Interpolation of Functions Related to the Integer Factoring Problem

Transcription

1 Interpolation of Functions Related to the Integer Factoring Problem Clemens Adelmann 1 and Arne Winterhof 2 1 Institut für Analysis und Algebra, Technische Universität Braunschweig, Pockelsstraße 14, D Braunschweig, Germany. c.adelmann@tu-bs.de 2 Johann Radon Institute for Computational and Applied Mathematics, Altenberger Straße 69, A-4040 Linz, Austria. arne.winterhof@oeaw.ac.at Abstract. The security of the RSA public key cryptosystem depends on the intractability of the integer factoring problem. This paper shall give some theoretical support to the assumption of hardness of this number theoretic problem. We obtain lower bounds on degree, weight, and additive complexity of polynomials interpolating functions related to the integer factoring problem, including Euler s totient function, the divisor sum functions, Carmichael s function, and the RSA-function. These investigations are motivated by earlier results of the same flavour on the interpolation of discrete logarithm and Diffie-Hellman mapping. Keywords: polynomials, degree, weight, additive complexity, factoring problem, RSA-problem, Euler s totient function, divisor sum function, Carmichael s function. 1 Introduction Computationally difficult number theoretic problems like the discrete logarithm problem or the integer factoring problem play a fundamental role in public key cryptography. The Diffie-Hellman key exchange depends on the intractability of the discrete logarithm problem and the RSA cryptosystem is based on the hardness of the integer factoring problem (see e. g. [27, Chapter 3]). In the monograph [40] (or its predecessor [38]) and the series of papers [2 4, 8, 10, 14 26, 30 32, 37, 43 45] several results on discrete logarithm problem and Diffie-Hellman problem supporting the assumption of their hardness were proven. In particular, it was shown that there are no low degree or sparse interpolation polynomials of discrete logarithm and Diffie-Hellman mapping for a large set of given data. In the present paper we prove analog results for functions related to the integer factoring problem. We restrict ourselves to the case of factoring RSA-integers N = pq with two odd primes p < q.

2 2 Clemens Adelmann and Arne Winterhof In Section 3 we investigate real and integer interpolation polynomials of mappings allowing to factor N, including Euler s totient function Carmichael s function and divisor sum functions ϕ(pq) = (p 1)(q 1), λ(pq) = ϕ(pq) gcd(p 1, q 1), σ n (pq) = (p n + 1)(q n + 1) with a small positive integer n, and factoring functions ψ n,m (pq) = p n q m with small different nonnegative integers n and m. In Section 4 we prove a lower bound on degree and weight of an integer polynomial representing the RSA-function f(x) x d mod pq, x S, for a subset S of Z pq = {1 x < pq : gcd(x, pq) = 1} and some integer d with gcd(d, (p 1)(q 1)) = 1. We collect some auxiliary results on polynomials in the next section. 2 Preliminaries A proof of the following useful relation between the number of zeros and the degree of a multivariate polynomial, which extends the well-known relation for univariate polynomials, can be found in [11, Lemma 6.44.]. Lemma 1. Let D be an integral domain, n N, S D, and f D[X 1,..., X n ] be a polynomial of total degree d, with at least N zeros in S n. If f is not the zero polynomial, then we have d N S n 1. The additive complexity C ± (f) of a polynomial f(x) is the smallest number of + and signs necessary to write down this polynomial. In [33, 34] the number of different zeros of a real polynomial was estimated in terms of its additive complexity. Lemma 2. For a nonzero polynomial f(x) R[X] having N different real zeros we have ( ) 1/2 1 C ± (f) 5 log(n), where log(n) is the binary logarithm.

