On Black-Box Ring Extraction and Integer Factorization

Transcription

1 On Bac-Box Ring Extraction and Integer Factorization Kristina Atmann, Tibor Jager, and Andy Rupp Horst Görtz Institute for IT-Security Ruhr-University Bochum {ristina.atmann, Abstract. The bac-box extraction probem over rings has at east) two important interpretations in cryptography: An efficient agorithm for this probem impies i) the equivaence of computing discrete ogarithms and soving the Diffie-Heman probem and ii) the in-existence of secure ring-homomorphic encryption schemes. In the specia case of a finite fied, Boneh/Lipton [BL96] and Maurer/Raub [MR07] show that there exist agorithms soving the bac-box extraction probem in subexponentia time. It is unnown whether there exist more efficient agorithms. In this wor we consider the bac-box extraction probem over finite rings of characteristic n, where n has at east two different prime factors. We provide a poynomia-time reduction from factoring n to the bac-box extraction probem for a arge cass of finite commutative unitary rings. Under the factoring assumption, this impies the in-existence of certain efficient generic reductions from computing discrete ogarithms to the Diffie-Heman probem on the one side, and might be an indicator that secure ring-homomorphic encryption schemes exist on the other side. 1 Introduction Informay speaing, the bac-box extraction probem over an agebraic structure A ie a group, ring, or a fied) can be described as foows: Given an expicit representation of A e.g., the cycic group Z n, +) with the canonica binary representation of eements) as we as access to a bac-box resembing the structure of A and hiding an eement x A, the chaenge is to recover x in the given expicit representation. Agorithms that wor on the bac-box representation of an agebraic structure, and thus on any concrete representation, are caed generic or bac-box agorithms. The bac-box extraction probem has been studied in various variants and contexts, e.g., see [Nec94,Sho97,Mau05,BL96,MR07]. The case where the agebraic structure is a cycic group with given representation Z n, +)), and the extraction probem is better nown as the discrete ogarithm probem, was considered by Nechaev [Nec94] and Shoup [Sho97]. They showed that the expected running time of any generic agorithm for this probem is Ω p), where p is the argest prime factor of the group order n. Here, the integer n as we as its factorization is assumed to be pubicy nown. Boneh and Lipton [BL96] considered the bac-box extraction probem over prime fieds F p. Based on a resut due to Maurer [Mau94] they deveoped an agorithm soving the probem in subexponentia time in og p). Maurer and Raub [MR07] augmented this resut to finite extension fieds F p by providing an efficient reduction from the bac-box extraction probem over F p to the bac-box extraction probem over F p. Currenty it is unnown whether there exist more efficient agorithms for bac-box extraction over fieds. In this paper, we address the case where the underying agebraic structure is a finite commutative ring with unity. The characteristic n of the considered rings is the product of at east two different primes, thereby excuding the specia case of a finite fied. We provide an efficient reduction from computing a non-trivia factor of n to the bac-box extraction probem for virtuay any such This is an extended version of the paper with the same tite that appeared in the proceedings of ICALP 2008.

2 ring where computations i.e., appying the ring operations + and, equaity tests and random samping of eements) can be done efficienty. The bac-box extraction probem over fieds/rings has at east two important appications in cryptography. For Z n, +, ) it can be interpreted as the probem of soving the discrete ogarithm probem given access to an orace for the Diffie-Heman probem: Z n, +) forms a cycic additive group. The bac-box provides access to the common operations on this group as we as to the additiona operation. This extra operation can be interpreted as an orace soving the Diffie- Heman probem in the group Z n, +). Hence, an efficient agorithm for the bac-box extraction probem over Z n, +, ) woud correspond to an efficient generic reduction from computing discrete ogarithms to soving the Diffie-Heman probem over cycic groups of order n. Such reductions are nown for groups where the group order is prime and meets certain properties [db88], or if certain side information, depending on the respective group, is given [Mau94]. It is aso nown that no efficient generic reduction exists for groups with orders containing a arge mutipe prime factor [MW98]. Bach [Bac84] provided a reduction from factoring n to computing discrete ogarithms moduo n, i.e., in the mutipicative group Z n of order φn), where φ ) denotes Euer s totient function. Furthermore, the anaysis of the bac-box extraction probem sheds ight on the existence of secure ring/fied-homomorphic encryption schemes. Consider an encryption function enc : K P C, where K, P and C denotes the ey, paintext and ciphertext space, respectivey. Moreover, assume that P and C exhibit an agebraic structure with respect to certain operations. If for any K the function enc := enc, ) is a homomorphism from P to C, the corresponding encryption scheme is said to be homomorphic. For instance, unpadded RSA is group-homomorphic, since the functions enc e : Z n Z n, enc e a) := a e satisfy enc e a b) = a b) e = a e b e = enc e a) enc e b), where denotes the mutipication moduo the RSA moduus n. Further we-nown exampes of group-homomorphic encryption schemes are native EGama [EG85] and the Paiier cryptosystem [Pai99]. A natura question arising in this context is whether there exist secure ring-homomorphic encryption schemes, that is, schemes where P and C exhibit a ring structure, and enc is a ringhomomorphism. An efficient agorithm for the bac-box extraction probem over the ring P woud impy the inexistence of secure ring-homomorphic encryption schemes over P: The bac-box can be considered as an ideaization of the encryption functions enc and the probem of recovering the expicit representation of x as the probem of inverting enc. Note that since the bac-box representation enabes equaity checing, aso the cass of considered encryption schemes aows for checing the equaity of encrypted paintexts. The resuts by Boneh and Lipton [BL96] and Maurer and Raub [MR07] impy that for the specia case of a finite fied any such scheme can be broen in subexponentia time. 1.1 Our Contribution In this wor we consider the bac-box extraction probem over finite commutative rings with unity whose characteristic n is the product of at east two different primes. To the best of our nowedge, this case has not been treated in the iterature yet. We present an efficient reduction from finding a non-trivia factor of n to the bac-box extraction probem over virtuay any ring R where computation is efficient. To this end, we extend a technique due to Leander and Rupp [LR06] which was originay used to prove the equivaence of breaing RSA and factoring regarding generic ring agorithms. 2

