1. Introduction
The security of a symmetric encryption scheme highly depends on the safety of the secret key transmission between parties involved in the communication. Other than direct interaction between parties, the utilization of asymmetric encryption schemes is the norm in modern communication. Central to the production of the public and private key pair of an asymmetric encryption scheme is the Certificate Authority (CA). Parties should have full trust in the CA to provide secure key pairs. Nevertheless, it is wise to conduct due diligence on the key pairs received. As such, for a communication topology with large participation, it is not surprising that the security of a symmetric encryption scheme will fall back on the strength of the asymmetric encryption scheme being utilized. As such, studies on the asymmetric cryptosystem utilized must be conducted to ensure that symmetric encryption remains secure.
RSA encryption/digital signing scheme is currently the world’s most widely used publickey cryptosystem. The standard RSA cryptosystem comprises three distinct algorithms: key generation, encryption, and decryption [
1]. The security of RSA is mainly based on the hardness of factoring large composite integers, which is modulus
$N=pq$ where
p and
q are two large prime numbers of the same bit size. It is well known that RSA is not secure if the process of generating the public parameters
$(e,N)$ and the private parameters
$(p,q,d)$ do not satisfy certain conditions [
2,
3,
4,
5,
6]. For instance, the RSA cryptosystem is vulnerable when employing continued fractions if such decryption exponent
d is less than
$\frac{1}{3}{N}^{\frac{1}{4}}$, by a classical finding in [
2]. Additionally, [
3] has recovered the secret key if
$d<2\sqrt{2}{N}^{\frac{3}{4}\frac{t}{2}}$ and explicitly for
$d<2\sqrt{2}{N}^{\frac{1}{4}}$. Eventually, by using Coppersmith’s technique to obtain small solutions of modular univariate polynomials, ref. [
5] refined the bound to
$d<{N}^{0.292}$. From then on, ref. [
4] identified that it is possible to raise the bound from
$d<\frac{1}{3}{N}^{\frac{1}{4}}$ to
$d<\frac{1}{\sqrt[4]{18}}{N}^{\frac{1}{4}}$. The new bound is generated in part from the constraint that both primes number of
p and
q will have almost the same size of bit length. Moreover, ref. [
6] has maximized the small root bounds to small secret exponent RSA using linearization and applications. To the extent of improving the implementation of the RSA cryptosystem, many schemes with various techniques have been proposed. As a result, a lot of RSA variant cryptosystems arise [
7,
8,
9,
10,
11,
12].
The existence of RCA is the underlying motivation behind the identification of weak public keys. RCA is defined by [
13] as an entity issuing legitimate certificates being trusted by web browsers and users but contains hidden weaknesses. There is a window of vulnerability with the existing public key infrastructure between the time a rogue certificate is issued and when it is discovered. Likewise, an RCA can publish a fraudulent RSA digital certificate using these keys without users noticing its anomaly. As the weak keys satisfy the conditions established in the key generation process, the validity of these fraudulent certificates can be convincing. Hence, the cryptosystem continues to operate discreetly using the keys, i.e., suppose an adversary knows about the existence of these specific certificates, then the adversary can find the private keys corresponding to the public keys without knowing any information about the private keys.
In relation to the above, this paper discloses potential RCA methodology upon an RSA variant cryptosystem constructed from a cubic field connected to the cubic Pell equation that was invented by Murru–Saettone [
14]. Our identified conditions will allow an adversary to factor the modulus
N if the user has been provided with keys through the potential RCA methodology.
The framework of this paper is as follows. In
Section 2, we summarize the Murru–Saettone scheme.
Section 3 describes some important tools and useful lemmas, respectively. Moreover, in the
Section 4 and
Section 5, we present our main result, which says that the Murru–Saettone scheme is not secure with experimental results. Finally, we conclude the paper in
Section 6.
3. Preliminaries
In this section, we put forward preliminary concepts needed.
Definition 1. The expression of continued fractions expansion of $\xi \in \mathbb{R}$ can be written in these formswhich can also be written as $\xi =[{a}_{0},{a}_{1},\cdots ,{a}_{\mu},\cdots ]$. The process of calculating the continued fractions expansion would be executed in polynomial time if ξ is a rational number and thus $\xi =[{a}_{0},{a}_{1},\cdots ,{a}_{\mu}]$. The convergents $\frac{r}{s}$ of ξ are the fractions denoted by $\frac{r}{s}=[{a}_{0},{a}_{1},\cdots ,{a}_{i}]$ for $i\ge 0$. An important result on continued fractions that will be used is the following theorem. Theorem 1. Let ξ be a positive number. Suppose that $gcd(r,s)=1$ andThen $\frac{r}{s}$ is a convergent of the continued fractions expansion of ξ. The following result gives the bounds for
p, and
q in terms of
N (See [
15]).
