Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Chapter 4
Cryptanalysis of RSA with more than one Decryption Exponent
From the work of Boneh and Durfee [14], we know that one can factor $N$ in polynomial time when $d < N^{0.292}$. Instead of one decryption exponent, consider that $n$ many decryption exponents $(d_1, \ldots, d_n)$ are used with the same $N$. Let $(e_1, e_2, \ldots, e_n)$ be their corresponding public exponents. As explained in [60, Page 121] such a situation can arise if a person is using the same RSA modulus $N$, but different exponents $d_i$ to sign different messages. It has been shown by Howgrave-Graham and Seifert [62] that in case of $n$ many decryption exponents, one can factor $N$ efficiently when $d_i < N^{\delta}$, for $1 \le i \le n$, where
$$
\delta <
\begin{cases}
\dfrac{(2n+1)\cdot 2^{n} - (2n+1)\binom{n}{n/2}}{(2n-2)\cdot 2^{n} + (4n+2)\binom{n}{n/2}} & \text{if } n \text{ is even.} \\[2ex]
\dfrac{(2n+1)\cdot 2^{n} - 4n\cdot\binom{n-1}{(n-1)/2}}{(2n-2)\cdot 2^{n} + 8n\cdot\binom{n-1}{(n-1)/2}} & \text{if } n \text{ is odd.}
\end{cases}
\tag{4.1}
$$
However, Hinek et al. [55, Section 5] proved that one needs to satisfy another condition for the idea of [62] to work. That condition makes the upper bound of decryption exponents $d_i < \sqrt{N}$ for $1 \le i \le n$.
We show in this chapter that if $n$ many decryption exponents $(d_1, \ldots, d_n)$ are used with the same $N$, then RSA is insecure when $d_i < N^{\frac{3n-1}{4n+4}}$, for $1 \le i \le n$ and $n \ge 2$. Our result improves the bound of Howgrave-Graham and Seifert [62]. The time complexity of our technique as well as that of [62] is polynomial in the
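An added example, not taken from the thesis: it evaluates bound (4.1) and the chapter's exponent $(3n-1)/(4n+4)$ as exact fractions, and gives an integer-only check a key owner can run on private exponents that share one modulus. The function names and the sample modulus are constructed for illustration, and limiting (4.1) to 1/2 is this example's reading of the Hinek et al. condition.

```python
from fractions import Fraction
from math import comb


def hgs_delta(n: int) -> Fraction:
    """Exponent bound (4.1) for n decryption exponents, as an exact fraction."""
    if n % 2 == 0:
        b = comb(n, n // 2)
        num = (2 * n + 1) * 2**n - (2 * n + 1) * b
        den = (2 * n - 2) * 2**n + (4 * n + 2) * b
    else:
        b = comb(n - 1, (n - 1) // 2)
        num = (2 * n + 1) * 2**n - 4 * n * b
        den = (2 * n - 2) * 2**n + 8 * n * b
    return Fraction(num, den)


def hgs_delta_capped(n: int) -> Fraction:
    """(4.1) limited to 1/2: this example's reading of the d_i < sqrt(N) condition."""
    return min(hgs_delta(n), Fraction(1, 2))


def chapter_delta(n: int) -> Fraction:
    """The chapter's exponent (3n-1)/(4n+4), stated for n >= 2."""
    if n < 2:
        raise ValueError("the chapter's bound is stated for n >= 2")
    return Fraction(3 * n - 1, 4 * n + 4)


def below(d: int, N: int, delta: Fraction) -> bool:
    """Exact test of d < N**delta: compare d**q with N**p for delta = p/q."""
    return d**delta.denominator < N**delta.numerator


def in_chapter_range(N: int, ds: list[int]) -> bool:
    """True when every private exponent sharing N is under the chapter's bound."""
    delta = chapter_delta(len(ds))
    return all(below(d, N, delta) for d in ds)


if __name__ == "__main__":
    for n in range(2, 9):
        print(n, float(hgs_delta(n)), float(hgs_delta_capped(n)), float(chapter_delta(n)))
    # Constructed 2048-bit stand-in for a modulus (only its size matters here).
    N = (1 << 2047) + 1
    print(in_chapter_range(N, [1 << 800, 1 << 850]))  # both under N**(5/12)
    print(in_chapter_range(N, [1 << 800, 1 << 900]))  # second one is above it
```

Comparing `d**q` with `N**p` keeps the check exact for moduli of any size, where a floating-point `N**delta` would lose precision.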