Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits

We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is the factorization of N given some bits of p. It is well known that this problem is solvable in polynomial time if at most half of the bits of p are unknown and the unknown bits are located in one consecutive block. We introduce a heuristic algorithm that extends factoring with known bits to an arbitrary number n of blocks. Surprisingly, we are able to show that ln(2) ≈ 70% of the bits are sufficient for any n in order to find the factorization. The algorithm's running time is, however, exponential in the parameter n. Thus, our algorithm is polynomial time only for $n = {\mathcal O}(\log\log N)$ blocks.
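The set-up the abstract describes, as an added example that is not code from the paper: it turns a known-bit mask for p into the linear equation whose root modulo p is the tuple of unknown blocks, and reports the block count n and known-bit fraction against the ln(2) figure. The function names, the mask convention (bit set = known) and the toy primes are assumptions; the block only builds and checks the equation and contains no lattice step.

```python
import math

def unknown_blocks(known_mask, bits):
    """Maximal runs of unknown bits (mask bit 0) as (shift, width) pairs."""
    blocks, i = [], 0
    while i < bits:
        if (known_mask >> i) & 1:
            i += 1
            continue
        start = i
        while i < bits and not (known_mask >> i) & 1:
            i += 1
        blocks.append((start, i - start))
    return blocks

def linear_equation(p_known, known_mask, bits):
    """f(x1..xn) = a0 + sum(2^shift_i * x_i) is 0 mod p at the unknown blocks.
    Returns a0, the coefficients 2^shift_i, and the bounds 2^width_i on x_i."""
    blocks = unknown_blocks(known_mask, bits)
    a0 = p_known & known_mask          # unknown positions forced to zero
    return a0, [1 << s for s, _ in blocks], [1 << w for _, w in blocks]

def evaluate(a0, coeffs, xs):
    return a0 + sum(c * x for c, x in zip(coeffs, xs))

def divisor_from(n, value):
    """A value that vanishes modulo p shares the factor p with N."""
    return math.gcd(n, value)

def exposure(known_mask, bits):
    """(number of blocks n, fraction of bits known, fraction >= ln 2)."""
    blocks = unknown_blocks(known_mask, bits)
    frac = 1 - sum(w for _, w in blocks) / bits
    return len(blocks), frac, frac >= math.log(2)

# Constructed toy values (assumption): 16-bit p, two unknown 2-bit blocks.
P, Q, BITS = 65521, 65537, 16
N = P * Q
MASK = 0xF9CF                          # bits 4-5 and 9-10 are unknown
A0, COEFFS, BOUNDS = linear_equation(P & MASK, MASK, BITS)
# Ground truth, used here only to confirm the equation is set up correctly.
ROOT = [(P >> s) & ((1 << w) - 1) for s, w in unknown_blocks(MASK, BITS)]

if __name__ == "__main__":
    print("blocks:", unknown_blocks(MASK, BITS), "exposure:", exposure(MASK, BITS))
    print("f(root) mod p:", evaluate(A0, COEFFS, ROOT) % P)
```
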
