Results 1 - 10 of 10
Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey
, 2007
Cited by 16 (0 self)
25 years ago, Lenstra, Lenstra and Lovasz presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature: They can either be interpreted as cryptanalytic results or as hardness/security results.
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
, 2004
Cited by 14 (1 self)
We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/ secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is well-known that there is a probabilistic polynomial time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e, d < φ(N) and that the factors p, q are of the same bit-size. Our approach is an application of Coppersmith's technique for finding small roots of bivariate integer polynomials.
A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers
 Advances in Cryptology – Eurocrypt 2005, Lecture Notes in Computer Science
, 2005
Cited by 10 (1 self)
Abstract. We present a new and flexible formulation of Coppersmith’s method for finding small solutions of bivariate polynomials p(x, y) over the integers. Our approach allows to maximize the bound on the solutions of p(x, y) in a purely combinatorial way. We give various construction rules for different shapes of p(x, y)’s Newton polygon. Our method has several applications. Most interestingly, we reduce the case of solving univariate polynomials f(x) modulo some composite number N of unknown factorization to the case of solving bivariate polynomials over the integers. Hence, our approach unifies both methods given by Coppersmith at Eurocrypt 1996.
On the Security of Multi-prime RSA
, 2006
Cited by 2 (1 self)
Abstract. In this work we collect the strongest known algebraic attacks on multi-prime RSA. These include factoring, small private exponent, small CRT exponent and partial key exposure attacks. Five of the attacks are new. A new variant of partial key exposure attacks is also introduced which applies only to multi-prime RSA with more than two primes.
Another Look at Small RSA Exponents
Cited by 1 (0 self)
Abstract. In this work we consider a variant of RSA whose public and private exponents can be chosen significantly smaller than in typical RSA. In particular, we show that it is possible to have private exponents smaller than N^{1/4} which are resistant to all known small private exponent attacks. This allows for instances of RSA with short CRT-exponents and short public exponents. In addition, the number of bits required to store the private key information can be significantly reduced in this variant.
Cryptanalysis of Short Exponent RSA with Primes Sharing Least Significant Bits
 Hung-Min Sun, Mu-En Wu
, 2008
LSBS-RSA denotes an RSA system with modulus primes, p and q, sharing a large number of least significant bits. In ISC 2007, Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we point out that there exist some errors in the calculation of Zhao & Qi’s attack. After recalculating, the result shows that their attack is unable for attacking RSA with primes sharing bits. Consequently, we give a revised version to make their attack feasible. We also propose a new method to further extend the security boundary, compared with the revised version. The proposed attack also supports the result of analogue Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than n/4 least significant bits, where n is the bitlength of pq. In conclusion, it is a tradeoff between the number of sharing bits and the security level in LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.
Keywords: RSA, least significant bits (LSBs), LSBS-RSA, short exponent attack, lattice reduction technique, the Boneh-Durfee attack.
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Abstract. We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/ secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is well-known that there is a probabilistic polynomial time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e, d < φ(N) and that the factors p, q are of the same bit-size. Our approach is an application of Coppersmith’s technique for finding small roots of bivariate integer polynomials.
Rounding LLL: Finding Faster Small Roots of Univariate Polynomial Congruences
, 2013
In a seminal work at EUROCRYPT ’96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in public-key cryptanalysis and in a few security proofs. However, the running time of the algorithm is a high-degree polynomial, which limits experiments: the bottleneck is an LLL reduction of a high-dimensional matrix with extra-large coefficients. We present in this paper a polynomial speedup over Coppersmith’s algorithm. Our improvement is based on a special property of the matrices used by Coppersmith’s algorithm, which allows us to speed up the LLL reduction by rounding. The exact speedup depends on the LLL algorithm used: for instance, the speedup is quadratic in the bit-size of the small-root bound if one uses the Nguyen-Stehlé L² algorithm.