Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Chapter 5: Reconstruction <strong>of</strong> Primes given few <strong>of</strong> its Bits 94<br />
Here, the theoretical bound on the probability with p c ≤ 1 is 44.9% whereas with<br />
p c = 0.5, the same bound comes as 67.9%. The experimental evidence <strong>of</strong> 66.7%<br />
is quite clearly closer to the second one. But we could not correctly estimate the<br />
value <strong>of</strong> p c and hence opted for a safe (conservative) margin.<br />
The results in italic font are <strong>of</strong> special interest. In these cases one can factorize<br />
N in poly(logN) time, with probability greater than 1 by knowing less than 70%<br />
2<br />
<strong>of</strong> the bits <strong>of</strong> both the primes combined, that is, by knowing approximately just<br />
35% <strong>of</strong> the bits <strong>of</strong> each prime p,q. Note that the result by Herrmann and May [51]<br />
requires about 70% <strong>of</strong> the bits <strong>of</strong> one <strong>of</strong> the primes in a similar case where the<br />
known bits are distributed over small blocks. Their result factorizes N in time<br />
exponential in the number <strong>of</strong> such blocks, whereas our method produces the same<br />
result in time polynomial in the number <strong>of</strong> blocks.<br />
5.4 Conclusion<br />
Our work discusses the factorization <strong>of</strong> <strong>RSA</strong> modulus N by reconstructing the<br />
primes from randomly known bits. The reconstruction method exploits the known<br />
bits to prune wrong branches <strong>of</strong> the search tree and reduces the total search space.<br />
We have revisited the work <strong>of</strong> Heninger and Shacham [50] in Crypto 2009 and<br />
provided a combinatorial model for the search where certain bits <strong>of</strong> the primes<br />
are known at random. This, combined with existing lattice based techniques,<br />
can factorize N given the knowledge <strong>of</strong> randomly chosen prime bits in the least<br />
significant halves <strong>of</strong> the primes. We also explain a lattice based strategy to remedy<br />
one <strong>of</strong> the shortcomings <strong>of</strong> the reconstruction algorithm. Moreover, we study how<br />
N canbefactoredgiventheknowledge<strong>of</strong>someblocks<strong>of</strong>bitsinthemostsignificant<br />
halves <strong>of</strong> the primes. We propose an algorithm that recovers the most significant<br />
halves <strong>of</strong> one or both the primes exploiting the known bits.<br />
Inthischapter, wehaveassumedtheknowledge<strong>of</strong>certainfraction <strong>of</strong>bits<strong>of</strong>the<br />
<strong>RSA</strong> primes. However, one may not have such an explicit information regarding<br />
the primes, but may gain certain implicit knowledge instead. In the next chapter,<br />
we discuss <strong>RSA</strong> factorization in the light <strong>of</strong> such an implicit knowledge about the<br />
<strong>RSA</strong> primes. This problem is aptly termed as the ‘implicit factorization problem’.