3. A simple RSA encryption/decryption example

Using two primes P<sup>1</sup> and P<sup>2</sup> to generate a composite number N,

N ¼ P1P<sup>2</sup> ¼ ð1462001 � 1462009Þ ¼ 2137458620009

Totient φ (Euler's totient function)

Calculate totient φ<sup>n</sup> = (P<sup>1</sup> � 1) (P<sup>2</sup> � 1) = (1462001 � 1) (1462009 � 1) = 2137455696000

Arbitrarily choose a public key such that e is an integer, not a factor of mod N, and 1 , e , φ, e = 13

The public key is made up of N and e, such that

PU ¼ ð Þ¼ N;e ð Þ 2137458620009; 13 . A private key is made up of N and d, such that PR ¼ ð Þ¼ N; d ð Þ 2137458620009; d .

d, is determined using the extended Euclidean algorithm.

e d mod φ<sup>n</sup> ¼ 113 d mod 2137455696000 ¼ 1 ) d ¼ 1973036027077. Therefore, private key, PR ¼ ð Þ¼ N1; d ð Þ 2137458620009; 1973036027077 . Vulnerabilities in the selection of primes are exploited in Section 5 using Euler's

Poor RSA key design and their exploits are considered in Section 6 using Wiener's method and in Sections 15–17 using a combination of LLL, Coppersmith and Pohlig-Hellman. All of these attacks can be mitigated by designing the RSA keys with these exploits in mind. RSA key design (Section 2) consists of two parts, a private key ð Þ N; d and a public key ð Þ N; e . A composite number N, is derived from two prime numbers. The ð Þ d; e numbers are selected in an ad hoc manner using

Development of quantum computing is continuing at breakneck speed; however useful machines are yet to appear. Parallel computing however is here and now, and

polynomial time, parallel computing has allowed for multiple solutions to be tested simultaneously. This is an area where research continues and new algorithms as shown in Sections 20 and 14 lend themselves well to GPU parallel processing

RSA � 100 ¼ 152260502792253336053561837813263742971806811496138

RSA100 is a 100 binary bit number made up of two 50 binary bit prime numbers. The motivation in breaking this composite number allows us to find the Euler's totient number φn. Once this is known, using the public key PU ¼ ð Þ N;e , it is possible to derive the private key PR ¼ ð Þ N; d , and hence all cypher-text encrypted

N ¼ P1P<sup>2</sup> ¼ ð1462001 � 1462009Þ ¼ 2137458620009

Calculate totient φ<sup>n</sup> = (P<sup>1</sup> � 1) (P<sup>2</sup> � 1) = (1462001 � 1) (1462009 � 1) =

Arbitrarily choose a public key such that e is an integer, not a factor of mod N,

PU ¼ ð Þ¼ N;e ð Þ 2137458620009; 13 . A private key is made up of N and d, such that

e d mod φ<sup>n</sup> ¼ 113 d mod 2137455696000 ¼ 1 ) d ¼ 1973036027077. Therefore, private key, PR ¼ ð Þ¼ N1; d ð Þ 2137458620009; 1973036027077 .

(e) messages can thus be decrypted back to plain text, using (d).

Using two primes P<sup>1</sup> and P<sup>2</sup> to generate a composite number N,

3. A simple RSA encryption/decryption example

The public key is made up of N and e, such that

d, is determined using the extended Euclidean algorithm.

Totient φ (Euler's totient function)

PR ¼ ð Þ¼ N; d ð Þ 2137458620009; d .

2137455696000

18

and 1 , e , φ, e = 13

0688657908494580122963258952897654000350692006139 ¼ 37975227936943673922808872755445627854565536638199

�40094690950920881030683735292761468389214899724061

whilst factorizing RSA keys is not achievable on conventional computers in

factorization.

Euler's totient.

systems.

2. Structure of RSA numbers

Consider RSA100 challenge number

Modern Cryptography – Current Challenges and Solutions

Encrypt a message m, into cipher text C, with public key PU. Let the message m = 1461989. <sup>C</sup> <sup>¼</sup> <sup>m</sup><sup>e</sup> mod <sup>N</sup> <sup>¼</sup> <sup>146198913</sup>13mod 2137458620009 <sup>ð</sup> Þ ¼ 1912018123454. To recover the original message, decrypt using Private Key, PR= (N, d) = (1912018123454, 1973036027077) <sup>m</sup> <sup>¼</sup> <sup>C</sup>dmod <sup>N</sup> <sup>¼</sup> <sup>1912018123454</sup>1973036027077mod 2137458620009 <sup>ð</sup> Þ ¼ <sup>1461989</sup>:

From this simple example, consider the following: How can we use a known public key PU = (N,e) to decrypt the original message? To decrypt the message, the private key is used: PR ¼ ð Þ N; d . How can d, be discovered? d is derived using Euler's totient function [φ<sup>n</sup> = (P<sup>1</sup> – 1) (P<sup>2</sup> – 1)], and the extended Euclidean algorithm ed mod φ<sup>n</sup> ¼ 1. However when a public key is transmitted, the totient φ<sup>n</sup> and the two primes P<sup>1</sup> and P<sup>2</sup> remain secret. If φn, P<sup>1</sup> or P<sup>2</sup> can be determined, the private key will be compromised and the cypher-text will no longer be secure.

When the totient φ<sup>n</sup> is known, d can be determined through the normal key generation processes, so the determination of the two primes (P1, P2) is not required to recover the message from the cypher-text. The following proof is provided for completeness and shows how the two primes P1, P<sup>2</sup> can be recovered if the composite N and the totient φ<sup>n</sup> are known.

### 4. If the composite N and the totient φ<sup>n</sup> are known, the original primes can be recovered

The quadratic formula can be used to find P<sup>1</sup> and P<sup>2</sup> <sup>φ</sup><sup>n</sup> <sup>¼</sup> ð Þ <sup>P</sup><sup>1</sup> � <sup>1</sup> ð Þ <sup>P</sup><sup>2</sup> � <sup>1</sup> , N <sup>¼</sup> <sup>P</sup>1, P2. General quadratic form: ax<sup>2</sup> <sup>þ</sup> bx <sup>þ</sup> <sup>c</sup> <sup>¼</sup> <sup>0</sup> <sup>¼</sup>. <sup>x</sup> <sup>¼</sup> �b� ffiffiffiffiffiffiffiffiffiffiffi b2 �4ac <sup>p</sup> 2a φ<sup>n</sup> ¼ ð Þ P1 � 1 ð Þ¼ P2 � 1 P1 P2 � P1 � P2 þ 1 recalling N ¼ P<sup>1</sup> P2¼)φ<sup>n</sup> ¼ N � P<sup>1</sup> � P<sup>2</sup> þ 1

Express primes in terms of N, φ<sup>n</sup> P1 = N�φn�P2 + 1, P2 = N�φn�P1 + 1N ¼ P<sup>1</sup> P<sup>2</sup> substitute for P2 ¼) N=P1 (N�φn�P1 + 1) = P1 N�P1 φ<sup>n</sup> – P1 <sup>2</sup> + P1

$$P\_1 + P\_1 \left(\varphi\_\mathbf{n} - N - 1\right) + N = 0 \text{ a} \\ x^2 + b \mathbf{x} + c = 0: \mathbf{a} = \mathbf{1}, \\ b = \left(\varphi\_\mathbf{n} - N - 1\right), \\ c = N, \\ \mathbf{x} = \frac{-b \pm \sqrt{b^2 - 4ac}}{2a}$$

$$P\_1, P\_2 = \frac{-\left(\varphi\_\mathbf{n} - N - 1\right) \pm \sqrt{\left(\varphi\_\mathbf{n} - N - 1\right)^2 - 4(1)N}}{2(1)} = \frac{-\left(\varphi\_\mathbf{n} - N - 1\right) \pm \sqrt{\left(\varphi\_\mathbf{n} - N - 1\right)^2 - 4N}}{2}$$

When N and φ<sup>n</sup> are known: N = 2137458620009, φ<sup>n</sup> = 2137455696000

$$\begin{aligned} P\_{1\sharp}, P\_2 &= \frac{2924010 \pm \sqrt{8549834480100 - 8549834480036}}{2} = \frac{2924010 \pm \sqrt{64}}{2} = 1462005 \pm 400 \\\ P\_{1\sharp}, P\_2 &= (1462001, 1462009) \end{aligned}$$

Using the quadratic formula, P<sup>1</sup> and P<sup>2</sup> can be recovered if the composite N and the totient φ<sup>n</sup> are known.

### 5. Fermat's factorization method

<sup>N</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> � <sup>b</sup><sup>2</sup> <sup>¼</sup> ð Þ <sup>a</sup> � <sup>b</sup> ð Þ <sup>a</sup> <sup>þ</sup> <sup>b</sup> is the difference of two squares.

$$P\_1 = a - b, P\_2 = a + b, P\_1 + P\_2 = 2a, P\_2 - P\_1 = 2b; a = \frac{P\_2 + P\_1}{2}, b = \frac{P\_2 - P\_1}{2}$$

Modern Cryptography – Current Challenges and Solutions

$$N = a^2 - b^2 = \left(\frac{P\_2 + P\_1}{2}\right)^2 - \left(\frac{P\_2 - P\_1}{2}\right)^2 = \frac{1}{4}\left((P\_2 + P\_1)^2 - (P\_2 - P\_1)^2\right) = P\_1 P\_2$$

Consider the example N = 2137458620009; find the factorization values of

Using the sum of squares, <sup>N</sup> <sup>¼</sup> <sup>2137458620009</sup> <sup>¼</sup> <sup>324403</sup><sup>2</sup> <sup>þ</sup> <sup>1425560</sup><sup>2</sup> <sup>¼</sup>

<sup>A</sup><sup>2</sup> � <sup>C</sup><sup>2</sup> <sup>¼</sup> <sup>D</sup><sup>2</sup> � <sup>B</sup><sup>2</sup> ) ð Þ <sup>A</sup> � <sup>C</sup> ð Þ¼ <sup>A</sup> <sup>þ</sup> <sup>C</sup> ð Þ <sup>D</sup> � <sup>B</sup> ð Þ¼ <sup>D</sup> <sup>þ</sup> <sup>B</sup> ð Þ <sup>968006</sup> ð Þ¼ <sup>319200</sup> ð Þ <sup>2738280</sup> ð Þ <sup>112840</sup>

<sup>2</sup> <sup>¼</sup> <sup>1201</sup>, gcd Að Þ <sup>þ</sup> <sup>C</sup>; <sup>D</sup> <sup>þ</sup> <sup>B</sup>

<sup>2</sup> <sup>¼</sup> <sup>1140</sup>, gcd Að Þ � <sup>C</sup>; <sup>D</sup> <sup>þ</sup> <sup>B</sup>

Wiener's theorem. Let N ¼ P1P<sup>2</sup> and P<sup>1</sup> , P<sup>2</sup> , 2P<sup>1</sup> and a private key PR ¼ ð Þ N; d

<sup>k</sup> . Consider a public key PU ¼ ð Þ N;e : PU ¼

<sup>2137458620009</sup> ¼ ½0; 1; 11; 1; 4684; 1; 125; 1; 10; 1; 2; 1; 1; 1; 1; 2; 3; 7; 1; 17� ¼

<sup>3</sup> <sup>N</sup><sup>1</sup>

e d � 1 mod φn. The attacker can efficiently recover d [2]. The attack uses the continued fraction method to expose the private key d, when d is small. It

<sup>þ</sup> gcd Að Þ <sup>þ</sup>C;Dþ<sup>B</sup> 2 <sup>2</sup>

<sup>þ</sup> gcd Að Þ �C;Dþ<sup>B</sup> 2 <sup>2</sup>



<sup>2</sup> <sup>¼</sup> gcdð Þ <sup>319200</sup>; <sup>112840</sup>

<sup>2</sup> <sup>¼</sup> gcdð Þ <sup>968006</sup>; <sup>112840</sup>

<sup>¼</sup> 12012 <sup>þ</sup> <sup>140</sup><sup>2</sup> <sup>¼</sup> <sup>1462001</sup>

<sup>¼</sup> <sup>1140</sup><sup>2</sup> <sup>þ</sup> <sup>403</sup><sup>2</sup> <sup>¼</sup> <sup>1462009</sup>

4, given a public key PU ¼ ð Þ N;e , with

.

<sup>2</sup> <sup>¼</sup> <sup>140</sup>

<sup>2</sup> <sup>¼</sup> <sup>403</sup>

P1 and P2.

