Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
2.3 Cryptanalysis of RSA
The attacker can find $m_1$ and $m_2$ by computing

$$\frac{\beta\,(c_2 + 2\alpha^3 c_1 - \beta^3)}{\alpha\,(c_2 - \alpha^3 c_1 + 2\beta^3)} \equiv m_1 \pmod{N} \quad\text{and}\quad m_2 = \alpha m_1 + \beta \bmod N.$$
2.3.5 Broadcast Attack

Håstad [48,49] proved that for small encryption exponent e, if the same plaintext
m is sent to different receivers, then RSA may be weak. In 2008, May and
Ritzenhofen [85] improved this attack of Håstad.
2.3.6 Timing Attack

In 1995, Kocher [72] proposed a new attack on RSA to obtain the private exponent
d. He showed that an attacker can get a few bits of d from the timing characteristics of a
device implementing RSA. After the publication of this idea, the vulnerabilities
of RSA were tested against many side-channel attacks in this direction [8,16,38].
2.3.7 Small Decryption Exponent Attack

In 1990, Wiener [130] proved that if the decryption exponent $d < \frac{1}{3}N^{1/4}$, one can
factor N in polynomial time when the primes p, q are of the same bitsize. He used
certain results from Continued Fractions to prove this. Let us first take a look at
the theoretical background.
Continued Fraction (CF)

Given a positive rational number $\frac{a}{b}$, it can be represented as a finite CF expression
as follows.

$$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cdots + \cfrac{1}{q_m}}}$$
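The partial quotients $q_1, \dots, q_m$ above are the quotients produced by Euclid's algorithm on (a, b). The Python below is an added example, not code from the thesis: it computes the expansion and its convergents, then uses them to audit a public key (N, e) for the small-d weakness of Section 2.3.7. Testing convergents of e/N as candidates for k/d is the standard form of Wiener's argument and is assumed here rather than taken from this page; the function names and the toy key are constructed for illustration.

```python
from math import isqrt

# Constructed toy key: p = 379, q = 239, d = 5, so 3*d < N**(1/4).
TOY_N, TOY_E = 90581, 17993

def cf_expansion(a, b):
    """Partial quotients [q1, ..., qm] of a/b, via Euclid's algorithm."""
    qs = []
    while b:
        q, r = divmod(a, b)
        qs.append(q)
        a, b = b, r
    return qs

def convergents(qs):
    """Yield successive convergents (numerator, denominator) of qs."""
    h0, k0, h1, k1 = 0, 1, 1, 0
    for q in qs:
        h0, h1 = h1, q * h1 + h0
        k0, k1 = k1, q * k1 + k0
        yield h1, k1

def is_wiener_weak(N, e):
    """Audit check: True if some convergent k/d of e/N gives a phi(N)
    consistent with N = p*q, meaning d is small enough to be recovered
    from the public key alone and the key must be regenerated."""
    for k, d in convergents(cf_expansion(e, N)):
        if k == 0 or (e * d - 1) % k:
            continue                      # e*d - 1 must be a multiple of k
        phi = (e * d - 1) // k            # candidate phi(N)
        s = N - phi + 1                   # would equal p + q
        disc = s * s - 4 * N              # would equal (p - q)^2
        if s > 0 and disc >= 0:
            t = isqrt(disc)
            if t * t == disc and (s + t) % 2 == 0:
                return True
    return False

if __name__ == "__main__":
    print(cf_expansion(TOY_E, TOY_N))
    print(is_wiener_weak(TOY_N, TOY_E))   # small d: flagged
    print(is_wiener_weak(TOY_N, 5))       # same modulus, d = 17993: not flagged
```

A key flagged by this check has a private exponent below Wiener's bound; generating keys with a fixed small e and a full-size d keeps them out of its range.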