Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

41 2.6 Solving Integer Polynomials Also define the following polynomials: g i1 ,i 2 ,...,i t = x i 1 1 x i 2 2 ···x it t ·f ′ (x 1 ,x 2 ,...,x t )· t∏ j=1 h i1 ,i 2 ,...,i t = x i 1 1 x i 2 2 ···x it t ·R for x i 1 1 x i 2 2 ···x it t ∈ M \S. Note that for any shift polynomial g or h, X l j−i j j for x i 1 1 x i 2 2 ···x it t ∈ S, and g(x (0) 1 ,...,x (0) t ) ≡ h(x (0) 1 ,...,x (0) t ) ≡ 0 (mod R). Now one have to construct a lattice L by taking the coefficient vectors of the polynomials g(x 1 X 1 ,...,x t X t ) and h(x 1 X 1 ,...,x t X t ) as a basis. In [65], it is proved that if X s 1 1 ···X st t < W s−ǫ with s r = ∑ x i i 1 1 ···x i t t ∈M\S r for r = 1,...,t and s = |S|, then one can find t − 1 many polynomials r i as the basis vectors of the LLL reduced basis of L, such that r i (x (0) 1 ,...,x (0) t ) = 0 for all 1 ≤ i ≤ t−1. Thereafter, subject to Assumption 1, we can efficiently collect the common root (x (0) 1 ,...,x (0) t ) from f,r 1 ,...,r t−1 . Note that, similar to the modular case, the choice of m here depends on the arbitrary constant ǫ > 0. Let us now discuss the extended strategy of [65] for finding integer roots of a polynomial. Extended Strategy Alike the modular case, it is useful for some polynomials to use extra shifts for some variable(s). Suppose that we use extra µ many shifts over x 1 . Then the modified sets S, M will be defined as follows. S = ⋃ {x i 1+j 1 x i 2 0≤j≤µ 2 ···x it t |x i 1 1 x i 2 2 ···x it t is a monomial of f m }, and M = ⋃ {monomials of x i 1 1 x i 2 2 ···x it t ·f |x i 1 1 x i 2 2 ···x it t ∈ S}. Now every idea of the basic strategy will remain the same except for the fact that we have to define R = W ·∏t j=1 Xl j j , where l j is the maximum degree of x j in the monomials of S. Let us now give a practical example of this strategy.
Chapter 2: Mathematical Preliminaries 42 Attack by Ernst et al [38] In 2005, Ernst et al [38] studied the case when some most significant bits (MSBs) of the decryption exponent d are known to the attacker. In such a situation, the attacker needs to find out the root of a polynomial of the form f(x,y,z) = a 0 +a 1 x+a 2 y+a 3 yz. Let (x 0 ,y 0 ,z 0 ) be the root of f(x,y,z) satisfying |x 0 | < X, |y 0 | < Y and |z 0 | < Z. Now suppose that we use extra shifts over the variable z. Let us discuss the technique with m = 1,µ = 1. In this case, we have S = {1,x,y,z,xz,yz,yz 2 }, and M = {1,x,y,z,xz,yz,yz 2 ,x 2 ,xy,xyz,y 2 ,y 2 z,x 2 z,xyz 2 ,y 2 z 2 ,y 2 z 3 }. In this case W = max{|a 0 |,|a 1 X|,|a 2 Y|,|a 3 YZ|}. Define R = XYZ 2 W, and calculate f ′ (x,y,z) = a −1 0 f(x,y,z) mod R = 1+ax+by +cyz. In this case, one uses the shift polynomials P 1 ={f ′ XYZ 2 ,xf ′ YZ 2 ,yf ′ XZ 2 ,zf ′ XYZ,xzf ′ YZ,yzf ′ XZ,yz 2 f ′ X}, and P 2 ={x 2 R,xyR,xyzR,y 2 R,y 2 zR,x 2 zR,xyz 2 R,y 2 z 2 R,y 2 z 3 R}, and builds a lattice L with the basis elements coming from the coefficients of p(xX,yY,zZ) where p ∈ P 1 ∪P 2 . The lattice L is represented as follows. poly 1 x y z xz yz yz 2 x 2 xy xyz y 2 y 2 z x 2 z xyz 2 y 2 z 2 y 2 z 3 f ′ XY Z 2 T − − − xf ′ Y Z 2 T − − − yf ′ XZ 2 T − − − zf ′ XY Z T − − − xzf ′ Y Z T − − − yzf ′ XZ T − − − yz 2 f ′ X T − − − x 2 R X 2 R xyR XY R xyzR XY ZR y 2 R Y 2 R y 2 zR Y 2 ZR x 2 zR X 2 ZR xyz 2 R XY Z 2 R y 2 z 2 R Y 2 Z 2 R y 2 z 3 R Y 2 Z 3 R Here T = XYZ 2 and ‘−’ denotes the non zero elements in the matrix. If we perform the LLL lattice reduction on L, we get two polynomials f 1 (x,y,z) and f 2 (x,y,z) which share the root (x 0 ,y 0 ,z 0 ) of f(x,y,z). From f,f 1 ,f 2 , we can collect the root (x 0 ,y 0 ,z 0 ) by calculating the resultants, subject to Assumption 1.