3 Interpolation of Functions Related to the Integer Factoring Problem 3 In [35, 36] the following improvement was obtained for integer polynomials. Lemma 3. For a nonzero polynomial f(x) Z[X] having N different rational zeros we have log(n) = O(C ± (f) log(c ± (f))). The weight w(f) of a polynomial f is the number of its nonzero coefficients. For polynomials over a finite field F q of q elements we have the following lower bound on the weight (see [40, Lemma 2.5]). Lemma 4. Let f(x) F q [X] be a nonzero polynomial of degree at most q 2 with N different zeros in F q. Then we have w(f) q 1 q 1 N. Obviously, for any univariate polynomial f we have C ± (f) w(f) 1 deg(f). 3 Interpolation of Factoring Functions For example, the knowledge of the value ϕ(n) = (p 1)(q 1) of Euler s totient function at an integer N = pq with unknown primes p and q is sufficient to determine p and q by solving the quadratic equation X 2 + (ϕ(n) N 1)X + N = 0. (1) In general, let g(x) and h(x) be (known) real rational functions, such that the product g(x)h(n/x) is not constant. Then from the knowledge of the values in N = pq of a function f with the property f(n) = g(p)h(q) = g(p)h(n/p) we can determine the unknown factors p and q of N by solving an algebraic equation which is derived from g(x)h(n/x) = f(n) (2) by clearing denominators and negative powers of X. If we could interpolate the function f by a polynomial of low degree or low additive complexity and the degree of the algebraic equation derived from (2) were small, then we could efficiently factorize N. Hence, it becomes important to prove lower bounds on degree and additive complexity of such interpolation polynomials. First we prove lower bounds on degree and additive complexity of a real polynomial with some special prescribed values.

4 4 Clemens Adelmann and Arne Winterhof Proposition 1. For M 3 let be a set of ordered reals, 0 < a 1 < a 2 <... < a M g : {a 1, a 2,..., a M 1 } R, h : {a 2, a 3,..., a M } R, real valued functions, and G the unique interpolation polynomial of g of degree at most M 2. Let f R[X] be a polynomial satisfying f(a i a j ) = g(a i )h(a j ), 1 i < j M. If there exist 1 i < j M 1 such that ( ) ai a j G h(a M ) g(a i )h(a j ) (3) a M then we have deg(f) M 1, C ± (f) ( ) 1/2 1 log(m 1) C ± (G) 1, 5 and if f(a M X) h(a M )G(X) Q[X] and a 1,..., a M 1 Q then we have ( ) log(m) C ± (f) + C ± (G) = Ω. log log(m) Proof. The polynomial F (X) = f(a M X) G(X)h(a M ) (4) is not identically zero by (3) and has zeros at a 1,..., a M 1. So we have max(deg(f), M 2) max(deg(f), deg(g)) deg(f ) M 1 by Lemma 1 and thus deg(f) M 1. By Lemma 2 and observing that C ± (F ) C ± (f) + C ± (G) + 1 we obtain our second assertion. The third assertion follows by Lemma 3 if we multiply (4) with the least common denominator of the coefficients of F. Condition (3) in Proposition 1 is necessary and natural. For example, if the given values are g(a i ) = h(a i ) = a n i, i = 1,..., M,

5 Interpolation of Functions Related to the Integer Factoring Problem 5 with M n + 2, they determine the interpolation polynomial f(x) = X n of degree n M 2 having additive complexity 0. However, the interpolation polynomial of g is G(X) = X n and we have ( ) ai a j G h(a M ) = a n i a n j = g(a i )h(a j ), 1 i < j M 1, a M contradicting (3). On the other hand, if g and h are polynomials of small degree with respect to M, then (3) being not valid implies that g(x)h(y ) = g(xy/a M )h(a M ) by Lemma 1. Hence, for each fixed curve Y = N/X the polynomial g(x)h(n/x) is constant and (2) cannot be used to determine the factorization of N. Proposition 1 provides lower bounds on degree and additive complexity of real polynomials f interpolating several well-known functions, as generalizations of Euler s totient function and generalized divisor sums ϕ n (pq) = (p n 1)(q n 1), n 0, (5) σ n (pq) = (p n + 1)(q n + 1), n 0, (6) but also factoring functions ψ n,m of the form ψ n,m (pq) = p n q m, n m, (7) where n and m are nonnegative integers and p and q are primes with p < q. Theorem 1. For M 3 let p 1 < p 2 <... < p M be a set of primes and F a function of the form (5), (6), or (7). Let f R[X] be a polynomial satisfying f(p i p j ) = F (p i p j ), 1 i < j M. Then we have and C ± (f) deg(f) M 1 ( ) 1/2 1 log (M 1) 2. 5 Proof. Since the functions (( a ) n ) h n (X) = 1 (X n 1), a > 0, n = 1, 2,..., X are decreasing for x > a we have for all 1 i < j < k M, (( pi p j p k ) n 1) (p n k 1) < (p n i 1)(p n j 1)