Lemma 1. Let $N=pq$ be the product of two unknown integers with $q<p<2q$. Then In the following, we set
$\psi =\left({p}^{2}+p+1\right)\left({q}^{2}+q+1\right)$. The former lemma can be used to find a good approximation for
$\psi $. The following result shows that one can factor the modulus
$N=pq$ if
$\psi $ is known [
15].
Proposition 1. Let $N=pq$ be the product of two unknown integers with $q<p<2q$. Suppose that $\psi =\left({p}^{2}+p+1\right)\left({q}^{2}+q+1\right)$ is known. Then,where Definition 2. Let ${\psi}_{L}$ and ${\psi}_{U}$ be the lower bound and the upper bound of ψ. Then we define $A={\psi}_{L}+{\psi}_{U}$.
The next remark shows how we can find the best current approximation values for ${\psi}_{L}$ and ${\psi}_{U}$.
Remark 1. From Nitaj [16], we know that $2\sqrt{N}<p+q<\frac{3}{\sqrt{N}}N$. This meansas $\psi =({p}^{2}+p+1)({q}^{2}+q+1)$. Hence, the best current approximation for ${\psi}_{L}$ is ${(N+\sqrt{N}+1)}^{2}$ and for ${\psi}_{U}$ is ${(N+\frac{3}{4}\sqrt{2}\sqrt{N}+1)}^{2}+\frac{3}{8}N$. The following lemmas and theorem show conditions to be fulfilled by parameters in the equation $eXAY=Z{\psi}_{L}$.
Lemma 2. Let $N=pq$ with $q<p<2q$. Let e satisfy the equation $eXAY=Z{\psi}_{L}$ where X and Y are positive integers. If then $\frac{X}{Y}$ is a convergent function of $\frac{e}{A}\frac{{N}^{1/4}}{2A}$. Proof. Consider the following equation
Let
$Z\psi <\frac{pq}{p+q}{N}^{1/4}$. Then, divide (
8) by
$AX$, we obtain
since
$pq<2\sqrt{N}$,
$p+q>2\sqrt{N}$ and
$X>1$. If
$X<\left\frac{A}{2(\psi {\psi}_{L})}\right$, then
$\frac{1}{2X}>\left\frac{2(\psi {\psi}_{L})}{A}\right$. As
$AX$ will always be a positif value, rearranging (
9), we obtain
which satisfies Theorem 1. This terminates the proof. □
Theorem 2. Let $N=pq$ with $q<p<2q$. Let e satisfies the equation $eXAY=Z{\psi}_{L}$ where X, Y are positive integers. If
$1\le Y<X<\left\frac{A}{2(\psi {\psi}_{L})}\right$
$\psi +\frac{pq}{p+q}{N}^{1/4}<{N}^{2}+8N+3\sqrt{N}N+3\sqrt{N}+1$
$Z\psi <\frac{pq}{p+q}{N}^{1/4}$
then N can be factored in polynomial time.
