqrt{2\sigma \alpha }$, and observing $1\le \left|z\right|<{\displaystyle \frac{N^{2\rho }}{{\left|u\right|}^2}}$, where $1\le \left|u\right|<N^{\rho }$, an upper bound for this quantity is determined by summing the possible values of $\left|z\right|$ within the interval $\left[1,{\displaystyle \frac{N^{2\rho }}{{\left|u\right|}^2}}\right]$ for each u satisfying $1\le \left|u\right|<N^{\rho }$. This results in

$$\mathcal{Q}\le 4\sum _{u=1}^{N^{\rho }}\sum _{z=1}^{{\displaystyle \frac{N^{2\rho }}{{\left|u\right|}^2}}}1=4\sum _{u=1}^{N^{\rho }}{\displaystyle \frac{N^{2\rho }}{{\left|u\right|}^2}}=4N^{2\rho }\sum _{u=1}^{N^{\rho }}{\displaystyle \frac{1}{{\left|u\right|}^2}}\le {\displaystyle \frac{2{\pi }^2}{3}}{N}^{2\rho },$$

where we utilized the established result ${\sum }_{k=1}^{+\infty }{\displaystyle \frac{1}{k^2}}={\displaystyle \frac{{\pi }^2}{6}}$. Thus,

$$\mathcal{Q}=\mathcal{O}\left(N^{2\left(2-\sqrt{2\sigma \alpha }\right)-\epsilon }\right),$$

where $\epsilon$ is a small positive constant representing the integers u that are not coprime with $\psi \left(N\right)$. This bound greatly exceeds the number of exponents e of size $N^{\alpha }$ that are susceptible to the attack introduced by Feng et al. [13].

5. Experimental Results

In this section, we provide two small numerical examples to demonstrate that our new method successfully breaks the RSA variants where previous methods fail, and present a table to show that it also works for large examples of real-world size. The computations were carried out using SageMath 10.4 [22] on a PC running Ubuntu 22.04.3 LTS, equipped with an Intel(R) Core(TM) i5-4460 CPU @ 3.20GHz (4 cores) and 8.00 GB of RAM.

5.1. A Numerical Example with a Sufficiently Small Prime Gap

This numerical example illustrates how Theorem 3 can be leveraged to break the schemes when the difference between the RSA primes is sufficiently small.

Let us examine the following public parameters, with N being a 300-bit number and e being a 591-bit number

$$\begin{array}{cc}\hfill N=& 154979168861015678139379817043779303050456195924935465847814228\setminus \hfill \\ \hfill & 2890859680277309141134732469,\hfill \\ \hfill e=& 457288125509831890795785821136858794210767210242104567444220851\setminus \hfill \\ \hfill & 229578313165377666751566097358780811176150123829929919164675754\setminus \hfill \\ \hfill & 9806692842556025667935819822827034254195266303881105.\hfill \end{array}$$

This implies that $e=N^{\alpha }$, with $\alpha \approx 1.9698$.

From Corollary 1, the quantity $\tilde{p}=⌊\sqrt{N}⌋$ provides an estimate for p, such that

$$\begin{array}{cc}\hfill \tilde{p}=& 1244906297120452669049070335354223115387563820.\hfill \end{array}$$

The computation of $⌊{\displaystyle \frac{\tilde{p}}{N}}⌋$ subsequently results in

$$\begin{array}{cc}\hfill \tilde{q}=& ⌊{\displaystyle \frac{\tilde{p}}{N}}⌋=1244906297120452669049070335354223115387563821.\hfill \end{array}$$

The goal here is to solve the modular equation

$$x_1(x_2^2+a{x}_2+b)\equiv x_3(mode),$$

where

$$a=2(\tilde{p}+\tilde{q}),b={(\tilde{p}+\tilde{q})}^2-{(N+1)}^2.$$

More specifically, we have

$$\begin{array}{cc}\hfill a=& 4979625188481810676196281341416892461550255282,\hfill \\ \hfill b=& -240185427808512116073417421646903712871170445256523888858285\setminus \hfill \\ \hfill & 019886634239027251972324059413204652277359229823499357615430045\setminus \hfill \\ \hfill & 0691818616461378580654179335980030497821387859658630076019.\hfill \end{array}$$

