Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

More documents

Recommendations

Info

31 2.5 Solving Modular Polynomials 3 4. ||v 4 1 ∗ || 2 = 4·5 3 = 15 > ||µ 4 2,1v ∗ 1 +v ∗ 2 || = || 1 5 (1,2)+(4 5 ,−2 )|| = ||(1,0)|| = 1. 5 5. v 1 = (1,0),v 2 = (1,2). 6. v ∗ 1 = v 1 = (1,0). [ ] 7. [µ 2,1 ] = 〈v2 ,v ∗ 1 〉 ||v ∗ 1 = [ 1] = 1. || 2 1 8. v 2 = (1,2)−1(1,0) = (0,2). 9. 3 4 ||v 1 ∗ || 2 = 3 4 < ||µ 2,1v 1 ∗ +v 2 ∗ || = ||0(1,0)+(0,2)|| = 2. Hence LLL reduced basis is B ′ = {r 1 ,r 2 } with r 1 = (1,0),r 2 = (0,2). There are numerous applications of lattices in cryptology, both for cryptanalysis and for constructive cryptographic design. In this thesis we mainly focus on Coppersmith’s [24] idea and its modifications for solving polynomials using lattice basis reduction. The root finding techniques proposed by Coppersmith are comprehensively discussed in the Doctoral thesis of Jochemsz [64]. For many more applications of lattices, the reader may refer to the papers by Joux and Stern [68], and Nguyen and Stern [94]. For more results related to lattices and lattice basis reduction, refer to [21,95,106,121]. 2.5 Solving Modular Polynomials In 1996, Coppersmith [23] introduced a method for finding small modular roots of univariate polynomial. Since then, the method is used in various applications in Public Key Cryptography. Let f N (x) = ∑ a i x i be a univariate modular polynomial over Z N . The terms i x i of f N with nonzero coefficients are called monomials. The norm of the polynomial is defined as ||f N || = √ ∑i a2 i . In general, the roots of f N(x) can not be found [25, Section 6] efficiently. However, finding small roots may be possible in polynomial time. To find a small modular root x 0 of f N (x), one needs to find a polynomial h(x) such that h(x 0 ) = 0 holds over integers. Then following the method of Sturm sequence [70], the root x 0 may be obtained efficiently. This is the main idea behind Coppersmith’s method.
Chapter 2: Mathematical Preliminaries 32 2.5.1 Coppersmith’s Method Suppose we have a modular polynomial f N (x) with a small root x 0 in Z N . To construct the polynomial h(x), we fix a positive integer m and generate a set of univariate polynomials g jk , called the shift polynomials, as follows. g jk (x) = x j (f N (x)) k N m−k for k = 0,...,m and some choice of j. Clearly, g jk (x 0 ) = 0 mod N m . Thus, any integer linear combination h(x) of g jk (x) has also got a root x 0 modulo N m . Now if |h(x 0 )| < N m , then h(x 0 ) = 0 holds over integers as well, and we have obtained our desired function h(x). The following theorem due to Howgrave-Graham [59] reformulates Coppersmith’s idea of finding modular roots to prescribe a condition under which we can conclude that h(x 0 ) = 0 holds over integers. Theorem 2.22. Let h(x) ∈ Z[x] be an integer polynomial with n monomials. Further, let m be a positive integer. Then, h(x 0 ) = 0 over integers if the following two conditions are satisfied. • h(x 0 ) ≡ 0 (mod N m ) and |x 0 | < X • ||h(xX)|| < Nm √ n . Proof. Notice that we have ∑ |h(x 0 )| = h ∣ i x i 0 ∣ ≤ ∑ i i ∑ ∣ hi x i ∣ 0 ≤ |h i |X i ≤ √ n·||h(xX)|| < N m . i Now since N m divides h(x 0 ) by the first condition, h(x 0 ) = 0. To obtain the desired function h(x), we construct a lattice L with basis vectors coming from the coefficient vectors of the polynomials g jk (xX). Now, our goal is to find an integer linear combination of these coefficient vectors, that is a vector in the lattice L, for which the norm is smaller than Nm √ n . Such a function will satisfy the conditions of Theorem 2.22. But this problem is analogous to finding a short vector in a given lattice, and one can use the LLL algorithm to the basis spanned by the coefficient vectors of g jk (xX) to do so. Note that the polynomial r 1 (x) corresponds to the smallest vector generated by the LLL algorithm over an
