Generating a Shortest B-Chain using Multi-GPUs

Let B be a finite set of binary operations over the set of natural numbers N. A B-chain for a natural number n, denoted by BC(n), is a sequence of numbers 1 = c0,c1,...,cl = n such that for each i \u3e 0,ci = cj ◦ck, where 0 ≤ j,k ≤ i−1 and ◦ is an operation of B. Generating a shortest B-chain for n plays an important role in increasing the performance of some cryptosystems and protocols. This paper has two purposes. The first is to propose a generic algorithm to generate a shortest B-chain using a single CPU and a single GPU for any B. The second is to propose two strategies to improve the generation of a shortest B-chain using two (or more) GPUs. Using two GPUs, the experimental study shows that the first strategy improves the performance by about 20%, while the second strategy improves the performance by about 30 ∼ 35% in case of B = {+}. It is also possible to combine both strategies when we have at least four GPUs

A Unified Method for Private Exponent Attacks on RSA using Lattices

International audienceLet (n = pq, e = n^β) be an RSA public key with private exponent d = n^δ , where p and q are large primes of the same bit size. At Eurocrypt 96, Coppersmith presented a polynomial-time algorithm for finding small roots of univariate modular equations based on lattice reduction and then succussed to factorize the RSA modulus. Since then, a series of attacks on the key equation ed − kφ(n) = 1 of RSA have been presented. In this paper, we show that many of such attacks can be unified in a single attack using a new notion called Coppersmith's interval. We determine a Coppersmith's interval for a given RSA public key (n, e). The interval is valid for any variant of RSA, such as Multi-Prime RSA, that uses the key equation. Then we show that RSA is insecure if δ < β + 1/3 α − 1/3 √ (12αβ + 4α^2) provided that we have approximation p0 ≥ √ n of p with |p − p0| ≤ 1/2 n^α , α ≤ 1/2. The attack is an extension of Coppersmith's result

(Extended Abstract)

Abstract — An addition sequence problem is given a set of numbers X = {n1, n2, · · · , nm}, what is the minimal number of additions needed to compute all m numbers starting from 1? Downey et al. [9] showed that the addition sequence problem is NPcomplete. This problem has application in evaluating the monomials y n1, y n2, · · · , y nm. In this paper, we present an algorithm to generate an addition sequence with minimal number of elements. We generalize some results on addition chain (m = 1) to addition sequence to speed up the computation

Small Private Exponent Attacks on RSA Using Continued Fractions and Multicore Systems

The RSA (Rivest–Shamir–Adleman) asymmetric-key cryptosystem is widely used for encryptions and digital signatures. Let (n,e) be the RSA public key and d be the corresponding private key (or private exponent). One of the attacks on RSA is to find the private key d using continued fractions when d is small. In this paper, we present a new technique to improve a small private exponent attack on RSA using continued fractions and multicore systems. The idea of the proposed technique is to find an interval that contains ϕ(n), and then propose a method to generate different points in the interval that can be used by continued fraction and multicore systems to recover the private key, where ϕ is Euler’s totient function. The practical results of three small private exponent attacks on RSA show that we extended the previous bound of the private key that is discovered by continued fractions. When n is 1024 bits, we used 20 cores to extend the bound of d by 0.016 for de Weger, Maitra-Sarkar, and Nassr et al. attacks in average times 7.67 h, 2.7 h, and 44 min, respectively

Factoring RSA Modulus with Primes not Necessarily Sharing Least Significant Bits

The security of many public-key cryptosystems, such as RSA, is based on the difficulty of factoring a composite integer. Until now, there is no known polynomial time algorithm to factor any composite integer with classical computers. In this paper, we study factoring n when n= pq is a product of two primes p and q satisfying that p≡lk1 mod 2q1 and q≡lk2 mod 2q2 for some positive integers q1,q2, k1, k2 ≤ logn and l.We show that n can be factored in time polynomial in logn if l \u3c 2q and either | p−lk1 2q1 || q−lk2 2q2 |\u3c lk or 2q ′ ≥ n1/4, where q = min{q1,q2}, q ′ = max{q1,q2} and k = min{k1, k2}. We also show that the result of Steinfeld and Zheng [21] when the two primes p and q share least significant bits is a special case of our results. Our results point out the warring for cryptographic designers to be careful when generating primes for the RSA modulu

A Unified Method for Private Exponent Attacks on RSA using Lattices

International audienceLet (n = pq, e = n^β) be an RSA public key with private exponent d = n^δ , where p and q are large primes of the same bit size. At Eurocrypt 96, Coppersmith presented a polynomial-time algorithm for finding small roots of univariate modular equations based on lattice reduction and then succussed to factorize the RSA modulus. Since then, a series of attacks on the key equation ed − kφ(n) = 1 of RSA have been presented. In this paper, we show that many of such attacks can be unified in a single attack using a new notion called Coppersmith's interval. We determine a Coppersmith's interval for a given RSA public key (n, e). The interval is valid for any variant of RSA, such as Multi-Prime RSA, that uses the key equation. Then we show that RSA is insecure if δ < β + 1/3 α − 1/3 √ (12αβ + 4α^2) provided that we have approximation p0 ≥ √ n of p with |p − p0| ≤ 1/2 n^α , α ≤ 1/2. The attack is an extension of Coppersmith's result

Three Strategies for Improving Shortest Vector Enumeration Using GPUs

Hard Lattice problems are assumed to be one of the most promising problems for generating cryptosystems that are secure in quantum computing. The shortest vector problem (SVP) is one of the most famous lattice problems. In this paper, we present three improvements on GPU-based parallel algorithms for solving SVP using the classical enumeration and pruned enumeration. There are two improvements for preprocessing: we use a combination of randomization and the Gaussian heuristic to expect a better basis that leads rapidly to a shortest vector and we expect the level on which the exchanging data between CPU and GPU is optimized. In the third improvement, we improve GPU-based implementation by generating some points in GPU rather than in CPU. We used NVIDIA GeForce GPUs of type GTX 1060 6G. We achieved a significant improvement upon Hermans’s improvement. The improvements speed up the pruned enumeration by a factor of almost 2.5 using a single GPU. Additionally, we provided an implementation for multi-GPUs by using two GPUs. The results showed that our algorithm of enumeration is scalable since the speedups achieved using two GPUs are almost faster than Hermans’s improvement by a factor of almost 5. The improvements also provided a high speedup for the classical enumeration. The speedup achieved using our improvements and two GPUs on a challenge of dimension 60 is almost faster by factor 2 than Correia’s parallel implementation using a dual-socket machine with 16 physical cores and simultaneous multithreading technology