6 6 Clemens Adelmann and Arne Winterhof and (3) is satisfied in case of generalizations of Euler s totient function. Since h n (X) = are increasing for x > a we have (( pi p j (( a X ) n + 1 ) (X n + 1), a > 0, n = 1, 2,..., p k ) n + 1) (p n k + 1) > (p n i + 1)(p n j + 1) and (3) is satisfied in case of generalized divisor sums. Trivially, we have ( pi p j p k ) n p m k p n i p m j for all n m and (3) is satisfied in case of factoring functions. Now the Theorem follows by Proposition 1. Proposition 1 does not apply to the Carmichael function λ(n) = ϕ(n) gcd(p 1, q 1), N = pq, with two odd primes p q, which can also be used to factorize N. We first study how λ can be used to factor N. Proposition 2. Let N = pq be a product of two unknown odd primes p < q and put = N/λ(N). Then either = p or p and q are the solutions of the quadratic equation X 2 + ( λ(n) N 1)X + N = 0. Proof. Put g = gcd(p 1, q 1). Then we have N λ(n) 2g p 1 < g < N λ(n) 2g q 1. If g = p 1, then we have N/λ(N) = p + p/(q 1), such that = p. If g (p 1)/2, then the above inequalities give N/λ(N) 1 < g < N/λ(N) and thus = g. Hence in this case we have ϕ(n) = λ(n) and can determine p and q from the quadratic equation (1). Next we prove an analog of Theorem 1 for the Carmichael function. Let τ(x) denote the number of positive divisors of an integer x.

7 Interpolation of Functions Related to the Integer Factoring Problem 7 Theorem 2. For M 3 let p 1 < p 2 <... < p M be a set of primes and f R[X] be a polynomial satisfying f(p i p j ) = (p i 1)(p j 1) gcd(p i 1, p j 1), 1 i < j M. Put T = min 1 i M τ(p i 1). Then we have deg(f) M 1 T and ( ( )) 1/2 1 M 1 C ± (f) 5 log 2. T Proof. Choose 1 k M with τ(p k 1) = min τ(p i 1). 1 i M For each divisor d of p k 1 we define a polynomial F d (X) = f(p k X) (X 1)(p k 1). d Then each p i with 1 i M and i k is a zero of at least one F d. These polynomials are not identically zero. Otherwise, for three different primes p i, p j, p k, F d (p i p j /p k ) = 0 yields a monic quadratic equation in p k with constant term p i p j, and the only possible integral solutions p k have to be divisors of p i p j, which is impossible by assumption. Now the result follows analogously to the proof of Proposition 1 by the pigeon hole principle. Remark. The dependence of the result on T may indicate that factoring integers N = pq is easier if p 1 and q 1 are smooth which fits to the expected running time of Pollard s p 1 factoring algorithm. On the other hand the expected running time of the (in general faster) number field sieve does not depend on the factorization of p 1 and q 1. 4 Interpolation of the RSA-Function The RSA problem is the following: Given a positive integer N that is a product of two distinct odd primes p and q, a positive integer e such that gcd(e, (p 1)(q 1)) = 1, and an integer c, find an integer m such that m e c mod N. In other words, if d is an (unknown) integer with ed 1 mod (p 1)(q 1) then we have to evaluate the mapping f(x) = x d in c. The following result excludes the existence of very simple interpolation polynomials of this mapping in the case of low public exponent e.

8 8 Clemens Adelmann and Arne Winterhof Theorem 3. Let N = pq be the product of two odd primes with p < q. Choose integers d, e > 1 such that ed 1 mod (p 1)(q 1). Let S Z N be a set of size s 2. If f(x) = m i=0 a ix i Z[X] is a polynomial with degree m < (q 1)/e and gcd(a 0,..., a m, N) = 1 which satisfies f(x) x d mod N for all x S, then we have ( ) s deg(f) max e(p 1), s1/2 e and ( ) 1/e s w(f). (p 1)(q 1) s Proof. Put F (X) = f(x) e X. Since s 2 and e > 1 the interpolation polynomial f(x) is not constant and we have deg(f ) = e deg(f). For n 1 let Z n (F ) denote the number of different zeros of F mod n lying in Z n. We have Z pq (F ) = Z p (F )Z q (F ) by the Chinese Remainder Theorem. From our conditions on f we infer that deg(f ) < q 1. Thus s Z p (F )Z q (F ) (p 1)Z q (F ) (p 1) deg(f ) = e(p 1) deg(f). If s < (p 1) 2 then we may assume deg(f ) = e deg(f) < p 1 and get s Z p (F )Z q (F ) (deg(f )) 2 = (e deg(f)) 2. By Lemma 4 and the same arguments we get w(f ) q 1 q 1 Z q (F ) q 1 (p 1)(q 1) = q 1 s/(p 1) (p 1)(q 1) s, and the last statement is a consequence of w(f ) (w(f)) e + 1. If d is small then e has to be large and the lower bounds become very weak. In this case the attack of [42] for small d (see also [5, Section 3]) solves the RSAproblem. It should be also mentioned that for low public exponents e attacks on RSA are known [6, 7, 13]. 5 Some Related Results In [1] it was shown that if the discrete logarithm problem in Z N can be solved in polynomial time, then N can be factored in polynomial time, and the Diffie- Hellman problem in Z N is at least as difficult as the problem of factoring N. Most of the results on the discrete logarithm and the Diffie-Hellman mapping modulo a prime in [40] can be extended to composite moduli. Such results can also be regarded as complexity lower bounds on functions related to the factoring problem of the same flavour as in this paper.

