Book ChapterDOI

Cryptanalysis of Multi-Prime Φ-Hiding Assumption

03 Sep 2016-pp 440-453
TL;DR: An improved heuristic algorithm based on the Herrmann-May lattice method to solve the Multi-Prime $\varPhi$-Hiding Problem when the prime $e > N^{\frac{2}{3m}-\frac{1}{4m^2}}$.
Abstract: In Crypto 2010, Kiltz, O'Neill and Smith used an $m$-prime RSA modulus $N$ with $m \ge 3$ for constructing lossy RSA. The security of the proposal is based on the Multi-Prime $\varPhi$-Hiding Assumption. In this paper, we propose a heuristic algorithm based on the Herrmann-May lattice method (Asiacrypt 2008) to solve the Multi-Prime $\varPhi$-Hiding Problem when the prime $e > N^{\frac{2}{3m}}$. Further, by combining it with mixed lattice techniques, we give an improved heuristic algorithm to solve this problem when the prime $e > N^{\frac{2}{3m}-\frac{1}{4m^2}}$. These two results are verified by our experiments. Our bounds are better than those of the existing works.
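The abstract relies on two facts a reader may want to see concretely: the Φ-Hiding decision (does the prime $e$ divide $\varphi(N)$?) is trivial with the factorization of $N$ and hard without it, and planting $e \mid \varphi(N)$ is exactly what makes the Kiltz-O'Neill-Smith RSA map lossy. The Python below is an added, constructed example and not the paper's lattice attack nor code from Kiltz, O'Neill and Smith: it builds toy three-prime moduli with and without $e \mid \varphi(N)$, enumerates the image of $x \mapsto x^e \bmod N$ by brute force (feasible only because the primes are 6 bits), and shows the image shrinks by a factor of exactly $e$ in the hidden case. All function names (`keygen`, `image_size`, `paper_bounds`, ...) and the parameters $m = 3$, 6-bit primes, $e = 7$ are this example's own choices.

```python
"""
Toy demonstration of the Multi-Prime Phi-Hiding structure behind lossy RSA.
Added example with constructed parameters; NOT the paper's lattice attack and
NOT code from the Kiltz-O'Neill-Smith construction.
"""
from fractions import Fraction
from math import gcd, prod
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; trial division handles the tiny cases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Random prime of exactly `bits` bits."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c


def prime_with_e_dividing_pm1(e: int, bits: int, rng: random.Random) -> int:
    """Prime p of exactly `bits` bits with e | p - 1, built as p = 2*k*e + 1."""
    while True:
        k = rng.randrange(1, (1 << bits) // (2 * e) + 1)
        p = 2 * k * e + 1
        if p.bit_length() == bits and is_probable_prime(p, rng):
            return p


def keygen(m: int, prime_bits: int, e: int, hide: bool, rng: random.Random):
    """N = p_1 * ... * p_m with distinct primes of equal size.
    hide=True plants e | p_1 - 1, hence e | phi(N): the lossy branch.
    hide=False forces gcd(e, phi(N)) = 1: ordinary injective RSA."""
    primes = []
    if hide:
        primes.append(prime_with_e_dividing_pm1(e, prime_bits, rng))
    while len(primes) < m:
        p = random_prime(prime_bits, rng)
        if p in primes or (p - 1) % e == 0 or p == e:
            continue
        primes.append(p)
    return prod(primes), primes


def phi(primes) -> int:
    return prod(p - 1 for p in primes)


def phi_hides(primes, e: int) -> bool:
    """The Phi-Hiding decision, answered with the trapdoor (the factorization)."""
    return phi(primes) % e == 0


def image_size(N: int, e: int) -> int:
    """|{x^e mod N : gcd(x, N) = 1}| by brute force; toy moduli only.
    Group theory predicts prod((p-1) / gcd(e, p-1)) over the primes p."""
    return len({pow(x, e, N) for x in range(1, N) if gcd(x, N) == 1})


def paper_bounds(m: int):
    """Exponents t with the abstract's attacks applying for prime e > N^t:
    the basic bound 2/(3m) and the improved bound 2/(3m) - 1/(4m^2)."""
    basic = Fraction(2, 3 * m)
    return basic, basic - Fraction(1, 4 * m * m)


def demo(seed: int = 7, m: int = 3, prime_bits: int = 6, e: int = 7) -> dict:
    """Run both branches with a fixed seed and report what a verifier can check."""
    rng = random.Random(seed)
    result = {}
    for hide in (True, False):
        N, primes = keygen(m, prime_bits, e, hide, rng)
        result[hide] = {
            "N": N,
            "primes": primes,
            "e_divides_phi": phi_hides(primes, e),
            "phi": phi(primes),
            "image": image_size(N, e),
        }
    return result


if __name__ == "__main__":
    for hide, r in demo().items():
        branch = "lossy (e | phi(N))" if hide else "injective (gcd(e, phi(N)) = 1)"
        print(f"{branch}: N={r['N']} primes={r['primes']} "
              f"|Z_N^*|={r['phi']} |image of x^e|={r['image']}")
    basic, improved = paper_bounds(3)
    print(f"m=3: attack needs e > N^{basic} (basic), e > N^{improved} (improved)")
```

Without the primes, deciding which branch a given $(N, e)$ came from is the Multi-Prime Φ-Hiding problem; the paper's contribution is that for $e$ above the `paper_bounds` threshold the lattice method recovers that answer (and the factor $p_1$) anyway.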
Citations
Book ChapterDOI
03 Jul 2017
TL;DR: The security of multi-prime RSA with small prime difference is studied and two improved factoring attacks are proposed; by applying the optimal linearization technique they achieve better bounds in experiments.
Abstract: In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of $r$ distinct prime factors of the same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive $r$ simultaneous modular equations. The first attack is based on combining the $r$ equations to solve one multivariate modular equation by a generic lattice approach. Since the equation form is similar to the multi-prime $\varPhi$-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments.

4 citations

References
Journal ArticleDOI
TL;DR: This paper is devoted to the description and analysis of a new algorithm to factor positive integers that depends on the use of elliptic curves; it is conjectured that the algorithm determines a non-trivial divisor of a composite number $n$ in expected time at most $K(p)(\log n)^2$.
Abstract: This paper is devoted to the description and analysis of a new algorithm to factor positive integers. It depends on the use of elliptic curves. The new method is obtained from Pollard's $(p-1)$-method (Proc. Cambridge Philos. Soc. 76 (1974), 521-528) by replacing the multiplicative group by the group of points on a random elliptic curve. It is conjectured that the algorithm determines a non-trivial divisor of a composite number $n$ in expected time at most $K(p)(\log n)^2$, where $p$ is the least prime dividing $n$ and $K$ is a function for which $\log K(x) = \sqrt{(2 + o(1)) \log x \log\log x}$ for $x \to \infty$. In the worst case, when $n$ is the product of two primes of the same order of magnitude, this is

1,069 citations

Journal ArticleDOI
TL;DR: An algorithm for solving Integer Programming problems whose running time depends on the number $n$ of variables as $n^{O(n)}$, by reducing an $n$-variable problem to $(2n)^{5i/2}$ problems in $n-i$ variables for some $i > 0$ chosen by the algorithm.
Abstract: The paper presents an algorithm for solving Integer Programming problems whose running time depends on the number $n$ of variables as $n^{O(n)}$. This is done by reducing an $n$-variable problem to $(2n)^{5i/2}$ problems in $n-i$ variables for some $i > 0$ chosen by the algorithm. The factor of $O(n^{5/2})$ "per variable" improves the best previously known factor, which is exponential in $n$. Minkowski's Convex Body theorem and other results from Geometry of Numbers play a crucial role in the algorithm. Several related algorithms for lattice problems are presented. The complexity of these problems with respect to polynomial-time reducibilities is studied.

841 citations

Journal ArticleDOI
Don Coppersmith
TL;DR: It is shown how to find sufficiently small integer solutions to a polynomial in a single variable modulo $N$, and to a polynomial in two variables over the integers.
Abstract: We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of N=PQ if we are given the high order $\frac{1}{4} \log_2 N$ bits of P.

743 citations

Book ChapterDOI
02 May 1999
TL;DR: A single-database computationally private information retrieval scheme with polylogarithmic communication complexity based on a new, but reasonable intractability assumption, which is essentially the difficulty of deciding whether a small prime divides φ(m), where m is a composite integer of unknown factorization.
Abstract: We present a single-database computationally private information retrieval scheme with polylogarithmic communication complexity. Our construction is based on a new, but reasonable intractability assumption, which we call the φ-Hiding Assumption (φHA): essentially the difficulty of deciding whether a small prime divides φ(m), where m is a composite integer of unknown factorization.

699 citations

Book ChapterDOI
11 Jul 2005
TL;DR: A single-database private information retrieval (PIR) scheme with communication complexity ${\mathcal O}(k+d)$, where k ≥ log n is a security parameter that depends on the database size n and d is the bit-length of the retrieved database block.
Abstract: We present a single-database private information retrieval (PIR) scheme with communication complexity ${\mathcal O}(k+d)$, where k ≥ log n is a security parameter that depends on the database size n and d is the bit-length of the retrieved database block. This communication complexity is better asymptotically than previous single-database PIR schemes. The scheme also gives improved performance for practical parameter settings whether the user is retrieving a single bit or very large blocks. For large blocks, our scheme achieves a constant “rate” (e.g., 0.2), even when the user-side communication is very low (e.g., two 1024-bit numbers). Our scheme and security analysis is presented using general groups with hidden smooth subgroups; the scheme can be instantiated using composite moduli, in which case the security of our scheme is based on a simple variant of the “Φ-hiding” assumption by Cachin, Micali and Stadler [2].

353 citations