1. Introduction

Invented in 1978 by Rivest, Shamir, and Adleman [1], the RSA cryptosystem is one of the most used public key cryptosytems regarding its practical applications. Its security is related to the hardness of factoring composite large integers. To use the RSA scheme, one starts by generating two large prime numbers p and q of the same bit size, and it computes $N=pq$ as the RSA modulus. Then, one selects an integer e, called the public exponent, satisfying $\gcd \left(e,p-1\left)\right(q-1)\right)=1$. This enables us to compute the private exponent d as the inverse of e modulo $(p-1)(q-1)$, that is $ed\equiv 1(\mathrm{mod}(p-1\left)\right(q-1\left)\right)$. The encryption process allows transforming a plaintext $m<N$ to a ciphertext $c\equiv m^e(\mathrm{mod}N)$. To recover the plaintext m, one applies the decryption process $m\equiv c^d(\mathrm{mod}N)$. The efficiency of both encryption and decryption is based on the run time of the modular exponentiation. To reduce the run time, specifically in the decryption, it is tempting to use small private exponents. Unfortunately, in 1990, Wiener [2] showed that such a choice is vulnerable when $d\le \frac{1}{3}{N}^{\frac{1}{4}}$. The former bound was improved later by Boneh and Durfee [3] up to $N^{0.292}$.

Based on these obstacles, several variants have been proposed to improve the efficiency as well as the security of RSA. Some of these variants employ a modulus of the form $N=pq$ as in CRT-RSA [4], rebalanced RSA [2], and KMOV [5]. In contrast, other variants utilize different types of moduli, such as Multi-Prime RSA [6] and Prime-Power RSA [7].

In 2018, Murru and Saettone [8] introduced a new variant of the RSA scheme based on the cubic Pell equation $x^3+a{y}^3+a^2{z}^3-3axyz=1$, where a is a cubic non-residue modulo $N=pq$. They used $N=pq$ as a modulus, with the public key being $(N,e)$ and the private key $(N,d)$, where e and d satisfy $ed\equiv 1\left(\mathrm{mod}\frac{(p^3-1)(q^3-1)}{(p-1)(q-1)}\right)$. This variant of RSA has been intensively cryptanalyzed in [9,10,11,12].

In 2022, Cotan and Teşeleanu [13] proposed a generalization of the scheme of Murru and Saettone. They used a modulus $N=pq$, a public exponent e, and a private exponent d such that $ed\equiv 1\left(\mathrm{mod}\frac{(p^n-1)(q^n-1)}{(p-1)(q-1)}\right)$ for $n\ge 2$. The special case $n=3$ is the scheme of Murru and Saettone. The authors also presented an attack based on the continued fraction algorithm whenever $n\le 4$, $d=N^{\delta }$, $e=N^{\alpha }$, $\alpha \le n-\frac{1}{2}$, and $\delta <\frac{1}{4}(2n-2\alpha -1)$.

In 2024, Nitaj et al. [14] developed a novel attack on the Cotan and Teşeleanu scheme using Coppersmith’s method and lattice basis reduction. They demonstrated that one can efficiently factor the modulus $N=pq$ if $e=N^{\alpha }$, $d\le N^{\delta }$, $\frac{n-1}{2}\le \alpha \le 2(n-1)$, and $\delta <n-1-\frac{\sqrt{2}}{2}\sqrt{(n-1)\alpha }$.

In the work of Nitaj et al. [14], the authors started by solving the modular equation $xH\left(y\right)+c\equiv 0(\mathrm{mod}e)$ where $H\left(y\right)$ is a monic polynomial of degree r, under certain conditions, namely, $e=N^{\alpha }$, $\left|x\right|<N^{\beta }$, $\left|y\right|<N^{\gamma }$, ${c<\left|x\right|\left|y\right|}^r<e$, and $\beta <\alpha -\sqrt{r\alpha \gamma }$. As a by-product, they presented an attack on the scheme of Cotan and Teşeleanu and showed that $N=pq$ can be factored for any $n\ge 2$ if e and d satisfy $ed\equiv 1\left(\mathrm{mod}\frac{(p^n-1)(q^n-1)}{(p-1)(q-1)}\right)$ and $\delta <n-1-\frac{\sqrt{2}}{2}\sqrt{(n-1)\alpha }$. This significantly improved the bound $\delta <\frac{1}{4}(2n-2\alpha -1)$ of Cotan and Teşeleanu.