3 We first provide a reduction for the case R = Z n. This case is especiay interesting since Boneh and Lipton pointed out that their subexponentia time bac-box extraction agorithm for finite fieds can be extended to finite rings Z n if n is square-free, requiring that the factorization of n is nown. Our resut impies that there are no better agorithms than those that factorize n. Moreover, under the assumption that factoring n is hard, this impies the in-existence of efficient generic reductions from computing discrete ogarithms to soving the Diffie-Heman probem in cycic groups of order n. Note that in contrast to Bach [Bac84] presenting a reduction from factoring n to computing discrete ogarithms in the group Z n of hidden order φn), we consider generic reductions in groups of nown order n. We extend our reduction to more genera rings R which are either given by a poynomia representation or a basis representation. More precisey, in the first case we consider rings of the form R = Z n [X 1,...,X t ]/J, where t 0 and J is an idea in Z n [X 1,...,X t ] for which a Gröbner basis is nown. In the second case, the ring R is given by a tupe n 1,...,n t, c i,j, ) 1 i,j, t ) where n 1,...,n t are the eement orders of an additive basis of R, +) and the c i,j, are integers describing the mutipicative reations of these basis eements. Finay, the reduction naturay extends to product rings R = R 1... R where at east one component R i compies to one of the above forms. We concude that our resuts cover virtuay any ring of cryptographic interest since choosing one of the above representations currenty) seems to be the ony way that aows efficient computation in a finite commutative unitary ring without immediatey reveaing a factor of the ring characteristic. Regarding secure homomorphic encryption our resut has another interesting consequence: Boneh/Lipton [BL96] and Maurer/Raub [MR07] show that any fied-homomorphic encryption scheme can be broen in subexponentia time. It is an open question whether there exist more efficient generic agorithms. For a arge cass of rings we can negate this question, assuming that factoring the ring characteristic cannot be done better than in subexponentia time. This might be seen as an indicator for the existence of secure ring-homomorphic encryption schemes. 2 The Bac-Box Ring Extraction Probem Informay speaing, bac-box ring agorithms are the cass of agorithms that operate on the structure of an agebraic ring without expoiting specific properties of the representation of ring eements. We adopt Shoup s generic group mode [Sho97] to formaize the notion of bac-box ring agorithms: Let R, +, ) be a finite commutative unitary ring and S {0, 1} og 2 R ) be a set of bit strings of cardinaity R. Let σ : R S be a bijective encoding function which assigns ring eements to bit strings, chosen at random among a possibe bijections. A bac-box ring agorithm is an agorithm that taes as input an encoding ist σr 1 ),..., σr )), where r i R. Note that depending on the particuar probem the agorithm might tae some additiona data as input, such as the characteristic of R, for exampe. In order to 3

4 be abe to perform the ring operations on randomy encoded eements, the agorithm may query a bac-box ring orace O. The orace taes two indices i, j into the encoding ist and a symbo {+,, } as input, computes σr i r j ) and appends this bit string to the encoding ist to which the agorithm aways has access). We capture the notion of a bac-box ring representation by the foowing definition: Definition 1 Bac-Box Ring Representation). Let R, +, ) be a finite ring. We ca the tupe σ, O) consisting of a randomy chosen encoding function σ : R S, and a corresponding bac-box ring orace O a bac-box ring representation for R and denote it by R σ. For short, we sometimes ca R σ a bac box ring meaning that we consider a ring exhibiting the structure of R but whose eements are encoded by random bit strings). As an abuse of notation we occasionay write σx) R σ meaning that the unique encoding σx) of an eement x R is given. Moreover, when we say in the foowing that an agorithm A performs operations on the bac-box ring R σ, we mean that A interacts with the bac-box ring orace as described above. Having formaized the notion of a bac-box ring, we can define the bac-box ring extraction BBRE) probem: Definition 2 BBRE Probem). Let R be an expicity given finite commutative ring with unity 1 and nown characteristic n. Furthermore, et B := {r 1,...,r t } be an expicity given) generating set of R. The bac-box ring extraction BBRE) probem for R is the tas of computing x R, where x is chosen uniformy random from R, given σx), σ1), σr 1 ),...,σr t ) R σ. In the foowing we consider the BBRE probem over different rings R and reate the hardness of this probem to the hardness of integer factorization IF) probem, more precisey, to probem of finding a factor of n. 3 The Reation between BBRE and IF for Z n In this section we consider the BBRE probem for the ring Z n, where n has at east two different prime factors. We provide a reduction from factoring n to the BBRE probem in the foowing sense: If there exists an efficient agorithm soving the BBRE probem for Z n with non-negigibe success probabiity, then there exists an efficient agorithm finding a factor of n with non-negigibe probabiity. Theorem 1. Let R := Z n for some integer n having at east two different prime factors. Let A be an agorithm for the BBRE probem that performs at most m n operations on R σ. Assume that A soves the BBRE probem with probabiity ǫ. Then there is an agorithm B having white-box access to A that finds a factor of n with probabiity at east ǫ 1 n m 2 + 3m + 2 by running A once and performing an additiona amount of O m 2) random choices and O m 3) operations on R as we as O m 2) gcd computations on og 2 n)-bit numbers. Remar 1. Assume we have a BBRE agorithm A that wors for a rings R = Z n where n consists of at east two different prime factors. Then agorithm B can be used to factor a given integer n competey. This is done by first running B on n, i.e., B runs A on an instance of the BBRE probem over Z n and performs some additiona operations, resuting in a factor d of n with a certain probabiity. If n/d is not a prime power, which can easiy be determined, we can run B on n/d and so on. If A is efficient and soves the BBRE probem with non-negigibe probabiity, then the same hods for the resuting factoring agorithm. 4

