Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Chapter 8: Conclusion 150<br />
Chapter 3: Class <strong>of</strong> Weak Encryption Exponents<br />
Blömer and May [9] have shown that N can be factored in polynomial time if<br />
the public exponent e satisfies ex+y ≡ 0 (mod φ(N)), with x ≤ 1 3 N 1 4 and |y| =<br />
O(N −3 4ex). Someextensionsconsideringthedifferencep−q havealsobeenstudied.<br />
The number <strong>of</strong> such weak keys has been estimated as N 3 4 −ǫ . In a similar direction,<br />
more weak keys are presented by Nitaj [96]. Nitaj proved that [ if e satisfies ] eX −<br />
(p−u)(q −v)Y = 1 with 1 ≤ Y < X < 2 −1 4N 4, 1 |u| < N 1 4, v = − qu , and if all<br />
p−u<br />
the prime factors <strong>of</strong> p−u or q−v are less than 10 50 , then N can be factored from<br />
the knowledge <strong>of</strong> N,e. The number <strong>of</strong> such weak exponents is estimated as N 1 2 −ǫ .<br />
We concentrate on the cases when e(= N α ) satisfies eX − ZY = 1, given<br />
|N −Z| = N τ . Using the idea <strong>of</strong> Boneh and Durfee [14,15], we show that the LLL<br />
algorithm can be efficiently applied to get Z when |Y| = N γ and<br />
γ < 4ατ<br />
⎛ √ (<br />
⎝ 1<br />
4τ + 1 1<br />
12α − 4τ + 1 ) 2<br />
+ 1<br />
12α 2ατ<br />
( 1<br />
12 + τ<br />
24α − α ) ⎞ ⎠.<br />
8τ<br />
This idea substantially extends the class <strong>of</strong> weak keys presented in [96] when Z =<br />
ψ(p,q,u,v) = (p−u)(q −v). Further, we consider Z = ψ(p,q,u,v) = N −pu−v<br />
to provide a new class <strong>of</strong> weak keys in <strong>RSA</strong>. This idea does not require any kind<br />
<strong>of</strong> factorization as in [96]. A very conservative estimate for the number <strong>of</strong> such<br />
weak exponents is N 0.75−ǫ , where ǫ > 0 is arbitrarily small for suitably large N.<br />
Chapter 4: More than one Decryption Exponent<br />
From the results <strong>of</strong> Howgrave-Graham et al [62] and Hinek et al [55] we know<br />
that in the presence <strong>of</strong> n many decryption exponents, one can factor N when the<br />
decryption exponents d i < N δ , for 1 ≤ i ≤ n, where<br />
δ <<br />
⎧<br />
⎪⎨<br />
⎪⎩<br />
{ }<br />
(2n+1)·2 n −(2n+1)( n min<br />
2<br />
)<br />
(2n−2)·2 n +(4n+2)( n 2<br />
) ,0.5<br />
min<br />
{ (2n+1)·2 n −4n·( n−1<br />
n−1<br />
)<br />
2<br />
(2n−2)·2 n +8n·( n−1<br />
n−1<br />
2 ),0.5 }<br />
if n is even<br />
if n is odd<br />
We improved this bound by showing that if n many decryption exponents<br />
(d 1 ,...,d n ) are used with the same N, then <strong>RSA</strong> is insecure when d i < N 3n−1<br />
4n+4 , for