August  2021, 15(3): 441-469. doi: 10.3934/amc.2020076

Finding small solutions of the equation $ \mathit{{Bx-Ay = z}} $ and its applications to cryptanalysis of the RSA cryptosystem

1. 

National Innovation Institute of Defense Technology, Beijing 100071, China

2. 

College of Liberal Arts and Sciences, National University of Defense Technology, Changsha 410073, China

3. 

State Key Laboratory of Cryptology, Beijing 100878, China

4. 

College of Computer National University of Defense Technology, Changsha 410073, China

5. 

College of Information Science and Technology/Collage of Cyber Security, Jinan University, Guangzhou 510632, China

* Corresponding Author: Longjiang Qu

Received  September 2019 Published  April 2020

In this paper, we study the condition of finding small solutions $ (x,y,z) = (x_0, y_0, z_0) $ of the equation $ Bx-Ay = z $. The framework is derived from Wiener's small private exponent attack on RSA and May-Ritzenhofen's investigation about the implicit factorization problem, both of which can be generalized to solve the above equation. We show that these two methods, together with Coppersmith's method, are equivalent for solving $ Bx-Ay = z $ in the general case. Then based on Coppersmith's method, we present two improvements for solving $ Bx-Ay = z $ in some special cases. The first improvement pays attention to the case where either $ \gcd(x_0,z_0,A) $ or $ \gcd(y_0,z_0,B) $ is large enough. As the applications of this improvement, we propose some new cryptanalysis of RSA, such as new results about the generalized implicit factorization problem, attacks with known bits of the prime factor, and so on.

Citation: Shixiong Wang, Longjiang Qu, Chao Li, Shaojing Fu, Hao Chen. Finding small solutions of the equation $ \mathit{{Bx-Ay = z}} $ and its applications to cryptanalysis of the RSA cryptosystem. Advances in Mathematics of Communications, 2021, 15 (3) : 441-469. doi: 10.3934/amc.2020076
References:
[1]

Y. Aono, A new lattice construction for partial key exposure attack for RSA, Public Key Cryptography-PKC 2009, Springer Berlin Heidelberg, (2009), 34–53. Google Scholar

[2]

J. Blömer and A. May, New partial key exposure attacks on RSA, Advances in Cryptology - CRYPTO 2003, Lecture Notes in Comput. Sci., Springer, Berlin, 2729 (2003), 27-43.  doi: 10.1007/978-3-540-45146-4_2.  Google Scholar

[3]

D. Boneh and G. Durfee, Cryptanalysis of RSA with private key $d$ less than $N^{0.292}$, Advances in Cryptology - EUROCRYPT '99 (Prague), Lecture Notes in Comput. Sci. Springer, Berlin, 1592 (1999), 1-11.  doi: 10.1007/3-540-48910-X_1.  Google Scholar

[4]

D. BonehG. Durfee and Y. Frankel, An attack on RSA given a small fraction of the private key bits, Advances in Cryptology - ASIACRYPT'98 (Beijing), Lecture Notes in Comput. Sci., Springer, Berlin, 1514 (1998), 25-34.  doi: 10.1007/3-540-49649-1_3.  Google Scholar

[5]

D. Coppersmith, Finding a small root of a univariate modular equation, Advances in Cryptology - EUROCRYPT '96 (Saragossa, 1996), Lecture Notes in Comput. Sci., Springer, Berlin, 1070 (1996), 155-165.  doi: 10.1007/3-540-68339-9_14.  Google Scholar

[6]

D. Coppersmith, Finding a small root of a bivariate integer equation, factoring with high bits known, Advances in Cryptology - EUROCRYPT '96 (Saragossa, 1996), Lecture Notes in Comput. Sci., Springer, Berlin, 1070 (1996), 178-189.  doi: 10.1007/3-540-68339-9_16.  Google Scholar

[7]

D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, Journal of Cryptology, 10 (1997), 233-260.  doi: 10.1007/s001459900030.  Google Scholar

[8]

J.-S. Coron, Finding small roots of bivariate integer polynomial equations revisited, Advances in Cryptology - EUROCRYPT 2004, Lecture Notes in Comput. Sci., Springer, Berlin, 3027 (2004), 492-505.  doi: 10.1007/978-3-540-24676-3_29.  Google Scholar

[9]

J.-S. Coron and A. May, Deterministic polynomial-time equivalence of computing the RSA secret key and factoring, Journal of Cryptology, 20 (2007), 39-50.  doi: 10.1007/s00145-006-0433-6.  Google Scholar

[10]

B. De Weger, Cryptanalysis of RSA with small prime difference, Appl. Algebra Engrg. Comm. Comput., 13 (2002), 17-28.  doi: 10.1007/s002000100088.  Google Scholar

[11]

M. ErnstE. JochemszA. May and B. de Weger, Partial key exposure attacks on RSA up to full size exponents, Advances in Cryptology - EUROCRYPT 2005, Lecture Notes in Comput. Sci., Springer, Berlin, 3494 (2005), 371-386.  doi: 10.1007/11426639_22.  Google Scholar

[12]

J. C. FaugèreR. Marinier and G. Renault, Implicit factoring with shared most significant and middle bits, Public Key Cryptography - PKC 2010, Lecture Notes in Comput. Sci., Springer, Berlin, 6056 (2010), 70-87.  doi: 10.1007/978-3-642-13013-7_5.  Google Scholar

[13]

G. H. Hardy and E. M. Wright, An Introduction to the Theory of Numbers, Fifth edition, The Clarendon Press, Oxford University Press, New York, 1979.  Google Scholar

[14]

M. Herrmann and A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, Public Key Cryptography - PKC 2010, Lecture Notes in Comput. Sci., Springer, Berlin, 6056 (2010), 53-69.  doi: 10.1007/978-3-642-13013-7_4.  Google Scholar

[15]

N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Cryptography and Coding (Cirencester, 1997), Lecture Notes in Comput. Sci., Springer, Berlin, 1355 (1997), 131-142.  doi: 10.1007/BFb0024458.  Google Scholar

[16]

