Factoring the Modulus of Type $N = p^2 q$ by Finding Small Solutions of the Equation $er - (Ns + t) = \alpha p^2 + \beta q^2$

The modulus of type $N = p^2 q$ is often used in many variants of factoring-based cryptosystems because it speeds up the decryption process. Faster decryption is suitable for securing small devices in the Internet of Things (IoT) environment or securing fast-forwarding encryption services used in mobile applications. Taking this into account, the security analysis of such a modulus is indeed paramount. This paper presents two cryptanalyses that use new enabling conditions to factor the modulus $N = p^2 q$ of the factoring-based cryptosystem. The first cryptanalysis considers a single user with a public key pair $(e, N)$ related via an arbitrary relation to the equation $er - (Ns + t) = \alpha p^2 + \beta q^2$, where $r, s, t$ are unknown parameters. The second cryptanalysis considers two distinct cases in the situation of $k$ users (i.e., multiple users) for $k \geq 2$, given the instances $(N_i, e_i)$ where $i = 1, \ldots, k$. By using the lattice basis reduction algorithm for solving simultaneous Diophantine approximation, the $k$ instances $(N_i, e_i)$ can be successfully factored in polynomial time.


Introduction
The integration of digital and physical realms has advanced considerably during the previous decade, resulting in the Internet of Things (IoT). The IoT is frequently viewed as a paradigm shift from the standard Internet to environments connected to everything. The advancement of technology incorporated in heterogeneous devices, such as smartphones, tablets, radio-frequency identification (RFID), Wifi, smart cities, and smart homes enables all types of communications, even unlawful ones. These connected gadgets equipped with actuators or sensors can detect their surroundings, comprehend current events, and act appropriately, resulting in increased data transfers, as [1] points out.
Individuals have been adapting to the IoT ecosystem without realizing that the data stored, transferred, and processed in the network are not primarily designed with security aspects in mind [2]. Hence, this causes more security and privacy risks for the users of these devices, which is currently one of the significant challenges of the IoT, and it also leaves the ecosystem susceptible and prone to many threats and security attacks [3]. Additionally, IoT devices are frequently limited in computing power, energy, and memory capacity, and the prototypical Internet protocols and cryptographic algorithms require many of these resources, potentially making them inadmissible for IoT devices [4]. fractions, the RSA cryptosystem is insecure. Later, ref. [14] revised the bound to $d < N^{0.292}$ via Coppersmith's method [15] for finding small solutions of modular univariate polynomials. Ref. [16] later discovered that it is feasible to increase the bound of $d < \frac{1}{3} N^{\frac14}$ to $d < \frac{1}{\sqrt[4]{18}} N^{\frac14}$. The new bound is partially derived from the restriction that both primes $p$ and $q$ have the same bit length.
In recent years, many researchers have extended Wiener's and Boneh-Durfee's results. For instance, ref. [17] presented a type of attack zoomed in on the RSA Diophantine equation in its original form $ed - k\varphi(N) = 1$, focusing on increasing the bound on $d$ by combining it with the continued fraction expansion. Instead of deriving an equation from the RSA key equation in its original form, ref. [18] utilized an arbitrary Diophantine equation of the form eX − uY = Z − φ b. Furthermore, their proposed conditions upon the parameters require no relation between the parameters $X$ and $Y$ and the parameters $d$ and $\varphi(N)$. As a result, their strategy enables factoring the modulus $N = pq$ for a set of weak keys with $d \approx N$. Ref. [19] then revisited Wiener's continued fraction technique, and a new attack against RSA was proposed. In contrast to the conclusion of [14], where $e \approx N$, their technique is well suited to the circumstance in which $e$ is substantially less than $N$. Consequently, when the public exponent is substantially less than the RSA modulus, the new attack in [19] surpasses the best current attack.
Many RSA variants have been proposed in parallel with these efforts to ensure computational performance while retaining acceptable security levels. Several variants of RSA are established on moduli of the form $N = p^2 q$. Such a modulus is widely employed in cryptography, as explained in [20], representing one of the most critical instances. One prominent variant is proposed in [21], which applied the Hensel-lifting technique to obtain a faster decryption algorithm compared to the original RSA decryption procedure. Other cryptosystems that also employed the modulus of the form $N = p^2 q$ were designed in [22–24]. In comparison to conventional RSA, their experiments were successful in demonstrating reduced computing costs.
Consequently, the security analysis of $N = p^2 q$ becomes essential. For instance, ref. [25] proved that the cryptosystem that uses $N = p^2 q$ is vulnerable if coupled with a decryption exponent $d$ upper-bounded by $N^{0.395}$. Unlike [25], which solved $ex - Ny = 1$, ref. [26] solved $ex - Ny = z$, which is a more generic equation. Their results increase the number of possible solutions to the problem. Intuitively, the technique in [26] appears to have a better probability of discovering solutions, that is, factoring the modulus $N$. Successful cryptanalysis of the modulus $N = p^2 q$ linked to partial key exposure was published very recently in [27,28]. They employed Jochemsz and May's comprehensive approach [29], which is a highly successful methodology for finding small roots of integer polynomials and, as a result, factoring the modulus $N$. Despite the advantages of using the modulus $N = p^2 q$, it is susceptible to attackers if the primes share some of their least significant bits (LSBs), as explained in [27], or if the primes and private keys share some of their most significant bits (MSBs), as described in [28].
To demonstrate that the class of keys is indeed weak, we must establish the existence of a probabilistic polynomial-time algorithm that accepts public parameters as input and returns the factors p and q. Thus, the procedure may be used to determine whether the key belongs to the relevant weak class. This trait may be advantageous when designing a cryptosystem's key generation procedure to avoid mistakenly creating a weak key. The suggested approach may be beneficial in designing a cryptosystem's key generation process to guarantee that no weak key is created accidentally.
Our contribution. In this paper, we introduce two interesting findings of cryptanalysis of moduli in the form $N = p^2 q$. Firstly, we consider the solution on the public key pair $(e, N)$ that is related via an arbitrary relation to the equation $er - (Ns + t) = \alpha p^2 + \beta q^2$, where $r, s, t$ are unknown parameters. We present a strategy that applies the continued fraction expansion to recover the primes $p$ and $q$ from public key pairs $(e, N)$ which satisfy the following enabling conditions: $\gcd(r, s) = 1$, $|\alpha p^2 - \beta q^2| < N^{\frac12}$, $r < \frac{N}{3(\alpha p^2 + \beta q^2)}$ and $|t| < \frac{|\alpha p^2 - \beta q^2|}{3(\alpha p^2 + \beta q^2)} N^{\frac13}$. Furthermore, we show that there exists a significant number of factorizable key pairs $(e, N)$ that fall under our first cryptanalysis.
Secondly, we consider the security of $k$ users (i.e., multiple users) for $k \geq 2$, given the instances $(N_i, e_i)$ where $i = 1, \ldots, k$. There are two distinct cases to be considered in the second cryptanalysis. Case number one is about solving $k$ instances $(N_i, e_i)$ for a fixed integer $r < N^{\delta_1}$ satisfying $e_i r - (N_i s_i + t_i) = \alpha p_i^2 + \beta q_i^2$, where the parameter $\delta_1$ will be defined later. Similarly, case number two works on a fixed integer $s < N^{\delta_2}$ satisfying $e_i r_i - (N_i s + t_i) = \alpha p_i^2 + \beta q_i^2$, where the parameter $\delta_2$ will be defined later. In the second cryptanalysis, we convert the equations into a simultaneous Diophantine approximation problem and use lattice basis reduction techniques to obtain the parameters $(r, s_i)$ or $(s, r_i)$ in the two situations. This gives us a good estimate of $\alpha p_i^2 + \beta q_i^2$, allowing us to calculate the prime factors $p_i$ and $q_i$ of each modulus $N_i$. We further show that, in both situations, the suggested approach allows one to factor $k$ moduli of the form $N_i = p_i^2 q_i$ at the same time.
Organization of the article. We begin with a brief review of the continued fraction expansion, lattice basis reduction, and simultaneous Diophantine approximation techniques in Section 2. Section 3 shows the results and details the discussion. The first cryptanalysis is presented in Section 3.1, together with the estimation of the number of weak exponents. Following that, Section 3.2 discusses the second cryptanalysis. Examples are presented to illustrate the achieved outcomes. Section 4 compares our findings against relevant and significant previous findings with respect to their enabling conditions. Section 5 summarises our findings and suggests intriguing future work.

Mathematical Foundation
In this section, we give brief reviews on Legendre's theorem of continued fractions expansion and simultaneous Diophantine approximation via lattice reduction that will be used throughout this paper.

Continued Fraction Expansion
Let $\chi = [a_0, a_1, a_2, \ldots]$ be the continued fraction expansion of $\chi$. If $\chi$ is a rational number, then the process of listing the continued fraction expansion finishes at some finite index $n$ (i.e., $\chi = [a_0, a_1, \ldots, a_n]$). In recent years, there has been an increasing amount of work on using the continued fraction expansion, for instance [17,30], as a tool for analysing the security of public key cryptosystems. An important result on continued fractions is the following theorem, widely known as Legendre's theorem.

Theorem 1 ([31]). Suppose $\chi$ is a rational number. Let $r$ and $s$ be integers with $s \neq 0$ and $\gcd(r, s) = 1$ such that $\left|\chi - \frac{r}{s}\right| < \frac{1}{2s^2}$; then $\frac{r}{s}$ is a convergent of $\chi$.

Simultaneous Diophantine Approximations
Let $u_1, \ldots, u_d$ be $d$ linearly independent vectors of $\mathbb{R}^n$ with $d \leq n$. The set of all integer linear combinations of the vectors $u_1, \ldots, u_d$ is called a lattice, and is of the form $L = \left\{ \sum_{i=1}^{d} a_i u_i : a_i \in \mathbb{Z} \right\}$. The set $(u_1, \ldots, u_d)$ is the basis of $L$, and its dimension is $d$. The determinant of $L$ is defined as $\det(L) = \det(U^T U)$, where $U$ is the matrix of the $u_i$'s in the canonical basis of $\mathbb{R}^n$. Define the Euclidean norm of a vector $v \in L$ as $\|v\|$. Finding a short non-zero vector in $L$ is a crucial problem in lattice reduction. The LLL algorithm generates a reduced basis [32], and the following result bounds the sizes of the reduced basis vectors (see [20]).

Theorem 2 ([32]). Let $L$ be a lattice of dimension $\omega$ with a basis $\{v_1, \ldots, v_\omega\}$. The LLL algorithm produces a reduced basis $\{b_1, \ldots, b_\omega\}$ satisfying

The simultaneous Diophantine approximation problem, which is stated as follows, is one of the most significant applications of the LLL algorithm. Let $\chi_1, \ldots, \chi_n$ be $n$ real numbers, and $\varepsilon$ a real number such that $0 < \varepsilon < 1$. Dirichlet's classical theorem states that there exist integers $p_1, \ldots, p_n$ and a positive integer $q \leq \varepsilon^{-n}$ such that $|q\chi_i - p_i| < \varepsilon$ for $1 \leq i \leq n$. The LLL algorithm describes a method for finding simultaneous Diophantine approximations to rational numbers using a lattice with real entries [32]. In [33] (Appendix A), a comparable solution for a lattice with integer entries is provided.

Results and Discussion
In this section, we present our first cryptanalysis, which focuses on a single public key pair $(e, N)$ that is related via an arbitrary relation to the equation $er - (Ns + t) = \alpha p^2 + \beta q^2$, where $N = p^2 q$ and $r, s, t$ are unknown parameters.

The First Cryptanalysis
Suppose that $N = p^2 q$ with $q < p < 2q$; then $N^{\frac13}$ holds [27], unless stated otherwise, and this relation defines the integer $N$ throughout this work. Let $[x]$ be the integer closest to $x$. Let us start with the lemma below.
. Consider the following equation.
, then N can be factored in polynomial time.
Proof. Suppose that a public key pair $(e, N)$ satisfies an arbitrary equation (1) written as $er - Ns = \alpha p^2 + \beta q^2 + t$. Dividing both sides by $Nr$, we have
If the condition $\left|\frac{e}{N} - \frac{s}{r}\right| < \frac{1}{2r^2}$ holds, we can infer from Theorem 1 that $\frac{s}{r}$ is a convergent of the continued fraction expansion of $\frac{e}{N}$. Observe that this is equivalent to $r <$
This implies that
We can see from (2) that this requirement is satisfied for $r < \frac{N}{3(\alpha p^2 + \beta q^2)}$. As a result, we may deduce that $\frac{s}{r}$ is a convergent of the continued fraction expansion of $\frac{e}{N}$. Following that, we define $\Delta = er - Ns$. By Lemma 1, $\Delta$ is a satisfactory approximation of $\alpha p^2 + \beta q^2$, which implies that $\alpha\beta q = \left[\frac{\Delta^2}{4N}\right]$. It follows that $\gcd\left(\left[\frac{\Delta^2}{4N}\right], N\right) = q$, hence $p = \sqrt{N/q}$.
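Why the rounding step in the proof above recovers $q$, worked through with the proof's own symbols (this derivation is added here and is not spelled out in the original):

$$(\alpha p^2 + \beta q^2)^2 = 4\alpha\beta p^2 q^2 + (\alpha p^2 - \beta q^2)^2 = 4\alpha\beta q N + (\alpha p^2 - \beta q^2)^2,$$

since $p^2 q = N$. Writing $\Delta = er - Ns = \alpha p^2 + \beta q^2 + t$ and expanding $\Delta^2$ gives

$$\frac{\Delta^2}{4N} = \alpha\beta q + \frac{(\alpha p^2 - \beta q^2)^2}{4N} + \frac{2t(\alpha p^2 + \beta q^2) + t^2}{4N}.$$

The second term is below $\frac14$ exactly when $|\alpha p^2 - \beta q^2| < N^{\frac12}$, and the third is bounded by $\frac{|t|(\alpha p^2 + \beta q^2)}{2N}$ up to the negligible $\frac{t^2}{4N}$ part, which the bound on $|t|$ in Theorem 4 keeps far below $\frac14$; the nearest integer to $\frac{\Delta^2}{4N}$ is therefore exactly $\alpha\beta q$. The final $\gcd$ with $N = p^2 q$ returns $q$ provided $p$ does not divide $\alpha\beta$, which holds for the suitably small $\alpha, \beta$ of the theorem.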
The Uniqueness of Parameters r, s, and t for Which Theorem 4 Applies
Let us start with the following result. It proves that, given fixed integers $\alpha$ and $\beta$, the public parameter $e < N$ satisfies at most one equation $er - (Ns + t) = \alpha p^2 + \beta q^2$ where the unknown parameters $r, s$ and $t$ satisfy the conditions of Theorem 4.

The Second Cryptanalysis
In this section, we consider the security of $k$ users (i.e., multiple users) for $k \geq 2$, given the instances $(N_i, e_i)$ where $i = 1, \ldots, k$. By using the lattice basis reduction algorithm for solving simultaneous Diophantine approximation, the $k$ instances of public key pairs $(N_i, e_i)$ can be factored in polynomial time.

The Second Cryptanalysis: Case #1
Suppose that we are given $k$ instances $(N_i, e_i)$ for a fixed integer $r$, satisfying $e_i r - (N_i s_i + t_i) = \alpha p_i^2 + \beta q_i^2$. The following Theorem 6 proves that we are able to factor such moduli if the unknown parameters $r$, $s_i$, and $t_i$ satisfy the given conditions.

Theorem 6. Let $i$ be integers such that $i = 1, \ldots, k$ for $k \geq 2$. Suppose $e_i$ are $k$ public exponents and $N_i = p_i^2 q_i$ are $k$ moduli, each with the same bit-size as $N$, where $N = \min\{N_i\}$. Let $\alpha, \beta$ be suitably small integers with $\gcd(\alpha, \beta) = 1$ such that $\alpha p_i^2 + \beta q_i^2 < N^{\frac23 + \gamma}$, where $0 < \gamma < \frac13$. Define $\delta_1 = \left(\frac13 - \gamma\right)k$. If there exists a fixed integer $r < N^{\delta_1}$, $k$ integers $s_i < N^{\delta_1}$ and $|t_i| <$
satisfying the equation $e_i r - (N_i s_i + t_i) = \alpha p_i^2 + \beta q_i^2$, then the $k$ moduli of the form $N_i = p_i^2 q_i$ can be factored in polynomial time.
Proof. We rearranged the equation and divided both sides by $N_i$, obtaining the following:
To show the existence of the integers $r$ and $s_i$, let
Hence, for $i = 1, \ldots, k$, we obtain $\left|\frac{e_i}{N_i} r - s_i\right| < \varepsilon$ and $r < 2^{\frac{k(k-3)}{4}} \cdot 3^k \cdot \varepsilon^{-k}$. If the requirements of Theorem 3 are fulfilled, we will be able to calculate $r$ and $s_i$ for $i = 1, \ldots, k$.
Next, observe the equation
, then
from Lemma 1 and Theorem 4, $\Delta_i = e_i r - N_i s_i$ is an approximation of $\alpha p_i^2 + \beta q_i^2$. Hence, this implies that $\alpha\beta q_i = \left[\frac{\Delta_i^2}{4N_i}\right]$. Therefore, the $k$ moduli of the form $N_i = p_i^2 q_i$ can be factored in polynomial time.

Numerical Illustration of the Second Cryptanalysis: Case #1
As an illustration of our second cryptanalysis for Case #1, suppose we consider three pairs of public keys, as follows.
Suppose that the lattice $L$ is spanned by the following matrix:
After applying the LLL algorithm to $L$, the following matrix is obtained as a reduced basis.
According to the first row of the above matrix, we obtain $r$ = 13,521,818, $s_1$ = 10,523,085, $s_2$ = 11,523,087 and $s_3$ = 12,523,593. By applying $r$ and $s_i$ for $i = 1, 2, 3$, we define $\Delta_i = e_i r - N_i s_i$ as an approximation of $\alpha p_i^2 + \beta q_i^2$, respectively. Hence, by using Lemma 1 and Theorem 4, for each $i = 1, 2, 3$, this implies that $\alpha\beta q_i = \left[\frac{\Delta_i^2}{4N_i}\right]$ and $\gcd\left(\left[\frac{\Delta_i^2}{4N_i}\right], N_i\right) = q_i$, from which we obtain $q_1$ = 2,926,416,947, $q_2$ = 2,915,145,313, $q_3$ = 2,816,384,869. This results in the factorization of the three moduli $N_1$, $N_2$ and $N_3$ with $p_1$ = 3,584,116,567, $p_2$ = 3,570,311,711, $p_3$ = 3,449,355,491, respectively.
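The Case #1 procedure of Theorem 6 and the illustration above, as an added runnable reconstruction that is not the authors' code: it builds its own toy instances (30-bit primes, $\alpha = \beta = 1$, one 20-bit prime $r$ shared by all users, tiny $t_i$), forms the simultaneous Diophantine approximation lattice for the $e_i/N_i$, reduces it with a textbook LLL written here instead of the integer-lattice variant of [33], and recovers $q_i = \gcd([\Delta_i^2/4N_i], N_i)$. The parameter sizes, the seed and the scaling constant $C$ are assumptions chosen so that the target vector is clearly the shortest in the lattice.

```python
import random
from fractions import Fraction
from math import gcd, isqrt

def is_prime(n):                  # trial division is enough for 30-bit toy primes
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))
def next_prime(n):
    return n if is_prime(n) else next_prime(n + 1)

def make_weak_keys(k=3, seed=7):
    """Constructed toy instances with alpha = beta = 1: p_i is the prime right after
    q_i (so |p_i^2 - q_i^2| << N^(1/2)), t_i is tiny, and one 20-bit prime r is shared."""
    rng = random.Random(seed)
    r = next_prime(rng.randrange(2**19, 2**20))
    keys, secrets = [], []
    for _ in range(k):
        q = next_prime(rng.randrange(2**29, 2**30))
        p = next_prime(q + 1)
        N, t = p * p * q, rng.randrange(-500, 501)
        # pick s_i (mod r) so that r | N s_i + t_i + p^2 + q^2; e_i is the exact quotient
        s = -(p * p + q * q + t) * pow(N, -1, r) % r
        e = (N * s + t + p * p + q * q) // r
        keys.append((N, e))
        secrets.append((p, q))
    return r, keys, secrets

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; fine for a (k+1)-dimensional toy lattice."""
    n, b = len(basis), [[Fraction(x) for x in v] for v in basis]
    def gram_schmidt():
        bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bs[j]) / dot(bs[j], bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
            bs.append(v)
        return bs, mu
    (bs, mu), k = gram_schmidt(), 1
    while k < n:
        for j in range(k - 1, -1, -1):                     # size reduction
            c = round(mu[k][j])
            if c:
                b[k] = [x - c * y for x, y in zip(b[k], b[j])]
                bs, mu = gram_schmidt()
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                                         # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in v] for v in b]

def factor_case1(keys, C=2**48):
    """SDA lattice for the e_i/N_i: shortest vector is +-(r, ...), then q_i = gcd([Delta_i^2/4N_i], N_i)."""
    rows = [[1] + [-(C * e // N) for N, e in keys]]
    rows += [[0] * (i + 1) + [C] + [0] * (len(keys) - 1 - i) for i in range(len(keys))]
    r = abs(lll(rows)[0][0])
    found = []
    for N, e in keys:
        s = (e * r + N // 2) // N                          # nearest integer to e r / N
        delta = e * r - N * s
        q = gcd((delta * delta + 2 * N) // (4 * N), N)     # [Delta^2 / 4N] = alpha beta q
        p = isqrt(N // q) if 1 < q < N else 0
        found.append((p, q) if p * p * q == N else None)
    return r, found
```

Case #2 follows the same route with the roles of $e_i$ and $N_i$ swapped in the lattice (approximating $N_i/e_i$ to recover the shared $s$).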

The Second Cryptanalysis: Case #2
In this section, we consider Case #2, that is, when $k$ moduli of the form $N_i = p_i^2 q_i$ satisfy $k$ equations of the form $e_i r_i - (N_i s + t_i) = \alpha p_i^2 + \beta q_i^2$, where the parameters $r_i$, $s$, and $t_i$ are suitably small unknown parameters. This analysis is for a fixed value of $s$ instead of the fixed value of $r$ from Case #1. Thus, the following theorem looks for $k$ integers $r_i$ and a single integer $s$.

Theorem 7. Let $i$ be integers such that $i = 1, \ldots, k$ for $k \geq 2$. Suppose $e_i$ are $k$ public exponents with $\min\{e_i\} = N^\tau$ and $N_i = p_i^2 q_i$ are $k$ moduli, each with the same bit-size as $N$, where $N = \max\{N_i\}$. Let $\alpha, \beta$ be suitably small integers with $\gcd(\alpha, \beta) = 1$ such that
If there exists a fixed integer $s < N^{\delta_2}$ and $k$ integers
satisfying the equation $e_i r_i - (N_i s + t_i) = \alpha p_i^2 + \beta q_i^2$, then the $k$ moduli of the form $N_i = p_i^2 q_i$ can be factored in polynomial time.
Proof. Let $e_i$ be $k$ public exponents with $\min\{e_i\} = N^\tau$ and
Consider the equation
Rearranging the equation and dividing both sides by $e_i$, we have the following:
We now continue to demonstrate the existence of the integers $r_i$ and $s$. Let $\varepsilon = 2N^{\frac23 + \gamma - \tau}$.
It follows that if $s < N^{\delta_2}$, then $s < 2^{\frac{k(k-3)}{4}} \cdot 3^k \cdot \varepsilon^{-k}$. Next, for $i = 1, \ldots, k$, we have $\left|\frac{N_i}{e_i} s - r_i\right| < \varepsilon$ and $s < 2^{\frac{k(k-3)}{4}} \cdot 3^k \cdot \varepsilon^{-k}$. If the conditions of Theorem 3 are fulfilled, we will find $s$ and $r_i$. Next, by rearranging the equation $e_i r_i - (N_i s + t_i) = \alpha p_i^2 + \beta q_i^2$, observe the following equation:
hence, using Lemma 1 and Theorem 4 confirms that $\Delta_i = e_i r_i - N_i s$ is an approximation of $\alpha p_i^2 + \beta q_i^2$, which implies that $\alpha\beta q_i = \left[\frac{\Delta_i^2}{4N_i}\right]$; hence $N_i = p_i^2 q_i$ can be factored in polynomial time.

Numerical Illustration of the Second Cryptanalysis: Case #2
It should be noted that the numerical illustration can be accomplished in a similar manner, with a slight adjustment from Case #1. We consider three moduli and three public exponents to show our second cryptanalysis for Case #2, as follows.

Comparative Analysis
In this section, we compare our findings against previous findings of security analysis related to $N = p^2 q$ concerning the form of the modified key equations and their conditions. The comparisons are illustrated in Table 2.
From Table 2, based on the references given (i.e., [25–27,34,35]), we can see that all five earlier findings are a type of cryptanalysis zoomed in on a generalized Diophantine equation of the form $eX - NY = Z$ for suitable integers $X, Y, Z$. These five findings had to dictate conditions upon the key pairs $(e, N)$ and their corresponding generalized parameters. All of the mentioned attacks usually combine the continued fraction method with a lattice reduction technique such as Coppersmith's method [15], or utilize Jochemsz and May's strategy [29], to formulate a new strategy for factoring $N$.

Table 2 (columns: Reference; Utilized Key Equations; Enabling Conditions). Rows: [27], $ed - k(N - (p^2 + pq - p)) = 1$; our result, $er - (Ns + t) = \alpha p^2 + \beta q^2$; our result, $e_i r - (N_i s_i + t_i) = \alpha p_i^2 + \beta q_i^2$ and $e_i r_i - (N_i s + t_i) = \alpha p_i^2 + \beta q_i^2$.
The above collection depicts the progress of cryptanalysis efforts over time. To continue the research, more generalized key equations might be provided to emphasize the technique for factoring $N = p^2 q$ in polynomial time. Hence, this paper presents two new cryptanalyses that depend on an arbitrary Diophantine key equation, which differ from earlier studies.
There are two different results of cryptanalysis of the modulus $N = p^2 q$ presented in this paper, which are briefly summarized in Table 2. As a consequence, our strategy enables us to factor $N = p^2 q$ for a collection of weak keys with the requirements specified in Theorems 4, 6 and 7, respectively. Thus, our results are novel and essential. The conditions upon our parameters cannot be compared with the conditions upon the parameters of earlier results. This is because the proposed results form another addition to the not-to-do list for the key generation process, guaranteeing that crypto-designers or implementers do not unknowingly construct a weak key.

Conclusions and Future Work
The modulus of type $N = p^2 q$ is often used in many variants of factoring-based public-key encryption because it speeds up the decryption process. Faster decryption is very suitable for securing small devices in the IoT environment or securing fast-forwarding encryption services used in mobile applications. Taking this into account, the security of those devices is paramount. Finally, two new cryptanalyses of the modulus $N = p^2 q$ were presented. This study focused on two cryptanalyses that use new enabling conditions to factor the modulus $N = p^2 q$ of the factoring-based cryptosystem. The first cryptanalysis considered a single user with a public key pair $(e, N)$ related via an arbitrary relation to the equation $er - (Ns + t) = \alpha p^2 + \beta q^2$, where $r, s, t$ are unknown parameters. The second cryptanalysis considered two distinct cases in the situation of $k$ users (i.e., multiple users) for $k \geq 2$, given the instances $(N_i, e_i)$ where $i = 1, \ldots, k$. By using the lattice basis reduction algorithm for solving simultaneous Diophantine approximation, the $k$ instances $(N_i, e_i)$ can be successfully factored in polynomial time.
It was proven that a probabilistic polynomial-time algorithm exists that takes public parameters as an input and returns the factors p and q. Hence, we executed the procedure to see if the key belonged to the weak class. The proposed results may be helpful during key generation to avoid creating a weak key by accident. This study revealed specific flaws in the relaxed model using faulty public variables and limited parameter selection. These flaws do not compromise the factoring-based cryptosystem's security. Nevertheless, our findings can help uncover possible flaws and better understand the underlying mathematics and parameter choices.
Future work. Given the resource constraints associated with various IoT devices, cryptographic solutions in this environment must be resilient while remaining practical, posing a challenge for security analysts and crypto designers. Therefore, other generalized key equations can be presented in the future to demonstrate how to recover the prime factors $p$ and $q$ in polynomial time. It would be splendid if a small private exponent could reduce the encryption and decryption time. Under partial key exposure attacks, future researchers can analyze the RSA variant's security when the prime factors $p$ and $q$ share many LSBs or MSBs. There are other schemes one might be interested in, using a small private exponent that can be employed to recover the prime factors $p$ and $q$ in polynomial time, such as [27,28].

Conflicts of Interest:
The authors declare no conflicts of interest.

Abbreviations and Mathematical Symbols
The following abbreviations and mathematical symbols are used in this manuscript: