Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

65 4.1 Theoretical Result Hence the required result. Now we may proceed to our main result for this section. Theorem 4.2. Suppose that n ≥ 2 and (e 1 ,...,e n ) are n RSA encryption exponents with common modulus N. Also suppose that gcd(e i ,e j ) = 1 for all i ≠ j where 1 ≤ i,j ≤ n. Let d 1 ,...,d n be the corresponding decryption exponents with d 1 ,...,d n < N δ . Then, under Assumption 1, one can factor N in poly{logN,exp(n)} time if ⎧ ⎪⎨ δ < ⎪⎩ 0.422 for n = 2 3n−1 4n+4 for n ≥ 3 Proof. We have, e 1 d 1 = 1 + k 1 (N + r), e 2 d 2 = 1 + k 2 (N + r), ..., e n d n = 1 + k n (N+r), where r = −p−q+1. Let ∏ n i=1 e i = E. Multiplying the n equations by E e 1 , E e 2 ,..., E e n respectively, and then subtracting all the other equations from the first one, we get E ( d 1 − ) n∑ d i = E − e 1 i=2 n∑ j=2 ( E E +(N +r) k 1 − e j e 1 n∑ j=2 ) E k j . e j Now, we want to find a solution (d 1 −d 2 −···−d n ,k 1 ,...,k n ,r) of the polynomial f(x 1 ,x 2 ,...,x n+2 ) = Ex 1 − ( E e 1 − n∑ j=2 ) ( E E −(N +x n+2 ) x 2 − e j e 1 n∑ j=2 ) E x j+1 . e j Note that f(x 1 ,x 2 ,...,x n+2 ) is an irreducible polynomial as the encryption exponents are relatively prime. Since d i < N δ for 1 ≤ i ≤ n, |d 1 − ∑ n i=2 d i| < N δ , treating n as a constant and neglecting it. Also, we have |r| < ( 1+ √ 2 ) N 1 2 and k i < N δ for 1 ≤ i ≤ n. Let X 1 = X 2 = ··· = X n+1 = N δ and X n+2 = N 1 2. Then X 1 ,X 2 ,...,X n+2 aretheupperboundsof(d 1 − ∑ n i=2 d i),k 1 ,...,k n ,r respectively, neglecting constant terms. Using the extended strategy of Section 2.6.2, we define S = ⋃ 0≤j≤t {x i 1 1 x i 2 2 ···x i n+2+j n+2 : x i 1 1 x i 2 2 ···x i n+2 n+2 is a monomial of f m } M = {monomials of x i 1 1 x i 2 2 ···x i n+2 n+2 ·f : x i 1 1 x i 2 2 ···x i n+2 n+2 ∈ S},
Chapter 4: Cryptanalysis of RSA with more than one Decryption Exponent 66 where t is a non-negative integer. Thus we get the following: x i 1 1 x i 2 2 ···x i n+2 n+2 ∈ S ⇔ ⎧ ⎪⎨ i 1 = 0,...,m i 2 = 0,...,m−i 1 . ⎪⎩ i n+1 = 0,...,m−i 1 −···−i n i n+2 = 0,...,i 2 +···+i n+1 +t x i 1 1 x i 2 2 ···x i n+2 n+2 ∈ M ⇔ ⎧ ⎪⎨ ⎪⎩ i 1 = 0,...,m+1 i 2 = 0,...,m+1−i 1 . i n+1 = 0,...,m+1−i 1 −···−i n , i n+2 = 0,...,i 2 +···+i n+1 +t. Apart from f, we need to find at least n+1 more polynomials f 1 ,f 2 ,...f n+1 that share the same root (d 1 −d 2 −···−d n ,k 1 ,...,k n ,r) over the integers. Considering a small fixed n, we know that these polynomials can be found by LLL [77] algorithm in poly(logN) time if X s 1 1 X s 2 2 ···X s n+2 n+2 < W s for s j = ∑ x i 1 1 ···x i n+2 n+2 ∈M\Si j with j = 1,...,n+2, s = |S|, and W = ||f(x 1 X 1 ,...x n+2 X n+2 )|| ∞ ≥ Ne 2···e n X 2 ≈ N n+δ , assuming the e i ’s are of full bitsize for 2 ≤ i ≤ n. From the structure of the polynomialf,itisclearthats 2 ,...,s n+1 areequal. Thusweonlyneedtocalculate 1 1 The detailed calculations for s,s 1 ,...,s n+2 are quite tedious and these are presented a little later, not to hamper the continuity of this proof.
