# How to guess ℓ-th roots modulo *n* by reducing lattice bases

## Abstract

In numerous problems of computational number theory, there often arise polynomial equations or inequations modulo a number *n*. When *n* is a power of a prime number, polynomial-time algorithms, either deterministic or probabilistic, allow one to solve these problems. The same is true, via the Chinese remainder theorem, when the factorisation of *n* is known. A natural and important question is the following one: *Is the task of solving polynomial equations or inequations modulo n as difficult as the factorisation of n?*

We show here that, even if the factorisation of *n* is unknown, we can solve in polynomial probabilistic time polynomial inequations or polynomial equations modulo *n* provided we are given a sufficiently good initial approximation of a solution.

Our main tool is lattices that we use after a linearisation of the problem; we study a particular kind of lattice, which generalize that of Frieze et al, and the solution of our problem relies on the geometrical regularity of these lattices.

Our results are both algorithmical and structural:

On the one hand, we exhibit an algorithm, based on lattice reduction ideas, which reconstructs truncated roots of polynomials, and we extend here some previous results, only obtained in the linear case by Frieze et al. This algorithm has numerous practical applications, since the security of many cryptographic schemes is based on the difficulty of solving polynomial equations or inequations modulo *n*. We first deduce that it is easy to break higher-degree versions of Okamoto's recent cryptosystem and we extend, in this way, previous attacks of Brickell and Shamir. We also obtain new results about the predictability of the RSA pseudo-random generator.

On the other hand, we establish, for any ℓ, new theoretical results about the comparative distribution of ℓ-th powers and their ℓ-th roots, and we can prove, in the case ℓ=2, a very natural property about this distribution. These results can be seen as extensions, in a slightly different way, of a previous theorem of Blum.

## Preview

Unable to display preview. Download preview PDF.

## 5. Bibliographic References

- [1]L. Babai: On Lovasz's lattice reduction and the nearest lattice point problem,
*Combinatorica*6, pp 1–14.Google Scholar - [2]M. Blum: How to exchange (secret) keys,
*ACM transactions on Computer systems*, 1, 2, may 83, pp 175–193.Google Scholar - [3]E. Brickell, J. Delaurentis: An attack on a signature scheme proposed by Okamoto and Shiraishi,
*Proc of Crypto'85*, pp 1–4.Google Scholar - [4]A. Frieze, J. Hastad, R. Kannan, J.C. Lagarias, A. Shamir: Reconstructing truncated variables satisfying linear congruences, to appear in
*SIAM Journal of Computing*Google Scholar - [5]A.K. Lenstra, H.W. Lenstra, L. Lovasz: Factoring polynomials with integer coefficients,
*Mathematische Annalen*, 261, (1982) pp 513–534Google Scholar - [6]T. Okamoto, A. Shiraishi: A fast signature scheme based on quadratic inequalities,
*Proc of the 1985 Symposium on Security and Privacy*, April 1985, Oakland, CA.Google Scholar - [7]T. Okamoto: Fast public-key cryptosystem using congruent polynomial equations,
*Electronics Letters*, 1986, 22, pp 581–582.Google Scholar - [8]T. Okamoto: Modification of a public-key cryptosystem,
*Electronics Letters*, 1987, 23, pp 814–815.Google Scholar - [9]A. Shamir: Private communications to Okamoto, August and October 1986, (quoted in Okamoto [8]).Google Scholar
- [10]B. Vallée, M. Girault, Ph. Toffin: How to break Okamoto's cryptosystems by reducing lattice bases,
*Proceedings of Eurocrypt'87*, Lecture notes in Computer Science.Google Scholar - [11]B. Vallée: Quasi-uniform algorithms for finding small quadratic residues and application to integer factorisation, or Factorisation entière par génération quasi-uniforme de petits résidus quadratiques, preprints of Département de Mathématiques de l'Université de Caen.Google Scholar