Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

55 3.3 A New Class of Weak Keys 9456331382787 and 2671883975804894456278842490580443758950128272095600125097638973022749 4745205672316. Note that these numbers are clearly greater than N 1 4 (in contrary to the bound presented in [96] where 1 ≤ Y < X < 2 −1 4N 1 4) as N is a 1000 bit integer here. Nowweshowthatthetechniqueof[96]willnotworkhere. WecalculatetheCF e expansion of and study all the convergents Y with denominator X < 4N 4. 1 N X 2−1 ExceptX = Y = 1, no eX−1 isaninteger. WhenX = Y = 1, wehave eX−1 = e−1. Y Y Thus in this case, (p−u)(q−v) = e−1. As given in [96, Lemma 4], one needs to satisfy the condition |(p−u)(q − v) −N| < 2 −1 2N 1 2. Thus, in this example, one needs to satisfy |e−1−N| < 2 −1 2N 1 2, which is not true. Then we attempted different cases with e = N α having varying α, given the same p,q as in Example 3.3. The experimental results are as shown in Table 3.2 where each run to find (p−u)(q −v) requires less than 15 minutes. α 1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.875 γ 0.274 0.336 0.399 0.464 0.529 0.596 0.659 0.726 – – Table 3.2: The numerical values of γ given α found by experiment when N is of 1000 bits and p,q are as in Example 3.3. The lattice has the parameters m = 7,t = 3,w = 60. Note that compared to Table 3.1, the results in Table 3.2 gives slightly lower values of γ. Further, we do not get the solutions for these p,q values when α = 1.8,1.875 as 1+γ−α becomes very close to zero and hence X does not exist given the bound of Y. The maximum e for which we get a valid X is of size 1774 bits in this example. Thus the maximum value of α for which our method works in this example is 1.774. The value of γ in this example is 0.778 as Y is a 778-bit integer. 3.3 A New Class of Weak Keys The problem with the idea of [96] is that one needs to factorize (p−u)(q −v) in order to attack RSA, and this is only possible when the factors of either (p−u) or (q−v) are relatively small. In this section we present a new class of weak keys
Chapter 3: A class of Weak Encryption Exponents in RSA 56 where there is no involvement of factorization at all. For this, let us first refer to the following existing result from [83, Theorem 10]. Theorem 3.4 (from [83]). Let N = pq be an RSA modulus with q of q. Suppose we know an approximation ˆP of pu with |pu − ˆP| ≤ 2N 1 4. Then N can be factorized in time polynomial in logN. After finding X and Y from the continued fraction expression (as given in Lemma 3.1 of e N , one can get N −pu−v and hence pu+v. In our case, the ˆP of Theorem 3.4 is pu+v. Following Theorem 3.4, if |v| < N 1 4 and u is not a multiple of q, then one can get p. Next we present further extension on this class of weak keys using the idea of Theorem 3.2 and noting Z = ψ(p,q,u,v) = pq − pu − v = N − pu − v. In this case, |N −Z| = |pu+v| = N τ . When Y = N γ and e = N α then X = ⌈N 1+γ−α ⌉. This gives, XY = N 1+2γ−α , where γ < 4ατ as in Theorem 3.2. ⎛ √ ( ⎝ 1 4τ + 1 1 12α − 4τ + 1 ) 2 + 1 12α 2ατ ( 1 12 + τ 24α − α ) ⎞ ⎠, 8τ It is clear that when N 1+2γ−α is greater than the bound N pu+v = N1−τ of Lemma 3.1, then we get a larger class of weak keys using the LLL method instead of the technique using continued fraction expression. This happens when 1+2γ −α > 1−τ, which is true taking the value of the upper bound on γ. For example, taking α = 1 and τ = 1 the upper bound of γ is 0.284 and in this 2 case XY will be N 0.568 . However, the bound from Lemma 3.1 in this case is N 0.5 . For larger values of α, the bound on XY will increase further. 3.3.1 Experimental Results We consider the same N as used in Example 3.3. Example 3.5. Let us first apply the continued fraction method as explained in Lemma 3.1. The public exponent e is a 1000-bit number 6924191794904822444331919988065675834958089478755604021224486550741286 9094970482880973033565767568702443953304958933817087359916417417403418
