Optimal bounds for multi-prime Φ-hiding assumption

Authors:
Kaori Tosu;Noboru Kunihiro
Affiliations:
The University of Tokyo, Japan;The University of Tokyo, Japan
Venue:
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Year:
2012

Citing 7
Cited 1

Approximate Integer Common Divisors

CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
RSA-OAEP Is Secure under the RSA Assumption

Journal of Cryptology
Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits

ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Finding a small root of a bivariate integer equation; factoring with high bits known

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Computationally private information retrieval with polylogarithmic communication

EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
Instantiability of RSA-OAEP under chosen-plaintext attack

CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Improved cryptanalysis of the multi-prime φ-hiding assumption

AFRICACRYPT'11 Proceedings of the 4th international conference on Progress in cryptology in Africa

Reduction in lossiness of RSA trapdoor permutation

SPACE'12 Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

We propose a novel attack against the Multi-Prime Φ-Hiding Problem, which was introduced by Kiltz et al. at CRYPTO 2010 to show the instantiability of RSA-OAEP. The cryptanalysis of the Multi-Prime Φ-Hiding Problem is also mentioned by them. At Africacrypt 2011, Herrmann improved their result by making use of the special structure of the polynomial that is derived from the problem instance. In his method, the bound on e is reduced by employing a linear equation with fewer variables. In order to optimize the size and number of variables, we examine every possible variable size and number of variables. Then, we show that our attack achieves a better bound than that of Herrmann, which shows that our attack is the best among all known attacks.