We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor p for a known composite integer N. In CaLC 2001, Howgrave-Graham introduced an efficient algorithm for solving univariate linear equations; since then, two forms of multivariate generalizations have been considered in the context of cryptanalysis: modular multivariate linear equations by Herrmann and May (Asiacrypt’08) and simultaneous modular univariate linear equations by Cohn and Heninger (ANTS’12). Their algorithms have many important applications in cryptanalysis, such as the factoring with known bits problem, fault attacks on RSA signatures, analysis of the approximate GCD problem, etc.

In this paper, by introducing multiple parameters, we propose several generalizations of the above equations. The motivation behind these extensions is that some attacks on RSA variants can be reduced to solving these generalized equations, and previous algorithms do not apply. We present new approaches to solve them; compared with previous methods, our new algorithms are more flexible and especially suitable for some cases. Applying our algorithms, we obtain the best analytical/experimental results for some attacks on RSA and its variants. Specifically:

- We improve May’s results (PKC’04) on the small secret exponent attack on the RSA variant with moduli \(N = p^rq\) (\(r\ge 2\)).
- We experimentally improve Boneh et al.’s algorithm (Crypto’98) on the factoring \(N=p^rq\) (\(r\ge 2\)) with known bits problem.
- We significantly improve Jochemsz and May’s attack (Asiacrypt’06) on Common Prime RSA.
- We extend Nitaj’s result (Africacrypt’12) on weak encryption exponents of RSA and CRT-RSA.

Lattice-based cryptanalysis is a very useful tool in various cryptographic systems; historically, for example, it was used to break the Merkle-Hellman knapsack cryptosystem. The basic idea of the lattice-based approach is that if the system parameters of the target problem can be transformed into a basis of a certain lattice, one can find some short vectors in the desired lattice using dedicated algorithms, like the LLL algorithm. One may then hope that the secret key can be recovered once the solutions are extracted from these short vectors. Although in most cases this assumption is not rigorous in theory, it usually works well in practice.
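As an added example (not code from this paper), the following Python script applies Howgrave-Graham's univariate method to the factoring with known bits problem named above: an approximation a of a prime factor p of N is known, the error x0 = p - a is small, and x0 is a root of f(x) = x + a modulo the unknown divisor p. The lattice spanned by the coefficient vectors of N^(m-j) f(x)^j and the x-shifts x^i f(x)^m is reduced with a small textbook LLL (written for readability, not speed), and an integer root of the resulting polynomial reveals p. The parameter choices m = 2, t = 2, the 1024-point root-search grid, and the toy instance in the usage note are assumptions.

```python
from fractions import Fraction
from math import gcd

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors; fine for the tiny lattices built below."""
    b, n = [list(v) for v in basis], len(basis)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gso():  # Gram-Schmidt vectors bs and coefficients mu (with mu[i][i] = 1)
        bs, mu = [], [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bs[j]) / dot(bs[j], bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
            bs.append(v)
        return bs, mu
    (bs, mu), k = gso(), 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce b[k] against b[j], updating mu in place
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                mu[k] = [x - q * y for x, y in zip(mu[k], mu[j])]
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1  # Lovasz condition holds, move on
        else:  # swap b[k-1] and b[k], recompute Gram-Schmidt data and step back
            b[k - 1], b[k] = b[k], b[k - 1]
            (bs, mu), k = gso(), max(k - 1, 1)
    return b

def factor_with_known_bits(N, a, X, m=2, t=2):
    """Howgrave-Graham: x0 + a = 0 (mod p) with p | N unknown and |x0| <= X yields p."""
    w, rows, fj = m + 1 + t, [], [1]  # fj holds the coefficients of (x + a)^j, low degree first
    for j in range(m + 1):
        rows.append([c * N ** (m - j) for c in fj])  # N^(m-j) * f^j vanishes mod p^m at x0
        fj = [a * x + y for x, y in zip(fj + [0], [0] + fj)]
    rows += [[0] * i + rows[m] for i in range(1, t + 1)]  # x-shifts x^i * f^m, same property
    B = [[c * X ** i for i, c in enumerate(r)] + [0] * (w - len(r)) for r in rows]
    for v in lll(B):  # a short enough vector encodes g with g(x0) = 0 over the integers
        g = [c // X ** i for i, c in enumerate(v)]
        ev = lambda x: sum(c * x ** i for i, c in enumerate(g))
        grid = [-X + 2 * X * s // 1024 for s in range(1025)]
        for lo, hi in zip(grid, grid[1:]):  # integer bisection on sign changes of g
            while hi - lo > 1 and ev(lo) * ev(hi) < 0:
                mid = (lo + hi) // 2
                lo, hi = (lo, mid) if ev(lo) * ev(mid) <= 0 else (mid, hi)
            for x in (lo, hi):
                if ev(x) == 0 and 1 < gcd(N, x + a) < N:
                    return gcd(N, x + a)
    return None
```

On the constructed instance `p, q = 2**61 - 1, 2**31 - 1` (two Mersenne primes), `factor_with_known_bits(p * q, p - 12345678, 2**24)` returns p; with these parameters the Howgrave-Graham norm bound is met with a wide margin, so the 24 unknown bits are never searched exhaustively.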