<sup>643603</sup><sup>2</sup> <sup>þ</sup> <sup>1312720</sup><sup>2</sup>

Survey of RSA Vulnerabilities

gcd Að Þ � C; D � B

gcd Að Þ þ C; D � B

7. Wiener attack

<sup>N</sup> ≈ <sup>k</sup>

assumes <sup>e</sup>

e <sup>N</sup> <sup>≈</sup> <sup>k</sup> d : e

21

<sup>φ</sup><sup>n</sup> <sup>¼</sup> ed � <sup>1</sup>

. Combining the even and odds: 1425560<sup>2</sup>

DOI: http://dx.doi.org/10.5772/intechopen.84852

Using the greatest common divisor (gcd):

<sup>2</sup> <sup>¼</sup> gcdð Þ <sup>968006</sup>; <sup>2738280</sup>

<sup>2</sup> <sup>¼</sup> gcdð Þ <sup>319200</sup>; <sup>2738280</sup>

<sup>P</sup><sup>1</sup> <sup>¼</sup> gcd Að Þ �C;D�<sup>B</sup> 2 <sup>2</sup>

<sup>P</sup><sup>2</sup> <sup>¼</sup> gcd Að Þ <sup>þ</sup>C;D�<sup>B</sup> 2 <sup>2</sup>

and a public key PU <sup>¼</sup> ð Þ <sup>N</sup>;<sup>e</sup> : Let <sup>d</sup> , <sup>1</sup>

<sup>d</sup> ) <sup>φ</sup><sup>n</sup> <sup>¼</sup> ed�<sup>1</sup>

<sup>N</sup> <sup>¼</sup> <sup>1973036027077</sup>

primes P1 and P2 can be recovered.

<sup>2137458620009</sup> <sup>¼</sup> <sup>1</sup>

<sup>k</sup> <sup>¼</sup> <sup>1973036027077</sup> <sup>∗</sup> <sup>13</sup> � <sup>1</sup>

1 þ

1 <sup>11</sup> <sup>þ</sup> <sup>1</sup> <sup>∗</sup> <sup>1</sup> 1

<sup>12</sup> <sup>¼</sup> <sup>25649468352000</sup>

As per Section 2, if the composite N and the totient φ<sup>n</sup> are known, the original

<sup>¼</sup> <sup>12</sup> <sup>13</sup> <sup>¼</sup> <sup>k</sup> d

<sup>12</sup> <sup>¼</sup> <sup>2137455696000</sup>

ð Þ 2137458620009; 1973036027077 Continued fraction <sup>1973036027077</sup>

As the first trial for <sup>a</sup>, <sup>a</sup><sup>1</sup> <sup>¼</sup> ffiffiffiffiffiffi N, <sup>p</sup> then check if <sup>Δ</sup>a<sup>1</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> <sup>1</sup> � N is a square number. There are only 22 combinations of which the last two digits are a square number. The other 78 can be eliminated.

If Δa<sup>1</sup> is not a square number, then a<sup>2</sup> : a<sup>2</sup> ¼ a<sup>1</sup> þ 1. Now <sup>Δ</sup>a<sup>2</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> <sup>2</sup> � <sup>N</sup> ¼) ð Þ <sup>a</sup><sup>1</sup> <sup>þ</sup> <sup>1</sup> <sup>2</sup> � <sup>N</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> <sup>1</sup> � N þ 2a<sup>1</sup> þ 1 ¼ Δa<sup>1</sup> þ 2a<sup>1</sup> þ 1

$$\Delta a\_3 = a\_3^2 - N \Longrightarrow (a\_2 + 1)^2 - N = a\_2^2 - N + 2a\_2 + 1 = \Delta a\_2 + 2(a\_1 + 1) + 1 = \Delta a\_2 + 2a\_1 + 3$$

$$\Delta a\_4 = a\_4^2 - N \Longrightarrow (a\_3 + 1)^2 - N = a\_3^2 - N + 2a\_3 + 1 = \Delta a\_3 + 2(a\_1 + 2) + 1 = \Delta a\_3 + 2a\_1 + 5$$

so the subsequent differences are obtained by adding two. Consider the example N = 2137458620009.

$$\begin{array}{c} a\_1 = \sqrt{N\_1} \ a\_1 = \sqrt{2137458620009} \Rightarrow a\_1 = 1462005 \end{array}$$

Check if <sup>Δ</sup>a<sup>1</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> <sup>1</sup> � N is a square number.

$$\begin{aligned} \Delta a\_1 &= a\_1^2 - N = 1462005^2 - 2137458620009 = 2137458620025 - 2137458620009 = 16 = 4^2 \\ N &= 1462005^2 - 4^2 = (1462005 - 4)(1462005 + 4) = (1462001)(1462009) \end{aligned}$$

Maurice Kraitchik, a Belgian mathematician, considered only values of a and <sup>b</sup> : <sup>a</sup><sup>2</sup> � <sup>b</sup><sup>2</sup> mod N.

$$a^2 \equiv b^2 \bmod{N} \Longrightarrow \Delta \ 1462005^2 \bmod{2137458620009} \equiv 16^2$$

#### 6. Euler's factorization method

Gaussian primes are of the form 4x � 1, and primes of the form 4x þ 1 are Pythagorean. Fermat's Christmas theorem on sum of two squares states that an odd prime can be expressed as <sup>P</sup> <sup>¼</sup> <sup>x</sup><sup>2</sup> <sup>þ</sup> <sup>y</sup><sup>2</sup> iff <sup>P</sup> � <sup>1</sup> mod 4.

Gaussian primes are of the form P � 3 mod 4 and are not representable as the sum of two squares.

Consider a composite number <sup>N</sup>: <sup>N</sup> <sup>=</sup> P1P2 and <sup>P</sup>1: <sup>P</sup><sup>1</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> <sup>þ</sup> <sup>b</sup><sup>2</sup> , <sup>P</sup>2: <sup>P</sup><sup>2</sup> <sup>¼</sup> <sup>c</sup><sup>2</sup> <sup>þ</sup> <sup>d</sup><sup>2</sup> .

$$N = P\_1 P\_2 = \left(a^2 + b^2\right)\left(c^2 + d^2\right) = \left(\mathbf{a}c\right)^2 + \left(\mathbf{b}c\right)^2 + \left(\mathbf{d}d\right)^2 + \left(\mathbf{b}d\right)^2$$

$$\text{Let } \quad \mathbf{A}^2 = \left(\mathbf{a}c\right)^2 + \left(\mathbf{a}d\right)^2, \mathbf{B}^2 = \left(b\mathbf{c}\right)^2 + \left(b\mathbf{d}\right)^2, \mathbf{C}^2 = \left(\mathbf{a}c\right)^2 + \left(b\mathbf{c}\right)^2, \mathbf{D}^2 = \left(a\mathbf{d}\right)^2 + \left(b\mathbf{d}\right)^2$$

$$N = P\_1 P\_2 = \left(\mathbf{a}^2 + \mathbf{b}^2\right)\left(\mathbf{c}^2 + \mathbf{d}^2\right) = \left(\mathbf{a}c\right)^2 + \left(bc\right)^2 + \left(ad\right)^2 + \left(bd\right)^2 = A^2 + B^2 = C^2 + D^2$$

$$\begin{aligned} N &= A^2 + B^2 = C^2 + D^2 \Rightarrow A^2 - C^2 = D^2 - B^2\\ A^2 - C^2 &= D^2 - B^2 \Rightarrow (A - C)(A + C) = (D - B)(D + B)\\ P\_1 &= \left(\frac{\gcd(A - C, D - B)}{2}\right)^2 + \left(\frac{\gcd(A + C, D + B)}{2}\right)^2,\\ P\_2 &= \left(\frac{\gcd(A + C, D - B)}{2}\right)^2 + \left(\frac{\gcd(A - C, D + B)}{2}\right)^2\end{aligned}$$

Consider the example N = 2137458620009; find the factorization values of P1 and P2.

Using the sum of squares, <sup>N</sup> <sup>¼</sup> <sup>2137458620009</sup> <sup>¼</sup> <sup>324403</sup><sup>2</sup> <sup>þ</sup> <sup>1425560</sup><sup>2</sup> <sup>¼</sup> <sup>643603</sup><sup>2</sup> <sup>þ</sup> <sup>1312720</sup><sup>2</sup> .

Combining the even and odds: 1425560<sup>2</sup> -1312720<sup>2</sup> = 643603<sup>2</sup> -324403<sup>2</sup> .

$$A^2 - C^2 = D^2 - B^2 \Rightarrow (A - C)(A + C) = (D - B)(D + B) = (968006)\ (319200) = (2738280)\ (112840)$$

Using the greatest common divisor (gcd):

$$\frac{\gcd(A-C,D-B)}{2} = \frac{\gcd(968006, 2738280)}{2} = 1201, \quad \frac{\gcd(A+C,D+B)}{2} = \frac{\gcd(319200, 112840)}{2} = 140$$

$$\frac{\gcd(A+C,D-B)}{2} = \frac{\gcd(319200, 2738280)}{2} = 1140, \quad \frac{\gcd(A-C,D+B)}{2} = \frac{\gcd(968006, 112840)}{2} = 403$$

$$P\_1 = \left(\frac{\gcd(A-CD-B)}{2}\right)^2 + \left(\frac{\gcd(A+CD+B)}{2}\right)^2 = 1201^2 + 140^2 = 1462001$$

$$P\_2 = \left(\frac{\gcd(A+CD-B)}{2}\right)^2 + \left(\frac{\gcd(A-CD+B)}{2}\right)^2 = 1140^2 + 403^2 = 1462009$$

### 7. Wiener attack

<sup>N</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> � <sup>b</sup><sup>2</sup> <sup>¼</sup> <sup>P</sup><sup>2</sup> <sup>þ</sup> <sup>P</sup><sup>1</sup>

Now <sup>Δ</sup>a<sup>2</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup>

Check if <sup>Δ</sup>a<sup>1</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup>

<sup>b</sup> : <sup>a</sup><sup>2</sup> � <sup>b</sup><sup>2</sup> mod N.

sum of two squares.

.

<sup>P</sup><sup>1</sup> <sup>¼</sup> gcd Að Þ �C;D�<sup>B</sup> 2 � �<sup>2</sup>

<sup>P</sup><sup>2</sup> <sup>¼</sup> gcd Að Þ <sup>þ</sup>C;D�<sup>B</sup> 2 � �<sup>2</sup>

<sup>N</sup> <sup>¼</sup> <sup>P</sup>1P<sup>2</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> <sup>þ</sup> <sup>b</sup><sup>2</sup> � � <sup>c</sup><sup>2</sup> <sup>þ</sup> <sup>d</sup><sup>2</sup> � � <sup>¼</sup> ð Þ ac

<sup>2</sup> <sup>þ</sup> ð Þ ad <sup>2</sup>

<sup>N</sup> <sup>¼</sup> <sup>P</sup>1P<sup>2</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> <sup>þ</sup> b2 � � <sup>c</sup><sup>2</sup> <sup>þ</sup> <sup>d</sup><sup>2</sup> � � <sup>¼</sup> ð Þ ac

<sup>N</sup> <sup>¼</sup> <sup>A</sup><sup>2</sup> <sup>þ</sup> <sup>B</sup><sup>2</sup> <sup>¼</sup> <sup>C</sup><sup>2</sup> <sup>þ</sup> <sup>D</sup><sup>2</sup> ) <sup>A</sup><sup>2</sup> � <sup>C</sup><sup>2</sup> <sup>¼</sup> <sup>D</sup><sup>2</sup> � <sup>B</sup><sup>2</sup>

<sup>P</sup>2: <sup>P</sup><sup>2</sup> <sup>¼</sup> <sup>c</sup><sup>2</sup> <sup>þ</sup> <sup>d</sup><sup>2</sup>

let A<sup>2</sup> <sup>¼</sup> ð Þ ac

20

<sup>Δ</sup>a<sup>3</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup>

<sup>Δ</sup>a<sup>4</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup>

<sup>Δ</sup>a<sup>1</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup>

2 � �<sup>2</sup>

Modern Cryptography – Current Challenges and Solutions

As the first trial for <sup>a</sup>, <sup>a</sup><sup>1</sup> <sup>¼</sup> ffiffiffiffiffiffi

<sup>3</sup> � <sup>N</sup>¼)ð Þ <sup>a</sup><sup>2</sup> <sup>þ</sup> <sup>1</sup> <sup>2</sup> � <sup>N</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup>

<sup>4</sup> � <sup>N</sup>¼)ð Þ <sup>a</sup><sup>3</sup> <sup>þ</sup> <sup>1</sup> <sup>2</sup> � <sup>N</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup>

<sup>a</sup><sup>1</sup> <sup>¼</sup> ffiffiffiffiffiffi

6. Euler's factorization method

prime can be expressed as <sup>P</sup> <sup>¼</sup> <sup>x</sup><sup>2</sup> <sup>þ</sup> <sup>y</sup><sup>2</sup> iff <sup>P</sup> � <sup>1</sup> mod 4.

Consider the example N = 2137458620009.

The other 78 can be eliminated.

� <sup>P</sup><sup>2</sup> � <sup>P</sup><sup>1</sup> 2 � �<sup>2</sup>

If Δa<sup>1</sup> is not a square number, then a<sup>2</sup> : a<sup>2</sup> ¼ a<sup>1</sup> þ 1.

<sup>2</sup> � <sup>N</sup> ¼) ð Þ <sup>a</sup><sup>1</sup> <sup>þ</sup> <sup>1</sup> <sup>2</sup> � <sup>N</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup>

so the subsequent differences are obtained by adding two.