In this paper, for a monic univariate polynomial $H\left(y\right)\in \mathbb{Z}\left[y\right]$ of degree r, we propose a new lattice-based method to solve the equation $xH\left(y\right)+c\equiv 0(\mathrm{mod}e)$ when $N=pq$, $e=N^{\alpha }$, $\left|x\right|\le N^{\beta }$, $\left|y\right|\le N^{\gamma }$, ${\left|x\right|\left|y\right|}^r<e$, and $\beta <\alpha +\frac{1}{3}r\gamma -\frac{2}{3}\sqrt{3r\alpha \gamma +r^2{\gamma }^2}$. This can be achieved for any value of c; in particular, the condition $\left|c\right|<\left|x{y}^r\right|$ is no more required. This allows us to perform four attacks on the scheme of Cotan and Teşeleanu. The first attack deals with the situation where the least significant bits (LSBs) of the private exponent d are known. The second attack concerns the situation where an approximation of one of the primes is known. The third attack concerns the situation when the primes share their most significant bits (MSBs). The fourth attack concerns the situation where the primes share their least significant bits.

The paper is organized as follows. In Section 2, we present some preliminaries and provide a new expression for ${\psi }_n\left(N\right)$ that is useful in the sequel. In Section 3, we present the new method to find the small solutions of the equation $xH\left(y\right)+c\equiv 0(\mathrm{mod}e)$. In Section 4, we apply the proposed method to perform the first attack on the cryptosystem of Cotan and Teşeleanu, namely, an attack with known LSBs. In Section 5, we present the second attack, which is a partial prime exposure attack. In Section 6, we apply the third attack when the prime factors of the modulus share their MSBs. In Section 7, we present another expression for ${\psi }_n$ which allows performing the fourth attack when the prime factors of the modulus share their LSBs. Finally, we conclude the paper in Section 8.

2. Preliminaries

Let $N=pq$ be an RSA modulus with $q<p<2q$. Then, p and q can be bounded in terms of N as in the following simple lemma.

The following lemma shows how to find an approximation of q if an approximation of p is given (see [9]).

The generalized totient function in the system of Cotan and Teşeleanu [13] is defined for $N=pq$ and $n\ge 2$ by

${\psi }_n\left(N\right)={\displaystyle \frac{\left(p^n-1\right)\left(q^n-1\right)}{(p-1)(q-1)}}.$

The following result gives simple upper and lower bounds for ${\psi }_n\left(N\right)$.

The following result shows how to compute ${\psi }_n\left(N\right)$ (see [14]).

The following result shows that ${\psi }_n\left(N\right)$ can be expressed as a polynomial of $p+q$ (see [14]).

Note that in Lemma 5, the coefficients $a_i$ can be computed only by using N and n. Nevertheless, ${\psi }_n\left(N\right)$ cannot be computed by an adversary who does not know $p+q$.

The former result can be extended in the following form.

Using Lemma 4, one can express the first values of ${\psi }_n\left(N\right)$ as a polynomial in $T=p+q-M$. For instance, we have

$\begin{array}{cc}\hfill {\psi }_1\left(N\right)& =1,\hfill \\ \hfill {\psi }_2\left(N\right)& =T+M+N+1,\hfill \\ \hfill {\psi }_3\left(N\right)& =T^2+(2M+N+1)T+M(M+N+1)+N^2-N+1,\hfill \\ \hfill {\psi }_4\left(N\right)& =T^3+(3M+N+1)T^2+\left(M(3M+2N+2)+N^2-2N+1\right)T\hfill \\ \hfill & +M^2+M^3+M+M(N^2+MN-2N)+N^3-N^2-N+1,\hfill \\ \hfill {\psi }_5\left(N\right)& =T^4+(4M+N+1)T^3+\left(M(6M+3N+3)+N^2-3N+1\right)T^2\hfill \\ \hfill & +\left(4M^3+3M^2+2M+M(3MN+2N^2-6N)+N^3-2N^2-2N+1\right)T\hfill \\ \hfill & +M^4+M^3+M^2+M+M(M^{2}N+M{N}^2-3MN+N^3-2N^2-2N)\hfill \\ \hfill & +N^4-N^3+N^2-N+1.\hfill \end{array}$

2.1. Lattice Basis Reduction and Coppersmith’s Method

Let $\omega$ and n be positive integers with $\omega \le n$. Let $v_1,v_2,\dots ,v_{\omega }$ be $\omega$ linearly independent vectors of ${\mathbb{R}}^n$. A lattice $\mathcal{L}\subset {\mathbb{R}}^n$ is the set of all integer linear combinations of $v_1,v_2,\dots ,v_{\omega }$, that is,

$\mathcal{L}=\mathbb{Z}{v}_1+\mathbb{Z}{v}_2+\dots +\mathbb{Z}{v}_{\omega }.$

It is known that a lattice $\mathcal{L}$ has infinitely many bases, and finding a basis with short vectors is a hard task especially when the dimension of the lattice is large. In 1982, Lenstra, Lenstra and Lovász [15] proposed LLL, which is a polynomial time algorithm to find a short basis. The following result [16] is widely used to estimate the output of the LLL algorithm.

