Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Chapter 4: <strong>Cryptanalysis</strong> <strong>of</strong> <strong>RSA</strong> with more than one Decryption Exponent 66<br />
where t is a non-negative integer. Thus we get the following:<br />
x i 1<br />
1 x i 2<br />
2 ···x i n+2<br />
n+2 ∈ S ⇔<br />
⎧<br />
⎪⎨<br />
i 1 = 0,...,m<br />
i 2 = 0,...,m−i 1<br />
.<br />
⎪⎩<br />
i n+1 = 0,...,m−i 1 −···−i n<br />
i n+2 = 0,...,i 2 +···+i n+1 +t<br />
x i 1<br />
1 x i 2<br />
2 ···x i n+2<br />
n+2 ∈ M ⇔<br />
⎧<br />
⎪⎨<br />
⎪⎩<br />
i 1 = 0,...,m+1<br />
i 2 = 0,...,m+1−i 1<br />
.<br />
i n+1 = 0,...,m+1−i 1 −···−i n ,<br />
i n+2 = 0,...,i 2 +···+i n+1 +t.<br />
Apart from f, we need to find at least n+1 more polynomials f 1 ,f 2 ,...f n+1 that<br />
share the same root (d 1 −d 2 −···−d n ,k 1 ,...,k n ,r) over the integers.<br />
Considering a small fixed n, we know that these polynomials can be found by<br />
LLL [77] algorithm in poly(logN) time if<br />
X s 1<br />
1 X s 2<br />
2 ···X s n+2<br />
n+2 < W s<br />
for s j = ∑ x i 1<br />
1 ···x i n+2<br />
n+2 ∈M\Si j with j = 1,...,n+2, s = |S|, and<br />
W = ||f(x 1 X 1 ,...x n+2 X n+2 )|| ∞ ≥ Ne 2···e n X 2 ≈ N n+δ ,<br />
assuming the e i ’s are <strong>of</strong> full bitsize for 2 ≤ i ≤ n. From the structure <strong>of</strong> the<br />
polynomialf,itisclearthats 2 ,...,s n+1 areequal. Thusweonlyneedtocalculate 1<br />
1 The detailed calculations for s,s 1 ,...,s n+2 are quite tedious and these are presented a little<br />
later, not to hamper the continuity <strong>of</strong> this pro<strong>of</strong>.