The two faces of lattices in cryptology

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 2146, Issue , 2001, Pages 146-180

  Nguyen, Phong Q ^a   Stern, Jacques ^a  

^a ECOLE NORMALE SUPÉRIEURE   (France)

Author keywords

[No Author keywords available]

Indexed keywords

CRYPTOGRAPHY; NUMBER THEORY; PUBLIC KEY CRYPTOGRAPHY;

19TH CENTURY; CRYPTOGRAPHIC APPLICATIONS; CRYPTOGRAPHIC SCHEMES; LATTICE BASIS REDUCTION; LATTICE PROBLEMS; N-DIMENSIONAL SPACE; PUBLIC KEY CRYPTOSYSTEMS; SECURITY PROOFS;

LATTICE THEORY;

EID: 33846867921     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/3-540-44670-2_12     Document Type: Conference Paper

References (137)

1. L. M. Adleman. On breaking generalized knapsack publick key cryptosystems. In Proc of 15th STOC, pages 402-412. ACM, 1983.
2. L. M. Adleman. Factoring and lattice reduction. Unpublished manuscript, 1995.
3. M. Ajtai. Generating hard instances of lattice problems. In Proc of 28th STOC, pages 99-108. ACM, 1996. Available at[47] as TR96-007.
4. M. Ajtai. The shortest vector problem in L2 is NP-hard for randomized reductions. In Proc of 30th STOC. ACM, 1998. Available at[47] as TR97-047.
5. M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proc of 29th STOC, pages 284-293. ACM, 1997. Available at[47] as TR96-065.
6. M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proc. 33rd STOC, pages 601-610. ACM, 2001.
7. S. Arora, L. Babai, J. Stern, and Z. Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. Journal of Computer and System Sciences, 54(2):317-331, 1997.
8. L. Babai. On Lovász lattice reduction and the nearest lattice point problem. Combinatorica, 6:1-13, 1986.
9. W. Banaszczyk. New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen, 296:625-635, 1993.
10. M. Bellare, S. Goldwasser, and D. Micciancio.”Pseudo-random” number generation within cryptographic algorithms: The DSS case. In Proc of Crypto’97, volume 1294 of LNCS. IACR, Springer-Verlag, 1997.
11. M. Bellare and P. Rogaway. Optimal asymmetric encryption. In Proc of Eurocrypt’94, volume 950 of LNCS, pages 92-111. IACR, Springer-Verlag, 1995.
12. D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In Proc of Crypto’97, volume 1294 of LNCS, pages 235-248. IACR, Springer-Verlag, 1997.
13. D. Bleichenbacher and P. Q. Nguyen. Noisy polynomial interpolation and noisy Chinese remaindering. In Proc of Eurocrypt’00, volume 1807 of LNCS. IACR, Springer-Verlag, 2000.
14. J. Blömer and J.-P. Seifert. On the complexity of computing short linearly independent vectors and short bases in a lattice. In Proc of 31st STOC. ACM, 1999.
15. D. Boneh. The decision Diffie-Hellman problem. In Algorithmic Number Theory – Proc of ANTS-III, volume 1423 of LNCS. Springer-Verlag, 1998.
16. D. Boneh. Twenty years of attacks on the RSA cryptosystem. Notices of the AMS, 46(2):203-213, 1999.
17. D. Boneh. Finding smooth integers in short intervals using CRT decoding. In Proc of 32nd STOC. ACM, 2000.
18. D. Boneh. Simplified OAEP for the RSA and Rabin functions. In Proc of Crypto 2001, LNCS. IACR, Springer-Verlag, 2001.
19. D. Boneh and G. Durfee. Cryptanalysis of RSA with private key d less than N0.292. In Proc of Eurocrypt’99, volume 1592 of LNCS, pages 1-11. IACR, Springer-Verlag, 1999.
20. D. Boneh, G. Durfee, and Y. Frankel. An attack on RSA given a small fraction of the private key bits. In Proc of Asiacrypt’98, volume 1514 of LNCS, pages 25-34. Springer-Verlag, 1998.
