Approximate Integer Common Divisors

We show that recent results of Coppersmith, Boneh, Durfee and Howgrave-Graham actually apply in the more general setting of (partially) approximate common divisors. This leads us to consider the question of "fully" approximate common divisors, i.e. where both integers are only known by approximations. We explain the lattice techniques in both the partial and general cases. As an application of the partial approximate common divisor algorithm we show that a cryptosystem proposed by Okamoto actually leaks the private information directly from the public information in polynomial time. In contrast to the partial setting, our technique with respect to the general setting can only be considered heuristic, since we encounter the same "proof of algebraic independence" problem as a subset of the above authors have in previous papers. This problem is generally considered a (hard) problem in lattice theory, since in our case, as in previous cases, the method still works extremely reliably in practice; indeed no counterexamples have been obtained. The results in both the partial and general settings are far stronger than might be supposed from a continued-fraction standpoint (the way in which the problems were attacked in the past), and the determinant calculations admit a reasonably neat analysis.
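The partial approximate common divisor setting the abstract refers to is: an integer a = p*q0 is known exactly, a second integer b = p*q1 + r is known only up to a small error r with |r| <= X, and the goal is to recover p. The following is an added example, not code from the paper: it builds the standard Coppersmith/Howgrave-Graham shift-polynomial lattice for f(x) = b - x (which vanishes modulo p at x = r), reduces it with a small from-scratch LLL over exact rationals, and reads r and then p = gcd(b - r, a) off the shortest vector. The instance values (P_SECRET, Q0, Q1, R_SECRET, X_BOUND) are constructed for the demonstration, the lattice shape and the parameters m, t are my choices and need not match the paper's own construction, and with these sizes the LLL approximation bound already guarantees the first reduced vector satisfies the Howgrave-Graham norm condition, so the recovery here is provable rather than heuristic.

```python
# Added example (not the paper's code): partial approximate common divisor
# recovery from a = p*q0 (exact) and b = p*q1 + r (|r| <= X) via a small
# Coppersmith/Howgrave-Graham lattice and a textbook LLL with exact fractions.
# All numeric values are constructed; the lattice shape is the standard one for
# a degree-1 polynomial with an unknown divisor p of a (assumption, not the paper's).
from fractions import Fraction
from math import gcd

# Constructed instance: p is a 40-bit divisor (need not be prime), q0 is odd and
# q1 = q0 + 2 so gcd(q0, q1) = 1; r is the small unknown error with |r| <= X.
P_SECRET = 2**40 - 87
Q0 = 987654321987
Q1 = Q0 + 2
R_SECRET = -3571
X_BOUND = 2**12                    # public bound on |r|
A_PUB = P_SECRET * Q0              # known exact multiple of p
B_PUB = P_SECRET * Q1 + R_SECRET   # known approximate multiple of p


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors with exact rational Gram-Schmidt."""
    rows = [list(row) for row in basis]
    n = len(rows)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in rows[i]]
            mu[i][i] = Fraction(1)
            for j in range(i):
                mu[i][j] = dot(rows[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * bj for vi, bj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                rows[k] = [x - q * y for x, y in zip(rows[k], rows[j])]
                for idx in range(j + 1):          # b*_k is unchanged, only mu shifts
                    mu[k][idx] -= q * mu[j][idx]
        lhs = dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:                            # Lovasz condition holds
            k += 1
        else:
            rows[k - 1], rows[k] = rows[k], rows[k - 1]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return rows


def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] += pi * qj
    return out


def poly_pow(p, e):
    out = [1]
    for _ in range(e):
        out = poly_mul(out, p)
    return out


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):       # Horner's rule; coeffs[k] is the x^k term
        acc = acc * x + c
    return acc


def build_lattice(a, b, bound, m, t):
    """Rows: coefficient vectors of g(x*X) for the shift polynomials
    a^(m-j) f(x)^j (j = 0..m) and x^i f(x)^m (i = 1..t), with f(x) = b - x.
    Each g has g(r) = 0 mod p^m, hence so does every integer combination."""
    f = [b, -1]
    n = m + t + 1
    polys = [[c * a ** (m - j) for c in poly_pow(f, j)] for j in range(m + 1)]
    fm = poly_pow(f, m)
    polys += [[0] * i + fm for i in range(1, t + 1)]
    return [[(g[k] if k < len(g) else 0) * bound ** k for k in range(n)] for g in polys]


def recover_divisor(a, b, bound, m=2, t=2):
    """Return (p, r) with p | a, p | (b - r) and |r| <= bound, or None."""
    for row in lll(build_lattice(a, b, bound, m, t)):
        # Undo the x -> x*X scaling; every entry is an exact multiple of X^k.
        coeffs = [row[k] // bound ** k for k in range(len(row))]
        # A row short enough for the Howgrave-Graham lemma vanishes at r over the
        # integers, so its integer roots in [-X, X] are the candidates for r.
        for x in range(-bound, bound + 1):
            if poly_eval(coeffs, x) == 0:
                d = gcd(b - x, a)
                if 1 < d < a:
                    return d, x
    return None


if __name__ == "__main__":
    print(recover_divisor(A_PUB, B_PUB, X_BOUND))   # -> (P_SECRET, R_SECRET)
```

The determinant of this lattice is a^3 * X^10 for m = t = 2, so with a of about 80 bits and p of about 40 bits the reduced first vector has norm well below p^2 / sqrt(5) for X = 2^12; this is exactly the kind of determinant calculation the abstract alludes to, and it explains why the error bound obtained this way is far larger than what a continued-fraction approach to the same instance would tolerate.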
