38 citations found.
Johan Hastad, Solving simultaneous modular equations of low degree, SIAM J. Comput. 17 (1988), no. 2, 336--341.


This paper is cited in the following contexts:


The Two Faces of Lattices in Cryptology - Nguyen, Stern (2001)   (7 citations)  (Correct)

....the underlying problem is already linear, and the attack often heuristic by requiring (at least) that current lattice reduction algorithms behave ideally, as opposed to what is theoretically guaranteed. The use of lattice reduction techniques to solve polynomial equations goes back to the eighties [66, 133]. The first result of that kind, the broadcast attack on low exponent RSA due to Hastad [66] can be viewed as a weaker version of Coppersmith's theorem on univariate modular polynomial equations. A shorter version of this survey previously appeared in [118]. The rest of the paper is organized as ....

....that current lattice reduction algorithms behave ideally, as opposed to what is theoretically guaranteed. The use of lattice reduction techniques to solve polynomial equations goes back to the eighties [66, 133]. The first result of that kind, the broadcast attack on low exponent RSA due to Hastad [66], can be viewed as a weaker version of Coppersmith's theorem on univariate modular polynomial equations. A shorter version of this survey previously appeared in [118]. The rest of the paper is organized as follows. In Section 2, we give basic definitions and results on lattices and their ....

[Article contains additional citation context not shown here]

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Comput., 17(2):336--341, April 1988. Preliminary version in Proc. of Crypto '85.


The Effectiveness of Lattice Attacks Against Low-Exponent RSA - Coupé, Nguyen, Stern (1999)   (Correct)

.... (c Gamma c Thus, if jrj N 1=9 , we can theoretically recover r, from which we can derive the message m = r(c 2c Gamma r ) c Gamma c 2r ) modN) see [7] 3.3 Broadcast attacks As was pointed out in [15, 1] Coppersmith's result improves known results of Hastad [8]. We consider the situation of a broadcast application, where a user sends linearly related messages $m_i$ to several participants with public exponent $e_i$ and public modulus $N_i$. That is, $m_i \equiv \alpha_i m + \beta_i \pmod{N_i}$ for some unknown $m$ and known constants $\alpha_i$ and $\beta_i$. This precisely happens ....

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Comput. , 17(2):336--341, April 1988.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)  (Correct)

....the underlying problem is already linear, and the attack often heuristic by requiring (at least) that current lattice reduction algorithms behave ideally, as opposed to what is theoretically guaranteed. The use of lattice reduction techniques to solve polynomial equations goes back to the eighties [54, 110]. The first result of that kind, the broadcast attack on low exponent RSA due to Hastad [54] can be viewed as a weaker version of Coppersmith's theorem on univariate modular polynomial equations. The rest of the paper is organized as follows. In Section 2, we give basic definitions and results ....

....that current lattice reduction algorithms behave ideally, as opposed to what is theoretically guaranteed. The use of lattice reduction techniques to solve polynomial equations goes back to the eighties [54, 110]. The first result of that kind, the broadcast attack on low exponent RSA due to Hastad [54], can be viewed as a weaker version of Coppersmith's theorem on univariate modular polynomial equations. The rest of the paper is organized as follows. In Section 2, we give basic definitions and results on lattices and their algorithmic problems. In Section 3, we survey an old topic of lattice ....

[Article contains additional citation context not shown here]

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Comput., 17(2):336--341, April 1988. Early version in Proc. of Crypto '85.


Takagi/Naito's algorithm revisited - Joye, Koeune, Quisquater (1997)   (Correct)

....and e is the maximal degree of the polynomial equations. After publication, Rivest suggested a great simplification of the proof, reducing the lattice dimension to e 2 and yielding a significant improvement of some bound (see below for more details). This improved version was published in [3]. Recently, Takagi and Naito [4] extended the initial Hastad algorithm to the multivariate case. We will show that the same improvement as Rivest suggested can be applied to the extended algorithm, resulting in the same proof simplification and bound improvement. 2 Improvement The theorem we are ....

Johan Hastad, Solving simultaneous modular equations of low degree, SIAM J. Comput. 17 (1988), no. 2, 336--341. The notation $a = b \bmod \pm N$ means that $a$ is the unique integer congruent to $b$ modulo $N$ such that $-\lceil N/2 \rceil + 1 \le a \le \lfloor N/2 \rfloor$.


Computational Methods in Public Key Cryptology - Lenstra (2001)   (Correct)

....signature S on m can be verified by checking that m = S e # Z=nZ. 6 In practice the public exponent e is usually chosen to be small. This is done to make the public operations (encryption and signature verification) fast. Care should be taken with the use of small public exponents, as shown in [29, 30, 28, 47]. The secret exponent d corresponding to a small e is in general of the same order of magnitude as n. There are applications for which a small d (and thus large e) would be attractive. However, small private exponents have been shown to make RSA susceptible to attacks [11, 113]. A computational ....

