Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

91 5.3 MSB Case: Our Method and its Analysis Let us split X ′ = 2 H X 0 + X 1 . Then, clearly X = 2 H X 0 + (X 1 + Y). The addition of Y < 2 H affects the lower part X 1 directly and the carry from the sum (X 1 +Y) affects the first half X 0 up to a certain level. Our goal is to find out the probability that the carry affects less than or equal to t bits of X 0 from the lower side. Let us assume that the probability of (X 1 +Y) generating a carry bit is p c . We also know that this carry bit will propagate through the lower bits of X 0 until it hits a 0, and we can assume any bit of X 0 to be 0 or 1 randomly with equal probabilities of 1/2 each. Then, the probability of the carry bit to propagate less than or equal to t bits of X 0 from the lower side is P[carry propagation ≤ t] t∑ = P[no carry]+ P[carry]·P[carry propagation = i] = P[no carry]+ = (1−p c )+ t∑ i=1 i=1 t∑ P[carry]·P[first 0 occurs at i-th LSB of X 0 ] i=1 p c · 1 2 i = 1− p c 2 t. Now, one may expect the probability of carry generated from the sum (X 1 +Y) to be p c ≈ 1/2. A careful statistical modelling of the difference Y will reveal a better estimate of p c . As we do not assume any distribution of Y here, we consider the trivial bound p c ≤ 1. Thus the probability of X and X 0 , and hence X and X ′ , sharing l X −H −t many MSBs is 1− pc 2 t ≥ 1− 1 2 t . At this point, we can state and prove the main result of this section, the following theorem. Theorem 5.6. Let S = {0,...,T} and k = ⌊T/a⌋ is odd. Suppose U,V ⊆ S such that U = {0,...,a}∪{2a−t,...,3a}∪···∪{(k −1)a−t,...,ka}, V = {a−t,...,2a}∪{3a−t,...,4a}∪···∪{ka−t,...,T}, where p[i]’s are known for i ∈ U and q[j]’s are known for j ∈ V, as discussed before. Then, Algorithm 8 reconstructs T many contiguous most significant bits of one of the primes correctly in O(k) steps with probability at least P a,t (T) = ( 1− 1 2 t ) ⌊T/a⌋. Proof. The success of Algorithm 8 relies on the correct construction of the approximations at various levels. The CORRECT function produces correct approximations with probability 1 given the known sets of bits U,V, as mentioned
Chapter 5: Reconstruction of Primes given few of its Bits 92 before. Hence, success probability of Algorithm 8 depends on the correctness of {q a−t−1 ,p 2a−t−1 ,q 3a−t−1 ,...,p (k−1)a−t−1 ,q ka−t−1 }. Let us first consider the case p > q. We know that in such a case, as p,q are of the same bitsize, one must have √ N/2 < q < √ N of p, sharing the MSBs {0,...,ha} for some 1 ≤ h ≤ k. In this case, |p − p ha | < 2 lp−ha . Using p ha , one constructs ∣ an approximation q ′ = ⌈N/p ha ⌉ of q. Then we have |q − q ′ | ≈ ∣ N − N ∣∣ p p ha = N pp ha |p−p ha | < |p−p ha | < 2 lp−ha , as p,p ha > √ N. If p ha < √ N from the initial approximation, we reassign p ha = ⌈ √ N⌉ as a better approximation to p. The case p < q produces an approximation q ′ of q with |q −q ′ | < 2|p−p ha | < 2 lp−ha+1 . Then, we know for sure that |q −q ′ | < 2 lp−ha+1 . Thus, by Lemma 5.5, setting H = l p −ha+1, we get that q and q ′ share the first l p −(l p −ha+1)−t = ha−t−1 MSBs with probability at least P t = 1− 1 2 t . In other words, the probability that q ′ correctly represents q ha−t−1 is at least P t = 1− 1 2 t . The probability of correctness is the same in case of the approximations of p by p ga−t−1 for all 1 < g < k. Now, the k approximations of p,q at different bit levels, as mentioned above, can be considered independent. Hence, the probability of success of Algorithm 8 in constructing T many contiguous MSBs of q (or p in another case) is at least P a,t = Pt k = ( ) 1− 1 k ( ) 2 = 1− 1 ⌊T/a⌋. t 2 t Once the most significant half of any one of the primes is known using Algorithm 8, one may use a lattice based method of to factorize N = pq. In this context, let us present the following result for factoring the RSA modulus N using Algorithm 8. Corollary 5.7. Let S = {0,...,l N /4} and k = ⌊l N /4a⌋ is odd. Suppose U,V ⊆ S such that U = {0,...,a}∪{2a−t,...,3a}∪···∪{(k −1)a−t,...,ka}, V = {a−t,...,2a}∪{3a−t,...,4a}∪···∪{ka−t,...,l N /4}, where p[i]’s are known for i ∈ U and q[j]’s are known for j ∈ V, as discussed before. Then, one can factor N in poly(logN) time with probability at least P a,t = ( 1− 1 2 t ) ⌊lN /4a⌋ . Proof. By setting T = l N /4 in Theorem 5.6 we obtain that Algorithm 8 is able to recover contiguous l N /4 many MSBs of one of the primes p,q in O(l N /4) steps with probability at least P a,t = ( 1− 1 2 t ) ⌊lN /4a⌋ . Since one call of CORRECT costs O(l N ), thus the total time complexity is O(log 2 N).
