Simplification of the Lattice Based Attack of Boneh and Durfee for RSA Cryptoanalysis

  • Conference paper

Abstract

We present a new formulation, with a simpler analysis, of the lattice-based attack of Boneh and Durfee on RSA [1]. We follow the same approach as theirs; however, we propose a new way of defining the lattice, with which we achieve the same solvable key bound \(d<N^{0.292}\). Our lattice is represented as a lower triangular matrix, which makes its analysis much simpler than that of [1]. We think that our analysis technique would be useful for considering applications and generalizations of this approach.


Notes

  1. Our \(g_{i,j}(x,y)\) for \(i\ge j\) and for \(i<j\) correspond to their \(g_{i,j}(x,y)\) and \(h_{i,j}(x,y)\), respectively.

  2. For example, for \(m=3\) and \(\delta =0.25\) we have \(\mathbf {I}_1 = ((0,0),(1,0),(1,1),(2,0),(2,1),(2,2),(3,0),(3,1),(3,2),(3,3))\) and \(\mathbf {I}_2 = ((2,3),(3,4))\). From these we obtain the monomial sequences \(\mathbf {K}_1 = (1,x,z,x^2,xz,z^2,x^3,x^2z,xz^2,z^3)\) and \(\mathbf {K}_2 = (yz^2,yz^3)\).

  3. This \(\delta \) is a parameter of the L\(^2\) algorithm and is different from the \(\delta \) used for defining the RSA instance; see the original paper [9] for this \(\delta \).

  4. TSUBAME is a grid-type supercomputer at the Tokyo Institute of Technology. The node we used contains eight 2.4 GHz Opteron Dual Core model 880 processors and 32 GB of RAM. Note, however, that we have not been able to make a parallel version of our algorithm; the supercomputer was used only to reduce the total experiment time.
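The abstract's claim is that the Boneh-Durfee lattice can be written as a lower triangular matrix, and Note 2 gives the monomial order (K_1 followed by K_2) under which this happens. The following is an added example, not the paper's code, that builds the x-shift and y-shift rows of the Boneh-Durfee lattice and checks triangularity under exactly that order. Two choices in it are mine and are not taken from the paper: the RSA relation \(k(N+1-(p+q))-1 \equiv 0 \pmod e\) is written as \(f = Ax + z\) with \(A=N+1\), \(x=k\), \(y=-(p+q)\) and \(z = xy - 1\), so every product \(xy\) is rewritten as \(z+1\) (an unravelled-linearization step in the spirit of [6]); and a y-shift row \((i,i+u)\) is kept only when its scaled diagonal entry \(e^{m-i}Y^{u}Z^{i}\) is at most \(e^{m}\) for \(X=e^{\delta}\), \(Y=e^{1/2}\), \(Z=XY\) (the usual \(e\approx N\) assumption). That selection rule reproduces \(\mathbf{I}_2=((2,3),(3,4))\) of Note 2 for \(m=3\), \(\delta=0.25\); here \(\delta\) is the RSA bound \(d<N^{\delta}\), not the L\(^2\) parameter of Note 3. The values of \(N\) and \(e\) in the demo are constructed toy numbers.

```python
"""Boneh-Durfee lattice rows written so that, under the monomial order of
Note 2 (K_1 then K_2), the coefficient matrix is lower triangular.

Added example, not the paper's code.  Assumptions made here:
  * f = A*x + z with A = N+1, x = k, y = -(p+q), z = x*y - 1, i.e. every
    product x*y is rewritten as z + 1 (unravelled linearization as in [6]);
  * with X = e^delta, Y = e^(1/2), Z = X*Y (e ~ N), a y-shift row (i, i+u)
    is kept only if its diagonal entry e^(m-i) Y^u Z^i is at most e^m;
    this rule reproduces I_2 = ((2,3),(3,4)) of Note 2.
delta is the RSA bound d < N^delta, not the L^2 parameter of Note 3.
"""
from fractions import Fraction

HALF = Fraction(1, 2)

# A polynomial is {(ex, ez, ey): coeff}; normalize() applies x*y -> z + 1.
def normalize(poly):
    out, todo = {}, list(poly.items())
    while todo:
        (ex, ez, ey), c = todo.pop()
        if c == 0:
            continue
        if ex and ey:                                  # x*y = z + 1
            todo.append(((ex - 1, ez + 1, ey - 1), c))
            todo.append(((ex - 1, ez, ey - 1), c))
        else:
            out[(ex, ez, ey)] = out.get((ex, ez, ey), 0) + c
    return {k: v for k, v in out.items() if v}

def mul(p, q):
    r = {}
    for (a1, b1, c1), u in p.items():
        for (a2, b2, c2), v in q.items():
            k = (a1 + a2, b1 + b2, c1 + c2)
            r[k] = r.get(k, 0) + u * v
    return normalize(r)

def power(p, n):
    r = {(0, 0, 0): 1}
    for _ in range(n):
        r = mul(r, p)
    return r

def index_of(mono):
    """x^a z^b y^c (normalized, so a*c == 0) is the monomial x^(a+b) y^(b+c)."""
    a, b, c = mono
    return (a + b, b + c)

def index_sets(m, delta):
    """I_1: all (i, j) with 0 <= j <= i <= m, in lexicographic order.
    I_2: (i, i+u), u >= 1, whose scaled diagonal entry is at most e^m."""
    delta = Fraction(delta)
    I1 = [(i, j) for i in range(m + 1) for j in range(i + 1)]
    I2 = [(i, i + u) for i in range(m + 1) for u in range(1, m + 1)
          if u * HALF + i * (delta + HALF) <= i]
    return I1, sorted(I2)

def shift_polynomials(N, e, m, delta):
    """Lattice rows as (index, polynomial), ordered K_1 then K_2."""
    f = {(1, 0, 0): N + 1, (0, 1, 0): 1}               # f = A*x + z
    I1, I2 = index_sets(m, delta)
    rows = [((i, j), mul({(i - j, 0, 0): e ** (m - j)}, power(f, j)))
            for (i, j) in I1]                          # x^(i-j) f^j e^(m-j)
    rows += [((i, j), mul({(0, 0, j - i): e ** (m - i)}, power(f, i)))
             for (i, j) in I2]                         # y^(j-i) f^i e^(m-i)
    return rows

def is_lower_triangular(rows):
    """Each row's monomials must lie in columns at or before its own column,
    every monomial must have a column, and the diagonal must be nonzero."""
    col = {idx: n for n, (idx, _) in enumerate(rows)}
    for n, (idx, p) in enumerate(rows):
        cols = [col.get(index_of(mono)) for mono in p]
        if any(c is None or c > n for c in cols) or n not in cols:
            return False
    return True

def det_exponent(m, delta):
    """log_e of the scaled determinant (sum of diagonal exponents) and the
    target m * dim; the attack needs the first below the second.  Diagonal
    of an I_1 row: e^(m-j) X^(i-j) Z^j; of an I_2 row: e^(m-i) Y^(j-i) Z^i."""
    delta = Fraction(delta)
    I1, I2 = index_sets(m, delta)
    s = sum(m + delta * i - HALF * j for i, j in I1)
    s += sum(m + HALF * (j - i) + i * (delta - HALF) for i, j in I2)
    return s, m * (len(I1) + len(I2))

if __name__ == "__main__":
    N, e = 10007 * 10009, 65537                        # constructed toy values
    rows = shift_polynomials(N, e, 3, 0.25)
    print([idx for idx, _ in rows])
    print("lower triangular:", is_lower_triangular(rows))
    print("det exponent / target:", *det_exponent(3, 0.25))
```

Because the matrix is triangular, the determinant is just the product of the diagonal entries, which is what makes the analysis simple; `det_exponent` compares that product (as an exponent of \(e\)) with \(e^{m\cdot\dim}\), ignoring the constant factors of Howgrave-Graham's lemma [5]. The actual attack would scale the columns by the powers of \(X\), \(Y\), \(Z\) and LLL-reduce the integer matrix, e.g. with NTL [10] as the paper did; this example stops at the lattice structure.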

References

  1. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000)

  2. Blömer, J., May, A.: Low secret exponent RSA revisited. In: Proceedings of CaLC 2001. LNCS, vol. 2146, pp. 4–19 (2001)

  3. Coppersmith, D.: Finding a small root of a univariate modular equation. In: Proceedings of EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165 (1996)

  4. Healy, A.D.: Resultants, resolvents and the computation of Galois groups. http://www.alexhealy.net/papers/math250a.pdf

  5. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Proceedings of Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142 (1997)

  6. Herrmann, M., May, A.: Maximizing small root bounds by linearization and applications to small secret exponent RSA. In: Proceedings of PKC 2010. LNCS, vol. 6056, pp. 53–69 (2010)

  7. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Proceedings of ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282 (2006)

  8. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)

  9. Nguyen, P., Stehlé, D.: Floating-point LLL (full version). ftp://ftp.di.ens.fr/pub/users/pnguyen/FullL2.pdf

  10. Shoup, V.: NTL: A library for doing number theory. http://www.shoup.net/ntl/index.html

Acknowledgments

I am grateful to Osamu Watanabe for his advice, careful reading, and for correcting some expressions. The author and this research were supported in part by the JSPS Global COE program “Computationism as a Foundation for the Sciences.”

Author information

Correspondence to Yoshinori Aono.

Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

Cite this paper

Aono, Y. (2014). Simplification of the Lattice Based Attack of Boneh and Durfee for RSA Cryptoanalysis. In: Feng, R., Lee, Ws., Sato, Y. (eds) Computer Mathematics. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43799-5_3
