Cryptanalysis of the RSA Subgroup Assumption from TCC 2005

  • Jean-Sébastien Coron
  • Antoine Joux
  • Avradip Mandal
  • David Naccache
  • Mehdi Tibouchi
Conference paper

DOI: 10.1007/978-3-642-19379-8_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6571)
Cite this paper as:
Coron JS., Joux A., Mandal A., Naccache D., Tibouchi M. (2011) Cryptanalysis of the RSA Subgroup Assumption from TCC 2005. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds) Public Key Cryptography – PKC 2011. PKC 2011. Lecture Notes in Computer Science, vol 6571. Springer, Berlin, Heidelberg

Abstract

At TCC 2005, Groth underlined the usefulness of working in small RSA subgroups of hidden order. In assessing the security of the relevant hard problems, however, the best attack considered for a subgroup of size 22ℓ had a complexity of O(2). Accordingly, ℓ= 100 bits was suggested as a concrete parameter.

This paper exhibits an attack with a complexity of roughly 2ℓ/2 operations, suggesting that Groth’s original choice of parameters was overly aggressive. It also discusses the practicality of this new attack and various implementation issues.

Keywords

rsa moduli hidden order subgroup cryptanalysis 

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
  • Antoine Joux
    • 2
    • 3
  • Avradip Mandal
    • 1
  • David Naccache
    • 4
  • Mehdi Tibouchi
    • 1
    • 4
  1. 1.Université du LuxembourgLuxembourgLuxembourg
  2. 2.Direction générale de l’armement (DGA)France
  3. 3.Laboratoire PRISMUniversité de Versailles–Saint-QuentinVersailles CedexFrance
  4. 4.Département d’informatique, Groupe de cryptographieÉcole normale supérieureParis Cedex 05France

Personalised recommendations