Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits

  • Mathias Herrmann
  • Alexander May
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5350)


We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is factorization of N with given bits of p. It is well-known that this problem is polynomial-time solvable if at most half of the bits of p are unknown and if the unknown bits are located in one consecutive block. We introduce a heuristic algorithm that extends factoring with known bits to an arbitrary number n of blocks. Surprisingly, we are able to show that ln(2) ≈ 70% of the bits are sufficient for any n in order to find the factorization. The algorithm's running time is, however, exponential in the parameter n. Thus, our algorithm is polynomial time only for \(n = {\mathcal O}(\log\log N)\) blocks.


Keywords: Lattices, small roots, factoring with known bits



Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Mathias Herrmann (1)
  • Alexander May (1)
  1. Horst Görtz Institute for IT-Security, Faculty of Mathematics, Ruhr-Universität Bochum, Germany
