The new Weakness of RSA and The Algorithm to Solve this Problem

Abstract

RSA is one of the best well-known public key cryptosystems. This methodology is widely used at present because there is not any algorithm which can break this system that has all strong parameters within polynomial time. However, it may be easily broken when at least one parameter is weak. In fact, many weak parameters are already found and are solved by some algorithms. Some examples of weak parameters consist of a small private key, a large private key, a small prime factor and a small result of the difference between two prime factors. In this paper, the new weakness of RSA is proposed. Assuming Euler's totient value, Φ (n), can be rewritten as Φ (n) = ad + b, where d is the private key and a, b ∈ ℤ, if a divides both of Φ (n) and b and the new exponent for the decryption equation is a small integer, this condition is assigned as the new weakness for breaking RSA. Firstly, the specific algorithm which is created for this weakness directly is proposed. Secondly, two equations are presented to find a, b and d. In fact, one of two equations must be implemented to find a and b at first. After that, the other equation is chosen to find d. The experimental results show that if this weakness has happened and the new exponent is small, original plaintext, m, will be recovered very fast. Furthermore, number of steps to recover d are very small when a is large. However, if a is too large, d may not be recovered because m which must be always written as m = h^a is higher than modulus.

1. Introduction

Cryptography [1] is the significant technique to secure the secret information by using encryption and decryption processes. It falls into two groups. The first group is called symmetric key cryptography. It uses the same key which is called the secret key to encrypt original plaintext and decrypt the ciphertext. The advantage is about time to finish processes in both sides. Moreover, low computational cost is required. Advanced Encryption Standard (AES) [2], [3] is the best algorithm. However, the disadvantage of all algorithms in this group is the problem to find the secret channels to exchange the secret key between sender and receiver. Later, the other technique which is different from the first group was proposed. Asymmetric key cryptography or public key cryptography is the name of this technique. In fact, a pair of keys is selected for encryption and decryption processes, both keys are called public key and private key. In depth, a public key is always disclosed to interlocutors. On the other hand, a private key must be kept secretly by owner. The first algorithm which was born in 1976 was discovered by W. Diffie and M.E. Hellman [4]. Although, Diffie and Hellman’ s method cannot be chosen to secure the information, it is selected as the secret way to exchange a secret key which is transmitted via the insecure channel. In 1978, RSA [5], [6] which is another public key cryptography was proposed. It is different from Diffie and Hellman’s algorithm because RSA can secure many types of information such as text and image [7], [8] by using encryption and decryption processes. In general, at least 1024 bits of modulus must be selected to avoid an attack by intruders. Although RSA is one of the best algorithms in this group, it may be easily broken whenever at least one hidden parameter is weak. For examples, in 1990, M. Wiener [9], [10] presented the method to recover a private key by using continued fractions. This algorithm has very high performance when a private key is very small especially a key which is less than \(\frac 1 3 n^{0.25}\), where n is modulus. Later, D. Boneh and G. Durfee [11] improved Wiener’s technique. In that time, they showed that the modified technique is still efficient to recover a private key, although it is bigger than \(\frac 1 3 n^{0.25}\). However, their method becomes incapable when a private key is larger than n 0.292 . In addition, brute force attack is suitable for a small private key, because the initial value for the investigation is the smallest odd integer. Furthermore, factoring [12] the modulus as prime numbers is another methodology to find a private key, because Euler’s totient value is disclosed. Most of algorithms can finish the process very fast when the characteristic of some prime factors is weak. In 2017, the technique [13] to speed up RSA’s decryption process with a large private key was proposed by using the modified decryption equation. The inversion of ciphertext modulo n is chosen as the base instead of the ciphertext and the private key is replaced by the new integer. In fact, this method is suitable for only the large private key, because the size of the new exponent is opposite of the private key. On the other hand, this technique may be chosen to attack RSA by using brute force attack whenever a private key is too large. It affects to the size of the new exponent which is too small. Therefore, it is an easy way for intruders to break RSA by using the equation with the base as inversion of ciphertext modulo n and the random exponent.

The aim of this paper is to propose the new idea to break RSA. Furthermore, the weak parameter for this method occurs when a private key, d, can be rewritten as \(\frac{\Phi(n)-b}{a}\), where \(a, b ∈ \mathbb{Z}\), Φ (n) is Euler’s totient value, a divides b (a|b) and a divides Φ (n) (a| Φ (n)). In fact, if d is from the above condition, a and b are easily disclosed. In contrast, d will not be discovered by using the proposed method in the case that it cannot be written as this form.

