Date of Submission


Date of Award


Institute Name (Publisher)

Indian Statistical Institute

Document Type

Doctoral Thesis

Degree Name

Doctor of Philosophy

Subject Name



Applied Statistics Unit (ASU-Kolkata)


Maitra, Subhamoy (ASU-Kolkata; ISI)

Abstract (Summary of the Work)

In this thesis, we propose some new results in Cryptanalysis of RSA and related Factorization problems. To date, the best known algorithm to solve the Integer Factorization problem is the Number Field Sieve, which has a runtime greater than $\exp(\log^{1/3} N)$ for factoring an integer $N$. However, if one obtains certain information about the RSA parameters, there are algorithms which can factor the RSA modulus $N = pq$ quite efficiently. The intention of this thesis is to identify such weaknesses of the RSA cryptosystem and its variants. Further, we study results related to factorization.

In Africacrypt 2008, Nitaj presented a class of weak keys in RSA considering certain properties of the encryption exponent $e$. We show that this result can be generalized from different aspects. We consider the cases when $e$ satisfies an equation of the form $eX - \psi Y = 1$ under some specific constraints on two integers $X$, $Y$ and a function $\psi$. Using the idea of Boneh and Durfee (Eurocrypt 1999, IEEE-IT 2000), we show that the LLL algorithm can be efficiently applied to get $\psi$ in cases where $Y$ satisfies certain bounds. This idea extends the class of weak keys presented by Nitaj when $\psi$ is of the form $(p - u)(q - v)$ for RSA primes $p$, $q$ and integers $u$, $v$. Further, we consider the form $\psi = N - pu - v$ for integers $u$, $v$ to present a new class of weak keys in RSA. This idea does not require any kind of factorization as used in Nitaj's work.

Next, we analyze the security of RSA where multiple encryption exponents are available for the same modulus $N$. We show that if $n$ corresponding decryption exponents $(d_1, \ldots, d_n)$ are generated, then RSA is insecure when $d_i < N^{\frac{3n-1}{4n+4}}$ for all $i$, $1 \le i \le n$, and $n \ge 2$. Our result improves the bound of Howgrave-Graham and Seifert (CQRE 1999).

We also discuss the factorization of $N$ by reconstructing the primes from randomly known bits. We revisit the work of Heninger and Shacham (Crypto 2009) and provide a combinatorial model for the reconstruction where some random bits of the primes are known. This shows how one can factorize $N$ given the knowledge of random bits in the least significant halves of the primes. We also explain a lattice-based strategy in this direction. More importantly, we study how $N$ can be factored given the knowledge of some blocks of bits in the most significant halves of the primes. We present improved theoretical results and experimental evidence in this direction.

In PKC 2009, May and Ritzenhofen presented interesting problems related to factoring large integers with some implicit hints. One of the problems considers $N_1 = p_1 q_1$ and $N_2 = p_2 q_2$, where $p_1, p_2, q_1, q_2$ are large primes, and the primes $p_1, p_2$ are of the same bit size such that a certain number of Least Significant Bits (LSBs) of $p_1, p_2$ are the same. May and Ritzenhofen proposed a strategy to factorize both $N_1, N_2$ efficiently with the implicit information that $p_1, p_2$ share a certain number of LSBs.
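The reconstruction of primes from randomly known bits mentioned above can be illustrated with a branch-and-prune search in the style of Heninger and Shacham; this is an added example, not code from the thesis. It goes beyond the abstract's setting by recovering both primes completely from the LSB upward, and its inputs are constructed: two well-known 30-bit primes, a 60% leak rate and a fixed seed, with hypothetical function names.

```python
import random

def leak_bits(x, nbits, fraction, rng):
    """Return {bit index: bit value} for a random subset of the bits of x."""
    return {i: (x >> i) & 1 for i in range(nbits) if rng.random() < fraction}

def reconstruct(N, nbits, known_p, known_q):
    """Branch and prune from the LSB upward.

    Keeps every pair (p mod 2^(i+1), q mod 2^(i+1)) that agrees with the
    known bits and satisfies p*q = N (mod 2^(i+1)).
    Returns (list of (p, q) with p*q == N, peak number of live candidates).
    """
    if known_p.get(0, 1) != 1 or known_q.get(0, 1) != 1:
        return [], 0               # factors of an odd N must be odd
    cands, peak = [(1, 1)], 1
    for i in range(1, nbits):
        mod = 1 << (i + 1)
        nxt = []
        for p, q in cands:
            for bp in (0, 1):
                if known_p.get(i, bp) != bp:
                    continue       # contradicts a leaked bit of p
                for bq in (0, 1):
                    if known_q.get(i, bq) != bq:
                        continue   # contradicts a leaked bit of q
                    p2, q2 = p | (bp << i), q | (bq << i)
                    if (p2 * q2 - N) % mod == 0:
                        nxt.append((p2, q2))
        cands = nxt
        peak = max(peak, len(cands))
    return [(p, q) for p, q in cands if p * q == N], peak

def demo(fraction=0.6, seed=2012):
    P, Q = 1000000007, 998244353   # constructed input: two known 30-bit primes
    rng = random.Random(seed)
    known_p = leak_bits(P, 30, fraction, rng)
    known_q = leak_bits(Q, 30, fraction, rng)
    sols, peak = reconstruct(P * Q, 30, known_p, known_q)
    return P, Q, sols, peak

if __name__ == "__main__":
    P, Q, sols, peak = demo()
    print("recovered:", sols, "peak candidates:", peak)
```

Lowering `fraction` makes `peak` grow, because every bit position where neither prime's bit is known leaves two surviving extensions per candidate.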


ProQuest Collection ID:

Control Number


Creative Commons License

Creative Commons Attribution 4.0 International License
This work is licensed under a Creative Commons Attribution 4.0 International License.


Included in

Mathematics Commons