N, <sup>p</sup> <sup>a</sup><sup>1</sup> <sup>¼</sup> ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi

<sup>1</sup> � N is a square number.

2137458620009

<sup>N</sup> <sup>¼</sup> <sup>1462005</sup><sup>2</sup> � <sup>4</sup><sup>2</sup> <sup>¼</sup> ð Þ <sup>1462005</sup> � <sup>4</sup> <sup>ð</sup><sup>1462005</sup> <sup>þ</sup> <sup>4</sup>Þ ¼ ð Þ <sup>1462001</sup> ð Þ <sup>1462009</sup>

Maurice Kraitchik, a Belgian mathematician, considered only values of a and

<sup>a</sup><sup>2</sup> � <sup>b</sup><sup>2</sup> mod N¼)<sup>Δ</sup> <sup>1462005</sup><sup>2</sup> mod <sup>2137458620009</sup> � <sup>16</sup>

Gaussian primes are of the form 4x � 1, and primes of the form 4x þ 1 are Pythagorean. Fermat's Christmas theorem on sum of two squares states that an odd

Gaussian primes are of the form P � 3 mod 4 and are not representable as the

<sup>2</sup> <sup>þ</sup> ð Þ bc <sup>2</sup> <sup>þ</sup> ð Þ ad <sup>2</sup> <sup>þ</sup> ð Þ bd <sup>2</sup>

<sup>2</sup> <sup>þ</sup> ð Þ bc <sup>2</sup>

<sup>2</sup> <sup>þ</sup> ð Þ bc <sup>2</sup> <sup>þ</sup> ð Þ ad <sup>2</sup> <sup>þ</sup> ð Þ bd <sup>2</sup> <sup>¼</sup> <sup>A</sup><sup>2</sup> <sup>þ</sup> <sup>B</sup><sup>2</sup> <sup>¼</sup> <sup>C</sup><sup>2</sup> <sup>þ</sup> <sup>D</sup><sup>2</sup>

, <sup>C</sup><sup>2</sup> <sup>¼</sup> ð Þ ac

,

Consider a composite number <sup>N</sup>: <sup>N</sup> <sup>=</sup> P1P2 and <sup>P</sup>1: <sup>P</sup><sup>1</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup> <sup>þ</sup> <sup>b</sup><sup>2</sup>

, <sup>B</sup><sup>2</sup> <sup>¼</sup> ð Þ bc <sup>2</sup> <sup>þ</sup> ð Þ bd <sup>2</sup>

<sup>A</sup><sup>2</sup> � <sup>C</sup><sup>2</sup> <sup>¼</sup> <sup>D</sup><sup>2</sup> � <sup>B</sup><sup>2</sup> ) ð Þ <sup>A</sup> � <sup>C</sup> ð Þ¼ <sup>A</sup> <sup>þ</sup> <sup>C</sup> ð Þ <sup>D</sup> � <sup>B</sup> ð Þ <sup>D</sup> <sup>þ</sup> <sup>B</sup>

<sup>þ</sup> gcd Að Þ <sup>þ</sup>C;Dþ<sup>B</sup> 2 � �<sup>2</sup>

<sup>þ</sup> gcd Að Þ �C;Dþ<sup>B</sup> 2 � �<sup>2</sup>

<sup>1</sup> � <sup>N</sup> <sup>¼</sup> <sup>1462005</sup><sup>2</sup> � <sup>2137458620009</sup> <sup>¼</sup> <sup>2137458620025</sup> � <sup>2137458620009</sup> <sup>¼</sup> <sup>16</sup> <sup>¼</sup> 42

<sup>p</sup> ) <sup>a</sup><sup>1</sup> <sup>¼</sup> <sup>1462005</sup>

¼ 1

N, <sup>p</sup> then check if <sup>Δ</sup>a<sup>1</sup> <sup>¼</sup> <sup>a</sup><sup>2</sup>

There are only 22 combinations of which the last two digits are a square number.

<sup>4</sup> ð Þ <sup>P</sup><sup>2</sup> <sup>þ</sup> <sup>P</sup><sup>1</sup>

<sup>2</sup> � ð Þ <sup>P</sup><sup>2</sup> � <sup>P</sup><sup>1</sup> <sup>2</sup> � �

,

, <sup>D</sup><sup>2</sup> <sup>¼</sup> ð Þ ad <sup>2</sup> <sup>þ</sup> ð Þ bd <sup>2</sup>

<sup>1</sup> � N þ 2a<sup>1</sup> þ 1 ¼ Δa<sup>1</sup> þ 2a<sup>1</sup> þ 1

<sup>2</sup> � N þ 2a<sup>2</sup> þ 1 ¼ Δa<sup>2</sup> þ 2ð Þþ a<sup>1</sup> þ 1 1 ¼ Δa<sup>2</sup> þ 2a<sup>1</sup> þ 3

<sup>3</sup> � N þ 2a<sup>3</sup> þ 1 ¼ Δa<sup>3</sup> þ 2ð Þþ a<sup>1</sup> þ 2 1 ¼ Δa<sup>3</sup> þ 2a<sup>1</sup> þ 5

<sup>1</sup> � N is a square number.

¼ P1P<sup>2</sup>

Wiener's theorem. Let N ¼ P1P<sup>2</sup> and P<sup>1</sup> , P<sup>2</sup> , 2P<sup>1</sup> and a private key PR ¼ ð Þ N; d and a public key PU <sup>¼</sup> ð Þ <sup>N</sup>;<sup>e</sup> : Let <sup>d</sup> , <sup>1</sup> <sup>3</sup> <sup>N</sup><sup>1</sup> 4, given a public key PU ¼ ð Þ N;e , with e d � 1 mod φn. The attacker can efficiently recover d [2]. The attack uses the continued fraction method to expose the private key d, when d is small. It assumes <sup>e</sup> <sup>N</sup> ≈ <sup>k</sup> <sup>d</sup> ) <sup>φ</sup><sup>n</sup> <sup>¼</sup> ed�<sup>1</sup> <sup>k</sup> . Consider a public key PU ¼ ð Þ N;e : PU ¼ ð Þ 2137458620009; 1973036027077

Continued fraction <sup>1973036027077</sup> <sup>2137458620009</sup> ¼ ½0; 1; 11; 1; 4684; 1; 125; 1; 10; 1; 2; 1; 1; 1; 1; 2; 3; 7; 1; 17� ¼

$$\frac{e}{N} \approx \frac{k}{d} : \frac{e}{N} = \frac{1973036027077}{2137458620009} = \frac{1}{1 + \cfrac{1}{11 + 1 \* \frac{1}{1}}} = \frac{12}{13} = \frac{k}{d}$$

$$\rho\_{\text{n}} = \frac{ed - 1}{k} = \frac{1973036027077 \* 13 - 1}{12} = \frac{25649468352000}{12} = 2137455696000$$

As per Section 2, if the composite N and the totient φ<sup>n</sup> are known, the original primes P1 and P2 can be recovered.

### 8. Sum of squares

Overmars [3] showed that all Pythagorean triples could be represented as <sup>N</sup> <sup>¼</sup> <sup>n</sup><sup>2</sup> <sup>þ</sup> ð Þ <sup>n</sup> <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> <sup>2</sup> . If the composite number N, is constructed using two Pythagorean primes (4x + 1) then two representations as the sum of two squares can be found. Euler's Factorization Method (Section 4) can be applied. Finding these two representations is non-trivial and CPU-intensive. The equation N mð Þ¼ ; <sup>n</sup> <sup>n</sup><sup>2</sup> <sup>þ</sup> ð Þ <sup>n</sup> <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> <sup>2</sup> provides a course search using increments of <sup>n</sup> and fine convergence using m. In this way n is incremented and m is decremented about N to find the two solutions along the diagonal of a field of N mð Þ ; n ≈ N.

<sup>649</sup> <sup>¼</sup> <sup>11</sup> <sup>∗</sup> <sup>59</sup> <sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> 82 <sup>þ</sup> <sup>24</sup><sup>2</sup> <sup>¼</sup> 62 <sup>þ</sup> <sup>17</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>¼</sup>

iii. Mixed Pythagorean-Gaussian prime construction N ¼ ð Þ 4x þ 1 ð Þ¼ 4y � 1 16xy � 4ð Þ� x � y 1,

Possible composite constructs using Pythagorean and Gaussian primes.

<sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> <sup>27</sup><sup>2</sup> <sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> 12 þ þ18<sup>2</sup> <sup>þ</sup> 212 <sup>¼</sup> 12 <sup>þ</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> 262 <sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> <sup>17</sup><sup>2</sup> <sup>þ</sup> 212

<sup>¼</sup> 92 <sup>þ</sup> <sup>10</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>¼</sup> 112 <sup>þ</sup> <sup>14</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> 152

a, b∈Z,

Survey of RSA Vulnerabilities

DOI: http://dx.doi.org/10.5772/intechopen.84852

Table 1.

3 � P mod 4. 13 ∗ 59 ¼ 767

10. Overmars factorization method

1. Let <sup>m</sup><sup>0</sup> <sup>≥</sup> ffiffiffi

2. Let n<sup>0</sup> ¼

3. Let n ¼

23

N p

<sup>2</sup> , m ∈ N<sup>þ</sup>

4.P<sup>1</sup> ¼ 2ð Þþ m � n 1, P<sup>2</sup> ¼ 2ð Þ� m þ n 1

ffiffiffiffiffiffiffiffiffiffiffiffi 4m<sup>2</sup> <sup>0</sup>�<sup>N</sup> <sup>p</sup> <sup>þ</sup><sup>1</sup>

ffiffiffiffiffiffiffiffiffiffiffiffi 4m<sup>2</sup> <sup>x</sup>�<sup>N</sup> <sup>p</sup> <sup>þ</sup><sup>1</sup>

used, and the test is both simple and concise [4].

<sup>8</sup><sup>2</sup> <sup>þ</sup> <sup>12</sup><sup>2</sup> <sup>þ</sup> <sup>21</sup><sup>2</sup> <sup>¼</sup> 102 <sup>þ</sup> <sup>15</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>¼</sup> <sup>12</sup><sup>2</sup> <sup>þ</sup> <sup>12</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> Legendre's three-square theorem can test the composite: <sup>N</sup> <sup>¼</sup> <sup>x</sup><sup>2</sup> <sup>þ</sup> <sup>y</sup><sup>2</sup> <sup>þ</sup> <sup>z</sup><sup>2</sup> true if N 6¼ <sup>4</sup>að Þ <sup>8</sup><sup>b</sup> <sup>þ</sup> <sup>7</sup>

4y – 1 16xy � 4ð Þþ x þ y 1 16xy � 4ð Þ� x � y 1 59 649 767 4y + 1 16xy � 4ð Þ� y � x 1 16xy þ 4ð Þþ x þ y 1 61 671 793

N ¼ ð Þ 4x � 1 ð Þ¼ 4y þ 1 16xy þ 4ð Þ� x � y 1: Sums of four squares exist.

<sup>¼</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> <sup>11</sup><sup>2</sup> <sup>þ</sup> 232 <sup>¼</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> <sup>17</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>¼</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> 112 <sup>þ</sup> <sup>13</sup><sup>2</sup> <sup>þ</sup> 212 <sup>¼</sup> <sup>7</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> 142 <sup>þ</sup> 212 <sup>¼</sup> <sup>7</sup><sup>2</sup> <sup>þ</sup> <sup>13</sup><sup>2</sup> <sup>þ</sup> <sup>15</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>¼</sup> <sup>9</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> <sup>11</sup><sup>2</sup> <sup>þ</sup> <sup>22</sup><sup>2</sup>

In summary, a composite whose construction is based upon both Pythagorean and Gaussian primes can easily be identified when P mod 4 � 3 is true. However, sums of four squares exist and Euler's factorization cannot be used. When

P mod 4 � 1 is true, the composite could be constructed using Pythagorean primes or Gaussian primes. Use the Legendre test to further discriminate. When the Pythagorean construct is confirmed, the two sums of two squares can be found, and Euler's factorization can be used. If the composite construction is both Pythagorean and Gaussian, sums of three squares exist and Euler's factorization cannot be used.

Another classification of the composite number uses a different construct for primes and seeks to define the composite number as follows: Let N ¼ P1P<sup>2</sup> and test N : ð Þ N � 1 mod4 ¼ 0. Two cases are considered in the classification, and this determines the constructs of the primes used. Note the sign of �1 determines the case

Case (1) ⊕⊝ ð Þ N þ 1 mod4 ¼ 0, P<sup>1</sup> ¼ 2ð Þþ m � n 1, P<sup>2</sup> ¼ 2ð Þ� m þ n 1

<sup>2</sup> , n ∈ N<sup>þ</sup>?, n∉ N<sup>þ</sup> ) mx ¼ m<sup>0</sup> þ 1

<sup>2</sup> , n∉ N<sup>þ</sup>, mx ¼ mx þ 1 ) n : n ∈ N<sup>þ</sup>

<sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>10</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> 212 <sup>¼</sup> <sup>2</sup><sup>2</sup> <sup>þ</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>5</sup><sup>2</sup> <sup>þ</sup> <sup>27</sup><sup>2</sup> <sup>¼</sup> <sup>2</sup><sup>2</sup> <sup>þ</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> 232 <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>7</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> <sup>22</sup><sup>2</sup> <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>11</sup><sup>2</sup> <sup>þ</sup> <sup>14</sup><sup>2</sup> <sup>þ</sup> 212 <sup>¼</sup> 52 <sup>þ</sup> 62 <sup>þ</sup> <sup>9</sup><sup>2</sup> <sup>þ</sup> 252

4x � 1 4x + 1 x, y ¼ 3, 15 11 13

Consider the example, N ¼ 2137458620009.

