Optimal Bounds for Multi-Prime Φ-Hiding Assumption

  • Kaori Tosu
  • Noboru Kunihiro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7372)


We propose a novel attack against the Multi-Prime Φ-Hiding Problem, which was introduced by Kiltz et al. at CRYPTO 2010 to show the instantiability of RSA-OAEP; they also mentioned its cryptanalysis. At Africacrypt 2011, Herrmann improved their result by making use of the special structure of the polynomial derived from the problem instance. In his method, the bound on e is reduced by employing a linear equation with fewer variables. To optimize both the size and the number of variables, we examine every possible variable size and number of variables. We then show that our attack achieves a better bound than that of Herrmann, which shows that our attack is the best among all known attacks.


Multi-Prime Φ-Hiding Assumption, RSA-OAEP, lattice based technique




References

  1. Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
  2. Cachin, C., Micali, S., Stadler, M.A.: Computationally Private Information Retrieval with Polylogarithmic Communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999)
  3. Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
  4. Coppersmith, D.: Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. J. of Cryptology 10(4), 233–260 (1997)
  5. Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP Is Secure under the RSA Assumption. J. of Cryptology 17(2), 81–104 (2004)
  6. Herrmann, M.: Improved Cryptanalysis of the Multi-Prime φ-Hiding Assumption. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 92–99. Springer, Heidelberg (2011)
  7. Herrmann, M., May, A.: Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008)
  8. Howgrave-Graham, N.: Approximate Integer Common Divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001)
  9. Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under Chosen-Plaintext Attack. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 295–313. Springer, Heidelberg (2010)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Kaori Tosu (1)
  • Noboru Kunihiro (1)
  1. The University of Tokyo, Japan
