On the Optimality of Lattices for the Coppersmith Technique
We investigate a method for finding small integer solutions of a univariate modular equation that was introduced by Coppersmith and extended by May. We will refer to this method as the Coppersmith technique. This paper provides a way to analyze general limitations of the lattice construction for the Coppersmith technique. Our analysis upper bounds the possible range of that is asymptotically equal to the bound given by the original result of Coppersmith and May. This means that they have already given the best lattice construction. In addition, we investigate the optimality for the bivariate equation used to solve the small inverse problem, which was inspired by Kunihiro's argument. In particular, we show the optimality for Boneh-Durfee's equation used for RSA cryptanalysis. To show our results, we establish a framework for the technique by following the relation of Howgrave-Graham, and then concretely define the conditions under which the technique succeeds and fails. We then provide a way to analyze the range of that satisfies these conditions. Technically, we show that the original result of Coppersmith achieves the optimal bound for when constructing a lattice in the standard way. We then provide evidence which indicates that constructing a non-standard lattice is generally difficult.
Minkowski sum based lattice construction for multivariate simultaneous Coppersmith's technique and applications to RSA
We investigate a lattice construction method for the Coppersmith technique for finding small solutions of a modular equation. We consider its variant for simultaneous equations and propose a method to construct a lattice by combining lattices for solving single equations. As applications, we consider new RSA cryptanalyses. Our algorithm can factor an RSA modulus from pairs of RSA public exponents with the common modulus corresponding to secret exponents smaller than , which improves on the previously best known result by Sarkar and Maitra. In the partial key exposure situation, we can also factor the modulus if , where and are the bit-lengths of the secret exponent and its exposed LSBs, respectively.
Cryptographic applications of capacity theory: On the optimality of Coppersmith's method for univariate polynomials
We draw a new connection between Coppersmith's method for finding small solutions to polynomial congruences modulo integers and the capacity theory of adelic subsets of algebraic curves. Coppersmith's method uses lattice basis reduction to construct an auxiliary polynomial that vanishes at the desired solutions. Capacity theory provides a toolkit for proving when polynomials with certain boundedness properties do or do not exist. Using capacity theory, we prove that Coppersmith's bound for univariate polynomials is optimal in the sense that there are no auxiliary polynomials of the type he used that would allow finding roots of size for any monic degree- polynomial modulo . Our results rule out the existence of polynomials of any degree and do not rely on lattice algorithms, thus eliminating the possibility of improvements for special cases or even superpolynomial-time improvements to Coppersmith's bound. We extend this result to constructions of auxiliary polynomials using binomial polynomials, and rule out the existence of any auxiliary polynomial of this form that would find solutions of size unless has a very small prime factor.
Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound
Thus far, several lattice-based algorithms for partial key exposure attacks on RSA, i.e., given the most/least significant bits (MSBs/LSBs) of a secret exponent and factoring an RSA modulus , have been proposed, such as Blömer and May (Crypto'03), Ernst et al. (Eurocrypt'05), and Aono (PKC'09). Due to Boneh and Durfee's small secret exponent attack, partial key exposure attacks should always work for even without any partial information. However, it was a difficult task to make use of the given partial information without losing the quality of Boneh-Durfee's attack. In particular, known partial key exposure attacks fail to work for with only a small amount of partial information. Such an unnatural situation stems from the fact that the additional information makes the underlying modular equations involved. In this paper, we propose improved attacks when a secret exponent is small. Our attacks are better than all known previous attacks in the sense that our attacks require less partial information. Specifically, our attack is better than all known ones for and with the MSBs and the LSBs, respectively. Furthermore, our attacks fully cover the Boneh-Durfee bound, i.e., they always work for . At a high level, we obtain the improved attacks by fully utilizing the unravelled linearization technique proposed by Herrmann and May (Asiacrypt'09). Although Herrmann and May (PKC'10) already applied the technique to Boneh-Durfee's attack, we show elegant and impressive extensions to capture partial key exposure attacks. More concretely, we construct structured triangular matrices that enable us to recover more useful algebraic structures of the underlying modular polynomials. We embed the given MSBs/LSBs into the recovered algebraic structures and construct our partial key exposure attacks. In this full version, we provide overviews and explicit proofs of the triangular matrix constructions. We believe that the additional explanations help readers to understand our techniques.
Bounding basis reduction properties
The paper describes improved analysis techniques for basis reduction that allow one to prove strong complexity bounds and reduced basis guarantees for traditional reduction algorithms and some of their variants. This is achieved by a careful exploitation of the linear equations and inequalities relating various bit sizes before and after one or more reduction steps.
Optimal routing in double loop networks
In this paper, we study the problem of finding the shortest path in circulant graphs with an arbitrary number of jumps. We provide algorithms specifically tailored for weighted undirected and directed circulant graphs with two jumps which compute the shortest path. Our method only requires O(log N) arithmetic operations and the total bit complexity is O(log^2 N log log N log log log N), where N is the number of the graph's vertices. This elementary and efficient shortest path algorithm has been derived from the Closest Vector Problem (CVP) of lattices in dimension two with an ℓ1 norm.
Cryptanalysis of RSA: A Special Case of Boneh-Durfee's Attack
Boneh-Durfee proposed (at Eurocrypt 1999) a polynomial time attack on RSA with a small decryption exponent which exploits lattices and sub-lattice structure to obtain an optimized bound d e = N^α (where ε and α are the private and public key exponents respectively) for some α ≤ ε, which satisfy the condition d > φ(N) − N^ε. We analyzed lattices whose basis matrices are triangular and non-triangular using large decryption exponent and focus group attacks respectively. The core objective is to explore the underlying algebraic structure of RSA polynomials so that we can improve the performance of weak key attacks. In our solution, we implemented the attack and performed several experiments to show that an RSA cryptosystem is successfully attacked and possible weak keys are revealed, which can ultimately enable an adversary to factorize the RSA modulus.