N. Howgrave-Graham, Approximate integer common divisors, Cryptography and Lattices (Providence, RI, 2001), Lecture Notes in Comput. Sci., Springer, Berlin, 2146 (2001), 51-66.  doi: 10.1007/3-540-44670-2_6.  Google Scholar

[17]

A. Joux, Algorithmic Cryptanalysis, Chapman & Hall/CRC Cryptography and Network Security, CRC Press, Boca Raton, FL, 2009. doi: 10.1201/9781420070033.  Google Scholar

[18]

S. Kumar and C. Narasimham, Cryptanalysis of RSA with small prime difference using unravelled linearization, International Journal of Computer Applications, 61 (2013). Google Scholar

[19]

A. K. LenstraH. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, 261 (1982), 515-534.  doi: 10.1007/BF01457454.  Google Scholar

[20]

Y. LuL. Q. PengR. ZhangL. Hu and D. D. Lin, Towards optimal bounds for implicit factorization problem, Selected Areas in Cryptography - SAC 2015, Lecture Notes in Comput. Sci., Springer, [Cham], 9566 (2016), 462-476.  doi: 10.1007/978-3-319-31301-6_26.  Google Scholar

[21]

Y. LuR. Zhang and D. Lin, Improved bounds for the implicit factorization problem, Advances in Mathematics of Communications, 7 (2013), 243-251.  doi: 10.3934/amc.2013.7.243.  Google Scholar

[22]

Y. LuR. ZhangL. Q. Peng and D. D. Lin, Solving linear equations modulo unknown divisors: Revisited, Advances in Cryptology - ASIACRYPT 2015. Part Ⅰ, Lecture Notes in Comput. Sci., Springer, Heidelberg, 9452 (2015), 189-213.  doi: 10.1007/978-3-662-48797-6_9.  Google Scholar

[23]

A. May, New RSA Vulnerabilities Using Lattice Reduction Methods, Dissertation for Ph.D. Degree, University of Paderborn, 2003. Google Scholar

[24]

A. May, Computing the RSA secret key is deterministic polynomial time equivalent to factoring, Advances in Cryptology - CRYPTO 2004, Lecture Notes in Comput. Sci., Springer, Berlin, 3152 (2004), 213-219.  doi: 10.1007/978-3-540-28628-8_13.  Google Scholar

[25]

A. May and M. Ritzenhofen, Implicit factoring: On polynomial time factoring given only an implicit hint, Public Key Cryptography - PKC 2009, Lecture Notes in Comput. Sci., Springer, Berlin, 5443 (2009), 1-14.  doi: 10.1007/978-3-642-00468-1_1.  Google Scholar

[26] C. D. Meyer, Matrix Analysis and Applied Linear Algebra, Cambridge University Press, Cambridge, 2000.   Google Scholar
[27]

H. Minkowski, Geometrie der Zahlen, Bibliotheca Mathematica Teubneriana, Band 40 Johnson Reprint Corp., New York-London, 1968.  Google Scholar

[28]

A. Nitaj and M. R. K. Ariffin, Implicit factorization of unbalanced RSA moduli, Journal of Applied Mathematics and Computing, 48 (2015), 349-363.  doi: 10.1007/s12190-014-0806-1.  Google Scholar

[29]

A. Nitaj, A new attack on RSA and CRT-RSA, Progress in Cryptology-AFRICACRYPT 2012, Lecture Notes in Comput. Sci., Springer, Heidelberg, 7374 (2012), 221-233.  doi: 10.1007/978-3-642-31410-0_14.  Google Scholar

[30]

L. Peng, L. Hu, Z. Huang and et al., Partial prime factor exposure attacks on RSA and its Takagi's variant, International Conference on Information Security Practice and Experience-ISPEC 2015, Springer International Publishing, (2015), 96–108. Google Scholar

[31]

L. Peng, L. Hu, Y. Lu and et al., Implicit factorization of RSA moduli revisited (short paper), International Workshop on Security-IWSEC 2015, Springer International Publishing, (2015), 67–76. Google Scholar

[32]

L. Q. PengL. HuJ. XuZ. J. Huang and Y. H. Xie, Further improvement of factoring RSA moduli with implicit hint, Progress in Cryptology - AFRICACRYPT 2014, Lecture Notes in Comput. Sci., Springer, Cham, 8469 (2014), 165-177.  doi: 10.1007/978-3-319-06734-6_11.  Google Scholar

[33]

R. L. RivestA. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, 21 (1978), 120-126.  doi: 10.1145/359340.359342.  Google Scholar

[34]

S. Sarkar, Partial key exposure: Generalized framework to attack RSA, Progress in Cryptology - INDOCRYPT 2011, Lecture Notes in Comput. Sci., Springer, Heidelberg, 7107 (2011), 76-92.  doi: 10.1007/978-3-642-25578-6_7.  Google Scholar

[35]

S. SarkarS. Sen Gupta and S. Maitra, Partial key exposure attack on RSA - improvements for limited lattice dimensions, Progress in Cryptology - INDOCRYPT 2010, Lecture Notes in Comput. Sci., Springer, Berlin, 6498 (2010), 2-16.  doi: 10.1007/978-3-642-17401-8_2.  Google Scholar

[36]

S. Sarkar and S. Maitra, Improved partial key exposure attacks on RSA by guessing a few bits of one of the prime factors, Information Security and Cryptology - ICISC 2008, Lecture Notes in Comput. Sci., Springer, Berlin, 5461 (2009), 37-51.  doi: 10.1007/978-3-642-00730-9_3.  Google Scholar

[37]

S. Sarkar and S. Maitra, Approximate integer common divisor problem relates to implicit factorization, IEEE Transactions on Information Theory, 57 (2011), 4002-4013.  doi: 10.1109/TIT.2011.2137270.  Google Scholar

[38]

A. Takayasu and N. Kunihiro, Partial key exposure attacks on RSA: Achieving the Boneh-Durfee bound, Selected Areas in Cryptography - SAC 2014, Lecture Notes in Comput. Sci., Springer, Cham, 8781 (2014), 345-362.  doi: 10.1007/978-3-319-13051-4_21.  Google Scholar

