Factoring the Modulus of Type N = p²q by Finding Small Solutions of the Equation er − (Ns + t) = αp² + βq²

Abstract

The modulus of type $N=p^{2}q$ is often used in many variants of factoring-based cryptosystems due to its ability to fasten the decryption process. Faster decryption is suitable for securing small devices in the Internet of Things (IoT) environment or securing fast-forwarding encryption services used in mobile applications. Taking this into account, the security analysis of such modulus is indeed paramount. This paper presents two cryptanalyses that use new enabling conditions to factor the modulus $N=p^{2}q$ of the factoring-based cryptosystem. The first cryptanalysis considers a single user with a public key pair $(e,N)$ related via an arbitrary relation to equation $er-(Ns+t)=\alpha p^2+\beta q^2$, where $r,s,t$ are unknown parameters. The second cryptanalysis considers two distinct cases in the situation of k-users (i.e., multiple users) for $k\ge 2$, given the instances of $(N_i,e_i)$ where $i=1,\dots ,k$. By using the lattice basis reduction algorithm for solving simultaneous Diophantine approximation, the k-instances of $(N_i,e_i)$ can be successfully factored in polynomial time.

1. Introduction

The integration of digital and physical realms has advanced considerably during the previous decade, resulting in the Internet of Things (IoT). The IoT is frequently viewed as a paradigm shift from the standard Internet to environments connected to everything. The advancement of technology incorporated in heterogeneous devices, such as smartphones, tablets, radio-frequency identification (RFID), Wifi, smart cities, and smart homes enables all types of communications, even unlawful ones. These connected gadgets equipped with actuators or sensors can detect their surroundings, comprehend current events, and act appropriately, resulting in increased data transfers, as [1] points out.

Individuals have been adapting to the IoT ecosystem without realizing that all the data stored, transferred, and processed in the network are not primarily designed with security aspects [2]. Henceforth, this causes more security and privacy risks for the users of these devices, which is currently one of the significant challenges of the IoT, also allowing the ecosystem to be susceptible and prone to many threats and security attacks [3]. Additionally, IoT devices are frequently limited in computing power, energy, and memory capacity, and the prototypical Internet protocols and cryptography algorithms lack many of these resources, potentially making them inadmissible for IoT devices [4].

Several security properties and requirements may need to be satisfied in order to secure the IoT. These general security properties have also been classified into four categories: confidentiality, integrity, authentication, and authorization. Likewise, as mentioned in [5], the security properties that should be considered with the security protocols for IoT are described in the Table 1 as follows.

Table 1. Basic security properties for IoT.

Category	Security Properties
Confidentiality	Confidentiality permit information to be transferred securely during all means. Without authentication or encryptions, the transmitted messages between sensor nodes and the network can be tampered with by the adversaries.
Integrity	Integrity pledges that data received has not been manipulated throughout the transmission process. The addressee should detect any changes.
Authentication	Authentication refers to the verification processes of the exchanged messages whereby the receiver can verify the root of the messages.
Authorization	Authorization refers to the particular entities that have the authority to access the measured data. The authorized IoT devices should be able to access the network.

Developing a cryptographic algorithm is the utmost priority to retain a user’s privacy in IoT’s security issues, explicitly in authentication and data integrity. In order to encrypt the end-to-end messages, either asymmetric cryptography or symmetric cryptography will be implemented. Both techniques can be used to ensure data security in IoT. Recently, the refs. [6,7] independently investigated the symmetric encryption schemes to secure the IoT platform. By contrast, a few studies have been conducted involving asymmetric encryption schemes. The ref. [8] employed a keyword search using public-key encryption in a cloud environment, which focuses on cloud computing popularization, a diversified industry, and personal choices. In the same environment, the ref. [9] proposed a dynamical scheme based on an Efficient and non-shareable Public Key Exponent Secure Scheme (ENPKESS) via a non-linear Diophantine equation on cloud-based security. Besides, the ref. [10] implemented an equality test, which is significantly secure and indistinguishable against the random oracle of the specified model discussed in their studies. To another extent, the ref. [11] designed asymmetric cryptographic functions by employing the generative adversarial neural networks in IoT settings.

The necessity of keeping information private cannot be overstated, particularly in today’s competitive environment, where eavesdroppers are ubiquitous in our communication channels. Thus, we are encouraged to utilise sophisticated encryption algorithms to protect our communication system’s security. Until the 1970s, symmetrical methods for communication security were used, where the same key was utilised for both encryption and decryption. In 1978, Rivest, Shamir and Adleman (RSA) [12] had introduced the first workable asymmetric cryptosystem. In the RSA cryptosystem, two primes p and q of the same bit-size produces the modulus $N=pq$. At the same time, the public exponent, e is a positive integer relatively prime to a parameter $\varphi \left(N\right)=(p-1)(q-1)$, and d is a private exponent used for decryption to satisfy the Diophantine equation $ed-\varphi \left(N\right)k=1$.

The use of the small private exponent d was an early idea in the RSA cryptosystem to lower the computing costs of decryption. Consequently, the total number of modular multiplications needed in the modular exponentiation and overall decryption costs is reduced. Even though RSA is still relatively secure when used with correct cryptographic techniques, the literature on its cryptanalysis is quite extensive. Since then, this system is undoubtedly the most researched topic in cryptology research. For instance, a classical result in [13] shows that if the decryption exponent d is less than $\frac{1}{3}{N}^{\frac{1}{4}}$, then using continued fractions, the RSA cryptosystem is insecure. Later, ref. [14] revised the bound to $d<N^{0.292}$ via Coppersmith’s method [15] for finding small solutions of modular univariate polynomials. The ref. [16] later discovered that it is feasible to increase the bound of $d<\frac{1}{3}{N}^{\frac{1}{4}}$ to $d<\frac{1}{\sqrt[4]{18}}{N}^{\frac{1}{4}}$. The new bound is partially derived from the restriction that both primes p and q have the same bit length.

In recent years, many researchers have extended Wiener’s and Boneh-Durfee’s results. For instance, the ref. [17] presented the type of attacks zoomed into the RSA Diophantine equation in its original form of $ed-k\varphi \left(N\right)=1$, focusing on increasing the bound of d, which combines the continued fraction expansion. Instead of deriving an equation from the RSA key equation in its original, the ref. [18] utilized an arbitrary Diophantine equation in the form of $eX-uY=Z-{\varphi }_b$. Furthermore, their proposed conditions upon parameters have no relation between the parameters X and Y and the parameters d and $\varphi \left(N\right)$. As a result, their strategy enables factoring modulus $N=pq$ for a set of weak keys with $d\approx N$. The ref. [19] then revisited Wiener’s continued fraction technique. Thus, a new attack against RSA is proposed. In contrast to the conclusion of [14] where $e\approx N$, their technique is well-suited to the circumstance when e is substantially less than N. Consequently, when the public key exponent is substantially less than the RSA modulus, the new attack in [19] surpasses the best current attack.

Many RSA variations have been proposed in parallel with these efforts to ensure computational performance while retaining acceptable security levels. There are respective variants of RSA that are established on the moduli, having the form $N=p^{2}q$. Such a modulus is widely employed in cryptography, as explained in [20], representing one of the most critical instances. One such prominent variant is proposed in [21], which applied the Hensel-lifting technique to verify a faster decryption algorithm compared to the original RSA decryption procedure. Other cryptosystems that also employed the modulus of the form $N=p^{2}q$ were designed in [22,23,24]. In comparison to the conventional RSA, their experiments were successful in demonstrating reduced computing costs.

