Faster Algorithms for Approximate Common Divisors: Breaking Fully-Homomorphic-Encryption Challenges over the Integers

  • Yuanmi Chen
  • Phong Q. Nguyen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)


At EUROCRYPT ’10, van Dijk et al. presented simple fully-homomorphic encryption (FHE) schemes based on the hardness of approximate integer common divisor problems, which were introduced in 2001 by Howgrave-Graham. These problems come in two versions: the partial version (PACD) and the general version (GACD). The seemingly easier problem PACD was recently used by Coron et al. at CRYPTO ’11 to build a more efficient variant of the FHE scheme of van Dijk et al. We present a new PACD algorithm whose running time is essentially the “square root” of that of exhaustive search, which was previously the best attack in practice. This allows us to experimentally break the FHE challenges proposed by Coron et al. Our PACD algorithm directly gives rise to a new GACD algorithm, which is exponentially faster than exhaustive search. Interestingly, our main technique can also be applied to other settings, such as noisy factoring and attacking low-exponent RSA.
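The following is an added illustration, not code from the paper or its authors. The abstract gives no details of the algorithm; what the block implements is the standard way of turning the 2^ρ gcd computations of exhaustive search on a PACD instance (x0 = p·q0, x1 = p·q1 + r1 with 0 ≤ r1 < 2^ρ) into a single gcd: build f(X) = ∏_{i<m} (x1 − i − X) over Z/x0Z with m = 2^{ρ/2}, evaluate it at the m points j·m with a product tree and a remainder tree, multiply the values and take one gcd with x0. To my understanding this is the core of the “square root” technique the abstract summarises, but that attribution is mine. All instance parameters (p, q0, q1, ρ, r1) are constructed toy values, and the polynomial multiplication is naive quadratic, so the asymptotic gain is in the structure, not in this toy’s running time.

```python
from math import gcd

# Toy PACD instance, constructed for this example (parameters are far below
# any real FHE setting; the prime p and the noise r1 are the secrets).
P   = (1 << 61) - 1              # secret prime p (a Mersenne prime)
Q0  = (1 << 89) - 1              # large prime co-factor, so x0 has no small factors
Q1  = 123456789012345678901
RHO = 8                          # noise bound: r in [0, 2^RHO)
R1  = 183                        # secret noise on the second sample
X0  = P * Q0                     # exact multiple of p (the "partial" in PACD)
X1  = P * Q1 + R1                # noisy multiple of p


def exhaustive_pacd(x0, x1, rho):
    """Baseline attack: one gcd per noise candidate, 2^rho gcds in total."""
    for r in range(1 << rho):
        g = gcd(x0, x1 - r)
        if g > 1 << rho:         # skip spurious tiny common factors
            return g
    return None


# --- polynomial arithmetic over Z/nZ, coefficient lists low-to-high ----------

def poly_mul(a, b, n):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[i + j] = (out[i + j] + ai * bj) % n
    return out


def poly_rem(a, b, n):
    """a mod b; b must be monic, so no inverse modulo the composite n is needed."""
    a = list(a)
    db = len(b) - 1
    for i in range(len(a) - 1, db - 1, -1):
        c = a[i]
        if c:
            for j in range(db + 1):
                a[i - db + j] = (a[i - db + j] - c * b[j]) % n
    return a[:db] if db > 0 else [0]


def product_tree(leaves, n):
    """tree[0] = leaves, tree[k+1][i] = tree[k][2i] * tree[k][2i+1], tree[-1] = [product]."""
    tree = [leaves]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([poly_mul(lvl[i], lvl[i + 1], n) if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    return tree


def horner(f, a, n):
    """Plain evaluation, used only to cross-check the remainder tree."""
    acc = 0
    for c in reversed(f):
        acc = (acc * a + c) % n
    return acc


def multipoint_eval(f, points, n):
    """f(a_j) for all j via a remainder tree: reduce f mod prod(X - a_j), then
    split downwards; quasi-linear in len(points) with fast polynomial arithmetic."""
    tree = product_tree([[(-a) % n, 1] for a in points], n)      # leaves: X - a_j
    rems = [poly_rem(f, tree[-1][0], n)]
    for lvl in reversed(tree[:-1]):
        rems = [poly_rem(rems[i // 2], lvl[i], n) for i in range(len(lvl))]
    return [r[0] for r in rems]


def sqrt_pacd(x0, x1, rho):
    """Square-root attack: with m = 2^(rho/2), build
        f(X) = prod_{i<m} (x1 - i - X)  in (Z/x0Z)[X],
    so f(j*m) = prod over the j-th block of m noise candidates r of (x1 - r).
    The product of all f(j*m) covers every r in [0, 2^rho); the factor with
    r = r1 is 0 mod p, hence one gcd with x0 recovers p.  Only ~2^(rho/2)
    polynomial products and remainders are needed instead of 2^rho gcds."""
    assert rho % 2 == 0                                   # keeps the toy bookkeeping simple
    m = 1 << (rho // 2)
    leaves = [[(x1 - i) % x0, x0 - 1] for i in range(m)]  # (x1 - i) - X
    f = product_tree(leaves, x0)[-1][0]
    acc = 1
    for v in multipoint_eval(f, [j * m for j in range(m)], x0):
        acc = acc * v % x0
    return gcd(x0, acc)


if __name__ == "__main__":
    print("exhaustive recovers p:", exhaustive_pacd(X0, X1, RHO) == P)
    print("square-root recovers p:", sqrt_pacd(X0, X1, RHO) == P)
```

Everything stays in the ring Z/x0Z: reducing modulo x0 never changes a gcd with x0, and the only divisions are by monic polynomials, so no inverse modulo the composite x0 is ever needed. Replacing `poly_mul` with an FFT-based product (the paper's keywords point at exactly that machinery) is what turns the structure into a real square-root speed-up.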




  1. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. IEEE Transactions on Information Theory 46(4), 1339 (2000)
  2. Bostan, A., Gaudry, P., Schost, E.: Linear recurrences with polynomial coefficients and application to integer factorization and Cartier-Manin operator. SIAM Journal on Computing 36(6), 1777–1806 (2007)
  3. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. Cryptology ePrint Archive, Report 2011/344 (2011)
  4. Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better Lattice Security Estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)
  5. Chen, Y., Nguyen, P.Q.: Faster Algorithms for Approximate Common Divisors: Breaking Fully-Homomorphic-Encryption Challenges over the Integers. Cryptology ePrint Archive, Report 2011/436 (2011)
  6. Cohn, H., Heninger, N.: Approximate common divisors via lattices. Cryptology ePrint Archive, Report 2011/437 (2011)
  7. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)
  8. Coron, J.-S., Joux, A., Mandal, A., Naccache, D., Tibouchi, M.: Cryptanalysis of the RSA Subgroup Assumption from TCC 2005. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 147–155. Springer, Heidelberg (2011)
  9. Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully Homomorphic Encryption over the Integers with Shorter Public Keys. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011)
  10. Coron, J.-S., Naccache, D., Tibouchi, M.: Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. Cryptology ePrint Archive, Report 2011/440 (2011)
  11. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proc. STOC 2009, pp. 169–178. ACM (2009)
  12. Gentry, C., Halevi, S.: Public challenges for fully-homomorphic encryption. The implementation is described in [12] (2010)
  13. Gentry, C., Halevi, S.: Fully homomorphic encryption without squashing using depth-3 arithmetic circuits. Cryptology ePrint Archive, Report 2011/279 (2011)
  14. Gentry, C., Halevi, S.: Implementing Gentry’s Fully-Homomorphic Encryption Scheme. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 129–148. Springer, Heidelberg (2011)
  15. Groth, J.: Cryptography in Subgroups of Z_n^*. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 50–65. Springer, Heidelberg (2005)
  16. Harvey, D., Roche, D.S.: An in-place truncated Fourier transform and applications to polynomial multiplication. In: Proc. ISSAC 2010, pp. 325–329. ACM (2010)
  17. Howgrave-Graham, N.: Approximate Integer Common Divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001)
  18. Mateer, T.: Fast Fourier Transform Algorithms with Applications. PhD thesis, Clemson University (2008)
  19. May, A.: Using LLL-reduction for solving RSA and factorization problems: A survey. In: [21] (2010)
  20. Montgomery, P.L.: An FFT Extension of the Elliptic Curve Method of Factorization. PhD thesis, University of California Los Angeles (1992)
  21. Nguyen, P.Q.: Public-key cryptanalysis. In: Luengo, I. (ed.) Recent Trends in Cryptography. Contemporary Mathematics, vol. 477. AMS–RSME (2009)
  22. Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm: Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2010)
  23. Pollard, J.M.: Theorems on factorization and primality testing. Proc. Cambridge Philos. Soc. 76, 521–528 (1974)
  24. Qiao, G., Lam, K.-Y.: RSA Signature Algorithm for Microcontroller Implementation. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 353–356. Springer, Heidelberg (2000)
  25. Roche, D.S.: Space- and time-efficient polynomial multiplication. In: Proc. ISSAC 2009, pp. 295–302. ACM (2009)
  26. Shoup, V.: Number Theory C++ Library (NTL) version 5.4.1
  27. Stinson, D.R.: Some baby-step giant-step algorithms for the low Hamming weight discrete logarithm problem. Math. Comput. 71(237), 379–391 (2002)
  28. Strassen, V.: Einige Resultate über Berechnungskomplexität. Jber. Deutsch. Math.-Verein. 78(1), 1–8 (1976/1977)
  29. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully Homomorphic Encryption over the Integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
  30. von zur Gathen, J., Gerhard, J.: Modern Computer Algebra, 2nd edn. Cambridge University Press (2003)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Yuanmi Chen (1)
  • Phong Q. Nguyen (2)
  1. Dept. Informatique, ENS, Paris, France
  2. Institute for Advanced Study, INRIA, France and Tsinghua University, China