Page 1:
some results on Cryptanalysis of RS
Page 5 and 6:
Abstract In this thesis, we propose
Page 7 and 8:
Acknowledgements There are many peo
Page 9:
To Thaakuma (Grandmother), the firs
Page 12 and 13:
2.3.7 Small Decryption Exponent Att
Page 14 and 15:
7.4 The General Solution for EPACDP
Page 17 and 18:
List of Figures 1.1 Communication o
Page 19 and 20:
Chapter 1: Introduction 2 The motiv
Page 21 and 22:
Chapter 1: Introduction 4 there is
Page 23 and 24:
Chapter 1: Introduction 6 Discrete
Page 25 and 26:
Chapter 1: Introduction 8 Chapter 5
Page 28 and 29:
Chapter 2 Mathematical Preliminarie
Page 30 and 31:
13 2.2 RSA Cryptosystem are impleme
Page 32 and 33: 15 2.2 RSA Cryptosystem • private
Page 34 and 35: 17 2.2 RSA Cryptosystem istic prima
Page 36 and 37: 19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39: 21 2.2 RSA Cryptosystem integer x <
Page 40 and 41: 23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43: 25 2.3 Cryptanalysis of RSA The att
Page 44 and 45: 27 2.4 Lattice and LLL Algorithm No
Page 46 and 47: 29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49: 31 2.5 Solving Modular Polynomials
Page 56 and 57: 39 2.6 Solving Integer Polynomials
Page 58 and 59: 41 2.6 Solving Integer Polynomials
Page 60 and 61: 43 2.7 Analysis of the Root Finding
Page 62: 45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66: Chapter 3: A class of Weak Encrypti
Page 81: Chapter 4: Cryptanalysis of RSA wit
Page 85 and 86: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93: Chapter 5 Reconstruction of Primes
Page 94 and 95: 77 5.1 LSB Case: Combinatorial Anal
Page 102 and 103: 85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105: 87 5.3 MSB Case: Our Method and its
Page 112 and 113: Chapter 6 Implicit Factorization In
Page 114 and 115: 97 6.1 Implicit Factoring of Two La
Page 116 and 117: 99 6.1 Implicit Factoring of Two La
Page 118 and 119: 101 6.1 Implicit Factoring of Two L
Page 124 and 125: 107 6.2 Two Primes with Shared Cont
Page 126 and 127: 109 6.2 Two Primes with Shared Cont
Page 128 and 129: 111 6.3 Exposing a Few MSBs of One
Page 130 and 131: 113 6.3 Exposing a Few MSBs of One
Page 132 and 133:
Chapter 7 Approximate Integer Commo
Page 134 and 135:
117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137:
119 7.2 Finding Smooth Integers in
Page 138 and 139:
121 7.3 Extension of Approximate Co
Page 140 and 141:
123 7.4 The General Solution for EP
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
133 7.5 Sublattice and Generalized
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
139 7.6 Improved Results for Larger
Page 158 and 159:
141 7.6 Improved Results for Larger
Page 160 and 161:
143 7.7 EGACDP The approach in this
Page 162 and 163:
145 7.7 EGACDP Sinceinthiscasethema
Page 164:
147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168:
Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170:
Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172:
Chapter 8: Conclusion 154 represent
Page 173 and 174:
Chapter 8: Conclusion 156 Final Wor
Page 175 and 176:
BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178:
BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180:
BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182:
BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184:
BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185:
BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?