Consequently, the security analysis of $N=p^{2}q$ becomes essential. For instance, the ref. [25] has proved that the cryptosystem that used $N=p^{2}q$ is vulnerable if coupled with a decryption exponent d, which is upper-bounded by $N^{0.395}$. Unlike [25], who solved $ex-Ny=1$, the ref. [26] solved $ex-Ny=z$, which is a more generic equation. Their results increase the number of possible solutions to the problem. Intuitively, the technique in [26] appears to have a better probability of discovering solutions, that is, factoring the modulus N. Successful cryptanalysis for the modulus $N=p^{2}q$ that is linked to partial key exposure was published very recently in [27,28]. They employed Jochemsz and May’s comprehensive approach [29], which is a highly successful methodology for finding small roots of integer polynomials and, as a result, factoring the modulus N. Despite the advantages of using the modulus $N=p^{2}q$, it is susceptible to attackers if the primes share some of their least significant bits (LSBs), as explained in [27], or if the primes and private keys share some of their most significant bits (MSBs), as described in [28].

To demonstrate that the class of keys is indeed weak, we must establish the existence of a probabilistic polynomial-time algorithm that accepts public parameters as input and returns the factors p and q. Thus, the procedure may be used to determine whether the key belongs to the relevant weak class. This trait may be advantageous when designing a cryptosystem’s key generation procedure to avoid mistakenly creating a weak key. The suggested approach may be beneficial in designing a cryptosystem’s key generation process to guarantee that no weak key is created accidentally.

Our contribution. In this paper, we introduce two interesting findings of cryptanalysis of moduli in the form $N=p^{2}q$. Firstly, we consider the solution on the public key pair $(e,N)$ that is related via an arbitrary relation to equation $er-(Ns+t)=\alpha p^2+\beta q^2$, where $r,s,t$ are unknown parameters. We present a strategy by applying the continued fraction expansion to factor primes p and q, given public key pairs $(e,N)$, which satisfy the following enabling conditions; $gcd(r,s)=1,|\alpha p^2-\beta q^2|<N^{\frac{1}{2}},r<\frac{N}{3(\alpha p^2+\beta q^2)}$ and $\left|t\right|<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$. Furthermore, we show that there exists a significant number of factorizable key pairs $(e,N)$ that fall under our first cryptanalysis.

Secondly, we consider the security of k-users (i.e., multiple users) for $k\ge 2$, given the instances of $(N_i,e_i)$ where $i=1,\dots ,k$. There are two distinct cases to be considered in the second cryptanalysis. Case number one is about solving k-instances $(N_i,e_i)$ for fixed integer $r<N^{{\delta }_1}$, satisfying $e_{i}r-(N_i{s}_i+t_i)=\alpha p_i^2+\beta q_i^2$, where the parameter ${\delta }_1$ will be defined later. Similarly, on the case number two, the analysis worked on fixed integer $s<N^{{\delta }_2}$, satisfying $e_i{r}_i-(N_{i}s+t_i)=\alpha p_i^2+\beta q_i^2$, where the parameter ${\delta }_2$ will be defined later. In the second cryptanalysis, we convert the equations into a simultaneous Diophantine problem and use lattice basis reduction techniques to obtain parameters $(r,s_i)$ or $(s,r_i)$ in both situations. This gives us a good estimate of $\alpha p^2+\beta q^2$, allowing us to calculate the prime factors $p_i$ and $q_i$ of each modulus $N_i$. We further show that, in both situations, the suggested approach allows one to factor k-moduli of the form $N_i=p_i^2{q}_i$ at the same time.

Organization of the article. We begin with a brief review of the continuous fractions expansion, lattice basis reduction, and simultaneous Diophantine approximation techniques discussed in Section 2. Section 3 shows the results and details the discussion. The first cryptanalysis is presented in Section 3.1, together with the estimation of the number of weak exponents. Following that, Section 3.2 discusses the second cryptanalysis. The examples are presented to illustrate the achieved outcomes. Section 4 compares our findings against relevant and significant previous findings corresponding to their enabling conditions. Section 5 summarises our findings and suggests intriguing future work.

2. Mathematical Foundation

In this section, we give brief reviews on Legendre’s theorem of continued fractions expansion and simultaneous Diophantine approximation via lattice reduction that will be used throughout this paper.

2.1. Continued Fraction Expansion

Let $\chi =[a_0,a_1,a_2,\dots ]$ be the continued fraction expansion of $\chi$. If $\chi$ is a rational number, then the process of listing the continued fractions expansion will finish in some finite index n (i.e., $\chi =[a_0,a_1,\dots ,a_n]$). In recent years, there has been an increasing amount of work on using the continued fraction expansion, for instance, [17,30], as a tool for analysing the security of public key cryptosystems. An important result on continued fractions is due to the following theorem, widely known as Legendre’s theorem.

Theorem 1

([31]). Suppose χ is a rational number. Let r and s be integers where $s\ne 0$ and $gcd(r,s)=1$, such that $|\chi -\frac{r}{s}|<\frac{1}{2s^2}$, then $\frac{r}{s}$ is a convergent of χ.

2.2. Simultaneous Diophantine Approximations

Let $u_1,\dots ,u_d$ be d linearly independent vectors of ${\mathbb{R}}^n$ with $d\le n$. The set of all integer linear combinations of the vectors $u_1,\dots ,u_d$ is called a lattice, and is in the form

$$\mathcal{L}=\left\{\sum _{i=1}^d{x}_i{u}_i|x_i\in \mathbb{Z}\right\}.$$

The set $(u_1,\dots ,u_d)$ is the basis of $\mathcal{L}$, and its dimension is d. The determinant of $\mathcal{L}$ is defined as $\det \left(\mathcal{L}\right)=\sqrt{\det \left(U^{T}U\right)}$, where U is the matrix of the $u_i$’s in the canonical basis of ${\mathbb{R}}^n$. Define the Euclidean norm of a vector $v\in \mathcal{L}$ as $\parallel v\parallel$. Define the Euclidean norm of a vector $v\in \mathcal{L}$ as $\parallel v\parallel$. Finding a short non-zero vector in $\mathcal{L}$ is a crucial problem in lattice reduction. The LLL algorithm generates a reduced basis vector [32], and the following result fixes the reduced basis vector’s sizes (see [20]).

Theorem 2

([32]). Let $\mathcal{L}$ be a lattice of dimension ω with a basis $\{v_1,\dots ,v_{\omega }\}$. The LLL algorithm produces a reduced basis $\{b_1,\dots ,b_{\omega }\}$ satisfying

$$\parallel b_1\parallel \le \parallel b_2\parallel \le \cdots \le \parallel b_i\parallel \le 2^{\frac{\omega (\omega -1)}{4(\omega +1-i)}}\det {\left(\mathcal{L}\right)}^{\frac{1}{\omega +1-i}},$$

for all 1 $\le i\le \omega$.

