Prime Numbers

432 Chapter 8 THE UBIQUITY OF PRIME NUMBERS
Argue now that the private key D can be obtained (since you know the
public pair N,E) in polynomial effort (operation count bounded by a
power of ln N).
(4) So-called timing attacks have also been developed. If a machine calculates
numbers such as xD using a power ladder whose square and multiply
operations take different but fixed times, one can glean information about
the exponent D. Say that you demand of a cryptosystem the generation
of many signatures x D i
mod N for i running through some set, and that
you store the respective times Ti required for the signing system to give
the i-th signature. Then do the same timing experiment but for each x 3 i ,
say. Describe how correlations between the sets {ti} and {Ti} can be used
to determine bits of the private exponent D.
We have given above just a smattering of RSA attack notions. There are
also attacks based on lattice reduction [Coppersmith 1997] and interesting
issues involving the (incomplete) relation between factoring and breaking RSA
[Boneh and Venkatesan 1998]. There also exist surveys on this general topic
[Boneh 1999]. We are grateful to D. Cao for providing some ideas for this
exercise.
8.3. We have noted that both y-coordinates and the “clue” point are not
fundamentally necessary in the transmission of embedded encryption from
Algorithm 8.1.10. With a view to Algorithm 7.2.8 and the Miller generator,
equation (8.1), work out an explicit, detailed algorithm for direct embedding
but with neither y-coordinates nor data expansion (except that one will still
need to transmit the sign bit d—an asymptotically negligible expansion). You
might elect to use a few more “parity bits,” for example in Algorithm 7.2.8
you may wish to specify one of two quadratic roots, and so on.
8.4. Describe how one may embed any plaintext integer X ∈{0,...,p− 1}
on a single given curve, by somehow counting up from X as necessary, until
X 3 + aX + b is a quadratic residue (mod p). One such scheme is described in
[Koblitz 1987].
8.5. In Algorithm 8.1.10 when is it the case that X is the x-coordinate of a
point on both curves E,E ′ ?
8.6. Whenever we use Montgomery parameterization (Algorithm 7.2.7) in
any cryptographic mode, we do not have access to the precise Y -coordinate.
Actually, for the Montgomery (X, Z) pair we know that Y 2 = (X/Z) 3 +
c(X/Z) 2 + a(X/Z) +b, thustherecanbetwopossiblerootsforY . Explain
how, if Alice is to communicate to Bob a point (X, Y ) on the curve, then she
can effect so-called “point compression,” meaning that she can send Bob the
X coordinate and just a very little bit more.
But before she can send accurate information, Alice still needs to know
herself which is the correct Y root. Design a cryptographic scheme (e.g.,
key exchange) where Montgomery (X, Z) algebra is used but Y is somehow
recovered. (One reason to have Y present is simply that some current industry