A STUDY OF SOME METHODS FOR FINDING SMALL ZEROS OF POLYNOMIAL CONGRUENCES APPLIED TO RSA

Transcription

1 Jounal of Mathematcal Scences: Advances and Applcatons Volume 38, 06, Pages -48 Avalable at DOI: A STUDY OF SOME METHODS FOR FINDING SMALL ZEROS OF POLYNOMIAL CONGRUENCES APPLIED TO RSA Depatment of Mathematcs Faculty of Scence Jazan Unvesty P. O. Box 77, Jazan Postal Code: 454 Saud Aaba e-mal: aalhakam@jazanu.edu.sa Depatment of Compute Scence Infomaton Secuty Faculty of Scence and Engneeng Queensland Unvesty of Technology Gadens Pont GP, P Block Level 880 Austala Abstact In ths pape, we shall follow Håstad [8], Coppesmth [6, 7], and othes to descbe methods fo fndng small zeos of polynomal conguences. As an applcaton, we study the secuty of publc key cyptosystems. In patcula, we study the RSA publc key cyptosystem by makng use of these methods. 00 Mathematcs Subject Classfcaton: C08, D79. Keywods and phases: small solutons, small zeos, polynomal, conguences, applcatons of lattces, RSA. Receved Febuay 4, Scentfc Advances Publshes

2 . Intoducton and Notatons The pupose of the pesent note s to gve a method fo fndng small oots to polynomal conguence n one o two vaables. We shall follow technque of Coppesmth [6, 7] as a statng pont fo many of ou esult. We wll ntoduce the geneal Coppesmth appoach and povde a few smple examples. We use a smplfed veson due to Howgave- Gaham [30, 3, 3]. In ou wok, we shall use standad noton and wte Z to denote the ng of nteges, Q fo the feld of atonals, and R fo the feld of eal numbes. n n n We denote by Z (esp., Q and R ) the vecto space wth elements that ae n-tuples of elements of Z (esp., Q and R ). We endow these vecto spaces wth the Eucldean nom: f a R, then a = a. We also wok wth the ngs of unvaed polynomals [ x], Q[ x], [ x], n Z and R as well as multvaate polynomals n [ x, y], Q[ x, y], R [ x, y]. Z and Gven a polynomal g( x) = a x, we defne the nom of g ( x ) by g ( x ) =. Gven nonnegatve X R, we defne the weghted nom a of g ( x) by g( xx ) = ( a X ). Smlaly, gven a polynomal j,, j, j b,., j j Gven nonnegatve, Y R, h( x y) = b x y, we defne the nom of h ( x, y ) by g ( x, y ) = h ( x, y) by h( xx, yy ) = ( a X ). X we defne the weghted nom of A unvaate polynomal s sad to be monc when the coeffcent of the leadng tem s equal to. Of pmay mpotance n ths wok s the noton of a lattce (concept fom the geomety of numbes), defned n the next secton.

3 Let A STUDY OF SOME METHODS FOR FINDING 3 u,, u, uw be lnealy ndependent vectos n an nomal n-dmensonal vecto space. The lattce L spanned by ( u, u ) s the, set of all ntege lnea combnatons of u,, u. We call w the w dmenson o ank of the lattce L, and that the lattce s full ank when w = n. We altenatvely say that L s geneated by ( u, u ) and that ( u, u ) foms a bass of L.,, We wok mostly wth lattce n two vecto spaces: the set endowed wth the Eucldean nom; and, the set of polynomals n R [ x] of degee at most n, endowed wth the nom gven by a x = n a. = 0 n = 0 Thee s a natual somophsm between these two vecto spaces gven by dentfyng a polynomal wth ts coeffcents vecto, and thoughout ths wok swtch feely between epesentatons as convenent. We denote by ( u,, u w ) the vectos obtaned by applyng the Gam-Schmdt othogonalzaton pocess to the vectos u,, u. We w = w = defne the detemnant of the lattce L as det( L ) : u. Fo n example, f full ank lattce wth bass n R, then the detemnant of L s equal to the detemnant of the w w matx whose ows ae the bass vectos u,, u. w We note that evey nontval lattce n R has nfntely many bases. Ths gves se to the noton of the qualty of a bass fo a lattce. The noton of qualty appled to a lattce depends on the applcaton, but usually ncludes some measue of the lengths o othogonalty of the vectos n a bass. n R

4 4 The goal of lattce educton s to fnd good lattce bases. The theoy of lattce educton goes back to the wok of Lagange [36]; Gauss [4]; Hemte [9]; and Kokne and Zolotaeff [35], who wee nteested n the educton of quadatc foms. Lattce theoy was gven ts geometc foundaton n Mnkowsk s famous wok Geomete de Zahlen (The Geomety of Numbes) [40] n the late nneteenth centuy. Mnkowsk (see Nven et al. [43]), poved that thee s always a bass u,, u w fo a lattce L satsfyng u γw det ( L) fo some γ w that depend only on w (and not on the entes of u ). Howeve, hs poof s nonconstuctve, and t would be almost a centuy befoe the fst polynomal-tme algothm to compute educed bases of lattces of abtay dmenson was dscoveed. Ths s the celebated Lensta- Lensta-lovaász lattce bass educton algothm. Ths algothm s of pmay mpotance to the esults n ths wok, and s summazed n Lemma... Lattces and t Repesentatons In ode to dscuss the unnng tmes of algothms opeatng on lattces, we must descbe the epesentaton of lattces gven as nput to these algothms. Suppose u,, uw ae vectos n Z. The unnng tme of an algothm wth nput ( u,, ) s paametezed by w, n, and by the lagest element of the u, defned by u lagest : = max uj. Fo n lattces n Q, the stuaton s slghtly moe complex. Suppose we ae gven the vectos that n u,, uw n. n Du,, Duw ae all n. u : = max( Du ). n lagest, j j u w n, j Q Thee s some least ntege D such Z Then we defne the lagest element by n We note that all lattces n R used n ths wok ae n fact lattces n Q snce they ae epesented usng atonal appoxmatons.

5 A STUDY OF SOME METHODS FOR FINDING 5 Lemma. (The LLL algothm). Let L be a lattce spanned by ( u,, u ). The LLL algothm, gven ( u,, u ), poduces a new w bass ( b,, ) of L satsfyng: b w w () b + b fo all w. j= () Fo all, f b = b + µ jbj, then µ j fo all j. The algothm pefoms O( w 4 l ) athmetc opeatons, whee l = log u la gest. We note that an LLL-educed bass satsfes some stonge popetes, but those ae not elevant to ou dscusson. We denote by T LLL ( w, n) the unnng tme of the LLL algothm on a bass ( u,, u w ) satsfyng log u lagest n. When ( b,, b w ) s the output of the LLL algothm on a bass fo a lattce L, we say that t s an LLL-educed bass. We wll make heavy use of the followng fundamental fact about the fst vecto n an LLL-educed bass. Lemma.. Let L be a lattce and bass of L. Then b,, bw be an LLL-educed = b w b ( w) / 4 det( L). Poof. Snce b the bound mmedately follows fom: ( ) w w det( ) = w L b b 4. In sequence sectons, we may also need to bound the length of the second vecto n an LLL-bass. Ths s povded n the followng lemma:

6 6 Lemma.3. Let L be a lattce and bass of L. Then b,, bw be an LLL-educed b w 4 det( L) b w. Poof. Obseve gvng us w ( w)( w), det( L ) = b b b 4 b Then the bound follows fom w 4 det( L) b w. b b + b ( + ) b b. 3. Fndng Small Zeos to Unvaate Polynomal Conguences Much of the wok descbed n ths wok was nsped by the semnal wok of Coppesmth fo fndng small solutons to polynomal conguences [6]. We use ths vey effectve technque as a statng pont fo many of ou esults. In subsequent sectons, we wll apply and extend ths technque to solve a numbe of cyptanalytc poblems, and dscuss subtletes n ts mplementaton and use. In ths secton, we wll ntoduce the geneal Coppesmth appoach and povde a few smple examples. We use a smplfed veson due to Howgave-Gaham [30, 3, 3]. Suppose we ae gvng a polynomal f ( x) and a eal numbe M, and we wsh to fnd a value x Z fo whch f ( x 0 ) 0( mod M ). The man 0 tool we use s stated n the followng smple fact. Ths has been attbuted

7 A STUDY OF SOME METHODS FOR FINDING 7 to many authos. Its fst use we ae awae of s n the wok of Håstad [8]; t was late used was used mplctly by Coppesmth [5, 6], and stated n nealy the followng fom by Howgave-Gaham [3]. Recall that f h( x) = a x, then h ( xx ) = ( X a ). Theoem 3.. Let h ( x) R be a polynomal of degee w, and let X R be gven. Suppose thee s some x 0 < X such that () h ( x ), and fo all w. 0 Z () h ( xx ) <. w Then h ( x 0 ) = 0. Poof. Obseve x0 x0 h( x0 ) = ax0 = ax ( ) ax ( ) ax X X w h( xx ) <, but snce h ( ) Z we must have h ( x 0 ) = 0. x 0 Theoem 3. suggest we should look fo a polynomal h ( x) of small weghted nom satsfyng h ( x ). To do ths, we wll buld a lattce of 0 Z polynomal elated to f and use LLL to look fo shot vectos n that lattce. f Ou fst obsevaton s that ( x0 ) Z M Defne because f ( x 0 ) 0( mod M ). ( x) : x ( g, k = f ( x) ) k. M f ( x0 ) Obseve that ( ) ( ) k g, k x0 = x0 fo all, k 0. Futhemoe, ths s M tue fo all ntege lnea combnatons of the g, k ( x). The dea behnd

8 8 the Coppesmth technque s to buld a lattce L fom g, k ( xx ) and use LLL to fnd a shot vecto n ths lattce. The fst vecto b etuned by the LLL algothm wll be a low-nom polynomal h ( xx ) also satsfyng h ( x ). If ts nom s small enough, Theoem 3. would mply 0 Z h ( x 0 ) = 0. Tadtonal oot-fndng methods [45] such as Newton- Raphson would then fnd x 0. To use Theoem 3. we must have h ( xx ) <. Fotunately, Lemma. allows us to compute a good bound on the nom of the fst vecto n an LLL-educed bass. We see w( w) w det( L) < 4 w h( xx ) <. w (3.) ( ) Usually, the eo tem of w w 4 w det ( L) and ths condton s smplfed as w s nsgnfcant compaed to det( L ) h( xx ) <. (3.) w The detemnant of L depends on the choce of polynomals ( xx ) g, k defnng the lattce. In geneal, t s a dffcult poblem to compute the detemnant of a lattce when the bass has symbolc entes. Howeve, a caeful choce of bass polynomals g, k ( xx ) may lead to a lattce wth a detemnant that can be easly computed. Ideally, we wll be able to choose a bass so that the matx whose ows ae the coeffcents vectos of g, k ( xx ) s full-ank and dagonal, wth an explct fomula fo the entes on the dagonal. We llustate ths technque wth a few examples. Example 3.. A numecal example. Suppose we wsh to fnd a oot x 0 of the polynomal x 849x ( mod 000) (3.3)

9 A STUDY OF SOME METHODS FOR FINDING 9 satsfyng x 7. Defne 0 x 849x f ( x) : =. 000 We buld a lattce wth polynomal {, 7x, f ( 7x), 7xf ( 7), f ( 7x)}. Wtng ths as a matx gves us The detemnant of ths lattce s just the poduct of the entes on the dagonal det ( L ) = Recall we equed det ( L ) < γ, whee γ = 5( 5) Hence, condton (3.) s satsfed. We fnd that the LLL algothm etuns the polynomal x x x 6574x h ( 7x) =. 000 Ths leads to 4 3 5x 53x + 689x 544x h ( x) =. 000 The oots of h ( x) ove the eals ae { 6, }. We fnd the only ntege soluton x 0 to Equaton (3.3) satsfyng x 0 7 s x 0 = 6.

10 0 Example 3.. Håstad s ognal esult. Suppose we ae gven a monc polynomal f ( x) of degee d wth ntege coeffcents, along wth nteges X and M. We wsh to fnd an ntege x 0 such that x 0 < X and f ( x 0 ) 0 ( mod M ). An ealy attempt to solve ths poblem was gven by Håstad [8]. We take as a bass fo ou lattce L the polynomals d {, Xx, ( Xx),, ( Xx), f ( Xx) }. M Fo nstance, when d = 6 ths esults n a lattce spanned by the ows of the matx n Fgue 3.. Xx ( Xx) ( Xx) ( Xx) ( Xx) f ( Xx) / M : : : : : : : X X X 3 X 4 X 5 X 6 M. Coppesmth s lattce fo fndng small solutons to a polynomal conguence. The symbols denote nonzeo off-dagonal entes whose values do not affect the detemnant. Fgue 3.. Example Håstad lattce. The dmenson of ths lattce s w = d + and ts detemnant s w( w) det ( L) = X M.

11 A STUDY OF SOME METHODS FOR FINDING w( w) w To satsfy condton (3.), we eque det ( L) < 4 w. Ths leads to X d( d + < γa M ), (3.4) whee γ a < fo all d. Hence, when X satsfes bound (3.4), the LLL algothm wll fnd a shot vecto h ( xx ) satsfyng h ( x 0 ) = 0 and h ( xx ) <. Standad oot-fndng technques wll ecove x 0 fom h. d The unnng tme of ths method s domnated by the tme to un LLL on a lattce of dmenson d + wth entes of sze at most O ( log M ). Example 3.3. Coppesmth s genec esult. The fst majo mpovement ove Håstad s esult came fom Coppesmth [6]. Coppesmth suggested ncludng powes and shfts of the ognal polynomal n the lattce; as we shall see, ths s the eason fo mpoved esults. We use a pesentaton by Howgave-Gaham [3]. Agan, suppose we ae gven a monc polynomal f ( x) of degee d wth ntege coeffcents, along wth nteges X and M. We wsh to fnd an ntege x 0 such that x 0 < X and f ( x 0 ) 0 ( mod M ). Let m > be an ntege to be detemned late. Defne g, k ( x) : = k f ( x) x. M We use as a bass fo ou lattce L the polynomals g, k ( xx ) fo = 0,, d and k = 0,, m. Fo nstance, when d = 3 and m = 3 ths esult n the lattce spanned by the ows of the matx n Fgue 3..

