Further Cryptanalysis of a Type of RSA Variants

Abstract

To enhance the security or the efficiency of the standard RSA cryptosystem, some variants have been proposed based on elliptic curves, Gaussian integers or Lucas sequences. A typical type of these variants which we called Type-A variants have the specified modified Euler’s totient function \(\psi (N)=(p^2-1)(q^2-1)\). But in 2018, based on cubic Pell equation, Murru and Saettone presented a new RSA-like cryptosystem, and it is another type of RSA variants which we called Type-B variants, since their scheme has \(\psi (N)=(p^2+p+1)(q^2+q+1)\). For RSA-like cryptosystems, four key-related attacks have been widely analyzed, i.e., the small private key attack, the multiple private keys attack, the partial key exposure attack and the small prime difference attack. These attacks are well-studied on both standard RSA and Type-A variants. Recently, the small private key attack on Type-B variants has also been analyzed. In this paper, we make further cryptanalysis of Type-B variants, that is, we propose the first theoretical results of multiple private keys attack, partial key exposure attack as well as small prime difference attack on Type-B variants, and the validity of our attacks are verified by experiments. Our results show that for all three attacks, Type-B variants are less secure than standard RSA.

Appendices

Appendix A: Details of the Computation of Eq. (5)

According to Eq. (1), we have

$$\begin{aligned}&\underset{(i_1,\dots ,i_l,j)\in \mathcal {I}_{+}}{\prod }e_1^{m-\text {min}(i_1,\lfloor \frac{j}{2} \rfloor )}\cdots e_l^{m-\text {min}(i_l,\lfloor \frac{j}{2} \rfloor )}X_1^{i_1}\cdots X_l^{i_l} Y^j{} & {} < (e_1\dots e_l)^{m{|\mathcal {I}_{+}|}} \nonumber \\ \Rightarrow&\underset{(i_1,\dots ,i_l,j)\in \mathcal {I}_{+}}{\prod }N^{- \alpha \sum _{k=1}^l \text {min}(i_k,\lfloor \frac{j}{2} \rfloor )} N^{(\alpha +\beta -2)\sum _{t=1}^l i_t} N^{0.5j}{} & {} <1 \nonumber \\ \Rightarrow&\underset{(i_1,\dots ,i_l,j)\in \mathcal {I}_{+}}{\sum }- \alpha \sum _{k=1}^l \text {min}(i_k,\lfloor \frac{j}{2} \rfloor ) + (\alpha +\beta -2)\sum _{t=1}^l i_t + 0.5j{} & {} <0. \end{aligned}$$

(16)

Let \(\overset{\bullet }{\sum }\) denotes the sum \(\sum \limits _{i_1=0}^m\cdots \sum \limits _{i_l=0}^m\), \(\bar{i}\) denotes the sum \(\sum \limits _{k=1}^l i_k\).

For any \(l,m\in \mathbb {N}\) and \(1\le a\le b\le l\), the following formulas hold:

$$\begin{aligned} \overset{\bullet }{\sum }i_a i_b = \left\{ \begin{aligned}&m^{l-1}\frac{m(m+1)(2m+1)}{6}&=\frac{m^{l+2}}{3}+o(m^{l+2}) \quad&(a=b),\\&m^{l-2}\frac{m^2(m+1)^2}{4}&=\frac{m^{l+2}}{4}+o(m^{l+2}) \quad&(a\not =b). \end{aligned} \right. \end{aligned}$$

Then,

$$\begin{aligned} \overset{\bullet }{\sum }\bar{i}^2=(\frac{l^2}{4}+\frac{l}{12})m^{l+2} + o(m^{l+2}). \end{aligned}$$

Thus,

$$\begin{aligned} \begin{aligned} \underset{(i_1,\dots ,i_l,j)\in \mathcal {I}_{+}}{\sum }j&= \overset{\bullet }{\sum }\sum _{j=0}^{l+2\bar{i}} j = \overset{\bullet }{\sum }(2\bar{i}^2+o(m)) = (\frac{l^2}{2}+\frac{l}{6})m^{l+2} + o(m^{l+2}), \\ \underset{(i_1,\dots ,i_l,j)\in \mathcal {I}_{+}}{\sum }\bar{i}&= \overset{\bullet }{\sum }\sum _{j=0}^{l+2\bar{i}} \bar{i} = \overset{\bullet }{\sum }(2\bar{i}^2+o(m))= (\frac{l^2}{2}+\frac{l}{6})m^{l+2} + o(m^{l+2}), \\ \underset{(i_1,\dots ,i_l,j)\in \mathcal {I}_{+}}{\sum }\sum _{k=1}^l \text {min}(i_k, \lfloor \frac{j}{2}\rfloor )&= l \underset{(i_1,\dots ,i_l,j)\in \mathcal {I}_{+}}{\sum }\text {min}(i_1, \lfloor \frac{j}{2}\rfloor ) = l \overset{\bullet }{\sum }\sum _{j=0}^{l+2\bar{i}} \text {min}(i_1, \lfloor \frac{j}{2}\rfloor ) \\&= l \overset{\bullet }{\sum }( \sum _{j=0}^{2i_1}\lfloor \frac{j}{2} \rfloor + \sum _{j=2i_1+1}^{l+2\bar{i}}i_1 ) = l \overset{\bullet }{\sum }(i_1(i_1+1) + i_1(l+2\sum _{t=2}^l i_t ) ) \\&= (\frac{l^2}{2}-\frac{l}{6})m^{l+2} + o(m^{l+2}). \end{aligned} \end{aligned}$$

