dissertacao.pdf
dissertacao.pdf
dissertacao.pdf
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
If we set s = −(p + q), A = N + 1 and take the equation (mod e), the equation<br />
becomes:<br />
k(A + s) ∼ = 1 (mod e) (63)<br />
The following notation will be used for this attack and the next: we will write<br />
e = N α for some α. As e is usually the same size of N, α is usually close to 1.<br />
As for d, as we are talking about small private exponent attacks, we will assume<br />
it satisfies the inequality d < N δ for some δ. Therefore the goal of a low private<br />
key attack is to work for as high a δ as possible. Now lets look at the existing<br />
constraints over k and s:<br />
from the key equation we get:<br />
|k| < de 3de<br />
≤<br />
φ(N) 2N<br />
as we know that p and q are less than 2 2√ N we have:<br />
3 δ−1<br />
< e1+ α . (64)<br />
2<br />
|s| < 3N 0.5 = 3e 1<br />
2α (65)<br />
As in the usual case we have α ≈ 1, if we ignore the small constants we have<br />
the following problem, known as the small inverse problem: finding integers<br />
k and s that satisfy:<br />
k(A + s) ∼ = 1 (mod e) such that |s| < e 0.5 and |k| < e δ<br />
(66)<br />
The reason for the name of the problem is that, in some way, we are given an<br />
integer A and we are looking for a number close to it whose inverse is small<br />
(mod e). If, for a given δ we can list all the solutions of this problem, then<br />
one of them will reveal the true value of s and therefore allow us to factor N<br />
This means that the RSA system is insecure when one uses a private exponent<br />
satisfying d < N δ for a value of δ for which we can solve the Small Inverse<br />
Problem efficiently.<br />
Thought it was Boneh and Durfee’s conviction that this problem can be<br />
solved for δ < 0.292, they could not prove this fact. The reason for this is that<br />
their solution to the small inverse problem, which is based on the LLL algorithm<br />
and Coppersmith’s results, requires Conjecture 1 . However, their attack does<br />
result in practice and for this reason a decryption exponent δ < 0.292 should be<br />
49