Results 1 - 9 of 9
Partial key exposure attacks on RSA up to full size exponents
- Advances in Cryptology - Proceedings of Eurocrypt 2005, Lecture Notes in Computer Science 3494, 2005
"... 1?, and Benne de Weger2? ..."
The Security of the FDH Variant of Chaum's Undeniable Signature Scheme
- Proc of PKC 2005, Springer LNCS, 2005
Cited by 11 (2 self)
In this paper, we first introduce a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes. Note that forgeability does not necessarily imply impersonation ability. We then classify the security of the FDH variant of Chaum's undeniable signature scheme according to three dimensions, the goal of adversaries, the attacks and the ZK level of confirmation and disavowal protocols. We finally relate each security to some well-known computational problem. In particular, we prove...
Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey
- 2007
Cited by 10 (0 self)
25 years ago, Lenstra, Lenstra and Lovász presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature: They can either be interpreted as cryptanalytic results or as hardness/security results.
A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers
- PROCEEDINGS OF EUROCRYPT 2005, LNCS 3494, 2005
Cited by 7 (1 self)
We present a new and flexible formulation of Coppersmith's method for finding small solutions of bivariate polynomials p(x, y) over the integers. Our approach allows to maximize the bound on the solutions of p(x, y) in a purely combinatorial way. We give various construction rules for different shapes of p(x, y)'s Newton polygon. Our method has several applications. Most interestingly, we reduce the case of solving univariate polynomials f(x) modulo some composite number N of unknown factorization to the case of solving bivariate polynomials over the integers. Hence, our approach unifies both methods given by Coppersmith at Eurocrypt 1996.
Deterministic Polynomial-Time Equivalence of Computing the RSA Secret Key and Factoring
- 2006
Cited by 6 (0 self)
Abstract. We address one of the most fundamental problems concerning the RSA cryptosystem: does the knowledge of the RSA public and secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is well known that there is a probabilistic polynomial-time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial-time algorithm that factors N given (e, d) provided that e, d < ϕ(N). Our approach is an application of Coppersmith’s technique for finding small roots of univariate modular polynomials. Key words. RSA, Coppersmith’s theorem.
Progress on LLL and lattice reduction
- Proceedings LLL+25
Cited by 4 (3 self)
Abstract. We survey variants and extensions of the LLL-algorithm of Lenstra, Lenstra, Lovász, extensions to quadratic indefinite forms and to faster and stronger reduction algorithms. The LLL-algorithm with Householder orthogonalisation in floating-point arithmetic is very efficient and highly accurate. We survey approximations of the shortest lattice vector by feasible lattice reduction, in particular by block reduction, primal-dual reduction and random sampling reduction. Segment reduction performs LLL-reduction in high dimension mostly working with a few local coordinates. Keywords. LLL-reduction, Householder orthogonalisation, floating-point arithmetic, block reduction, segment reduction, primal-dual reduction, sampling reduction, reduction of indefinite quadratic forms.
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
- JOURNAL OF CRYPTOLOGY, 2004
Cited by 2 (1 self)
We address one of the most fundamental problems concerning the RSA cryptosystem: does the knowledge of the RSA public and secret key-pair (e, d) yield the factorization of N = pq in polynomial time? It is well-known that there is a probabilistic polynomial time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e, d < ϕ(N). Our approach is an application of Coppersmith's technique for finding small roots of univariate modular polynomials.
Common Modulus Attacks on Small Private Exponent RSA and Some Fast Variants (in Practice)
- 2009
Abstract. In this work we re-examine two common modulus attacks on RSA. First, we show that Guo’s continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus N and private exponents each smaller than N^0.33 the attack can factor the modulus about 93 % of the time in practice. The success rate of the attack can be increased up to almost 100 % by including a relatively small exhaustive search. Next, we consider Howgrave-Graham and Seifert’s lattice-based attack and show that a second necessary condition for the attack exists that limits the bounds (beyond the original bounds) once n ≥ 7 instances of RSA are used. In particular, by construction, the attack can only succeed when the private exponents are each smaller than N^(0.5−ε), given sufficiently many instances, instead of the original bound of N^(1−ε). In addition, we also consider the effectiveness of the attacks when mounted against multi-prime RSA and Takagi’s variant of RSA. For multi-prime RSA, we show three (or more) instances with a common modulus and private exponents smaller than N^(1/3−ε) is unsafe. For Takagi’s variant, we show that three or more instances with a common modulus N = p^r q is unsafe when all the private exponents are smaller than N^(2/(3(r+1))−ε). The results, for both variants, are obtained using Guo’s method and are successful almost always with the inclusion of a small exhaustive search. When only two instances are available, Howgrave-Graham and Seifert’s attack can be mounted on multi-prime RSA when the private exponents are smaller than N^((3+r)/7r−ε) when there are r primes in the modulus. Keywords: RSA, common modulus attack, multi-prime RSA, Takagi’s variant, small exponent RSA.
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
Abstract. Let N = pq be the product of two large primes. Consider CRT-RSA with the public encryption exponent e and private decryption exponents dp, dq. It is well known that given any one of dp or dq (or both) one can factorize N in probabilistic poly(log N) time with success probability almost equal to 1. Though this serves all the practical purposes, from theoretical point of view, this is not a deterministic polynomial time algorithm. In this paper, we present a lattice based deterministic poly(log N) time algorithm that uses both dp, dq (in addition to the public information e, N) to factorize N for certain ranges of dp, dq. We like to stress that proving the equivalence for all the values of dp, dq may be a nontrivial task. Keywords: CRT-RSA, Cryptanalysis, Factorization, LLL Algorithm, RSA.

