Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Chapter 3: A class <strong>of</strong> Weak Encryption Exponents in <strong>RSA</strong> 48<br />
• The bound on Y can be extended till N γ , with<br />
γ < 4ατ<br />
⎛ √ (<br />
⎝ 1<br />
4τ + 1 1<br />
12α − 4τ + 1 ) 2<br />
+ 1<br />
12α 2ατ<br />
( 1<br />
12 + τ<br />
24α − α ) ⎞ ⎠,<br />
8τ<br />
given e = N α and |N −(p−u)(q −v)| = N τ .<br />
• The only constraint on X is to satisfy the equation eX−(p−u)(q−v)Y = 1,<br />
which gives<br />
X =<br />
1+(p−u)(q −v)Y<br />
e<br />
, i.e., X = ⌈N 1+γ−α ⌉.<br />
• In [96], the constraint 1 ≤ Y < X < 2 −1 4N 1 4 forces that the upper bound <strong>of</strong><br />
e is O(N). However, in our case the value <strong>of</strong> e can exceed this bound. Our<br />
results work for e up to N 1.875 for τ = 1 2 .<br />
In fact, our result is more general. Instead <strong>of</strong> considering some specific form<br />
eX − (p − u)(q − v)Y = 1, we consider equations like eX − ZY = 1, where<br />
Z = ψ(p,q,u,v) is a function <strong>of</strong> the <strong>RSA</strong> primes p,q and integers u,v. Given<br />
e = N α and the constraint |N −Z| = N τ , we can efficiently find Z using the LLL<br />
algorithm when |Y| = N γ , where<br />
γ < 4ατ<br />
⎛ √ (<br />
⎝ 1<br />
4τ + 1 1<br />
12α − 4τ + 1 ) 2<br />
+ 1<br />
12α 2ατ<br />
( 1<br />
12 + τ<br />
24α − α ) ⎞ ⎠.<br />
8τ<br />
We consider Z = ψ(p,q,u,v) = N − pu − v to present a new class <strong>of</strong> weak keys<br />
in <strong>RSA</strong>. This idea does not require any kind <strong>of</strong> factorization as used in [96]. We<br />
estimate a lower bound <strong>of</strong> N 0.75−ǫ for the number <strong>of</strong> weak keys in this class. Hence<br />
the number <strong>of</strong> weak exponents is <strong>of</strong> the same magnitude as Blömer and May [9].<br />
3.1 Our Basic Technique<br />
In this section we build the framework for our analysis related to weak keys. First<br />
we present a result based on continued fraction (CF) expansions.