Generalised Cycling Attacks on RSA
Abstract
Given an RSA modulus $n$, a ciphertext $c$ and the encryption exponent $e$, one can construct the sequence $x_0 = c \bmod n$, $x_{i+1} = x_i^e \bmod n$, $i = 0, 1, \ldots$ until $\gcd(x_{i+1} - x_0, n) \neq 1$ or $i > B$, $B$ a given boundary. If $i \le B$, there are two cases. Case 1: $\gcd(x_{i+1} - x_0, n) = n$. In this case $x_i = m$ and the secret message $m$ can be recovered. Case 2: $1 \neq \gcd(x_{i+1} - x_0, n) \neq n$. In this case, the RSA modulus $n$ can be factorised. If $i \le B$, then Case 2 is much more likely to occur than Case 1. This attack is called a cycling attack. We introduce some new generalised cycling attacks. These attacks work without the knowledge of $e$ and $c$. Therefore, these attacks can be used as factorisation algorithms. We introduce Lucas sequences $V(P, 1)$, the Carmichael function $\lambda(\cdot)$ and we define the $\Omega(\cdot,\cdot)$ function. The attacks involve Lucas sequences. The Carmichael and the Omega functions then describe an upper bound of the complexity of the attacks. We also translate these attacks to elliptic curves. For this case we call these attacks EC generalised cycling attacks.

1 Preliminaries

The reader is assumed to be familiar with the RSA cryptosystem, [RivShaAdl78]. We briefly reintroduce Lucas sequences and elliptic curves. Throughout this paper we will use the following notations. If $x_0, x_1, x_2, \ldots$ is a sequence of elements, then $\{X\}$ will denote the whole sequence. If the elements are taken modulo a certain number, say $p$, and the sequence is periodic, then we will denote its period by $\{X\},p$. We write $a \mid b$ for $a$ divides $b$; note that $a = b$ is still possible. $(a/n)$ denotes the Legendre or Jacobi symbol if $n$ is prime or composite, respectively.

1.1 The Carmichael and Omega Function

We will make use of the Carmichael and Omega functions $\lambda(\cdot)$ and $\Omega(\cdot,\cdot)$, respectively. $\lambda(\cdot)$ is defined as follows (see, for example, [Riesel85]):
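
The basic cycling attack from the abstract, as an added Python example that is not code from the paper: the names `cycling_attack`, `period_mod_prime` and `demo`, and the toy key n = 5 · 7 with plaintext 2, are constructed for illustration. It shows that Case 1 occurs when the ciphertext's cycle lengths modulo the two primes are equal, and Case 2 when they differ.

```python
from math import gcd

def cycling_attack(n, e, c, bound):
    """Iterate x_{i+1} = x_i^e mod n from x_0 = c, as in the abstract.

    Returns (case, i, value):
      case 1 -> value is the plaintext m = x_i   (gcd equals n)
      case 2 -> value is a proper factor of n    (1 < gcd < n)
      case 0 -> i exceeded the bound B, nothing learned
    """
    x0 = c % n
    x = x0
    for i in range(bound + 1):
        nxt = pow(x, e, n)
        g = gcd(nxt - x0, n)      # gcd(0, n) == n, which is Case 1
        if g == n:
            return 1, i, x
        if g != 1:
            return 2, i, g
        x = nxt
    return 0, bound, None

def period_mod_prime(c, e, p):
    """Smallest k >= 1 with c^(e^k) = c (mod p); assumes gcd(e, p - 1) = 1."""
    x, k = pow(c, e, p), 1
    while x != c % p:
        x, k = pow(x, e, p), k + 1
    return k

# Constructed toy key (not from the paper); far too small for real use.
P, Q = 5, 7
N = P * Q
M = 2  # constructed plaintext

def demo(e):
    """Run the attack on c = M^e mod N and report the per-prime cycle lengths."""
    c = pow(M, e, N)
    periods = (period_mod_prime(c, e, P), period_mod_prime(c, e, Q))
    return cycling_attack(N, e, c, bound=N), periods

if __name__ == "__main__":
    for e in (5, 11):
        print("e =", e, "->", demo(e))
```

With e = 5 the cycle lengths are 1 and 2, so the gcd isolates the prime with the shorter cycle; with e = 11 both are 2 and the sequence closes modulo both primes at once, returning the plaintext.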
Similar resources
How to choose secret parameters for RSA and its extensions to elliptic curves
Recently, and contrary to the common belief, Rivest and Silverman argued that the use of strong primes is unnecessary in the RSA cryptosystem. This paper analyzes how valid this assertion is for RSA and its extensions to elliptic curves. Over elliptic curves, the analysis is more difficult because the underlying groups are not always cyclic. Previous papers suggested the use of strong primes in...
How to choose secret parameters for RSA-type cryptosystems over
Recently, and contrary to the common belief, Rivest and Silverman argued that the use of strong primes is unnecessary in the RSA cryptosystem. This paper analyzes how valid this assertion is for RSA-type cryptosystems over elliptic curves. The analysis is more difficult because the underlying groups are not always cyclic. Previous papers suggested the use of strong primes in order to prevent fact...
Are 'Strong' Primes Needed for RSA
We review the arguments in favor of using so-called strong primes in the RSA public key cryptosystem. There are two types of such arguments: those that say that strong primes are needed to protect against factoring attacks, and those that say that strong primes are needed to protect against cycling attacks based on repeated encryption. We argue that, contrary to common belief, it is unnecessary to us...
New Partial Key Exposure Attacks on RSA Revisited
At CRYPTO 2003, Blömer and May presented new partial key exposure attacks against RSA. These were the first known polynomial-time partial key exposure attacks against RSA with public exponent e > N . Attacks for known most significant bits and known least significant bits were presented. In this work, we extend their attacks to multi-prime RSA. For r-prime RSA, these result in the first known p...
Mathematical Attacks on RSA Cryptosystem
In this paper some of the most common attacks against the Rivest, Shamir, and Adleman (RSA) cryptosystem are presented. We describe the integer factoring attacks, attacks on the underlying mathematical function, as well as attacks that exploit details in implementations of the algorithm. Algorithms for each type of attack are developed and analyzed by their complexity, memory requirements and area...
Publication date: 2007