21. D. Boneh, G. Durfee, and N. A. Howgrave-Graham. Factoring n = prq for large r. In Proc of Crypto’99, volume 1666 of LNCS. IACR, Springer-Verlag, 1999.
22. D. Boneh, A. Joux, and P. Q. Nguyen. Why textbook ElGamal and RSA encryption are insecure. In Proc of Asiacrypt’00, volume 1976 of LNCS. IACR, Springer-Verlag, 2000.
23. D. Boneh and I. E. Shparlinski. Hard core bits for the elliptic curve Diffie-Hellman secret. In Proc of Crypto 2001, LNCS. IACR, Springer-Verlag, 2001.
24. D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Proc of Crypto’96, LNCS. IACR, Springer-Verlag, 1996.
25. D. Boneh and R. Venkatesan. Breaking RSA may not be equivalent to factoring. In Proc of Eurocrypt’98, volume 1233 of LNCS, pages 59-71. Springer-Verlag, 1998.
26. V. Boyko, M. Peinado, and R. Venkatesan. Speeding up discrete log and factoring based schemes via precomputations. In Proc of Eurocrypt’98, volume 1403 of LNCS, pages 221-235. IACR, Springer-Verlag, 1998.
27. E. F. Brickell. Solving low density knapsacks. In Proc of Crypto’83. Plenum Press, 1984.
28. E. F. Brickell. Breaking iterated knapsacks. In Proc of Crypto’84, volume 196 of LNCS. Springer-Verlag, 1985.
29. E. F. Brickell and A. M. Odlyzko. Cryptanalysis: A survey of recent results. In G. J. Simmons, editor, Contemporary Cryptology, pages 501-540. IEEE Press, 1991.
30. J.-Y. Cai. Some recent progress on the complexity of lattice problems. In Proc of FCRC, 1999. Available at[47] as TR99-006.
31. J.-Y. Cai. The complexity of some lattice problems. In Proc of ANTS-IV, volume 1838 of LNCS. Springer-Verlag, 2000.
32. J.-Y. Cai and T.W. Cusick. A lattice-based public-key cryptosystem. Information and Computation, 151:17-31, 1999.
33. J.-Y. Cai and A. P. Nerurkar. An improved worst-case to average-case connection for lattice problems. In Proc of 38th FOCS, pages 468-477. IEEE, 1997.
34. S. Cavallar, B. Dodson, A. K. Lenstra, W. Lioen, P. L. Montgomery, B. Murphy, H. te Riele, K. Aardal, J. Gilchrist, G. Guillerm, P. Leyland, J. Marchand, F. Morain, A. Muffett, C. Putnam, and P. Zimmermann. Factorization of 512-bit RSA key using the number field sieve. In Proc of Eurocrypt’00, volume 1807 of LNCS. IACR, Springer-Verlag, 2000.
35. B. Chor and R.L. Rivest. A knapsack-type public key cryptosystem based on arithmetic in finite fields. IEEE Trans. Inform. Theory, 34, 1988.
36. H. Cohen. A Course in Computational Algebraic Number Theory. Springer-Verlag, 1995. Second edition.
37. J.H. Conway and N.J.A. Sloane. Sphere Packings, Lattices and Groups. Springer-Verlag, 1998. Third edition.
38. D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. of Cryptology, 10(4):233-260, 1997. Revised version of two articles from Eurocrypt’96.
39. D. Coppersmith. Finding small solutions to small degree polynomials. In Proc of CALC 2001, LNCS. Springer-Verlag, 2001.
40. D. Coppersmith and A. Shamir. Lattice attacks on NTRU. In Proc of Eurocrypt’97, LNCS. IACR, Springer-Verlag, 1997.
41. M.J. Coster, A. Joux, B.A. LaMacchia, A.M. Odlyzko, C.-P. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Comput. Complexity, 2:111-128, 1992.
42. C. Coupé, P. Q. Nguyen, and J. Stern. The effectiveness of lattice attacks against low-exponent RSA. In Proc of PKC’98, volume 1431 of LNCS. Springer-Verlag, 1999.
43. W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, IT-22:644-654, Nov 1976.