2.2. Coppersmith’s Method

In 1996, Coppersmith [17] proposed an efficient way to find small roots of modular polynomial equations of the form $f\left(x\right)\equiv 0(\mathrm{mod}M)$, mainly when the factorization of the modulus M is unknown. Since then, Coppersmith’s method has been generalized to polynomials with more variables, specifically polynomials of the form

$f(x_1,x_2,\dots ,x_n)=\sum _{i_1,i_2,\dots ,i_n}{a}_{i_1,i_2,\dots ,i_n}{x}_1^{i_1}{x}_2^{i_2}\cdots x_n^{i_n},$

In 1997, Howgrave-Graham [18] clarified Coppersmith’s method in the following sense.

• 1. 

  $f(y_1,y_2,\dots ,y_n)\equiv 0(\mathrm{mod}{e}^m)$.

• 2. 

  $\parallel f(x_1{X}_1,x_2{X}_2,\dots ,x_n{X}_n)\parallel <\frac{e^m}{\sqrt{\omega }}$, $|y_i| <X_i$, for $i=1,\dots ,n$.

Then, $f(y_1,y_2,\dots ,y_n)=0$ holds over the integers.

When more than two variables are involved, the methods based on Coppersmith’s technique are heuristic. In this paper, we use the following assumption [3,12,19,20]. This is a reasonable assumption that holds true when the parameters are sufficiently smaller than the theoretical bounds.

Under the former assumption, the common root $(y_1,y_2,\dots ,y_n)$ of the polynomial equations $h_i(y_1,y_2,\dots ,y_n)=0$, $i=1,\dots ,\omega$ can be extracted by the Gröbner basis method or resultant techniques.

2.3. The Scheme of Cotan and Teşeleanu

Before describing the scheme, we need to define some mathematical objects that are useful in the sequel. Let $(\mathbb{F},+,·)$ be a field. Let n be an integer and $a\in \mathbb{F}$ such that $x^n-a$ is irreducible in $\mathbb{F}\left[x\right]$. Define the quotient field

${\mathbb{A}}_n=\mathbb{F}\left[x\right]/(x^n-a)=\{a_0+a_{1}x+\dots +a_{n-1}{x}^{n-1}\mid a_0,\dots ,a_{n-1}\in \mathbb{F}\}.$

$a\left(x\right)\circ b\left(x\right)=\sum _{i=0}^{n-2}\left(\sum _{j=0}^i{a}_j{b}_{i-j}+a\sum _{j=0}^{i+n}{a}_j{b}_{i-j+n}\right)x^i+\sum _{j=0}^{n-1}{a}_j{b}_{n-1-j}{x}^{n-1}.$

$[a_0+\dots +a_{n-1}{x}^{n-1}]=\left\{\gamma a_0+\dots +\gamma a_{n-1}{x}^{n-1}\mid \gamma \in {\mathbb{F}}^{\ast },a_0,\dots ,a_{n-1}\in \mathbb{F}\right\}.$

${\mathbb{B}}_k=\{a_0+\dots +a_{k-1}{x}^{k-1}+x^k\mid a_0,\dots ,a_{k-1}\in \mathbb{F}\},k=0,\dots ,n-1,$

When p is a prime number and $\mathbb{F}={\mathbb{F}}_p$ is the finite field of p elements, ${\mathbb{A}}_n$ becomes the Galois field of order $p^n$. Also, ${\mathbb{B}}_n$ is a cyclic group of order

$\sum _{k=0}^{n-1}{\left|{\mathbb{F}}_p\right|}^k={\displaystyle \frac{p^n-1}{p-1}}.$

${\left[a\left(x\right)\right]}^{|{\mathbb{B}}_n|}\equiv 1(\mathrm{mod} p),\forall \left[a\left(x\right)\right]\in {\mathbb{B}}_n.$

Observe that if $N=pq$ is the product of two prime numbers, and $\mathbb{F}=\mathbb{Z}/N\mathbb{Z}$, we obtain

$|{\mathbb{B}}_n| ={\displaystyle \frac{(p^n-1)(q^n-1)}{(p-1)(q-1)}}.$

${\left[a\left(x\right)\right]}^{|{\mathbb{B}}_n|}\equiv 1(\mathrm{mod}N).$

Key Generation

• 1.. Select a positive integer $n>1$ and a security size $\lambda >0$.

• 2.. Generate randomly two distinct large prime numbers of size $\lambda$.

• 3.. Calculate $N=pq$ and ${\psi }_n\left(N\right)=\frac{(p^n-1)(q^n-1)}{(p-1)(q-1)}$.

