## Divisibility, Smoothness and Cryptographic Applications (2008)

### BibTeX

@MISC{Naccache08divisibility,smoothness,
    author = {David Naccache and Igor E. Shparlinski},
    title = {Divisibility, Smoothness and Cryptographic Applications},
    year = {2008}
}

### Abstract

This paper deals with products of moderate-size primes, familiarly known as smooth numbers. Smooth numbers play a crucial role in information theory, signal processing and cryptography. We present various properties of smooth numbers relating to their enumeration, distribution and occurrence in various integer sequences. We then turn our attention to cryptographic applications in which smooth numbers play a pivotal role.

### Citations

2466 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1996
Citation Context ... $m_i$ of the residue of $m$ modulo each prime factor $p_i$, $i = 1, \ldots, k$ of $s$ given by (25), and recovers the message by the Chinese Remainder Theorem, following an idea of Pohlig–Hellman [124], see also [44, 114]. Now for every $i = 1, \ldots, k$, to find $m_i$, given the ciphertext $c \equiv g^m \pmod N$, the algorithm computes $c_i \equiv c^{\varphi(n)/p_i} \equiv g^{m\varphi(n)/p_i} \equiv g^{m_i\varphi(n)/p_i} \pmod N$, where the congruence $m \equiv m_i \pmod{p_i}$ is us... |

1113 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context ...he above approach does not apply to the discrete logarithm problem in the elliptic curve settings where smoothness admits no analogous notion. 9.3 Textbook ElGamal Encryption The ElGamal cryptosystem [51] makes use of two primes $p, q$ with $q \mid p - 1$ and an element $g \in \mathbb{F}_p$ of order $q$ (all of which are public), see also [27, Section 8.6], or [114, Sections 8.4.1 and 8.4.2], or [140, Section 6.1] for furt... |

847 | An Introduction to the Theory of Numbers
- Hardy, Wright
- 1980
Citation Context ...ction 3 we overview on a number of number-theoretic results commonly used for studying the multiplicative structure of integers. Most of the elementary results which we use are readily available from [83]; more advanced results can be found, often in much more precise forms, in [44, 80, 85, 92, 144] and in many other standard analytic number theory manuals. Some of them are directly used in this paper... |

832 | How to Prove Yourself: Practical Solutions to Identification and Signature Problems
- Fiat, Shamir
- 1986
Citation Context ...ro-knowledge proof (ZKP) is a protocol allowing Alice to convince Bob that she knows a secret $s$ without revealing to Bob information on $s$. The best-known ZKP is probably the protocol of Fiat & Shamir [54] which uses an RSA modulus $N$ and $k$ quadratic residues $v_i$ as public parameters. In its simplest version, Alice uses the $k$ modular square roots $s_i$ such that $s_i^2 \equiv v_i \pmod N$ as secret identification k... |

660 | An algorithm for the machine calculation of complex fourier series
- Cooley, Tukey
- 1965
Citation Context ...n even and odd dimensions. The same applies to divisibility by any prime or prime power and allows to derive a recursive Fast Fourier Transform algorithm of sub-quadratic complexity when n is smooth, [33, 69]. Applications of this kind are also left out as we restrict ourselves to the cryptographic genre. 2 Conventions 2.1 Notations Throughout this paper we use Vinogradov’s notation ‘f(x) ≪ g(x)’ which ... |

429 |
zur Gathen and
- von
- 1999
Citation Context ...n even and odd dimensions. The same applies to divisibility by any prime or prime power and allows to derive a recursive Fast Fourier Transform algorithm of sub-quadratic complexity when n is smooth, [33, 69]. Applications of this kind are also left out as we restrict ourselves to the cryptographic genre. 2 Conventions 2.1 Notations Throughout this paper we use Vinogradov’s notation ‘f(x) ≪ g(x)’ which ... |