12 g0,0 g,0 g,0 g0, g, g, g0, g, g, ( xx ): ( xx ): ( xx ): ( xx ): ( xx ): ( xx ): ( ) xx : ( xx ): ( xx ): X X 3 X M 4 X M 5 X M 6 X M 7 X M. 8 X M Coppesmth s lattce fo fndng small solutons to a polynomal conguence. The symbols denote nonzeo off-dagonal entes whose values do not affect the detemnant. Fgue 3.. Example Coppesmth lattce. The dmenson of ths lattce s det ( L ) = X M w( w) w w = md and ts detemnant s w( w) w( m). We eque det ( L) < 4 w ; ths leads to X m < M w w w, whch can smplfed to ε X < γ M d w, whee ε we have d = and d( w ) γ w < fo all w. As we take m w and theefoe ε 0. In patcula, f we wsh to solve fo up to ε0 < M d X fo abtay ε 0, t s suffcent to take k m = O, d whee k = mn{, log M }. ε 0

13 A STUDY OF SOME METHODS FOR FINDING 3 We summaze ths n the followng theoem: Theoem 3. (Unvaate Coppesmth). Let a monc polynomal f ( x) of degee d wth ntege coeffcents and ntege X, M be gven. ε Suppose X < M d fo some ε > 0. Thee s an algothm to fnd all x 0 Z satsfyng x 0 < X and f ( x 0 ) 0 ( mod M ). Ths algothm uns n tme O ( T LLL ( md, m log M )), whee k m = O fo k = mn{, d ε log M }. We note that the genec esult s n some sense blnd to the actual polynomal beng used (t takes nto account only the degee, but not the coeffcents), and that thee may be a moe optmal choce of polynomals g, k to nclude n the lattce to solve a patcula poblem. By takng nto account an optmzed set of polynomals, one can mpove ove ths genec (see, fo example, [5, 37, 34]). 4. Fndng Small Zeos to Bvaate Polynomal Conguences In ths secton, we genealze the esults of the pevous secton to fndng solutons of bvaate polynomal conguences. We note that ths s a dffeent applcaton of these technques than the soluton of bvaate polynomal equatons (ove the nteges) [6]. We note that, n contast to the pevous appoach, the method hee s only a heustc. In ode to analyze bvaate polynomal conguences we must ntoduce a few obsevatons. The fst s that thee s a smple genealzaton of Theoem 3. to multvaate polynomals. Theoem 4.. Let h ( x, y) R[ x, y] be a polynomal of whch s a sum of at most w monomals, and let X, Y R be gven. Suppose that () h ( x 0, y 0 ) Z fo some x 0 < X and y 0 < Y ; () h ( xx, yy ) <. w

14 4 Then h ( x y ) 0. 0, 0 = Suppose we ae gven a polynomal f ( x, y) and a eal numbe M, and we wsh to fnd a pa ( x 0, y 0 ) Z Z fo whch f( x0, y0 ) 0( mod M ). The dea s a staghtfowad genealzaton of the appoach n Secton 3. We defne g, j, k ( x, y) : = k f ( x, y) x y, M and obseve g, j, k ( x0, y0 ) Z fo all, j, k 0. We buld a lattce fom g, j, k ( xx, yy ) by selectng cetan ndces (, j, k) so that the detemnant of the esultng lattce s small enough, and compute an LLL-educed bass fo ths lattce. Lemma. bounds the nom of the fst vecto h ( xx, yy ) of ths LLL-educed bass, allowng us to use Theoem 4. to show that h ( x0, y0 ) = 0. Howeve, a sngle bvaate equaton may be nsuffcent to ecove the desed oot. To obtan anothe elaton, we use the second vecto h ( xx, yy ) of the LLL-educed bass. Lemma.3 tells us w det( ) (, ) 4 L w h xx yy. h ( xx, yy ) (4.) So we must also povde a lowe bound on the nom of h. Suppose the ndces of the g ae chosen so that k m fo some, j, k m. Then all coeffcents of g,, k ( xx yy ) ae ntege multples of. j, M m Thus, snce h ( xx, yy ) 0, we know t has at least one coeffcent m geate than o equal to M n absolute value. So h ( xx, yy ) M. Equaton (4.) becomes w (, ) 4 m h xx yy ( M det ( L)) w. m

15 Ths gves us A STUDY OF SOME METHODS FOR FINDING 5 w( w) ( w) m det ( L) < M 4 w h ( xx, yy ) <. w (4.) In patcula, ths condton s usually smplfed as m det ( L) M h ( xx, yy ) <. (4.3) w Hence, we obtan anothe polynomal h ( x, y) [ x, y] R such that h ( x0, y0 ) = 0. It follows that h ( x, y) and h ( x, y) ae lnealy ndependent. If we make the assumpton that h ( x, y) and h ( x, y) ae also algebacally ndependent, we can solve fo y 0 by computng the esultant h( y) = Resx ( h, h ). Then y 0 must be a oot of h ( y), and these oots ae easly detemned. Fom ths, we may fnd x 0 as a oot of h ( x )., y0 It s not clea why lnea ndependence of h and h should mply algebac ndependence, and n fact t s easy to constuct (atfcal) examples whee ths s not the case, fo nstance, the polynomal x y 0 ( mod M ) has too many solutons (even n Z ) thus the method must fal at ths step (snce all othe steps ae povable). So at the moment ths step of the method s only a heustc. Howeve, gowng expemental evdence [33, 3, 9, ] shows that t s a vey good heustc fo polynomals of nteest n cyptology. Example 4.. Genec esult. Suppose we ae gven a polynomal f ( x, y) of total degee d wth at a least one monc monomal x a y d of maxmum total degee. Also suppose nteges X, Y, and M ae gven. We wsh to fnd an ntege pa ( x 0, y 0 ) such that x 0 < X, y0 < Y, and f ( x0, y0 ) 0 ( mod M ).

16 6 We wll follow an appoach suggested by Coppesmth [6], woked out n detal by Jutla [33]. Let m > be an ntege to be detemned late. Defne g, j, k ( x, y) : = k f ( x) x y. M We use as a bass fo ou lattce L the polynomals g, j, k ( xx, yy ), whee the ndces (, j, k) come fom the followng set: 3 S : = {(, j, k) Z + j + kd md and, j, k 0 and ( < a o j < d a) }. Denote by S the set of polynomals g,, k ( xx yy ) such that (, j, k ) S. m j, Evey g Sm has total degee less than md. Indeed, the set S m s n α β one-to-one coespondence wth the set of monomals { x y α+β md} + ka j+ k da gven by g (, ) ( ), j, k xx yy x y. We may wte these polynomals as the ows of a matx n a way that puts the coeffcent of the coespondng monomal on the dagonal. The esultng matx s lowe dagonal, and the contbuton of g, j, k ( xx, yy ) Sm to the k + ka j+ k dagonal s ( da M X Y ). A staghtfowad but tedous calculaton shows that the esultng lattce has detemnant md mdα m d det ( ) ( ) (( ) 3 ) α β m k m k d+ L =. X Y M M α= 0 β= 0 k = 0 Fo smplcty we cay out the computaton usng low-ode tems. We fnd 3 d 3 3 d 3 3 det m + o m m + o m ( L) = ( XY ) 6 M 6 ( ) ( ). m To use condton (4.3), we eque det ( L) M. Ths leads to XY ε < d ( ) M,

