# New Jochemsz–May Cryptanalytic Bound for RSA System Utilizing Common Modulus $N=p^{2}q$


## Abstract


## 1. Introduction

**Our contribution:**

## 2. Materials and Methods

#### 2.1. Lattices

**Theorem 1.**

**Theorem 2.**

**Assumption 1.**

#### 2.2. Approximation of Size of Primes in Modulus

**Lemma 1.**

**Lemma 2.**

#### 2.3. Prime Sharing LSBs on the Modulus $N=pq$

**Lemma 3.**

**Proof.**

#### 2.4. Prime Sharing LSBs on the Modulus $N=p^{2}q$

**Lemma 4.**

**Proof.**

## 3. Our New Attack

**Theorem 3.**

**Proof.**

## 4. Comparison with the Previous Attacks

**Corollary 1.**

**Remark 1.**

## 5. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## Appendix A

**Proof of Lemma 4.**

## Appendix B

**Proof of Theorem 3.**

- $\max(e_{1},e_{2})=N^{\gamma}$
- $\max(d_{1},d_{2})<N^{\delta}$
- $|d_{1}-d_{2}|<X_{1}=N^{\beta}$
- $k_{1}=\frac{e_{1}d_{1}-1}{\varphi(N)}<X_{2}=N^{\gamma+\delta-1}$
- $k_{2}=\frac{e_{2}d_{2}-1}{\varphi(N)}<X_{3}=N^{\gamma+\delta-1}$
- $p-q=2^{m}u$ with $2^{m}\approx N^{\alpha}$ and $\alpha<\frac{2}{9}$.
- $p^{2}+pq-p=2^{3m}s+s_{0}-v$ with
  - $s=\frac{p^{2}+pq-p-s_{0}+v}{2^{3m}}<X_{4}=N^{2/3-3\alpha}$,
  - $v=2^{3m}s+s_{0}-(p^{2}+pq-p)<X_{5}=N^{2/3}$
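A constructed toy instance of the parameter set listed above, added here as an illustration and not taken from the paper: it generates small primes $p$ and $q$ sharing their $m$ least significant bits, forms $N=p^{2}q$ with $\varphi(N)=p(p-1)(q-1)=N-(p^{2}+pq-p)$, builds two key pairs whose private exponents $d_{1},d_{2}$ are close, and reports $\gamma,\delta,\beta,\alpha$ together with $k_{1},k_{2}$ and the size checks from the list. The bit sizes, the seed and the helper names are the example's own choices; the split of $p^{2}+pq-p$ into $2^{3m}s+s_{0}-v$ (Lemma 4) is not reproduced.

```python
"""
Constructed toy instance of the two-key-pair setting in Appendix B: common
modulus N = p^2 q, primes p and q sharing m least significant bits, and two
private exponents d1, d2 close to each other.  Sizes are far below real key
sizes so it runs instantly with only the standard library.
"""
import math
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test, trial division by small primes first."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def lsb_sharing_primes(bits: int, m: int, rng: random.Random):
    """Primes p > q of `bits` bits with p - q = 2^m * u, i.e. sharing m LSBs."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4000):
            u = rng.randrange(1, 1 << (bits - m - 2))
            p = q + (u << m)
            if p.bit_length() == bits and is_probable_prime(p):
                return p, q


def make_instance(bits: int = 64, m: int = 12, delta_bits: int = 24, seed: int = 1) -> dict:
    """N = p^2 q with LSB-sharing primes and two nearby private exponents (toy sizes)."""
    rng = random.Random(seed)
    p, q = lsb_sharing_primes(bits, m, rng)
    N = p * p * q
    # phi(p^2 q) = p(p-1)(q-1) = N - (p^2 + pq - p); the bracket is the quantity
    # Appendix B writes as 2^{3m} s + s_0 - v (that split is not reproduced here).
    phi = N - (p * p + p * q - p)
    while True:
        d1 = rng.getrandbits(delta_bits) | (1 << (delta_bits - 1)) | 1
        d2 = d1 + 2 * rng.randrange(1, 1 << (delta_bits // 2))  # close to d1, still odd
        if math.gcd(d1, phi) == 1 and math.gcd(d2, phi) == 1:
            break
    return {"p": p, "q": q, "m": m, "N": N, "phi": phi,
            "d1": d1, "d2": d2, "e1": pow(d1, -1, phi), "e2": pow(d2, -1, phi)}


def log_n(x: int, N: int) -> float:
    """Exponent t with x = N^t (math.log accepts arbitrarily large ints)."""
    return math.log(x) / math.log(N)


def appendix_b_parameters(inst: dict, slack: float = 0.01) -> dict:
    """gamma, delta, beta, alpha, k1, k2 and the size checks of Appendix B."""
    N, phi, p, q, m = (inst[k] for k in ("N", "phi", "p", "q", "m"))
    e1, e2, d1, d2 = (inst[k] for k in ("e1", "e2", "d1", "d2"))
    k1, r1 = divmod(e1 * d1 - 1, phi)
    k2, r2 = divmod(e2 * d2 - 1, phi)
    gamma = log_n(max(e1, e2), N)
    delta = log_n(max(d1, d2), N)
    beta = log_n(abs(d1 - d2), N)
    alpha = log_n(1 << m, N)
    checks = {
        "key_equations": r1 == 0 and r2 == 0,          # e_i d_i - 1 = k_i phi(N)
        "shared_lsbs": (p - q) % (1 << m) == 0,
        # p == q (mod 2^m) gives N = p^2 q == q^3 (mod 2^m): the shared low bits
        # show up in N itself (plain algebra, not the page's Lemma 4).
        "N_is_cube_mod_2m": N % (1 << m) == pow(q, 3, 1 << m),
        "alpha_lt_2_9": alpha < 2 / 9,
        # k_i < N^{gamma+delta-1} holds up to the factor N/phi(N) = 1 + O(N^{-1/3}),
        # which the asymptotic bound absorbs; compare exponents with a small slack.
        "k1_bound": log_n(k1, N) <= gamma + delta - 1 + slack,
        "k2_bound": log_n(k2, N) <= gamma + delta - 1 + slack,
    }
    return {"gamma": gamma, "delta": delta, "beta": beta, "alpha": alpha,
            "k1": k1, "k2": k2, "checks": checks}


if __name__ == "__main__":
    inst = make_instance()
    res = appendix_b_parameters(inst)
    print({k: round(v, 3) for k, v in res.items() if isinstance(v, float)})
    print(res["checks"])
```

Because the private exponents are chosen first, the public exponents are full-size inverses and $\gamma$ comes out close to 1; the smaller values of $\gamma$ in the Section 4 table correspond to choosing $e$ first. Whatever the choice, a valid key pair has $e_{i}d_{i}>\varphi(N)$, so $k_{i}\ge 1$ forces $\gamma+\delta\ge 1$ up to the same $N/\varphi(N)$ factor the check above allows for.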

## Appendix C

**Remark A1.**

1 | ${\mathit{x}}_{3}$ | ${\mathit{x}}_{3}{\mathit{x}}_{5}$ | ${\mathit{x}}_{3}{\mathit{x}}_{4}$ | ${\mathit{x}}_{3}^{2}$ | ${\mathit{x}}_{3}^{2}{\mathit{x}}_{5}$ | ${\mathit{x}}_{3}^{2}{\mathit{x}}_{5}^{2}$ | ${\mathit{x}}_{3}^{2}{\mathit{x}}_{4}$ | ${\mathit{x}}_{3}^{2}{\mathit{x}}_{4}{\mathit{x}}_{5}$ | ${\mathit{x}}_{3}^{2}{\mathit{x}}_{4}^{2}$ | ${\mathit{x}}_{2}$ | ${\mathit{x}}_{2}{\mathit{x}}_{5}$ | ${\mathit{x}}_{2}{\mathit{x}}_{4}$ | ${\mathit{x}}_{2}{\mathit{x}}_{3}$ | ${\mathit{x}}_{2}{\mathit{x}}_{3}{\mathit{x}}_{5}$ | ${\mathit{x}}_{2}{\mathit{x}}_{3}{\mathit{x}}_{5}^{2}$ | ${\mathit{x}}_{2}{\mathit{x}}_{3}{\mathit{x}}_{4}$ | ${\mathit{x}}_{2}{\mathit{x}}_{3}{\mathit{x}}_{4}{\mathit{x}}_{5}$ | ${\mathit{x}}_{2}{\mathit{x}}_{3}{\mathit{x}}_{4}^{2}$ | ${\mathit{x}}_{2}^{2}$ | ${\mathit{x}}_{2}^{2}{\mathit{x}}_{5}$ | ${\mathit{x}}_{2}^{2}{\mathit{x}}_{5}^{2}$ | ${\mathit{x}}_{2}^{2}{\mathit{x}}_{4}$ | ${\mathit{x}}_{2}^{2}{\mathit{x}}_{4}{\mathit{x}}_{5}$ | ${\mathit{x}}_{2}^{2}{\mathit{x}}_{4}^{2}$ | ${\mathit{x}}_{1}$ | ${\mathit{x}}_{1}{\mathit{x}}_{3}$ | ${\mathit{x}}_{1}{\mathit{x}}_{3}{\mathit{x}}_{5}$ | ${\mathit{x}}_{1}{\mathit{x}}_{3}{\mathit{x}}_{4}$ | ${\mathit{x}}_{1}{\mathit{x}}_{2}$ | ${\mathit{x}}_{1}{\mathit{x}}_{2}{\mathit{x}}_{5}$ | ${\mathit{x}}_{1}{\mathit{x}}_{2}{\mathit{x}}_{4}$ | ${\mathit{x}}_{1}^{2}$ | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
${g}_{0,0,0,0,0}$ | A | ** | ** | ** | ** | ** | ** | ** | |||||||||||||||||||||||||
${g}_{0,0,1,0,0}$ | A | ** | ** | ** | ** | ** | ** | ** | |||||||||||||||||||||||||
${g}_{0,0,1,0,1}$ | A | ** | ** | ** | ** | ** | ** | ** | |||||||||||||||||||||||||
${g}_{0,0,1,1,0}$ | A | ** | ** | ** | ** | ** | ** | ** | |||||||||||||||||||||||||
${g}_{0,0,2,0,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,0,2,0,1}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,0,2,0,2}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,0,2,1,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,0,2,1,1}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,0,2,2,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,1,0,0,0}$ | A | ** | ** | ** | ** | ** | ** | ** | |||||||||||||||||||||||||
${g}_{0,1,0,0,1}$ | A | ** | ** | ** | ** | ** | ** | ** | |||||||||||||||||||||||||
${g}_{0,1,0,1,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,1,1,0,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,1,1,0,1}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,1,1,0,2}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,1,1,1,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,1,1,1,1}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,1,1,2,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,2,0,0,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,2,0,0,1}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,2,0,0,2}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,2,0,1,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,2,0,1,1}$ | B | ||||||||||||||||||||||||||||||||
${g}_{0,2,0,2,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{1,0,0,0,0}$ | A | ** | ** | ** | ** | ** | ** | ** | |||||||||||||||||||||||||
${g}_{1,0,1,0,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{1,0,1,0,1}$ | B | ||||||||||||||||||||||||||||||||
${g}_{1,0,1,1,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{1,1,0,0,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{1,1,0,0,1}$ | B | ||||||||||||||||||||||||||||||||
${g}_{1,1,0,1,0}$ | B | ||||||||||||||||||||||||||||||||
${g}_{2,0,0,0,0}$ | B |

## References

1. Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM **1978**, 21, 120–126.
2. Wiener, M.J. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory **1990**, 36, 553–558.
3. Boneh, D.; Durfee, G. Cryptanalysis of RSA with private key $d$ less than $N^{0.292}$. IEEE Trans. Inf. Theory **2000**, 46, 1339–1349.
4. Coppersmith, D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. **1997**, 10, 233–260.
5. Hinek, M.J. Multi-Prime RSA. In Cryptanalysis of RSA and Its Variants; CRC Press: London, UK; New York, NY, USA, 2010; p. 155.
6. Takagi, T. A fast RSA-type public-key primitive modulo $p^{k}q$ using Hensel lifting. IEICE Trans. **2004**, 87, 94–101.
7. Ariffin, M.R.K.; Asbullah, M.A.; Abu, N.A.; Mahad, Z. A new efficient asymmetric cryptosystem based on the integer factorization problem of $N=p^{2}q$. MJMS **2013**, 10, 19–37.
8. Asbullah, M.A.; Ariffin, M.R.K. Design of Rabin-like cryptosystem without decryption failure. MJMS **2016**, 10, 1–18.
9. Boneh, D.; Durfee, G.; Howgrave-Graham, N. Factoring $N=p^{r}q$ for large $r$. In Annual International Cryptology Conference (CRYPTO); Springer: Berlin/Heidelberg, Germany, 1999; pp. 326–337.
10. May, A. Secret exponent attacks on RSA-type schemes with moduli $N=p^{r}q$. In International Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2004; pp. 218–230.
11. Sarkar, S. Small secret exponent attack on RSA variant with modulus $N=p^{r}q$. Des. Codes Cryptogr. **2014**, 73, 383–392.
12. Lu, Y.; Zhang, R.; Peng, L.; Lin, D. Solving linear equations modulo unknown divisors: Revisited. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2015; pp. 189–213.
13. Boneh, D.; Durfee, G.; Frankel, Y. An attack on RSA given a small fraction of the private key bits. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 1998; pp. 25–34.
14. Sun, H.M.; Wu, M.E.; Steinfeld, R.; Guo, J.; Wang, H. Cryptanalysis of short exponent RSA with primes sharing least significant bits. In International Conference on Cryptology and Network Security; Springer: Berlin/Heidelberg, Germany, 2008; pp. 49–63.
15. Zhao, Y.D.; Qi, W.F. Small private-exponent attack on RSA with primes sharing bits. In International Conference on Information Security; Springer: Berlin/Heidelberg, Germany, 2007; pp. 221–229.
16. Nitaj, A.; Ariffin, M.R.K.; Nassr, D.I.; Bahig, H.M. New attacks on the RSA cryptosystem. In International Conference on Cryptology in Africa; Springer: Cham, Switzerland, 2014; pp. 178–198.
17. Lenstra, A.K.; Lenstra, H.W.; Lovász, L. Factoring polynomials with rational coefficients. Math. Ann. **1982**, 261, 515–534.
18. Howgrave-Graham, N. Finding small roots of univariate modular equations revisited. In IMA International Conference on Cryptography and Coding; Springer: Berlin/Heidelberg, Germany, 1997; pp. 131–142.
19. Jochemsz, E.; May, A. A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2006; pp. 267–282.
20. Asbullah, M.A.; Ariffin, M.R.K. New attacks on RSA with modulus $N=p^{2}q$ using continued fractions. J. Phys. Conf. Ser. **2015**, 622, 191–199.
21. Zhang, L.; Huang, T.; Hu, X.; Zhang, Z.; Wang, W.; Guan, D.; Zhao, C.; Kim, S. A distributed covert channel of the packet ordering enhancement model based on data compression. Comput. Mater. Contin. **2020**, 64, 2013–2030.
22. Zhang, L.; Peng, M.; Wang, W.; Cui, S.; Kim, S. Secure and efficient data storage and sharing scheme based on double blockchain. Comput. Mater. Contin. **2021**, 66, 499–515.

Former Attack | Bound | Method
---|---|---
[12] | $d<N^{\frac{r(r-1)}{(r+1)^{2}}}$, i.e. $d<N^{0.22}$ for $r=2$ | New proposed algorithm
[10] | $d<N^{\max\left\{\frac{r}{(r+1)^{2}},\frac{(r-1)^{2}}{(r+1)^{2}}\right\}}$, i.e. $d<N^{0.22}$ for $r=2$ | Coppersmith's method
[11] | $d<N^{0.39}$ | Lattice reduction

$\gamma=\log_{N}(e)$ | $\gamma=0.7$ | $\gamma=0.6$ | $\gamma=0.5$ | $\gamma=0.4$ | $\gamma=0.3$
---|---|---|---|---|---
Bound of $\delta$ | | | | |
[12] | 0.22 | 0.22 | 0.22 | 0.22 | 0.22
[10] | 0.22 | 0.22 | 0.22 | 0.22 | 0.22
[11] | 0.39 | 0.39 | 0.39 | 0.39 | 0.39
Our bound in Corollary 1 | 0.21 | 0.29 | 0.36 | 0.43 | 0.51


© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Adenan, N.N.H.; Kamel Ariffin, M.R.; Sapar, S.H.; Abd Ghafar, A.H.; Asbullah, M.A.
New Jochemsz–May Cryptanalytic Bound for RSA System Utilizing Common Modulus *N* = *p*^{2}*q*. *Mathematics* **2021**, *9*, 340.
https://doi.org/10.3390/math9040340
