Partial Exposure Attacks Against a Family of RSA-like Cryptosystems

Abstract

An RSA generalization using complex integers was introduced by Elkamchouchi, Elshenawy and Shaban in 2002. This scheme was further extended by Cotan and Teșeleanu to Galois fields of order $n\ge 1$. In this generalized framework, the key equation is $ed-k(p^n-1)(q^n-1)=1$, where p and q are prime numbers. Note that the classical RSA and Elkamchouchi et al.’s key equations are special cases, namely, when $n=1$ and $n=2$. In addition to introducing this generic family, Cotan and Teșeleanu described a continued fractions attack capable of recovering the secret key d if $d<N^{0.25n}$. This bound was later improved by Teșeleanu using a lattice-based method. In this paper, we explore other lattice attacks that could lead to factoring the modulus $N=pq$, namely, we propose a series of partial exposure attacks that can aid an adversary in breaking this family of cryptosystems if certain conditions hold.

1. Introduction

The RSA, one of the most widely used cryptosystems, was introduced by Rivest, Shamir and Adleman in their 1978 paper [1]. The classical RSA scheme works using elements from the group ${\mathbb{Z}}_N^{*}$, where N is the product of two large prime numbers p and q. More precisely, to encrypt an element $m\in {\mathbb{Z}}_N^{*}$, we have to compute the ciphertext $c\equiv m^{e}modN$, where e satisfies $gcd(e,\phi (N\left)\right)=1$ and $\phi \left(N\right)=(p-1)(q-1)$. To recover the original element, we simply compute $m\equiv c^{d}modN$, where $d\equiv e^{-1}mod\phi \left(N\right)$. The user’s public key is $(N,e)$, while $(p,q,d)$ constitutes its secret key. In this paper, we focus only on primes that satisfy $q<p<2q$ (i.e., have the same bit size), further referred to as balanced primes.

Over time, various attacks were developed to extract the secret key d from the public key $(N,e)$ under certain conditions. Wiener proved in [2] that if $d<N^{0.25}/3$, the secret key d can be recovered from the continued fraction expansion of $e/N$, hence enabling the factorization of N. Boneh and Durfee [3] improved this bound to $d<N^{0.292}$ using Coppersmith’s method [4] and lattice-reduction techniques [5]. Herrmann and May [6] later achieved the same bound with simpler methods. For an overview of RSA attacks, see [7,8,9].

Elkamchouchi, Elshenawy and Shaban [10] extended the RSA scheme to the ring of Gaussian integers modulo N. Such an integer modulo N has the form $a+bi$, where $a,b\in {\mathbb{Z}}_N$ and $i^2=-1$. The set of all Gaussian integers modulo N is denoted by ${\mathbb{Z}}_N\left[i\right]$, and its group order is $\varphi \left(N\right)=(p^2-1)(q^2-1)$. In this case, the encryption exponent e satisfies $gcd(e,\varphi (N\left)\right)=1$, and the decryption exponent d is computed using $d\equiv e^{-1}mod\varphi \left(N\right)$. The encryption and decryption processes mirror those of the RSA: for $m\in {\mathbb{Z}}_N\left[i\right]$, the ciphertext is $c\equiv m^{e}modN$, and to recover m, we compute $m\equiv c^{d}modN$. Note that all operations are performed in the ring ${\mathbb{Z}}_N\left[i\right]$.

Elkamchouchi et al. [10] argued that their extension has better security compared with the traditional RSA. However, Bunder [11] developed a Wiener-type continued fraction attack against this scheme. Using lattice-reduction techniques, the authors of [12,13] improved the bound to $d<N^{0.585}$. For more details on attacks against Elkamchouchi et al.’s scheme, see [9,14].

The rings $Z_p$ and $Z_p\left[i\right]$ can be rewritten as $Z_p={\mathbb{Z}}_p\left[t\right]/(t+1)=GF\left(p\right)$ and $Z_p\left[i\right]={\mathbb{Z}}_p\left[t\right]/(t^2+1)=GF\left(p^2\right)$, where $GF$ stands for a Galois field. Consequently, the underlying RSA group is ${\mathbb{Z}}_N=GF\left(p\right)\times GF\left(q\right)$, while in Elkamchouchi et al.’s case, it is ${\mathbb{Z}}_N\left[i\right]=GF\left(p^2\right)\times GF\left(q^2\right)$. Using these observations, Cotan and Teşeleanu [14] generalized both schemes to $GF\left(p^n\right)\times GF\left(q^n\right)$ for $n\ge 1$. In this case, the group order is ${\phi }_n\left(N\right)=(p^n-1)(q^n-1)$, while the encryption and decryption algorithms are direct extensions of the RSA and Elkamchouchi et al.’s algorithm.

The motivation for this extension was to evaluate whether Wiener-type attacks apply to the generic setting. The authors of [14] proved that when $d<N^{0.25n}$, a continued fractions attack can always recover the secret exponent, regardless of n. This result was extended to unbalanced primes in [15]. The development of a lattice-based attack was left open in [14,15], but it was subsequently resolved in [16], thus leading to a better attack bound.

1.1. Related Work

It is worth noting that our current undertaking shares similarities with the work of [17], where the authors explored a cryptographic system closely related to our own. Specifically, they studied the effect of using latices against the generalized Murru–Saettone cryptosystem [18].

1.2. Our Contributions

In this paper, we develop several lattice-based attacks against Cotan and Teșeleanu’s scheme, thus providing deeper insights into the inner workings of this family. More precisely, we prove that it is possible to factor N if d is smaller than a given threshold and the attacker has knowledge of one of the following:

• The least significant bits of d;
• An approximation of p;
• That the prime difference $|p-q|$ is small;
• That the primes share an amount of least significant bits.

To establish these results, we first prove that ${\phi }_n\left(N\right)$ can be expressed as a polynomial in $p+q-M$ for a given integer M. Next, we show how to reduce each problem to solving an equation of the form $xH\left(y\right)+1\equiv 0mode$, where $H\left(y\right)$ is a monic univariate polynomial. Therefore, this allows us to apply Kunihiro’s method for solving such equations [19].

1.3. Structure of the Paper

Preliminary notions are provided in Section 2. In Section 3, we reevaluate the previous result about the group’s order, while in Section 4, we describe a series of attacks. We conclude our paper in Section 5.

2. Preliminaries

2.1. Notations

Throughout this paper, $\lambda$ denotes a security parameter. Also, the notation $\left|S\right|$ denotes the cardinality of a set S. We use ≃ to indicate that two values are approximately equal.

