Generalized Implicit Factorization Problem
The Implicit Factorization Problem was first introduced by May and
Ritzenhofen at PKC'09. This problem aims to factorize two RSA moduli
and when their prime factors share a certain number
of least significant bits (LSBs). They proposed a lattice-based algorithm to
tackle this problem and extended it to cover RSA moduli. Since then,
several variations of the Implicit Factorization Problem have been studied,
including the cases where and share some most significant bits
(MSBs), middle bits, or both MSBs and LSBs at the same position.
In this paper, we explore a more general case of the Implicit Factorization
Problem, where the shared bits are located at different and unknown positions
for different primes. We propose a lattice-based algorithm and analyze its
efficiency under certain conditions. We also present experimental results to
support our analysis.
Implicit factorization of unbalanced RSA moduli
Let N1 = p1q1 and N2 = p2q2 be two RSA moduli, not necessarily of the same bit-size. In 2009, May and Ritzenhofen proposed a method to factor N1 and N2 given the implicit information that p1 and p2 share an amount of least significant bits. In this paper, we propose a generalization of their attack as follows: suppose that some unknown multiples a1p1 and a2p2 of the prime factors p1 and p2 share an amount of their Most Significant Bits (MSBs) or an amount of their Least Significant Bits (LSBs). Using a method based on the continued fraction algorithm, we propose a method that leads to the factorization of N1 and N2. Using simultaneous diophantine approximations and lattice reduction, we extend the method to factor k ≥ 3 RSA moduli Ni = piqi, i = 1, ..., k given the implicit information that there exist unknown multiples a1p1, ..., akpk sharing an amount of their MSBs or their LSBs. Also, this paper extends many previous works where similar results were obtained when the pi's share their MSBs or their LSBs.
Generalized Implicit Factorization Problem
The Implicit Factorization Problem (IFP) was first introduced by May and Ritzenhofen at PKC'09, which concerns the factorization of two RSA moduli and , where and share a certain consecutive number of least significant bits. Since its introduction, many different variants of IFP have been considered, such as the cases where and share most significant bits or middle bits at the same positions. In this paper, we consider a more generalized case of IFP, in which the shared consecutive bits can be located at positions in each prime, not necessarily required to be located at the same positions as before. We propose a lattice-based algorithm to solve this problem under specific conditions, and also provide some experimental results to verify our analysis.
Further Results on Implicit Factoring in Polynomial Time
In PKC 2009, May and Ritzenhofen presented interesting problems related to factoring large integers with some implicit hints. One
of the problems is as follows. Consider and
, where are large primes. The primes are of same bit-size with the constraint that certain amount of Least Significant Bits (LSBs) of are same. Further the primes are of same bit-size without any constraint. May and Ritzenhofen proposed a strategy to factorize both in poly time ( is an integer with same
bit-size as ) with the implicit information that share certain amount of LSBs. We explore the same problem with a different lattice-based strategy. In a general framework, our method works when implicit information is available related to Least Significant as well as Most Significant Bits (MSBs). Given , we show that one can factor simultaneously in poly time (under some assumption related to Gröbner Basis) when share certain amount of MSBs and/or LSBs. We also study the case when share some bits
in the middle. Our strategy presents new and encouraging results in this direction. Moreover, some of the observations by May and Ritzenhofen get improved when we apply our ideas for the LSB case.
A New Cryptosystem Based On Hidden Order Groups
Let be a cyclic multiplicative group of order . It is known that the
Diffie-Hellman problem is random self-reducible in with respect to a
fixed generator if is known. That is, given and
having oracle access to a 'Diffie-Hellman Problem' solver with fixed generator
, it is possible to compute in polynomial time (see
theorem 3.2). On the other hand, it is not known if such a reduction exists
when is unknown (see conjecture 3.1). We exploit this "gap" to
construct a cryptosystem based on hidden order groups and present a practical
implementation of a novel cryptographic primitive called an Oracle Strong
Associative One-Way Function (O-SAOWF). O-SAOWFs have applications in
multiparty protocols. We demonstrate this by presenting a key agreement
protocol for dynamic ad-hoc groups.
Comment: removed examples for multiparty key agreement and join protocols,
since they are redundant
Finding shared RSA factors in the Certificate Transparency logs
When generating RSA keys, proper random generators are crucial. If the generators are not truly random, keys may be generated with the same factors, making them vulnerable to compromise. Doing a simple greatest common divisor computation would reveal the secret factors. We collected over 159 million unique RSA public keys from the Certificate Transparency logs, which is, to our knowledge, the largest set used for such an analysis so far. Our goal was to check if any of these keys shared factors, thus allowing us to compute the private keys easily. To do this, we implemented a batch greatest common divisor algorithm used for this purpose in previous studies. Our result from checking the 159 million RSA keys was that we factored eight keys, all of which were issued by the same certificate authority. We then gathered more than 700,000 keys from that particular certificate authority, of which we were able to factor 355 keys. We reached out to the issuer of the broken certificates, and they launched an investigation into our findings. Their investigation concluded that all broken keys were generated by a single user who they claim had abused their system. Master's thesis in informatics (INF399; MAMN-PROG; MAMN-IN)