Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Chapter 8: Conclusion 154<br />
representation is motivated by similar tables presented in [64, Page 44], and the<br />
results we present here extend the array <strong>of</strong> results provided in [64]. The reader<br />
may refer back to the respective sections to obtain the relevant details.<br />
8.3 Open Problems<br />
In this section, we propose a few open problems related to our work. These may<br />
lead to new interesting research topics in the related field.<br />
8.3.1 Weak Encryption Keys<br />
One may note that Blömer and May [9] and our work in Chapter 3 present a<br />
different classes <strong>of</strong> weak encryption exponents <strong>of</strong> cardinality N 0.75−ǫ . For fixed<br />
N, there are O(N) many encryption exponents e which are less than N. Hence<br />
most <strong>of</strong> the encryption exponents are not weak based on the current knowledge<br />
in this field. It is unknown whether there is a class <strong>of</strong> weak encryption exponents<br />
<strong>of</strong> cardinality substantially greater than N 0.75−ǫ . So, we have the following open<br />
problem.<br />
Problem 8.1. Is there any new class <strong>of</strong> weak encryption exponents <strong>of</strong> cardinality<br />
substantially greater than N 0.75−ǫ ?<br />
8.3.2 More than one Decryption Key<br />
Since the time complexity <strong>of</strong> the work <strong>of</strong> Howgrave-Graham and Seifert [62] as<br />
well as our approach in Chapter 4 are exponential in n, we can not get better<br />
experimental results for large n. Hence we have the following question.<br />
Problem 8.2. Is there any algorithm with runtime polynomial in (log 2 N,n) which<br />
can improve the bound achieved by our method?<br />
Furthermore,considerthesamesituationforCRT-<strong>RSA</strong>.Supposethate 1 ,...,e k<br />
are k encryption exponents and (d p1 ,d q1 ),...,(d pk ,d qk ) are the corresponding decryption<br />
exponents for the same CRT-<strong>RSA</strong> modulus N. We know when e is <strong>of</strong><br />
order N, then one can factor N in polynomial time [66] if d p ,d q < N 0.073 . So, we<br />
can pose the following problem in the same direction.