The simultaneous Diophantine approximations problem, which is stated as follows, is one of the most significant applications of the LLL algorithm. Let ${\chi }_1,\dots ,{\chi }_n$ be n real numbers, and $\epsilon$ a real number such that $0<\epsilon <1$. Dirichlet’s classical theorem states that integers exist $p_1,\dots ,p_n$, and a positive integer $q\le {\epsilon }^{-n}$, such that $|q{\chi }_i-p_i|<\epsilon$ for $1\le i\le n$. The LLL algorithm described a method for finding simultaneous Diophantine approximations to rational numbers using a lattice with real number elements [32]. In [33] (Appendix A), a comparable solution for a lattice with integer elements is provided.

Theorem 3

([33]). There is a polynomial time algorithm for given rational numbers ${\chi }_1,\dots ,{\chi }_n$ and $0<\epsilon <1$, to compute integers $p_1,\dots ,p_n$ and a positive integer q, such that

$$\underset{i}{max}|q{\chi }_i-p_i|<\epsilon \mathrm{and}q\le 2^{\frac{n(n-3)}{4}}·3^n·{\epsilon }^{-n}.$$

3. Results and Discussion

In this section, we present our first cryptanalysis which focuses on a single public key pair $(e,N)$, that is related via an arbitrary relation to equation $er-(Ns+t)=\alpha p^2+\beta q^2$, where $N=p^{2}q$ and $r,s,t$ are unknown parameters.

3.1. The First Cryptanalysis

Suppose that for $N=p^{2}q$ with $q<p<2q$, then ${\left(\frac{N}{2}\right)}^{\frac{1}{3}}<q<N^{\frac{1}{3}}<p<{\left(2N\right)}^{\frac{1}{3}}$ holds [27], unless stated otherwise, and this relation defines the integer N throughout this work. Let $\left[x\right]$ be the integer that is closest to x. Let’s start with the lemma below.

Lemma 1.

Let $|\alpha p^2-\beta q^2|<N^{\frac{1}{2}}$ where $\alpha ,\beta$ are suitable small integers with $\gcd (\alpha ,\beta )=1$. Let Δ be an approximation of $\alpha p^2+\beta q^2$ such that $|\alpha p^2+\beta q^2-\Delta |<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$, then $\alpha \beta q=\left[\frac{{\Delta }^2}{4N}\right]$.

Proof. 

Set $\Delta =\alpha p^2+\beta q^2+\nu$ with $\left|\nu \right|<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$. Consider the following equation.

$$\begin{array}{ccc}\hfill {\Delta }^2-4\alpha \beta qN& =& {(\alpha p^2+\beta q^2+\nu )}^2-4\alpha \beta qN\hfill \\ & =& {(\alpha p^2+\beta q^2)}^2-4\alpha \beta qN+2\nu (\alpha p^2+\beta q^2)+{\nu }^2.\hfill \end{array}$$

By using the identity ${(\alpha p^2-\beta q^2)}^2={(\alpha p^2+\beta q^2)}^2-4\alpha \beta qN$, we can rewrite the equation as

$${\Delta }^2-4\alpha \beta qN={(\alpha p^2-\beta q^2)}^2+2\left|\nu \right|(\alpha p^2+\beta q^2)+{\nu }^2.$$

Since $|\alpha p^2-\beta q^2|<N^{\frac{1}{2}}$ and $\left|\nu \right|<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}<N^{\frac{1}{3}}$, hence

$$\begin{array}{ccc}\hfill |{\Delta }^2-4\alpha \beta qN|& <& {\left(N^{\frac{1}{2}}\right)}^2+2(\alpha p^2+\beta q^2)\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}+{\left(N^{\frac{1}{3}}\right)}^2\hfill \\ & <& 2N.\hfill \end{array}$$

Divide both sides by $4N$, hence $\left|\frac{{\Delta }^2}{4N}-\alpha \beta q\right|<\frac{1}{2}$. It follows that $\alpha \beta q=\left[\frac{{\Delta }^2}{4N}\right]$.    □

Theorem 4.

Let $N=p^{2}q$ with $q<p<2q$. Let $\alpha ,\beta$ be suitably small integers, such that $|\alpha p^2-\beta q^2|<N^{\frac{1}{2}}$. Let e satisfying the equation $er-(Ns+t)=\alpha p^2+\beta q^2$ with $gcd(r,s)=1$. If $1\le s<r<\frac{N}{3(\alpha p^2+\beta q^2)}$ and $\left|t\right|<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$, then N can be factored in polynomial time.

Proof. 

Suppose that a public key pair $(e,N)$ satisfies an arbitrary equation

$$\begin{array}{c}\hfill er-(Ns+t)=\alpha p^2+\beta q^2\end{array}$$

(1)

with $gcd(r,s)=1$. Suppose $\left|t\right|<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$, thus, $\left|t\right|<N^{\frac{1}{3}}$. Rearrange (1) as $er-Ns=\alpha p^2+\beta q^2+t$, and dividing both sides by $Nr$, we have

$$\begin{array}{ccc}\hfill \left|\frac{e}{N}-\frac{s}{r}\right|& =& \left|\frac{\alpha p^2+\beta q^2+t}{Nr}\right|\hfill \\ & \le & \frac{|\alpha p^2+\beta q^2|+|t|}{Nr}\hfill \\ & <& \frac{|(\alpha p^2+\beta q^2)+N^{\frac{1}{3}}|}{Nr}.\hfill \end{array}$$

If the condition $\frac{|(\alpha p^2+\beta q^2)+N^{\frac{1}{3}}|}{Nr}<\frac{1}{2r^2}$ holds, we can infer that $\frac{s}{r}$ is a convergent of the continuing fraction $\frac{e}{N}$ using Theorem 1. Observe that, this is equivalent to $r<\frac{N}{2(\alpha p^2+\beta q^2)+N^{\frac{1}{3}}}$. From Lemma 1, we have $\Delta =\alpha p^2+\beta q^2+\nu$ with $\left|\nu \right|<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$. This implies that

$$\begin{array}{ccc}\hfill \alpha p^2+\beta q^2+\Delta & <& 2(\alpha p^2+\beta q^2)+\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}\hfill \\ \hfill & <& 2(\alpha p^2+\beta q^2)+N^{1/3}\hfill \\ & <& 3(\alpha p^2+\beta q^2).\hfill \end{array}$$

(2)

We can see from (2) that this requirement is satisfied for $r<\frac{N}{3(\alpha p^2+\beta q^2)}$. As a result, we may deduce that $\frac{s}{r}$ is a convergent of the continuing fraction $\frac{e}{N}$. Following that, we define $\Delta =er-Ns$. By Lemma 1, $\Delta$ is a satisfactory approximation of $\alpha p^2+\beta q^2$, hence this implies that $\alpha \beta q=\left[\frac{{\Delta }^2}{4N}\right]$. It follows that $gcd\left(\left[\frac{{\Delta }^2}{4N}\right],N\right)=q$, hence $p=\sqrt{\frac{N}{q}}$.    □

3.1.1. The Uniqueness of Paramaters $r,s,$ and t for Which the Theorem 4 Applies

Let’s start with the following result. It proves that given fixed integers $\alpha$ and $\beta$, the public parameter $e<N$ satisfies, at most, one equation $er-(Ns+t)=\alpha p^2+\beta q^2$, where the unknown parameters $r,s$ and t satisfy the conditions of Theorem 4.

Proposition 1.