[39]

S. Wang, L. Qu, C. Li and et al., Generalized framework to attack RSA with special exposed bits of the private key, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 100 (2017), 2113-2122. Google Scholar

[40]

M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, 36 (1990), 553-558.  doi: 10.1109/18.54902.  Google Scholar

show all references

References:
[1]

Y. Aono, A new lattice construction for partial key exposure attack for RSA, Public Key Cryptography-PKC 2009, Springer Berlin Heidelberg, (2009), 34–53. Google Scholar

[2]

J. Blömer and A. May, New partial key exposure attacks on RSA, Advances in Cryptology - CRYPTO 2003, Lecture Notes in Comput. Sci., Springer, Berlin, 2729 (2003), 27-43.  doi: 10.1007/978-3-540-45146-4_2.  Google Scholar

[3]

D. Boneh and G. Durfee, Cryptanalysis of RSA with private key $d$ less than $N^{0.292}$, Advances in Cryptology - EUROCRYPT '99 (Prague), Lecture Notes in Comput. Sci. Springer, Berlin, 1592 (1999), 1-11.  doi: 10.1007/3-540-48910-X_1.  Google Scholar

[4]

D. BonehG. Durfee and Y. Frankel, An attack on RSA given a small fraction of the private key bits, Advances in Cryptology - ASIACRYPT'98 (Beijing), Lecture Notes in Comput. Sci., Springer, Berlin, 1514 (1998), 25-34.  doi: 10.1007/3-540-49649-1_3.  Google Scholar

[5]

D. Coppersmith, Finding a small root of a univariate modular equation, Advances in Cryptology - EUROCRYPT '96 (Saragossa, 1996), Lecture Notes in Comput. Sci., Springer, Berlin, 1070 (1996), 155-165.  doi: 10.1007/3-540-68339-9_14.  Google Scholar

[6]

D. Coppersmith, Finding a small root of a bivariate integer equation, factoring with high bits known, Advances in Cryptology - EUROCRYPT '96 (Saragossa, 1996), Lecture Notes in Comput. Sci., Springer, Berlin, 1070 (1996), 178-189.  doi: 10.1007/3-540-68339-9_16.  Google Scholar

[7]

D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, Journal of Cryptology, 10 (1997), 233-260.  doi: 10.1007/s001459900030.  Google Scholar

[8]

J.-S. Coron, Finding small roots of bivariate integer polynomial equations revisited, Advances in Cryptology - EUROCRYPT 2004, Lecture Notes in Comput. Sci., Springer, Berlin, 3027 (2004), 492-505.  doi: 10.1007/978-3-540-24676-3_29.  Google Scholar

[9]

J.-S. Coron and A. May, Deterministic polynomial-time equivalence of computing the RSA secret key and factoring, Journal of Cryptology, 20 (2007), 39-50.  doi: 10.1007/s00145-006-0433-6.  Google Scholar

[10]

B. De Weger, Cryptanalysis of RSA with small prime difference, Appl. Algebra Engrg. Comm. Comput., 13 (2002), 17-28.  doi: 10.1007/s002000100088.  Google Scholar

[11]

M. ErnstE. JochemszA. May and B. de Weger, Partial key exposure attacks on RSA up to full size exponents, Advances in Cryptology - EUROCRYPT 2005, Lecture Notes in Comput. Sci., Springer, Berlin, 3494 (2005), 371-386.  doi: 10.1007/11426639_22.  Google Scholar

[12]

J. C. FaugèreR. Marinier and G. Renault, Implicit factoring with shared most significant and middle bits, Public Key Cryptography - PKC 2010, Lecture Notes in Comput. Sci., Springer, Berlin, 6056 (2010), 70-87.  doi: 10.1007/978-3-642-13013-7_5.  Google Scholar

[13]

G. H. Hardy and E. M. Wright, An Introduction to the Theory of Numbers, Fifth edition, The Clarendon Press, Oxford University Press, New York, 1979.  Google Scholar

[14]

M. Herrmann and A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, Public Key Cryptography - PKC 2010, Lecture Notes in Comput. Sci., Springer, Berlin, 6056 (2010), 53-69.  doi: 10.1007/978-3-642-13013-7_4.  Google Scholar

[15]

N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Cryptography and Coding (Cirencester, 1997), Lecture Notes in Comput. Sci., Springer, Berlin, 1355 (1997), 131-142.  doi: 10.1007/BFb0024458.  Google Scholar

[16]

N. Howgrave-Graham, Approximate integer common divisors, Cryptography and Lattices (Providence, RI, 2001), Lecture Notes in Comput. Sci., Springer, Berlin, 2146 (2001), 51-66.  doi: 10.1007/3-540-44670-2_6.  Google Scholar

[17]

A. Joux, Algorithmic Cryptanalysis, Chapman & Hall/CRC Cryptography and Network Security, CRC Press, Boca Raton, FL, 2009. doi: 10.1201/9781420070033.  Google Scholar

[18]

S. Kumar and C. Narasimham, Cryptanalysis of RSA with small prime difference using unravelled linearization, International Journal of Computer Applications, 61 (2013). Google Scholar

[19]

A. K. LenstraH. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, 261 (1982), 515-534.  doi: 10.1007/BF01457454.  Google Scholar

[20]

Y. LuL. Q. PengR. ZhangL. Hu and D. D. Lin, Towards optimal bounds for implicit factorization problem, Selected Areas in Cryptography - SAC 2015, Lecture Notes in Comput. Sci., Springer, [Cham], 9566 (2016), 462-476.  doi: 10.1007/978-3-319-31301-6_26.  Google Scholar

[21]

Y. LuR. Zhang and D. Lin, Improved bounds for the implicit factorization problem, Advances in Mathematics of Communications, 7 (2013), 243-251.  doi: 10.3934/amc.2013.7.243.  Google Scholar

[22]

Y. LuR. ZhangL. Q. Peng and D. D. Lin, Solving linear equations modulo unknown divisors: Revisited, Advances in Cryptology - ASIACRYPT 2015. Part Ⅰ, Lecture Notes in Comput. Sci., Springer, Heidelberg, 9452 (2015), 189-213.  doi: 10.1007/978-3-662-48797-6_9.  Google Scholar