385 | Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme. Monatshefte für Mathematik und Physik
- Gödel
- 1931
Citation Context ...] for more information on this somewhat unusual public-key encryption scheme, whose encoding idea dates back to 1931, see Section 9.7. 9.7 Gödel Numbers In his famous work published in 1931, Gödel [73] uses a mapping of mathematical expressions into integers based on divisibility by small prime factors. Gödel [73] starts by assigning a unique natural number τ(ξ) to each basic mathematical symbol ξ ... |

247 | Analytic Number Theory
- Iwaniec, Kowalski
Citation Context ...tudying the multiplicative structure of integers. Most of the elementary results which we use are readily available from [83]; more advanced results can be found, often in much more precise forms, in [44, 80, 85, 92, 144] and in many other standard analytic number theory manuals. Some of them are directly used in this paper, others remain in the background but we illustrate with them the variety of cryptographically u... |

233 | Factoring Integers with Elliptic Curves
- Lenstra
- 1987
Citation Context ...26]. 6.5 Next Largest Prime Divisors Characterizing the second largest prime divisor is of interest too, as the complexity of factoring an integer $n$ with Lenstra’s elliptic curve factorization method [103] (commonly called ‘the ECM’), depends on this prime divisor. More generally, denoting by $P_j(n)$ the $j$-th largest prime divisor of $n$, one may consider the joint distribution $\psi(x, y_1, \ldots, y_k) = \#\{n \le$... |

178 | Small solutions to polynomial equations, and low exponent RSA vulnerabilities
- Coppersmith
- 1997
Citation Context ...ve-Graham & Nagaraj [46] on the number of divisors d | n of a given integer n in a prescribed arithmetic progression d ≡ a (mod k), which is based on the ideas of the celebrated attack of Coppersmith [43, 44] on RSA moduli with partially known factors. Yet another example is given by Boneh [22], see Section 6.2 below. 2 Conventions 2.1 Notations Throughout this paper we use Vinogradov’s n... |

155 | Sieve methods
- Halberstam, Richert
- 1974
Citation Context ...tudying the multiplicative structure of integers. Most of the elementary results which we use are readily available from [83]; more advanced results can be found, often in much more precise forms, in [44, 80, 85, 92, 144] and in many other standard analytic number theory manuals. Some of them are directly used in this paper, others remain in the background but we illustrate with them the variety of cryptographically u... |

96 | Hardness of computing the most significant bits of secret keys
- Boneh, Venkatesan
- 1109
Citation Context ...e smooth, see [27, Section 10.5], or [114, Section 3.6.4], or [140, Section 6.2.3]. 4 Small values of g allow to significantly speed up square-and-multiply exponentiation. Also, Boneh & Venkatesan [21] have shown that the Diffie-Hellman protocol with the g = 2 has some additional attractive bit security properties which are not known for other g values. Finally we recall that Pollard’s (p − 1)-fact... |

87 | Discrete logarithms in finite fields and their cryptographic significance
- Odlyzko
Citation Context ...≤ m f is k-smooth and monic}. $u = \frac{m}{k} = \frac{\log q^m}{\log q^k}$ (the last expression makes the analogy with formula (6) completely explicit). The systematic study of $N_q(m, k)$ dates back to the work of Odlyzko [122] who also discovered the relevance of this quantity to the discrete logarithm problem in finite fields. Several very precise results about $N_q(m, k)$ have recently been given by Bender & Pomerance [14].... |

74 | On a problem of Oppenheim concerning Factorisatio Numerorum
- Canfield, Erdős, et al.
- 1983
Citation Context ... completely wrong! ψ(x, y) ∼ x u . 4.2 Estimating Smooth Integer Densities One of the most popular estimates of ψ(x, y) is: $\psi(x, y) = u^{-u+o(u)} x$. (7) This formula, due to Canfield, Erdős & Pomerance [31], is applicable in the very large range: $u \le y^{1-\varepsilon}$ or $y \ge (\log x)^{1+\varepsilon}$ but the behavior of ψ(x, y) changes for y < log x. While (7) is not an asymptotic formula (since o(u) is in the exponent), asympto... |

