The Polynomial Composition Problem in (Z/nZ)[X]

Transcription

1 The Polynomial Composition Problem in (Z/nZ)[X] Marc Joye 1, David Naccache 2, and Stéphanie Porte 3 1 Thomson R&D, Security Competence Center 1 avenue de Belle Fontaine, Cesson-Sévigné Cedex, France marc.joye@thomson.net 2 Ecole normale supérieure, Département d informatique 45 rue d Ulm, Paris Cedex 05, France david.naccache@ens.fr 3 Smart Consulting 2 rue Louis Vignol, La Ciotat, France stef.porte@gmail.com Abstract. Let n be an RSA modulus and let P, Q (Z/nZ)[X]. This paper explores the following problem: Given polynomials Q and Q(P), find polynomial P. We shed light on the connections between the above problem and the RSA problem and derive from it new zero-knowledge protocols suited to smart-card applications. Keywords: Polynomial composition, zero-knowledge protocols, Fiat- Shamir protocol, Guillou-Quisquater protocol, smart cards. 1 Introduction Smart cards play an active role in security systems. Their salient features make them attractive in numerous applications, including to name a few the areas of banking, telephone, health, pay TV, home computers, and communication networks. One of the primary use of smart cards resides in authentication. There exist basically two families of methods currently used for authenticating purposes. The first family relies on secret-key one-way functions while the second one makes use of public-key techniques. Both families have their own advantages. This paper focuses on the second family. In particular, we study zero-knowledge techniques. In a typical scenario, the smart card, characterized by a set of credentials, plays the role of the proving entity. The first practical zero-knowledge protocol is due to Fiat and Shamir [3]. Remarkably, the protocol is rather efficient, computation-wise. It amounts to at most two modular multiplications per interaction. However, in order to reach a level of confidence of (1 2 k ), the basic protocol has to be repeated k times a typical value for k is k = 40. In order to reduce the communication overhead, there is also a multiple-key protocol, at the expense of more key material. Another zero-knowledge protocol well suited to smart-card applications is the

2 Guillou-Quisquater protocol [4] (a.k.a. GQ protocol). The GQ protocol features small storage requirements and needs a single interaction. In this paper we introduce a new problem, the Polynomial Composition Problem, which can be stated as follows. Let P and Q be two polynomials in (Z/nZ)[X] where n is an RSA modulus. Given polynomials Q and S := Q(P), find P. Most public-key cryptographic schemes base their security on the difficulty of solving a hard mathematical problem. Given that the number of hard problems harnessable to cryptographic applications is rather limited, the investigation of new problems is of central importance in cryptography. To understand the Polynomial Composition Problem and its variants, we explore in the following sections the way in which the PCP relates to the celebrated RSA problem. The Polynomial Composition Problem in (Z/nZ)[X] does not imply the RSA Problem, that is, the computation of roots in Z/nZ. Nevertheless, we exhibit a related problem that we call Reducible Polynomial Composition Problem (RPCP) and prove that RPCP RSA. In particular, we prove that when Q(X) = X q then the Polynomial Composition Problem is equivalent to the problem of extracting q th roots in Z/nZ. These new problems allow us to broaden the view of existing cryptographic constructions. Namely, we describe a general PCP-based zero-knowledge protocol of which the Fiat-Shamir and the Guillou-Quisquater protocols are particular instances. As will be seen later, if s denotes the secret, they respectively correspond to the cases Q(X) = vx 2 and Q(X) = vx ν (ν 3), with Q(s) = 1. The rest of this paper is organized as follows. In Section 2, we formally define the Polynomial Composition Problem and introduce the notations used throughout this paper. The hardness of the problem and its comparison with RSA are analyzed in Section 3. Finally, in Section 4, we show that the PCP allows one to generalize several zero-knowledge protocols. 2 The Polynomial Composition Problem We suggest the following problem as a basis for building cryptographic protocols. Problem 1 (Polynomial Composition Problem (PCP)). Let P and Q be two polynomials in (Z/nZ)[X] where n is an RSA modulus. Given polynomials Q and S := Q(P), find P. Throughout this paper p and q denote the degrees of P and Q, respectively. Let p P(X) = u i X i i=0

