dissertacao.pdf

More documents

Recommendations

Info

If we set s = −(p + q), A = N + 1 and take the equation (mod e), the equation becomes: k(A + s) ∼ = 1 (mod e) (63) The following notation will be used for this attack and the next: we will write e = N α for some α. As e is usually the same size of N, α is usually close to 1. As for d, as we are talking about small private exponent attacks, we will assume it satisfies the inequality d < N δ for some δ. Therefore the goal of a low private key attack is to work for as high a δ as possible. Now lets look at the existing constraints over k and s: from the key equation we get: |k| < de 3de ≤ φ(N) 2N as we know that p and q are less than 2 2√ N we have: 3 δ−1 < e1+ α . (64) 2 |s| < 3N 0.5 = 3e 1 2α (65) As in the usual case we have α ≈ 1, if we ignore the small constants we have the following problem, known as the small inverse problem: finding integers k and s that satisfy: k(A + s) ∼ = 1 (mod e) such that |s| < e 0.5 and |k| < e δ (66) The reason for the name of the problem is that, in some way, we are given an integer A and we are looking for a number close to it whose inverse is small (mod e). If, for a given δ we can list all the solutions of this problem, then one of them will reveal the true value of s and therefore allow us to factor N This means that the RSA system is insecure when one uses a private exponent satisfying d < N δ for a value of δ for which we can solve the Small Inverse Problem efficiently. Thought it was Boneh and Durfee’s conviction that this problem can be solved for δ < 0.292, they could not prove this fact. The reason for this is that their solution to the small inverse problem, which is based on the LLL algorithm and Coppersmith’s results, requires Conjecture 1 . However, their attack does result in practice and for this reason a decryption exponent δ < 0.292 should be 49
avoided. It should be noted that, on their work, Boneh and Durfee claim their conviction that the small inverse problem can solved even for δ < 0.5. Blomer and May[3], based on the Boneh-Durfee attack, presented a new heuristic attack for solving the small inverse problem for δ < 0.290. Though they do not improve the previous existing bound, their attack is simpler to analyse. Their main result, again dependant on Conjecture 1, is presented now. This is the general result, where the encryption exponent e is not assumed to be of the same magnitude of N, that is, α = 1. Theorem 30. For every ɛ > 0, there exists an N0 such that for every N > N0 the following holds: Let N = pq be an RSA modulus and p, q balanced primes, e = N α the encryption exponent and d = N δ its corresponding decryption exponent defined modulo φ(N) such that δ < 2 5 − 3 5 1 α + 4α2 − 2α + 4 − ɛ. 5 Then N can be factored in time polynomial in log(N), provided that Conjecture 1 holds. We can see that setting α = 1 yields the bound δ < 0.29. 50
Page 1 and 2:
A Survey of Cryptanalytic Attacks o
Page 3 and 4:
Palavras Chave: RSA, criptanálise,
Page 5 and 6: Contents 1 Introduction 1 1.1 Crypt
Page 7 and 8: List of Tables 1 Notation . . . . .
Page 9 and 10: messages, Alice and Bob needed a se
Page 11 and 12: key, have lead to restrictions over
Page 13 and 14: 1.5.2 Time Complexity In cryptograp
Page 15 and 16: Definition 8. Given an integer N >
Page 17 and 18: If we want to solve a system of lin
Page 19 and 20: 1.5.5 Continued Fractions The conti
Page 21 and 22: 1.6 RSA Definition We are now in co
Page 23 and 24: calculates these roots (though, as
Page 25 and 26: not the case regarding RSA as we ha
Page 27 and 28: 1.8.3 Common Prime RSA For the Comm
Page 29 and 30: So if we use contrapositive of this
Page 31 and 32: The consequence of this theorem is
Page 33 and 34: 2.1.4 AKS Test In 2004, a major bre
Page 35 and 36: We will begin with an old method cr
Page 37 and 38: Theorem 18. Let N > 1 be an integer
Page 39 and 40: e reduced. Regarding the GNFS, it s
Page 41 and 42: factorization of N. That is, each u
Page 43 and 44: Table 3: DeLaurentis Attack’s Exp
Page 45 and 46: Notice that gi(m) ∼ = 0 (mod Ni)
Page 47 and 48: ecovery exponent l to reveal the pl
Page 49 and 50: y fN(x) = 2 −k1e ((m22 k2 + x2 k1
Page 51 and 52: Theorem 25. Let two plain texts m1,
Page 53 and 54: Theorem 28. Given an RSA modulus N
Page 55: increment m by one and start again.
Page 59 and 60: 5 Bibliography [1] Kamilah Abdullah
Page 61 and 62: [27] Arjen K. Lenstra, Primality Te
Page 63 and 64: A Implementations of the attacks fr
Page 65 and 66: q = RandomPrime[{2∧ (nbits − 1)
Page 67 and 68: While[i ≤ 23, n0 = Min[n0, nlist[
Page 69 and 70: B Implementations of the attacks fr
Page 71 and 72: C Implementation of Wiener’s atta
show all

dissertacao.pdf

Create successful ePaper yourself

Delete template?

Save as template?