dissertacao.pdf
If Marvin knows φ(N), then he can solve the system of equations<br />
<br />
<br />
N = pq ∧ φ(N) = (p − 1)(q − 1)<br />
for p and q and therefore find the factorization of N. It is easy to check that p<br />
and q are the solutions of<br />
$x^2 - (N - \varphi(N) + 1)x + N = 0$ (21)<br />
which can be solved efficiently. For this reason, the value of φ(N) should always<br />
be kept secret.<br />
Suppose Alice wishes to send Bob a plain text $m = kp$, where $p$ is one of<br />
the factors of $N$. She will encrypt it with Bob’s public key $\langle e, N \rangle$,<br />
obtaining $c \cong m^e \pmod{N}$. If Marvin intercepts $c$, all he has to do is compute<br />
the greatest common divisor $(c, N) = p$ to discover a factor of $N$ and consequently<br />
break the system. So, when choosing the plain texts, we cannot choose plain texts<br />
which are not relatively prime to $N$.<br />
RSA has the Homomorphic Property, that is, the encryption of the product<br />
of two plain texts is equal to the product of the two encryptions. In RSA,<br />
this is equivalent to the following statement: given two plain texts $m_1$, $m_2$ and<br />
their cypher texts $c_1$, $c_2$, we have:<br />
$(m_1 m_2)^e \cong c_1 c_2 \pmod{N}$ (22)<br />
which is verified for RSA. This paves the way for an attack against RSA. Suppose<br />
$m$ is encrypted as $c \cong m^e \pmod{N}$. Marvin, knowing $c$, chooses a random<br />
$x \in C$ and asks for the plain text of $c_0 \cong c x^e \pmod{N}$. Notice that this plain<br />
text, $m_0$, satisfies:<br />
$m_0 \cong c_0^d \cong (c x^e)^d \cong c^d x^{ed} \cong m x \pmod{N}$ (23)<br />
So all he has to do is compute the plain text $m \cong m_0 x^{-1} \pmod{N}$.<br />
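The three observations above (equation 21, the common-factor plain text, and equations 22 and 23) checked numerically on a toy key, as an added example that is not part of the original dissertation. The small primes, the exponent and all function names are assumptions chosen for illustration.

```python
# Added example: toy textbook RSA, parameters constructed for illustration only.
from math import gcd, isqrt

P, Q = 1009, 1013            # constructed small primes; real keys use far larger ones
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # private exponent (needs Python 3.8+)


def encrypt(m):
    return pow(m, E, N)


def decrypt(c):
    return pow(c, D, N)


def factor_from_phi(n, phi):
    """Equation 21: p and q are the roots of x^2 - (n - phi + 1)x + n = 0."""
    s = n - phi + 1                  # p + q
    disc = s * s - 4 * n             # (p - q)^2
    r = isqrt(disc)
    if r * r != disc:
        raise ValueError("phi is not consistent with n = p*q")
    return (s - r) // 2, (s + r) // 2


def shared_factor(c, n):
    """Return gcd(c, n) when it is a nontrivial factor of n, else None."""
    g = gcd(c, n)
    return g if 1 < g < n else None


def unblind_after_decryption(c, x, decryption_oracle):
    """Equation 23: decrypting c0 = c * x^e yields m0 = m * x; remove x again."""
    if gcd(x, N) != 1:
        raise ValueError("x must be invertible mod N")
    c0 = (c * pow(x, E, N)) % N
    m0 = decryption_oracle(c0)       # the party holding d decrypts c0, never c
    return (m0 * pow(x, -1, N)) % N


if __name__ == "__main__":
    print(factor_from_phi(N, PHI))                 # knowing phi(N) factors N
    print(shared_factor(encrypt(5 * P), N))        # m = kp leaks p through c
    print(unblind_after_decryption(encrypt(424242), 12345, decrypt))
```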
Another fact about RSA is that it does not provide Semantical Security,<br />
which happens in a cryptosystem when, knowing only the cypher text and the<br />
public key, no information about the plain text can be recovered. This is clearly<br />