22. Conclusion

a ¼ 90: P<sup>1</sup> ¼ 30m � 11 �

Smooth candidates of the factors of $N - x^2$

N <sup>p</sup> : am �

to bound the range (Table 6). Consider $N = 23852269081$.

<sup>N</sup>þa<sup>2</sup> <sup>p</sup> �x<sup>2</sup>

60 420 4620 60060

Smooth candidates of the factors of $N - x^2$

iterations.

Table 6.


Table 5.

P1: 1 , P<sup>1</sup> , ffiffiffiffi

Here <sup>m</sup> : ffiffiffiffiffiffiffiffiffi

$\sqrt{(30m - 11)^2 - N}$

.

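| $x$ | mod 60 | mod 180 | mod 1620 | $N - x^2$ | $\pm x$ | b | a | m | n | gcd(m,n) | Smoothness |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 0 | | | $2^2 \cdot 3 \cdot 5 \cdot 311 \cdot 433$ | ⊝⊝ | | 10 | 386 | 261 | 1 | 5-smooth |
| 1 | 0 | | | $2^2 \cdot 3 \cdot 5 \cdot 311 \cdot 433$ | ⊕⊕ | | 6 | 643 | 435 | 1 | 5-smooth |
| 11 | 0 | 0 | | $2^2 \cdot 3^2 \cdot 5 \cdot 44887$ | ⊝⊝ | 3 | 90 | 43 | 29 | 1 | 5-smooth |
| 19 | 0 | | | $2^2 \cdot 3 \cdot 5 \cdot 17 \cdot 89^2$ | ⊕⊕ | 1 | 30 | 128 | 87 | 1 | 5-smooth |
| 29 | 0 | 0 | 0 | $2^2 \cdot 3^4 \cdot 5 \cdot 4987$ | ⊝⊝ | | 18 | 216 | 145 | 1 | 5-smooth |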

<sup>N</sup>þa<sup>2</sup> <sup>p</sup> �x<sup>2</sup>

<sup>¼</sup> <sup>1</sup> ) <sup>m</sup> , <sup>N</sup>þ<sup>1</sup>

Whilst this is quite a good result the first failure needs also to be taken into

This can be further bound by the Primorial. In the case of RSA numbers, the binary bits available to represent a particular prime number range can also be used

In this case, solutions using modulo testing generate good candidates to solve for $(m, n)$; however, for $a = 30030$, three of the candidates have no solution. Using sequential programming, each possible candidate is considered one after another, until the maximum $m$ value. However, using parallel programming techniques on GPUs (such as NVIDIA P100s), all of the candidates can be tested simultaneously and the processes are all terminated when one of the processes finds a solution. This is very efficient and effective in finding $P_1$, $P_2$. Once these are known, along with the public key $P_U = (N, e)$, using Euler's totient, the private key $P_R = (N, d)$ can be determined. Once the private key is known the cypher-text is no longer secure.
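The candidate search and the Euler's totient step described above, as an added example that is not code from the chapter. The function names, the scan bounds and the public exponent e = 65537 are assumptions; the values of N, a, x and m come from the text and from Tables 5 and 6.

```python
from math import gcd, isqrt

def search_candidate(N, a, x, sign, max_steps=200_000):
    """Scan m for S = a*m + sign*x such that S*S - N is a perfect square.

    S is the half-sum (P1 + P2) / 2; the square root is the half-difference.
    Returns (m, P1, P2), or None when the candidate has no solution in range.
    """
    m = max(0, (isqrt(N) - sign * x) // a)       # S must reach sqrt(N) first
    m_end = min(m + max_steps, ((N + 1) // 2 - sign * x) // a)
    while m <= m_end:
        S = a * m + sign * x
        diff = S * S - N
        if diff >= 0:
            r = isqrt(diff)
            if r * r == diff and S - r > 1:      # ignore the trivial 1 * N split
                return m, S - r, S + r
        m += 1
    return None

def first_solution(N, candidates):
    """Try (a, x, sign) candidates in turn and stop at the first hit.

    Candidates are independent, so this loop is the part a GPU runs in parallel.
    """
    for a, x, sign in candidates:
        hit = search_candidate(N, a, x, sign)
        if hit is not None:
            return (a, x, sign), hit
    return None

def private_exponent(p1, p2, e):
    """d = e^-1 mod phi(N), with phi(N) = (P1 - 1)(P2 - 1) for distinct primes."""
    phi = (p1 - 1) * (p2 - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(N)")
    return pow(e, -1, phi)

N = 8079781                   # the chapter's first example
E = 65537                     # assumed public exponent; the chapter gives none
m, P1, P2 = search_candidate(N, 30, 11, -1)      # candidate 30m - 11
D = private_exponent(P1, P2, E)

if __name__ == "__main__":
    print(f"m={m} P1={P1} P2={P2} d={D}")
    msg = 1234567             # constructed plaintext, smaller than N
    print("decrypts:", pow(pow(msg, E, N), D, N) == msg)
    # Two rows of Table 6; the sign is worked out here, the table lists none.
    print(first_solution(23852269081, [(30030, 401, +1), (210, 19, +1)]))
```

The factors fall out in a few dozen iterations here because both example moduli are tiny; the same scan over a properly generated 2048-bit modulus never gets near a hit.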

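| $x$ | mod 60 | mod 420 | mod 4620 | mod 60060 | $N - x^2$ | a | m | n | gcd(m,n) | Smoothness |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 0 | | | | $2^3 \cdot 3^2 \cdot 5 \cdot 101 \cdot 461 \cdot 1423$ | 30 | | | | 5-smooth |
| 11 | 0 | | | | $2^5 \cdot 3 \cdot 5 \cdot 13 \cdot 97 \cdot 157 \cdot 251$ | 30 | 5524 | 2002 | 2 | 5-smooth |
| 19 | 0 | 0 | | | $2^4 \cdot 3^3 \cdot 5 \cdot 7 \cdot 1577531$ | 210 | 789 | 286 | 1 | 7-smooth |
| 61 | 0 | 0 | 0 | | $2^4 \cdot 3 \cdot 5 \cdot 7 \cdot 11^3 \cdot 10667$ | 2310 | | | | 11-smooth |
| 401 | 0 | 0 | 0 | 0 | $2^3 \cdot 3 \cdot 5 \cdot 7^2 \cdot 11 \cdot 13 \cdot 19 \cdot 1493$ | 30030 | | | | 13-smooth |
| 1601 | 0 | 0 | 0 | 0 | $2^3 \cdot 3^3 \cdot 5 \cdot 7 \cdot 11 \cdot 13^2 \cdot 1697$ | 30030 | | | | 13-smooth |
| 45281 | 0 | 0 | 0 | 0 | $2^3 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 181501$ | 30030 | | | | 13-smooth |
| 45589 | 0 | 0 | 0 | 0 | $2^5 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 13 \cdot 45317$ | 30030 | 4 | 2 | 2 | 13-smooth |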

.

. Look for solutions to

<sup>a</sup> ≤ m , <sup>N</sup>�<sup>1</sup>

2a

<sup>2</sup><sup>a</sup> ≤ 123≤ m , 134663 ) 134540iterations.

.

<sup>2</sup><sup>a</sup> ) 99≤ m , 134663, 30

q

$(30m - 11)^2 - N$ which are a perfect square. In this case, $m = 129 \Rightarrow (30 \cdot 129 - 11)^2 - 8079781 = 6812100 = 2610^2$

Recall that the starting value for <sup>m</sup> : ffiffiffiffiffiffiffiffiffi

Modern Cryptography – Current Challenges and Solutions

account. This would be bound by the Primorial and

q

<sup>a</sup> ≤ m , <sup>N</sup>þ<sup>1</sup>

$\sqrt{(am)^2 - N}$

In short, RSA is secure and difficult to factorise. Conventional sequential computing machines, running in polynomial time, take an infeasible amount of CPU cycles to find factorization solutions to RSA keys. Quantum computing holds great promise and Shor's algorithm [18] demonstrates how this can be achieved. However, quantum computing is realistically still some way off. Opportunities exist using conventional computing (sequential and parallel) with better mathematical techniques. Section 18 showed how implementation vulnerabilities are introduced when "clever" low-cost (in CPU cycles) techniques are implemented. The case in point showed methods for signature identification, upon which tailored targeted attacks could be launched against infrastructure FIPS 140-2 devices, such as cryptographic routers. These sorts of attacks can be deployed in polynomial time using sequential programming techniques. In Section 20, Overmars shows how factorization can be implemented using parallel processing techniques.

There is still much to be done, and one area of further interest is a better understanding of the structure of primes. This will lead to faster prime number generating algorithms and hence faster solutions to the factorization problem. This will also lead to the generation of more robust primes that are less susceptible to factorization methods. An example of this is the use of non-Pythagorean primes. Section 5 showed how Euler's factorization could be used to attack such composite numbers. Hence a simple method to thwart this would be to use a mix of Pythagorean and Gaussian primes. Section 6 showed how small $d$ values in the RSA private key $P_R = (N, d)$ could be attacked using Wiener's method. Small $e$ values in the public key $P_U = (N, e)$ can be attacked using a combination of LLL, Coppersmith and Pohlig-Hellman (Sections 15–17). All of these attacks can be mitigated by choosing $d$ and $e$ carefully and ensuring that both are sufficiently large.

Development of quantum computing is continuing at break-neck speed; however, useful machines are yet to appear. Parallel computing, however, is here and now, and whilst factorizing RSA keys is not achievable on conventional computers in polynomial time, parallel computing has allowed for multiple solutions to be tested simultaneously. This is an area where research continues, and new algorithms such as those shown in Sections 20 and 14 lend themselves well to GPU parallel processing systems.

"There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know" [25].