The rest of the paper is organized as follows. In section 2, the related works are mentioned. It consists of the overview of RSA and the techniques to recover d. The proposed method will be discussed in Section 3. In section 4, the experimental results are presented. Finally, the last section is about the conclusion of this research.

2. Related Work

In this section, the conceptual idea of RSA and the ways to recover d by intruders are mentioned. In fact, all algorithms which are in the special proposed group may break RSA in polynomial time when at least one parameter is weak.

2.1 RSA

RSA [5], [6] is one of public key cryptosystems to protect the secret information by using data encryption. Because of high security, when n is assigned at least 1024 bits, RSA is still widely used at present. In general, there are three processes to secure the plaintext by using RSA. First step is the key generation process. The beginning of this process is the generating two large prime numbers, p and q (p < q), randomly. The second step is to compute n = p*q and Φ (n) = (p – 1)*(q – 1). The next step is to choose a public key, e, from the following condition: 1 < e < Φ (n) and the greatest common divisor between e and Φ (n) must be equal to 1, gcd(e, Φ (n)) = 1. Computing d, from e*d mod Φ (n) = 1, is performed in the last step. In fact, Extended Euclidean Algorithm or the improved methods [14], [15] are the method to calculate d. The second process is the encryption process. It will convert the original plaintext, m, as unreadable message or ciphertext, c, from the equation: c = m^e mod n. However, m will be recovered by using the decryption equation: m = c^d mod n in the last process.

In general, d which is always kept secretly by owner is the intruders’ target. However, there is not any efficient algorithm to recover d for breaking RSA within the polynomial time whenever at least 1024 bits of n is chosen and all secreted parameters are very difficult to be calculated.

On the other hand, RSA may be easily attacked when at least one of the parameters becomes weak. In the sections 2.2 – 2.5, the algorithms for recovering d are shown when at least one of hidden parameters which is weak is occured. All of them are suitable for the different characteristics of the weak parameters.

2.2 Wiener’s attack

Assuming, the communication devices in decryption part are a low power electronic equipment, these divices are not suitable to be selected as the machine to decrypt the ciphertext. The reason is that d is usually assigned very large. Therefore, one of the best solutions is to choose the new private key that the size is smaller than the old one. However, in 1990, M. Wiener [9], [10] proposed the efficient method to recover a small private key. His method has very high performance when d is smaller than \(\frac 1 3 n^{0.25}\). In fact, if this situation is occured, it can be computed by searching \(\frac k d\) which is the convergence of \(\frac e n\). Moreover, after d is disclosed, p and q are also found. Therefore, a small private key is considered as one of the weak parameters. Furthermore, D. Boneh and G. Durfee [10] improved Wiener’s algorithm and the result from the experiment reported that it can recover d, although d is still larger than \(\frac 1 3 n^{0.25}\). In fact, to avoid an attack by using Boneh and Durfee’s method, d should be larger than n^0.292.

2.3 Brute force attack

Brute force attack [16] is the simplest method to explore d. The main process is to find an integer which is equal to d. In general, the first initial value which is selected as the exponent of modular exponentiation is begun as 3 and it is increased by two whenever the result from decryption equation is not equal to m until the target is found. In fact, the reason that the exponent must be increased by two is to skip all even numbers out of the computation, because d is always an odd number. Therefore, it implies that if d is a small integer, the process can be finished very fast by using brute force attack.

2.4 High value of Private key

After Wiener’s attack and some improved methods were proposed, d must be assigned very large to increase the security. However, it affects to get the result directly, because the process becomes slow. In 2017, the improvement of decryption equation [13] was proposed to speed up RSA’s decryption process. Considering at the modified equation, the inversion of ciphertext modulo n , c^-1 mod n, is selected as the base instead of c and d is replaced by x = Φ (n) – d. Therefore, the equation to recover m is changed as m = (c^-1)^x mod n. In fact, this method is suitable for a high private key because x becomes small. Therefore, if d is a large integer, m can be recovered very fast by using the above equation. In contrast, this equation may become the weak point for attackers to solve this problem. Assuming, d is a large integer, x becomes small, d can be found easily by using brute force attack with c^-1 mod n as the base. Therefore, the large private key may become one of the weak parameters.

