Factoring a Multiprime Modulus N with Random Bits
Abstract
In 2009, Heninger and Shacham presented an algorithm that uses Hensel's lemma to reconstruct the prime factors of the modulus $N = r_1 r_2$. This algorithm computes the prime factors of N in polynomial time, with high probability, assuming that a fraction greater than or equal to 59% of the bits of its primes $r_1$ and $r_2$, chosen at random, is given. In this paper, we present the analysis of Hensel's lemma for a multi-prime modulus $N = \prod_{i=1}^{u} r_i$ (for $u \geq 2$) and we generalise Heninger and Shacham's algorithm to determine the minimum fraction of random bits of its prime factors that is sufficient to factor N in polynomial time with high probability.
Similar resources
How to Compress Rabin Ciphertexts and Signatures (and More)
Ordinarily, RSA and Rabin ciphertexts and signatures are log N bits, where N is a composite modulus; here, we describe how to “compress” Rabin ciphertexts and signatures (among other things) down to about (2/3) log N bits, while maintaining a tight provable reduction from factoring in the random oracle model. The computational overhead of our compression algorithms is small. We also improve upo...
Factoring RSA Modulus Using Prime Reconstruction from Random Known Bits
This paper discusses the factorization of the RSA modulus N (i.e., N = pq, where p, q are primes of same bit size) by reconstructing the primes from randomly known bits. The reconstruction method is a modified brute-force search exploiting the known bits to prune wrong branches of the search tree, thereby reducing the total search space towards possible factorization. Here we revisit the work o...
Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA
Given knowledge of one or more of the primes in a multiprime RSA modulus we show that the private exponent can be recovered provided it is sufficiently small. In particular, we present a simple and efficient method that given v of the u primes dividing the modulus N recovers any private exponent d satisfying d < Nv/u− . When only one prime is known, this bound can be increased to approximately ...
Factoring Unbalanced Moduli with Known Bits
Let n = pq > q be an RSA modulus. This note describes an LLL-based method allowing to factor n given 2 log2 q contiguous bits of p, irrespective of their position. A second method is presented, which needs fewer bits but whose length depends on the position of the known bit pattern. Finally, we introduce a somewhat surprising ad hoc method where two different known bit chunks, totalling 3 2 log2...
Minkowski sum based lattice construction for solving simultaneous modular equations and applications to RSA
We investigate a lattice construction method for the Coppersmith technique for finding small solutions of a modular equation. We consider its variant for simultaneous equations and propose a method to construct a lattice by combining lattices for solving single equations. As applications, we consider (i) a new RSA cryptanalysis for multiple short secret exponents, (ii) its partial ke...
Publication date: 2013