On the Improvement Attack Upon Some Variants of RSA Cryptosystem via the Continued Fractions Method

Let $N=pq$ be an RSA modulus where $p$ and $q$ are primes not necessarily of the same bit size. Previous cryptanalysis results on the difficulty of factoring the public modulus $N=pq$ deployed on variants of the RSA cryptosystem are revisited. Each of these variants shares a common key relation utilizing the modified Euler quotient $(p^{2}-1)(q^{2}-1)$, given by the key relation $ed-k(p^{2}-1)(q^{2}-1)=1$ where $e$ and $d$ are the public and private keys respectively. By conducting continuous midpoint subdivision analysis upon an interval containing $(p^{2}-1)(q^{2}-1)$ together with continued fractions on the key relation, we increase the security bound for $d$ exponentially.


I. INTRODUCTION
With the quantum computer expected to become a reality in the near future, around 2030 [20], the demise of traditional asymmetric encryption schemes is imminent. However, the transition towards post-quantum schemes requires resources and a seamless methodology. As such, in the near future, traditional asymmetric encryption schemes are still the choice to provide cryptographic security. Entrenched within most of the digital platforms we have today is the RSA cryptosystem. Since its introduction in 1978 by Rivest et al. [10], RSA has become the most broadly used public key cryptosystem in the world. RSA is one of the main default cryptosystems in most web browsers, with the objective of providing confidentiality, integrity and authenticity and of disallowing repudiation. It is a fact that many cryptographic technologies utilize RSA for privacy protection [19]. Hence, research on the security of RSA and its variants is ever more important and still ongoing.
RSA is described as follows. Let a public RSA modulus be given by $N = pq$ where $p$ and $q$ are distinct prime factors. In the RSA key generation algorithm, the positive integers $e$ and $d$ are associated by the modular relation $ed \equiv 1 \pmod{\varphi(N)}$ where Euler's totient function, or Euler quotient, is represented by $\varphi(N) = (p-1)(q-1)$. Both the public exponent $e$ and the private exponent $d$ satisfy the RSA key equation $ed - k\varphi(N) = 1$ for a positive integer $k$. The algorithm returns the public key pair $(N, e)$ while the tuple $(p, q, d)$ contains the secret components of the RSA cryptosystem, where $d$ is the private key. In the encryption algorithm, a message $M$ is encrypted as $C \equiv M^{e} \pmod{N}$ while in the decryption algorithm, one simply computes $M \equiv C^{d} \pmod{N}$ to retrieve the message $M$.
The associate editor coordinating the review of this manuscript and approving it for publication was Wei Huang.
For more than four decades, studies on improving the efficiency of RSA's decryption execution time and its relation to RSA's overall security features have been discussed in depth by the cryptographic research community. In the process, many variants of RSA were proposed to overcome possible vulnerabilities. As an example, to speed up the decryption process of either RSA or its variants, one is tempted to use a relatively small private exponent $d$. It is therefore important to identify the threshold value for such small private exponents, in order to balance speed and security.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
In this paper, we essentially focus on the following three variants of the RSA cryptosystem.
1) Kuwakado et al. [7] in 1995 proposed a variant of the RSA cryptosystem which is based on singular cubic curves $y^{3} \equiv x^{3} + bx^{2} \pmod{N}$ where $N = pq$ is an RSA modulus such that $(x, y)$ is the set of points in $\mathbb{Z}_N \times \mathbb{Z}_N$ and $b \in \mathbb{Z}/N\mathbb{Z}$.
2) Elkamchouchi et al. [5] in 2002 suggested an idea to extend the RSA cryptosystem into the domain of Gaussian integers for $N = PQ$, where $P$ and $Q$ are the Gaussian primes which relate to the ordinary primes, i.e. $p = |P|$ and $q = |Q|$.
3) Castagnos [4] in 2007 introduced a probabilistic variant of the RSA cryptosystem which works over quadratic field quotients using Lucas sequences with an RSA modulus $N = pq$.
Interested readers may refer to [3], [12] and [14] for the details of these variants of the RSA cryptosystem. Notice that the public key $e$ and private key $d$ of these three variant schemes satisfy the modified key equation of the form $ed - k(p^{2}-1)(q^{2}-1) = 1$ for a positive integer $k$. For simplicity, we refer to the term $\omega(N) = (p^{2}-1)(q^{2}-1)$ as the modified Euler quotient. One can rewrite the modified key equation in modular form as $ed \equiv 1 \pmod{\omega(N)}$. Hence, solving for the unknowns $d$, $p$ and $q$ from this particular key equation becomes the topic of interest in this work.
The integer factorization problem upon the public modulus $N = pq$ is an important security feature of RSA. A popular strategy to factor the public modulus is to scrutinize the upper bound defined by practitioners, especially when decryption speed-up is one of their objectives. The seminal work by Wiener [11] proved that if $d < \frac{1}{3}N^{0.25}$, the secret parameters $k$ and $d$ can be computed efficiently using the continued fractions algorithm. Subsequently, Boneh and Durfee [2] proved that by utilizing Coppersmith's lattice reduction based method, RSA is insecure if the decryption exponent $d < N^{0.292}$.
Motivated by Wiener's attack on RSA, Bunder et al. [3] in 2016 proved that RSA variant cryptosystems in [4], [5] and [7] . This is done by finding the private parameters $\frac{k}{d}$ amongst the convergents of the continued fractions expansion of . In 2016, Bunder et al. [3] proved that the lower and upper bounds of the modified Euler quotient $\omega(N)$ are $N^{2} - \frac{5}{2}N + 1$ and $N^{2} - 2N + 1$ respectively. Observe that the denominator term of is the midpoint of the interval $(N^{2} - \frac{5}{2}N + 1,$
Then in 2017, Bunder et al. [12] extended their previous work in [3] by considering the general key equation of the form $ex - y(p^{2}-1)(q^{2}-1) = z$ where the unknown parameters $x$, $y$ and $z$ fulfill the conditions $xy < 2N - 4\sqrt{2}N^{\frac{3}{4}}$ and $|z| < (p-q)N^{\frac{1}{4}}y$. The unknowns $x$ and $y$ can be found among the convergents of the public rational number $\frac{e}{N^{2} - \frac{9}{4}N + 1}$ via the continued fractions algorithm. Then, Coppersmith's technique [13] is applied to factor primes $p$ and $q$. For the parameters $e \approx N^{\beta}$, $x \approx N^{\delta}$ and $|z| \approx N^{\gamma}$, the bound of $\delta$ in [12] is given by $\delta < \frac{3-\beta}{2}$.
In 2016, Peng et al. [16] analyzed the key equation given by $ed - k(p^{2}-1)(q^{2}-1) = 1$ via lattice methods. Suppose the private parameter $d \approx N^{\delta}$, they obtained that for $\delta < 2 - \sqrt{\beta}$, where $\beta \geq 1$, the equation is insecure. That is, one is able to identify the variable pair $(d, k)$ and subsequently factor the modulus $N = pq$. The work in 2017 by Bunder et al. [12] was actually an attempt to generalize the work by Peng et al. [16]. The generalization was in a sense successful. That is, Bunder et al. [12] identified a potential Diophantine equation that would render factorization of the modulus $N = pq$ easy. Nevertheless, for the case $|z| = 1$, the work by Bunder et al. [12] did not extend the bound by Peng et al. [16].
Recently in 2018, Bunder et al. [14] published a new result considering the case for the modulus $N = pq$ where the primes $p$ and $q$ are of arbitrary sizes, or are said to be unbalanced primes. Generally, let $N = pq$ be an RSA modulus such that $q < p < \lambda q$. Then, the modified Euler quotient $\omega(N)$ is proven to be within the interval $N^{2}$
Later, Tonien [15] extended the work in [3] by introducing a new attack based on the continued fractions method. The attack is applicable whenever d < e for a fixed positive integer $t$ with time complexity $O(t \log(N))$.
As a continuation of work in [3] and [14], we propose a new result for the case when the primes p and q are unbalanced primes such that q < p < λq; where λ is a chosen parameter specifically λ > 2. Note that, if λ = 2, then the primes p and q are balanced primes having the same bit size.
In this work, we successfully extend and improve previously mentioned attacks in [3] and [14]. For a chosen $\lambda$, previous RSA variants as mentioned earlier are insecure when . That is, one can identify the secret parameters $k$ and $d$ among the convergents of the continued fractions expansion of the public rational number for certain values of $i$ and $j$, where $i$ is the number of midpoint subdivision processes within the interval $(N^{2}$ whilst $j$ represents each midpoint term in the $i$-th where $j = 0, 1, \ldots, 2^{i} - 1$.
The layout of the paper is organized as follows. We dedicate Section II to introduce our proposed method and highlight the significant existing results related to our method. We present our first and second attacks followed by numerical examples in Section III and Section IV respectively. We briefly conclude our work in Section V.

II. PRELIMINARIES
This section reviews the fundamental concept of the continued fractions and presents some existing results relevant to our algebraic cryptanalysis method.
Definition 1 (Continued Fractions, [6]): The continued fractions expansion of a real number $x \in \mathbb{R}$ is an expression of the form
As observed from Definition 1,
The following theorem is a significant result concerning the continued fractions that will be used thoroughly in this paper. This theorem guarantees that the unknown integers $y$ and $z$ are amongst the list of convergents of the continued fractions expansion of a rational number $x$ fulfilling the given inequality as in (1).
Theorem 1 (Legendre's Theorem, [6]): Let $x$ be a rational number and $y$ and $z$ be positive integers where $\gcd(y, z) = 1$. Suppose then $\frac{y}{z}$ is a convergent of the continued fractions expansion of $x$.
The following lemmas are important as we will utilize these bounds of $\omega(N) = (p^{2}-1)(q^{2}-1)$ to improve the previous attacks in [3] and [14]. We will consider the case when the prime factors $p$ and $q$ have the same bit size and when the primes are of arbitrary sizes.
Lemma 1: [3] Suppose an RSA modulus $N = pq$ such that $q < p < 2q$. Then
Lemma 2: [14] Suppose an RSA modulus $N = pq$ such that $q < p < \lambda q$.
We apply the result of Lemma 1 and introduce a method known as the continuous midpoint subdivision analysis that is defined as follows.
Definition 2 (Continuous Midpoint Subdivision Analysis): Then, suppose we divide equally the interval $(\alpha_{1}, \alpha_{2})$ to obtain a midpoint term denoted as Figure 1. We denote this process as $i = 0$.
Observe that, no matter where $\omega(N)$ is situated on the interval, we always have
Continuing, we divide equally between the midpoint of the above intervals, $(\alpha_{1}, \mu_{(0,0)})$ and $(\mu_{(0,0)}, \alpha_{2})$, which yields another two midpoints; $\mu_{(1,0)}$ Figure 2. Note that this process is the first division between the midpoints and we denote this process as $i = 1$. Then, no matter where $\omega(N)$ is situated on the interval, we always have
Continuing after the first division between midpoints, we equally divide between the midpoints obtained previously, as illustrated by Figure 3, and denote the process by $i = 2$.
Here, the midpoints obtained from the second division of midpoints are $\mu_{(2,0)}$ Then, no matter where $\omega(N)$ is situated on the interval, we always have
Similarly, the process continues and the midpoints obtained from the third division between the previous midpoints are as follows; $\mu_{(3,0)}$ this process is denoted as $i = 3$. Refer to Figure 4 for the illustration of the process. Therefore, regardless of where in the interval $\omega(N)$ may be situated, we always have
To sum up, we have the following general result.
Let $i$ and $j$ be fixed positive integers for
Remark 1: An integer $i$ is the number of subdivision processes between the midpoints in the interval of $\omega(N)$ where whilst $j$ denotes each midpoint term in the $i$-th subdivision process.

III. ATTACK I
As a consequence of Definition 2, we propose the following result by considering the case when the distinct primes $p$ and $q$ have the same bit size. Remark that Theorem 2 can be regarded as an extension and improvement of the result in [3].
Theorem 2: Suppose $i$ and $j$ are fixed positive integers. Consider a variant of the RSA cryptosystem with the public key pair $(N, e)$ such that $N = pq$ where $q < p < 2q$. If $e < (p^{2}-1)(q^{2}-1)$ satisfies an equation $ed - k(p^{2}-1)(q^{2}-1) = 1$ for some positive integers $k$ and $d$ with then $\frac{k}{d}$ can be found amongst the convergents of the public rational number $\frac{e}{\mu_{(i,j)}}$ given that N be the general term for midpoint in the interval of $(\alpha_{1}, \alpha_{2})$. Then, there exists a $\mu_{(i,j)}$ such that From the equation $ed - k\omega(N) = 1$, dividing by $d\omega(N)$ to Let $\mu_{(i,j)}$ be the approximation of $\omega(N)$ and observe Next, since $d = \frac{1 + k\omega(N)}{e}$ and from (2), then (3) yields Observe from Lemma 1, To ensure (5) satisfies the condition of Legendre's Theorem which yields Furthermore Hence, we deduce for each midpoint term-$j$ If (8) holds, then (5) satisfies the condition of Legendre's Theorem Thus, $\frac{k}{d}$ is amongst the convergents of the continued fractions expansion of $\frac{e}{\mu_{(i,j)}}$.
Consequently, knowledge of $k$ and $d$ implies that one can obtain the prime factorization of modulus $N = pq$ efficiently, as proved in the following corollary.
Corollary 1: Suppose we obtain the private parameters k and d according to Theorem 2, then N = pq can be factored in polynomial time.
Next, we provide an algorithm referring to Theorem 2 and Corollary 1.
Remark 2: One can observe that the continuous midpoint subdivision analysis increases the upper bound of the private exponent $d$ exponentially from $d < \sqrt{N}$ for $e < N^{2}$. This can be achieved by increasing the number of subdivisions $i$ on the interval of the modified Euler quotient. Based on current technological advancement, $i = 112$ is a feasible target [1].
Remark 3: In relation with Theorem 2, this method is applicable whenever
Remark 4: By letting $i = 0$, $j = 0$ and applying Theorem 2, we obtain the result as in [3]. We recall that the attack in [3] works only if the condition $d < \sqrt{\frac{2N^{3} - 18N^{2}}{e}}$ is satisfied.

A. NUMERICAL EXAMPLES
In this section, we demonstrate the proposed attack based on Theorem 2.
As an illustration of our first attack, on input of an RSA modulus $N$ and public exponent $e$ satisfying the condition stated in Theorem 2, $N = 173276358253790788733361489927580784671$, $e = 28023318034650280176512056287492616484195476841032411777890597828347435382031$.
We begin the process of factoring $N$. Now, from the list of the above convergents, we obtain the candidate for $\frac{k}{d} = \frac{23991245551777600906}{25704660003951708271}$ and consequently apply Step 2 from Algorithm 1 to compute $\omega(N) = \frac{ed-1}{k}$ which will result in $\omega(N) = 30024696329696051195738388590111489609691397851473425694773252538621308286400$.
We continue to find the roots $X_{1}$ and $X_{2}$ from the polynomial $X^{2} - (N^{2} - \omega(N) + 1)X + N^{2} = 0$ upon obtaining the value of $\omega(N)$; which returns the value of primes $p = \sqrt{X_{1}}$ and $q = \sqrt{X_{2}}$ where in this case, $p = 18259918246806033389$ and $q = 9489437790013092539$. This completes the factorization of $N$.
Observe from Example 1, we can verify that the condition ≈ 27250795559553171350 is met as required by Theorem 2. Moreover, the approach in [3] will fail to retrieve primes $p$ and $q$ as d >
We begin the process of factoring $N$.
We solve for the roots $X_{1}$ and $X_{2}$ from the polynomial $X^{2} - (N^{2} - \omega(N) + 1)X + N^{2} = 0$ upon receiving the value of $\omega(N)$, which returns the value of primes $p = \sqrt{X_{1}}$ and $q = \sqrt{X_{2}}$ where in this case, $p = 13119615460534710209$ and $q = 11120492118926167543$. This completes the factorization of $N$.
Likewise, from Example 2, we can certify that the condition ≈ 24794983203204208209 is met as required by Theorem 2. Again, the approach in [3] will fail to acquire primes $p$ and $q$ as d >
We begin the process of factoring $N$. Let $\mu_{(10,0)} = N^{2} - \frac{10239}{4096}N + 1$, then $\frac{k}{d}$ is amongst the convergents of the continued fractions expansion of $\frac{e}{\mu_{(10,0)}}$. The list of the convergents are $0, 1, \frac{1}{2}, \frac{2}{3}, \frac{9}{14}$
We continue to find the roots $X_{1}$ and $X_{2}$ from the polynomial $X^{2} - (N^{2} - \omega(N) + 1)X + N^{2} = 0$ upon obtaining the value of $\omega(N)$; which returns the value of primes $p = \sqrt{X_{1}}$ and $q = \sqrt{X_{2}}$ where in this case, $p = 18443477894986380419$ and $q = 9226490368772134793$. This completes the factorization of $N$.
As observed from Example 3, we certify that the condition ≈ 734405316607763478232 is met as required by Theorem 2. Moreover, the approach in [3] will fail to recover primes $p$ and $q$ as d > ≈ 22950166143992608695. In this case, $d = 570039211036312173319$ is 4 bits larger than the bound in [3]. We observe that our strategy is able to identify the private exponent $d$ which is up to $\frac{i}{2} = \frac{10}{2} = 5$ bits longer than the bound in [3].
from the list of the above convergents, and we apply Step 2 from Algorithm 1 to compute $\omega(N) = \frac{ed-1}{k}$ which will result in $\omega(N) = 29028661696446338286636548929898373802388711525964101210796663444303379276800$.
We continue to find the roots $X_{1}$ and $X_{2}$ from the polynomial $X^{2} - (N^{2} - \omega(N) + 1)X + N^{2} = 0$ upon obtaining the value of $\omega(N)$; which returns the value of primes $p = \sqrt{X_{1}}$ and $q = \sqrt{X_{2}}$ where in this case, $p = 18384779238391572031$ and $q = 9267339808963082741$. This completes the factorization of $N$.
The condition d < ≈ 66202017113308289244156 is met as required by Theorem 2. However, the approach in [3] failed to retrieve primes $p$ and $q$ as $d > \sqrt{\frac{2N^{3} - 18N^{2}}{e}} \approx 64650407337215126215$. In this case, $d = 368601750684512962801$ is 3 bits larger than the bound in [3]. We can observe that our strategy is able to identify the private exponent $d$ which is up to $\frac{i}{2} = \frac{20}{2} = 10$ bits longer than the bound in [3].
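The procedure followed in the examples above (convergents of $\frac{e}{\mu_{(i,j)}}$, then $\omega(N) = \frac{ed-1}{k}$, then the quadratic in $X$) can be run as a key-audit check that reports whether a public key $(N, e)$ of one of these variants falls inside the weak range. The Python code below is an added example, not code from the paper: the function names are hypothetical, the closed form for $\mu_{(i,j)}$ is an assumption derived from the bounds $N^{2} - \frac{5}{2}N + 1$ and $N^{2} - 2N + 1$ and checked against $\mu_{(10,0)} = N^{2} - \frac{10239}{4096}N + 1$, and the demo key is constructed from small primes.

```python
from math import isqrt


def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    k0, k1, d0, d1 = 0, 1, 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        k0, k1 = k1, a * k1 + k0
        d0, d1 = d1, a * d1 + d0
        yield k1, d1


def midpoint_fraction(N, e, i, j):
    """Return e/mu_(i,j) as an exact integer pair (numerator, denominator).

    Assumed closed form (balanced case q < p < 2q), with j counted from
    the lower end of the interval:
        mu_(i,j) = N^2 + 1 - (5/2 - (2j+1)/2^(i+2)) * N
    Both parts are scaled by 2^(i+2) so everything stays an integer.
    """
    scale = 1 << (i + 2)
    coeff = 5 * (1 << (i + 1)) - (2 * j + 1)
    return e * scale, scale * (N * N + 1) - coeff * N


def factor_from_omega(N, omega):
    """Solve X^2 - (N^2 - omega + 1)X + N^2 = 0, whose roots are p^2, q^2."""
    s = N * N - omega + 1
    disc = s * s - 4 * N * N
    if s <= 0 or disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s + r) % 2:
        return None
    p, q = isqrt((s + r) // 2), isqrt((s - r) // 2)
    return (p, q) if q > 1 and p * q == N else None


def audit_key(N, e, i):
    """Test all 2^i midpoints of subdivision level i; return the recovered
    secrets if the key is weak at this level, otherwise None."""
    for j in range(1 << i):
        for k, d in convergents(*midpoint_fraction(N, e, i, j)):
            if k == 0 or (e * d - 1) % k:
                continue  # omega(N) = (ed - 1)/k must be an integer
            factors = factor_from_omega(N, (e * d - 1) // k)
            if factors:
                return {"p": factors[0], "q": factors[1], "d": d, "j": j}
    return None


def make_demo_key(p, q, d):
    """Constructed test key: e is the inverse of d modulo (p^2-1)(q^2-1)."""
    omega = (p * p - 1) * (q * q - 1)
    return p * q, pow(d, -1, omega)


if __name__ == "__main__":
    p, q = 10009, 10007  # constructed toy primes with q < p < 2q
    for d, i in ((1009, 0), (30011, 4)):
        N, e = make_demo_key(p, q, d)
        print("i =", i, "->", audit_key(N, e, i))
```

The cost grows with the $2^{i}$ midpoints tried at level $i$, which is the trade-off behind the larger reach on $d$.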

IV. ATTACK II
In this section, we present an improvement upon [14] by considering the distinct primes p and q to be unbalanced or the primes are said to be of arbitrary sizes (i.e. q < p < λq for a chosen parameter λ).
Consequently from Definition 2, we extend our method (i.e. the continuous midpoint subdivision analysis) for the case when the primes $p$ and $q$ are said to be unbalanced. given that $\mu_{(i,j)} = N^{2}$ N represents the general term for midpoint in the interval of $(\varphi_{1}, \varphi_{2})$. Then, for a chosen parameter $\lambda$, there exists a $\mu_{(i,j)}$ such that Let $\mu_{(i,j)}$ be the approximation of $\omega(N)$ and observe Since $d = \frac{1 + k\omega(N)}{e}$ and from (9), then (10) yields Then from Lemma 2, we observe To ensure (12) satisfies the condition of Legendre's Theorem which yields Observe that (13) is less than Furthermore, for each midpoint term-$j$, (14) is less than (15) as shown at the bottom of the next page. If (16) holds as shown at the bottom of the next page, then (12) satisfies the condition of Legendre's Theorem; Thus, the unknowns $\frac{k}{d}$ can be obtained amongst the convergents of the continued fractions expansion of $\frac{e}{\mu_{(i,j)}}$. This terminates the proof.
Consequently, knowledge of $k$ and $d$ implies that one can efficiently find the prime factorization of modulus $N = pq$.
Suppose we obtain the private parameters k and d according to Theorem 3, then N = pq can be factored in polynomial time. The proof is similar to the proof in Corollary 1.
Next, we provide an algorithm referring to Theorem 3.
For $\omega(N)$ be an integer, proceed to Step 4. Else, repeat Step 2.
4. Solve the roots $X_{1}$ and $X_{2}$ of the polynomial
Remark 7: By letting $\lambda = 2$ and $\lambda = 6$ for the case when $i = 0$ and $j = 0$; and applying to Theorem 3, we obtained the result as in [14]. We recall that the attack in [14]

A. NUMERICAL EXAMPLES
Arbitrary size primes $p$ and $q$ where $q < p < 6q$
In this section, we illustrate the proposed attack by running Algorithm 2. Now we contemplate a chosen parameter $\lambda$ to be an even integer, which we set to $\lambda = 6$. We choose two distinct RSA primes $p$ and $q$ of unbalanced bit sizes satisfying $q < p < 6q$. We run Algorithm 2 to verify that we successfully extend the proposed result in [14].
In Example 5, we consider the case when $i = 10$ and $j = 0$, which yields the midpoint term $\mu_{(10,0)} = N^{2} + 1 - \frac{75751}{12288}N$ whilst in Example 6 we consider the case when $i = 20$ and $j = 0$, which yields the midpoint term $\mu_{(20,0)}$
and $q = 10146906305984149441$. This completes the factorization of $N$. We observe from Example 5, that the condition d < ≈ 30324842827054009052754 is met as required by Theorem 3. However, for this case, the approach in [14] fails to retrieve primes $p$ and $q$ as d > ≈ 947651338345437782899. That is, $d = 12328123148187295412941$ is 4 bits larger than the proposed bound in [14]. We can observe that our strategy is able to identify the private exponent $d$ which is up to $\frac{i}{2} = \frac{10}{2} = 5$ bits longer than the bound in [14].
We begin the process of factoring $N$. Let $\mu_{(20,0)} = N^{2} + 1 - \frac{77594599}{12582912}N$, then $\frac{k}{d}$ can be found amongst the convergents of the continued fractions expansion of $\frac{e}{\mu_{(20,0)}}$. The list of the convergents are 0, 1
from the list of the above convergents, and applied Step 2 from Algorithm 2 to compute $\omega(N) = \frac{ed-1}{k}$ which results in $\omega(N) = 2990203056153252890165920546744298798584296283994609533493059694192540895674880$.
Then, we solve for the roots $X_{1}$ and $X_{2}$ from the polynomial $X^{2} - (N^{2} - \omega(N) + 1)X + N^{2} = 0$, which returns the value of primes $p = \sqrt{X_{1}}$ and $q = \sqrt{X_{2}}$ such that $p = 101859262917187999631$ and $q = 16976564636942436263$. This completes the factorization of $N$.
We verify that d < ≈ 62211675327338161310123 fulfilled the condition of Theorem 3. Again, the approach in [14] failed to retrieve the required primes $p$ and $q$ as in this case d > ≈ 60753589186853673154. That is, $d = 20860782061488758742611$ is 9 bits larger than the condition of $d$ in [14]. We observe that our strategy is able to identify the private exponent $d$ which is up to $\frac{i}{2} = \frac{20}{2} = 10$ bits longer than the bound in [14].

V. CONCLUSION
In conclusion, the work presented in this paper focuses on a cryptanalysis method to factor the modulus N = pq of some RSA cryptosystem variants where the prime factors p and q are of arbitrary sizes satisfying q < p < λq for a chosen parameter λ. Precisely, we propose a generalization of previous works in [3] and [14] by introducing a strategy known as the continuous midpoint subdivision analysis. We demonstrate that the unknowns d and k can be found using the continued fractions expansion of certain related numbers under certain assumptions. Remark that we have successfully improved earlier attacks exponentially.