2.5 Integer Factorization Algorithms

Integer Factorization is another strategy to retrieve d after p and q are found. It is distinguished as two groups. For the first group, it is called the general purposed group. All algorithms are based on only size of n. Number Field Sieve (NFS) [17] which is one of efficient algorithms in this group is considered as the best integer factorization algorithm. In fact, it has very high performance when n is large. However, if n is higher than 1024 bits, then NFS becomes an inefficient algorithm to find two prime factors. The second group is called the special purposed group. In fact, the performance of each algorithm in this group is based on the different characteristics of the weak parameters. Although, NFS is considered as the best algorithm, it is not guaranteed as the fastest algorithm for all values of n. In fact, if there is at least one weak parameter that responds well to the algorithm in special purposed group, then it may factor n faster than NFS. The examples of algorithms in special purposed group are shown as follows:

1) Trial Division Algorithm

Trial division algorithm (TDA) [18], [19] is the simplest integer factorization algorithm and it is divided into two techniques. The concept of this algorithm is to find the correct divisor of n. First, the divisor is begun as 3 and it is increased whenever the result is not the target answer. In addition, only odd numbers or prime numbers are chosen as the divisor to decrease time. With the reason above, it implies that this technique is suitable for a small prime factor. Hence, it is considered as another weak point to break RSA. However, the maximum odd integer which is less than \(\sqrt n\) is chosen as the first divisor instead of 3 for the second method [20]. In addition, this number will be decreased whenever it is not the real prime factor. Then, p which is very close to \(\sqrt n\) is the weak parameter for the second method.

2) Pollard’s p-1

Pollard’s p-1 [21] is one of the strategies in special purposed group. It was discovered by J. Pollard in 1974. The main idea of this algorithm is improved from Fermat’s little theorem [22]. In addition, this algorithm can recover both of p and q very fast whenever all prime factors of p – 1 or q – 1 are small. In general, all of them are examined as the weak point of Pollard’s p - 1.

3) Fermat’s Factorization

Fermat’s Factorization algorithm (FFA) is the factoring algorithm which was discovered by Pirre der Fermat in 1600 [21]. During that time, he found that the equation of n which is the multiplication between p and q can be rewritten as the difference between two perfect square numbers. In addition, the algorithm to recover both of them was proposed in that time. In general, Fermat’s equation is very suitable for the same size of p and q especially the result of q – p is very close to 0. Furthermore, many improvement algorithms were presented to leave some unrelated loops out of the computation such as [24], [25].

4) VFactor

VFactor [26] is the integer factorization algorithm that was presented by P. Sharma et. al. in 2012. It has very high performance when q – p is close to 0, the characteristics of p and q are similar to FFA. That means, the weak point is that p and q are very close to each others. To implement VFactor, two odd integers are chosen as the initial values. One is the maximum integer which is less than \(\sqrt n\) and the other is the minimum integer which is larger than \(\sqrt n\). The main process is about the multiplication between these integers. If the result is equal to n, both of them are certainly prime factors. On the other hand, one of them must be changed until the target is found. In addition, the improvement of VFactor [27], [28] were proposed to skip some loops to decrease computation time.

Therefore, all algorithms which are in the special proposed group and are mentioned in this section can recover d very fast when one of hidden parameters is weak.

3. The Proposed Method

In this paper, the new methodology to recover m without disclosing d and the new algorithm to find d are proposed. Assuming Φ (n) = ad + b, where a,b ∈ \(\mathbb{Z}\), a | b and a | Φ (n) , if a is not too large and the result of \(\frac b a\) is a small integer, then both of them become the new weakness of RSA which is very easy to be solved by using the proposed method. Furthermore, after a and b are disclosed, they can be selected to estimate the new initial value of d.

Theorem 1: Assigning a,b, h ∈ \(\mathbb{Z}\) and Φ (n) = ad + b, where a | b and a | Φ (n), if m = h^a, then m can be recovered by using the following equation: m = \((c^{-1}) ^{\frac b a}\) mod n

Proof:

From, c^Φ(n) mod n = c^{ad + b} mod n

= (c^d)^a * c^b mod n

From Euler’s Theorem, c^Φ(n) mod n = 1, when c is relatively prime to n, then

(c^d)^a * c^b mod n = 1

That means, (c^d)^a *c^-1 *c^b mod n = c^-1 mod n

Or, (c^d)^a *(c^-1)^b *c^b mod n = (c^-1)^b mod n

c^da *c^-b *c^b mod n = (c^-1)^b mod n

Because, c^-b *c^b mod n = 1

Then, c^da mod n = (c^-1)^b mod n

Because m = h^a, it implies that the result of \((h^{ea})^{\frac 1 a}\) is always an integer. Therefore,

\(c^{\frac 1 a}\) mod n = \((m^e)^{\frac 1 a}\) mod n

= \((h^{ea})^{\frac 1 a}\) mod n

= h^e mod n

Because a | b, the result of \(\frac b a\) is always an integer.