N mð Þ¼ <sup>1</sup>; <sup>n</sup><sup>1</sup> <sup>n</sup><sup>2</sup> <sup>1</sup> <sup>þ</sup> ð Þ <sup>n</sup><sup>1</sup> <sup>þ</sup> <sup>2</sup>m<sup>1</sup> � <sup>1</sup> <sup>2</sup> <sup>¼</sup> 3244032 <sup>þ</sup> ð Þ <sup>324403</sup> <sup>þ</sup> 2 550579 ð Þþ <sup>1</sup> <sup>2</sup> <sup>¼</sup> <sup>324403</sup><sup>2</sup> <sup>þ</sup> <sup>1425560</sup><sup>2</sup> N mð Þ¼ <sup>2</sup>; <sup>n</sup><sup>2</sup> <sup>n</sup><sup>2</sup> <sup>2</sup> <sup>þ</sup> ð Þ <sup>n</sup><sup>2</sup> <sup>þ</sup> <sup>2</sup>m<sup>2</sup> � <sup>1</sup> <sup>2</sup> <sup>¼</sup> <sup>643603</sup><sup>2</sup> <sup>þ</sup> ð Þ <sup>643603</sup> <sup>þ</sup> 2 334559 ð Þþ <sup>1</sup> <sup>2</sup> <sup>¼</sup> 6436032 <sup>þ</sup> 13127202 N1ð324403; 550579Þ ¼ N2ð643603; 334559Þ ¼ 2137458620009

For completeness N can be represented as two Pythagorean triangles as shown [3] Δ(m,n)=Δ(a,b,c).

a mð Þ¼ ; <sup>n</sup> <sup>2</sup>n nð Þ <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> , bmð Þ¼ ; <sup>n</sup> ð Þ <sup>2</sup><sup>m</sup> � <sup>1</sup> ð Þ <sup>2</sup><sup>n</sup> <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> , cmð Þ¼ :<sup>n</sup> <sup>n</sup><sup>2</sup> <sup>þ</sup> ð Þ <sup>n</sup> <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> <sup>2</sup> Δð Þ¼ m1; n<sup>1</sup> Δð Þ a1; b1;c<sup>1</sup> : Δ ð324403; 550579Þ ¼ Δð Þ 28197495801360; 8357740887191; 29410042540009 Δð Þ¼ m2; n<sup>2</sup> Δð Þ a2; b2;c<sup>2</sup> : Δð643603; 334559Þ ¼ Δð Þ 1689741060320; 1309008976791; 29410042540009

Once the two sum of two squares has been found, Euler's factorization method (Section 4), can be used to find the prime constructions of N : N ¼ P1P2.

If the composite number (N) is constructed using Pythagorean primes (4x þ 1), then a solution exists as two sums of two squares and Euler's factorization method can be applied.

#### 9. Gaussian and Pythagorean primes

As shown in Section 4, if Pythagorean primes (4x þ 1 � 4x � 3) are used to construct the composite number (N), a solution exists as two sums of two squares. However, if N is constructed using Gaussian primes (4x � 1 � 4x þ 3), then Euler's sum of two squares method cannot be used. Is there a test that we can use to see if the composite has been constructed using Pythagorean primes? (Table 1)

Consider the following composite constructions:

i. N ¼ ð Þ 4x þ 1 ð Þ 4y þ 1 using Pythagorean primes

ii. N ¼ ð Þ 4x � 1 ð Þ 4y � 1 using Gaussian primes

iii. N ¼ ð Þ 4x þ 1 ð Þ 4y � 1 using a mix of Pythagorean and Gaussian primes

i. Pythagorean prime construction

N ¼ ð Þ 4x þ 1 ð Þ¼ 4y þ 1 16xy þ 4ð Þþ x þ y 1 Two sum of two squares representations exist and Euler's factorization can be used. 1 � P mod 4. <sup>9</sup> � P mod 16. See Section 4. 793 <sup>¼</sup> <sup>13</sup> <sup>∗</sup> <sup>61</sup> <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>28</sup><sup>2</sup> <sup>¼</sup> <sup>8</sup><sup>2</sup> <sup>þ</sup> <sup>27</sup><sup>2</sup>

ii. Gaussian prime construction

N ¼ ð Þ 4x � 1 ð Þ¼ 4y � 1 16xy � 4ð Þþ x þ y 1 � 4m � 3 � 4n þ 1 Sums of three squares exist. 1 � P mod 4. 9 � P mod 16.


#### Table 1.

8. Sum of squares

N mð Þ¼ <sup>1</sup>; <sup>n</sup><sup>1</sup> <sup>n</sup><sup>2</sup>

N mð Þ¼ <sup>2</sup>; <sup>n</sup><sup>2</sup> <sup>n</sup><sup>2</sup>

can be applied.

22

[3] Δ(m,n)=Δ(a,b,c).

<sup>N</sup> <sup>¼</sup> <sup>n</sup><sup>2</sup> <sup>þ</sup> ð Þ <sup>n</sup> <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> <sup>2</sup>

Overmars [3] showed that all Pythagorean triples could be represented as

Pythagorean primes (4x + 1) then two representations as the sum of two squares can be found. Euler's Factorization Method (Section 4) can be applied. Finding these two representations is non-trivial and CPU-intensive. The equation

N mð Þ¼ ; <sup>n</sup> <sup>n</sup><sup>2</sup> <sup>þ</sup> ð Þ <sup>n</sup> <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> <sup>2</sup> provides a course search using increments of <sup>n</sup> and fine convergence using m. In this way n is incremented and m is decremented about

N to find the two solutions along the diagonal of a field of N mð Þ ; n ≈ N.

Consider the example, N ¼ 2137458620009.

Modern Cryptography – Current Challenges and Solutions

N1ð324403; 550579Þ ¼ N2ð643603; 334559Þ ¼ 2137458620009

9. Gaussian and Pythagorean primes

. If the composite number N, is constructed using two

<sup>1</sup> <sup>þ</sup> ð Þ <sup>n</sup><sup>1</sup> <sup>þ</sup> <sup>2</sup>m<sup>1</sup> � <sup>1</sup> <sup>2</sup> <sup>¼</sup> 3244032 <sup>þ</sup> ð Þ <sup>324403</sup> <sup>þ</sup> 2 550579 ð Þþ <sup>1</sup> <sup>2</sup> <sup>¼</sup> <sup>324403</sup><sup>2</sup> <sup>þ</sup> <sup>1425560</sup><sup>2</sup>

<sup>2</sup> <sup>þ</sup> ð Þ <sup>n</sup><sup>2</sup> <sup>þ</sup> <sup>2</sup>m<sup>2</sup> � <sup>1</sup> <sup>2</sup> <sup>¼</sup> <sup>643603</sup><sup>2</sup> <sup>þ</sup> ð Þ <sup>643603</sup> <sup>þ</sup> 2 334559 ð Þþ <sup>1</sup> <sup>2</sup> <sup>¼</sup> 6436032 <sup>þ</sup> 13127202

For completeness N can be represented as two Pythagorean triangles as shown

a mð Þ¼ ; <sup>n</sup> <sup>2</sup>n nð Þ <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> , bmð Þ¼ ; <sup>n</sup> ð Þ <sup>2</sup><sup>m</sup> � <sup>1</sup> ð Þ <sup>2</sup><sup>n</sup> <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> , cmð Þ¼ :<sup>n</sup> <sup>n</sup><sup>2</sup> <sup>þ</sup> ð Þ <sup>n</sup> <sup>þ</sup> <sup>2</sup><sup>m</sup> � <sup>1</sup> <sup>2</sup> Δð Þ¼ m1; n<sup>1</sup> Δð Þ a1; b1;c<sup>1</sup> : Δ ð324403; 550579Þ ¼ Δð Þ 28197495801360; 8357740887191; 29410042540009 Δð Þ¼ m2; n<sup>2</sup> Δð Þ a2; b2;c<sup>2</sup> : Δð643603; 334559Þ ¼ Δð Þ 1689741060320; 1309008976791; 29410042540009

Once the two sum of two squares has been found, Euler's factorization method

If the composite number (N) is constructed using Pythagorean primes (4x þ 1), then a solution exists as two sums of two squares and Euler's factorization method

As shown in Section 4, if Pythagorean primes (4x þ 1 � 4x � 3) are used to construct the composite number (N), a solution exists as two sums of two squares. However, if N is constructed using Gaussian primes (4x � 1 � 4x þ 3), then Euler's sum of two squares method cannot be used. Is there a test that we can use to see if

the composite has been constructed using Pythagorean primes? (Table 1)

iii. N ¼ ð Þ 4x þ 1 ð Þ 4y � 1 using a mix of Pythagorean and Gaussian primes

<sup>9</sup> � P mod 16. See Section 4. 793 <sup>¼</sup> <sup>13</sup> <sup>∗</sup> <sup>61</sup> <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>28</sup><sup>2</sup> <sup>¼</sup> <sup>8</sup><sup>2</sup> <sup>þ</sup> <sup>27</sup><sup>2</sup>

N ¼ ð Þ 4x þ 1 ð Þ¼ 4y þ 1 16xy þ 4ð Þþ x þ y 1 Two sum of two squares representations exist and Euler's factorization can be used. 1 � P mod 4.

N ¼ ð Þ 4x � 1 ð Þ¼ 4y � 1 16xy � 4ð Þþ x þ y 1 � 4m � 3 � 4n þ 1 Sums of

Consider the following composite constructions:

ii. N ¼ ð Þ 4x � 1 ð Þ 4y � 1 using Gaussian primes

i. Pythagorean prime construction

ii. Gaussian prime construction

i. N ¼ ð Þ 4x þ 1 ð Þ 4y þ 1 using Pythagorean primes

three squares exist. 1 � P mod 4. 9 � P mod 16.

(Section 4), can be used to find the prime constructions of N : N ¼ P1P2.

Possible composite constructs using Pythagorean and Gaussian primes.

<sup>649</sup> <sup>¼</sup> <sup>11</sup> <sup>∗</sup> <sup>59</sup> <sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> 82 <sup>þ</sup> <sup>24</sup><sup>2</sup> <sup>¼</sup> 62 <sup>þ</sup> <sup>17</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>¼</sup> <sup>8</sup><sup>2</sup> <sup>þ</sup> <sup>12</sup><sup>2</sup> <sup>þ</sup> <sup>21</sup><sup>2</sup> <sup>¼</sup> 102 <sup>þ</sup> <sup>15</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>¼</sup> <sup>12</sup><sup>2</sup> <sup>þ</sup> <sup>12</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> Legendre's three-square theorem can test the composite: <sup>N</sup> <sup>¼</sup> <sup>x</sup><sup>2</sup> <sup>þ</sup> <sup>y</sup><sup>2</sup> <sup>þ</sup> <sup>z</sup><sup>2</sup> true if N 6¼ <sup>4</sup>að Þ <sup>8</sup><sup>b</sup> <sup>þ</sup> <sup>7</sup> a, b∈Z,

iii. Mixed Pythagorean-Gaussian prime construction N ¼ ð Þ 4x þ 1 ð Þ¼ 4y � 1 16xy � 4ð Þ� x � y 1, N ¼ ð Þ 4x � 1 ð Þ¼ 4y þ 1 16xy þ 4ð Þ� x � y 1: Sums of four squares exist. 3 � P mod 4. 13 ∗ 59 ¼ 767

<sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> <sup>27</sup><sup>2</sup> <sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> 12 þ þ18<sup>2</sup> <sup>þ</sup> 212 <sup>¼</sup> 12 <sup>þ</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> 262 <sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> <sup>17</sup><sup>2</sup> <sup>þ</sup> 212 <sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>¼</sup> <sup>1</sup><sup>2</sup> <sup>þ</sup> <sup>10</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> 212 <sup>¼</sup> <sup>2</sup><sup>2</sup> <sup>þ</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>5</sup><sup>2</sup> <sup>þ</sup> <sup>27</sup><sup>2</sup> <sup>¼</sup> <sup>2</sup><sup>2</sup> <sup>þ</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> 232 <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>7</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> <sup>22</sup><sup>2</sup> <sup>¼</sup> <sup>3</sup><sup>2</sup> <sup>þ</sup> <sup>11</sup><sup>2</sup> <sup>þ</sup> <sup>14</sup><sup>2</sup> <sup>þ</sup> 212 <sup>¼</sup> 52 <sup>þ</sup> 62 <sup>þ</sup> <sup>9</sup><sup>2</sup> <sup>þ</sup> 252 <sup>¼</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> <sup>11</sup><sup>2</sup> <sup>þ</sup> 232 <sup>¼</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> <sup>17</sup><sup>2</sup> <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>¼</sup> <sup>6</sup><sup>2</sup> <sup>þ</sup> 112 <sup>þ</sup> <sup>13</sup><sup>2</sup> <sup>þ</sup> 212 <sup>¼</sup> <sup>7</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> 142 <sup>þ</sup> 212 <sup>¼</sup> <sup>7</sup><sup>2</sup> <sup>þ</sup> <sup>13</sup><sup>2</sup> <sup>þ</sup> <sup>15</sup><sup>2</sup> <sup>þ</sup> <sup>18</sup><sup>2</sup> <sup>¼</sup> <sup>9</sup><sup>2</sup> <sup>þ</sup> 92 <sup>þ</sup> <sup>11</sup><sup>2</sup> <sup>þ</sup> <sup>22</sup><sup>2</sup> <sup>¼</sup> 92 <sup>þ</sup> <sup>10</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> <sup>19</sup><sup>2</sup> <sup>¼</sup> 112 <sup>þ</sup> <sup>14</sup><sup>2</sup> <sup>þ</sup> 152 <sup>þ</sup> 152

In summary, a composite whose construction is based upon both Pythagorean and Gaussian primes can easily be identified when P mod 4 � 3 is true. However, sums of four squares exist and Euler's factorization cannot be used. When P mod 4 � 1 is true, the composite could be constructed using Pythagorean primes or Gaussian primes. Use the Legendre test to further discriminate. When the Pythagorean construct is confirmed, the two sums of two squares can be found, and Euler's factorization can be used. If the composite construction is both Pythagorean and Gaussian, sums of three squares exist and Euler's factorization cannot be used.

#### 10. Overmars factorization method

Another classification of the composite number uses a different construct for primes and seeks to define the composite number as follows: Let N ¼ P1P<sup>2</sup> and test N : ð Þ N � 1 mod4 ¼ 0. Two cases are considered in the classification, and this determines the constructs of the primes used. Note the sign of �1 determines the case used, and the test is both simple and concise [4].

Case (1) ⊕⊝ ð Þ N þ 1 mod4 ¼ 0, P<sup>1</sup> ¼ 2ð Þþ m � n 1, P<sup>2</sup> ¼ 2ð Þ� m þ n 1

$$\begin{aligned} \textbf{1.} \textbf{Let } m\_0 \ge \frac{\sqrt{N}}{2}, m \in \mathbb{N}^+ \\\\ \textbf{2.} \textbf{Let } n\_0 = \frac{\sqrt{4m\_0^2 - N} + 1}{2}, \ n \in \mathbb{N}^+ ; \text{ } n \notin \mathbb{N}^+ \Rightarrow m\_\mathbf{x} = m\_0 + \mathbf{1} \\\\ \textbf{3.} \textbf{Let } n = \frac{\sqrt{4m\_\mathbf{x}^2 - N} + 1}{2}, \ n \notin \mathbb{N}^+ ; \text{ } m\_\mathbf{x} = m\_\mathbf{x} + \mathbf{1} \Rightarrow n : n \in \mathbb{N}^+ \\\\ \textbf{4.} \textbf{P}\_1 = 2(m - n) + \mathbf{1}, \mathbf{P}\_2 = 2(m + n) - \mathbf{1} \end{aligned}$$

Case (2) ⊝⊝ð Þ N � 1 mod4 ¼ 0, P<sup>1</sup> ¼ 2ð Þ� m � n 1, P<sup>2</sup> ¼ 2ð Þ� m þ n 1 1. Let <sup>m</sup><sup>0</sup> <sup>≥</sup> ffiffiffi N <sup>p</sup> <sup>þ</sup><sup>1</sup> <sup>2</sup> , m ∈ N<sup>þ</sup> 2. Let n<sup>0</sup> ¼ ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð Þ <sup>2</sup>m0�<sup>1</sup> <sup>2</sup> �N p <sup>2</sup> , n∈ Nþ?, n∉ N<sup>þ</sup> ) mx ¼ m<sup>0</sup> þ 1 3. Let n ¼ ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð Þ <sup>2</sup>mx�<sup>1</sup> <sup>2</sup> �N p <sup>2</sup> , n ∉ Nþ, mx ¼ mx þ 1 ) n : n∈ N<sup>þ</sup> 4.P<sup>1</sup> ¼ 2ð Þ� m � n 1, P<sup>2</sup> ¼ 2ð Þ� m þ n 1 Example N ¼ 5959 1. Test ð Þ N � 1 mod4 ¼ 0 : 5959 ð Þ þ 1 mod 4 ¼ 0 ) case ð Þ1 ⊕⊝ 2. <sup>m</sup><sup>0</sup> <sup>≥</sup> ffiffiffi N p <sup>2</sup> ) <sup>m</sup><sup>0</sup> <sup>¼</sup> ffiffiffiffiffiffiffi <sup>5959</sup> <sup>p</sup> <sup>2</sup> ) m<sup>0</sup> ¼ 39, n ¼ 6:09, n∉ N<sup>þ</sup> 3. m<sup>1</sup> ¼ m<sup>0</sup> þ 1 ¼ 39 þ 1 ¼ 40 4.n ¼ ffiffiffiffiffiffiffiffiffiffiffi 4m<sup>2</sup> <sup>1</sup>�<sup>N</sup> <sup>p</sup> <sup>þ</sup><sup>1</sup> <sup>2</sup> ) n<sup>1</sup> ¼ ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi 4 40 ð Þ<sup>2</sup> �<sup>5959</sup> <sup>p</sup> <sup>þ</sup><sup>1</sup> <sup>2</sup> ¼ 11, n<sup>1</sup> ∈ N<sup>þ</sup> 5. <sup>P</sup><sup>1</sup> <sup>¼</sup> <sup>2</sup>ð Þþ <sup>m</sup> � <sup>n</sup> <sup>1</sup> ) <sup>P</sup><sup>1</sup> <sup>¼</sup> 2 40 ð Þþ � <sup>11</sup> <sup>1</sup> <sup>¼</sup> <sup>59</sup>, P<sup>2</sup> <sup>¼</sup> <sup>2</sup>ð Þ� <sup>m</sup> <sup>þ</sup> <sup>n</sup> <sup>1</sup> ) <sup>P</sup>\_2 <sup>¼</sup> 2 40 ð Þ� <sup>þ</sup> <sup>11</sup> <sup>1</sup> <sup>¼</sup> <sup>101</sup> N ¼ P1P<sup>2</sup> ¼ 59 x 101 ¼ 5959

<sup>N</sup> <sup>¼</sup> ½ � a mð Þ� � <sup>n</sup> <sup>1</sup> <sup>½</sup>a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>1</sup>� ¼ <sup>a</sup><sup>2</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> � � � <sup>2</sup>am <sup>þ</sup> <sup>1</sup>

Case (4) ⊕⊕ð Þ <sup>N</sup> � <sup>1</sup> mod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þþ � <sup>n</sup> <sup>1</sup>, P<sup>2</sup> <sup>¼</sup> a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>1</sup>

<sup>a</sup> <sup>¼</sup> a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>m a : a is a factor of N � <sup>1</sup>

, m ≥

Case (3) ⊝⊝ ð Þ <sup>N</sup> � <sup>1</sup> mod a<sup>2</sup> ) ð Þ <sup>211276133</sup> � <sup>1</sup> mod<sup>4</sup> <sup>¼</sup> <sup>0</sup> ) <sup>a</sup> <sup>¼</sup> <sup>2</sup>

Case (2) ⊝⊕ ð Þ <sup>N</sup> <sup>þ</sup> <sup>1</sup> mod a<sup>2</sup> ) ð Þ <sup>211276133</sup> <sup>þ</sup> <sup>1</sup> mod<sup>9</sup> <sup>¼</sup> <sup>0</sup> ) <sup>a</sup> <sup>¼</sup> <sup>3</sup>

<sup>N</sup> <sup>¼</sup> ½ � a mð Þþ � <sup>n</sup> <sup>1</sup> <sup>½</sup>a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>1</sup>� ¼ <sup>a</sup><sup>2</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> � � <sup>þ</sup> <sup>2</sup>am <sup>þ</sup> <sup>1</sup>

ffiffiffiffi N <sup>p</sup> <sup>∓</sup> <sup>1</sup> a

a: a ¼ gcdð Þ m; n for all cases. Choosing the largest value of a ensures a rapid

Factors of ð Þ) <sup>N</sup> <sup>þ</sup> <sup>1</sup> <sup>211276133</sup> <sup>þ</sup> <sup>1</sup> <sup>¼</sup> ð Þ<sup>2</sup> 33 � �ð Þ <sup>881</sup> ð Þ <sup>4441</sup> possible values for a Factors of ð Þ) <sup>N</sup> � <sup>1</sup> <sup>211276133</sup> � <sup>1</sup> <sup>¼</sup> <sup>2</sup><sup>2</sup> � �ð Þ <sup>52819033</sup> possible values for a

½ � 2ð Þ� m � n 1 ½2ð Þ� m þ n 1� ¼ 211276133, m ¼ 10247, n ¼ 7223 ) gcd 10247 ð Þ¼ ; 7223 1 P<sup>1</sup> ¼ 2 10247 ð � 7223Þ � 1 ¼ 6047, P<sup>2</sup> ¼ 2 10247 ð þ 7223Þ � 1 ¼ 34939

½ � 3ð Þ� m � n 1 ½ �¼ 3ð Þ� m þ n 1 211276133, m ¼ 6831, n ¼ 4815 ) gcd 6831 ð Þ¼ ; 4815 9 ½ � 27ð Þ� m � n 1 ½27ð Þ� m þ n 1� ¼ 211276133, m ¼ 759, n ¼ 535 ) gcd 759 ð Þ¼ ; 535 1 P<sup>1</sup> ¼ 27 759 ð Þ� � 535 1 ¼ 6047, P<sup>2</sup> ¼ 27 759 ð Þþ þ 535 1 ¼ 34939

Factors of ð Þ) <sup>N</sup> � <sup>1</sup> <sup>5959</sup> � <sup>1</sup> <sup>¼</sup> ð Þ<sup>2</sup> <sup>3</sup><sup>2</sup> � �ð Þ <sup>331</sup> possible values for a P<sup>1</sup> ¼ 3ð Þ� m � n 1, P<sup>2</sup> ¼ 3ð Þ� m þ n 1, m ¼ 27, n ¼ 7, gcd 27 ð Þ¼ ; 7 1 Factors of ð Þ) <sup>N</sup> <sup>þ</sup> <sup>1</sup> <sup>5959</sup> <sup>þ</sup> <sup>1</sup> <sup>¼</sup> 23 � �ð Þ<sup>5</sup> ð Þ <sup>149</sup> possible values for a P<sup>1</sup> ¼ 20ð Þþ m � n 1, P<sup>2</sup> ¼ 20ð Þ� m þ n 1, m ¼ 4, n ¼ 1, gcd 4ð Þ¼ ; 1 1

P<sup>1</sup> ¼ 37975227936943673922808872755445627854565536638199 P<sup>2</sup> ¼ 40094690950920881030683735292761468389214899724061

<sup>P</sup><sup>1</sup> <sup>¼</sup> <sup>2</sup><sup>3</sup> � �ð Þ<sup>3</sup> 52 � �ð Þ <sup>109</sup> ð Þ <sup>409</sup> ð Þ <sup>20839813</sup> ð Þ <sup>60236089</sup> ð Þ <sup>49147216823</sup> <sup>ð</sup>23011759155976667Þ � <sup>1</sup> <sup>P</sup><sup>2</sup> <sup>¼</sup> 22 � �ð Þ<sup>5</sup> ð Þ <sup>41</sup> ð Þ <sup>2119363</sup> ð Þ <sup>602799725049211</sup> <sup>ð</sup>38273186726790856290328531Þ þ <sup>1</sup> P<sup>2</sup> ¼ ð Þ2 ð Þ3 ð Þ 11 ð Þ 59 ð10296530804037206222569012658644444886804031773Þ � 1

P<sup>1</sup> ¼ ð Þ2 ð Þ 3167 ð Þ 3613 ð1659412543822590349622856694449324700910569Þ þ 1

<sup>2</sup> <sup>¼</sup> ð Þ am � <sup>1</sup> <sup>2</sup> � ð Þ an

<sup>2</sup> <sup>¼</sup> ð Þ am <sup>þ</sup> <sup>1</sup> <sup>2</sup> � ð Þ an

, m ¼

q

2

2

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi N þ ð Þ an

a

2

� 1

<sup>2</sup> � <sup>2</sup>am <sup>þ</sup> <sup>1</sup> � ð Þ an

<sup>2</sup> <sup>þ</sup> <sup>2</sup>am <sup>þ</sup> <sup>1</sup> � ð Þ an

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð Þ am � <sup>1</sup> <sup>2</sup> � <sup>N</sup> a2

convergence to the solution. This is illustrated by example.