5 Proof Outine. In a nutshe, our proof wors as foows: We repace the origina bac-box ring orace O with an orace O sim that simuates O without using the nowedge of the secret x. We ca this setting the simuation game. Then we show that the behavior of O sim is perfecty indistinguishabe from O uness a certain simuation faiure F occurs. Denoting the success event of A when interacting with O and O sim by S and S sim, respectivey, it immediatey foows that ǫ = Pr[S] is upper bound by Pr[S sim ] + Pr[F]. In other words, the probabiity Pr[F] of a faiure is at east ǫ Pr[S sim ]. Showing that Pr[F] mutipied by a certain prefactor) is in turn a ower bound on the the probabiity of reveaing a divisor of n competes our proof. 3.1 Detaied Proof of Theorem 1 Before introducing the actua simuation orace, as announced in the proof outine, et us first define a sighty modified but equivaent version of the origina bac-box ring orace O: Instead of using the ring R = Z n for the interna representation of ring eements, these eements are represented by poynomias in the variabe X over R which are evauated with x each time the encoding of a newy computed eement must be determined. Definition 3 An Equivaent Orace). The orace O has an input and an output port as we as a random tape and performs computations as foows. Input. As input O receives the moduus n and an eement x U R. Interna State. As interna state O maintains two ists L R[X] and E S n. For an index i et L i and E i denote the i-th eement of L and E, respectivey. Encoding of Eements. Each time a poynomia P shoud be appended to the ist L the foowing computation is triggered to determine the encoding of Px): O checs if there exists any index 1 i L such that P L i )x) 0 mod n. If this equation hods for some i, then the respective encoding E i is appended to E again. Otherwise the orace chooses a new encoding s U S\E and appends it to E. The computation of O starts with an initiaization phase, which is run once, foowed by the execution of the query-handing phase: Initiaization. The ist L is initiaized with the poynomias 1, X and the ist E is initiaized with corresponding encodings. Query-handing. Upon receiving a query, i 1, i 2 ) on its input tape, where {+,, } identifies an operation and i 1, i 2 are indices identifying the ist eements the operation shoud be appied to, O appends the poynomia P := L i1 L i2 to L and the corresponding encoding to E. We say that an agorithm is successfu in this game iff it outputs x and denote this event by S. A Simuation Game. Now we repace O by a simuation orace O sim. The simuation orace is defined exacty ie O except that it determines the encodings of eements in a different way in order to be independent of the secret x. Each time a poynomia P is appended to the end of ist L during initiaization or queryhanding), O sim does the foowing: Let L j = P denote the ast entry of the updated ist. Then for each 1 i < j the simuation orace chooses a new eement x i,j R uniformy at random and checs whether the equation L i L j )x i,j ) 0 mod n hods. If it is not satisfied for any i, the orace chooses a new encoding s U S\E and appends it to E. Otherwise, for the first i the equation is satisfied, the corresponding encoding E i is appended 5

6 to E again i.e., E j = E i ). The agorithm is successfu in the simuation game if it outputs the eement x given as input to O sim ). We denote this event by S sim. Note that due to the modification of the eement encoding procedure, it is now possibe that both an eement L i x) is assigned to two or more different encodings and that different eements are assigned to the same encoding. In these cases the behavior of O sim differs from that of O, what may aow to distinguish between the oraces. In the case of a differing behavior the foowing faiure event F occurred: There exist i, j {1,..., L } satisfying the equation L i L j )x) 0 mod n and L i L j )x i,j ) 0 mod n, 1) or the equation L i L j )x) 0 mod n and L i L j )x i,j ) 0 mod n. 2) Remar 2. There is a technica subtety. If there is i < j such that L i L j )x) 0 mod n but L i L j )x i,j ) 0 mod n then O sim does not necessariy determine different encodings for L j x). There may be some i < i < j such that L i L j )x) 0 mod n and L i L j )x i,j) 0 mod n and E i = E i. So the simuation faiure event as defined by us is just a necessary but not a sufficient condition for discriminative behavior of O and O sim. It is important to observe that the origina game and the simuation game proceed identicay uness F occurs: To this end consider the agorithm A as deterministic Turing machine with identica input and random tape in both games. Aso, consider the oraces O and O sim as deterministic Turing machines receiving the same inputs and random tapes. 1 Assuming that F does not occur, the agorithm receives the same sequence of encodings and thus issues the same sequence of queries in both games. Furthermore, it outputs the same eement in the end of both games and thus wins the simuation game if and ony if it wins the origina game. Hence, we have the foowing reation between the considered events S F S sim F. We can obtain an upper bound on Pr[S] by deriving upper bounds on Pr[S sim ] and Pr[F] and appying the Difference Lemma Lemma 1). Lemma 1 Difference Lemma [Sho04]). Let E 1,E 2, and E 3 be events over the same probabiity space. If E 1 E 3 E 2 E 3, then it hods that Pr[E 1 ] Pr[E 2 ] Pr[E 3 ]. Bounding the Probabiity of Success in the Simuation Game. Since a computations are independent of the uniformy random eement x R, the agorithm A can ony guess x: Pr[S sim ] 1 R = 1 n. Bounding the Probabiity of a Simuation Faiure. Let D = {L i L j 1 i < j L } denote the set of a non-trivia differences of poynomias in L after a run of A. In the foowing we show how the probabiity that a poynomia D causes a simuation faiure is reated to the probabiity of reveaing a factor of n by simpy evauating with a uniformy random eement from R. 1 To be precise here, we actuay shoud have defined O to perform exacty the same random choices as O sim i.e., etting O aso choose the eements x i,j but without using them). 6

7 For fixed D et F denote the event that causes a simuation faiure as defined by Equations 1) and 2). Furthermore, et D denote the event that gcdn, a)) / {1, n} when choosing an eement a uniformy at random from R. Now, we are going to express the probabiities of both events using the same terms. Let n = pe i i be the prime factor decomposition of n. Hence, R is isomorphic to Z e p 1... Z e 1 p by the Chinese Remainder Theorem. Then we can write Pr [ a) 0 mod n] = Pr [ a) 0 mod a U R a U R pe 1 1 )... a) 0 mod pe )] = Pr [ a) 0 mod a U R pe i i ] = ν i, 3) where ν i := {a R a) 0 mod pe i i } R. Note that the second ine of the above equation foows from the fact that the events defined by the predicates a) 0 mod p e i i are mutuay independent. Using Equation 3) we can express the probabiity of F by Pr[F ] = Pr a U R + Pr = 2 a U R [ a) 0 mod n] [ a) 0 mod n] 1 ν i) Simiary, we can write the probabiity of D as ν i ) 1 Pr a U R ) [ a) 0 mod n] ) 1 Pr [ a) 0 mod n] a U R. 4) Pr[D ] = 1 Pr [ a) 0 mod n] Pr [ a) 0 mod a U R a U R pe 1 1 )... a) 0 mod pe )] = 1 Pr [ a) 0 mod n] Pr [ a) 0 mod a U R a U R pe i = 1 ν i 1 ν i ) i ] 5) Now, the ey observation is that we have the foowing reation between the probabiities of the events F and D : Lemma 2. D : 2 Pr[D ] Pr[F ] Proof. We have 2 Pr[D ] Pr[F ] = ν i 1 ν i ) + 1 ν 2 i ) 0 ) 2 ν i 1 ν i ) 7