44. I. Dinur. Approximating SVP∞ to within almost-polynomial factors is NP-hard. Available at[47] as TR99-016.
45. I. Dinur, G. Kindler, and S. Safra. Approximating CVP to within almostpolynomial factors is NP-hard. In Proc of 39th FOCS, pages 99-109. IEEE, 1998. Available at[47] as TR98-048.
46. G. Durfee and P. Q. Nguyen. Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt’99. In Proc of Asiacrypt’00, volume 1976 of LNCS. IACR, Springer-Verlag, 2000.
47. ECCC. http://www.eccc.uni-trier.de/eccc/. The Electronic Colloquium on Computational Complexity.
48. E. El Mahassni, P. Q. Nguyen, and I. E. Shparlinski. The insecurity of Nyberg–Rueppel and other DSA-like signature schemes with partially known nonces. In Proc of CALC 2001, LNCS. Springer-Verlag, 2001.
49. P. van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical report, Mathematische Instituut, University of Amsterdam, 1981. Report 81-04. Available athttp://turing.wins.uva.nl/~peter/.
50. R. Fischlin and J.-P. Seifert. Tensor-based trapdoors for CVP and their application to public key cryptography. In IMA Conference on Cryptography and Coding, LNCS. Springer-Verlag, 1999.
51. A. M. Frieze. On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput, 15(2):536-539, 1986.
52. A.M. Frieze, J. Håstad, R. Kannan, J. C. Lagarias, and A. Shamir. Reconstructing truncated integer variables satisfying linear congruences. SIAM J. Comput., 17(2):262-280, 1988. Special issue on cryptography.
53. E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA–OAEP is secure under the RSA assumption. In Proc of Crypto 2001, LNCS. IACR, Springer-Verlag, 2001.
54. M. L. Furst and R. Kannan. Succinct certificates for almost all subset sum problems. SIAM J. Comput, 18(3):550-558, 1989.
55. C.F. Gauss. Disquisitiones Arithmeticæ. Leipzig, 1801.
56. C. Gentry. Key recovery and message attacks on NTRU-composite. In Proc. Of Eurocrypt 2001, volume 2045 of LNCS. IACR, Springer-Verlag, 2001.
57. M. Girault and J.-F. Misarsky. Cryptanalysis of countermeasures proposed for repairing ISO 9796–1. In Proc of Eurocrypt’00, volume 1807 of LNCS. IACR, Springer-Verlag, 2000.
58. O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc of 30th STOC. ACM, 1998. Available at[47] as TR97-031.
59. O. Goldreich, S. Goldwasser, and S. Halevi. Challenges for the GGH cryptosystem. Available athttp://theory.lcs.mit.edu/ shaih/challenge.html.
60. O. Goldreich, S. Goldwasser, and S. Halevi. Eliminating decryption errors in the Ajtai-Dwork cryptosystem. In Proc of Crypto’97, volume 1294 of LNCS, pages 105-111. IACR, Springer-Verlag, 1997. Available at[47] as TR97-018.
61. O. Goldreich, S. Goldwasser, and S. Halevi. Pblic-key cryptosystems from lattice reduction problems. In Proc of Crypto’97, volume 1294 of LNCS, pages 112-131. IACR, Springer-Verlag, 1997. Available at[47] as TR96-056.
62. O. Goldreich, D. Micciancio, S. Safra, and J.-P. Seifert. Approximating shortest lattice vectors is not harder than approximating closest lattice vectors, 1999. Available at[47] as TR99-002.
63. M. I. González Vasco and I. E. Shparlinski. On the security of Diffie-Hellman bits. In K.-Y. Lam, I. E. Shparlinski, H. Wang, and C. Xing, editors, Proc. Workshop on Cryptography and Comp. Number Theory (CCNT’99). Birkhauser, 2000.
64. M. Grötschel, L. Lovász, and A. Schrijver. Geometric Algorithms and Combinatorial Optimization. Springer-Verlag, 1993.