N ¼ ð Þ am

DOI: http://dx.doi.org/10.5772/intechopen.84852

Survey of RSA Vulnerabilities

N ¼ ð Þ am

s

n ¼

Consider N ¼ 211276133

Consider N ¼ 5959 (Section 8)

Consider RSA100

25

Case (3, 4) <sup>N</sup>�<sup>1</sup>

This method is reasonable for small composites but becomes computationally unfeasible for large composites.

#### 11. Extensions of the Overmars factorization method

$$\text{Case (1) } \oplus \ominus (N+1) \\ \text{mod } a^2 = 0, \quad P\_1 = a(m-n) + \mathbf{1}, \quad P\_2 = a(m+n) - \mathbf{1}$$

$$N = [a(m-n) + \mathbf{1}][a(m+n) - \mathbf{1}] = a^2(m^2 - n^2) + 2an - \mathbf{1}$$

$$N = (am)^2 - \left[ (an)^2 - 2an + \mathbf{1} \right] = (am)^2 - (an-\mathbf{1})^2$$

Case (2) ⊝⊕ð Þ <sup>N</sup> <sup>þ</sup> <sup>1</sup> mod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þ� � <sup>n</sup> <sup>1</sup>, P<sup>2</sup> <sup>¼</sup> a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>1</sup>

$$N = [a(m - n) - 1][a(m + n) + 1] = a^2(m^2 - n^2) - 2an - 1$$

$$N = (am)^2 - \left[\left(an\right)^2 + 2an + 1\right] = (am)^2 - \left(an + 1\right)^2$$

Case (1, 2) <sup>N</sup>þ<sup>1</sup> <sup>a</sup> <sup>¼</sup> a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>n a : a is a factor of N <sup>þ</sup> <sup>1</sup>

$$m = \frac{\sqrt{\left(am\right)^2 - N} \pm 1}{a}, m \ge \frac{\sqrt{N}}{a}m = \sqrt{\frac{N + \left(an \pm 1\right)^2}{a^2}},$$

Case (3) ⊝⊝ð Þ <sup>N</sup> � <sup>1</sup> mod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þ� � <sup>n</sup> <sup>1</sup>, P<sup>2</sup> <sup>¼</sup> a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>1</sup>

Survey of RSA Vulnerabilities DOI: http://dx.doi.org/10.5772/intechopen.84852

Case (2) ⊝⊝ð Þ N � 1 mod4 ¼ 0, P<sup>1</sup> ¼ 2ð Þ� m � n 1, P<sup>2</sup> ¼ 2ð Þ� m þ n 1

<sup>2</sup> , n∈ Nþ?, n∉ N<sup>þ</sup> ) mx ¼ m<sup>0</sup> þ 1

<sup>2</sup> , n ∉ Nþ, mx ¼ mx þ 1 ) n : n∈ N<sup>þ</sup>

<sup>2</sup> ) m<sup>0</sup> ¼ 39, n ¼ 6:09, n∉ N<sup>þ</sup>

<sup>2</sup> ¼ 11, n<sup>1</sup> ∈ N<sup>þ</sup>

5. <sup>P</sup><sup>1</sup> <sup>¼</sup> <sup>2</sup>ð Þþ <sup>m</sup> � <sup>n</sup> <sup>1</sup> ) <sup>P</sup><sup>1</sup> <sup>¼</sup> 2 40 ð Þþ � <sup>11</sup> <sup>1</sup> <sup>¼</sup> <sup>59</sup>, P<sup>2</sup> <sup>¼</sup> <sup>2</sup>ð Þ� <sup>m</sup> <sup>þ</sup> <sup>n</sup> <sup>1</sup> ) <sup>P</sup>\_2 <sup>¼</sup> 2 40 ð Þ� <sup>þ</sup> <sup>11</sup> <sup>1</sup> <sup>¼</sup> <sup>101</sup>

N ¼ P1P<sup>2</sup> ¼ 59 x 101 ¼ 5959

This method is reasonable for small composites but becomes computationally

Case (1) ⊕⊝ð Þ <sup>N</sup> <sup>þ</sup> <sup>1</sup> mod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þþ � <sup>n</sup> <sup>1</sup>, P<sup>2</sup> <sup>¼</sup> a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>1</sup>

Case (2) ⊝⊕ð Þ <sup>N</sup> <sup>þ</sup> <sup>1</sup> mod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þ� � <sup>n</sup> <sup>1</sup>, P<sup>2</sup> <sup>¼</sup> a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>1</sup>

<sup>N</sup> <sup>¼</sup> ½ � a mð Þ� � <sup>n</sup> <sup>1</sup> <sup>½</sup>a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>1</sup>� ¼ <sup>a</sup><sup>2</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> � � � <sup>2</sup>an � <sup>1</sup>

<sup>2</sup> � <sup>2</sup>an <sup>þ</sup> <sup>1</sup> h i

<sup>2</sup> <sup>þ</sup> <sup>2</sup>an <sup>þ</sup> <sup>1</sup> h i

<sup>a</sup> <sup>¼</sup> a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>n a : a is a factor of N <sup>þ</sup> <sup>1</sup>

, m ≥

Case (3) ⊝⊝ð Þ <sup>N</sup> � <sup>1</sup> mod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þ� � <sup>n</sup> <sup>1</sup>, P<sup>2</sup> <sup>¼</sup> a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>1</sup>

<sup>N</sup> <sup>¼</sup> ½ � a mð Þþ � <sup>n</sup> <sup>1</sup> <sup>½</sup>a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>1</sup>� ¼ <sup>a</sup><sup>2</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> � � <sup>þ</sup> <sup>2</sup>an � <sup>1</sup>

¼ ð Þ am

¼ ð Þ am

s

ffiffiffiffi N p a m ¼ <sup>2</sup> � ð Þ an � <sup>1</sup> <sup>2</sup>

<sup>2</sup> � ð Þ an <sup>þ</sup> <sup>1</sup> <sup>2</sup>

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi <sup>N</sup> <sup>þ</sup> ð Þ an � <sup>1</sup> <sup>2</sup> a2

,

1. Test ð Þ N � 1 mod4 ¼ 0 : 5959 ð Þ þ 1 mod 4 ¼ 0 ) case ð Þ1 ⊕⊝

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi 4 40 ð Þ<sup>2</sup> �5959 <sup>p</sup> <sup>þ</sup><sup>1</sup>

11. Extensions of the Overmars factorization method

<sup>2</sup> � ð Þ an

<sup>2</sup> � ð Þ an

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð Þ am

a

<sup>2</sup> � <sup>N</sup>

� 1

1. Let <sup>m</sup><sup>0</sup> <sup>≥</sup> ffiffiffi

2. Let n<sup>0</sup> ¼

3. Let n ¼

2. <sup>m</sup><sup>0</sup> <sup>≥</sup> ffiffiffi N p

4.n ¼

N <sup>p</sup> <sup>þ</sup><sup>1</sup>

p

p

Example N ¼ 5959

<sup>2</sup> , m ∈ N<sup>þ</sup>

�N

Modern Cryptography – Current Challenges and Solutions

�N

4.P<sup>1</sup> ¼ 2ð Þ� m � n 1, P<sup>2</sup> ¼ 2ð Þ� m þ n 1

<sup>5959</sup> <sup>p</sup>

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð Þ <sup>2</sup>m0�<sup>1</sup> <sup>2</sup>

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð Þ <sup>2</sup>mx�<sup>1</sup> <sup>2</sup>

<sup>2</sup> ) <sup>m</sup><sup>0</sup> <sup>¼</sup> ffiffiffiffiffiffiffi

<sup>2</sup> ) n<sup>1</sup> ¼

3. m<sup>1</sup> ¼ m<sup>0</sup> þ 1 ¼ 39 þ 1 ¼ 40

ffiffiffiffiffiffiffiffiffiffiffi 4m<sup>2</sup> <sup>1</sup>�<sup>N</sup> <sup>p</sup> <sup>þ</sup><sup>1</sup>

unfeasible for large composites.

N ¼ ð Þ am

N ¼ ð Þ am

n ¼

q

Case (1, 2) <sup>N</sup>þ<sup>1</sup>

24

$$N = [a(m - n) - 1][a(m + n) - 1] = a^2(m^2 - n^2) - 2am + 1$$

$$N = \left(am\right)^2 - 2am + 1 - \left(an\right)^2 = \left(am - 1\right)^2 - \left(an\right)^2$$

Case (4) ⊕⊕ð Þ <sup>N</sup> � <sup>1</sup> mod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þþ � <sup>n</sup> <sup>1</sup>, P<sup>2</sup> <sup>¼</sup> a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>1</sup>

$$N = [a(m - n) + 1][a(m + n) + 1] = a^2(m^2 - n^2) + 2am + 1$$

$$N = (am)^2 + 2am + 1 - (an)^2 = (am + 1)^2 - (an)^2$$

Case (3, 4) <sup>N</sup>�<sup>1</sup> <sup>a</sup> <sup>¼</sup> a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>m a : a is a factor of N � <sup>1</sup>

$$m = \sqrt{\frac{\left(am \pm 1\right)^2 - N}{a^2}}, m \ge \frac{\sqrt{N} \mp 1}{a}, m = \frac{\sqrt{N + \left(an\right)^2} \pm 1}{a}$$

a: a ¼ gcdð Þ m; n for all cases. Choosing the largest value of a ensures a rapid convergence to the solution. This is illustrated by example.

Consider N ¼ 211276133

$$\begin{aligned} \text{Factors of } (N+1) &\Rightarrow 211276133 + 1 = (2)(3^3)(881)(4441) \quad possible \ values \ for \ a \\ \text{Factors of } (N-1) &\Rightarrow 211276133 - 1 = (2^2)(52819033) \qquad possible \ values \ for \ a \\ \text{Case (3) } &\bigoplus (N-1) \text{mod } a^2 \Rightarrow (211276133 - 1) \text{mod } 4 = 0 \Rightarrow a = 2 \end{aligned}$$

$$[2(m-n)-1][2(m+n)-1] = 211276133, m = 10247, n = 7223 \Rightarrow \gcd(10247, 7223) = 1$$

$$\begin{aligned} [2(m-n)-1][2(m+n)-1] &= 211276133, m = 10247, n = 7223 \Rightarrow \gcd(10247, 7223) = 10247, \\ P\_1 &= 2(10247 - 7223) - 1 = 6047, \; P\_2 = 2(10247 + 7223) - 1 = 34939 \end{aligned}$$

Case (2) ⊝⊕ ð Þ <sup>N</sup> <sup>þ</sup> <sup>1</sup> mod a<sup>2</sup> ) ð Þ <sup>211276133</sup> <sup>þ</sup> <sup>1</sup> mod<sup>9</sup> <sup>¼</sup> <sup>0</sup> ) <sup>a</sup> <sup>¼</sup> <sup>3</sup>

½ � 3ð Þ� m � n 1 ½ �¼ 3ð Þ� m þ n 1 211276133, m ¼ 6831, n ¼ 4815 ) gcd 6831 ð Þ¼ ; 4815 9 ½ � 27ð Þ� m � n 1 ½27ð Þ� m þ n 1� ¼ 211276133, m ¼ 759, n ¼ 535 ) gcd 759 ð Þ¼ ; 535 1 P<sup>1</sup> ¼ 27 759 ð Þ� � 535 1 ¼ 6047, P<sup>2</sup> ¼ 27 759 ð Þþ þ 535 1 ¼ 34939

Consider N ¼ 5959 (Section 8)

$$\begin{aligned} \text{Factors of } (N-1) &\Rightarrow 5959 - 1 = (2)(3^2)(331) & \text{ possible values for } a\\ P\_1 &= 3(m-n) - 1, \quad P\_2 = 3(m+n) - 1, \quad m = 27, \quad n = 7, \quad \gcd(27,7) = 1\\ \text{Factors of } (N+1) &\Rightarrow 5959 + 1 = (2^3)(5)(149) & \text{ possible values for } a\\ P\_1 &= 20(m-n) + 1, \quad P\_2 = 20(m+n) - 1, \quad m = 4, \quad n = 1, \quad \gcd(4,1) = 1\\ \text{Consider RSA100} \end{aligned}$$