8 It is easy to prove by induction over that the inequaity ) 1 ν i 1 ν i ) hods for a 1. From this our caim foows immediatey since 1 hods for a 2. ) 2 ) ν i 1 ν i The Factoring Agorithm. Based on the reation given by Lemma 2, we construct an efficient factoring agorithm. Consider an agorithm B that runs the BBRE agorithm A on an arbitrary instance of the BBRE probem over Z n. During this run it records the sequence of queries that A issues, i.e., it records the same ist L of poynomias as the bac-box ring orace. Then for each D the agorithm B chooses a new random eement a Z n ie the orace is doing), and computes gcdn, a)). There are at most m + 2)m + 1)/2 such poynomias and each of them can be evauated using at most m + 1 ring operations since it is given as a straight-ine program of ength at most m). Thus, B chooses O m 2) random eements and performs O m 3) operations on R as we as O m 2) gcd computations on og 2 n)-bit numbers. Let the event that at east one of these gcd computations yieds a non-trivia factor of n be denoted by D. Then ceary we have Pr[D] max D Pr[D ]). From this we can derive the foowing ower bound on the the success probabiity of B in terms of the faiure probabiity: Pr[F] D Pr[F ] 2 DPr[D ] m + 2)m + 1)Pr[D] 6) To Summarize. Remember that ǫ = Pr[S] denotes the success probabiity of the BBRE agorithm A. From Lemma 1 foows that Pr[F] Pr[S] Pr[S sim ] ǫ 1 n. Depoying the above ower bound on Pr[F] in Equation 6) finay yieds Pr[D] Pr[F] m + 2)m + 1) ǫ 1 n m + 2)m + 1). 4 Extending our Reduction to Mutivariate Poynomia Rings In this section we are going to ift our reduction from the specia case R = Z n to the case R = Z n [X 1,...,X t ]/J, where Z n [X 1,...,X t ] denotes the ring of poynomias over Z n in indeterminates X 1,...,X t t 0) and J is an idea in this poynomia ring such that R is finite. Note that any finite commutative ring with unity can be represented in this way: 8

9 Lemma 3 Poynomia Representation). Let R be a finite commutative unitary ring of characteristic n. Then there is a number t og 2 R and a finitey generated idea J of Z n [X 1,...,X t ] such that R = Z n [X 1,...,X t ]/J. Proof. Let M = {m 1,...m t } R be a generating subset of R, i.e., R = M. Consider the mapping φ : Z n [X 1,...,X t ] R such that 1 1 and X i m i for 1 i t. Certainy, φ is a ring homomorphism impying that J := erφ) is an idea of Z n [X 1,...,X t ]. Appying the fundamenta theorem on homomorphisms e.g., see [Lan02, p.89]) yieds that Z n [X 1,...,X t ]/J = R. Since Z n triviay is a Noetherian ring it foows by Hibert s basis theorem e.g, see [Gri99, p.181]) that aso the poynomia ring Z n [X 1,...,X t ] is Noetherian. Thus, every idea of Z n [X 1,...,X t ], especiay J, is finitey generated. By the fundamenta theorem of finitey generated abeian groups e.g., see [Gri99, p.48]) the additive group of a finite ring decomposes uniquey up to order) into a direct product of cycic groups. Observe that a group of cardinaity R decomposes into a product of at most og 2 R groups. Hence, setting M to be the set of generators of these subgroups of R, +), we see that a number of t og 2 R eements is sufficient to generate the entire ring. We start by considering a usefu decomposition of such rings simiar to the CRT-decomposition for Z n. Next, we give some facts about Gröbner bases over these rings and their component rings. Finay, we use these resuts in a reduction proof which is simiar to the one for Z n. 4.1 A Prime-Power Decomposition for Mutivariate Poynomia Rings It is a we-nown fact that any finite commutative ring is uniquey up to order) decomposabe into a direct product of oca rings [McD74, p.95]. However, since this decomposition does not meet our requirements, we devise another simpe way of decomposing R into a direct product of rings with prime-power characteristic, but not necessariy oca rings. Lemma 4. Let R = Z n [X 1,...,X t ]/ F and n = pe i i be the prime factor decomposition of the characteristic n of R. Then R is decomposabe into a direct product of rings R = R 1... R, where R i := Z e p i [X 1,...,X t ]/J. i Proof. Let F be a set of poynomias generating the idea J in Z n [X 1,...,X t ]. We denote this by J = F. Note that the ring R can equivaenty be written as Z[X 1,...,X t ]/ n, F. For 1 i et J i := p e i i, F which is an idea in Z[X 1,...,X t ]. Then for each 1 i < j it hods that J i +J j := {a + b a J i, b J j } = Z[X 1,...,X t ]. Moreover, we have J i = n, F. Thus, by the generaized Chinese Remainder Theorem [Gri99, p.184], we obtain the isomorphism Z n [X 1,...,X t ]/ F = Z[X 1,...,X t ]/ n, F = Z[X 1,...,X t ]/ p e 1 1, F... Z[X 1,...,X t ]/ p e, F = Z e p 1 [X 1,...,X t ]/J... Z e 1 p [X 1,...,X t ]/J. We ca this way of decomposing R the prime-power decomposition of R. Note that Lemma 4 hods for any finite commutative unitary ring since any such ring can be represented as poynomia ring: Coroary 1. Let R be a finite commutative unitary ring of characteristic n = is isomorphic to a product of rings R 1 R where R i has characteristic p e i i. 9 pe i i. Then R