2.2. Quotient Groups

In this section, we provide the group theory needed to introduce the RSA-like family. Therefore, let $(\mathbb{F},+,·)$ be a field and $t^n-r$ an irreducible polynomial in $\mathbb{F}\left[t\right]$. Then,

$$\begin{array}{c}\hfill {\mathbb{A}}_n=\mathbb{F}\left[t\right]/(t^n-r)=\{a_0+a_{1}t+\dots +a_{n-1}{t}^{n-1}\mid a_0,a_1,\dots ,a_{n-1}\in \mathbb{F}\}\end{array}$$

is the corresponding quotient field. Let $a\left(t\right),b\left(t\right)\in {\mathbb{A}}_n$. We remark that the quotient field induces a natural product:

$$\begin{array}{cc}\hfill a\left(t\right)\circ b\left(t\right)& =\sum _{i=0}^{n-2}\left(\sum _{j=0}^i{a}_j{b}_{i-j}+r\sum _{j=0}^{i+n}{a}_j{b}_{i-j+n}\right)t^i+\sum _{j=0}^{n-1}{a}_j{b}_{n-1-j}{t}^{n-1}.\hfill \end{array}$$

2.3. RSA-like Cryptosystems

Let p be a prime number. When we instantiate $\mathbb{F}={\mathbb{Z}}_p$, we have that ${\mathbb{A}}_n=GF\left(p^n\right)$ is the Galois field of order $p^n$. Moreover, ${\mathbb{A}}_n^{*}$ is a cyclic group of order ${\phi }_n\left({\mathbb{Z}}_p\right)=p^n-1$. We remark that a theorem analogous to Fermat’s little theorem holds:

$$\begin{array}{c}\hfill a{\left(t\right)}^{{\phi }_n\left({\mathbb{Z}}_p\right)}\equiv 1modp,\end{array}$$

where $a\left(t\right)\in {\mathbb{A}}_n^{*}$ and the power is evaluated by ∘-multiplying $a\left(t\right)$ by itself ${\phi }_n\left({\mathbb{Z}}_p\right)-1$ times. Based on these observations, the authors of [14] built an encryption scheme that is similar to the RSA by using the ∘ operation as the product.

• Setup($\lambda$): Let $n\ge 1$ be an integer. Randomly generate two distinct large prime numbers p and q such that $p,q\ge 2^{\lambda }$ and compute their product $N=pq$. Select $r\in {\mathbb{Z}}_N$ such that the polynomial $t^n-r$ is irreducible in ${\mathbb{Z}}_p\left[t\right]$ and ${\mathbb{Z}}_q\left[t\right]$. Let

  $$\begin{array}{c}\hfill {\phi }_n\left({\mathbb{Z}}_N\right)={\phi }_n\left(N\right)=(p^n-1)·(q^n-1).\end{array}$$
  Choose an integer e such that $gcd(e,{\phi }_n\left(N\right))=1$ and compute d such that $ed\equiv 1mod{\phi }_n\left(N\right)$. Output the public key $pk=(n,N,r,e)$. The corresponding secret key is $sk=(p,q,d)$.
• Encrypt($pk,m$): To encrypt a message $m=(m_0,\dots ,m_{n-1})\in {\mathbb{Z}}_N^n$, first construct the polynomial $m\left(t\right)=m_0+\dots +m_{n-1}{t}^{n-1}\in {\mathbb{A}}_n^{*}$, and then compute $c\left(t\right)\equiv {\left[m\left(t\right)\right]}^{e}modN$. Output the ciphertext $c\left(t\right)$.
• Decrypt($sk,c\left(t\right)$): to recover the message, simply compute $m\left(t\right)\equiv {\left[c\left(t\right)\right]}^{d}modN$ and reassemble $m=(m_0,\dots ,m_{n-1})$.

Remark 1.

When $n=1$, we obtain the RSA scheme [1]. Also, when $n=2$, we obtain the Elkamchouchi et al. cryptosystem [10].

2.4. Useful Lemmas

The results presented in this section serve as a foundation for devising our novel attacks on the RSA-like family from Section 4. Hence, we first provide some results about p and q. The first one contains lower and upper bounds for p and q (see [20], Lemma 1).

Lemma 1.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Then, the following property holds:

$$\begin{array}{c}\hfill {\displaystyle \frac{\sqrt{2}}{2}}\sqrt{N}<q<\sqrt{N}<p<\sqrt{2}\sqrt{N}.\end{array}$$

If an approximation of p is known, an approximation of q can be derived using the following result from [21].

Lemma 2.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Let $p_0$ be an approximation of p such that $|p-p_0|<N^{\epsilon }$. Then, $q_0=\lfloor N/p_0\rfloor$ is an approximation of q such that

$$\begin{array}{c}\hfill |q-q_0|<N^{\epsilon }\mathrm{and}|p+q-p_0-q_0|<2N^{\epsilon }.\end{array}$$

When $p-q=2^{s}u$, with s known and u unknown, the following result from [22,23] allows us to determine the s least significant bits of both p and q. Additionally, it enables the recovery of the $2s$ least significant bits of $p+q$.

Lemma 3.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Let $p-q=2^{s}u$ with a known s and an unknown u. We define $u_0$ as a solution of $x^2\equiv Nmod{2}^s$ and

$$\begin{array}{c}\hfill v_0\equiv 2u_0+(N-u_0^2)u_0^{-1}mod{2}^{2s}.\end{array}$$

Then, $p=p_1·2^s+u_0$, $p=q_1·2^s+u_0$ and $p+q=v_1·2^{2s}+v_0$ for some integers $p_1$, $q_1$ and $v_1$.

We further provide a series of results concerning ${\phi }_n$. The following bounds for ${\phi }_n\left(N\right)$, provided in [14], (Corollary 1), imply that ${\phi }_n\left(N\right)$ can be approximated by $N^n$.

Corollary 1.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Then, the following property holds:

$$\begin{array}{c}\hfill {\left({\sqrt{N}}^n-1\right)}^2>{\phi }_n\left(N\right)>N^n\left(1-{\displaystyle \frac{2^n+1}{{\sqrt{2N}}^n}}\right)+1.\end{array}$$

The next two results are proved in [16] and show that ${\phi }_n$ can be written as a polynomial in $p+q$ and that its coefficients can be computed using only N and n.

Proposition 1.

Let N be a positive integer. Then, for any integer $n\ge 1$, the following property holds:

$$\begin{array}{c}\hfill {\phi }_n\left(N\right)=-{(p+q)}^n+\sum _{k=0}^{n-1}{a}_k{(p+q)}^k,\end{array}$$

where $a_k\in \mathbb{Z}$.

Lemma 4.

Let $N=pq$ and $S=p+q$ be two positive integers. Then, for any integer $n\ge 2$, the following property holds:

$$\begin{array}{c}\hfill {\phi }_n\left(N\right)=(N^{n-1}+1)(N-S+1)+S{\phi }_{n-1}\left(N\right)-N{\phi }_{n-2}\left(N\right),\end{array}$$

where ${\phi }_0\left(N\right)=0$ and ${\phi }_1\left(N\right)=N-S+1$.

2.5. Finding Small Roots

In this section, we outline some tools used for solving the problem of finding small roots, both in the modular and integer cases.

Coppersmith [4,24,25] provided rigorous techniques for computing small integer roots of single-variable polynomials modulo an integer, as well as bivariate polynomials over the integers. In the case of modular roots, Coppersmith’s ideas were reinterpreted by Howgrave–Graham [26]. We further provide the Howgrave–Graham result.

Theorem 1.

Let $f(x_1,\dots ,x_n)=\sum a_{i_1\dots i_n}{x}_1^{i_1}\dots x_n^{i_n}\in \mathbb{Z}[x_1,\dots ,x_n]$ be a polynomial with at most ω monomials, α be an integer, and

$$\begin{array}{c}\hfill \left|\right|f(x_1,\dots ,x_n)\left|\right|=\sqrt{\sum |a_{i_1\dots i_n}{|}^2}\end{array}$$

be the norm of f. Suppose that

• $f(y_1,\dots ,y_n)\equiv 0mod\alpha$ for some $|y_1|<X_1,\dots ,\left|y_n\right|<X_n$;
• $\left|\right|f(y_1{X}_1,\dots ,y_n{X}_n)\left|\right|<\alpha /\sqrt{\omega }$.

