dissertacao.pdf

More documents

Recommendations

Info

the integers to find out m. All computations can be done in time polynomial in log (N). The implementation of this attack is presented in the appendix. Table 4 contains the experimental results: Table 4: Common Plain text Attack’s Experimental Results size of N (in bits) time to compute m (seconds) 16 0.000169 32 0.000051 64 0.000049 128 0.000049 256 0.000052 512 0.000062 1024 0.000066 2048 0.000095 4096 0.000097 Another attack, known as the Related Plain text Attack, allows for the encrypted messages to be different but related by known polynomials, and requires a larger number of messages to be encrypted. The result, due to Bleichenbacher [17], is as follows: Theorem 22. Given the public keys < e1, N1 >, < e2, N2 >, ..., < ek, Nk > where the modulus are pairwise co-prime, and f1(x) ∈ ZN1 [x], ..., fk(x) ∈ ZNk [x], set N0 = min{N1, N2, ..., Nk} and N = k i=1 Ni. For a plain text m < N0, if k ≥ maxi{eideg(fi(x))} then given ci = fi(m) (mod Ni) and < ei, Ni > for i = 1, 2, ..., k, the plain text m can be computed in time polynomial in log N and maxi{eideg(fi(x))}. Proof. We can suppose all fi(x) are monic. If not, we just need to multiply them for the inverse of the leading coefficient. If this inverse does not exist for fj(x), we find a factor of Nj and from cj we find m. Set δ = maxi{eideg(fi(x))} and also hi = δ − deg(fi(x) ei ) for i = 1, ..., k. Now we define the k monic polynomials of degree δ: gi(x) = x hi (fi(x) ei − ci) ∈ ZNi 37 , for i = 1, ..., k (43)
Notice that gi(m) ∼ = 0 (mod Ni) for i = 1, ..., k, so we can use the Chinese Remainder Theorem using the gi(x) and Ni as inputs and compute a new degree δ monic polynomial G(x) ∈ ZN [x] satisfying: G(m) ∼ = 0 (mod N) (44) where m < N0 < N 1 l < N 1 D . So we are in condition to use Coppersmith’s result. Therefore, we can compute m in time polynomial in log(N) and δ. The results obtained with the algorithm presented in the appendix are shown in Table 5. Table 5: Related Plain text Attack’s Experimental Results size of N (in bits) time to compute the polynomial G(x) (seconds) 782 0.000289 1093 0.000308 1793 0.000390 3373 0.000524 6251 0.000736 12246 0.001269 23918 0.0026934 The reason for such fast results is that the final step of the attack, solving the univariate modular polynomial, was not done. Actually, May and Ritzenhofen [30] have improved the bound for the number of cypher texts required. Setting δi = eideg(fi(x)), if the inequality k 1 ≥ 1 (45) δi i=1 is satisfied then the plain text m can be recovered from the k cypher texts. To prevent this broadcast attacks, we need to ensure that this last inequality is not satisfied. A very straightforward way would be not to transmit the same (or related) message massively. If there is a need for this, then we should ensure that inequality (45) is not satisfied. For this we can transform the messages with polynomials of high degree or alternatively use high public exponents. 38
Page 1 and 2: A Survey of Cryptanalytic Attacks o
Page 3 and 4: Palavras Chave: RSA, criptanálise,
Page 5 and 6: Contents 1 Introduction 1 1.1 Crypt
Page 7 and 8: List of Tables 1 Notation . . . . .
Page 9 and 10: messages, Alice and Bob needed a se
Page 11 and 12: key, have lead to restrictions over
Page 13 and 14: 1.5.2 Time Complexity In cryptograp
Page 15 and 16: Definition 8. Given an integer N >
Page 17 and 18: If we want to solve a system of lin
Page 19 and 20: 1.5.5 Continued Fractions The conti
Page 21 and 22: 1.6 RSA Definition We are now in co
Page 23 and 24: calculates these roots (though, as
Page 25 and 26: not the case regarding RSA as we ha
Page 27 and 28: 1.8.3 Common Prime RSA For the Comm
Page 29 and 30: So if we use contrapositive of this
Page 31 and 32: The consequence of this theorem is
Page 33 and 34: 2.1.4 AKS Test In 2004, a major bre
Page 35 and 36: We will begin with an old method cr
Page 37 and 38: Theorem 18. Let N > 1 be an integer
Page 39 and 40: e reduced. Regarding the GNFS, it s
Page 41 and 42: factorization of N. That is, each u
Page 43: Table 3: DeLaurentis Attack’s Exp
Page 47 and 48: ecovery exponent l to reveal the pl
Page 49 and 50: y fN(x) = 2 −k1e ((m22 k2 + x2 k1
Page 51 and 52: Theorem 25. Let two plain texts m1,
Page 53 and 54: Theorem 28. Given an RSA modulus N
Page 55 and 56: increment m by one and start again.
Page 57 and 58: avoided. It should be noted that, o
Page 59 and 60: 5 Bibliography [1] Kamilah Abdullah
Page 61 and 62: [27] Arjen K. Lenstra, Primality Te
Page 63 and 64: A Implementations of the attacks fr
Page 65 and 66: q = RandomPrime[{2∧ (nbits − 1)
Page 67 and 68: While[i ≤ 23, n0 = Min[n0, nlist[
Page 69 and 70: B Implementations of the attacks fr
Page 71 and 72: C Implementation of Wiener’s atta

dissertacao.pdf

Create successful ePaper yourself

Delete template?

Save as template?