Results 1  10
of
25
Solving linear equations modulo divisors: On factoring given any bits
 In Advances in Cryptology  Asiacrypt 2008, volume 5350 of LNCS
, 2008
"... Abstract. We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is factorization of N with given bits of p. It is wellknown that this problem is polynomialtime solvable if at most half of ..."
Abstract

Cited by 25 (0 self)
 Add to MetaCart
Abstract. We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is factorization of N with given bits of p. It is wellknown that this problem is polynomialtime solvable if at most half of the bits of p are unknown and if the unknown bits are located in one consecutive block. We introduce an heuristic algorithm that extends factoring with known bits to an arbitrary number n of blocks. Surprisingly, we are able to show that ln(2) ≈ 70 % of the bits are sufficient for any n in order to find the factorization. The algorithm’s running time is however exponential in the parameter n. Thus, our algorithm is polynomial time only for n = O(log logN) blocks.
Using LLLReduction for Solving RSA and Factorization Problems: A Survey
, 2007
"... 25 years ago, Lenstra, Lenstra and Lovasz presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method ..."
Abstract

Cited by 23 (0 self)
 Add to MetaCart
25 years ago, Lenstra, Lenstra and Lovasz presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature: They can either be interpreted as cryptanalytic results or as hardness/security results.
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
, 2004
"... We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/ secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is wellknown that there is a probabilistic polynomial time algorithm that on input (N, e, d) ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/ secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is wellknown that there is a probabilistic polynomial time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e, d #(N) and that the factors p, q are of the same bitsize. Our approach is an application of Coppersmith's technique for finding small roots of bivariate integer polynomials.
A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers
 Advances in Cryptology – Eurocrypt 2005, Lecture Notes in Computer Science
, 2005
"... Abstract. We present a new and flexible formulation of Coppersmith’s method for finding small solutions of bivariate polynomials p(x, y) over the integers. Our approach allows to maximize the bound on the solutions of p(x, y) in a purely combinatorial way. We give various construction rules for diff ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We present a new and flexible formulation of Coppersmith’s method for finding small solutions of bivariate polynomials p(x, y) over the integers. Our approach allows to maximize the bound on the solutions of p(x, y) in a purely combinatorial way. We give various construction rules for different shapes of p(x, y)’s Newton polygon. Our method has several applications. Most interestingly, we reduce the case of solving univariate polynomials f(x) modulo some composite number N of unknown factorization to the case of solving bivariate polynomials over the integers. Hence, our approach unifies both methods given by Coppersmith at Eurocrypt 1996.
RSA Moduli with a Predetermined Portion: Techniques and Applications
 PROC. INFORMATION SECURITY PRACTICE AND EXPERIENCE CONF
, 2008
"... This paper discusses methods for generating RSA moduli with a predetermined portion. Predetermining a portion enables to represent RSA moduli in a compressed way, which gives rise to reduced transmission and storage requirements. The first method described in this paper achieves the compression ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
This paper discusses methods for generating RSA moduli with a predetermined portion. Predetermining a portion enables to represent RSA moduli in a compressed way, which gives rise to reduced transmission and storage requirements. The first method described in this paper achieves the compression rate of known methods but is fully compatible with the fastest prime generation algorithms available on constrained devices. This is useful for devising a key escrow mechanism when RSA keys are generated onboard by tamperresistant devices like smart cards. The second method in this paper is a compression technique yielding a compression rate of about 2/3 instead of 1/2. This results in higher savings in both transmission and storage of RSA moduli. In a typical application, a 2048bit RSA modulus can fit on only 86 bytes (instead of 256 bytes for the regular representation). Of independent interest, the methods for prescribing bits in RSA moduli can be used to reduce the computational burden in a variety of cryptosystems.
Toward a rigorous variation of Coppersmith’s algorithm on three variables
 Advances in Cryptology – Eurocrypt 2007, Lecture Notes in Computer Science
"... Abstract. In 1996, Coppersmith introduced two lattice reduction based techniques to find small roots in polynomial equations. One technique works for modular univariate polynomials, the other for bivariate polynomials over the integers. Since then, these methods have been used in a huge variety of ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. In 1996, Coppersmith introduced two lattice reduction based techniques to find small roots in polynomial equations. One technique works for modular univariate polynomials, the other for bivariate polynomials over the integers. Since then, these methods have been used in a huge variety of cryptanalytic applications. Some applications also use extensions of Coppersmith’s techniques on more variables. However, these extensions are heuristic methods. In the present paper, we present and analyze a new variation of Coppersmith’s algorithm on three variables over the integers. We also study the applicability of our method to short RSA exponents attacks. In addition to lattice reduction techniques, our method also uses Gröbner bases computations. Moreover, at least in principle, it can be generalized to four or more variables.
On the Security of Multiprime RSA
, 2006
"... Abstract. In this work we collect the strongest known algebraic attacks on multiprime RSA. These include factoring, small private exponent, small CRT exponent and partial key exposure attacks. Five of the attacks are new. A new variant of partial key exposure attacks is also introduced which applie ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
Abstract. In this work we collect the strongest known algebraic attacks on multiprime RSA. These include factoring, small private exponent, small CRT exponent and partial key exposure attacks. Five of the attacks are new. A new variant of partial key exposure attacks is also introduced which applies only to multiprime RSA with more than two primes. 1
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate
 Polynomial Congruences, in "PKC 2014  17th IACR International Conference on Practice and Theory of PublicKey Cryptography", Buenos Aires
"... Abstract. In a seminal work at EUROCRYPT '96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in publickey cryptanalysis and in a few security proofs. However, the running time of the algorithm is a high ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In a seminal work at EUROCRYPT '96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in publickey cryptanalysis and in a few security proofs. However, the running time of the algorithm is a highdegree polynomial, which limits experiments: the bottleneck is an LLL reduction of a highdimensional matrix with extralarge coefficients. We present in this paper the first significant speedups over Coppersmith's algorithm. The first speedup is based on a special property of the matrices used by Coppersmith's algorithm, which allows us to provably speed up the LLL reduction by rounding, and which can also be used to improve the complexity analysis of Coppersmith's original algorithm. The exact speedup depends on the LLL algorithm used: for instance, the speedup is asymptotically quadratic in the bitsize of the smallroot bound if one uses the NguyenStehlé L2 algorithm. The second speedup is heuristic and applies whenever one wants to enlarge the root size of Coppersmith's algorithm by exhaustive search. Instead of performing several LLL reductions independently, we exploit hidden relationships between these matrices so that the LLL reductions can be somewhat chained to decrease the global running time. When both speedups are combined, the new algorithm is in practice hundreds of times faster for typical parameters.
Another Look at Small RSA Exponents
"... Abstract. In this work we consider a variant of RSA whose public and private exponents can be chosen significantly smaller than in typical RSA. In particular, we show that it is possible to have private exponents smaller than N 1/4 which are resistant to all known small private exponent attacks. Thi ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In this work we consider a variant of RSA whose public and private exponents can be chosen significantly smaller than in typical RSA. In particular, we show that it is possible to have private exponents smaller than N 1/4 which are resistant to all known small private exponent attacks. This allows for instances of RSA with short CRTexponents and short public exponents. In addition, the number of bits required to store the private key information can be significantly reduced in this variant. 1
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
"... Abstract. We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/ secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is wellknown that there is a probabilistic polynomial time algorithm that on input (N, ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/ secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is wellknown that there is a probabilistic polynomial time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e, d < φ(N) and that the factors p, q are of the same bitsize. Our approach is an application of Coppersmith’s technique for finding small roots of bivariate integer polynomials.