Then, $f(y_1,\dots ,y_n)=0$ holds over the integers.

Lenstra, Lenstra and Lovász [5] proposed a lattice-reduction algorithm (LLL) that is widely used in cryptanalysis and is typically combined with Howgrave–Graham’s lemma. We further provide the version presented in [27,28].

Theorem 2.

Let L be a lattice of dimension ω. In polynomial time, the LLL algorithm outputs a reduced basis $(b_1,\dots ,b_{\omega })$ that satisfies

$$\begin{array}{c}\hfill \left|\right|b_1\left|\right|\le \dots \le \left|\right|b_i\left|\right|\le 2^{{\displaystyle \frac{\omega (\omega -1)}{4(\omega +1-i)}}}det{\left(L\right)}^{{\displaystyle \frac{1}{\omega +1-i}}},\end{array}$$

where $det\left(L\right)$ is the determinant of lattice L.

Note that the condition

$$\begin{array}{c}\hfill 2^{{\displaystyle \frac{\omega (\omega -1)}{4(\omega +1-i)}}}det{\left(L\right)}^{{\displaystyle \frac{1}{\omega +1-i}}}<\alpha /\sqrt{\omega }\end{array}$$

implies that the polynomials corresponding to $b_i$ match Howgrave–Graham’s bound. This leads to

$$\begin{array}{c}\hfill det\left(L\right)\le \epsilon {\alpha }^{\omega +1-i},\end{array}$$

where $\epsilon$ is an error term that is usually ignored.

In order to find a solution $(y_1,\dots ,y_n)$, we need the following assumption to be true.

Assumption 1.

The LLL reduced-basis polynomials are algebraically independent (they do not share a non-trivial gcd), and the resultant computations for $b_i$ yield the common roots of these polynomials.

In [19], a lattice-based method for finding small solutions of the equation $xH\left(y\right)+c\equiv 0mod\beta$ is provided. This result extends the Boneh and Durfee method [3] and uses the LLL algorithm [5] and Howgrave–Graham’s lemma [26] to derive the solutions. The author shows that the bounds provided in [19] are optimal under reasonable assumptions.

Theorem 3.

Let $H\left(y\right)\in \mathbb{Z}\left[y\right]$ be a monic polynomial with degree $r\ge 1$ and β be an integer. Suppose that

• $x_{0}H\left(y_0\right)+c\equiv 0mod\beta$ for some $|x_0|<X={\beta }^{\delta }$ and $|y_0|<Y={\beta }^{\gamma }$;
• $\left|c\right|<X{Y}^r$.

Then, one can solve the equation $xH\left(y\right)+c\equiv 0mod\beta$ if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\delta \le {\displaystyle \frac{r+2}{2(r+1)}}-{\displaystyle \frac{r+1}{2}}\gamma \hfill & \mathit{when}0<\gamma <r/{(r+1)}^2,\hfill \\ \delta \le 1-\sqrt{r\gamma },\hfill & \mathit{when}r/{(r+1)}^2\le \gamma \le 1/r.\hfill \end{array}\right.\end{array}$$

3. A New Look at ${\mathit{\phi }}_{\mathit{n}}$

In this section, we further generalize the result from Proposition 1. This result is later used as building blocks for some of the partial exposure attacks presented in Section 4.

Proposition 2.

Let N be a positive integer and $M\in \mathbb{Z}$. Then, for any integer $n\ge 1$, the following property holds:

$$\begin{array}{c}\hfill {\phi }_n\left(N\right)=-{(p+q-M)}^n+\sum _{k=0}^{n-1}{a}_k{(p+q-M)}^k,\end{array}$$

where $a_k\in \mathbb{Z}$ and $a_k$ depend only on N, M and n.

Proof. 

We use Lemma 4 to see that this result always holds. In order to be able to apply it, we first need to check that the first two values ${\phi }_1$ and ${\phi }_2$ satisfy this property.

It is easy to see that

$$\begin{array}{cc}\hfill {\phi }_1\left(N\right)& =(p-1)(q-1)=-(p+q)+N+1\hfill \\ \hfill & =-(p+q-M)-M+N+1\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\phi }_2\left(N\right)& =(p^2-1)(q^2-1)=-(p^2+q^2)+N^2+1\hfill \\ \hfill & =-{(p+q-M)}^2-2M(p+q-M)-M^2+N^2+2N+1.\hfill \end{array}$$

Let $S=p+q$. Now, we assume that the property holds for

$$\begin{array}{cc}\hfill {\phi }_{n-1}& =-{(S-M)}^{n-1}+\sum _{k=0}^{n-2}{b}_k{(S-M)}^k,\hfill \\ \hfill {\phi }_{n-2}& =-{(S-M)}^{n-2}+\sum _{k=0}^{n-3}{c}_k{(S-M)}^k,\hfill \end{array}$$

and using Lemma 4, we obtain

$$\begin{array}{cc}\hfill {\phi }_n& =S{\phi }_{n-1}\left(N\right)-N{\phi }_{n-2}\left(N\right)+(N^{n-1}+1)(N-S+1)\hfill \\ \hfill & =(S-M){\phi }_{n-1}\left(N\right)+M{\phi }_{n-1}\left(N\right)-N{\phi }_{n-2}\left(N\right)+(N^{n-1}+1)(N-S+1)\hfill \\ \hfill & =-{(S-M)}^n+\sum _{k=0}^{n-2}{b}_k{(S-M)}^{k+1}-M{(S-M)}^{n-1}+\sum _{k=0}^{n-2}{b}_{k}M{(S-M)}^k\hfill \\ \hfill & +N{(S-M)}^{n-2}-\sum _{k=0}^{n-3}{c}_{k}N{(S-M)}^k+(N^{n-1}+1)(N-S+1)\hfill \\ \hfill & =-{(S-M)}^n+(b_{n-2}-M){(S-M)}^{n-1}+(b_{n-3}+b_{n-2}M+N){(S-M)}^{n-2}\hfill \\ \hfill & +\sum _{k=1}^{n-3}(b_{k-1}+b_{k}M-c_{k}N){(S-M)}^k+b_{0}M-c_{0}N+(N^{n-1}+1)(N-S+1).\hfill \end{array}$$

