Date of Submission

2-28-2011

Date of Award

2-28-2012

Institute Name (Publisher)

Indian Statistical Institute

Document Type

Doctoral Thesis

Degree Name

Doctor of Philosophy

Subject Name

Cryptology

Department

Applied Statistics Unit (ASU-Kolkata)

Supervisor

Maitra, Subhamoy (ASU-Kolkata; ISI)

Abstract (Summary of the Work)

In this thesis, we propose some new results in Cryptanalysis of RSA and related Factorization problems. Till date, the best known algorithm to solve the Integer Factorization problem is the Number Field Sieve, which has a runtime greater than exp(log1/3 N) for factoring an integer N. However, if one obtains certain information about the RSA parameters, there are algorithms which can factor the RSA modulus N = pq quite efficiently. The intention of this thesis is to identify such weaknesses of the RSA cryptosystem and its variants. Further we study results related to factorization.In Africacrypt 2008, Nitaj presented a class of weak keys in RSA considering certain properties of the encryption exponent e. We show that this result can be generalized from different aspects. We consider the cases when e satisfies an equation of the form eX −ψY = 1 under some specific constraints on two integers X, Y and a function ψ. Using the idea of Boneh and Durfee (Eurocrypt 1999, IEEE-IT 2000), we show that the LLL algorithm can be efficiently applied to get ψ in cases where Y satisfies certain bounds. This idea extends the class of weak keys presented by Nitaj when ψ is of the form (p − u)(q − v) for RSA primes p, q and integers u, v. Further, we consider the form ψ = N − pu − v for integers u, v to present a new class of weak keys in RSA. This idea does not require any kind of factorization as used in Nitaj’s work.Next, we analyze the security of RSA where multiple encryption are available for the same modulus N. We show that if n many corresponding decryption exponents (d1, . . . , dn) are generated, then RSA is insecure when di < N 3n−1 4n+4 , for all i, 1 ≤ i ≤ n and n ≥ 2. Our result improves the bound of Howgrave-Graham and Seifert (CQRE 1999).We also discuss the factorization of N by reconstructing the primes from randomly known bits. We revisit the work of Heninger and Shacham (Crypto 2009) and provide a combinatorial model for the reconstruction where some random bits of the primes are known. This shows how one can factorize N given the knowledge of random bits in the least significant halves of the primes. We also explain a lattice based strategy in this direction. More importantly, we study how N can be factored given the knowledge of some blocks of bits in the most significant halves of the primes. We present improved theoretical result and experimental evidences in this direction.In PKC 2009, May and Ritzenhofen presented interesting problems related to factoring large integers with some implicit hints. One of the problems considers N1 = p1q1 and N2 = p2q2, where p1, p2, q1, q2 are large primes, and the primes p1, p2 are of same bitsize such that certain amount of Least Significant Bits (LSBs) of p1, p2 are same. May and Ritzenhofen proposed a strategy to factorize both N1, N2 efficiently with the implicit information that p1, p2 share certain amount of LSBs.

Comments

ProQuest Collection ID: http://gateway.proquest.com/openurl?url_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:dissertation&res_dat=xri:pqm&rft_dat=xri:pqdiss:28842812

Control Number

ISILib-TH306

Creative Commons License

Creative Commons Attribution 4.0 International License
This work is licensed under a Creative Commons Attribution 4.0 International License.

DOI

http://dspace.isical.ac.in:8080/jspui/handle/10263/2146

Download

Included in

Mathematics Commons

Share

COinS