J. Hastad, Solving simultaneous modular equations of low degree, SIAM J. Comput. 17 (1988) 336-341.


HD-RSA: Hybrid Dependent RSA a New Public-Key Encryption Scheme - Pointcheval (1999)   (2 citations)  (Correct)

....referred problems are RSA [26] the factorization or the discrete logarithm. But no really efficient cryptosystem can aspire to such a strong argument. Indeed, the best encryption scheme that achieves chosen ciphertext security in this sense was proposed at Crypto 98 by Cramer and Shoup [13], and still requires more than four exponentiations for an encryption. Furthermore, it relies on the weakest problem known as the Decisional Diffie Hellman problem [8] which requires particular settings to be difficult. In 1993, Bellare and Rogaway [3] defined a model, the so called Random ....

....D. Coppersmith, S. Halevi, and C. S. Jutla. ISO 9796 and the New Forgery Strategy. Working Draft presented at the Rump Session of Crypto 99, 1999. [12] S. Coron, D. Naccache, and Ju. Stern. On the Security of RSA Padding. In Crypto 99, LNCS 1666, pages 1-18. Springer Verlag, Berlin, 1999. [13] R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack. In Crypto 98, LNCS 1462, pages 13-25. Springer Verlag, Berlin, 1998. [14] W. Diffie and M. E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, ....

[Article contains additional citation context not shown here]

J. Hastad. Solving Simultaneous Modular Equations of Low Degree. SIAM Journal of Computing, 17:336--341, 1988.


Cryptology - Rivest   (Correct)

....stronger results have been proven. For example, it has been shown [81, 6, 18] that if a polynomial fraction of RSA ciphertexts can't be decrypted in polynomial time, then neither can just the least significant bit of the message be guessed from the ciphertext with better than an bias. Hastad [88] shows that it is unwise to use a low encryption exponent e, such as 3, if it is likely that a user may send the same message (or the same message with known variations) to a number of other users. 6.2.2 Knapsacks A number of public key cryptosystems have been proposed which are based on the ....

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Computing, 17(2):336-341, April 1988.


Positive Applications of Lattices to Cryptography - Dwork (1997)   (1 citation)  (Correct)

....of worst case or random instances of problems involving lattices has proved extremely fruitful. Prior to Ajtai's work, lattices, and in particular, the lattice basis reduction algorithm of Lenstra, Lenstra, and Lovász, were used in cryptography principally to prove cryptographic insecurity [1, 9, 10, 20, 22, 25]. We describe more positive applications of lattices: constructions for public key cryptosystems, cryptographically strong hash functions, and pseudo random bit generators whose security depends only on the worst case hardness of the underlying lattice problem; a digital signature scheme whose ....

J. Hastad, Solving Simultaneous Modular Equations of Low Degree, SIAM J. Computing 17(2), pp.336--341, 1988


RFC2437 RFC.net Page 1 of 40 - Network Working Group   (Correct)

....recommendations motivated by cryptanalytic advances made in the intervening years. It is recommended that the pseudorandom octets in EME-PKCS1-v1_5 be generated independently for each encryption process, especially if the same data is input to more than one encryption process. Hastad's results [13] are one motivation for this recommendation. The padding string PS in EME-PKCS1-v1_5 is at least eight octets long, which is a security condition for public key operations that prevents an attacker from recovering data by trying all possible encryption blocks. The pseudorandom octets can also ....

J. Hastad. Solving Simultaneous Modular Equations of Low Degree. SIAM Journal of Computing, 17, 1988, pp. 336-341.


Low-Exponent RSA with Related Messages - Coppersmith, Franklin, Patarin.. (1996)   (65 citations)  (Correct)

....the recovery of plaintext messages from their ciphertexts and a known polynomial relationship among the messages, provided that the ciphertexts were created using the same RSA public key with low encrypting exponent. Our attacks differ from the low exponent attacks described by Moore [6] and Hastad [5] and the common modulus attack identified by Simmons [10] which pertain only to ciphertexts encrypted under different public keys. Given encryptions of k messages under the same RSA public key with exponent e, together with knowledge of a polynomial relation of degree among the messages, the goal ....

J. Hastad. Solving simultaneous modular equations of low degree. SIAM Journal of Computing 17:336-341, 1988.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)  (Correct)

....underlying problem is already linear, and the attack often heuristic by requiring (at least) that current lattice reduction algorithms behave ideally, as opposed to what is theoretically guaranteed. The use of lattice reduction techniques to solve polynomial equations goes back to the eighties [54, 110]. The first result of that kind, the broadcast attack on low exponent RSA due to Hastad [54] can be viewed as a weaker version of Coppersmith's theorem on univariate modular polynomial equations. The rest of the paper is organized as follows. In Section 2, we give basic definitions and results ....

....current lattice reduction algorithms behave ideally, as opposed to what is theoretically guaranteed. The use of lattice reduction techniques to solve polynomial equations goes back to the eighties [54, 110]. The first result of that kind, the broadcast attack on low exponent RSA due to Hastad [54], can be viewed as a weaker version of Coppersmith's theorem on univariate modular polynomial equations. The rest of the paper is organized as follows. In Section 2, we give basic definitions and results on lattices and their algorithmic problems. In Section 3, we survey an old topic of lattice ....

