@@ -7,15 +7,50 @@ expansions whenever a good estimate of the fraction $\frac{e}{N}$ is known.
More specifically, given $d < \frac{1}{3} ^{4}\sqrt{N}$ one can efficiently
recover $d$ only knowing $\angular{N, e}$.
 
-\section{A small digression into continued fractions \label{sec:wiener:cf}}
+The scandalous implication behind Wiener's attack is that, even if there are
+situations where having a small private exponent may be
+particularly tempting with respect to performance (for example, a smart card
+communication with a computer), they represent a threat to the security of the
+cipher.
+Fortunately, ~\cite{wiener} \S 6 presents a couple of precautions that make a
+RSA key-pair immune to this attack, namely
+(i) making $e > \sqrt{N}$ and
+(ii) $gcd(p-1, q-1)$ large.
 
-\section{The actual attack}
+\section{Continued Fractions background \label{sec:wiener:cf}}
+
+Let us call ``continued fraction'' any expression of the form:
+%% why \cfrac sucks this much. |-------------------------|
+$$
+a_0 + \frac{1}{a_1
+ + \frac{1}{a_2
+ + \frac{1}{a_3
+ + \frac{1}{a_4 + \ldots}}}}
+$$
+hereby described as a series for convenience:
+$\angular{a_0, a_1, a_2, a_3, \ \ldots, a_n}$.
+Any floating point number $x$ can be represented as a continued fraction, and
+for each $i < n$ there exists fraction $\rfrac{h_i}{k_i}$ approximating $x$.
+By definition, each new approximation is recursively defined as:
+$$
+
+ a_{-1} = 0 \quad
+ a_i = h_i // k_i
+
+ h_{-1} = 1 \quad h_{-2} = 0 \quad
+ h_i = a_i h_{i-1} + h_{i-2}
 
+ k_{-1} = 0 \quad k_{-2} = 1 \quad
+ k_i = a_i k_{i-1} + k_{i-2}
+$$
+
+
+\section{The actual attack}
 
-As we saw in ~\ref{sec:preq:rsa}, by contruction the two exponents are such that
+As we saw in ~\ref{sec:preq:rsa}, by construction the two exponents are such that
$ed \equiv 1 \pmod{\varphi(N)}$. This implies that there exists a
$k \in \naturalN \mid ed = k\varphi(N) + 1$. This can be formalized to be
-the same problem we saw in ~\ref{sec:wiener:cf}:
+the same problem we formalized in ~\ref{sec:wiener:cf}:
\begin{align*}
ed = k\varphi(N) + 1 \\
\abs{\frac{ed - k\eulerphi{N}}{d\eulerphi{N}}} = \frac{1}{d\eulerphi{N}} \\
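Review bot: the recursive definition in the `$$ ... $$` display of the new continued-fractions section will not compile as added, because the empty `+` lines inside it are blank lines in math mode, which TeX rejects with "Missing $ inserted"; either drop them or switch the display to `align*`, which the attack section below already uses. In the same display, `a_i = h_i // k_i` is circular (`h_i` and `k_i` are defined from `a_i` two lines later) and `//` is not TeX notation; define the partial quotient as the integer part of the current complete quotient, e.g. `a_i = \lfloor x_i \rfloor` with `x_{i+1} = 1/(x_i - a_i)`, and remove the unused `a_{-1} = 0`. Smaller points: "floating point number $x$" should be "real number $x$" (floats are rationals, whose expansions terminate), "series" should be "sequence", `$gcd(p-1, q-1)$` should use `\gcd`, "a RSA key-pair" should read "an RSA key-pair", the ties in `Fortunately, ~\cite{wiener}` and `in ~\ref{sec:preq:rsa}` belong directly after the preceding word (`in~\ref{...}`) or they print a spurious space, and the context line `\frac{1}{3} ^{4}\sqrt{N}` should be `\frac{1}{3}\sqrt[4]{N}` for the fourth root.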