Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Chapter 2: Mathematical Preliminaries 22<br />
CRT-<strong>RSA</strong> with d p −d q = 2<br />
To reduce the storage space for the CRT-<strong>RSA</strong> parameters, Qiao and Lam [102]<br />
proposed using CRT-<strong>RSA</strong> with d p − d q = 2. In this case, one needs to store<br />
only one <strong>of</strong> the decryption exponents and the other one can be generated trivially<br />
at runtime. This variant <strong>of</strong> <strong>RSA</strong> is very useful in case <strong>of</strong> hand-held devices like<br />
smart-cards, which have comparatively low storage capacities. However, Jochemsz<br />
and May [65] showed that some lattice-based attacks on CRT-<strong>RSA</strong> can be made<br />
stronger if d p −d q = 2, and this is a major drawback <strong>of</strong> this variant <strong>of</strong> <strong>RSA</strong>.<br />
Multi Prime <strong>RSA</strong><br />
Some time it is useful to choose an <strong>RSA</strong> modulus N = p 1 p 2···p r with distinct<br />
primes p i , or to choose N = p r q with p ≠ q. The first one is known as multi prime<br />
<strong>RSA</strong>, and the second variant was proposed by Takagi [127]. The reader may refer<br />
to [53] for various interesting results related to multi prime <strong>RSA</strong>.<br />
Common Prime <strong>RSA</strong><br />
A special instance <strong>of</strong> <strong>RSA</strong> where gcd(p − 1,q − 1) is large, is known as common<br />
prime <strong>RSA</strong>. Attacks on <strong>RSA</strong> which exploit small decryption exponent d work less<br />
efficiently [52] in this variant <strong>of</strong> <strong>RSA</strong>. The reader may refer to [54] to know the<br />
current results related to common prime <strong>RSA</strong>.<br />
2.3 <strong>Cryptanalysis</strong> <strong>of</strong> <strong>RSA</strong><br />
From the previous discussion, we may recall that c = m e mod N is the main<br />
relation between the plaintext and the ciphertext in <strong>RSA</strong>. From the point <strong>of</strong> view<br />
<strong>of</strong> an attacker, the <strong>RSA</strong> Problem can be framed as follows.<br />
Problem 2.9 (<strong>RSA</strong> Problem). Consider an <strong>RSA</strong> setup with public key (e,N),<br />
private key (d,N) and c = m e mod N. Given just 〈c,e,N〉, find message m.<br />
As c 1/e is m in Z N , if one can find the e-th root <strong>of</strong> the ciphertext c in Z N ,<br />
then he/she can obtain the plaintext m. So <strong>RSA</strong> problem can also be stated as a<br />
problem to find the e-th root <strong>of</strong> a given integer modulo N. However it is believed