Let e satisfying $e{r}_i-(N{s}_i+t_i)=\alpha p^2+\beta q^2$ with $e<N$ and $i=1,2$. Let $gcd(r_i,s_i)=1$, $r_i<\frac{N}{3(\alpha p^2+\beta q^2)}$ and $|t_i|<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$. Then $r_1=r_2,s_1=s_2$ and $t_1=t_2$.

Proof. 

Suppose that e satisfies two equations

$$\begin{array}{c}\hfill e{r}_1-(N{s}_1+t_1)=\alpha p^2+\beta q^2\\ \hfill e{r}_2-(N{s}_2+t_2)=\alpha p^2+\beta q^2\end{array}$$

with $r_1,r_2<\frac{N}{3(\alpha p^2+\beta q^2)}\mathrm{and}|t_1|,|t_2|<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$. Then, equating the e, we have

$$\begin{array}{c}\hfill \frac{\alpha p^2+\beta q^2+t_1+N{s}_1}{r_1}=\frac{\alpha p^2+\beta q^2+t_2+N{s}_2}{r_2}.\end{array}$$

(3)

We rearranged (3) to become

$$\begin{array}{c}\hfill (\alpha p^2+\beta q^2)(r_2-r_1)+t_1{r}_2-t_2{r}_1=N(r_1{s}_2-r_2{s}_1).\end{array}$$

(4)

Consider the left-hand side of (4). Since $|\alpha p^2-\beta q^2|<\alpha p^2+\beta q^2$ and $\alpha p^2+\beta q^2>p^2>N^{\frac{2}{3}}$, thus

$$\begin{array}{ccc}\hfill |(\alpha p^2+\beta q^2)(r_2-r_1)+t_1{r}_2-t_2{r}_1|& \le & |\alpha p^2+\beta q^2\left|\right(|r_2|+|r_1\left|\right)+|t_1{r}_2|+|t_2{r}_1|\hfill \\ & <& \frac{2|\alpha p^2+\beta q^2|N}{3(\alpha p^2+\beta q^2)}+\frac{2|\alpha p^2-\beta q^2|N^{\frac{4}{3}}}{{\left(3(\alpha p^2+\beta q^2)\right)}^2}\hfill \\ & <& \frac{2N}{3}+\frac{2(\alpha p^2+\beta q^2)N^{\frac{4}{3}}}{{\left(3(\alpha p^2+\beta q^2)\right)}^2}\hfill \\ & <& \frac{2N}{3}+\frac{2N^{\frac{2}{3}}}{9}\hfill \\ & <& N.\hfill \end{array}$$

We may conclude from the right-hand side of (4) that $r_1{s}_2-r_2{s}_1=0$. Since $gcd(r_1,s_1)=gcd(r_2,s_2)=1$, it shows that $r_1=r_2$ and $s_1=s_2$. As a result, $t_1=t_2$ is obtained.    □

3.1.2. Counting the Number of e’s for Which the Theorem 4 Applies

The number of e’s that fulfil the arbitrary equation $er-(Ns+t)=\alpha p^2+\beta q^2$ is estimated in the following result.

Theorem 5.

Let e satisfy an arbitrary equation $er-(Ns+t)=\alpha p^2+\beta q^2$, where $r,s$ are integers satisfying $1\le s<r<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$ with $gcd(r,s)=1$. Then, the number of the parameter e’s is at least $N^{\frac{2}{3}-ϵ}$, where $ϵ>0$ is suitably small for large N.

Proof. 

Suppose r and s are two integers satisfying $1\le s<r<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$ and $gcd(r,s)=1$. From $er-(Ns+t)=\alpha p^2+\beta q^2$, we have $er\equiv Ns+t+\alpha p^2+\beta q^2\equiv 0(modr)$. Define $t\equiv -(Ns+\alpha p^2+\beta q^2)(modr)$ with $0\le t<r$. Hence, there exists an integer t such that $e=\frac{Ns+t+\alpha p^2+\beta q^2}{r}$ is also an integer. Let $t_0=t+\alpha p^2+\beta q^2$, thus $e=\frac{Ns+t_0}{r}$. The number of the parameter e’s, denoted by $\#\left(e\right)$, satisfying the conditions given in Theorem 4 is

$$\begin{array}{c}\hfill \#\left(e\right)=\sum _{r=1}^{\mathcal{T}}\sum _{\begin{array}{c}s=1\\ gcd(r,s)=1\end{array}}^{r-1}1\end{array}$$

(5)

where $\mathcal{T}=\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}\approx c_1{N}^{\frac{1}{3}}$ for some positive constants $c_1$. Observe the following.

$$\begin{array}{c}\hfill \sum _{\begin{array}{c}s=1\\ gcd(r,s)=1\end{array}}^{r-1}1=\varphi \left(r\right)>\frac{c_{2}r}{loglogr}>\frac{c_{2}r}{loglogN}\end{array}$$

(6)

where $c_2$ is a constant (see [31], Theorem 328). Substitute (6) in (5), we obtain

$$\begin{array}{c}\hfill \#\left(e\right)>\frac{c_2}{loglogN}\sum _{r=1}^{\mathcal{T}}r.\end{array}$$

(7)

Next, for ${\sum }_{r=1}^{\mathcal{T}}r$, we have

$$\begin{array}{c}\hfill \sum _{r=1}^{\mathcal{T}}r=\frac{\mathcal{T}(\mathcal{T}+1)}{2}>\frac{{\mathcal{T}}^2}{2}=\frac{{\left(c_1{N}^{\frac{1}{3}}\right)}^2}{2}.\end{array}$$

(8)

Substitute (8) in (7), we obtain $\#\left(e\right)>\left(\frac{c_2}{loglogN}\right)\frac{{\left(c_1{N}^{\frac{1}{3}}\right)}^2}{2}>\frac{c_1^2{c}_2}{2loglogN}{N}^{\frac{2}{3}}=N^{\frac{2}{3}-ϵ}$. Hence, a good approximation for $\#\left(e\right)$ is at least $N^{\frac{2}{3}-ϵ}$, where $ϵ>0$ is arbitrarily small for suitably large N with $N^{-ϵ}=\frac{c_1^2{c}_2}{2loglogN}$.    □

3.1.3. Numerical Illustration of the First Cryptanalysis

Suppose we are given a public key pairs $(e,N)=(\mathrm{52,043,126,208,617},\mathrm{64,533,181,881,083})$ and satisfy all the condition stated in Theorem 4. At first, we compute the continued fraction of $\frac{e}{N}$, and the list of the first convergents of the continued fraction expansion are

$$\begin{array}{c}\hfill \left[0,1,\frac{4}{5},\frac{21}{26},\frac{25}{31},\frac{7046}{8737},\frac{7071}{8768},\frac{\mathrm{28,259}}{\mathrm{35,041}},\frac{\mathrm{35,330}}{\mathrm{43,809}},\cdots \right].\end{array}$$

Observe that we may omit the first and second convergents. Furthermore, the convergents $\frac{4}{5}$ and $\frac{21}{26}$ give $gcd\left(\left[\frac{{\Delta }^2}{4N}\right],N\right)=1$, respectively. We proceed with the next convergent $\frac{25}{31}$, then we compute $\Delta =er-Ns=\mathrm{7,365,440,052}$, hence $\left[\frac{{\Delta }^2}{4N}\right]=\mathrm{210,162}$. Finally, we compute $gcd(\mathrm{210,162},\mathrm{64,533,181,881,083})=\mathrm{35,027}$, which leads to the factorization of N (i.e., $q=\mathrm{35,027}$ and $p=\sqrt{\frac{N}{q}}=\mathrm{42,923}$).

