We introduce a "generalized small inverse problem (GSIP)" and present an algorithm for solving this problem. GSIP is formulated as finding small solutions of $f(x_0, x_1, \ldots, x_n) = x_0 h(x_1, \ldots, x_n) + C \equiv 0 \pmod{M}$ for an $n$-variate polynomial $h$ and non-zero integers $C$ and $M$. Our algorithm is based on the lattice-based Coppersmith technique. We provide a strategy for construction of a lattice basis for solving $f = 0$, which is systematically transformed from a lattice basis for solving $h = 0$. Then, we derive an upper bound such that the target problem can be solved in polynomial time in $\log M$ in an explicit form. Since GSIPs include some RSA-related problems, our algorithm is applicable to them. For example, the small key attacks by Boneh and Durfee are re-found automatically.
The authors' recent classification of trilinear operations includes, among other cases, a fourth family of operations with parameter $q \in \mathbb{Q} \cup \{\infty\}$, and weakly commutative and weakly anticommutative operations. These operations satisfy polynomial identities in degree 3 and further identities in degree 5. For each operation, using the row canonical form of the expansion matrix $E$ to find the identities in degree 5 gives extremely complicated results. We use lattice basis reduction to simplify these identities: we compute the Hermite normal form $H$ of $E^t$, obtain a basis of the nullspace lattice from the last rows of a matrix $U$ for which $UE^t = H$, and then use the LLL algorithm to reduce the basis. (C) 2008 Elsevier Inc. All rights reserved.
We analyze the Lagarias-Odlyzko low-density attack precisely, and show that this low-density attack can be applied to the Chor-Rivest and the Okamoto-Tanaka-Uchiyama cryptosystems, which are considered to be secure against the low-density attack. According to our analysis, these schemes turn out to be no longer secure against the low-density attack.
In this paper, we investigate the security property of RSA when some middle bits of the private key $d$ are known to an attacker. Using the technique of unravelled linearization, we present a new attack on RSA with known middle bits, which improves a previous result under certain circumstances. Our approach is based on Coppersmith's method for finding small roots of modular polynomial equations.
Reduction can be important to aid quickly attaining the integer least squares (ILS) estimate from noisy data. We present an improved LLL algorithm with fixed complexity by extending a parallel reduction method for positive definite quadratic forms to lattice vectors. We propose the minimum angle of a reduced basis as an alternative quality measure of orthogonality, which is intuitively more appealing to measure the extent of orthogonality of a reduced basis. Although the LLL algorithm and its variants have been widely used in practice, experimental simulations were only carried out recently and limited to the quality measures of the Hermite factor, practical running behaviors and reduced Gram-Schmidt coefficients. We conduct a large scale of experiments to comprehensively evaluate and compare five reduction methods for decorrelating ILS problems, including the LLL algorithm, its variant with deep insertions and our improved LLL algorithm with fixed complexity, based on six quality measures of reduction. We use the results of the experiments to investigate the mean running behaviors of the LLL algorithm and its variants with deep insertions and the sorted QR ordering, respectively. The improved LLL algorithm with fixed complexity is shown to perform as well as the LLL algorithm with deep insertions with respect to the quality measures on length reduction but significantly better than this LLL variant with respect to the other quality measures. In particular, our algorithm is of fixed complexity, but the LLL algorithm with deep insertions could seemingly not be terminated in polynomial time of the dimension of an ILS problem. It is shown to perform much better than the other three reduction methods with respect to all the six quality measures. More than six million of the reduced Gram-Schmidt coefficients from each of the five reduction methods clearly show that they are not uniformly distributed but depend on the reduction algorithms used. The simulation results of
Let $f(X, Y) \in \mathbb{Z}[X, Y]$ be an irreducible polynomial over $\mathbb{Q}$. We give a Las Vegas absolute irreducibility test based on a property of the Newton polytope of $f$, or more precisely, of $f$ modulo some prime integer $p$. The same idea of choosing a $p$ satisfying some prescribed properties together with LLL is used to provide a new strategy for absolute factorization of $f(X, Y)$. We present our approach in the bivariate case but the techniques extend to the multivariate case. Maple computations show that it is efficient and promising as we are able to construct the algebraic extension containing one absolute factor of a polynomial of degree up to 400. (C) 2010 Elsevier Ltd. All rights reserved.
Let $\alpha$ be a totally positive algebraic integer of degree $d$, with conjugates $\alpha_1 = \alpha, \alpha_2, \ldots, \alpha_d$. The absolute $S_k$-measure of $\alpha$ is defined by $s_k(\alpha) = d^{-1} \sum_{i=1}^{d} \alpha_i^k$. We compute the lower bounds $v_k$ of $s_k(\alpha)$ for each integer in the range $2 \le k \le 15$ and give a conjecture on the results for integers $k > 15$. Then we derive the lower bounds of $s_k(\alpha)$ for all real numbers $k > 2$. Our computation is based on an improvement in the application of the LLL algorithm and analysis of the polynomials in the explicit auxiliary functions.
In this paper we address the task of finding well approximating lattices for a given finite set $A$ of points in $\mathbb{R}^n$ motivated by practical texture analytic problems. More precisely, we search for $o, d_1, \ldots, d_n \in \mathbb{R}^n$ such that $a - o$ is close to $\Lambda = d_1\mathbb{Z} + \cdots + d_n\mathbb{Z}$ for every $a \in A$. First we deal with the one-dimensional case, where we show that in a sense the results are almost the best possible. These results easily extend to the multi-dimensional case where the directions of the axes are given, too. Thereafter we treat the general multidimensional case. Our method relies on the LLL algorithm. Finally, we apply the least squares algorithm to optimize the results. We give several examples to illustrate our approach.
For the Fibonacci sequence the identity $F_n^2 + F_{n+1}^2 = F_{2n+1}$ holds for all $n \ge 0$. Let $X := (X_l)_{l \ge 1}$ be the sequence of $X$-coordinates of the positive integer solutions $(X, Y)$ of the Pell equation $X^2 - dY^2 = \pm 1$ corresponding to a nonsquare integer $d > 1$. In this paper, we investigate all positive nonsquare integers $d$ for which there are at least two positive integers $X$ and $X'$ of $X$ having a representation as the sum of xth powers of two consecutive terms of a Lucas sequence. Then we solve this problem for Fibonacci numbers.
The integer least squares (ILS) problem, also known as the weighted closest point problem, is highly interdisciplinary, but no algorithm can find its global optimal integer solution in polynomial time. We first outline two suboptimal integer solutions, which can be important either in real time communication systems or to solve high dimensional GPS integer ambiguity unknowns. We then focus on the most efficient algorithm to search for the exact integer solution, which is shown to be faster than LAMBDA in the sense that the ratio of integer candidates to be checked by the efficient algorithm to those by LAMBDA can be theoretically expressed by $r^m$ where $r \le 1$ and $m$ is the number of integer unknowns. Finally, we further improve the searching efficiency of the most powerful combined algorithm by implementing two sorting strategies, which can either be used for finding the exact integer solution or for constructing a suboptimal integer solution. Test examples clearly demonstrate that the improved methods can perform significantly better than the most powerful combined algorithm to simultaneously find the optimal and second optimal integer solutions, if the ILS problem cannot be well reduced.