[23]

A. May, New RSA Vulnerabilities Using Lattice Reduction Methods, Dissertation for Ph.D. Degree, University of Paderborn, 2003. Google Scholar

[24]

A. May, Computing the RSA secret key is deterministic polynomial time equivalent to factoring, Advances in Cryptology - CRYPTO 2004, Lecture Notes in Comput. Sci., Springer, Berlin, 3152 (2004), 213-219.  doi: 10.1007/978-3-540-28628-8_13.  Google Scholar

[25]

A. May and M. Ritzenhofen, Implicit factoring: On polynomial time factoring given only an implicit hint, Public Key Cryptography - PKC 2009, Lecture Notes in Comput. Sci., Springer, Berlin, 5443 (2009), 1-14.  doi: 10.1007/978-3-642-00468-1_1.  Google Scholar

[26] C. D. Meyer, Matrix Analysis and Applied Linear Algebra, Cambridge University Press, Cambridge, 2000.   Google Scholar
[27]

H. Minkowski, Geometrie der Zahlen, Bibliotheca Mathematica Teubneriana, Band 40 Johnson Reprint Corp., New York-London, 1968.  Google Scholar

[28]

A. Nitaj and M. R. K. Ariffin, Implicit factorization of unbalanced RSA moduli, Journal of Applied Mathematics and Computing, 48 (2015), 349-363.  doi: 10.1007/s12190-014-0806-1.  Google Scholar

[29]

A. Nitaj, A new attack on RSA and CRT-RSA, Progress in Cryptology-AFRICACRYPT 2012, Lecture Notes in Comput. Sci., Springer, Heidelberg, 7374 (2012), 221-233.  doi: 10.1007/978-3-642-31410-0_14.  Google Scholar

[30]

L. Peng, L. Hu, Z. Huang and et al., Partial prime factor exposure attacks on RSA and its Takagi's variant, International Conference on Information Security Practice and Experience-ISPEC 2015, Springer International Publishing, (2015), 96–108. Google Scholar

[31]

L. Peng, L. Hu, Y. Lu and et al., Implicit factorization of RSA moduli revisited (short paper), International Workshop on Security-IWSEC 2015, Springer International Publishing, (2015), 67–76. Google Scholar

[32]

L. Q. PengL. HuJ. XuZ. J. Huang and Y. H. Xie, Further improvement of factoring RSA moduli with implicit hint, Progress in Cryptology - AFRICACRYPT 2014, Lecture Notes in Comput. Sci., Springer, Cham, 8469 (2014), 165-177.  doi: 10.1007/978-3-319-06734-6_11.  Google Scholar

[33]

R. L. RivestA. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, 21 (1978), 120-126.  doi: 10.1145/359340.359342.  Google Scholar

[34]

S. Sarkar, Partial key exposure: Generalized framework to attack RSA, Progress in Cryptology - INDOCRYPT 2011, Lecture Notes in Comput. Sci., Springer, Heidelberg, 7107 (2011), 76-92.  doi: 10.1007/978-3-642-25578-6_7.  Google Scholar

[35]

S. SarkarS. Sen Gupta and S. Maitra, Partial key exposure attack on RSA - improvements for limited lattice dimensions, Progress in Cryptology - INDOCRYPT 2010, Lecture Notes in Comput. Sci., Springer, Berlin, 6498 (2010), 2-16.  doi: 10.1007/978-3-642-17401-8_2.  Google Scholar

[36]

S. Sarkar and S. Maitra, Improved partial key exposure attacks on RSA by guessing a few bits of one of the prime factors, Information Security and Cryptology - ICISC 2008, Lecture Notes in Comput. Sci., Springer, Berlin, 5461 (2009), 37-51.  doi: 10.1007/978-3-642-00730-9_3.  Google Scholar

[37]

S. Sarkar and S. Maitra, Approximate integer common divisor problem relates to implicit factorization, IEEE Transactions on Information Theory, 57 (2011), 4002-4013.  doi: 10.1109/TIT.2011.2137270.  Google Scholar

[38]

A. Takayasu and N. Kunihiro, Partial key exposure attacks on RSA: Achieving the Boneh-Durfee bound, Selected Areas in Cryptography - SAC 2014, Lecture Notes in Comput. Sci., Springer, Cham, 8781 (2014), 345-362.  doi: 10.1007/978-3-319-13051-4_21.  Google Scholar

[39]

S. Wang, L. Qu, C. Li and et al., Generalized framework to attack RSA with special exposed bits of the private key, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 100 (2017), 2113-2122. Google Scholar

[40]

M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, 36 (1990), 553-558.  doi: 10.1109/18.54902.  Google Scholar

