The integer least squares problem is known to be NP-hard, and algorithms such as sphere decoding, which give the optimal solution, are usually too slow. To obtain a solution efficiently one may use one of the suboptimal algorithms, such as ordered successive interference cancellation (OSIC) or LLL-aided OSIC, which first modifies the system of equations using the LLL algorithm of Lenstra, Lenstra and Lovász. Depending on the application, however, even these suboptimal algorithms may not be fast enough. In this paper we present two decoupling techniques to speed up the LLL-aided OSIC algorithm. Our LLL-aided decoupled OSIC algorithm, which is applicable to clustered integer least squares problems, has accuracy comparable to the ordinary LLL-aided OSIC algorithm (without decoupling) but is much faster than either the OSIC algorithm or the LLL-aided OSIC algorithm. Copyright (C) 2011 John Wiley & Sons, Ltd.
We discuss the security of the improved knapsack cryptosystem proposed by Kobayashi and Kimura. Two attacks on their cryptosystem are proposed: one recovers the secret keys from the public keys using continued fractions, and the other decrypts the ciphertext without knowing the secret keys. We show that their cryptosystem is not secure against these attacks.
Let $N = pq$ be the product of two large primes. Consider CRT-RSA (Chinese remainder theorem RSA, after Rivest, Shamir and Adleman) with public encryption exponent $e$ and private decryption exponents $d_p$, $d_q$. It is well known that given either $d_p$ or $d_q$ (or both), one can factorise $N$ in probabilistic $\mathrm{poly}(\log N)$ time with success probability almost equal to 1. Although this serves all practical purposes, from a theoretical point of view it is not a deterministic polynomial-time algorithm. In this paper we present a lattice-based deterministic $\mathrm{poly}(\log N)$-time algorithm that uses both $d_p$ and $d_q$ (in addition to the public information $e$, $N$) to factorise $N$ for certain ranges of $d_p$, $d_q$. We stress that proving the equivalence for all values of $d_p$, $d_q$ may be a nontrivial task.
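The "well known" probabilistic factoring step, as an added worked example (this is not the paper's lattice-based deterministic algorithm, which the code below does not implement): because $e d_p \equiv 1 \pmod{p-1}$, every base $a$ satisfies $a^{e d_p} \equiv a \pmod p$, so $\gcd(a^{e d_p} - a, N)$ exposes $p$ unless the same congruence also happens to hold modulo $q$, which is why the method is probabilistic. The primes and the exponent are small constructed values so the script runs instantly, and the fixed RNG seed is an assumption made only for reproducibility.

```python
"""Factor N = pq from a leaked CRT exponent d_p (added example, not from the paper).

Constructed toy parameters: p = 1000003 and q = 999983 are ~20-bit primes,
e = 65537 as in practice.  Plain Python 3.8+ (pow(x, -1, m) for inverses).
"""
import random
from math import gcd


def crt_rsa_keygen(p, q, e):
    """Return (N, e, d_p, d_q); p, q assumed prime and e invertible mod p-1 and q-1."""
    return p * q, e, pow(e, -1, p - 1), pow(e, -1, q - 1)


def factor_from_crt_exponent(n, e, dp, trials=64, seed=None):
    """Probabilistic poly(log N) factoring of N from a single CRT exponent.

    e*d_p = 1 + k(p-1), so by Fermat a^(e*d_p) = a (mod p) for every a.
    The same congruence rarely holds mod q, so gcd(a^(e*d_p) - a, N) is
    almost always p.  Returns (smaller factor, larger factor), or None if
    every trial produced a trivial gcd.
    """
    rng = random.Random(seed)          # seed is only for reproducible demos
    for _ in range(trials):
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)                  # a sharing a factor with N is already a win
        if g == 1:
            g = gcd((pow(a, e * dp, n) - a) % n, n)
        if 1 < g < n:
            return min(g, n // g), max(g, n // g)
    return None


def demo():
    n, e, dp, dq = crt_rsa_keygen(1000003, 999983, 65537)
    from_dp = factor_from_crt_exponent(n, e, dp, seed=1)
    from_dq = factor_from_crt_exponent(n, e, dq, seed=2)   # d_q works the same way
    return from_dp, from_dq


if __name__ == "__main__":
    print(demo())
```

The failure probability of a single trial is roughly $\gcd(k(p-1),\,q-1)/q$, which for random primes is negligible; that residual chance is exactly the gap between "success probability almost 1" and the deterministic guarantee the paper is after.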
The knapsack problem is a famous NP-complete problem, which is believed to be hard even for a quantum computer; hence this type of cryptosystem is a candidate for post-quantum cryptography. Recently, many new knapsack-based cryptosystems have been proposed. The basic operations of all of them are superincreasing sequences and modular multiplication, the same as in the basic Merkle-Hellman cryptosystem. In this paper we revisit and present an improved version of Shamir's attack on the basic Merkle-Hellman cryptosystem; the new idea should help in estimating the security of the new knapsack-based cryptosystems. The main tool of our attack is the orthogonal lattice technique. More precisely, we first obtain a sublattice containing the private key vector by computing the orthogonal lattice of the public key vector. Combined with the necessary conditions on equivalent keys, this lets us easily recover several groups of equivalent keys. The time complexity of our new attack is lower than that of Shamir's. The feasibility of the attack is validated by experimental data.
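The two basic operations named in the abstract, and the notion of an equivalent key that the attack exploits, as an added illustration (this is not code from the paper, and it does not implement the orthogonal-lattice attack). The key is a constructed five-element toy; the equivalent-key search is an exhaustive search over small moduli, used only to make the notion concrete, whereas the paper finds such keys with lattice reduction. Any pair $(w', m')$ that maps the public key to a superincreasing sequence with sum below $m'$ decrypts every ciphertext, so the attacker never needs the genuine trapdoor.

```python
"""Merkle-Hellman knapsack with an equivalent-key search (added example, not from the paper).

Constructed toy key: PRIVATE_SEQ is superincreasing (each term exceeds the sum of
all earlier terms), MODULUS exceeds the sum, MULTIPLIER is coprime to MODULUS.
"""
from math import gcd

PRIVATE_SEQ = [2, 3, 7, 15, 31]   # superincreasing, sum = 58
MODULUS = 61                       # > 58
MULTIPLIER = 17                    # gcd(17, 61) = 1; its inverse mod 61 is 18


def is_superincreasing(seq):
    total = 0
    for a in seq:
        if a <= total:
            return False
        total += a
    return True


def public_key(seq=PRIVATE_SEQ, m=MODULUS, w=MULTIPLIER):
    """Modular multiplication is what hides the superincreasing structure."""
    assert is_superincreasing(seq) and sum(seq) < m and gcd(w, m) == 1
    return [(w * a) % m for a in seq]


def encrypt(pub, bits):
    """Ciphertext is the subset sum of the public sequence selected by the message bits."""
    return sum(b for b, x in zip(pub, bits) if x)


def decrypt_with(seq, m, w_inv, c):
    """Decrypt under a trapdoor (seq, m, w_inv): undo the multiplication, then greedy-decode
    the superincreasing sequence from the largest term downwards."""
    target = (w_inv * c) % m
    bits = [0] * len(seq)
    for i in range(len(seq) - 1, -1, -1):
        if seq[i] <= target:
            bits[i] = 1
            target -= seq[i]
    return bits if target == 0 else None


def equivalent_keys(pub, max_modulus):
    """All (w', m') with m' <= max_modulus such that w'*pub mod m' is superincreasing
    with sum < m'.  Each such pair is a valid trapdoor: w'*c mod m' then equals the
    subset sum of the transformed sequence exactly, so greedy decoding recovers the bits.
    Exhaustive search, for illustration only; the paper obtains these keys via lattices."""
    keys = []
    for m2 in range(2, max_modulus + 1):
        for w2 in range(1, m2):
            seq2 = [(w2 * b) % m2 for b in pub]
            if is_superincreasing(seq2) and sum(seq2) < m2:
                keys.append((w2, m2))
    return keys


def all_keys_decrypt(pub, keys, bits):
    """True if every candidate trapdoor decrypts encrypt(pub, bits) back to bits."""
    c = encrypt(pub, bits)
    return all(decrypt_with([(w * b) % m for b in pub], m, w, c) == bits for w, m in keys)


if __name__ == "__main__":
    pub = public_key()
    keys = equivalent_keys(pub, 200)
    print(pub, len(keys), keys[:5], all_keys_decrypt(pub, keys, [1, 0, 1, 1, 0]))
```

The genuine trapdoor $(18, 61)$ is only one of the keys found; a scaled pair such as $(36, 122)$ works equally well, which is why Shamir's attack, and the improved version in the paper, only needs to land anywhere in the set of equivalent keys rather than on the one the key owner generated.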
In this paper we analyze the security of the RSA public key cryptosystem when multiple encryption and decryption exponents are used with the same RSA modulus $N$. We consider $N = pq$ where $p$, $q$ are of the same bit size, i.e. $q < p < 2q$. We show that if $n$ decryption exponents $(d_1, \ldots, d_n)$ are used with the same $N$, then RSA is insecure when $d_i < N^{(3n-1)/(4n+4)}$ for all $i$, $1 \le i \le n$, and $n \ge 2$. Our result improves the bound of Howgrave-Graham and Seifert (CQRE 1999) for $n \le 42$ and also generalizes our recent work for $n = 2$ (IPL 2010). (C) 2010 Elsevier B.V. All rights reserved.
In this paper we obtain a new estimate for the irrationality measure of the number $\log 3$. We prove $\mu(\log 3) \le 5.1163051$ with an "arithmetical method". The previous results were $\mu(\log 3) \le 8.616\ldots$ by G. Rhin in 1987 and $\mu(\log 3) \le 5.125\ldots$ by V. H. Salikhov in 2007. (C) 2014 Elsevier Inc. All rights reserved.
Livernet and Loday constructed a polarization of the nonsymmetric associative operad A with one operation into a symmetric operad SA with two operations (the Lie bracket and Jordan product), and defined a one-parameter deformation of SA, which includes Poisson algebras. We combine this with the dendriform splitting of an associative operation into the sum of two nonassociative operations, and use Koszul duality for quadratic operads, to construct one-parameter deformations of the nonsymmetric dendriform and diassociative operads into the category of symmetric operads.
For a totally positive algebraic integer $\alpha \ne 0, 1$ of degree $d$, we consider the set $R$ of values of $L(\alpha)^{1/d} = R(\alpha)$ and the set $L$ of values of $M(\alpha)^{1/d} = \Omega(\alpha)$, where $L(\alpha)$ is the length of $\alpha$ and $M(\alpha)$ is the Mahler measure of $\alpha$. In this paper we prove that all but finitely many totally positive algebraic integers $\alpha$ have $R(\alpha) \ge 2.364950$ and $\Omega(\alpha) \ge 1.721916$. The computation uses a family of explicit auxiliary functions; we note that several polynomials with complex roots are used to construct these functions. We also find eight totally positive irreducible polynomials with absolute length greater than 2.364950 and less than 2.37. (C) 2012 Elsevier Inc. All rights reserved.
Let $(n = pq,\ e = n^{\beta})$ be an RSA public key with private exponent $d = n^{\delta}$, where $p$ and $q$ are large primes of the same bit size. At Eurocrypt '96, Coppersmith presented a polynomial-time algorithm, based on lattice reduction, for finding small roots of univariate modular equations, and used it to factor the RSA modulus. Since then, a series of attacks on the RSA key equation $ed - k\varphi(n) = 1$ have been presented. In this paper we show that many of these attacks can be unified into a single attack using a new notion called Coppersmith's interval. We determine a Coppersmith's interval for a given RSA public key $(n, e)$; the interval is valid for any variant of RSA, such as Multi-Prime RSA, that uses the key equation. We then show that RSA is insecure if
$$\delta < \beta + \frac{1}{3}\alpha - \frac{1}{3}\sqrt{12\alpha\beta + 4\alpha^{2}},$$
provided that we have an approximation $p_0 \ge \sqrt{n}$ of $p$ with $|p - p_0| \le \frac{1}{2} n^{\alpha}$, $\alpha \le \frac{1}{2}$. The attack is an extension of Coppersmith's result.
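As an added sanity check of the bound (not part of the abstract): the case in which nothing beyond the public key is known corresponds to $\alpha = 1/2$, since for $q < p < 2q$ one has $\sqrt{n} < p < \sqrt{2n}$, so $p_0 = \lceil \sqrt{n}\, \rceil$ already satisfies $|p - p_0| \le \frac{1}{2} n^{1/2}$. Substituting $\alpha = 1/2$ gives

$$\delta < \beta + \frac{1}{6} - \frac{1}{3}\sqrt{6\beta + 1},$$

and for a full-size public exponent, $\beta = 1$,

$$\delta < \frac{7}{6} - \frac{\sqrt{7}}{3} \approx 0.284,$$

which is the Boneh-Durfee small-private-exponent bound $d < n^{0.284}$, consistent with the abstract's claim that the earlier key-equation attacks are special cases. A smaller $\alpha$ (a better approximation of $p$) enlarges the admissible range of $\delta$: at $\beta = 1$ the right-hand side is $1 + \frac{\alpha}{3} - \frac{1}{3}\sqrt{12\alpha + 4\alpha^{2}}$, which increases to $1$ as $\alpha \to 0$, i.e. as $p$ becomes fully known.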
In the present paper we show how to speed up lattice parameter searches for Monte Carlo and quasi-Monte Carlo node sets. The classical measure for such parameter searches is the spectral test, which is based on computing the shortest nonzero vector of a lattice. Instead of the shortest vector we apply the approximation given by the LLL algorithm for lattice basis reduction. We empirically demonstrate the speed-up and the quality loss incurred by the LLL reduction, and we present important applications to parameter selection.
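The trade-off the abstract describes, as an added example (not the paper's code): a pure-Python LLL run on the dual lattice of a linear congruential generator, compared against the classical exhaustive shortest-vector computation. The generator parameters $m = 100$, $a = 21$ (and the degenerate multiplier $a = 1$) are constructed toy values chosen so the exhaustive check finishes instantly; Knuth's spectral test figure $\nu_t$ and the dual-lattice basis used below are standard, but the function names are this example's own.

```python
"""Spectral test via LLL (added example, not from the paper).

Constructed input: a toy LCG x_{i+1} = a*x_i mod m with m = 100, a = 21.
Knuth's spectral test nu_t is the length of the shortest nonzero integer vector
(h_0, ..., h_{t-1}) with h_0 + a*h_1 + ... + a^(t-1)*h_{t-1} = 0 (mod m); larger
is better.  LLL yields a short vector of that lattice, i.e. an upper bound on
nu_t that is exact in dimension 2.  Fraction arithmetic: fine for small t only.
"""
from fractions import Fraction
from itertools import product
from math import isqrt


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gram_schmidt(b):
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(b[i])
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL; Gram-Schmidt is recomputed after every change (simple, small n only)."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [bk - q * bj for bk, bj in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lhs = dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:                            # Lovász condition holds: advance
            k += 1
        else:                                     # otherwise swap and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def dual_lattice_basis(m, a, t):
    """Basis of {h in Z^t : sum_i h_i a^i = 0 mod m}: (m,0,...,0) and (-a^i mod m) e_0 + e_i."""
    rows = [[m] + [0] * (t - 1)]
    for i in range(1, t):
        row = [0] * t
        row[0], row[i] = -pow(a, i, m), 1
        rows.append(row)
    return rows


def in_dual_lattice(m, a, h):
    return sum(hi * pow(a, i, m) for i, hi in enumerate(h)) % m == 0


def spectral_test_lll(m, a, t):
    """Squared length of the shortest vector in the LLL-reduced basis (>= nu_t^2), and that vector."""
    best = min(lll(dual_lattice_basis(m, a, t)), key=lambda v: dot(v, v))
    return dot(best, best), best


def spectral_test_exact(m, a, t):
    """The classical measure: exhaustive search, boxed by the LLL value (nu_t^2 cannot exceed it)."""
    bound, _ = spectral_test_lll(m, a, t)
    radius = isqrt(bound)
    best = bound
    for h in product(range(-radius, radius + 1), repeat=t):
        if any(h) and in_dual_lattice(m, a, h):
            best = min(best, dot(h, h))
    return best


if __name__ == "__main__":
    for a in (21, 1):                             # a = 1 is a degenerate multiplier
        for t in (2, 3):
            print(a, t, spectral_test_lll(100, a, t), spectral_test_exact(100, a, t))
```

In dimension 2 the LLL value equals $\nu_2^2$ (LLL reduces to Gauss reduction there); in higher dimensions it is an upper bound within the usual LLL approximation factor, which is exactly the "quality loss" the paper measures. The degenerate multiplier $a = 1$ shows the test doing its job: its dual lattice contains $(1, -1)$, so $\nu_2^2 = 2$ and the generator is rejected immediately.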