Efficient factoring based on partial information
Proc. of a workshop on the theory and application of cryptographic techniques on Advances in cryptology---EUROCRYPT '85
The MAGMA algebra system I: the user language
Journal of Symbolic Computation - Special issue on computational algebra and number theory: proceedings of the first MAGMA conference
Complexity of Lattice Problems
Complexity of Lattice Problems
Improved algorithms for integer programming and related lattice problems
STOC '83 Proceedings of the fifteenth annual ACM symposium on Theory of computing
Algorithms for quantum computation: discrete logarithms and factoring
SFCS '94 Proceedings of the 35th Annual Symposium on Foundations of Computer Science
Rigorous and Efficient Short Lattice Vectors Enumeration
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Implicit Factoring: On Polynomial Time Factoring Given Only an Implicit Hint
Irvine Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography: PKC '09
Finding a small root of a bivariate integer equation; factoring with high bits known
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Improved analysis of Kannan's shortest lattice vector algorithm
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
We study the problem of integer factoring given implicit information of a special kind. The problem is as follows: let $N_1 = p_1 q_1$ and $N_2 = p_2 q_2$ be two RSA moduli of the same bit-size, where $q_1$, $q_2$ are $\alpha$-bit primes. We are given the implicit information that $p_1$ and $p_2$ share $t$ most significant bits. We present a novel and rigorous lattice-based method that leads to the factorization of $N_1$ and $N_2$ in polynomial time as soon as $t \geq 2\alpha + 3$. Subsequently, we heuristically generalize the method to $k$ RSA moduli $N_i = p_i q_i$ where the $p_i$'s all share $t$ most significant bits (MSBs) and obtain an improved bound on $t$ that converges to $t \geq \alpha + 3.55...$ as $k$ tends to infinity. We study also the case where the $k$ factors $p_i$ share $t$ contiguous bits in the middle and find a bound that converges to $2\alpha + 3$ when $k$ tends to infinity. This paper extends the work of May and Ritzenhofen in [9], where similar results were obtained when the $p_i$'s share least significant bits (LSBs). In [15], Sarkar and Maitra describe an alternative but heuristic method for only two RSA moduli, when the $p_i$'s share LSBs and/or MSBs, or bits in the middle. In the case of shared MSBs or bits in the middle and two RSA moduli, they get better experimental results in some cases, but we use much lower (at least $2^3$ times lower) lattice dimensions and so we obtain a great speedup (at least $10^3$ times faster). Our results rely on the following surprisingly simple algebraic relation in which the shared MSBs of $p_1$ and $p_2$ cancel out: $q_1 N_2 - q_2 N_1 = q_1 q_2 (p_2 - p_1)$. This relation allows us to build a lattice whose shortest vector yields the factorization of the $N_i$'s.
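The cancellation relation above, worked through for two small moduli as an added example (not code from the paper), in the form of a check one could run over keys from a suspect generator. Assumptions of this example: the basis vectors (K, 0, N2) and (0, K, -N1), the scaling K = 2^(n-t), the Lagrange-Gauss reduction, all function names, and the constructed sample values (16-bit q's, t = 40, above the 2α+3 = 35 bound).

```python
# Added example: every name, the basis, K and the sample values are assumptions, not the paper's code.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases, deterministic for n < 2**64."""
    if n < 41:
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):  # True if base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(
            (x := x * x % n) != n - 1 for _ in range(s - 1))
    return not any(witness(a) for a in BASES)

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def shortest_vector(u, v):
    """Lagrange-Gauss reduction of a rank-2 integer lattice, exact arithmetic."""
    while True:
        if dot(u, u) > dot(v, v):
            u, v = v, u
        m = (2 * dot(u, v) + dot(u, u)) // (2 * dot(u, u))  # nearest integer
        if m == 0:
            return u
        v = [b - m * a for a, b in zip(u, v)]

def implicit_factor(N1, N2, t):
    """Return (q1, q2) if the large factors of N1, N2 share t MSBs, else None."""
    K = 1 << (N1.bit_length() - t)  # balances q_i*K against q1*q2*(p2-p1)
    b = shortest_vector([K, 0, N2], [0, K, -N1])  # +-(q1*K, q2*K, q1*N2 - q2*N1)
    q1, q2 = abs(b[0]) // K, abs(b[1]) // K
    ok = q1 > 1 and q2 > 1 and N1 % q1 == 0 and N2 % q2 == 0
    return (q1, q2) if ok else None

def demo_moduli():
    """Constructed sample: 64-bit p's sharing their top 40 bits, 16-bit q's."""
    base = 0xC0FFEE1234 << 24
    p1, p2 = next_prime(base + 1000), next_prime(base + 5_000_000)
    return (p1, next_prime(50000)), (p2, next_prime(60000))
```

`implicit_factor` returns `None` when the reduced vector does not reveal divisors, which is the expected result for moduli whose large primes are unrelated.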