Cryptanalysis of RSA-Variant Cryptosystem Generated by Potential Rogue CA Methodology

Abstract

Rogue certificate authorities (RCA) are third-party entities that intentionally produce key pairs that satisfy publicly known security requirements but contain weaknesses only known to the RCA. This work analyses the Murru–Saettone RSA variant scheme that obtains its key pair from a potential RCA methodology. The Murru–Saettone scheme is based on the cubic Pell equation $x^3+r{y}^3+r^2{z}^3-3rxyz=1$. The public, e, and private, d key generation process uses the secret parameter $\psi =(p^2+p+1)(q^2+q+1)$ in place of the standard Euler–phi function $\varphi \left(N\right)=(p-1)(q-1)$, where $ed\equiv 1(mod\psi )$. We prove that, upon obtaining an approximation of $\psi$, we are able to identify the provided key pair that was maliciously provided even if the private key d size is approximate to $\psi$. In fact, we are able to factor the modulus $N=pq$.

1. Introduction

The security of a symmetric encryption scheme highly depends on the safety of the secret key transmission between parties involved in the communication. Other than direct interaction between parties, the utilization of asymmetric encryption schemes is the norm in modern communication. Central to the production of the public and private key pair of an asymmetric encryption scheme is the Certificate Authority (CA). Parties should have full trust in the CA to provide secure key pairs. Nevertheless, it is wise to conduct due diligence on the key pairs received. As such, for a communication topology with large participation, it is not surprising that the security of a symmetric encryption scheme will fall back on the strength of the asymmetric encryption scheme being utilized. As such, studies on the asymmetric cryptosystem utilized must be conducted to ensure that symmetric encryption remains secure.

RSA encryption/digital signing scheme is currently the world’s most widely used public-key cryptosystem. The standard RSA cryptosystem comprises three distinct algorithms: key generation, encryption, and decryption [1]. The security of RSA is mainly based on the hardness of factoring large composite integers, which is modulus $N=pq$ where p and q are two large prime numbers of the same bit size. It is well known that RSA is not secure if the process of generating the public parameters $(e,N)$ and the private parameters $(p,q,d)$ do not satisfy certain conditions [2,3,4,5,6]. For instance, the RSA cryptosystem is vulnerable when employing continued fractions if such decryption exponent d is less than $\frac{1}{3}{N}^{\frac{1}{4}}$, by a classical finding in [2]. Additionally, [3] has recovered the secret key if $d<2\sqrt{2}{N}^{\frac{3}{4}-\frac{t}{2}}$ and explicitly for $d<2\sqrt{2}{N}^{\frac{1}{4}}$. Eventually, by using Coppersmith’s technique to obtain small solutions of modular univariate polynomials, ref. [5] refined the bound to $d<N^{0.292}$. From then on, ref. [4] identified that it is possible to raise the bound from $d<\frac{1}{3}{N}^{\frac{1}{4}}$ to $d<\frac{1}{\sqrt[4]{18}}{N}^{\frac{1}{4}}$. The new bound is generated in part from the constraint that both primes number of p and q will have almost the same size of bit length. Moreover, ref. [6] has maximized the small root bounds to small secret exponent RSA using linearization and applications. To the extent of improving the implementation of the RSA cryptosystem, many schemes with various techniques have been proposed. As a result, a lot of RSA variant cryptosystems arise [7,8,9,10,11,12].

The existence of RCA is the underlying motivation behind the identification of weak public keys. RCA is defined by [13] as an entity issuing legitimate certificates being trusted by web browsers and users but contains hidden weaknesses. There is a window of vulnerability with the existing public key infrastructure between the time a rogue certificate is issued and when it is discovered. Likewise, an RCA can publish a fraudulent RSA digital certificate using these keys without users noticing its anomaly. As the weak keys satisfy the conditions established in the key generation process, the validity of these fraudulent certificates can be convincing. Hence, the cryptosystem continues to operate discreetly using the keys, i.e., suppose an adversary knows about the existence of these specific certificates, then the adversary can find the private keys corresponding to the public keys without knowing any information about the private keys.