P<sup>1</sup> ¼ 37975227936943673922808872755445627854565536638199 P<sup>2</sup> ¼ 40094690950920881030683735292761468389214899724061 P<sup>1</sup> ¼ ð Þ2 ð Þ 3167 ð Þ 3613 ð1659412543822590349622856694449324700910569Þ þ 1 <sup>P</sup><sup>1</sup> <sup>¼</sup> <sup>2</sup><sup>3</sup> � �ð Þ<sup>3</sup> 52 � �ð Þ <sup>109</sup> ð Þ <sup>409</sup> ð Þ <sup>20839813</sup> ð Þ <sup>60236089</sup> ð Þ <sup>49147216823</sup> <sup>ð</sup>23011759155976667Þ � <sup>1</sup> <sup>P</sup><sup>2</sup> <sup>¼</sup> 22 � �ð Þ<sup>5</sup> ð Þ <sup>41</sup> ð Þ <sup>2119363</sup> ð Þ <sup>602799725049211</sup> <sup>ð</sup>38273186726790856290328531Þ þ <sup>1</sup> P<sup>2</sup> ¼ ð Þ2 ð Þ3 ð Þ 11 ð Þ 59 ð10296530804037206222569012658644444886804031773Þ � 1

N ¼ P1P<sup>2</sup> <sup>¼</sup> 23 � �ð Þ<sup>3</sup> 52 � �ð Þ <sup>109</sup> ð Þ <sup>409</sup> ð Þ <sup>20839813</sup> ð Þ <sup>60236089</sup> ð Þ <sup>49147216823</sup> <sup>ð</sup>23011759155976667Þ � <sup>1</sup> � � <sup>∗</sup> 22 � �ð Þ<sup>5</sup> ð Þ <sup>41</sup> ð Þ <sup>2119363</sup> ð Þ <sup>602799725049211</sup> <sup>ð</sup>38273186726790856290328531Þ þ <sup>1</sup> � � factors of N <sup>þ</sup> <sup>1</sup> <sup>¼</sup> <sup>2</sup><sup>2</sup> � �ð Þ<sup>5</sup> ð Þ<sup>7</sup> <sup>13</sup><sup>2</sup> � �ð Þ <sup>63421</sup> ð Þ <sup>83694613</sup> ð121238883482226494959007093210067761113089 3465646351221267386320068406978173999673Þ factors of N � <sup>1</sup> <sup>¼</sup> ð Þ<sup>2</sup> 32 � �ð Þ <sup>210974974123</sup> ð400944086233670527306310281636760087998315 351567377660286363410284049027879820778576767Þ

N + 1 is the better candidate, as it has more factors to try. So cases (1,2) are considered.

Case (1,2) <sup>N</sup>þx<sup>2</sup>

Survey of RSA Vulnerabilities

DOI: http://dx.doi.org/10.5772/intechopen.84852

Table 2. <sup>N</sup> � <sup>x</sup><sup>2</sup> .

n ¼

q

N ¼ ð Þ am

N ¼ ð Þ am

s

n ¼

modification of Fermat'<sup>s</sup> <sup>a</sup><sup>2</sup> � <sup>b</sup><sup>2</sup>

and convergence faster to a solution.

Case (3,4) <sup>N</sup>�x<sup>2</sup>

13. Primes

27

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð Þ am

a

<sup>2</sup> � <sup>N</sup>

� x

, m ≥

<sup>2</sup> � <sup>2</sup>amx <sup>þ</sup> <sup>x</sup><sup>2</sup> � ð Þ an

<sup>2</sup> <sup>þ</sup> <sup>2</sup>amx <sup>þ</sup> <sup>x</sup><sup>2</sup> � ð Þ an

<sup>2</sup> � <sup>N</sup>

, m ≥

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð Þ am � x

a2

<sup>a</sup> <sup>¼</sup> a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>nx a : a is a factor of N <sup>þ</sup> <sup>x</sup><sup>2</sup>

x N � <sup>x</sup><sup>2</sup> �<sup>x</sup> a m n gcd(m,n) Smoothness 1 2<sup>2</sup> 3 5 311 433 ⊝⊝ 10 386 261 1 5-smooth

7 2<sup>2</sup> 3<sup>2</sup> 103 2179 ⊕⊕ 18 214 145 1 3-smooth 11 2<sup>2</sup> 32 5 44887 ⊝⊝ 90 43 29 1 5-smooth

19 2<sup>2</sup> 3 5 17 89<sup>2</sup> ⊕⊕ 30 128 87 1 5-smooth

29 2<sup>2</sup> 3<sup>4</sup> 5 4987 ⊝⊝ 18 216 145 1 5-smooth

3 22 479 4217 ⊝⊝ 2 1931 1305 1 5 2<sup>2</sup> 3 673313 ⊝⊝ 6 644 435 1

13 2<sup>2</sup> 3 211 3191 ⊕⊕ 6 641 435 1 17 22 3 673291 ⊝⊝ 6 646 435 1

23 2<sup>2</sup> 3 673271 ⊝⊝ 6 647 435 1

Case (3) ⊝⊝ <sup>N</sup> � <sup>x</sup><sup>2</sup> ð Þmod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þ� � <sup>n</sup> x, P<sup>2</sup> <sup>¼</sup> a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>x</sup>

<sup>N</sup> <sup>¼</sup> ½ � a mð Þ� � <sup>n</sup> <sup>x</sup> <sup>½</sup>a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>x</sup>� ¼ <sup>a</sup><sup>2</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> � � � <sup>2</sup>amx <sup>þ</sup> <sup>x</sup><sup>2</sup>

Case (4) ⊕⊕ <sup>N</sup> � <sup>x</sup><sup>2</sup> ð Þmod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þþ � <sup>n</sup> x, P<sup>2</sup> <sup>¼</sup> a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>x</sup>

<sup>N</sup> <sup>¼</sup> ½ � a mð Þþ � <sup>n</sup> <sup>x</sup> <sup>½</sup>a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>x</sup>� ¼ <sup>a</sup><sup>2</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> � � <sup>þ</sup> <sup>2</sup>amx <sup>þ</sup> <sup>x</sup><sup>2</sup>

<sup>a</sup> <sup>¼</sup> a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>mx a : a is a factor of N � <sup>x</sup><sup>2</sup>

ffiffiffiffi N <sup>p</sup> <sup>∓</sup>x<sup>2</sup> a

N ¼ ½ � 90 43 ð Þ� � 29 11 ½90 43 ð Þ� þ 29 11� ¼ 1249 � 6469

When a smooth x can be found, larger a values allow for faster convergence to a solution. The selection of x and a is somewhat arbitrary and prime constructs are a

The current state of the art in prime number generation is Atkin's sieve [5, 6]. The algorithm completely ignores any numbers with remainder mod 60 that is divisible by 2, 3 or 5, since numbers with a mod 60 remainder divisible by one of

q

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi N þ ð Þ a∓x

a

2

<sup>2</sup> <sup>¼</sup> ð Þ am � <sup>x</sup>

<sup>2</sup> <sup>¼</sup> ð Þ am <sup>þ</sup> <sup>x</sup>

, m ¼

q

. Smooth factors of <sup>N</sup> � <sup>x</sup><sup>2</sup> produce larger <sup>a</sup> values

, m ¼

s

<sup>2</sup> � ð Þ an 2

<sup>2</sup> � ð Þ an 2

> ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi N þ ð Þ an

> > a

2

� <sup>x</sup><sup>2</sup>

ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi N þ ð Þ an � x

a2

2

$$\begin{array}{l}\text{Case } [2] \text{ N } = [a(m-n)-1][a(m+n)+1] = a^2(m^2-n^2)-2am-1 \xrightarrow{N+1} \\ a(m^2-n^2)-2n \text{ Try } a:a = (2)(5) \xrightarrow{N+1} = a(m^2-n^2)-2n \text{ N } \xrightarrow{N+1} \\ \frac{N+1}{10} = 10(m^2-n^2)-2n \xrightarrow{N+1} = 5(m^2-n^2)-n \\ m \ge \frac{N}{a} = 3902057185540126551228975333948443701089050069019 \\\\ \frac{N+1}{a} = (152260502792533360558163781326374297180681149613806886 \\\\ 57908494580122963258952897654000350692006139) + 1/20 \\ = 76130251396126668026780918906348714859034075346609304 \\\\ 43289544279290614816294764488270000173346600307 \\\\ a = 10 \rightarrow m = 390349594439322774676430402410354812189021818113, \\ n = 105973315066866355937431266657920027342665152939 \text{ deg}(m,n) = 1 \\ \qquad n = 105973150668663559374312666579200273466522678456553663919 \\\\ P\_1 = 10(m-n) + 1 = 37972279648976372088077254456276845$$

When a is small, this method becomes computationally unfeasible.

#### 12. Overmars factorization using smooth factors

Consider the construction of primes (Sections 8 and 9), P ¼ a mð Þ� � n 1. More generally, P : P ¼ a mð Þ� � n x Consider N ¼ P1P<sup>2</sup> ) 8079781 ¼ 1249 � 6469 (Table 2).

$$\text{Case (1) } \oplus \ominus (N + \ge^2) \\ \text{mod } a^2 = 0, \quad P\_1 = a(m - n) + \infty, \quad P\_2 = a(m + n) - \infty$$

$$N = [a(m - n) + \mathfrak{x}][a(m + n) - \mathfrak{x}] = a^2(m^2 - n^2) + 2an\mathfrak{x} - \mathfrak{x}^2$$

$$N = (am)^2 - \left[ (an)^2 - 2an\mathfrak{x} + \mathfrak{1} \right] = (am)^2 - (an - \mathfrak{x})^2$$

Case (2) ⊝⊕ <sup>N</sup> <sup>þ</sup> <sup>x</sup><sup>2</sup> ð Þmod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þ� � <sup>n</sup> x, P<sup>2</sup> <sup>¼</sup> a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>x</sup>

$$N = [a(m - n) - 1][a(m + n) + 1] = a^2(m^2 - n^2) - 2anx - x^2$$

$$N = (am)^2 - \left[\left(an\right)^2 + 2anx + 1\right] = \left(am\right)^2 - \left(an + x\right)^2$$

Survey of RSA Vulnerabilities DOI: http://dx.doi.org/10.5772/intechopen.84852


Table 2. <sup>N</sup> � <sup>x</sup><sup>2</sup> .

N ¼ P1P<sup>2</sup>

considered.

Nþ1

N þ 1

(Table 2).

26

N ¼ ð Þ am

N ¼ ð Þ am

<sup>m</sup> <sup>≥</sup> ffiffiffi N p

<sup>¼</sup> 23 � �ð Þ<sup>3</sup> 52 � �ð Þ <sup>109</sup> ð Þ <sup>409</sup> ð Þ <sup>20839813</sup> ð Þ <sup>60236089</sup> ð Þ <sup>49147216823</sup> <sup>ð</sup>23011759155976667Þ � <sup>1</sup> � �

ð121238883482226494959007093210067761113089 3465646351221267386320068406978173999673Þ

ð400944086233670527306310281636760087998315 351567377660286363410284049027879820778576767Þ

<sup>a</sup> <sup>¼</sup> a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>n,

<sup>a</sup> ¼

<sup>∗</sup> 22 � �ð Þ<sup>5</sup> ð Þ <sup>41</sup> ð Þ <sup>2119363</sup> ð Þ <sup>602799725049211</sup> <sup>ð</sup>38273186726790856290328531Þ þ <sup>1</sup> � �

N + 1 is the better candidate, as it has more factors to try. So cases (1,2) are

<sup>20</sup> <sup>¼</sup> <sup>5</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>n</sup>

<sup>a</sup> ¼ 3902057185540126551228957333948437101890500690019

<sup>a</sup> <sup>¼</sup> <sup>ð</sup><sup>15226050279225333605356183781326374297180681149613806886</sup> 57908494580122963258952897654000350692006139Þ þ 1=20 ¼ 76130251396126668026780918906631871485903405748069034 432895424729006148162947644882700017534600307

n ¼ 105973150698860355393743126865792026732468154293 gcdð Þ¼ m; n 1

Case (2) <sup>N</sup> <sup>¼</sup> ½ � a mð Þ� � <sup>n</sup> <sup>1</sup> <sup>½</sup>a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>1</sup>� ¼ <sup>a</sup><sup>2</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>an � <sup>1</sup> <sup>N</sup>þ<sup>1</sup>

a ¼ 10 ) m ¼ 3903495944393227747674630402410354812189021818113,

When a is small, this method becomes computationally unfeasible.

