Cryptanalysis of RSA variants with primes sharing most significant bits (Q2154038)

Here, four variants of the RSA encryption based on factoring \(N = pq\) are considered, where the public exponent \(e\) and the private exponent \(d\) satisfy the equation \(ed \equiv 1\pmod{({p^2} - 1)({q^2} - 1)}\). The authors consider attacks using the continued fraction algorithm and by applying \textit{D. Coppersmith}'s method (see [J. Cryptology 10, No. 4, 233--260 (1997; Zbl 0912.11056)]) together with lattice reduction techniques and show for both attacks that the variants are insecure if the difference \(p - q\) and the private exponent \(d\) are small. For the entire collection see [Zbl 1490.68022].