In relation to the above, this paper discloses potential RCA methodology upon an RSA variant cryptosystem constructed from a cubic field connected to the cubic Pell equation that was invented by Murru–Saettone [14]. Our identified conditions will allow an adversary to factor the modulus N if the user has been provided with keys through the potential RCA methodology.

The framework of this paper is as follows. In Section 2, we summarize the Murru–Saettone scheme. Section 3 describes some important tools and useful lemmas, respectively. Moreover, in the Section 4 and Section 5, we present our main result, which says that the Murru–Saettone scheme is not secure with experimental results. Finally, we conclude the paper in Section 6.

2. The Scheme of Murru and Saettone

In this section, we summarize the Murru and Saettone cryptosystem [14] along with the key generation, encryption, and decryption procedures.

Key Generation:

• Choose two random prime numbers p and q of bit-size k;
• Set $N=pq$ and $\psi =(p^2+p+1)(q^2+q+1)$;
• Choose a random integer $e<\psi$ with $\gcd (e,\psi )=1$;
• Choose a non-cube integer r in ${\mathbb{Z}}_p$, ${\mathbb{Z}}_q$ and ${\mathbb{Z}}_N$;
• Compute $d\equiv e^{-1}(mod\psi )$;
• Return the public parameters as $(N,e,r)$ and the private parameters as $(p,q,d)$.

Encryption:

• Given a pair of messages $m_1$ and $m_2$ in ${\mathbb{Z}}_N$;
• Compute $(c_1,c_2)\equiv {(m_1,m_2)}^{\odot e}(modN)$;
• Return the ciphertext as $(c_1,c_2)$.

Decryption:

• Given a pair of ciphertexts $c_1$ and $c_2$;
• Compute $(m_1,m_2)\equiv {(c_1,c_2)}^{\odot d}(modN)$;
• Return the message as $(m_1,m_2)$.

3. Preliminaries

In this section, we put forward preliminary concepts needed.

Definition 1.

The expression of continued fractions expansion of $\xi \in \mathbb{R}$ can be written in these forms

$$\xi =a_0+\frac{1}{a_1+\frac{1}{a_2+\frac{1}{a_3+\frac{1}{\cdots +\frac{1}{a_{\mu }}}}}}$$

(1)

which can also be written as $\xi =[a_0,a_1,\cdots ,a_{\mu },\cdots ]$. The process of calculating the continued fractions expansion would be executed in polynomial time if ξ is a rational number and thus $\xi =[a_0,a_1,\cdots ,a_{\mu }]$. The convergents $\frac{r}{s}$ of ξ are the fractions denoted by $\frac{r}{s}=[a_0,a_1,\cdots ,a_i]$ for $i\ge 0$. An important result on continued fractions that will be used is the following theorem.

Theorem 1.

Let ξ be a positive number. Suppose that $gcd(r,s)=1$ and

$$\left|\xi -\frac{r}{s}\right|<\frac{1}{2s^2}.$$

(2)

Then $\frac{r}{s}$ is a convergent of the continued fractions expansion of ξ.

The following result gives the bounds for p, and q in terms of N (See [15]).

Lemma 1.

Let $N=pq$ be the product of two unknown integers with $q<p<2q$. Then

$$2\sqrt{N}<p+q<3\sqrt{N}.$$

(3)

In the following, we set $\psi =\left(p^2+p+1\right)\left(q^2+q+1\right)$. The former lemma can be used to find a good approximation for $\psi$. The following result shows that one can factor the modulus $N=pq$ if $\psi$ is known [15].

Proposition 1.

Let $N=pq$ be the product of two unknown integers with $q<p<2q$. Suppose that $\psi =\left(p^2+p+1\right)\left(q^2+q+1\right)$ is known. Then,

$$p=\frac{1}{2}\left(S+\sqrt{S^2-4N}\right),q=\frac{1}{2}\left(S-\sqrt{S^2-4N}\right),$$

(4)

where

$$S=\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left(\psi -\left(N^2-N+1\right)\right)}-(N+1)\right).$$

(5)

Definition 2.