To implement the approach specified in Theorem 3, an attacker without knowledge of u, z, and, p can try different values for $\delta$, $\gamma$, and $\sigma$. Assume that $\delta =0.235$, $\gamma =0.294$, and $\sigma =0.484$ such that $\left|u\right|\le N^{\delta }$, $\left|z\right|\le N^{\gamma }$ and $|p-p_1|\le N^{\sigma }$. These values satisfy the necessary inequalities of Theorem 3, namely

$$2\sigma \approx 0.968<\alpha <{\displaystyle \frac{2}{\sigma }}\approx 4.132,$$

and

$$\delta +{\displaystyle \frac{\gamma }{2}}\approx 0.382<2-\sqrt{2\sigma \alpha }\approx 0.619.$$

Next, we set the bounds

$$\begin{array}{cc}\hfill X_1=& \lfloor 4N^{\alpha +\delta -2}\rfloor =11831177466857048064,\hfill \\ \hfill X_2=& \lfloor 2N^{\sigma }\rfloor =89768152296567761007830082898706151812104192,\hfill \\ \hfill X_3=& \lfloor N^{\gamma }\rfloor =328050238835591035454750720,\hfill \\ \hfill X_4=& 2X_1{X}_2^2=190678855617257854312232486748643825499976561448821233\setminus \hfill \\ \hfill & 845028452847741564061825373741977013396720419279470592.\hfill \end{array}$$

The lattice $\mathcal{L}$ is constructed by choosing $\mu =5$ and $\zeta =4$ and using the coefficient vectors of the polynomials $G_{w,a,b}(X_1{x}_1,X_2{x}_2,X_3{x}_3,X_4{x}_4)$, where

$$G_{w,a,b}(x_1,x_2,x_3,x_4)=x_1^a{x}_2^b{x}_3^{\mu -a-w}g{(x_1,x_2,x_4)}^w{e}^{\mu -w},(w,a,b)\in \mathcal{C}\cup \mathcal{D},$$

$g(x_1,x_2,x_4)=x_1(a{x}_2+b)+x_4$, and the substitution $x_1{x}_2^2=x_3+x_4$ is also applied. The sets $\mathcal{C}$ and $\mathcal{D}$ are defined by

$$\begin{array}{cc}\hfill \mathcal{C}& =\left\{(w,a,b)|b=0,1,w=0,\dots ,\mu ,a=1,\dots ,\mu -w\right\},\hfill \\ \hfill \mathcal{D}& =\left\{(w,a,b)|b=0,\dots ,\lfloor \zeta \rfloor ,w=⌊{\displaystyle \frac{\mu }{\zeta }}⌋b,\dots ,\mu ,a=0\right\}.\hfill \end{array}$$

The lattice $\mathcal{L}$ has a dimension of $\omega =50$. After applying the LLL reduction algorithm, an output of 50 polynomials is obtained. By leveraging the Gröbner basis method, four polynomials are extracted and solved over the integers, providing the desired solution

$$\begin{array}{cc}\hfill x_1^{\left(0\right)}& =2118139169990949806,\hfill \\ \hfill x_2^{\left(0\right)}& =390817915437012442315843242819187471908433,\hfill \\ \hfill x_3^{\left(0\right)}& =215787365557955890516827161,\hfill \\ \hfill x_4^{\left(0\right)}& =32352170256576205797755149595806747150304278873868333447245\setminus \hfill \\ \hfill & 5668311351552253549441721597993613823717973.\hfill \end{array}$$

Combining $x_2^{\left(0\right)}+\tilde{p}+\tilde{q}=p+q$ with $N=pq$ gives

$$\begin{array}{cc}\hfill p=& 1267160034859286529528805631615411782484795507,\hfill \\ \hfill q=& 1223043377297055821011650882335853635762240567.\hfill \end{array}$$

The LLL algorithm and Gröbner basis computations were completed in under $3.2$ s. Notice that

$$eu\equiv z(mod(p^2-1)(q^2-1)),$$

where

$$u=1112528697601846621961.$$

The hypotheses $\left|x_3^{\left(0\right)}\right|<x_1^{\left(0\right)}{\left(x_2^{\left(0\right)}\right)}^2$ as well as $\left|z\right|<e\left|u\right|$ are well satisfied as outlined in the proof of Theorem 3.

Next, one can compute the private exponent corresponding to e via

$$d\equiv {\displaystyle \frac{1}{e}}(mod(p^2-1)(q^2-1)).$$

Hence,

$$\begin{array}{cc}\hfill d=& 605002709727751669617165546601883006212903964271667723683291\setminus \hfill \\ \hfill & 018629338222112941267558151236353614233660075317610862453388\setminus \hfill \\ \hfill & 60942430869431283894009332939209545056528528907125307870961.\hfill \end{array}$$

Observe that $d=N^{{\delta }_0}$ with ${\delta }_0\approx 1.982$.

