Implicit Factoring with Shared Most Significant and Middle Bits

Faugère, Jean-Charles; Marinier, Raphaël; Renault, Guénaël

doi:10.1007/978-3-642-13013-7_5

Cited by 29 publications

(41 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To make this assertion more clear, we need to implement our method for more cases. Contrary to the experimental evaluation, we get no cant and middle bits [2]; 6. Application to other RSA moduli types, for example Okamoto-Uchiyama's RSA modulus p 2 q [12] and Takagi's RSA modulus p r q [17].…”

Section: Two Rsa Modulicontrasting

confidence: 73%

A Simple Improvement for Integer Factorizations with Implicit Hints

Harasawa

Ryuto

Sueyoshi

2016

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

SUMMARY In this paper, we describe an improvement of integer factorization of k RSA moduli N i = p i q i (1 ≤ i ≤ k) with implicit hints, namely all p i share their t least significant bits. May et al. reduced this problem to finding a shortest (or a relatively short) vector in the lattice of dimension k obtained from a given system of k RSA moduli, for which they applied Gaussian reduction or the LLL algorithm. In this paper, we improve their method by increasing the determinant of the lattice obtained from the k RSA moduli. We see that, after our improvement, May et al.'s method works smoothly with higher probability. We further verify the efficiency of our method by computer experiments for various parameters. key words: integer factorization with implicit hints

show abstract

Section: Two Rsa Modulicontrasting

confidence: 73%

A Simple Improvement for Integer Factorizations with Implicit Hints

Harasawa

Ryuto

Sueyoshi

2016

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

show abstract

“…Further, the technique takes care of the case considering some portions of MSBs and LSBs together. Our work is of the same quality (in general) and slightly improved (in certain cases) in comparison to [MAY09,FAU10]. We generalize the ideas of [HOW01] for the lattice based technique that we exploit in this paper and our strategy is different from that of [MAY09,SAR09,FAU10].…”

Section: Introductionmentioning

confidence: 85%

“…However, the technique of [SAR09] could only be applied for k = 2. Recently in [FAU10], the results of [SAR09] has been improved. Note that the work of [FAU10] and certain part of this work (Sections 2, 3, except Section 3.1) [SAR10] are done independently at the similar time.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Approximate Integer Common Divisor Problem Relates to Implicit Factorization

Sarkar

Maitra

2011

IEEE Trans. Inform. Theory

View full text Add to dashboard Cite

Abstract. In this paper, we analyse how to calculate the GCD of k (≥ 2) many large integers, given their approximations. Two versions of the approximate common divisor problem, presented by Howgrave-Graham in CaLC 2001, are special cases of our analysis when k = 2. We then relate the approximate common divisor problem to the implicit factorization problem. This has been introduced by May and Ritzenhofen in PKC 2009 and studied under the assumption that some of Least Significant Bits (LSBs) of certain primes are same. Our strategy can be applied to the implicit factorization problem in a general framework considering the equality of (i) Most Significant Bits (MSBs), (ii) Least Significant Bits (LSBs) and (iii) MSBs and LSBs together. We present new and improved theoretical as well as experimental results in comparison with the state of the art works in this area.

show abstract

“…Ritzenhofen and May [19] and Faugère, Marinier, and Renault [9] give algorithms to factor RSA moduli when it is known that two or more moduli have prime factors that share large numbers of bits in common. Unfortunately, these results seem to apply only when the moduli have prime factors of unbalanced size, whereas in our case, both prime factors have 512 bits.…”

Section: Extension To Implicit Factoringmentioning

confidence: 99%

Factoring RSA Keys from Certified Smart Cards: Coppersmith in the Wild

Bernstein

Chang

Chen

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper explains how an attacker can efficiently factor 184 distinct RSA keys out of more than two million 1024-bit RSA keys downloaded from Taiwan's national "Citizen Digital Certificate" database. These keys were generated by government-issued smart cards that have built-in hardware random-number generators and that are advertised as having passed FIPS 140-2 Level 2 certification.These 184 keys include 103 keys that share primes and that are efficiently factored by a batch-GCD computation. This is the same type of computation that was used last year by two independent teams (USENIX Security 2012: Heninger, Durumeric, Wustrow, Halderman; Crypto 2012: Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter) to factor tens of thousands of cryptographic keys on the Internet.The remaining 81 keys do not share primes. Factoring these 81 keys requires taking deeper advantage of randomness-generation failures: first using the shared primes as a springboard to characterize the failures, and then using Coppersmith-type partial-key-recovery attacks. This is the first successful public application of Coppersmith-type attacks to keys found in the wild.

show abstract

Implicit Factoring with Shared Most Significant and Middle Bits

Cited by 29 publications

References 16 publications

A Simple Improvement for Integer Factorizations with Implicit Hints

A Simple Improvement for Integer Factorizations with Implicit Hints

Approximate Integer Common Divisor Problem Relates to Implicit Factorization

Factoring RSA Keys from Certified Smart Cards: Coppersmith in the Wild

Contact Info

Product

Resources

About