67 | A New Public-Key Cryptosystem Based on Higher Residues
- Naccache, Stern
Citation Context ... also Section 7.5. 9.14 Smooth-Order Based Public Key Encryption Smooth orders can also be used constructively to provide public key encryption. Here is one such suggestion due to Naccache & Stern [121]: Parameter Generation: Let $s$ be an odd, squarefree, $y$-smooth integer, where $y$ is a certain small parameter and let $N = pq$ be an RSA modulus such that $s \mid \varphi(n)$ and $\gcd\left(s, \frac{\varphi(N)}{s}\right) = 1$. Typically, we ... |

53 | Single-database private information retrieval with constant communication rate
- Gentry, Ramzan
- 2005
Citation Context ... (PIR) scheme is a combination of encoding and encryption which allows a user to retrieve the k-th bit of an n-bit database, without revealing to the database owner the value of k. Gentry & Ramzan [70] have used the Chinese Remainder Theorem and properties of products of small primes to design a PIR scheme. The construction of [70] requires a cyclic group G whose order t = #G has a prescribed arith... |

51 | Security analysis of the strong Diffie-Hellman problem
- Cheon
Citation Context ...eaks out in the generalized Diffie-Hellman setting, solving it is not easier than solving the traditional Diffie-Hellman problem with the same parameters. Surprisingly, Brown & Gallant [26] and Cheon [32], have shown this intuition to be wrong. Here are some results of Cheon [32]: • given $g^x$ and $g^{x^d}$ for some $d \mid p - 1$, one can find $x$ in time about $O\left(\sqrt{p/d} + \sqrt{d}\right)$ (which is $O(p^{1/4})$ for $d \sim \sqrt{p}$). ... |

49 |
von zur Gathen and
- unknown authors
- 1999
Citation Context ...which concludes our “proof”. ∫ u 16 N ρ(t − 1) dt ) = ρ(u)x t Estimating the largest prime divisor is a necessary step in many number-theoretic algorithms. For instance, Bach, von zur Gathen & Lenstra [3] introduce an algorithm for factoring polynomials over finite fields of characteristic p. The complexity of this algorithm depends on the largest prime divisor of the product the k cyclotomic polynomi... |

41 | Detecting perfect powers in essentially linear time
- Bernstein
- 1998
Citation Context ...ity applications sometimes require primality proofs. Here is a way to provide such proofs, due to Pratt [127] • Check that the would-be prime p is not a perfect power. This is easy, see, for example, [16, 17]. • Produce a primitive root g modulo p and provide a proof of this. For that sake it is enough to verify that g p−1 ̸≡ 1 (mod p) and g (p−1)/q ̸≡ 1 (mod p) for all prime divisors q | (p − 1), so the ... |

41 | Integers without large prime factors
- Hildebrand, Tenenbaum
- 1993
Citation Context ...tor into products of primes which are all smaller than a bound b? The results listed here are neither exhaustive nor new (we refer the reader to references such number theory books or surveys such as [79, 81, 88] for a more formal and systematic topical treatment). Then, in Section 9, we use these results to shed light on a number of cryptographic constructions and attacks. We remark that the specifics of thi... |

40 | A new public-key cryptosystem
- Naccache, Stern
- 1997
Citation Context ...d it successfully to a number of industry standards. 9.6 Small Prime Based Public-Key Encryption Products of small primes can also be used for public-key encryption. The idea, due to Naccache & Stern [120], is based on the following problem: Given a prime $p$, a positive integer $f < p$ and a set of integers $\{v_1, \ldots, v_n\}$, find a binary vector $x$ such that $f \equiv \prod_{i=1}^{n} v_i^{x_i} \pmod p$, if such a vector e... |

