Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Chapter 7
Approximate Integer Common Divisor Problem

Given any two large integers a, b (without loss of generality, take a > b), one can
calculate gcd(a, b) efficiently in $O(\log^2 a)$ time using the well-known Euclidean Algorithm
[126, Page 169]. Howgrave-Graham [61] has shown that it is also possible
to calculate the GCD efficiently when some approximations of a, b are available.
This problem is referred to as the approximate common divisor problem in the literature.
As one important application of this problem, Howgrave-Graham [61]
showed that Okamoto's cryptosystem [98] is not secure. Using the idea of [61],
Coron and May [29] proved deterministic polynomial time equivalence of computing
the RSA secret key and factoring the RSA modulus. In this chapter, we first
present two applications of the approximate common divisor problem.

Application 1: For the first application, consider N = pq, where p, q are large primes
and p > q. In a recent paper [50] presented at Crypto 2009, it has been asked how
one can use $q^{-1} \bmod p$ towards factorization of N, as $q^{-1} \bmod p$ is stored as a part
of the secret key in PKCS #1 [99]. Using a lattice-based technique, we show that
factoring N is deterministic polynomial time equivalent to finding $q^{-1} \bmod p$.

Application 2: Next, we consider the problem of finding smooth integers in a small
interval [12,13]. Finding smooth numbers is important for application in
well-known factorization algorithms such as the quadratic sieve [100] and the number field
sieve [76]. We study the results of [12,13] and show that a slightly improved outcome
can be achieved using a different strategy following the idea of [61].
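
To make the approximate common divisor problem from the opening paragraph concrete, the following added example (not from the thesis) recovers a hidden divisor by exhaustive search over the error terms, first with one input exact and then with both inputs approximate. It is only a baseline whose cost grows with the error bound, not the lattice method of [61]; the function name, the bounds and all numeric values are constructed for illustration.

```python
from math import gcd


def approx_common_divisor(a0, b0, max_err_a, max_err_b, min_divisor):
    """Exhaustive search for an approximate common divisor.

    a0 = a + x and b0 = b + y are approximations of two integers a, b
    that share a large divisor. Every error pair with |x| <= max_err_a
    and |y| <= max_err_b is tried; the first pair for which
    d = gcd(a0 - x, b0 - y) >= min_divisor is returned as
    (x, y, d, trials). Returns None when no pair qualifies.
    """
    trials = 0
    for x in range(-max_err_a, max_err_a + 1):
        for y in range(-max_err_b, max_err_b + 1):
            trials += 1
            d = gcd(a0 - x, b0 - y)
            if d >= min_divisor:
                return x, y, d, trials
    return None


# Constructed toy instance (illustrative values, not from the thesis).
P = 1_000_003            # hidden common divisor
A = 1009 * P             # exact multiples of P
B = 1010 * P
A0 = A + 37              # what the solver is given: A with a small error
B0 = B - 11              # what the solver is given: B with a small error
MAX_ERR = 64             # assumed bound on each error
MIN_DIVISOR = 600_000    # assumed lower bound on the divisor's size


def demo():
    # One input exact (error bound 0 for b): a one-dimensional search.
    one_exact = approx_common_divisor(A0, B, MAX_ERR, 0, MIN_DIVISOR)
    # Both inputs approximate: the search space is squared.
    both_approx = approx_common_divisor(A0, B0, MAX_ERR, MAX_ERR, MIN_DIVISOR)
    return one_exact, both_approx


if __name__ == "__main__":
    for label, result in zip(("one input exact", "both approximate"), demo()):
        x, y, d, trials = result
        print(f"{label}: x={x}, y={y}, divisor={d}, gcd calls={trials}")
```

The number of gcd calls rises from 102 to 13083 when the second input also carries an error, which is why exhaustive search stops being practical as the error bound grows.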