Proof. Suppose
e satisfies an equation
$eXAY=Z{\psi}_{L}$. Let
X,
Y and
Z satisfy the conditions in Lemma 3, then we can find the values of
X and
Y by computing
$\frac{e}{A}\frac{{N}^{1/4}}{2A}$. From the values of
X and
Y, we can have the value of
Z by computing
$Z=eXAY+{\psi}_{L}$. From the values of
Z, we define Equation (
5) as
Since,
$\psi +\frac{pq}{p+q}{N}^{1/4}<{N}^{2}+8N+3\sqrt{N}N+3\sqrt{N}+1$ then
Based on Proposition 1, we can factor
N in polynomial time. □
4. Generating Weak Murru–Saettone Cryptosystem Public Keys by RCA: Case $\left\mathit{Z}\mathbf{\psi}\right<\frac{\mathit{p}\mathit{q}}{\mathit{p}+\mathit{q}}{\mathit{N}}^{\mathbf{1}/\mathbf{4}}$
In this section, we show how a RCA can generate weak Murru–Saettone cryptosystem public key pairs. By using conditions in Lemma 3 coupled with results from Theorem 3, a RCA can build an algorithm that produces such weak Murru–Saettone cryptosystem public keys. The Algorithm 1 is as follows:
Algorithm 1. Generating weak Murru–Saettone cryptosystem public keys via Lemma 3 and Theorem 3 
Input: Two distinct primes, p and q where $p<q<2q$ Output: Weak Murru–Saettone cryptosystem public keys, ($N,e$)
 1:
Compute $N=p\xb7q$  2:
Compute $\psi =({p}^{2}+p+1)({q}^{2}+q+1)$  3:
Compute ${\psi}_{L}=\u230a{(N+\sqrt{N}+1)}^{2}\u230b$  4:
Compute ${\psi}_{U}=\u2308{(N+\frac{3}{4}\sqrt{2}\sqrt{N}+1)}^{2}\frac{3}{8}N\u2309$  5:
Compute $A={\psi}_{L}+{\psi}_{U}$  6:
Compute ${Z}_{L}=\u2308\psi \frac{pq}{p+q}{N}^{1/4}\u2309$  7:
Compute ${Z}_{U}=\u230a\psi +\frac{pq}{p+q}{N}^{1/4}\u230b$  8:
Choose an integer Z randomly between ${Z}_{L}$ and ${Z}_{U}$  9:
Choose an integer $Y<\frac{A}{2(\psi {\psi}_{L})}$  10:
Compute $\xi =Z{\psi}_{L}+A\xb7Y$  11:
if$\xi =$ prime number then return to Step 8.  12:
else Assign ${r}_{1}^{{s}_{1}},{r}_{2}^{{s}_{2}},\dots ,{r}_{n}^{{s}_{n}}$ to be all the small prime factors of $\xi $  13:
end if  14:
Compute $X={\prod}_{i=1}^{n}{r}_{i}^{{s}_{i}}$  15:
if$X<Y$then return to Step 8.  16:
else Compute $e=\xi /X$  17:
end if  18:
Output$N,e$

From Theorem 3, given
$(N,e)$, a thorough user can utilize the following algorithm to determine the security of the provided key pair, whether it was generated via Algorithm 1 or not. In fact, the following algorithm will factor the modulus
$N=pq$. Algorithm 2 is as follows:
Algorithm 2. Factoring weak Murru–Saettone cryptosystem moduli for adversary 
Input:e and $N=pq$ Output:$p,q$  1:
Run the continued fraction method on input $\left(\frac{e}{A}\frac{{N}^{1/4}}{2A}\right)$ to obtain the list of convergents $\frac{{x}_{1}}{{y}_{1}},\frac{{x}_{2}}{{y}_{2}},...,\frac{{x}_{i}}{{y}_{i}}$.  2:
for$1\le j\le i$do  3:
Compute $\zeta =e{x}_{j}A{y}_{j}+{\psi}_{L}$  4:
Computing $S=\frac{1}{2}\left(\sqrt{{(N+1)}^{2}+4\left(\zeta \left({N}^{2}N+1\right)\right)}(N+1)\right)$.  5:
Find the two roots $\widehat{p}$ and $\widehat{q}$ by computing $\widehat{p}=\frac{1}{2}\left(S+\sqrt{{S}^{2}4N}\right)$, $\widehat{q}=\frac{1}{2}\left(S\sqrt{{S}^{2}4N}\right)$.  6:
if $\frac{N}{\widehat{p}}$ and $\frac{N}{\widehat{q}}$ is true then  7:
return $(p=\widehat{p},\phantom{\rule{4pt}{0ex}}q=\widehat{q})$  8:
end if  9:
end for  10:
return⊥

The following is an example to illustrate Algorithm 2 for the case $\leftZ\psi \right<\frac{pq}{p+q}{N}^{1/4}$.
