Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
145 7.7 EGACDP<br />
SinceinthiscasethematrixcorrespondingtothelatticeLisnotsquare, finding<br />
det(L) may not be easy for general k. Further, for large k, dimension <strong>of</strong> L will be<br />
very large.<br />
7.7.2 Method II<br />
Here we follow the idea <strong>of</strong> Section 7.6. We have<br />
ã 1 = gq 1 − ˜x 1 ,<br />
ã 2 = gq 2 − ˜x 2 ,<br />
.<br />
ã k = gq k − ˜x k ,<br />
where ã 1 ,...,ã k are known and ã i ≈ a for 1 ≤ i ≤ k. Suppose, ˜x i ≈ a β for<br />
1 ≤ i ≤ k and g ≈ a 1−α . Then q i ≈ a α for i ∈ [1,k]. Let us construct<br />
⎛<br />
⎞<br />
2 ρ ã 2 ã 3 ... ã k<br />
0 −ã<br />
M =<br />
1 0 ... 0<br />
⎜<br />
⎝ . . .<br />
...<br />
⎟<br />
. ⎠<br />
0 0 0 ... −ã 1<br />
where 2 ρ ≈ 2˜x 1 . One can note that (q 1 ,q 2 ,...,q k ) · M = (2 ρ q 1 ,˜x 1 q 2 −<br />
q 1˜x 2 ,...,˜x 1 q k −q 1˜x k ) = b, say. It can be checked that<br />
||b|| < 2 √ ka α+β . (7.31)<br />
Moreover, |det(M)| = 2 ρ (ã 1 ) k−1 ≈ 2a β+k−1 . FollowingMinkowski’stheorem, there<br />
is a vector v in the lattice L corresponding to M such that<br />
||v|| < √ k2 1 k a<br />
β+k−1<br />
k . (7.32)<br />
Under Assumption 2 (Section 7.6), and from (7.31) and (7.32), one can obtain b<br />
from L if<br />
a α+β < a β+k−1<br />
k<br />
⇔ β < 1− k<br />
k −1 α,