35 | Shifted primes without large prime factors
- Baker, Harman
- 1998
Citation Context ...ch is presently out of reach. In fact, even the obtaining of lower bounds on $\pi_a(x, y)$ is an extremely difficult task where progress seems to be very slow. The best known result, due to Baker & Harman [9] only asserts that there is a positive constant $A$ such that for $a \ne 0$, $\pi_a(x, y) \gg \frac{\pi(x)}{(\log x)^A}$ for $u \le 3.377\ldots$ (where as before, $u$ is defined by (6)), see also [85]. For most applications the l... |

35 | The distribution of quadratic residues and non-residues
- Burgess
Citation Context ... u for 1 ≤ u ≤ 2. For example, $\rho(\sqrt{e}) = 1/2$, that is, about half of the integers $n \le x$ have no prime divisors larger than $n^{1/\sqrt{e}} = n^{0.6065\ldots}$. This has been used by Vinogradov [152] and by Burgess [30], to estimate the smallest quadratic non-residue modulo a prime. It is not difficult to show that as $u \to \infty$: $\rho(u) = u^{-u+o(u)}$ (1) and, more precisely, $\rho(u) = \left(\frac{e + o(1)}{u \log u}\right)^u$; even more accurate... |

33 | Introduction to Cryptography - Buchmann - 2001 |

33 | Heuristics on class groups of number fields, Number theory
- Lenstra
- 1983
Citation Context ...ch that • either d ≡ 1 (mod 4) and d is square-free, • or d ≡ 0 (mod 4), d/4 ≡ 2, 3 (mod 4) and d/4 is square-free. Using the so-called Cohen–Lenstra heuristics for divisibility of class numbers, see [35], Hamdy & Saidak [82] derived a conditional asymptotic formula for the number of d ∈ D with −d ≤ x for which h(d) is y-smooth. Unfortunately, this seems to be the only known result in this really excit... |

31 | Primes in arithmetic progressions to large moduli
- Bombieri, Friedlander, et al.
- 1989
Citation Context ...nger than results immediately implied by the GRH exist. One such estimate is the Brun-Titchmarsh theorem, see Section 3.1. Other examples include a thread of works by Bombieri, Friedlander & Iwaniec [19, 20, 21] which extends Bombieri–Vinogradov’s theorem, see Section 3.1, beyond the square-root range. One of the important applications of these results is a remarkable result of Mikawa [126], which asserts tha... |

30 | Finding smooth integers in short intervals using CRT decoding
- Boneh
Citation Context ...ers appears to be a challenging problem. A natural constraint, stemming from the study of digital signatures, is the requirement that the y-smooth number belongs to a given interval [x, x + z]. Boneh [19], motivated by certain cryptographic problems, has devised a polynomial-time algorithm solving this problem for some x, y, z parameter combinations. 2 proven or conjectured Results about the existe... |

30 | A Chosen Text Attack on the RSA Cryptosystem and Some Discrete Logarithm Problems
- Desmedt, Odlyzko
- 1986
Citation Context ...scribed work because of the inability of the affine padding to eradicate the homomorphic properties of RSA. However, there are other attacks that apply in theory to any type of message padding. In [49], Desmedt & Odlyzko describe an existential RSA signature forgery scenario. Here, the opponent is allowed to query from the legitimate signer e-th roots (signatures) of validly padded messages of his ... |

30 | On the number of positive integers ≤ x and free of prime factor ≥ y
- Hildebrand
- 1986
Citation Context ...$(\log x)^{1+\varepsilon}$ but the behavior of ψ(x, y) changes for y < log x. While (7) is not an asymptotic formula (since o(u) is in the exponent), asymptotic formulae for ψ(x, y) exist. In particular, Hildebrand [78] gave the asymptotic formula $\psi(x, y) \sim \rho(u)x$ (8) for $u \le \exp\left((\log y)^{3/5-\varepsilon}\right)$ or $y \ge \exp\left((\log \log x)^{5/3+\varepsilon}\right)$. A precise estimate of the error term in (8) is given by Saias [113]. Note that (7) an... |

