# American Institute of Mathematical Sciences

doi: 10.3934/amc.2020076

## Finding small solutions of the equation $Bx - Ay = z$ and its applications to cryptanalysis of the RSA cryptosystem

1. National Innovation Institute of Defense Technology, Beijing 100071, China
2. College of Liberal Arts and Sciences, National University of Defense Technology, Changsha 410073, China
3. State Key Laboratory of Cryptology, Beijing 100878, China
4. College of Computer, National University of Defense Technology, Changsha 410073, China
5. College of Information Science and Technology / College of Cyber Security, Jinan University, Guangzhou 510632, China

* Corresponding Author: Longjiang Qu

Received: September 2019. Published: April 2020.

In this paper, we study the condition for finding small solutions $(x,y,z) = (x_0, y_0, z_0)$ of the equation $Bx-Ay = z$. The framework is derived from Wiener's small private exponent attack on RSA and from May and Ritzenhofen's investigation of the implicit factorization problem, both of which can be generalized to solve the above equation. We show that these two methods, together with Coppersmith's method, are equivalent for solving $Bx-Ay = z$ in the general case. Then, based on Coppersmith's method, we present two improvements for solving $Bx-Ay = z$ in some special cases. The first improvement addresses the case where either $\gcd(x_0,z_0,A)$ or $\gcd(y_0,z_0,B)$ is large enough. As applications of this improvement, we propose some new cryptanalytic results on RSA, such as new results on the generalized implicit factorization problem, attacks with known bits of a prime factor, and so on.
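The Wiener-style branch of the framework above, as an added example that is not the paper's own code: scanning the convergents of $B/A$ finds the small solutions of $Bx - Ay = z$ that satisfy Legendre's condition $2x|z| < A$, and with $(B, A) = (e, N)$ this yields the key-acceptance check that rejects an RSA key whose private exponent $d$ is small enough to be recovered. The function names and the toy key (deliberately weak, built from two known primes) are constructed for this demonstration.

```python
# Added example (not from the paper): a Wiener-style continued-fraction search
# for small solutions of B*x - A*y = z, and the RSA key-acceptance check that
# follows from it.  All names and the toy key below are constructed for the demo.
from math import gcd, isqrt


def convergents(num, den):
    """Yield the convergents y/x of num/den as (y, x) pairs, in order.

    Standard recurrence: p_i = a_i*p_{i-1} + p_{i-2}, q_i = a_i*q_{i-1} + q_{i-2},
    seeded with (p_{-2}, p_{-1}) = (0, 1) and (q_{-2}, q_{-1}) = (1, 0).
    """
    p_prev, p = 0, 1
    q_prev, q = 1, 0
    while den:
        a, rem = divmod(num, den)
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        yield p, q
        num, den = den, rem


def small_solutions(B, A, x_bound, z_bound):
    """All (x, y, z) with B*x - A*y = z found among the convergents of B/A,
    subject to 0 < x <= x_bound and |z| <= z_bound.

    Legendre's theorem: if |B/A - y/x| < 1/(2x^2), i.e. 2*x*|z| < A, then y/x
    is a convergent of B/A, so every coprime solution in that region is found.
    Solutions with larger |z| are outside this method's reach (the paper's
    lattice-based improvements target such cases).
    """
    found = []
    for y, x in convergents(B, A):
        if x > x_bound:
            break
        z = B * x - A * y
        if abs(z) <= z_bound:
            found.append((x, y, z))
    return found


def rsa_small_d_weakness(N, e):
    """Key-acceptance check: does a small private exponent make (N, e) factorable?

    From e*d = 1 + k*phi(N) we get e*d - N*k = 1 - k*(p+q-1): a small solution
    of B*x - A*y = z with (B, A, x, y) = (e, N, d, k).  Wiener's attack is this
    convergent scan with each candidate d verified by recovering p and q.
    Returns (d, p, q) if the key is weak, else None.
    """
    x_bound = isqrt(isqrt(N))          # d < N^(1/4): the classical Wiener region
    for k, d in convergents(e, N):
        if d > x_bound:
            break
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = N - phi + 1                  # equals p + q for the right k/d
        disc = s * s - 4 * N
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if p * q == N:
            return d, p, q
    return None


def toy_weak_key():
    """Constructed demo key with a deliberately tiny d (d ~ 2^20 for N ~ 2^125).

    Real keys use a full-size d (typically e = 65537); this one exists only to
    show what the check rejects.
    """
    p = 2**61 - 1      # Mersenne prime M61
    q = 2**64 - 59     # largest prime below 2^64
    N, phi = p * q, (p - 1) * (q - 1)
    d = 2**20 + 1
    while gcd(d, phi) != 1:
        d += 2
    e = pow(d, -1, phi)   # modular inverse, Python >= 3.8
    return N, e, d, p, q


if __name__ == "__main__":
    N, e, d, p, q = toy_weak_key()
    print("weak key recovered as (d, p, q):", rsa_small_d_weakness(N, e))
```

A key-generation pipeline would run `rsa_small_d_weakness` on every fresh key and reject any for which it returns a factorization.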

Citation: Shixiong Wang, Longjiang Qu, Chao Li, Shaojing Fu, Hao Chen. Finding small solutions of the equation $Bx - Ay = z$ and its applications to cryptanalysis of the RSA cryptosystem. Advances in Mathematics of Communications, doi: 10.3934/amc.2020076
##### References:
[1] Y. Aono, A new lattice construction for partial key exposure attack for RSA, Public Key Cryptography - PKC 2009, Springer, Berlin, Heidelberg, (2009), 34-53.
[2] J. Blömer and A. May, New partial key exposure attacks on RSA, Advances in Cryptology - CRYPTO 2003, Lecture Notes in Comput. Sci., Springer, Berlin, 2729 (2003), 27-43. doi: 10.1007/978-3-540-45146-4_2.
[3] D. Boneh and G. Durfee, Cryptanalysis of RSA with private key $d$ less than $N^{0.292}$, Advances in Cryptology - EUROCRYPT '99 (Prague), Lecture Notes in Comput. Sci., Springer, Berlin, 1592 (1999), 1-11. doi: 10.1007/3-540-48910-X_1.
[4] D. Boneh, G. Durfee and Y. Frankel, An attack on RSA given a small fraction of the private key bits, Advances in Cryptology - ASIACRYPT '98 (Beijing), Lecture Notes in Comput. Sci., Springer, Berlin, 1514 (1998), 25-34. doi: 10.1007/3-540-49649-1_3.
[5] D. Coppersmith, Finding a small root of a univariate modular equation, Advances in Cryptology - EUROCRYPT '96 (Saragossa, 1996), Lecture Notes in Comput. Sci., Springer, Berlin, 1070 (1996), 155-165. doi: 10.1007/3-540-68339-9_14.
[6] D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, Advances in Cryptology - EUROCRYPT '96 (Saragossa, 1996), Lecture Notes in Comput. Sci., Springer, Berlin, 1070 (1996), 178-189. doi: 10.1007/3-540-68339-9_16.
[7] D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities, Journal of Cryptology, 10 (1997), 233-260. doi: 10.1007/s001459900030.
[8] J.-S. Coron, Finding small roots of bivariate integer polynomial equations revisited, Advances in Cryptology - EUROCRYPT 2004, Lecture Notes in Comput. Sci., Springer, Berlin, 3027 (2004), 492-505. doi: 10.1007/978-3-540-24676-3_29.
[9] J.-S. Coron and A. May, Deterministic polynomial-time equivalence of computing the RSA secret key and factoring, Journal of Cryptology, 20 (2007), 39-50. doi: 10.1007/s00145-006-0433-6.
[10] B. de Weger, Cryptanalysis of RSA with small prime difference, Appl. Algebra Engrg. Comm. Comput., 13 (2002), 17-28. doi: 10.1007/s002000100088.
[11] M. Ernst, E. Jochemsz, A. May and B. de Weger, Partial key exposure attacks on RSA up to full size exponents, Advances in Cryptology - EUROCRYPT 2005, Lecture Notes in Comput. Sci., Springer, Berlin, 3494 (2005), 371-386. doi: 10.1007/11426639_22.
[12] J. C. Faugère, R. Marinier and G. Renault, Implicit factoring with shared most significant and middle bits, Public Key Cryptography - PKC 2010, Lecture Notes in Comput. Sci., Springer, Berlin, 6056 (2010), 70-87. doi: 10.1007/978-3-642-13013-7_5.
[13] G. H. Hardy and E. M. Wright, An Introduction to the Theory of Numbers, Fifth edition, The Clarendon Press, Oxford University Press, New York, 1979.
[14] M. Herrmann and A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, Public Key Cryptography - PKC 2010, Lecture Notes in Comput. Sci., Springer, Berlin, 6056 (2010), 53-69. doi: 10.1007/978-3-642-13013-7_4.
[15] N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Cryptography and Coding (Cirencester, 1997), Lecture Notes in Comput. Sci., Springer, Berlin, 1355 (1997), 131-142. doi: 10.1007/BFb0024458.
[16] N. Howgrave-Graham, Approximate integer common divisors, Cryptography and Lattices (Providence, RI, 2001), Lecture Notes in Comput. Sci., Springer, Berlin, 2146 (2001), 51-66. doi: 10.1007/3-540-44670-2_6.
[17] A. Joux, Algorithmic Cryptanalysis, Chapman & Hall/CRC Cryptography and Network Security, CRC Press, Boca Raton, FL, 2009. doi: 10.1201/9781420070033.
[18] S. Kumar and C. Narasimham, Cryptanalysis of RSA with small prime difference using unravelled linearization, International Journal of Computer Applications, 61 (2013).
[19] A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, 261 (1982), 515-534. doi: 10.1007/BF01457454.
[20] Y. Lu, L. Q. Peng, R. Zhang, L. Hu and D. D. Lin, Towards optimal bounds for implicit factorization problem, Selected Areas in Cryptography - SAC 2015, Lecture Notes in Comput. Sci., Springer, Cham, 9566 (2016), 462-476. doi: 10.1007/978-3-319-31301-6_26.
[21] Y. Lu, R. Zhang and D. Lin, Improved bounds for the implicit factorization problem, Advances in Mathematics of Communications, 7 (2013), 243-251. doi: 10.3934/amc.2013.7.243.
[22] Y. Lu, R. Zhang, L. Q. Peng and D. D. Lin, Solving linear equations modulo unknown divisors: Revisited, Advances in Cryptology - ASIACRYPT 2015, Part I, Lecture Notes in Comput. Sci., Springer, Heidelberg, 9452 (2015), 189-213. doi: 10.1007/978-3-662-48797-6_9.
[23] A. May, New RSA Vulnerabilities Using Lattice Reduction Methods, Ph.D. dissertation, University of Paderborn, 2003.
[24] A. May, Computing the RSA secret key is deterministic polynomial time equivalent to factoring, Advances in Cryptology - CRYPTO 2004, Lecture Notes in Comput. Sci., Springer, Berlin, 3152 (2004), 213-219. doi: 10.1007/978-3-540-28628-8_13.
[25] A. May and M. Ritzenhofen, Implicit factoring: On polynomial time factoring given only an implicit hint, Public Key Cryptography - PKC 2009, Lecture Notes in Comput. Sci., Springer, Berlin, 5443 (2009), 1-14. doi: 10.1007/978-3-642-00468-1_1.
[26] C. D. Meyer, Matrix Analysis and Applied Linear Algebra, Cambridge University Press, Cambridge, 2000.
[27] H. Minkowski, Geometrie der Zahlen, Bibliotheca Mathematica Teubneriana, Band 40, Johnson Reprint Corp., New York-London, 1968.
[28] A. Nitaj and M. R. K. Ariffin, Implicit factorization of unbalanced RSA moduli, Journal of Applied Mathematics and Computing, 48 (2015), 349-363. doi: 10.1007/s12190-014-0806-1.
[29] A. Nitaj, A new attack on RSA and CRT-RSA, Progress in Cryptology - AFRICACRYPT 2012, Lecture Notes in Comput. Sci., Springer, Heidelberg, 7374 (2012), 221-233. doi: 10.1007/978-3-642-31410-0_14.
[30] L. Peng, L. Hu, Z. Huang et al., Partial prime factor exposure attacks on RSA and its Takagi's variant, Information Security Practice and Experience - ISPEC 2015, Springer International Publishing, (2015), 96-108.
[31] L. Peng, L. Hu, Y. Lu et al., Implicit factorization of RSA moduli revisited (short paper), International Workshop on Security - IWSEC 2015, Springer International Publishing, (2015), 67-76.
[32] L. Q. Peng, L. Hu, J. Xu, Z. J. Huang and Y. H. Xie, Further improvement of factoring RSA moduli with implicit hint, Progress in Cryptology - AFRICACRYPT 2014, Lecture Notes in Comput. Sci., Springer, Cham, 8469 (2014), 165-177. doi: 10.1007/978-3-319-06734-6_11.
[33] R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, 21 (1978), 120-126. doi: 10.1145/359340.359342.
[34] S. Sarkar, Partial key exposure: Generalized framework to attack RSA, Progress in Cryptology - INDOCRYPT 2011, Lecture Notes in Comput. Sci., Springer, Heidelberg, 7107 (2011), 76-92. doi: 10.1007/978-3-642-25578-6_7.
[35] S. Sarkar, S. Sen Gupta and S. Maitra, Partial key exposure attack on RSA - improvements for limited lattice dimensions, Progress in Cryptology - INDOCRYPT 2010, Lecture Notes in Comput. Sci., Springer, Berlin, 6498 (2010), 2-16. doi: 10.1007/978-3-642-17401-8_2.
[36] S. Sarkar and S. Maitra, Improved partial key exposure attacks on RSA by guessing a few bits of one of the prime factors, Information Security and Cryptology - ICISC 2008, Lecture Notes in Comput. Sci., Springer, Berlin, 5461 (2009), 37-51. doi: 10.1007/978-3-642-00730-9_3.
[37] S. Sarkar and S. Maitra, Approximate integer common divisor problem relates to implicit factorization, IEEE Transactions on Information Theory, 57 (2011), 4002-4013. doi: 10.1109/TIT.2011.2137270.
[38] A. Takayasu and N. Kunihiro, Partial key exposure attacks on RSA: Achieving the Boneh-Durfee bound, Selected Areas in Cryptography - SAC 2014, Lecture Notes in Comput. Sci., Springer, Cham, 8781 (2014), 345-362. doi: 10.1007/978-3-319-13051-4_21.
[39] S. Wang, L. Qu, C. Li et al., Generalized framework to attack RSA with special exposed bits of the private key, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 100 (2017), 2113-2122.
[40] M. J. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, 36 (1990), 553-558. doi: 10.1109/18.54902.

Figure (plot not reproduced on this page): Comparison between our results and those in [28] for generalized IFP with shared MSBs or LSBs when $\alpha_1^* \approx \alpha_2^* \approx \alpha^* ,\ \beta_1^* \approx \beta_2^* \approx 1- \alpha^* ,\ \delta_1^* \approx \delta_2^* \approx 0.1$

Figure (plot not reproduced on this page): Our generalized result and possible improvement for the attack on RSA with known MSBs or LSBs of the prime factor

Figure (plot not reproduced on this page): Comparison between the result of our Proposition 5.2 and that in [10,18] for the attack on RSA with a small difference of prime factors
Results for IFP and generalized IFP

| IFP with shared MSBs or LSBs (for $\alpha_1^* \approx \alpha_2^*,\ \beta_1^* \approx \beta_2^*,\ \delta_1^* = \delta_2^* = 0$) | Generalized IFP with shared MSBs or LSBs (for any $\alpha_1^*, \alpha_2^*, \beta_1^*, \beta_2^*, \delta_1^*, \delta_2^*$) |
|---|---|
| Results in [25] and [12]: $t^* > 2 \beta_1^*$ | Results in [28]: $t^* > \beta_1^* + \beta_2^* + \delta_1^* + \delta_2^*$ |
| Results in [20]: $t^* > \frac{2\alpha_1^* \beta_1^*}{\alpha_1^*+\beta_1^*}$ | Our results: $t^* > \frac{\alpha_1^* \beta_1^*}{\alpha_1^*+\beta_1^*} + \frac{\alpha_2^*\beta_2^*}{\alpha_2^*+\beta_2^*} + \delta_1^* + \delta_2^*$ |
Comparison between the result of our Proposition 5.1 (i.e. $t_2^* > h(\beta^*,t_1^*)$) and that in [36] (i.e. $t_2^* > g(\beta^*,t_1^*)$) for $\beta^* = 0.700, 0.650, 0.600$

| $t_1^*$ | $0.000$ | $0.010$ | $0.020$ | $0.030$ | $0.040$ | $0.050$ | $0.060$ | $0.070$ | $0.080$ |
|---|---|---|---|---|---|---|---|---|---|
| $g(0.700,t_1^*)$ | $0.627$ | $0.614$ | $0.602$ | $0.589$ | $0.577$ | $0.564$ | $0.551$ | $0.539$ | $0.526$ |
| $h(0.700,t_1^*)$ | $0.592$ | $0.580$ | $0.567$ | $0.555$ | $0.542$ | $0.530$ | $0.517$ | $0.504$ | $0.491$ |
| $g(0.650,t_1^*)$ | $0.555$ | $0.542$ | $0.530$ | $0.518$ | $0.505$ | $0.493$ | $0.480$ | $0.468$ | $0.455$ |
| $h(0.650,t_1^*)$ | $0.522$ | $0.510$ | $0.498$ | $0.486$ | $0.473$ | $0.461$ | $0.448$ | $0.436$ | $0.423$ |
| $g(0.600,t_1^*)$ | $0.482$ | $0.470$ | $0.457$ | $0.445$ | $0.433$ | $0.421$ | $0.409$ | $0.396$ | $0.384$ |
| $h(0.600,t_1^*)$ | $0.452$ | $0.440$ | $0.428$ | $0.416$ | $0.403$ | $0.391$ | $0.379$ | $0.367$ | $0.354$ |
Attacks on RSA related to Proposition 5.1

| | $t_1^* = 0$ | $t_1^* \geqslant 0$ |
|---|---|---|
| $t_2^* = 0$ | Result in [3,14]: $\beta^* < 1 - \sqrt{0.5} \approx 0.292$ (no extra conditions) | Result in [30]: $\beta^* < 1 - \sqrt{0.5-t_1^*}$ ($t_1^* \leqslant 0.25$) |
| $t_2^* \geqslant 0$ | Result in [39]: $\beta^* < 1+t_2^* - \sqrt{0.5(1+t_2^*)}$ ($d_l < N^{\beta^*-0.5}$) | Our result: $\beta^* < 1+t_2^* - \sqrt{(1+t_2^*)(0.5-t_1^*)}$ ($d_l < N^{\beta^*-t_1^*-0.5},\ 4t_1^* + t_2^* \leqslant 1$) |
Some experimental examples for Proposition 4.1 (the case of MSBs) and Proposition 4.2 (the case of LSBs) with $\beta_1^*\approx 1- \alpha_1^*,\ \beta_2^*\approx 1- \alpha_2^*$ and $\log_2M\approx \log_2N_1\approx \log_2N_2\approx 1500$

| Case | $t^*$ | $\alpha_1^*$ | $\alpha_2^*$ | $\delta_1^*$ | $\delta_2^*$ | $m$ | $\tau$ | $i$ | $\dim(\Lambda)$ | Bit size | Time (LLL) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| MSBs | $0.606$ | $0.679$ | $0.684$ | $0.066$ | $0.061$ | $15$ | $10$ | $10$ | $16$ | $1.008 \times 10^{4}$ | 6.596 seconds |
| MSBs | $0.533$ | $0.666$ | $0.799$ | $0.133$ | $0.000$ | $15$ | $11$ | $9$ | $16$ | $1.198 \times 10^{4}$ | 7.649 seconds |
| MSBs | $0.687$ | $0.733$ | $0.500$ | $0.000$ | $0.233$ | $23$ | $16$ | $11$ | $24$ | $1.725 \times 10^{4}$ | 116.3 seconds |
| LSBs | $0.529$ | $0.580$ | $0.579$ | $0.000$ | $0.000$ | $23$ | $13$ | $13$ | $24$ | $1.093 \times 10^{4}$ | 27.73 seconds |
| LSBs | $0.433$ | $0.752$ | $0.805$ | $0.053$ | $0.000$ | $19$ | $15$ | $14$ | $20$ | $1.782 \times 10^{4}$ | 35.12 seconds |
| LSBs | $0.756$ | $0.803$ | $0.479$ | $0.000$ | $0.324$ | $19$ | $15$ | $9$ | $20$ | $1.802 \times 10^{4}$ | 88.97 seconds |
Some experimental examples for Proposition 4.3 (the case of MSBs) and Proposition 4.4 (the case of LSBs) with $k = 1$ and $\log_2N\approx1000$

| Case | $t^*$ | $\alpha^*$ | $\theta^*$ | $m$ | $\tau$ | $i$ | $\dim(\Lambda)$ | Bit size | Time (LLL) |
|---|---|---|---|---|---|---|---|---|---|
| MSBs | $0.240$ | $0.500$ | $0.165$ | $27$ | $13$ | $22$ | $28$ | $6.474 \times 10^{3}$ | 23.14 seconds |
| MSBs | $0.203$ | $0.603$ | $0.247$ | $27$ | $16$ | $20$ | $28$ | $9.531 \times 10^{3}$ | 48.51 seconds |
| MSBs | $0.260$ | $0.400$ | $0.000$ | $42$ | $16$ | $42$ | $43$ | $6.101 \times 10^{3}$ | 102.1 seconds |
| LSBs | $0.156$ | $0.501$ | $0.332$ | $42$ | $21$ | $28$ | $43$ | $1.043 \times 10^{4}$ | 756.2 seconds |
| LSBs | $0.255$ | $0.473$ | $0.071$ | $34$ | $16$ | $31$ | $35$ | $7.582 \times 10^{3}$ | 65.23 seconds |
| LSBs | $0.220$ | $0.720$ | $0.000$ | $34$ | $24$ | $34$ | $35$ | $1.709 \times 10^{4}$ | 117.4 seconds |
Some experimental examples for Proposition 5.1 (under the extra condition $d_l < N^{\beta^*-t_1^*-0.5},\ 4t_1^* + t_2^* \leqslant 1$) with $\log_2N\approx2000$

| $\beta^*$ | $t_1^*$ | $t_2^*$ | $m$ | $\tau$ | $\theta_1,\theta_2,\cdots,\theta_{\tau}$ | $\dim(\Lambda)$ | Bit size | Time (LLL) |
|---|---|---|---|---|---|---|---|---|
| $0.650$ | $0.100$ | $0.500$ | $5$ | $4$ | $2,3,4,5$ | $31$ | $1.480 \times 10^{4}$ | 40.83 seconds |
| $0.656$ | $0.141$ | $0.435$ | $5$ | $4$ | $2,3,4,5$ | $31$ | $1.426 \times 10^{4}$ | 36.50 seconds |
| $0.580$ | $0.049$ | $0.480$ | $7$ | $5$ | $2,3,4,5,7$ | $55$ | $2.024 \times 10^{4}$ | 1282 seconds |
| $0.543$ | $0.012$ | $0.440$ | $7$ | $5$ | $2,3,5,6,7$ | $53$ | $1.989 \times 10^{4}$ | 680.9 seconds |
| $0.784$ | $0.072$ | $0.692$ | $6$ | $5$ | $2,3,4,5,6$ | $43$ | $2.022 \times 10^{4}$ | 238.9 seconds |
| $0.708$ | $0.118$ | $0.525$ | $6$ | $5$ | $2,3,4,5,6$ | $43$ | $1.820 \times 10^{4}$ | 225.9 seconds |
The basis matrix $\mathcal{B}$ when $m = 5, \tau = 4, i = 3$ (rows are the polynomials $g_0, \dots, g_5$, columns the monomials; $*$ marks a nonzero off-diagonal entry, blank cells are zero)

| | $(b')^2 (x')^5$ | $b' (x')^4 z^*$ | $(x')^3 (z^*)^2$ | $v (x')^2 (z^*)^3$ | $v^2 x' (z^*)^4$ | $v^3 (z^*)^5$ |
|---|---|---|---|---|---|---|
| $g_0$ | $A^4(B')^2 (X')^5$ | | | | | |
| $g_1$ | $*$ | $A^3 B' (X')^4 Z^*$ | | | | |
| $g_2$ | $*$ | $*$ | $A^2(X')^3 (Z^*)^2$ | | | |
| $g_3$ | $*$ | $*$ | $*$ | $A V (X')^2 (Z^*)^3$ | | |
| $g_4$ | $*$ | $*$ | $*$ | $*$ | $V^2 X' (Z^*)^4$ | |
| $g_5$ | $*$ | $*$ | $*$ | $*$ | $*$ | $V^3 (Z^*)^5$ |