On Deterministic Polynomial-time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

Let N = pq be the product of two large primes. Consider Chinese remainder theorem-Rivest, Shamir, Adleman (CRT-RSA) with the public encryption exponent e and private decryption exponents dp, dq. It is well known that given any one of dp or dq (or both) one can factorise N in probabilistic poly(log N) time with success probability almost equal to 1. Though this serves all the practical purposes, from theoretical point of view, this is not a deterministic polynomial time algorithm. In this paper, we present a lattice-based deterministic poly(log N) time algorithm that uses both dp, dq (in addition to the public information e, N) to factorise N for certain ranges of dp, dq. We like to stress that proving the equivalence for all the values of dp, dq may be a nontrivial task.Defence Science Journal, 2012, 62(2), pp.122-126, DOI:http://dx.doi.org/10.14429/dsj.62.171

Note on Integer Factoring Methods IV

This note continues the theoretical development of deterministic integer factorization algorithms based on systems of polynomials equations. The main result establishes a new deterministic time complexity bench mark in integer factorization.Comment: 20 Pages, New Versio

Asymptotic Bound for RSA Variant with Three Decryption Exponents

This paper presents a cryptanalysis attack on the RSA variant with modulus $N=p^rq$ for $r\geq 2$ with three public and private exponents $(e_1,d_1),$ $(e_2,d_2),$ $(e_3,d_3)$ sharing the same modulus $N$ where $p$ and $q$ are consider to prime having the same bit size. Our attack shows that we get the private exponent \sigma_1\sigma_2\sigma_3<\left(\frac{r-1}{r+1}\right)^4, which makes the modulus vulnerable to Coppersmith's attacks and can lead to the factorization of $N$ efficiently where d_1 The asymptotic bound of our attack is greater than the bounds for May \cite{May}, Zheng and Hu \cite{Z}, and Lu et al. \cite{Y} for 2\leq r \leq 10 and greater than Sarkar's \cite{Sarkar1} and \cite{Sarkar} bounds for 5 \leq r \leq10$

On small secret key attack against RSA with high bits known prime factor

It is well known that if the higher half bits of a prime factor are known or the secret key is small enough then the RSA cryptosystem is broken (e.g. [Coppersmith, J. Cryptology, 1997] and [Boneh-Durfee, Eurocrypt\u2799]). Recently, Sarkar-Maitra-Sarkar [Cryptology ePrint Archiv, 2008/315] proposed attacks against RSA under the conditions that the higher bits of a prime factor is known and the secret key is small. In the present paper, we improve their attacks to be effective for larger secret keys

A New Method of Constructing a Lattice Basis and Its Applications to Cryptanalyse Short Exponent RSA

We provide a new method of constructing an optimal lattice. Applying our method to the cryptanalysis of the short exponent RSA, we obtain our results which extend Boneh and Durfee's work. Our attack methods are based on a generalization to multivariate modular polynomial equation. The results illustrate the fact that one should be careful when using RSA key generation process with special parameters

A Unified Method for Private Exponent Attacks on RSA using Lattices

International audienceLet (n = pq, e = n^β) be an RSA public key with private exponent d = n^δ , where p and q are large primes of the same bit size. At Eurocrypt 96, Coppersmith presented a polynomial-time algorithm for finding small roots of univariate modular equations based on lattice reduction and then succussed to factorize the RSA modulus. Since then, a series of attacks on the key equation ed − kφ(n) = 1 of RSA have been presented. In this paper, we show that many of such attacks can be unified in a single attack using a new notion called Coppersmith's interval. We determine a Coppersmith's interval for a given RSA public key (n, e). The interval is valid for any variant of RSA, such as Multi-Prime RSA, that uses the key equation. Then we show that RSA is insecure if δ < β + 1/3 α − 1/3 √ (12αβ + 4α^2) provided that we have approximation p0 ≥ √ n of p with |p − p0| ≤ 1/2 n^α , α ≤ 1/2. The attack is an extension of Coppersmith's result

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences

International audienceIn a seminal work at EUROCRYPT '96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in public-key cryptanalysis and in a few security proofs. However, the running time of the algorithm is a high-degree polynomial, which limits experiments: the bottleneck is an LLL reduction of a high-dimensional matrix with extra-large coefficients. We present in this paper the first significant speedups over Coppersmith's algorithm. The first speedup is based on a special property of the matrices used by Coppersmith's algorithm, which allows us to provably speed up the LLL reduction by rounding, and which can also be used to improve the complexity analysis of Coppersmith's original algorithm. The exact speedup depends on the LLL algorithm used: for instance, the speedup is asymptotically quadratic in the bit-size of the small-root bound if one uses the Nguyen-Stehlé L2 algorithm. The second speedup is heuristic and applies whenever one wants to enlarge the root size of Coppersmith's algorithm by exhaustive search. Instead of performing several LLL reductions independently, we exploit hidden relationships between these matrices so that the LLL reductions can be somewhat chained to decrease the global running time. When both speedups are combined, the new algorithm is in practice hundreds of times faster for typical parameters