How to Guess l-th Roots Modulo n by Reducing Lattice Bases
AAECC-6 Proceedings of the 6th International Conference, on Applied Algebra, Algebraic Algorithms and Error-Correcting Codes
Low-exponent RSA with related messages
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Reducing the Elliptic Curve Cryptosystem of Meyer-Müllerto the Cryptosystem of Rabin-Williams
Designs, Codes and Cryptography
Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis
IEEE Transactions on Computers
Paillier's cryptosystem revisited
CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
On the Security of the Digital Signature Algorithm
Designs, Codes and Cryptography
Extended Notions of Security for Multicast Public Key Cryptosystems
ICALP '00 Proceedings of the 27th International Colloquium on Automata, Languages and Programming
Design and Analysis of Fast Provably Secure Public-Key Cryptosystems Based on a Modular Squaring
ICISC '01 Proceedings of the 4th International Conference Seoul on Information Security and Cryptology
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
RSA-OAEP Is Secure under the RSA Assumption
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Universal Padding Schemes for RSA
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
An Attack on RSA Given a Small Fraction of the Private Key Bits
ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
The Effectiveness of Lattice Attacks Against Low-Exponent RSA
PKC '99 Proceedings of the Second International Workshop on Practice and Theory in Public Key Cryptography
Multi-recipient Public-Key Encryption with Shortened Ciphertext
PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
New Semantically Secure Public-Key Cryptosystems from the RSA-Primitive
PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
A Practical Public Key Cryptosystemfrom Paillier and Rabin Schemes
PKC '03 Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography
Approximate Integer Common Divisors
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
Finding Small Solutions to Small Degree Polynomials
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
Heuristics on lattice basis reduction in practice
Journal of Experimental Algorithmics (JEA)
Searching Worst Cases of a One-Variable Function Using Lattice Reduction
IEEE Transactions on Computers
Password authenticated key exchange using hidden smooth subgroups
Proceedings of the 12th ACM conference on Computer and communications security
Toward a Rigorous Variation of Coppersmith's Algorithm on Three Variables
EUROCRYPT '07 Proceedings of the 26th annual international conference on Advances in Cryptology
Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
A New Lattice Construction for Partial Key Exposure Attack for RSA
Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
One-wayness equivalent to general factoring
IEEE Transactions on Information Theory
Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much?
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Low-exponent RSA with related messages
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Finding a small root of a bivariate integer equation; factoring with high bits known
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Binding ElGamal: a fraud-detectable alternative to key-escrow proposals
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Computationally private information retrieval with polylogarithmic communication
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
New attacks on PKCS#1 v1.5 encryption
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Efficient algorithms for solving overdefined systems of multivariate polynomial equations
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Cryptography and the methodology of provable security
AAECC'03 Proceedings of the 15th international conference on Applied algebra, algebraic algorithms and error-correcting codes
Why provable security matters?
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
Finding small roots of bivariate integer polynomial equations: a direct approach
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
RSA moduli with a predetermined portion: techniques and applications
ISPEC'08 Proceedings of the 4th international conference on Information security practice and experience
Factoring unbalanced moduli with known bits
ICISC'09 Proceedings of the 12th international conference on Information security and cryptology
SCN'10 Proceedings of the 7th international conference on Security and cryptography for networks
Low-cost client puzzles based on modular exponentiation
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
On the broadcast and validity-checking security of PKCS#1 v1.5 encryption
ACNS'10 Proceedings of the 8th international conference on Applied cryptography and network security
Solving generalized small inverse problems
ACISP'10 Proceedings of the 15th Australasian conference on Information security and privacy
Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Cryptanalysis of a type of CRT-based RSA algorithms
Journal of Computer Science and Technology
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Interpolation of functions related to the integer factoring problem
WCC'05 Proceedings of the 2005 international conference on Coding and Cryptography
Single-database private information retrieval with constant communication rate
ICALP'05 Proceedings of the 32nd international conference on Automata, Languages and Programming
A tool kit for finding small roots of bivariate polynomials over the integers
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
A provably secure elliptic curve scheme with fast encryption
INDOCRYPT'04 Proceedings of the 5th international conference on Cryptology in India
Maximizing small root bounds by linearization and applications to small secret exponent RSA
PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
Multi-query computationally-private information retrieval with constant communication rate
PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
Simplified high-speed high-distance list decoding for alternant codes
PQCrypto'11 Proceedings of the 4th international conference on Post-Quantum Cryptography
A unified framework for small secret exponent attack on RSA
SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
Partial key exposure on RSA with private exponents larger than N
ISPEC'12 Proceedings of the 8th international conference on Information Security Practice and Experience
Optimal security proofs for full domain hash, revisited
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
An efficient probabilistic public-key cryptosystem over quadratic fields quotients
Finite Fields and Their Applications
Inferring sequences produced by nonlinear pseudorandom number generators using coppersmith's methods
PKC'12 Proceedings of the 15th international conference on Practice and Theory in Public Key Cryptography
On the optimality of lattices for the coppersmith technique
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Verified security of redundancy-free encryption from Rabin and RSA
Proceedings of the 2012 ACM conference on Computer and communications security
Small private-exponent attack on RSA with primes sharing bits
ISC'07 Proceedings of the 10th international conference on Information Security
On optimal bounds of small inverse problems and approximate GCD problems with higher degree
ISC'12 Proceedings of the 15th international conference on Information Security
Implicit polynomial recovery and cryptanalysis of a combinatorial key cryptosystem
ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
On the improvement of fermat factorization
NSS'12 Proceedings of the 6th international conference on Network and System Security
On the improvement of Fermat factorization using a continued fraction technique
Future Generation Computer Systems
Hi-index | 0.07 |
We show how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than N1/k. We give two applications to RSA encryption with exponent 3. First, knowledge of all the ciphertext and 2/3 of the plaintext bits for a single message reveals that message. Second, if messages are padded with truly random padding and then encrypted with an exponent 3, then two encryptions of the same message (with different padding) will reveal the message, as long as the padding is less than 1/9 of the length of N. With several encryptions, another technique can (heuristically) tolerate padding up to about 1/6 of the length of N.