Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

119 7.2 Finding Smooth Integers in a Short Interval Let us denote the n-th prime by p n , e.g., p 1 = 2,p 2 = 3 and so on. Suppose we want to find a strongly B smooth integer N in the interval [U,V]. Now let us present our main result of this section. Theorem 7.5. Let S = ∏ n i=1 pa i i where a i = ⌊ logB logp i ⌋ and p 1 ,...,p n are all distinct primes not exceeding B. Let I = [U,V]. One can find all strongly B smooth integers N ∈ I for which gcd(N,S) > d in poly(logS) time when |I| < 2d logd logS and V < 2d. Proof. WewilltrytofindN suchthatgcd(N,S) > d. Letustaketakea 0 = ⌊ U+V 2 ⌋. We consider a 0 as an approximation of N. Thus we will try to find the GCD of S,N, by knowing S exactly and some approximation of N, which is a 0 (but N is notknown). HerewefollowtheideaofsolvingthePartiallyApproximateCommon Divisor Problem (PACDP) as explained in [61]. Let x 0 = N − a 0 . We want to calculate x 0 from a 0 ,S. Assume X = d β is an upper bound of x 0 . Let S = d δ . Using the same approach as in the proof of Theorem 7.10, we get the condition as (m+t)(m+t+1) 2 β + m(m+1) δ < m(m+t+1). (7.6) 2 Let t = τm. Then neglecting the terms of o(m 2 ) we can rewrite (7.6) as β 2 τ2 +(β −1)τ + β 2 + δ −1 < 0. (7.7) 2 Now, the optimal value of τ to minimize the left hand side of (7.7) is 1−β . Putting β this optimal value in (7.7), we get β < 1 logS . Now δ = . So x δ logd 0 should be less than d logd logS . Thus, we get x 0 and hence N in poly(logS) time. As, V < 2d, we have N < 2d (since U ≤ N ≤ V). When gcd(N,S) > d, then gcd(N,S) = N as N < 2d. Hence N divides S, i.e., N is strongly B smooth. Our strategy exploits the solution of Partially Approximate Common Divisor Problem (PACDP) presented in [61]. That, all such strongly B smooth numbers will be available, follows from [61, Algorithm 12, Page 53] as in that case all the common divisors are reported. Asymptotically, our result is 8 times better than that of [12, Theorem 3.1],
Chapter 7: Approximate Integer Common Divisor Problem 120 as that bound was |I| < 1 4 d logd logS . In Table 7.2, we present a few experimental results, where we find improved outcomes (in terms of execution time) using our strategy than that of [12]. We have implemented the ideas of [12] for experimental comparison. In the table, LD denotes Lattice Dimension, and the time denotes the Lattice reduction time. One should also note that the method of [12] requires the implementation of CRT on several primes, which is not included in the time mentioned in Table 7.2. Our strategy, using the idea of [61], does not require such computation. B log 2 d log 2 (V −U) LD (Our), Time (sec.) LD ([12]), Time (sec.) 1000 450 130 36, 15.51 32, 21.33 1000 496 156 29, 3.77 26, 8.06 1000 496 161 45, 36.88 41, 64.71 Table 7.2: Comparison of our experimental results with that of [12]. We have implemented the ideas of [12] for the comparison. LD denotes lattice dimension. Note that finding smooth integers in an interval was also discussed in [84] consideringasimilarideaoflatticeconstruction. However,wearriveatthesolution following the PACDP. 7.3 Extension of Approximate Common Divisor Problem Let us now describe the generalized version of PACDP [61]. We name this version the Extended Partially Approximate Common Divisor Problem (EPACDP). Problem Statement 1. EPACDP. Let a,a 1 ,a 2 ,...,a k be large integers (of same bitsize) and g = gcd(a 1 ,a 2 ,...,a k ), for k ≥ 2. Consider that ã 2 ,...,ã k are the approximations of a 2 ,...,a k respectively, and ã 2 ,...,ã k are of same bitsize too. Suppose that a 2 = ã 2 + ˜x 2 ,...,a k = ã k + ˜x k . The goal is to find ˜x 2 ,...,˜x k from the knowledge of a 1 ,ã 2 ,...,ã k . The integer a is referred to in EPACDP as the representative element of the same bit size as a 1 ,a 2 ,...,a k . This ‘a’ will be used frequently throughout this chapter, mainly in calculating the time complexities. Similarly, we also consider N to be the representative integer of the same bitsize as N 1 ,N 2 ,...,N k .