Let ${\psi }_L$ and ${\psi }_U$ be the lower bound and the upper bound of ψ. Then we define $A={\psi }_L+{\psi }_U$.

The next remark shows how we can find the best current approximation values for ${\psi }_L$ and ${\psi }_U$.

Remark 1.

From Nitaj [16], we know that $2\sqrt{N}<p+q<\frac{3}{\sqrt{N}}N$. This means

$${(N+\sqrt{N}+1)}^2<\psi <{\left(N+\frac{3}{4}\sqrt{2}\sqrt{N}+1\right)}^2+\frac{3}{8}N$$

as $\psi =(p^2+p+1)(q^2+q+1)$. Hence, the best current approximation for ${\psi }_L$ is ${(N+\sqrt{N}+1)}^2$ and for ${\psi }_U$ is ${(N+\frac{3}{4}\sqrt{2}\sqrt{N}+1)}^2+\frac{3}{8}N$.

The following lemmas and theorem show conditions to be fulfilled by parameters in the equation $eX-AY=Z-{\psi }_L$.

Lemma 2.

Let $N=pq$ with $q<p<2q$. Let e satisfy the equation $eX-AY=Z-{\psi }_L$ where X and Y are positive integers. If

$$1\le Y<X<\left|\frac{A}{2(\psi -{\psi }_L)}\right|and|Z-\psi |<\frac{p-q}{p+q}{N}^{1/4}$$

then $\frac{X}{Y}$ is a convergent function of $\frac{e}{A}-\frac{N^{1/4}}{2A}$.

Proof. 

Consider the following equation

$$eX-AY=Z-{\psi }_L.$$

(6)

Let $|Z-\psi |<\frac{p-q}{p+q}{N}^{1/4}$. Then, divide (8) by $AX$, we obtain

$$\begin{array}{cc}\hfill \left|\frac{e}{A}-\frac{Y}{X}\right|& =\left|\frac{Z-{\psi }_L}{AX}\right|\hfill \\ \hfill & \le \frac{\frac{p-q}{p+q}{N}^{1/4}+\psi -{\psi }_L}{AX}\hfill \\ \hfill & <\frac{\frac{N^{1/2}}{2N^{1/2}}{N}^{1/4}+\psi -{\psi }_L}{AX}\hfill \\ \hfill & <\frac{X{N}^{1/4}}{2AX}+\frac{\psi -{\psi }_L}{AX}\hfill \\ \hfill & \le \frac{N^{1/4}}{2A}+\frac{\psi -{\psi }_L}{AX}\hfill \end{array}$$

(7)

since $p-q<2\sqrt{N}$, $p+q>2\sqrt{N}$ and $X>1$. If $X<\left|\frac{A}{2(\psi -{\psi }_L)}\right|$, then $\frac{1}{2X}>\left|\frac{2(\psi -{\psi }_L)}{A}\right|$. As $AX$ will always be a positif value, rearranging (9), we obtain

$$\begin{array}{cc}\hfill \left|\left(\frac{e}{A}-\frac{N^{1/4}}{2A}\right)-\frac{Y}{X}\right|& <\left|\frac{\psi -{\psi }_L}{AX}\right|\hfill \\ \hfill & <\frac{1}{2X^2}\hfill \end{array}$$

which satisfies Theorem 1. This terminates the proof. □

Theorem 2.

Let $N=pq$ with $q<p<2q$. Let e satisfies the equation $eX-AY=Z-{\psi }_L$ where X, Y are positive integers. If

• $1\le Y<X<\left|\frac{A}{2(\psi -{\psi }_L)}\right|$
• $\psi +\frac{p-q}{p+q}{N}^{1/4}<N^2+8N+3\sqrt{N}N+3\sqrt{N}+1$
• $|Z-\psi |<\frac{p-q}{p+q}{N}^{1/4}$

then N can be factored in polynomial time.