10 4.2 Gröbner Bases for Poynomia Ideas over Rings Roughy speaing, a Gröbner basis G is a generating set of an idea J in a mutivariate poynomia ring exhibiting the specia property that reduction of poynomias from J moduo the set G aways yieds the residue zero. This property is not satisfied for arbitrary idea bases and enabes effective computation in residue cass rings moduo poynomia ideas in the first pace. Gröbner bases were originay introduced by Buchberger [Buc65] for ideas J in K[X 1,...,X t ] where the coefficient space K is a fied. Later this notion was generaized to the case where K is a Noetherian ring such as Z n e.g., see [AL94, Chapter 4]). Let us introduce some notation. A monomia or power product in indeterminates X 1,...,X t is a product of the form X = X a Xat t for some a 1,...,a t ) N t 0. In the foowing et an arbitrary but admissibe order > on monomias be given. For instance, this coud be the exicographic order > ex defined as: X 1 = X a 1 1 Xat t > ex X 2 = X b 1 1 Xbt t iff the eftmost non-zero entry of a 1 b 1,...,a t b t ) is positive. Let f Z n [X 1,...,X t ] with f 0. Then we can write f as f = c 1 X c s X s, where c 1,...,c s Z n \{0} and X 1 >... > X s. The eading coefficient cf), the eading monomia pf), and the eading term tf) of f with respect to > are defined as cf) := a 1, pf) := X 1, and tf) := a 1 X 1, respectivey. Now, we are abe to define the reduction of a poynomia moduo a set of poynomias. To this end, we adopt the respective definitions from [AL94, Chapter 4]. In the foowing we do not mention the fixed monomia ordering expicity anymore. Definition 4 Poynomia Reduction). Let two poynomias f and h and a set of non-zero poynomias F = {f 1,...,f s } in Z n [X 1,...,X t ] be given. F a) We say that f can be reduced to h moduo F in one step, denoted by f h, if and ony if h = f c 1 X 1 f c s X s f s ) for c 1,...,c s R and power products X 1,...,X s where pf) = X i pf i ) for a i such that c i 0 and tf) = c 1 X 1 tf 1 ) c s X s tf s ). b) We say that f can be reduced to h moduo F, denoted by f + h, if and ony if there exist poynomias h 1,...,h 1 Z n [X 1,...,X t ] such that f F F F F F h 1 h 2... h 1 h. c) A poynomia h is caed minima with respect to F if h cannot be reduced moduo F. F d) We ca h a minima) residue of f moduo F, denoted by h = f mod F, if f + h and h is minima. Note that there is an efficient agorithm computing a minima residue of a poynomia f moduo a set F provided that the representation of f and F is efficient) according to the above definition. For instance, see Agorithm in [AL94]. Definition 5 Gröbner Basis). Let J be an idea in Z n [X 1,...,X t ] and G = {g 1,...,g s } be a set of non-zero poynomias such that G = J. Then G is caed a Gröbner basis for J if for any poynomia f Z n [X 1,...,X t ] we have f J f mod G = 0. Fortunatey, there aways exists an idea basis with this specia property, as stated by Lemma 5. However, note that given an arbitrary idea basis, a Gröbner basis for the corresponding idea is not aways easy to compute, see Section 7. In the foowing we aways assume that Gröbner bases for the considered ideas are given. Lemma 5. Let J be a non-zero idea of Z n [X 1,...,X t ], then J has a finite Gröbner basis. F 10

11 The foowing emma is crucia for proving that simiar to the Z n -case) an eement f R = R 1... R that is congruent to zero over a component R i but not congruent to zero over another component R j cf. Lemma 4) heps in factoring n. Observe that Lemma 6 requires that the eading coefficients of a given Gröbner basis eements are units. For our purposes, this is not a restriction at a but a reasonabe assumption since otherwise the given representation of R woud immediatey revea a factor of n. A proof for this emma based on the notion of syzygies can be found in Appendix A. Lemma 6. Let A = Z n [X 1,...,X t ] and n = pe i i. Furthermore, et G = {g 1,...,g s } be a Gröbner basis for the idea J = g 1,...,g s in A such that cg i ) Z n for a 1 i s. Then for each 1 s the set G = { p e, g } 1,...,g s is a Gröbner basis for the idea J = p e, g 1,...,g s in A. 4.3 The Reation between BBRE and IF for Z n [X 1,..., X t ]/J We are going to ift our reduction from the specia case R = Z n to the more genera case of finite mutivariate poynomias rings R = Z n [X 1,...,X t ]/J, where J is given by a Gröbner basis. Let n = pe i i. In the case R = Z n our factoring agorithm was successfu if it was abe to find an eement a R such that a p e i i and a pe j j for some 1 i < j. The foowing theorem shows that a generaization of this fact hods for residue cass rings moduo poynomia ideas given by Gröbner basis. Theorem 2. Let A = Z n [X 1,...,X t ] where n = pe i i and 2. Furthermore, et G = {g 1,...,g s } be a Gröbner basis for the idea J = g 1,...,g s in A such that cg i ) Z n for a 1 i s. Assume an eement f A is given, such that f J i = p e i i, g 1,...,g s and f J j = p e j j, g 1,...,g s for some 1 i < j. Then computing gcdcr), n), where r = f mod G, yieds a non-trivia factor of n. Proof. First of a, observe that since f J j we have that f J and so r = f mod G is not zero by Definition 5. Since r is a minima residue and the eading coefficients cg i ) of a Gröbner basis eements are units, it foows by Definition 4 that the eading monomia pr) of r is not divisibe by any eading monomia pg i ) of a Gröbner basis eement. Otherwise, r woud be reducibe to G r r cg i ) 1 cr)x i g i, where X i pg i ) = pr), using some g i such that pg i ) divides pr). Moreover, by Lemma 6, the set G i = {p e i i, g 1,...,g s } is a Gröbner basis for the idea J i. Thus, since f J i aso r J i and the reduction of r moduo G i woud yied the minima residue zero. As the eading monomia pr) is not divisibe by any pg i ), the eading coefficient cr) must be divisibe by p e i i. Since r 0 and cr) 0 mod n by definition of the eading coefficient) computing gcdcr), n) yieds a non-trivia factor of n. The foowing exampe iustrates the resut captured by the above theorem. Moreover, it shows that in the case where G is not a Gröbner basis, eements f satisfying the properties from Theorem 2 seem not to revea a factor of n by considering their residues moduo G. Exampe 1. Consider the finite ring R = Z 225 [X 1, X 2 ]/J where 225 = and J = X 1 X 2 + 1, X Let us use the exicographic order where X 1 > X 2 for poynomia reduction. Note that F = {X 1 X 2 + 1, X } is a generating set, but not a Gröbner basis for J with respect to this order. Furthermore, not that G = {X 1 + X 2, X } is a Gröbner basis for J. Let f = X1 4X X4 1 +2X 1+7X2 2+38X = 4X 2 )3 2 )+X1 4+7)X )+2X 1+X 2 ) mod 225. It hods that f J 1 = 3 2, X 1 +X 2, X but f J 2 = 5 2, X 1 +X 2, X The poynomia 11

