12 citations found.
G. Durfee and P.Q. Nguyen. Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99. In ASIACRYPT 2000.


This paper is cited in the following contexts:
Survey of Computational Assumptions Used in Cryptography Broken or.. - Zhu (2001)   (Correct)

....selects a random seed, x_0, then computes the sequence x_1, x_2, x_l by successively applying the RSA function. The An attack on RSA with short d is known from Wiener [Wie90]. This attack will discover d n 4. More recent results improve Wiener's attack to 0.292 n [BD98, DN00]. These attacks pose no threat to normal case RSA where d # n . sequence of pseudorandom bits is formed by the sequence of the least significant bit of x_i. The efficiency is furtherly improved in the Micali Schnorr pseudorandom bit generator [MS91] by generating more bits per exponentiation ....

Glenn Durfee and Phong Nguyen. Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt '99. In Advances in Cryptology: ASIACRYPT '00: Proceedings, number 1976 in Lecture Notes in Computer Science, pages 14--29, Kyoto, December 2000. International Conference on the Theory and Application of Cryptology, Springer-Verlag, 2000.


An algorithm to obtain an RSA modulus with a large private .. - Encinas, Masqué.. (2003)   (Correct)

....indeed, this cryptosystem is insecure for d vf. Moreover, Sun et al. [8] have proposed three variants of the RSA with small private keys for resisting the Boneh Durfee attack. These variants suggest to use unbalanced factor primes p, q of the RSA modulus. Nevertheless, Durfee and Nguyen ([4]) have broken two of these three new proposals. More recently, Weger ([10]) has proved that if the prime numbers p, q are chosen in such a way that its difference |p - q| is small enough, then one obtains improvements on the Wiener and Boneh Durfee attacks. These cryptanalyses have increased the ....

G. Durfee and P.Q. Nguyen, Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt'99, Proceedings of Asiacrypt'00, LNCS 1976 (2000), 14-29.


Short Private Exponent Attacks on Fast Variants of RSA - Ciet, al. (2002)   (Correct)

....that LLL outputs two algebraically independent vectors. We show in this report that it is possible to use quite a short secret exponent with the RSA MultiPrime. This improves signature generation in comparison with the use of classical RSA and CRT. Nevertheless, as Durfee and Nguyen explain in [7], one should be very cautious when using a short secret exponent with RSA. The bound N 1 6 is improved by the lattice tools, and it might be possible that it could grow a little if we examine the resolution of modular polynomial equations with low solutions in more details. A way to defeat this ....

Durfee, G., Nguyen, P. Q.: Cryptanalysis of RSA Schemes with Short Secret Exponent from Asiacrypt '99. Advances in Cryptology - Proceedings of Asiacrypt '00, Lecture Notes in Computer Science 1976 (2000) 14--29


On Some Attacks On Multi-Prime RSA - Hinek, Low, Teske (2002)   (5 citations)  (Correct)

....1; r 1. Combining these inequalities gives (2.4) Further, since N is an n bit modulus, we can express (2.4) as N (N) 2r)2 n(1 1=r) 2 : 2.6) Some of the attacks we consider use lattices and lattice reduction algorithms. We now give some notation and facts, for which we follow [DN00] and [BD00]. Let u_1, ..., u_w ∈ Z with w m. The set L = { Σ_{i=1}^{w} a_i u_i | a_i ∈ Z } of all integer linear combinations of the u_i's is a lattice. It is called the lattice spanned by ⟨u_1, ..., u_w⟩. Further, if the vectors u_1, ..., u_w are linearly independent over Z, then ⟨u ....

....) e ) e ) and 2 ) Thus, lim m 1 vol(L BD (m; t) 1 and lim m 1 e = 2 ) 0, so (4.9) cannot be satisfied for any , as m gets large. Hence, the bound on is incorrect. This oversight is unfortunate, as ignoring the contribution from 2 seems to be common [BD00, BM01, DN00]. Finding corresponding values for m and t that allow for the largest in (4.9) is a difficult problem, as (4.9) is nonlinear, and N are variables, and we require m 1 and t 0 to be integers. To estimate an upper bound for , with various fixed values N and we numerically optimized (4.9) for m ....

