Abstract
Recently, Gomez et al. [6] presented algorithms to recover a decomposition of an integer \(N=rA^2+sB^2\), where N, r, s are positive integers and A, B are the unknowns to be recovered. Their first algorithm recovers the two addends by directly applying Coppersmith's rigorous bivariate integer method when the error bounds of the given approximations to A and B are less than \(N^{\frac{1}{6}}\). By combining this with the linearization technique, they improved the theoretical bound to \(N^{\frac{1}{4}}\). In this paper, we heuristically reach the bound \(N^{\frac{1}{4}}\), with experimental support, by transforming the integer polynomial used in their first algorithm into a modular one. We then describe a better heuristic algorithm: under the same error bounds, the dimension of the lattice involved in this improved method is much smaller.
References
Aono, Y.: A new lattice construction for partial key exposure attack for RSA. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 34–53. Springer, Heidelberg (2009)
Bauer, A., Vergnaud, D., Zapalowicz, J.-C.: Inferring sequences produced by nonlinear pseudorandom number generators using Coppersmith’s methods. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 609–626. Springer, Heidelberg (2012)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
Gomez, D., Gutierrez, J., Ibeas, A.: Attacking the pollard generator. IEEE Trans. Inf. Theor. 52(12), 5518–5523 (2006)
Gutierrez, J., Ibeas, Á., Joux, A.: Recovering a sum of two squares decomposition. J. Symb. Comput. 64, 16–21 (2014)
Hardy, K., Muskat, J.B., Williams, K.S.: A deterministic algorithm for solving \(n = fu^2 + gv^2\) in coprime integers \(u\) and \(v\). J. Math. Comput. 55, 327–343 (1990)
Herrmann, M.: Improved cryptanalysis of the multi-prime \(\phi\)-hiding assumption. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 92–99. Springer, Heidelberg (2011)
Herrmann, M., May, A.: Attacking power generators using unravelled linearization: when do we output too much? In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 487–504. Springer, Heidelberg (2009)
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
Coron, J.-S.: Finding small roots of bivariate integer polynomial equations revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 492–505. Springer, Heidelberg (2004)
Kakvi, S.A., Kiltz, E., May, A.: Certifying RSA. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 404–414. Springer, Heidelberg (2012)
Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)
Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under chosen-plaintext attack. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 295–313. Springer, Heidelberg (2010)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
May, A.: Using LLL-reduction for solving RSA and factorization problems. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm: Survey and Applications. ISC, pp. 315–348. Springer, Heidelberg (2010)
Sarkar, S.: Reduction in lossiness of RSA trapdoor permutation. In: Bogdanov, A., Sanadhya, S. (eds.) SPACE 2012. LNCS, vol. 7644, pp. 144–152. Springer, Heidelberg (2012)
Sarkar, S., Maitra, S.: Cryptanalysis of RSA with two decryption exponents. Inf. Process. Lett. 110, 178–181 (2010)
Tosu, K., Kunihiro, N.: Optimal bounds for multi-prime \(\phi \)-hiding assumption. In: Mu, Y., Seberry, J., Susilo, W. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 1–14. Springer, Heidelberg (2012)
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
Acknowledgements
The authors would like to thank anonymous reviewers for their helpful comments and suggestions. The work of this paper was partially supported by National Natural Science Foundation of China (No. 61170289) and the National Key Basic Research Program of China (2013CB834203).
Appendices
A Analysis for Remark 2
In this part, we give the details showing that when Eq. (3) is treated as a non-constant modular polynomial (4), the corresponding error bound is \(N^{1/6}\).
First, we describe the technique for finding the small roots of \(f_2(x,y)=rx^2+sy^2+2A_0rx+2B_0sy \equiv 0 \pmod{N-rA_0^2-sB_0^2}.\) Set \(M=N-rA_0^2-sB_0^2\) as the modulus. The shifting polynomials for this equation can be constructed as
Suppose \(|x|\le X=N^{\delta },|y|\le Y=N^{\delta }\); then \(M\approx N^{\frac{1}{2}+\delta }\). Similarly, the coefficients of \(g^1(xX,yY),g^2(xX,yY)\) can be arranged as a lower triangular lattice \(\mathcal {L}_1\), whose determinant is easily calculated as \(\det(\mathcal {L}_1)=X^{S_X}Y^{S_Y}M^{S_M}\), where
Substituting these values into the inequality \(\det(\mathcal {L}_1)\le M^{m\omega }\), we obtain \(\delta \le \frac{1}{6},\) which means that the error bound derived by this method is
a poorer bound than \(N^{\frac{1}{4}}\). The experimental results in Table 5 show that this method works much better in practice than the theoretical analysis predicts, although it is still weaker than the result in Sect. 3.2.
B Analysis for Remark 3
Notice that the problem of finding coordinates for vector \(\mathbf {e}-\mathbf {f}\) can also be transformed into solving a non-constant modular equation
Set \(M=|N-2rA_0f_1-2sB_0f_2-rf_1^2-sf_2^2-rA_0^2-sB_0^2|\) as the modulus. Then the problem reduces to solving
Here we assume that \(q'(x,y)\) is a monic irreducible polynomial; this can be ensured by multiplying through by the appropriate modular inverse. We apply Coppersmith's method to solve this polynomial. The shifting polynomials can be constructed as
From the previous analysis, we know that \(|x|,|y|\le \varDelta ^{3/2}N^{-1/4}=X=Y\) and \(M\approx \varDelta ^{2}\). Similarly, the coefficients of \(g^1(xX,yY),g^2(xX,yY)\) and \(g^3(xX,yY)\) can be arranged as a lower triangular lattice \(\mathcal {L}_2\), whose determinant is easily calculated as \(\det(\mathcal {L}_2)=X^{S_X}Y^{S_Y}M^{S_M}\), where
Substituting these values into the inequality \(\det(\mathcal {L}_2)\le M^{m\omega }\), we obtain the corresponding error bound
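As an added worked derivation (not part of the paper itself), the moduli of Appendix A and Appendix B both arise from substituting the approximations into \(N=rA^2+sB^2\); the reading \(A=A_0+f_1+x\), \(B=B_0+f_2+y\) for the coordinates of \(\mathbf {e}-\mathbf {f}\) in Appendix B is an assumption made here.

For Appendix A, write \(A=A_0+x\), \(B=B_0+y\) with \(|x|,|y|\le N^{\delta }\). Expanding gives
\[
N = r(A_0+x)^2 + s(B_0+y)^2 = rA_0^2 + sB_0^2 + \underbrace{rx^2 + sy^2 + 2A_0rx + 2B_0sy}_{f_2(x,y)},
\]
so \(f_2(x,y) = N - rA_0^2 - sB_0^2 = M\) holds exactly at the wanted root, and in particular \(f_2(x,y)\equiv 0 \pmod M\). Since \(A_0,B_0\approx N^{1/2}\) (treating r, s as constants) and \(\delta <\tfrac12\), the linear terms dominate the quadratic ones, which explains the size of the modulus:
\[
|M| = |2A_0rx + 2B_0sy + rx^2 + sy^2| \approx N^{\frac{1}{2}+\delta }.
\]

For Appendix B, the same substitution with the refined approximation \((A_0+f_1,\,B_0+f_2)\) gives
\[
N - r(A_0+f_1)^2 - s(B_0+f_2)^2 = rx^2 + sy^2 + 2r(A_0+f_1)x + 2s(B_0+f_2)y,
\]
and expanding the left-hand side yields \(N-2rA_0f_1-2sB_0f_2-rf_1^2-sf_2^2-rA_0^2-sB_0^2\), whose absolute value is exactly the modulus M of Appendix B. The right-hand side is a non-constant polynomial in \((x,y)\) with no constant term; multiplying it by the inverse of its leading coefficient modulo M gives the monic polynomial that the appendix calls \(q'(x,y)\) (this identification is assumed here), whose small root \((x,y)=\mathbf {e}-\mathbf {f}\) is what Coppersmith's method recovers.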
© 2016 Springer International Publishing Switzerland
Zhang, X. et al. (2016). Recovering a Sum of Two Squares Decomposition Revisited. In: Lin, D., Wang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2015. Lecture Notes in Computer Science(), vol 9589. Springer, Cham. https://doi.org/10.1007/978-3-319-38898-4_11
DOI: https://doi.org/10.1007/978-3-319-38898-4_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-38897-7
Online ISBN: 978-3-319-38898-4