3 where the u i s denote the unknowns we are looking for. We assume that is known. Hence, S (X) = Q(Y) = q k j Y j j=0 q ( p ) j k j u i X i. j=0 If, given polynomials Q (Y) := Q(Y) k 0 and S (X) := Q (P(X)), an attacker can recover P then the same attacker can also recover P from {Q, S } by first forming polynomials Q (Y) = Q(Y) k 0 and S (X) = S (X) k 0. Therefore the problem is reduced to that of decomposing polynomials where Q has no constant term, i.e., Q(Y) = q j=1 k jy j. Similarly, once this has been done, the attacker can divide Q by a proper constant and replace one of the coefficients k j by one. Consequently and without loss of generality we restrict our attention to monic polynomials Q with no constant term, that is, i=0 Q(Y) = Y q + k q 1 Y q k 1 Y. (1) Noting that q = 1 implies that S = Q(P) = P, we also assume that q 2. 3 Analyzing the Polynomial Composition Problem As before, let P(X) = p i=0 u ix i and let Q(Y) = Y q + q 1 j=1 k jy j. Generalizing Newton s binomial formula and letting k q := 1, we get S (X) = q ( p ) j k j u i X i j=1 pq = t=0 i=0 1 i 0 + +i p q i 1 +2i 2 + +pi p =t k i0 + +i p (i 0 + +i p )! i 0!...i p! } {{ } :=c t i0 i u 0 u p p X t, (2) where the second sum is extended over all nonnegative integers i j satisfying 1 p j=0 i j q and p j=0 j i j = t. 3.1 RSA Problem Polynomial Composition Problem We define polynomials P 0,..., P pq (Z/nZ)[U 0,..., U p ] as P t (U 0,..., U p ) := 1 i 0 + +i p q i 1 +2i 2 + +pi p =t k i0 + +i p (i i p )! i 0!... i p! Note that P t (u 0,..., u p ) = 0 for all 0 t pq. U 0 i0 U p i p c t. (3)

4 Proposition 1. For all 0 r p, P pq r (Z/nZ)[U p r,..., U p ]. Furthermore, for all 1 r p, P pq r is of degree exactly one in variable U p r. Proof. For r = 0, we have P pq (U 0,..., U p ) = U p q c pq. For r = p, the condition P pq r (Z/nZ)[U p r,..., U p ] is trivially satisfied. Fix r in [1, p). By contradiction, suppose that P pq r (Z/nZ)[U p r,..., U p ]. So from Eq. (3), there exists some i j 0 with 0 j p r 1. Since 1 i 0 + +i p q, it follows that i 1 + 2i pi p j 1 + p (q 1) < pq r; a contradiction because i 1 + 2i pi p = pq r for polynomial P pq r. Moreover, for all 1 r p, P pq r is of degree one in variable U p r since we cannot simultaneously have 1 p j=0 i j q, p j=0 j i j = pq r, and i p r 2. Indeed, i p r 2 implies i 1 + 2i pi p (p r) 2 + p (q 2) < pq r, a contradiction. When i p r = 1, i 1 + 2i pi p = pq r if i p = q 1 and i j = 0 for all 0 (j p r) p 1. This implies that the only term in U p r appearing in polynomial P pq r is qu p r U q 1 p, whatever the values of variables k i s are. Corollary 1. If the value of u p is known then the Polynomial Composition Problem can be solved in time O(p). Proof. Solving for U p 1 the relation P pq 1 (U p 1, u p ) = 0 (which is a univariate polynomial of degree exactly one in U p 1 by virtue of the previous proposition), the value of u p 1 is recovered. Next, the root of P pq 2 (U p 2, u p 1, u p ) gives the value of u p 2 and so on until the value of u 0 is found. Note that the running time of the resolution process is O(p) and is thus exponential in the bit-length of p. This means that for low degree polynomials, the Polynomial Composition Problem in Z/nZ is easier than the problem of computing q th roots in Z/nZ because if an attacker is able to compute a q th modular root (i.e., to solve the RSA Problem) then she can find u p from P pq (u p ) = u p q c pq = 0 and then apply the technique explained in the proof of Corollary 1 to recover u p 1,..., u 0. In other words, Corollary 2. RSA Problem Polynomial Composition Problem. There is a proposition similar to Proposition 1. It says that once u 0 is known, u 1,..., u p can be found successively thanks to polynomials P 1,..., P p, respectively. Proposition 2. For all 0 r p, P r (Z/nZ)[U 0,..., U r ]. Furthermore, for all 1 r p, P r is of degree exactly one in variable U r. Proof. We have P 0 (U 0 ) = q j=1 k ju j 0 c 0. For r [1, p], suppose that P r (Z/nZ)[U 0,..., U r ]. Therefore, i 1 + 2i pi p (r + 1) 1 > r; a contradiction since i 1 + 2i pi p = r. Moreover, we can easily see that P r (U 0,..., U r ) = qu q 1 U 0 r + q 1 j=1 k j j U j 1 0 U r + Q r (U 0,..., U r 1 ) for some polynomial Q r (Z/nZ)[U 0,..., U r 1 ].

