Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
59 3.3 A New Class <strong>of</strong> Weak Keys<br />
this example. Thus the maximum value <strong>of</strong> α for which our method works in this<br />
example is 1.653. The value <strong>of</strong> γ in such a case is 0.656 as Y is a 656-bit integer.<br />
We like to point out that one can exploit the techniques using sublattices given<br />
in [15] for improvement in the bound <strong>of</strong> γ than in Theorem 3.2 (where we use<br />
the idea <strong>of</strong> lattices following [14]). In practice, the idea <strong>of</strong> sublattices helps in<br />
getting the same result with less lattice dimension. During actual execution, for<br />
fixed N,e,u,v,Y, consider that t 1 is the time in seconds to run the LLL algorithm,<br />
t 2 is the time in seconds to calculate the resultant and t 3 is the time in<br />
seconds to find the integer root <strong>of</strong> the resultant; and let us refer this as a tuple<br />
〈(l N ,l e ,l u ,l v ,l Y ),t 1 ,t 2 ,t 3 〉 a , where l N ,l e ,l u ,l v ,l Y are the bitsizes <strong>of</strong> N,e,u,v,Y respectively;<br />
and a = L for full rank lattice and a = S for sublattice. Our examples<br />
are with lattice parameters m = 7,t = 3 and thereby giving the dimension 60 for<br />
full rank lattice (following the idea <strong>of</strong> [14]) and dimension 43 for sublattice (exactly<br />
following [15] the dimension should be 45, but due to the upper bounds X 1 ,Y 1 in<br />
Theorem 3.2, we get lower sublattice dimension). The examples are as follows:<br />
〈(1000,1000,52,175,240),20,373,4〉 L , 〈(1000,1000,52,175,240),14,377,4〉 S ,<br />
〈(2000,1995,104,350,465),79,1074,16〉 L , 〈(2000,1995,104,350,465),68,1075,<br />
15〉 S , 〈(9999,9999,520,1750,2350),4722,5021,248〉 L , 〈(9999,9999,520,1750,<br />
2350),4426,5028,198〉 S .<br />
As long as t 1 is much less than t 2 , using sublattices (following [15]) instead <strong>of</strong><br />
lattices (following [14]) will not provide significant improvement in total execution<br />
time. However, when t 1 becomes dominant, then the implementation using<br />
sublattices will provide faster execution.<br />
3.3.2 Estimation <strong>of</strong> Weak Keys<br />
In this section, we estimate the number <strong>of</strong> exponents for which our method works.<br />
We first present a simple analysis.<br />
Lemma 3.7. Consider <strong>RSA</strong> with N = pq, where p,q are primes such that q < p <<br />
2q. Let e be the public encryption exponent that satisfies eX−(N −pu−v)Y = 1.<br />
Then for X = Y = 1, N can be factorized in poly(logN) time from the knowledge<br />
<strong>of</strong> N,e when u is not a multiple <strong>of</strong> q and |v| < N 1 4. The number <strong>of</strong> such weak keys<br />
e, such that e < N is N 3 4 −ǫ , where ǫ > 0 is arbitrarily small for suitably large N.<br />
Pro<strong>of</strong>. Given the equation eX − (N − pu − v)Y = 1, we consider the scenario