Therefore, if we set

$$\begin{array}{cc}\hfill a_{n-1}& =b_{n-2}-M\hfill \\ \hfill a_{n-2}& =b_{n-3}+b_{n-2}M+N\hfill \\ \hfill a_k& =b_{k-1}+b_{k}M-c_{k}N,\mathrm{for}k=1,\dots ,n-3\hfill \\ \hfill a_0& =b_{0}M-c_{0}N+(N^{n-1}+1)(N-S+1),\hfill \end{array}$$

we obtain our desired result. □

Using Lemma 4, we can compute the first few values for ${\phi }_n$ as a polynomial in $T=p+q-M$:

$$\begin{array}{cc}\hfill {\phi }_1& =-M+N-T+1\hfill \\ \hfill {\phi }_2& =-M^2-2MT+N^2+2N-T^2+1,\hfill \\ \hfill {\phi }_3& =-M^3-3M^{2}T+3MN-3M{T}^2+N^3+3NT-T^3+1,\hfill \\ \hfill {\phi }_4& =-M^4-4M^{3}T+4M^{2}N-6M^2{T}^2+8MNT-4M{T}^3+N^4-2N^2\hfill \\ & +4N{T}^2-T^4+1,\hfill \\ \hfill {\phi }_5& =-M^5-5M^{4}T+5M^{3}N-10M^3{T}^2+15M^{2}NT-10M^2{T}^3-5M{N}^2\hfill \\ & +15MN{T}^2-5M{T}^4+N^5-5N^{2}T+5N{T}^3-T^5+1,\hfill \\ \hfill {\phi }_6& =-M^6-6M^{5}T+6M^{4}N-15M^4{T}^2+24M^{3}NT-20M^3{T}^3-9M^2{N}^2\hfill \\ & +36M^{2}N{T}^2-15M^2{T}^4-18M{N}^{2}T+24MN{T}^3-6M{T}^5+N^6+2N^3\hfill \\ & -9N^2{T}^2+6N{T}^4-T^6+1.\hfill \end{array}$$

The following corollary is useful in devising our attack when the two primes share a portion of their least significant bits.

Corollary 2.

Let N be a positive integer and $p+q=v_1·2^{2s}+v_0$. Then, for any integer $n\ge 1$, the following property holds:

$$\begin{array}{c}\hfill {\phi }_n\left(N\right)=-v_1^n·2^{2sn}+\sum _{k=0}^{n-1}{b}_k{v}_1^k,\end{array}$$

where $b_k\in \mathbb{Z}$ and $b_k$ depend only on N, $v_0$, n and s.

Proof. 

Rewriting $p+q=v_1·2^{2s}+v_0$, we have $p+q-v_0=v_1·2^{2s}$. Replacing M with $v_0$ in Proposition 2, we obtain

$$\begin{array}{cc}\hfill {\phi }_n\left(N\right)& =-{(p+q-v_0)}^n+\sum _{k=0}^{n-1}{a}_k{(p+q-v_0)}^k\hfill \\ \hfill & =-{(v_1·2^{2s})}^n+\sum _{k=0}^{n-1}{a}_k{(v_1·2^{2s})}^k\hfill \\ \hfill & =-v_1^n·2^{2sn}+\sum _{k=0}^{n-1}(a_k·2^{2sk})v_1^k\hfill \\ \hfill & =-v_1^n·2^{2sn}+\sum _{k=0}^{n-1}{b}_k{v}_1^k,\hfill \end{array}$$

where $b_k=a_k·2^{2sk}$. □

4. Application of Lattices

In this section, we present our lattice-based partial exposure attacks and connect previous results to those introduced in this work.

4.1. Known Least Significant Bits of d

We further provide a method for finding the factorization of N when the attacker knows the least significant bits of d.

Theorem 4.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $d=d_1·2^s+d_0$, where $d_0$ and s are known integers. When $e=N^{\delta }$, $d<N^{\gamma }$ and $2^s=N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le n+\epsilon -\sqrt{0.5n(\delta +\epsilon )},\hfill & \mathit{when}{\displaystyle \frac{n}{2}}-\epsilon \le \delta \le {\displaystyle \frac{{(n+1)}^2}{2n}}-\epsilon ,\hfill \\ \gamma \le {\displaystyle \frac{3n-1}{4}}+{\displaystyle \frac{(n+2)\epsilon -n\delta }{2(n+1)}},\hfill & \mathit{when}{\displaystyle \frac{{(n+1)}^2}{2n}}-\epsilon <\delta \le {\displaystyle \frac{(n+1)(3n-1)}{2n}}+{\displaystyle \frac{(n+2)\epsilon }{n}},\hfill \end{array}\right.\end{array}$$

and $0.5n+\epsilon <\gamma$ when $d_0\ge 1$.

Proof. 

According to Proposition 1, we have that

$$\begin{array}{c}\hfill {\phi }_n\left(N\right)=-{(p+q)}^n+\sum _{k=0}^{n-1}{a}_k{(p+q)}^k,\end{array}$$

where $a_k\in \mathbb{Z}$. Finding $p+q$ is equivalent to solving the equation

$$\begin{array}{c}\hfill h\left(y\right)=-y^n+\sum _{k=0}^{n-1}{a}_k{y}^k,\end{array}$$

or analogously, the monic polynomial $H\left(y\right)=-h\left(y\right)$.

By rewriting the key equation $ed-k{\phi }_n\left(N\right)=1$, we obtain $1+k{\phi }_n\left(N\right)-e{d}_0=e{d}_1·2^s$. Let $E=e·2^s$; then, we have the congruence $k{\phi }_n\left(N\right)+1-e{d}_0\equiv 0modE$, which is equivalent to $k(-{\phi }_n\left(N\right))-1+e{d}_0\equiv 0modE$. Consequently, we deduce the equation $xH\left(y\right)-1+e{d}_0\equiv 0modE$, which has k and $p+q$ as solutions.

In order to be able to apply Theorem 3, we first need to bound k and $p+q$. Since $k{\phi }_n\left(N\right)=ed-1<ed$ and $N^n<\phi \left(N\right)$ (see Corollary 1), we obtain that

$$\begin{array}{c}\hfill k<{\displaystyle \frac{ed}{{\phi }_n\left(N\right)}}<N^{\delta +\gamma -n}.\end{array}$$

Using Lemma 1, we have that $p+q<3\sqrt{N}$. Therefore, we have that $k<X=E^{(\delta +\gamma -n)/(\delta +\epsilon )}$ and $p+q<Y\simeq E^{0.5/(\delta +\epsilon )}$.

According to Theorem 3, we can find the solutions $x_0=k$ and $y_0=p+q$ to the equation $xH\left(y\right)-1+e{d}_0\equiv 0modE$ if certain conditions are met.

We start with bounding the constant $|e{d}_0-1|$. We obtain the following inequalities:

$$\begin{array}{cc}\hfill |e{d}_0-1|<e{d}_0<e·2^s& <X{Y}^n=E^{{\displaystyle \frac{\delta +\gamma -n}{\delta +\epsilon }}}·E^{{\displaystyle \frac{0.5n}{\delta +\epsilon }}},\hfill \end{array}$$

and the last one is equivalent to

$$\begin{array}{c}\hfill 1<E^{{\displaystyle \frac{\gamma -0.5n-\epsilon }{\delta +\epsilon }}}\iff 0.5n+\epsilon <\gamma .\end{array}$$

The last inequality has to hold when $d_0\ge 1$, and no restrictions are necessary otherwise.