The above illustration can also be viewed as the following algorithm.

Algorithm 1 Factoring public key pairs which satisfy Theorem 4.

Input: A public key pair $(e,N)$. Output: The prime factors $p,q$. 1: Compute the continued fraction $\frac{e}{N}$. 2: For each convergent $\frac{r}{s}$ of $\frac{e}{N}$, compute $\Delta =er-Ns$. 3: Calculate $\left[\frac{{\Delta }^2}{4N}\right]$. 4: Compute $gcd\left(\left[\frac{{\Delta }^2}{4N}\right],N\right)=x_1$. 5: If $1<x_1<N$, then compute $x_2=\sqrt{\frac{N}{x_1}}$. Otherwise, repeat Step 2. 6: Return:$q=x_1$ and $p=x_2$.

3.2. The Second Cryptanalysis

In this section, we consider the security of k-users (i.e., multiple users) for $k\ge 2$, given the instances of $(N_i,e_i)$ where $i=1,\dots ,k$. By using the lattice basis reduction algorithm for solving simultaneous Diophantine approximation, the k-instances of public key pairs $(N_i,e_i)$ can be factored in polynomial time.

3.2.1. The Second Cryptanalysis: Case #1

Suppose that we are given k-instances $(N_i,e_i)$ for fixed integer r, satisfying $e_{i}r-(N_i{s}_i+t_i)=\alpha p_i^2+\beta q_i^2$. The following Theorem 6 proves that we are able to factor in such moduli if the unknown parameters r, $s_i$, and $t_i$ satisfy the given conditions.

Theorem 6.

Let i be integers such that $i=1,\dots ,k$ for $k\ge 2$. Suppose $e_i$ are k-public exponents and $N_i=p_i^2{q}_i$ are k-moduli, each with the same bit-size N where $N=min\left\{N_i\right\}$. Let α, β be suitably small integers with $\gcd (\alpha ,\beta )=1$ such that $\alpha p_i^2+\beta q_i^2<N^{\frac{2}{3}+\gamma }$ where $0<\gamma <\frac{1}{3}$. Define ${\delta }_1=(\frac{1}{3}-\gamma )k$. If there exists a fixed integer $r<N^{{\delta }_1}$, k-integers $s_i<N^{{\delta }_1}$ and $|t_i|<\frac{|\alpha p_i^2-\beta q_i^2|}{3(\alpha p_i^2+\beta q_i^2)}{N}^{\frac{1}{3}}$ satisfying the equation $e_{i}r-(N_i{s}_i+t_i)=\alpha p_i^2+\beta q_i^2$, then k-moduli of the form $N_i=p_i^2{q}_i$ can be factored in polynomial time.

Proof. 

Let $N=min\left\{N_i\right\}$, $s_i<N^{{\delta }_1}$ and $|t_i|<\frac{|\alpha p_i^2-\beta q_i^2|}{3(\alpha p_i^2+\beta q_i^2)}{N}^{\frac{1}{3}}$, where $k\ge 2$ and $i=1,\dots ,k$. Thus, $|t_i|<N^{\frac{1}{3}}$. Let $\alpha p_i^2+\beta q_i^2<N^{\frac{2}{3}+\gamma }$ with $0<\gamma <\frac{1}{3}$. Consider the equation $e_{i}r-(N_i{s}_i+t_i)=\alpha p_i^2+\beta q_i^2$. We rearranged the equation and divided by $N_i$ for both sides, and obtained the following;

$$\begin{array}{ccc}\hfill |\frac{e_i}{N_i}r-s_i|& =& \frac{|\alpha p_i^2+\beta q_i^2+t_i|}{N_i}\hfill \\ & \le & \frac{|\alpha p_i^2+\beta q_i^2+t_i|}{N}\hfill \\ & <& \frac{(N^{\frac{2}{3}+\gamma })+N^{\frac{1}{3}}}{N}\hfill \\ & <& \frac{2N^{\frac{2}{3}+\gamma }}{N}\hfill \\ & =& 2N^{-\frac{1}{3}+\gamma }.\hfill \end{array}$$

To show the existence of integer r and $s_i$, let $\epsilon =2N^{-\frac{1}{3}+\gamma }$, ${\delta }_1=\frac{k}{3}-\gamma k$. We have

$$N^{{\delta }_1}·{\epsilon }^k=2^k{N}^{\delta 1-\frac{k}{3}+k\gamma }=2^k.$$

Since $2^k<2^{\frac{k(k-3)}{4}}·3^k$ for $k\ge 2$, thus Theorem 3 gives $N^{\delta }·{\epsilon }^k<2^{\frac{k(k-3)}{4}}·3^k$. It follows that if $r<N^{\delta }$, then $r<2^{\frac{k(k-3)}{4}}·3^k·{\epsilon }^{-k}$. Hence, for $i=1,\dots ,k$, we obtain $|\frac{e_i}{N_i}r-s_i|<\epsilon$ and $r<2^{\frac{k(k-3)}{4}}·3^k·{\epsilon }^{-k}$. If the requirements of Theorem 3 are fulfilled, we will be able to calculate r and $s_i$ for $i=1,\dots ,k$.

Next, observe the equation $e_{i}r-N_i{s}_i-(\alpha p_i^2+\beta q_i^2)=t_i$. If $|t_i|<\frac{|\alpha p_i^2-\beta q_i^2|}{3(\alpha p_i^2+\beta q_i^2)}{N}^{\frac{1}{3}}$, then from Lemma 1 and Theorem 4, ${\Delta }_i=e_{i}r-N_i{s}_i$ is an approximation of $\alpha p_i^2+\beta q_i^2$. Hence, this implies that $\alpha \beta q_i=\left[\frac{{\Delta }_i^2}{4N}\right]$ for ${\Delta }_i=e_{i}r-N_i{s}_i$. Finally, we compute $q_i=gcd\left(\left[\frac{{\Delta }_i^2}{4N_i}\right],N_i\right)$. Therefore, k-moduli of the form $N_i=p_i^2{q}_i$ can be factored in polynomial time. □

3.2.2. Numerical Illustration of the Second Cryptanalysis: Case #1

As an illustration of our second cryptanalysis for Case $\#1$, suppose we consider three pairs of public keys, as follows.

$$\begin{array}{ccc}\hfill (e_1,N_1)& =& (\mathrm{29,255,562,123,506,221,224,250,868,221},\mathrm{37,592,434,777,609,854,322,998,042,083}),\hfill \\ \hfill (e_2,N_2)& =& (\mathrm{31,666,949,665,785,721,076,995,001,363},\mathrm{37,159,723,778,525,259,456,378,519,073}),\hfill \\ \hfill (e_3,N_3)& =& (\mathrm{31,035,716,184,317,012,442,375,761,677},\mathrm{33,509,497,293,946,637,275,529,693,389}).\hfill \end{array}$$

