How to break Okamoto's cryptosystem by reducing lattice bases

Authors:
B. Vallée;M. Girault;P. Toffin
Affiliations:
Univ. Caen Cedex, France;Service d'Etudes communes des Postes et Telecommunications, Caen Cedex, France;Univ. Caen Cedex, France
Venue:
Lecture Notes in Computer Science on Advances in Cryptology-EUROCRYPT'88
Year:
1988

Citing 4
Cited 7

On Lova´sz' lattice reduction and the nearest lattice point problem

Combinatorica
An attack on a signature scheme proposed by Okamoto and Shiraishi

Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
Reconstructing truncated integer variables satisfying linear congruences

SIAM Journal on Computing - Special issue on cryptography
How to Guess l-th Roots Modulo n by Reducing Lattice Bases

AAECC-6 Proceedings of the 6th International Conference, on Applied Algebra, Algebraic Algorithms and Error-Correcting Codes

Computation of approximate L-th roots modulo n and application to cryptography

CRYPTO '88 Proceedings on Advances in cryptology
Flaws in Applying Proof Methodologies to Signature Schemes

CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
An Efficient Digital Signature Scheme Based on an Elliptic Curve Over the Ring Zn

CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology
Threshold Phenomena in Random Lattices and Efficient Reduction Algorithms

ESA '99 Proceedings of the 7th Annual European Symposium on Algorithms
Security of ESIGN-PSS

IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Why provable security matters?

EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
On the optimality of lattices for the coppersmith technique

ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

The security of several signature schemes and cryptosystems, essentially proposed by Okamoto, is based on the difficulty of solving polynomial equations or inequations modulo n. The encryption and the decryption of these schemes are very simple when the factorisation of the modulus, a large composite number, is known.We show here that we can, for any odd n, solve, in polynomial probabilistic time, quadratic equations modulo n, even if the factorisation of n is hidden, provided we are given a sufficiently good approximation of the solutions. We thus deduce how to break Okamoto's second degree cryptosystem and we extend, in this way, Brickell's and Shamir's previous attacks.Our main tool is lattices that we use after a linearisation of the problem, and the success of our method depends on the geometrical regularity of a particular kind of lattices.Our paper is organized as follows: First we recall the problems already posed, their partial solutions and describe how our results solve extensions of these problems. We then introduce our main tool, lattices and show how their geometrical properties fit in our subject. Finally, we deduce our results. These methods can be generalized to higher dimensions.