17 A STUDY OF SOME METHODS FOR FINDING 7 whee ε 0 as m. (We note that to use the moe pecse condton m w (4.) eques det ( L) < γm M, whee γ w m = fo w = O ( m ). 4 4 O( m d ) So log M γm =, mplyng the method wll not wok f m s too log M lage and M s too small. In most applcatons, howeve, we fnd log M γ m 0 and ths tem may be safely-gnoed.) We note that the shape o coeffcents of a patcula polynomal may allow fo a bette selecton of bass polynomals g, j, k. Fo nstance, when f ( x, y) has degee d n each vaable sepaately and s monc n the monomal x d y d, a dffeent choce of bass leads to the mpoved 3 bound XY < N d. w d 5. Publc Key Cyptogaphy In ths secton, we pesent the noton of a publc key cyptosystem, and n patcula, the RSA publc key cyptosystem. Thee ae many good fomal defntons fo publc key cyptosystems [5,, 39, 49], and we do not ty to cove all of them hee. Instead we ty to develop the ntuton that wll be useful late. A publc key (o asymmetc) cyptosystem s a method fo secung communcaton between pates who have neve met befoe. Moe pecsely, a publc key cyptosystem s descbed by the followng: a set M of plantexts (o messages), and a set C of cphetexts; a set K p of publc keys, and a set K s of secet keys; a key geneaton algothm key-gen: Z K p K s ; an encypton algothm K p K C; and, a decypton algothm D : K C M. s

18 8 The key geneaton, encypton, and decypton algothms can be andomzed and should un n expected tme polynomal n the length of the nputs. Fo all K, K output by key-gen and all messages p M M we must have that D( K, E( K, M )) M. s s p = The nput to the key geneaton algothm s called the secuty paamete. The hope s that as the secuty paamete nceases, the esouces equed to beak the cyptosystem usng the esultng keys should ncease moe apdly than the esouces equed to use t. Ideally, the unnng tme of a beak should be a (sub-) exponental functon of n, whle the unnng tme of key-gen, E, and D should be some (small) polynomal n n. Suppose Al s a use of a publc key cyptosystem. To ntalze she chooses a secuty paamete n and computes K, K : key-gen( n). p s = When anothe use Mohd wshes to send a message to Al secuely, he obtans Al s publc key K p and computes the cphetext C : = E( K p, M ). He sends cphetext C s sent to Al, who upon obtanng t computes the ognal message M = D( Ks, C ). The secuty equements of a cyptosystem can be defned n many ways. In geneal, when defnng a secuty goal t s mpotant to state what esouces ae avalable to an attacke and what success ctea the attacke must fulfll. A vey basc equement s that t should not be possble to deve the secet key fom the publc key effcently; ndeed, t s consdeed the most devastatng cyptanalytc beak to compute fom K p n (say) tme polynomal n the secuty paamete. We wll see examples of ths n next sectons. We mght consde secuty aganst patal key exposue, whee nfomaton about K s (say pehaps a subset of bts of K ) allows an attacke to compute all of K. Thee ae many s ssues that ase n detemnng good notons of secuty, and we do not ty to addess them all hee. Thee ae many good suveys on the subject [39, ]. s K s

19 A STUDY OF SOME METHODS FOR FINDING 9 Snce the publcaton of New Dectons, thee have been countlessly many poposals fo publc key cyptosystems. Ou pmay focus n ths wok, howeve, wll be on the RSA publc key cyptosystem and smple vaants [46, 5, 50]. Now we pesent the basc RSA scheme n the next secton. 6. The RSA Publc Key Cyptosystem In ths secton, we outlne the basc RSA publc key cyptosystem [46]. Let n be a secuty paamete. The key geneaton algothm fo RSA computes pmes p and q appoxmately n / bts n length, so that N : = pq s an ntege n bts n length. Moe pecsely, p and q ae andom pmes subject to the constant that N = pq s an n-bt numbe and N < q < p < N. We denote the set of all such N as Z ( ). Typcally n = 04, so that N s 04 bts n length; p and q ae pmes typcally chosen to be appoxmately 5 bts each. The key geneaton algothm selects nteges e and d such that ed mod φ( N ), whee φ( N ) = N p q + (also called the Eule totent functon). We call e the publc exponent and d the secet exponent. The value N s called the publc modulus. An RSA publc key s the pa of nteges N, e. The coespondng secet key s the pa N, d. Thus K p = Ks = Z ( ) Z. How e and d ae chosen depends on the applcaton. Typcally, e s chosen to satsfy cetan constants (say e s small, lke e = 3 ), then d s pcked fom {,, φ( N )} to satsfy ed mod φ( N ). Howeve, ths pocess may be done n evese, and n many applcatons d s chosen fst (say to make d shot, as n Subsecton 7.4).

20 0 Messages and cphetexts ae epesented as elements of M = C = ZN. Suppose Mohd wshes to send a message N M Z to Al. He obtans Al s publc key N, e and computes C = e M mod N whch he sends to Al. Upon ecevng C, Al may compute d C ed M M ( mod N ), whee the last equvalence follows fom Eule s theoem. Fo dgtal sgnng, the oles of these opeatons ae evesed. If Al ntends to sgn the message M she computes S = d M mod N and sends? e M, S to Mohd. Mohd checks M S mod N. Ths pesentaton smplfes RSA encypton and sgnng; n pactce, andomzed paddng of the messages [, 5] s equed befoe exponentaton to pevent seveal secuty flaws [, 0, 9]. We wll not go nto the detals hee, snce all attacks n subsequent sectons succeed egadless of the paddng scheme that s beng used. 7. Pevous Attacks on RSA In ths secton, we summaze seveal pevously-known attacks on the RSA publc key cyptosystem elevant to ths wok. We follow the pesentaton of the ecent suvey of attacks on RSA [6] and efe to t fo a compehensve lstng of attacks on RSA. 7.. Factong The most staghtfowad attack on RSA s factozaton of the modulus N = pq. Once a facto p s dscoveed, the facto q = N / p may be computed, so φ( N ) = N p q + s evealed. Ths s enough to compute d e mod φ( N ).

