58 research outputs found
On Deterministic Polynomial-time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
Let N = pq be the product of two large primes. Consider Chinese remainder theorem-Rivest, Shamir, Adleman (CRT-RSA) with the public encryption exponent e and private decryption exponents dp, dq. It is well known that given any one of dp or dq (or both) one can factorise N in probabilistic poly(log N) time with success probability almost equal to 1. Though this serves all the practical purposes, from theoretical point of view, this is not a deterministic polynomial time algorithm. In this paper, we present a lattice-based deterministic poly(log N) time algorithm that uses both dp, dq (in addition to the public information e, N) to factorise N for certain ranges of dp, dq. We like to stress that proving the equivalence for all the values of dp, dq may be a nontrivial task.Defence Science Journal, 2012, 62(2), pp.122-126, DOI:http://dx.doi.org/10.14429/dsj.62.171
Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny
graphs defined over RSA moduli. We conjecture that several variants of the
neighbor-search problem over these graphs are hard, and provide a comprehensive
list of cryptanalytic attempts on these problems. Moreover, based on the
hardness of these problems, we provide a construction of groups with infeasible
inversion, where the underlying groups are the ideal class groups of imaginary
quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a
group element is required to be hard, while performing the group operation is
easy. Motivated by the potential cryptographic application of building a
directed transitive signature scheme, the search for a group with infeasible
inversion was initiated in the theses of Hohenberger and Molnar (2003). Later
it was also shown to provide a broadcast encryption scheme by Irrer et al.
(2004). However, to date the only case of a group with infeasible inversion is
implied by the much stronger primitive of self-bilinear map constructed by
Yamakawa et al. (2014) based on the hardness of factoring and
indistinguishability obfuscation (iO). Our construction gives a candidate
without using iO.Comment: Significant revision of the article previously titled "A Candidate
Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the
constructions by giving toy examples, added "The Parallelogram Attack" (Sec
5.3.2). 54 pages, 8 figure
Some Applications of Lattice Based Root Finding Techniques
In this paper we present some problems and their solutions exploiting
lattice based root finding techniques.
In CaLC 2001, Howgrave-Graham proposed a method to find the Greatest
Common Divisor (GCD) of two large integers when one of the integers is
exactly known and the other one is known approximately. In this paper, we present three applications of the technique. The first one is
to show deterministic polynomial time equivalence between factoring
(, where or are of same bit size) and knowledge of . Next, we consider the problem of finding smooth integers in a short interval. The third one is to factorize given a multiple of the decryption exponent in RSA.
In Asiacrypt 2006, Jochemsz and May presented a general strategy
for finding roots of a polynomial. We apply that technique for solving the following two problems. The first one is to factorize given an
approximation of a multiple of the decryption exponent in RSA. The second one is to solve the implicit factorization problem given three RSA moduli considering certain portions of LSBs as well as MSBs of one set of three secret primes are same
Analysis of RSA based on Quantitating Key Security Strength
AbstractRSA is an asymmetric crypto algorithm which is applied widely in the information security of E-Commerce and Internet-Bank. Its security has been withstanding tests since several decades ago. But the key security isn’t equal to that of algorithm, which is often neglected by most of users and scholars. As to most constructions, they lack definite recognition to the safety of the RSA key. As a result, even some strong crypto-algorithms used it still meets the security predicament. In this paper, start with the known plaintext attack to RSA public key crypto scheme, we pioneer the mechanism of quantitation of the RSA key security strength, the concept of key security coefficient, the evaluation model of security coefficient and the algorithm to extract security strength. Further more, an innovative method of generating secure keys is proposed. After some experimentations, the security performance of key and distribution of secure key-amount, and their key security coefficient are surveyed and analyzed in detail. The theoretic analysis and statistics demonstrate that our mechanism could elevate security of RSA in effect
Approximate Divisor Multiples -- Factoring with Only a Third of the Secret CRT-Exponents
We address Partial Key Exposure attacks on CRT-RSA on secret exponents with small public exponent . For constant it is known that the knowledge of half of the bits of one of suffices to factor the RSA modulus by Coppersmith\u27s famous {\em factoring with a hint} result. We extend this setting to non-constant . Somewhat surprisingly, our attack shows that RSA with of size is most vulnerable to Partial Key Exposure, since in this case only a third of the bits of both suffices to factor in polynomial time, knowing either most significant bits (MSB) or least significant bits (LSB).
