Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

25 2.3 Cryptanalysis of RSA The attacker can find m 1 and m 2 by computing β(c 2 +2α 3 c 1 −β 3 ) α(c 2 −α 3 c 1 +2β 3 ) ≡ m 1 (mod N) and m 2 = αm 1 +β mod N. 2.3.5 Broadcast Attack Håstad [48,49] proved that for small encryption exponent e, if the same plaintext m is sent to different receivers, then RSA may be weak. In 2008, May and Ritzenhofen [85] improved this attack of Håstad. 2.3.6 Timing Attack In 1995, Kocher [72] proposed a new attack on RSA to obtain the private exponent d. He showed that an attacker can get a few bits of d by timing characteristic of an RSA implementing device. After the publication of this idea, the vulnerabilities of RSA were tested against a lot of side channel attacks in this direction [8,16,38]. 2.3.7 Small Decryption Exponent Attack In 1990, Wiener [130] proved that if the decryption exponent d < 1N 4, 1 one can 3 factor N in polynomial time when the primes p,q are of the same bitsize. He used certain results from Continued Fractions to prove this. Let us first take a look at the theoretical background. Continued Fraction (CF) Given a positive rational number a , it can be represented as a finite CF expression b as follows. a b = q 1 1 + 1 q 2 + q 3 +···+ 1 q m
Chapter 2: Mathematical Preliminaries 26 In short, one can write the CF representation as [q 1 ,q 2 ,q 3 ,...,q m ]. For example, take the rational number 34 34 . One can write this as = [0,2,1,10,3], that is, 99 99 0+ 1 99 34 = 0+ 1 2+ 31 34 = 0+ 1 2+ 1 34 31 = 0+ 1 2+ 1 1+ 3 31 = 0+ 1 2+ 1 1+ 31 1 3 = 0+ 1 2+ 1 1+ 1 10+ 1 3 . Now consider a subsequence [0,2,1] of [0,2,1,10,3]. Note that 0 + 1 = 2+ 1 1 1 = 33 34 , which is very close to . This indicates that a subsequence of a CF 3 99 99 representation may produce a good approximation to the rational number. Any initial subsequence of [q 1 ,q 2 ,q 3 ,...,q m ], i.e, [q 1 ,q 2 ,q 3 ,...,q r ], where 1 ≤ r ≤ m is called a convergent of the original sequence [q 1 ,q 2 ,q 3 ,...,q m ]. For example, [0,2,1] is a convergent of [0,2,1,10,3], which implies that 1 = 33 is a convergent 3 99 . Also note that if the subsequence has a 1 at the end then it may also be of 34 99 representedbyaddingthat1tothepreviousintegerandthusshorteningthelength of the subsequence. For example, both [0,2,1] and [0,3] provide the same rational number. There are many interesting results about the convergence of continued fractionrepresentations. Forthepurposeathand, weneedthefollowingresult[47]. Theorem 2.10. Suppose gcd(a,b) = gcd(c,d) = 1 and | a b − c d | < 1 2d 2 . Then c d is represented by one of the convergents of the continued fraction expansion of a b . It is also important to note that for t bit integers a,b, the CF expression [q 1 ,q 2 ,q 3 ,...,q m ] of a can be computed in O(poly(t)) time and can be stored in b O(poly(t)) space. Let us see how this may be utilized to attack RSA. Wiener’s Attack We have ed ≡ 1 (mod N). So we can write ed = 1 + kφ(N) for some integer k. So, e φ(N) − k d = 1 dφ(N) .
Page 1: some results on Cryptanalysis of RS
Page 5 and 6: Abstract In this thesis, we propose
Page 7 and 8: Acknowledgements There are many peo
Page 9: To Thaakuma (Grandmother), the firs
Page 12 and 13: 2.3.7 Small Decryption Exponent Att
Page 14 and 15: 7.4 The General Solution for EPACDP
Page 17 and 18: List of Figures 1.1 Communication o
Page 19 and 20: Chapter 1: Introduction 2 The motiv
Page 21 and 22: Chapter 1: Introduction 4 there is
Page 23 and 24: Chapter 1: Introduction 6 Discrete
Page 25 and 26: Chapter 1: Introduction 8 Chapter 5
Page 28 and 29: Chapter 2 Mathematical Preliminarie
Page 30 and 31: 13 2.2 RSA Cryptosystem are impleme
Page 32 and 33: 15 2.2 RSA Cryptosystem • private
Page 34 and 35: 17 2.2 RSA Cryptosystem istic prima
Page 36 and 37: 19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39: 21 2.2 RSA Cryptosystem integer x <
Page 40 and 41: 23 2.3 Cryptanalysis of RSA to be h
Page 44 and 45: 27 2.4 Lattice and LLL Algorithm No
Page 46 and 47: 29 2.4 Lattice and LLL Algorithm Wh
Page 48 and 49: 31 2.5 Solving Modular Polynomials
Page 56 and 57: 39 2.6 Solving Integer Polynomials
Page 58 and 59: 41 2.6 Solving Integer Polynomials
Page 60 and 61: 43 2.7 Analysis of the Root Finding
Page 62: 45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66: Chapter 3: A class of Weak Encrypti
Page 81 and 82: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93:
Chapter 5 Reconstruction of Primes
Page 94 and 95:
77 5.1 LSB Case: Combinatorial Anal
Page 96 and 97:
Page 98 and 99:
Page 100 and 101:
Page 102 and 103:
85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105:
87 5.3 MSB Case: Our Method and its
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Chapter 6 Implicit Factorization In
Page 114 and 115:
97 6.1 Implicit Factoring of Two La
Page 116 and 117:
99 6.1 Implicit Factoring of Two La
Page 118 and 119:
101 6.1 Implicit Factoring of Two L
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
107 6.2 Two Primes with Shared Cont
Page 126 and 127:
109 6.2 Two Primes with Shared Cont
Page 128 and 129:
111 6.3 Exposing a Few MSBs of One
Page 130 and 131:
113 6.3 Exposing a Few MSBs of One
Page 132 and 133:
Chapter 7 Approximate Integer Commo
Page 134 and 135:
117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137:
119 7.2 Finding Smooth Integers in
Page 138 and 139:
121 7.3 Extension of Approximate Co
Page 140 and 141:
123 7.4 The General Solution for EP
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
133 7.5 Sublattice and Generalized
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
139 7.6 Improved Results for Larger
Page 158 and 159:
141 7.6 Improved Results for Larger
Page 160 and 161:
143 7.7 EGACDP The approach in this
Page 162 and 163:
145 7.7 EGACDP Sinceinthiscasethema
Page 164:
147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168:
Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170:
Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172:
Chapter 8: Conclusion 154 represent
Page 173 and 174:
Chapter 8: Conclusion 156 Final Wor
Page 175 and 176:
BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178:
BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180:
BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182:
BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184:
BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185:
BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?