Therefore,

\((c^{ad})^{\frac 1 a}\)mod n = \(((c^{-1})^b)^\frac 1 a\) mod n

Or, c^d mod n = \((c^{-1})^\frac b a\) mod n

Therefore,

c^d mod n = \((c^{-1})^\frac b a\) mod n        (1)

In fact, a and b must have the same type, both of them are either odd numbers or even numbers. The proof will be shown in theorem 2. Furthermore, a must be the divisor of Φ (n). In depth, if it is not in the condition, there is certainly the remainder from result of d = \(\frac{\Phi(n)-b}{a}\) that is impossible.

Theorem 2: a and b must be the same type, both of them are either odd numbers or even numbers.

Proof: First, assuming the type of a is different from b, there are two cases as follows:

Case 1: a is an even number and b is an odd number

Assuming a = 2x, b = 2y + 1 and d = 2z + 1, then

ad + b = (2x)*(2z + 1) + 2y + 1

= 4xz + 2x + 2y + 1

= 2(2xz + x + y) + 1

= 2u + 1, where u = 2xz + x + y

Then, ad + b is an odd number. However, Φ (n) is always an even number.

Therefore, it becomes the contradiction.

Case 2: a is an odd number and b is an even number

Assuming a = 2x + 1, b = 2y and d = 2z + 1, then

ad + b = (2x + 1)*(2z + 1) + 2y

= 4xz + 2x + 2z + 1 + 2y

= 2(2xz + x + y + z) + 1

= 2u + 1, where u = 2xz + x + y + z

The same reason with case 1 that Φ (n) is always an even number. Therefore, the contradiction is occured.

From case 1 and case 2, the conclusion is that the contradiction will be happened whenever a and b are the different type.

Next, the similar type of a and b is assummed, there are also two cases as follows:

Case 3: a and b are an odd number

Assuming a = 2x + 1, b = 2y + 1 and d = 2z + 1, then

ad + b = (2x + 1)*(2z + 1) + 2y + 1

= 4xz + 2x + 2z + 1 + 2y + 1

= 2(2xz + x + y + z + 1)

= 2u, where u = 2xz + x + y + z + 1

Case 4: a and b are an even number

Assuming a = 2x, b = 2y and d = 2z + 1, then

ad + b = (2x)*(2z + 1) + 2y

= 4xz + 2x + 2y

= 2(2xz + x + y)

= 2u, where u = 2xz + x + y

The information from case 3 and case 4 shows that the result of ad + b is always an even number. Then, it is possible to be Φ (n). Therefore, both of a and b must be the same type.

Example 1: Assuming n = 4624614191 (46279*99929), Φ (n) = 4624467984, e = 1761702089 and d = 1541489321, encrypting m = 8 (2³) , 27 (3³) and 64 (4³) and recovering all of them.

Sol:

Encryption Process:

Encrypting m₁ = 8: c₁ = 8^1761702089 mod 4624614191 = 4582115474

Encrypting m₂ = 27: c₂ = 27^1761702089 mod 4624614191 = 4250185739

Encrypting m₃ = 64: c₃ = 64^1761702089 mod 4624614191 = 2498965230

Decryption Process:

Because of 4624467984 = 3*1541489321 + 21, 3 | 21 and 3 | 4624467984, then a = 3, b = 21 and the exponent is \(\frac {21} 3 \) = 7.

Decrypting c₁ = 4582115474: because of 4063456358 * 4582115474 mod 4624614191 = 1, then m₁ = 4063456358⁷ mod 4624614191= 8

Decrypting c₂ = 4250185739: because of 4038271146* 4250185739 mod 4624614191 = 1, then m₂ = 4038271146⁷ mod 4624614191= 27

Decrypting c₃ = 2498965230: because of 3200318111* 2498965230 mod 4624614191 = 1, then m₃ = 3200318111⁷ mod 4624614191= 64

Example 2: Assuming n = 4624614191 (46279*99929), Φ (n) = 4624467984, e = 105101545 and d = 1156116985, encrypting m = 16 (2⁴), 81 (3⁴) and 256 (4⁴) and recovering all of them.