5 3.2 Reducible Polynomial Composition Problem RSA Problem The Polynomial Composition Problem cannot be equivalent to the RSA Problem. Consider for example the case p = 2 and q = 3: we have P(X) = u 2 X 2 + u 1 X + u 0 and Q(X) = X 3 + k 2 X 2 + k 1 X, and S (X) = c 6 X 6 + c 5 X 5 + c 4 X 4 + c 3 X 3 + c 2 X 2 + c 1 X + c 0 c 0 = k 1 u 0 + k 2 u u3 0, c 1 = k 1 u 1 + 2k 2 u 0 u 1 + 3u 2 0 u 1, c 2 = k 2 u u 0u k 1u 2 + 2k 2 u 0 u 2 + 3u 2 0 u 2, with c 3 = u k 2u 1 u 2 + 6u 0 u 1 u 2, c 4 = 3u 2 1 u 2 + k 2 u u 0u 2 2, c 5 = 3u 1 u 2 2, c 6 = u 3 2. We define the polynomials P 0 (U 0 ) := k 1 U 0 + k 2 U U3 0 c 0, P 1 (U 0, U 1 ) := k 1 U 1 +2k 2 U 0 U 1 +3U 2 0 U 1 c 1, and P 5 (U 1, U 2 ) := 3U 1 U 2 2 c 5. Now we first compute the resultant of P 0 and P 1 with respect to variable U 0 and obtain a univariate polynomial in U 1, say R 0 = Res U0 (P 0, P 1 ). Next we compute the resultant of R 0 and P 5 with respect to variable U 1 and get a univariate polynomial in U 2, say R 1 = Res U1 (R 0, P 5 ). After computation, we get R 1 (U 2 ) = 27c 3 1 U6 2 + (27c2 1 c 5k 1 9c 2 1 c 5k 2 2 )U4 2 +( 4c 3 5 k3 1 + c3 5 k2 2 b2 18c 0 c 3 5 k 1k 2 + 4c 0 c 3 5 k3 2 27c2 0 c3 5 ). Since u 2 is a root of both R 1 (U 2 ) and P 6 (U 2 ) := U 3 2 c 6, u 2 will be a root of their greatest common divisor in (Z/nZ)[U 2 ], which is given by (27c 2 1 c 5k 1 9c 2 1 c 5k 2 2 )c 6U 2 + (27c 3 1 c2 6 4c3 5 k3 1 + c3 5 k2 1 k2 2 18c 0c 3 5 k 1k 2 + 4c 0 c 3 5 k3 2 27c2 0 c3 5 ), from which we derive the value of u 2. Once u 2 is known, the values of u 1 and u 0 trivially follow by Corollary 1. We now introduce a harder problem: the Reduced Polynomial Composition Problem in (Z/nZ)[X]. Problem 2 (Reduced Polynomial Composition Problem (RPCP)). Let P and Q be two polynomials in (Z/nZ)[X] where n is an RSA modulus. Given Q and the deg(p) + 1 most significant coefficients of S := Q(P), find P. Definition 1. When the Polynomial Composition Problem is equivalent to the Reduced Polynomial Composition Problem, it is said to be reducible.

