Finding small roots of univariate modular equations revisited

Howgrave-Graham, Nick

doi:10.1007/bfb0024458

Cited by 251 publications

(150 citation statements)

References 4 publications

Supporting

Mentioning

149

Contrasting

Unclassified

Order By: Relevance

“…To find the small zero (z 1 ,z 2 ) of (11) and (12) we use the bivariate modular polynomial lattice method of Coppersmith [11] as simplified by Howgrave-Graham [20] and used in many subsequent works. Namely, for an integer m we use the polynomials f (z 1 , z 2 ) and g(z 1 ) to construct the following family of polynomials h i,k (z 1 , z 2 ) indexed by a pair of integers i = 0, 1, .…”

Section: Cryptanalysis Of the Fs-rsa Problemmentioning

confidence: 99%

On the Provable Security of an Efficient RSA-Based Pseudorandom Generator

Steinfeld

Pieprzyk

Wang

2006

Advances in Cryptology – ASIACRYPT 2006

View full text Add to dashboard Cite

Abstract. Pseudorandom Generators (PRGs) based on the RSA inversion (one-wayness) problem have been extensively studied in the literature over the last 25 years. These generators have the attractive feature of provable pseudorandomness security assuming the hardness of the RSA inversion problem. However, despite extensive study, the most efficient provably secure RSA-based generators output asymptotically only at most O(log n) bits per multiply modulo an RSA modulus of bitlength n, and hence are too slow to be used in many practical applications. To bring theory closer to practice, we present a simple modification to the proof of security by Fischlin and Schnorr of an RSA-based PRG, which shows that one can obtain an RSA-based PRG which outputs Ω(n) bits per multiply and has provable pseudorandomness security assuming the hardness of a well-studied variant of the RSA inversion problem, where a constant fraction of the plaintext bits are given. Our result gives a positive answer to an open question posed by Gennaro (J. of Cryptology, 2005) regarding finding a PRG beating the rate O(log n) bits per multiply at the cost of a reasonable assumption on RSA inversion.

show abstract

Section: Cryptanalysis Of the Fs-rsa Problemmentioning

confidence: 99%

On the Provable Security of an Efficient RSA-Based Pseudorandom Generator

Steinfeld

Pieprzyk

Wang

2006

Advances in Cryptology – ASIACRYPT 2006

View full text Add to dashboard Cite

show abstract

“…In general, solving modular equation is not easy, whereas there are some cases where we may be able to use the standard numerical method for solving this problem. The Howgrave-Graham lemma [7] provides us with one of such cases.…”

Section: Preliminariesmentioning

confidence: 99%

Simplification of the Lattice Based Attack of Boneh and Durfee for RSA Cryptoanalysis

Aono¹

2014

Computer Mathematics

View full text Add to dashboard Cite

In this paper we present a new formulation and its simpler analysis of the lattice based attack of Boneh and Durfee for the RSA cryptography [2]. We follow the same approach of Boneh and Durfee, however we propose a new way of defining a lattice with which we can achieve the same solvable key bound d < N 0.292 . Our lattice is represented as a lower triangle matrix, which makes its analysis much simpler that of [2]. We think that this simpler analysis would be useful for considering applications/generalisations of this approach. In fact, as an example of such applications, we give a way of attacking RSA secret key with a certain repetitive structure.

show abstract

“…Indeed, in 1996, Coppersmith [5] introduced a technique, based on lattice reduction, allowing to recover the root of a univariate modular polynomial provided that this root is small enough. This construction was reformulated in simpler terms by Howgrave-Graham [12] and its extensions to more variables found numerous cryptanalytic applications.…”

Section: B Finding Small Modular Roots Of a Multivariate Polynomialmentioning

confidence: 99%

On the Broadcast and Validity-Checking Security of pkcs#1 v1.5 Encryption

Bauer

Coron

Naccache

et al. 2010

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. This paper describes new attacks on pkcs#1 v1.5, a deprecated but still widely used rsa encryption standard.The first cryptanalysis is a broadcast attack, allowing the opponent to reveal an identical plaintext sent to different recipients. This is nontrivial because different randomizers are used for different encryptions (in other words, plaintexts coincide only partially).The second attack predicts, using a single query to a validity checking oracle, which of two chosen plaintexts corresponds to a challenge ciphertext. The attack's success odds are very high.The two new attacks rely on different mathematical tools and underline the need to accelerate the phase out of pkcs#1 v1.5.

show abstract

Finding small roots of univariate modular equations revisited

Cited by 251 publications

References 4 publications

On the Provable Security of an Efficient RSA-Based Pseudorandom Generator

On the Provable Security of an Efficient RSA-Based Pseudorandom Generator

Simplification of the Lattice Based Attack of Boneh and Durfee for RSA Cryptoanalysis

On the Broadcast and Validity-Checking Security of pkcs#1 v1.5 Encryption

Contact Info

Product

Resources

About