Some applications of lattice based root finding techniques

In this paper we present some problems and their solutions exploiting lattice based root finding techniques.

In CaLC 2001, Howgrave-Graham proposed a method to find the Greatest Common Divisor (GCD) of two large integers when one of the integers is exactly known and the other one is known approximately. In this paper, we present three applications of the technique. The first one is to show deterministic polynomial time equivalence between factoring $N$ ($N = pq$, where $p > q$ or $p, q$ are of the same bit size) and knowledge of $q^{-1} \bmod p$. Next, we consider the problem of finding smooth integers in a short interval. The third one is to factorize $N$ given a multiple of the decryption exponent in RSA.

In Asiacrypt 2006, Jochemsz and May presented a general strategy for finding roots of a polynomial. We apply that technique to solve the following two problems. The first one is to factorize $N$ given an approximation of a multiple of the decryption exponent in RSA. The second one is to solve the implicit factorization problem given three RSA moduli, when certain portions of the LSBs as well as the MSBs of one set of three secret primes are the same.
