Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
55 3.3 A New Class <strong>of</strong> Weak Keys<br />
9456331382787 and<br />
2671883975804894456278842490580443758950128272095600125097638973022749<br />
4745205672316.<br />
Note that these numbers are clearly greater than N 1 4 (in contrary to the bound<br />
presented in [96] where 1 ≤ Y < X < 2 −1 4N 1 4) as N is a 1000 bit integer here.<br />
Nowweshowthatthetechnique<strong>of</strong>[96]willnotworkhere. WecalculatetheCF<br />
e<br />
expansion <strong>of</strong> and study all the convergents Y with denominator X < 4N 4.<br />
1 N X 2−1<br />
ExceptX = Y = 1, no eX−1 isaninteger. WhenX = Y = 1, wehave eX−1 = e−1.<br />
Y<br />
Y<br />
Thus in this case, (p−u)(q−v) = e−1. As given in [96, Lemma 4], one needs to<br />
satisfy the condition |(p−u)(q − v) −N| < 2 −1 2N 1 2. Thus, in this example, one<br />
needs to satisfy |e−1−N| < 2 −1 2N 1 2, which is not true.<br />
Then we attempted different cases with e = N α having varying α, given the<br />
same p,q as in Example 3.3. The experimental results are as shown in Table 3.2<br />
where each run to find (p−u)(q −v) requires less than 15 minutes.<br />
α 1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.875<br />
γ 0.274 0.336 0.399 0.464 0.529 0.596 0.659 0.726 – –<br />
Table 3.2: The numerical values <strong>of</strong> γ given α found by experiment when N is <strong>of</strong><br />
1000 bits and p,q are as in Example 3.3. The lattice has the parameters m =<br />
7,t = 3,w = 60.<br />
Note that compared to Table 3.1, the results in Table 3.2 gives slightly lower<br />
values <strong>of</strong> γ. Further, we do not get the solutions for these p,q values when α =<br />
1.8,1.875 as 1+γ−α becomes very close to zero and hence X does not exist given<br />
the bound <strong>of</strong> Y. The maximum e for which we get a valid X is <strong>of</strong> size 1774 bits in<br />
this example. Thus the maximum value <strong>of</strong> α for which our method works in this<br />
example is 1.774. The value <strong>of</strong> γ in this example is 0.778 as Y is a 778-bit integer.<br />
3.3 A New Class <strong>of</strong> Weak Keys<br />
The problem with the idea <strong>of</strong> [96] is that one needs to factorize (p−u)(q −v) in<br />
order to attack <strong>RSA</strong>, and this is only possible when the factors <strong>of</strong> either (p−u)<br />
or (q−v) are relatively small. In this section we present a new class <strong>of</strong> weak keys