Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Chapter 4: Cryptanalysis of RSA with more than one Decryption Exponent
the entries. Since the lattice dimension in our case is exponential in $n$, the total
running time for this method is $\mathrm{poly}\{\log N, \exp(n)\}$.
Remark 4.3. If the encryption exponents are not relatively prime, as assumed
in Theorem 4.2, then $f(x_1, x_2, \ldots, x_{n+2})$ will not be an irreducible polynomial.
However, the GCD of any two encryption exponents will be small in general, and
hence $f(x_1, x_2, \ldots, x_{n+2})$ will be of the form $c\,g(x_1, x_2, \ldots, x_{n+2})$, where $c$ is a small
constant. In this case, one needs to find the root of $g(x_1, x_2, \ldots, x_{n+2})$ instead.

| | n = 2 | n = 3 | n = 4 | n = 5 | n = 6 |
|---|---|---|---|---|---|
| Method of [62] | 0.357 | 0.400 | 0.441 | 0.468 | 0.493 |
| Our Method | 0.422 | 0.500 | 0.550 | 0.583 | 0.607 |

Table 4.1: Comparison of our theoretical bounds with that of [62].

Our bound in Theorem 4.2 is clearly better than that of Howgrave-Graham
and Seifert [62]. Our approach works when the upper bound on $d_i$ is less than $N^{0.75}$ for
$1 \le i \le n$ as $n \to \infty$, whereas the bound is $N^{0.5}$ in [62]. In Table 4.1, we present
comparative upper bounds on $d_i$ for different values of $n$.
Theorem 4.2 may be extended when some of the most significant bits (MSBs)
of the decryption exponents are the same (but unknown). This implicit information
increases the bound on the decryption exponents even further, as follows.
Corollary 4.4. Let $e_1, \ldots, e_n$ (where $n \ge 2$) be RSA encryption exponents with
common modulus $N$, and suppose that $d_1, \ldots, d_n$ are the corresponding decryption
exponents. Also suppose that $\gcd(e_i, e_j) = 1$ for all $i \ne j$ where $1 \le i, j \le n$. Let
$d_1, d_2, \ldots, d_n < N^{\delta}$ and $|d_u - d_v| < N^{\beta}$ for $u \ne v \in [1, n]$. Then one can factor $N$
in $\mathrm{poly}\{\log N, \exp(n)\}$ time when
$$\tau = \max\left\{0,\ \frac{-2n\delta + n - 2\beta + 2\delta}{n+1}\right\}$$
and
$$n^2\tau^2 + 4n^2\tau\delta - 2n^2\tau + 3n\tau^2 + 4n\tau\beta + 4n^2\delta + 4n\tau\delta - 3n^2 - 4n\tau + 2\tau^2 + 4n\beta + 8\tau\beta - 8\tau\delta + n < 0.$$
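The condition of Corollary 4.4 can be evaluated numerically to see which exponent sizes it covers. The Python sketch below is an added example, not part of the thesis: the function names are hypothetical, and modelling "no shared MSBs" as β = δ is an assumption of the example. With that choice it reproduces the "Our Method" row of Table 4.1 and approaches 0.75 for large n.

```python
"""Added example: evaluate the bound of Corollary 4.4 numerically."""


def tau(n, delta, beta):
    # tau = max{0, (-2n*delta + n - 2*beta + 2*delta) / (n + 1)}
    return max(0.0, (-2 * n * delta + n - 2 * beta + 2 * delta) / (n + 1))


def lhs(n, delta, beta):
    # Left-hand side of the inequality; the corollary applies when it is < 0.
    t = tau(n, delta, beta)
    return (n*n*t*t + 4*n*n*t*delta - 2*n*n*t + 3*n*t*t + 4*n*t*beta
            + 4*n*n*delta + 4*n*t*delta - 3*n*n - 4*n*t + 2*t*t
            + 4*n*beta + 8*t*beta - 8*t*delta + n)


def max_delta(n, beta=None, iters=60):
    """Largest delta (d_i < N^delta) satisfying the condition, by bisection.

    beta=None models exponents with no shared MSBs (assumption: beta = delta).
    A given beta is capped at delta, since |d_u - d_v| < N^delta always holds.
    """
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        b = mid if beta is None else min(beta, mid)
        if lhs(n, mid, b) < 0:
            lo = mid
        else:
            hi = mid
    return lo


def in_range(n, modulus_bits, d_bits, diff_bits=None):
    """Key-audit helper: do n exponents of d_bits bits (pairwise differences of
    diff_bits bits) under one modulus satisfy the corollary's condition?"""
    delta = d_bits / modulus_bits
    beta = delta if diff_bits is None else min(diff_bits / modulus_bits, delta)
    return lhs(n, delta, beta) < 0


if __name__ == "__main__":
    print(" n  beta=delta  beta=0.3")
    for n in range(2, 7):
        print(f"{n:2d}  {max_delta(n):10.3f}  {max_delta(n, beta=0.3):8.3f}")
```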
Proof. First consider the case when $n$ is even. If $E = \prod_{i=1}^{n} e_i$, we have
$$E \cdot \sum_{i=1}^{n} (-1)^{i+1} d_i = \left( \sum_{j=1}^{n} (-1)^{j+1} \frac{E}{e_j} \right) + (N + r) \cdot \sum_{j=1}^{n} (-1)^{j+1} \frac{E}{e_j} k_j.$$