Page 1:
some results on Cryptanalysis of RS
Page 5 and 6:
Abstract In this thesis, we propose
Page 7 and 8: Acknowledgements There are many peo
Page 9: To Thaakuma (Grandmother), the firs
Page 12 and 13: 2.3.7 Small Decryption Exponent Att
Page 14 and 15: 7.4 The General Solution for EPACDP
Page 17 and 18: List of Figures 1.1 Communication o
Page 19 and 20: Chapter 1: Introduction 2 The motiv
Page 21 and 22: Chapter 1: Introduction 4 there is
Page 23 and 24: Chapter 1: Introduction 6 Discrete
Page 25 and 26: Chapter 1: Introduction 8 Chapter 5
Page 28 and 29: Chapter 2 Mathematical Preliminarie
Page 30 and 31: 13 2.2 RSA Cryptosystem are impleme
Page 32 and 33: 15 2.2 RSA Cryptosystem • private
Page 34 and 35: 17 2.2 RSA Cryptosystem istic prima
Page 36 and 37: 19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39: 21 2.2 RSA Cryptosystem integer x <
Page 40 and 41: 23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43: 25 2.3 Cryptanalysis of RSA The att
Page 44 and 45: 27 2.4 Lattice and LLL Algorithm No
Page 46 and 47: 29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49: 31 2.5 Solving Modular Polynomials
Page 56 and 57: 39 2.6 Solving Integer Polynomials
Page 60 and 61: 43 2.7 Analysis of the Root Finding
Page 62: 45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66: Chapter 3: A class of Weak Encrypti
Page 81 and 82: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93: Chapter 5 Reconstruction of Primes
Page 94 and 95: 77 5.1 LSB Case: Combinatorial Anal
Page 102 and 103: 85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105: 87 5.3 MSB Case: Our Method and its
Page 106 and 107: 89 5.3 MSB Case: Our Method and its
Page 108 and 109:
91 5.3 MSB Case: Our Method and its
Page 110 and 111:
93 5.3 MSB Case: Our Method and its
Page 112 and 113:
Chapter 6 Implicit Factorization In
Page 114 and 115:
97 6.1 Implicit Factoring of Two La
Page 116 and 117:
99 6.1 Implicit Factoring of Two La
Page 118 and 119:
101 6.1 Implicit Factoring of Two L
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
107 6.2 Two Primes with Shared Cont
Page 126 and 127:
109 6.2 Two Primes with Shared Cont
Page 128 and 129:
111 6.3 Exposing a Few MSBs of One
Page 130 and 131:
113 6.3 Exposing a Few MSBs of One
Page 132 and 133:
Chapter 7 Approximate Integer Commo
Page 134 and 135:
117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137:
119 7.2 Finding Smooth Integers in
Page 138 and 139:
121 7.3 Extension of Approximate Co
Page 140 and 141:
123 7.4 The General Solution for EP
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
133 7.5 Sublattice and Generalized
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
139 7.6 Improved Results for Larger
Page 158 and 159:
141 7.6 Improved Results for Larger
Page 160 and 161:
143 7.7 EGACDP The approach in this
Page 162 and 163:
145 7.7 EGACDP Sinceinthiscasethema
Page 164:
147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168:
Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170:
Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172:
Chapter 8: Conclusion 154 represent
Page 173 and 174:
Chapter 8: Conclusion 156 Final Wor
Page 175 and 176:
BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178:
BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180:
BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182:
BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184:
BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185:
BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

Create successful ePaper yourself

Delete template?

Save as template?