G. Durfee and P. Q. Nguyen. Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt '99. In Advances in Cryptology - ASIACRYPT 2000, volume 1976 of LNCS, pages 14-29. Springer-Verlag, 2000.


Low Secret Exponent RSA Revisited - Blömer, May (2001)   (3 citations)  (Correct)

....We carried out cryptanalysis of secret keys up to d N 0.278 . We also compared our experimental results with the experimental results of Boneh and Durfee. In [3] they only provided examples with d N 0.265 . In all cases we considered, our method was faster. 1 This includes among others [1, 4, 8, 12] 2 The Boneh Durfee Lattice In this section we review the lattice attack by Boneh and Durfee on low exponent RSA. For an introduction into lattice theory and lattice basis reduction, we refer to the textbooks [9, 17]. Descriptions of Wiener's RSA attack and the method of Coppersmith can be ....

G. Durfee, P. Nguyen, "Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99", Proc. of Asiacrypt '2000


Cryptanalysis of RSA Using Algebraic and Lattice Methods - Durfee (2002)   Self-citation (Durfee)   (Correct)

No context found.

G. Durfee and P. Nguyen. Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt '99. In proceedings Asiacrypt 2000.


The Two Faces of Lattices in Cryptology - Nguyen, Stern (2001)   (7 citations)  Self-citation (Nguyen)   (Correct)

....for now, only heuristic. Indeed, there are applications to the security of the RSA encryption scheme when a very low public exponent or a low private exponent is used (see [16] for a survey) and related schemes such as the KMOV cryptosystem (see [12]). In particular, the experimental evidence of [19, 12, 46] shows that the method is very effective in practice for certain polynomials. 24 Remarks. In the case of univariate polynomials, there was basically no choice over the polynomials q u;v (x) x used to generate the appropriate univariate integer polynomial equation satisfied by all small ....

....h is sufficiently large, and the bounds satisfy X N 2=3 Gamma . Boneh and Durfee [19] applied similar and other tricks to a polynomial of the form P (x; y) xy ax b. This allowed better bounds than the generic bound, leading to improved attacks on RSA with low secret exponent (see also [46] for an extension to the trivariate case, useful when the RSA primes are unbalanced). 6.3 Multivariate integer equations The general problem of solving multivariate polynomial equations over Z is also hard, as integer factorization is a special case. Coppersmith [38] showed that a similar ....

[Article contains additional citation context not shown here]

G. Durfee and P. Q. Nguyen. Cryptanalysis of the RSA schemes with short secret exponent from asiacrypt '99. In Proc. of Asiacrypt '00, volume 1976 of LNCS. IACR, Springer-Verlag, 2000.


On the Provable Security of an Efficient RSA-Based.. - Steinfeld, Pieprzyk.. (2006)   (Correct)

No context found.

G. Durfee and P.Q. Nguyen. Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99. In ASIACRYPT 2000.


New Partial Key Exposure Attacks on RSA - Blömer, May (2003)   (2 citations)  (Correct)

No context found.

G. Durfee, P. Nguyen, "Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99", Advances in Cryptology - Asiacrypt 2000, Lecture Notes in Computer Science vol. 1976, Springer, pp. 14--29, 2000


Deterministic Polynomial Time Equivalence of Computing the RSA.. - Coron, May (2004)   (Correct)

No context found.

G. Durfee and P. Nguyen "Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt'99", Proceedings of Asiacrypt 2000.


Deterministic Polynomial Time Equivalence of Computing the RSA.. - Coron, May (2004)   (Correct)

No context found.

G. Durfee and P. Nguyen "Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt'99", Proceedings of Asiacrypt 2000.


Survey of Computational Assumptions Used in Cryptography Broken or.. - Zhu (2001)   (Correct)

No context found.

Glenn Durfee and Phong Nguyen. Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt '99. In Advances in Cryptology: ASIACRYPT '00: Proceedings, number 1976 in Lecture Notes in Computer Science, pages 14-29, Kyoto, December 2000. International Conference on the Theory and Application of Cryptology, Springer-Verlag, 2000.