Page 1:
some results on Cryptanalysis of RS
Page 5 and 6:
Abstract In this thesis, we propose
Page 7 and 8:
Acknowledgements There are many peo
Page 9:
To Thaakuma (Grandmother), the firs
Page 12 and 13:
2.3.7 Small Decryption Exponent Att
Page 14 and 15:
7.4 The General Solution for EPACDP
Page 17 and 18:
List of Figures 1.1 Communication o
Page 19 and 20:
Chapter 1: Introduction 2 The motiv
Page 21 and 22: Chapter 1: Introduction 4 there is
Page 23 and 24: Chapter 1: Introduction 6 Discrete
Page 25 and 26: Chapter 1: Introduction 8 Chapter 5
Page 28 and 29: Chapter 2 Mathematical Preliminarie
Page 30 and 31: 13 2.2 RSA Cryptosystem are impleme
Page 32 and 33: 15 2.2 RSA Cryptosystem • private
Page 34 and 35: 17 2.2 RSA Cryptosystem istic prima
Page 36 and 37: 19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39: 21 2.2 RSA Cryptosystem integer x <
Page 40 and 41: 23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43: 25 2.3 Cryptanalysis of RSA The att
Page 44 and 45: 27 2.4 Lattice and LLL Algorithm No
Page 46 and 47: 29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49: 31 2.5 Solving Modular Polynomials
Page 56 and 57: 39 2.6 Solving Integer Polynomials
Page 58 and 59: 41 2.6 Solving Integer Polynomials
Page 60 and 61: 43 2.7 Analysis of the Root Finding
Page 62: 45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66: Chapter 3: A class of Weak Encrypti
Page 71: Chapter 3: A class of Weak Encrypti
Page 81 and 82: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93: Chapter 5 Reconstruction of Primes
Page 94 and 95: 77 5.1 LSB Case: Combinatorial Anal
Page 102 and 103: 85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105: 87 5.3 MSB Case: Our Method and its
Page 112 and 113: Chapter 6 Implicit Factorization In
Page 114 and 115: 97 6.1 Implicit Factoring of Two La
Page 116 and 117: 99 6.1 Implicit Factoring of Two La
Page 118 and 119: 101 6.1 Implicit Factoring of Two L
Page 120 and 121: 103 6.1 Implicit Factoring of Two L
Page 122 and 123:
105 6.1 Implicit Factoring of Two L
Page 124 and 125:
107 6.2 Two Primes with Shared Cont
Page 126 and 127:
109 6.2 Two Primes with Shared Cont
Page 128 and 129:
111 6.3 Exposing a Few MSBs of One
Page 130 and 131:
113 6.3 Exposing a Few MSBs of One
Page 132 and 133:
Chapter 7 Approximate Integer Commo
Page 134 and 135:
117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137:
119 7.2 Finding Smooth Integers in
Page 138 and 139:
121 7.3 Extension of Approximate Co
Page 140 and 141:
123 7.4 The General Solution for EP
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
133 7.5 Sublattice and Generalized
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
139 7.6 Improved Results for Larger
Page 158 and 159:
141 7.6 Improved Results for Larger
Page 160 and 161:
143 7.7 EGACDP The approach in this
Page 162 and 163:
145 7.7 EGACDP Sinceinthiscasethema
Page 164:
147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168:
Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170:
Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172:
Chapter 8: Conclusion 154 represent
Page 173 and 174:
Chapter 8: Conclusion 156 Final Wor
Page 175 and 176:
BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178:
BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180:
BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182:
BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184:
BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185:
BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?