28] for generalized IFP with shared MSBs or LSBs when $ \alpha_1^* \approx \alpha_2^* \approx \alpha^* ,\ \beta_1^* \approx \beta_2^* \approx 1- \alpha^* ,\ \delta_1^* \approx \delta_2^* \approx 0.1 $">Figure 1.  Comparison between our results and those in [28] for generalized IFP with shared MSBs or LSBs when $ \alpha_1^* \approx \alpha_2^* \approx \alpha^* ,\ \beta_1^* \approx \beta_2^* \approx 1- \alpha^* ,\ \delta_1^* \approx \delta_2^* \approx 0.1 $
Figure 2.  Our generalized result and possible improvement for the attack on RSA with known MSBs or LSBs of the prime factor
10,18] for the attack on RSA with a small difference of prime factors">Figure 3.  Comparison between the result of our Proposition 5.2 and that in [10,18] for the attack on RSA with a small difference of prime factors
Table 1.  Results for IFP and generalized IFP
IFP with shared MSBs or LSBs Generalized IFP with shared MSBs or LSBs
(For $ \alpha_1^* \approx \alpha_2^*,\ \beta_1^* \approx \beta_2^*,\ \delta_1^* = \delta_2^* = 0 $) (For any $ \alpha_1^*, \alpha_2^*, \beta_1^*, \beta_2^*, \delta_1^*, \delta_2^* $)
Results in [25] and [12]: $ t^* > 2 \beta_1^* $ Results in [28]: $ t^* > \beta_1^* + \beta_2^* + \delta_1^* + \delta_2^* $
Results in [20]: $ t^* > \frac{2\alpha_1^* \beta_1^*}{\alpha_1^*+\beta_1^*} $ Our results: $ t^* > \frac{\alpha_1^* \beta_1^*}{\alpha_1^*+\beta_1^*} + \frac{\alpha_2^*\beta_2^*}{\alpha_2^*+\beta_2^*} + \delta_1^* + \delta_2^* $
IFP with shared MSBs or LSBs Generalized IFP with shared MSBs or LSBs
(For $ \alpha_1^* \approx \alpha_2^*,\ \beta_1^* \approx \beta_2^*,\ \delta_1^* = \delta_2^* = 0 $) (For any $ \alpha_1^*, \alpha_2^*, \beta_1^*, \beta_2^*, \delta_1^*, \delta_2^* $)
Results in [25] and [12]: $ t^* > 2 \beta_1^* $ Results in [28]: $ t^* > \beta_1^* + \beta_2^* + \delta_1^* + \delta_2^* $
Results in [20]: $ t^* > \frac{2\alpha_1^* \beta_1^*}{\alpha_1^*+\beta_1^*} $ Our results: $ t^* > \frac{\alpha_1^* \beta_1^*}{\alpha_1^*+\beta_1^*} + \frac{\alpha_2^*\beta_2^*}{\alpha_2^*+\beta_2^*} + \delta_1^* + \delta_2^* $
Table 2.  Comparison between the result of our Proposition 5.1 (i.e. $ t_2^* > h(\beta^*,t_1^*) $) and that in [36] (i.e. $ t_2^* > g(\beta^*,t_1^*) $) for $ \beta^* = 0.700,0.650,0.600 $
$ t_1^* $ $ 0.000 $ $ 0.010 $ $ 0.020 $ $ 0.030 $ $ 0.040 $ $ 0.050 $ $ 0.060 $ $ 0.070 $ $ 0.080 $
$ g(0.700,t_1^*) $ $ 0.627 $ $ 0.614 $ $ 0.602 $ $ 0.589 $ $ 0.577 $ $ 0.564 $ $ 0.551 $ $ 0.539 $ $ 0.526 $
$ h(0.700,t_1^*) $ $ 0.592 $ $ 0.580 $ $ 0.567 $ $ 0.555 $ $ 0.542 $ $ 0.530 $ $ 0.517 $ $ 0.504 $ $ 0.491 $
$ g(0.650,t_1^*) $ $ 0.555 $ $ 0.542 $ $ 0.530 $ $ 0.518 $ $ 0.505 $ $ 0.493 $ $ 0.480 $ $ 0.468 $ $ 0.455 $
$ h(0.650,t_1^*) $ $ 0.522 $ $ 0.510 $ $ 0.498 $ $ 0.486 $ $ 0.473 $ $ 0.461 $ $ 0.448 $ $ 0.436 $ $ 0.423 $
$ g(0.600,t_1^*) $ $ 0.482 $ $ 0.470 $ $ 0.457 $ $ 0.445 $ $ 0.433 $ $ 0.421 $ $ 0.409 $ $ 0.396 $ $ 0.384 $
$ h(0.600,t_1^*) $ $ 0.452 $ $ 0.440 $ $ 0.428 $ $ 0.416 $ $ 0.403 $ $ 0.391 $ $ 0.379 $ $ 0.367 $ $ 0.354 $
$ t_1^* $ $ 0.000 $ $ 0.010 $ $ 0.020 $ $ 0.030 $ $ 0.040 $ $ 0.050 $ $ 0.060 $ $ 0.070 $ $ 0.080 $
$ g(0.700,t_1^*) $ $ 0.627 $ $ 0.614 $ $ 0.602 $ $ 0.589 $ $ 0.577 $ $ 0.564 $ $ 0.551 $ $ 0.539 $ $ 0.526 $
$ h(0.700,t_1^*) $ $ 0.592 $ $ 0.580 $ $ 0.567 $ $ 0.555 $ $ 0.542 $ $ 0.530 $ $ 0.517 $ $ 0.504 $ $ 0.491 $
$ g(0.650,t_1^*) $ $ 0.555 $ $ 0.542 $ $ 0.530 $ $ 0.518 $ $ 0.505 $ $ 0.493 $ $ 0.480 $ $ 0.468 $ $ 0.455 $
$ h(0.650,t_1^*) $ $ 0.522 $ $ 0.510 $ $ 0.498 $ $ 0.486 $ $ 0.473 $ $ 0.461 $ $ 0.448 $ $ 0.436 $ $ 0.423 $