12 f can be reduced moduo F to the minima residue f mod F = 2X 1 + 7X X = f X )X ) mod 225. It is easy to see that no coefficient of this residue share a nontrivia factor with 225. Moduo the Gröbner basis G the poynomia f can be reduced to the minima residue r = f mod G = 36X 2 = f X1 4+7)X ) 2X 1+X 2 ) mod 225. Computing gcdcr), 225) = 9 yieds a non-trivia factor of 225. The above fact aows us to formuate and prove a theorem simiar to Theorem 1. Theorem 3. Let R := Z n [X 1,...,X t ]/J for some integer n having at east two different prime factors and idea J in Z n [X 1,...,X t ]. Assume a Gröbner basis G = {g 1,...,g s } for J is given. Let A be an agorithm for the BBRE probem that performs at most m R operations on R σ. Assume that A soves the BBRE probem with probabiity ǫ. Then there is an agorithm B having white-box access to A that finds a factor of n with probabiity at east ǫ 1 n m + t + 2)m + t + 1) by running A once and performing an additiona amount of O m + t) 2) random choices and O mm + t) 2) operations on R as we as O m + t) 2 + s ) gcd computations on og 2 n)-bit integers. 2 Proof. We adapt the proof of Theorem 1. The description of the origina and the simuation game amost carries over competey by setting R := Z n [X 1,...,X t ]/J. There are ony a few sight technica differences concerning the oraces O and O sim considered in the origina game cf. Definition 3) and the simuation game: The ist L maintained by both oraces is initiaized with the t+1 generating eements 1, X 1,...,X t of R, and with the variabe X. As before, computed ring eements are represented by poynomias in R[X] = Z n [X 1,...,X t ]/J)[X]. Whenever an eement P R[X] is appended to the ist L, say as eement L j = P, O checs whether there exists an eement L i L such that L i L j )x) J which is equivaent to checing whether the residue r = L i L j )x) mod G is the zero poynomia over Z n. Instead of using the given secret x in the above evauation, the simuation orace O sim performs this chec using a new random eement x i,j R for each difference poynomia L i L j i < j {1,..., L }). The rest of the description of the games appies unchanged. Let the events S, S sim and F be defined anaogousy to the case R = Z n. We are eft with deriving bounds for the success probabiity Pr[S sim ] in the simuation game and for the probabiity Pr[F] of a simuation faiure. This aso wors simiary to the previous case except for some technica differences. Bounding the Probabiity of Success in the Simuation Game. A computations in the simuation game are independent of the uniformy random eement x. Thus, the agorithm A can ony guess x, resuting in Pr[S sim ] 1 R 1 n. 2 We count the addition/mutipication of two ring eements together with the reduction moduo G as one ring operation. 12

13 Bounding the Probabiity of a Simuation Faiure. Again et D := {L i L j 1 i < j L } denote the set of a non-trivia differences of poynomias in L after a run of A, and et be some fixed) eement of D. Let n = pe i i be the prime factor decomposition of n, then R has a prime power decomposition into according to Lemma 4. Let R = Z[X 1,...,X t ]/ p e 1 1, G... Z[X 1,...,X t ]/ p e, G ν i := {a R a) pe i i, G } R be the probabiity that a) p e i i, G for a uniformy random eement a R. Using this redefinition of ν i, the probabiity Pr[F ] that causes a simuation faiure is given by Equation 4. By Theorem 2, reveas a factor of n if we can find an eement a R such that a) p e i i, G and a) p e j j, G for some 1 i < j. In this case computing gcdc a) mod G), n) yieds a non-trivia factor provided that cg) Z n for a g G. The probabiity Pr[D ] of finding such an eement a at random is given in terms of ν i by Equation 5. Ceary, we again obtain the foowing reation between Pr[D ] and Pr[F ] in this case: 2 Pr[D ] Pr[F ] The Factoring Agorithm. Consider an agorithm B that first tries to find a factor of n by computing gcdcg), n) for a g G. Then it runs the BBRE agorithm A on an arbitrary instance of the BBRE probem over R and records the sequence of queries that A issues. For each D the agorithm B chooses a new random eement a R, and computes gcdc a) mod G), n). There are at most m + t + 2)m + t + 1)/2 such poynomias and each can be evauated using at most m + 1 ring operations. Thus, in tota B chooses O m + t) 2) random eements and performs O mm + t) 2) operations on R as we as O m + t) 2 + s ) gcd computations on og 2 n)-bit integers. Let D denote the event that B finds a factor of n. The tota probabiity of simuation faiure Pr[F] is upper bounded by Pr[F] D Pr[F ] 2 DPr[D ] m + t + 2)m + t + 1)Pr[D]. Therefore, the probabiity of finding a factor of n with this agorithm is at east Pr[D] ǫ 1 n m + t + 2)m + t + 1). Note that univariate poynomia quotient rings of the form Z n [X 1 ]/J for some idea J in Z n [X 1 ] are covered by Theorem 3 as a specia case. A Gröbner basis for J can aways be easiy determined: If J is given by a singe poynomia g we are done. In the case where J is described by a set of poynomias {g 1,...,g s }, a unique poynomia g generating J can be computed as g = gcdg 1,...,g s ). Furthermore, we can use the standard poynomia division agorithm for univariate poynomias) to impement reduction moduo g. Let n, t, G) RGenκ) be a ring instance generator that on input of a security parameter κ in unary representation) outputs the description n, t, G) of a ring R = Z n [X 1,...,X t ]/ G, where n is an integer consisting of at east two different primes, t specifies the number of indeterminates, and G is a Gröbner basis for the idea G. Note that the parameters n, t, as we as the Gröbner basis 13