[Article contains additional citation context not shown here]

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Comput., 17(2):336--341, April 1988. Early version in Proc. of Crypto '85.


Anonymous Authentication of Membership in Dynamic Groups - Schechter, Parnell, Hartemink (1999)   (7 citations)  (Correct)

....x 2 M [ x = 2 M decode(e; s i ; P) x fe [i]g s i verify(e; s i ; P) isCommon e = encode(decode(e; s i ; P) P) When using VCS vectors, secrecy holds only if x is not revealed when encrypted multiple times with different public keys. This is not true of RSA with small exponents or Rabin [13, 14, 8]. For this reason, caution must be exercised when selecting a public key encryption technique. Commonality holds because any secret key corresponding to a key in P can be used to decode e to learn x. Decrypting e [i] with s i yields the same secret x for all i. Any member of P can use decode( ....

J. Hastad, "Solving Simultaneous Modular Equations of Low Degree," SIAM Journal on Computing, v. 17 no. 2, Apr 1988, pp. 336--341.


On the Hardness of the Shortest Vector Problem - Micciancio (1998)   (5 citations)  (Correct)

.... old conjectures in mathematics [65] break the Merkle Hellman crypto system [74, 2, 11, 50, 51, 63] check the solvability by radicals [55] solve low density subset sum problems [54, 24, 20] heuristically factor integers [70, 18] and solve many other Diophantine and cryptanalysis problems (e.g. [52, 19, 35, 25, 10]) The first and preeminent reason to study the computational complexity of lattice problems is therefore the wide applicability of lattice based techniques to solve a variety of combinatorial and optimization problems. In the last few years one more reason emerged to study lattices specifically ....

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Comput., 17(2):336--341, Apr. 1988.


Answers To Frequently Asked Questions About Today's Cryptography - Fahn (1993)   (12 citations)  (Correct)

....to the message. Another single message attack can occur if someone sends the same message m to three others, who each have public exponent e = 3. An attacker who knows this and sees the three messages will be able to recover the message m; this attack and ways to prevent it are discussed by Hastad [35]. There are also some chosen ciphertext attacks, in which the attacker creates some ciphertext and gets to see the corresponding plaintext, perhaps by tricking a legitimate user into decrypting a fake message; Davida [23] gives some examples. Of course, there are also attacks that aim not at ....

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Computing, 17:336--241, 1988.


Extended Notions of Security for Multicast Public Key.. - Baudron, Pointcheval.. (2000)   (2 citations)  (Correct)

....encryption has been the subject of several specific attacks, notably directed against low exponent RSA [18] Basically, if e is the common public exponent, then e encryptions of a given message under different public keys lead to an easy recovery of the plaintext. Further results by Hastad [12, 20] and Coppersmith [4, 5] proved that time stamp variants of broadcast, attaching time to the message before encryption, can be successfully cryptanalyzed with e encrypted messages. So far, most known attacks against RSA assume that related plaintexts have been encrypted to different ....

J. Hastad. Solving Simultaneous Modular Equations of Low Degree. SIAM Journal of Computing, 17:336--341, 1988.


Series Logo - Volume Number Xxxx   (Correct)

No context found.

Johan Hastad, Solving simultaneous modular equations of low degree, SIAM J. Comput. 17 (1988), no. 2, 336--341.


A Survey of Public-Key Cryptosystems - Koblitz, Menezes   (Correct)

No context found.

J. Hastad, Solving simultaneous modular equations of low degree, SIAM Journal on Computing, 17 (1988), pp. 336-341.


RSA Problem - Rivest (2003)   (Correct)

No context found.

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Computing, 17:336--341, 1988.


Cryptanalysis of RSA Using Algebraic and Lattice Methods - Durfee (2002)   (Correct)

No context found.

J. Hastad. Solving simultaneous modular equations of low degree. SIAM Journal on Computing, vol. 17, no. 2, pp. 336--341, 1988.


On the Hardness of the Shortest Vector Problem - Micciancio (1998)   (5 citations)  (Correct)

No context found.

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Comput., 17(2):336--341, Apr. 1988.


Data Security - CM 0321 - Jones (2004)   (Correct)

No context found.

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Computing, 17:336--241, 1988.


Data Security - CM 0321 - Jones (2001)   (Correct)

No context found.

J. Hastad. Solving simultaneous modular equations of low degree. SIAM J. Computing, 17:336--241, 1988.


Unknown -   (Correct)

No context found.

J. Hastad. Solving Simultaneous Modular Equations of Low Degree. SIAM Journal of Computing, volume 17, pp. 336-341, 1988.


A Public-Key Cryptosystem with Worst-Case/Average-Case.. - Ajtai, al. (1996)   (32 citations)  (Correct)

No context found.

J. Hastad, Solving Simultaneous Modular Equations of Low Degree, SIAM J. Computing 17(2), pp.336--341, 1988


CiteSeer.IST - Copyright Penn State and NEC