21 A STUDY OF SOME METHODS FOR FINDING The cuent fastest method fo factong s the geneal numbe feld / 3 / 3 seve [6]. It has a unnng tme of exp( ( c + O( ) ) ( log N ) ( log log N ) ) fo some < c <. The sze of N s chosen to fol ths attack. The lagest ntege that has been successfully factoed usng ths method was the 5-bt RSA challenge modulus RSA-55, factoed n 999 usng a massve dstbuted mplementaton of GNFS on the Intenet [4]. Even though the speed of compute hadwae contnues to acceleate, t seems unlkely that the best factong algothms wll be able to facto say 04- bt RSA modul n the next twenty yeas. 7.. Håstad s attack on boadcasted messages In ode to speed up RSA encypton (and sgnatue vefcaton), t s useful to use small value fo the publc exponent e, say e = 3. Howeve, ths opens up RSA to the followng attack, dscoveed by Håstad [8]. Let us stat wth a smple veson. Suppose Mohd wshes to send the same message M to k ecpents, all of whom ae usng publc exponent equal to 3. He obtans the publc keys N e fo =,, k, whee 3 e = 3 fo all. Navely, Mohd computes the cphetext C = M mod N fo all and sends C to the -th ecpent. A smple agument shows that as soon as k 3, the message M s no longe secue. Suppose Eman ntecepts C, and C, whee,, C 3 C = M mod N. We may assume gcd ( N, N j ) = fo all j, (othewse, t s possble to compute a facto of one of the N s ). By the Chnese Remande Theoem, she may compute C Z N, N N such 3, that C C mod N. Then C M mod NNN3; howeve, snce M < fo all, we have M < N N N. Thus N C = M holds ove the nteges, and Eman can compute the cube oot of C to obtan M. 3

22 Håstad poves a much stonge esult. To undestand t, consde the followng nave defense aganst the above attack. Suppose Mohd apples a pad to the message M po to encyptng t so that the ecpents eceve slghtly dffeent messages. Fo nstance, f M s m bts long, m + Mohd mght encypt M and send ths to the -th ecpent. Håstad poved that ths lnea paddng scheme s not secue. In fact, he showed that any fxed polynomal appled to the message wll esult n an nsecue scheme. Theoem 7. (Håstad). Suppose nteges and set mn mn ( N ). N = Let g ( x) [ x] N,, Nk ae elatvely pme be k polynomals Z N of maxmum degee d. Suppose thee exsts a unque satsfyng M < Nmn g ( M ) = 0 ( mod N ) fo all { 0,, k}. Futhemoe suppose k > d. Thee s an effcent algothm whch, gven N, g( x) fo all, computes M. Poof. Snce the N ae elatvely pme, we may use the Chnese Remande Theoem to compute coeffcents T satsfyng T ( mod N ) and T 0 ( mod ) fo all j. Settng g( x) : = T g ( x) N j we see g( M ) = ( mod N ). Snce the T ae nonzeo we have that 0 g ( x) s not dentcally zeo. If the leadng coeffcent of g ( x) s not one, then we may multply by ts nvese to obtan a monc polynomal g ( x). The degee of g ( x) s at most d. By Coppesmth s theoem (Theoem 3.), we may compute all ntege oots x 0 satsfyng g ( x 0 ) 0 N / d mod and x0 < ( N ). But we know M < Nmn < ( / k / d N N ) < ( ), so M s such a oot.

23 A STUDY OF SOME METHODS FOR FINDING 3 Ths can be appled to the poblem of boadcast RSA as follows. Suppose the -th plantext s padded wth a polynomal f ( x), so that e e C satsfy the above elaton. The attack succeeds once k > max ( e deg f ). ( f ( M )) ( mod N ). Then the polynomals g ( x) : = ( f ( x) ) C We note that Håstad s ognal esult was sgnfcantly weake, equng k = O( d ) messages, whee d = max ( e deg f ). Ths s because the ognal esult used the Håstad method fo solvng polynomal conguences (see Example 3.) nstead of the full Coppesmth method. Ths attack suggests that andomzed paddng should be used n RSA encypton Coppesmth attack on shot andom pads Lke the pevous attack, ths attack explots a weakness of RSA wth publc exponent e = 3. Coppesmth showed that f andomzed paddng s used mpopely then RSA encypton s not secue [6]. Coppesmth addessed the followng queston: f andomzed paddng s used wth RSA, how many bts of andomness ae needed? To motvate ths queston, consde the followng attack. Suppose Mohd sends a message M to Al usng a small andom pad befoe encyptng. Eman obtans ths and dsupts the tansmsson, pomptng Mohd to esend the message wth a new andom pad. The followng attack shows that even though Eman does not know the andom pads beng used, she can stll ecove the message M f the andom pads ae too shot. Fo smplcty, we wll assume the paddng s placed n the least m e sgnfcant bts, so that C = ( M + ) ( mod N ) fo some small m and andom < m. Eman now knows C e e N m m = ( M + ) ( mod N ) and C = ( M + ) ( mod ),

24 4 fo some unknown M, and. Defne e, C e f ( x y) : = x C and g( x, y) : = ( x + y). m We see that when x = M +, both of these polynomals have y = as a oot mod N. We may compute the esultant h( y) := Resx ( f, g) whch wll be of degee at most e. Then y = s a oot of h ( y) mod N. / / e e If < ( / ) N fo =,, then we have that < N. By Coppesmth s theoem (Theoem 3.), we may compute all of the oots h ( y), whch wll nclude. Once s dscoveed, we may use a esult of Fankln and Rete [8] to extact M (see [6] fo detals) Wene's attack on shot secet exponent To speed up RSA decypton and sgnng, t s temptng to use a small secet exponent d athe a andom d φ( N ). Snce modula exponentaton takes tme lnea n log d, usng a d that s substantally shote than N can mpove pefomance by a facto of 0 o moe. Fo nstance, f N s 04 bts n length and d s 80 bts long, ths esults n a facto of mpovement whle keepng d lage enough to esst exhaustve seach. Unfotunately, a classc attack by Wene [53] shows that a suffcently shot d leads to an effcent attack on the system. Hs method uses appoxmatons of contnued factons. Ths attack s stated n the followng theoem: Theoem 7. (Wene). Suppose N N = pq and < q < p < N. / 4 Futhemoe suppose d < N. Thee s an algothm whch, gven N 3 and e, geneates a lst of length log N of canddates fo d, one of whch wll equal d. Ths algothm uns n tme lnea n log N.

25 A STUDY OF SOME METHODS FOR FINDING 5 Poof. Snce ed ( mod φ( N )), thee s some k such that ed k φ( N ) =. We may wte ths as Hence e φ( N ) e k = φ( N ) d dφ( N ). k s an appoxmaton to. d The attacke does not know N φ ( N ), but he does know N. Snce < q < p < N we have p + q e < 3 N, and thus N φ( N ) < 3 N. Now f the attacke uses as an N appoxmaton we fnd e N k d = ed kφ( N ) + kφ( N ) kn Nd = k( N φ( N )) Nd 3k N Nd = 3k d N. Snce e < φ( N ), we know / k < d < N 4. Thus 3 e N k d = / 4 dn <. d Ths s a classc appoxmaton elaton, and thee ae well-known methods [7, Theoem 77] to solve t. Such methods poduce a lst of all nteges pas ( k, ) satsfyng gcd ( k, ) = and d d e N k d <. d Ths lst s of length at most log N. Snce ed k φ( N ) = we know gcd ( k, d) =. Hence, d = d fo some {,, log N}.