Now, let us consider the first case of Theorem 3. We have

$$\begin{array}{cc}\hfill 0& \le {\displaystyle \frac{1}{2(\delta +\epsilon )}}<{\displaystyle \frac{n}{{(n+1)}^2}}\iff {\displaystyle \frac{{(n+1)}^2}{2n}}-\epsilon <\delta \hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\displaystyle \frac{\delta +\gamma -n}{\delta +\epsilon }}& \le {\displaystyle \frac{n+2}{2(n+1)}}-{\displaystyle \frac{n+1}{2}}·{\displaystyle \frac{1}{2(\delta +\epsilon )}}\hfill \\ \hfill & \iff \delta +\gamma -n\le {\displaystyle \frac{(n+2)(\delta +\epsilon )}{2(n+1)}}-{\displaystyle \frac{n+1}{4}}\hfill \\ & \iff \gamma \le n-{\displaystyle \frac{n+1}{4}}+\left({\displaystyle \frac{n+2}{2(n+1)}}-1\right)\delta +{\displaystyle \frac{(n+2)\epsilon }{2(n+1)}}\hfill \\ \hfill & \iff \gamma \le {\displaystyle \frac{3n-1}{4}}-{\displaystyle \frac{n\delta }{2(n+1)}}+{\displaystyle \frac{(n+2)\epsilon }{2(n+1)}}.\hfill \end{array}$$

Since we also want $\gamma \ge 0$, we must have

$$\begin{array}{c}\hfill 0\le -{\displaystyle \frac{n\delta }{2(n+1)}}+{\displaystyle \frac{(n+2)\epsilon }{2(n+1)}}+{\displaystyle \frac{3n-1}{4}}\iff \delta \le {\displaystyle \frac{(n+1)(3n-1)}{2n}}+{\displaystyle \frac{(n+2)\epsilon }{n}}.\end{array}$$

In the second case of Theorem 3, we have

$$\begin{array}{cc}\hfill {\displaystyle \frac{n}{{(n+1)}^2}}& \le {\displaystyle \frac{1}{2(\delta +\epsilon )}}\le {\displaystyle \frac{1}{n}}\iff {\displaystyle \frac{n}{2}}-\epsilon \le \delta \le {\displaystyle \frac{{(n+1)}^2}{2n}}-\epsilon \hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\displaystyle \frac{\delta +\gamma -n}{\delta +\epsilon }}\le 1-{\displaystyle \frac{\sqrt{n}}{\sqrt{2(\delta +\epsilon )}}}& \iff \delta +\gamma -n\le \delta +\epsilon -\sqrt{0.5n(\delta -\epsilon )}\hfill \\ \hfill & \iff \gamma \le n+\epsilon -\sqrt{0.5n(\delta +\epsilon )}.\hfill \end{array}$$

Since we also want $\gamma \ge 0$, we must have

$$\begin{array}{c}\hfill 0\le n+\epsilon -\sqrt{0.5n(\delta +\epsilon )}\iff \delta \le 2n+3\epsilon +{\displaystyle \frac{2{\epsilon }^2}{n}}.\end{array}$$

Note that ${(n+1)}^2/2n\le 2n$ for $n\ge 1$, and thus, ${(n+1)}^2/2n-\epsilon \le 2n+3\epsilon +2{\epsilon }^2/n$.

Once $y_0$ is found, solving the following system of equations:

$$\begin{array}{c}\hfill \left\{\begin{array}{c}p+q=y_0\hfill \\ pq=N\hfill \end{array}\right.\end{array}$$

enables us to factorize the modulus N. □

When the case $s=0$ is considered, the lattice attack presented in [16] for the RSA-like family becomes a special case of Theorem 4.

Corollary 3.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $e=N^{\delta }$ and $d<N^{\gamma }$. We can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le n-\sqrt{0.5n\delta },\hfill & \mathit{when}{\displaystyle \frac{n}{2}}\le \delta \le {\displaystyle \frac{{(n+1)}^2}{2n}},\hfill \\ \gamma \le {\displaystyle \frac{3n-1}{4}}-{\displaystyle \frac{n\delta }{2(n+1)}},\hfill & \mathit{when}{\displaystyle \frac{{(n+1)}^2}{2n}}<\delta \le {\displaystyle \frac{(n+1)(3n-1)}{2n}}.\hfill \end{array}\right.\end{array}$$

The following corollary tells us what happens when e is large enough.

Corollary 4.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $d=d_1·2^s+d_0$, where $d_0$ and s are known integers. When $e\simeq N^n$, $d<N^{\gamma }$ and $2^s=N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le n+\epsilon -\sqrt{0.5n(n+\epsilon )},\hfill & \mathit{when}n=1\mathrm{or}n=2,\hfill \\ \gamma \le {\displaystyle \frac{3n-1}{4}}+{\displaystyle \frac{(n+2)\epsilon -n^2}{2(n+1)}},\hfill & \mathit{otherwise}.\hfill \end{array}\right.\end{array}$$

Proof. 

In the first case, we must have $n/2-\epsilon \le n\le {(n+1)}^2/2n-\epsilon$. The first inequality is always true. Let us check the conditions for the second one:

$$\begin{array}{cc}\hfill n\le {\displaystyle \frac{{(n+1)}^2}{2n}}-\epsilon & \iff 2n^2\le n^2+2n+1-\epsilon \hfill \\ & \iff {(n-1)}^2\le 2-\epsilon \hfill \\ & \iff n\le \sqrt{2-\epsilon }+1\le 2.42.\hfill \end{array}$$

Thus, the second inequality is true only for $n=1$ or $n=2$.

In the second case, according to the previous statements, we automatically have ${(n+1)}^2/2n-\epsilon <n$ for $n\ge 3$. Therefore, we only need to check whether

$$\begin{array}{cc}\hfill n\le {\displaystyle \frac{(n+1)(3n-1)}{2n}}+{\displaystyle \frac{(n+2)\epsilon }{n}}& \iff 2n^2\le 3n^2+2n-1+2(n+2)\epsilon \hfill \\ \hfill & \iff 2\le {(n+1)}^2+2(n+2)\epsilon .\hfill \end{array}$$

This inequality is always true for $n\ge 3$. This concludes our proof. □

When cases $(s,n)=(0,1)$ and $(s,n)=(0,2)$ are considered, the optimal bounds presented in [3,6] for the RSA and [12,13] for Elkamchouchi et al.’s scheme become special cases of Corollary 4.

Corollary 5.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $n=1$, $e\simeq N$ and $d<N^{\gamma }$. We can factor N in polynomial time if $\gamma \le (2-\sqrt{2})/2\simeq 0.292$.

Corollary 6.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $n=2$, $e\simeq N^2$ and $d<N^{\gamma }$. We can factor N in polynomial time if $\gamma \le 2-\sqrt{2}\simeq 0.585$.

4.2. Known Approximation of p

We further provide a method for finding the factorization of N when the attacker knows an approximation $p_0$ of p. Note that when $n=2$, we obtain the same bound as the one presented in [21].

Theorem 5.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $p_0$ be a known approximation of p. When $e=N^{\delta }$, $d<N^{\gamma }$ and $|p-p_0|<N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le n-\sqrt{\epsilon n\delta },\hfill & \mathit{when}\epsilon n\le \delta \le {\displaystyle \frac{\epsilon {(n+1)}^2}{n}},\hfill \\ \gamma \le {\displaystyle \frac{n(2-\epsilon )-1}{2}}-{\displaystyle \frac{n\delta }{2(n+1)}},\hfill & \mathit{when}{\displaystyle \frac{\epsilon {(n+1)}^2}{n}}<\delta \le {\displaystyle \frac{(n+1)\left[n\right(2-\epsilon )-1]}{n}},\hfill \end{array}\right.\end{array}$$

and $\epsilon <(2n-1)/(2n+1)$.

Proof. 