• 4.. Choose an integer a for which $x^n-a$ is irreducible in $\mathbb{Z}/p\mathbb{Z}\left[x\right]$, $\mathbb{Z}/q\mathbb{Z}\left[x\right]$, and $\mathbb{Z}/N\mathbb{Z}\left[x\right]$.

• 5.. Select an integer e such that $gcd(e,{\psi }_n\left(N\right))=1$ and compute d, the inverse of e modulo ${\psi }_n\left(N\right)$.

• 6.. The public key is $(N,n,a,e)$ and the private key is $(p,q,d)$.

Encryption

• 1.. Represent the plaintext as a polynomial

  $m\left(x\right)=m_0+m_{1}x+\dots +m_{n-2}{x}^{n-2}+x^{n-1}\in {\mathbb{B}}_n.$

• 2.. Compute $c\left(x\right)\equiv {\left[m\left(x\right)\right]}^e(\mathrm{mod} N)$.

• 3.. The ciphertext is $c\left(x\right)$.

Decryption

To recover the plaintext $m\left(x\right)$, one needs to compute

$m\left(x\right)\equiv {\left[c\left(x\right)\right]}^d(\mathrm{mod} N).$

3. Solving the Equation $\mathit{xH}\left(\mathit{y}\right)+\mathit{c}\equiv \mathbf{0}(\mathbf{mod} \mathit{e})$

In this section, we propose a new technique to find the small solutions of the modular equation $xH\left(y\right)+c\equiv 0(\mathrm{mod}e)$ where c is a constant, and $H\left(y\right)\in \mathbb{Z}\left[y\right]$ is a monic polynomial of degree r. The equation $xH\left(y\right)+c\equiv 0(\mathrm{mod}e)$ was previously studied by Kunihiro [21] and recently by Nitaj et al. [14]. In both works, the value $x{y}^r$ is replaced by $z-c$, and the assumption ${\left|c\right|<\left|x\right|\left|y\right|}^r$ is used. In this paper, we present a different method where $x{y}^r$ is independent of c. This relaxes the condition ${\left|c\right|<\left|x\right|\left|y\right|}^r$ used in [14,21], and it permits more applications in the cryptanalysis of some variants of RSA.

3.1. The New Method

3.2. A Numerical Example

In this section, we present a small numerical example to show the details of the resolution method of Theorem 3 with $n=4$, and $r=n-1=3$. Consider the following parameters

$\begin{array}{cc}\hfill N=& 463028995904606051817018641173,\hfill \\ \hfill c=& 895087879645377698399589802186741096954354552299285\setminus \hfill \\ \hfill & 87492654228177046463498977617360027022,\hfill \\ \hfill e=& 172459409963116822030248732348419638390904926885797\setminus \hfill \\ \hfill & 13115090719406582906246851863033916922.\hfill \end{array}$

${\psi }_4\left(N\right)={(p+q)}^3+(N+1){(p+q)}^2+\left(N^2-2N+1\right)(p+q)+N^3-N^2-N+1,$

$H\left(y\right)=y^3+(N+1)y^2+\left(N^2-2N+1\right)y+N^3-N^2-N+1.$

$\begin{array}{cc}\hfill & X=⌊N^{0.5}⌋=680462339813605,\hfill \\ \hfill & Y=⌊3N^{0.5}⌋=2041387019440815,\hfill \\ \hfill & Z=X{Y}^3=578868797830754738565836771991739782740725532698185\setminus \hfill \\ \hfill & 4011616875.\hfill \end{array}$

$F(x,y,z)=z+x\left((N+1)y^2+\left(N^2-2N+1\right)y+N^3-N^2-N+1\right)+c.$

$\begin{array}{cc}\hfill & G_{k,i,j}(x,y,z)=x^i{y}^{j}F{(x,y,z)}^k{e}^{m-k},\hfill \\ \hfill & k=0,\dots ,m,i=1,\dots ,m-k,j=0,\dots ,r-1,\hfill \\ \hfill & k=0,\dots ,m,i=0,j=0,\dots ,\lfloor t\rfloor ,\hfill \end{array}$

$\begin{array}{cc}\hfill & x_0=16165734257585,\hfill \\ \hfill & y_0=1360935721901674,\hfill \\ \hfill & z_0=40748185648950035910680304028872647558518309799826755032040.\hfill \end{array}$

$\begin{array}{c}\hfill p=683209007134751,q=677726714766923,\end{array}$

4. Partial Key Attack on the Scheme of Cotan and Teşeleanu with Known LSBs

In this section, we apply Theorem 3 to attack the scheme of Cotan and Teşeleanu when the attacker knows the s least significant bits (LSBs) of d so that $d=d_{1}M+d_0$ for $M=2^s$, with known $d_0$, and unknown $d_1$.