
UCL Crypto Group Technical Report Series

Takagi/Naito's algorithm revisited


M. Joye, F. Koeune and J.-J. Quisquater


http://www.dice.ucl.ac.be/crypto/

Technical Report CG-1997/3


Place du Levant, 3 B-1348 Louvain-la-Neuve, Belgium Phone: (+32) 10 472541 Fax: (+32) 10 472598



M. Joye 1), F. Koeune 2) and J.-J. Quisquater 2)

March 29, 1997

1) Département de Mathématique (AGEL), Université catholique de Louvain, Chemin du Cyclotron, 2, B-1348 Louvain-la-Neuve, Belgium. E-mail: joye@agel.ucl.ac.be

2) Département d'Électricité (DICE), Université catholique de Louvain, Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium. E-mail: {fkoeune,jjq}@dice.ucl.ac.be

Abstract. Recently, Takagi and Naito extended the Håstad algorithm to the multivariate case. In this report, we simplify the proof of their theorem. We also significantly improve their bound.

1 Introduction
In [2], Håstad presented a way to solve a system of univariate modular polynomial equations. His method was based on the use of LLL to reduce a lattice of dimension $k + e + 1$, where $k$ is the number of equations and $e$ is the maximal degree of the polynomial equations. After publication, Rivest suggested a great simplification of the proof, reducing the lattice dimension to $e + 2$ and yielding a significant improvement of some bound (see below for more details). This improved version was published in [3].

Recently, Takagi and Naito [4] extended the initial Håstad algorithm to the multivariate case. We will show that the same improvement as Rivest suggested can be applied to the extended algorithm, resulting in the same proof simplification and bound improvement.

2 Notations
We consider a system of $k$ modular polynomial equations of degree $e$ with $l$ variables given by

$$\sum_{j_1,j_2,\ldots,j_l=0}^{j_1+j_2+\cdots+j_l\le e} a_{i,j_1,\ldots,j_l}\, x_1^{j_1} x_2^{j_2} \cdots x_l^{j_l} \equiv 0 \pmod{n_i} \quad \text{for } i = 1, 2, \ldots, k \tag{1}$$


© 1997 by UCL Crypto Group. For more information, see http://www.dice.ucl.ac.be/crypto/techreports.html



where $x_1, \ldots, x_l < n$ and $n = \min n_i$. We suppose that the moduli $n_i$ are coprime and that $\gcd\big(\langle a_{i,j_1,j_2,\ldots,j_l}\rangle_{j_1+j_2+\cdots+j_l=0}^{j_1+j_2+\cdots+j_l\le e},\, n_i\big) = 1$ for all $1 \le i \le k$. Let $g$ be the (max.) number of different terms and let $f$ be the (max.) sum of the degrees in $x_1, x_2, \ldots, x_l$ through all of the different terms. One can easily show that

f=

m=1

m+l m

and g =

m=0

l+m m

3 Improvement
The theorem we are going to prove is the following.

Theorem 1. Let $N = \prod_{i=1}^{k} n_i$. If $N > n^f\, 2^{g(g+1)/4}\, g^g$, then we can get in polynomial time a real-valued equation which is equivalent to (1).

Remarks. 1) This bound has to be compared with Takagi's bound, i.e.

$$N > n^f\, (k+g)^{\frac{k+g}{2}}\, 2^{\frac{(k+g)^2}{2}}\, g^g.$$

2) Theorem 1 includes the improved Håstad attack as a special case by reducing the number of variables to one.

Our proof will be based on the following simple lemma.

Lemma 2. The polynomial modular equation

$$\sum_{j_1,j_2,\ldots,j_l=0}^{j_1+j_2+\cdots+j_l\le e} c_{j_1,j_2,\ldots,j_l}\, x_1^{j_1} x_2^{j_2} \cdots x_l^{j_l} \equiv 0 \pmod{N} \tag{2}$$

is equivalent to its real-valued corresponding if

$$|c_{j_1,j_2,\ldots,j_l}| \le \frac{N}{g\, n^{j_1+j_2+\cdots+j_l}} \qquad (\forall j_1, j_2, \ldots, j_l). \tag{3}$$

Proof. Since $x_1, x_2, \ldots, x_l < n$, we have

$$\left|\sum_{j_1,j_2,\ldots,j_l=0}^{j_1+j_2+\cdots+j_l\le e} c_{j_1,j_2,\ldots,j_l}\, x_1^{j_1} x_2^{j_2} \cdots x_l^{j_l}\right| < \sum_{j_1,j_2,\ldots,j_l=0}^{j_1+j_2+\cdots+j_l\le e} |c_{j_1,j_2,\ldots,j_l}|\, n^{j_1+\cdots+j_l} \le \sum_{j_1,j_2,\ldots,j_l=0}^{j_1+j_2+\cdots+j_l\le e} \frac{N}{g} = N.$$

Therefore, we can simply consider Eq. (2) as a real-valued equation. □

Proof (Theorem 1). Let $u_j = \delta_{ij} \pmod{n_i}$, where $\delta_{ij}$ is Kronecker's delta. Using the Chinese remainder theorem, we obtain

$$\sum_{j_1,j_2,\ldots,j_l=0}^{j_1+j_2+\cdots+j_l\le e} \sum_{i=1}^{k} a_{i,j_1,j_2,\ldots,j_l}\, u_i\, x_1^{j_1} x_2^{j_2} \cdots x_l^{j_l} = \sum_{j_1,j_2,\ldots,j_l=0}^{j_1+j_2+\cdots+j_l\le e} c_{j_1,j_2,\ldots,j_l}\, x_1^{j_1} x_2^{j_2} \cdots x_l^{j_l} \equiv 0 \pmod{N}, \tag{4}$$

which is equivalent to Eq. (1). The idea is to multiply Eq. (4) by a constant factor in order to meet the conditions of Lemma 2. Therefore, we will consider a lattice $L$ whose basis is given by

$$\begin{aligned}
\vec b_1 &= (c_{0,\ldots,0},\ n c_{0,\ldots,0,1},\ n c_{0,\ldots,0,1,0},\ \ldots,\ n^{j_1+j_2+\cdots+j_l} c_{j_1,j_2,\ldots,j_l},\ \ldots,\ n^e c_{e,0,\ldots,0},\ 1/g)\\
\vec b_2 &= (N,\ 0,\ 0,\ \ldots,\ 0,\ \ldots,\ 0,\ 0)\\
\vec b_3 &= (0,\ nN,\ 0,\ \ldots,\ 0,\ \ldots,\ 0,\ 0)\\
\vec b_4 &= (0,\ 0,\ nN,\ \ldots,\ 0,\ \ldots,\ 0,\ 0)\\
&\ \ \vdots\\
\vec b_{i+1} &= (0,\ 0,\ 0,\ \ldots,\ n^{j_1+j_2+\cdots+j_l} N,\ \ldots,\ 0,\ 0)\\
&\ \ \vdots\\
\vec b_{g+1} &= (0,\ 0,\ 0,\ \ldots,\ 0,\ \ldots,\ n^e N,\ 0)
\end{aligned}$$

A vector of this lattice is of the form $\vec V = S\vec b_1 + \sum_{i=1}^{g} s_i \vec b_{i+1}$. Its $i$th coordinate is given by

$$V_i = n^{j_1+\cdots+j_l}\,(S c_{j_1,\ldots,j_l} + s_i N).$$

Suppose that we find a vector $\vec V$ such that $\|\vec V\| < N/g$; then $|V_i| < N/g$. So,

$$\left|\frac{V_i}{n^{j_1+\cdots+j_l}}\right| = \left|\frac{V_i}{n^{j_1+\cdots+j_l}} \bmod N\right| = |S c_{j_1,\ldots,j_l} \bmod N| < \frac{N}{g\, n^{j_1+\cdots+j_l}}, \quad \text{for all } j_1, \ldots, j_l.^{\dagger}$$

† If $a = b \bmod N$, then $a$ is the unique integer congruent to $b$ modulo $N$ such that $-\lceil N/2 \rceil + 1 \le a \le \lfloor N/2 \rfloor$.

All we have to do is thus to find a sufficiently small vector $\vec V$. As proved in [1, pp. 84-85], we can, using the LLL algorithm, find within polynomial time a vector $\vec V$ such that

$$\|\vec V\| \le 2^{g/4} (\det L)^{1/(g+1)}.$$

Therefore, LLL will provide us the required vector $\vec V$ if

$$2^{g/4} \left(\frac{N^g n^f}{g}\right)^{1/(g+1)} < \frac{N}{g} \iff 2^{g(g+1)/4}\, g^g\, n^f < N. \qquad \square$$
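The construction of this proof, run end to end for the univariate special case of Remark 2 ($l = 1$, $e = 2$, so the terms are $1, x, x^2$ and $g = 3$, $f = 3$), as an added example that is not code from the report. The moduli, coefficients and planted root are constructed sample values chosen so that $N > 2^{3} \cdot 3^{3} \cdot n^{3}$; the names `lll`, `recover_root`, `POLYS`, `MODULI` and `X0` are chosen here, and the basis is multiplied by $g$ so that all entries are integers.

```python
from fractions import Fraction
from math import isqrt, prod

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lll(B, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors, exact rational arithmetic."""
    B, k = [row[:] for row in B], 1
    while k < len(B):
        for j in range(k - 1, -1, -1):  # size-reduce row k
            q = round(gram_schmidt(B)[1][k][j])
            B[k] = [x - q * y for x, y in zip(B[k], B[j])]
        Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            B[k - 1], B[k] = B[k], B[k - 1]
            k = max(k - 1, 1)
    return B

def recover_root(polys, moduli):
    """polys[i] = (a0, a1, a2) with a0 + a1*x + a2*x^2 = 0 (mod moduli[i]), 0 <= x < min(moduli)."""
    N, n, g = prod(moduli), min(moduli), 3  # l = 1, e = 2: terms 1, x, x^2
    u = [(N // m) * pow(N // m, -1, m) for m in moduli]  # CRT weights u_i
    c = [sum(p[j] * ui for p, ui in zip(polys, u)) % N for j in range(g)]  # Eq. (4)
    # Basis from the proof, scaled by g so the last entry 1/g becomes the integer 1.
    basis = [[g * n**j * c[j] for j in range(g)] + [1]]
    basis += [[g * n**j * N * (t == j) for t in range(g)] + [0] for j in range(g)]
    V = lll(basis)[0]  # short vector: norm < N when N > 2^(g(g+1)/4) g^g n^f
    d0, d1, d2 = (V[j] // (g * n**j) for j in range(g))  # S*c_j + s_j*N
    r = isqrt(max(d1 * d1 - 4 * d2 * d0, 0))  # d0 + d1*x + d2*x^2 = 0 over the integers
    cands = [Fraction(-d1 + s * r, 2 * d2) for s in (1, -1)] if d2 else [Fraction(-d0, d1)]
    ok = lambda x: all((a0 + a1 * x + a2 * x * x) % m == 0 for (a0, a1, a2), m in zip(polys, moduli))
    return sorted({int(x) for x in cands if x.denominator == 1 and 0 <= x < n and ok(int(x))})

# Constructed sample (not from the report): planted root X0 and four prime moduli.
X0 = 123456789
MODULI = [998244353, 1000000007, 1000000009, 2147483647]
POLYS = [((-(7 * i + 5) * X0 - (i + 3) * X0**2) % m, 7 * i + 5, i + 3) for i, m in enumerate(MODULI)]
```

`recover_root(POLYS, MODULI)` returns the planted root without ever solving a congruence: the reduced vector yields integer coefficients whose ordinary quadratic equation has that root.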

References
[1] Henri Cohen, A course in computational algebraic number theory, Graduate Texts in Mathematics, vol. 138, Springer-Verlag, 1993.

[2] Johan Håstad, On using RSA with low exponent in a public key network, Advances in Cryptology – Crypto '85 (H. C. Williams, ed.), Lecture Notes in Computer Science, vol. 218, Springer-Verlag, 1986, pp. 404–408.

[3] Johan Håstad, Solving simultaneous modular equations of low degree, SIAM J. Comput. 17 (1988), no. 2, 336–341.

[4] Tsuyoshi Takagi and Shozo Naito, The multi-variable modular polynomial and its applications to cryptography, 7th International Symposium on Algorithm and Computation, ISAAC'96, Lecture Notes in Computer Science, vol. 1178, Springer-Verlag, 1996, pp. 386–396.
