Results 1-10 of 20
Approximate integer common divisors
CaLC 2001, LNCS, 2001
Cited by 21 (1 self)
Abstract. We show that recent results of Coppersmith, Boneh, Durfee and Howgrave-Graham actually apply in the more general setting of (partially) approximate common divisors. This leads us to consider the question of “fully” approximate common divisors, i.e. where both integers are only known by approximations. We explain the lattice techniques in both the partial and general cases. As an application of the partial approximate common divisor algorithm we show that a cryptosystem proposed by Okamoto actually leaks the private information directly from the public information in polynomial time. In contrast to the partial setting, our technique with respect to the general setting can only be considered heuristic, since we encounter the same “proof of algebraic independence” problem as a subset of the above authors have in previous papers. This problem is generally considered a (hard) problem in lattice theory, since in our case, as in previous cases, the method still works extremely reliably in practice; indeed no counterexamples have been obtained. The results in both the partial and general settings are far stronger than might be supposed from a continued-fraction standpoint (the way in which the problems were attacked in the past), and the determinant calculations admit a reasonably neat analysis. Keywords: Greatest common divisor, approximations, Coppersmith’s method, continued fractions, lattice attacks.
A hybrid lattice-reduction and meet-in-the-middle attack against NTRU
2007
Cited by 17 (2 self)
To date the NTRUEncrypt security parameters have been based on the existence of two types of attack: a meet-in-the-middle attack due to Odlyzko, and a conservative extrapolation of the running times of the best (known) lattice reduction schemes to recover the private key. We show that there is in fact a continuum of more efficient attacks between these two attacks. We show that by combining lattice reduction and a meet-in-the-middle strategy one can reduce the number of loops in attacking the NTRUEncrypt private key from 2^{84.2} to 2^{60.3}, for the k = 80 parameter set. In practice the attack is still expensive (dependent on one's choice of cost metric), although there are certain space/time tradeoffs that can be applied. Asymptotically our attack remains exponential in the security parameter k, but it dictates that NTRUEncrypt parameters must be chosen so that the meet-in-the-middle attack has complexity 2^k even after an initial lattice basis reduction of complexity 2^k.
A Primitive Trinomial of Degree 6972593
Mathematics of Computation, 2003
Cited by 13 (9 self)
We describe a search for primitive trinomials of degree 6972593 over GF(2). The only primitive trinomials found were x + 1 and its reciprocal. This completes the search for primitive trinomials whose degree is a Mersenne exponent less than ten million.
Symbolic Computation in Java: an Appraisement
1999
Cited by 10 (1 self)
Windowing Toolkit and the Swing components from the Java Foundation Classes. Internet browsers contain Java virtual machines for interpreting the bytecode of Java programs that are embedded into Internet documents as applets. Java defines a standard framework for multithreaded execution and for message passing via serialization and socket/datagram protocols. Java assists component composition in two ways. Java objects can discover how to invoke other Java objects at runtime through a process called reflection. Java also supports programming conventions (collectively referred to as "Java Beans") for event-driven inter-component operation. The two together allow tools such as Java Studio [27] to provide convenient visual programming methods of connecting up Java software components. In short, Java is being vigorously developed and we ask the natural question whether Java is suited for symbolic computation and whether our discipline should take advantage of the plethora of freely available...
Key agreement from close secrets over unsecured channels
2009
Cited by 9 (2 self)
We consider information-theoretic key agreement between two parties sharing somewhat different versions of a secret w that has relatively little entropy. Such key agreement, also known as information reconciliation and privacy amplification over unsecured channels, was shown to be theoretically feasible by Renner and Wolf (Eurocrypt 2004), although no protocol that runs in polynomial time was described. We propose a protocol that is not only polynomial-time, but actually practical, requiring only a few seconds on consumer-grade computers. Our protocol can be seen as an interactive version of robust fuzzy extractors (Boyen et al., Eurocrypt 2005, Dodis et al., Crypto 2006). While robust fuzzy extractors, due to their non-interactive nature, require w to have entropy at least half its length, we have no such constraint. In fact, unlike in prior solutions, in our solution the entropy loss is essentially unrelated to the length or the entropy of w, and depends only on the security parameter.
Cryptanalysis of a Public-Key Encryption Scheme Based on the Polynomial Reconstruction Problem
Jianying Zhou (Eds.): Public Key Cryptography - PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1-4, 2004. Lecture Notes in Computer Science 2947, 2003
Cited by 8 (1 self)
We describe a cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem. Given the public key and a ciphertext, we recover the corresponding plaintext in polynomial time. Therefore, the scheme is not one-way.
Faster Multiplication in GF(2)[x]
Cited by 6 (2 self)
Abstract. In this paper, we discuss an implementation of various algorithms for multiplying polynomials in GF(2)[x]: variants of the window methods, Karatsuba’s, Toom-Cook’s, Schönhage’s and Cantor’s algorithms. For most of them, we propose improvements that lead to practical speedups.
A Multilevel Blocking Distinct-degree Factorization Algorithm
Contemporary Mathematics, 2008
Cited by 5 (4 self)
We give a new algorithm for performing the distinct-degree factorization of a polynomial P(x) over GF(2), using a multilevel blocking strategy. The coarsest level of blocking replaces GCD computations by multiplications, as suggested by Pollard (1975), von zur Gathen and Shoup (1992), and others. The novelty of our approach is that a finer level of blocking replaces multiplications by squarings, which speeds up the computation in GF(2)[x]/P(x) of certain interval polynomials when P(x) is sparse. As an application we give a fast algorithm to search for all irreducible trinomials x^r + x^s + 1 of degree r over GF(2), while producing a certificate that can be checked in less time than the full search. Naive algorithms cost O(r^2) per trinomial, thus O(r^3) to search over all trinomials of given degree r. Under a plausible assumption about the distribution of factors of trinomials, the new algorithm has complexity O(r^2 (log r)^{3/2} (log log r)^{1/2}) for the search over all trinomials of degree r. Our implementation achieves a speedup of greater than a factor of 560 over the naive algorithm in the case r = 24036583 (a Mersenne exponent). Using our program, we have found two new primitive trinomials of degree 24036583 over GF(2) (the previous record degree was 6972593).
Generating Elliptic Curves of Prime Order
in Cryptographic Hardware and Embedded Systems – CHES 2001, LNCS, 2001
Cited by 5 (0 self)
Abstract. A variation of the Complex Multiplication (CM) method for generating elliptic curves of known order over finite fields is proposed. We give heuristics and timing statistics in the mildly restricted setting of prime curve order. These may be seen to corroborate earlier work of Koblitz in the class number one setting. Our heuristics are based upon a recent conjecture by R. Gross and J. Smith on numbers of twin primes in algebraic number fields. Our variation precalculates class polynomials as a separate offline process. Unlike the standard approach, which begins with a prime p and searches for an appropriate discriminant D, we choose a discriminant and then search for appropriate primes. Our online process is quick and can be compactly coded. In practice, elliptic curves with near prime order are used. Thus, our timing estimates and data can be regarded as upper estimates for practical purposes.