28 | The distribution of integers with a divisor in a given interval
- Ford
- 2004
Citation Context ...ome examples of such breakthrough achievements include: • the estimate of Ford [55] on the counting function for the number of values of the Euler function, see Section 3.4; • the estimates of Ford [58] on the counting function of integers with an integer divisor in a given interval, see Section 8.3; • the very tight estimates of Croot, Granville, Pemantle & Tetali [47] on the stopping time of the D... |

25 | Minding Your P’s and Q’s
- Anderson, Vaudenay
- 1996
Citation Context ...of p and q. η(863, 80, 160) ≈ 0.09576 > 9.5% We also note that similar attacks on the ElGamal signature scheme and the Diffie Hellman key exchange protocols, have been outlined by Anderson & Vaudenay [2]. 9.13 Smooth Orders Let $l(n)$ be the multiplicative order of 2 modulo $n$, $\gcd(2, n) = 1$ (in the following 2 can be replaced by any integer $a \ne 0, \pm 1$). Motivated by several cryptographic applications, ... |

23 | Why Textbook ElGamal and RSA Encryption are Insecure (Extended Abstract
- Boneh, Joux, et al.
- 2000
Citation Context ...ather small integer. For example, p can be about 500 bits long to thwart discrete logarithm calculation attempts, but µ can be only 80 bits long to resist the brute force search. Boneh, Joux & Nguyen [20] have shown that in this case, with a reasonable probability, µ can be recovered significantly faster than by any of the above two attacks. Let $G_q$ be the subgroup of $\mathbb{F}_p^*$ of order $q$ generated by $g$. ... |

22 | Asymptotic semi-smoothness probabilities
- Bach, Peralta
- 1992
Citation Context ...lly important. Indeed, using above notation, the ECM algorithm factors $n$ completely in time: $\exp\left((2 + o(1))\sqrt{\log p \log \log p}\right) n^{O(1)}$, where $p = P_2(n)$. This case has also got special attention in [4]. 6.6 Other Facts In this section we present several unrelated results, which while unlikely to have any obvious cryptographic applications, still prove interesting for our exploration of smooth numbe... |

22 | Prime numbers: A Computational Perspective, 2nd Ed
- Crandall, Pomerance
- 2005
Citation Context ...tudying the multiplicative structure of integers. Most of the elementary results which we use are readily available from [83]; more advanced results can be found, often in much more precise forms, in [44, 80, 85, 92, 144] and in many other standard analytic number theory manuals. Some of them are directly used in this paper, others remain in the background but we illustrate with them the variety of cryptographically u... |

22 | Primality of the number of points on an elliptic curve over a finite field
- Koblitz
- 1988
Citation Context ...rroz [95], Liu [106, 107, 108], Miri & Murty [116] and Steuding & A. Weng [139]. Some heuristics about the number of prime values of $N_p$ for $p \le x$ have been discussed by Galbraith & McKee [68], Koblitz [97, 98] and Weng [154]. An upper bound on this quantity is obtained by Cojocaru, Luca & Shparlinski [38], see also [36]. However, it seems that there are no smoothness results about the numbers $N_p$, although... |

22 | On integers free of large prime factors
- Hildebrand, Tenenbaum
- 1986
Citation Context ... also be obtained independently. Unfortunately the validity range of (8) is much narrower than that of (7), and is likely to remain so for quite some time. Indeed, as per another result of Hildebrand [77], the validity of (8) in the range: $1 \le u \le y^{1/2-\varepsilon}$ or $y \ge (\log x)^{2+\varepsilon}$ is equivalent to the Riemann Hypothesis. 5 Estimating ψ(x, y) 5.1 Counting Very Smooth Numbers: Lattices To estimate ψ(x, y) for ... |