Proof. 

Suppose e satisfies an equation $eX-AY=Z-{\psi }_L$. Let X, Y and Z satisfy the conditions in Lemma 3, then we can find the values of X and Y by computing $\frac{e}{A}-\frac{N^{1/4}}{2A}$. From the values of X and Y, we can have the value of Z by computing $Z=eX-AY+{\psi }_L$. From the values of Z, we define Equation (5) as

$$S=\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left(Z-\left(N^2-N+1\right)\right)}-(N+1)\right).$$

Since, $\psi +\frac{p-q}{p+q}{N}^{1/4}<N^2+8N+3\sqrt{N}N+3\sqrt{N}+1$ then

$$\begin{array}{cc}\hfill S& =\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left(Z-\left(N^2-N+1\right)\right)}-(N+1)\right)\hfill \\ \hfill & <\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left((N^2+8N+3\sqrt{N}N+3\sqrt{N}+1)-\left(N^2-N+1\right)\right)}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left(9N+3\sqrt{N}N+3\sqrt{N}\right)}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(\sqrt{N^2+2N+1+36N+12\sqrt{N}N+12\sqrt{N}}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(\sqrt{N^2+38N+12\sqrt{N}N+12\sqrt{N}+1}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(\sqrt{{\left(N+1+6\sqrt{N}\right)}^2}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left((N+1)+6\sqrt{N}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(6\sqrt{N}\right)\hfill \\ \hfill & =3\sqrt{N}.\hfill \end{array}$$

Based on Proposition 1, we can factor N in polynomial time. □

4. Generating Weak Murru–Saettone Cryptosystem Public Keys by RCA: Case $\left|\mathit{Z}-\mathbf{\psi }\right|<\frac{\mathit{p}-\mathit{q}}{\mathit{p}+\mathit{q}}{\mathit{N}}^{\mathbf{1}/\mathbf{4}}$

In this section, we show how a RCA can generate weak Murru–Saettone cryptosystem public key pairs. By using conditions in Lemma 3 coupled with results from Theorem 3, a RCA can build an algorithm that produces such weak Murru–Saettone cryptosystem public keys. The Algorithm 1 is as follows:

Algorithm 1. Generating weak Murru–Saettone cryptosystem public keys via Lemma 3 and Theorem 3

Input: Two distinct primes, p and q where $p<q<2q$ Output: Weak Murru–Saettone cryptosystem public keys, ($N,e$) 1: Compute $N=p·q$ 2: Compute $\psi =(p^2+p+1)(q^2+q+1)$ 3: Compute ${\psi }_L=⌊{(N+\sqrt{N}+1)}^2⌋$ 4: Compute ${\psi }_U=⌈{(N+\frac{3}{4}\sqrt{2}\sqrt{N}+1)}^2-\frac{3}{8}N⌉$ 5: Compute $A={\psi }_L+{\psi }_U$ 6: Compute $Z_L=⌈\psi -\frac{p-q}{p+q}{N}^{1/4}⌉$ 7: Compute $Z_U=⌊\psi +\frac{p-q}{p+q}{N}^{1/4}⌋$ 8: Choose an integer Z randomly between $Z_L$ and $Z_U$ 9: Choose an integer $Y<\frac{A}{2(\psi -{\psi }_L)}$ 10: Compute $\xi =Z-{\psi }_L+A·Y$ 11: if$\xi =$ prime number then return to Step 8. 12: else Assign $r_1^{s_1},r_2^{s_2},\dots ,r_n^{s_n}$ to be all the small prime factors of $\xi$ 13: end if 14: Compute $X={\prod }_{i=1}^n{r}_i^{s_i}$ 15: if$X<Y$then return to Step 8. 16: else Compute $e=\xi /X$ 17: end if 18: Output$N,e$

From Theorem 3, given $(N,e)$, a thorough user can utilize the following algorithm to determine the security of the provided key pair, whether it was generated via Algorithm 1 or not. In fact, the following algorithm will factor the modulus $N=pq$. Algorithm 2 is as follows:

Algorithm 2. Factoring weak Murru–Saettone cryptosystem moduli for adversary

Input:e and $N=pq$ Output:$p,q$ 1: Run the continued fraction method on input $\left(\frac{e}{A}-\frac{N^{1/4}}{2A}\right)$ to obtain the list of convergents $\frac{x_1}{y_1},\frac{x_2}{y_2},...,\frac{x_i}{y_i}$. 2: for$1\le j\le i$do 3:   Compute $\zeta =e{x}_j-A{y}_j+{\psi }_L$ 4:   Computing $S=\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left(\zeta -\left(N^2-N+1\right)\right)}-(N+1)\right)$. 5:   Find the two roots $\widehat{p}$ and $\widehat{q}$ by computing $\widehat{p}=\frac{1}{2}\left(S+\sqrt{S^2-4N}\right)$, $\widehat{q}=\frac{1}{2}\left(S-\sqrt{S^2-4N}\right)$. 6:   if $\frac{N}{\widehat{p}}$ and $\frac{N}{\widehat{q}}$ is true then 7:    return $(p=\widehat{p},q=\widehat{q})$ 8:   end if 9: end for 10: return⊥

The following is an example to illustrate Algorithm 2 for the case $\left|Z-\psi \right|<\frac{p-q}{p+q}{N}^{1/4}$.

Example 1.

We use 512-bits for modulus, N in this example. Specifically, an adversary is given

$$\begin{array}{ccc}\hfill N& =& 10474822604491897001733857277814570107822699106377897693425264554973361\hfill \\ & & 58458484775463402422003323750703377331670427702899085519959211457360525\hfill \\ & & 1725921749487\hfill \end{array}$$

and

$$\begin{array}{ccc}\hfill e& =& 10769431345193232115549076564111889013279606438830774711785365502043223\hfill \\ & & 36983784754825450828067839539380291147535145118648508441400064293496014\hfill \\ & & 28037987577469755126079846620517207129565398016054178944122529342046000\hfill \\ & & 79951902104127778845899081368191996598990016792544117030228778670332199\hfill \\ & & 66688065360189864914067\hfill \end{array}$$

Then the adversary can compute the following parameters

$$\begin{array}{ccc}\hfill {\psi }_L& =& {\left(N+\sqrt{N}+1\right)}^2\hfill \\ & =& 10972190859557440848144523347183869176170441989204148244265443157694326\hfill \\ & & 55090596006849331271968597124151449472326065606717076270695558973543340\hfill \\ & & 16399157992733112957908865628547537726741464786957792386746053861066215\hfill \\ & & 14005357690284192187276002600785194693106806210105341266365825588084065\hfill \\ & & 4876802104380257011319546;\hfill \end{array}$$

$$\begin{array}{ccc}\hfill {\psi }_U& =& {\left(N+\frac{3}{4}\sqrt{2}\sqrt{N}+1\right)}^2+\frac{3}{8}N\hfill \\ & =& 10972190859557440848144523347183869176170441989204148244265443157694326\hfill \\ & & 55090597307478970371992316073205293629546536981622305227485167239321394\hfill \\ & & 38987511657679949831394489061622293209819788811091076702286375226298967\hfill \\ & & 38567217321814134233548331851018257283060212388804238053825134923510675\hfill \\ & & 2443601422078279861895276;\hfill \\ \hfill A& =& {\psi }_L+{\psi }_U\hfill \\ & =& 21944381719114881696289046694367738352340883978408296488530886315388653\hfill \\ & & 10181193314328301643960913197356743101872602588339381498180726212864734\hfill \\ & & 55386669650413062789303354690169830936561253598048869089032429087365182\hfill \\ & & 52572575012098326420824334451803451976167018598909579320190960511594740\hfill \\ & & 7320403526458536873214822.\hfill \end{array}$$