65. M. Gruber and C. G. Lekkerkerker. Geometry of Numbers. North-Holland, 1987.
66. J. Håstad. Solving simultaneous modular equations of low degree. SIAM J. Comput., 17(2):336-341, April 1988. Preliminary version in Proc. of Crypto’85.
67. B. Helfrich. Algorithms to construct Minkowski reduced and Hermite reduced bases. Theoretical Computer Science, 41:125-139, 1985.
68. C. Hermite. Extraits de lettres de M. Hermite à M. Jacobi sur différents objets de la théorie des nombres, deuxième lettre. J. Reine Angew. Math., 40:279-290
69. J. Hoffstein, J. Pipher, and J.H. Silverman. NTRU: a ring based public key cryptosystem. In Proc of ANTS III, volume 1423 of LNCS, pages 267-288. Springer-Verlag, 1998. Additional information at http://www.ntru.com.
70. N. A. Howgrave-Graham. Finding small roots of univariate modular equations revisited. In Cryptography and Coding, volume 1355 of LNCS, pages 131-142. Springer-Verlag, 1997.
71. N. A. Howgrave-Graham. Computational Mathematics Inspired by RSA. PhD thesis, University of Bath, 1998.
72. N. A. Howgrave-Graham. Approximate integer common divisors. In Proc. Of CALC 2001, LNCS. Springer-Verlag, 2001.
73. N. A. Howgrave-Graham and N. P. Smart. Lattice attacks on digital signature schemes. Technical report, HP Labs, 1999. HPL-1999-90. To appear in Designs, Codes and Cryptography.
74. E. Jaulmes and A. Joux. A chosen ciphertext attack on NTRU. In Proc of Crypto 2000, volume 1880 of LNCS. IACR, Springer-Verlag, 2000.
75. A. Joux and J. Stern. Lattice reduction: A toolbox for the cryptanalyst. J of Cryptology, 11:161-185, 1998.
76. C. S. Jutla. On finding small solutions of modular multivariate polynomial equations. In Proc of Eurocrypt’98, volume 1403 of LNCS, pages 158–170. IACR, Springer-Verlag, 1998.
77. R. Kannan. Improved algorithms for integer programming and related lattice problems. In Proc of 15th STOC, pages 193-206. ACM, 1983.
78. R. Kannan. Algorithmic geometry of numbers. Annual review of computer science, 2:231-267, 1987.
79. R. Kannan. Minkowski’s convex body theorem and integer programming. Math. Oper. Res., 12(3):415-440, 1987.
80. P. Klein. Finding the closest lattice vector when it’s unusually close. In Proc. Of SODA’00. ACM–SIAM, 2000.
81. S. V. Konyagin and T. Seger. On polynomial congruences. Mathematical Notes, 55(6):596-600, 1994.
82. A. Korkine and G. Zolotareff. Sur les formes quadratiques positives ternaires. Math. Ann., 5:581-583, 1872.
83. A. Korkine and G. Zolotareff. Sur les formes quadratiques. Math. Ann., 6:336-389, 1873.
84. J. C. Lagarias. Point lattices. In R. Graham, M. Grötschel, and L. Lovász, editors, Handbook of Combinatorics, volume 1, chapter 19. Elsevier, 1995.
85. 85. J. C. Lagarias and A. M. Odlyzko. Solving low-density subset sum problems. Journal of the Association for Computing Machinery, January 1985.
86. L. Lagrange. Recherches d’arithmátique. Nouv. Mém. Acad., 1773
87. A. K. Lenstra and H. W. Lenstra Jr. The Development of the Number Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, 1993.
88. A. K. Lenstra, H. W. L enstra Jr., and L. Lovész. Factoring polynomials with rational coefficients. Mathematische Ann., 261:513-534, 1982.
89. H. W. Lenstra Jr. Integer programming with a fixed number of variables. Technical report, Mathematisch Instituut, Universiteit van Amsterdam, April 1981. Report 81-03.