Sol:

Encryption Process:

Encrypting m₁ = 16: c₁ = 16^105101545 mod 4624614191 = 3695640335

Encrypting m₂ = 81: c₂ = 81^105101545 mod 4624614191 = 827143163

Encrypting m₃ = 256: c₃ = 256^105101545 mod 4624614191 = 1504158843

Decryption Process:

Because of 4624467984 = 4*1156116985 + 44, 4 | 44 and 4 | 4624467984, then a = 4, b = 44 and the exponent is \(\frac {44} 4\) = 11.

Decrypting c₁ = 3695640335: because of 4330254396 * 3695640335 mod 4624614191 = 1, then m₁ = 4330254396¹¹ mod 4624614191= 16

Decrypting c₂ = 827143163: because of 2428627615* 827143163 mod 4624614191 = 1, then m₂ = 2428627615¹¹ mod 4624614191= 27

Decrypting c₃ = 1504158843: because of 1756256207* 1504158843 mod 4624614191 = 1, then m₃ = 1756256207¹¹ mod 4624614191= 256

The information from example 1 and example 2 shows that the new equation in the theorem 1 can be chosen to recover m. However, the correct result will be occurred whenever m must be generated from h^a. The example 3 shows that the result becomes an incorrect answer when the pattern of m cannot be written as h^a.

Example 3: From n, Φ (n), e and d which are in example 1, encrypting m = 11 and recovering this value.

Sol:

Encryption Process:

Encrypting m = 11: c = 11^1761702089 mod 4624614191 = 4348997977

Decryption Process:

Decrypting c = 4348997977: because of 2334698442 * 4348997977 mod 4624614191 = 1, then m' = 2334698442⁷ mod 4624614191= 182070649 → it is the wrong answer

In fact, the decrytion process in example 3 cannot recover m = 11 because 11 cannot be written as h³.

Nevertheless, some values which are not written as the form h a can be recovered by using the proposed equation, it is shown in example 4.

Example 4: From n, Φ (n), e and d which are in example 1, encrypting m = 15 and recovering this value.

Sol:

Encryption Process:

Encrypting m = 15: c = 15^1761702089 mod 4624614191 = 4542134671

Decryption Process:

Decrypting c = 4542134671: because of 1511425060 * 4542134671 mod 4624614191 = 1, then m = 1511425060⁷ mod 4624614191= 15

From the information in the examples above, it implies that if m = h^a, it can be always recovered by using the proposed equation. On the other hand, the result from decryption process may be the wrong answer when m ≠ h^a.

Assuming, the form of d is in the condition of this research, the concept to find i = \(\frac b a\) is as follows. First, it is the process to assign i = 1 as the initial exponent for the proposed equation. The next process is to select m which is a small integer to find some possible plaintexts which are generated from m. In fact, all of them are m, m², m³, ···, m^a, ···, m^l where m^l < n < m^l+1. Next, all chosen plaintexts are encrypted. The last process is to decrypt all ciphertexts by using i as the key and the inversion of ciphertext modulo n as the base. If there is the matching result, thoroughly rechecking with the other values to ensure that i = \(\frac b a\). On the other hand, i will be increased to find the correct key whenever there is no matching result.

Example 5: Assuming n = 290831 (863*337), and e = 203815 are disclosed, find i,

Sol:

First, choosing m = 3

Because m¹¹ = 177147 < n < m¹² = 531441, therefore, m₁ = 3, m₂ = 3², m₃ = 3³, ···, m₁₁ = 3¹¹ are chosen as the plaintexts for the implementation. The results are m₁=3, m₂=9, m₃=27, m₄=81, m₅=243, m₆=729, m₇=2187, m₈=6561, m₉=19683, m₁₀=59049, m₁₁=177147

The next process is to find c₁ = \(m^e_1\)mod n = 255559, c₂ = \(m^e_2\) mod n = 229797, c₃ = \(m^e_3\) mod n = 60186, c₄ = \(m^e_4\) mod n = 185708, c₅ = \(m^e_5\) mod n = 94037, c₆ = \(m^e_6\) mod n = 54491, c₇ = \(m^e_7\) mod n = 95527, c₈ = \(m^e_8\) mod n = 139622, c₉ = \(m^e_9\) mod n = 184970, c₁₀ = \(m^e_{10}\) mod n = 240814, c₁₁ = \(m^e_{11}\) mod n = 18778.

