• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.9
• /
• pp.3841-3857
• /
• 2020

RSA is one of the best well-known public key cryptosystems. This methodology is widely used at present because there is not any algorithm which can break this system that has all strong parameters within polynomial time. However, it may be easily broken when at least one parameter is weak. In fact, many weak parameters are already found and are solved by some algorithms. Some examples of weak parameters consist of a small private key, a large private key, a small prime factor and a small result of the difference between two prime factors. In this paper, the new weakness of RSA is proposed. Assuming Euler's totient value, Φ (n), can be rewritten as Φ (n) = ad + b, where d is the private key and a, b ∈ ℤ, if a divides both of Φ (n) and b and the new exponent for the decryption equation is a small integer, this condition is assigned as the new weakness for breaking RSA. Firstly, the specific algorithm which is created for this weakness directly is proposed. Secondly, two equations are presented to find a, b and d. In fact, one of two equations must be implemented to find a and b at first. After that, the other equation is chosen to find d. The experimental results show that if this weakness has happened and the new exponent is small, original plaintext, m, will be recovered very fast. Furthermore, number of steps to recover d are very small when a is large. However, if a is too large, d may not be recovered because m which must be always written as m = h^a is higher than modulus.

• Journal of the Korea Society of Computer and Information
• /
• v.20 no.8
• /
• pp.29-33
• /
• 2015

This paper proposes a discrete logarithm algorithm that remarkably reduces the execution time of Pollard's Rho algorithm. Pollard's Rho algorithm computes congruence or collision of ${\alpha}^a{\beta}^b{\equiv}{\alpha}^A{\beta}^B$ (modp) from the initial value a = b = 0, only to derive ${\gamma}$ from $(a+b{\gamma})=(A+B{\gamma})$, ${\gamma}(B-b)=(a-A)$. The basic Pollard's Rho algorithm computes $x_i=(x_{i-1})^2,{\alpha}x_{i-1},{\beta}x_{i-1}$ given ${\alpha}^a{\beta}^b{\equiv}x$(modp), and the general algorithm computes $x_i=(x_{i-1})^2$, $Mx_{i-1}$, $Nx_{i-1}$ for randomly selected $M={\alpha}^m$, $N={\beta}^n$. This paper proposes 4-model Pollard Rho algorithm that seeks ${\beta}_{\gamma}={\alpha}^{\gamma},{\beta}_{\gamma}={\alpha}^{(p-1)/2+{\gamma}}$, and ${\beta}_{{\gamma}^{-1}}={\alpha}^{(p-1)-{\gamma}}$) from $m=n={\lceil}{\sqrt{n}{\rceil}$, (a,b) = (0,0), (1,1). The proposed algorithm has proven to improve the performance of the (0,0)-basic Pollard's Rho algorithm by 71.70%.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.16 no.6
• /
• pp.2074-2093
• /
• 2022

RSA is known as one of the best techniques for securing secret information across an unsecured network. The private key which is one of private parameters is the aim for attackers. However, it is exceedingly impossible to derive this value without disclosing all unknown parameters. In fact, many methods to recover the private key were proposed, the performance of each algorithm is acceptable for the different cases. For example, Wiener's attack is extremely efficient when the private key is very small. On the other hand, Fermat's factoring can quickly break RSA when the difference between two large prime factors of the modulus is relatively small. In general, if all private parameters are not disclosed, attackers will be able to confirm that the private key is unquestionably inside the scope [3, n - 2], where n is the modulus. However, this scope has already been reduced by increasing the greatest lower bound to [d_il, n - 2], where d_il ≥ 3. The aim of this paper is to decrease the least upper bound to narrow the scope that the private key will remain within this boundary. After finishing the proposed method, the new scope of the private key can be allocated as [d_il, d_ir], where d_ir ≤ n - 2. In fact, if the private key is extremely close to the new greatest lower bound, it can be retrieved quickly by performing a brute force attack, in which d_ir is decreased until it is equal to the private key. The experimental results indicate that the proposed method is extremely effective when the difference between prime factors is close to each other and one of two following requirement holds: the first condition is that the multiplier of Euler totient function is very close to the public key's small value whereas the second condition is that the public key should be large whenever the multiplier is far enough.

• Journal of the Korea Society of Computer and Information
• /
• v.18 no.8
• /
• pp.87-93
• /
• 2013

A baby-step giant-step algorithm divides n by n blocks that possess $m={\lceil}\sqrt{n}{\rceil}$ elements, and subsequently computes and stores $a^x$ (mod n) for m elements in the 1st block. It then calculates mod n for m blocks and identifies each of them with those in the 1st block of an identical elemental value. This paper firstly proposes a modified baby-step giant-step algorithm that divides ${\lceil}m/2{\rceil}$ blocks with m elements applying $a^{{\phi}(n)/2}{\equiv}1(mod\;n)$ and $a^x(mod\;n){\equiv}a^{{\phi}(n)+x}$ (mod n) principles. This results in a 50% decrease in the process of the giant-step. It then suggests a reverse baby-step giant step algorithm that performs and saves ${\lceil}m/2{\rceil}$ blocks firstly and computes $a^x$ (mod n) for m elements. The proposed algorithm is found to successfully halve the memory and search time of the baby-step giant step algorithm.