6 Equivalently, the Polynomial Composition Problem is reducible when the values of c 0,..., c p(q 1) 1 can be derived from c p(q 1),..., c pq and k 1,..., k q 1. This is for example the case when p = q = 2, that is, when P(X) = u 2 X 2 + u 1 X + u 0, Q(X) = X 2 + k 1 X, and S (X) = c 4 X 4 + c 3 X 3 + c 2 X 2 + c 1 X + c 0 c 0 = k 1 u 0 + u 2 0, c 1 = k 1 u 1 + 2u 0 u 1, with c 2 = k 1 u 2 + 2u 0 u 2 + u 2 1, c 3 = 2u 1 u 2, c 4 = u 2 2. An astute algebraic manipulation yields: c 1 = 4c 2c 3 c 4 c 3 3 8c 2 4 (mod n) and c 0 = 4c2 1 c 4 c 2 3 k2 1 4c 2 3 (mod n). If follows that we can omit the first two relations (the information included therein is anyway contained in the remaining three as we had just shown) and the problem amounts to solving the Reduced Polynomial Composition Problem: c 2 = k 1 u 2 + 2u 0 u 2 + u 2 1, c 3 = 2u 1 u 2, c 4 = u 2 2. Theorem 1. Reducible Polynomial Composition Problem RSA Problem. Proof. Assume that we are given an oracle O PCP (k 1,..., k q 1 ; c 0,..., c pq ) which on input polynomials Q(X) = X q + q 1 j=1 k jx j and S (X) = pq t=0 c tx t returns the polynomial P(X) = p i=0 u ix i such that S (X) = Q(P(X)). When the polynomial composition is reducible, oracle O PCP can be used to compute a q th root of a given x Z/nZ, i.e., compute a y satisfying y q x (mod n). 1. choose p + q 1 random values k 1,..., k q 1, c p(q 1),..., c pq 1 Z/nZ; 2. compute c 0,..., c p(q 1) 1 ; 3. run O PCP (k 1,..., k q 1 ; c 0,..., c pq 1, x); 4. get u 0,..., u p ; 5. set y := u p and so y q x (mod n). Note that Step 2 can be executed since the composition is supposed to be reducible. Furthermore, note that the values of c pq 1,..., c p(q 1) uniquely determine the values of u p 1,..., u 0, respectively. Indeed, from Proposition 1, P pq r (U p r, u p r+1,..., u p ) (Z/nZ)[U p r ] is a polynomial of degree exactly one of which u p r is root, for all 1 r p.

7 3.3 A Practical Criterion In this section, we present a simple criterion allowing to decide if a given composition problem is reducible. During the proof of Proposition 1, we have shown that there exists a polynomial Q pq r (Z/nZ)[U p r+1,..., U p ] such that P pq r (U p r,..., U p ) = qu p r U p q 1 + Q pq r (U p r+1,..., U p ) for all 1 r p. From c pq = (u p ) q, we infer: u p r = Q pq r(u p r+1,..., u p ) q c pq u p, (1 r p). (4) Using Eq. (4), for r = 1,..., p, we now iteratively compute u p 1,..., u 0 as a polynomial function in u p. We let Υ p r denote this polynomial function, i.e., u p r = Υ p r (u p ) for all 1 r p. We then respectively replace u 0,..., u p 1 by Υ 0 (u p ),..., Υ p 1 (u p ) in the expressions of c 0,..., c pq p 1. If, for each c i (0 i pq p 1), the powers of u p cancel thanks to (u p ) q 1 = c pq then the problem is reducible. We illustrate the technique with the example P(X) = u 3 X 3 + u 2 X 2 + u 1 X + u 0 and Q(Y) = Y 3. Then S (X) = 9 t=0 c tx t with c 0 = u 3 0, c 1 = 3u 2 0 u 1, c 2 = 3u 2 0 u 2 + 3u 0 u 2 1, c 3 = 3u 2 0 u 3 + 6u 0 u 1 u 2 + u 3 1, c 4 = 6u 0 u 1 u 3 + 3u 0 u u2 1 u 2, c 5 = 6u 0 u 2 u 3 + 3u 2 1 u 3 + 3u 1 u 2 2, c 6 = 3u 0 u u 1u 2 u 3 + u 3 2, c 7 = 3u 1 u u2 2 u 3, c 8 = 3u 2 u 2 3, c 9 = u 3 3. From the respective expressions of c 8, c 7 and c 6, we successively find Υ 2 (u 3 ) = c 8 u 3, Υ 1 (u 3 ) = 3c 7c 9 c 8 u 3c 9 9c 2 3, 9 and Υ 0 (u 3 ) = 27c 6c 2 9 6c 8(3c 7 c 9 c 2 8 ) c3 8 u 81c Since c 0,..., c 5 are homogeneous in u 0, u 1, u 2, u 3 and of degree three, they can be evaluated by replacing u 0, u 1, u 2 by Υ 0 (u 3 ), Υ 1 (u 3 ), Υ 2 (u 3 ), respectively, and then replacing (u 3 ) 3 by c 9. Consequently, the composition is reducible: the values of

