d q1 mod p [1283, 1276]. These additional numbers can easily be calculated from the private and public keys.

Security of RSA
The security of RSA depends wholly on the problem of factoring large numbers. Technically, that’s a lie. It is conjectured that the security of RSA depends on the problem of factoring large numbers. It has never been mathematically proven that you need to factor n to calculate m from c and e. It is conceivable that an entirely different way to cryptanalyze RSA might be discovered. However, if this new way allows the cryptanalyst to deduce d, it could also be used as a new way to factor large numbers. I wouldn’t worry about it too much.

It is also possible to attack RSA by guessing the value of (p - 1)(q - 1). This attack is no easier than factoring n [1616].

For the ultraskeptical, some RSA variants have been proved to be as difficult as factoring (see Section 19.5). Also look at [36], which shows that recovering even certain bits of information from an RSA-encrypted ciphertext is as hard as decrypting the entire message.

Factoring n is the most obvious means of attack. Any adversary will have the public key, e, and the modulus, n. To find the decryption key, d, he has to factor n. Section 11.4 discusses the current state of factoring technology. Currently, a 129-decimal-digit modulus is at the edge of factoring technology. So, n must be larger than that. Read Section 7.2 on public key length.

It is certainly possible for a cryptanalyst to try every possible d until he stumbles on the correct one. This brute-force attack is even less efficient than trying to factor n.

From time to time, people claim to have found easy ways to break RSA, but to date no such claim has held up. For example, in 1993 a draft paper by William Payne proposed a method based on Fermat’s little theorem [1234]. Unfortunately, this method is also slower than factoring the modulus.

There’s another worry. Most common algorithms for computing primes p and q are probab...
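The two equivalences stated above (deducing d gives a way to factor n, and knowing (p - 1)(q - 1) gives the factors directly) can be checked numerically. The following is an added example, not code from the text; the function names are hypothetical and the key is a constructed toy key built from two small Mersenne primes.

```python
from math import gcd, isqrt

# Constructed toy key (far too small for real use): two Mersenne primes.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # private exponent (Python 3.8+)

def factor_from_phi(n, phi):
    """Recover p, q from n and (p-1)(q-1).

    p + q = n - phi + 1, so p and q are the roots of
    x^2 - (p + q)x + n = 0.
    """
    s = n - phi + 1
    disc = s * s - 4 * n
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("phi is not (p-1)(q-1) for this n")
    return (s - root) // 2, (s + root) // 2

def factor_from_d(n, e, d, max_base=200):
    """Recover p, q from n and a matching key pair (e, d).

    e*d - 1 is a multiple of the order of every unit mod n. Writing it
    as 2^t * r and squaring g^r repeatedly exposes a square root of 1
    other than +/-1 for at least half of all bases g; such a root
    shares exactly one prime factor with n.
    """
    r, t = e * d - 1, 0
    while r % 2 == 0:
        r //= 2
        t += 1
    for g in range(2, max_base):
        f = gcd(g, n)
        if f > 1:                      # base happens to share a factor
            return min(f, n // f), max(f, n // f)
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue                   # this base reveals nothing
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                 # x^2 = 1 with x != +/-1 (mod n)
                f = gcd(x - 1, n)
                return min(f, n // f), max(f, n // f)
            if y == n - 1:
                break                  # reached -1, try the next base
            x = y
    raise ValueError("no factor found; e and d may not match n")
```

Both functions run in polynomial time, which is why an attack that yields d or (p - 1)(q - 1) cannot be easier than factoring n.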
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.