26 6 that 8. Cyptanalyss va the Defnng Equaton Snce ed mod φ( N ), ths mples thee exsts an ntege k such ed + k ( N + ( p + q) =. (8.) Ths equaton succnctly summazes the RSA, and we wll efe to t fequently thoughout ths wok. As dscussed eale, a beak of the RSA publc key cyptosystem can be defned n seveal ways. Most obvously, the scheme s boken f an attacke s able to ecove the secet exponent d. Snce factozaton of the modulus N = pq leads to ecovey of the pvate key d, ths s also a total beak. All of the attacks pesented n subsequent sectons ae of ths type, and nvolve ethe a dect computaton of the pvate key d o one of the factos p of the publc modulus N, gven the publc key nfomaton N, e alone. In [4, 7, 8, 0,,, 3], we can see seveal examples whee the value s = p + q s computed fom the publc nfomaton. We note that ths mmedately allows the ecovey of the factozaton of N; ndeed, when s = p + q, then p and q ae the two oots of the equaton x sx + N = 0. We emphasze that ou esults n ths wok come fom the basc RSA equatons; ou attacks do not use plantext/cphetext pas o sgnatues, so they hold egadless of any paddng schemes used. It s an nteestng open queston to detemne f the attacks pesented n ths wok can be mpoved f a patcula paddng s n use, o f the advesay s gven access to known o chosen plantext/cphetext pas o chosen sgnatues.

27 A STUDY OF SOME METHODS FOR FINDING 7 9. The Lattce Factong Method In ecent yeas, nteges of the fom N = p q have found applcatons n cyptogaphy. Fo example, Fujoke et al. [3] use a modulus N = p q n an electonc cash scheme. Okamoto and Uchyama [44] use N = p q fo an elegant publc key system. Recently, Takag [5] obseved that RSA decypton can be pefomed sgnfcantly faste by usng a modulus of the fom N = p q. In all of these applcatons, the factos p and q ae pmes of appoxmately the same sze. The secuty of the system eles on the dffculty of factong N. We show that modul of the fom N = p q should be used wth cae. In patcula, let p and q be nteges (not necessaly pme) of a cetan length, say 5 bts each. We show that factong N = p q becomes ease as gets bgge. Fo example, when s on the ode of log p, ou algothm factos N n polynomal tme. Ths s a new class of nteges that can be factoed effcently. Ths s dscussed n Subsecton.. When N = p q wth on the ode of log p, ou algothm factos N faste than the best pevously-known method- the ellptc cuve method (ECM) [38]. Hence, f p and q ae 5-bt pmes, then N = p q wth 3 can be factoed by ou algothm faste than wth ECM. These esults suggest that nteges of the fom N = p q wth lage ae nappopate fo cyptogaphc puposes. In patcula, Takag s poposal [47] should not be used wth a lage. Hee s a ough dea of how the algothm s effcency depends on the paamete. Suppose p and q ae k -bt nteges and N = p q. When = k, the ou method uns (asymptotcally) n tme T ( k) = ( ) ( ). Hence, when ε =, the ε ε + O log k modulus N s oughly k bts long and the algothm wll facto N n

28 8 polynomal tme n k. When ε =, the algothm asymptotcally outpefoms ECM. The algothm s effcency and ts compason wth pevously-known factong methods s dscussed n Secton 3. We an expements to compae ou method to ECM factong. It s most nteestng to compae the algothms when ε, namely, log p. Unfotunately, snce N = p q apdly becomes too lage to handle, we could only expement wth small values of p. Ou lagest expement nvolves 96-bt pmes p and q and = 9. In ths case, N s 960 bts long. Ou esults suggest that although ou algothm s asymptotcally supeo, fo such small pme factos the ECM method s bette. Ou expemental esults ae descbed n Secton. An addtonal featue of ou algothm s that t s able to make use of patal nfomaton about a facto. Ths s sometmes called factong wth a hnt. In patcula, ou method gves an algothm fo factong N = pq when half of the bts of the facto p ae known. Ths gves an elegant estatement of a theoem ognally due to Coppesmth [6] fo factong wth a hnt usng bvaate polynomal equatons. In the case that =, ou pesentaton also concdes wth an extenson of Coppesmth s theoem developed by Howgave-Gaham [3]. Ou veson has seveal pactcal advantages, and wll be an mpotant tool used n patal key exposue attacks dscussed n the next secton. Ths s dscussed n Subsecton.. 0. Algothm to Facto Integes of the Fom N = p q Ou goal n ths secton s to develop an algothm to facto nteges of the fom N = p q. The man theoem of ths secton s gven below. n Recall that exp ( n) = and logathms should be ntepeted as logathms to the base.

29 A STUDY OF SOME METHODS FOR FINDING 9 e Theoem 0.. Let N = p q whee q < p fo some e. The facto p can be ecoveed fom N,, and c by an algothm wth a unnng tme of exp c + log p O( γ), + c whee γ = T LLL (, ( + c) log N ). The algothm s detemnstc, and uns n polynomal space. Note that s polynomal n log N. It s wothwhle to consde a few examples usng ths theoem. Fo smplcty, we assume c =, so that both p and q ae oughly the same sze. Takng c as any small constant gves smla esults. c + When c we have that = O. + c ease the factong poblem becomes. When algothm s polynomal tme. Hence, the lage s, the = ε log p fo a fxed ε, the When log / p, then the unnng tme s appoxmately / exp( log p ). Thus, the unnng tme s (asymptotcally) slghtly bette than the Ellptc Cuve Method (ECM) [38]. Fo small, the algothm uns n exponental tme. When c s lage (e.g., on the ode of ) the algothm becomes exponental tme. Hence, the algothm s most effectve when p and q ae appoxmately the same sze. All cyptogaphc applcatons of N = p q we ae awae of use p and q of appoxmately the same sze. We pove Theoem 0. by extendng the appoach fo fndng solutons to unvaate conguences developed n Secton 4. The man tool we wll need s the followng slght vaant of Theoem 3.. Lemma 0.. Let h( x) R[ x] be a polynomal of degee w, and let m Z and X R be gven. Suppose thee s some x 0 < X such that m 0 Z () h( x ) q, and

30 30 m () h( xx ) < q / w. Then h ( x 0 ) = 0. Poof. Apply Theoem 3. to the polynomal q m h( x). Note that fo smplcty we assume and c ae gven to the algothm of Theoem 0.. Clealy, ths s not essental snce one can ty all possble values fo and c untl the coect values ae found. 0.. Lattce-based factong We ae gven N = p q. Suppose that n addton, we ae also gven an ntege P that matches p on a few of p s most sgnfcant bts. In the othe wods, P p < X fo some lage X. Fo now, ou objectve s to fnd p gven N,, and P. Ths s clealy equvalent fndng the pont x0 : = P p. Defne the polynomal f ( x) : = ( P + x) N and obseve f ( x 0 ) = / q. Let m > 0 be an ntege to be detemned late. Fo k = 0,, m and any 0 defne / k ( x) : x f ( ). g, k = x Obseve that g, k ( x0 ) = x0q q Z fo all 0 and all k m k = 0,, m. Theoem 3. suggests that we should look fo a low-nom ntege, k q m lnea combnaton of the g of weghted nom less than / w. Let L be the lattce spanned by () g, k ( xx ) fo k = 0,, m and = 0,,, and () g j, m ( xx ) fo j = 0,, w m.