9 Interpolation of Functions Related to the Integer Factoring Problem 9 The linear complexity of several sequences related to the factoring problem including RSA-generator, Blum-Blum-Shub-generator, and two prime generator was investigated in [4, 9, 12, 39]. Finally, we mention that an analog of Theorem 3 for the LUC cryptosystem can be easily proven, where instead of monomial X d Dickson polynomials are used (see [28, 29, 41]). Acknowledgments Parts of this paper were written during a visit of the first author to RICAM. He wishes to thank the Austrian Academy of Sciences for hospitality and financial support. The second author is supported by the Austrian Academy of Sciences and by the Austrian Science Fund (FWF) grant S8313. We wish to thank Tanja Lange for helpful discussions. References 1. E. Bach, Discrete logarithms and factoring, Report No. UCB/CSD , Computer Science Division (EECS), University of California, Berkeley, California, N. Brandstätter, T. Lange, and A. Winterhof, Interpolation of the discrete logarithm in finite fields of characteristic two by Boolean functions (Extended abstract), Workshop on Coding and Cryptography (WCC) 2005, N. Brandstätter and A. Winterhof, Approximation of the discrete logarithm in finite fields of even characteristic by real polynomials, Preprint N. Brandstätter and A. Winterhof, Some notes on the two-prime generator, IEEE Trans. Inform. Theory., to appear. 5. D. Boneh, Twenty years of attacks on the RSA cryptosystem, Notices Amer. Math. Soc. 46 (1999), D. Boneh and R. Venkatesan, Breaking RSA may not be equivalent to factoring (extended abstract), Advances in cryptology EUROCRYPT 98 (Espoo), Lecture Notes in Comput. Sci. 1403, Springer, Berlin, 1998, D. Coppersmith, Finding a small root of univariate modular equation, Advances in cryptology EUROCRYPT 96 (Saragossa, 1996), Lecture Notes in Comput. Sci. 1070, Springer, Berlin, 1996, ,. 8. D. Coppersmith and I. Shparlinski, On polynomial approximation of the discrete logarithm and the Diffie-Hellman mapping, J. Cryptology 13 (2000), C. Ding, Linear complexity of generalized cyclotomic binary sequences of order 2, Finite Fields Appl. 3 (1997), C. Ding and T. Helleseth, On cyclotomic generator of order r, Inform. Process. Lett. 66 (1998), J. von zur Gathen and J. Gerhard, Modern Computer Algebra, Cambridge University Press, New York, F. Griffin and I. Shparlinski, On the linear complexity profile of the power generator, IEEE Trans. Inform. Theory 46 (2000), J. Hastad, Solving simultaneous modular equations of low degree, SIAM J. Comput. 17 (1988),

