New Attacks on RSA with Small Secret CRT-Exponents

Bleichenbacher, Daniel; May, Alexander

doi:10.1007/11745853_1

Cited by 52 publications

(42 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The speed-up (i.e., scaling factor) is the quotient of the real time of the non-parallel version and the real time of the multi-threaded version. The speed-up factor increases with the dimension up to around 1.8 for the 2-thread and factor 3.2 for the 4-thread version 4 It is interesting to note that for the selected parameters the speed-up factor for unimodular lattice bases increases faster than for knapsack or Goldstein-Mayer random lattices, and eventually all three speed-up factors reach a similar maximum value, as one can clearly observe in the 2-thread case. The 2-thread version, as expected, reaches its maximum earlier than the 4-thread version.…”

Section: Resultsmentioning

confidence: 57%

“…One can avoid these restrictions by using a less efficient multi-precision floating point arithmetic. The reduction of lattice bases in high dimensions and entries of high bit length (which requires the use of a multi-precision floating point arithmetic for the approximation) are of interest in various context, e.g., for certain attacks on RSA [22,23,5,4]. Using a multi-precision floating-point arithmetic to approximate the lattice basis changes the running time behavior of the Schnorr-Euchner reduction algorithm dramatically.…”

Section: Parallel Lll Reduction Using Posix Threadsmentioning

confidence: 99%

“…The reduction of these lattice bases is of great interest, e.g., for cryptanalyzing RSA [22,23,5,4]. In experiments with sparse and dense lattice bases, experiments with our new parallel LLL show (compared to the non-parallel algorithm) a speed-up factor of about 1.8 for the 2-thread and about factor 3.2 for the 4-thread version.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Parallel Lattice Basis Reduction Using a Multi-threaded Schnorr-Euchner LLL Algorithm

Backes

Wetzel

2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this paper, we introduce a new parallel variant of the LLL lattice basis reduction algorithm. Our new, multi-threaded algorithm is the first to provide an efficient, parallel implementation of the Schorr-Euchner algorithm for today's multi-processor, multi-core computer architectures. Experiments with sparse and dense lattice bases show a speed-up factor of about 1.8 for the 2-thread and about factor 3.2 for the 4-thread version of our new parallel lattice basis reduction algorithm in comparison to the traditional non-parallel algorithm.

show abstract

Section: Resultsmentioning

confidence: 57%

Section: Parallel Lll Reduction Using Posix Threadsmentioning

confidence: 99%

See 1 more Smart Citation

Parallel Lattice Basis Reduction Using a Multi-threaded Schnorr-Euchner LLL Algorithm

Backes

Wetzel

2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Starting point is the polynomial equation (3). We proceed similar to [BM06] and perform an (almost) identical linearization.…”

Section: Crt Exponentsmentioning

confidence: 99%

“…In the framework of unravelled linearization, it is obvious why we do not obtain a positive result for smaller parameters. In order to improve upon the bound from Bleichenbacher, May [BM06], we have to use relation (6). However, the lattice parameters m = 2 and t = 1 are the smallest ones for which the monomial vwx appears.…”

Section: Crt Exponentsmentioning

confidence: 99%

Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA

Herrmann

May

2010

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We present an elementary method to construct optimized lattices that are used for finding small roots of polynomial equations. Former methods first construct some large lattice in a generic way from a polynomial f and then optimize via finding suitable smaller dimensional sublattices. In contrast, our method focuses on optimizing f first which then directly leads to an optimized small dimensional lattice.Using our method, we construct the first elementary proof of the Boneh-Durfee attack for small RSA secret exponents with d ≤ N 0.292 . Moreover, we identify a sublattice structure behind the Jochemsz-May attack for small CRT-RSA exponents dp, dq ≤ N 0.073 . Unfortunately, in contrast to the Boneh-Durfee attack, for the Jochemsz-May attack the sublattice does not help to improve the bound asymptotically. Instead, we are able to attack much larger values of dp, dq in practice by LLL reducing smaller dimensional lattices.

show abstract