Efficient Public-Key Cryptosystems Provably Secure Against Active Adversaries
ASIACRYPT '99 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
The Middle Product Algorithm I
Applicable Algebra in Engineering, Communication and Computing
Polynomial evaluation and interpolation on special sets of points
Journal of Complexity - Festschrift for the 70th birthday of Arnold Schönhage
Efficient and secure comparison for on-line auctions
ACISP'07 Proceedings of the 12th Australasian conference on Information security and privacy
Factorization of a 768-bit RSA modulus
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Cryptography in subgroups of Zn
TCC'05 Proceedings of the Second international conference on Theory of Cryptography
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Hi-index | 0.00 |
At TCC 2005, Groth underlined the usefulness of working in small RSA subgroups of hidden order. In assessing the security of the relevant hard problems, however, the best attack considered for a subgroup of size 22l had a complexity of O(2l). Accordingly, l = 100 bits was suggested as a concrete parameter. This paper exhibits an attack with a complexity of roughly 2l/2 operations, suggesting that Groth's original choice of parameters was overly aggressive. It also discusses the practicality of this new attack and various implementation issues.