90. H. W. Lenstra Jr. Integer programming with a fixed number of variables. Math. Oper. Res., 8(4):538-548, 1983.
91. L. Lovász. An Algorithmic Theory of Numbers, Graphs and Convexity, volume 50. SIAM Publications, 1986. CBMS-NSF Regional Conference Series in Applied Mathematics.
92. J. Martinet. Les Réseaux Parfaits des Espaces Euclidiens. Éditions Masson, 1996. English translation to appear at Springer-Verlag.
93. J. E. Mazo and A. M. Odlyzko. Lattice points in high-dimensional spheres. Monatsh. Math., 110:47–61, 1990.
94. R.J. McEliece. A public-key cryptosystem based on algebraic number theory. Technical report, Jet Propulsion Laboratory, 1978. DSN Progress Report 42-44.
95. A. Menezes, P. Van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
96. R. Merkle and M. Hellman. Hiding information and signatures in trapdoor knapsacks. IEEE Trans. Inform. Theory, IT-24:525-530, September 1978.
97. D. Micciancio. On the Hardness of the Shortest Vector Problem. PhD thesis, Massachusetts Institute of Technology, 1998.
98. D. Micciancio. The shortest vector problem is NP-hard to approximate within some constant. In Proc of 39th FOCS. IEEE, 1998. Available at[47] as TR98-016.
99. D. Micciancio. Lattice based cryptography: A global improvement. Technical report, Theory of Cryptography Library, 1999. Report 99-05.
100. D. Micciancio. The hardness of the closest vector problem with preprocessing. IEEE Trans. Inform. Theory, 47(3):1212-1215, 2001.
101. D. Micciancio. Improving lattice-based cryptosystems using the Hermite normal form. In Proc of CALC 2001, LNCS. Springer-Verlag, 2001.
102. J. Milnor and D. Husemoller. Symmetric Bilinear Forms. Springer-Verlag, 1973.
103. H. Minkowski. Geometrie der Zahlen. Teubner-Verlag, Leipzig, 1896.
104. J.-F. Misarsky. A multiplicative attack using LLL algorithm on RSA signatures with redundancy. In Proc of Crypto’97, volume 1294 of LNCS, pages 221-234. IACR, Springer-Verlag, 1997.
105. P. L. Montgomery. Square roots of products of algebraic numbers. In Walter Gautschi, editor, Mathematics of Computation 1943-1993: a Half-Century of Computational Mathematics, Proc of Symposia in Applied Mathematics, pages 567-571. American Mathematical Society, 1994.
106. National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.
107. P. Q. Nguyen. A Montgomery-like square root for the number field sieve. In Algorithmic Number Theory – Proc of ANTS-III, volume 1423 of LNCS. Springer-Verlag, 1998.
108. P. Q. Nguyen. Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto’97. In Proc of Crypto’99, volume 1666 of LNCS, pages 288–304. IACR, Springer-Verlag, 1999.
109. P. Q. Nguyen. La Géométrie des Nombres en Cryptologie. PhD thesis, Université Paris 7, November 1999. Available at http://www.di.ens.fr/~pnguyen/.
110. P. Q. Nguyen. The dark side of the hidden number problem: Lattice attacks on DSA. In K.-Y. Lam, I. E. Shparlinski, H. Wang, and C. Xing, editors, Proc. Workshop on Cryptography and Comp. Number Theory (CCNT’99). Birkhauser, 2000.
111. P. Q. Nguyen and I. E. Shparlinski. The insecurity of the Digital Signature Algorithm with partially known nonces. J of Cryptology, 2001. To appear.
112. P. Q. Nguyen and I. E. Shparlinski. The insecurity of the elliptic curve Digital Signature Algorithm with partially known nonces. Preprint, 2001.
113. P. Q. Nguyen and J. Stern. Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In Proc of Crypto’97, volume 1294 of LNCS, pages 198-212. IACR, Springer-Verlag, 1997.
