I'm exploring a unique scenario within the RSA framework, which does not align with typical schemes and thus, lacks readily available references.

Consider a standard RSA setup but with a twist:

$$ n = pq, \\ \varphi(n) = (p-1)(q-1), \\ e \cdot d \equiv 1 \mod \lambda(n) $$

In this variant, $n$ is kept secret—yes, $n$ is not disclosed—while $\varphi(n)$ is made public. Here's what is publicly known and what remains private:

$$ \text{Public Info} = (\varphi(n), e) \\ \text{Private Info} = (n, d, \lambda(n)) $$

Question 1: Can an adversary, given the public information, efficiently breach what is commonly referred to as "the factorization assumption"? This scenario slightly deviates from the standard definition of the factorization assumption, but the concept is similar.

Question 2: Given the public information, can the adversary deduce the value of $d$ that was computed using $e$ and $\lambda(n)$?

Thank you everyone in advance for your answers.

Satoshi
  • 121
  • 3

1 Answer

2

Given the public information, can the adversary deduce the value of $d$ that was computed using $e$ and $\lambda(n)$?

If $p, q$ were chosen randomly, then the adversary could generate a short list of possible $d$ values where the actual $d$ will be on there with high probability.

Here's how this could be done: we know that $\lambda(n) = \varphi(n) / \gcd(p-1, q-1)$.

Now, for random primes $p, q$, $\gcd(p-1, q-1)$ will be small with high probability and can be limited by looking at the small factors of $\varphi(n)$, specifically, those small prime factors that exist with multiplicity > 1.

By listing the possible values of $\lambda(n)$, the adversary could find the possible values of $d = e^{-1} \bmod \lambda(n)$, and if the correct value of $\gcd(p-1,q-1)$ is on the list, so will the correct value of $d$.

How can this be addressed? The obvious way would be to select $p, q$ so that $p-1, q-1$ share a large (too large for ECM) prime factor, say, of 512 bits. That should prevent this approach from finding the correct value of $d$.

Of course, depending on what is actually done, the adversary may be able to use $d' = e^{-1} \bmod \varphi(n)$ (which he can certainly compute), and if so, that would break the protocol.

poncho
  • 154,064
  • 12
  • 239
  • 382
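The following is an added worked example illustrating the three points in the answer above: enumerating candidate $\lambda(n)$ values from the repeated small prime factors of the public $\varphi(n)$, the countermeasure of giving $p-1$ and $q-1$ a shared prime factor too large to be found, and the observation that $d' = e^{-1} \bmod \varphi(n)$ is always a valid exponent modulo $\lambda(n)$. It is example code written for this page, not code from the answer or from any library. It uses constructed toy-sized primes, and a trial-division bound stands in for "too large for ECM"; all function names (`factor_small`, `candidate_gcds`, `candidate_private_exponents`, `true_lambda`, `is_valid_exponent`) are hypothetical.

```python
from math import gcd


def factor_small(m, bound=1000):
    """Trial division up to `bound` (a stand-in for 'small factors found by ECM').
    Returns ({prime: exponent}, unfactored cofactor)."""
    factors = {}
    r = 2
    while r <= bound and r * r <= m:
        while m % r == 0:
            factors[r] = factors.get(r, 0) + 1
            m //= r
        r += 1
    if m > 1 and r * r > m:
        # every divisor below sqrt(m) was removed, so the remainder is prime
        factors[m] = factors.get(m, 0) + 1
        m = 1
    return factors, m


def candidate_gcds(phi, bound=1000):
    """Plausible values of g = gcd(p-1, q-1) recoverable from phi(n) alone.
    Since g | p-1 and g | q-1, g^2 | phi(n): g can only be built from primes
    that appear in phi(n) with multiplicity >= 2, each to at most half its exponent."""
    factors, _ = factor_small(phi, bound)
    cands = [1]
    for r, a in factors.items():
        if a >= 2:
            cands = [c * r ** k for c in cands for k in range(a // 2 + 1)]
    return sorted(cands)


def candidate_private_exponents(phi, e, bound=1000):
    """Map each candidate lambda(n) = phi(n)/g to the d it implies, d = e^-1 mod lambda(n)."""
    out = {}
    for g in candidate_gcds(phi, bound):
        lam = phi // g
        if gcd(e, lam) == 1:
            out[lam] = pow(e, -1, lam)
    return out


def true_lambda(p, q):
    """Carmichael function of n = pq, computed from the secret primes."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)


def is_valid_exponent(e, d, lam):
    """d is a working RSA private exponent exactly when e*d == 1 (mod lambda(n))."""
    return (e * d) % lam == 1


if __name__ == "__main__":
    # Constructed toy case 1: gcd(p-1, q-1) = 2 is small, as for random primes.
    p, q, e = 101, 103, 7
    phi = (p - 1) * (q - 1)          # 10200, the public value
    lam = true_lambda(p, q)          # 5100, kept secret
    d = pow(e, -1, lam)              # 3643, kept secret
    cands = candidate_private_exponents(phi, e)
    print("candidate (lambda, d) pairs:", cands)
    print("true d is on the short list:", cands.get(lam) == d)

    # Constructed toy case 2: p-1 and q-1 share the prime 1009, which lies above the
    # trial-division bound, so the enumeration never proposes the true lambda(n).
    p, q, e = 10091, 12109, 65537
    phi, lam = (p - 1) * (q - 1), true_lambda(p, q)
    cands = candidate_private_exponents(phi, e)
    print("true lambda among candidates:", lam in cands)

    # Last point of the answer: d' = e^-1 mod phi(n) needs only public data and,
    # because lambda(n) divides phi(n), also satisfies e*d' == 1 (mod lambda(n)).
    d_prime = pow(e, -1, phi)
    print("d' works modulo lambda(n):", is_valid_exponent(e, d_prime, lam))
```

In case 1 the list of candidate exponents has only four entries and the true $d$ is among them; in case 2 the shared factor 1009 is invisible to the factoring step, so no candidate $\lambda(n)$ is correct, yet $d'$ computed from $\varphi(n)$ still works, which is why the answer's last caveat matters more than the enumeration.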