Page 1:
some results on Cryptanalysis of RS
Page 5 and 6:
Abstract In this thesis, we propose
Page 7 and 8:
Acknowledgements There are many peo
Page 9:
To Thaakuma (Grandmother), the firs
Page 12 and 13:
2.3.7 Small Decryption Exponent Att
Page 14 and 15:
7.4 The General Solution for EPACDP
Page 17 and 18:
List of Figures 1.1 Communication o
Page 19 and 20:
Chapter 1: Introduction 2 The motiv
Page 21 and 22:
Chapter 1: Introduction 4 there is
Page 23 and 24:
Chapter 1: Introduction 6 Discrete
Page 25 and 26:
Chapter 1: Introduction 8 Chapter 5
Page 28 and 29:
Chapter 2 Mathematical Preliminarie
Page 30 and 31:
13 2.2 RSA Cryptosystem are impleme
Page 32 and 33:
15 2.2 RSA Cryptosystem • private
Page 34 and 35:
17 2.2 RSA Cryptosystem istic prima
Page 36 and 37:
19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39:
21 2.2 RSA Cryptosystem integer x <
Page 40 and 41:
23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43:
25 2.3 Cryptanalysis of RSA The att
Page 44 and 45:
27 2.4 Lattice and LLL Algorithm No
Page 46 and 47:
29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49:
31 2.5 Solving Modular Polynomials
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
39 2.6 Solving Integer Polynomials
Page 58 and 59: 41 2.6 Solving Integer Polynomials
Page 60 and 61: 43 2.7 Analysis of the Root Finding
Page 62: 45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66: Chapter 3: A class of Weak Encrypti
Page 81 and 82: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93: Chapter 5 Reconstruction of Primes
Page 94 and 95: 77 5.1 LSB Case: Combinatorial Anal
Page 102 and 103: 85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105: 87 5.3 MSB Case: Our Method and its
Page 112 and 113: Chapter 6 Implicit Factorization In
Page 114 and 115: 97 6.1 Implicit Factoring of Two La
Page 116 and 117: 99 6.1 Implicit Factoring of Two La
Page 118 and 119: 101 6.1 Implicit Factoring of Two L
Page 124 and 125: 107 6.2 Two Primes with Shared Cont
Page 126 and 127: 109 6.2 Two Primes with Shared Cont
Page 128 and 129: 111 6.3 Exposing a Few MSBs of One
Page 130 and 131: 113 6.3 Exposing a Few MSBs of One
Page 132 and 133: Chapter 7 Approximate Integer Commo
Page 134 and 135: 117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137: 119 7.2 Finding Smooth Integers in
Page 138 and 139: 121 7.3 Extension of Approximate Co
Page 140 and 141: 123 7.4 The General Solution for EP
Page 150 and 151: 133 7.5 Sublattice and Generalized
Page 156 and 157: 139 7.6 Improved Results for Larger
Page 158 and 159:
141 7.6 Improved Results for Larger
Page 160 and 161:
143 7.7 EGACDP The approach in this
Page 162 and 163:
145 7.7 EGACDP Sinceinthiscasethema
Page 164:
147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168:
Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170:
Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172:
Chapter 8: Conclusion 154 represent
Page 173 and 174:
Chapter 8: Conclusion 156 Final Wor
Page 175 and 176:
BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178:
BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180:
BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182:
BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184:
BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185:
BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?