# How to Break Okamoto’s Cryptosystem by Reducing Lattice Bases

## Abstract

The security of several signature schemes and cryptosystems, essentially proposed by Okamoto, is based on the difficulty of solving polynomial equations or inequations modulo *n*. The encryption and the decryption of these schemes are very simple when the factorisation of the modulus, a large composite number, is known.

We show here that, for any odd *n*, we can solve quadratic equations modulo *n* in probabilistic polynomial time, even if the factorisation of *n* is hidden, provided we are given a sufficiently good approximation of the solutions. We thus deduce how to break Okamoto’s second degree cryptosystem, and in this way we extend Brickell’s and Shamir’s previous attacks.

Our main tool is lattices that we use after a linearisation of the problem, and the success of our method depends on the geometrical regularity of a particular kind of lattices.

Our paper is organized as follows:

First we recall the problems already posed and their partial solutions, and describe how our results solve extensions of these problems. We then introduce our main tool, lattices, and show how their geometrical properties fit in our subject. Finally, we deduce our results. These methods can be generalized to higher dimensions.

## IV. Bibliographic References

- [1] L. Babai: On Lovasz’s lattice reduction and the nearest lattice point problem, *Combinatorica* 6 (1986) pp 1–14.
- [2] E. Brickell, J. Delaurentis: An attack on a signature scheme proposed by Okamoto and Shiraishi, *Proc. of Crypto’85*, pp 10–14.
- [3] A. Frieze, J. Hastad, R. Kannan, J.C. Lagarias, A. Shamir: Reconstructing truncated variables satisfying linear congruences, to appear in *SIAM Journal of Computing*.
- [4] A.K. Lenstra, H.W. Lenstra, L. Lovasz: Factoring polynomials with integer coefficients, *Mathematische Annalen*, 261, (1982) pp 513–534.
- [5] T. Okamoto, A. Shiraishi: A fast signature scheme based on quadratic inequalities, *Proc. of the 1985 Symposium on Security and Privacy*, April 1985, Oakland, CA.
- [6] T. Okamoto: Fast public-key cryptosystem using congruent polynomial equations, *Electronics Letters*, 1986, 22, pp 581–582.
- [7] T. Okamoto: Modification of a public-key cryptosystem, *Electronics Letters*, 1987, 23, pp 814–815.
- [8] A. Shamir: Private communications to Okamoto, quoted in [7], August and October 1986.
- [9] B. Vallée, M. Girault, P. Toffin: How to guess *ℓ*-th roots modulo *n* by reducing lattices bases, preprint of Université de Caen, to appear in *Proceedings of First International Joint Conference of ISSAC-88 and AAECC-6* (July 88).