Using Lemma 2, we have that $q_0=\lfloor N/p_0\rfloor$ is an approximation of q such that

$$\begin{array}{c}\hfill |q-q_0|<N^{\epsilon }\mathrm{and}|p+q-p_0-q_0|<2N^{\epsilon }.\end{array}$$

Setting $M=p_0+q_0$ in Proposition 2, we obtain that

$$\begin{array}{c}\hfill {\phi }_n\left(N\right)=-{(p+q-p_0-q_0)}^n+\sum _{k=0}^{n-1}{a}_k{(p+q-p_0-q_0)}^k,\end{array}$$

where $a_k\in \mathbb{Z}$. Finding $p+q-p_0-q_0$ is equivalent to solving the equation

$$\begin{array}{c}\hfill h\left(y\right)=-y^n+\sum _{k=0}^{n-1}{a}_k{y}^k,\end{array}$$

or analogously, the monic polynomial $H\left(y\right)=-h\left(y\right)$.

By rewriting the key equation $ed-k{\phi }_n\left(N\right)=1$, we obtain the congruence $k{\phi }_n\left(N\right)+1\equiv 0mode$, which is equivalent to $k(-{\phi }_n\left(N\right))-1\equiv 0mode$. Consequently, we deduce the equation $xH\left(y\right)-1\equiv 0mode$, which has k and $p+q-p_0-q_0$ as solutions.

In order to be able to apply Theorem 3, we first need to bound k and $p+q-p_0-q_0$. Since $k{\phi }_n\left(N\right)=ed-1<ed$ and $N^n<\phi \left(N\right)$ (see Corollary 1), we obtain that

$$\begin{array}{c}\hfill k<{\displaystyle \frac{ed}{{\phi }_n\left(N\right)}}<N^{\delta +\gamma -n}.\end{array}$$

Using Lemma 2, we have that $|p+q-p_0-q_0|<2N^{\epsilon }$. Therefore, we have that $k<X=e^{(\delta +\gamma -n)/\delta }$ and $|p+q-p_0-q_0|<Y\simeq e^{\epsilon /\delta }$.

According to Theorem 3, we can find the solutions $x_0=k$ and $y_0=p+q-p_0-q_0$ to the equation $xH\left(y\right)-1\equiv 0mode$ if certain conditions are met.

Let us consider the first case of Theorem 3. We have

$$\begin{array}{cc}\hfill 0& \le {\displaystyle \frac{\epsilon }{\delta }}<{\displaystyle \frac{n}{{(n+1)}^2}}\iff {\displaystyle \frac{\epsilon {(n+1)}^2}{n}}<\delta \hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\displaystyle \frac{\delta +\gamma -n}{\delta }}\le {\displaystyle \frac{n+2}{2(n+1)}}-{\displaystyle \frac{n+1}{2}}·{\displaystyle \frac{\epsilon }{\delta }}& \iff \delta +\gamma -n\le {\displaystyle \frac{(n+2)\delta }{2(n+1)}}-{\displaystyle \frac{\epsilon (n+1)}{2}}\hfill \\ & \iff \gamma \le n-{\displaystyle \frac{\epsilon (n+1)}{2}}+\left({\displaystyle \frac{n+2}{2(n+1)}}-1\right)\delta \hfill \\ \hfill & \iff \gamma \le {\displaystyle \frac{n(2-\epsilon )-1}{2}}-{\displaystyle \frac{n\delta }{2(n+1)}}.\hfill \end{array}$$

Since we also want $\gamma \ge 0$, we must have

$$\begin{array}{c}\hfill 0\le -{\displaystyle \frac{n\delta }{2(n+1)}}+{\displaystyle \frac{n(2-\epsilon )-1}{2}}\iff \delta \le {\displaystyle \frac{(n+1)\left[n\right(2-\epsilon )-1]}{n}}.\end{array}$$

This leads to

$$\begin{array}{cc}\hfill {\displaystyle \frac{\epsilon {(n+1)}^2}{n}}<{\displaystyle \frac{(n+1)\left[n\right(2-\epsilon )-1]}{n}}& \iff \epsilon (n+1)<n(2-\epsilon )-1\hfill \\ & \iff \epsilon <{\displaystyle \frac{2n-1}{2n+1}}.\hfill \end{array}$$

(1)

In the second case of Theorem 3, we have

$$\begin{array}{cc}\hfill {\displaystyle \frac{n}{{(n+1)}^2}}& \le {\displaystyle \frac{\epsilon }{\delta }}\le {\displaystyle \frac{1}{n}}\iff \epsilon n\le \delta \le {\displaystyle \frac{\epsilon {(n+1)}^2}{n}}\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\displaystyle \frac{\delta +\gamma -n}{\delta }}\le 1-{\displaystyle \frac{\sqrt{\epsilon n}}{\sqrt{\delta }}}& \iff \delta +\gamma -n\le \delta -\sqrt{\epsilon n\delta }\hfill \\ \hfill & \iff \gamma \le n-\sqrt{\epsilon n\delta }.\hfill \end{array}$$

Since we also want $\gamma \ge 0$, we must have

$$\begin{array}{c}\hfill 0\le n-\sqrt{\epsilon n\delta }\iff \delta \le {\displaystyle \frac{n}{\epsilon }}.\end{array}$$

Therefore, we need to check that

$$\begin{array}{c}\hfill {\displaystyle \frac{\epsilon {(n+1)}^2}{n}}<{\displaystyle \frac{n}{\epsilon }}\iff \epsilon <{\displaystyle \frac{n}{n+1}}.\end{array}$$

Note that Equation (1) implies that

$$\begin{array}{c}\hfill \epsilon <{\displaystyle \frac{2n-1}{2n+1}}<{\displaystyle \frac{n}{n+1}}.\end{array}$$

Once $y_0$ is found, solving the following system of equations

$$\begin{array}{c}\hfill \left\{\begin{array}{c}p+q=y_0+p_0+q_0\hfill \\ pq=N\hfill \end{array}\right.\end{array}$$

enables us to factorize the modulus N. □

The following corollary tells us what happens when e is large enough.

Corollary 7.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $p_0$ be a known approximation of p. When $e\simeq N^n$, $d<N^{\gamma }$ and $|p-p_0|<N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le n(1-\sqrt{\epsilon }),\hfill & \mathit{when}{\displaystyle \frac{n^2}{{(n+1)}^2}}\le \epsilon \le {\displaystyle \frac{2n-1}{2n+1}},\hfill \\ \gamma \le {\displaystyle \frac{n(2-\epsilon )-1}{2}}-{\displaystyle \frac{n^2}{2(n+1)}},\hfill & \mathit{when}0<\epsilon \le {\displaystyle \frac{n^2}{{(n+1)}^2}},\hfill \end{array}\right.\end{array}$$

and $\epsilon <(2n-1)/(2n+1)$.

Proof. 

The only thing that we need to prove are the bounds provided in the statement. The first bound from Theorem 5 becomes

$$\begin{array}{c}\hfill \epsilon n\le n\le {\displaystyle \frac{\epsilon {(n+1)}^2}{n}}\iff {\displaystyle \frac{n^2}{{(n+1)}^2}}\le \epsilon \le 1,\end{array}$$

but we also have that $\epsilon <(2n-1)/(2n+1)<1$. Thus, we obtain the first bound.