14 i.e., G and the individua eements of the Göbner basis) may a depend on κ. Let us assume that addition, subtraction, mutipication, reduction moduo G as we as samping random eements in the rings R taes poynomia-time in κ. Furthermore, et there exist a non-constant poynomia q ) over N such that for a κ and possibe outputs n, t, G) RGenκ) it hods that og 2 n) qκ). Then Theorem 3 provides a poynomia-time in κ) reduction from finding a factor of n to the bac-box ring extraction probem for the famiy of rings described by RGen. 5 Extending our Reduction to Rings in Basis Representation In this section, we show that our reductions aso wors for rings that are given in basis representation. A basis representation of a ring R is a tupe n 1,...,n t, c i,j, ) 1 i,j, t ) where n 1,...,n t are the additive orders of eements b 1,...,b t R generating R, +) and the c i,j, ) Z n are integers describing the effect of mutipication on the b i via b i b j := Thus, eements of R are represented by tupes t c i,j, b. =1 r 1,...,r t ) Z n1... Z nt. The addition of two eements r = r 1,...,r t ) and s = s 1,...,s t ) in this representation is defined by their componentwise addition, i.e., Mutipication is defined by r + s = r 1 + s 1,...,r t + s t ). r s = 1 i,j t r i s j c i,j,1,...,r i s j c i,j,t ). The two eements are equa, which is denoted by r s, if and ony if r i s i mod n i for a 1 i t. The eements b 1 = 1, 0,...,0), b 2 = 0, 1, 0,...,0),..., b t = 0,...,0, 1) represent an additive basis of R. Remar 3. Note that the ring R is not necessariy ring-isomorphic to the product ring Z n1... Z nt since mutipication is defined differenty. However, if the basis representation satisfies { 1, i = j = c i,j, = 0, ese then such an isomorphism exists. Indeed, the basis representation of R essentiay corresponds to the canonica representation Z n1... Z nt. As a specia case, we obtain R = Z n by setting n 1 = n and t = 1. The size of this representation is bounded by O og R ) 3). Thus, choosing this representation for genera finite commutative rings might be of interest for cryptographic purposes. However, the integers n i which need to be nown are factors of the characteristic n. Hence, in the foowing we ony need to consider the case where a n i are equa to the characteristic n, since otherwise at east one of the n i is a non-trivia factor of n and thus the representation woud not hide the factorization of n. Theorem 4 formuates our reduction for this case. 14

15 Theorem 4. Let R = n 1,...,n t, c i,j, ) 1 i,j, t ) be a finite commutative unitary ring of characteristic n in basis representation such that n 1 = = n t = n. Let A be an agorithm for the BBRE probem that performs at most m R operations on R σ and soves the BBRE probem with probabiity ǫ. Then there is an agorithm B having white-box access to A that finds a factor of n with probabiity at east ǫ 1 n m + t + 2)m + t + 1) by running A once and performing an additiona amount of O m + t) 2) random choices and O mm + t) 2) operations on R as we as O m + t) 2) gcd computations on og 2 n)-bit integers. Proof. Let n = pe i i be the prime factor decomposition of n. Then according to Coroary 1 R can be decomposed into a direct product R 1... R of rings such that R i has characteristic p e i i for 1 i. Let φ i : R R i be the surjective homomorphisms projecting R to the i-th component R i. Then we can again setup a simuation game that is simiar to the one in the proofs of Theorems 1 and 3. In particuar, we get the we-nown reation ) Pr[F ] = 2 Pr [ a) = 0 R] 1 Pr [ a) = 0 R] a U R a U R 2 Pr a U R [ i, j : φ i a)) = 0 R i and φ j a)) 0 R j ] = 2 Pr[D ] It remains to show that the basis representation of an eement a) projecting to zero in a component R i and not to zero in a component R j indeed reveas a factor of n. Let r = r 1,...,r t ), where r i Z n, denote the basis representation of a). Then we have r 0,...,0). Furthermore, et I := {i φ i a)) 0 R i } and ρ := i I pe i i. The integer ρ is a mutipe of the characteristic of R i and thus we obtain φ i ρ a)) = 0 R i for each i I. Hence, ρ a) is equa to the zero eement in the ring R which woud ead to the basis representation ρr = ρr 1,...,ρr t ) 0,...,0) From that we can observe that each non-zero component r i must aready be a zero divisor in Z n and so computing gcdr i, n) yieds a factor. As before, our factoring agorithm B chooses a new random eement a R for each D and computes gcdr i, n), where r i is a non-zero component in the basis representation of a). 6 Extending our Reduction to Product Rings Our reduction naturay extends to product rings where at east one component ring is given in a representation aready covered by Theorem 3, or 4. Note that in the foowing theorem the integer n is not necessariy the characteristic of the product ring R. Theorem 5. Let R := R 1... R be the direct product of finitey many rings where R 1 = Z n [X 1,...,X t ]/J or R 1 = n 1,...,n t, c i,j, ) 1 i,j, t ). Let the integer n consist of at east two different prime factors, et n 1 = = n t = n, and et the idea J be given by a Gröbner basis 7) 15

