dissertacao.pdf
dissertacao.pdf
dissertacao.pdf
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
increment m by one and start again. This way, we are sure that m will be equal<br />
to ⌊ g0<br />
k0<br />
⌋ at some point. As m < ⌊ g0<br />
k0<br />
g0<br />
⌋, we try a maximum of ⌊ ⌋ iterations for<br />
k0<br />
each convergents, whose total number is polynomial in log(N).<br />
The implementation of this attack is presented in the appendix. The results<br />
obtained are represented in Table 8.<br />
Table 8: Wiener’s Attack’s Experimental Results<br />
size of N average running time (seconds)<br />
32 0.007722<br />
64 0.012929<br />
128 0.046937<br />
256 0.151693<br />
512 0.497492<br />
1024 1.78601<br />
The most obvious way to avoid this attack is do simply use d > N 0.25 . In its<br />
work, however, Wiener presented yet another solution to avoid this attack: using<br />
a larger public exponent e. This is not a problem: after choosing e, one simply<br />
adds to e successively multiples of φ(N) until e satisfies e > N 3<br />
2 . Therefore, it<br />
is still possible to avoid this attack and at the same time use a small private<br />
exponent as long as this last inequality is satisfied.<br />
3.4.2 Improving Wiener’s Attack<br />
In its Ph.D. dissertation[16], presented in 2002, Durfee, working with Boneh,<br />
discovered a new way to attack RSA when a small secret exponent is used. Its<br />
attack is an improvement over Wiener’s attack as it aims to show that a private<br />
exponent d < N 0.292 renders the system totally insecure, improving Wiener’s<br />
bound of d < N 0.25 . However, proof of this was not found by Durfee, thought<br />
the attacks work in practice. We present a sketch of his attack.<br />
If we take the key equation we can rewrite it in the following way:<br />
ed ∼ = 1 (mod φ(N)) ⇔ ed + k(N + 1 − (p + q)) = 1 (62)<br />
48