12. Overmars factorization using smooth factors

<sup>2</sup> � ð Þ an

<sup>2</sup> � ð Þ an

P<sup>1</sup> ¼ 10ð Þþ m � n 1 ¼ 37975227936943673922808872755445627854565536638199, P<sup>2</sup> ¼ 10ð Þ� m þ n 1 ¼ 40094690950920881030683735292761468389214899724061

Consider the construction of primes (Sections 8 and 9), P ¼ a mð Þ� � n 1. More

generally, P : P ¼ a mð Þ� � n x Consider N ¼ P1P<sup>2</sup> ) 8079781 ¼ 1249 � 6469

<sup>2</sup> � <sup>2</sup>anx <sup>þ</sup> <sup>1</sup> h i

<sup>2</sup> <sup>þ</sup> <sup>2</sup>anx <sup>þ</sup> <sup>1</sup> h i

Case (1) ⊕⊝ <sup>N</sup> <sup>þ</sup> <sup>x</sup><sup>2</sup> ð Þmod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þþ � <sup>n</sup> x, P<sup>2</sup> <sup>¼</sup> a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>x</sup>

<sup>N</sup> <sup>¼</sup> ½ � a mð Þþ � <sup>n</sup> <sup>x</sup> <sup>½</sup>a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>x</sup>� ¼ <sup>a</sup><sup>2</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> � � <sup>þ</sup> <sup>2</sup>anx � <sup>x</sup><sup>2</sup>

Case (2) ⊝⊕ <sup>N</sup> <sup>þ</sup> <sup>x</sup><sup>2</sup> ð Þmod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þ� � <sup>n</sup> x, P<sup>2</sup> <sup>¼</sup> a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>x</sup>

<sup>N</sup> <sup>¼</sup> ½ � a mð Þ� � <sup>n</sup> <sup>1</sup> <sup>½</sup>a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>1</sup>� ¼ <sup>a</sup><sup>2</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> � � � <sup>2</sup>anx � <sup>x</sup><sup>2</sup>

¼ ð Þ am

¼ ð Þ am

<sup>2</sup> � ð Þ an � <sup>x</sup>

<sup>2</sup> � ð Þ an <sup>þ</sup> <sup>x</sup>

2

2

factors of N <sup>þ</sup> <sup>1</sup> <sup>¼</sup> <sup>2</sup><sup>2</sup> � �ð Þ<sup>5</sup> ð Þ<sup>7</sup> <sup>13</sup><sup>2</sup> � �ð Þ <sup>63421</sup> ð Þ <sup>83694613</sup>

factors of N � <sup>1</sup> <sup>¼</sup> ð Þ<sup>2</sup> 32 � �ð Þ <sup>210974974123</sup>

Modern Cryptography – Current Challenges and Solutions

a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>n Try a : <sup>a</sup> <sup>¼</sup> ð Þ<sup>2</sup> ð Þ<sup>5</sup> : <sup>N</sup>þ<sup>1</sup>

<sup>10</sup> <sup>¼</sup> <sup>10</sup> <sup>m</sup><sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup><sup>n</sup> <sup>¼</sup> <sup>N</sup>þ<sup>1</sup>

Case (1,2) <sup>N</sup>þx<sup>2</sup> <sup>a</sup> <sup>¼</sup> a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>nx a : a is a factor of N <sup>þ</sup> <sup>x</sup><sup>2</sup>

$$m = \frac{\sqrt{\left(am\right)^2 - N} \pm \pi}{a}, m \ge \frac{\sqrt{N + \left(a \mp \pi\right)^2}}{a}, m = \sqrt{\frac{N + \left(an \pm \pi\right)^2}{a^2}}$$

Case (3) ⊝⊝ <sup>N</sup> � <sup>x</sup><sup>2</sup> ð Þmod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þ� � <sup>n</sup> x, P<sup>2</sup> <sup>¼</sup> a mð Þ� <sup>þ</sup> <sup>n</sup> <sup>x</sup>

$$N = [a(m - n) - \varkappa][a(m + n) - \varkappa] = a^2(m^2 - n^2) - 2am\varkappa + \varkappa^2$$

$$N = (am)^2 - 2am\varkappa + \varkappa^2 - (an)^2 = (am - \varkappa)^2 - (an)^2$$

Case (4) ⊕⊕ <sup>N</sup> � <sup>x</sup><sup>2</sup> ð Þmod a<sup>2</sup> <sup>¼</sup> <sup>0</sup>, P<sup>1</sup> <sup>¼</sup> a mð Þþ � <sup>n</sup> x, P<sup>2</sup> <sup>¼</sup> a mð Þþ <sup>þ</sup> <sup>n</sup> <sup>x</sup>

$$N = [a(m - n) + \varkappa][a(m + n) + \varkappa] = a^2(m^2 - n^2) + 2am\varkappa + \varkappa^2$$

$$N = (am)^2 + 2am\varkappa + \varkappa^2 - (an)^2 = (am + \varkappa)^2 - (an)^2$$

Case (3,4) <sup>N</sup>�x<sup>2</sup> <sup>a</sup> <sup>¼</sup> a m<sup>2</sup> � <sup>n</sup><sup>2</sup> ð Þ� <sup>2</sup>mx a : a is a factor of N � <sup>x</sup><sup>2</sup>

$$m = \sqrt{\frac{(am \pm x)^2 - N}{a^2}}, m \ge \frac{\sqrt{N} \mp x^2}{a}, m = \frac{\sqrt{N + (an)^2} \pm x^2}{a}$$

$$N = [90(43 - 29) - 11][90(43 + 29) - 11] = 1249 \times 6469$$

When a smooth x can be found, larger a values allow for faster convergence to a solution. The selection of x and a is somewhat arbitrary and prime constructs are a modification of Fermat'<sup>s</sup> <sup>a</sup><sup>2</sup> � <sup>b</sup><sup>2</sup> . Smooth factors of <sup>N</sup> � <sup>x</sup><sup>2</sup> produce larger <sup>a</sup> values and convergence faster to a solution.

#### 13. Primes

The current state of the art in prime number generation is Atkin's sieve [5, 6]. The algorithm completely ignores any numbers with remainder mod 60 that is divisible by 2, 3 or 5, since numbers with a mod 60 remainder divisible by one of

these three primes are themselves divisible by that prime. Atkin stated three theorems given below:


None of the primes are divisible by 2, 3 or 5 and are not divisible by their squares (2<sup>2</sup> , 3<sup>2</sup> , and 52 ). For a thorough analysis of "primes of the Form x<sup>2</sup> + ny<sup>2</sup> " the reader is referred to a text by Cox [7].

The often overlooked works of Dubner, who is credited with the term "primorial" [8] are now considered [9, 10]. The primorial is a factorial of primes: 1# ¼ 2, 2# ¼ 2x3 ¼ 6, 3# ¼ 2x3x5 ¼ 30, 4# ¼ #3x7 ¼ 210 and so on. 0# ¼ 1. The primorial is by definition squarefree.

The nth primorial is the product of n primes, where πð Þ n is the prime counting function.

$$m\# = \prod\_{i=1}^{\pi(n)} p\_i = p\_{\pi(n)}\#$$

Using this structure, Dubner was able to create series of primes in a particular primorial.

It can be shown that the structure of primes is palindromic in the primorials [11].

For example, in Figure 1, take the discrete derivative of the numbers in the third primorial, 3#. The following palindromic sequence can be added to #3 ¼ 30 and subtracted from #4 ¼ 210 to determine all of the primes in that primorial:

30 þ 1, 10, 2, 4, 2, 4, 6, 2, 6, 4, 2, 4, 6, 6, 2, 6, 4, 2, 6, 4, 6, 8, 4, 2 210 � 1, 10, 2, 4, 2, 4, 6, 2, 6, 4, 2, 4, 6, 6, 2, 6, 4, 2, 6, 4, 6, 8, 4, 2

This describes the second table in Figure 1. All of the primes in the third primorial can be found using 24 small numbers. Mod 7 is used to sieve and eliminate composite multiples of 7. Mod 11 and 13 are used to highlight further composites, but these are kept and used to generate primes in the next primorial.

Modulo testing: P mod m <sup>¼</sup> <sup>0</sup>, Pk , <sup>m</sup> , ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð Þ <sup>k</sup> <sup>þ</sup> <sup>1</sup> # <sup>p</sup>

For <sup>k</sup> <sup>¼</sup> <sup>3</sup>, Pk : <sup>P</sup><sup>3</sup> <sup>¼</sup> <sup>5</sup>, Pkþ<sup>1</sup> : <sup>P</sup><sup>4</sup> <sup>¼</sup> <sup>7</sup>, #3 <sup>¼</sup> <sup>30</sup>, #4 <sup>¼</sup> <sup>210</sup>, ffiffiffiffiffiffiffiffi <sup>210</sup> <sup>p</sup> <sup>≈</sup>14, m ¼ 7, 11, 13, eliminate Pkþ<sup>1</sup> ¼ 7

As shown in Figure 2, 24 small numbers are used to derive 482 new values. This uses 10 modulo tests to identify composites and 1 modulo test to eliminate factors of 11 (Figure 3).

14. Number systems

Figure 1.

Figure 2.

Figure 3.

29

Primes in the 4th primorial.

Creating primes using primorials.

Survey of RSA Vulnerabilities

DOI: http://dx.doi.org/10.5772/intechopen.84852

numbering of the primorials (Table 3).

Gaps between primes of each successive primorial.

Conventional numbering systems consist of a base (or radix).

The primorial number system is said to be 'primoradic'; having a primorial base.

The primorial number system is a mixed radix numeral system adapted to the

Pn#, ΔPn�1# Current primorial and the difference between primes from the previous. Simple array descriptor provides rich prime fields of higher densities. Small numbers describe primes of higher magnitude. Large arrays of primes can be stored in much less memory.

#### Survey of RSA Vulnerabilities DOI: http://dx.doi.org/10.5772/intechopen.84852

#### Figure 1.

these three primes are themselves divisible by that prime. Atkin stated three theo-

<sup>2</sup> = n

<sup>2</sup> = n

<sup>2</sup> = n

" the reader

1. All numbers n with mod 60 remainder 1, 13, 17, 29, 37, 41, 49 or 53 are mod 4 � 1. These numbers are prime if the number of solutions to 4x<sup>2</sup> <sup>+</sup> <sup>y</sup>

2. All numbers n with mod 60 remainder 7, 19, 31 or 43 have a mod 6 � 1. These numbers are prime if and only if the number of solutions to 3x<sup>2</sup> + y

3. All numbers n with mod 60 remainder 11, 23, 47 or 59 have a mod 12 � 11. These numbers are prime if and only if the number of solutions to 3x<sup>2</sup> � <sup>y</sup>

None of the primes are divisible by 2, 3 or 5 and are not divisible by their squares

The nth primorial is the product of n primes, where πð Þ n is the prime counting

pi <sup>¼</sup> <sup>p</sup>πð Þ <sup>n</sup> #

). For a thorough analysis of "primes of the Form x<sup>2</sup> + ny<sup>2</sup>

The often overlooked works of Dubner, who is credited with the term "primorial" [8] are now considered [9, 10]. The primorial is a factorial of primes: 1# ¼ 2, 2# ¼ 2x3 ¼ 6, 3# ¼ 2x3x5 ¼ 30, 4# ¼ #3x7 ¼ 210 and so on. 0# ¼ 1. The

> π Y ð Þ n

i¼1

Using this structure, Dubner was able to create series of primes in a particular

It can be shown that the structure of primes is palindromic in the primorials [11]. For example, in Figure 1, take the discrete derivative of the numbers in the third primorial, 3#. The following palindromic sequence can be added to #3 ¼ 30 and subtracted from #4 ¼ 210 to determine all of the primes in that primorial:

30 þ 1, 10, 2, 4, 2, 4, 6, 2, 6, 4, 2, 4, 6, 6, 2, 6, 4, 2, 6, 4, 6, 8, 4, 2 210 � 1, 10, 2, 4, 2, 4, 6, 2, 6, 4, 2, 4, 6, 6, 2, 6, 4, 2, 6, 4, 6, 8, 4, 2

As shown in Figure 2, 24 small numbers are used to derive 482 new values. This uses 10 modulo tests to identify composites and 1 modulo test to eliminate factors of

Pn#, ΔPn�1# Current primorial and the difference between primes from the previous. Simple array descriptor provides rich prime fields of higher densities. Small numbers describe primes of higher magnitude. Large arrays of primes can be

ð Þ <sup>k</sup> <sup>þ</sup> <sup>1</sup> # <sup>p</sup>

210 <sup>p</sup> <sup>≈</sup>14,

This describes the second table in Figure 1. All of the primes in the third primorial can be found using 24 small numbers. Mod 7 is used to sieve and eliminate composite multiples of 7. Mod 11 and 13 are used to highlight further composites,

but these are kept and used to generate primes in the next primorial.

For <sup>k</sup> <sup>¼</sup> <sup>3</sup>, Pk : <sup>P</sup><sup>3</sup> <sup>¼</sup> <sup>5</sup>, Pkþ<sup>1</sup> : <sup>P</sup><sup>4</sup> <sup>¼</sup> <sup>7</sup>, #3 <sup>¼</sup> <sup>30</sup>, #4 <sup>¼</sup> <sup>210</sup>, ffiffiffiffiffiffiffiffi

Modulo testing: P mod m <sup>¼</sup> <sup>0</sup>, Pk , <sup>m</sup> , ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi

m ¼ 7, 11, 13, eliminate Pkþ<sup>1</sup> ¼ 7

stored in much less memory.

11 (Figure 3).

28

n# ¼

rems given below:

(2<sup>2</sup> , 3<sup>2</sup>

function.

primorial.

, and 52

is referred to a text by Cox [7].

primorial is by definition squarefree.

is odd and the number is squarefree.

Modern Cryptography – Current Challenges and Solutions

is odd and the number is squarefree.

is odd and the number is squarefree.

Creating primes using primorials.

#### Figure 2. Primes in the 4th primorial.


#### Figure 3.

Gaps between primes of each successive primorial.