$ g(0.600,t_1^*) $ $ 0.482 $ $ 0.470 $ $ 0.457 $ $ 0.445 $ $ 0.433 $ $ 0.421 $ $ 0.409 $ $ 0.396 $ $ 0.384 $
$ h(0.600,t_1^*) $ $ 0.452 $ $ 0.440 $ $ 0.428 $ $ 0.416 $ $ 0.403 $ $ 0.391 $ $ 0.379 $ $ 0.367 $ $ 0.354 $
Table 3.  Attacks on RSA related to Proposition 5.1
$ t_1^* = 0 $ $ t_1^*\geqslant 0 $
$ t_2^* = 0 $ Result in [3,14]: Result in [30]:
$ \beta^* < 1 - \sqrt{0.5} \approx 0.292 $ $ \beta^* < 1 - \sqrt{0.5-t_1^*} $
(No extra conditions) ($ t_1^* \leqslant 0.25 $)
$ t_2^*\geqslant 0 $ Result in [39]: Our result:
$ \beta^* < 1+t_2^* - \sqrt{0.5(1+t_2^*)} $ $ \beta^* < 1+t_2^* - \sqrt{(1+t_2^*)(0.5-t_1^*)} $
($ d_l < N^{\beta^*-0.5} $) ($ d_l < N^{\beta^*-t_1^*-0.5},\ 4t_1^* + t_2^* \leqslant 1 $)
$ t_1^* = 0 $ $ t_1^*\geqslant 0 $
$ t_2^* = 0 $ Result in [3,14]: Result in [30]:
$ \beta^* < 1 - \sqrt{0.5} \approx 0.292 $ $ \beta^* < 1 - \sqrt{0.5-t_1^*} $
(No extra conditions) ($ t_1^* \leqslant 0.25 $)
$ t_2^*\geqslant 0 $ Result in [39]: Our result:
$ \beta^* < 1+t_2^* - \sqrt{0.5(1+t_2^*)} $ $ \beta^* < 1+t_2^* - \sqrt{(1+t_2^*)(0.5-t_1^*)} $
($ d_l < N^{\beta^*-0.5} $) ($ d_l < N^{\beta^*-t_1^*-0.5},\ 4t_1^* + t_2^* \leqslant 1 $)
Table 4.  Some experimental examples for Proposition 4.1 (the case of MSBs) and Proposition 4.2 (the case of LSBs) with $ \beta_1^*\approx 1- \alpha_1^*,\ \beta_2^*\approx 1- \alpha_2^* $ and $ \log_2M\approx \log_2N_1\approx \log_2N_2\approx 1500 $
Case $ t^* $ $ \alpha_1^* $ $ \alpha_2^* $ $ \delta_1^* $ $ \delta_2^* $ $ m $ $ \tau $ $ i $ $ \dim(\Lambda) $ Bit size Time(LLL)
MSBs $ 0.606 $ $ 0.679 $ $ 0.684 $ $ 0.066 $ $ 0.061 $ $ 15 $ $ 10 $ $ 10 $ $ 16 $ $ 1.008 \times 10^{4} $ 6.596 seconds
MSBs $ 0.533 $ $ 0.666 $ $ 0.799 $ $ 0.133 $ $ 0.000 $ $ 15 $ $ 11 $ $ 9 $ $ 16 $ $ 1.198 \times 10^{4} $ 7.649 seconds
MSBs $ 0.687 $ $ 0.733 $ $ 0.500 $ $ 0.000 $ $ 0.233 $ $ 23 $ $ 16 $ $ 11 $ $ 24 $ $ 1.725 \times 10^{4} $ 116.3 seconds
LSBs $ 0.529 $ $ 0.580 $ $ 0.579 $ $ 0.000 $ $ 0.000 $ $ 23 $ $ 13 $ $ 13 $ $ 24 $ $ 1.093 \times 10^{4} $ 27.73 seconds
LSBs $ 0.433 $ $ 0.752 $ $ 0.805 $ $ 0.053 $ $ 0.000 $ $ 19 $ $ 15 $ $ 14 $ $ 20 $ $ 1.782 \times 10^{4} $ 35.12 seconds
LSBs $ 0.756 $ $ 0.803 $ $ 0.479 $ $ 0.000 $ $ 0.324 $ $ 19 $ $ 15 $ $ 9 $ $ 20 $ $ 1.802 \times 10^{4} $ 88.97 seconds
Case $ t^* $ $ \alpha_1^* $ $ \alpha_2^* $ $ \delta_1^* $ $ \delta_2^* $ $ m $ $ \tau $ $ i $ $ \dim(\Lambda) $ Bit size Time(LLL)
MSBs $ 0.606 $ $ 0.679 $ $ 0.684 $ $ 0.066 $ $ 0.061 $ $ 15 $ $ 10 $ $ 10 $ $ 16 $ $ 1.008 \times 10^{4} $ 6.596 seconds
MSBs $ 0.533 $ $ 0.666 $ $ 0.799 $ $ 0.133 $ $ 0.000 $ $ 15 $ $ 11 $ $ 9 $ $ 16 $ $ 1.198 \times 10^{4} $ 7.649 seconds
MSBs $ 0.687 $ $ 0.733 $ $ 0.500 $ $ 0.000 $ $ 0.233 $ $ 23 $ $ 16 $ $ 11 $ $ 24 $ $ 1.725 \times 10^{4} $ 116.3 seconds
LSBs $ 0.529 $ $ 0.580 $ $ 0.579 $ $ 0.000 $ $ 0.000 $ $ 23 $ $ 13 $ $ 13 $ $ 24 $ $ 1.093 \times 10^{4} $ 27.73 seconds
LSBs $ 0.433 $ $ 0.752 $ $ 0.805 $ $ 0.053 $ $ 0.000 $ $ 19 $ $ 15 $ $ 14 $ $ 20 $ $ 1.782 \times 10^{4} $ 35.12 seconds
LSBs $ 0.756 $ $ 0.803 $ $ 0.479 $ $ 0.000 $ $ 0.324 $ $ 19 $ $ 15 $ $ 9 $ $ 20 $ $ 1.802 \times 10^{4} $ 88.97 seconds
Table 5.  Some experimental examples for Proposition 4.3 (the case of MSBs) and Proposition 4.4 (the case of LSBs) with $ k = 1 $ and $ \log_2N\approx1000 $
Case $ t^* $ $ \alpha^* $ $ \theta^* $ $ m $ $ \tau $ $ i $ $ \dim(\Lambda) $ Bit size Time(LLL)
MSBs $ 0.240 $ $ 0.500 $ $ 0.165 $ $ 27 $ $ 13 $ $ 22 $ $ 28 $ $ 6.474 \times 10^{3} $ 23.14 seconds
MSBs $ 0.203 $ $ 0.603 $ $ 0.247 $ $ 27 $ $ 16 $ $ 20 $ $ 28 $ $ 9.531 \times 10^{3} $ 48.51 seconds
