Factoring $pq^2$ with Quadratic Forms: Nice Cryptanalyses

We present a new algorithm based on binary quadratic forms to factor integers of the form $N = pq^2$. Its heuristic running time is exponential in the general case, but becomes polynomial when special (arithmetic) hints are available, which is exactly the case for the so-called NICE family of public-key cryptosystems based on quadratic fields introduced in the late 90s. Such cryptosystems come in two flavours, depending on whether the quadratic field is imaginary or real. Our factoring algorithm yields a general key-recovery polynomial-time attack on NICE, which works for both versions: Castagnos and Laguillaumie recently obtained a total break of imaginary-NICE, but their attack could not apply to real-NICE. Our algorithm is rather different from classical factoring algorithms: it combines Lagrange's reduction of quadratic forms with a provable variant of Coppersmith's lattice-based root finding algorithm for homogeneous polynomials. It is very efficient given either of the following arithmetic hints: the public key of imaginary-NICE, which provides an alternative to the CL attack; or the knowledge that the regulator of the quadratic field $\mathbb{Q}(\sqrt{p})$ is unusually small, just like in real-NICE.