The second bound from Theorem 5 becomes

$$\begin{array}{c}\hfill {\displaystyle \frac{\epsilon {(n+1)}^2}{n}}<n\le {\displaystyle \frac{(n+1)\left[n\right(2-\epsilon )-1]}{n}}\iff \epsilon <{\displaystyle \frac{n^2}{{(n+1)}^2}}\mathrm{and}\epsilon \le {\displaystyle \frac{n^2+n-1}{n^2+n}}.\end{array}$$

Since we also want $\epsilon >0$, we obtain our desired result. □

For the cases $n=1$ and $n=2$, we derive the following bounds. Notice that for $n=1$, our result is similar to the one presented in [29], which states that if $|p-p_0|<N^{\epsilon }/8$ and $\epsilon <0.5$, then d can be recovered if $\gamma <(1-\epsilon )/2$. The key difference is that Nassr, Anwar and Bahig’s attack relies on continued fractions, whereas ours is lattice-based. Note that for the RSA, a lattice approach that leads to a similar bound can be found in [30]. When $n=2$, the optimal bounds presented in [31] for Elkamchouchi et al.’s scheme are identical with ours.

Corollary 8.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $p_0$ be a known approximation of p. When $n=1$, $e=N$, $d<N^{\gamma }$ and $|p-p_0|<N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le 1-\sqrt{\epsilon },\hfill & \mathit{when}0.25\le \epsilon <0.\left(3\right),\hfill \\ \gamma \le {\displaystyle \frac{1-\epsilon }{2}},\hfill & \mathit{when}\epsilon <0.25.\hfill \end{array}\right.\end{array}$$

Corollary 9.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $p_0$ be a known approximation of p. When $n=2$, $e=N^2$, $d<N^{\gamma }$ and $|p-p_0|<N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le 2(1-\sqrt{\epsilon }),\hfill & \mathit{when}0.\left(4\right)\le \epsilon <0.6,\hfill \\ \gamma \le {\displaystyle \frac{3-2\epsilon }{2}},\hfill & \mathit{when}\delta <0.\left(4\right).\hfill \end{array}\right.\end{array}$$

The following corollary tells us what happens if the prime difference $|p-q|$ is small (or stated alternatively, the primes share the most significant bits). Note that when $n=2$ and $e=N^2$, the bound presented in [32] for Elkamchouchi et al.’s scheme is a special case of Corollary 10. For RSA, similar bounds to ours are provided in [30,33].

Corollary 10.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. When $e=N^{\delta }$, $d<N^{\gamma }$ and $|p-q|<N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le n-\sqrt{\epsilon n\delta },\hfill & \mathit{when}\epsilon n\le \delta \le {\displaystyle \frac{\epsilon {(n+1)}^2}{n}},\hfill \\ \gamma \le {\displaystyle \frac{n(2-\epsilon )-1}{2}}-{\displaystyle \frac{n\delta }{2(n+1)}},\hfill & \mathit{when}{\displaystyle \frac{\epsilon {(n+1)}^2}{n}}<\delta \le {\displaystyle \frac{(n+1)\left[n\right(2-\epsilon )-1]}{n}},\hfill \end{array}\right.\end{array}$$

and $\epsilon <(2n-1)/(2n+1)$.

Proof. 

Using Lemma 1, we have that $q<\sqrt{N}<p$, which leads to

$$\begin{array}{c}\hfill 0<p-\sqrt{N}<p-q<N^{\epsilon }.\end{array}$$

Therefore, $\sqrt{N}$ is a good approximation for p. Using Theorem 5, we obtain our desired bound. □

4.3. Primes Sharing the Least Significant Bits

Finally, we provide a factorization method for N when the two primes share an amount of the least significant bits.

Theorem 6.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $p-q=v_1·2^s+v_0$, where s is a known integer. When $e=N^{\delta }$, $d<N^{\gamma }$ and $2^s=N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le n-\sqrt{0.5n\delta (1-4\epsilon )},\hfill & \mathit{when}{\displaystyle \frac{n(1-4\epsilon )}{2}}\le \delta \le {\displaystyle \frac{(1-4\epsilon ){(n+1)}^2}{2n}},\hfill \\ \gamma \le {\displaystyle \frac{3n-1}{4}}+\epsilon (n+1)-{\displaystyle \frac{n\delta }{2(n+1)}},\hfill & \mathit{when}{\displaystyle \frac{(1-4\epsilon ){(n+1)}^2}{2n}}<\delta \le {\displaystyle \frac{4\epsilon {(n+1)}^2+(n+1)(3n-1)}{2n}},\hfill \end{array}\right.\end{array}$$

and $0.5n<\delta +\gamma$.

Proof. 

According to Corollary 2, we have that

$$\begin{array}{c}\hfill {\phi }_n\left(N\right)=-v_1^n·2^{2sn}+\sum _{k=0}^{n-1}{b}_k{v}_1^k,\end{array}$$

where $b_k\in \mathbb{Z}$. Finding $v_1$ is equivalent to solving the equation

$$\begin{array}{c}\hfill h\left(y\right)=-2^{2sn}·\left(y^n-\sum _{k=0}^{n-1}{\displaystyle \frac{b_k{y}^k}{2^{2sn}}}\right),\end{array}$$

or analogously, the monic polynomial $H\left(y\right)=-h\left(y\right)/2^{2sn}$.

By rewriting the key equation $ed-k{\phi }_n\left(N\right)=1$, we obtain the congruence $k(-2^{-2sn}·{\phi }_n\left(N\right))-2^{-2sn}\equiv 0mode$. Note that $2^{-2sn}$ makes sense since $gcd(2,e)=1$. Consequently, we deduce the equation $xH\left(y\right)-2^{-2sn}\equiv 0mode$, which has k and $v_1$ as solutions.

In order to be able to apply Theorem 3, we first need to bound k and $v_1$. Since $k{\phi }_n\left(N\right)=ed-1<ed$ and $N^n<\phi \left(N\right)$ (see Corollary 1), we obtain that

$$\begin{array}{c}\hfill k<{\displaystyle \frac{ed}{{\phi }_n\left(N\right)}}<N^{\delta +\gamma -n}.\end{array}$$

Using Lemma 1, we have that $p+q=v_1·2^{2s}+v_0<3\sqrt{N}$, and thus,

$$\begin{array}{c}\hfill v_1={\displaystyle \frac{p+q-v_0}{2^{2s}}}<3N^{0.5-2\epsilon }.\end{array}$$

Note that if $v_1=1$ or $v_1=2$, we can easily factor N. Hence, we can safely assume that $0.5-2\epsilon >0$. Therefore, we have that $k<X=e^{(\delta +\gamma -n)/\delta }$ and $v_1<Y\simeq e^{(0.5-2\epsilon )/\delta }$.

According to Theorem 3, we can find the solutions $x_0=k$ and $y_0=v_1$ to equation $xH\left(y\right)-2^{-2sn}\equiv 0modE$ if certain conditions are met.