8 c 0,..., c 5 can be inferred from c 6,..., c 9 and the problem amounts to computing cubic roots in Z/nZ. This is not fortuitous and can easily be generalized as follows. Corollary 3. For Q(Y) = Y q, the Polynomial Composition Problem in Z/nZ is equivalent to the RSA Problem, i.e. to the problem of extracting q th roots in Z/nZ. Proof. From Eq. (2), it follows that S (X) = pq t=0 c tx t with c t = i 0 + +i p =q i 1 +2i 2 + +pi p =t q! i 0! i p! u 0 i0 u p i p, which is homogeneous in u 0,..., u p and of degree i i p = q. Moreover since by induction, for 1 r p, Υ p r (u p ) = K p r u p for some constant K p r, the corollary follows. 4 Cryptographic Applications Loosely speaking, a zero-knowledge protocol allows a prover to demonstrate the knowledge of a secret without revealing any useful information about the secret. We show how to construct such a protocol thanks to composition of polynomials. 4.1 A PCP-Based Zero-Knowledge Protocol A trusted third party selects and publishes an RSA modulus n. Each prover P chooses two polynomials P, Q in (Z/nZ)[X] and computes S = Q(P). {Q, S } is P s public key given to the verifier V so as to ascertain P s knowledge of the secret key P. Execute l times the following protocol: P selects a random r Z/nZ. P evaluates c = S (r) and sends c to V. V sends to P a random bit b. If b = 0, P reveals t = r and V checks that S (t) = c. If b = 1, P reveals t = P(r) and V checks that Q(t) = c. PCP-Based Protocol. 4.2 Improvements Efficiency can be increased by using the following trick: P chooses ν polynomials P 1,..., P ν 1, Q in (Z/nZ)[X], with ν 3. Her secret key is the set {P 1,..., P ν 1 } while her public key consists of the set {S 0 =

9 Q, S 1 = Q(P ν 1 ), S 2 = Q(P ν 1 (P ν 2 )),..., S j = Q(P ν 1 (... (P ν j ))),..., S ν 1 = Q(P ν 1 (... (P 1 )))}. The protocol is shown below: P selects a random r Z/nZ P evaluates c = S ν 1 (r) and sends c to V. V sends to P a random integer 0 b ν 1. If b = 0, P reveals t = r and V checks that S ν 1 (t) = c. If b 0, P reveals t = P b (... (P 1 (r))) and V checks that S ν b 1 (t) = c. Nested PCP Protocol. 4.3 Relations with Other Zero-Knowledge Protocols It is interesting to note that our first protocol coincides with the (simplified) Fiat-Shamir protocol [3] (see also [5, Protocol 10.24]) when P(X) = sx and Q(X) = vx 2 where vs 2 1 (mod n). The nested variant may be seen as a generalization of the Guillou-Quisquater protocol [4] by taking P 1 (X) = P 2 (X) = = P ν 1 (X) = sx where s is a secret value and Q(X) = vx ν so that vs ν 1 (mod n). Indeed, in this case we have P ν 1 (... (P ν j (X))) = s j X and hence S j (X) = v 1 j X ν. An interesting research direction would be to extend the above protocols to Dickson polynomials. 5 Conclusion This paper introduced the Polynomial Composition Problem (PCP) and the related Reducible Polynomial Composition Problem (RPCP). Relations between these two problems and the RSA Problem were explored. Further, two concrete zero-knowledge protocols suited to smart-card applications were given as particular instances of PCP-based constructs. Acknowledgments We are grateful to Jesper Buus Nielsen (ETHZ) for attracting our attention to an important detail in the proof of Corollary 1. We are also grateful to the anonymous referees for useful comments. References 1. Henri Cohen. A Course in Computational Algebraic Number Theory, GTM 138, Springer-Verlag, Don Coppersmith, Matthew Franklin, Jacques Patarin, and Michael Reiter. Lowexponent RSA with related messages. In U. Maurer, ed., Advances in Cryptology EUROCRYPT 96, LNCS 1070, pp. 1 9, Springer-Verlag, 1996.