10 10 Clemens Adelmann and Arne Winterhof 14. E. Kiltz and A. Winterhof, Lower bounds on weight and degree of bivariate polynomials related to the Diffie-Hellman mapping, Bull. Austral. Math. Soc. 69 (2004), E. Kiltz and A. Winterhof, Polynomial interpolation of cryptographic functions related to Diffie-Hellman and discrete logarithm problem, Discrete Appl. Math., to appear. 16. S. Konyagin, T. Lange, and I. Shparlinski, Linear complexity of the discrete logarithm, Des. Codes Cryptogr. 28 (2003), T. Lange and A. Winterhof, Polynomial interpolation of the elliptic curve and XTR discrete logarithm, Proceedings of the 8th Annual International Computing and Combinatorics Conference (COCOON 02) (Singapore, 2002), Springer, 2002, T. Lange and A. Winterhof, Incomplete character sums over finite fields and their application to the interpolation of the discrete logarithm by Boolean functions, Acta Arith. 101 (2002), T. Lange and A. Winterhof, Interpolation of the discrete logarithm in F q by Boolean functions and by polynomials in several variables modulo a divisor of q 1, International Workshop on Coding and Cryptography (WCC 2001) (Paris), Discrete Appl. Math. 128 (2003), T. Lange and A. Winterhof, Interpolation of the elliptic curve Diffie-Hellman mapping, Lecture Notes in Comput. Sci. 2643, Springer, Berlin, 2003, E. El Mahassni and I. Shparlinski, Polynomial representations of the Diffie-Hellman mapping, Bull. Austral. Math. Soc. 63 (2001), W. Meidl and A. Winterhof, Lower bounds on the linear complexity of the discrete logarithm in finite fields, IEEE Trans. Inform. Theory 47 (2001), W. Meidl and A. Winterhof, A polynomial representation of the Diffie-Hellman mapping, Appl. Algebra Engrg. Comm. Comput. 13 (2002), G.C. Meletiou, Explicit form for the discrete logarithm over the field GF(p, k), Arch. Math. (Brno) 29 (1993), G.C. Meletiou, Explicit form for the discrete logarithm over the field GF(p, k), Bul. Inst. Politeh. Iaşi. Secţ. I. Mat. Mec. Teor. Fiz. 41(45) (1995), G. Meletiou and G.L. Mullen, A note on discrete logarithms in finite fields, Appl. Algebra Engrg. Comm. Comput. 3 (1992), A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of applied cryptography. With a foreword by Ronald L. Rivest, CRC Press Series on Discrete Mathematics and its Applications, CRC Press, Boca Raton, FL, W.B. Müller and W. Nöbauer, Some remarks on public-key cryptosystems, Studia Sci. Math. Hungar. 16 (1981) W.B. Müller and R. Nöbauer, Cryptanalysis of the Dickson-scheme, Lecture Notes in Comput. Sci. 219 (1985) G.L. Mullen and D. White, A polynomial representation for logarithms in GF(q), Acta Arith. 47 (1986), H. Niederreiter, A short proof for explicit formulas for discrete logarithms in finite fields, Appl. Algebra Engrg. Comm. Comput. 1 (1990), H. Niederreiter and A. Winterhof, Incomplete character sums and polynomial interpolation of the discrete logarithm, Finite Fields Appl. 8 (2002), J.-J. Risler, Hovansky s theorem and complexity theory. Ordered fields and real algebraic geometry (Boulder, Colo., 1983), Rocky Mountain J. Math. 14 (1984), J.-J. Risler, Additive complexity and zeros of real polynomials, SIAM J. Comput. 14 (1985),

11 Interpolation of Functions Related to the Integer Factoring Problem J.M. Rojas, Additive complexity and p-adic roots of polynomials, Lecture Notes in Comput. Sci. 2369, Springer, Berlin, 2002, J.M. Rojas, Arithmetic multivariate Descartes rule, Amer. J. Math. 126 (2004), T. Satoh, On degrees of polynomial interpolations related to elliptic curve cryptography (Extended abstract), Workshop on Coding and Cryptography (WCC) 2005, I. Shparlinski, Number theoretic methods in cryptography. Complexity lower bounds, Progress in Computer Science and Applied Logic, 17, Birkhäuser, Basel, I. Shparlinski, On the linear complexity of the power generator, Des. Codes Cryptogr. 23 (2001), I. Shparlinski, Cryptographic applications of analytic number theory. Complexity lower bounds and pseudorandomness, Progress in Computer Science and Applied Logic, 22, Birkhäuser, Basel, P. Smith and M. Lennon, LUC: a new public key system, in: Proceedings of the Ninth IFIP Int. Symp. on Computer Security, North Holland, 1993, M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), A. Winterhof, A note on the interpolation of the Diffie-Hellman mapping, Bull. Austral. Math. Soc. 64 (2001), A. Winterhof, Polynomial interpolation of the discrete logarithm, Des. Codes Cryptogr. 25 (2002), A. Winterhof, A note on the linear complexity profile of the discrete logarithm in finite fields, Progress Comp. Sci. Appl. Logic 23 (2004),