We start with bounding the constant $|-2^{-2sn}|$. We obtain the following inequality:

$$\begin{array}{c}\hfill |-2^{-2sn}|=2^{-2sn}=N^{-2n\epsilon }=e^{{\displaystyle \frac{-2n\epsilon }{\delta }}}<e^{{\displaystyle \frac{\delta +\gamma -n}{\delta }}}·e^{{\displaystyle \frac{(0.5-2\epsilon )n}{\delta }}}=e^{{\displaystyle \frac{\delta +\gamma -(0.5+2\epsilon )n}{\delta }}},\end{array}$$

which is equivalent to

$$\begin{array}{c}\hfill -2n\epsilon <\delta +\gamma -(0.5+2\epsilon )n\iff 0.5n<\delta +\gamma .\end{array}$$

Now, let us consider the first case of Theorem 3. We have

$$\begin{array}{cc}\hfill 0& \le {\displaystyle \frac{1-4\epsilon }{2\delta }}<{\displaystyle \frac{n}{{(n+1)}^2}}\iff {\displaystyle \frac{(1-4\epsilon ){(n+1)}^2}{2n}}<\delta \hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\displaystyle \frac{\delta +\gamma -n}{\delta }}& \le {\displaystyle \frac{n+2}{2(n+1)}}-{\displaystyle \frac{n+1}{2}}·{\displaystyle \frac{1-4\epsilon }{2\delta }}\hfill \\ \hfill & \iff \delta +\gamma -n\le {\displaystyle \frac{(n+2)\delta }{2(n+1)}}-{\displaystyle \frac{(1-4\epsilon )(n+1)}{4}}\hfill \\ & \iff \gamma \le n-{\displaystyle \frac{(1-4\epsilon )(n+1)}{4}}+\left({\displaystyle \frac{n+2}{2(n+1)}}-1\right)\delta \hfill \\ \hfill & \iff \gamma \le {\displaystyle \frac{3n-1}{4}}+\epsilon (n+1)-{\displaystyle \frac{n\delta }{2(n+1)}}.\hfill \end{array}$$

Since we also want $\gamma \ge 0$, we must have

$$\begin{array}{cc}\hfill 0\le -{\displaystyle \frac{n\delta }{2(n+1)}}+\epsilon (n+1)& +{\displaystyle \frac{3n-1}{4}}\hfill \\ \hfill & \iff \delta \le {\displaystyle \frac{4\epsilon {(n+1)}^2+(n+1)(3n-1)}{2n}}.\hfill \end{array}$$

In the second case of Theorem 3, we have

$$\begin{array}{cc}\hfill {\displaystyle \frac{n}{{(n+1)}^2}}& \le {\displaystyle \frac{1-4\epsilon }{2\delta }}\le {\displaystyle \frac{1}{n}}\iff {\displaystyle \frac{n(1-4\epsilon )}{2}}\le \delta \le {\displaystyle \frac{(1-4\epsilon ){(n+1)}^2}{2n}}\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\displaystyle \frac{\delta +\gamma -n}{\delta }}\le 1-{\displaystyle \frac{\sqrt{n(1-4\epsilon )}}{\sqrt{2\delta }}}& \iff \delta +\gamma -n\le \delta -\sqrt{0.5n\delta (1-4\epsilon )}\hfill \\ \hfill & \iff \gamma \le n-\sqrt{0.5n\delta (1-4\epsilon )}.\hfill \end{array}$$

Since we also want $\gamma \ge 0$, we must have

$$\begin{array}{c}\hfill 0\le n-\sqrt{0.5n\delta (1-4\epsilon )}\iff \delta \le {\displaystyle \frac{2n}{1-4\epsilon }}.\end{array}$$

Once $y_0$ is found, solving the following system of equations

$$\begin{array}{c}\hfill \left\{\begin{array}{c}p+q=y_0·2^{2s}+v_0\hfill \\ pq=N\hfill \end{array}\right.\end{array}$$

enables us to factorize the modulus N. □

The following corollary tells us what happens when e is large enough.

Theorem 7.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $p-q=v_1·2^s+v_0$, where s is a known integer. When $n>2$, $e\simeq N^n$, $d<N^{\gamma }$ and $2^s=N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \gamma \le {\displaystyle \frac{3n-1}{4}}+\epsilon (n+1)-{\displaystyle \frac{n^2}{2(n+1)}}.\end{array}$$

Proof. 

The only thing that we need to prove are the bounds provided in the statement. The first bound from Theorem 6 becomes

$$\begin{array}{c}\hfill {\displaystyle \frac{n(1-4\epsilon )}{2}}\le n\le {\displaystyle \frac{(1-4\epsilon ){(n+1)}^2}{2n}}\iff \epsilon \le {\displaystyle \frac{1}{4}}-{\displaystyle \frac{n^2}{2{(n+1)}^2}}.\end{array}$$

The second bound from Theorem 6 becomes

$$\begin{array}{cc}\hfill {\displaystyle \frac{(1-4\epsilon ){(n+1)}^2}{2n}}& <n\le {\displaystyle \frac{4\epsilon {(n+1)}^2+(n+1)(3n-1)}{2n}}\hfill \\ & \iff {\displaystyle \frac{1}{4}}-{\displaystyle \frac{n^2}{2{(n+1)}^2}}<\epsilon \mathrm{and}{\displaystyle \frac{-n^2-2n+1}{4{(n+1)}^2}}\le \epsilon .\hfill \end{array}$$

Therefore, we obtain the following result

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le n[1-\sqrt{0.5(1-4\epsilon )}],\hfill & \mathrm{when}\epsilon \le {\displaystyle \frac{1}{4}}-{\displaystyle \frac{n^2}{2{(n+1)}^2}},\hfill \\ \gamma \le {\displaystyle \frac{3n-1}{4}}+\epsilon (n+1)-{\displaystyle \frac{n^2}{2(n+1)}},\hfill & \mathrm{when}{\displaystyle \frac{1}{4}}-{\displaystyle \frac{n^2}{2{(n+1)}^2}}<\epsilon .\hfill \end{array}\right.\end{array}$$

(2)

Note that we also want $\epsilon >0$. When $n>2$, we obtain just this only in the second case, and thus, we obtain our desired result. □

When $n=1$ and $n=2$, we obtain the following bounds. Note that these results are a direct consequence of Equation (2).

Corollary 11.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $p-q=v_1·2^s+v_0$, where s is a known integer. When $n=1$, $e=N$, $d<N^{\gamma }$ and $2^s=N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le 1-\sqrt{0.5(1-4\epsilon )},\hfill & \mathit{when}\epsilon \le 0.125,\hfill \\ \gamma \le {\displaystyle \frac{1+4\epsilon }{2}},\hfill & \mathit{when}0.125<\epsilon .\hfill \end{array}\right.\end{array}$$

Corollary 12.

Let $N=pq$ be the product of two unknown primes with $q<p<2q$. Also, let $p-q=v_1·2^s+v_0$, where s is a known integer. When $n=2$, $e=N^2$, $d<N^{\gamma }$ and $2^s=N^{\epsilon }$, we can factor N in polynomial time if

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\gamma \le n-\sqrt{0.5n\delta (1-4\epsilon )},\hfill & \mathit{when}\epsilon \le 0.02\left(7\right),\hfill \\ \gamma \le {\displaystyle \frac{5+12\epsilon }{4}},\hfill & \mathit{when}0.02\left(7\right)<\epsilon .\hfill \end{array}\right.\end{array}$$

5. Conclusions

In this paper, we present several lattice-based attacks on a family of RSA-like cryptosystems. To execute our attacks, we first reduce the problem to solving an equation of type $xH\left(y\right)-1\equiv 0mode$, after which we apply a result proven by Kunihiro [19]. The resulting bounds extend prior results for the RSA and the scheme by Elkamchouchi et al. while providing deeper insights into selecting optimal parameters for the broader RSA-like family.

Future Work

An interesting research direction is whether more of the attacks presented in [7,8,9,14] can be adapted to the general case.