#### Date of Submission

2-28-2011

#### Date of Award

2-28-2012

#### Institute Name (Publisher)

Indian Statistical Institute

#### Document Type

Doctoral Thesis

#### Degree Name

Doctor of Philosophy

#### Subject Name

Cryptology

#### Department

Applied Statistics Unit (ASU-Kolkata)

#### Supervisor

Maitra, Subhamoy (ASU-Kolkata; ISI)

#### Abstract (Summary of the Work)

In this thesis, we propose some new results in Cryptanalysis of RSA and related Factorization problems. Till date, the best known algorithm to solve the Integer Factorization problem is the Number Field Sieve, which has a runtime greater than exp(log1/3 N) for factoring an integer N. However, if one obtains certain information about the RSA parameters, there are algorithms which can factor the RSA modulus N = pq quite efficiently. The intention of this thesis is to identify such weaknesses of the RSA cryptosystem and its variants. Further we study results related to factorization.In Africacrypt 2008, Nitaj presented a class of weak keys in RSA considering certain properties of the encryption exponent e. We show that this result can be generalized from different aspects. We consider the cases when e satisfies an equation of the form eX âˆ’ÏˆY = 1 under some specific constraints on two integers X, Y and a function Ïˆ. Using the idea of Boneh and Durfee (Eurocrypt 1999, IEEE-IT 2000), we show that the LLL algorithm can be efficiently applied to get Ïˆ in cases where Y satisfies certain bounds. This idea extends the class of weak keys presented by Nitaj when Ïˆ is of the form (p âˆ’ u)(q âˆ’ v) for RSA primes p, q and integers u, v. Further, we consider the form Ïˆ = N âˆ’ pu âˆ’ v for integers u, v to present a new class of weak keys in RSA. This idea does not require any kind of factorization as used in Nitajâ€™s work.Next, we analyze the security of RSA where multiple encryption are available for the same modulus N. We show that if n many corresponding decryption exponents (d1, . . . , dn) are generated, then RSA is insecure when di < N 3nâˆ’1 4n+4 , for all i, 1 â‰¤ i â‰¤ n and n â‰¥ 2. Our result improves the bound of Howgrave-Graham and Seifert (CQRE 1999).We also discuss the factorization of N by reconstructing the primes from randomly known bits. We revisit the work of Heninger and Shacham (Crypto 2009) and provide a combinatorial model for the reconstruction where some random bits of the primes are known. This shows how one can factorize N given the knowledge of random bits in the least significant halves of the primes. We also explain a lattice based strategy in this direction. More importantly, we study how N can be factored given the knowledge of some blocks of bits in the most significant halves of the primes. We present improved theoretical result and experimental evidences in this direction.In PKC 2009, May and Ritzenhofen presented interesting problems related to factoring large integers with some implicit hints. One of the problems considers N1 = p1q1 and N2 = p2q2, where p1, p2, q1, q2 are large primes, and the primes p1, p2 are of same bitsize such that certain amount of Least Significant Bits (LSBs) of p1, p2 are same. May and Ritzenhofen proposed a strategy to factorize both N1, N2 efficiently with the implicit information that p1, p2 share certain amount of LSBs.

#### Control Number

ISILib-TH306

#### Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

#### DOI

http://dspace.isical.ac.in:8080/jspui/handle/10263/2146

#### Recommended Citation

Sarkar, Santanu Dr., "Some Results on Cryptanalysis of RSA And Factorization." (2012). *Doctoral Theses*. 36.

https://digitalcommons.isical.ac.in/doctoral-theses/36

## Comments

ProQuest Collection ID: http://gateway.proquest.com/openurl?url_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:dissertation&res_dat=xri:pqm&rft_dat=xri:pqdiss:28842812