10 3. Amos Fiat, and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, ed., Advances in Cryptology CRYPTO 86, LNCS 263, pp , Springer-Verlag, Louis C. Guillou and Jean-Jacques Quisquater. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In C. Günther, ed., Advances in Cryptology EUROCRYPT 88, LNCS 330, pp , Springer-Verlag, Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography, CRC Press, A Mathematical Background Let R be an integral domain with quotient field K. Definition 2. Given two polynomials A, B R[X], the resultant of A and B, denoted by Res(A, B), is defined as Res(A, B) = (a m ) n (b n ) m (α i β j ) (5) 1 i m,1 j n if A (X) = a m 1 i m(x α i ) and B(X) = b n 1 j n(x β j ) are the decompositions of A and B in the algebraic closure of K. From this definition, we see that Res(A, B) = 0 if and only if polynomials A and B have a common root (in K); hence if and only if A and B have a (non-trivial) common factor. Equivalently, we have Res(A, B) = (a m ) n B(α i ) = (b n ) m A (β j ). 1 i m 1 j n The resultant Res(A, B) can be evaluated without knowing the decomposition of A and B. Letting A (X) = 1 i m a i X i and B(X) = 1 j n b j X j, we have a m a m 1... a Res(A, B) = det This clearly shows that Res(A, B) R. 0 a m a m 1... a a m a m 1... a 0 b n b n 1... b n rows 0 b n b n 1... b m rows b n b n 1... b 0 A multivariate polynomial A R[X 1,..., X k ] (with k 2) may be viewed as a univariate polynomial in R[X 1,..., X k 1 ][X k ]. Consequently, it makes sense.

11 to compute the resultant of two multivariate polynomials with respect to one variable, say X k. If A, B R[X 1,..., X k ], we let Res Xk (A, B) denote the resultant of A and B with respect to X k. Lemma 1. Let A, B R[X 1,..., X k ] (with k 2). Then (α 1,..., α k ) is a common root (in K) of A and B if and only if (α 1,..., α k 1 ) is a root of Res Xk (A, B). B Additional Examples B.1 The case p = 3 and q = 2 Using the previous notations and simplifications, we write P(X) = u 3 X 3 + u 2 X 2 + u 1 X + u 0 and Q(Y) = Y 2 + k 1 Y. Expressing the c i s we get: c 0 = k 1 u 0 + u 2 0, c 1 = k 1 u 1 + 2u 0 u 1, c 2 = u k 1u 2 + 2u 0 u 2, c 3 = 2u 1 u 2 + k 1 u 3 + 2u 0 u 3, c 4 = u u 1u 3, c 5 = 2u 2 u 3, c 6 = u 2 3. Now using the criterion of 3.3, we find u 2 = c 5 2c 6 u 3, u 1 = Vu 3, and u 0 = k Lu 3 with V := 4c 4c 6 c 2 5 8c 2 6 and L := 8c 3c 2 6 c 5(4c 4 c 6 c 2 5 ). Hence, we derive: 16c 3 6 c 2 = c 6 V 2 + c 5 L, c 1 = 2c 6 LV, and c 0 = k L2 c 6. Being reducible, this proves that solving the PCP for p = 3 and q = 2 amounts to computing square roots in Z/nZ. B.2 The case p = 3 and q = 3 We have P(X) = u 3 X 3 + u 2 X 2 + u 1 X + u 0 and Q(X) = X 3 + k 2 X 2 + k 1 X. Defining polynomials P i as in Eq. (3), we successively compute R 0 := Res U0 (P 0, P 1 ), R 1 := Res U1 (R 0, P 7 ), and R 2 = Res U2 (R 1, P 8 ) wherefrom R 2 (u 3 ) = 19683c 3 1 u ( 6561c2 1 c 7k c2 1 c 7k 1 )u (2187c 2 1 c2 8 k c2 1 c2 8 k 1)u (2916c 0 c 3 7 k c3 7 k2 1 k c 0c 3 7 k 2k c 3 7 k3 1 = c 3 7 c2 0 )u ( 2916c 0 c 2 7 c2 8 k c2 8 c2 7 k2 2 k c2 8 c2 7 c 0k 2 k c 2 8 c2 7 k c 2 8 c2 7 c2 0 )u9 3 + (972c 4 8 c 7c 0 k c4 8 c 7k 2 1 k c4 8 c 7c 0 k 1 k 2 972c 4 8 c 7k c 4 8 c 7c 2 0 )u6 3 + ( 108c 6 8 c 0k c6 8 k2 1 k c6 8 c 0k 1 k c 6 8 k c6 8 c2 0 )u3 3

12 So, we obtain the value of u 3 by exploiting the additional relation c 9 = u 3 3 and hence the values of u 2, u 1, and u 0. Note that if we choose k 1 = k 2 /3 then the terms in u16 (= c u 3) and in u 13 3 (= c 4 9 u 3) disappear and consequently the value of u 3 cannot be recovered. In this case, the criterion shows again that the problem is equivalent to that of computing cubic roots in Z/nZ.