Factoring \(pq^2\) with Quadratic Forms: Nice Cryptanalyses

  • Guilhem Castagnos
  • Antoine Joux
  • Fabien Laguillaumie
  • Phong Q. Nguyen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5912)


We present a new algorithm based on binary quadratic forms to factor integers of the form \(N = pq^2\). Its heuristic running time is exponential in the general case, but becomes polynomial when special (arithmetic) hints are available, which is exactly the case for the so-called NICE family of public-key cryptosystems based on quadratic fields introduced in the late 90s. Such cryptosystems come in two flavours, depending on whether the quadratic field is imaginary or real. Our factoring algorithm yields a general key-recovery polynomial-time attack on NICE, which works for both versions: Castagnos and Laguillaumie recently obtained a total break of imaginary-NICE, but their attack could not apply to real-NICE. Our algorithm is rather different from classical factoring algorithms: it combines Lagrange’s reduction of quadratic forms with a provable variant of Coppersmith’s lattice-based root finding algorithm for homogeneous polynomials. It is very efficient given either of the following arithmetic hints: the public key of imaginary-NICE, which provides an alternative to the CL attack; or the knowledge that the regulator of the quadratic field \(\mathbb{Q}(\sqrt{p})\) is unusually small, just like in real-NICE.


Keywords: Public-key Cryptanalysis, Factorisation, Binary Quadratic Forms, Homogeneous Coppersmith’s Root Finding, Lattices



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Guilhem Castagnos (1)
  • Antoine Joux (2, 3)
  • Fabien Laguillaumie (4)
  • Phong Q. Nguyen (5)

  1. Institut de Mathématiques de Bordeaux, Université Bordeaux 1
  2. PRISM – Université de Versailles St-Quentin-en-Yvelines
  3. DGA
  4. GREYC – Université de Caen Basse-Normandie
  5. INRIA and ENS, France
