Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

145 7.7 EGACDP SinceinthiscasethematrixcorrespondingtothelatticeLisnotsquare, finding det(L) may not be easy for general k. Further, for large k, dimension of L will be very large. 7.7.2 Method II Here we follow the idea of Section 7.6. We have ã 1 = gq 1 − ˜x 1 , ã 2 = gq 2 − ˜x 2 , . ã k = gq k − ˜x k , where ã 1 ,...,ã k are known and ã i ≈ a for 1 ≤ i ≤ k. Suppose, ˜x i ≈ a β for 1 ≤ i ≤ k and g ≈ a 1−α . Then q i ≈ a α for i ∈ [1,k]. Let us construct ⎛ ⎞ 2 ρ ã 2 ã 3 ... ã k 0 −ã M = 1 0 ... 0 ⎜ ⎝ . . . ... ⎟ . ⎠ 0 0 0 ... −ã 1 where 2 ρ ≈ 2˜x 1 . One can note that (q 1 ,q 2 ,...,q k ) · M = (2 ρ q 1 ,˜x 1 q 2 − q 1˜x 2 ,...,˜x 1 q k −q 1˜x k ) = b, say. It can be checked that ||b|| < 2 √ ka α+β . (7.31) Moreover, |det(M)| = 2 ρ (ã 1 ) k−1 ≈ 2a β+k−1 . FollowingMinkowski’stheorem, there is a vector v in the lattice L corresponding to M such that ||v|| < √ k2 1 k a β+k−1 k . (7.32) Under Assumption 2 (Section 7.6), and from (7.31) and (7.32), one can obtain b from L if a α+β < a β+k−1 k ⇔ β < 1− k k −1 α,
Chapter 7: Approximate Integer Common Divisor Problem 146 neglecting the terms 2 and 2 1 k. With the knowledge of b, one can find q 1 , from which g is obtained if |˜x 1 | ≤ q 1 . So we need 1− k k −1 α ≤ α ⇒ α ≥ k −1 2k −1 . The running time is determined by the time to calculate a shortest vector in L which is polynomial in loga but exponential in k. Thus, we get the following result. Theorem 7.16. Consider EGACDP with g ≈ a 1−α and ˜x 1 ≈ ˜x 2 ≈ ··· ≈ ˜x k ≈ a β . Then, under Assumption 2, one can solve EGACDP in poly{loga,exp(k)} time when provided that α ≥ k−1 2k−1 . β < 1− k α, (7.33) k −1 7.7.3 Experimental Results In this section we present a few experimental results for both the methods, as shown in Table 7.8. When k = 3 and 1−α = 0.25, we have 1− k α < 0. In such k−1 a situation one can not get results using Method II, but Method I will succeed. For example, Method I succeeds given 250-bit g for k = 3,4, whereas Method II does not provide results in such cases. Results using Method I. k g error LD Time (in sec.) 3 250-bit 36-bit 31 11.72 3 500-bit 245-bit 31 2.85 4 250-bit 82-bit 65 210.91 4 500-bit 320-bit 65 63.04 Results using Method II. k g error LD Time (in sec.) 3 500-bit 249-bit 3 < 1 4 500-bit 331-bit 4 < 1 10 500-bit 441-bit 10 < 1 50 500-bit 487-bit 50 4.62 100 500-bit 490-bit 100 40.17 Table 7.8: EGACDP: Experimental results for 1000-bit a. For large values of k, we can not perform experiments corresponding to Method I due to high lattice dimensions. Theorem 7.16 states that the time complexity is poly{loga,exp(k)}. However, under the assumption that “the shortest vector of the lattice L can be found by the LLL algorithm”, the complexity becomes
Page 1:
some results on Cryptanalysis of RS
Page 5 and 6:
Abstract In this thesis, we propose
Page 7 and 8:
Acknowledgements There are many peo
Page 9:
To Thaakuma (Grandmother), the firs
Page 12 and 13:
2.3.7 Small Decryption Exponent Att
Page 14 and 15:
7.4 The General Solution for EPACDP
Page 17 and 18:
List of Figures 1.1 Communication o
Page 19 and 20:
Chapter 1: Introduction 2 The motiv
Page 21 and 22:
Chapter 1: Introduction 4 there is
Page 23 and 24:
Chapter 1: Introduction 6 Discrete
Page 25 and 26:
Chapter 1: Introduction 8 Chapter 5
Page 28 and 29:
Chapter 2 Mathematical Preliminarie
Page 30 and 31:
13 2.2 RSA Cryptosystem are impleme
Page 32 and 33:
15 2.2 RSA Cryptosystem • private
Page 34 and 35:
17 2.2 RSA Cryptosystem istic prima
Page 36 and 37:
19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39:
21 2.2 RSA Cryptosystem integer x <
Page 40 and 41:
23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43:
25 2.3 Cryptanalysis of RSA The att
Page 44 and 45:
27 2.4 Lattice and LLL Algorithm No
Page 46 and 47:
29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49:
31 2.5 Solving Modular Polynomials
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
39 2.6 Solving Integer Polynomials
Page 58 and 59:
41 2.6 Solving Integer Polynomials
Page 60 and 61:
43 2.7 Analysis of the Root Finding
Page 62:
45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66:
Chapter 3: A class of Weak Encrypti
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Chapter 4: Cryptanalysis of RSA wit
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 92 and 93:
Chapter 5 Reconstruction of Primes
Page 94 and 95:
77 5.1 LSB Case: Combinatorial Anal
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105:
87 5.3 MSB Case: Our Method and its
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113: Chapter 6 Implicit Factorization In
Page 114 and 115: 97 6.1 Implicit Factoring of Two La
Page 116 and 117: 99 6.1 Implicit Factoring of Two La
Page 118 and 119: 101 6.1 Implicit Factoring of Two L
Page 124 and 125: 107 6.2 Two Primes with Shared Cont
Page 126 and 127: 109 6.2 Two Primes with Shared Cont
Page 128 and 129: 111 6.3 Exposing a Few MSBs of One
Page 130 and 131: 113 6.3 Exposing a Few MSBs of One
Page 132 and 133: Chapter 7 Approximate Integer Commo
Page 134 and 135: 117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137: 119 7.2 Finding Smooth Integers in
Page 138 and 139: 121 7.3 Extension of Approximate Co
Page 140 and 141: 123 7.4 The General Solution for EP
Page 150 and 151: 133 7.5 Sublattice and Generalized
Page 156 and 157: 139 7.6 Improved Results for Larger
Page 158 and 159: 141 7.6 Improved Results for Larger
Page 160 and 161: 143 7.7 EGACDP The approach in this
Page 164: 147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168: Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170: Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172: Chapter 8: Conclusion 154 represent
Page 173 and 174: Chapter 8: Conclusion 156 Final Wor
Page 175 and 176: BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178: BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180: BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182: BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184: BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185: BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

Create successful ePaper yourself

Delete template?

Save as template?