Then computing \(c^{-1}_1\) mod n = 22749 , \(c^{-1}_2\) mod n = 128652, \(c^{-1}_3\) mod n = 71995, \(c^{-1}_4 \) mod n = 144894, \(c^{-1}_5\)  mod n = 205883, \(c^{-1}_6\)  mod n = 89943, \(c^{-1}_7\) mod n = 117222, \(c^{-1}_8\) mod n = 53839, \(c^{-1}_9\) mod n = 94070, \(c^{-1}_{10} \) mod n = 63932, \(c^{-1}_{11}\) mod n = 234068

Assigning j ∈ Z where j = 1, 2, 3, ···, 11, the next process is to find the exponent i which is the correct result, the initial value is 1,

Loop 1 (i = 1): Computing t_j = \((c^{-1}_j)^1\)mod n, that means t_j = \((c^{-1}_j)\) mod n, however there is no t_j which is matched to m_j.

Loop 2 (i = 2): Computing t_j = \((c^{-1}_j)^2\)mod n, then the results are t₁ = 128652, t₂ = 144894, t₃ = 89943, t₄ = 53839, t₅ = 63932, t₆ = 278984, t₇ = 105027, t₈ = 216175, t₉ = 50063, t₁₀ = 252581, t₁₁ = 212351, there is no t_j which is matched to m_j.

Loop 3 (i = 3): Computing t_j = \((c^{-1}_j)^3\)mod n, then the results are t₁ = 71995, t₂ = 89943, t₃ = 94070, t₄ = 278984, t₅ = 82558, t₆ = 50063, t₇ = 17102, t₈ = 170867, t₉ = 27, t₁₀ = 198879, t₁₁ = 101813, there is no t_j which is matched to m_j.

Loop 4 (i = 4): Computing t_j = \((c^{-1}_j)^4\)mod n, then the results are t₁ = 144894, t₂ = 53839, t₃ = 278984, t₄ = 216175, t₅ = 252581, t₆ = 170867, t₇ = 32561, t₈ = 33052, t₉ = 213242, t₁₀ = 182570, t₁₁ = 182313, there is no t_j which is matched to m_j.

Loop 5 (i = 5): Computing t_j = \((c^{-1}_j)^5\)mod n, then the results are t₁ = 205883, t₂ = 63932, t₃ = 82558, t₄ = 252581, t₅ = 97068, t₆ = 198879, t₇ = 290329, t₈ = 182570, t₉ = 188377, t₁₀ = 144717, t₁₁ = 6654, there is no t_j which is matched to m_j.

Loop 6 (i = 6): Computing t_j = \((c^{-1}_j)^6\)mod n, then the results are t₁ = 89943, t₂ = 278984, t₃ = 50063, t₄ = 170867, t₅ = 198879, t₆ = 213242, t₇ = 193249, t₈ = 170923, t₉ = 729, t₁₀ = 131472, t₁₁ = 88467, there is no t_j which is matched to m_j.

Loop 7 (i = 7): Computing t_j = \((c^{-1}_j)^7\)mod n, then the results are t₁ = 117222, t₂ = 105027, t₃ = 17102, t₄ = 32561, t₅ = 290329, t₆ = 193249, t₇ = 207688, t₈ = 139726, t₉ = 231745, t₁₀ = 252004, t₁₁ = 126556, there is no t_j which is matched to m_j.

Loop 8 (i = 8): Computing t_j = \((c^{-1}_j)^8\)mod n, then the results are t₁ = 53839, t₂ = 216175, t₃ = 170867, t₄ = 33052, t₅ = 182570, t₆ = 170923, t₇ = 139726, t₈ = 73468, t₉ = 142052, t₁₀ = 245652, t₁₁ = 118303, there is no t_j which is matched to m_j.

Loop 9 (i = 9): Computing t_j = \((c^{-1}_j)^9\)mod n, then the results are t₁ = 94070, t₂ = 50063, t₃ = 27 = m₃ , t₄ = 213242, t₅ = 188377, t₆ = 729 = m₆ , t₇ = 231745, t₈ = 142052, t₉ = 19683 = m₉ , t₁₀ = 149664, t₁₁ = 54601

From all results in 9^th Loop, the result of a may be equal to 3, 6 or 9. In fact, both of m₆ and m₉ can be rewritten as the form h³ as follows: m₆ = m³*m³ = (m²)³ and m₉ = m³*m³*m³ = (m³)³. Therefore, it implies that a is equal to 3 and then b = 3*9 = 27. However, to ensure a = 3 is the correct result, the other plaintexts should be selected to verify.