16 G = {g 1,...,g s }. Let A be an agorithm for the BBRE probem that performs at most m R operations on R σ. Assume that A soves the BBRE probem with probabiity ǫ. Then there is an agorithm B having white-box access to A that finds a factor of n with probabiity at east ǫ 1 n m + t + 2)m + t + 1) by running A once and performing an additiona amount of O m + t) 2) random choices and O mm + t) 2) operations on R 1 as we as O m + t) 2 + s ) gcd computations on og 2 n)-bit integers where s = 0 if R 1 is not given in poynomia representation). Proof. Given σx) R σ where x = x 1,...,x ) is uniformy chosen from R = R 1... R the agorithm A finds x, i.e., a components x 1,...,x, with probabiity ǫ. Thus, given σx) it outputs an eement y 1,...,y ) such that y 1 = x 1 with probabiity at east ǫ. Furthermore, observe that choosing an eement x uniformy at random from R is equivaent to choosing each component x i uniformy at random from R i. Thus, informay speaing, A soves the BBRE probem over each component ring separatey. Hence, we can simpy appy the ideas from the proofs of Theorems 1, 3, and 4 to this case, namey to the component R 1. More precisey, we can just generaize the description of the origina and the simuation game to product rings which is a straightforward tas) except for one modification: instead of maing the computations in the simuation game independent of x, i.e., a components x 1,...,x, we mae them ony independent of the component x 1. That means, when determining encodings, the simuation orace O sim sti evauates poynomias over R 2,...,R with the given inputs x 2,...,x exacty as O does and ony chooses new random eements for evauating poynomias over R 1. In this way, ony the modification over R 1 can ead to a difference in the behavior of O sim and O and so we can define the event of a simuation faiure as before. The success probabiity of A in the simuation game is upper bounded by the probabiity that it outputs x 1 which is at most 1 n. The probabiity of a simuation faiure can be bounded exacty as before. Simiary, the factoring agorithm B runs A on some instance of the BBRE probem over R and records the sequence of queries. The corresponding difference poynomias can be seen as poynomias over R 1 and so B does the same steps as the factoring agorithms described in the previous proofs depending on the representation of R 1. Hence, we concude that we obtain the same reation between the success probabiity of A and B and the same number of additiona operations B performs as in the simpe cases. 7 Impications for Genera Rings In this section we ie to carify the impications of our resut to genera finite commutative rings with unity. Our reduction seems to appy to any representation of such a ring R that does not immediatey revea a factor of the characteristic of R and aows for efficient computations, as expained in the foowing. There are essentiay three ways to represent a finite commutative ring [AS05], namey the tabe representation, the basis representation, and the poynomia representation. Using the tabe representation for a ring R means to represent R by an addition and mutipication tabe which requires O R 2) space. Hence, considering ring sizes of cryptographic interest this type of representation can be immediatey excuded from the ist of possibe representations. We considered the basis representation of a ring in Section 5 and provided a reduction for a cases where the representation itsef does not immediatey ea a factor of the ring characteristic. 16

17 A reduction for rings in poynomia representation was given in Section 4. Unfortunatey, to mae our reduction wor for this representation the idea J must not be given by an arbitrary basis but a Gröbner basis. If we are given a basis other than a Gröbner, we theoreticay coud compute a Gröbner basis from this input using a variant of Buchberger s agorithm for Noetherian rings [AL94] or corresponding variants of Faugere s F4 [Fau99] and F5 [Fau02] agorithm). However, for Gröbner basis agorithms one sti does not now an upper bound on their running times even in the case when the coefficient space is a fied). The wor due to Mayr and Meier [MM82] impies that there are instances where constructing such a basis taes time in the order of 2 2Ot), where t is the number variabes. Thus, we cannot give the factoring agorithm described in our reduction an arbitrary basis of the idea J as input and et it first compute a Gröbner basis, since there are cases where this computation easiy exceeds the time needed to factor n directy using the GNFS. So the reduction woud be meaningess. Hence, our resut ony hods for famiies of rings in poynomia representation where a Gröbner basis for J is given or nown to be efficienty computabe. This is the bad news. The good news is that in order to be abe to perform equaity checs between ring eements in this representation efficienty which corresponds to soving instances of the idea membership probem there is currenty no other way than providing a Gröbner basis for the idea J. However, we note that apparenty there are rings where this representation does not aow for efficient computations e.g., because J cannot be efficienty represented by a Gröbner basis). Acnowedgments. We ie to than Roberto Avanzi, Lothar Gerritzen, and Gregor Leander for hepfu discussions as we as Danie Brown for pointing out an error in a previous version of the paper. References [AL94] Wiiam Adams and Phiippe Loustaunau. An introduction to Gröbner bases. Graduate Studies in Math. Vo. 3. Oxford University Press, [AS05] Manindra Agrawa and Nitin Saxena. Automorphisms of finite rings and appications to compexity of probems. In Voer Dieert and Bruno Durand, editors, 22nd Annua Symposium on Theoretica Aspects of Computer Science, STACS 2005, voume 3404 of Lecture Notes in Computer Science, pages Springer, [Bac84] Eric Bach. Discrete ogarithms and factoring. Technica Report UCB/CSD , EECS Department, University of Caifornia, Bereey, Jun [BL96] Dan Boneh and Richard J. Lipton. Agorithms for bac-box fieds and their appication to cryptography extended abstract). In Nea Kobitz, editor, Advances in Cryptoogy CRYPTO 96, 16th Annua Internationa Cryptoogy Conference, voume 1109 of Lecture Notes in Computer Science, pages Springer, [Buc65] Bruno Buchberger. Ein Agorithmus zum Auffinden der Basiseemente des Restassenringes nach einem nudimensionaen Poynomidea An Agorithm for Finding the Basis Eements in the Residue Cass Ring Moduo a Zero Dimensiona Poynomia Idea). PhD thesis, Mathematica Institute, University of Innsbruc, [db88] Austria, Engish transation in Journa of Symboic Computation, 2004). Bert den Boer. Diffie-Heman is as strong as discrete og for certain primes. In Shafi Godwasser, editor, Advances in Cryptoogy CRYPTO 88, 8th Annua Internationa Cryptoogy Conference, voume 403 of Lecture Notes in Computer Science, pages Springer, [EG85] Taher EGama. A pubic ey cryptosystem and a signature scheme based on discrete ogarithms. IEEE Transactions on Information Theory, 314): , [Fau99] Jean Chares Faugère. A new efficient agorithm for computing Gröbner bases F 4). Journa of Pure and Appied Agebra, ):61 88, [Fau02] Jean Chares Faugère. A new efficient agorithm for computing Gröbner bases without reduction to zero F 5). In Internationa Symposium on Symboic and Agebraic Computation ISSAC 2002, pages ACM, [Gri99] Pierre A. Griet. Agebra Pure and Appied Mathematics). John Wiey & Sons Inc.,