Let and . On the technical side, we find the factorization of in a novel two-step approach. In a first step we recover and in polynomial time, in the MSB case completely elementary and in the LSB case using Coppersmith\u27s lattice-based method. We then obtain the prime factorization of by computing the root of a univariate polynomial modulo for our known . This can be seen as an extension of Howgrave-Graham\u27s {\em approximate divisor} algorithm to the case of {\em approximate divisor multiples} for some known multiple of an unknown divisor of . The point of {\em approximate divisor multiples} is that the unknown that is recoverable in polynomial time grows linearly with the size of the multiple .
Our resulting Partial Key Exposure attack with known MSBs is completely rigorous, whereas in the LSB case we rely on a standard Coppersmith-type heuristic. We experimentally verify our heuristic, thereby showing that in practice we reach our asymptotic bounds already using small lattice dimensions. Thus, our attack is highly efficient
Minkowski sum based lattice construction for multivariate simultaneous Coppersmith\u27s technique and applications to RSA
We investigate a lattice construction method for the Coppersmith technique
for finding small solutions of a modular equation.
We consider its variant for simultaneous equations
and propose a method to construct a lattice
by combining lattices for solving single equations.
As applications,
we consider
a new RSA cryptanalyses.
Our algorithm can factor an RSA modulus from pairs of RSA public exponents with the common modulus
corresponding to secret exponents smaller than ,
which improves on the previously best known result by Sarkar and Maitra.
For partial key exposure situation,
we also can factor the modulus if
,
where and are bit-lengths of the secret exponent and its exposed LSBs,
respectively
Recovering cryptographic keys from partial information, by example
Side-channel attacks targeting cryptography may leak only partial or indirect information about the secret keys. There are a variety of techniques in the literature for recovering secret keys from partial information. In this tutorial, we survey several of the main families of partial key recovery algorithms for RSA, (EC)DSA, and (elliptic curve) Diffie-Hellman, the public-key cryptosystems in common use today. We categorize the known techniques by the structure of the information that is learned by the attacker, and give simplified examples for each technique to illustrate the underlying ideas
On the Security of Some Variants of RSA
The RSA cryptosystem, named after its inventors, Rivest, Shamir and Adleman, is the most widely known and widely used public-key cryptosystem in the world today. Compared to other public-key cryptosystems, such as
elliptic curve cryptography, RSA requires longer keylengths and is computationally more expensive. In order to address these shortcomings, many variants of RSA have been proposed over the years. While the security
of RSA has been well studied since it was proposed in 1977, many of these variants have not. In this thesis, we investigate the security of five of these variants of RSA. In particular, we provide detailed analyses of the best known algebraic attacks (including some new attacks) on instances of
RSA with certain special private exponents, multiple instances of RSA sharing a common small private exponent, Multi-prime RSA, Common Prime RSA and Dual RSA
On the Possibility of a Backdoor in the Micali-Schnorr Generator
In this paper, we study both the implications and potential impact of backdoored parameters for two RSA-based pseudorandom number generators: the ISO-standardized Micali-Schnorr generator and a closely related design, the RSA PRG. We observe, contrary to common understanding, that the security of the Micali-Schnorr PRG is not tightly bound to the difficulty of inverting RSA. We show that the Micali-Schnorr construction remains secure even if one replaces RSA with a publicly evaluatable PRG, or a function modeled as an efficiently invertible random permutation. This implies that any cryptographic backdoor must somehow exploit the algebraic structure of RSA, rather than an attacker\u27s ability to invert RSA or the presence of secret keys. We exhibit two such backdoors in related constructions: a family of exploitable parameters for the RSA PRG, and a second vulnerable construction for a finite-field variant of Micali-Schnorr. We also observe that the parameters allowed by the ISO standard are incompletely specified, and allow insecure choices of exponent. Several of our backdoor constructions make use of lattice techniques, in particular multivariate versions of Coppersmith\u27s method for finding small solutions to polynomials modulo integers
Quantum Algorithms from a Linear Algebra Perspective
The field of quantum computing has gained much attention in recent years due to further advances in the development of quantum computers and the recognition that this new paradigm will greatly endanger many modern encryption practices. This paper gives analysis of some of these algorithms, notably Grover’s database search algorithm, and Shor’s factoring and discrete log algorithms, from the perspective of linear algebra. The consequences these have for modern cryptography are discussed, and a brief overview of the current state of the field is given. Without assuming a physics background, this paper aims to provide a self-contained and mathematically rigorous explanation of quantum algorithms for an undergraduate audience
- …