Small CRT-Exponent RSA Revisited

Since May (Crypto\u2702) revealed the vulnerability of the small CRT-exponent RSA using Coppersmith\u27s lattice-based method, several papers have studied the problem and two major improvements have been made. (1) Bleichenbacher and May (PKC\u2706) proposed an attack for small $d_q$ when the prime factor $p$ is significantly smaller than the other prime factor $q$; the attack works for $p<N^{0.468}$. (2) Jochemsz and May (Crypto\u2707) proposed an attack for small $d_p$ and $d_q$ when the prime factors $p$ and $q$ are balanced; the attack works for $d_p, d_q<N^{0.073}$. Even a decade has passed since their proposals, the above two attacks are still considered as the state-of-the-art, and no improvements have been made thus far. A novel technique seems to be required for further improvements since it seems that the attacks have been studied with all the applicable techniques for Coppersmith\u27s methods proposed by Durfee-Nguyen (Asiacrypt\u2700), Jochemsz-May (Asiacrypt\u2706), and Herrmann-May (Asiacrypt\u2709, PKC\u2710). In this paper, we propose two improved attacks on the small CRT-exponent RSA: a small $d_q$ attack for $p<N^{0.5}$ (an improvement of Bleichenbacher-May\u27s) and a small $d_p$ and $d_q$ attack for $d_p, d_q < N^{0.122}$ (an improvement of Jochemsz-May\u27s). The latter result is also an improvement of our result in the proceeding version (Eurocrypt \u2717); $d_p, d_q < N^{0.091}$. We use Coppersmith\u27s lattice-based method to solve modular equations and obtain the improvements from a novel lattice construction by exploiting useful algebraic structures of the CRT-RSA key generation equation. We explicitly show proofs of our attacks and verify the validities by computer experiments. In addition to the two main attacks, we also propose small $d_q$ attacks on several variants of RSA

Solving Linear Equations Modulo Unknown Divisors: Revisited

We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor $p$ for a known composite integer $N$. In CaLC 2001, Howgrave-Graham introduced an efficient algorithm for solving univariate linear equations; since then, two forms of multivariate generalizations have been considered in the context of cryptanalysis: modular multivariate linear equations by Herrmann and May (Asiacrypt\u2708) and simultaneous modular univariate linear equations by Cohn and Heninger (ANTS\u2712). Their algorithms have many important applications in cryptanalysis, such as factoring with known bits problem, fault attacks on RSA signatures, analysis of approximate GCD problem, etc. In this paper, by introducing multiple parameters, we propose several generalizations of the above equations. The motivation behind these extensions is that some attacks on RSA variants can be reduced to solving these generalized equations, and previous algorithms do not apply. We present new approaches to solve them, and compared with previous methods, our new algorithms are more flexible and especially suitable for some cases. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants, specifically, \begin{itemize} \item We improve May\u27s results (PKC\u2704) on small secret exponent attack on RSA variant with moduli $N = p^rq$ ($r\geq 2$). \item We experimentally improve Boneh et al.\u27s algorithm (Crypto\u2798) on factoring $N=p^rq$ ($r\geq 2$) with known bits problem. \item We significantly improve Jochemsz-May\u27 attack (Asiacrypt\u2706) on Common Prime RSA. \item We extend Nitaj\u27s result (Africacrypt\u2712) on weak encryption exponents of RSA and CRT-RSA. \end{itemize

Utilization of Polysaccharide-Based High Internal Phase Emulsion for Nutraceutical Encapsulation: Enhancement of Carotenoid Loading Capacity and Stability

The main goal of the present work was to access the ability of high internal phase emulsions (HIPEs) to encapsulate fl-carotene. The carotenoid loading capacity of the HIPEs was around 20-fold higher when OSAstarch/chitosan complexes were used than when only OSA-starch was used. This impact could be mainly assigned to the capacity of the former HIPEs to trap carotenoid caystals in a stable form. The OSA-starch/chitosan complexes were shown to absorb on the oil droplets interface and form a 3D network in the aqueous phase, which helped to prevent droplet coalescence induced by fl-carotene crystal. The incorporation of fl-carotene within the oil droplets enhanced its resistance to chemical degradation when exposed to heat, ultraviolet radiation, or gastrointestinal conditions. Our results provide information that may aid the design and development of edible soft solids containing high carotenoid levels, which may be applied in food and pharmaceutical industry

Optical Coherence Tomography of Spontaneous Basilar Artery Dissection in a Patient With Acute Ischemic Stroke