MSBs $ 0.260 $ $ 0.400 $ $ 0.000 $ $ 42 $ $ 16 $ $ 42 $ $ 43 $ $ 6.101 \times 10^{3} $ 102.1 seconds
LSBs $ 0.156 $ $ 0.501 $ $ 0.332 $ $ 42 $ $ 21 $ $ 28 $ $ 43 $ $ 1.043 \times 10^{4} $ 756.2 seconds
LSBs $ 0.255 $ $ 0.473 $ $ 0.071 $ $ 34 $ $ 16 $ $ 31 $ $ 35 $ $ 7.582 \times 10^{3} $ 65.23 seconds
LSBs $ 0.220 $ $ 0.720 $ $ 0.000 $ $ 34 $ $ 24 $ $ 34 $ $ 35 $ $ 1.709 \times 10^{4} $ 117.4 seconds
Case $ t^* $ $ \alpha^* $ $ \theta^* $ $ m $ $ \tau $ $ i $ $ \dim(\Lambda) $ Bit size Time(LLL)
MSBs $ 0.240 $ $ 0.500 $ $ 0.165 $ $ 27 $ $ 13 $ $ 22 $ $ 28 $ $ 6.474 \times 10^{3} $ 23.14 seconds
MSBs $ 0.203 $ $ 0.603 $ $ 0.247 $ $ 27 $ $ 16 $ $ 20 $ $ 28 $ $ 9.531 \times 10^{3} $ 48.51 seconds
MSBs $ 0.260 $ $ 0.400 $ $ 0.000 $ $ 42 $ $ 16 $ $ 42 $ $ 43 $ $ 6.101 \times 10^{3} $ 102.1 seconds
LSBs $ 0.156 $ $ 0.501 $ $ 0.332 $ $ 42 $ $ 21 $ $ 28 $ $ 43 $ $ 1.043 \times 10^{4} $ 756.2 seconds
LSBs $ 0.255 $ $ 0.473 $ $ 0.071 $ $ 34 $ $ 16 $ $ 31 $ $ 35 $ $ 7.582 \times 10^{3} $ 65.23 seconds
LSBs $ 0.220 $ $ 0.720 $ $ 0.000 $ $ 34 $ $ 24 $ $ 34 $ $ 35 $ $ 1.709 \times 10^{4} $ 117.4 seconds
Table 6.  Some experimental examples for Proposition 5.1 (under the extra condition $ d_l < N^{\beta^*-t_1^*-0.5},\ 4t_1^* + t_2^* \leqslant 1 $) with $ \log_2N\approx2000 $
$ \beta^* $ $ t_1^* $ $ t_2^* $ $ m $ $ \tau $ $ \theta_1,\theta_2,\cdots,\theta_{\tau} $ $ \dim(\Lambda) $ Bit size Time(LLL)
$ 0.650 $ $ 0.100 $ $ 0.500 $ $ 5 $ $ 4 $ $ 2,3,4,5 $ $ 31 $ $ 1.480 \times 10^{4} $ 40.83 seconds
$ 0.656 $ $ 0.141 $ $ 0.435 $ $ 5 $ $ 4 $ $ 2,3,4,5 $ $ 31 $ $ 1.426 \times 10^{4} $ 36.50 seconds
$ 0.580 $ $ 0.049 $ $ 0.480 $ $ 7 $ $ 5 $ $ 2,3,4,5,7 $ $ 55 $ $ 2.024 \times 10^{4} $ 1282 seconds
$ 0.543 $ $ 0.012 $ $ 0.440 $ $ 7 $ $ 5 $ $ 2,3,5,6,7 $ $ 53 $ $ 1.989 \times 10^{4} $ 680.9 seconds
$ 0.784 $ $ 0.072 $ $ 0.692 $ $ 6 $ $ 5 $ $ 2,3,4,5,6 $ $ 43 $ $ 2.022 \times 10^{4} $ 238.9 seconds
$ 0.708 $ $ 0.118 $ $ 0.525 $ $ 6 $ $ 5 $ $ 2,3,4,5,6 $ $ 43 $ $ 1.820 \times 10^{4} $ 225.9 seconds
$ \beta^* $ $ t_1^* $ $ t_2^* $ $ m $ $ \tau $ $ \theta_1,\theta_2,\cdots,\theta_{\tau} $ $ \dim(\Lambda) $ Bit size Time(LLL)
$ 0.650 $ $ 0.100 $ $ 0.500 $ $ 5 $ $ 4 $ $ 2,3,4,5 $ $ 31 $ $ 1.480 \times 10^{4} $ 40.83 seconds
$ 0.656 $ $ 0.141 $ $ 0.435 $ $ 5 $ $ 4 $ $ 2,3,4,5 $ $ 31 $ $ 1.426 \times 10^{4} $ 36.50 seconds
$ 0.580 $ $ 0.049 $ $ 0.480 $ $ 7 $ $ 5 $ $ 2,3,4,5,7 $ $ 55 $ $ 2.024 \times 10^{4} $ 1282 seconds
$ 0.543 $ $ 0.012 $ $ 0.440 $ $ 7 $ $ 5 $ $ 2,3,5,6,7 $ $ 53 $ $ 1.989 \times 10^{4} $ 680.9 seconds
$ 0.784 $ $ 0.072 $ $ 0.692 $ $ 6 $ $ 5 $ $ 2,3,4,5,6 $ $ 43 $ $ 2.022 \times 10^{4} $ 238.9 seconds
$ 0.708 $ $ 0.118 $ $ 0.525 $ $ 6 $ $ 5 $ $ 2,3,4,5,6 $ $ 43 $ $ 1.820 \times 10^{4} $ 225.9 seconds
Table 7.  The basis matrix $ \mathcal{B} $ when $ m = 5, \tau = 4, i = 3 $
$ (b')^2 (x')^5 $ $ b' (x')^4 z^* $ $ (x')^3 (z^*)^2 $ $ v (x')^2 (z^*)^3 $ $ v^2 x' (z^*)^4 $ $ v^3 (z^*)^5 $
$ g_0 $ $ A^4(B')^2 (X')^5 $
$ g_1 $ $ * $ $ A^3 B' (X')^4 Z^* $
$ g_2 $ $ * $ $ * $ $ A^2(X')^3 (Z^*)^2 $
$ g_3 $ $ * $ $ * $ $ * $ $ A V (X')^2 (Z^*)^3 $
$ g_4 $ $ * $ $ * $ $ * $ $ * $ $ V^2 X' (Z^*)^4 $
$ g_5 $ $ * $ $ * $ $ * $ $ * $ $ * $ $ V^3 (Z^*)^5 $
$ (b')^2 (x')^5 $ $ b' (x')^4 z^* $ $ (x')^3 (z^*)^2 $ $ v (x')^2 (z^*)^3 $ $ v^2 x' (z^*)^4 $ $ v^3 (z^*)^5 $
$ g_0 $ $ A^4(B')^2 (X')^5 $
$ g_1 $ $ * $ $ A^3 B' (X')^4 Z^* $
$ g_2 $ $ * $ $ * $ $ A^2(X')^3 (Z^*)^2 $
$ g_3 $ $ * $ $ * $ $ * $ $ A V (X')^2 (Z^*)^3 $
$ g_4 $ $ * $ $ * $ $ * $ $ * $ $ V^2 X' (Z^*)^4 $
$ g_5 $ $ * $ $ * $ $ * $ $ * $ $ * $ $ V^3 (Z^*)^5 $
[1]

