Article

Cryptanalysis of RSA-Variant Cryptosystem Generated by Potential Rogue CA Methodology

by Zahari Mahad 1, Muhammad Rezal Kamel Ariffin 1,2,*, Amir Hamzah Abd. Ghafar 2 and Nur Raidah Salim 1
1 Laboratory of Cryptography, Analysis and Structure, Institute for Mathematical Research, Universiti Putra Malaysia, Serdang 43400, Selangor, Malaysia
2 Department of Mathematics and Statistics, Faculty of Science, Universiti Putra Malaysia, Serdang 43400, Selangor, Malaysia
* Author to whom correspondence should be addressed.
Symmetry 2022, 14(8), 1498; https://doi.org/10.3390/sym14081498
Submission received: 30 June 2022 / Revised: 14 July 2022 / Accepted: 18 July 2022 / Published: 22 July 2022

Abstract

Rogue certificate authorities (RCA) are third-party entities that intentionally produce key pairs that satisfy publicly known security requirements but contain weaknesses known only to the RCA. This work analyses the Murru–Saettone RSA variant scheme when its key pair is obtained from a potential RCA methodology. The Murru–Saettone scheme is based on the cubic Pell equation $x^3 + r y^3 + r^2 z^3 - 3rxyz = 1$. The generation of the public key $e$ and the private key $d$ uses the secret parameter $\psi = (p^2 + p + 1)(q^2 + q + 1)$ in place of the standard Euler–phi function $\phi(N) = (p - 1)(q - 1)$, where $ed \equiv 1 \pmod{\psi}$. We prove that, upon obtaining an approximation of $\psi$, we are able to identify a key pair that was maliciously provided even if the size of the private key $d$ is approximately that of $\psi$. In fact, we are able to factor the modulus $N = pq$.

1. Introduction

The security of a symmetric encryption scheme highly depends on the safety of the secret key transmission between parties involved in the communication. Other than direct interaction between parties, the utilization of asymmetric encryption schemes is the norm in modern communication. Central to the production of the public and private key pair of an asymmetric encryption scheme is the Certificate Authority (CA). Parties should have full trust in the CA to provide secure key pairs. Nevertheless, it is wise to conduct due diligence on the key pairs received. As such, for a communication topology with large participation, it is not surprising that the security of a symmetric encryption scheme will fall back on the strength of the asymmetric encryption scheme being utilized. As such, studies on the asymmetric cryptosystem utilized must be conducted to ensure that symmetric encryption remains secure.
The RSA encryption/digital signing scheme is currently the world’s most widely used public-key cryptosystem. The standard RSA cryptosystem comprises three distinct algorithms: key generation, encryption, and decryption [1]. The security of RSA is mainly based on the hardness of factoring large composite integers, namely the modulus $N = pq$, where $p$ and $q$ are two large prime numbers of the same bit size. It is well known that RSA is not secure if the process of generating the public parameters $(e, N)$ and the private parameters $(p, q, d)$ does not satisfy certain conditions [2,3,4,5,6]. For instance, by a classical finding in [2], the RSA cryptosystem is vulnerable to a continued fractions attack if the decryption exponent $d$ is less than $\frac{1}{3}N^{1/4}$. Additionally, [3] recovered the secret key if $d < 2\sqrt{2}\,N^{\frac{3}{4} - \frac{t}{2}}$ and, explicitly, for $d < 2\sqrt{2}\,N^{1/4}$. Eventually, by using Coppersmith’s technique to obtain small solutions of modular univariate polynomials, ref. [5] refined the bound to $d < N^{0.292}$. From then on, ref. [4] identified that it is possible to raise the bound from $d < \frac{1}{3}N^{1/4}$ to $d < \frac{1}{\sqrt[4]{18}}N^{1/4}$. The new bound results in part from the constraint that the primes $p$ and $q$ have almost the same bit length. Moreover, ref. [6] maximized the small root bounds for small secret exponent RSA using linearization. To improve the implementation of the RSA cryptosystem, many schemes with various techniques have been proposed. As a result, many RSA variant cryptosystems have arisen [7,8,9,10,11,12].
The existence of RCAs is the underlying motivation behind the identification of weak public keys. An RCA is defined by [13] as an entity that issues legitimate certificates, trusted by web browsers and users, that contain hidden weaknesses. With the existing public key infrastructure, there is a window of vulnerability between the time a rogue certificate is issued and the time it is discovered. Likewise, an RCA can publish a fraudulent RSA digital certificate using these keys without users noticing any anomaly. As the weak keys satisfy the conditions established in the key generation process, the validity of these fraudulent certificates can be convincing. Hence, the cryptosystem continues to operate discreetly using the keys; that is, an adversary who knows about the existence of these specific certificates can find the private keys corresponding to the public keys without knowing any information about the private keys.
In relation to the above, this paper discloses potential RCA methodology upon an RSA variant cryptosystem constructed from a cubic field connected to the cubic Pell equation that was invented by Murru–Saettone [14]. Our identified conditions will allow an adversary to factor the modulus N if the user has been provided with keys through the potential RCA methodology.
The framework of this paper is as follows. In Section 2, we summarize the Murru–Saettone scheme. Section 3 describes some important tools and useful lemmas. In Section 4 and Section 5, we present our main result, which shows that the Murru–Saettone scheme is not secure, together with experimental results. Finally, we conclude the paper in Section 6.

2. The Scheme of Murru and Saettone

In this section, we summarize the Murru and Saettone cryptosystem [14] along with the key generation, encryption, and decryption procedures.
Key Generation:
  • Choose two random prime numbers $p$ and $q$ of bit-size $k$;
  • Set $N = pq$ and $\psi = (p^2 + p + 1)(q^2 + q + 1)$;
  • Choose a random integer $e < \psi$ with $\gcd(e, \psi) = 1$;
  • Choose a non-cube integer $r$ in $\mathbb{Z}_p$, $\mathbb{Z}_q$ and $\mathbb{Z}_N$;
  • Compute $d \equiv e^{-1} \pmod{\psi}$;
  • Return the public parameters as $(N, e, r)$ and the private parameters as $(p, q, d)$.
Encryption:
  • Given a pair of messages $m_1$ and $m_2$ in $\mathbb{Z}_N$;
  • Compute $(c_1, c_2) \equiv (m_1, m_2)^{e} \pmod{N}$;
  • Return the ciphertext as $(c_1, c_2)$.
Decryption:
  • Given a pair of ciphertexts $c_1$ and $c_2$;
  • Compute $(m_1, m_2) \equiv (c_1, c_2)^{d} \pmod{N}$;
  • Return the message as $(m_1, m_2)$.

3. Preliminaries

In this section, we put forward preliminary concepts needed.
Definition 1.
The continued fractions expansion of $\xi \in \mathbb{R}$ can be written in the form
$$\xi = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cfrac{1}{\ddots + \cfrac{1}{a_\mu + \cdots}}}}}$$
which can also be written as $\xi = [a_0, a_1, \ldots, a_\mu, \ldots]$. The continued fractions expansion can be computed in polynomial time if $\xi$ is a rational number, in which case $\xi = [a_0, a_1, \ldots, a_\mu]$. The convergents $\frac{r}{s}$ of $\xi$ are the fractions $\frac{r}{s} = [a_0, a_1, \ldots, a_i]$ for $i \ge 0$. An important result on continued fractions that will be used is the following theorem.
Theorem 1.
Let $\xi$ be a positive number. Suppose that $\gcd(r, s) = 1$ and
$$\left|\xi - \frac{r}{s}\right| < \frac{1}{2s^2}.$$
Then $\frac{r}{s}$ is a convergent of the continued fractions expansion of $\xi$.
The following result gives bounds for $p$ and $q$ in terms of $N$ (see [15]).
Lemma 1.
Let $N = pq$ be the product of two unknown integers with $q < p < 2q$. Then
$$2\sqrt{N} < p + q < 3\sqrt{N}.$$
In the following, we set $\psi = (p^2 + p + 1)(q^2 + q + 1)$. The former lemma can be used to find a good approximation for $\psi$. The following result shows that one can factor the modulus $N = pq$ if $\psi$ is known [15].
Proposition 1.
Let $N = pq$ be the product of two unknown integers with $q < p < 2q$. Suppose that $\psi = (p^2 + p + 1)(q^2 + q + 1)$ is known. Then,
$$p = \frac{1}{2}\left(S + \sqrt{S^2 - 4N}\right), \qquad q = \frac{1}{2}\left(S - \sqrt{S^2 - 4N}\right), \tag{4}$$
where
$$S = \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(\psi - \left(N^2 - N + 1\right)\right)} - (N+1)\right). \tag{5}$$
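Added derivation (not part of the original article): where the expression for $S$ comes from, and how much error in $\psi$ it tolerates. With $S = p + q$ and $p^2 + q^2 = S^2 - 2N$,
$$\psi = (p^2 + p + 1)(q^2 + q + 1) = N^2 + N(p+q) + (p^2 + q^2) + N + (p+q) + 1 = S^2 + (N+1)S + (N^2 - N + 1).$$
Solving this quadratic for its positive root gives
$$S = \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(\psi - (N^2 - N + 1)\right)} - (N+1)\right),$$
where the radicand equals $M^2$ with $M = N + 1 + 2S$, and $p$, $q$ are then the roots of $t^2 - St + N = 0$. If $\psi$ is replaced by an estimate $Z = \psi + \delta$, the computed value changes by
$$\frac{1}{2}\left(\sqrt{M^2 + 4\delta} - M\right) = \frac{2\delta}{\sqrt{M^2 + 4\delta} + M}, \qquad \left|\frac{2\delta}{\sqrt{M^2 + 4\delta} + M}\right| \le \frac{2|\delta|}{M} < \frac{2|\delta|}{N},$$
so any $|\delta| < N/4$ moves $S$ by less than $\frac{1}{2}$, and rounding to the nearest integer recovers $p + q$ exactly.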
Definition 2.
Let $\psi_L$ and $\psi_U$ be the lower bound and the upper bound of $\psi$. Then we define $A = \psi_L + \psi_U$.
The next remark shows how we can find the best current approximation values for $\psi_L$ and $\psi_U$.
Remark 1.
From Nitaj [16], we know that 2 N < p + q < 3 N N . This means
$$\left(N + \sqrt{N} + 1\right)^2 < \psi < \left(N + \frac{3}{4}\sqrt{2N} + 1\right)^2 + \frac{3}{8}N$$
as $\psi = (p^2 + p + 1)(q^2 + q + 1)$. Hence, the best current approximation for $\psi_L$ is $\left(N + \sqrt{N} + 1\right)^2$ and for $\psi_U$ is $\left(N + \frac{3}{4}\sqrt{2N} + 1\right)^2 + \frac{3}{8}N$.
The following lemmas and theorem show conditions to be fulfilled by parameters in the equation $eX - AY = Z - \psi_L$.
Lemma 2.
Let $N = pq$ with $q < p < 2q$. Let $e$ satisfy the equation $eX - AY = Z - \psi_L$ where $X$ and $Y$ are positive integers. If
$$1 \le Y < X < \frac{A}{2(\psi - \psi_L)} \quad \text{and} \quad |Z - \psi| < \frac{p - q}{p + q}N^{1/4}$$
then $\frac{X}{Y}$ is a convergent of $\frac{e}{A} - \frac{N^{1/4}}{2A}$.
Proof. 
Consider the following equation
$$eX - AY = Z - \psi_L. \tag{8}$$
Let $|Z - \psi| < \frac{p - q}{p + q}N^{1/4}$. Then, dividing (8) by $AX$, we obtain
$$\frac{e}{A} - \frac{Y}{X} = \frac{Z - \psi_L}{AX} \le \frac{\frac{p - q}{p + q}N^{1/4} + \psi - \psi_L}{AX} < \frac{\frac{N^{1/2}}{2N^{1/2}}N^{1/4} + \psi - \psi_L}{AX} < \frac{XN^{1/4}}{2AX} + \frac{\psi - \psi_L}{AX} \le \frac{N^{1/4}}{2A} + \frac{\psi - \psi_L}{AX} \tag{9}$$
since $p - q < 2\sqrt{N}$, $p + q > 2\sqrt{N}$ and $X > 1$. If $X < \frac{A}{2(\psi - \psi_L)}$, then $\frac{1}{2X} > \frac{2(\psi - \psi_L)}{A}$. As $AX$ is always positive, rearranging (9), we obtain
$$\left|\frac{e}{A} - \frac{N^{1/4}}{2A} - \frac{Y}{X}\right| < \frac{\psi - \psi_L}{AX} < \frac{1}{2X^2}$$
which satisfies Theorem 1. This terminates the proof. □
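Theorem 2.
Let $N = pq$ with $q < p < 2q$. Let $e$ satisfy the equation $eX - AY = Z - \psi_L$ where $X$, $Y$ are positive integers. If
  • $1 \le Y < X < \frac{A}{2(\psi - \psi_L)}$
  • $\psi + \frac{p - q}{p + q}N^{1/4} < N^2 + 8N + 3N\sqrt{N} + 3\sqrt{N} + 1$
  • $|Z - \psi| < \frac{p - q}{p + q}N^{1/4}$
then $N$ can be factored in polynomial time.
Proof. 
Suppose $e$ satisfies an equation $eX - AY = Z - \psi_L$. Let $X$, $Y$ and $Z$ satisfy the conditions in Lemma 3; then we can find the values of $X$ and $Y$ by computing $\frac{e}{A} - \frac{N^{1/4}}{2A}$. From the values of $X$ and $Y$, we obtain the value of $Z$ by computing $Z = eX - AY + \psi_L$. From the value of $Z$, we define Equation (5) as
$$S = \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(Z - \left(N^2 - N + 1\right)\right)} - (N+1)\right).$$
Since $\psi + \frac{p - q}{p + q}N^{1/4} < N^2 + 8N + 3N\sqrt{N} + 3\sqrt{N} + 1$, then
$$\begin{aligned}
S &= \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(Z - \left(N^2 - N + 1\right)\right)} - (N+1)\right) \\
&< \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(\left(N^2 + 8N + 3N\sqrt{N} + 3\sqrt{N} + 1\right) - \left(N^2 - N + 1\right)\right)} - (N+1)\right) \\
&= \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(9N + 3N\sqrt{N} + 3\sqrt{N}\right)} - (N+1)\right) \\
&= \frac{1}{2}\left(\sqrt{N^2 + 2N + 1 + 36N + 12N\sqrt{N} + 12\sqrt{N}} - (N+1)\right) \\
&= \frac{1}{2}\left(\sqrt{N^2 + 38N + 12N\sqrt{N} + 12\sqrt{N} + 1} - (N+1)\right) \\
&= \frac{1}{2}\left(\sqrt{\left(N + 1 + 6\sqrt{N}\right)^2} - (N+1)\right) \\
&= \frac{1}{2}\left((N+1) + 6\sqrt{N} - (N+1)\right) \\
&= \frac{1}{2}\cdot 6\sqrt{N} = 3\sqrt{N}.
\end{aligned}$$
Based on Proposition 1, we can factor $N$ in polynomial time. □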

4. Generating Weak Murru–Saettone Cryptosystem Public Keys by RCA: Case $|Z - \psi| < \frac{p - q}{p + q}N^{1/4}$

In this section, we show how an RCA can generate weak Murru–Saettone cryptosystem public key pairs. By using the conditions in Lemma 3 coupled with the results from Theorem 3, an RCA can build an algorithm that produces such weak Murru–Saettone cryptosystem public keys. Algorithm 1 is as follows:
Algorithm 1. Generating weak Murru–Saettone cryptosystem public keys via Lemma 3 and Theorem 3
  • Input: Two distinct primes, $p$ and $q$ where $q < p < 2q$
  • Output: Weak Murru–Saettone cryptosystem public keys, $(N, e)$
    1: Compute $N = p \cdot q$
    2: Compute $\psi = (p^2 + p + 1)(q^2 + q + 1)$
    3: Compute $\psi_L = \left(N + \sqrt{N} + 1\right)^2$
    4: Compute $\psi_U = \left(N + \frac{3}{4}\sqrt{2N} + 1\right)^2 + \frac{3}{8}N$
    5: Compute $A = \psi_L + \psi_U$
    6: Compute $Z_L = \psi - \frac{p - q}{p + q}N^{1/4}$
    7: Compute $Z_U = \psi + \frac{p - q}{p + q}N^{1/4}$
    8: Choose an integer $Z$ randomly between $Z_L$ and $Z_U$
    9: Choose an integer $Y < \frac{A}{2(\psi - \psi_L)}$
    10: Compute $\xi = Z - \psi_L + A \cdot Y$
    11: if $\xi$ is a prime number then return to Step 8.
    12: else Assign $r_1^{s_1}, r_2^{s_2}, \ldots, r_n^{s_n}$ to be all the small prime factors of $\xi$
    13: end if
    14: Compute $X = \prod_{i=1}^{n} r_i^{s_i}$
    15: if $X < Y$ then return to Step 8.
    16: else Compute $e = \xi / X$
    17: end if
    18: Output $N$, $e$
From Theorem 3, given $(N, e)$, a thorough user can use the following algorithm to determine whether the provided key pair was generated via Algorithm 1 or not. In fact, the following algorithm will factor the modulus $N = pq$. Algorithm 2 is as follows:
Algorithm 2. Factoring weak Murru–Saettone cryptosystem moduli for adversary
  • Input: $e$ and $N = pq$
  • Output: $p$, $q$
    1: Run the continued fraction method on input $\frac{e}{A} - \frac{N^{1/4}}{2A}$ to obtain the list of convergents $\frac{x_1}{y_1}, \frac{x_2}{y_2}, \ldots, \frac{x_i}{y_i}$.
    2: for $1 \le j \le i$ do
    3:   Compute $\zeta = e x_j - A y_j + \psi_L$
    4:   Compute $S = \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(\zeta - \left(N^2 - N + 1\right)\right)} - (N+1)\right)$.
    5:   Find the two roots $\hat{p}$ and $\hat{q}$ by computing $\hat{p} = \frac{1}{2}\left(S + \sqrt{S^2 - 4N}\right)$, $\hat{q} = \frac{1}{2}\left(S - \sqrt{S^2 - 4N}\right)$.
    6:   if $\hat{p}$ divides $N$ and $\hat{q}$ divides $N$ then
    7:     return $(p = \hat{p}, q = \hat{q})$
    8:   end if
    9: end for
    10: return
The following is an example to illustrate Algorithm 2 for the case $|Z - \psi| < \frac{p - q}{p + q}N^{1/4}$.
Example 1.
We use a 512-bit modulus $N$ in this example. Specifically, an adversary is given
N = 10474822604491897001733857277814570107822699106377897693425264554973361 58458484775463402422003323750703377331670427702899085519959211457360525 1725921749487
and
e = 10769431345193232115549076564111889013279606438830774711785365502043223 36983784754825450828067839539380291147535145118648508441400064293496014 28037987577469755126079846620517207129565398016054178944122529342046000 79951902104127778845899081368191996598990016792544117030228778670332199 66688065360189864914067
Then the adversary can compute the following parameters:
$\psi_L = \left(N + \sqrt{N} + 1\right)^2$ = 10972190859557440848144523347183869176170441989204148244265443157694326 55090596006849331271968597124151449472326065606717076270695558973543340 16399157992733112957908865628547537726741464786957792386746053861066215 14005357690284192187276002600785194693106806210105341266365825588084065 4876802104380257011319546;
$\psi_U = \left(N + \frac{3}{4}\sqrt{2N} + 1\right)^2 + \frac{3}{8}N$ = 10972190859557440848144523347183869176170441989204148244265443157694326 55090597307478970371992316073205293629546536981622305227485167239321394 38987511657679949831394489061622293209819788811091076702286375226298967 38567217321814134233548331851018257283060212388804238053825134923510675 2443601422078279861895276;
$A = \psi_L + \psi_U$ = 21944381719114881696289046694367738352340883978408296488530886315388653 10181193314328301643960913197356743101872602588339381498180726212864734 55386669650413062789303354690169830936561253598048869089032429087365182 52572575012098326420824334451803451976167018598909579320190960511594740 7320403526458536873214822.
Using the values of $e$, $N$ and $A$, the adversary obtains the convergents of the continued fraction expansion of $\frac{e}{A} - \frac{N^{1/4}}{2A}$, which are
$$0, \frac{1}{203}, \frac{1}{204}, \frac{4}{815}, \frac{13}{2649}, \frac{17}{3464}, \frac{64}{13041}, \frac{81}{16505}, \ldots, \frac{990529}{201835601}, \ldots$$
Our algorithm stops at the 13th convergent $\frac{x_{13}}{y_{13}} = \frac{990529}{201835601}$. Taking $\frac{x_{13}}{y_{13}} = \frac{990529}{201835601}$, the adversary computes
$\zeta = e x_{13} - A y_{13} + \psi_L$ = 5574608071352441655477991436266937217831337826056715404009612529043 9394900853347880762347196536169393312904395683940461765091274051490 4922129571135704857702475014481507126817419400466534386062373124882 4598157616580496587587321268549335267487323247766573142730757277460 6908398902349753769291344577179649895178.
Using the value of $\zeta$, the adversary solves Equations (5) and (1) to get $S$, $p$ and $q$ respectively:
$S$ = 20494978362949416541086172246659407304192799993752661797416382518140388 0052072;
$p$ = 10760137676568779991090044679907911735120737664989630437784142392233347 8553733;
and
$q$ = 97348406863806365499961275667514955690720623287630313596322401259070401 498339.

5. Generating Weak Murru–Saettone Cryptosystem Public Keys by RCA: Case $|Z - \psi| < N$

In this section, we show that the condition $|Z - \psi| < \frac{p - q}{p + q}N^{1/4}$ in the previous section can be extended to $|Z - \psi| < N$.
Lemma 3.
Let $N = pq$ with $q < p < 2q$. Let $e$ satisfy the equation $eX - AY = Z - \psi_L$ where $X$ and $Y$ are positive integers. If
$$1 \le Y < X < \frac{A}{2(\psi - \psi_L)} \quad \text{and} \quad |Z - \psi| < N$$
then $\frac{X}{Y}$ is a convergent of $\frac{e}{A} - \frac{N}{2A}$.
Proof. 
Consider the following equation
$$eX - AY = Z - \psi_L.$$
Let $|Z - \psi| < N$. Then, dividing (8) by $AX$, we obtain
$$\frac{e}{A} - \frac{Y}{X} = \frac{Z - \psi_L}{AX} \le \frac{N + \psi - \psi_L}{AX} < \frac{XN}{2AX} + \frac{\psi - \psi_L}{AX} \le \frac{N}{2A} + \frac{\psi - \psi_L}{AX}$$
since $p - q < 2\sqrt{N}$, $p + q > 2\sqrt{N}$ and $X > 1$. If $X < \frac{A}{2(\psi - \psi_L)}$, then $\frac{1}{2X} > \frac{2(\psi - \psi_L)}{A}$. As $AX$ is always positive, rearranging (9), we obtain
$$\left|\frac{e}{A} - \frac{N}{2A} - \frac{Y}{X}\right| < \frac{\psi - \psi_L}{AX} < \frac{1}{2X^2}$$
which satisfies Theorem 1. This terminates the proof. □
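Theorem 3.
Let $N = pq$ with $q < p < 2q$. Let $e$ satisfy the equation $eX - AY = Z - \psi_L$ where $X$, $Y$ are positive integers. If
  • $1 \le Y < X < \frac{A}{2(\psi - \psi_L)}$
  • $\psi + N < N^2 + 8N + 3N\sqrt{N} + 3\sqrt{N} + 1$
  • $|Z - \psi| < N$
then $N$ can be factored in polynomial time.
Proof. 
Suppose $e$ satisfies an equation $eX - AY = Z - \psi_L$. Let $X$, $Y$ and $Z$ satisfy the conditions in Lemma 3; then we can find the values of $X$ and $Y$ by computing $\frac{e}{A} - \frac{N}{2A}$. From the values of $X$ and $Y$, we obtain the value of $Z$ by computing $Z = eX - AY + \psi_L$. From the value of $Z$, we define Equation (5) as
$$S = \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(Z - \left(N^2 - N + 1\right)\right)} - (N+1)\right).$$
Since $\psi + N < N^2 + 8N + 3N\sqrt{N} + 3\sqrt{N} + 1$, then
$$\begin{aligned}
S &= \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(Z - \left(N^2 - N + 1\right)\right)} - (N+1)\right) \\
&< \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(\left(N^2 + 8N + 3N\sqrt{N} + 3\sqrt{N} + 1\right) - \left(N^2 - N + 1\right)\right)} - (N+1)\right) \\
&= \frac{1}{2}\left(\sqrt{(N+1)^2 + 4\left(9N + 3N\sqrt{N} + 3\sqrt{N}\right)} - (N+1)\right) \\
&= \frac{1}{2}\left(\sqrt{N^2 + 2N + 1 + 36N + 12N\sqrt{N} + 12\sqrt{N}} - (N+1)\right) \\
&= \frac{1}{2}\left(\sqrt{N^2 + 38N + 12N\sqrt{N} + 12\sqrt{N} + 1} - (N+1)\right) \\
&= \frac{1}{2}\left(\sqrt{\left(N + 1 + 6\sqrt{N}\right)^2} - (N+1)\right) \\
&= \frac{1}{2}\left((N+1) + 6\sqrt{N} - (N+1)\right) \\
&= \frac{1}{2}\cdot 6\sqrt{N} = 3\sqrt{N}.
\end{aligned}$$
Based on Proposition 1, we can factor $N$ in polynomial time. □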
Remark 2.
An RCA can build an algorithm that produces such weak public keys by using Algorithm 1 with steps 6 and 7 changed from
$$Z_L = \psi - \frac{p - q}{p + q}N^{1/4} \quad \text{to} \quad Z_L = \psi - N$$
and
$$Z_U = \psi + \frac{p - q}{p + q}N^{1/4} \quad \text{to} \quad Z_U = \psi + N$$
respectively.
The following is an example to illustrate Algorithm 2 for the case $|Z - \psi| < N$.
Example 2.
We use a 512-bit modulus $N$ in this example. Specifically, an adversary is given
N = 90998889189985602168085367893162619329958419488034971810965711742895590 77774100415809039409348571858260497344724878561601849467626260439789077 252741730547
and
e = 15387369231796195738270992845728344585898863892978423209867961015301962 46472248583690385843285862859500857363812725002682339828686015519248969 63680184170435282928948400170028279134662306718807531327694445559522168 84664833658348512658325929687042827403376132263722135766423596683016053 1518452792490127534307
Then the adversary can compute the following parameters:
$\psi_L = \left(N + \sqrt{N} + 1\right)^2$ = 82807978338112784826780485020381417521129159135920594979482820416390407 23513424633156792874478533036764173593809203208428445896229812621601877 61723144557638769299971010979168848830320041278367854644800805874441479 18688097702791322474704887700856055822473759466601003234855838299076770 683825614980799914083673;
$\psi_U = \left(N + \frac{3}{4}\sqrt{2N} + 1\right)^2 + \frac{3}{8}N$ = 82807978338112784826780485020381417521129159135920594979482820416390407 23513435164597038913347172745328547015259734197573535282812397829422636 39341490139659551164180227994657123576942524448711206060094402408587573 31703045358792739925795217103381777720156105924634123140051008685419014 861113526695021736842623;
$A = \psi_L + \psi_U$ = 16561595667622556965356097004076283504225831827184118995896564083278081 44702685979775383178782570578209272060906893740600198117904221045102451 40106463469729832046415123897382597240726256572707906070489520828302905 25039114306158406240050010480423783354262986539123512637490684698449578 5544939141675821650926296.
Using the values of $e$, $N$ and $A$, the adversary obtains the convergents of the continued fraction expansion of $\frac{e}{A} - \frac{N}{2A}$, which are
$$0, \frac{1}{1076}, \frac{3}{3229}, \frac{13}{13992}, \frac{16}{17221}, \frac{29}{31213}, \frac{45}{48434}, \frac{389}{418685}, \ldots, \frac{149512}{160921419}, \ldots$$
Our algorithm stops at the 15th convergent $\frac{x_{15}}{y_{15}} = \frac{149512}{160921419}$. Taking $\frac{x_{15}}{y_{15}} = \frac{149512}{160921419}$, the adversary computes
$\zeta = e x_{15} - A y_{15} + \psi_L$ = 8280797833811278482678048502038141752112915913592059497948282041639 0407235134256359934395235635855824807251668463934139518596275257230 3632018218353221404022231036420777232659973150835293152204280391789 5724945896673436600011377906815484408955098909607003238015099035475 8989840453283514219334557078991720354078.
Using the value of $\zeta$, the adversary solves Equations (5) and (4) to get $S$, $p$ and $q$ respectively:
$S$ = 19188870757973671053726455398280471509352628848967903121245052936330134 1353108;
$p$ = 10621227009050433240107186555032049103435869244605078165796777445866056 0181091;
and
$q$ = 85676437489232378136192688432484224059167596043628249554482754904640781 172017.
Remark 3.
The above examples use two random prime numbers with $|p - q| \approx N^{0.49}$ and $e \approx N^2$. By using the values of $p$ and $q$ in the examples, the adversary can easily compute the private exponent $d \approx N^2$. Therefore, based on the examples, it is difficult for the user to identify the rogue digital certificate because all the public and private parameters generated satisfy the conditions imposed during the key generation process.
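Algorithm 2, together with the Section 5 variant of its shift, written as a check a key recipient can run on a received $(N, e)$; this is an added Python example, not the authors' code. Assumptions: roots are floored to integers (the page does not say how it rounds), each convergent's denominator is used as $X$ and its numerator as $Y$ (the orientation used in the proof of Lemma 2 and by the convergents listed in the examples), and the key built by the hypothetical helper `constructed_weak_key` is a constructed sample from two small well-known primes.

```python
"""Added example: audit a Murru-Saettone public key (N, e) with Algorithm 2.

Assumptions (not stated on the page): roots are floored to integers and the
auditor rounds psi_L and psi_U exactly as the key issuer did.
"""
from math import gcd, isqrt


def psi_bounds(N):
    """Return (psi_L, A) with A = psi_L + psi_U, bounds taken from Remark 1."""
    psi_l = (N + isqrt(N) + 1) ** 2
    psi_u = (N + 3 * isqrt(2 * N) // 4 + 1) ** 2 + 3 * N // 8
    return psi_l, psi_l + psi_u


def convergents(num, den):
    """Yield (numerator, denominator) of each convergent of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a, rem = divmod(num, den)
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1
        num, den = den, rem


def factor_from_psi_estimate(N, Z):
    """Proposition 1 with psi replaced by an estimate Z; (p, q) or None."""
    D = (N + 1) ** 2 + 4 * (Z - (N * N - N + 1))
    if D < 0:
        return None
    S = (isqrt(D) - N) // 2            # nearest integer to the real-valued S
    disc = S * S - 4 * N
    if disc < 0:
        return None
    t = isqrt(disc)
    if t * t != disc:                  # S is not p + q
        return None
    p, q = (S + t) // 2, (S - t) // 2
    return (p, q) if q > 1 and p * q == N else None


def audit_key(N, e, shifts=None):
    """Return (p, q) if the continued-fraction check factors N, else None."""
    psi_l, A = psi_bounds(N)
    if shifts is None:
        # Section 4 subtracts N^(1/4)/(2A); Section 5, as printed, N/(2A).
        shifts = (isqrt(isqrt(N)), N)
    for shift in shifts:
        if 2 * e <= shift:
            continue
        # e/A - shift/(2A) written as the exact fraction (2e - shift)/(2A)
        for Y, X in convergents(2 * e - shift, 2 * A):
            Z = e * X - A * Y + psi_l  # candidate approximation of psi
            factors = factor_from_psi_estimate(N, Z)
            if factors:
                return factors
    return None


def constructed_weak_key(p, q, X, Y):
    """Constructed sample: e with e*X - A*Y = Z - psi_L and Z - psi small."""
    N = p * q
    psi = (p * p + p + 1) * (q * q + q + 1)
    psi_l, A = psi_bounds(N)
    target = psi - psi_l + A * Y
    delta = -target % X                # smallest delta >= 0 with X | target + delta
    e = (target + delta) // X
    while gcd(e, psi) != 1:            # e must be invertible modulo psi
        e, delta = e + 1, delta + X
    assert gcd(X, Y) == 1 and e < psi and delta < isqrt(N)
    return N, e


# Constructed sample input: two small well-known primes with q < p < 2q.
P, Q = 1_000_000_009, 998_244_353
SAMPLE_N, SAMPLE_E = constructed_weak_key(P, Q, X=1_000_003, Y=333_334)

if __name__ == "__main__":
    print("constructed weak key:", audit_key(SAMPLE_N, SAMPLE_E))
    print("e = 65537           :", audit_key(SAMPLE_N, 65537))
```

A non-`None` result is always a genuine factorization of $N$, so it is proof that the received key must be rejected; `None` only means this particular weakness was not found.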

6. Conclusions

We have constructed novel strategies to identify whether a Murru–Saettone RSA variant cryptosystem key pair was generated by a potential RCA. Based on our findings, if the condition $|Z - \psi| < \frac{p - q}{p + q}N^{1/4}$ or $|Z - \psi| < N$ is satisfied, where $Z$ is an approximation of $\psi$, then the Murru–Saettone RSA variant cryptosystem is vulnerable to an attack. An adversary will be able to execute the attack in polynomial time by using the continued fractions algorithm to factor the modulus $N$ from the public key pair alone, without any information about the private keys. Furthermore, by factoring the modulus $N$, an adversary will be able to compute the value of $\psi = (p^2 + p + 1)(q^2 + q + 1)$ and, finally, acquire the private key $d \equiv e^{-1} \pmod{\psi}$.

Author Contributions

Conceptualization, Z.M. and M.R.K.A.; formal analysis, Z.M.; funding acquisition, Z.M.; investigation, Z.M.; methodology, Z.M. and M.R.K.A.; software, Z.M.; supervision, M.R.K.A. and A.H.A.G.; validation, Z.M., M.R.K.A., A.H.A.G. and N.R.S.; writing—original draft, Z.M.; writing—review & editing, Z.M., M.R.K.A., A.H.A.G. and N.R.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by Universiti Putra Malaysia under Putra Grant with project number GP-IPM/2021/9699900.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Rivest, R.L.; Shamir, A.; Adleman, L. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM 1978, 21, 120–126.
  2. Wiener, M. Cryptanalysis of Short RSA Secret Exponents. IEEE Trans. Inf. Theory 1990, 36, 553–558.
  3. Bunder, M.; Tonien, J. A new improved attack on RSA. In Proceedings of the 5th International Cryptology and Information Security Conference 2016, Sabah, Malaysia, 31 May–2 June 2016; pp. 101–110.
  4. Susilo, W.; Tonien, J.; Yang, G. A generalised bound for the Wiener attack on RSA. J. Inf. Secur. Appl. 2020, 53, 102531.
  5. Boneh, D.; Durfee, G. Cryptanalysis of RSA with private key d less than $N^{0.292}$. IEEE Trans. Inf. Theory 2000, 46, 1339–1349.
  6. Herrmann, M.; May, A. Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA. In Proceedings of the Public Key Cryptography—PKC 2010, Paris, France, 26–28 May 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 53–69.
  7. Takagi, T. Fast RSA-type cryptosystem modulo $p^kq$. In Proceedings of the Advances in Cryptology—CRYPTO’98, Santa Barbara, CA, USA, 23–27 August 1998; Krawczyk, H., Ed.; Springer: Berlin/Heidelberg, Germany, 1998; pp. 318–326.
  8. Quisquater, J.J.; Couvreur, C. Fast decipherment algorithm for RSA public-key cryptosystem. Electron. Lett. 1982, 18, 905–907.
  9. Asbullah, M.A.; Kamel Ariffin, M.R.; Mahad, Z.; Daud, M.A. (In)security of the cryptosystem for transmitting large data. In Proceedings of the ICSCA’19: The 2019 8th International Conference on Software and Computer Applications, Penang, Malaysia, 19–21 February 2019; Volume Part F147956, pp. 91–94.
  10. Mahad, Z.; Asbullah, M.; Ariffin, M. Efficient methods to overcome rabin cryptosystem decryption failure. Malays. J. Math. Sci. 2017, 11, 9–20.
  11. Ariffin, M.; Asbullah, M.; Abu, N.; Mahad, Z. A new efficient asymmetric cryptosystem based on the integer factorization problem of $N = p^2q$. Malays. J. Math. Sci. 2013, 7, 19–37.
  12. Elkamchouchi, H.; Elshenawy, K.; Shaban, H. Extended RSA cryptosystem and digital signature schemes in the domain of Gaussian integers. In Proceedings of the 8th International Conference on Communication Systems, Singapore, 28 November 2002; pp. 91–95.
  13. Dong, Z.; Kane, K.; Camp, L.J. Detection of Rogue Certificates from Trusted Certificate Authorities Using Deep Neural Networks. ACM Trans. Priv. Secur. 2016, 19, 1–31.
  14. Murru, N.; Saettone, F.M. A Novel RSA-Like Cryptosystem Based on a Generalization of the Rédei Rational Functions. In Proceedings of the Number-Theoretic Methods in Cryptology, Warsaw, Poland, 11–13 September 2018; Kaczorowski, J., Pieprzyk, J., Pomykała, J., Eds.; Springer International Publishing: Cham, Switzerland, 2018; pp. 91–103.
  15. Nitaj, A. Another Generalization of Wiener’s Attack on RSA. In Proceedings of the Progress in Cryptology—AFRICACRYPT 2008, Casablanca, Morocco, 11–14 June 2008; Vaudenay, S., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; pp. 174–190.
  16. Nitaj, A.; Ariffin, M.R.B.K.; Adenan, N.N.H.; Abu, N.A. Classical Attacks on a Variant of the RSA Cryptosystem. In Proceedings of the Progress in Cryptology—LATINCRYPT 2021, Bogotá, Colombia, 6–8 October 2021; Longa, P., Ràfols, C., Eds.; Springer International Publishing: Cham, Switzerland, 2021; pp. 151–167.
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