31 A STUDY OF SOME METHODS FOR FINDING 3 The values of m and w wll be detemned late. To use Lemma., we must bound the detemnant of the esultng lattce. Let M be a matx whose ows ae the coeffcents vectos fo the bass of L (see Fgue 0.). Notce that M s a tangula matx, so the detemnant of L s just the poduct of the dagonal entes of M. Ths s gven by m w j m w / m det( ) ( m ) / wm M k + k + = X N X N g X N. k = 0 = 0 j= m Lemma. guaantees that the LLL algothm wll fnd a shot vecto h ( xx ) n L satsfyng w w / 4 w / 4 w / m ( ) det ( ) ( m+ ) / wm h xx L X N. (0.) Futhemoe, snce h ( xx ) s an ntege lnea combnaton of the g, k ( xx ), the coespondng h ( x) as an ntege lnea combnaton of the m g, k ( x). Theefoe h( x0 ) q Z. g0,0 g,0 g0, g, g0, g, g0,3 g,3 g,3 ( xx ) ( xx ) ( xx ) ( xx ) ( xx ) ( xx ) ( ) xx ( xx ) ( xx ) x x x x N 3 x 3 x N 4 x 4 x N 5 x 5 x N 6 x 6 3 x N 7 x 7 3 x N 8 x. 8 3 x N Example LFM lattce fo N = p q when m = 3 and d = 9. The entes maked wth epesent non-zeo off-dagonal entes we may gnoe. Fgue 0.. Example LFM lattce.

32 3 To apply Theoem 3., we also eque that m h( xx ) < q / w. Pluggng n the bound on h ( xx ) fom Equaton (0.) and eodeng tems, we see ths condton s satsfed when w / w / wm wm m ( ) ( m+ ) / X < q N N N /( w ). (0.) We may substtute q N = p. Because w c q < p fo some c, we know c+ N < p. So nequalty (0.) s satsfed when the followng holds: w / wmm ( ) ( c+ )( m+ ) / X < q /( w ). / w We note that ( w ) ( ) fo all w 4, so ths leads to w X < / w m / wm ( / ) ( c+ )( m+ p ). Lage values of X allow us to use weake appoxmatons P, so we wsh to fnd the lagest X satsfyng the bound. The optmal value of m s attaned at w m 0 =, and we may choose w + c 0 so that w 0 so that w0 s wthn + c max{ w0, 4} bound + c of an ntege. Pluggng n m = m0 and w = and wokng though tedous athmetc esults n the X < ( / ) p c + c w ( +δ), whee δ = + c + c. 4w Snce δ < we obtan the slghtly weake, but moe appealng bound X c + < ( / ) p c w. (0.3) So when X satsfes nequalty (0.3), the LLL algothm wll fnd a vecto m h ( xx ) n L satsfyng h( xx ) < q / w. The polynomal h ( x) s an ntege lnea combnaton of the g, k ( x) and thus satsfes

33 A STUDY OF SOME METHODS FOR FINDING 33 m h( x ) q. But snce w 4, h( xx ) s bounded, we have by Theoem 0 Z 3. that h ( x 0 ) = 0. Tadtonal oot-fndng methods [45] such as Newton-Raphson can extact the oots of h ( x). Gven a canddate fo x 0, t s easy to check f P + x0 dvdes N. Snce h s of degee w, thee ae at most w oots to check befoe x 0 s found and the factozaton of N s exposed. We summaze ths esult n the followng theoem: Theoem 0.. Let N = p q be gven, and assume Futhemoe assume that P s an ntege satsfyng c q < p fo some c. P p < c + ( / ) p c w, fo some w. Then the facto p may be computed fom N,, c, and P by an algothm whose unnng tme s domnated by T LLL ( w, w / log N ). Note that as w tends to nfnty, the bound on P becomes c P p ( / ) p + c <. When c =, takng w = povdes a smla bound and s suffcent fo pactcal puposes. We can now complete the poof of the man theoem. c Poof of Theoem 0.. Suppose N = p q wth q < p fo some c. Let w = ( + c). Then, by Theoem 0. we know that gven an ntege P satsfyng c+ P p < + c p the factozaton of N can be found n tme T LLL ( w, w / log N ). Let ε : = c +. We poceed as follows: + c (a) Fo all k =,, ( log N )/ do: εk + (b) Fo all j = 0,, do: n,

34 34 (c) Set P = k + ( ε ) k j. (d) Run the algothm of Theoem 0. usng the appoxmaton P. The outemost loop to detemne the length k of p s not necessay f the sze of p s known. If p s k bts long then one of the canddate values P geneated n step (c) wll satsfy ( ε) k P p < and hence ε P p < ( / ) p as equed. Hence, the algothm wll facto N n the equed tme.. Applcatons.. Factong N = pq wth a hnt One mmedate applcaton of Theoem 0. s the factozaton of nteges of the fom N = pq when patal nfomaton about one of the factos s known. Suppose ( n / 4) + δ bts of one of factos of an n-bt value N = pq s known fo some small δ > 0, Coppesmth showed [6] how to apply a bvaate veson of hs technque to solve the ntege factozaton poblem usng ths patal nfomaton. The lattce factong method descbed hee s the fst applcaton of the unvaate Coppesmth method to the poblem of ntege factozaton wth a hnt. Ths method genealzes to nteges of the fom N = p q, whle the bvaate method does not. Theefoe, t appeas ths technque appeas to be supeo to the ognal bvaate Coppesmth appoach. Ou method has sgnfcant pefomance advantages ove the ognal bvaate method of Coppesmth. Gven ( n / 4) + δ bts of one of the factos of N = pq, the bvaate method of Coppesmth bulds a lattce n /( 9δ ) wth entes of sze at most n /( δ). Ou method ceates lattces of dmenson n / δ wth entes of sze at most n / δ. Ths esults n a substantal pefomance mpovement.

35 Factong esult fo A STUDY OF SOME METHODS FOR FINDING 35 N = pq knowng MSBs of p. We fst descbe the N = pq when most sgnfcant bts of p ae known. Coollay. (MSBFact). Let N = pq of bnay length n be gven and assumeq q < p. Futhemoe assume P > 0 and t > n / 4 ae nteges satsfyng P p < ( n / ) t. Then thee s an algothm that gven N, P, and t computes the facto p n tme T LLL ( w, nw), whee n w = t ( n / 4). We denote the unnng tme of ths algothm by T ( n, t). MSBFact Poof. In ode to use Theoem 0. we must choose w such that P p < ( / ) p w. Ths s acheved once P n ( ) p < w,.e., w n t ( n / 4). Some comments: When P and p ae most sgnfcant bts, we have MSBFact s gven the t most sgnfcant bts of p. n / -bt nteges such that P matches p on the t ( n / ) t P p <. Infomally, we say that Note that as t nceases, T MSBFact ( n, t) deceases. Whle ths follows fom the fact that w s nvesely popotonal to t, t s also makes ntutve sense snce the factong poblem natually becomes ease as moe bts of p ae gven to MSBFact. Ths algothm can be extended to t n / 4 by unnng MSBFact sequentally wth appoxmatons P j : = P ( n / ) t ( ) ( n / 4 ) + j,