21 | Smooth numbers: computational number theory and beyond. Algorithmic Number Theory
- Granville
Citation Context ...tor into products of primes which are all smaller than a bound b? The results listed here are neither exhaustive nor new (we refer the reader to references such number theory books or surveys such as [79, 81, 88] for a more formal and systematic topical treatment). Then, in Section 9, we use these results to shed light on a number of cryptographic constructions and attacks. We remark that the specifics of thi... |

19 | Rigorous discrete logarithm computations in finite fields via smooth polynomials
- Bender, Pomerance
- 1998
Citation Context ...[122] who also discovered the relevance of this quantity to the discrete logarithm problem in finite fields. Several very precise results about $N_q(m, k)$ have recently been given by Bender & Pomerance [14]. For example, by [14, Theorem 2.1] we have $N_q(m, k) = u^{-u+o(u)} q^m$ as $k \to \infty$ and $u \to \infty$, uniformly for $q^k \ge m(\log m)^2$, and by [14, Theorem 2.2] we also have $N_q(m, k) \ge \frac{q^m}{m^u}$ for $k \le \sqrt{m}$. 8 Distrib... |

18 | A hyperelliptic smoothness test
- Lenstra, Pila, et al.
- 1993
Citation Context ...t the result of Croot [46] applies to intervals of similar length but unfortunately for y values which are much larger than those appearing in [103]. Finally, we recall that Lenstra, Pila & Pomerance [104, 105] have found an ingenious way to circumvent this problem by introducing a hyperelliptic factoring algorithm. For this algorithm, smooth numbers in large intervals ought to be studied, which is already ... |

17 | On the normal number of prime factors of φ(n
- Erdös, Pomerance
- 1984
Citation Context ...larly to H(x, y, z; N ). However the behaviour of $H(x, y, z; \varphi(\mathbb{N}))$ is very different. Given that typical values of the Euler function • have more prime divisors, due to a result of Erdős & Pomerance [53], • have more integer divisors, due to a result of Luca & Pomerance [110], • are smoother, due to a result of Banks, Friedlander, Pomerance & Shparlinski [10], see also Section 7.5, than a typical ... |

17 | Shifted primes without large prime factors, in Number Theory and Applications
- Friedlander
- 1989
Citation Context ...re, u is defined by (6)), see also [85]. For most applications the logarithmic loss in the density of such primes is not important. However, if this becomes an issue, one can use bound of Friedlander [65]: $\pi_a(x, y) \gg \pi(x)$ which, however, is proven only for $u \le 2\sqrt{e} = 3.2974\ldots$. Finally, we recall yet another result of Baker & Harman [9] guarantees that $\pi(x) - \pi_a(x, y) \gg \pi(x)$ for $u \ge 1.477\ldots$... |

15 | The distribution of totients
- Ford
- 1998
Citation Context ... improvements are often principal steps forward and require the development of new ideas and very refined techniques. Some examples of such breakthrough achievements include: • the estimate of Ford [55] on the counting function for the number of values of the Euler function, see Section 3.4; • the estimates of Ford [58] on the counting function of integers with an integer divisor in a given interval... |

15 | An improvement of the Fiat-Shamir identification and signature scheme
- Micali, Shamir
Citation Context ... , $e_{k-1}\rangle$ and sends it to Alice. • Alice replies to Bob with: $y \equiv r \prod_{i=0}^{k-1} s_i^{e_i} \pmod N$. • Bob verifies that: $y^2 \equiv x \prod_{i=0}^{k-1} v_i^{e_i} \pmod N$. To ease Bob’s computational burden, Micali & Shamir [115] suggest to use very small $v_i$-values. As it turns out, using small primes as $v_i$-values presents particular security and simplicity advantages. 9.11 The Generalized Diffie-Hellman Problem Recently, ... |

