Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

37 2.5 Solving Modular Polynomials Let us discuss the technique for m = 3,µ = 1, say. Then we have M 0 ={x 3 y 4 ,x 3 y 3 ,x 3 y 2 ,x 2 y 3 ,x 3 y,x 2 y 2 ,x 3 ,x 2 y,xy 2 ,x 2 ,xy,x,y,1}, M 1 ={x 3 y 4 ,x 3 y 3 ,x 3 y 2 ,x 2 y 3 ,x 3 y,x 2 y 2 ,x 2 y,xy 2 ,xy}, M 2 ={x 3 y 4 ,x 3 y 3 ,x 3 y 2 ,x 2 y 3 ,x 2 y 2 }, M 3 ={x 3 y 4 ,x 3 y 3 }, and M 4 =∅. The shift polynomials for the extended strategy in this case are as follows. P = {ye 3 ,e 3 ,x 2 e 3 ,x 3 e 3 ,xe 3 ,x 2 fe 2 ,xfe 2 ,fe 2 ,yfe 2 ,xf 2 e,f 2 e,yf 2 e,f 3 ,yf 3 }. Now take positive integers X,Y such that |k| ≤ X and |−p−q+1| ≤ Y, and build a lattice L with the basis elements coming from the coefficients of the polynomials p(xX,yY) where p ∈ P. The lattice L is represented as follows. poly y 1 x 2 x 3 x x 3 y x 2 y xy xy 2 x 3 y 2 x 2 y 2 x 2 y 3 x 3 y 3 x 3 y 4 ye 3 Y e 3 e 3 e 3 x 2 e 3 X 2 e 3 x 3 e 3 X 3 e 3 xe 3 Xe 3 x 2 fe 2 − − X 3 Y e 2 xfe 2 − − X 2 Y e 2 fe 2 − − XY e 2 yfe 2 − − XY 2 e 2 xf 2 e − − − − − X 3 Y 2 e f 2 e − − − − − X 2 Y 2 e yf 2 e − − − − − X 2 y 3 e f 3 − − − − − − − − − X 3 Y 3 yf 3 − − − − − − − − − x 3 y 4 Here ‘−’ denotes nonzero elements not belonging to the diagonal. If we perform LLL lattice reduction over L as defined by the above mentioned matrix, we shall obtain two polynomials f 1 (x,y),f 2 (x,y) such that f 1 (x 0 ,y 0 ) = f 2 (x 0 ,y 0 ) = 0. Thereafter, we can collect the x 0 and y 0 from f 1 (x,y),f 2 (x,y) efficiently, subject to Assumption 1. In [14], Boneh and Durfee proved that when m → ∞, if a proper choice of µ is made depending on m, then one can solve f e (x,y) in Z e when |d| < N 0.284 . However, in the same paper [14], they improved the bound to |d| < N 0.292 using a sublattice of the lattice L described above. This is the best bound till date. Though they [14] conjectured that RSA may be insecure for |d| < √ N, it is still an open problem.
Chapter 2: Mathematical Preliminaries 38 2.6 Solving Integer Polynomials Although there exist several techniques for solving univariate polynomials over integers, it is not so easy to solve bivariate integer polynomials. Coppersmith [22] introduced a method to find small integer roots for a bivariate polynomial f(x,y). Without loss of generality, we can assume that f(x,y) is irreducible. If f(x,y) is reducible, we can factor f(x,y) by the method of Wang and Rothschild [129] and try to find the roots of its factors individually. Coron [28] reformulated Coppersmith’s method to propose the following idea. 2.6.1 Coron’s Method The main aim is to find a polynomial h(x,y) which is algebraically independent of f(x,y) and which shares the integer root (x 0 ,y 0 ) of f(x,y). Let, |x 0 | ≤ X, |y 0 | ≤ Y, and assume that f(x,y) = ∑ i,j a ijx i y j . Now, define W = max|a ij X i Y j |. i,j Define R = X l 1 Y l 2 W for some non-negative integers l 1 ,l 2 . Further let us define g ij (x,y) = x i y j R f(x,y) and h WX i Y j ij (x,y) = x i y j R, for some pair of integers i,j. Note that these g ij (x,y)’s are analogous to the shift polynomials as in Section 2.5.2. To ensure that all the shift polynomials g ij (x,y) have integer coefficients, choose l 1 ≥ i and l 2 ≥ j. Also note that g ij (x 0 ,y 0 ) ≡ 0 (mod R) and h ij (x 0 ,y 0 ) ≡ 0 (mod R). Now, construct a lattice L using the coefficient vectors of g ij (xX,yY) and h ij (xX,yY) as a basis. Let ω be the dimension of the lattice L, and assume that r 1 (xX,yY),...,r ω (xX,yY) are the polynomials corresponding to the vectors of the LLL reduced basis of L. Now, from Lemma 2.20, we know that ||r 1 (xX,yY)|| ≤ 2 ω−1 4 det(L) 1 ω. Also, from Theorem 2.22, we know that if ||r 1 (xX,yY)|| < R √ ω , then r 1 (x 0 ,y 0 ) = 0. So, when 2 ω−1 4 det(L) 1 ω < R √ ω , then r 1 (x 0 ,y 0 ) = 0. Since we choose R = X l 1 Y l 2 W, r 1 (x,y) is divisible byX l 1 Y l 2 . Now it can be shown that r 1 (x,y) is algebraically independent of f(x,y). One can deduce this from the following result by Coron [28]. Theorem 2.25. If h(x,y) is a multiple of f(x,y), then h(x,y) is divisible by X l 1 Y l 2 if and only if it has norm at least 2 −(ρ+1)2 +1 X l 1 Y l 2 W, where ρ is the maximum degree of the polynomials f,h in each variable separately. Hence, if ||r 1 (xX,yY)|| ≤ 2 ω−1 4 det(L) 1 ω ≤ 2 −(ρ+1)2 +1 X l 1 Y l 2 W = 2 −(ρ+1)2 +1 R,