Using values of e, N and A, the adversary obtain the continued fraction expansion of $\left(\frac{e}{A}-\frac{N^{1/4}}{2A}\right)$ which are

$$\left[0,\frac{1}{203},\frac{1}{204},\frac{4}{815},\frac{13}{2649},\frac{17}{3464},\frac{64}{13041},\frac{81}{16505},\cdots ,\frac{990529}{201835601},\cdots \right].$$

Our algorithm stops at the 13th convergent $\frac{x_{13}}{y_{13}}=\frac{990529}{201835601}$. Taking $\frac{x_{13}}{y_{13}}=\frac{990529}{201835601}$, the adversary computes

$$\begin{array}{ccc}\hfill \zeta & =& e{x}_{13}-A{y}_{13}+{\psi }_L\hfill \\ & =& 5574608071352441655477991436266937217831337826056715404009612529043\hfill \\ & & 9394900853347880762347196536169393312904395683940461765091274051490\hfill \\ & & 4922129571135704857702475014481507126817419400466534386062373124882\hfill \\ & & 4598157616580496587587321268549335267487323247766573142730757277460\hfill \\ & & 6908398902349753769291344577179649895178.\hfill \end{array}$$

Using value of ζ, the adversary solve the Equations (5) and (1) to get S, p and q respectively.

$$\begin{array}{ccc}\hfill S& =& 20494978362949416541086172246659407304192799993752661797416382518140388\hfill \\ & & 0052072;\hfill \\ \hfill p& =& 10760137676568779991090044679907911735120737664989630437784142392233347\hfill \\ & & 8553733;\hfill \end{array}$$

and

$$\begin{array}{ccc}\hfill q& =& 97348406863806365499961275667514955690720623287630313596322401259070401\hfill \\ & & 498339.\hfill \end{array}$$

5. Generating Weak Murru–Saettone Cryptosystem Public Keys by RCA: Case $\left|\mathit{Z}-\mathbf{\psi }\right|<\mathit{N}$

In this section, we show that the condition $\left|Z-\psi \right|<\frac{p-q}{p+q}{N}^{1/4}$ in the previous section can be extended to $\left|Z-\psi \right|<N$.

Lemma 3.

Let $N=pq$ with $q<p<2q$. Let e satisfies the equation $eX-AY=Z-{\psi }_L$ where X and Y are positive integers. If

$$1\le Y<X<\left|\frac{A}{2(\psi -{\psi }_L)}\right|and|Z-\psi |<N$$

then $\frac{X}{Y}$ is a convergent function of $\frac{e}{A}-\frac{N}{2A}$.

Proof. 

Consider the following equation

$$eX-AY=Z-{\psi }_L.$$

(8)

Let $|Z-\psi |<N$. Then, divide (8) by $AX$, we obtain

$$\begin{array}{cc}\hfill \left|\frac{e}{A}-\frac{Y}{X}\right|& =\left|\frac{Z-{\psi }_L}{AX}\right|\hfill \\ \hfill & \le \frac{N+\psi -{\psi }_L}{AX}\hfill \\ \hfill & <\frac{XN}{2AX}+\frac{\psi -{\psi }_L}{AX}\hfill \\ \hfill & \le \frac{N}{2A}+\frac{\psi -{\psi }_L}{AX}\hfill \end{array}$$

(9)

since $p-q<2\sqrt{N}$, $p+q>2\sqrt{N}$ and $X>1$. If $X<\left|\frac{A}{2(\psi -{\psi }_L)}\right|$, then $\frac{1}{2X}>\left|\frac{2(\psi -{\psi }_L)}{A}\right|$. As $AX$ will always be a positive value, rearranging (9), we obtain

$$\begin{array}{cc}\hfill \left|\left(\frac{e}{A}-\frac{N}{2A}\right)-\frac{Y}{X}\right|& <\left|\frac{\psi -{\psi }_L}{AX}\right|\hfill \\ \hfill & <\frac{1}{2X^2}\hfill \end{array}$$

which satisfies Theorem 1. This terminates the proof. □

Theorem 3.