To experimentally validate the comparisons made in Section 4, we observed that $|p-\tilde{p}|\le N^{{\sigma }_0}$, where ${\sigma }_0\approx 0.48062$.

Feng et al. [13] proposed an optimal bound for breaking RSA schemes, given by ${\delta }_0<2-\sqrt{2{\sigma }_0\alpha }$, where $d\le N^{{\delta }_0}$ defines the threshold for partial prime exposure attacks. In the numerical example considered here, we calculate $2-\sqrt{2{\sigma }_0\alpha }\approx 0.623$, which is smaller than ${\delta }_0$. This result demonstrates that Feng’s method is ineffective in compromising the system in this particular case.

In the same manner, the optimal bound for small private exponent attacks, as proposed by Peng et al. [12], is ${\delta }_0<2-\sqrt{\alpha }$. In our case, we compute $2-\sqrt{\alpha }\approx 0.596$, which is also smaller than ${\delta }_0$. This shows that their method is not sufficient to break the systems in this particular instance.

5.2. A Numerical Example Highlighting the Use of a Proper Approximation

In this numerical example, we illustrate the process of recovering RSA primes when an integer that is near one of the RSA primes is accessible.

Consider the following public parameters, where N is a 602-bit number and e is a 1203-bit number

$$\begin{array}{cc}\hfill N=& 966492835405917565828743876772306537872563335866019903185649724\setminus \hfill \\ \hfill & 585072428210443099203551461953784012336521319066373953079442564\setminus \hfill \\ \hfill & 5096246950121860628973430859686177613488569115359388469,\hfill \\ \hfill e=& 777696331000137048626324377418300225698121769798015281961785263\setminus \hfill \\ \hfill & 396314104341430708362418250852799801319640832347407155148403524\setminus \hfill \\ \hfill & 830446594816250177319485494227260306500966008079178804053714386\setminus \hfill \\ \hfill & 550565059933158714405685845984477756481877004637940295537785063\setminus \hfill \\ \hfill & 120660318119031261121321236386018313549302989253240895952509090\setminus \hfill \\ \hfill & 12701494724121570822144212683726079127519436075.\hfill \end{array}$$

As a result, we obtain $e=N^{\alpha }$, where $\alpha \approx 1.9996$. Suppose that $\tilde{p}$ serves as an approximation for p

$$\begin{array}{cc}\hfill \tilde{p}=& 364610523335379592284389421573659615395758581802091912160143469\setminus \hfill \\ \hfill & 2397675330348189905978392575.\hfill \end{array}$$

In addition,

$$\begin{array}{cc}\hfill \tilde{q}=& ⌊{\displaystyle \frac{\tilde{p}}{N}}⌋=26507540884027330731045765925267078004728846420158921488\setminus \hfill \\ \hfill & 30934441516667046167116343321796511.\hfill \end{array}$$

Using the same approach as before, we set $\delta =0.5$, $\gamma =0.48$, and $\sigma =0.35$, assuming that $\left|u\right|\le N^{\delta }$, $\left|z\right|\le N^{\gamma }$, and $|p-\tilde{p}|\le N^{\sigma }$, also setting $\mu =3$ and $\zeta =2$, for which the lattice has dimension 21. This yields

$$\begin{array}{cc}\hfill b=& -934108400890970063113012658149447009177943086257627895908427\setminus \hfill \\ \hfill & 452430596466687391156490830430984129377337370262845368309072316\setminus \hfill \\ \hfill & 837147048999456798902983065075413979216608100055377703331416184\setminus \hfill \\ \hfill & 593193736239252540424061026130258781942275427721679167321317591\setminus \hfill \\ \hfill & 128546008317439625034646622430589530983004348180039059143417035\setminus \hfill \\ \hfill & 28114881439971427073016598854361702457857015425504,\hfill \\ \hfill a=& 125937186435130579918969416165266079088609409200736225408647382\setminus \hfill \\ \hfill & 67828684753030612498600378172.\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill X_1=& \lfloor 4N^{\alpha +\delta -2}\rfloor =10526045218379553266784328389710180922200405020583\setminus \hfill \\ \hfill & 344587683953736983232496439578853778653184,\hfill \\ \hfill X_2=& \lfloor 2N^{\sigma }\rfloor =442435044439138152363855736582994067244877411503118598\setminus \hfill \\ \hfill & 5007255552,\hfill \\ \hfill X_3=& \lfloor N^{\gamma }\rfloor =746268905988929664887076686742541830260450951567549101\setminus \hfill \\ \hfill & 674427835233703688367285274148864,\hfill \\ \hfill X_4=& 2X_1{X}_2^2=41209207783538205815969522326106407631768819589618604\setminus \hfill \\ \hfill & 56896053520766911584121244573412698478084094774623230437845253\setminus \hfill \\ \hfill & 00839108720405531155708393071899115390281782418196043961370236\setminus \hfill \\ \hfill & 047805596490885666949991968070301302915072.\hfill \end{array}$$

