Journal ArticleDOI

Solving simultaneous modular equations of low degree

01 Apr 1988 - SIAM Journal on Computing (Society for Industrial and Applied Mathematics) - Vol. 17, Iss. 2, pp. 336-341
TL;DR: It is shown that a protocol by Broder and Dolev is insecure if RSA with a small exponent is used, and that the RSA cryptosystem used with a small exponent is not a good choice as a public-key cryptosystem in a large network.
Abstract: We consider the problem of solving systems of equations $P_i(x) \equiv 0 \pmod{n_i}$, $i = 1, \ldots, k$, where the $P_i$ are polynomials of degree $d$, the $n_i$ are distinct relatively prime numbers, and $x < \min(n_i)$. We prove that if $k > d(d+1)/2$ we can recover $x$ in polynomial time provided $\min(n_i) > 2^{d^2}$. As a consequence, the RSA cryptosystem used with a small exponent is not a good choice as a public-key cryptosystem in a large network. We also show that a protocol by Broder and Dolev [Proceedings of the 25th Annual IEEE Symposium on the Foundations of Computer Science, 1984] is insecure if RSA with a small exponent is used.
Citations
Book
01 Jan 1996
TL;DR: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols.
Abstract: From the Publisher: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.

13,597 citations


Cites background from "Solving simultaneous modular equati..."

  • ...2(ii)) is discussed by Håstad [544], who showed more generally that sending the encryptions of more than e(e+1)/2 linearly related messages (messages of the form $a_i m + b_i$, where the $a_i$ and $b_i$ are known) enables an eavesdropper to recover the messages provided that the moduli $n_i$ satisfy $n_i$ > 2(e+1)....


Book
01 Jan 2004
TL;DR: This guide explains the basic mathematics, describes state-of-the-art implementation methods, and presents standardized protocols for public-key encryption, digital signatures, and key establishment, as well as side-channel attacks and countermeasures.
Abstract: After two decades of research and development, elliptic curve cryptography now has widespread exposure and acceptance. Industry, banking, and government standards are in place to facilitate extensive deployment of this efficient public-key mechanism. Anchored by a comprehensive treatment of the practical aspects of elliptic curve cryptography (ECC), this guide explains the basic mathematics, describes state-of-the-art implementation methods, and presents standardized protocols for public-key encryption, digital signatures, and key establishment. In addition, the book addresses some issues that arise in software and hardware implementation, as well as side-channel attacks and countermeasures. Readers receive the theoretical fundamentals as an underpinning for a wealth of practical and accessible knowledge about efficient application. Features & Benefits: breadth of coverage and a unified, integrated approach to elliptic curve cryptosystems; describes important industry and government protocols, such as the FIPS 186-2 standard from the U.S. National Institute for Standards and Technology; provides full exposition on techniques for efficiently implementing finite-field and elliptic curve arithmetic; distills complex mathematics and algorithms for easy understanding; includes useful literature references, a list of algorithms, and appendices on sample parameters, ECC standards, and software tools. This comprehensive, highly focused reference is a useful and indispensable resource for practitioners, professionals, or researchers in computer science, computer engineering, network design, and network data security.

2,893 citations


Cites methods from "Solving simultaneous modular equati..."

  • ...The motivation for their work was to account for attacks such as Håstad’s attacks [195] whereby an adversary can easily recover a plaintext m if the same m (or linearly related m) is encrypted for three legitimate entities using the basic RSA encryption scheme with encryption exponent e = 3....


Journal ArticleDOI
Don Coppersmith
TL;DR: It is shown how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers.
Abstract: We show how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a polynomial in two variables over the integers. The methods sometimes extend to more variables. As applications: RSA encryption with exponent 3 is vulnerable if the opponent knows two-thirds of the message, or if two messages agree over eight-ninths of their length; and we can find the factors of $N = PQ$ if we are given the high-order $\frac{1}{4} \log_2 N$ bits of $P$.

743 citations

Proceedings ArticleDOI
Miklós Ajtai, Cynthia Dwork
04 May 1997
TL;DR: A probabilistic public key cryptosystem which is secure unless the worst case of the following lattice problem can be solved in polynomial time is presented.

