#### 18. Pohlig-Hellman

The Pohlig-Hellman [17] algorithm is a method to compute a discrete logarithm (a difficult problem in general) in a multiplicative group whose order is a smooth number (also called friable), meaning that the order factorizes into small primes. A positive integer is called $B$-smooth if none of its prime factors is greater than $B$. For example, 1620 has prime factorization $2^2 \cdot 3^4 \cdot 5$; therefore 1620 is 5-smooth because none of its prime factors is greater than 5. This is similar to the Overmars factorization method (Section 10). The core of the Pohlig-Hellman [17] algorithm applies to groups whose order is a prime power; the general case is reduced to it one prime power at a time and the partial results are recombined with the Chinese remainder theorem. The basic idea is to iteratively compute the $p$-adic digits of the logarithm by repeatedly "shifting out" all but one unknown digit in the exponent and computing that digit by elementary methods. This is a similar idea to Section 13.

INPUT: A cyclic group $G$ of order $n$ with a generator $g$, an element $h \in G$, and a prime factorization $n = \prod_{i=1}^{r} p_i^{e_i}$.

OUTPUT: The unique integer $x \in \{0, \ldots, n-1\}$ such that $g^x = h$.

Example: Let $p = 41$, $\alpha = 7$, $\beta = 12$; solve $12 = 7^x \bmod 41$.


Since $p - 1 = 40 = 2^3 \cdot 5$, the logarithm is found first modulo $2^3$, one binary digit at a time, and then modulo $5$.

For $g = 2$, $X = 2^0 x_0 + 2^1 x_1 + 2^2 x_2$:

i. $x_0$: $\beta^{(p-1)/g} = \alpha^{((p-1)/g)\,x_0} \Rightarrow 12^{40/2} = 7^{(40/2)\,x_0} \equiv -1 \bmod 41 = (-1)^{x_0} \bmod 41$. Test for $x_0 = 0, 1, 2, \ldots$: $-1 \bmod 41 \neq (-1)^0 \bmod 41$; $-1 \bmod 41 = (-1)^1 \bmod 41$, hence $x_0 = 1$.

ii. $x_1$: $\beta_1 = \beta_0\,\alpha^{-x_0} = 12 \cdot 7^{-1} = 31 \bmod 41$; $\beta_1^{(p-1)/g^2} = \alpha^{((p-1)/g)\,x_1} \Rightarrow 31^{40/4} = 7^{(40/2)\,x_1} \Rightarrow 31^{10} = 7^{20 x_1} \equiv 1 \bmod 41 = (-1)^{x_1} \bmod 41$, hence $x_1 = 0$.

iii. $x_2$: $\beta_2 = \beta_1\,\alpha^{-2x_1} = 31 \cdot 7^{0} = 31 \bmod 41$; $\beta_2^{(p-1)/g^3} = \alpha^{((p-1)/g)\,x_2} \Rightarrow 31^{40/8} = 7^{(40/2)\,x_2} \Rightarrow 31^{5} = 7^{20 x_2} \equiv -1 \bmod 41 = (-1)^{x_2} \bmod 41$, hence $x_2 = 1$.

Recall: $X = 2^0 x_0 + 2^1 x_1 + 2^2 x_2$, so $X = 1 \cdot 1 + 2 \cdot 0 + 4 \cdot 1 = 5$; $x \equiv 5 \bmod 2^3 = 5 \bmod 8$. Now we need another $x$ from the other prime factor, $g = 5$.

For $g = 5$, $x = 5^0 x_0$ (only one 5, only one term):

i. $x_0$: $\beta^{(p-1)/g} = \alpha^{((p-1)/g)\,x_0} \Rightarrow 12^{40/5} = 7^{(40/5)\,x_0} \Rightarrow 12^{8} = 7^{8 x_0} \Rightarrow 18 \equiv 37^{x_0} \bmod 41$. $x_0 \neq 0, 1$; try $x_0 = 2$: $18 \neq 37^{2} \bmod 41$; $18 \equiv 37^{3} \bmod 41$, hence $x = 5^0 x_0 = (1)(3) = 3$. Hence $x \equiv 3 \bmod 5$, so $x \equiv 5 \bmod 8$ and $x \equiv 3 \bmod 5$.


DOI: http://dx.doi.org/10.5772/intechopen.84852

Survey of RSA Vulnerabilities


By the Chinese remainder theorem, $x \equiv 13 \bmod 40$, since the exponents are taken modulo $p - 1 = 41 - 1 = 40$; hence $12 \equiv 7^{13} \bmod 41$. So the solution to $12 = 7^x \bmod 41$ is $x = 13$.
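As an added illustration (example code written for this section, not code from the chapter or from reference [17]), the following Python implements the procedure above for a prime modulus $p$ with smooth $p - 1$: it factors the group order, solves for the base-$q$ digits $x_0, x_1, \ldots$ inside each prime-power subgroup exactly as steps i to iii do, and recombines the results with the Chinese remainder theorem. The function names (`factorize`, `is_smooth`, `dlog_prime_power`, `crt`, `pohlig_hellman`) are this example's own; run on the chapter's values $p = 41$, $\alpha = 7$, $\beta = 12$ it returns 13.

```python
def factorize(n):
    """Trial-division prime factorization of n, returned as {prime: exponent}.
    Adequate here: Pohlig-Hellman only pays off when the group order is smooth."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_smooth(n, bound):
    """True if n is bound-smooth, i.e. no prime factor of n exceeds bound."""
    return n == 1 or max(factorize(n)) <= bound


def dlog_prime_power(alpha, beta, p, q, e):
    """Base-q digits [x_0, ..., x_{e-1}] of x with alpha^x = beta in Z_p^*, where
    alpha has order q^e.  Round k first strips the digits already known
    (beta_k = beta * alpha^{-(x_0 + q x_1 + ...)}, the text's beta_1, beta_2),
    then raises to q^e / q^(k+1) so that only digit x_k survives."""
    order = q ** e
    gamma = pow(alpha, order // q, p)      # generator of the subgroup of order q
    digits, known = [], 0
    for k in range(e):
        beta_k = pow(pow(alpha, -known, p) * beta, order // q ** (k + 1), p)
        # the surviving digit is a discrete log in a group of only q elements
        digit = next(d for d in range(q) if pow(gamma, d, p) == beta_k)
        digits.append(digit)
        known += digit * q ** k
    return digits


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i into x mod prod(m_i)."""
    x, modulus = 0, 1
    for r, m in zip(residues, moduli):
        t = ((r - x) * pow(modulus, -1, m)) % m
        x += modulus * t
        modulus *= m
    return x % modulus


def pohlig_hellman(alpha, beta, p):
    """Solve alpha^x = beta (mod p) for prime p with alpha a generator of Z_p^*.
    The cost is dominated by the largest prime factor q of p - 1, not by p."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factorize(n).items():
        qe = q ** e
        # project both elements into the subgroup of order q^e
        alpha_i, beta_i = pow(alpha, n // qe, p), pow(beta, n // qe, p)
        digits = dlog_prime_power(alpha_i, beta_i, p, q, e)
        residues.append(sum(d * q ** k for k, d in enumerate(digits)))
        moduli.append(qe)
    return crt(residues, moduli)


if __name__ == "__main__":
    # the chapter's example: p = 41, alpha = 7, beta = 12, with p - 1 = 40 = 2^3 * 5
    print(factorize(1620), is_smooth(1620, 5))    # {2: 2, 3: 4, 5: 1} True
    x = pohlig_hellman(7, 12, 41)
    print(x, pow(7, x, 41))                        # 13 12
```

The digit search inside `dlog_prime_power` is a brute-force loop over at most $q$ candidates, which is why the running time is governed by the largest prime factor of the group order rather than by the size of $p$: a group whose order has no large prime factor offers no discrete-log security, which is exactly the weakness Section 20 relies on when $|G|$ is smooth.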

#### 19. Shor's algorithm

Shor's algorithm [18] factors composite numbers $N = P_1 P_2$, consisting of two primes, in polynomial time using quantum computing techniques. The algorithm evaluates the period of $a^x \bmod n$ where $\gcd(a, n) = 1$. This is inefficient using sequential computing on a conventional computer. When run on a quantum computer, a congruence of squares is obtained with probability 0.5 in polynomial time. For two co-prime sinusoids of period $P_1$ and $P_2$, at what point do they zero-cross each other? The phase of each sinusoid at any given point is observed, and if they are

Figure 4. $N$ as a composite of two sinusoids $P_1$ and $P_2$ [19].


factors of $N$ then the phase of $P_1$ and $P_2$ is zero. Shor's algorithm tests the phase of $P_1 = P_2 = N = 0$ (Figure 4).

Phase estimation is well suited to quantum computers and hence this factorization technique produces solutions in polynomial time. For further information on quantum phase estimation, the reader is directed to WIKI [20]. The impact of this type of attack is discussed in detail by Mosca [21].

1. Choose $a < N$.

2. Find the period $r$ of $a^n \bmod N$ (using quantum computing).

3. Check that $r$ is even and $a^{r/2} + 1 \not\equiv 0 \bmod N$.


Modern Cryptography – Current Challenges and Solutions


$$4.\ P_1 = \gcd\left(a^{r/2} - 1,\ N\right),\qquad P_2 = \gcd\left(a^{r/2} + 1,\ N\right)$$

Consider $N = 35$:

1. $a$: $a < N$, choose $a = 8$.

2. Find the period $r$ of $a^n \bmod N$:

$$\begin{aligned} \text{a. } 8^1 \bmod 35 &= 8 \\ \text{b. } 8^2 \bmod 35 &= 29 \\ \text{c. } 8^3 \bmod 35 &= 22 \\ \text{d. } 8^4 \bmod 35 &= 1 \\ \text{e. } 8^5 \bmod 35 &= 8 \Rightarrow \text{period } r = 4 \end{aligned}$$

3. $r$: $r$ even; $r = 4$ is even.

$$\begin{aligned} 4.\ P_1 &= \gcd(a^{r/2} - 1, N) = \gcd(8^{4/2} - 1, 35) = \gcd(63, 35) = 7 \\ P_2 &= \gcd(a^{r/2} + 1, N) = \gcd(8^{4/2} + 1, 35) = \gcd(65, 35) = 5 \end{aligned}$$

Euler's factorization (Section 6) cannot be used because neither 7 nor 35 is a sum of two squares.

Fermat's factorization (Section 5)

$$N = (a - b)(a + b) = a^2 - b^2 = 36 - 1 = 6^2 - 1^2 = (6 - 1)(6 + 1) = (5)(7) = 35$$

Overmars factorization (Section 10)

$$N = [a(m - n) + 1][a(m + n) + 1] = [2(4 - 2) + 1][2(4 + 2) + 1] = [5][7]$$

Overmars triangles (Section 8), $\Delta(m, n) = \Delta(a, b, c)$: $\Delta(3, 1) = \Delta(12, 35, 37)$. Recalling $b(m, n) = (2m - 1)(2n + 2m - 1) \Rightarrow b(3, 1) = (5)(7)$.

#### 20. Attacking public key infrastructure

Public-key infrastructure cryptographic hardware uses a library, RSALib. It is found in devices certified under both NIST FIPS 140-2 and CC EAL 5+. These are certified devices for use in identity cards, passports, Trusted Platform Modules, PGP and tokens for authentication and software signing, in use in tens of millions of devices worldwide. Nemec et al. [22] have identified a vulnerability that allows for the factorization of 1024- and 2048-bit keys in less than 3 CPU months.


RSALib primes are of the form $p = k \cdot M + (65537^a \bmod M)$.

These can be fingerprinted using the discrete logarithm $\log_{65537} N \bmod M$:

$$N = P_1 P_2 = \left(k \cdot M + (65537^a \bmod M)\right)\left(l \cdot M + (65537^b \bmod M)\right) \Rightarrow N \equiv 65537^{a+b} \equiv 65537^{c} \bmod M$$

The public modulus $N$ is therefore generated by 65537 in the multiplicative group $\mathbb{Z}_M^*$. The public modulus of RSALib can thus be fingerprinted with the discrete logarithm $c = \log_{65537} N \bmod M$, which can be computed using Pohlig-Hellman (Section 16). The group $G = \langle 65537 \rangle$ is smooth: $|G| = 2^4 \cdot 3^4 \cdot 5^2 \cdot 7 \cdot 11 \cdot 13 \cdot 17 \cdot 23 \cdot 29 \cdot 37 \cdot 41 \cdot 53 \cdot 83$ for RSA512 keys. The smoothness of $G$ is due to the smoothness of $M$, which is a primorial.
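The fingerprint just described is also what a defender can use to find affected keys in an inventory. As an added example (written here; not the chapter's code and not the tool of Nemec et al.), the Python below checks the structure $N \equiv 65537^c \pmod M$ without computing the discrete logarithm at all: because $M$ is squarefree, $N$ lies in $G = \langle 65537 \rangle \bmod M$ exactly when $N \bmod p$ lies in $\langle 65537 \rangle \bmod p$ for every prime $p \mid M$, and each of those subgroups is tiny. The list `SMALL_PRIMES` and the `M` built from it are constructed stand-ins for the real $M$ (which is much larger and depends on the key size), `rsalib_style_prime` only reproduces the $p = kM + (65537^a \bmod M)$ shape with a Miller-Rabin test so that a structured $N$ can be built for the demonstration, and `fingerprint` is this example's name; an audit of real keys would use the published $M$ values for each key length.

```python
import random
from math import prod

# Constructed for this example: a small squarefree "M" built from the primes 3..97.
# The real RSALib M is a primorial with many more prime factors.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97]
M = prod(SMALL_PRIMES)
E = 65537


def subgroup(g, p):
    """The residues of <g> in Z_p^* for a small prime p (cheap to enumerate)."""
    members, v = set(), 1
    while v not in members:
        members.add(v)
        v = v * g % p
    return members


def fingerprint(N, primes=SMALL_PRIMES):
    """True when N mod p is in <65537> mod p for every prime p dividing M.
    With M squarefree that is exactly the condition for N to lie in the group G
    generated by 65537 modulo M, i.e. for c = log_65537 N (mod M) to exist."""
    return all(N % p in subgroup(E, p) for p in primes)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; probabilistic, but ample for this illustration."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def rsalib_style_prime(a, k=1):
    """A prime p = k*M + (65537^a mod M), the shape the text gives, found by
    walking k upward.  This reproduces only the structure, not RSALib's generator."""
    c = pow(E, a, M)
    while not is_probable_prime(k * M + c):
        k += 1
    return k * M + c


def demo_modulus(a=7, b=11):
    """Product of two constructed RSALib-shaped primes; N = 65537^(a+b) mod M holds."""
    return rsalib_style_prime(a) * rsalib_style_prime(b)


if __name__ == "__main__":
    N = demo_modulus()
    print(fingerprint(N))        # True: the structure survives multiplication
    print(fingerprint(3233))     # False: 3233 = 53 * 61 is not in <65537> mod 17
```

A modulus from an unrelated generator fails the test at the first prime whose subgroup $\langle 65537 \rangle \bmod p$ is a proper subgroup of $\mathbb{Z}_p^*$ (here $p = 17$, where 65537 has order 8), and the more primes in $M$ the smaller the false-positive rate; that is what makes the check usable at scale on certificate stores, TPM endorsement keys and PGP keyrings.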

Factorization is achieved using the Coppersmith algorithm with a known $p \bmod M$: $65537^a \bmod M$. Nemec et al. used the Howgrave-Graham [23] implementation of Coppersmith's algorithm to find a small solution $x_0$ of:

$$f(x) = x + \left(M'^{-1} \bmod N\right)\left(65537^{a'} \bmod M'\right) \pmod N$$

A summary of the RSALib vulnerability and its impact is now given; the reader is directed to Nemec et al. [22] for further detail. eIDs used in passports for citizens are affected. Code signing is vulnerable. Twenty-four percent of TPMs used in laptops are affected (sample size 41). A third of PGP keys, used in email systems, could be factorizable. There was no observable impact on TLS/HTTPS. One hundred percent of SCADA systems sampled were affected (sample size 15). E-health and EMV payment cards were also likely to be susceptible.

Mitigating the impact of the RSALib vulnerability requires changing the algorithm. This requires a firmware replacement, which is not possible in already deployed devices such as smartcards and TPMs whose code is stored in read-only memory. Key lengths other than 512, 1024, 2048 and 4096 bits, such as RSA3936, appear to be resilient. Key pairs generated outside of the vulnerable devices, using another library, could be deployed. Changes to RSALib are required so that provably safe primes are constructed without using the vulnerable method.

#### 21. Overmars factorization, bringing it together

Section 11 considered the following cases. The following discussion generalizes these cases and provides the structure for algorithmic solutions to be found. The palindromic nature of primes (Section 12) can be exploited further to explore solutions in a particular primorial range. Recall:

$$\text{Case } (1 \oplus\ominus,\ 2 \ominus\oplus):\quad (N + x^2) \bmod a^2 = 0,\quad P_1 = a(m - n) \pm x,\quad P_2 = a(m + n) \mp x$$

$$N = [a(m - n) \pm x][a(m + n) \mp x] = a^2(m^2 - n^2) \pm 2anx - x^2 = (am)^2 - (an \mp x)^2$$

$$\frac{N + x^2}{a} = a(m^2 - n^2) \pm 2nx \qquad a : a \text{ is a smooth factor of } N + x^2$$


$$\begin{aligned} n &= \frac{\sqrt{(am)^2 - N} \pm x}{a}, \qquad m : \frac{\sqrt{N + (a \mp x)^2}}{a} \le m < \infty \\ P_1 &= a(m - n) \pm x = am - \sqrt{(am)^2 - N}, \qquad N \bmod \left[am - \sqrt{(am)^2 - N}\right] \equiv 0 \end{aligned}$$

$$\text{Case } (3 \ominus\ominus,\ 4 \oplus\oplus):\quad (N - x^2) \bmod a^2 = 0,\quad P_1 = a(m - n) \mp x,\quad P_2 = a(m + n) \mp x$$

$$N = [a(m - n) \mp x][a(m + n) \mp x] = a^2(m^2 - n^2) \mp 2amx + x^2 = (am \mp x)^2 - (an)^2$$

$$\frac{N - x^2}{a} = a(m^2 - n^2) \mp 2mx \qquad a : a \text{ is a smooth factor of } N - x^2$$

$$n = \frac{\sqrt{(am \mp x)^2 - N}}{a}, \qquad m : \frac{\sqrt{N + a^2} \pm x}{a} \le m < \infty, \qquad m = \frac{\sqrt{N + (an)^2} \pm x}{a}$$

$$P_1 = a(m - n) \mp x = am \mp x - \sqrt{(am \mp x)^2 - N}, \qquad N \bmod \left[(am \mp x) - \sqrt{(am \mp x)^2 - N}\right] \equiv 0$$

Now we need to develop the methodology for finding (selecting) a and x. This brings together the concepts of primorials [9], Smooth [24], small factors [17], factorization (Fermat), modulo testing as per Atkin's Sieve [5] and the structure of primes (Sections 12 and 18), to find as large an a as possible so that Overmars Factorization [4] converges more rapidly to a solution.

Recall the following (Section 12). Primes are of the form $P = 4x \pm 1$ and $P = 6x \pm 1$. Composite numbers constructed from these primes, $N = P_1 P_2$, are a combination of Pythagorean and Gaussian primes. The following test, $(N \pm 1) \bmod 4 \equiv 0$, can be used to determine which combination of primes was used to construct the composite. If $(N + 1) \bmod 4 \equiv 0$ is true, a mix of Pythagorean and Gaussian primes was used. If $(N - 1) \bmod 4 \equiv 0$ is true, then the composite consists of only Gaussian or only Pythagorean primes. The Sieve of Atkin [5] uses $\bmod 12 \equiv 0$ and $\bmod 60 \equiv 0$. This is now applied as per Overmars [4] in the following manner: if $\bmod 12 \equiv 0$ is true then $a = 6$; if $\bmod 60 \equiv 0$ is true let $a = 30$. The ideas of Atkin are further extended in both directions: $\bmod 4 \equiv 0 \Rightarrow a = 2$, $\bmod 420 \equiv 0 \Rightarrow a = 210$, $\bmod 4620 \equiv 0 \Rightarrow a = 2310$, $\bmod 60060 \equiv 0 \Rightarrow a = 30030$…

This is the primorial, $P_k\#$: the $k$th primorial $P_k\#$ is "smooth". The general form (Section 19) is now given:

$$\text{Case } (1 \oplus\ominus,\ 2 \ominus\oplus):\quad \frac{N + x^2}{a} = a(m^2 - n^2) \pm 2nx,\quad (N + x^2) \bmod a \equiv 0,\quad a : a = 2P_k\#,\quad x : 1 \le x \le \frac{\sqrt{N}}{a}$$

$$\text{Case } (3 \ominus\ominus,\ 4 \oplus\oplus):\quad \frac{N - x^2}{a} = a(m^2 - n^2) \mp 2mx,\quad (N - x^2) \bmod a \equiv 0,\quad a : a = 2P_k\#,\quad x : 1 \le x \le \frac{\sqrt{N}}{a}$$

If $a : a = 2P_k\#$ can be chosen, then we search $x$ in the primes to find solutions to $(N - x^2) \bmod (2P_k\#) \equiv 0$. A solution is found for $P_1(m)$ when $P_1 \in \mathbb{Z}$:

$$\text{Case } (1 \oplus\ominus,\ 2 \ominus\oplus):\quad N \bmod [P_1] \equiv 0,\quad P_1 : P_1 = am - \sqrt{(am)^2 - N}$$

$$\text{Case } (3 \ominus\ominus,\ 4 \oplus\oplus):\quad N \bmod [P_1] \equiv 0,\quad P_1 : P_1 = am \mp x - \sqrt{(am \mp x)^2 - N}$$

Consider the Section 11 example, N = P1P2 ⇒ 8079781 = 1249 ∗ 6469.

Integer solutions x = √(N − 2bPk#). From Table 5, determining which x value should be used is not clear. Whilst x = 1 should work, no solutions will be found if a : a = 30. From Table 5, only when x = 11 or 19 do we find solutions. Ranking the possible solutions in terms of the number of factors, 29 (8) would be first, 19 (7) second and 11 (6) third.
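The candidate ranking and the m-search for this example (a = 30, x = 11 ⇒ m = 129), written out as an added Python example that is not the chapter's own code: it assumes the mod 60 test (2 · P3#) to screen odd x, tries both signs of am ∓ x in the Case (3, 4) form, and constructs N = 8079781 inline.

```python
from math import isqrt

# Constructed from the chapter's Section 11 example: N = 1249 * 6469, a = P3# = 30.
N_EXAMPLE = 8079781
A_EXAMPLE = 30


def prime_factor_count(n):
    """Prime factors of n counted with multiplicity, by trial division."""
    count, p = 0, 2
    while p * p <= n:
        while n % p == 0:
            n //= p
            count += 1
        p += 1
    return count + (1 if n > 1 else 0)


def smooth_candidates(N, modulus, x_max):
    """Odd x <= x_max with (N - x^2) mod modulus == 0, ranked most factors
    first (the Table 5 ranking). Returns (ranked list, {x: factor count})."""
    xs = [x for x in range(1, x_max + 1, 2) if (N - x * x) % modulus == 0]
    counts = {x: prime_factor_count(N - x * x) for x in xs}
    return sorted(xs, key=lambda x: -counts[x]), counts


def overmars_factor(N, a, x):
    """Case (3, 4) search: find m with t = a*m -/+ x and t^2 - N = r^2, so that
    N = (t - r)(t + r). Returns (P1, P2, m), or None if no m < (N + 1)/(2a) works."""
    m_max = (N + 1) // (2 * a)          # bound from P1 > 1 in the text
    for m in range(max(1, (isqrt(N) - x) // a), m_max + 1):
        for t in (a * m - x, a * m + x):
            d = t * t - N
            if d < 0:
                continue
            r = isqrt(d)
            if r * r == d and t - r > 1:  # skip the trivial 1 * N split
                return t - r, t + r, m
    return None


if __name__ == "__main__":
    ranked, counts = smooth_candidates(N_EXAMPLE, 2 * A_EXAMPLE, 29)
    print("x ranked by factor count:", [(x, counts[x]) for x in ranked])
    for x in ranked:  # with a = 30 only x = 19 and x = 11 reach 1249 * 6469
        print("a = 30, x =", x, "->", overmars_factor(N_EXAMPLE, A_EXAMPLE, x))
```

With a = 30 the candidates x = 29 and x = 1 exhaust the m range without a non-trivial split, matching the text's observation that only x = 11 and x = 19 succeed.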

Based upon low-order factors the rankings would be 29 (2² · 3⁴) first and 11 (2² · 3²) second. Setting a = 30, x = 29 will not find solutions for m, n. Setting a = 30, x = 11 ⇒ m = 129, n = 57, gcd(129, 57) = 3, so the optimal value for a = 90: P1 = 30m − 11 − √((30m − 11)² − N). Look for solutions to (30m − 11)² − N which are a perfect square. In this case, m = 129 ⇒ (30 ∗ 129 − 11)² − 8079781 = 6812100 = 2610².

Table 5.

Smooth candidates of the factors of N − x².

Recall that the starting value for m: (√(N + a²) ± x²)/a ≤ m < (N − 1)/(2a) ⇒ 99 ≤ m < 134663, 30 iterations.

Whilst this is quite a good result, the first failure also needs to be taken into account. This would be bound by the Primorial and

$$P_1 : 1 < P_1 < \sqrt{N}:\quad am - \sqrt{(am)^2 - N} = 1 \Rightarrow m < \frac{N+1}{2a}$$

$$\text{Here } m : \frac{\sqrt{N + a^2} \pm x^2}{a} \le m < \frac{N+1}{2a} \Rightarrow 123 \le m \le 134663 \Rightarrow 134540 \text{ iterations.}$$

This can be further bound by the Primorial. In the case of RSA numbers, the binary bits available to represent a particular prime number range can also be used to bound the range (Table 6).

Consider N = 23852269081.

In this case, solutions using modulo testing generate good candidates to solve for (m, n); however, for a = 30030, three of the candidates have no solution. Using sequential programming, each possible candidate is considered one after another, until the maximum m value. However, using parallel programming techniques on GPUs (such as nVIDIA P100s), all of the candidates can be tested simultaneously and the processes are all terminated when one of the processes finds a solution. This is very efficient and effective in finding P1, P2. Once these are known, along with the public key PU = (N, e), using Euler's totient, the private key PR = (N, d) can be determined. Once the private key is known the cypher-text is no longer secure.

Table 6.

Smooth candidates of the factors of N − x².

22. Conclusion

In short, RSA is secure and difficult to factorise. Conventional sequential computing machines, running in polynomial time, take an infeasible amount of CPU cycles to find factorization solutions to RSA keys. Quantum computing holds great promise and Shor's algorithm [18] demonstrates how this can be achieved. However, quantum computing is realistically still some way off. Opportunities exist using conventional computing (sequential and parallel) with better mathematical techniques. Section 18 showed how implementation vulnerabilities are introduced when "clever" low-cost (in CPU cycles) methods are implemented. The case in point showed methods for signature identification, upon which tailored targeted attacks could be launched against infrastructure FIPS 140-2 devices, such as cryptographic routers. These sorts of attacks can be deployed in polynomial time using sequential programming techniques. Section 20 (Overmars) shows how factorization can be implemented using parallel processing techniques.

There is still much to be done, and areas of further interest are a better understanding of the structure of primes. This will lead to faster prime number generating algorithms and hence faster solutions to the factorization problem. This will also lead to the generation of more robust primes that are less susceptible to factorization methods. An example of this is the use of non-Pythagorean primes. Section 5 showed how Euler's factorization could be used to attack such composite numbers. Hence a simple method to thwart this would be to use a mix of Pythagorean and Gaussian primes. Section 6 showed how small d values in the RSA private key PR = (N, d) could be attacked using Wiener's method. Small e values in the public key PU = (N, e) can be attacked using a combination of LLL, Coppersmith and Pohlig-Hellman (Sections 15–17). All of these attacks can be mitigated by choosing d and e carefully and ensuring that both are sufficiently large.

Development of quantum computing is continuing at break-neck speed; however, useful machines are yet to appear. Parallel computing, however, is here and now, and whilst factorizing RSA keys is not achievable on conventional computers in polynomial time, parallel computing has allowed for multiple solutions to be tested simultaneously. This is an area where research continues, and new algorithms such as those shown in Sections 20 and 14 lend themselves well to GPU parallel processing systems.

"There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know" [25].

Survey of RSA Vulnerabilities

DOI: http://dx.doi.org/10.5772/intechopen.84852

Author details

Anthony Overmars

Curtin University, Perth, Australia

\*Address all correspondence to: 3@crykey.com

© 2019 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
