Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Chapter 4: Cryptanalysis of RSA with more than one Decryption Exponent
bitsize of N and exponential in the number of decryption exponents n. Putting n = 2, we find δ < 0.416. However, for this special case of n = 2, we show that our strategy can extend the bound to δ < 0.422. Our result has another component: it handles the case where some of the most significant bits (MSBs) of the decryption exponents are the same (but unknown). This implicit information increases the bounds on the decryption exponents even further. We present experimental results to support our claim. As explained in the introduction of [62], we also agree that studying this kind of cryptanalysis may not have a direct impact on RSA as used in practice. However, there are a few issues for which this problem is interesting.

• This shows how one can find further weaknesses of RSA with additional public information – in this case, more than one encryption exponent.
• Moreover, this shows how one can extend the ideas of [15,130], where a single encryption exponent is considered, to more than one exponent.

4.1 Theoretical Result

We need the following technical result that will be used later. A general treatment in this direction is available in [63, Theorem 1, Page 230].

Lemma 4.1. For any fixed positive integer r ≥ 1, and a large integer m,

$$\sum_{t=1}^{m} t^{r} = \frac{m^{r+1}}{r+1} + o(m^{r+1}).$$

Proof. Let $S = 1^{r} + 2^{r} + \dots + m^{r}$. Then we have

$$\int_{0}^{m} x^{r}\,dx < S < \int_{1}^{m+1} x^{r}\,dx$$

$$\Rightarrow \frac{m^{r+1}}{r+1} < S < \frac{(m+1)^{r+1} - 1}{r+1}$$

$$\Rightarrow \frac{m^{r+1}}{r+1} < S < \frac{(m+1)^{r+1}}{r+1}.$$

Now, $\frac{(m+1)^{r+1}}{r+1} - \frac{m^{r+1}}{r+1}$ contains the terms $m^{i}$ for $i \le r$. Thus, for a fixed r and large m, one can write

$$S = \frac{m^{r+1}}{r+1} + o(m^{r+1}).$$