Page 1: some results on Cryptanalysis of RS
Page 5 and 6: Abstract In this thesis, we propose
Page 7 and 8: Acknowledgements There are many peo
Page 9: To Thaakuma (Grandmother), the firs
Page 12 and 13: 2.3.7 Small Decryption Exponent Att
Page 14 and 15: 7.4 The General Solution for EPACDP
Page 17 and 18: List of Figures 1.1 Communication o
Page 19 and 20: Chapter 1: Introduction 2 The motiv
Page 21 and 22: Chapter 1: Introduction 4 there is
Page 23 and 24: Chapter 1: Introduction 6 Discrete
Page 25 and 26: Chapter 1: Introduction 8 Chapter 5
Page 28 and 29: Chapter 2 Mathematical Preliminarie
Page 30 and 31: 13 2.2 RSA Cryptosystem are impleme
Page 32 and 33: 15 2.2 RSA Cryptosystem • private
Page 34 and 35: 17 2.2 RSA Cryptosystem istic prima
Page 36 and 37: 19 2.2 RSA Cryptosystem Afterfindin
Page 38 and 39: 21 2.2 RSA Cryptosystem integer x <
Page 40 and 41: 23 2.3 Cryptanalysis of RSA to be h
Page 42 and 43: 25 2.3 Cryptanalysis of RSA The att
Page 44 and 45: 27 2.4 Lattice and LLL Algorithm No
Page 46 and 47: 29 2.4 Lattice and LLL Algorithm Wh
Page 50 and 51: 33 2.5 Solving Modular Polynomials
Page 56 and 57: 39 2.6 Solving Integer Polynomials
Page 58 and 59: 41 2.6 Solving Integer Polynomials
Page 60 and 61: 43 2.7 Analysis of the Root Finding
Page 62: 45 2.9 Conclusion 2.9 Conclusion No
Page 65 and 66: Chapter 3: A class of Weak Encrypti
Page 81 and 82: Chapter 4: Cryptanalysis of RSA wit
Page 92 and 93: Chapter 5 Reconstruction of Primes
Page 94 and 95: 77 5.1 LSB Case: Combinatorial Anal
Page 96 and 97: 79 5.1 LSB Case: Combinatorial Anal
Page 98 and 99:
81 5.1 LSB Case: Combinatorial Anal
Page 100 and 101:
83 5.1 LSB Case: Combinatorial Anal
Page 102 and 103:
85 5.2 LSB Case: Lattice Based Tech
Page 104 and 105:
87 5.3 MSB Case: Our Method and its
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
Page 112 and 113:
Chapter 6 Implicit Factorization In
Page 114 and 115:
97 6.1 Implicit Factoring of Two La
Page 116 and 117:
99 6.1 Implicit Factoring of Two La
Page 118 and 119:
101 6.1 Implicit Factoring of Two L
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
107 6.2 Two Primes with Shared Cont
Page 126 and 127:
109 6.2 Two Primes with Shared Cont
Page 128 and 129:
111 6.3 Exposing a Few MSBs of One
Page 130 and 131:
113 6.3 Exposing a Few MSBs of One
Page 132 and 133:
Chapter 7 Approximate Integer Commo
Page 134 and 135:
117 7.1 Finding q −1 mod p ≡ Fa
Page 136 and 137:
119 7.2 Finding Smooth Integers in
Page 138 and 139:
121 7.3 Extension of Approximate Co
Page 140 and 141:
123 7.4 The General Solution for EP
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
133 7.5 Sublattice and Generalized
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
139 7.6 Improved Results for Larger
Page 158 and 159:
141 7.6 Improved Results for Larger
Page 160 and 161:
143 7.7 EGACDP The approach in this
Page 162 and 163:
145 7.7 EGACDP Sinceinthiscasethema
Page 164:
147 7.8 Conclusion poly{loga,k}. Th
Page 167 and 168:
Chapter 8: Conclusion 150 Chapter 3
Page 169 and 170:
Chapter 8: Conclusion 152 p 1 ,p 2
Page 171 and 172:
Chapter 8: Conclusion 154 represent
Page 173 and 174:
Chapter 8: Conclusion 156 Final Wor
Page 175 and 176:
BIBLIOGRAPHY 158 [9] J. Blömer and
Page 177 and 178:
BIBLIOGRAPHY 160 [31] B. de Weger.
Page 179 and 180:
BIBLIOGRAPHY 162 [54] M.J.Hinek. Cr
Page 181 and 182:
BIBLIOGRAPHY 164 [76] A. K. Lenstra
Page 183 and 184:
BIBLIOGRAPHY 166 [97] A. Nitaj. Cry
Page 185:
BIBLIOGRAPHY 168 [121] C. L. Siegel
show all

Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...

Create successful ePaper yourself

Delete template?

Save as template?