Assuming \(m^{'}_1\) = 125 (5³) and \(m^{'}_2\) = 1331 (11³) are chosen, then

Encryption Process:

Encrypting \(m^{'}_1\) = 125: \(c^{'}_1\) = 125²⁰³⁸¹⁵ mod 290831 = 194710

Encrypting \(m^{'}_2\) = 1331: \(c^{'}_1\) = 1331²⁰³⁸¹⁵ mod 290831 = 124812

Decryption Process:

Decrypting \(c^{'}_1\) = 194710: because 55503* 194710 mod 290831 = 1, then

\(m^{'}_1\) = 55503⁹ mod 4624614191= 125

Decrypting \(c^{'}_2\) = 124812: because 181922* 124812 mod 290831 = 1, then

\(m^{'}_2\) = 181922⁹ mod 4624614191= 1331

Therefore, i = 9 with a = 3, b = 27

In addition, the total loops to find a and b are 11 (number of c^-1 mod n) * 9 (number of loops) = 99.

Furthermore, if a and b are disclosed, the initial integer can be estimated to decrease loops. After this integer is found, d can be recovered by using brute force attack.

Theorem 3: Assuming a, b are disclosed, then d ≤ \(\frac{n-2\lceil\sqrt{n}\rceil-(b-1)}{a}\)

Proof:

From, ad + b = Φ (n)

= (p – 1)(q – 1)

= n – (p + q) +1

Because, p + q ≥ 2\(\lceil\sqrt{n}\rceil\)

ad + b ≤ n - \(\lceil\sqrt{n}\rceil\)+1

ad ≤ n − 2\(\lceil\sqrt{n}\rceil\)− (b −1)

Then, d ≤\(\frac{n-2\lceil\sqrt{n}\rceil-(b-1)}{a}\)

Therefore, d ≤ \(\frac{n-2\lceil\sqrt{n}\rceil-(b-1)}{a}\)

Therefore, the scope to find d is narrowed by using the following equation,

d ≤ \(\frac{n-2\lceil\sqrt{n}\rceil-(b-1)}{a}\)       (2)

Assigning d_i = \(\frac{n-2\lceil\sqrt{n}\rceil-(b-1)}{a}\), it can be chosen as the initial value to find d and it is always decreased by two (d is always an odd number) whenever the decrypted result is still incorrect.

Example 6: From the solution in example 5, the aim of this example is to find the initial value by using the equation in theorem 3

Sol:

From, d_i = \(\frac{n-2\lceil\sqrt{n}\rceil-(b-1)}{a}\)

\(\frac {290831 -2\lceil\sqrt{{290831}}\rceil -(27-1)} 3\) 

= 96575

In fact, the real value of d = 96535. Then, the distance between d i and d is only 96575 – 96535 = 40. Therefore, there are only 20 loops of the computation to find the target. On the other hand, if the process is implemented by using traditional brute force attack choosing d_o = 3 as the initial exponent, the loops are 48266. In depth, it is very higher than the proposed equation.

4. Experimental Results

The aim of this section is to ensure the hypothesis that the proposed method can recover both of m and d very fast when a is large, but 2^a is still less than n, and \(\frac b a\) is small. Many pairs of e and d from the same value of n are chosen for the experiment. However, all values of d must generate a and b in the condition. In addition, 32 bits of n is chosen randomly. In fact, n in this experiment is 2078092697 (55619 * 37363) and then Φ (n) is 2077999716. In addition, m = 2 is selected as the base of original plaintext because it is the smallest plaintext. Because of 2³⁰ = 1073741824 < n < 2³¹ = 2147483648, then the maximum value of a is 30. Despites of 2077999716 = 2²*3*13*479*27809. Therefore, there are 6 possible values of a consist of 2, 3, 4 (2*2), 6 (2 * 3), 12 (2 * 2 * 3), 13 and 26 (2 *13).

From Table 1, Number of steps to find a, b can be estimated from the following equation:

\(t_{ab} = l * \frac b a\)       (3)

Where, t_ab is represented as number of steps to find a, b

l is number of all possible plaintexts which are from m = m¹, m², ···, m^l.

