Article

Partial Exposure Attacks Against a Family of RSA-like Cryptosystems

by George Teşeleanu 1,2
1 Advanced Technologies Institute, 10 Dinu Vintilă, 021101 Bucharest, Romania
2 Simion Stoilow Institute of Mathematics of the Romanian Academy, 21 Calea Grivitei, 010702 Bucharest, Romania
Cryptography 2025, 9(1), 2; https://doi.org/10.3390/cryptography9010002
Submission received: 22 November 2024 / Revised: 23 December 2024 / Accepted: 26 December 2024 / Published: 28 December 2024

Abstract

An RSA generalization using complex integers was introduced by Elkamchouchi, Elshenawy and Shaban in 2002. This scheme was further extended by Cotan and Teșeleanu to Galois fields of order $n \ge 1$. In this generalized framework, the key equation is $ed - k(p^n - 1)(q^n - 1) = 1$, where $p$ and $q$ are prime numbers. Note that the classical RSA and Elkamchouchi et al.’s key equations are special cases, namely, when $n = 1$ and $n = 2$. In addition to introducing this generic family, Cotan and Teșeleanu described a continued fractions attack capable of recovering the secret key $d$ if $d < N^{0.25n}$. This bound was later improved by Teșeleanu using a lattice-based method. In this paper, we explore other lattice attacks that could lead to factoring the modulus $N = pq$, namely, we propose a series of partial exposure attacks that can aid an adversary in breaking this family of cryptosystems if certain conditions hold.

1. Introduction

The RSA, one of the most widely used cryptosystems, was introduced by Rivest, Shamir and Adleman in their 1978 paper [1]. The classical RSA scheme works using elements from the group $\mathbb{Z}_N^*$, where $N$ is the product of two large prime numbers $p$ and $q$. More precisely, to encrypt an element $m \in \mathbb{Z}_N^*$, we have to compute the ciphertext $c \equiv m^e \bmod N$, where $e$ satisfies $\gcd(e, \varphi(N)) = 1$ and $\varphi(N) = (p-1)(q-1)$. To recover the original element, we simply compute $m \equiv c^d \bmod N$, where $d \equiv e^{-1} \bmod \varphi(N)$. The user’s public key is $(N, e)$, while $(p, q, d)$ constitutes its secret key. In this paper, we focus only on primes that satisfy $q < p < 2q$ (i.e., have the same bit size), further referred to as balanced primes.
Over time, various attacks were developed to extract the secret key $d$ from the public key $(N, e)$ under certain conditions. Wiener proved in [2] that if $d < N^{0.25}/3$, the secret key $d$ can be recovered from the continued fraction expansion of $e/N$, hence enabling the factorization of $N$. Boneh and Durfee [3] improved this bound to $d < N^{0.292}$ using Coppersmith’s method [4] and lattice-reduction techniques [5]. Herrmann and May [6] later achieved the same bound with simpler methods. For an overview of RSA attacks, see [7,8,9].
Elkamchouchi, Elshenawy and Shaban [10] extended the RSA scheme to the ring of Gaussian integers modulo $N$. Such an integer modulo $N$ has the form $a + bi$, where $a, b \in \mathbb{Z}_N$ and $i^2 = -1$. The set of all Gaussian integers modulo $N$ is denoted by $\mathbb{Z}_N[i]$, and its group order is $\phi(N) = (p^2 - 1)(q^2 - 1)$. In this case, the encryption exponent $e$ satisfies $\gcd(e, \phi(N)) = 1$, and the decryption exponent $d$ is computed using $d \equiv e^{-1} \bmod \phi(N)$. The encryption and decryption processes mirror those of the RSA: for $m \in \mathbb{Z}_N[i]$, the ciphertext is $c \equiv m^e \bmod N$, and to recover $m$, we compute $m \equiv c^d \bmod N$. Note that all operations are performed in the ring $\mathbb{Z}_N[i]$.
Elkamchouchi et al. [10] argued that their extension has better security compared with the traditional RSA. However, Bunder [11] developed a Wiener-type continued fraction attack against this scheme. Using lattice-reduction techniques, the authors of [12,13] improved the bound to $d < N^{0.585}$. For more details on attacks against Elkamchouchi et al.’s scheme, see [9,14].
The rings $\mathbb{Z}_p$ and $\mathbb{Z}_p[i]$ can be rewritten as $\mathbb{Z}_p = \mathbb{Z}_p[t]/(t+1) = GF(p)$ and $\mathbb{Z}_p[i] = \mathbb{Z}_p[t]/(t^2+1) = GF(p^2)$, where $GF$ stands for a Galois field. Consequently, the underlying RSA group is $\mathbb{Z}_N = GF(p) \times GF(q)$, while in Elkamchouchi et al.’s case, it is $\mathbb{Z}_N[i] = GF(p^2) \times GF(q^2)$. Using these observations, Cotan and Teşeleanu [14] generalized both schemes to $GF(p^n) \times GF(q^n)$ for $n \ge 1$. In this case, the group order is $\varphi_n(N) = (p^n - 1)(q^n - 1)$, while the encryption and decryption algorithms are direct extensions of the RSA and Elkamchouchi et al.’s algorithm.
The motivation for this extension was to evaluate whether Wiener-type attacks apply to the generic setting. The authors of [14] proved that when $d < N^{0.25n}$, a continued fractions attack can always recover the secret exponent, regardless of $n$. This result was extended to unbalanced primes in [15]. The development of a lattice-based attack was left open in [14,15], but it was subsequently resolved in [16], thus leading to a better attack bound.

1.1. Related Work

It is worth noting that our current undertaking shares similarities with the work of [17], where the authors explored a cryptographic system closely related to our own. Specifically, they studied the effect of using lattices against the generalized Murru–Saettone cryptosystem [18].

1.2. Our Contributions

In this paper, we develop several lattice-based attacks against Cotan and Teșeleanu’s scheme, thus providing deeper insights into the inner workings of this family. More precisely, we prove that it is possible to factor N if d is smaller than a given threshold and the attacker has knowledge of one of the following:
  • The least significant bits of d;
  • An approximation of p;
  • That the prime difference $|p - q|$ is small;
  • That the primes share an amount of least significant bits.
To establish these results, we first prove that $\varphi_n(N)$ can be expressed as a polynomial in $p + q - M$ for a given integer $M$. Next, we show how to reduce each problem to solving an equation of the form $xH(y) + 1 \equiv 0 \bmod e$, where $H(y)$ is a monic univariate polynomial. Therefore, this allows us to apply Kunihiro’s method for solving such equations [19].

1.3. Structure of the Paper

Preliminary notions are provided in Section 2. In Section 3, we reevaluate the previous result about the group’s order, while in Section 4, we describe a series of attacks. We conclude our paper in Section 5.

2. Preliminaries

2.1. Notations

Throughout this paper, λ denotes a security parameter. Also, the notation | S | denotes the cardinality of a set S. We use ≃ to indicate that two values are approximately equal.

2.2. Quotient Groups

In this section, we provide the group theory needed to introduce the RSA-like family. Therefore, let $(\mathbb{F}, +, \cdot)$ be a field and $t^n - r$ an irreducible polynomial in $\mathbb{F}[t]$. Then,
$$A_n = \mathbb{F}[t]/(t^n - r) = \{a_0 + a_1 t + \dots + a_{n-1} t^{n-1} \mid a_0, a_1, \dots, a_{n-1} \in \mathbb{F}\}$$
is the corresponding quotient field. Let $a(t), b(t) \in A_n$. We remark that the quotient field induces a natural product:
$$a(t) \circ b(t) = \sum_{i=0}^{n-2} \left( \sum_{j=0}^{i} a_j b_{i-j} + r \sum_{j=0}^{i+n} a_j b_{i-j+n} \right) t^i + \sum_{j=0}^{n-1} a_j b_{n-1-j}\, t^{n-1}.$$

2.3. RSA-like Cryptosystems

Let $p$ be a prime number. When we instantiate $\mathbb{F} = \mathbb{Z}_p$, we have that $A_n = GF(p^n)$ is the Galois field of order $p^n$. Moreover, $A_n^*$ is a cyclic group of order $\varphi_n(\mathbb{Z}_p) = p^n - 1$. We remark that a theorem analogous to Fermat’s little theorem holds:
$$a(t)^{\varphi_n(\mathbb{Z}_p)} \equiv 1 \bmod p,$$
where $a(t) \in A_n^*$ and the power is evaluated by ∘-multiplying $a(t)$ by itself $\varphi_n(\mathbb{Z}_p) - 1$ times. Based on these observations, the authors of [14] built an encryption scheme that is similar to the RSA by using the ∘ operation as the product.
  • Setup($\lambda$): Let $n \ge 1$ be an integer. Randomly generate two distinct large prime numbers $p$ and $q$ such that $p, q \ge 2^{\lambda}$ and compute their product $N = pq$. Select $r \in \mathbb{Z}_N$ such that the polynomial $t^n - r$ is irreducible in $\mathbb{Z}_p[t]$ and $\mathbb{Z}_q[t]$. Let
    $$\varphi_n(\mathbb{Z}_N) = \varphi_n(N) = (p^n - 1) \cdot (q^n - 1).$$
    Choose an integer $e$ such that $\gcd(e, \varphi_n(N)) = 1$ and compute $d$ such that $ed \equiv 1 \bmod \varphi_n(N)$. Output the public key $pk = (n, N, r, e)$. The corresponding secret key is $sk = (p, q, d)$.
  • Encrypt($pk, m$): To encrypt a message $m = (m_0, \dots, m_{n-1}) \in \mathbb{Z}_N^n$, first construct the polynomial $m(t) = m_0 + \dots + m_{n-1} t^{n-1} \in A_n^*$, and then compute $c(t) \equiv [m(t)]^e \bmod N$. Output the ciphertext $c(t)$.
  • Decrypt($sk, c(t)$): To recover the message, simply compute $m(t) \equiv [c(t)]^d \bmod N$ and reassemble $m = (m_0, \dots, m_{n-1})$.
Remark 1.
When $n = 1$, we obtain the RSA scheme [1]. Also, when $n = 2$, we obtain the Elkamchouchi et al. cryptosystem [10].

2.4. Useful Lemmas

The results presented in this section serve as a foundation for devising our novel attacks on the RSA-like family from Section 4. Hence, we first provide some results about $p$ and $q$. The first one contains lower and upper bounds for $p$ and $q$ (see [20], Lemma 1).
Lemma 1.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then, the following property holds:
$$\frac{\sqrt{2}}{2}\sqrt{N} < q < \sqrt{N} < p < \sqrt{2}\sqrt{N}.$$
If an approximation of $p$ is known, an approximation of $q$ can be derived using the following result from [21].
Lemma 2.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Let $p_0$ be an approximation of $p$ such that $|p - p_0| < N^{\varepsilon}$. Then, $q_0 = N/p_0$ is an approximation of $q$ such that
$$|q - q_0| < N^{\varepsilon} \quad \text{and} \quad |p + q - p_0 - q_0| < 2N^{\varepsilon}.$$
When $p - q = 2^s u$, with $s$ known and $u$ unknown, the following result from [22,23] allows us to determine the $s$ least significant bits of both $p$ and $q$. Additionally, it enables the recovery of the $2s$ least significant bits of $p + q$.
Lemma 3.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Let $p - q = 2^s u$ with a known $s$ and an unknown $u$. We define $u_0$ as a solution of $x^2 \equiv N \bmod 2^s$ and
$$v_0 \equiv 2u_0 + (N - u_0^2)\, u_0^{-1} \bmod 2^{2s}.$$
Then, $p = p_1 \cdot 2^s + u_0$, $q = q_1 \cdot 2^s + u_0$ and $p + q = v_1 \cdot 2^{2s} + v_0$ for some integers $p_1$, $q_1$ and $v_1$.
We further provide a series of results concerning $\varphi_n$. The following bounds for $\varphi_n(N)$, provided in [14] (Corollary 1), imply that $\varphi_n(N)$ can be approximated by $N^n$.
Corollary 1.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then, the following property holds:
$$\left(\sqrt{N}^{\,n} - 1\right)^2 > \varphi_n(N) > N^n \left(1 - \frac{2^n + 1}{\sqrt{2N}^{\,n}}\right) + 1.$$
The next two results are proved in [16] and show that $\varphi_n$ can be written as a polynomial in $p + q$ and that its coefficients can be computed using only $N$ and $n$.
Proposition 1.
Let $N$ be a positive integer. Then, for any integer $n \ge 1$, the following property holds:
$$\varphi_n(N) = -(p + q)^n + \sum_{k=0}^{n-1} a_k (p + q)^k,$$
where $a_k \in \mathbb{Z}$.
Lemma 4.
Let $N = pq$ and $S = p + q$ be two positive integers. Then, for any integer $n \ge 2$, the following property holds:
$$\varphi_n(N) = (N^{n-1} + 1)(N - S + 1) + S\varphi_{n-1}(N) - N\varphi_{n-2}(N),$$
where $\varphi_0(N) = 0$ and $\varphi_1(N) = N - S + 1$.

2.5. Finding Small Roots

In this section, we outline some tools used for solving the problem of finding small roots, both in the modular and integer cases.
Coppersmith [4,24,25] provided rigorous techniques for computing small integer roots of single-variable polynomials modulo an integer, as well as bivariate polynomials over the integers. In the case of modular roots, Coppersmith’s ideas were reinterpreted by Howgrave–Graham [26]. We further provide the Howgrave–Graham result.
Theorem 1.
Let $f(x_1, \dots, x_n) = \sum a_{i_1 \dots i_n} x_1^{i_1} \cdots x_n^{i_n} \in \mathbb{Z}[x_1, \dots, x_n]$ be a polynomial with at most $\omega$ monomials, $\alpha$ be an integer, and
$$\|f(x_1, \dots, x_n)\| = \sqrt{\sum |a_{i_1 \dots i_n}|^2}$$
be the norm of $f$. Suppose that
  • $f(y_1, \dots, y_n) \equiv 0 \bmod \alpha$ for some $|y_1| < X_1, \dots, |y_n| < X_n$;
  • $\|f(y_1 X_1, \dots, y_n X_n)\| < \alpha / \sqrt{\omega}$.
Then, $f(y_1, \dots, y_n) = 0$ holds over the integers.
Lenstra, Lenstra and Lovász [5] proposed a lattice-reduction algorithm (LLL) that is widely used in cryptanalysis and is typically combined with Howgrave–Graham’s lemma. We further provide the version presented in [27,28].
Theorem 2.
Let $L$ be a lattice of dimension $\omega$. In polynomial time, the LLL algorithm outputs a reduced basis $(b_1, \dots, b_\omega)$ that satisfies
$$\|b_1\| \le \dots \le \|b_i\| \le 2^{\frac{\omega(\omega-1)}{4(\omega+1-i)}} \det(L)^{\frac{1}{\omega+1-i}},$$
where $\det(L)$ is the determinant of lattice $L$.
Note that the condition
$$2^{\frac{\omega(\omega-1)}{4(\omega+1-i)}} \det(L)^{\frac{1}{\omega+1-i}} < \alpha / \sqrt{\omega}$$
implies that the polynomials corresponding to $b_i$ match Howgrave–Graham’s bound. This leads to
$$\det(L) \le \varepsilon\, \alpha^{\omega+1-i},$$
where $\varepsilon$ is an error term that is usually ignored.
In order to find a solution $(y_1, \dots, y_n)$, we need the following assumption to be true.
Assumption 1.
The LLL reduced-basis polynomials are algebraically independent (they do not share a non-trivial gcd), and the resultant computations for $b_i$ yield the common roots of these polynomials.
In [19], a lattice-based method for finding small solutions of the equation $xH(y) + c \equiv 0 \bmod \beta$ is provided. This result extends the Boneh and Durfee method [3] and uses the LLL algorithm [5] and Howgrave–Graham’s lemma [26] to derive the solutions. The author shows that the bounds provided in [19] are optimal under reasonable assumptions.
Theorem 3.
Let $H(y) \in \mathbb{Z}[y]$ be a monic polynomial with degree $r \ge 1$ and $\beta$ be an integer. Suppose that
  • $x_0 H(y_0) + c \equiv 0 \bmod \beta$ for some $|x_0| < X = \beta^{\delta}$ and $|y_0| < Y = \beta^{\gamma}$;
  • $|c| < X Y^r$.
Then, one can solve the equation $xH(y) + c \equiv 0 \bmod \beta$ if
$$\delta \le \begin{cases} \dfrac{r+2}{2(r+1)} - \dfrac{r+1}{2}\gamma, & \text{when } 0 < \gamma < r/(r+1)^2, \\[2mm] 1 - \sqrt{r\gamma}, & \text{when } r/(r+1)^2 \le \gamma \le 1/r. \end{cases}$$

3. A New Look at φ n

In this section, we further generalize the result from Proposition 1. This result is later used as a building block for some of the partial exposure attacks presented in Section 4.
Proposition 2.
Let $N$ be a positive integer and $M \in \mathbb{Z}$. Then, for any integer $n \ge 1$, the following property holds:
$$\varphi_n(N) = -(p + q - M)^n + \sum_{k=0}^{n-1} a_k (p + q - M)^k,$$
where $a_k \in \mathbb{Z}$ and $a_k$ depend only on $N$, $M$ and $n$.
Proof. 
We use Lemma 4 to see that this result always holds. In order to be able to apply it, we first need to check that the first two values $\varphi_1$ and $\varphi_2$ satisfy this property.
It is easy to see that
$$\varphi_1(N) = (p - 1)(q - 1) = -(p + q) + N + 1 = -(p + q - M) - M + N + 1$$
and
$$\varphi_2(N) = (p^2 - 1)(q^2 - 1) = -(p^2 + q^2) + N^2 + 1 = -(p + q - M)^2 - 2M(p + q - M) - M^2 + N^2 + 2N + 1.$$
Let $S = p + q$. Now, we assume that the property holds for
$$\varphi_{n-1} = -(S - M)^{n-1} + \sum_{k=0}^{n-2} b_k (S - M)^k, \qquad \varphi_{n-2} = -(S - M)^{n-2} + \sum_{k=0}^{n-3} c_k (S - M)^k,$$
and using Lemma 4, we obtain
$$\begin{aligned}
\varphi_n &= S\varphi_{n-1}(N) - N\varphi_{n-2}(N) + (N^{n-1} + 1)(N - S + 1) \\
&= (S - M)\varphi_{n-1}(N) + M\varphi_{n-1}(N) - N\varphi_{n-2}(N) + (N^{n-1} + 1)(N - S + 1) \\
&= -(S - M)^n + \sum_{k=0}^{n-2} b_k (S - M)^{k+1} - M(S - M)^{n-1} + \sum_{k=0}^{n-2} b_k M (S - M)^k \\
&\quad + N(S - M)^{n-2} - \sum_{k=0}^{n-3} c_k N (S - M)^k + (N^{n-1} + 1)(N - S + 1) \\
&= -(S - M)^n + (b_{n-2} - M)(S - M)^{n-1} + (b_{n-3} + b_{n-2} M + N)(S - M)^{n-2} \\
&\quad + \sum_{k=1}^{n-3} (b_{k-1} + b_k M - c_k N)(S - M)^k + b_0 M - c_0 N + (N^{n-1} + 1)(N - S + 1).
\end{aligned}$$
Therefore, if we set
$$\begin{aligned}
a_{n-1} &= b_{n-2} - M, \\
a_{n-2} &= b_{n-3} + b_{n-2} M + N, \\
a_k &= b_{k-1} + b_k M - c_k N, \quad \text{for } k = 1, \dots, n-3, \\
a_0 &= b_0 M - c_0 N + (N^{n-1} + 1)(N - S + 1),
\end{aligned}$$
we obtain our desired result. □
Using Lemma 4, we can compute the first few values for $\varphi_n$ as a polynomial in $T = p + q - M$:
$$\begin{aligned}
\varphi_1 &= -M + N - T + 1, \\
\varphi_2 &= -M^2 - 2MT + N^2 + 2N - T^2 + 1, \\
\varphi_3 &= -M^3 - 3M^2T + 3MN - 3MT^2 + N^3 + 3NT - T^3 + 1, \\
\varphi_4 &= -M^4 - 4M^3T + 4M^2N - 6M^2T^2 + 8MNT - 4MT^3 + N^4 - 2N^2 + 4NT^2 - T^4 + 1, \\
\varphi_5 &= -M^5 - 5M^4T + 5M^3N - 10M^3T^2 + 15M^2NT - 10M^2T^3 - 5MN^2 + 15MNT^2 - 5MT^4 \\
&\quad + N^5 - 5N^2T + 5NT^3 - T^5 + 1, \\
\varphi_6 &= -M^6 - 6M^5T + 6M^4N - 15M^4T^2 + 24M^3NT - 20M^3T^3 - 9M^2N^2 + 36M^2NT^2 - 15M^2T^4 \\
&\quad - 18MN^2T + 24MNT^3 - 6MT^5 + N^6 + 2N^3 - 9N^2T^2 + 6NT^4 - T^6 + 1.
\end{aligned}$$
The following corollary is useful in devising our attack when the two primes share a portion of their least significant bits.
Corollary 2.
Let $N$ be a positive integer and $p + q = v_1 \cdot 2^{2s} + v_0$. Then, for any integer $n \ge 1$, the following property holds:
$$\varphi_n(N) = -v_1^n \cdot 2^{2sn} + \sum_{k=0}^{n-1} b_k v_1^k,$$
where $b_k \in \mathbb{Z}$ and $b_k$ depend only on $N$, $v_0$, $n$ and $s$.
Proof.
Rewriting $p + q = v_1 \cdot 2^{2s} + v_0$, we have $p + q - v_0 = v_1 \cdot 2^{2s}$. Replacing $M$ with $v_0$ in Proposition 2, we obtain
$$\begin{aligned}
\varphi_n(N) &= -(p + q - v_0)^n + \sum_{k=0}^{n-1} a_k (p + q - v_0)^k \\
&= -(v_1 \cdot 2^{2s})^n + \sum_{k=0}^{n-1} a_k (v_1 \cdot 2^{2s})^k \\
&= -v_1^n \cdot 2^{2sn} + \sum_{k=0}^{n-1} (a_k \cdot 2^{2sk})\, v_1^k \\
&= -v_1^n \cdot 2^{2sn} + \sum_{k=0}^{n-1} b_k v_1^k,
\end{aligned}$$
where $b_k = a_k \cdot 2^{2sk}$. □
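The recurrence of Lemma 4 can be run with $S$ replaced by $T + M$ to obtain the coefficients of Proposition 2 and Corollary 2 from $n$, $N$ and $M$ alone. The following is an added example, not code from the paper: the function names and the toy primes used in the demo are assumptions, and the primes appear only to check the result against $(p^n - 1)(q^n - 1)$.

```python
# Polynomials in T = p + q - M are coefficient lists, lowest degree first.

def poly_add(a, b):
    size = max(len(a), len(b))
    a = a + [0] * (size - len(a))
    b = b + [0] * (size - len(b))
    return [x + y for x, y in zip(a, b)]


def poly_scale(a, c):
    return [c * x for x in a]


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def poly_eval(coeffs, t):
    value = 0
    for c in reversed(coeffs):  # Horner's rule
        value = value * t + c
    return value


def phi_coefficients(n, N, M=0):
    """Coefficients of phi_n(N) as a polynomial in T, computed from n, N, M only.

    Lemma 4 with S = T + M:
    phi_m = (N^(m-1) + 1)(N - S + 1) + S*phi_(m-1) - N*phi_(m-2).
    """
    S = [M, 1]
    phi1 = poly_add([N + 1], poly_scale(S, -1))  # phi_1 = N - S + 1
    prev2, prev1 = [0], phi1                     # phi_0 = 0, phi_1
    for m in range(2, n + 1):
        cur = poly_scale(phi1, N ** (m - 1) + 1)
        cur = poly_add(cur, poly_mul(S, prev1))
        cur = poly_add(cur, poly_scale(prev2, -N))
        prev2, prev1 = prev1, cur
    return prev1


def corollary2_coefficients(n, N, v0, s):
    """b_0..b_(n-1) of Corollary 2: b_k = a_k * 2^(2sk), with M = v0."""
    a = phi_coefficients(n, N, v0)
    return [a[k] * 2 ** (2 * s * k) for k in range(n)]


if __name__ == "__main__":
    p, q = 1009, 701  # constructed toy primes, q < p < 2q, p - q = 2^2 * 77
    N = p * q
    for n in range(1, 5):
        coeffs = phi_coefficients(n, N, M=1700)
        ok = poly_eval(coeffs, p + q - 1700) == (p ** n - 1) * (q ** n - 1)
        print(n, "leading coefficient", coeffs[-1], "matches group order:", ok)
```

The leading coefficient is always $-1$, which is why the proofs in Section 4 work with the monic polynomial $H(y) = -h(y)$.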

4. Application of Lattices

In this section, we present our lattice-based partial exposure attacks and connect previous results to those introduced in this work.

4.1. Known Least Significant Bits of d

We further provide a method for finding the factorization of N when the attacker knows the least significant bits of d.
Theorem 4.
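Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $d = d_1 \cdot 2^s + d_0$, where $d_0$ and $s$ are known integers. When $e = N^{\delta}$, $d < N^{\gamma}$ and $2^s = N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le n + \varepsilon - \sqrt{0.5n(\delta + \varepsilon)}, & \text{when } \dfrac{n}{2} - \varepsilon \le \delta \le \dfrac{(n+1)^2}{2n} - \varepsilon, \\[2mm] \gamma \le \dfrac{3n-1}{4} + \dfrac{(n+2)\varepsilon - n\delta}{2(n+1)}, & \text{when } \dfrac{(n+1)^2}{2n} - \varepsilon < \delta \le \dfrac{(n+1)(3n-1)}{2n} + \dfrac{(n+2)\varepsilon}{n}, \end{cases}$$
and $0.5n + \varepsilon < \gamma$ when $d_0 \ge 1$.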
Proof. 
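According to Proposition 1, we have that
$$\varphi_n(N) = -(p + q)^n + \sum_{k=0}^{n-1} a_k (p + q)^k,$$
where $a_k \in \mathbb{Z}$. Finding $p + q$ is equivalent to solving the equation
$$h(y) = -y^n + \sum_{k=0}^{n-1} a_k y^k,$$
or analogously, the monic polynomial $H(y) = -h(y)$.
By rewriting the key equation $ed - k\varphi_n(N) = 1$, we obtain $1 + k\varphi_n(N) - ed_0 = ed_1 \cdot 2^s$. Let $E = e \cdot 2^s$; then, we have the congruence $k\varphi_n(N) + 1 - ed_0 \equiv 0 \bmod E$, which is equivalent to $k(-\varphi_n(N)) - 1 + ed_0 \equiv 0 \bmod E$. Consequently, we deduce the equation $xH(y) - 1 + ed_0 \equiv 0 \bmod E$, which has $k$ and $p + q$ as solutions.
In order to be able to apply Theorem 3, we first need to bound $k$ and $p + q$. Since $k\varphi_n(N) = ed - 1 < ed$ and $N^n < \varphi(N)$ (see Corollary 1), we obtain that
$$k < \frac{ed}{\varphi_n(N)} < N^{\delta + \gamma - n}.$$
Using Lemma 1, we have that $p + q < 3\sqrt{N}$. Therefore, we have that $k < X = E^{(\delta + \gamma - n)/(\delta + \varepsilon)}$ and $p + q < Y \simeq E^{0.5/(\delta + \varepsilon)}$.
According to Theorem 3, we can find the solutions $x_0 = k$ and $y_0 = p + q$ to the equation $xH(y) - 1 + ed_0 \equiv 0 \bmod E$ if certain conditions are met.
We start with bounding the constant $|ed_0 - 1|$. We obtain the following inequalities:
$$|ed_0 - 1| < ed_0 < e \cdot 2^s < XY^n = E^{\frac{\delta + \gamma - n}{\delta + \varepsilon}} \cdot E^{\frac{0.5n}{\delta + \varepsilon}},$$
and the last one is equivalent to
$$1 < E^{\frac{\gamma - 0.5n - \varepsilon}{\delta + \varepsilon}} \Leftrightarrow 0.5n + \varepsilon < \gamma.$$
The last inequality has to hold when $d_0 \ge 1$, and no restrictions are necessary otherwise.
Now, let us consider the first case of Theorem 3. We have
$$0 \le \frac{1}{2(\delta + \varepsilon)} < \frac{n}{(n+1)^2} \Leftrightarrow \frac{(n+1)^2}{2n} - \varepsilon < \delta$$
and
$$\begin{aligned}
\frac{\delta + \gamma - n}{\delta + \varepsilon} \le \frac{n+2}{2(n+1)} - \frac{n+1}{2} \cdot \frac{1}{2(\delta + \varepsilon)}
&\Leftrightarrow \delta + \gamma - n \le \frac{(n+2)(\delta + \varepsilon)}{2(n+1)} - \frac{n+1}{4} \\
&\Leftrightarrow \gamma \le n - \frac{n+1}{4} + \left(\frac{n+2}{2(n+1)} - 1\right)\delta + \frac{(n+2)\varepsilon}{2(n+1)} \\
&\Leftrightarrow \gamma \le \frac{3n-1}{4} - \frac{n\delta}{2(n+1)} + \frac{(n+2)\varepsilon}{2(n+1)}.
\end{aligned}$$
Since we also want $\gamma \ge 0$, we must have
$$0 \le -\frac{n\delta}{2(n+1)} + \frac{(n+2)\varepsilon}{2(n+1)} + \frac{3n-1}{4} \Leftrightarrow \delta \le \frac{(n+1)(3n-1)}{2n} + \frac{(n+2)\varepsilon}{n}.$$
In the second case of Theorem 3, we have
$$\frac{n}{(n+1)^2} \le \frac{1}{2(\delta + \varepsilon)} \le \frac{1}{n} \Leftrightarrow \frac{n}{2} - \varepsilon \le \delta \le \frac{(n+1)^2}{2n} - \varepsilon$$
and
$$\frac{\delta + \gamma - n}{\delta + \varepsilon} \le 1 - \sqrt{\frac{n}{2(\delta + \varepsilon)}} \Leftrightarrow \delta + \gamma - n \le \delta + \varepsilon - \sqrt{0.5n(\delta + \varepsilon)} \Leftrightarrow \gamma \le n + \varepsilon - \sqrt{0.5n(\delta + \varepsilon)}.$$
Since we also want $\gamma \ge 0$, we must have
$$0 \le n + \varepsilon - \sqrt{0.5n(\delta + \varepsilon)} \Leftrightarrow \delta \le 2n + 3\varepsilon + \frac{2\varepsilon^2}{n}.$$
Note that $(n+1)^2/2n \le 2n$ for $n \ge 1$, and thus, $(n+1)^2/2n - \varepsilon \le 2n + 3\varepsilon + 2\varepsilon^2/n$.
Once $y_0$ is found, solving the following system of equations:
$$\begin{cases} p + q = y_0 \\ pq = N \end{cases}$$
enables us to factorize the modulus $N$. □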
When the case $s = 0$ is considered, the lattice attack presented in [16] for the RSA-like family becomes a special case of Theorem 4.
Corollary 3.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $e = N^{\delta}$ and $d < N^{\gamma}$. We can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le n - \sqrt{0.5n\delta}, & \text{when } \dfrac{n}{2} \le \delta \le \dfrac{(n+1)^2}{2n}, \\[2mm] \gamma \le \dfrac{3n-1}{4} - \dfrac{n\delta}{2(n+1)}, & \text{when } \dfrac{(n+1)^2}{2n} < \delta \le \dfrac{(n+1)(3n-1)}{2n}. \end{cases}$$
The following corollary tells us what happens when $e$ is large enough.
Corollary 4.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $d = d_1 \cdot 2^s + d_0$, where $d_0$ and $s$ are known integers. When $e \simeq N^n$, $d < N^{\gamma}$ and $2^s = N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le n + \varepsilon - \sqrt{0.5n(n + \varepsilon)}, & \text{when } n = 1 \text{ or } n = 2, \\[2mm] \gamma \le \dfrac{3n-1}{4} + \dfrac{(n+2)\varepsilon - n^2}{2(n+1)}, & \text{otherwise}. \end{cases}$$
Proof.
In the first case, we must have $n/2 - \varepsilon \le n \le (n+1)^2/2n - \varepsilon$. The first inequality is always true. Let us check the conditions for the second one:
$$n \le \frac{(n+1)^2}{2n} - \varepsilon \Leftrightarrow 2n^2 \le n^2 + 2n + 1 - \varepsilon \Leftrightarrow (n-1)^2 \le 2 - \varepsilon \Leftrightarrow n \le \sqrt{2 - \varepsilon} + 1 \le 2.42.$$
Thus, the second inequality is true only for $n = 1$ or $n = 2$.
In the second case, according to the previous statements, we automatically have $(n+1)^2/2n - \varepsilon < n$ for $n \ge 3$. Therefore, we only need to check whether
$$n \le \frac{(n+1)(3n-1)}{2n} + \frac{(n+2)\varepsilon}{n} \Leftrightarrow 2n^2 \le 3n^2 + 2n - 1 + 2(n+2)\varepsilon \Leftrightarrow 2 \le (n+1)^2 + 2(n+2)\varepsilon.$$
This inequality is always true for $n \ge 3$. This concludes our proof. □
When cases $(s, n) = (0, 1)$ and $(s, n) = (0, 2)$ are considered, the optimal bounds presented in [3,6] for the RSA and [12,13] for Elkamchouchi et al.’s scheme become special cases of Corollary 4.
Corollary 5.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $n = 1$, $e \simeq N$ and $d < N^{\gamma}$. We can factor $N$ in polynomial time if $\gamma \le (2 - \sqrt{2})/2 \simeq 0.292$.
Corollary 6.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $n = 2$, $e \simeq N^2$ and $d < N^{\gamma}$. We can factor $N$ in polynomial time if $\gamma \le 2 - \sqrt{2} \simeq 0.585$.

4.2. Known Approximation of p

We further provide a method for finding the factorization of $N$ when the attacker knows an approximation $p_0$ of $p$. Note that when $n = 2$, we obtain the same bound as the one presented in [21].
Theorem 5.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $p_0$ be a known approximation of $p$. When $e = N^{\delta}$, $d < N^{\gamma}$ and $|p - p_0| < N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le n - \sqrt{\varepsilon n \delta}, & \text{when } \varepsilon n \le \delta \le \dfrac{\varepsilon(n+1)^2}{n}, \\[2mm] \gamma \le \dfrac{n(2 - \varepsilon) - 1}{2} - \dfrac{n\delta}{2(n+1)}, & \text{when } \dfrac{\varepsilon(n+1)^2}{n} < \delta \le \dfrac{(n+1)[n(2 - \varepsilon) - 1]}{n}, \end{cases}$$
and $\varepsilon < (2n-1)/(2n+1)$.
Proof. 
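Using Lemma 2, we have that $q_0 = N/p_0$ is an approximation of $q$ such that
$$|q - q_0| < N^{\varepsilon} \quad \text{and} \quad |p + q - p_0 - q_0| < 2N^{\varepsilon}.$$
Setting $M = p_0 + q_0$ in Proposition 2, we obtain that
$$\varphi_n(N) = -(p + q - p_0 - q_0)^n + \sum_{k=0}^{n-1} a_k (p + q - p_0 - q_0)^k,$$
where $a_k \in \mathbb{Z}$. Finding $p + q - p_0 - q_0$ is equivalent to solving the equation
$$h(y) = -y^n + \sum_{k=0}^{n-1} a_k y^k,$$
or analogously, the monic polynomial $H(y) = -h(y)$.
By rewriting the key equation $ed - k\varphi_n(N) = 1$, we obtain the congruence $k\varphi_n(N) + 1 \equiv 0 \bmod e$, which is equivalent to $k(-\varphi_n(N)) - 1 \equiv 0 \bmod e$. Consequently, we deduce the equation $xH(y) - 1 \equiv 0 \bmod e$, which has $k$ and $p + q - p_0 - q_0$ as solutions.
In order to be able to apply Theorem 3, we first need to bound $k$ and $p + q - p_0 - q_0$. Since $k\varphi_n(N) = ed - 1 < ed$ and $N^n < \varphi(N)$ (see Corollary 1), we obtain that
$$k < \frac{ed}{\varphi_n(N)} < N^{\delta + \gamma - n}.$$
Using Lemma 2, we have that $|p + q - p_0 - q_0| < 2N^{\varepsilon}$. Therefore, we have that $k < X = e^{(\delta + \gamma - n)/\delta}$ and $|p + q - p_0 - q_0| < Y \simeq e^{\varepsilon/\delta}$.
According to Theorem 3, we can find the solutions $x_0 = k$ and $y_0 = p + q - p_0 - q_0$ to the equation $xH(y) - 1 \equiv 0 \bmod e$ if certain conditions are met.
Let us consider the first case of Theorem 3. We have
$$0 \le \frac{\varepsilon}{\delta} < \frac{n}{(n+1)^2} \Leftrightarrow \frac{\varepsilon(n+1)^2}{n} < \delta$$
and
$$\begin{aligned}
\frac{\delta + \gamma - n}{\delta} \le \frac{n+2}{2(n+1)} - \frac{n+1}{2} \cdot \frac{\varepsilon}{\delta}
&\Leftrightarrow \delta + \gamma - n \le \frac{(n+2)\delta}{2(n+1)} - \frac{\varepsilon(n+1)}{2} \\
&\Leftrightarrow \gamma \le n - \frac{\varepsilon(n+1)}{2} + \left(\frac{n+2}{2(n+1)} - 1\right)\delta \\
&\Leftrightarrow \gamma \le \frac{n(2 - \varepsilon) - 1}{2} - \frac{n\delta}{2(n+1)}.
\end{aligned}$$
Since we also want $\gamma \ge 0$, we must have
$$0 \le -\frac{n\delta}{2(n+1)} + \frac{n(2 - \varepsilon) - 1}{2} \Leftrightarrow \delta \le \frac{(n+1)[n(2 - \varepsilon) - 1]}{n}.$$
This leads to
$$\frac{\varepsilon(n+1)^2}{n} < \frac{(n+1)[n(2 - \varepsilon) - 1]}{n} \Leftrightarrow \varepsilon(n+1) < n(2 - \varepsilon) - 1 \Leftrightarrow \varepsilon < \frac{2n-1}{2n+1}.$$
In the second case of Theorem 3, we have
$$\frac{n}{(n+1)^2} \le \frac{\varepsilon}{\delta} \le \frac{1}{n} \Leftrightarrow \varepsilon n \le \delta \le \frac{\varepsilon(n+1)^2}{n}$$
and
$$\frac{\delta + \gamma - n}{\delta} \le 1 - \sqrt{\frac{\varepsilon n}{\delta}} \Leftrightarrow \delta + \gamma - n \le \delta - \sqrt{\varepsilon n \delta} \Leftrightarrow \gamma \le n - \sqrt{\varepsilon n \delta}.$$
Since we also want $\gamma \ge 0$, we must have
$$0 \le n - \sqrt{\varepsilon n \delta} \Leftrightarrow \delta \le \frac{n}{\varepsilon}.$$
Therefore, we need to check that
$$\frac{\varepsilon(n+1)^2}{n} < \frac{n}{\varepsilon} \Leftrightarrow \varepsilon < \frac{n}{n+1}.$$
Note that Equation (1) implies that
$$\varepsilon < \frac{2n-1}{2n+1} < \frac{n}{n+1}.$$
Once $y_0$ is found, solving the following system of equations
$$\begin{cases} p + q = y_0 + p_0 + q_0 \\ pq = N \end{cases}$$
enables us to factorize the modulus $N$. □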
The following corollary tells us what happens when e is large enough.
Corollary 7.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $p_0$ be a known approximation of $p$. When $e \simeq N^n$, $d < N^{\gamma}$ and $|p - p_0| < N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le n(1 - \sqrt{\varepsilon}), & \text{when } \dfrac{n^2}{(n+1)^2} \le \varepsilon \le \dfrac{2n-1}{2n+1}, \\[2mm] \gamma \le \dfrac{n(2 - \varepsilon) - 1}{2} - \dfrac{n^2}{2(n+1)}, & \text{when } 0 < \varepsilon \le \dfrac{n^2}{(n+1)^2}, \end{cases}$$
and $\varepsilon < (2n-1)/(2n+1)$.
Proof.
The only thing that we need to prove are the bounds provided in the statement. The first bound from Theorem 5 becomes
$$\varepsilon n \le n \le \frac{\varepsilon(n+1)^2}{n} \Leftrightarrow \frac{n^2}{(n+1)^2} \le \varepsilon \le 1,$$
but we also have that $\varepsilon < (2n-1)/(2n+1) < 1$. Thus, we obtain the first bound.
The second bound from Theorem 5 becomes
$$\frac{\varepsilon(n+1)^2}{n} < n \le \frac{(n+1)[n(2 - \varepsilon) - 1]}{n} \Leftrightarrow \varepsilon < \frac{n^2}{(n+1)^2} \ \text{and} \ \varepsilon \le \frac{n^2 + n - 1}{n^2 + n}.$$
Since we also want $\varepsilon > 0$, we obtain our desired result. □
For the cases $n = 1$ and $n = 2$, we derive the following bounds. Notice that for $n = 1$, our result is similar to the one presented in [29], which states that if $|p - p_0| < N^{\varepsilon}/8$ and $\varepsilon < 0.5$, then $d$ can be recovered if $\gamma < (1 - \varepsilon)/2$. The key difference is that Nassr, Anwar and Bahig’s attack relies on continued fractions, whereas ours is lattice-based. Note that for the RSA, a lattice approach that leads to a similar bound can be found in [30]. When $n = 2$, the optimal bounds presented in [31] for Elkamchouchi et al.’s scheme are identical with ours.
Corollary 8.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $p_0$ be a known approximation of $p$. When $n = 1$, $e = N$, $d < N^{\gamma}$ and $|p - p_0| < N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le 1 - \sqrt{\varepsilon}, & \text{when } 0.25 \le \varepsilon < 0.(3), \\[1mm] \gamma \le \dfrac{1 - \varepsilon}{2}, & \text{when } \varepsilon < 0.25. \end{cases}$$
Corollary 9.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $p_0$ be a known approximation of $p$. When $n = 2$, $e = N^2$, $d < N^{\gamma}$ and $|p - p_0| < N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le 2(1 - \sqrt{\varepsilon}), & \text{when } 0.(4) \le \varepsilon < 0.6, \\[1mm] \gamma \le \dfrac{3 - 2\varepsilon}{2}, & \text{when } \varepsilon < 0.(4). \end{cases}$$
The following corollary tells us what happens if the prime difference $|p - q|$ is small (or stated alternatively, the primes share the most significant bits). Note that when $n = 2$ and $e = N^2$, the bound presented in [32] for Elkamchouchi et al.’s scheme is a special case of Corollary 10. For RSA, similar bounds to ours are provided in [30,33].
Corollary 10.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. When $e = N^{\delta}$, $d < N^{\gamma}$ and $|p - q| < N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le n - \sqrt{\varepsilon n \delta}, & \text{when } \varepsilon n \le \delta \le \dfrac{\varepsilon(n+1)^2}{n}, \\[2mm] \gamma \le \dfrac{n(2 - \varepsilon) - 1}{2} - \dfrac{n\delta}{2(n+1)}, & \text{when } \dfrac{\varepsilon(n+1)^2}{n} < \delta \le \dfrac{(n+1)[n(2 - \varepsilon) - 1]}{n}, \end{cases}$$
and $\varepsilon < (2n-1)/(2n+1)$.
Proof.
Using Lemma 1, we have that $q < \sqrt{N} < p$, which leads to
$$0 < p - \sqrt{N} < p - q < N^{\varepsilon}.$$
Therefore, $\sqrt{N}$ is a good approximation for $p$. Using Theorem 5, we obtain our desired bound. □

4.3. Primes Sharing the Least Significant Bits

Finally, we provide a factorization method for N when the two primes share an amount of the least significant bits.
Theorem 6.
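Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $p - q = v_1 \cdot 2^s + v_0$, where $s$ is a known integer. When $e = N^{\delta}$, $d < N^{\gamma}$ and $2^s = N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le n - \sqrt{0.5n\delta(1 - 4\varepsilon)}, & \text{when } \dfrac{n(1 - 4\varepsilon)}{2} \le \delta \le \dfrac{(1 - 4\varepsilon)(n+1)^2}{2n}, \\[2mm] \gamma \le \dfrac{3n-1}{4} + \varepsilon(n+1) - \dfrac{n\delta}{2(n+1)}, & \text{when } \dfrac{(1 - 4\varepsilon)(n+1)^2}{2n} < \delta \le \dfrac{4\varepsilon(n+1)^2 + (n+1)(3n-1)}{2n}, \end{cases}$$
and $0.5n < \delta + \gamma$.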
Proof. 
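According to Corollary 2, we have that
$$\varphi_n(N) = -v_1^n \cdot 2^{2sn} + \sum_{k=0}^{n-1} b_k v_1^k,$$
where $b_k \in \mathbb{Z}$. Finding $v_1$ is equivalent to solving the equation
$$h(y) = -2^{2sn} \cdot \left( y^n - \sum_{k=0}^{n-1} \frac{b_k y^k}{2^{2sn}} \right),$$
or analogously, the monic polynomial $H(y) = -h(y)/2^{2sn}$.
By rewriting the key equation $ed - k\varphi_n(N) = 1$, we obtain the congruence $k(-2^{-2sn} \cdot \varphi_n(N)) - 2^{-2sn} \equiv 0 \bmod e$. Note that $2^{-2sn}$ makes sense since $\gcd(2, e) = 1$. Consequently, we deduce the equation $xH(y) - 2^{-2sn} \equiv 0 \bmod e$, which has $k$ and $v_1$ as solutions.
In order to be able to apply Theorem 3, we first need to bound $k$ and $v_1$. Since $k\varphi_n(N) = ed - 1 < ed$ and $N^n < \varphi(N)$ (see Corollary 1), we obtain that
$$k < \frac{ed}{\varphi_n(N)} < N^{\delta + \gamma - n}.$$
Using Lemma 1, we have that $p + q = v_1 \cdot 2^{2s} + v_0 < 3\sqrt{N}$, and thus,
$$v_1 = \frac{p + q - v_0}{2^{2s}} < 3N^{0.5 - 2\varepsilon}.$$
Note that if $v_1 = 1$ or $v_1 = 2$, we can easily factor $N$. Hence, we can safely assume that $0.5 - 2\varepsilon > 0$. Therefore, we have that $k < X = e^{(\delta + \gamma - n)/\delta}$ and $v_1 < Y \simeq e^{(0.5 - 2\varepsilon)/\delta}$.
According to Theorem 3, we can find the solutions $x_0 = k$ and $y_0 = v_1$ to the equation $xH(y) - 2^{-2sn} \equiv 0 \bmod e$ if certain conditions are met.
We start with bounding the constant $|-2^{-2sn}|$. We obtain the following inequality:
$$|-2^{-2sn}| = 2^{-2sn} = N^{-2n\varepsilon} = e^{-\frac{2n\varepsilon}{\delta}} < e^{\frac{\delta + \gamma - n}{\delta}} \cdot e^{\frac{(0.5 - 2\varepsilon)n}{\delta}} = e^{\frac{\delta + \gamma - (0.5 + 2\varepsilon)n}{\delta}},$$
which is equivalent to
$$-2n\varepsilon < \delta + \gamma - (0.5 + 2\varepsilon)n \Leftrightarrow 0.5n < \delta + \gamma.$$
Now, let us consider the first case of Theorem 3. We have
$$0 \le \frac{1 - 4\varepsilon}{2\delta} < \frac{n}{(n+1)^2} \Leftrightarrow \frac{(1 - 4\varepsilon)(n+1)^2}{2n} < \delta$$
and
$$\begin{aligned}
\frac{\delta + \gamma - n}{\delta} \le \frac{n+2}{2(n+1)} - \frac{n+1}{2} \cdot \frac{1 - 4\varepsilon}{2\delta}
&\Leftrightarrow \delta + \gamma - n \le \frac{(n+2)\delta}{2(n+1)} - \frac{(1 - 4\varepsilon)(n+1)}{4} \\
&\Leftrightarrow \gamma \le n - \frac{(1 - 4\varepsilon)(n+1)}{4} + \left(\frac{n+2}{2(n+1)} - 1\right)\delta \\
&\Leftrightarrow \gamma \le \frac{3n-1}{4} + \varepsilon(n+1) - \frac{n\delta}{2(n+1)}.
\end{aligned}$$
Since we also want $\gamma \ge 0$, we must have
$$0 \le -\frac{n\delta}{2(n+1)} + \varepsilon(n+1) + \frac{3n-1}{4} \Leftrightarrow \delta \le \frac{4\varepsilon(n+1)^2 + (n+1)(3n-1)}{2n}.$$
In the second case of Theorem 3, we have
$$\frac{n}{(n+1)^2} \le \frac{1 - 4\varepsilon}{2\delta} \le \frac{1}{n} \Leftrightarrow \frac{n(1 - 4\varepsilon)}{2} \le \delta \le \frac{(1 - 4\varepsilon)(n+1)^2}{2n}$$
and
$$\frac{\delta + \gamma - n}{\delta} \le 1 - \sqrt{\frac{n(1 - 4\varepsilon)}{2\delta}} \Leftrightarrow \delta + \gamma - n \le \delta - \sqrt{0.5n\delta(1 - 4\varepsilon)} \Leftrightarrow \gamma \le n - \sqrt{0.5n\delta(1 - 4\varepsilon)}.$$
Since we also want $\gamma \ge 0$, we must have
$$0 \le n - \sqrt{0.5n\delta(1 - 4\varepsilon)} \Leftrightarrow \delta \le \frac{2n}{1 - 4\varepsilon}.$$
Once $y_0$ is found, solving the following system of equations
$$\begin{cases} p + q = y_0 \cdot 2^{2s} + v_0 \\ pq = N \end{cases}$$
enables us to factorize the modulus $N$. □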
The following corollary tells us what happens when e is large enough.
Theorem 7.
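Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $p - q = v_1 \cdot 2^s + v_0$, where $s$ is a known integer. When $n > 2$, $e \simeq N^n$, $d < N^{\gamma}$ and $2^s = N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\gamma \le \frac{3n-1}{4} + \varepsilon(n+1) - \frac{n^2}{2(n+1)}.$$
Proof.
The only thing that we need to prove are the bounds provided in the statement. The first bound from Theorem 6 becomes
$$\frac{n(1 - 4\varepsilon)}{2} \le n \le \frac{(1 - 4\varepsilon)(n+1)^2}{2n} \Leftrightarrow \varepsilon \le \frac{1}{4} - \frac{n^2}{2(n+1)^2}.$$
The second bound from Theorem 6 becomes
$$\frac{(1 - 4\varepsilon)(n+1)^2}{2n} < n \le \frac{4\varepsilon(n+1)^2 + (n+1)(3n-1)}{2n} \Leftrightarrow \frac{1}{4} - \frac{n^2}{2(n+1)^2} < \varepsilon \ \text{and} \ \frac{-n^2 - 2n + 1}{4(n+1)^2} \le \varepsilon.$$
Therefore, we obtain the following result
$$\begin{cases} \gamma \le n\left[1 - \sqrt{0.5(1 - 4\varepsilon)}\right], & \text{when } \varepsilon \le \dfrac{1}{4} - \dfrac{n^2}{2(n+1)^2}, \\[2mm] \gamma \le \dfrac{3n-1}{4} + \varepsilon(n+1) - \dfrac{n^2}{2(n+1)}, & \text{when } \dfrac{1}{4} - \dfrac{n^2}{2(n+1)^2} < \varepsilon. \end{cases}$$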
Note that we also want $\varepsilon > 0$. When $n > 2$, this holds only in the second case, and thus, we obtain our desired result. □
When $n = 1$ and $n = 2$, we obtain the following bounds. Note that these results are a direct consequence of Equation (2).
Corollary 11.
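Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $p - q = v_1 \cdot 2^s + v_0$, where $s$ is a known integer. When $n = 1$, $e = N$, $d < N^{\gamma}$ and $2^s = N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le 1 - \sqrt{0.5(1 - 4\varepsilon)}, & \text{when } \varepsilon \le 0.125, \\[1mm] \gamma \le \dfrac{1 + 4\varepsilon}{2}, & \text{when } 0.125 < \varepsilon. \end{cases}$$
Corollary 12.
Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Also, let $p - q = v_1 \cdot 2^s + v_0$, where $s$ is a known integer. When $n = 2$, $e = N^2$, $d < N^{\gamma}$ and $2^s = N^{\varepsilon}$, we can factor $N$ in polynomial time if
$$\begin{cases} \gamma \le n - \sqrt{0.5n\delta(1 - 4\varepsilon)}, & \text{when } \varepsilon \le 0.02(7), \\[1mm] \gamma \le \dfrac{5 + 12\varepsilon}{4}, & \text{when } 0.02(7) < \varepsilon. \end{cases}$$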
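The proofs of Theorems 4 and 6 both obtain their bounds on $\gamma$ by substituting $X$ and $Y$ into Theorem 3. The following added example, which is not code from the paper, performs that substitution numerically and compares it with the closed forms stated in the two theorems, so a key's exponent sizes can be checked against them. All function names are assumptions, and the side conditions $0.5n + \varepsilon < \gamma$ (Theorem 4) and $0.5n < \delta + \gamma$ (Theorem 6) are not evaluated.

```python
from math import sqrt


def theorem3_max_x_exponent(r, y_exp):
    """Theorem 3: largest delta (X = beta^delta) for a root bound Y = beta^y_exp.
    Returns None when y_exp lies outside (0, 1/r], where the theorem gives no bound."""
    if not 0 < y_exp <= 1 / r:
        return None
    if y_exp < r / (r + 1) ** 2:
        return (r + 2) / (2 * (r + 1)) - (r + 1) / 2 * y_exp
    return 1 - sqrt(r * y_exp)


def gamma_from_theorem3(n, delta, log_beta, log_y):
    """Largest gamma such that X = N^(delta+gamma-n) fits Theorem 3, where the
    modulus is beta = N^log_beta and the second root is bounded by Y = N^log_y."""
    x_exp = theorem3_max_x_exponent(n, log_y / log_beta)
    if x_exp is None:
        return None
    gamma = n - delta + x_exp * log_beta
    return gamma if gamma >= 0 else None


def theorem4_bound(n, delta, eps=0.0):
    """Known LSBs of d: modulus E = e * 2^s = N^(delta+eps), Y ~ N^0.5."""
    return gamma_from_theorem3(n, delta, delta + eps, 0.5)


def theorem6_bound(n, delta, eps=0.0):
    """Primes sharing LSBs: modulus e = N^delta, Y ~ N^(0.5 - 2*eps)."""
    return gamma_from_theorem3(n, delta, delta, 0.5 - 2 * eps)


def theorem4_closed_form(n, delta, eps=0.0):
    """The two cases as stated in Theorem 4."""
    split = (n + 1) ** 2 / (2 * n) - eps
    upper = (n + 1) * (3 * n - 1) / (2 * n) + (n + 2) * eps / n
    if n / 2 - eps <= delta <= split:
        return n + eps - sqrt(0.5 * n * (delta + eps))
    if split < delta <= upper:
        return (3 * n - 1) / 4 + ((n + 2) * eps - n * delta) / (2 * (n + 1))
    return None


def theorem6_closed_form(n, delta, eps=0.0):
    """The two cases as stated in Theorem 6."""
    lower = n * (1 - 4 * eps) / 2
    split = (1 - 4 * eps) * (n + 1) ** 2 / (2 * n)
    upper = (4 * eps * (n + 1) ** 2 + (n + 1) * (3 * n - 1)) / (2 * n)
    if lower <= delta <= split:
        return n - sqrt(0.5 * n * delta * (1 - 4 * eps))
    if split < delta <= upper:
        return (3 * n - 1) / 4 + eps * (n + 1) - n * delta / (2 * (n + 1))
    return None


if __name__ == "__main__":
    # e of full size (delta = n) and no leaked bits: Corollaries 5 and 6.
    for n in (1, 2, 3):
        print(f"n={n}: d below N^{theorem4_bound(n, float(n)):.3f} is covered by Theorem 4")
    # Effect of shared least significant bits (Theorem 6), n = 2, e ~ N^2.
    for eps in (0.0, 0.05, 0.1):
        print(f"eps={eps}: Theorem 6 bound {theorem6_bound(2, 2.0, eps):.3f}")
```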

5. Conclusions

In this paper, we present several lattice-based attacks on a family of RSA-like cryptosystems. To execute our attacks, we first reduce the problem to solving an equation of type $xH(y) - 1 \equiv 0 \bmod e$, after which we apply a result proven by Kunihiro [19]. The resulting bounds extend prior results for the RSA and the scheme by Elkamchouchi et al. while providing deeper insights into selecting optimal parameters for the broader RSA-like family.

Future Work

An interesting research direction is whether more of the attacks presented in [7,8,9,14] can be adapted to the general case.

Funding

This research received no external funding.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Conflicts of Interest

The author declares no conflicts of interest.

References

  1. Rivest, R.L.; Shamir, A.; Adleman, L. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM 1978, 21, 120–126.
  2. Wiener, M.J. Cryptanalysis of Short RSA Secret Exponents. IEEE Trans. Inf. Theory 1990, 36, 553–558.
  3. Boneh, D.; Durfee, G. Cryptanalysis of RSA with Private Key d Less than $N^{0.292}$. In Proceedings of the EUROCRYPT 1999, Prague, Czech Republic, 2–6 May 1999; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 1999; Volume 1592, pp. 1–11.
  4. Coppersmith, D. Finding a Small Root of a Univariate Modular Equation. In Proceedings of the EUROCRYPT 1996, Saragossa, Spain, 12–16 May 1996; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 1996; Volume 1070, pp. 155–165.
  5. Lenstra, A.K.; Lenstra, H.W.; Lovász, L. Factoring Polynomials with Rational Coefficients. Math. Ann. 1982, 261, 515–534.
  6. Herrmann, M.; May, A. Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA. In Proceedings of the PKC 2010, Paris, France, 26–28 May 2010; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2010; Volume 6056, pp. 53–69.
  7. Boneh, D. Twenty Years of Attacks on the RSA Cryptosystem. Not. AMS 1999, 46, 203–213.
  8. May, A. Using LLL-Reduction for Solving RSA and Factorization Problems. In The LLL Algorithm: Survey and Applications; Information Security and Cryptography; Springer: Berlin/Heidelberg, Germany, 2010; pp. 315–348.
  9. Shi, G.; Wang, G.; Gu, D. Further Cryptanalysis of a Type of RSA Variants. In Proceedings of the ISC 2022, Bali, Indonesia, 18–22 December 2022; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2022; Volume 13640, pp. 133–152.
  10. Elkamchouchi, H.; Elshenawy, K.; Shaban, H. Extended RSA Cryptosystem and Digital Signature Schemes in the Domain of Gaussian Integers. In Proceedings of the ICCS 2002, Amsterdam, The Netherlands, 21–24 April 2002; IEEE Computer Society: Washington, DC, USA, 2002; Volume 1, pp. 91–95.
  11. Bunder, M.; Nitaj, A.; Susilo, W.; Tonien, J. A New Attack on Three Variants of the RSA Cryptosystem. In Proceedings of the ACISP 2016, Melbourne, Australia, 4–6 July 2016; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2016; Volume 9723, pp. 258–268.
  12. Peng, L.; Hu, L.; Lu, Y.; Wei, H. An Improved Analysis on Three Variants of the RSA Cryptosystem. In Proceedings of the Inscrypt 2016, Beijing, China, 4–6 November 2016; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2016; Volume 10143, pp. 140–149.
  13. Zheng, M.; Kunihiro, N.; Hu, H. Cryptanalysis of RSA Variants with Modified Euler Quotient. In Proceedings of the AFRICACRYPT 2018, Marrakesh, Morocco, 7–9 May 2018; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2018; Volume 10831, pp. 266–281.
  14. Cotan, P.; Teşeleanu, G. Small Private Key Attack Against a Family of RSA-Like Cryptosystems. In Proceedings of the NordSEC 2023, Oslo, Norway, 16–17 November 2023; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2023; Volume 14324, pp. 57–72.
  15. Cotan, P.; Teşeleanu, G. A Security Analysis of Two Classes of RSA-Like Cryptosystems. J. Math. Cryptol. 2024, 18, 20240013.
  16. Teşeleanu, G. A Lattice Attack Against a Family of RSA-like Cryptosystems. In Proceedings of the CSCML 2024, Be’er Sheva, Israel, 19–20 December 2024; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2024.
  17. Rahmani, M.; Nitaj, A.; Ziane, M. Partial Exposure Attacks on a New RSA Variant. Cryptography 2024, 8, 44.
  18. Cotan, P.; Teşeleanu, G. Continued Fractions Applied to a Family of RSA-like Cryptosystems. In Proceedings of the ISPEC 2022, Taipei, Taiwan, 23–25 November 2022; Springer: Berlin/Heidelberg, Germany, 2022; pp. 589–605.
  19. Kunihiro, N. On Optimal Bounds of Small Inverse Problems and Approximate GCD Problems with Higher Degree. In Proceedings of the ISC 2012, Passau, Germany, 19–21 September 2012; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2012; Volume 7483, pp. 55–69.
  20. Nitaj, A. Another Generalization of Wiener’s Attack on RSA. In Proceedings of the AFRICACRYPT 2008, Casablanca, Morocco, 11–14 June 2008; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2008; Volume 5023, pp. 174–190.
  21. Feng, Y.; Nitaj, A.; Pan, Y. Partial Prime Factor Exposure Attacks on Some RSA Variants. Theor. Comput. Sci. 2024, 999, 114549.
  22. Steinfeld, R.; Zheng, Y. On the Security of RSA with Primes Sharing Least-Significant Bits. Appl. Algebra Eng. Commun. Comput. 2004, 15, 179–200.
  23. Nitaj, A.; Ariffin, M.R.K.; Nassr, D.I.; Bahig, H.M. New Attacks on the RSA Cryptosystem. In Proceedings of the AFRICACRYPT 2014, Marrakesh, Morocco, 28–30 May 2014; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2014; Volume 8469, pp. 178–198.
  24. Coppersmith, D. Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In Proceedings of the EUROCRYPT 1996, Saragossa, Spain, 12–16 May 1996; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 1996; Volume 1070, pp. 178–189.
  25. Coppersmith, D. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. J. Cryptol. 1997, 10, 233–260.
  26. Howgrave-Graham, N. Finding Small Roots of Univariate Modular Equations Revisited. In Proceedings of the IMA 1997, Cirencester, UK, 17–19 December 1997; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 1997; Volume 1355, pp. 131–142.
  27. May, A. New RSA Vulnerabilities Using Lattice Reduction Methods. Ph.D. Thesis, University of Paderborn, Paderborn, Germany, 2003.
  28. Jochemsz, E.; May, A. A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. In Proceedings of the ASIACRYPT 2006, Shanghai, China, 3–7 December 2006; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2006; Volume 4284, pp. 267–282.
  29. Nassr, D.I.; Bahig, H.M.; Bhery, A.; Daoud, S.S. A New RSA Vulnerability Using Continued Fractions. In Proceedings of the AICCSA 2008, Doha, Qatar, 1–4 April 2008; IEEE Computer Society: Washington, DC, USA, 2008; pp. 694–701.
  30. Feng, Y.; Liu, Z.; Nitaj, A.; Pan, Y. Practical Small Private Exponent Attacks against RSA. IACR Cryptol. ePrint Arch. 2024. Available online: https://eprint.iacr.org/2024/1331 (accessed on 23 December 2024).
  31. Abderrahmane Nitaj, N.N.H.A.; Ariffin, M.R.B.K. Cryptanalysis of a New Variant of the RSA Cryptosystem. In Proceedings of the AFRICACRYPT 2024, Douala, Cameroon, 10–12 July 2024; Springer: Berlin/Heidelberg, Germany, 2024.
  32. Cherkaoui-Semmouni, M.; Nitaj, A.; Susilo, W.; Tonien, J. Cryptanalysis of RSA Variants with Primes Sharing Most Significant Bits. In Proceedings of the ISC 2021, Virtual Event, 10–12 November 2021; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2021; Volume 13118, pp. 42–53.
  33. De Weger, B. Cryptanalysis of RSA with Small Prime Difference. Appl. Algebra Eng. Commun. Comput. 2002, 13, 17–28.