106 research outputs found

    A strategy for recovering roots of bivariate polynomials modulo a prime

    Let $p$ be a prime and $\mathbb{F}_p$ the finite field with $p$ elements. We show how, when given an irreducible bivariate polynomial $f \in \mathbb{F}_p[X,Y]$ and approximations to $(v_0,v_1) \in \mathbb{F}_p^2$ such that $f(v_0,v_1)=0$, one can recover $(v_0,v_1)$ efficiently, if the approximations are good enough. This result has been motivated by the predictability problem for non-linear pseudorandom number generators and other potential applications to cryptography.

    Recovering zeros of polynomials modulo a prime

    Let $p$ be a prime and $\mathbb{F}_p$ the finite field with $p$ elements. We show how, when given an irreducible bivariate polynomial $F \in \mathbb{F}_p[X,Y]$ and an approximation to a zero, one can recover the root efficiently, if the approximation is good enough. The strategy can be generalized to polynomials in the variables $X_1,\ldots,X_m$ over the field $\mathbb{F}_p$. These results have been motivated by the predictability problem for nonlinear pseudorandom number generators and other potential applications to cryptography.

    Computing Puiseux series : a fast divide and conquer algorithm

    Let $F \in \mathbb{K}[X,Y]$ be a polynomial of total degree $D$ defined over a perfect field $\mathbb{K}$ of characteristic zero or greater than $D$. Assuming $F$ separable with respect to $Y$, we provide an algorithm that computes the singular parts of all Puiseux series of $F$ above $X=0$ in less than $\tilde{\mathcal{O}}(D\delta)$ operations in $\mathbb{K}$, where $\delta$ is the valuation of the resultant of $F$ and its partial derivative with respect to $Y$. To this aim, we use a divide and conquer strategy and replace univariate factorization by dynamic evaluation. As a first main corollary, we compute the irreducible factors of $F$ in $\mathbb{K}[[X]][Y]$ up to an arbitrary precision $X^N$ with $\tilde{\mathcal{O}}(D(\delta+N))$ arithmetic operations. As a second main corollary, we compute the genus of the plane curve defined by $F$ with $\tilde{\mathcal{O}}(D^3)$ arithmetic operations and, if $\mathbb{K}=\mathbb{Q}$, with $\tilde{\mathcal{O}}((h+1)D^3)$ bit operations using a probabilistic algorithm, where $h$ is the logarithmic height of $F$.
    Comment: 27 pages, 2 figures

    Fast Computation of Special Resultants

    We propose fast algorithms for computing composed products and composed sums, as well as diamond products of univariate polynomials. These operations correspond to special multivariate resultants, which we compute using power sums of roots of polynomials, by means of their generating series.

    Notes on Small Private Key Attacks on Common Prime RSA

    We point out critical deficiencies in the lattice-based cryptanalysis of common prime RSA presented in ``Remarks on the cryptanalysis of common prime RSA for IoT constrained low power devices'' [Information Sciences, 538 (2020) 54--68]. To rectify these flaws, we carefully scrutinize the relevant parameters involved in the analysis when solving a specific trivariate integer polynomial equation. Additionally, we offer a synthesized attack illustration of small private key attacks on common prime RSA.
    Comment: 15 pages, 1 figure

    Approximate Divisor Multiples -- Factoring with Only a Third of the Secret CRT-Exponents

    We address Partial Key Exposure attacks on CRT-RSA on secret exponents $d_p, d_q$ with small public exponent $e$. For constant $e$ it is known that the knowledge of half of the bits of one of $d_p, d_q$ suffices to factor the RSA modulus $N$ by Coppersmith's famous "factoring with a hint" result. We extend this setting to non-constant $e$. Somewhat surprisingly, our attack shows that RSA with $e$ of size $N^{\frac{1}{12}}$ is most vulnerable to Partial Key Exposure, since in this case only a third of the bits of both $d_p, d_q$ suffices to factor $N$ in polynomial time, knowing either most significant bits (MSB) or least significant bits (LSB). Let $ed_p = 1 + k(p-1)$ and $ed_q = 1 + \ell(q-1)$. On the technical side, we find the factorization of $N$ in a novel two-step approach. In a first step we recover $k$ and $\ell$ in polynomial time, in the MSB case completely elementary and in the LSB case using Coppersmith's lattice-based method. We then obtain the prime factorization of $N$ by computing the root of a univariate polynomial modulo $kp$ for our known $k$. This can be seen as an extension of Howgrave-Graham's "approximate divisor" algorithm to the case of "approximate divisor multiples" for some known multiple $k$ of an unknown divisor $p$ of $N$. The point of approximate divisor multiples is that the unknown that is recoverable in polynomial time grows linearly with the size of the multiple $k$. Our resulting Partial Key Exposure attack with known MSBs is completely rigorous, whereas in the LSB case we rely on a standard Coppersmith-type heuristic. We experimentally verify our heuristic, thereby showing that in practice we reach our asymptotic bounds already using small lattice dimensions. Thus, our attack is highly efficient.

    A New Method of Constructing a Lattice Basis and Its Applications to Cryptanalyse Short Exponent RSA

    We provide a new method of constructing an optimal lattice. Applying our method to the cryptanalysis of short exponent RSA, we obtain results which extend Boneh and Durfee's work. Our attack methods are based on a generalization to multivariate modular polynomial equations. The results illustrate the fact that one should be careful when using an RSA key generation process with special parameters.

    Cryptanalysis of a Generalized Subset-Sum Pseudorandom Generator

    We present attacks on a generalized subset-sum pseudorandom generator, which was proposed by von zur Gathen and Shparlinski in 2004. Our attacks rely on a sub-quadratic algorithm for solving a vectorial variant of the 3SUM problem, which is of independent interest. The attacks presented have complexities well below the brute-force attack, making the generators vulnerable. We provide a thorough analysis of the attacks and their complexities and demonstrate their practicality through implementations and experiments.

    Computing the eigenvalue in the Schoof-Elkies-Atkin algorithm using Abelian lifts

    The Schoof-Elkies-Atkin algorithm is the best known method for counting the number of points of an elliptic curve defined over a finite field of large characteristic. We use abelian properties of division polynomials to design a fast theoretical and practical algorithm for the eigenvalue search.