Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

111 6.3 Exposing a Few MSBs of One Prime 9864355429485398257581885621415132927137653573 and 5984825641870931585823382220962926344220670532554403933352105675571066 6727036032597303235163473076823311343759215354840931554536631098033574 6996932026050432396316389068925325234493940473852769406714934240353469 4186411407834893900732303380146620012528421339. Note that, p 1 ,p 2 share middle 504 many bits (leaving 177 bits from the least significant side). Further, q 1 ,q 2 are 150-bit primes 1038476608131498405684472704928794724111541861 and 1281887704228770097092001008195142506836912053 respectively. Given N 1 ,N 2 , with only the implicit information, we can factorize both of them efficiently. We use lattice of dimension 70 (parameters m = 1,t 1 = 1,t 2 = 1) and the lattice reduction takes 175.83 seconds. Referring to Theorems 6.1,6.10 together, one may be tempted to consider the case that a few contiguous intervals of bits are same in p 1 ,p 2 . However, in such a scenario, the polynomials contain increased number of variables as well as monomials. Thus, encouraging results cannot be obtained in this method. 6.3 Exposing a Few MSBs of One Prime In this section we study what actually happens when a few bits of q 1 or q 2 gets exposed. Without loss of generality, consider that a few MSBs of q 2 are available. In this case, q 2 can be written as q 20 + q 21 , where q 20 is known and it takes care of the higher order bits of q 2 . In such a case we can generalize Theorem 6.1 as follows. We do not write the proof as it is similar to that of Theorem 6.1. Theorem 6.13. Let N 1 = p 1 q 1 and N 2 = p 2 q 2 , where p 1 ,q 1 ,p 2 ,q 2 are primes. Let q 1 ,q 2 ≈ N α . Suppose q 20 is known such that |q 2 − q 20 | ≤ N δ . Consider that γ 1 log 2 N many MSBs and γ 2 log 2 N many LSBs of p 1 ,p 2 are same. Let β = 1−α−γ 1 −γ 2 . Under Assumption 1, one can factor N 1 ,N 2 in polynomial time if −18δ 2 −12δα−2α 2 −20δβ +4αβ −2β 2 +24δ +8α+ 40 β −8 < 0, 3 provided 1− 3 2 β − α 2 − 3 2 δ ≥ 0.
Chapter 6: Implicit Factorization 112 Remark 6.14. If one puts δ = α in Theorem 6.13, then the statement of Theorem 6.1 appears immediately. Since a few MSBs of q 2 are known, we have δ < α. So we get increased upper bound on β here than the bound of β in Theorem 6.1. This has two implications: 1. Knowing few MSBs of q 2 requires less number of bits to be shared in p 1 ,p 2 . 2. Keeping the same number of bits to be shared, knowing few MSBs of q 2 may increase the bound on α. Now we summarize the effect of knowing a few bits of q 2 in Table 6.5. We like to refer Example 6.8 (presented in Section 6.1.3) for the corresponding case when none of the bits of q 2 is known. Examples 6.15, 6.16 consider the cases when a few MSBs of q 2 are known. Example l qi MSBs known in q 2 l pi Number of shared LSBs in p 1 ,p 2 Example 6.8 350 None 650 531 Example 6.15 350 30 650 524 Example 6.16 360 30 640 531 Table 6.5: Effect of knowing a few MSBs of q 2 . Example 6.15. In this experiment, we consider 650-bit primes p 1 and p 2 2775767775790591046985561869233542957775274354805022086049845364080279 5440244280573885472845851243011213318288730705557808640463498077884662 12373756028939921330525120578684995831943366630235878261 and 3801183388452299712401650983522590415108473350487714213507812938100060 4705988087731376063723045978466857969967252244163227348367433438951447 21500290301718857429556533325996125827735316520359080821. Note that, p 1 ,p 2 share 524 many LSBs. Further, q 1 ,q 2 are 350-bit primes 2209314625764053417894986194593494065883964634454958947790531142197386 120832336613378820991430378869014127 and 2204557440995913372286125950717602197195022637415287838524947867913051 465973479416134708098578709098671857 respectively. Given N 1 ,N 2 , with the implicit information and 30 MSBs of q 2 , we can factorize both of them efficiently. We use lattice of dimension 105 and the lattice reduction takes 12889.92 seconds.
Page 1:
some results on Cryptanalysis of RS
Page 5 and 6:
Abstract In this thesis, we propose
Page 7 and 8:
Acknowledgements There are many peo
Page 9:
To Thaakuma (Grandmother), the firs
Page 12 and 13:
2.3.7 Small Decryption Exponent Att
Page 14 and 15:
7.4 The General Solution for EPACDP
Page 17 and 18:
List of Figures 1.1 Communication o
Page 19 and 20:
Chapter 1: Introduction 2 The motiv
Page 21 and 22:
Chapter 1: Introduction 4 there is
Page 23 and 24:
Chapter 1: Introduction 6 Discrete
Page 25 and 26:
Chapter 1: Introduction 8 Chapter 5
Page 28 and 29:
Chapter 2 Mathematical Preliminarie
Page 30 and 31:
13 2.2 RSA Cryptosystem are impleme
Page 32 and 33:
15 2.2 RSA Cryptosystem • private
Page 34 and 35:
17 2.2 RSA Cryptosystem istic prima
Page 36 and 37:
19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39:
21 2.2 RSA Cryptosystem integer x <
Page 40 and 41:
23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43:
25 2.3 Cryptanalysis of RSA The att
Page 44 and 45:
27 2.4 Lattice and LLL Algorithm No
Page 46 and 47:
29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49:
31 2.5 Solving Modular Polynomials
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
39 2.6 Solving Integer Polynomials
Page 58 and 59:
41 2.6 Solving Integer Polynomials
Page 60 and 61:
43 2.7 Analysis of the Root Finding
Page 62:
45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66:
Chapter 3: A class of Weak Encrypti
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78: Chapter 3: A class of Weak Encrypti
Page 79 and 80: Chapter 3: A class of Weak Encrypti
Page 81 and 82: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93: Chapter 5 Reconstruction of Primes
Page 94 and 95: 77 5.1 LSB Case: Combinatorial Anal
Page 102 and 103: 85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105: 87 5.3 MSB Case: Our Method and its
Page 112 and 113: Chapter 6 Implicit Factorization In
Page 114 and 115: 97 6.1 Implicit Factoring of Two La
Page 116 and 117: 99 6.1 Implicit Factoring of Two La
Page 118 and 119: 101 6.1 Implicit Factoring of Two L
Page 124 and 125: 107 6.2 Two Primes with Shared Cont
Page 126 and 127: 109 6.2 Two Primes with Shared Cont
Page 130 and 131: 113 6.3 Exposing a Few MSBs of One
Page 132 and 133: Chapter 7 Approximate Integer Commo
Page 134 and 135: 117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137: 119 7.2 Finding Smooth Integers in
Page 138 and 139: 121 7.3 Extension of Approximate Co
Page 140 and 141: 123 7.4 The General Solution for EP
Page 150 and 151: 133 7.5 Sublattice and Generalized
Page 156 and 157: 139 7.6 Improved Results for Larger
Page 158 and 159: 141 7.6 Improved Results for Larger
Page 160 and 161: 143 7.7 EGACDP The approach in this
Page 162 and 163: 145 7.7 EGACDP Sinceinthiscasethema
Page 164: 147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168: Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170: Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172: Chapter 8: Conclusion 154 represent
Page 173 and 174: Chapter 8: Conclusion 156 Final Wor
Page 175 and 176: BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178: BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180:
BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182:
BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184:
BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185:
BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?