13 | VSH, an efficient and provable collision-resistant hash function
- Contini, Lenstra, et al.
Citation Context ...thus the bounds of $\Pi_{-1}(x, y)$ from Section 7.5 can be applied. 9.17 Small Prime Based Hash Functions The Very Smooth Hash function, VSH, recently introduced and studied by Contini, Lenstra & Steinfeld [34], is defined as follows. Let $p_i$ denote the $i$-th prime number and let $Q_k = \prod_{i=1}^{k} p_i$ denote the product of the first $k$ primes. Assume that integers $k$ and $N$ satisfy $Q_k < N \le Q_{k+1}$. (29) Let the message l... |

12 | The static Diffie-Hellman problem, Cryptology ePrint Archive, Report 2004/306
- Brown, Gallant
- 2004
Citation Context ...ormation on x leaks out in the generalized Diffie-Hellman setting, solving it is not easier than solving the traditional Diffie-Hellman problem with the same parameters. Surprisingly, Brown & Gallant [26] and Cheon [32], have shown this intuition to be wrong. Here are some results of Cheon [32]: • given $g^x$ and $g^{x^d}$ for some $d \mid p - 1$, one can find $x$ in time about $O\left(\sqrt{p/d} + \sqrt{d}\right)$ (which is $O(p^{1/4})$ fo... |

12 | Security analysis of the Gennaro-Halevi-Rabin signature scheme
- Coron, Naccache
- 2000
Citation Context ...r unexpected direction, can be found in a work by Joux, Naccache & Thomé [93]. Finally, although unrelated, other recreative applications of ad-hoc factoring in cryptanalysis can be found in [41] and [42]. 9.5 Desmedt-Odlyzko Attack The attacks that we have just described work because of the inability of the affine padding to eradicate the homomorphic properties of RSA. However, there are other attack... |

12 | Efficient generation of prime numbers
- Joye, Paillier, et al.
- 2000
Citation Context ...s can be viewed as “approximations” to primes. Rough numbers can be easily found and are proven to exist in various integer sequences of cryptographic interest. For example, Joye, Paillier & Vaudenay [94] use rough numbers as “interesting” candidates for primality testing during cryptographic key generation. 6.4 Large Smooth Divisors It is also natural to ask how often integers are expected to have a lar... |

12 | Factoring integers with elliptic curves, Annals of Mathematics
- Lenstra
- 1987
Citation Context ...08]. 6.5 Next Largest Prime Divisors Characterizing the second largest prime divisor is of interest too, as the complexity of factoring an integer $n$ with Lenstra’s elliptic curve factorization method [90] (commonly called ‘the ECM’), depends on this prime divisor. More generally, denoting by $P_j(n)$ the $j$-th largest prime divisor of $n$, one may consider the joint distribution $\psi(x, y_1, \ldots, y_k) = \#\{n \le x$... |

11 | Selective forgery of RSA signatures using redundancy
- Girault, Misarsky
- 1997
Citation Context ...$s(m)$ of an $\ell$ bit message $m$ is computed as $s(m) \equiv R(m)^d \pmod N$, $1 \le s(m) \le N$, (that is, $P = 2^\ell \Pi$ where $\Pi$ is the appended padding pattern). In a thread of works by Misarsky [117], Girault & Misarsky [71, 72] and Brier, Clavier, Coron & Naccache [25], existential forgery attacks on affine-padded RSA signatures have been progressively developed and refined. Lenstra & Shparlinski [102] have improved [25] by ... |

11 | A multiplicative attack using LLL algorithm on RSA signatures with redundancy
- Misarsky
- 1997
Citation Context ...we see that the signature $s(m)$ of an $\ell$ bit message $m$ is computed as $s(m) \equiv R(m)^d \pmod N$, $1 \le s(m) \le N$, (that is, $P = 2^\ell \Pi$ where $\Pi$ is the appended padding pattern). In a thread of works by Misarsky [117], Girault & Misarsky [71, 72] and Brier, Clavier, Coron & Naccache [25], existential forgery attacks on affine-padded RSA signatures have been progressively developed and refined. Lenstra & Shparlinski... |