Let $N=pq$ with $q<p<2q$. Let e satisfies the equation $eX-AY=Z-{\psi }_L$ where X, Y are positive integers. If

• $1\le Y<X<\left|\frac{A}{2(\psi -{\psi }_L)}\right|$
• $\psi +N<N^2+8N+3\sqrt{N}N+3\sqrt{N}+1$
• $|Z-\psi |<N$

then N can be factored in polynomial time.

Proof. 

Suppose e satisfies an equation $eX-AY=Z-{\psi }_L$. Let X, Y and Z satisfy the conditions in Lemma 3, then we can find the values of X and Y by computing $\frac{e}{A}-\frac{N}{2A}$. From the values of X and Y, we can have the value of Z by computing $Z=eX-AY+{\psi }_L$. From the values of Z, we define Equation (5) as

$$S=\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left(Z-\left(N^2-N+1\right)\right)}-(N+1)\right).$$

Since, $\psi +N<N^2+8N+3\sqrt{N}N+3\sqrt{N}+1$ then

$$\begin{array}{cc}\hfill S& =\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left(Z-\left(N^2-N+1\right)\right)}-(N+1)\right)\hfill \\ \hfill & <\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left((N^2+8N+3\sqrt{N}N+3\sqrt{N}+1)-\left(N^2-N+1\right)\right)}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(\sqrt{{(N+1)}^2+4\left(9N+3\sqrt{N}N+3\sqrt{N}\right)}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(\sqrt{N^2+2N+1+36N+12\sqrt{N}N+12\sqrt{N}}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(\sqrt{N^2+38N+12\sqrt{N}N+12\sqrt{N}+1}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(\sqrt{{\left(N+1+6\sqrt{N}\right)}^2}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left((N+1)+6\sqrt{N}-(N+1)\right)\hfill \\ \hfill & =\frac{1}{2}\left(6\sqrt{N}\right)\hfill \\ \hfill & =3\sqrt{N}.\hfill \end{array}$$

Based on Proposition 1, we can factor N in polynomial time. □

Remark 2.

A RCA can build an algorithm that produces such weak public keys by using Algorithm 1 by changing step 6 and 7 instead of

$$Z_L=⌈\psi -\frac{p-q}{p+q}{N}^{1/4}⌉tobe{Z}_L=\psi -N$$

and

$$Z_U=⌊\psi +\frac{p-q}{p+q}{N}^{1/4}⌋tobe{Z}_U=\psi +N$$

respectively.

The following is an example to illustrate Algorithm 2 for the case $\left|Z-\psi \right|<N$.

Example 2.

We use 512-bits for modulus, N in this example. Specifically, an adversary is given

$$\begin{array}{ccc}\hfill N& =& 90998889189985602168085367893162619329958419488034971810965711742895590\hfill \\ & & 77774100415809039409348571858260497344724878561601849467626260439789077\hfill \\ & & 252741730547\hfill \end{array}$$

and

$$\begin{array}{ccc}\hfill e& =& 15387369231796195738270992845728344585898863892978423209867961015301962\hfill \\ & & 46472248583690385843285862859500857363812725002682339828686015519248969\hfill \\ & & 63680184170435282928948400170028279134662306718807531327694445559522168\hfill \\ & & 84664833658348512658325929687042827403376132263722135766423596683016053\hfill \\ & & 1518452792490127534307\hfill \end{array}$$

