Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
155 8.3 Open Problems<br />
Problem 8.3. Is there any polynomial time algorithm to factor N with encryption<br />
exponents <strong>of</strong> order N if d pi > N 0.073 and d qi > N 0.073 for 1 ≤ i ≤ k?<br />
8.3.3 Reconstruction <strong>of</strong> Primes<br />
The terms {p,q,d,d p ,d q ,q −1 (mod p)} are stored as a part <strong>of</strong> the secret key in<br />
PKCS #1 [99] to expedite the decryption in CRT-<strong>RSA</strong>. Now, one may note<br />
from Chapter 5 that Heninger and Shacham [50] used random known bits <strong>of</strong><br />
{p,q,d,d p ,d q }, and our work uses bits <strong>of</strong> {p,q} to factorize N. None <strong>of</strong> the methods<br />
could utilize the knowledge <strong>of</strong> q −1 mod p to factor N. In Chapter 7, we have<br />
proved that knowing q −1 mod p completely is equivalent to factoring N. But, we<br />
do not have any results if one knows some random bits <strong>of</strong> q −1 mod p. In the presentation<br />
<strong>of</strong> the paper [50] at Crypto 2009, this problem was also asked. In this<br />
line, let us present the following two open questions.<br />
Problem 8.4. Can one use some known random bits <strong>of</strong> q −1 mod p to factor N?<br />
Problem 8.5. Does the knowledge <strong>of</strong> random bits <strong>of</strong> q −1 mod p reduce the required<br />
number <strong>of</strong> bits to be known for other private keys in case <strong>of</strong> factoring N?<br />
In Chapter 5, we studied the case when random bits are known from the lower<br />
half <strong>of</strong> p and q. However consider the situation when random bits are known from<br />
the upper half <strong>of</strong> p and q. Hence, we have the following question.<br />
Problem 8.6. Can one factor N when random bits are known from the upper half<br />
<strong>of</strong> p and q?<br />
8.3.4 Implicit <strong>Factorization</strong><br />
In PKC 2009, May and Ritzenh<strong>of</strong>en [86] introduced the problem <strong>of</strong> implicit factorization.<br />
They presents some results when few LSBs <strong>of</strong> the secret primes are same.<br />
They also extend their results for balanced <strong>RSA</strong> moduli. That is for the case<br />
N 1 = p 1 q 1 ,N 2 = p 2 q 2 ,...,N k = p k q k , with p i and q i are <strong>of</strong> same bitsize and few<br />
LSBs <strong>of</strong> p 1 ,...,p k are same. In Chapter 6 and Chapter 7 we analyze the situation<br />
when p 1 ,...,p k share their MSBs. However, we can not extend our ideas for the<br />
balanced case. Hence, we leave the following open question.<br />
Problem 8.7. Can one factor k balanced <strong>RSA</strong> moduli N 1 ,...,N k in polynomial<br />
time when p 1 ,...,p k share their MSBs?