
    A Unified Framework for Small Secret Exponent Attack on RSA

    We address a lattice based method for the small secret exponent attack on the RSA scheme. Boneh and Durfee reduced the attack to finding small roots of a bivariate modular equation $x(N+1+y)+1 \equiv 0 \pmod e$, where $N$ is an RSA modulus and $e$ is the RSA public key. Boneh and Durfee proposed a lattice based algorithm for solving the problem. When the secret exponent $d$ is less than $N^{0.292}$, their method breaks the RSA scheme. Since the lattice used in the analysis is not full-rank, the analysis is not easy. Blömer and May gave an alternative algorithm. Although their bound $d \leq N^{0.290}$ is worse than the Boneh--Durfee result, their method uses a full-rank lattice. However, the proof of their bound is still complicated. Herrmann and May gave an elementary proof of the Boneh--Durfee bound $d \leq N^{0.292}$. In this paper, we first give an elementary proof for achieving the Blömer--May bound $d \leq N^{0.290}$. Our proof employs the unravelled linearization technique introduced by Herrmann and May and is rather simpler than Blömer--May's proof. Then, we provide a unified framework for constructing the lattices used to solve the problem, which includes the two previous methods (Herrmann--May and Blömer--May) as special cases. Furthermore, we prove that the Boneh--Durfee bound $d \leq N^{0.292}$ is still optimal in our unified framework.

    Estimation of Shor's Circuit for 2048-bit Integers based on Quantum Simulator

    Evaluating the exact computational resources necessary for factoring large integers with Shor's algorithm on an ideal quantum computer is difficult, because past experiments used simplified circuits in which qubits and gates were reduced as much as possible by exploiting features of the particular integers, even though 15 and 21 were factored on quantum computers. In this paper, we implement Shor's algorithm for general composite numbers and factor 96 RSA-type composite numbers of up to 9 bits using a quantum computer simulator. In the largest case, $N=511$ was factored within 2 hours. Then, based on these experiments, we estimate the number of gates and the depth of Shor's quantum circuits for factoring 1024-bit and 2048-bit integers. In our estimation, Shor's quantum circuit for factoring 1024-bit integers requires $2.78 \times 10^{11}$ gates with depth $2.24 \times 10^{11}$, while it requires $2.23 \times 10^{12}$ gates with depth $1.80 \times 10^{12}$ for 2048-bit integers.

    Set It and Forget It! Turnkey ECC for Instant Integration

    Historically, Elliptic Curve Cryptography (ECC) has been an active field of applied cryptography, where the recent focus is on high speed, constant time, and formally verified implementations. While there are a handful of outliers where all these properties join and land in real-world deployments, these are generally handled on a case-by-case basis: e.g. a library may feature such X25519 or P-256 code, but not for all curves. In this work, we propose and implement a methodology that fully automates the implementation, testing, and integration of ECC stacks with the above properties. We demonstrate the flexibility and applicability of our methodology by seamlessly integrating into three real-world projects: OpenSSL, Mozilla's NSS, and the GOST OpenSSL Engine, achieving roughly 9.5x, 4.5x, 13.3x, and 3.7x speedup on any given curve for key generation, key agreement, signing, and verifying, respectively. Furthermore, we showcase the efficacy of our testing methodology by uncovering flaws and vulnerabilities in OpenSSL, and a specification-level vulnerability in a Russian standard. Our work bridges the gap between significant applied cryptography research results and deployed software, fully automating the process.

    On the Security of Brier-Joye's Addition Formula for Weierstrass-form Elliptic Curves

    Elliptic curve based cryptosystems (ECC) are thought to be suitable for implementation on low-power devices such as smart cards because of their small key length. The sid

    Fast Elliptic Curve Multiplications with SIMD Operations

    The Single Instruction, Multiple Data (SIMD) architecture enables parallel computation on a single processor. SIMD operations are implemented on processors such as the Pentium 3/4, Athlon, and SPARC, and even on smart cards. This paper proposes efficient algorithms for assembling an elliptic curve addition (ECADD), doubling (ECDBL), and k-iterated ECDBL (k-ECDBL) with SIMD operations. Using the signed binary chain, we can compute a scalar multiplication about 10 % faster than the previously fastest algorithm by Aoki et al. Combined with the sliding window method or the width-w NAF window method, we also achieve about 10 % faster parallelized scalar multiplication algorithms with SIMD operations. For implementation on smart cards, we propose two fast parallelized scalar multiplication algorithms with SIMD that are resistant against side channel attacks.

    Research on Applications and Implementations of Digital Signature Schemes

    Public-key cryptosystems are a new infrastructure of the coming IT society because they assure the security of digital documents and of the entities related to those documents. Among them, digital signature schemes are commonly used since they can verify the integrity of signed documents and of signers. Since the integrity check of digital signature schemes is strict, proper alterations such as sanitization (a common practice for paper documents) are prohibited and rejected. Of course, this property is desirable in a digital signature scheme; however, in some cases we require such proper alterations on signed documents. For a wider use of digital signature schemes, this thesis focuses on a signature scheme in which proper alterations (sanitizations) are permitted but improper alterations (forgeries) are prohibited: a sanitizable signature scheme. In particular, we analyze the security of a sanitizable signature scheme proposed by Miyazaki et al. in 2005, and propose a new sanitizable signature scheme. On the other hand, in this ubiquitous society, identification via digital signatures is processed on mobile devices such as mobile phones or smartcards. In such low-power devices, side channel attacks are becoming a new threat. In this attack, an adversary observes side channel information (such as computation timings, power consumption, or electromagnetic fields) and detects the secret information hidden in the device. In this thesis, we propose two efficient countermeasures for elliptic curve cryptosystems (ECC). The first countermeasure uses the Montgomery ladder for scalar multiplications and establishes a new addition-and-doubling formula. The second countermeasure uses SIMD operations for parallelized scalar multiplications.
    The University of Electro-Communications, 200

    Improved Elliptic Curve Multiplication Methods Resistant against Side Channel Attacks


    Some Explicit Formulae of NAF and its Left-to-Right Analogue

    Non-Adjacent Form (NAF) is a canonical form of signed binary representation of integers. We present some explicit formulae for NAF and its left-to-right analogue (FAN) for randomly chosen n-bit integers. Interestingly, we prove that the zero-run length appearing in FAN is asymptotically 16/7, which is longer than that of the standard NAF. We also apply the proposed formulae to the speed estimation of elliptic curve cryptosystems.