36 36 fo { ( n / 4,, ) t+ j = }. One of these P j wll satsfy P j p < ( n / 4 ). + ).( n / 4) t+. n + MSBFact Hence the total unnng tme s ( / 4 ) t. T ( n, ( n / 4) Fo t = ( n / 4) + we have w = n. In pactce, ths may esult n a lattce too lage to handle (e.g., factong n = 04 bt RSA modul). The pevous tck can be appled to get a unnng tme of ( n / 4 ) t+ c. T MSBFact ( n, ( n / 4) + C) fo any C > 0 to get w = n / C. In most cases w can be taken to be much smalle, but the method s no longe povable. Factong N = pq knowng LSBs of p. We now descbe a slght vaant of the lattce factong method that can be used to facto when least sgnfcant bts of a facto p ae known. Coollay. (LSBFact). Let N = pq N = pq of bnay length n be gven and assume q < p. Futhemoe assume P > 0, R > 0, and n / t > n / 4 ae nteges satsfyng P t p( mod R), R. Then thee s an algothm that gven N, P, R, and t computes the facto p n tme T LLL ( w, 6nw), whee n w = t ( n / 4). We denote the unnng tme of ths algothm by T LSBFact ( n, t). Poof. In ths poblem, we ae seekng to dscove the value n : = ( P p) /, whee / t x <. We cannot apply Theoem 0. x0 R 0 dectly, so we deve the followng vaant. We have gcd ( R, N ) = (othewse we know the factozaton of N mmedately), so we can compute a and b satsfyng ar + bn =. Defne the polynomal f ( x) : = ( ap + x) / N,

37 and obseve But A STUDY OF SOME METHODS FOR FINDING Z f ( arx ) = ( ap + arx ) / N = ( ap) / N = a / q q. fo some C Z, so f ( x0 ) q Z. f ( arx ) = f ( x bnx ) = f ( x ) +, C Ths encodes the factozaton poblem as a unvaate oot-fndng poblem, and we use exactly the same technques used n Subsecton 0. to solve t. Namely, let m > 0 be an ntege to be detemned late. Fo k = 0,, m and any 0 defne m k g, k : = x f ( x). Then g, k ( x0 ) q Z fo all 0 and all k m. We buld a lattce fom these polynomals and use LLL to fnd a shot vecto. The poof follows as n Lemma 0., and we deve the same bound x ( / ) c c p + c w. In ths case = c =, so the bound s acheved once 0 < x0 n ( ) w,.e., w Some comments: n t ( n / 4). When P and p ae n / -bt nteges such that P matches p on the t least sgnfcant bts, we have P p( mod t ). Infomally, we say that LSBFact s gven the t least sgnfcant bts of p. Note that as t nceases, T LSBFact ( n, t) deceases. Whle ths follows fom the fact that w s nvesely popotonal to t, t s also makes ntutve sense snce the factong poblem natually becomes ease as moe bts of p ae gven to LSBFact.

38 38 Ths algothm can be extended to t n / 4 by unnng LSBFact wth ( / 4 R n ) t =. R, and appoxmatons P j : = P + ( j )R fo j = {, ( n / 4, ) t }. One of these P j wll satsfy P p mod R, whee R n / 4. Hence the total unnng tme s ( n, ( n / 4) + ). ( n / 4) t+. TLSBFact Fo t = ( n / 4) + we have w = n. In pactce, ths may esult n a lattce too lage to handle (e.g., factong n = 04 bt RSA modul). The pevous tck can be appled to get a unnng tme of ( n / 4 ) t+ C. T LSBFact ( n, ( n / 4) + C) fo any C > 0 to get w = n / C. In most cases w can be taken to be much smalle, but the method s no longe povable, see [30, 37, 4, 4, 5]... Polynomal-tme factong fo N = p q, = Ω( log p) When log p the lattce factong method uns n tme polynomal n log N. Ths s a new class of nteges that can be effcently factoed. We state ths fomally n the followng: Coollay.3. Let N = p q whee c q < p fo some c. Suppose = M log p. The facto p can be ecoveed fom N,, and c by an algothm wth a unnng tme of ( c+ ) / M. T LLL (( / M ) log N, ( + c) log N ). The algothm s detemnstc, and uns n polynomal space. Poof. Ths follows fom Theoem 0. wth the obsevaton that and = ( / M ) log N. c + c + ( c + ) c c + log p =, + c M M log p + c M

39 A STUDY OF SOME METHODS FOR FINDING 39. Expements We mplemented the lattce factong method usng Maple veson 5.0 and Vcto Shoup s Numbe Theoy Lbay package [47]. The pogam opeates n two phases. Fst, t guesses the most sgnfcant bts P of the facto p, then bulds the lattce descbed n Secton 9. Usng NTL s mplementaton of LLL, t educes the lattce fom Secton 9, lookng fo shot vectos. Second, once a shot vecto s found, the coespondng polynomal s passed to Maple, whch computes the oots fo compason to the factozaton of N. We tested MSBFact, LSBFact, and the algothm of Theoem 0.. The algothm of Theoem 0. uses Theoem 0. and smple exhaustve seach. Examples of unnng tmes fo LSBFact ae gven n Secton. Runnng tmes fo MSBFact ae smla. Hee we estct attenton to the coe algothm gven n Theoem 0.. Example unnng tmes of ths algothm ae lsted n Fgue.. To extend ths to the full veson (Theoem 0.) would eque exhaustve seach fo the bts gven. P N Bts Lattce Runnng (bts) (bts) gven dm. tme mnutes hous hous hous hous Expements pefomed on a GHz Intel Pentum III unnng Lnux. Fgue.. Runnng tmes fo LFM. Ths ntoduces a lage multplcatve facto n the unnng tmes lsted above. The esultng unnng tmes ae not so mpessve; fo such small N, ECM pefoms much bette. Howeve, we expect the unnng tme to scale polynomally wth the sze of the nput, quckly outpacng the unnng tmes of ECM and NFS, whch scale much less favoably.

40 40 Optmzatons. The executon tmes of the algothms pesented n ths sectons ae domnated by the unnng tme of the LLL algothm. In ths secton, we addess seveal pactcal concens that geatly mpove the pefomance of ths step. The fst obsevaton s that n ou expements, the shot vecto etuned by the LLL algothm almost always coesponds to a polynomal of degee w. Ths means that a lnea combnaton whch yelds a shot vecto wll nclude those bass vectos coespondng to the g and g k of geatest degee. We focus attenton of the LLL, k j, algothm on these bass vectos by usng the followng odeng on the bass vectos: g j, m ( xx ) fo j = w m,, 0 followed by g, k ( xx ) fo k = m, m,, 0 and = 0,,. Ths esulted n a speedup of ove facto of two compaed to the natual odeng, n whch LLL spent a lage amount of tme educng a poton of the bass that would ultmately be elevant. The second obsevaton s that n an LLL-educed lattce, the wostcase esult fo the shotest vecto wll be T α ( p) = 3xp(( log p) ). Implementatons of LLL often ty to mpove ths by educng the fudge facto of ( w )/ 4. Howeve, as the analyss fom Subsecton 4. shows, the fnal contbuton of ths tem s neglgble. Thus a hgh-qualty bass educton s unnecessay, and unnng tmes can be geatly mpoved by deactvatng featues such as Block Kokn-Zolotaeff educton. 3. Compason to Othe Factong Methods α We estate the Theoem 0. so that t s ease to compae lattce factong to exstng algothms. We fst ntoduce some notaton. Let T α ( p) be the functon defned by