dissertacao.pdf
dissertacao.pdf
dissertacao.pdf
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
calculates these roots (though, as we saw, there is an algorithm that encrypts<br />
the messages in polynomial time), it is assumed nowadays that it is hard to<br />
calculate such roots when m ∈ ZN is randomly chosen and N is generated by<br />
random large primes p, q.<br />
Another trapdoor one way function in RSA is the modulus. Computing<br />
N = pq is easy, but what about factoring N knowing only < e, N >? The<br />
Problem of Factoring Large Integers is defined as follows:<br />
Definition 14. (The Problem of Factoring Large Integers) Given a large<br />
integer N, compute its prime factorization.<br />
Again this is a trapdoor one way function: it is easy to compute the product<br />
but difficult to compute the factors.<br />
So lets look at the RSA Problem. If he wants to know m, Marvin can try<br />
to find out d and then decrypt m. To compute d, Marvin must first know φ(N)<br />
and for this he needs to factor N. If Marvin can factor N, he can compute<br />
φ(N) and d = e −1 (mod N). This means that once we solve the problem of<br />
factoring N, we can actually solve the RSA Problem for any m. So the RSA<br />
problem is at most as difficult as the Problem of Factoring Large Integers. It<br />
remains nowadays an open question to know whether both problems have the<br />
same complexity.<br />
As the RSA modulus N is a large number, factoring it is a rather hard task<br />
given that its prime factors are generated randomly and balanced. The study<br />
of factoring methods is an active field in Mathematics and, though it gained<br />
special relevance more than 30 years ago with the appearance of RSA, it is still<br />
unknown whether a polynomial time algorithm that solves this problem in a<br />
classic computer exists. For this reason, it is assumed that if Marvin wishes to<br />
factor an RSA modulus, in order to break the system, will need an amount of<br />
time far larger than the usual duration of an RSA session.<br />
So the safety of RSA relies deeply on the assumption that both the RSA<br />
Problem and the Problem of Factoring Large Integers have no polynomial time<br />
algorithm that solves it. But more relevant in practical terms is the fact that,<br />
over 30 years of existence, no devastating attack on RSA has been publicized<br />
which cannot be easily avoided as we will show in this work.<br />
There is some flaws in the definition of RSA presented in the previous section.<br />
In fact, it is not possible to safely implement RSA in such a way. We now present<br />
some reasons why such an implementation does not provide appropriate security.<br />
16