Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
5.1 LSB Case: Combinatorial Analysis of Existing Work
[Figure 5.2 (tree diagram not reproduced): two panels with p[i] = 0 known, one for p[i]+q[i] ≡ 0 (mod 2) and one for p[i]+q[i] ≡ 1 (mod 2).]
Figure 5.2: Branching when exactly one bit of p[i], q[i] is known.
and otherwise we do not. In the case where neither of the possibilities for $p_i, q_i$ generated from $p_{i-1}, q_{i-1}$ satisfy the relation, we discard the whole subtree rooted at $p_{i-1}, q_{i-1}$. Thus, the pruning procedure not only discards the wrong ones at level $i$, but also discards subtrees from level $i-1$, thereby narrowing down the search tree. An example case (p[i] = 0 and q[i] = 1 are known, say) may be presented as in Figure 5.3.
[Figure 5.3 (tree diagram not reproduced): two panels with p[i] = 0 and q[i] = 1 known, each labelled p[i]+q[i] ≡ 1 (mod 2).]
Figure 5.3: Branching when both the bits p[i], q[i] are known.
Based on our discussion so far, let us try to model the growth of the search tree following Algorithm 7. As both p, q are odd, we have p[0] = 1 and q[0] = 1. Thus the tree starts from $W_0 = 1$ and the expansion or contraction of the tree at each level can be modeled as follows.
• p[i] = UNKNOWN, q[i] = UNKNOWN: $W_i = 2W_{i-1}$.
• p[i] = KNOWN, q[i] = UNKNOWN: $W_i = W_{i-1}$.
• p[i] = UNKNOWN, q[i] = KNOWN: $W_i = W_{i-1}$.
• p[i] = KNOWN, q[i] = KNOWN: $W_i = \gamma_i W_{i-1}$.
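
The following is an added example, not code from the thesis: a small LSB-first branch-and-prune search that records the width $W_i$ at every level so the four cases above can be checked on a concrete run. The function names, the two 7-bit primes and the known-bit pattern are constructed for illustration, and the relation is assumed to be agreement of $p_i q_i$ with $N$ modulo $2^{i+1}$.

```python
# Added example: LSB-first branch-and-prune with per-level width tracking.
# Names and sample values are illustrative, not taken from the thesis.

def bits_with_mask(x, known_positions, nbits):
    """Bits of x, LSB first; positions outside known_positions become None."""
    return [(x >> i) & 1 if i in known_positions else None for i in range(nbits)]

def reconstruct(N, p_known, q_known):
    """Return (widths, candidates): widths[i] is W_i, candidates are (p, q) pairs."""
    nbits = len(p_known)
    cands = [(1, 1)]   # p[0] = q[0] = 1 because p and q are odd
    widths = [1]       # W_0 = 1
    for i in range(1, nbits):
        nxt = []
        for pp, qq in cands:
            # pp*qq == N (mod 2^i), so bit i of N - pp*qq fixes p[i] + q[i] mod 2.
            t = ((N - pp * qq) >> i) & 1
            for a in (0, 1):
                b = a ^ t
                if p_known[i] not in (None, a) or q_known[i] not in (None, b):
                    continue   # contradicts a known bit: prune this branch
                nxt.append((pp | (a << i), qq | (b << i)))
        cands = nxt            # a parent with no surviving child drops out here
        widths.append(len(cands))
    return widths, cands

# Constructed sample: two 7-bit primes and an arbitrary pattern of known bits.
P, Q = 101, 109
N = P * Q
P_KNOWN = bits_with_mask(P, {0, 2, 5}, 7)
Q_KNOWN = bits_with_mask(Q, {0, 1, 5, 6}, 7)

if __name__ == "__main__":
    widths, cands = reconstruct(N, P_KNOWN, Q_KNOWN)
    for i, w in enumerate(widths):
        print(f"level {i}: p known={P_KNOWN[i] is not None}, "
              f"q known={Q_KNOWN[i] is not None}, W_i={w}")
    print("surviving candidates:", sorted(cands))
```

In this run the width doubles at levels 3 and 4 (both bits unknown), stays constant where exactly one bit is known, and halves from 4 to 2 at level 5 where both bits are known; the swapped pair (109, 101) survives alongside the true factors because it agrees with every known bit.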