Small Private Key Attack Against A Family of RSA-like Cryptosystems

This paper discusses vulnerabilities in a family of RSA-like cryptosystems, particularly focusing on a scheme proposed by Elkamchouchi et al. that uses a modified key equation. The authors demonstrate that common attacks against RSA can be adapted to this scheme, revealing that small private key attacks can recover the secret exponent regardless of the parameter n. They introduce a generalized RSA-like encryption scheme and provide a Wiener-type attack applicable for any n > 1, emphasizing the inherent weaknesses in the cryptosystem's design.

Small Private Key Attack Against a Family of RSA-like Cryptosystems

Paul Cotan^{1,2} and George Teşeleanu^{1,2}

^1 Advanced Technologies Institute, 10 Dinu Vintilă, Bucharest, Romania, {paul.cotan,tgeorge}@dcti.ro
^2 Simion Stoilow Institute of Mathematics of the Romanian Academy, 21 Calea Grivitei, Bucharest, Romania

Abstract. Let $N = pq$ be the product of two balanced prime numbers $p$ and $q$. Elkamchouchi, Elshenawy and Shaban presented in 2002 an interesting RSA-like cryptosystem that uses the key equation $ed - k(p^2 - 1)(q^2 - 1) = 1$, instead of the classical RSA key equation $ed - k(p - 1)(q - 1) = 1$. The authors claimed that their scheme is more secure than RSA. Unfortunately, the common attacks developed against RSA can be adapted for Elkamchouchi et al.'s scheme. In this paper, we introduce a family of RSA-like encryption schemes that uses the key equation $ed - k(p^n - 1)(q^n - 1) = 1$, where $n > 0$ is an integer. Then, we show that regardless of the choice of $n$, there exists an attack based on continued fractions that recovers the secret exponent.

1 Introduction

In 1978, Rivest, Shamir and Adleman [29] proposed one of the most popular and widely used cryptosystems, namely RSA. In the standard RSA encryption scheme, we work modulo an integer $N$, where $N$ is the product of two large prime numbers $p$ and $q$. Let $\varphi(N) = (p-1)(q-1)$ denote Euler's totient function. In order to encrypt a message $m < N$, we simply compute $c \equiv m^e \bmod N$, where $e$ is generated a priori such that $\gcd(e, \varphi(N)) = 1$. To decrypt, one needs to compute $m \equiv c^d \bmod N$, where $d \equiv e^{-1} \bmod \varphi(N)$. Note that $(N, e)$ are public, while $(p, q, d)$ are kept secret. In the standard version of RSA, also called balanced RSA, $p$ and $q$ are of the same bit-size such that $q < p < 2q$. In this paper, we only consider the balanced RSA scheme and its variants.
In 2002, Elkamchouchi, Elshenawy and Shaban [15] extended the classical RSA scheme to the ring of Gaussian integers modulo $N$. A Gaussian integer modulo $N$ is a number of the form $a + bi$, where $a, b \in \mathbb{Z}_N$ and $i^2 = -1$. Let $\mathbb{Z}_N[i]$ denote the set of all Gaussian integers modulo $N$ and let $\phi(N) = |\mathbb{Z}_N^*[i]| = (p^2 - 1)(q^2 - 1)$. To set up the public exponent, in this case we must have $\gcd(e, \phi(N)) = 1$. The corresponding private exponent is $d \equiv e^{-1} \bmod \phi(N)$. In order to encrypt a message $m \in \mathbb{Z}_N[i]$, we simply compute $c \equiv m^e \bmod N$ and to decrypt it $m \equiv c^d \bmod N$. Note that the exponentiations are computed in the ring $\mathbb{Z}_N[i]$. The authors of [15] claim that this extension provides more security than that of the classical RSA. In the following paragraphs we present a series of common attacks that work for both types of cryptosystems.

Small Private Key Attacks. In order to decrease decryption time, one may prefer to use a smaller $d$. Wiener showed in [33] that this is not always a good idea. More exactly, in the case of RSA, if $d < N^{0.25}/3$, then one can retrieve $d$ from the continued fraction expansion of $e/N$, and thus factor $N$. Using a result developed by Coppersmith [12], Boneh and Durfee [5] improved Wiener's bound to $N^{0.292}$. Later on, Herrmann and May [19] obtained the same bound, but using simpler techniques. A different approach was taken by Blömer and May [3], who generalized Wiener's attack. More precisely, they showed that if there exist three integers $x, y, z$ such that $ex - y\varphi(N) = z$, $x < N^{0.25}/3$ and $|z| < |exN^{-0.75}|$, then the factorisation of $N$ can be recovered. When an approximation $p_0$ of $p$ is known such that $|p - p_0| < N^{\delta}/8$ and $\delta < 0.5$, Nassr, Anwar and Bahig [25] present a method based on continued fractions for recovering $d$ when $d < N^{(1-\delta)/2}$.

In the case of Elkamchouchi et al., a small private key attack based on continued fractions was presented in [7]. Using lattice reduction, the attack was improved in [28,34]. The authors obtained a bound of $d < N^{0.585}$. A generalization of the attack presented in [7] to unbalanced prime numbers was presented in [9]. Considering the generic equation $ex - y\phi(N) = z$, the authors of [8] describe a method for factoring $N$ when $xy < 2N - 4\sqrt{2}N^{0.75}$ and $|z| < (p - q)N^{0.25}y$. An extension of the previous attack was proposed in [27].

Multiple Private Keys Attack. Let $\ell > 0$ be an integer and $i \in [1, \ell]$. When multiple large public keys $e_i \simeq N^{\alpha}$ are used with the same modulus $N$, Howgrave-Graham and Seifert [20] describe an attack against RSA that recovers the corresponding small private exponents $d_i \simeq N^{\beta}$. This attack was later improved by Sarkar and Maitra [30], Aono [1] and Takayasu and Kunihiro [31]. The best known bound [31] is $\beta < 1 - 2/(3\ell + 1)$. Remark that when $\ell = 1$ we obtain the Boneh-Durfee bound.

The multiple private keys attack against the Elkamchouchi et al. cryptosystem was studied by Zheng, Kunihiro and Hu [34]. The bound obtained by the authors is $\beta < 2 - 2\sqrt{2/(3\ell + 1)}$ and it is twice the bound obtained by Takayasu and Kunihiro [31]. Note that when $\ell = 1$ the bound is equal to 0.585.

Partial Key Exposure Attack. In this type of attack, the most or least significant bits of the private exponent $d$ are known. Starting from these, an adversary can recover the entire RSA private key using the techniques presented by Boneh, Durfee and Frankel in [6]. The attack was later improved by Blömer and May [2], Ernst et al. [16] and Takayasu and Kunihiro [32]. The best known bound [32] is $\beta < (\gamma + 2 - \sqrt{2 - 3\gamma^2})/2$, where the attacker knows $N^{\gamma}$ leaked bits.

Zheng, Kunihiro and Hu [34] describe a partial exposure attack that works in the case of the Elkamchouchi et al. scheme. The bound they achieve is $\beta < (3\gamma + 7 - 2\sqrt{3\gamma + 7})/3$. When $\gamma = 0$, the bound is close to 0.569, and thus it remains an open problem how to optimize it.

Small Prime Difference Attack. When the prime difference $|p - q|$ is small and certain conditions hold, de Weger [14] described two methods to recover $d$, one based on continued fractions and one on lattice reduction. These methods were further extended by Maitra and Sarkar [22,23] to $|\rho q - p|$, where $1 \le \rho \le 2$. Lastly, Chen, Hsueh and Lin generalize them further to $|\rho q - \epsilon p|$, where $\rho$ and $\epsilon$ have certain properties. The continued fraction method is additionally improved by Ariffin et al. [21].

The small prime difference attack against the Elkamchouchi et al. public key encryption scheme was studied in [11]. Note that when the common condition $|p - q| < N^{0.5}$ holds, their bound leads to the small private key bound $d < N^{0.585}$.

Related work. It is worth noting that our current undertaking shares similarities
with a prior work of ours [13], where we explored a cryptographic system closely
related to our own. Specifically, we studied the implications of generalizing the
Murru-Saettone cryptosystem [24], and the effect of using continued fractions to
recover the private key.

1.1 Our Contributions

We first remark that the rings $\mathbb{Z}_p = \mathbb{Z}_p[t]/(t + 1) = GF(p)$ and $\mathbb{Z}_p[i] = \mathbb{Z}_p[t]/(t^2 + 1) = GF(p^2)$, where $GF$ stands for Galois field. Therefore, we can rethink the RSA scheme as working in the group $GF(p) \times GF(q)$ instead of $\mathbb{Z}_N$, and the Elkamchouchi et al. scheme as an extension to $GF(p^2) \times GF(q^2)$ instead of $\mathbb{Z}_N[i]$. This leads to a natural generalization of RSA to $GF(p^n) \times GF(q^n)$, where $n \ge 1$. In this paper we introduce exactly this extension. We wanted to see whether the common attacks presented in the introduction work only for $n = 1$ and $n = 2$, or whether this is something that happens in general. In this study we present a Wiener-type attack that works for any $n > 1$. More precisely, we prove that when $d < N^{0.25n}$, we can recover the secret exponent regardless of the value of $n$. Therefore, no matter how we instantiate the generalized version, a small private key attack will always succeed.

Structure of the Paper. We introduce in Section 2 notations and definitions used throughout the paper. Inspired by Rivest et al. and Elkamchouchi et al.'s work [15,29], in Section 3 we construct a family of RSA-like cryptosystems. After proving several useful lemmas in Section 4, we extend Wiener's small private key attack in Section 5. Two concrete instantiations are provided in Section 6. We conclude our paper in Section 7.

2 Preliminaries

Notations. Throughout the paper, $\lambda$ denotes a security parameter. Also, the notation $|S|$ denotes the cardinality of a set $S$. The set of integers $\{0, \ldots, a\}$ is further denoted by $[0, a]$. We use $\simeq$ to indicate that two values are approximately equal.

2.1 Continued fraction

For any real number $\zeta$ there exists a unique sequence $(a_n)_n$ of integers such that
$$\zeta = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \cfrac{1}{a_4 + \cdots}}}},$$
where $a_k > 0$ for any $k \ge 1$. This sequence represents the continued fraction expansion of $\zeta$ and is denoted by $\zeta = [a_0, a_1, a_2, \ldots]$. Remark that $\zeta$ is a rational number if and only if its corresponding representation as a continued fraction is finite.

For any real number $\zeta = [a_0, a_1, a_2, \ldots]$, the sequence of rational numbers $(A_n)_n$, obtained by truncating this continued fraction, $A_k = [a_0, a_1, a_2, \ldots, a_k]$, is called the convergents sequence of $\zeta$.

According to [18], the following bound allows us to check if a rational number $u/v$ is a convergent of $\zeta$.

Theorem 1. Let $\zeta = [a_0, a_1, a_2, \ldots]$ be a positive real number. If $u, v$ are positive integers such that $\gcd(u, v) = 1$ and
$$\left|\zeta - \frac{u}{v}\right| < \frac{1}{2v^2},$$
then $u/v$ is a convergent of $[a_0, a_1, a_2, \ldots]$.

2.2 Quotient Groups

In this section we will provide the mathematical theory needed to generalize the Rivest, Shamir and Adleman, and the Elkamchouchi, Elshenawy and Shaban encryption schemes. Therefore, let $(\mathbb{F}, +, \cdot)$ be a field and $t^n - r$ an irreducible polynomial in $\mathbb{F}[t]$. Then
$$\mathbb{A}_n = \mathbb{F}[t]/(t^n - r) = \{a_0 + a_1 t + \ldots + a_{n-1}t^{n-1} \mid a_0, a_1, \ldots, a_{n-1} \in \mathbb{F}\}$$
is the corresponding quotient field. Let $a(t), b(t) \in \mathbb{A}_n$. Remark that the quotient field induces a natural product
$$\begin{aligned}
a(t) \circ b(t) &= \left(\sum_{i=0}^{n-1} a_i t^i\right) \circ \left(\sum_{j=0}^{n-1} b_j t^j\right) \\
&= \sum_{i=0}^{2n-2} \left(\sum_{j=0}^{i} a_j b_{i-j}\right) t^i \\
&= \sum_{i=0}^{n-1} \left(\sum_{j=0}^{i} a_j b_{i-j}\right) t^i + r \sum_{i=n}^{2n-2} \left(\sum_{j=0}^{i} a_j b_{i-j}\right) t^{i-n} \\
&= \sum_{i=0}^{n-2} \left(\sum_{j=0}^{i} a_j b_{i-j} + r \sum_{j=0}^{i+n} a_j b_{i-j+n}\right) t^i + \sum_{j=0}^{n-1} a_j b_{n-1-j}\, t^{n-1}.
\end{aligned}$$

3 The Scheme

Let $p$ be a prime number. When we instantiate $\mathbb{F} = \mathbb{Z}_p$, we have that $\mathbb{A}_n = GF(p^n)$ is the Galois field of order $p^n$. Moreover, $\mathbb{A}_n^*$ is a cyclic group of order $\varphi_n(\mathbb{Z}_p) = p^n - 1$. Remark that an analogue of Fermat's little theorem holds
$$a(t)^{\varphi_n(\mathbb{Z}_p)} \equiv 1 \bmod p,$$
where $a(t) \in \mathbb{A}_n^*$ and the power is evaluated by $\circ$-multiplying $a(t)$ by itself $\varphi_n(\mathbb{Z}_p) - 1$ times. Therefore, we can build an encryption scheme that is similar to RSA using $\circ$ as the product.

Setup($\lambda$): Let $n > 1$ be an integer. Randomly generate two distinct large prime numbers $p, q$ such that $p, q \ge 2^{\lambda}$ and compute their product $N = pq$. Select $r \in \mathbb{Z}_N$ such that the polynomial $t^n - r$ is irreducible in $\mathbb{Z}_p[t]$ and $\mathbb{Z}_q[t]$. Let
$$\varphi_n(\mathbb{Z}_N) = \varphi_n(N) = (p^n - 1) \cdot (q^n - 1).$$
Choose an integer $e$ such that $\gcd(e, \varphi_n(N)) = 1$ and compute $d$ such that $ed \equiv 1 \bmod \varphi_n(N)$. Output the public key $pk = (n, N, r, e)$. The corresponding secret key is $sk = (p, q, d)$.

Encrypt($pk, m$): To encrypt a message $m = (m_0, \ldots, m_{n-1}) \in \mathbb{Z}_N^n$ we first construct the polynomial $m(t) = m_0 + \ldots + m_{n-1}t^{n-1} \in \mathbb{A}_n^*$ and then we compute $c(t) \equiv [m(t)]^e \bmod N$. Output the ciphertext $c(t)$.

Decrypt($sk, c(t)$): To recover the message, simply compute $m(t) \equiv [c(t)]^d \bmod N$ and reassemble $m = (m_0, \ldots, m_{n-1})$.

Remark 1. When $n = 1$ we get the RSA scheme [29]. Also, when $n = 2$, we obtain the Elkamchouchi et al. cryptosystem [15].

4 Useful Lemmas

In this section we provide a few useful properties of $\varphi_n(N)$. Before starting our analysis, we first note that plugging $q = N/p$ in $\varphi_n(N)$ leads to the following function
$$f_n(p) = N^n - p^n - \left(\frac{N}{p}\right)^n + 1,$$
with $p$ as a variable. The next lemma tells us that, under certain conditions, $f_n$ is a strictly decreasing function.

Proposition 1. Let $N$ be a positive integer. Then for any integers $n > 1$ and $\sqrt{N} \le x < N$, we have that the function
$$f_n(x) = N^n - x^n - \left(\frac{N}{x}\right)^n + 1$$
is strictly decreasing with $x$.

Proof. Computing the derivative of $f_n$ we have that
$$f_n'(x) = -n\left(x^{n-1} - \frac{1}{x^{n+1}} \cdot N^n\right).$$
Using $x \ge \sqrt{N}$ we obtain that
$$x^{2n} > N^n \Leftrightarrow x^{n-1} > \frac{1}{x^{n+1}} \cdot N^n \Leftrightarrow f_n'(x) < 0,$$
and therefore we have that $f_n$ is a strictly decreasing function.

Using the following result from [26, Lemma 1], we will compute a lower and upper bound for $\varphi_n(N)$.

Lemma 1. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then the following property holds
$$\frac{\sqrt{2}}{2}\sqrt{N} < q < \sqrt{N} < p < \sqrt{2}\sqrt{N}.$$

Corollary 1. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then the following property holds
$$\left(\sqrt{N}^n - 1\right)^2 > \varphi_n(N) > N^n\left(1 - \frac{2^n + 1}{\sqrt{2}^n\sqrt{N}^n}\right) + 1.$$

Proof. By Lemma 1 we have that
$$\sqrt{N} < p < \sqrt{2}\sqrt{N},$$
which, according to Proposition 1, leads to
$$f_n(\sqrt{N}) > f_n(p) > f_n(\sqrt{2}\sqrt{N}).$$
This is equivalent to
$$\left(\sqrt{N}^n - 1\right)^2 > \varphi_n(N) > N^n\left(1 - \frac{2^n + 1}{\sqrt{2}^n\sqrt{N}^n}\right) + 1,$$
as desired.

When $n = 1$ and $n = 2$, the following results proven in [10] and [7] respectively become special cases of Corollary 1.

Corollary 2. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then the following property holds
$$(\sqrt{N} - 1)^2 > \varphi_1(N) > N + 1 - \frac{3}{\sqrt{2}}\sqrt{N}.$$

Corollary 3. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then the following property holds
$$(N - 1)^2 > \varphi_2(N) > N^2 + 1 - \frac{5}{2}N.$$
We can use Corollary 1 to find a useful approximation of $\varphi_n$. This result will be useful when devising the attack against the generalized RSA scheme.

Proposition 2. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. We define
$$\varphi_{n,0}(N) = \frac{1}{2}\cdot\left(\sqrt{N}^n - 1\right)^2 + \frac{1}{2}\cdot\left(N^n\left(1 - \frac{2^n + 1}{\sqrt{2}^n\sqrt{N}^n}\right) + 1\right).$$
Then the following holds
$$|\varphi_n(N) - \varphi_{n,0}(N)| < \frac{\Delta_n}{2}\sqrt{N}^n,$$
where
$$\Delta_n = \frac{(\sqrt{2}^n - 1)^2}{\sqrt{2}^n}.$$

Proof. According to Corollary 1, $\varphi_{n,0}(N)$ is the mean value of the lower and upper bound. The following property holds
$$\begin{aligned}
|\varphi_n(N) - \varphi_{n,0}(N)| &\le \frac{1}{2}\left[\left(\sqrt{N}^n - 1\right)^2 - N^n\left(1 - \frac{2^n + 1}{\sqrt{2}^n\sqrt{N}^n}\right) - 1\right] \\
&= \frac{1}{2}\left[N^n - 2\sqrt{N}^n + 1 - N^n + \sqrt{N}^n \cdot \frac{2^n + 1}{\sqrt{2}^n} - 1\right] \\
&= \frac{1}{2}\sqrt{N}^n\left(\frac{2^n + 1}{\sqrt{2}^n} - 2\right) \\
&= \frac{\Delta_n}{2}\sqrt{N}^n,
\end{aligned}$$
as desired.


When $n = 1$ and $n = 2$, the following properties presented in [10] and [7] respectively become special cases of Proposition 2.

Corollary 4. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then the following holds
$$|\varphi_1(N) - \varphi_{1,0}(N)| < \frac{3 - 2\sqrt{2}}{2\sqrt{2}}\sqrt{N}.$$

Corollary 5. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. Then the following holds
$$|\varphi_2(N) - \varphi_{2,0}(N)| < \frac{1}{4}N.$$

5 Application of Continued Fractions


We further provide an upper bound for selecting $d$ such that we can use the continued fraction algorithm to recover $d$ without knowing the factorisation of the modulus $N$.

Theorem 2. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. If $e < \varphi_n(N)$ satisfies $ed - k\varphi_n(N) = 1$ with
$$d < \sqrt{\frac{\sqrt{2}^n N^n\left(\sqrt{N}^n - \delta_n\right)}{e\left(\sqrt{2}^n - 1\right)^2}}, \qquad (1)$$
where
$$\delta_n = \frac{4\sqrt{2}^n}{(\sqrt{2}^n - 1)^2} + \frac{2(2^n + 1)}{\sqrt{2}^n},$$
then we can recover $d$ in polynomial time.

Proof. Since $ed - k\varphi_n(N) = 1$, we have that
$$\begin{aligned}
\left|\frac{k}{d} - \frac{e}{\varphi_{n,0}(N)}\right| &\le e\left|\frac{1}{\varphi_{n,0}(N)} - \frac{1}{\varphi_n(N)}\right| + \left|\frac{e}{\varphi_n(N)} - \frac{k}{d}\right| \\
&= e\,\frac{|\varphi_n(N) - \varphi_{n,0}(N)|}{\varphi_{n,0}(N)\varphi_n(N)} + \frac{1}{\varphi_n(N)d}.
\end{aligned}$$
Let $\varepsilon_n = N^n - \sqrt{N}^n(2^n + 1)/\sqrt{2}^n + 1$. Using $d = (k\varphi_n(N) + 1)/e$ and Proposition 2 we obtain
$$\begin{aligned}
\left|\frac{k}{d} - \frac{e}{\varphi_{n,0}(N)}\right| &\le \frac{e\,\frac{\Delta_n}{2}\sqrt{N}^n}{\varphi_{n,0}(N)\varphi_n(N)} + \frac{e}{\varphi_n(N)(k\varphi_n(N) + 1)} \\
&\le \frac{e\sqrt{N}^n(\sqrt{2}^n - 1)^2}{2\sqrt{2}^n\varepsilon_n^2} + \frac{e}{\varepsilon_n(k\varepsilon_n + 1)} \\
&\le \frac{e\sqrt{N}^n(\sqrt{2}^n - 1)^2}{2\sqrt{2}^n\varepsilon_n^2} + \frac{e}{\varepsilon_n^2} \\
&= \frac{e\left[\sqrt{N}^n(\sqrt{2}^n - 1)^2 + 2\sqrt{2}^n\right]}{2\sqrt{2}^n\varepsilon_n^2} \\
&\le \frac{e\left[\sqrt{N}^n(\sqrt{2}^n - 1)^2 + 2\sqrt{2}^n\right]}{2\sqrt{2}^n\left(N^n - \frac{2^n + 1}{\sqrt{2}^n}\sqrt{N}^n\right)^2}.
\end{aligned}$$
Note that
$$\frac{\sqrt{N}^n(\sqrt{2}^n - 1)^2 + 2\sqrt{2}^n}{2\sqrt{2}^n\left(N^n - \frac{2^n + 1}{\sqrt{2}^n}\sqrt{N}^n\right)^2} = \frac{(\sqrt{2}^n - 1)^2\left[\sqrt{N}^n + \frac{2\sqrt{2}^n}{(\sqrt{2}^n - 1)^2}\right]}{2\sqrt{2}^n N^n\left(\sqrt{N}^n - \frac{2^n + 1}{\sqrt{2}^n}\right)^2} \le \frac{(\sqrt{2}^n - 1)^2}{2\sqrt{2}^n N^n\left(\sqrt{N}^n - \delta_n\right)},$$
which leads to
$$\left|\frac{k}{d} - \frac{e}{\varphi_{n,0}(N)}\right| \le \frac{e(\sqrt{2}^n - 1)^2}{2\sqrt{2}^n N^n\left(\sqrt{N}^n - \delta_n\right)} \le \frac{1}{2d^2}.$$
Using Theorem 1 we obtain that $k/d$ is a convergent of the continued fraction expansion of $e/\varphi_{n,0}(N)$. Therefore, $d$ can be recovered in polynomial time.


Corollary 6. Let $\alpha < 1.5n$ and $N = pq$ be the product of two unknown primes with $q < p < 2q$. If we approximate $e \simeq N^{\alpha}$ and $N \simeq 2^{2\lambda}$, then Equation (1) becomes
$$d < \frac{2^{(n - \alpha)\lambda + \frac{n}{4}}\sqrt{2^{n\lambda} - \delta_n}}{\sqrt{2}^n - 1} < \frac{2^{(1.5n - \alpha)\lambda + \frac{n}{4}}}{\sqrt{2}^n - 1}$$
or equivalently
$$\log_2(d) < (1.5n - \alpha)\lambda + \frac{n}{4} - \log_2(\sqrt{2}^n - 1) \simeq (1.5n - \alpha)\lambda.$$

When the cases $n = 1$ and $n = 2$ are considered, the following properties presented in [10] and [7], respectively, become special cases of Corollary 6. Note that when $n = \alpha = 1$ we obtain roughly the same margin as Wiener [4,33] obtained for the classical RSA.

Corollary 7. Let $\alpha < 1.5$ and $N = pq$ be the product of two unknown primes with $q < p < 2q$. If we approximate $e \simeq N^{\alpha}$ and $N \simeq 2^{2\lambda}$ then Equation (1) is equivalent to
$$\log_2(d) < (1.5 - \alpha)\lambda - 0.25 + 1.27 \simeq (1.5 - \alpha)\lambda.$$

Corollary 8. Let $\alpha < 3$ and $N = pq$ be the product of two unknown primes with $q < p < 2q$. If we approximate $e \simeq N^{\alpha}$ and $N \simeq 2^{2\lambda}$ then Equation (1) is equivalent to
$$\log_2(d) < (3 - \alpha)\lambda - 0.5 \simeq (3 - \alpha)\lambda.$$

The last corollary tells us what happens when $e$ is large enough. We can see that $n$ is directly proportional to the secret exponent's upper bound.

Corollary 9. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. If we approximate $e \simeq N^n$ and $N \simeq 2^{2\lambda}$ then Equation (1) is equivalent to
$$\log_2(d) < 0.5n\lambda + \frac{n}{4} - \log_2(\sqrt{2}^n - 1) \simeq 0.5n\lambda.$$

6 Experimental results
We further present an example for the n = 3 and n = 4 cases. Examples for
n = 1 and n = 2 cases are provided in [10] and [7] respectively, and thus we omit
them.

6.1 Case n = 3
Before providing our example, we first show how to recover $p$ and $q$ once $\varphi_3(N) = (ed - 1)/k$ is recovered using our attack.

Lemma 2. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. If $\varphi_3(N) = N^3 - p^3 - q^3 + 1$ is known, then $p$ and $q$ can be recovered in polynomial time.

Proof. We will rewrite $\varphi_3(N)$ as
$$\begin{aligned}
\varphi_3(N) &= N^3 - p^3 - 3p^2q - 3pq^2 - q^3 + 1 + 3p^2q + 3pq^2 \\
&= N^3 - (p + q)^3 + 3N(p + q) + 1,
\end{aligned}$$
which is equivalent to
$$(p + q)^3 - 3N(p + q) + \varphi_3(N) - N^3 - 1 = 0.$$
Finding $S = p + q$ is equivalent to solving (in $\mathbb{Z}$) the following cubic equation
$$x^3 - 3Nx + (\varphi_3(N) - N^3 - 1) = 0, \qquad (2)$$
which can be done in polynomial time as presented in [17]. In order to find $p$ and $q$, we compute $D = p - q$ using the following remark
$$(p - q)^2 = (p + q)^2 - 4pq = S^2 - 4N.$$
Taking into account that $p > q$, $D$ is the positive square root of the previous quantity, and thus we derive the following
$$\begin{cases} p = \dfrac{S + D}{2}, \\[4pt] q = \dfrac{S - D}{2}. \end{cases}$$


The following lemma shows that in order to factor $N$ we only need to find one solution to Equation (2), namely its unique integer solution.

Lemma 3. Equation (2) always has exactly two non-real roots and an integer one.

Proof. Let $x_1, x_2$ and $x_3$ be Equation (2)'s roots. Using Vieta's formulas we have
$$\begin{aligned}
x_1 + x_2 + x_3 &= 0, \\
x_1x_2 + x_2x_3 + x_3x_1 &= -3N, \\
x_1x_2x_3 &= -(\varphi_3(N) - N^3 - 1).
\end{aligned}$$
From the first two relations we obtain
$$x_1^2 + x_2^2 + x_3^2 = (x_1 + x_2 + x_3)^2 - 2(x_1x_2 + x_2x_3 + x_3x_1) = 6N.$$
If we assume that $x_1 = p + q$ and $x_2, x_3$ are both real, we get the following system
$$\begin{cases} x_2 + x_3 = -(p + q) \\ x_2^2 + x_3^2 = 6N - (p + q)^2 \end{cases} \Rightarrow \begin{cases} (x_2 + x_3)^2 = (p + q)^2 \\ 2(x_2^2 + x_3^2) = 12N - 2(p + q)^2 \end{cases} \Rightarrow$$
$$\begin{aligned}
(x_2 - x_3)^2 &= 12N - 3(p + q)^2 \\
&= 6pq - 3p^2 - 3q^2 \\
&= -3(p - q)^2 < 0.
\end{aligned}$$
Therefore, we obtain a contradiction, and hence we conclude that Equation (2) has one real root, which is $p + q \in \mathbb{Z}$, and two non-real roots.

Now, we will exemplify our attack for $n = 3$ using the following small public key
$$N = 3014972633503040336590226508316351022768913323933,$$
$$\begin{aligned} e = {} & 8205656493798992557632452332926222819762435306999 \\ & 0124626035612517563005998895654688526643002715434 \\ & 25112020628278119623817044320522328087505650969. \end{aligned}$$
Remark that $e \approx N^{2.989}$. We use the Euclidean algorithm to compute the continued fraction expansion of $e/\varphi_{3,0}(N)$ and obtain that the first 25 partial quotients are
$$[0, 3, 2, 1, 16, 5, 3, 5, 1, 5, 1, 11, 2, 6, 1, 3, 1, 4, 1, 1, 1, 267, 1, 1, 4, \ldots].$$
According to Theorem 2, the set of convergents of $e/\varphi_{3,0}(N)$ contains all the possible candidates for $k/d$. From these convergents we select only those for which $\varphi_3 = (ed - 1)/k$ is an integer and the following system of equations
$$\begin{cases} \varphi_3 = (p^3 - 1)(q^3 - 1) \\ N = pq \end{cases}$$
has a solution as given in Lemma 2. The 2nd, 3rd and 21st convergents satisfy the first condition, however only the last one leads to a valid solution for $p$ and $q$. More precisely, the 21st convergent leads to
$$\begin{aligned} \varphi_3 = {} & 2740628207892953207018702174077483807563264408773 \\ & 7057963987757509374280517157259708222994487763446 \\ & 946621855565600927215471565545807198298953933036, \end{aligned}$$
$$\frac{k}{d} = \frac{514812488}{1719435401},$$
$$p = 2119778199036859068707819, \qquad q = 1422305708622213956806807.$$
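As an added example (not the authors' code), the following Python script carries out the Section 5 attack for $n = 3$ and finishes with Lemma 2: it builds a toy key from the constructed primes 1009 and 997 with a deliberately small $d$, then recovers $d$ and the factorization from $(N, e)$ alone via the convergents of $e/\varphi_{3,0}(N)$. The 49-digit key above is not reproduced; the toy values are assumptions made here so that every step can be checked end to end.

```python
"""Wiener-type attack of Theorem 2 for n = 3, finishing with Lemma 2.

Added example, not the paper's code.  A toy key is constructed from the
primes 1009 and 997 (assumptions) and a small d; only the public values
(N, e) are handed to the attack, which must return d and (p, q).
"""
from math import gcd, isqrt


def keygen_n3(p, q, d_start):
    """Toy Setup for n = 3: smallest d >= d_start coprime to phi_3(N), e = d^-1."""
    phi = (p**3 - 1) * (q**3 - 1)
    d = d_start
    while gcd(d, phi) != 1:
        d += 1
    return p * q, pow(d, -1, phi), d


def phi_n0(N, n):
    """Integer approximation of phi_{n,0}(N) from Proposition 2.

    Averaging the two Corollary 1 bounds gives
      phi_{n,0} = N^n - sqrt(N)^n - (2^n + 1) sqrt(N)^n / (2 sqrt(2)^n) + 1;
    isqrt introduces an error of a few units, far below the 1/(2d^2) slack
    Theorem 1 leaves, so the convergents of interest are unchanged.
    """
    Nn = N**n
    return Nn - isqrt(Nn) - (2**n + 1) * isqrt(Nn // 2**n) // 2 + 1


def convergents(num, den):
    """Yield the convergents (k_i, d_i) of num/den via the Euclidean algorithm."""
    k_prev, k = 0, 1      # numerators   h_{-2}, h_{-1}
    d_prev, d = 1, 0      # denominators
    while den:
        a = num // den
        num, den = den, num - a * den
        k_prev, k = k, a * k + k_prev
        d_prev, d = d, a * d + d_prev
        yield k, d


def factor_from_phi3(N, phi3):
    """Lemma 2: S = p + q is the unique integer root of Equation (2),
    x^3 - 3Nx + (phi3 - N^3 - 1) = 0.  The cubic is increasing for x > sqrt(N)
    and p + q < (1 + sqrt(2)) sqrt(N), so a binary search finds S; then
    D = sqrt(S^2 - 4N), p = (S + D)/2, q = (S - D)/2.  None if phi3 is wrong."""
    c = phi3 - N**3 - 1
    lo, hi = isqrt(N), 3 * isqrt(N) + 3
    while lo < hi:
        mid = (lo + hi) // 2
        if mid**3 - 3 * N * mid + c < 0:
            lo = mid + 1
        else:
            hi = mid
    S = lo
    if S**3 - 3 * N * S + c != 0 or S * S < 4 * N:
        return None
    D = isqrt(S * S - 4 * N)
    if D * D != S * S - 4 * N or (S + D) % 2:
        return None
    p, q = (S + D) // 2, (S - D) // 2
    return (p, q) if p * q == N else None


def wiener_attack_n3(N, e):
    """Walk the convergents of e/phi_{3,0}(N); keep k/d when phi_3 = (ed-1)/k
    is an integer from which Lemma 2 yields p*q == N.  Returns (d, (p, q))."""
    for k, d in convergents(e, phi_n0(N, 3)):
        if k == 0 or (e * d - 1) % k:
            continue
        pq = factor_from_phi3(N, (e * d - 1) // k)
        if pq:
            return d, pq
    return None


if __name__ == "__main__":
    N, e, d = keygen_n3(1009, 997, 10007)
    print("recovered:", wiener_attack_n3(N, e), "expected d =", d)
```

For the toy key $N \approx 2^{20}$, so Corollary 9 allows roughly $0.5 \cdot 3 \cdot 10 = 15$ bits for $d$, and $d = 10007$ (about 13.3 bits) is inside the bound; the same loop applied to the 49-digit pair above should stop at the 21st convergent listed in this section.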

6.2 Case n = 4
As in the previous case, we first show how to factorize N once φ4 is known.
Lemma 4. Let $N = pq$ be the product of two unknown primes with $q < p < 2q$. If $\varphi_4(N) = N^4 - p^4 - q^4 + 1$ is known, then
$$p = \frac{1}{2}(S + D) \quad \text{and} \quad q = \frac{1}{2}(S - D),$$
where $S = \sqrt{2N + \sqrt{(N^2 + 1)^2 - \varphi_4(N)}}$ and $D = \sqrt{S^2 - 4N}$.

Proof. We will rewrite $\varphi_4(N)$ as
$$\begin{aligned}
\varphi_4(N) &= N^4 - p^4 - 4p^3q - 6p^2q^2 - 4pq^3 - q^4 + 1 + 4p^3q + 6p^2q^2 + 4pq^3 \\
&= N^4 - (p + q)^4 + 4N(p^2 + 2pq + q^2) - 2p^2q^2 + 1 \\
&= N^4 - (p + q)^4 + 4N(p + q)^2 - 2N^2 + 1,
\end{aligned}$$
which is equivalent to
$$(p + q)^4 - 4N(p + q)^2 + \varphi_4(N) - (N^2 - 1)^2 = 0.$$
Finding $S' = p + q$ is equivalent to solving (in $\mathbb{Z}$) the following biquadratic equation
$$x^4 - 4Nx^2 + \varphi_4(N) - (N^2 - 1)^2 = 0 \Leftrightarrow (x^2)^2 - 4N(x^2) + \varphi_4(N) - (N^2 - 1)^2 = 0.$$
The previous equation can be solved as a normal quadratic equation. Computing the discriminant $\Delta$, we have that
$$\Delta = 4(N^2 + 1)^2 - 4\varphi_4(N) > 0.$$
Thus, the roots of the quadratic equation, $x'_{1,2}$, are
$$x'_{1,2} = 2N \pm \sqrt{(N^2 + 1)^2 - \varphi_4(N)}.$$
The roots of the biquadratic equation are the square roots of the previous quantities:
$$x_{1,2} = \pm\sqrt{2N + \sqrt{(N^2 + 1)^2 - \varphi_4(N)}}, \qquad x_{3,4} = \pm\sqrt{2N - \sqrt{(N^2 + 1)^2 - \varphi_4(N)}}.$$
The roots $x_{3,4}$ are pure imaginary since
$$\begin{aligned}
\sqrt{(N^2 + 1)^2 - \varphi_4(N)} > 2N &\Leftrightarrow (N^2 + 1)^2 - \varphi_4(N) > 4N^2 \\
&\Leftrightarrow N^4 + 2N^2 + 1 - N^4 + p^4 + q^4 - 1 - 4N^2 > 0 \\
&\Leftrightarrow (p^2 - q^2)^2 > 0.
\end{aligned}$$
The root $x_2 = -\sqrt{2N + \sqrt{(N^2 + 1)^2 - \varphi_4(N)}} < 0$, thus we get $S' = S = x_1 = \sqrt{2N + \sqrt{(N^2 + 1)^2 - \varphi_4(N)}}$. The values of $p$ and $q$ can be recovered by using the algorithm from Lemma 2.

We will further present our attack for $n = 4$ using the following small public key
$$N = 3014972633503040336590226508316351022768913323933,$$
$$\begin{aligned} e = {} & 3886649078157217512540781268280213360319970133145 \\ & 6396788273204320283738850302214441484301356047280 \\ & 9980074678226938065582620857819830171139174634897 \\ & 69731055010977380039512575106301590600391232847. \end{aligned}$$
Note that $e \approx N^{3.993}$. Applying the continued fraction expansion of $e/\varphi_{4,0}(N)$, we get the first 25 partial quotients
$$[0, 2, 7, 1, 15, 6, 1, 2, 4, 1, 1, 2, 1, 1, 3, 1, 1, 1, 2, 38, 1, 2, 1, 45, 8, \ldots].$$
In this case, we consider the convergents of $e/\varphi_{4,0}(N)$, and we select only those for which $\varphi_4 = (ed - 1)/k$ is an integer and the following system of equations
$$\begin{cases} \varphi_4 = (p^4 - 1)(q^4 - 1) \\ N = pq \end{cases}$$
has a solution as given in Lemma 4. The 2nd and 23rd convergents satisfy the first condition, however only the last one leads to a valid solution for $p$ and $q$. More precisely, the 23rd convergent leads to
$$\begin{aligned} \varphi_4 = {} & 8262919045403735048878111025050137547018067986718 \\ & 6489272861711603139280409749776405912009959512474 \\ & 1225965967573968605037596274853618481302754457480 \\ & 67878911842670048325065350941516266452271040000, \end{aligned}$$
$$\frac{k}{d} = \frac{799532980}{1699787183},$$
$$p = 2119778199036859068707819, \qquad q = 1422305708622213956806807.$$

7 Conclusions

In this paper we introduced a family of RSA-like cryptosystems, which includes the RSA and Elkamchouchi et al. public key encryption schemes [15,29] (i.e. $n = 1$ and $n = 2$). Then, we presented a small private key attack against our family of cryptosystems and provided two instantiations of it. As a conclusion, the whole family of RSA-like schemes allows an attacker to recover the secret exponent via continued fractions when the public exponent is close to $N^n$ and the secret exponent is smaller than $N^{0.25n}$.

Future Work. For $n = 1, 2, 3, 4$, a method for factoring $N$ once $\varphi_n$ is known is provided in Section 6 and in [4,7,10]. Although we found a method for these particular cases of $n$, we could not find a generic method for factoring $N$. Therefore, we leave it as an open problem. Another interesting research direction is to find out if the attack methods described in Section 1 for the RSA and Elkamchouchi et al. schemes also work in the general case.

References
1. Aono, Y.: Minkowski Sum Based Lattice Construction for Multivariate Simultaneous Coppersmith's Technique and Applications to RSA. In: ACISP 2013. Lecture Notes in Computer Science, vol. 7959, pp. 88–103. Springer (2013)
2. Blömer, J., May, A.: New Partial Key Exposure Attacks on RSA. In: CRYPTO 2003. Lecture Notes in Computer Science, vol. 2729, pp. 27–43. Springer (2003)
3. Blömer, J., May, A.: A Generalized Wiener Attack on RSA. In: PKC 2004. Lecture Notes in Computer Science, vol. 2947, pp. 1–13. Springer (2004)
4. Boneh, D.: Twenty Years of Attacks on the RSA Cryptosystem. Notices of the AMS 46(2), 203–213 (1999)
5. Boneh, D., Durfee, G.: Cryptanalysis of RSA with Private Key $d$ Less than $N^{0.292}$. In: EUROCRYPT 1999. Lecture Notes in Computer Science, vol. 1592, pp. 1–11. Springer (1999)
6. Boneh, D., Durfee, G., Frankel, Y.: An Attack on RSA Given a Small Fraction of the Private Key Bits. In: ASIACRYPT 1998. Lecture Notes in Computer Science, vol. 1514, pp. 25–34. Springer (1998)
7. Bunder, M., Nitaj, A., Susilo, W., Tonien, J.: A New Attack on Three Variants of the RSA Cryptosystem. In: ACISP 2016. Lecture Notes in Computer Science, vol. 9723, pp. 258–268. Springer (2016)
8. Bunder, M., Nitaj, A., Susilo, W., Tonien, J.: A Generalized Attack on RSA Type Cryptosystems. Theoretical Computer Science 704, 74–81 (2017)
9. Bunder, M., Nitaj, A., Susilo, W., Tonien, J.: Cryptanalysis of RSA-type Cryptosystems Based on Lucas Sequences, Gaussian Integers and Elliptic Curves. J. Inf. Secur. Appl. 40, 193–198 (2018)
10. Bunder, M., Tonien, J.: A New Attack on the RSA Cryptosystem Based on Continued Fractions. Malaysian Journal of Mathematical Sciences 11, 45–57 (2017)
11. Cherkaoui-Semmouni, M., Nitaj, A., Susilo, W., Tonien, J.: Cryptanalysis of RSA Variants with Primes Sharing Most Significant Bits. In: ISC 2021. Lecture Notes in Computer Science, vol. 13118, pp. 42–53. Springer (2021)
12. Coppersmith, D.: Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)
13. Cotan, P., Teşeleanu, G.: Continued Fractions Applied to a Family of RSA-like Cryptosystems. In: ISPEC 2022. pp. 589–605. Springer (2022)
14. De Weger, B.: Cryptanalysis of RSA with Small Prime Difference. Appl. Algebra Eng. Commun. Comput. 13(1), 17–28 (2002)
15. Elkamchouchi, H., Elshenawy, K., Shaban, H.: Extended RSA Cryptosystem and Digital Signature Schemes in the Domain of Gaussian Integers. In: ICCS 2002. vol. 1, pp. 91–95. IEEE Computer Society (2002)
16. Ernst, M., Jochemsz, E., May, A., Weger, B.d.: Partial Key Exposure Attacks on RSA up to Full Size Exponents. In: EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 371–386. Springer (2005)
17. Fujii, K.: A Modern Introduction to Cardano and Ferrari Formulas in the Algebraic Equations. arXiv Preprint arXiv:quant-ph/0311102 (2003)
18. Hardy, G.H., Wright, E.M., et al.: An Introduction to the Theory of Numbers. Oxford University Press (1979)
19. Herrmann, M., May, A.: Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA. In: PKC 2010. Lecture Notes in Computer Science, vol. 6056, pp. 53–69. Springer (2010)
20. Howgrave-Graham, N., Seifert, J.P.: Extending Wiener's Attack in the Presence of Many Decrypting Exponents. In: CQRE (Secure) 1999. Lecture Notes in Computer Science, vol. 1740, pp. 153–166. Springer (1999)
21. Kamel Ariffin, M.R., Abubakar, S.I., Yunos, F., Asbullah, M.A.: New Cryptanalytic Attack on RSA Modulus $N = pq$ Using Small Prime Difference Method. Cryptography 3(1), 2 (2018)
22. Maitra, S., Sarkar, S.: Revisiting Wiener's Attack - New Weak Keys in RSA. In: ISC 2008. Lecture Notes in Computer Science, vol. 5222, pp. 228–243. Springer (2008)
23. Maitra, S., Sarkar, S.: Revisiting Wiener's Attack - New Weak Keys in RSA. IACR Cryptology ePrint Archive 2008/228 (2008)
24. Murru, N., Saettone, F.M.: A Novel RSA-Like Cryptosystem Based on a Generalization of the Rédei Rational Functions. In: NuTMiC 2017. Lecture Notes in Computer Science, vol. 10737, pp. 91–103. Springer (2017)
25. Nassr, D.I., Bahig, H.M., Bhery, A., Daoud, S.S.: A New RSA Vulnerability Using Continued Fractions. In: AICCSA 2008. pp. 694–701. IEEE Computer Society (2008)
26. Nitaj, A.: Another Generalization of Wiener's Attack on RSA. In: AFRICACRYPT 2008. Lecture Notes in Computer Science, vol. 5023, pp. 174–190. Springer (2008)
27. Nitaj, A., Pan, Y., Tonien, J.: A Generalized Attack on Some Variants of the RSA Cryptosystem. In: SAC 2018. Lecture Notes in Computer Science, vol. 11349, pp. 421–433. Springer (2018)
28. Peng, L., Hu, L., Lu, Y., Wei, H.: An Improved Analysis on Three Variants of the RSA Cryptosystem. In: Inscrypt 2016. Lecture Notes in Computer Science, vol. 10143, pp. 140–149. Springer (2016)
29. Rivest, R.L., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
30. Sarkar, S., Maitra, S.: Cryptanalysis of RSA with More than One Decryption Exponent. Information Processing Letters 110(8-9), 336–340 (2010)
31. Takayasu, A., Kunihiro, N.: Cryptanalysis of RSA with Multiple Small Secret Exponents. In: ACISP 2014. Lecture Notes in Computer Science, vol. 8544, pp. 176–191. Springer (2014)
32. Takayasu, A., Kunihiro, N.: Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound. In: SAC 2014. Lecture Notes in Computer Science, vol. 8781, pp. 345–362. Springer (2014)
33. Wiener, M.J.: Cryptanalysis of Short RSA Secret Exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)
34. Zheng, M., Kunihiro, N., Hu, H.: Cryptanalysis of RSA Variants with Modified Euler Quotient. In: AFRICACRYPT 2018. Lecture Notes in Computer Science, vol. 10831, pp. 266–281. Springer (2018)
