Results 1-10 of 24
The Two Faces of Lattices in Cryptology
2001
Cited by 69 (16 self)
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
Paillier's Cryptosystem Revisited
In ACM Conference on Computer and Communications Security
2001
Cited by 29 (4 self)
We re-examine Paillier's cryptosystem, and show that by choosing a particular discrete log base g, and by introducing an alternative decryption procedure, we can extend the scheme to allow an arbitrary exponent e instead of N. The use of low exponents substantially increases the efficiency of the scheme. The semantic security is now based on a new decisional assumption, namely the hardness of deciding whether an element is a "small" e-th residue modulo N². We also
Fast LLL-Type Lattice Reduction
 Information and Computation
2004
Cited by 20 (3 self)
We modify the concept of LLL-reduction of lattice bases in the sense of Lenstra, Lenstra, Lovász [LLL82] towards a faster reduction algorithm. We organize LLL-reduction in segments of the basis.
Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey
2007
Cited by 16 (0 self)
25 years ago, Lenstra, Lenstra and Lovász presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature: they can either be interpreted as cryptanalytic results or as hardness/security results.
Finding Small Roots of Bivariate Integer Polynomial Equations Revisited
Proc. Advances in Cryptology - Eurocrypt '04, LNCS 3027
2004
Cited by 14 (0 self)
At Eurocrypt '96, Coppersmith proposed an algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction techniques. But the approach is difficult to understand. In this paper, we present a much simpler algorithm for solving the same problem. Our simplification is analogous to the simplification brought by Howgrave-Graham to Coppersmith's algorithm for finding small roots of univariate modular polynomial equations. As an application, we illustrate the new algorithm with the problem of finding the factors of n = pq if we are given the high-order (1/4) log₂ n bits of p.
Lattice-based cryptography
In Proc. of the 26th Annual International Cryptology Conference (CRYPTO)
2006
Cited by 14 (2 self)
We describe some of the recent progress on lattice-based cryptography, starting from the seminal work of Ajtai, and ending with some recent constructions of very efficient cryptographic schemes.
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
2004
Cited by 14 (1 self)
We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is well known that there is a probabilistic polynomial time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e, d < φ(N) and that the factors p, q are of the same bit-size. Our approach is an application of Coppersmith's technique for finding small roots of bivariate integer polynomials.
A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers
 Advances in Cryptology – Eurocrypt 2005, Lecture Notes in Computer Science
2005
Cited by 10 (1 self)
We present a new and flexible formulation of Coppersmith's method for finding small solutions of bivariate polynomials p(x, y) over the integers. Our approach allows one to maximize the bound on the solutions of p(x, y) in a purely combinatorial way. We give various construction rules for different shapes of p(x, y)'s Newton polygon. Our method has several applications. Most interestingly, we reduce the case of solving univariate polynomials f(x) modulo some composite number N of unknown factorization to the case of solving bivariate polynomials over the integers. Hence, our approach unifies both methods given by Coppersmith at Eurocrypt 1996.
Reducing lattice bases to find small-height values of univariate polynomials
URL: http://cr.yp.to/papers.html#smallheight
2004
Cited by 8 (4 self)
This paper generalizes several previous results on finding divisors in residue classes (Lenstra, Konyagin, Pomerance, Coppersmith, Howgrave-Graham, Nagaraj), finding divisors in intervals (Rivest, Shamir, Coppersmith, Howgrave-Graham), finding modular roots (Hastad, Vallée, Girault, Toffin, Coppersmith, Howgrave-Graham), finding high-power divisors (Boneh, Durfee, Howgrave-Graham), and finding codeword errors beyond half distance (Sudan, Guruswami, Goldreich, Ron, Boneh) into a unified algorithm that, given f and g, finds all rational numbers r such that f(r) and g(r) both have small height.
Predicting Nonlinear Pseudorandom Number Generators
 MATH. COMPUTATION
2004
Cited by 8 (5 self)
Let p be a prime and let a and b be elements of the finite field F_p of p elements. The inversive congruential generator (ICG) is a sequence (u_n) of pseudorandom numbers defined by the relation u_{n+1} ≡ a u_n^{-1} + b (mod p). We show that if sufficiently many of the most significant bits of several consecutive values u_n of the ICG are given, one can recover the initial value u_0 (even in the case where the coefficients a and b are not known). We also obtain similar results for the quadratic congruential generator (QCG), v_{n+1} ≡ f(v_n) (mod p), where f ∈ F_p[X]. This suggests that for cryptographic applications ICG and QCG should be used with great care. Our results are somewhat similar to those known for the linear congruential generator (LCG), x_{n+1} ≡ a x_n + b (mod p), but they apply only to much longer bit strings. We also estimate limits of some heuristic approaches, which still remain much weaker than those known for LCG.
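The paper's result concerns truncated outputs (most significant bits only) and relies on lattice reduction, which is not reproduced here. As an added baseline example that is not from the paper, the script below shows the simpler fact the warning builds on: once full outputs and the prime p are known, three consecutive values already determine a and b, so keeping the multiplier and increment secret gives an ICG no protection at all. The modulus p = 2^31 - 1, the parameters a = 12345, b = 67890 and the seed 42 are constructed values; the convention 0^{-1} = 0 is assumed for the inversive step.

```python
def icg_step(p, a, b, u):
    """One inversive congruential step u -> a*u^{-1} + b mod p (convention: 0^{-1} = 0,
    which pow(0, p-2, p) returns automatically)."""
    return (a * pow(u, p - 2, p) + b) % p


def icg_sequence(p, a, b, u0, count):
    out, u = [], u0
    for _ in range(count):
        out.append(u)
        u = icg_step(p, a, b, u)
    return out


def recover_icg(p, outputs):
    """Recover (a, b) from full consecutive ICG outputs modulo a known prime p.
    Consecutive equations u1 = a*inv(u0) + b and u2 = a*inv(u1) + b are linear in (a, b);
    subtracting them isolates a, provided inv(u0) != inv(u1). Returns None if no window works."""
    for u0, u1, u2 in zip(outputs, outputs[1:], outputs[2:]):
        i0, i1 = pow(u0, p - 2, p), pow(u1, p - 2, p)
        if i0 == i1:                      # degenerate window (u0 == u1): slide on
            continue
        a = (u2 - u1) * pow(i1 - i0, p - 2, p) % p
        b = (u1 - a * i0) % p
        # Never trust a candidate until it reproduces every observed transition.
        if all(icg_step(p, a, b, x) == y for x, y in zip(outputs, outputs[1:])):
            return a, b
    return None


if __name__ == "__main__":
    # Constructed example (assumption): p = 2^31 - 1 is prime, secret a = 12345, b = 67890, seed 42.
    P = 2 ** 31 - 1
    observed = icg_sequence(P, 12345, 67890, 42, 3)          # three leaked full outputs
    a, b = recover_icg(P, observed)
    print((a, b), icg_sequence(P, a, b, observed[0], 6))     # predicts the stream onward
```

With only the high-order bits of each u_n available, the two equations above are no longer linear in known quantities; that is the setting in which the paper's lattice-based attack takes over, and the reason the abstract says the bounds apply only to much longer bit strings than for the LCG.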