Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey
, 2007
Cited by 16 (0 self)
25 years ago, Lenstra, Lenstra and Lovasz presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature: They can either be interpreted as cryptanalytic results or as hardness/security results.
Partial key exposure attacks on RSA up to full size exponents
 Advances in Cryptology – Proceedings of Eurocrypt 2005, Lecture Notes in Computer Science 3494
, 2005
"... 1?, and Benne de Weger2? ..."
The security of the FDH variant of Chaum’s undeniable signature scheme. The full version of this paper. Available from the Cryptology ePrint Archive, http://www.iacr.org
Cited by 14 (3 self)
Abstract. In this paper, we first introduce a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes. Note that forgeability does not necessarily imply impersonation ability. We then classify the security of the FDH variant of Chaum’s undeniable signature scheme according to three dimensions, the goal of adversaries, the attacks and the ZK level of confirmation and disavowal protocols. We finally relate each security to some well-known computational problem. In particular, we prove that the security of the FDH variant of Chaum’s scheme with NIZK confirmation and disavowal protocols is equivalent to the CDH problem, as opposed to the GDH problem as claimed by Okamoto and Pointcheval.
A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers
 Advances in Cryptology – Eurocrypt 2005, Lecture Notes in Computer Science
, 2005
Cited by 10 (1 self)
Abstract. We present a new and flexible formulation of Coppersmith’s method for finding small solutions of bivariate polynomials p(x, y) over the integers. Our approach allows to maximize the bound on the solutions of p(x, y) in a purely combinatorial way. We give various construction rules for different shapes of p(x, y)’s Newton polygon. Our method has several applications. Most interestingly, we reduce the case of solving univariate polynomials f(x) modulo some composite number N of unknown factorization to the case of solving bivariate polynomials over the integers. Hence, our approach unifies both methods given by Coppersmith at Eurocrypt 1996.
Deterministic Polynomial-Time Equivalence of Computing the RSA Secret Key and Factoring
, 2006
Cited by 9 (0 self)
Abstract. We address one of the most fundamental problems concerning the RSA cryptosystem: does the knowledge of the RSA public and secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is well known that there is a probabilistic polynomial-time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial-time algorithm that factors N given (e, d) provided that e, d < ϕ(N). Our approach is an application of Coppersmith’s technique for finding small roots of univariate modular polynomials. Key words. RSA, Coppersmith’s theorem.
Progress on LLL and lattice reduction
 Proceedings LLL+25
Cited by 4 (3 self)
Abstract. We survey variants and extensions of the LLL-algorithm of Lenstra, Lenstra, Lovász, extensions to quadratic indefinite forms and to faster and stronger reduction algorithms. The LLL-algorithm with Householder orthogonalisation in floating-point arithmetic is very efficient and highly accurate. We survey approximations of the shortest lattice vector by feasible lattice reduction, in particular by block reduction, primal-dual reduction and random sampling reduction. Segment reduction performs LLL-reduction in high dimension mostly working with a few local coordinates. Keywords. LLL-reduction, Householder orthogonalisation, floating-point arithmetic, block reduction, segment reduction, primal-dual reduction, sampling reduction, reduction of indefinite quadratic forms.
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
 JOURNAL OF CRYPTOLOGY
, 2004
Cited by 3 (1 self)
We address one of the most fundamental problems concerning the RSA cryptosystem: does the knowledge of the RSA public and secret keypair (e, d) yield the factorization of N = pq in polynomial time? It is well-known that there is a probabilistic polynomial time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e, d < ϕ(N). Our approach is an application of Coppersmith's technique for finding small roots of univariate modular polynomials.
Common Modulus Attacks on Small Private Exponent RSA and Some Fast Variants (in Practice)
, 2009
Cited by 1 (0 self)
Abstract. In this work we re-examine two common modulus attacks on RSA. First, we show that Guo’s continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus N and private exponents each smaller than N^0.33 the attack can factor the modulus about 93 % of the time in practice. The success rate of the attack can be increased up to almost 100 % by including a relatively small exhaustive search. Next, we consider Howgrave-Graham and Seifert’s lattice-based attack and show that a second necessary condition for the attack exists that limits the bounds (beyond the original bounds) once n ≥ 7 instances of RSA are used. In particular, by construction, the attack can only succeed when the private exponents are each smaller than N^(0.5−ɛ), given sufficiently many instances, instead of the original bound of N^(1−ɛ). In addition, we also consider the effectiveness of the attacks when mounted against multi-prime RSA and Takagi’s variant of RSA. For multi-prime RSA, we show three (or more) instances with a common modulus and private exponents smaller than N^(1/3−ɛ) is unsafe. For Takagi’s variant, we show that three or more instances with a common modulus N = p^r q is unsafe when all the private exponents are smaller than N^(2/(3(r+1))−ɛ). The results, for both variants, are obtained using Guo’s method and are successful almost always with the inclusion of a small exhaustive search. When only two instances are available, Howgrave-Graham and Seifert’s attack can be mounted on multi-prime RSA when the private exponents are smaller than N^((3+r)/7r−ɛ) when there are r primes in the modulus. Keywords: RSA, common modulus attack, multi-prime RSA, Takagi’s variant, small exponent RSA.
Use of Sparse and/or Complex Exponents in Batch Verification of Exponentiations
, 2005
Cited by 1 (0 self)
Modular exponentiation in an abelian group is one of the most frequently used mathematical primitives in modern cryptography.
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
Abstract. Let N = pq be the product of two large primes. Consider CRT-RSA with the public encryption exponent e and private decryption exponents dp, dq. It is well known that given any one of dp or dq (or both) one can factorize N in probabilistic poly(log N) time with success probability almost equal to 1. Though this serves all the practical purposes, from theoretical point of view, this is not a deterministic polynomial time algorithm. In this paper, we present a lattice based deterministic poly(log N) time algorithm that uses both dp, dq (in addition to the public information e, N) to factorize N for certain ranges of dp, dq. We like to stress that proving the equivalence for all the values of dp, dq may be a nontrivial task. Keywords: CRT-RSA, Cryptanalysis, Factorization, LLL Algorithm, RSA.