
    Note on Integer Factoring Methods IV

    This note continues the theoretical development of deterministic integer factorization algorithms based on systems of polynomial equations. The main result establishes a new deterministic time complexity benchmark in integer factorization.
    Comment: 20 pages, new version

    Recovering zeros of polynomials modulo a prime

    Let $p$ be a prime and $\mathbb{F}_p$ the finite field with $p$ elements. We show how, when given an irreducible bivariate polynomial $F \in \mathbb{F}_p[X,Y]$ and an approximation to a zero, one can recover the root efficiently, if the approximation is good enough. The strategy can be generalized to polynomials in the variables $X_1, \ldots, X_m$ over the field $\mathbb{F}_p$. These results have been motivated by the predictability problem for nonlinear pseudorandom number generators and other potential applications to cryptography.

    Notes on Small Private Key Attacks on Common Prime RSA

    We point out critical deficiencies in the lattice-based cryptanalysis of common prime RSA presented in ``Remarks on the cryptanalysis of common prime RSA for IoT constrained low power devices'' [Information Sciences, 538 (2020) 54--68]. To rectify these flaws, we carefully scrutinize the relevant parameters involved in the analysis when solving a specific trivariate integer polynomial equation. Additionally, we offer a synthesized attack illustration of small private key attacks on common prime RSA.
    Comment: 15 pages, 1 figure

    A strategy for recovering roots of bivariate polynomials modulo a prime

    Let $p$ be a prime and $\mathbb{F}_p$ the finite field with $p$ elements. We show how, when given an irreducible bivariate polynomial $f \in \mathbb{F}_p[X,Y]$ and approximations to $(v_0, v_1) \in \mathbb{F}_p^2$ such that $f(v_0, v_1) = 0$, one can recover $(v_0, v_1)$ efficiently, if the approximations are good enough. This result has been motivated by the predictability problem for non-linear pseudorandom number generators and other potential applications to cryptography.

    A Tool Kit for Partial Key Exposure Attacks on RSA

    Thus far, partial key exposure attacks on RSA have been intensively studied using lattice-based Coppersmith's methods. In this context, attackers are given partial information of a secret exponent and prime factors of (Multi-Prime) RSA, where the partial information is exposed in various ways. Although these attack scenarios are worth studying, there are several known attacks whose constructions have a similar flavor. In this paper, we try to formulate general attack scenarios to capture several existing ones and propose attacks for the scenarios. Our attacks contain all the state-of-the-art partial key exposure attacks, e.g., due to Ernst et al. (Eurocrypt '05) and Takayasu-Kunihiro (SAC '14, ICISC '14), as special cases. As a result, our attacks offer better results than the previous best attacks in some special cases, e.g., Sarkar-Maitra's partial key exposure attacks on RSA with the most significant bits of a prime factor (ICISC '08) and Hinek's partial key exposure attacks on Multi-Prime RSA (J. Math. Cryptology '08). We claim that our contribution is not only generalizations or improvements of the existing results. Since our attacks capture general exposure scenarios, the results can be used as a tool kit; the security of some future variants of RSA can be examined without any knowledge of Coppersmith's methods.

    Improved Results on Factoring General RSA Moduli with Known Bits

    We revisit the factoring with known bits problem on general RSA moduli of the form $N = p^r q^s$ for $r, s \ge 1$, where the two primes $p$ and $q$ are of the same bit-size. The relevant moduli include $pq$, $p^r q$ for $r > 1$, and $p^r q^s$ for $r, s > 1$, which are used in the standard RSA scheme and other RSA-type variants. Previous works acquired the results mainly by solving univariate modular equations. In contrast, we investigate how to efficiently factor $N = p^r q^s$ with given leakage of the primes by the integer method using the lattice-based technique in this paper. More precisely, factoring general RSA moduli with known most significant bits (MSBs) of the primes can be reduced to solving bivariate integer equations, which was first proposed by Coppersmith to factor $N = pq$ with known high bits. Our results provide a unifying solution to the factoring with known bits problem on general RSA moduli. Furthermore, we reveal that there exists an improved factoring attack via the integer method for particular RSA moduli like $p^3 q^2$ and $p^5 q^3$.
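    The abstract above reduces known-MSB factoring to a lattice problem; the following is an added worked example (not code from this paper or any other entry on this page) of the simplest instance, the $r = s = 1$ case $N = pq$ with the high bits of $p$ known. It takes the univariate modular route that the abstract contrasts with its bivariate integer method: Howgrave-Graham's formulation of Coppersmith's attack, with $f(x) = p_{hi} + x$ having the small root $x_0 = p - p_{hi}$ modulo the unknown divisor $p$. The same lattice machinery (build shifted polynomials, scale columns, run LLL, read a polynomial off a short vector, find its integer roots) is what the partial key exposure tool kit and small inverse problem entries on this page build on. Everything concrete in the block is this example's own choice, not the paper's: the instance uses the Mersenne primes $2^{107} - 1$ and $2^{89} - 1$ so that no prime generation is needed, the attacker is given all but the low 40 bits of $p$, the lattice parameters are $m = t = 3$, and the root finder is a plain sign-change grid with exact integer bisection.

```python
from fractions import Fraction
from math import comb, gcd


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer rows; Gram-Schmidt data (b_i*, ||b_i*||^2, mu) kept as exact Fractions."""
    B, n = [row[:] for row in basis], len(basis)
    Bs, norms, mu = [None] * n, [None] * n, [[Fraction(0)] * n for _ in range(n)]
    dot = lambda u, v: sum(a * b for a, b in zip(u, v))

    def gs(i):  # recompute b_i* and mu[i][:i] against the current rows 0..i-1
        v = [Fraction(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = dot(B[i], Bs[j]) / norms[j]
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs[i], norms[i] = v, dot(v, v)

    gs(0)
    k = 1
    while k < n:
        gs(k)
        for j in range(k - 1, -1, -1):                 # size-reduce row k (b_k* is unchanged by this)
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                for i in range(j):
                    mu[k][i] -= q * mu[j][i]
                mu[k][j] -= q
        if norms[k] >= (delta - mu[k][k - 1] ** 2) * norms[k - 1]:   # Lovasz condition
            k += 1
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            gs(k - 1)
            k = max(k - 1, 1)
    return B


def build_lattice(N, p_hi, X, m, t):
    """Rows N^(m-i)*f^i (i < m) and x^j*f^m (j < t) for f(x) = p_hi + x, column k scaled by X^k.
    Every row is 0 mod p^m at x0 = p - p_hi, so every vector of the lattice is as well."""
    n = m + t
    f_pow = lambda i: [comb(i, k) * p_hi ** (i - k) for k in range(i + 1)]  # (p_hi + x)^i, low degree first
    polys = [[c * N ** (m - i) for c in f_pow(i)] for i in range(m)]
    polys += [[0] * j + f_pow(m) for j in range(t)]
    return [[c * X ** k for k, c in enumerate(poly + [0] * (n - len(poly)))] for poly in polys]


def int_roots(coeffs, lo, hi, steps=1 << 14):
    """Integer roots of an integer polynomial in [lo, hi): sign scan on a grid, then exact bisection."""
    ev = lambda x: sum(c * x ** k for k, c in enumerate(coeffs))
    grid = list(range(lo, hi, max(1, (hi - lo) // steps))) + [hi]
    roots = set()
    for a, b in zip(grid, grid[1:]):
        fa, fb = ev(a), ev(b)
        if fa == 0:
            roots.add(a)
        elif (fa < 0) != (fb < 0):                   # a sign change brackets a real root
            while b - a > 1:
                mid = (a + b) // 2
                fm = ev(mid)
                if fm == 0:
                    a = b = mid
                elif (fm < 0) == (fa < 0):
                    a, fa = mid, fm
                else:
                    b = mid
            roots.update(x for x in (a, b) if lo <= x < hi and ev(x) == 0)
    return sorted(roots)


def factor_with_high_bits(N, p_hi, unknown_bits, m=3, t=3):
    """Recover p from N and p_hi (p with its low `unknown_bits` bits cleared)."""
    X = 1 << unknown_bits
    for row in lll(build_lattice(N, p_hi, X, m, t)):   # row 0 is short enough by the LLL bound; others are a bonus
        h = [v // X ** k for k, v in enumerate(row)]     # undo the column scaling: integer polynomial h(x)
        for x0 in int_roots(h, 0, X):
            g = gcd(N, p_hi + x0)
            if 1 < g < N:
                return g
    return None


def demo(unknown_bits=40):
    """Constructed instance (this example's choice, not the paper's): p = 2^107 - 1 and q = 2^89 - 1
    are Mersenne primes; the attacker is given p with its low 40 bits blanked."""
    p, q = (1 << 107) - 1, (1 << 89) - 1
    N, p_hi = p * q, (p >> unknown_bits) << unknown_bits
    return N, p, q, factor_with_high_bits(N, p_hi, unknown_bits)
```

    The parameter check a practitioner should do before trusting the output: with $m = t = 3$ the lattice has dimension 6 and determinant $N^6 X^{15}$, so LLL's guarantee gives a first vector of norm at most $2^{5/4} N X^{5/2}$; for $N \approx 2^{196}$ and $X = 2^{40}$ that is about $2^{297}$, well below the Howgrave-Graham threshold $p^3/\sqrt{6} \approx 2^{320}$ for the 107-bit $p$, so the first reduced polynomial vanishes at $x_0$ over the integers and the grid scan only has to locate an exact integer root. Scaling the same construction to real key sizes is a matter of larger $m$, $t$ (the recoverable fraction approaches half the bits of $p$) and a proper LLL implementation; the exact-Fraction one here is only fast enough for this toy dimension.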

    Solving Generalized Small Inverse Problems

    We introduce a "generalized small inverse problem (GSIP)" and present an algorithm for solving this problem. GSIP is formulated as finding small solutions of $f(x_0, x_1, \ldots, x_n) = x_0 h(x_1, \ldots, x_n) + C \equiv 0 \pmod{M}$ for an $n$-variate polynomial $h$ and non-zero integers $C$ and $M$. Our algorithm is based on the lattice-based Coppersmith technique. We provide a strategy for constructing a lattice basis for solving $f = 0$, which is systematically transformed from a lattice basis for solving $h = 0$. Then, we derive an upper bound, in explicit form, such that the target problem can be solved in time polynomial in $\log M$. Since GSIPs include some RSA-related problems, our algorithm is applicable to them. For example, the small key attacks by Boneh and Durfee are rediscovered automatically. This is a full version of [13].