Results 1 - 6 of 6
Solving simultaneous modular equations of low degree
 SIAM J. of Computing, 1988
Cited by 78 (0 self)
Abstract: We consider the problem of solving systems of equations $P_i(x) \equiv 0 \pmod{n_i}$, $i = 1, \ldots, k$, where $P_i$ are polynomials of degree $d$ and the $n_i$ are distinct relatively prime numbers and $x < \min(n_i)$. We prove that if $k > d(d+1)/2$ we can recover $x$ in polynomial time provided $\min(n_i) > 2^{d^2}$. As a consequence the RSA cryptosystem used with a small exponent is not a good choice to use as a public key cryptosystem in a large network. We also show that a protocol by Broder and Dolev [4] is insecure if RSA with a small exponent is used. Warning: Essentially this paper has been published in SIAM Journal on Computing and is hence subject to copyright restrictions. It is for personal use only.
Approximate integer common divisors
 CaLC 2001, LNCS, 2001
Cited by 24 (1 self)
Abstract. We show that recent results of Coppersmith, Boneh, Durfee and Howgrave-Graham actually apply in the more general setting of (partially) approximate common divisors. This leads us to consider the question of “fully” approximate common divisors, i.e. where both integers are only known by approximations. We explain the lattice techniques in both the partial and general cases. As an application of the partial approximate common divisor algorithm we show that a cryptosystem proposed by Okamoto actually leaks the private information directly from the public information in polynomial time. In contrast to the partial setting, our technique with respect to the general setting can only be considered heuristic, since we encounter the same “proof of algebraic independence” problem as a subset of the above authors have in previous papers. This problem is generally considered a (hard) problem in lattice theory, since in our case, as in previous cases, the method still works extremely reliably in practice; indeed no counterexamples have been obtained. The results in both the partial and general settings are far stronger than might be supposed from a continued-fraction standpoint (the way in which the problems were attacked in the past), and the determinant calculations admit a reasonably neat analysis. Keywords: Greatest common divisor, approximations, Coppersmith’s method, continued fractions, lattice attacks.
Divisors in Residue Classes, Constructively
 URL: http://eprint.iacr.org/2004/339, 2004
Cited by 4 (0 self)
Let r, s, n be integers satisfying 0 , # > 1/4, and gcd(r, s) = 1. Lenstra showed that the number of integer divisors of n equivalent to r (mod s) is upper bounded by O((# 1/4) 2 ).
Cryptanalysis of NTRU
 1999
Cited by 4 (0 self)
We present new results on the cryptanalysis of the NTRU Cryptosystem by lattice reduction. The new lattices have smaller dimension than those used in former attacks. In addition, they take advantage of the special structure of NTRU secret keys. A certain class of NTRU keys is especially suitable for these attacks, although the new methods apply to all keys. With these lattices, some instances of NTRU for medium security level can be broken in less than 1 hour. Further, weak keys can be broken for high security levels. Keywords: NTRU, lattice reduction, SVP, polynomial ring. 1 Introduction The NTRU Cryptosystem was first presented by J. Hoffstein, J. Pipher and J.H. Silverman in '96 [3]. It is a ring-based cryptosystem operating in the polynomial ring $\mathbb{Z}_q[X]/(X^n - 1)$ where $n$ is the security parameter. NTRU has achieved considerable attention because of its encryption and decryption speed and the easiness of creating public-key/secret-key pairs, which makes it practical to ...
Cryptanalysis of RSA-type cryptosystem: A visit
 Theoretical Computer Science, 1998
Cited by 3 (0 self)
ABSTRACT. This paper surveys RSA-type implementations based on Lucas sequences and on elliptic curves. The main focus is the way how some known attacks on RSA were extended to LUC, KMOV and Demytko’s system. It also gives some directions for the choice of the most appropriate RSA-type system for a given application.
A NEW ALGORITHM TO SEARCH FOR SMALL NONZERO $x^3 - y^2$ VALUES
Abstract. In relation to Hall’s conjecture, a new algorithm is presented to search for small nonzero $k = x^3 - y^2$ values. Seventeen new values of $k < x^{1/2}$ are reported. 1. Hall’s conjecture Dealing with natural numbers, the difference (1.1) $k = x^3 - y^2$ is zero when $x = t^2$ and $y = t^3$ but, in other cases, it seems difficult to achieve small absolute values. For a given $k \neq 0$, (1.1), known as Mordell’s equation, is an elliptic curve and has only finitely many solutions in integers by Siegel’s theorem. Therefore, for any nonzero $k$ value, there are only finitely many solutions in $x$ (which is hence bounded). There is a proven lower bound, due to A. Baker [1] and improved by H. M. Stark [14], that places the size of $k$ above the order of $\log^c(x)$ for any $c < 1$. A bound concerning the minimal growth rate of $k$ was found early by M. Hall [2, 7] by means of a parametric family of the form (1.2) f(t) = t 9 (t9 +6t 6 +15t 3 + 12), g(t) = t15 27 + t12 +4t9 +8t6 3 f 3 (t) − g2 (t) = − 3t6 +14t3+27