Now, just substitute the above results into the left-hand side of Eq. (16), we get

$$\begin{aligned} -\alpha (\frac{l^2}{2}-\frac{l}{6})m^{l+2} + (\alpha +\beta -2)(\frac{l^2}{2}+\frac{l}{6})m^{l+2}+ (\frac{l^2}{4}+\frac{l}{12})m^{l+2} + o(m^{l+2}) < 0. \end{aligned}$$

When m is sufficient large, we may omit the term \(o(m^{l+2})\), which yields the new condition in Eq. (5)

Appendix B: Details of the Computation of Eq. (10)

First, we can rewrite the condition in Eq. (1) as

$$\begin{aligned} X^{n_X}Y^{n_Y}Z^{n_Z} < W^{n_W}. \end{aligned}$$

(17)

We can compute the value of \(\omega ,n_X,n_Y,n_Z,n_W\) as follows:

$$\begin{aligned} \begin{aligned} \omega&= |\mathcal {G}| + |\mathcal {H}| = \sum _{\begin{array}{c} (i,j,k):\\ g_{i,j,k}\in \mathcal {G} \end{array}}1 + \sum _{\begin{array}{c} (i,j,k):\\ h_{i,j,k}\in \mathcal {H} \end{array}}1 =\frac{3\tau +2}{6}m^3+o(m^3)\\ n_X&= \sum _{\begin{array}{c} (i,j,k):\\ g_{i,j,k}\in \mathcal {G} \end{array}}(m-1) + \sum _{\begin{array}{c} (i,j,k):\\ h_{i,j,k}\in \mathcal {H} \end{array}}(m-1+i) - (m-1)\omega = \sum _{\begin{array}{c} (i,j,k):\\ h_{i,j,k}\in \mathcal {H} \end{array}}i = \frac{3\tau +2}{6}m^3 + o(m^3) \\ n_Y&= \sum _{\begin{array}{c} (i,j,k):\\ g_{i,j,k}\in \mathcal {G} \end{array}}(m-1) + \sum _{\begin{array}{c} (i,j,k):\\ h_{i,j,k}\in \mathcal {H} \end{array}}(m-1+j) - (m-1)\omega = \sum _{\begin{array}{c} (i,j,k):\\ h_{i,j,k}\in \mathcal {H} \end{array}}j = \frac{3\tau +4}{6}m^3 + o(m^3) \\ n_Z&= \sum _{\begin{array}{c} (i,j,k):\\ g_{i,j,k}\in \mathcal {G} \end{array}}(2(m-1)+\tau m) + \sum _{\begin{array}{c} (i,j,k):\\ h_{i,j,k}\in \mathcal {H} \end{array}}(2(m-1)+\tau m+k) - (2(m-1)+\tau m)\omega \\&= \sum _{\begin{array}{c} (i,j,k):\\ h_{i,j,k}\in \mathcal {H} \end{array}}k = \frac{3\tau ^2+6\tau + 4}{6}m^3 + o(m^3)\\ n_W&= \omega - \sum _{\begin{array}{c} (i,j,k):\\ h_{i,j,k}\in \mathcal {H} \end{array}}1 = \frac{3\tau +2}{6}m^3 + o(m^3) \end{aligned} \end{aligned}$$

Substitute the above results and \(X=N^{\beta -\delta },Y=N^{\alpha +\beta -2},Z=N^{0.5},W=N^{\alpha +\beta }\) into Eq. (17), then take the exponents part, we can obtain

$$\begin{aligned} \begin{aligned} (\beta -\delta )&(\frac{3\tau +2}{6}m^3 + o(m^3)) + (\alpha +\beta -2)(\frac{3\tau +4}{6}m^3 + o(m^3)) \\&+0.5(\frac{3\tau ^2+6\tau + 4}{6}m^3 + o(m^3)) < (\alpha +\beta )(\frac{3\tau +2}{6}m^3 + o(m^3)). \end{aligned} \end{aligned}$$

When m is sufficient large, we may omit the term \(o(m^3)\), and get the new condition in Eq. (10).