Observe that $N=min(N_1,N_2,N_3)=\mathrm{33,509,497,293,946,637,275,529,693,389}$. Supposing $k=3$ and $0<\gamma <\frac{1}{3}$, we obtain ${\delta }_1=\frac{k}{3}-\gamma k=\frac{1}{4}$ and $\epsilon =2N^{-\frac{1}{3}+\gamma }\approx 0.0083932985$. Suppose that we consider the parameter C as defined in [33], (Appendix A, page 196) using $n=m=3$, hence we have

$$C=\left[3^{n+1}·2^{\frac{(n+1)(n-4)}{4}}·{\epsilon }^{-n-1}\right]=\mathrm{8,160,642,349}.$$

Suppose that the lattice $\mathcal{L}$ is spanned by the following matrix:

$$M=\left[\begin{array}{cccc}1& -\left[\frac{C{e}_1}{N_1}\right]& -\left[\frac{C{e}_2}{N_2}\right]& -\left[\frac{C{e}_3}{N_3}\right]\\ 0& C& 0& 0\\ 0& 0& C& 0\\ 0& 0& 0& C\end{array}\right].$$

After applying the LLL algorithm to $\mathcal{L}$, the following matrix is obtained as a reduced basis.

$$K=\left[\begin{array}{cccc}\mathrm{13,521,818}& \mathrm{140,673}& \mathrm{7,755,891}& \mathrm{7,168,491}\\ -\mathrm{13,012,033}& -\mathrm{19,197,443}& -\mathrm{1,873,112}& \mathrm{13,025,663}\\ \mathrm{3,675,331}& -\mathrm{9,727,267}& -\mathrm{34,041,935}& \mathrm{13,188,947}\\ -\mathrm{16,634,061}& \mathrm{23,434,710}& \mathrm{4,721,887}& \mathrm{19,989,237}\end{array}\right].$$

Now, computing $K·M^{-1}$, we have

$$K·M^{-1}=\left[\begin{array}{cccc}\mathrm{3,521,818}& \mathrm{10,523,085}& \mathrm{11,523,087}& \mathrm{12,523,593}\\ -\mathrm{13,012,033}& -\mathrm{10,126,355}& -\mathrm{11,088,656}& -\mathrm{12,051,442}\\ \mathrm{3,675,331}& \mathrm{2,860,253}& \mathrm{3,132,061}& \mathrm{3,404,006}\\ -\mathrm{16,634,061}& -\mathrm{12,945,126}& -\mathrm{14,175,293}& -\mathrm{15,406,080}\end{array}\right].$$

According to the first row of the above matrix, we obtain $r=\mathrm{13,521,818}$, $s_1=\mathrm{10,523,085}$, $s_2=\mathrm{11,523,087}$ and $s_3=\mathrm{12,523,593}$. By applying r and $s_i$ for $i=1,2,3$, we define ${\Delta }_i=e_{i}r-N_i{s}_i$ as an approximation of $\alpha p_i^2+\beta q_i^2$, respectively. Hence, by using Lemma 1 and Theorem 4, this implies that $\alpha \beta q_i=\left[\frac{{\Delta }_i^2}{4N}\right]$ for ${\Delta }_i=e_{i}r-N_i{s}_i$. Thus, we have the following;

$$\begin{array}{ccc}\hfill {\Delta }_1& =& \mathrm{51,383,531,574,753,359,723},\hfill \\ \hfill {\Delta }_2& =& \mathrm{50,988,468,015,130,899,583},\hfill \\ \hfill {\Delta }_3& =& \mathrm{47,592,177,797,589,142,109}.\hfill \end{array}$$

Next, for each $i=1,2,3$, we compute the following;

$$\begin{array}{c}\hfill \left[\frac{{\Delta }_1^2}{4N_1}\right]=\mathrm{17,558,501,682},\left[\frac{{\Delta }_2^2}{4N_2}\right]=\mathrm{17,490,871,878},\left[\frac{{\Delta }_3^2}{4N_3}\right]=\mathrm{16,898,309,214}.\end{array}$$

This leads us to the factorization of three RSA-Takagi moduli $N_1,N_2$ and $N_3$, where

$$p_1=\mathrm{3,584,116,567},p_2=\mathrm{3,570,311,711},p_3=\mathrm{3,449,355,491}.$$

Hence, by using Lemma 1 and Theorem 4, for each $i=1,2,3$, this implies that $\alpha \beta q_i=\left[\frac{{\Delta }_i^2}{4N}\right]$. Hence, $q_i=\gcd \left(\left[\frac{{\Delta }_i^2}{4N_i}\right],N_i\right)$ which we obtain $q_1=\mathrm{2,926,416,947},q_2=\mathrm{2,915,145,313},q_3=\mathrm{2,816,384,869}$. This results in the factorization of three moduli $N_1,N_2$ and $N_3$ with $p_1=\mathrm{3,584,116,567},p_2=\mathrm{3,570,311,711},p_3=\mathrm{3,449,355,491}$, respectively.

3.2.3. The Second Cryptanalysis: Case #2

In this section, we consider the Case $\#2$ that is when k-moduli of the form $N_i=p_i^2{q}_i$ satisfy k-equations of the form $e_i{r}_i-(N_{i}s+t_i)=\alpha p_i^2+\beta q_i^2$, where the parameters $r_i$, s, and $t_i$ are suitably small unknown parameters. This analysis is for the fixed value of s instead of fixed value of r from Case $\#1$. Thus, the following theorem is looking for k-integers of $r_i$ and an integer s.

Theorem 7.

Let i be integers such that $i=1,\dots ,k$ for $k\ge 2$. Suppose $e_i$ be k-public exponents with $\min \left\{e_i\right\}=N^{\tau }$ and $N_i=p_i^2{q}_i$ be k-moduli, each with the same bit-size N, where $N=max\left\{N_i\right\}$. Let α, β be suitably small integers with $\gcd (\alpha ,\beta )=1$ such that $\alpha p_i^2+\beta q_i^2<N^{\frac{2}{3}+\gamma }$ where $0<\gamma <\frac{1}{3}$. Define ${\delta }_2=(\tau -\gamma -\frac{2}{3})k$. If there exists a fixed integer $s<N^{{\delta }_2}$, k-integers $r_i<N^{{\delta }_2}$ and $|t_i|<\frac{|\alpha p_i^2-\beta q_i^2|}{3(\alpha p_i^2+\beta q_i^2)}{N}^{\frac{1}{3}}$ satisfy the equation $e_i{r}_i-(N_{i}s+t_i)=\alpha p_i^2+\beta q_i^2$, then k-moduli of the form $N_i=p_i^2{q}_i$ can be factored in polynomial time.

Proof. 

