dissertacao.pdf
dissertacao.pdf
dissertacao.pdf
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Theorem 28. Given an RSA modulus N = pq with p, q > 3 and the public<br />
key < 3, N >, then the constant k in the key equation ed = 1 + kφ(N) satisfies<br />
k = 2.<br />
Proof. From the key equation ed − 1 = kφ(N) we know that 0 < k < e.<br />
So, in our case we have k = 1 or k = 2. Because (3, p − 1) = 1 we have<br />
p − 1 ≇ 0 (mod 3) and, as p > 3, we have (3, p) = 1 and therefore<br />
p − 1 ≇ 2 (mod 3) and so we get that<br />
p − 1 ∼ = 1 (mod 3)<br />
q − 1 ∼ = 1 (mod 3)<br />
So φ(N) = (p − 1)(q − 1) ∼ = 1 (mod 3). Taking the key equation modulo e = 3,<br />
we get:<br />
3d ∼ = 1 + kφ(N) (mod 3) =⇒ k ∼ = 2 (mod 3) (55)<br />
Because k = 1 or k = 2, we have k = 2 and this concludes our proof.<br />
So every time we use e = 3 we are giving away half of the bits of the<br />
private exponent. However, this has not been proven to be enough to factor the<br />
modulus[22], so this attack does not represent a total break of the RSA.<br />
3.4 Factoring the modulus of RSA with Small Private Ex-<br />
ponent d<br />
After the previous attacks, we now study attacks on RSA sessions where the<br />
private exponent, d, is low. These attacks are much more destructive than the<br />
ones presented in the previous section: they aim to factor the modulus, thus<br />
breaking the whole system. The theorems presented on this section suppose the<br />
encrypting and decrypting exponents are defined modulo λ(N). The results,<br />
however, would apply if these exponents were instead defined modulo φ(N) like<br />
in the previous sections.<br />
We present one first result, which will prove useful for the first attack of this<br />
section. Given the key equation ed = 1 + kλ(N), we have<br />
0 < k =<br />
(ed − 1)<br />
λ(N)<br />
In particular we have that k < d.<br />
ed<br />
< < min{e, d} (56)<br />
λ(N)<br />
46