673 citations

Journal Article
Dan Boneh
TL;DR: A simplified version of RSA encryption is described and a malicious attacker wishing to eavesdrop or tamper with the communication between Alice and Bob is used, to illustrate the dangers of improper use of RSA.
Abstract: Introduction. The RSA cryptosystem, invented by Ron Rivest, Adi Shamir, and Len Adleman [18], was first publicized in the August 1977 issue of Scientific American. The cryptosystem is most commonly used for providing privacy and ensuring authenticity of digital data. These days RSA is deployed in many commercial systems. It is used by Web servers and browsers to secure Web traffic, it is used to ensure privacy and authenticity of e-mail, it is used to secure remote login sessions, and it is at the heart of electronic credit card payment systems. In short, RSA is frequently used in applications where security of digital data is a concern. Since its initial publication, the RSA system has been analyzed for vulnerability by many researchers. Although twenty years of research have led to a number of fascinating attacks, none of them is devastating. They mostly illustrate the dangers of improper use of RSA. Indeed, securely implementing RSA is a nontrivial task. Our goal is to survey some of these attacks and describe the underlying mathematical tools they use. Throughout the survey we follow standard naming conventions and use “Alice” and “Bob” to denote two generic parties wishing to communicate with each other. We use “Marvin” to denote a malicious attacker wishing to eavesdrop or tamper with the communication between Alice and Bob. We begin by describing a simplified version of RSA encryption. Let $N = pq$ be the product of two large primes of the same size ($n/2$ bits each). A typical size for $N$ is $n = 1024$ bits, i.e., 309 decimal digits. Each of the factors is 512 bits. Let $e, d$ be two integers satisfying $ed = 1 \bmod \varphi(N)$, where $\varphi(N) = (p-1)(q-1)$ is the order of the multiplicative group $\mathbb{Z}_N^*$. We call $N$ the RSA modulus, $e$ the encryption exponent, and $d$ the decryption exponent. The pair $\langle N, e \rangle$ is the public key. As its name suggests, it is public and is used to encrypt messages. The pair $\langle N, d \rangle$ is called the secret key or private key and is known only to the recipient of encrypted messages. The secret key enables decryption of ciphertexts. A message is an integer $M \in \mathbb{Z}_N^*$. To encrypt $M$, one computes $C = M^e \bmod N$. To decrypt the ciphertext, the legitimate receiver computes $C^d \bmod N$. Indeed, $C^d = M^{ed} = M \pmod N$,

620 citations


Cites methods from "Solving simultaneous modular equati..."

  • ...The following theorem is a stronger version of Hastad’s original result....


  • ...Hastad’s Broadcast Attack: As a first application of Coppersmith’s theorem, we present an improvement to an old attack due to Hastad [11]....


  • ...Theorem 6 (Hastad)....


  • ...Unfortunately, Hastad showed that this linear padding is insecure....


References
Journal ArticleDOI
TL;DR: This technique enables the construction of robust key management schemes for cryptographic systems that can function securely and reliably even when misfortunes destroy half the pieces and security breaches expose all but one of the remaining pieces.
Abstract: In this paper we show how to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k - 1 pieces reveals absolutely no information about D. This technique enables the construction of robust key management schemes for cryptographic systems that can function securely and reliably even when misfortunes destroy half the pieces and security breaches expose all but one of the remaining pieces.

14,340 citations


"Solving simultaneous modular equati..." refers methods in this paper

  • ...Two of their essential ingredients were Shamir's method of sharing a secret [11] and the use of a deterministic PKC....


01 Jan 1979
TL;DR: It is proved that for any given n, if the authors can invert the function y = E (x1) for even a small percentage of the values y then they can factor n, which seems to be the first proved result of this kind.
Abstract: We introduce a new class of public-key functions involving a number n = pq having two large prime factors. As usual, the key n is public, while p and q are the private key used by the issuer for production of signatures and function inversion. These functions can be used for all the applications involving public-key functions proposed by Diffie and Hellman, including digitalized signatures. We prove that for any given n, if we can invert the function y = E(x1) for even a small percentage of the values y then we can factor n. Thus, as long as factorization of large numbers remains practically intractable, for appropriately chosen keys not even a small percentage of signatures are forgeable. Breaking the RSA function is at most as hard as factorization, but is not known to be equivalent to factorization even in the weak sense that ability to invert all function values entails ability to factor the key. Computation time for these functions, i.e. signature verification, is several hundred times faster than for the RSA scheme. Inversion time, using the private key, is comparable. The almost-everywhere intractability of signature forgery for our functions (on the assumption that factoring is intractable) is of great practical significance and seems to be the first proved result of this kind.