Page 1:
some results on Cryptanalysis of RS
Page 5 and 6:
Abstract In this thesis, we propose
Page 7 and 8:
Acknowledgements There are many peo
Page 9:
To Thaakuma (Grandmother), the firs
Page 12 and 13:
2.3.7 Small Decryption Exponent Att
Page 14 and 15:
7.4 The General Solution for EPACDP
Page 17 and 18:
List of Figures 1.1 Communication o
Page 19 and 20:
Chapter 1: Introduction 2 The motiv
Page 21 and 22:
Chapter 1: Introduction 4 there is
Page 23 and 24:
Chapter 1: Introduction 6 Discrete
Page 25 and 26:
Chapter 1: Introduction 8 Chapter 5
Page 28 and 29:
Chapter 2 Mathematical Preliminarie
Page 30 and 31:
13 2.2 RSA Cryptosystem are impleme
Page 32 and 33:
15 2.2 RSA Cryptosystem • private
Page 34 and 35:
17 2.2 RSA Cryptosystem istic prima
Page 36 and 37:
19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39:
21 2.2 RSA Cryptosystem integer x <
Page 40 and 41:
23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43:
25 2.3 Cryptanalysis of RSA The att
Page 44 and 45:
27 2.4 Lattice and LLL Algorithm No
Page 46 and 47:
29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49:
31 2.5 Solving Modular Polynomials
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
39 2.6 Solving Integer Polynomials
Page 58 and 59:
41 2.6 Solving Integer Polynomials
Page 60 and 61:
43 2.7 Analysis of the Root Finding
Page 62:
45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66:
Chapter 3: A class of Weak Encrypti
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Chapter 4: Cryptanalysis of RSA wit
Page 83 and 84:
Chapter 4: Cryptanalysis of RSA wit
Page 85 and 86: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93: Chapter 5 Reconstruction of Primes
Page 94 and 95: 77 5.1 LSB Case: Combinatorial Anal
Page 102 and 103: 85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105: 87 5.3 MSB Case: Our Method and its
Page 112 and 113: Chapter 6 Implicit Factorization In
Page 114 and 115: 97 6.1 Implicit Factoring of Two La
Page 116 and 117: 99 6.1 Implicit Factoring of Two La
Page 118 and 119: 101 6.1 Implicit Factoring of Two L
Page 124 and 125: 107 6.2 Two Primes with Shared Cont
Page 126 and 127: 109 6.2 Two Primes with Shared Cont
Page 128 and 129: 111 6.3 Exposing a Few MSBs of One
Page 130 and 131: 113 6.3 Exposing a Few MSBs of One
Page 132 and 133: Chapter 7 Approximate Integer Commo
Page 134 and 135: 117 7.1 Finding q −1 mod p ≡ Fa
Page 138 and 139: 121 7.3 Extension of Approximate Co
Page 140 and 141: 123 7.4 The General Solution for EP
Page 150 and 151: 133 7.5 Sublattice and Generalized
Page 156 and 157: 139 7.6 Improved Results for Larger
Page 158 and 159: 141 7.6 Improved Results for Larger
Page 160 and 161: 143 7.7 EGACDP The approach in this
Page 162 and 163: 145 7.7 EGACDP Sinceinthiscasethema
Page 164: 147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168: Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170: Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172: Chapter 8: Conclusion 154 represent
Page 173 and 174: Chapter 8: Conclusion 156 Final Wor
Page 175 and 176: BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178: BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180: BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182: BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184: BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185: BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?