From dawagner@tucson.princeton.edu Fri Dec 2 23:38:45 EST 1994 Article: 30780 of sci.crypt Newsgroups: sci.crypt Path: princeton!tucson.princeton.edu!dawagner From: dawagner@tucson.princeton.edu (David A. Wagner) Subject: Factoring given a hint Message-ID: <1994Dec3.043528.5432@Princeton.EDU> Summary: Gotta love LLL basis reduction... Originator: news@hedgehog.Princeton.EDU Sender: news@Princeton.EDU (USENET News System) Nntp-Posting-Host: tucson.princeton.edu Organization: Princeton University Date: Sat, 3 Dec 1994 04:35:28 GMT Lines: 77 In email, Don Coppersmith succinctly summarized a problem that's recently been discussed here: You're trying to factor n=pq, and you're given a "hint" s = ap+b. You're given a bound on b. Can you use this information to factor n? Does it help to have several hints? [Here the variable a is chosen randomly from the uniform distribution on {0,1,...,q-1} and b is distributed uniformly over its range, but they are kept secret from the attacker.] Don Coppersmith mentioned in his email that he can factor n if b = O(n^{1/6}). By using multiple "hints", I think I can factor n given the bound b = O(n^c) for any fixed c < 1/2. I'm assuming that n is a RSA modulus, so p ~= q ~= n^{1/2}. [My post a while back was mistaken: I don't think that the continued fractions algorithm helps at all, unless b = O(1) or p >> q.] In the special case b = O(n^{1/4}), I need 5 hints. This means there is a ciphertext-only attack on David Colston's QPK scheme requiring 5 ciphertexts... [Yes, I know Don Coppersmith already demolished the QPK scheme by finding the message from only one known ciphertext, but maybe my post will be of independent interest.] Let me state one result from Lagarias, Crypto '83. Set S = (s_1/n, s_2/n, ..., s_m/n) A = (a_1, a_2, ..., a_m). Call A an "unusually good" simultaneous diophantine approximation to S if |q s_j/n - a_j| < n^{-d} for j=1,2,...,m for some fixed d > 1/m. Lagarias gives a theorem which says that if S has an "unusually good" diophantine approximation, the approximation is essentially unique, and can be found in polynomial time by the LLL basis reduction algorithm. The notation I've used should be suggestive. If we have the bound b = O(n^c) for some c < 1/2, then |q s_j/n - a_j| = |b_j/p| = O(n^{-d}) where d = 1/2 - c; so if d > 1/m, A will be an "unusually good" diophantine approximation to S, and we will be able to find A (thus finding p and factoring n) in polytime. Now observe that if m > 1/(1/2 - c), then we will have d > 1/m. Therefore if m > 1/(1/2 - c), m "hints" are enough to factor n. In the case of QPK, c = 1/4, so m = 5 should work fine. [Didn't Secure Voice also have the option to use your PGP private key with the QPK algorithm? I don't have the original posting here, but if so, I wouldn't let Secure Voice *near* my PGP private key...] I think this is just a simple application of a theorem stated in Lagarias's paper; but I'm *certainly* no expert on basis reduction, and I don't have any software that will let me test my approach. So I hope you'll correct me if my reasoning is flawed... ------------------------------------------------------------------------------- David Wagner dawagner@princeton.edu