1,292 citations


"Solving simultaneous modular equati..." refers background in this paper

  • ...Another way of encrypting messages was proposed by Rabin [9]....


  • ...References: [1] Alexi W., Chor B., Goldreich O. and Schnorr C.P. "RSA/Rabin Bits are 1/2 + 1/poly(log N) Secure", Proceedings of 25th Annual IEEE Symposium on Foundations of Computer Science, 1984, 449-457....


  • ...Using the same methods we get: Application 2: Sending linearly related messages using the Rabin encryption function is insecure....


  • ...[9] Rabin M....


Book
01 Jan 1959
TL;DR: This book develops the geometry of numbers from lattices and reduction through the theorems of Blichfeldt and Minkowski, Mahler's compactness theorem, the quotient space, successive minima, packings and automorphs, to inhomogeneous problems, with applications to Diophantine approximation.
Abstract: Notation. Prologue.
Chapter I. Lattices: 1. Introduction 2. Bases and sublattices 3. Lattices under linear transformation 4. Forms and lattices 5. The polar lattice
Chapter II. Reduction: 1. Introduction 2. The basic process 3. Definite quadratic forms 4. Indefinite quadratic forms 5. Binary cubic forms 6. Other forms
Chapter III. Theorems of Blichfeldt and Minkowski: 1. Introduction 2. Blichfeldt's and Minkowski's theorems 3. Generalisations to non-negative functions 4. Characterisation of lattices 5. Lattice constants 6. A method of Mordell 7. Representation of integers by quadratic forms
Chapter IV. Distance functions: 1. Introduction 2. General distance-functions 3. Convex sets 4. Distance functions and lattices
Chapter V. Mahler's compactness theorem: 1. Introduction 2. Linear transformations 3. Convergence of lattices 4. Compactness for lattices 5. Critical lattices 6. Bounded star-bodies 7. Reducibility 8. Convex bodies 9. Spheres 10. Applications to diophantine approximation
Chapter VI. The theorem of Minkowski-Hlawka: 1. Introduction 2. Sublattices of prime index 3. The Minkowski-Hlawka theorem 4. Schmidt's theorems 5. A conjecture of Rogers 6. Unbounded star-bodies
Chapter VII. The quotient space: 1. Introduction 2. General properties 3. The sum theorem
Chapter VIII. Successive minima: 1. Introduction 2. Spheres 3. General distance-functions
Chapter IX. Packings: 1. Introduction 2. Sets with $V(\varphi) = n^2 \Delta(\varphi)$ 3. Voronoi's results 4. Preparatory lemmas 5. Fejes Toth's theorem 6. Cylinders 7. Packing of spheres 8. The product of n linear forms
Chapter X. Automorphs: 1. Introduction 2. Special forms 3. A method of Mordell 4. Existence of automorphs 5. Isolation theorems 6. Applications of isolation 7. An infinity of solutions 8. Local methods
Chapter XI. Inhomogeneous problems: 1. Introduction 2. Convex sets 3. Transference theorems for convex sets 4. The product of n linear forms
Appendix. References. Index.

1,257 citations


"Solving simultaneous modular equati..." refers background in this paper

  • ...Hermite's constant is not known exactly for n > 8 but Minkowski's convex body theorem ([5], ix....


Proceedings ArticleDOI
24 Oct 1984
TL;DR: It is proved that the RSA least significant bit is $1/2 + 1/\log^c N$ secure, for any constant c (where N is the RSA modulus).
Abstract: We prove that the RSA least significant bit is $1/2 + 1/\log^c N$ secure, for any constant c (where N is the RSA modulus). This means that an adversary, given the ciphertext, cannot guess the least significant bit of the plaintext with probability better than $1/2 + 1/\log^c N$, unless he can break RSA.

46 citations


"Solving simultaneous modular equati..." refers background in this paper

  • ...By [1],[3] this can be done with as much efficiency as in the deterministic case....