Table 1. Number of steps to find a, b and d when n = 2078092697 and Φ (n) = 2077999716

For example, in 1^st Row, l = 30 and \(\frac b a\) = 3, therefore t_ab = 90. Furthermore, total steps to find d, t_d, can be calculated by using the following equation:

\(t_d = \frac {d_i -d} 2\)       (4)

However, d_i must be computed as first. For the example, d_i in 1^st Row is d_i = \(\frac {2078092697 - \lceil\sqrt{2078092697}\rceil -(9-1)} 3\) = 692667171.67. In fact, d is always an odd integer and d_i is larger than d. Therefore, d_i can be estimated as 692667171. Then,

t_d = \(\frac {692667171 - 692666569} 2\) =301

The information in this table shows that from the same value of a, the number of steps to find a and b are larger when b is higher. The reason is that the exponent for the new decryption equation is from \(\frac b a \). However, for the same value of a, after a and b are found, the number of steps to find d from the different values of b are same. In addition, it will be shown in theorem 4.

Theorem 4: From the condition in theorem 1, the total steps to find d from the same value of a are not changed.

Proof: From t_d = \(\frac {d_i -d} 2\)

= \(\frac{n-2 \lceil\sqrt{n}\rceil -(b-1)}{a}-\frac{\Phi(n)-b}{a}\)

= \(\frac{n-2\lceil\sqrt{n}\rceil-\Phi(n)+1}{a}\)

From this equation, it implies that any values of b do not affect to t_d. Therefore, the total steps to find d from the same value of a is not changed.

Example 7: From the value of n in Table 1, t_d is always equal to \(\frac {2078092697-2\lceil\sqrt{2078092697}\rceil -2077999716+1} 3 \approx\) 301, when a = 3.

Furthermore, t_d is very small when a is large. On the other hand, if a is too large, the solution is not found by using the proposed method. The reason is that 2^a which is the smallest plaintext becomes larger than n.

Therefore, to avoid an attack by using the proposed method, the parameters should not be assigned in the condition of theorem 1. In fact, the condition is as follows. If Φ (n) = ad + b, then both of Φ (n) and b must not be divided by a.

The next experiment is about the comparison between the proposed method and some algorithms in special proposed group in order to finish the process. The selected algorithms to compare with the proposed method consist of:

1) The improvement of FFA which was proposed in [23]

2) The improvement of TDA which was proposed in [18]

3) The improvement of VFactor which was proposed in [28]

4) Bruteforce attack that the exponent must be always an odd number

5) The algorithm for high value of private key which was proposed in [13]

In fact, the objective of this experiment is to ensure that the proposed method is the best algorithm when both of a and b are weak, they respond to the proposed method well. In fact, a = 3 and small value of b are chosen for this experiment. In addition, bits length of n consist of 128, 256 and 512.

However, the total loops to find d from g bits of n are usually very large when they are compared with the others from g – 1 bits of n. Therefore, the exponent of each result is chosen for the comparison instead of the real result.

Assuming the total loops to find d are written as the form x x 10^y, where x ∈ \(\mathbb{R}\) and y ∈ \(\mathbb{Z}\), the information in Fig. 1 is that the exponent, y, is shown at y-axis and three different bits length of n are represented at x-axis. For example, y = 75 when 128 bits of n is chosen. Then, it implies that the total loops are about 10⁷⁵.

Fig. 1. the exponent of result from each algorithm to discover d

The experimental results show that the proposed method requires the smallest loops of the computation. The reason is that both of a and b in this experiment are good responses to the proposed method.

However, the proposed method becomes an inefficient algorithm when a and b are strong, b is very large and a is very small. In addition, if a is not a divisor of b or Φ (n) , then d cannot be recovered by using the proposed method, because the result of \(\frac b a\) is not an integer. Therefore, the proposed method must be organized in the special proposed group.

5. Conclusion

This research has disclosed the new weakness of RSA. The condition to create the weak point is that Euler’s totient value, Φ (n) , must be written as the form Φ (n) = ad + b where d is the private key , \(a, b ∈ \mathbb{Z}\) and a divides both of Φ (n) and b. The experimental results show that total steps to recover d is small when a is large and \(\frac b a\) is small. However, if a is too large, the solution may not be found because the smallest possible value of plaintext is larger than the modulus. Therefore, to avoid an attack by using the proposed method, a and b should not be in the condition.