Then the adversary can compute the following parameters

$$\begin{array}{ccc}\hfill {\psi }_L& =& {\left(N+\sqrt{N}+1\right)}^2\hfill \\ & =& 82807978338112784826780485020381417521129159135920594979482820416390407\hfill \\ & & 23513424633156792874478533036764173593809203208428445896229812621601877\hfill \\ & & 61723144557638769299971010979168848830320041278367854644800805874441479\hfill \\ & & 18688097702791322474704887700856055822473759466601003234855838299076770\hfill \\ & & 683825614980799914083673;\hfill \\ \hfill {\psi }_U& =& {\left(N+\frac{3}{4}\sqrt{2}\sqrt{N}+1\right)}^2+\frac{3}{8}N\hfill \\ & =& 82807978338112784826780485020381417521129159135920594979482820416390407\hfill \\ & & 23513435164597038913347172745328547015259734197573535282812397829422636\hfill \\ & & 39341490139659551164180227994657123576942524448711206060094402408587573\hfill \\ & & 31703045358792739925795217103381777720156105924634123140051008685419014\hfill \\ & & 861113526695021736842623;\hfill \\ \hfill A& =& {\psi }_L+{\psi }_U\hfill \\ & =& 16561595667622556965356097004076283504225831827184118995896564083278081\hfill \\ & & 44702685979775383178782570578209272060906893740600198117904221045102451\hfill \\ & & 40106463469729832046415123897382597240726256572707906070489520828302905\hfill \\ & & 25039114306158406240050010480423783354262986539123512637490684698449578\hfill \\ & & 5544939141675821650926296.\hfill \end{array}$$

Using values of e, N and A, the adversary obtain the continued fraction expansion of $\left(\frac{e}{A}-\frac{N}{2A}\right)$ which are

$$\left[0,\frac{1}{1076},\frac{3}{3229},\frac{13}{13992},\frac{16}{17221},\frac{29}{31213},\frac{45}{48434},\frac{389}{418685},\cdots ,\frac{149512}{160921419},\cdots \right].$$

Our algorithm stops at the 15th convergent $\frac{x_{15}}{y_{15}}=\frac{149512}{160921419}$. Taking $\frac{x_{15}}{y_{15}}=\frac{149512}{160921419}$, the adversary computes

$$\begin{array}{ccc}\hfill \zeta & =& e{x}_{15}-A{y}_{15}+{\psi }_L\hfill \\ & =& 8280797833811278482678048502038141752112915913592059497948282041639\hfill \\ & & 0407235134256359934395235635855824807251668463934139518596275257230\hfill \\ & & 3632018218353221404022231036420777232659973150835293152204280391789\hfill \\ & & 5724945896673436600011377906815484408955098909607003238015099035475\hfill \\ & & 8989840453283514219334557078991720354078.\hfill \end{array}$$

Using value of ζ, the adversary solve the Equations (5) and (4) to get S, p and q respectively.

$$\begin{array}{ccc}\hfill S& =& 19188870757973671053726455398280471509352628848967903121245052936330134\hfill \\ & & 1353108;\hfill \\ \hfill p& =& 10621227009050433240107186555032049103435869244605078165796777445866056\hfill \\ & & 0181091;\hfill \end{array}$$

and

$$\begin{array}{ccc}\hfill q& =& 85676437489232378136192688432484224059167596043628249554482754904640781\hfill \\ & & 172017.\hfill \end{array}$$

Remark 3.

The above examples uses two random prime numbers with $|p-q|\approx N^{0.49}$ and $e\approx N^2$. By using the values of p and q in the examples, the adversary can easily compute the private exponent $d\approx N^2$. Therefore, based on the examples, it is difficult for the user to identify that the rogue digital certificate because all the public and private parameters generated satisfy the conditions imposed during the key generation process.

6. Conclusions

We have constructed novel strategies to identify whether the Murru–Saettone RSA variant cryptosystem key pair was generated by a potential RCA. Based on our findings, if the following condition of $\left|Z-\psi \right|<\frac{p-q}{p+q}{N}^{1/4}$ or $\left|Z-\psi \right|<N$ where Z is an approximation of $\psi$ satisfies, then Murru–Saettone RSA variant cryptosystem is vulnerable to an attack. An adversary will be able to successfully execute an attack in polynomial time by using continued fractions algorithm to factor the modulus N without having any information of the private keys upon the public key pair. Furthermore, by factoring modulus N, an adversary will be able to compute the value of $\psi =(p^2+p+1)(q^2+q+1)$ and, finally, acquire the private key, $d\equiv e^{-1}(mod\psi )$.