Cryptanalysis of Multi-Prime \(\varPhi \)-Hiding Assumption

Abstract

In Crypto 2010, Kiltz, O’Neill and Smith used m-prime RSA modulus N with \(m\ge 3\) for constructing lossy RSA. The security of the proposal is based on the Multi-Prime \(\varPhi \)-Hiding Assumption. In this paper, we propose a heuristic algorithm based on the Herrmann-May lattice method (Asiacrypt 2008) to solve the Multi-Prime \(\varPhi \)-Hiding Problem when prime \(e>N^{\frac{2}{3m}}\). Further, by combining with mixed lattice techniques, we give an improved heuristic algorithm to solve this problem when prime \(e>N^{\frac{2}{3m}-\frac{1}{4m^2}}\). These two results are verified by our experiments. Our bounds are better than the existing works.

A Proof on \(|v_{11}|\le \sqrt{2e}\) and \(v_{11}\ne 0\)

Proof

Note that \(\mathbf {v_1}=(v_{11}, v_{12})\) is the shortest nonzero vector in lattice \(\mathcal {L}\). According to Minkowski bound, we know that

$$\Vert \mathbf {v_1}\Vert \le \sqrt{2\det (\mathcal {L})}=\sqrt{2e}.$$

Since \(v_{11}\) is a component of \(\mathbf {v_1}\), we have \(|v_{11}|\le \sqrt{2e}\). Now, we prove that \(v_{11}\ne 0\). Since \(v_1 \in \mathcal {L}\), there exists some integer \(c_1\) such that

$$v_{11}+rv_{12}= c_1 e.$$

If \(v_{11}=0\), we get \(rv_{12}=c_1e\). Since e is a prime and \(0<r<e\), e divides \(v_{12}\). Thus e divides \(\Vert \mathbf {v_1}\Vert \). So \(\Vert \mathbf {v_1}\Vert \ge e\). However, it is impossible since \(\Vert \mathbf {v_1}\Vert \le \sqrt{2e}\). Therefore, \(v_{11}\ne 0\).    \(\square \)