Page 1:
some results on Cryptanalysis of RS
Page 5 and 6: Abstract In this thesis, we propose
Page 7 and 8: Acknowledgements There are many peo
Page 9: To Thaakuma (Grandmother), the firs
Page 12 and 13: 2.3.7 Small Decryption Exponent Att
Page 14 and 15: 7.4 The General Solution for EPACDP
Page 17 and 18: List of Figures 1.1 Communication o
Page 19 and 20: Chapter 1: Introduction 2 The motiv
Page 21 and 22: Chapter 1: Introduction 4 there is
Page 23 and 24: Chapter 1: Introduction 6 Discrete
Page 25 and 26: Chapter 1: Introduction 8 Chapter 5
Page 28 and 29: Chapter 2 Mathematical Preliminarie
Page 30 and 31: 13 2.2 RSA Cryptosystem are impleme
Page 32 and 33: 15 2.2 RSA Cryptosystem • private
Page 34 and 35: 17 2.2 RSA Cryptosystem istic prima
Page 36 and 37: 19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39: 21 2.2 RSA Cryptosystem integer x <
Page 40 and 41: 23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43: 25 2.3 Cryptanalysis of RSA The att
Page 44 and 45: 27 2.4 Lattice and LLL Algorithm No
Page 46 and 47: 29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49: 31 2.5 Solving Modular Polynomials
Page 56 and 57: 39 2.6 Solving Integer Polynomials
Page 58 and 59: 41 2.6 Solving Integer Polynomials
Page 60 and 61: 43 2.7 Analysis of the Root Finding
Page 62: 45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66: Chapter 3: A class of Weak Encrypti
Page 81 and 82: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93: Chapter 5 Reconstruction of Primes
Page 94 and 95: 77 5.1 LSB Case: Combinatorial Anal
Page 102 and 103: 85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105:
87 5.3 MSB Case: Our Method and its
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Chapter 6 Implicit Factorization In
Page 114 and 115:
97 6.1 Implicit Factoring of Two La
Page 116 and 117:
99 6.1 Implicit Factoring of Two La
Page 118 and 119:
101 6.1 Implicit Factoring of Two L
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
107 6.2 Two Primes with Shared Cont
Page 126 and 127:
109 6.2 Two Primes with Shared Cont
Page 128 and 129:
111 6.3 Exposing a Few MSBs of One
Page 130 and 131:
113 6.3 Exposing a Few MSBs of One
Page 132 and 133:
Chapter 7 Approximate Integer Commo
Page 134 and 135:
117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137:
119 7.2 Finding Smooth Integers in
Page 138 and 139:
121 7.3 Extension of Approximate Co
Page 140 and 141:
123 7.4 The General Solution for EP
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
133 7.5 Sublattice and Generalized
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
139 7.6 Improved Results for Larger
Page 158 and 159:
141 7.6 Improved Results for Larger
Page 160 and 161:
143 7.7 EGACDP The approach in this
Page 162 and 163:
145 7.7 EGACDP Sinceinthiscasethema
Page 164:
147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168:
Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170:
Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172:
Chapter 8: Conclusion 154 represent
Page 173 and 174:
Chapter 8: Conclusion 156 Final Wor
Page 175 and 176:
BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178:
BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180:
BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182:
BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184:
BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185:
BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?