Example 1. We use 512bits for modulus, N in this example. Specifically, an adversary is givenandThen the adversary can compute the following parametersUsing values of e, N and A, the adversary obtain the continued fraction expansion of $\left(\frac{e}{A}\frac{{N}^{1/4}}{2A}\right)$ which areOur algorithm stops at the 13th convergent $\frac{{x}_{13}}{{y}_{13}}=\frac{990529}{201835601}$. Taking $\frac{{x}_{13}}{{y}_{13}}=\frac{990529}{201835601}$, the adversary computesUsing value of ζ, the adversary solve the Equations (5) and (1) to get S, p and q respectively.and 5. Generating Weak Murru–Saettone Cryptosystem Public Keys by RCA: Case $\left\mathit{Z}\mathbf{\psi}\right<\mathit{N}$
In this section, we show that the condition $\leftZ\psi \right<\frac{pq}{p+q}{N}^{1/4}$ in the previous section can be extended to $\leftZ\psi \right<N$.
Lemma 3. Let $N=pq$ with $q<p<2q$. Let e satisfies the equation $eXAY=Z{\psi}_{L}$ where X and Y are positive integers. Ifthen $\frac{X}{Y}$ is a convergent function of $\frac{e}{A}\frac{N}{2A}$. Proof. Consider the following equation
Let
$Z\psi <N$. Then, divide (8) by
$AX$, we obtain
since
$pq<2\sqrt{N}$,
$p+q>2\sqrt{N}$ and
$X>1$. If
$X<\left\frac{A}{2(\psi {\psi}_{L})}\right$, then
$\frac{1}{2X}>\left\frac{2(\psi {\psi}_{L})}{A}\right$. As
$AX$ will always be a positive value, rearranging (
9), we obtain
which satisfies Theorem 1. This terminates the proof. □
Theorem 3. Let $N=pq$ with $q<p<2q$. Let e satisfies the equation $eXAY=Z{\psi}_{L}$ where X, Y are positive integers. If
then N can be factored in polynomial time.
Proof. Suppose
e satisfies an equation
$eXAY=Z{\psi}_{L}$. Let
X,
Y and
Z satisfy the conditions in Lemma 3, then we can find the values of
X and
Y by computing
$\frac{e}{A}\frac{N}{2A}$. From the values of
X and
Y, we can have the value of
Z by computing
$Z=eXAY+{\psi}_{L}$. From the values of
Z, we define Equation (
5) as
Since,
$\psi +N<{N}^{2}+8N+3\sqrt{N}N+3\sqrt{N}+1$ then
Based on Proposition 1, we can factor
N in polynomial time. □
Remark 2. A RCA can build an algorithm that produces such weak public keys by using Algorithm 1 by changing step 6 and 7 instead ofandrespectively. The following is an example to illustrate Algorithm 2 for the case $\leftZ\psi \right<N$.
Example 2. We use 512bits for modulus, N in this example. Specifically, an adversary is givenand Then the adversary can compute the following parametersUsing values of e, N and A, the adversary obtain the continued fraction expansion of $\left(\frac{e}{A}\frac{N}{2A}\right)$ which areOur algorithm stops at the 15th convergent $\frac{{x}_{15}}{{y}_{15}}=\frac{149512}{160921419}$. Taking $\frac{{x}_{15}}{{y}_{15}}=\frac{149512}{160921419}$, the adversary computesUsing value of ζ, the adversary solve the Equations (5) and (4) to get S, p and q respectively.and Remark 3. The above examples uses two random prime numbers with $pq\approx {N}^{0.49}$ and $e\approx {N}^{2}$. By using the values of p and q in the examples, the adversary can easily compute the private exponent $d\approx {N}^{2}$. Therefore, based on the examples, it is difficult for the user to identify that the rogue digital certificate because all the public and private parameters generated satisfy the conditions imposed during the key generation process.
6. Conclusions
We have constructed novel strategies to identify whether the Murru–Saettone RSA variant cryptosystem key pair was generated by a potential RCA. Based on our findings, if the following condition of $\leftZ\psi \right<\frac{pq}{p+q}{N}^{1/4}$ or $\leftZ\psi \right<N$ where Z is an approximation of $\psi $ satisfies, then Murru–Saettone RSA variant cryptosystem is vulnerable to an attack. An adversary will be able to successfully execute an attack in polynomial time by using continued fractions algorithm to factor the modulus N without having any information of the private keys upon the public key pair. Furthermore, by factoring modulus N, an adversary will be able to compute the value of $\psi =({p}^{2}+p+1)({q}^{2}+q+1)$ and, finally, acquire the private key, $d\equiv {e}^{1}\phantom{\rule{4.44443pt}{0ex}}(mod\phantom{\rule{0.277778em}{0ex}}\psi )$.