Abstract: We consider the problem of solving systems of equations Pi(x) 0 (mod ni) i = 1:::k where Pi are polynomials of degree d and the ni are distinct relatively prime numbers and x < min(ni). We prove that if k> d(d+1) we can recover x in polynomial 2 time provided min(ni)> 2d2. As a consequence the RSA cryptosystem used with a small exponent is not a good choice to use as a public key cryptosystem in a large network. We also show that a protocol by Broder and Dolev [4] is insecure if RSA with a small exponent is used. Warning: Essentially this paper has been published in SIAM Journal on Computing and is hence subject to copyright restrictions. It is for personal use only. 1.

Abstract. We show that recent results of Coppersmith, Boneh, Durfee and Howgrave-Graham actually apply in the more general setting of (partially) approximate common divisors. This leads us to consider the question of “fully ” approximate common divisors, i.e. where both integers are only known by approximations. We explain the lattice techniques in both the partial and general cases. As an application of the partial approximate common divisor algorithm we show that a cryptosystem proposed by Okamoto actually leaks the private information directly from the public information in polynomial time. In contrast to the partial setting, our technique with respect to the general setting can only be considered heuristic, since we encounter the same “proof of algebraic independence ” problem as a subset of the above authors have in previous papers. This problem is generally considered a (hard) problem in lattice theory, since in our case, as in previous cases, the method still works extremely reliably in practice; indeed no counter examples have been obtained. The results in both the partial and general settings are far stronger than might be supposed from a continued-fraction standpoint (the way in which the problems were attacked in the past), and the determinant calculations admit a reasonably neat analysis. Keywords: Greatest common divisor, approximations, Coppersmith’s method, continued fractions, lattice attacks.

. We present new results on the cryptanalysis of the NTRU Cryptosystem by lattice reduction. The new lattices have smaller dimension than those used in former attacks. In addition, they take advantage of the special structure of NTRU secret keys. A certain class of NTRU keys is especially suitable for these attacks, although the new methods apply to all keys. With these lattices, some instances of NTRU for medium security level can be broken in less than 1 hour. Further, weak keys can be broken for high security levels. Keywords: NTRU, lattice reduction, SVP, polynomial ring. 1 Introduction The NTRU Cryptosystem was first presented by J. Hoffstein, J. Pipher and J.H. Silverman in '96 [3]. It is a ring-based cryptosystem operating in the polynomial ring ZZ q [X ]=(X n \Gamma 1) where n is the security parameter. NTRU has achieved considerable attention because of its encryption and decryption speed and the easyness of creating public-key/secret-key pairs, which makes it practical to ...

Let r, s, n be integers satisfying 0 , # > 1/4, and gcd(r, s) = 1. Lenstra showed that the number of integer divisors of n equivalent to r (mod s) is upper bounded by O((# 1/4) -2 ).