By applying the Gröbner basis technique, we choose four of these polynomials and find their integer solution, resulting in

$$\begin{array}{cc}\hfill x_1^{\left(0\right)}=& 927289119299658614013919916110587398358183024721353315997217625\setminus \hfill \\ \hfill & 364986735038070234,\hfill \\ \hfill x_2^{\left(0\right)}=& -81742039631074545148932102760,\hfill \\ \hfill x_3^{\left(0\right)}=& 155307939029434956997630259985238998486681453560506681476796626\setminus \hfill \\ \hfill & 0825646610673424375909,\hfill \\ \hfill x_4^{\left(0\right)}=& 619592431297889806198462072567183158811595584795214277160999337\setminus \hfill \\ \hfill & 875469111193070308053807933256693043581463662201635520498003358\setminus \hfill \\ \hfill & 3325318142491.\hfill \end{array}$$

By combining $x_2^{\left(0\right)}+\tilde{p}+\tilde{q}=p+q$ with $N=pq$, we obtain

$$\begin{array}{cc}\hfill p=& 364610523335379592284389421573659615395758581802091912160143439\setminus \hfill \\ \hfill & 2965580440330615005275393973,\hfill \\ \hfill q=& 265075408840273307310457659252670780047288464201589214883093465\setminus \hfill \\ \hfill & 9206722305110146095092692353.\hfill \end{array}$$

The LLL algorithm and Gröbner basis computations were executed in less than 1 seconds. It is noteworthy that

$$eu\equiv z(mod(p^2-1)(q^2-1)),$$

where

$$\begin{array}{cc}\hfill u=& 111378763389388734375287265457126953482575338986119066859878424\setminus \hfill \\ \hfill & 0128288156171976879.\hfill \end{array}$$

The conditions $\left|x_3^{\left(0\right)}\right|<x_1^{\left(0\right)}{\left(x_2^{\left(0\right)}\right)}^2$ and $\left|z\right|<e\left|u\right|$ are both fulfilled, as shown in the proof of Theorem 3.

The private exponent corresponding to e is

$$\begin{array}{cc}\hfill d=& 564448283796874259566671584629302225976460091746908933141533\setminus \hfill \\ \hfill & 804413103523490851354858189883202173086020496673336692715487\setminus \hfill \\ \hfill & 554862018821458311786572683162197275601409613473916288085307\setminus \hfill \\ \hfill & 058668848088231546671437275383745312900782226914748122021439\setminus \hfill \\ \hfill & 579982887102015568949798945581022534542357068682965632698913\setminus \hfill \\ \hfill & 800869603835969819422745866337071597390377632698184191607171.\hfill \end{array}$$

Notice that $d=N^{{\delta }_0}$ with ${\delta }_0\approx 1.988$.

To rigorously validate the comparisons presented in Section 4, we note that

$$|p-\tilde{p}|\le N^{{\sigma }_0},\mathrm{where}{\sigma }_0\approx 0.1628.$$

Next, we begin by considering the optimal bound for small private exponent attacks, as established by Peng et al. [12]. This bound is given by

$${\delta }_0<2-\sqrt{\alpha }.$$

For the parameters of our case, we compute

$$2-\sqrt{\alpha }\approx 0.585,$$

which is smaller than ${\delta }_0$. This result demonstrates that Peng et al.’s method is inadequate for breaking the system in this particular instance.

Similarly, the optimal bound proposed by Feng et al. [13] is expressed as

$${\delta }_0<2-\sqrt{2{\sigma }_0\alpha },$$

where $d\le N^{{\delta }_0}$ represents the threshold for partial prime exposure attacks. For the numerical example under consideration, we calculate

$$2-\sqrt{2{\sigma }_0\alpha }\approx 1.192,$$

and since this value is smaller than ${\delta }_0$, we conclude that Feng et al.’s method is also ineffective in compromising the systems for this particular case.

