Results 1 - 10 of 55
Cryptanalysis of RSA with Private Key d Less Than N^0.292
IEEE Transactions on Information Theory, 2000
Cited by 116 (5 self)
We show that if the private exponent d used in the RSA public-key cryptosystem is less than N^0.292 then the system is insecure. This is the first improvement over an old result of Wiener showing that when d is less than N^0.25 the RSA system is insecure. We hope our approach can be used to eventually improve the bound to d less than N^0.5.
The Two Faces of Lattices in Cryptology
2001
Cited by 69 (16 self)
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
Lattice attacks on digital signature schemes
Designs, Codes and Cryptography, 1999
Cited by 37 (7 self)
digital signatures, lattices. © Copyright Hewlett-Packard Company 1999. We describe a lattice attack on the Digital Signature Algorithm (DSA) when used to sign many messages, m_i, under the assumption that a proportion of the bits of each of the associated ephemeral keys, y_i, can be recovered by alternative techniques.
Lattice Reduction in Cryptology: An Update
Lect. Notes in Comp. Sci, 2000
Cited by 36 (7 self)
Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.
Exposing an RSA Private Key Given a Small Fraction of its Bits
1998
Cited by 22 (0 self)
We show that for low public exponent RSA, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for larger values of e. For instance, when e is a prime in the range [N^(1/4), N^(1/2)], half the bits of the private key suffice to reconstruct the entire private key. Our results point out the danger of partial key exposure in the RSA public key system.
Low Secret Exponent RSA Revisited
2001
Cited by 21 (0 self)
We present a lattice attack on low exponent RSA with short secret exponent d = N^x for every x < 0.265. Our method as well as the method by Boneh and Durfee is a heuristic, since the method is based on Coppersmith's approach for bivariate polynomials. Coppersmith [6] pointed out that this heuristic must fail in some cases. We argue in this paper that a (practically not interesting) variant of the Boneh/Durfee attack proposed in [4] always fails. Many authors have already stressed the necessity for rigorous proofs of Coppersmith's method in the multivariate case. This is even more evident in light of these results...
Hedged public-key encryption: How to protect against bad randomness. IACR ePrint Archive, 2009. Full Version of this paper
Cited by 20 (10 self)
Public-key encryption schemes rely for their IND-CPA security on per-message fresh randomness. In practice, randomness may be of poor quality for a variety of reasons, leading to failure of the schemes. Expecting the systems to improve is unrealistic. What we show in this paper is that we can, instead, improve the cryptography to offset the lack of possible randomness. We provide public-key encryption schemes that achieve IND-CPA security when the randomness they use is of high quality, but, when the latter is not the case, rather than breaking completely, they achieve a weaker but still useful notion of security that we call IND-CDA. This hedged public-key encryption provides the best possible security guarantees in the face of bad randomness. We provide simple RO-based ways to make in-practice IND-CPA schemes hedge secure with minimal software changes. We also provide non-RO model schemes relying on lossy trapdoor functions (LTDFs) and techniques from deterministic encryption. They achieve adaptive security by establishing and exploiting the anonymity of LTDFs which we believe is of independent interest.
A hybrid lattice-reduction and meet-in-the-middle attack against NTRU
2007
Cited by 17 (2 self)
To date the NTRUEncrypt security parameters have been based on the existence of two types of attack: a meet-in-the-middle attack due to Odlyzko, and a conservative extrapolation of the running times of the best (known) lattice reduction schemes to recover the private key. We show that there is in fact a continuum of more efficient attacks between these two attacks. We show that by combining lattice reduction and a meet-in-the-middle strategy one can reduce the number of loops in attacking the NTRUEncrypt private key from 2^84.2 to 2^60.3, for the k = 80 parameter set. In practice the attack is still expensive (dependent on one's choice of cost-metric), although there are certain space/time tradeoffs that can be applied. Asymptotically our attack remains exponential in the security parameter k, but it dictates that NTRUEncrypt parameters must be chosen so that the meet-in-the-middle attack has complexity 2^k even after an initial lattice basis reduction of complexity 2^k.