Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
67 4.1 Theoretical Result<br />
s,s 1 ,s 2 and s n+2 . We get,<br />
s ≈<br />
s 1 ≈<br />
s 2 = ··· = s n+1 ≈<br />
s n+2 ≈<br />
1<br />
(n−1)! · m n+2<br />
(n+1)(n+2) + t<br />
(n−1)! · m n+1<br />
n(n+1) ,<br />
m n+2<br />
(n−1)!·(n+2)(n+1) + tm n+1<br />
(n−1)!·n(n+1) ,<br />
m n+2<br />
n!·(n+2) + tm n+1<br />
(n−2)!·n(n−1)(n+1) ,<br />
m n+2<br />
(n−1)!·2(n+2) +t· m n+1 m n<br />
(n−1)!·(n+1) +t2 ·<br />
(n−1)!·2n .<br />
Consider t = τm, where τ ≥ 0 is a real number. Putting the values <strong>of</strong><br />
X 1 ,X 2 ,...,X n+2 , s 1 ,...,s n+2 ,s, and the lower bound <strong>of</strong> W in the condition<br />
X s 1<br />
1 X s 2<br />
2 ...X s n+2<br />
n+2 < W s , we get<br />
n 2 τ 2 +4n 2 τδ−2n 2 τ +3nτ 2 +4n 2 δ+8nτδ−3n 2 −4nτ +2τ 2 +4nδ+n < 0. (4.2)<br />
The optimal value <strong>of</strong> τ to maximize δ is (1−2δ)n . One may note that τ ≤ 0 when<br />
1+n<br />
the maximum value <strong>of</strong> δ is greater than 1 . For the cases n ≥ 3, we get that the<br />
2<br />
upper bound <strong>of</strong> δ greater than 1 for τ = 0. Thus in these cases, it is enough to<br />
2<br />
consider τ = 0, i.e., t = 0. In these cases, putting τ = 0 in (4.2), we get<br />
δ < 3n−1<br />
4n+4 .<br />
For the cases n ≥ 3, extra shifts over the variable x n+2 does not provide any<br />
improvement in the theoretical bound. Thus, it is enough to consider i n+2 =<br />
0,...,i 2 + ··· + i n+1 instead <strong>of</strong> i n+2 = 0,...,i 2 + ··· + i n+1 + t. For the case<br />
n = 2 though, the extra shifts over x 4 provide theoretical improvements. Putting<br />
τ = (1−2δ)n<br />
1+n<br />
in (4.2), we get δ < 0.422, which provides a better bound compared to<br />
3×2−1<br />
4×2+4 ≈ 0.416.<br />
Using the strategy <strong>of</strong> Section 2.6, one can construct a lattice L from S,M. The<br />
bitsize <strong>of</strong> the entries <strong>of</strong> L is poly(logN), and<br />
dim(L) = |M| =<br />
1<br />
(n−1)!·<br />
(m+1) n+2<br />
(n+1)(n+2) +<br />
(n−1)!·(m+1)n+1 t<br />
+o((m+1) n+2 ).<br />
n(n+1)<br />
The running time <strong>of</strong> our algorithm is dominated by the LLL algorithm run on L,<br />
which takes time polynomial in the dimension <strong>of</strong> the lattice and in the bitsize <strong>of</strong>