From dawagner@tucson.princeton.edu Wed Nov 23 23:10:50 EST 1994 Article: 30625 of sci.crypt Newsgroups: sci.crypt Path: princeton!tucson.princeton.edu!dawagner From: dawagner@tucson.princeton.edu (David A. Wagner) Subject: Re: Secure Voice is Here NOW! Message-ID: <1994Nov24.040930.15509@Princeton.EDU> Originator: news@hedgehog.Princeton.EDU Sender: news@Princeton.EDU (USENET News System) Nntp-Posting-Host: tucson.princeton.edu Organization: Princeton University References: <3ag744$1f4@news1.delphi.com> <3amrig$pb4@news.umbc.edu> <1994Nov20.181245.21965@Princeton.EDU> <3as1m4$fri@news1.shell> Date: Thu, 24 Nov 1994 04:09:30 GMT Lines: 70 In article <3as1m4$fri@news1.shell>, Hal wrote: > dawagner@tucson.princeton.edu (David A. Wagner) writes: > > >We know |x - kq| < sqrt(q) for some k. Divide by n=pq to see > >|x/n - k/p| < 1/(p sqrt(q)). If p and q are approximately the > >same size, this means that |x/n - k/p| < O(p^(-3/2)). Note that > >x/n is known to the cryptanalyst. Also, the continued fractions > >expansion of x/n will generate all approximants a/b to x/n which > >have error at most O(1/b), since x/n is rational. Thus the > >continued fractions algorithm will generate k/p as one of its > >approximants. > > Without commenting on the rest of David's post, I don't think this > is necessarily true of continued fractions. > You're absolutely correct; I should've looked it up in a number theory textbook instead of relying on my memory. My bad. My notes from my number theory class say (yes, this time I actually checked! :-) that the continued fractions algorithm will only generate approximants a/b which have error at most c b^(-2) [NOT O(1/b) as I erroneously stated before]. Here c is a small positive constant -- something like 1/2 or 2/(1+sqrt(5)) or somesuch. I also took the time to code up a simulation using the GNU mp package. In fact, my proposed method does not succeed in factoring n given the pair (x,n) when p,q have approximately the same size. Hal's objections were correct. Thank you, Hal, for pointing out the flaw. Note that if q ~ p^2, then the error will be ~ 1 / p^2, so in this case, the continued fractions approach should succeed in factoring n. In fact, my simulations bear this out. On the other hand, everyone already knew that one should pick p,q to be approximately the same size, anyhow, so this "attack" is only of academic interest, and even then, only of interest to one particular academic: me! To go off on a tangent... Does anyone understand multiple approximation? Are there any algorithms analogous to continued fractions which solve the generalized multiple Diophantine approximation problem? For those who haven't been inducted into the jargon, I'll explain. The continued fractions algorithm finds a,b with |y - a/b| < c b^(-2) for some given y. The multiple approximation problem is to find a_1, ..., a_k, b such that |y_j - a_j/b| < c b^u for j=1,2,...,k for some given y_1, ..., y_k. [Here u = -(1 + 1/k).] Does anyone know if there are any efficient algorithms to solve the multiple approximation problem? Here's why I'm asking: suppose I have n, x_1, and x_2 such that n=pq is a RSA modulus and x_1, x_2 are within sqrt(q) of a multiple of q. Then note that |x_j/n - a_j/p| < c q^(-3/2) for j=1,2 if p,q are of approximately the same size; thus, if we can find all multiple Diophantine approximations, we should encounter p as denominator of one of the approximations. I think. Then again, maybe it's not worth wasting time on this approach if the amazing Don Coppersmith will show us how his attack works. :-) [Newsgroups trimmed; this has nothing to do with politics...] ------------------------------------------------------------------------------- David Wagner dawagner@princeton.edu