Let $e_i$ be k-public exponents with $\min \left\{e_i\right\}=N^{\tau }$ and $N=max\left\{N_i\right\}$ where $i=1,\dots ,k$ for $k\ge 2$. Let $\alpha p_i^2+\beta q_i^2<N^{\frac{2}{3}+\gamma }$, where $0<\gamma <\frac{1}{3}$. Suppose that $s<N^{{\delta }_2}$, where ${\delta }_2=(\tau -\gamma -\frac{2}{3})k$. Observe that $|t_i|<\frac{|\alpha p_i^2-\beta q_i^2|}{3(\alpha p_i^2+\beta q_i^2)}{N}^{\frac{1}{3}}<N^{\frac{1}{3}}$. Consider the equation $e_i{r}_i-(N_{i}s+t_i)=\alpha p_i^2+\beta q_i^2$. Rearranging the equation and dividing by $e_i$ for both sides, we have the following:

$$\begin{array}{ccc}\hfill |\frac{N_i}{e_i}s-r_i|& =& \frac{|\alpha p_i^2+\beta q_i^2+t_i|}{e_i}\hfill \\ & \le & \frac{\alpha p_i^2+\beta q_i^2+\left|t_i\right|}{N^{\tau }}\hfill \\ & <& \frac{N^{\frac{2}{3}+\gamma }+N^{\frac{1}{3}}}{N^{\tau }}\hfill \\ & <& \frac{2N^{\frac{2}{3}+\gamma }}{N^{\tau }}\hfill \\ & =& 2N^{\frac{2}{3}+\gamma -\tau }.\hfill \end{array}$$

We now continue to demonstrate the existence of integers $r_i$ and s. Let $\epsilon =2N^{\frac{2}{3}+\gamma -\tau }$ and ${\delta }_2=(\tau -\gamma -\frac{2}{3})k$. Then, we obtain

$$N^{{\delta }_2}·{\epsilon }^k=N^{{\delta }_2}{(2N^{\frac{2}{3}+\gamma -\tau })}^k=2^k(N^{{\delta }_2+(\frac{2}{3}+\gamma -\tau )k})=2^k.$$

Since $2^k<2^{\frac{k(k-3)}{4}}·3^k$ for $k\ge 2$, therefore, Theorem 3 gives $N^{\delta }·{\epsilon }^k<2^{\frac{k(k-3)}{4}}·3^k$. It follows that if $s<N^{{\delta }_2}$, then $s<2^{\frac{k(k-3)}{4}}·3^k·{\epsilon }^{-k}$. Next, for $i=1,\dots ,k$, we have $|\frac{N_i}{e_i}s-r_i|<\epsilon$ and $s<2^{\frac{k(k-3)}{4}}·3^k·{\epsilon }^{-k}$. If the conditions of Theorem 3 are fulfilled, we will find s and $r_i$. Next, by rearranging the equation $e_i{r}_i-(N_{i}s+t_i)=\alpha p_i^2+\beta q_i^2$, observe the following equation;

$$e_i{r}_i-N_{i}s-(\alpha p_i^2+\beta q_i^2)=t_i.$$

Since $|t_i|<\frac{|\alpha p_i^2-\beta q_i^2|}{3(\alpha p_i^2+\beta q_i^2)}{N}^{\frac{1}{3}}$, hence, using Lemma 1 and Theorem 4 confirms that such ${\Delta }_i=e_i{r}_i-N_{i}s$ is an approximation of $\alpha p_i^2+\beta q_i^2$, which implies that $\left[\frac{{\Delta }_i^2}{4N}\right]=\alpha \beta q_i$. Finally, we compute $q_i=\gcd \left(\left[\frac{{\Delta }_i^2}{4N_i}\right],N_i\right)$. Therefore, k-moduli of the form $N_i=p_i^2{q}_i$ can be factored in. □

3.2.4. Numerical Illustration of the Second Cryptanalysis: Case #2

It should be noted that the numerical illustration can be accomplished in a similar manner and with a slight adjustment with the Case $\#1$. We consider three moduli and three public exponents to show our second cryptanalysis for Case $\#2$ as follows.

$$\begin{array}{ccc}\hfill (e_1,N_1)& =& (\mathrm{32,951,266,308,456,173,805,039,470,651},\mathrm{41,828,330,615,126,280,338,151,779,539}),\hfill \\ \hfill (e_2,N_2)& =& (\mathrm{44,947,125,051,796,195,048,817,663,864},\mathrm{51,165,390,796,774,300,447,936,871,731}),\hfill \\ \hfill (e_3,N_3)& =& (\mathrm{28,130,995,660,813,675,001,279,183,769},\mathrm{33,865,943,931,730,327,074,467,227,163}).\hfill \end{array}$$

Observe that $N=\max \left\{N_1,N_2,N_3\right\}=\mathrm{51,165,390,796,774,300,447,936,871,731}$. We also obtain $\min \left\{e_1,e_2,e_3\right\}=N^{\tau }$ with $\tau \approx 0.9909508724$. Let $k=3$ and $0<\gamma <\frac{1}{3}$, therefore ${\delta }_2=(\tau -\gamma -\frac{2}{3})k=0.222852617$ and $\epsilon =2N^{\frac{2}{3}+\gamma -\tau }\approx 0.014736912$. Consider the parameter C as defined in [33] (Appendix A, page 196) using $n=m=3$; hence, we obtain

$$C=\left[3^{n+1}·2^{\frac{(n+1)(n-4)}{4}}·{\epsilon }^{-n-1}\right]=\mathrm{858,675,450}.$$

Suppose that the lattice $\mathcal{L}$ is spanned by the following matrix:

$$M=\left[\begin{array}{cccc}1& -\left[\frac{C{N}_1}{e_1}\right]& -\left[\frac{C{N}_2}{e_2}\right]& -\left[\frac{C{N}_3}{e_3}\right]\\ 0& C& 0& 0\\ 0& 0& C& 0\\ 0& 0& 0& C\end{array}\right].$$

After applying the LLL algorithm to $\mathcal{L}$, the following matrix is obtained as a reduced basis.

$$K=\left[\begin{array}{cccc}-\mathrm{1,526,872}& -\mathrm{106,014}& -\mathrm{1,217,082}& -\mathrm{1,225,226}\\ -\mathrm{1,318,171}& -\mathrm{5,327,802}& \mathrm{140,949}& -\mathrm{41,543}\\ -\mathrm{2,844,631}& \mathrm{822,078}& \mathrm{82,689}& \mathrm{4,989,427}\\ -\mathrm{2,916,075}& -\mathrm{233,400}& \mathrm{7,550,325}& -\mathrm{4,455,075}\end{array}\right].$$

Now, computing $K·M^{-1}$, we have

$$K·M^{-1}=\left[\begin{array}{cccc}-\mathrm{1,526,872}& -\mathrm{1,938,211}& -\mathrm{1,738,109}& -\mathrm{1,838,149}\\ -\mathrm{1,318,171}& -\mathrm{1,673,286}& -\mathrm{1,500,535}& -\mathrm{1,586,901}\\ -\mathrm{2,844,631}& -\mathrm{3,610,974}& -\mathrm{3,238,175}& -\mathrm{3,424,554}\\ -\mathrm{2,916,075}& -\mathrm{3,701,665}& -\mathrm{3,319,503}& -\mathrm{3,510,563}\end{array}\right].$$

We derive $s=\mathrm{1,526,872}$, $r_1=\mathrm{1,938,211}$, $r_2=\mathrm{1,738,109}$ and $r_3=\mathrm{1,838,149}$ from the first row of the aforementioned matrix. By applying s and $r_i$ for $i=1,2,3$, we look at the relation ${\Delta }_i=e_i{r}_i-N_{i}s$ as an approximation of $\alpha p_i^2+\beta q_i^2$, respectively. Thus, we have the following;

$$\begin{array}{ccc}\hfill {\Delta }_1& =& \mathrm{55,174,364,873,521,673,353},\hfill \\ \hfill {\Delta }_2& =& \mathrm{63,106,563,153,707,337,744},\hfill \\ \hfill {\Delta }_3& =& \mathrm{47,929,080,406,292,979,445}.\hfill \end{array}$$

Hence, by using Lemma 1 and Theorem 4, for each $i=1,2,3$, this implies that $\alpha \beta q_i=\left[\frac{{\Delta }_i^2}{4N}\right]$. Hence, $q_i=\gcd \left(\left[\frac{{\Delta }_i^2}{4N_i}\right],N_i\right)$ which we obtain $q_1=\mathrm{3,032,444,851},q_2=\mathrm{3,243,108,811},q_3=\mathrm{2,826,335,843}$. This results in the factorization of three moduli $N_1,N_2$ and $N_3$ with $p_1=\mathrm{3,713,973,583},p_2=\mathrm{3,971,983,061},p_3=\mathrm{3,461,542,829}$, respectively.

