Security Issues of Novel RSA Variant

RSA is one of the current default cryptosystems, providing security for applications such as encryption and digital signatures. It is important to further study the weak characteristics of RSA to ensure that it is used correctly and is not left susceptible to adversaries. In this paper, we give a detailed analysis of the security of the Murru-Saettone variant of the RSA cryptosystem, which utilises a cubic Pell equation, with $ed - k(p^2 + p + 1)(q^2 + q + 1) = 1$ as key equation and $N = pq$ as RSA modulus. We propose some attacks on this variant when the prime difference $|p - q|$ is small. Our first approach utilises the continued fractions algorithm to determine the parameter $d$, which enables us to determine the secret $p$ and $q$. Our second approach uses Coppersmith's method and lattice basis reduction to factor the modulus $N$. Our attacks improve recent cryptanalyses of the cubic Pell equation variant of RSA. Furthermore, our attacks prove that, in the small prime difference scenario, the number of susceptible private exponents for the cubic Pell equation variant of RSA is much larger than for standard RSA.


I. INTRODUCTION
The existence of cryptography has become essential in line with the demand for transmitting data over digital platforms. Prior to the 70s, data was relayed via symmetric cryptography. However, this kind of cryptography was no longer effective once the number of users escalated significantly. The problem that arose led to the development of asymmetric cryptography, namely RSA [15]. By employing different encryption and decryption keys, the RSA scheme designed by Rivest, Shamir and Adleman publishes the key pair $(N, e)$ for encryption while keeping $(N, d)$ private, as it is needed to decrypt the data safely. To this day, RSA is implemented worldwide in various applications such as smart cards, e-commerce, email and remote login sessions, as it guarantees the security of the user's information.
One of the main features of RSA is the modulus $N = pq$, where $p$ and $q$ are large primes satisfying $q < p < 2q$. Let $\varphi(N) = (p - 1)(q - 1)$ be the Euler totient function. Suppose that $e$ and $d$ are the public and private RSA parameters satisfying the equation $ed \equiv 1 \pmod{\varphi(N)}$. An ingenious element of this cryptosystem is that the message is encrypted and decrypted using modular equations. That is, for encryption, the sender computes $C \equiv M^e \pmod{N}$, where $C$ is the ciphertext and $M$ is the original message or plaintext. Since $d$ is the multiplicative inverse of $e$, decryption simply requires computing $M \equiv C^d \pmod{N}$. However, decryption is not possible without the value $d$. Furthermore, the values of $p$, $q$ and $\varphi(N)$ are also kept private. Hence, the cryptosystem is secure from attacks.
Since its invention, RSA has been widely used for encryption and has been intensively studied for vulnerabilities [5]. There have been attempts at factoring the modulus $N = pq$ by studying its features and the methods applicable to factoring it. In fact, the study in [7] showed that a 768-bit RSA modulus is insecure, as it can be factored using the number field sieve factoring method. Meanwhile, the work in [11] studied a method of semi-prime factorization and showed that it managed to factor the RSA modulus from [7]. Apart from that, the use of a small $d$ may also lead to vulnerability, although it helps to improve efficiency. In 1990, Wiener [19] presented a method, based on the continued fractions algorithm, to factor $N$ when $d < \frac{1}{3}N^{\frac{1}{4}}$, and the bound was later improved to $d < N^{0.292}$ [2]. Applying variants of RSA is another endeavour made by researchers to increase its efficiency. For instance, Takagi [17] utilised the multi-power RSA modulus $N = p^r q$ and proved that it can shorten the execution time of the decryption process, provided the Chinese Remainder Theorem and the Hensel lifting lemma are used. Note that [17] only considers the case when $r$ is small. Motivated by the advantage of this finding, a few more studies followed. The works [10] and [16] found weaknesses in this variant: they showed that the cryptosystem is vulnerable to attacks if certain conditions are satisfied. Their attacks work for large values of $r$.
Later in 2018, Murru and Saettone [12] constructed a new RSA variant based on the cubic Pell equation $x^3 + ry^3 + r^2z^3 - 3rxyz = 1$ modulo an RSA modulus $N = pq$. Both $e$ and $d$ satisfy the following equation, For the proposed scheme, its security is examined in [12]. In [14], Nitaj et al. presented a cryptanalysis of the scheme using continued fractions and Coppersmith's method. In particular, an adversary can break In [20], Zheng et al. presented another cryptanalysis of the scheme and obtained a better bound for $\delta$, namely $\delta < 2 - \sqrt{2} \approx 0.585$. Hence, these recent works raise the following questions:
1) Based on the Murru-Saettone scheme, is there any feature of the primes $p$ and $q$ that could lead to factorization?
2) What is the size of $d$ that is safe from attack?
Our contribution. In order to answer the questions above, we push further the cryptanalysis of the Murru-Saettone scheme by considering a specific RSA modulus $N = pq$, where $p$ and $q$ are two prime factors that share their most significant bits. This implies that the prime difference $|p - q|$ is much smaller than in the ordinary case, where $|p - q| \approx N^{\frac{1}{2}}$. By considering $e = N^\alpha$, $|p - q| = N^\beta$ and $d = N^\delta$, we show that one can extend the methods in [14] to improve the bounds on $\delta$. Typically, using the continued fraction method, we show that the scheme is vulnerable if Similarly, we apply Coppersmith's method and show that the scheme is vulnerable if For $\beta = \frac{1}{2}$, we get the bounds as in [14]. This shows that our new cryptanalysis is an extension of the method of [14] and gives better bounds.
The paper is organized as follows. Section II gives the preliminaries required for subsequent sections. Various results are presented in Section III to ease the understanding of Sections IV and V. In Section IV, we detail our approach based on the continued fractions algorithm. In Section V, we describe our approach based on Coppersmith's method and lattice reduction techniques. We conclude the paper in Section VI.

II. PRELIMINARIES
In this section, we give a brief description of continued fractions, lattices, Coppersmith's method and the Murru-Saettone scheme [12].

A. CONTINUED FRACTIONS
The expression of continued fractions expansion of $\xi \in \mathbb{R}$ can be written in these forms which can also be written as $\xi = [a_0, a_1, \dots, a_\mu, \dots]$. If $\xi$ is a rational number, then $\xi = [a_0, a_1, \dots, a_\mu]$ and we can perform the continued fractions expansion algorithm in polynomial time. The convergents $\frac{r}{s}$ of $\xi$ are the fractions denoted by $\frac{r}{s} = [a_0, a_1, \dots, a_i]$ for $i \ge 0$. The following theorem is a useful result on continued fractions which is important in our attack.
Then $\frac{r}{s}$ is a convergent of the continued fractions expansion of $\xi$.

B. LATTICES
Let $\omega \le n$ be an integer. Consider $l_1, \dots, l_\omega \in \mathbb{R}^n$ such that they are linearly independent. The set of all integer linear combinations of the vectors $l_i$ is called the lattice $L$ spanned by $\{l_1, \dots, l_\omega\}$, i.e.
The set $\{l_1, \dots, l_\omega\}$ is a basis of the lattice $L$, as it generates $L$. The lattice dimension is the number of vectors in a basis of $L$. In our case, the lattice $L$ has dimension $\dim(L) = \omega$, and $L$ is of full rank when $\omega = n$. In 1982, Lenstra et al. [9] invented a very useful tool known as the LLL algorithm to find short basis vectors that generate a lattice. The following theorem presents the results on LLL reduced basis vectors.

C. THE COPPERSMITH'S METHOD
If we know how to factorize the modulus, then the solutions of a modular equation can be determined easily [4]. However, there are situations in which we have no information on the factorization of the modulus, and finding the solutions can then be difficult. Coppersmith [3] contributed to solving this problem by proposing a way to determine the small solutions of a modular polynomial, specifically for the univariate case and heuristically for the multivariate case. There are two important tools required in Coppersmith's method: the LLL algorithm and the following result reformulated in [6].
then $h(x_0, y_0) = 0$ holds over the integers.

D. THE MURRU-SAETTONE SCHEME
Murru and Saettone [12] designed a scheme using the cubic Pell equation where $r$ is not a cube of an integer. Let $(G, +, \cdot)$ be a field. Let $A$ be the quotient field $A = G[t]/(t^3 - r)$, whose elements have the form $x + ty + t^2z$ where $(x, y, z) \in G^3$. Then, a product $\cdot$ between elements of $A$ can be defined by $(x_1, y_1, z_1) \cdot (x_2, y_2, z_2) = (x_1x_2 + (y_2z_1 + y_1z_2)r,\ x_2y_1 + x_1y_2 + rz_1z_2,\ y_1y_2 + x_2z_1 + x_1z_2)$. (10) Next, consider the set Then, $(A, \cdot)$ is a commutative group with $(1, 0, 0)$ as the identity element; and the inverse element of $(x, y, z)$ is Let $B$ be the quotient group defined by $B = F^*/G^*$, which consists of elements of the following forms: $m + nt + t^2$, or $m + t$, or $1$. Consider the point at infinity $(\alpha, \alpha)$ for the addition defined by the following cases: 1) $(m, \alpha)\ (p, \alpha) = (mp, m + p)$; 2) if $n + p = 0$, a) and $m = n^2$, then $(m, n)\ (p, \alpha) = (\alpha, \alpha)$; b) and $m = n^2$, then Consequently, we can reduce $B$ to Let $p$ be a prime. If we take $G = \mathbb{Z}/p\mathbb{Z}$, then one can choose $\alpha = \infty$. In this case, $A = GF(p^3)$ is the finite field with $p^3$ elements. It follows that $B$ is a cyclic group of order $p^2 + p + 1$. As a consequence, we always have $(m, n)^{p^2 + p + 1} = (\alpha, \alpha) \pmod{p}$ for all $(m, n) \in B$. The RSA cryptosystem variant presented in [12] is based on the former observations. Their algorithms are presented as follows.

Algorithm 1: Key Generation
Input: $n$, the bit-size of the modulus $N$.
Output: A public key $(e, N, r)$ and a private key $(d, p, q)$.
1. Choose prime integers $p$ and $q$.
3. Choose an integer $r$ such that it is not a cube integer and not a cubic residue modulo $p$, $q$, and $N$.
4. Choose an integer $e \in \mathbb{Z}$ satisfying $\gcd(e, (p^2 + p + 1)(q^2 + q + 1)) = 1$.

III. USEFUL LEMMAS
Consider an RSA modulus $N = pq$ with $q < p < 2q$. Let $\Delta = |p - q|$. The next statement describes a relationship between $p$, $q$, $N$ and $\Delta$ [18].
If $\Delta < 2N^{\frac{1}{4}}$, then $p + q = \lceil 2\sqrt{N} \rceil$. Since $N = pq$, we can substitute $N = pq$ into the previous statement and determine $p$ and $q$. As a consequence, we make the assumption that $\Delta > 2N^{\frac{1}{4}}$ throughout this paper. The following describes some bounds for $p$ and $q$ in relation to the term $N$ (see [13]).
Proposition 1. Suppose that $p$ and $q$ are unknown integers satisfying $q < p < 2q$. Consider $N = pq > 230$ and Then
Proof. We have $\psi(N) = (p^2 + p + 1)(q^2 + q + 1)$ and Then, Set $|p - q| = \Delta$. By Lemma 2, we have 2 For $N \ge 231$, we have N + 5 which completes the proof.
If $\psi(N)$ is known, we can factor the modulus $N = pq$ using the following result [14].
Proposition 2. Suppose that $p$ and $q$ are unknown integers satisfying $q < p$. Consider $N = pq$ and suppose that $\psi(N)$ is known. Then,

IV. APPLICATION OF CONTINUED FRACTIONS
We estimate the values of $d$ for which it can be determined via the continued fractions algorithm. Then, we can determine $p$ and $q$ from the modulus $N = pq$.

A. OUR ATTACK ON THE SCHEME
Theorem 4. Suppose that $p$ and $q$ are unknown integers satisfying $q < p < 2q$ and $|p - q| = N^\beta$. Consider $N = pq$.
Note that since $\delta > 0$ is required, we must have On the other hand, we require $\alpha + \delta \ge 2$, which implies that $\alpha > \frac{1}{2} + 2\beta$. Observe that, if $e \approx N^2$, then the method will succeed when $\delta < \frac{3}{4} - \beta$. This is the same condition obtained in [18] by extending the attack of Wiener on RSA to the case with small prime difference.

B. A SMALL NUMERICAL EXAMPLE
Consider the following small public parameters Then $e = N^\alpha$ with $\alpha \approx 1.993$.
Next, we need the convergents for which the equations $(p^2 + p + 1)(q^2 + q + 1) = \psi$, $pq = N$ have a solution. This can be computed by Proposition 2. Upon verification, we check that the 33rd convergent $\frac{a}{b} = \frac{282741560637038515}{657693369725239904}$ fulfils the conditions. We take $k = 282741560637038515$, $d = 657693369725239904$, (34) which gives Then, by Proposition 2, we solve the equations $pq = N$ and $(p^2 + p + 1)(q^2 + q + 1) = \psi$. We obtain Observe that $d = N^\delta$ where $\delta \approx 0.332$, and $|p - q| = N^\beta$ where $\beta \approx 0.413$, so all the conditions of Theorem 4 are fulfilled.
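The convergent test of this section, together with the factoring step that Proposition 2 refers to, written as a key audit in Python. This is an added example, not code from the paper: the function names, the toy key, and the stand-in for $\psi(N)$ obtained by replacing $p + q$ with $\lfloor 2\sqrt{N} \rfloor$ are assumptions, since the exact fraction used in Theorem 4 and the closed form of Proposition 2 are not shown on this page.

```python
from math import gcd, isqrt, log

def psi(p, q):
    return (p * p + p + 1) * (q * q + q + 1)

def factor_from_psi(N, psi_N):
    """Recover (p, q) from N and psi(N), using the expansion
    psi(N) = s^2 + (N + 1)s + N^2 - N + 1 with s = p + q."""
    disc = (N + 1) ** 2 - 4 * (N * N - N + 1 - psi_N)
    if disc < 0 or isqrt(disc) ** 2 != disc:
        return None
    s, odd = divmod(isqrt(disc) - (N + 1), 2)
    gap2 = s * s - 4 * N                       # equals (p - q)^2 for the true s
    if odd or gap2 < 0 or isqrt(gap2) ** 2 != gap2:
        return None
    p, q = (s + isqrt(gap2)) // 2, (s - isqrt(gap2)) // 2
    return (p, q) if q > 1 and p * q == N else None

def convergents(num, den):
    """Yield the convergents h/k of num/den as (h, k) pairs."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        h0, h1, k0, k1 = h1, a * h1 + h0, k1, a * k1 + k0
        yield h1, k1

def weak_key_audit(N, e):
    """Return (d, p, q) if the public key falls to the convergent test, else None."""
    s0 = isqrt(4 * N)                          # p + q is near 2*sqrt(N) for close primes
    psi0 = s0 * s0 + (N + 1) * s0 + N * N - N + 1   # assumed stand-in for psi(N)
    for k, d in convergents(e, psi0):
        if k == 0 or (e * d - 1) % k:
            continue
        found = factor_from_psi(N, (e * d - 1) // k)  # candidate psi(N) = (ed - 1)/k
        if found:
            return (d, *found)
    return None

def theorem4_margin(N, e, p, q, d):
    """7/4 - alpha/2 - beta - delta; a positive value puts d in the weak range."""
    size = lambda v: log(v) / log(N)
    return 7 / 4 - size(e) / 2 - size(abs(p - q)) - size(d)

def next_prime(n):
    n |= 1
    while any(n % f == 0 for f in range(3, isqrt(n) + 1, 2)):
        n += 2
    return n

def constructed_key():
    """Toy key built for this example: 33-bit primes, |p - q| near 2^20, d near 2^24."""
    q = next_prime(2 ** 32)
    p = next_prime(q + 2 ** 20)
    d = 2 ** 24 + 1
    while gcd(d, psi(p, q)) != 1:
        d += 1
    return p, q, d, pow(d, -1, psi(p, q))      # modular inverse needs Python 3.8+

if __name__ == "__main__":
    p, q, d, e = constructed_key()
    print(weak_key_audit(p * q, e) == (d, p, q), theorem4_margin(p * q, e, p, q, d))
```

A key generator can run `weak_key_audit` on its own output and reject any key for which it returns a result.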

C. COMPARISON WITH FORMER ATTACKS ON STANDARD RSA UNDER SAME ASSUMPTION
In this section, we provide a comparison with a former attack on standard RSA under the same assumptions, namely that the modulus $N = pq$ contains primes that share MSBs and that the attack is conducted via continued fractions. As shown in Table 1, the bound for the insecure private exponent $d$ derived for the cubic Pell equation variant of RSA is much larger than for the standard version. This implies that the cubic Pell equation variant of RSA has many more insecure private exponents than standard RSA under the shared-MSBs assumption and the continued fractions analysis strategy. Thus, one needs to choose the parameters carefully so that the cryptosystem is not susceptible to attack over communication networks.

TABLE 1. Column headings: Attack; General bound; $\beta$; $\delta$ for $d$. Row: Ariffin et al. [1] attack on standard RSA.

V. APPLICATION OF THE COPPERSMITH'S METHOD
Consider $e$ and $d$ in the Murru-Saettone scheme, which satisfy the equation $ed - k(p^2 + p + 1)(q^2 + q + 1) = 1$. We can transform this equation into a modular equation of the form $x(y^2 + ay + b) + 1 \equiv 0 \pmod{e}$, where $a$ and $b$ are constants. We can apply Coppersmith's method to determine its small solutions, and then determine the factors $p$ and $q$ of $N$. The method described here is a generalization of the method described in [14].

A. THE SMALL INVERSE PROBLEM
Theorem 5. Suppose that $p$ and $q$ are unknown integers satisfying $q < p < 2q$. Consider $N = pq$ and $a, b \in \mathbb{Z}^+$. Let $f(x, y) = x(y^2 + ay + b) + 1$.
Proof. Let $m \in \mathbb{Z}^+$. For $0 \le k \le m$, define the polynomials (see [14], Theorem 5), Note that if $f(x, y) \equiv 0 \pmod{e}$, then $g_{k,i,j}(x, y) \equiv 0 \pmod{e^m}$. Define $L$ as the lattice spanned by the coefficient vectors of the polynomials The rows of the matrix of the lattice are formed by the polynomials $g_{k,i,j}(xX, yY, zZ)$. The rows are ordered according to the order of $(i, j, k)$. Note that the monomials $x^i y^j$ are arranged according to the order of $(i, j)$. This leads to a triangular matrix which has determinant Consider $\tau \ge 0$, whose optimal value we will compute later. Let $t = \tau m$. We give some approximations for the parameters $n_X$, $n_Y$, $n_e$ and $\omega = \dim(L)$ (see [14], Theorem 5), Assume that we have Then, using (40), we get Assume that $x < X = N^\gamma$, $y < Y = N^\beta$, and $e = N^\alpha$. Substituting (41) into (44), we get where $\varepsilon_1 > 0$ is a small value depending on $m$ and $N$.
On the left side, the optimal value is τ = α−2β−γ
If $h_1(x, y)$ and $h_2(x, y)$ are algebraically independent, then we can use the Gröbner basis method to solve for $(x, y)$.

B. THE ATTACK WITH SMALL PRIME DIFFERENCE AND SMALL D
In this section, we consider the attack on the Murru-Saettone variant of RSA in [12]. For $N = pq$, we assume that the value of $|p - q|$ is small.
Theorem 6. Suppose that $p$ and $q$ are unknown integers satisfying $q < p < 2q$ and $|p - q| = N^\beta$. Consider $N = pq$. Suppose that $ed - k\psi(N) = 1$ with $e = N^\alpha$ and $d = N^\delta$. Then, we can determine $d$ and compute $p$ and $q$ in polynomial time if $\alpha > 2\beta$, and Proof. Let e be a public parameter of the RSA variant satis- We set $x_0 = k$, $y_0 = p + q - 2M$, $a = N + 4M + 1$, and $b = N^2 + 4M^2 + 2MN + 2M - N + 1$.
We can now rewrite $ed - k\psi(N) = 1$ as a modular equation, Now, consider the polynomial $f(x, y)$ as in (38). Then $f(x_0, y_0) \equiv 0 \pmod{e}$, and the small solutions can be computed by applying Theorem 5. Assume that $|p - q| = N^\beta$, $e = N^\alpha$, and $d < N^\delta$. By Lemma 1, we have $y_0 = p + q - 2M < N^{2\beta - \frac{1}{2}}$. We set $Y = N^{2\beta - \frac{1}{2}}$. On the other hand, since $\psi(N) > p^2q^2 = N^2$, we obtain We set $X = N^{\alpha + \delta - 2}$. Then, by Theorem 5, the condition to find the small solutions is and thus completes the proof.
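The substitution behind $a$ and $b$, carried through as an added derivation that is not part of the original paper. It holds for any integer $M$, and the shorthand $s = p + q$ is introduced here for convenience:

$$\psi(N) = (p^2 + p + 1)(q^2 + q + 1) = N^2 + Ns + (s^2 - 2N) + N + s + 1 = s^2 + (N + 1)s + N^2 - N + 1.$$

Substituting $s = y_0 + 2M$ gives

$$\psi(N) = y_0^2 + (N + 4M + 1)\,y_0 + (N^2 + 4M^2 + 2MN + 2M - N + 1) = y_0^2 + a y_0 + b.$$

Reducing $ed - k\psi(N) = 1$ modulo $e$ then yields $k(y_0^2 + a y_0 + b) + 1 \equiv 0 \pmod{e}$, that is, $f(x_0, y_0) \equiv 0 \pmod{e}$ with $x_0 = k$.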
Suppose that $e$ is an exponent of full size, then $e \approx N^2$, and $\delta$ satisfies the following bound In fact, this is twice the bound obtained by de Weger [18] for the attack on RSA with small prime difference.

C. EXPERIMENTAL RESULT
We ran the method of Theorem 6 on Windows 10 with a 1.8 GHz Intel(R) Core(TM) i7-8550U processor.
In particular, we randomly generated $p$ and $q$ of different sizes up to 1024 bits, where $p$ and $q$ are primes satisfying $q < p < 2q$ and $|p - q| = N^\beta$ for various sizes of $\beta$, where $N = pq$. Furthermore, we generated various integers $d$ satisfying $\gcd(d, \psi(N)) = 1$ and $d = N^\delta$ with $\delta < 0.76$. Finally, we computed the inverse $e$ of $d$ with $ed \equiv 1 \pmod{\psi(N)}$, and applied Theorem 6 to determine the solution of the equation $x(y^2 + ay + b) + 1 \equiv 0 \pmod{e}$ with $a = N + 4M + 1$, If any, the solution should be $x_0 = k$, $y_0 = p + q - 2M$. We also used the parameters The run time of the method is essentially dominated by executing the LLL algorithm to reduce the basis of the lattice. We present the result when the size of the primes is 512 bits. Let and When $m = 4$, $t = 3$, $\omega = 40$, $X = N^{0.7}$, $Y = N^{0.5}$, we get (57) VOLUME 4, 2016 Using $p + q = 2\sqrt{N} + y_0$ and $pq = N$, we get Then, one can observe that $|p - q| = N^\beta$ with $\beta \approx 0.428$, $d = N^\delta$ with $\delta \approx 0.615$, and $e = N^\alpha$ with $\alpha \approx 1.998$. The bound on $\delta$ in Theorem 6 is then $\delta < 0.780$. We believe that by increasing $m$ and $t$, our method will succeed in solving the problem for bounds on $\delta$ approaching the optimal value 0.780.

D. COMPARISON WITH FORMER ATTACKS ON STANDARD RSA UNDER SAME ASSUMPTION
In this section, we provide a comparison with a former attack on standard RSA under the same assumptions, namely that the modulus $N = pq$ contains primes that share MSBs and that the attack is conducted via Coppersmith's method. As shown in Table 2, the bound for the insecure private exponent $d$ derived for the Murru-Saettone RSA variant is much larger than for the standard version. This implies that the cubic Pell equation variant of RSA has many more insecure private exponents than standard RSA under the shared-MSBs assumption and the Coppersmith's method analysis strategy. Thus, one needs to choose the parameters carefully so that the cryptosystem is not susceptible to attack over communication networks.
TABLE 2. Entries: $(4\beta - 1)(3\alpha + 4\beta - 1)$; $e = N^\alpha$, $\alpha \approx 2$; $|p - q| = N^\beta$; $\delta = 0.65$.

VI. CONCLUSION
In this paper, we present two novel attacks on the variant of the RSA cryptosystem designed in [12]. This variant uses an RSA modulus of the form $N = pq$, a public parameter $e = N^\alpha$, and a private parameter $d = N^\delta$. Our new results extend the former results in [14]. In the new attacks, we consider the instance in which the prime difference $|p - q| = N^\beta$ is sufficiently small. For the first approach, we considered the continued fractions algorithm, and proved that the variant of the RSA cryptosystem is vulnerable whenever $\delta < \frac{7}{4} - \frac{1}{2}\alpha - \beta$, whereas for the second attack, we applied Coppersmith's method and showed that when $d < N^\delta$ for $\delta < \frac{5}{3} + \frac{4}{3}\beta - \frac{2}{3}\sqrt{(4\beta - 1)(3\alpha + 4\beta - 1)}$, the private $p$ and $q$ can be found in polynomial time.
Finally, as shown in Tables 1 and 2, the cubic Pell equation variant of RSA which utilizes primes that share MSBs has a larger set of weak private keys than the standard RSA algorithm when analyzed under the assumption that $|p - q| = N^\beta$ is sufficiently small.
Our work shows that every parameter is important and, thus, one needs to choose them carefully. Failure to do so might jeopardize the cryptosystem and lead to the factorization of the RSA modulus.