Christoforidou Amalia, Christian-Oliver Ewald. A lattice method for option evaluation with regime-switching asset correlation structure. Journal of Industrial & Management Optimization, 2021, 17 (4) : 1729-1752. doi: 10.3934/jimo.2020042

[2]

Mikhail Dokuchaev, Guanglu Zhou, Song Wang. A modification of Galerkin's method for option pricing. Journal of Industrial & Management Optimization, 2021  doi: 10.3934/jimo.2021077

[3]

Jiangxing Wang. Convergence analysis of an accurate and efficient method for nonlinear Maxwell's equations. Discrete & Continuous Dynamical Systems - B, 2021, 26 (5) : 2429-2440. doi: 10.3934/dcdsb.2020185

[4]

Marion Darbas, Jérémy Heleine, Stephanie Lohrengel. Numerical resolution by the quasi-reversibility method of a data completion problem for Maxwell's equations. Inverse Problems & Imaging, 2020, 14 (6) : 1107-1133. doi: 10.3934/ipi.2020056

[5]

Maolin Cheng, Yun Liu, Jianuo Li, Bin Liu. Nonlinear Grey Bernoulli model NGBM (1, 1)'s parameter optimisation method and model application. Journal of Industrial & Management Optimization, 2021  doi: 10.3934/jimo.2021054

[6]

Zhang Chen, Xiliang Li, Bixiang Wang. Invariant measures of stochastic delay lattice systems. Discrete & Continuous Dynamical Systems - B, 2021, 26 (6) : 3235-3269. doi: 10.3934/dcdsb.2020226

[7]

Xinyuan Liao, Caidi Zhao, Shengfan Zhou. Compact uniform attractors for dissipative non-autonomous lattice dynamical systems. Communications on Pure & Applied Analysis, 2007, 6 (4) : 1087-1111. doi: 10.3934/cpaa.2007.6.1087

[8]

Mia Jukić, Hermen Jan Hupkes. Dynamics of curved travelling fronts for the discrete Allen-Cahn equation on a two-dimensional lattice. Discrete & Continuous Dynamical Systems, 2021, 41 (7) : 3163-3209. doi: 10.3934/dcds.2020402

[9]

Skyler Simmons. Stability of Broucke's isosceles orbit. Discrete & Continuous Dynamical Systems, 2021, 41 (8) : 3759-3779. doi: 10.3934/dcds.2021015

[10]

Z. Reichstein and B. Youssin. Parusinski's "Key Lemma" via algebraic geometry. Electronic Research Announcements, 1999, 5: 136-145.

[11]

Ugo Bessi. Another point of view on Kusuoka's measure. Discrete & Continuous Dynamical Systems, 2021, 41 (7) : 3241-3271. doi: 10.3934/dcds.2020404

[12]

Jun Tu, Zijiao Sun, Min Huang. Supply chain coordination considering e-tailer's promotion effort and logistics provider's service effort. Journal of Industrial & Management Optimization, 2021  doi: 10.3934/jimo.2021062

[13]

Armin Lechleiter, Tobias Rienmüller. Factorization method for the inverse Stokes problem. Inverse Problems & Imaging, 2013, 7 (4) : 1271-1293. doi: 10.3934/ipi.2013.7.1271

[14]

Ronald E. Mickens. Positivity preserving discrete model for the coupled ODE's modeling glycolysis. Conference Publications, 2003, 2003 (Special) : 623-629. doi: 10.3934/proc.2003.2003.623

[15]

Bernold Fiedler, Carlos Rocha, Matthias Wolfrum. Sturm global attractors for $S^1$-equivariant parabolic equations. Networks & Heterogeneous Media, 2012, 7 (4) : 617-659. doi: 10.3934/nhm.2012.7.617

[16]

Enkhbat Rentsen, Battur Gompil. Generalized Nash equilibrium problem based on malfatti's problem. Numerical Algebra, Control & Optimization, 2021, 11 (2) : 209-220. doi: 10.3934/naco.2020022

[17]

Huy Dinh, Harbir Antil, Yanlai Chen, Elena Cherkaev, Akil Narayan. Model reduction for fractional elliptic problems using Kato's formula. Mathematical Control & Related Fields, 2021  doi: 10.3934/mcrf.2021004

[18]

Kun Hu, Yuanshi Wang. Dynamics of consumer-resource systems with consumer's dispersal between patches. Discrete & Continuous Dynamical Systems - B, 2021  doi: 10.3934/dcdsb.2021077

[19]

Yinsong Bai, Lin He, Huijiang Zhao. Nonlinear stability of rarefaction waves for a hyperbolic system with Cattaneo's law. Communications on Pure & Applied Analysis, , () : -. doi: 10.3934/cpaa.2021049

[20]

Françoise Demengel. Ergodic pairs for degenerate pseudo Pucci's fully nonlinear operators. Discrete & Continuous Dynamical Systems, 2021, 41 (7) : 3465-3488. doi: 10.3934/dcds.2021004

2019 Impact Factor: 0.734

Metrics

  • PDF downloads (99)
  • HTML views (534)
  • Cited by (0)

[Back to Top]