4. Comparative Analysis

In this section, we compare our findings against previous findings of security analysis related to $N=p^{2}q$ concerning the form of the modified key equations and their conditions. The comparisons are illustrated in Table 2.

Table 2. Comparison of Our Results Against Previous Findings.

Reference	Utilized Key Equations	Enabling Conditions
[25]	$ex-(N-(p^2-pq-p))y=1$	$x=N^{\delta }$, $y^{2}z=N$
[26]	$ex-(N-(p^2-pq-p))y=z$	$\left|x\right|<N^{\delta }$, $z<N^{\gamma }$ $\left|xz\right|<N^{\delta +\gamma }\approx N^{0.22}$
[27]	$ed-k(N-(p^2+pq-p))=1$	$p-q=2^b\approx N^{\alpha }$, $e\approx N^{\gamma }$, $d<N^{\delta }$, $\delta <\frac{11}{9}-\frac{2}{9}\sqrt{4+18\gamma }$
[34]	$ex-(N-(a{p}^2+b{q}^2))y=z$	$1\le y\le x<\frac{1}{2}{N}^{\frac{1}{6}-\frac{\alpha }{2}}$, $\left|z\right|<\frac{1}{3}{N}^{1/3+\alpha }y$
[35]	$ex-Ny=(a{p}^2+b{q}^2)z$	$1\le y<x<\frac{N}{2\left|z\right|(a{p}^2+b{q}^2)}$, $\left|z\right|<\frac{\sqrt{2}{N}^{1/2}}{|a{p}^2-b{q}^2|}$
Our result: Theorem 4	$er-(Ns+t)=\alpha p^2+\beta q^2$	$1\le s<r<\frac{N}{3(\alpha p^2+\beta q^2)}$, $\left|t\right|<\frac{|\alpha p^2-\beta q^2|}{3(\alpha p^2+\beta q^2)}{N}^{\frac{1}{3}}$
Our result: Theorem 6	$e_{i}r-(N_i{s}_i+t_i)=\alpha p_i^2+\beta q_i^2$	$r,s_i<N^{{\delta }_1}$, $|t_i|<\frac{|\alpha p_i^2-\beta q_i^2|}{3(\alpha p_i^2+\beta q_i^2)}{N}^{\frac{1}{3}}$, $\alpha p_i^2+\beta q_i^2<N^{\frac{2}{3}+\gamma }$, $0<\gamma <\frac{1}{3}$, ${\delta }_1=\frac{k}{3}-\gamma k$, $N=\min \left\{N_i\right\}$.
Our result: Theorem 7	$e_i{r}_i-(N_{i}s+t_i)=\alpha p_i^2+\beta q_i^2$	$r_i,s<N^{{\delta }_2}$, $|t_i|<\frac{|\alpha p_i^2-\beta q_i^2|}{3(\alpha p_i^2+\beta q_i^2)}{N}^{\frac{1}{3}}$, $\alpha p_i^2+\beta q_i^2<N^{\frac{2}{3}+\gamma }$, $0<\gamma <\frac{1}{3}$, $\min \left\{e_i\right\}=N^{\tau }$, ${\delta }_2=(\tau -\gamma -\frac{2}{3})k$, $N=\max \left\{N_i\right\}$.

From Table 2, based on the references given (i.e., [25,26,27,34,35], we can view that all earlier first five findings are a type of cryptanalysis as a zoomed-in generalized Diophantine equation in the form $eX-NY=Z$ for suitable integers $X,Y,Z$. The first five findings had to dictate conditions upon the key pairs $(e,N)$ and its corresponding generalized parameters. All of the mentioned attacks usually combine the continued fraction method, the lattice reduction technique such as the Coppersmith’s method [15] or utilize Jochemsz and May’s strategy [29] to formulate a new strategy in factoring N.

The above collection depicts the progress of cryptanalysis efforts over some time. To continue the research, there might be more generalization key equations that can be provided to emphasize the technique to factor $N=p^{2}q$ in polynomial time. Hence, this paper presents two new cryptanalyses that depend on an arbitrary Diophantine key equation, which differ from earlier studies.

There are two different results of cryptanalysis of the modulus in the form $N=p^{2}q$ presented in this paper, which is briefly summarized in Table 2. As a consequence, our strategy enables us to factor $N=p^{2}q$ for a collection of weak keys with requirements as specified in Theorems 4, 6 and 7, respectively. Thus, our results are novel and essential. The conditions upon our parameters cannot be compared to conditions upon parameters of earlier results. It is due to the proposed results in another addition to the not-to-do list during the key generation process to guarantee that the crypto-designers or implementors do not unawarely construct a weak key.

5. Conclusions and Future Work

The modulus of type $N=p^{2}q$ is often used in many variants of factoring-based public-key encryption due to its ability to fasten the decryption process. Faster decryption is very suitable for securing small devices in the IoT environment or securing fast-forwarding encryption services used in mobile applications. Taking this into account, the security of those devices is paramount. Finally, two new cryptanalyses of the modulus $N=p^{2}q$ were presented. This study focused on two cryptanalyses that use new enabling conditions to factor the modulus $N=p^{2}q$ of the factoring-based cryptosystem. The first cryptanalysis considered a single user with a public key pair $(e,N)$ related via an arbitrary relation to equation $er-(Ns+t)=\alpha p^2+\beta q^2$, where $r,s,t$ are unknown parameters. The second cryptanalysis considered two distinct cases in the situation of k-users (i.e., multiple users) for $k\ge 2$, given the instances of $(N_i,e_i)$ where $i=1,\dots ,k$. By using the lattice basis reduction algorithm for solving simultaneous Diophantine approximation, the k-instances of $(N_i,e_i)$ can be successfully factored in polynomial time.

It was proven that a probabilistic polynomial-time algorithm exists that takes public parameters as an input and returns the factors p and q. Hence, we executed the procedure to see if the key belonged to the weak class. The proposed results may be helpful during key generation to avoid creating a weak key by accident. This study revealed specific flaws in the relaxed model using faulty public variables and limited parameter selection. These flaws do not compromise the factoring-based cryptosystem’s security. Nevertheless, our findings can help uncover possible flaws and better understand the underlying mathematics and parameter choices.

Future work. Given the resource constraints associated with various IoT devices, cryptographic solutions in this environment must be resilient while remaining practical, posing a challenge for security analysts and crypto designers. Therefore, other generalization key equations can be presented in the future to demonstrate how to recover the prime factors p and q in polynomial time. It would be splendid if a small private exponent could reduce the encryption and decryption time. Under partial key exposure attacks, future researchers can analyze the RSA variant’s security when the prime factor p and q share many LSBs or MSBs. There are other schemes that one might be interested in by using a small private exponent that can be employed to recover the prime factor p and q in polynomial time, such as [27,28].