5.3. Experiments with Large Examples

We applied the procedure described in Theorem 3 to examine cases where the public key $\left(N,e\right)$ involves large values. By conducting a series of computational tests, we successfully resolved the modular equation

$$x_1(x_2^2+a{x}_2+b)\equiv x_3(mode),$$

where

$$a=2(\tilde{p}+\tilde{q}),b={(\tilde{p}+\tilde{q})}^2-{(N+1)}^2.$$

This method enables an efficient factorization of the modulus $N=pq$ when an amount of the most significant bits of p is available. Moreover, the conditions $d>N^{2-\sqrt{\alpha }}$ and $d>N^{2-\sqrt{2\alpha \sigma }}$ are satisfied, which demonstrates that the optimal bounds in the literature [12,13] fail to break these RSA variants.

The outcomes of these experiments are presented in

Table 2. Experiments for various values of $(N,e)$.

bl(N)	bl(e)	$\mathit{\delta }$	${\mathit{\delta }}_0$	$\mathit{\alpha }$	$\mathit{\gamma }$	$\mathit{\sigma }$	$\mathbf{Ns}\left(\mathit{p}\right)$	$\mathit{\mu }$	$\mathit{\zeta }$	$\mathit{\omega }$	$\mathcal{T}\left(\mathit{s}\right)$
1024	2047	0.390	1.994	2.00	0.488	0.293	212	3	3	52	8.00
1100	2198	0.454	1.999	2.00	0.490	0.266	250	3	3	52	10.09
1200	2398	0.426	1.999	2.00	0.500	0.325	210	3	3	52	9.98
1300	2598	0.477	2.000	2.00	0.500	0.317	237	3	3	52	10.48
1400	2797	0.486	1.999	2.00	0.500	0.279	310	3	3	52	14.81
1500	2997	0.487	1.999	2.00	0.500	0.328	255	3	3	52	13.15
1600	3199	0.469	1.999	2.00	0.500	0.355	231	3	2	40	5.34
1700	3399	0.494	2.000	2.00	0.500	0.347	260	3	2	40	5.69
1800	3595	0.497	2.000	2.00	0.506	0.366	241	3	1	22	1.38
1900	3794	0.495	2.000	2.00	0.500	0.316	350	3	1	22	1.98
2048	4096	0.487	2.000	2.00	0.488	0.369	269	2	2	21	0.5

, where each row specifies the corresponding parameters:

• $\mathrm{bl}\left(n\right)$ represents the bit-length of the value n.
• $\delta$ is a parameter where $\left|u\right|\le N^{\delta }$ holds.
• ${\delta }_0$ denotes a parameter such that $d\approx N^{{\delta }_0}$.
• $\alpha$ is defined through the relation $e\approx N^{\alpha }$.
• $\gamma$ corresponds to a parameter satisfying $\left|z\right|\le N^{\gamma }$.
• $\sigma$ is a parameter satisfying $|p-\tilde{p}|\le N^{\sigma }$.
• $\mathrm{Ns}\left(p\right)$ denotes the number of known most significant bits of p.
• $\mu$ and $\zeta$ are parameters involved in the construction of the lattice $\mathcal{L}$, which has dimension $\omega$ as shown in Theorem 3.
• $\mathcal{T}\left(s\right)$ refers to the computation time in seconds required for executing the LLL algorithm and the Gröbner basis computation.

6. Conclusions

In this paper, we presented an enhanced cryptanalytic approach that builds upon Coppersmith’s method and incorporates lattice basis reduction. We applied this technique to analyze several variants of RSA where the modulus is $N=pq$, the modified totient function is $\psi \left(N\right)=(p^2-1)(q^2-1)$, and the generalized key equation is $eu\equiv z(mod\psi (N\left)\right)$. Our method successfully enables the factorization of the RSA modulus N in polynomial time, even for real-world examples on a large scale. Our method works in the scenario where an amount of the most significant bits of p is known, and the unknown parameters $u,z$ in the equation $eu\equiv z(mod\psi (N\left)\right)$ are suitably small. Our method extends all methods where the equation is $ed\equiv 1(mod\psi (N\left)\right)$ with small d. In addition, the results of this paper highlight the superiority of our attack over existing techniques that are not based on quantum computation, especially in scenarios involving small private exponents and partial prime information.