Cryptanalysis of the RSA subgroup assumption from TCC 2005

Authors:
Jean-Sébastien Coron;Antoine Joux;Avradip Mandal;David Naccache;Mehdi Tibouchi
Affiliations:
Université du Luxembourg, Luxembourg, Luxembourg;Direction générale de l'armement and Université de Versailles-Saint-Quentin, Laboratoire PRISM, Versailles Cedex, France;Université du Luxembourg, Luxembourg, Luxembourg;École normale supérieure, Département d'informatique, Groupe de cryptographie, Paris Cedex 05, France;Université du Luxembourg, Luxembourg, Luxembourg and École normale supérieure, Département d'informatique, Groupe de cryptographie, Paris Cedex 05, France
Venue:
PKC'11 Proceedings of the 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography
Year:
2011

Citing 6
Cited 1

Efficient Public-Key Cryptosystems Provably Secure Against Active Adversaries

ASIACRYPT '99 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
The Middle Product Algorithm I

Applicable Algebra in Engineering, Communication and Computing
Polynomial evaluation and interpolation on special sets of points

Journal of Complexity - Festschrift for the 70th birthday of Arnold Schönhage
Efficient and secure comparison for on-line auctions

ACISP'07 Proceedings of the 12th Australasian conference on Information security and privacy
Factorization of a 768-bit RSA modulus

CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Cryptography in subgroups of Zn

TCC'05 Proceedings of the Second international conference on Theory of Cryptography

Faster algorithms for approximate common divisors: breaking fully-homomorphic-encryption challenges over the integers

EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques

Quantified Score

Hi-index	0.00

Visualization

Abstract

At TCC 2005, Groth underlined the usefulness of working in small RSA subgroups of hidden order. In assessing the security of the relevant hard problems, however, the best attack considered for a subgroup of size 22l had a complexity of O(2l). Accordingly, l = 100 bits was suggested as a concrete parameter. This paper exhibits an attack with a complexity of roughly 2l/2 operations, suggesting that Groth's original choice of parameters was overly aggressive. It also discusses the practicality of this new attack and various implementation issues.