Cryptanalysis of RSA-Variant Cryptosystem Generated by Potential Rogue CA Methodology

Abstract: Rogue certificate authorities (RCA) are third-party entities that intentionally produce key pairs that satisfy publicly known security requirements but contain weaknesses known only to the RCA. This work analyses the Murru–Saettone RSA variant scheme when its key pair is obtained through a potential RCA methodology. The Murru–Saettone scheme is based on the cubic Pell equation $x^3 + ry^3 + r^2z^3 - 3rxyz = 1$. The public key $e$ and private key $d$ are generated using the secret parameter $\psi = (p^2 + p + 1)(q^2 + q + 1)$ in place of the standard Euler phi function $\varphi(N) = (p - 1)(q - 1)$, so that $ed \equiv 1 \pmod{\psi}$. We prove that, upon obtaining an approximation of $\psi$, we are able to identify a maliciously provided key pair even when the private exponent $d$ is of roughly the same size as $\psi$. In fact, we are able to factor the modulus $N = pq$.


Introduction
The security of a symmetric encryption scheme depends heavily on the secrecy of the key exchanged between the communicating parties. Short of direct interaction between the parties, using an asymmetric encryption scheme for this exchange is the norm in modern communication. Central to the production of the public and private key pair of an asymmetric encryption scheme is the Certificate Authority (CA). Parties are expected to trust the CA fully to provide secure key pairs; nevertheless, it is wise to conduct due diligence on the key pairs received. For a communication topology with many participants, it is therefore not surprising that the security of the symmetric encryption scheme falls back on the strength of the asymmetric scheme being used, so the asymmetric cryptosystem must be studied to ensure that the symmetric encryption remains secure.
The RSA encryption and digital signature scheme is currently the world's most widely used public-key cryptosystem. The standard RSA cryptosystem comprises three distinct algorithms: key generation, encryption, and decryption [1]. The security of RSA is based mainly on the hardness of factoring large composite integers, namely the modulus N = pq, where p and q are two large primes of the same bit size. It is well known that RSA is not secure if the process of generating the public parameters (e, N) and the private parameters (p, q, d) does not satisfy certain conditions [2][3][4][5][6]. For instance, by the classical result of [2], the RSA cryptosystem is vulnerable to a continued fraction attack if the decryption exponent satisfies $d < \frac{1}{3}N^{1/4}$. Additionally, [3] . The new bound is derived in part from the constraint that the primes p and q have almost the same bit length. Moreover, ref. [6] extends the small-root bounds for small secret exponent RSA using linearization and its applications. Many schemes with various techniques have been proposed to improve the implementation of the RSA cryptosystem, and as a result a large number of RSA variant cryptosystems have arisen [7][8][9][10][11][12].
The existence of RCAs is the underlying motivation for identifying weak public keys. An RCA is defined in [13] as an entity that issues legitimate certificates trusted by web browsers and users but containing hidden weaknesses. In the existing public key infrastructure there is a window of vulnerability between the time a rogue certificate is issued and the time it is discovered. Likewise, an RCA can publish a fraudulent RSA digital certificate using such keys without users noticing any anomaly. Since the weak keys satisfy the conditions established in the key generation process, the validity of these fraudulent certificates can be convincing. Hence the cryptosystem continues to operate discreetly with these keys: if an adversary knows about the existence of these specific certificates, the adversary can recover the private keys corresponding to the public keys without any prior information about the private keys.
In relation to the above, this paper discloses a potential RCA methodology for an RSA variant cryptosystem constructed from a cubic field connected to the cubic Pell equation, invented by Murru and Saettone [14]. The conditions we identify allow an adversary to factor the modulus N whenever the user has been provided with keys through the potential RCA methodology.
The framework of this paper is as follows. In Section 2, we summarize the Murru–Saettone scheme. Section 3 describes the tools and lemmas we rely on. In Sections 4 and 5, we present our main result, namely that the Murru–Saettone scheme is not secure under the RCA methodology, together with experimental results. Finally, we conclude the paper in Section 6.

The Scheme of Murru and Saettone
In this section, we summarize the Murru and Saettone cryptosystem [14] along with the key generation, encryption, and decryption procedures.

Key Generation:
• Choose two random prime numbers $p$ and $q$ of bit-size $k$;
• Set $N = pq$ and $\psi = (p^2 + p + 1)(q^2 + q + 1)$;
• Choose a random integer $e < \psi$ with $\gcd(e, \psi) = 1$, and compute $d \equiv e^{-1} \pmod{\psi}$;
• Choose an integer $r$ that is a non-cube in $\mathbb{Z}_p$, $\mathbb{Z}_q$ and $\mathbb{Z}_N$;
• Return the public parameters $(N, e, r)$ and the private parameters $(p, q, d)$.

Encryption:
• Given a pair of messages $m_1$ and $m_2$ in $\mathbb{Z}_N$;
• Return the ciphertext as $(c_1, c_2)$.

Decryption:
• Given a pair of ciphertexts $c_1$ and $c_2$;
• Return the message as $(m_1, m_2)$.

Preliminaries
In this section, we put forward preliminary concepts needed.

Definition 1.
The continued fraction expansion of $\xi \in \mathbb{R}$ can be written in the form
$$\xi = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\ddots}}},$$
which can also be written as $\xi = [a_0, a_1, \cdots, a_\mu, \cdots]$. If $\xi$ is a rational number the expansion is finite, $\xi = [a_0, a_1, \cdots, a_\mu]$, and it can be computed in polynomial time. The convergents $r/s$ of $\xi$ are the fractions $r/s = [a_0, a_1, \cdots, a_i]$ for $i \geq 0$. An important result on continued fractions that will be used is the following theorem.

Theorem 1.
Let $\xi$ be a real number and let $r$ and $s$ be positive integers with $\gcd(r, s) = 1$ and $\left|\xi - \frac{r}{s}\right| < \frac{1}{2s^2}$. Then $r/s$ is a convergent of the continued fraction expansion of $\xi$.
The following result gives bounds for $p$ and $q$ in terms of $N$ (see [15]).

Lemma 1.
Let $N = pq$ be the product of two unknown integers with $q < p < 2q$. Then
$$\frac{\sqrt{N}}{\sqrt{2}} < q < \sqrt{N} < p < \sqrt{2}\,\sqrt{N}.$$
In the following, we set $\psi = (p^2 + p + 1)(q^2 + q + 1)$. The former lemma can be used to find a good approximation for $\psi$. The following result shows that one can factor the modulus $N = pq$ if $\psi$ is known [15].

Proposition 1.
Let $N = pq$ be the product of two unknown integers with $q < p < 2q$. Suppose that $\psi = (p^2 + p + 1)(q^2 + q + 1)$ is known. Then, where

Definition 2.
Let $\psi_L$ and $\psi_U$ be the lower bound and the upper bound of $\psi$. Then we define

The next remark shows how we can find the best current approximation values for $\psi_L$ and $\psi_U$.

Hence, the best current approximation for $\psi_L$ is $(N + \sqrt{N} + 1)^2$ and for $\psi_U$ is (N + 3

The following lemmas and theorem give conditions to be fulfilled by the parameters in the equation $eX - AY = Z - \psi_L$.

Lemma 2.
Let $N = pq$ with $q < p < 2q$. Let $e$ satisfy the equation $eX - AY = Z - \psi_L$, where $X$ and $Y$ are positive integers. If

Proof. Consider the following equation . As $AX$ is always positive, rearranging (9) we obtain which satisfies Theorem 1. This terminates the proof.

From the values of $Z$, we define Equation (5) as Based on Proposition 1, we can factor $N$ in polynomial time.
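As an added derivation by the editor (not part of the paper's text), the identity behind the value of $\psi_L$ in the remark above and behind Proposition 1, written in the paper's symbols with $S = p + q$:
$$
\begin{aligned}
\psi &= (p^2 + p + 1)(q^2 + q + 1) \\
     &= N^2 + N(p + q) + (p^2 + q^2) + N + (p + q) + 1 \\
     &= N^2 - N + 1 + (N + 1)S + S^2, \qquad \text{using } p^2 + q^2 = S^2 - 2N .
\end{aligned}
$$
Since $S \geq 2\sqrt{N}$ (AM–GM) and $p^2 + q^2 - 2N = (p - q)^2 \geq 0$,
$$
\psi \geq N^2 + 2N\sqrt{N} + 3N + 2\sqrt{N} + 1 = (N + \sqrt{N} + 1)^2 = \psi_L ,
$$
with equality only for $p = q$. Conversely, if $\psi$ is known, $S$ is the positive root of $S^2 + (N + 1)S + (N^2 - N + 1 - \psi) = 0$,
$$
S = \frac{-(N + 1) + \sqrt{(N + 1)^2 - 4(N^2 - N + 1 - \psi)}}{2}, \qquad p, q = \frac{S \pm \sqrt{S^2 - 4N}}{2},
$$
which is the polynomial-time factorization of Proposition 1. If only a $Z$ with $|Z - \psi| < N$ is available, the real root of the same quadratic moves by less than $|Z - \psi| / (2S + N + 1) < 1$, so the true integer $S$ is among the immediate neighbours of the computed value and is identified by checking which candidate makes $S^2 - 4N$ a perfect square.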

Generating Weak Murru–Saettone Cryptosystem Public Keys by RCA: Case $|Z - \psi| < \frac{p - q}{p + q}N^{1/4}$
In this section, we show how an RCA can generate weak Murru–Saettone cryptosystem public key pairs. Using the conditions in Lemma 3 coupled with the results of Theorem 3, an RCA can build an algorithm that produces such weak public keys. Algorithm 1 is as follows.

Algorithm 1 Generating weak Murru–Saettone cryptosystem public keys via Lemma 3 and Theorem 3
Input: Two distinct primes $p$ and $q$ with $q < p < 2q$
Output: Weak Murru–Saettone cryptosystem public keys $(N, e)$
1: Compute $N = p \cdot q$
2: Compute $\psi = (p^2 + p + 1)(q^2 + q + 1)$
3: Compute $\psi_L = (N + \sqrt{N} + 1)^2$
7: Compute $Z_U = \psi + \frac{p - q}{p + q}N^{1/4}$
8: Choose an integer $Z$ randomly between $Z_L$ and $Z_U$
9: Choose an integer $Y <$

Given a public key $(N, e)$, a thorough user can use the following algorithm to determine whether the provided key pair was generated via Algorithm 1 or not. In fact, the algorithm factors the modulus $N = pq$. Algorithm 2 is as follows.

Algorithm 2
Compute $\zeta = e x_j - A y_j + \psi_L$

In our example, the algorithm stops at the 13th convergent. Using the value of $\zeta$, the adversary solves Equations (5) and (4).

Generating Weak Murru–Saettone Cryptosystem Public Keys by RCA: Case $|Z - \psi| < N$
In this section, we show that the condition $|Z - \psi| < \frac{p - q}{p + q}N^{1/4}$ of the previous section can be extended to $|Z - \psi| < N$.

Lemma 3.
Let $N = pq$ with $q < p < 2q$. Let $e$ satisfy the equation $eX - AY = Z - \psi_L$, where $X$ and $Y$ are positive integers. If

Proof. Consider the following equation Let $|Z - \psi| < N$. Then, dividing (8) by $AX$, we obtain . As $AX$ is always positive, rearranging (9) we obtain which satisfies Theorem 1. This terminates the proof.

Theorem 3.
Let $N = pq$ with $q < p < 2q$. Let $e$ satisfy the equation $eX - AY = Z - \psi_L$, where $X, Y$ are positive integers. If Based on Proposition 1, we can factor $N$ in polynomial time.
In our example, the algorithm stops at the 15th convergent. Using the value of $\zeta$, the adversary solves Equations (5) and (4), obtaining $p$ and $q$, with q = 85676437489232378136192688432484224059167596043628249554482754904640781172017.

Remark 3.
The above examples use two random prime numbers with $|p - q| \approx N^{0.49}$ and $e \approx N^2$. Using the values of $p$ and $q$ recovered in the examples, the adversary can easily compute the private exponent $d \approx N^2$. Therefore, based on the examples, it is difficult for the user to identify the rogue digital certificate, because all the public and private parameters generated satisfy the conditions imposed during the key generation process.
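The whole pipeline, as an added end-to-end Python model written by the editor (not the paper's code or any reference implementation): the key generation of Section 2, the rogue construction in the shape of Algorithm 1 for the case $|Z - \psi| < N$, and the recovery of Algorithm 2 that walks the convergents of $e/A$ and hands each $\zeta = e x_j - A y_j + \psi_L$ to Proposition 1. Assumptions: the public quantity $A$ of Definition 2 is not preserved in this extract, so it is a parameter and the demo sets $A = \psi_L$ (the attack only ever uses convergents of $e/A$, so any public $A$ behaves the same way); $\psi_L$ is taken as the integer $(N + \lfloor\sqrt{N}\rfloor + 1)^2$; the primes, $X$, $Y$ and $Z$ are constructed from a seeded PRNG for the demonstration; the Murru–Saettone encryption itself is not modelled, only the key material the attack concerns.

```python
import random
from math import gcd, isqrt

# Editor's model of Algorithms 1 and 2 (not the paper's code).  ASSUMPTION: the
# public quantity A of Definition 2 is not preserved in this extract, so the RCA
# side takes A as a parameter and the demo uses A = psi_L; any public A works.

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin, adequate for demo primes."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c

def psi_of(p, q):
    return (p * p + p + 1) * (q * q + q + 1)

def psi_lower(N):
    """Integer form of the paper's psi_L = (N + sqrt(N) + 1)^2; floor(sqrt(N)) keeps it a lower bound."""
    return (N + isqrt(N) + 1) ** 2

def convergents(num, den):
    """Successive convergents h/k of num/den (Definition 1), standard recurrence."""
    h2, h1, k2, k1 = 0, 1, 1, 0
    while den:
        a, rem = divmod(num, den)
        h2, h1 = h1, a * h1 + h2
        k2, k1 = k1, a * k1 + k2
        yield h1, k1
        num, den = den, rem

def factor_from_psi(N, Z):
    """Proposition 1: psi = N^2 - N + 1 + (N+1)S + S^2 with S = p + q.
    When Z is only within N of psi the real root moves by < 1, so the
    neighbouring integers are tried as well (editor's robustness step)."""
    disc = (N + 1) ** 2 - 4 * (N * N - N + 1 - Z)
    if disc < 0:
        return None
    s0 = (isqrt(disc) - (N + 1)) // 2
    for S in range(s0 - 2, s0 + 3):
        t = S * S - 4 * N
        if t < 0:
            continue
        r = isqrt(t)
        p, q = (S + r) // 2, (S - r) // 2
        if r * r == t and q > 1 and p * q == N:
            return p, q
    return None

def rogue_keypair(bits, rng, A=None):
    """Rogue CA in the shape of Algorithm 1: fix X, Y, Z first, then derive e so
    that e*X - A*Y = Z - psi_L holds with 0 <= Z - psi < X < N (case |Z - psi| < N)."""
    p, q = sorted((random_prime(bits, rng), random_prime(bits, rng)), reverse=True)
    assert p != q and p < 2 * q          # the scheme assumes q < p < 2q
    N = p * q
    psi, pl = psi_of(p, q), psi_lower(N)
    A = pl if A is None else A           # assumption, see header comment
    xbits = N.bit_length() // 3          # X ~ N^(1/3) keeps the Legendre condition below
    X = rng.getrandbits(xbits) | (1 << (xbits - 1)) | 1
    while True:
        Y = rng.randrange(1, X)
        t = (pl - A * Y - psi) % X       # makes X divide A*Y + Z - psi_L
        Z = psi + t
        e = (A * Y + Z - pl) // X
        # gcd(X, Y) = 1 and |e/A - Y/X| = |Z - psi_L|/(A X) < 1/(2 X^2): Y/X is a convergent of e/A
        if gcd(X, Y) == 1 and 0 < e < psi and gcd(e, psi) == 1 and 2 * X * abs(Z - pl) < A:
            break
    d = pow(e, -1, psi)                  # e*d = 1 (mod psi); d is full size, as in Remark 3
    return {"N": N, "e": e, "d": d, "A": A, "p": p, "q": q, "X": X, "Y": Y, "Z": Z}

def recover_factors(N, e, A):
    """Algorithm 2: for each convergent y_j/x_j of e/A, zeta = e*x_j - A*y_j + psi_L
    is a candidate for Z; Proposition 1 turns a good one into p, q.  Returns (p, q, j)."""
    pl = psi_lower(N)
    for j, (y, x) in enumerate(convergents(e, A)):
        found = factor_from_psi(N, e * x - A * y + pl)
        if found:
            return found[0], found[1], j
    return None

def demo(bits=128, seed=2024):
    """Generate a rogue key pair and break it from (N, e, A) alone."""
    keys = rogue_keypair(bits, random.Random(seed))
    return keys, recover_factors(keys["N"], keys["e"], keys["A"])
```

`demo()` returns the rogue key material and the recovered `(p, q, j)`, where `j` is the index of the convergent at which the factorization appeared. The point Remark 3 makes is visible in the output: `d = e^{-1} mod psi` is of the order of $\psi$, so the key passes any small-`d` check (Wiener-style bounds do not apply); the weakness is the linear relation between $e$, $A$ and $\psi_L$ with a small $X$, which Legendre's theorem turns into a convergent of $e/A$. Trying the integers $S \pm 2$ around the real root is what lets a $Z$ that is only within $N$ of $\psi$ (the second case) still factor $N$ exactly.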

Conclusions
We have constructed novel strategies to identify whether a Murru–Saettone RSA variant cryptosystem key pair was generated by a potential RCA. Based on our findings, if the condition $|Z - \psi| < \frac{p - q}{p + q}N^{1/4}$ or $|Z - \psi| < N$ is satisfied, where $Z$ is an approximation of $\psi$, then the Murru–Saettone RSA variant cryptosystem is vulnerable to an attack. An adversary can execute the attack in polynomial time using the continued fraction algorithm to factor the modulus $N$ from the public key alone, without any information about the private key. Furthermore, having factored the modulus $N$, the adversary can compute the value of $\psi = (p^2 + p + 1)(q^2 + q + 1)$ and, finally, acquire the private key $d \equiv e^{-1} \pmod{\psi}$.