Now I am a Phd student in Academy of Mathematics and Systems Science (AMSS). I was previously educated in the Chern Class (Honor Class) at Nankai University, named after Shiing-Shen Chern, and obtained my bachelor’s degree in 2022.

My research interests lie broadly in cryptography and security, especially Lattice-based Cryptography and Succinct Zero-Knowledge Proof.

Let (N,e) be a public key of the RSA cryptosystem, and (N,d) be the corresponding private key. In practice, we usually choose a small e for encryption. In this paper, we improve Partial Key Exposure attacks on standard RSA on secret exponents d with small public exponent e. Compared to previous results, we reduced it by \log_N(e) bits. We turn it into solving univariate modular polynomials, so we don’t rely on the assumptions of the Coppersmith method (for multivariate polynomials). Moreover, our experiments show that for 1024-bit N, our algorithm can achieve the theoretical bound on a personal computer.

New Results for Coppersmith’s Method from the Perspective of Sumsets Theory

Coppersmith’s method, combined with the Jochemsz-May strategy, is widely used to find the small roots of multivariate polynomials for cryptanalysis. At Asiacrypt’23, Meers and Nowakowski improved the Jochemsz-May strategy from a single polynomial equation to a system of polynomial equations and proposed a new method, called Automated Coppersmith. Note that it is typically a tedious and non-trivial task to determine asymptotic upper bounds for Coppersmith’s method and manual analysis has to be performed anew when a new set of polynomials is considered. By making certain heuristic assumption, Meers and Nowakowski showed that the bound can be obtained using Lagrange interpolation with the computer, but it is still time-consuming. Moreover, we find that sometimes the interpolation method may get stuck in local convergence, which will result in an incorrect bound when a natural termination strategy is employed in the method. In this paper, we revisit the Jochemsz-May strategy as well as the work of Meers and Nowakowski and point out that the bound can be obtained by calculating the leading coefficient of some Hilbert function, which is exactly the volume of the corresponding Newton polytope. To this end, we introduce the concept of Sumsets theory and propose a series of related results and algorithms. Compared with the Automated Coppersmith, we overcome the issue of getting stuck in local convergence and directly eliminate the time-consuming calculation for f^m in Automated Coppersmith when m is large, which brings a 1000x\sim1200x improvement in running time for some polynomials in our experiment. Additionally, our new method offers a new perspective to understand Automated Coppersmith, thus providing proof of Meers and Nowakowski’s Heuristic 2 for the system of a single polynomial.

Embedding

Embedding Integer Lattices as Ideals into Polynomial Rings

Many lattice-based crypstosystems employ ideal lattices for high efficiency. However, the additional algebraic structure of ideal lattices usually makes us worry about the security, and it is widely believed that the algebraic structure will help us solve the hard problems in ideal lattices more efficiently. In this paper, we study the additional algebraic structure of ideal lattices further and find that a given ideal lattice in a polynomial ring can be embedded as an ideal into infinitely many different polynomial rings by the coefficient embedding. We design an algorithm to verify whether a given full-rank lattice in \mathbbZ^n is an ideal lattice and output all the polynomial rings that the given lattice can be embedded into as an ideal with time complexity \mathcalO(n^3B(B+\log n), where n is the dimension of the lattice and B is the upper bound of the bit length of the entries of the input lattice basis. We would like to point out that Ding and Lindner proposed an algorithm for identifying ideal lattices and outputting a single polynomial ring that the input lattice can be embedded into with time complexity \mathcalO(n^5B^2) in 2007. However, we find a flaw in Ding and Lindner’s algorithm that causes some ideal lattices can’t be identified by their algorithm.

PPFE Attack

Partial Prime Factor Exposure Attacks on Some RSA Variants

In this paper, we consider five variants of the RSA cryptosystem, where the modulus is N=pq, and the public key e and the secret key d satisfy ed−k(p2+p+1)(q2+q+1)=1 or ed−k(p2−1)(q2−1)=1. Our results show that if a certain amount of the most significant bits of p are known so that |p−p0|=Nβ with a known p0, then one can factor the RSA modulus with a better bound than low private exponent attacks. We also present the experimental results to verify our analysis.

The Implicit Factorization Problem (IFP) was first introduced by May and Ritzenhofen at PKC’09, which concerns the factorization of two RSA moduli N_1=p_1q_1 and N_2=p_2q_2, where p_1 and p_2 share a certain consecutive number of least significant bits. Since its introduction, many different variants of IFP have been considered, such as the cases where p_1 and p_2 share most significant bits or middle bits at the same positions. In this paper, we consider a more generalized case of IFP, in which the shared consecutive bits can be located at \textitany positions in each prime, not necessarily required to be located at the same positions as before. We propose a lattice-based algorithm to solve this problem under specific conditions, and also provide some experimental results to verify our analysis.