Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

53 3.2 Improvements over Existing Work • There is no need to have Y < X when X,Y are of O(N 1 4). • The bound of either X or Y can be greater than N 1 4 when the other one is less than N 1 4. We have already noted that the values of e are bounded by O(N) in the work of [96]. In our case, this bound ( is increased as well. The exponent e is of the order of (p−u)(q−v)·Y N , which is O ). 2−τ Given τ = 1, when X is O(N 1 4), we get the X X 2 2 bound on e as O(N), which is same as what given in [96]. However, our bound increases as X decreases. 3.2.2 Further Improvement in the Bounds With our results in Theorem 3.2, we get further bounds on X,Y. Note that Y = N γ and thus X = ⌈N 1+γ−α ⌉. This gives XY = N 1+2γ−α , where γ < 4ατ ⎛ √ ( ⎝ 1 4τ + 1 1 12α − 4τ + 1 ) 2 + 1 12α 2ατ ( 1 12 + τ 24α − α ) ⎞ ⎠, 8τ as in Theorem 3.2. Our result implies the following improvements. • The bound on Y can be extended till N γ . One may have a look at Table 3.1 for the numerical values of the theoretical bounds of γ given some α. The experimental results are presented in Section 3.2.3. • X has to satisfy the equation eX −(p−u)(q −v)Y = 1, which gives X = ⌈N 1+γ−α ⌉. The value of X becomes smaller as α increases. • The constraint 1 ≤ Y < X < 2 −1 4N 1 4 in [96] forces that the upper bound of e has to be O(N). However, in our case the value of e can exceed this bound and the result works for e up to N 1.875 theoretically, as described in Section 3.1. 3.2.3 Experimental Results Let us start with a complete example, as follows.
Chapter 3: A class of Weak Encryption Exponents in RSA 54 Example 3.3. Let us consider that N,e are available. We choose a 1000-bit N which is a product of two 500-bit primes. Let N be 6965301839116252842151601289304534942713324759565286529653767647876815 5930430666799437161475057925109785426932854120387907825516676039893976 7348434594081678022491354913429428712241705242402188329351298522684586 6182664930993217767070732004829330778668319338402258431072292258308654 308889461963963786753 and e be a 1000-bit number 6131104587526715137731121962949288372067853010907049196083307936858983 5495733258743040864963707793556567754437239459230699951652411404917214 6335728027441527646511562295901427592480445339976342362901246792172093 7327176882146018075507772227029755907501291937300116177647310527785231 764272675507839815927. Running our method as explained in Theorem 3.2, we get (p−u)(q −v) as 6965301839116252842151601289304534942713324759565286529653767647876815 5930430666799437161475057925109785426932854120387907825516676039893976 7348434593866189401923798371559862126676390152959012118814413687219025 3575242273886606436919626785397201816501702315901845767585961196177847 672535848282542000103. The factorization of (p−u)(q −v) is as follows: 3 4 ×17 24 ×61681 24 × 2297 × 141803 × 345133 × 1412745718201607004385882806 3633385965304567483679 × 1734403587161852748161040884417992576345006759 8688121780826850377496712904460130651142191039. This requires 112151.62 seconds (less than 1.3 days) using the ECM method of factoring. In this case, p−u is 3×17 24 ×61681 24 ×345133 and the rest of the terms will give q −v. Since, p−u < N 4, 1 p can be found using the idea of [24] in polynomial time. Finally, one can find p,q as follows. 3232329308513348128043498783477144091769556249463616612811415899259655 9541241660031449960551292345720627446011227767334525515385020845432088 00320998727, 2154886205675565418695665855651429394513037499642411075207610599506437 3027494440020966640367528230480418297340818511556350343590013896954725 33547333239 respectively. In this example, X,Y are respectively 275 and 274 bit numbers as follows. 3035420144102701673311659229411748291628760686018968001955956890217037
Page 1:
some results on Cryptanalysis of RS
Page 5 and 6:
Abstract In this thesis, we propose
Page 7 and 8:
Acknowledgements There are many peo
Page 9:
To Thaakuma (Grandmother), the firs
Page 12 and 13:
2.3.7 Small Decryption Exponent Att
Page 14 and 15:
7.4 The General Solution for EPACDP
Page 17 and 18:
List of Figures 1.1 Communication o
Page 19 and 20: Chapter 1: Introduction 2 The motiv
Page 21 and 22: Chapter 1: Introduction 4 there is
Page 23 and 24: Chapter 1: Introduction 6 Discrete
Page 25 and 26: Chapter 1: Introduction 8 Chapter 5
Page 28 and 29: Chapter 2 Mathematical Preliminarie
Page 30 and 31: 13 2.2 RSA Cryptosystem are impleme
Page 32 and 33: 15 2.2 RSA Cryptosystem • private
Page 34 and 35: 17 2.2 RSA Cryptosystem istic prima
Page 36 and 37: 19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39: 21 2.2 RSA Cryptosystem integer x <
Page 40 and 41: 23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43: 25 2.3 Cryptanalysis of RSA The att
Page 44 and 45: 27 2.4 Lattice and LLL Algorithm No
Page 46 and 47: 29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49: 31 2.5 Solving Modular Polynomials
Page 56 and 57: 39 2.6 Solving Integer Polynomials
Page 58 and 59: 41 2.6 Solving Integer Polynomials
Page 60 and 61: 43 2.7 Analysis of the Root Finding
Page 62: 45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66: Chapter 3: A class of Weak Encrypti
Page 69: Chapter 3: A class of Weak Encrypti
Page 81 and 82: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93: Chapter 5 Reconstruction of Primes
Page 94 and 95: 77 5.1 LSB Case: Combinatorial Anal
Page 102 and 103: 85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105: 87 5.3 MSB Case: Our Method and its
Page 112 and 113: Chapter 6 Implicit Factorization In
Page 114 and 115: 97 6.1 Implicit Factoring of Two La
Page 116 and 117: 99 6.1 Implicit Factoring of Two La
Page 118 and 119: 101 6.1 Implicit Factoring of Two L
Page 120 and 121:
103 6.1 Implicit Factoring of Two L
Page 122 and 123:
105 6.1 Implicit Factoring of Two L
Page 124 and 125:
107 6.2 Two Primes with Shared Cont
Page 126 and 127:
109 6.2 Two Primes with Shared Cont
Page 128 and 129:
111 6.3 Exposing a Few MSBs of One
Page 130 and 131:
113 6.3 Exposing a Few MSBs of One
Page 132 and 133:
Chapter 7 Approximate Integer Commo
Page 134 and 135:
117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137:
119 7.2 Finding Smooth Integers in
Page 138 and 139:
121 7.3 Extension of Approximate Co
Page 140 and 141:
123 7.4 The General Solution for EP
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
133 7.5 Sublattice and Generalized
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
139 7.6 Improved Results for Larger
Page 158 and 159:
141 7.6 Improved Results for Larger
Page 160 and 161:
143 7.7 EGACDP The approach in this
Page 162 and 163:
145 7.7 EGACDP Sinceinthiscasethema
Page 164:
147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168:
Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170:
Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172:
Chapter 8: Conclusion 154 represent
Page 173 and 174:
Chapter 8: Conclusion 156 Final Wor
Page 175 and 176:
BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178:
BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180:
BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182:
BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184:
BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185:
BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?