114. P. Q. Nguyen and J. Stern. Cryptanalysis of a fast public key cryptosystem presented at SAC’97. In Selected Areas in Cryptography - Proc. of SAC’98, volume 1556 of LNCS. Springer-Verlag, 1998.
115. P. Q. Nguyen and J. Stern. Cryptanalysis of the Ajtai-Dwork cryptosystem. In Proc of Crypto’98, volume 1462 of LNCS, pages 223-242. IACR, Springer-Verlag, 1998.
116. P. Q. Nguyen and J. Stern. The Béguin-Quisquater server-aided RSA protocol from Crypto’95 is not secure. In Proc of Asiacrypt’98, volume 1514 of LNCS, pages 372-379. Springer-Verlag, 1998.
117. P. Q. Nguyen and J. Stern. The hardness of the hidden subset sum problem and its cryptographic implications. In Proc of Crypto’99, volume 1666 of LNCS, pages 31-46. IACR, Springer-Verlag, 1999.
118. P. Q. Nguyen and J. Stern. Lattice reduction in cryptology: An update. In Proc of ANTS-IV, volume 1838 of LNCS. Springer-Verlag, 2000.
119. A. M. Odlyzko. The rise and fall of knapsack cryptosystems. In Cryptology and Computational Number Theory, volume 42 of Proc. of Symposia in Applied Mathematics, pages 75-88. A.M.S., 1990.
120. R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.
121. C. P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201-224, 1987.
122. C. P. Schnorr. A more efficient algorithm for lattice basis reduction. J of algorithms, 9(1):47-62, 1988.
123. C. P. Schnorr. Factoring integers and computing discrete logarithms via Diophantine approximation. In Proc of Eurocrypt’91, volume 547 of LNCS, pages 171-181. IACR, Springer-Verlag, 1991.
124. C. P. Schnorr and M. Euchner. Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming, 66:181-199, 1994.
125. C. P. Schnorr and H. H. Hörner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Proc of Eurocrypt’95, volume 921 of LNCS, pages 1-12. IACR, Springer-Verlag, 1995.
126. A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In Proc of 23rd FOCS, pages 145-152. IEEE, 1982.
127. V. Shoup. Number Theory C++ Library (NTL) version 3.6. Available athttp://www.shoup.net/ntl/.
128. V. Shoup. OAEP reconsidered. In Proc of Crypto 2001, LNCS. IACR, Springer-Verlag, 2001.
129. I. E. Shparlinski. On the generalized hidden number problem and bit security of XTR. In Proc of 14th Symp. on Appl. Algebra, Algebraic Algorithms, and Error-Correcting Codes, LNCS. Springer-Verlag, 2001.
130. I. E. Shparlinski. Sparse polynomial approximation in finite fields. In Proc. 33rd STOC. ACM, 2001.
131. C. L. Siegel. Lectures on the Geometry of Numbers. Springer-Verlag, 1989.
132. B. Vallée. La réduction des réseaux. autour de l’algorithme de Lenstra, Lenstra, Lovász. RAIRO Inform. Théor. Appl, 23(3):345-376, 1989.
133. B. Vallée, M. Girault, and P. Toffin. How to guess -th roots modulo n by reducing lattice bases. In Proc of AAEEC-6, volume 357 of LNCS, pages 427-442. Springer-Verlag, 1988.
134. S. A. Vanstone and R. J. Zuccherato. Short RSA keys and their generation. J of Cryptology, 8(2):101-114, 1995.
135. S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. In Proc. Of Crypto’98, volume 1462 of LNCS. IACR, Springer-Verlag, 1998.
136. E. R. Verheul. Certificates of recoverability with scalable recovery agent security. In Proc of PKC’00, LNCS. Springer-Verlag, 2000.
137. M. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Trans. Inform. Theory, 36(3):553-558, 1990.