The diagnosis of intracranial arterial dissection (IAD) may be challenging and multimodal imaging techniques are often needed to confirm the diagnosis. Previous studies have based their criteria for diagnosis of IAD on conventional angiography, computed tomography, or magnetic resonance imaging. We report a case with acute ischemic stroke due to spontaneous basilar artery dissection in which intravascular optical coherence tomography (OCT) was used to show features of IAD. A 59-years-old woman presented with symptoms of acute ischemic stroke. Thrombosis related to basilar artery (BA) stenosis was assumed on conventional angiography; however, no clot was retrieved after mechanical thrombectomy (MT) and a restored BA caliber was observed after a rescue recanalization with the detachment of a self-expanding stent was performed. Spontaneous IAD was suspected; however, angiographic findings were ambiguous for confirming IAD. The patient remained symptom-free until 18-months follow-up. At this point, angiography showed restenosis at the proximal tapered length of the stent. In vivo OCT was performed to assess the pathological changes of the restenosis and confirm the diagnosis of IAD.OCT revealed BA dissection with the presence of remnant transverse flap, double lumen and mural hematoma. Imaging at multiple levels identified intimal disruption that originated in the right vertebral artery and extended distally to the BA. The use of intravascular imaging with OCT enabled the accurate diagnosis of IAD. Care should be taken as the procedure may add additional risks to the patient. Future studies are needed to validate the safety of OCT in IAD

Solving a Class of Modular Polynomial Equations and its Relation to Modular Inversion Hidden Number Problem and Inversive Congruential Generator

In this paper we revisit the modular inversion hidden number problem (MIHNP) and the inversive congruential generator (ICG) and consider how to attack them more efficiently. We consider systems of modular polynomial equations of the form a_{ij}+b_{ij}x_i+c_{ij}x_j+x_ix_j=0 (mod p) and show the relation between solving such equations and attacking MIHNP and ICG. We present three heuristic strategies using Coppersmith\u27s lattice-based root-finding technique for solving the above modular equations. In the first strategy, we use the polynomial number of samples and get the same asymptotic bound on attacking ICG proposed in PKC 2012, which is the best result so far. However, exponential number of samples is required in the work of PKC 2012. In the second strategy, a part of polynomials chosen for the involved lattice are linear combinations of some polynomials and this enables us to achieve a larger upper bound for the desired root. Corresponding to the analysis of MIHNP we give an explicit lattice construction of the second attack method proposed by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001. We provide better bound than that in the work of PKC 2012 for attacking ICG. Moreover, we propose the third strategy in order to give a further improvement in the involved lattice construction in the sense of requiring fewer samples

Automated optical inspection of FAST’s reflector surface using drones and computer vision

The Five-hundred-meter Aperture Spherical radio Telescope (FAST) is the world ’ s largest single-dish radio telescope. Its large reflecting surface achieves unprecedented sensitivity but is prone to damage, such as dents and holes, caused by naturally-occurring falling objects. Hence, the timely and accurate detection of surface defects is crucial for FAST’s stable operation. Conventional manual inspection involves human inspectors climbing up and examining the large surface visually, a time-consuming and potentially unreliable process. To accelerate the inspection process and increase its accuracy, this work makes the first step towards automating the inspection of FAST by integrating deep-learning techniques with drone technology. First, a drone flies over the surface along a predetermined route. Since surface defects significantly vary in scale and show high inter-class similarity, directly applying existing deep detectors to detect defects on the drone imagery is highly prone to missing and misidentifying defects. As a remedy, we introduce cross-fusion, a dedicated plug-in operation for deep detectors that enables the adaptive fusion of multi-level features in a point-wise selective fashion, depending on local defect patterns. Consequently, strong semantics and fine-grained details are dynamically fused at different positions to support the accurate detection of defects of various scales and types. Our AI-powered drone-based automated inspection is time-efficient, reliable, and has good accessibility, which guarantees the long-term and stable operation of FAST

Unbalanced Circuit-PSI from Oblivious Key-Value Retrieval

Circuit-based Private Set Intersection (circuit-PSI) enables two parties, a client and a server, with their input sets $X$ and $Y$ respectively, to securely compute a function $f$ on the intersection $X \cap Y$, while keeping $X \cap Y$ secret from both parties. Although several computationally efficient circuit-PSI protocols have been proposed recently, they most focus on the balanced scenario where $|X|$ is similar to $|Y|$. However, in many realistic scenarios, a circuit-PSI protocol may be performed in the unbalanced case where $|X|$ is remarkably smaller than $|Y|$ (e.g., the client is a constrained device holding a small set, while the server is a service provider holding a large set). Directly applying existing protocols to this scenario will lead to significant efficiency issues because the communication complexity of the protocols scales at least linearly with the size of the larger set, i.e., $\max(|X|, |Y|)$. In this work, we put forth efficient constructions for unbalanced circuit-PSI with sublinear communication complexity in the size of the larger set. The main insight is that we formalize unbalanced circuit-PSI as obliviously retrieving values corresponding to keys from a set of key-value pairs. To this end, we present a new functionality called Oblivious Key-Value Retrieval (OKVR) and design the OKVR protocol from a new notion called sparse Oblivious Key-Value Stores (sparse OKVS). We conduct extensive experiments and the results show that our constructions remarkably outperform the state-of-the-art circuit-PSI schemes (EUROCRYPT\u2719, PETs\u2722, CCS\u2722), i.e., $1.84 \sim 48.86 \times$ communication improvement and $1.50 \sim39.81 \times$ faster computation. Very recently, Son and Jeong (AsiaCCS\u2723) also present unbalanced circuit-PSI protocols, and our constructions outperform them by $1.18 \sim 15.99 \times$ and $1.22 \sim 10.44 \times$ in communication and computation overhead, respectively, depending on set sizes and network environments