On Efficiently Calculating Small Solutions of Systems of Polynomial ...

On Efficiently Calculating Small Solutionsof Systems of Polynomial EquationsLattice-Based Methods and Applications to CryptographyDissertationzur Erlangung des Doktorgradesder Naturwissenschaftender Fakultät für Mathematikder Ruhr-Universität Bochumvorgelegt vonDipl.-Math. Maike RitzenhofenJanuar 2010

2Reviewer:Prof. Dr. Alexander May (Ruhr-University of Bochum)Prof. Dr. Hans Ulrich Simon (Ruhr-University of Bochum)

Contents1 Introduction 52 Mathematical Background 112.1 General Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112.2 Algebraic Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.3 Lattices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Solving Systems of Modular Univariate Polynomial Equations 413.1 Solving Systems of Modular Univariate Polynomial Equations with a CommonModulus (SMUPE1) . . . . . . . . . . . . . . . . . . . . . . . . . . . 423.2 Solving Systems of Modular Univariate Polynomial Equations with CoprimeModuli (SMUPE2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453.2.1 Optimality of Our Bound for Solving SMUPE2 . . . . . . . . . . . 483.2.2 An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 Basic Approaches for Solving Systems of Multivariate Polynomial Equations514.1 RSA with Related Messages and Implicit Relations . . . . . . . . . . . . . 524.2 The Problem of Implicit Factoring with Shared Least Significant Bits . . . 544.2.1 Implicit Factoring of Two RSA Moduli . . . . . . . . . . . . . . . . 554.2.2 Implicit Factoring of k RSA Moduli . . . . . . . . . . . . . . . . . . 584.2.3 Implicit Factoring of Balanced RSA Moduli . . . . . . . . . . . . . 594.2.4 A Counting Argument that Supports our Assumptions . . . . . . . 624.2.5 Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624.3 The Problem of Implicit Factoring with Shared Most Significant Bits . . . 644.4 Some General Criteria for Solving Systems of Multivariate Polynomial Equationsvia Shortest Vector Problems . . . . . . . . . . . . . . . . . . . . . . 665 Solving Systems of Multivariate Polynomial Equations with Coppersmith’sMethod 735.1 Coppersmith’s Algorithm with Systems of Equations . . . . . . . . . . . . 735.2 Systems of Equations with a Common Modulus . . . . . . . . . . . . . . . 835.2.1 RSA with Related Messages and Implicit Relations . . . . . . . . . 853

4 CONTENTS5.2.2 RSA with Random Paddings . . . . . . . . . . . . . . . . . . . . . . 955.3 Systems of Equations with Coprime Moduli . . . . . . . . . . . . . . . . . 1045.3.1 Solving SMUPE2 via Systems . . . . . . . . . . . . . . . . . . . . . 1065.4 General Systems of Modular Equations . . . . . . . . . . . . . . . . . . . . 1146 Solving Systems of Multivariate Polynomial Equations over the Integers1176.1 Analyzing the Problem of Implicit Factoring . . . . . . . . . . . . . . . . . 1206.1.1 The Case of One Equation . . . . . . . . . . . . . . . . . . . . . . . 1226.1.2 The Case of More than One Equation . . . . . . . . . . . . . . . . . 1376.2 Open Problems and Future Work . . . . . . . . . . . . . . . . . . . . . . . 152Bibliography 155

Chapter 1IntroductionCryptology is an old science, its roots reaching back to the ancient Romans and Greeks.It can be divided into two branches, cryptography and cryptanalysis. Whereas the maininterest of cryptographers is to design new cryptosystems, cryptanalysts try to break them.The developments of both directions of cryptology are, of course, strongly related. Thedevelopment of a new cryptosystem offers new problems to attack, and a newly developedattack leads to the need to develop new cryptosystems.At its inception, cryptography stood mainly for enciphering and deciphering. One assumeda cryptosystem to be secure as long as no attack was known. In the cause of time, requirementsconcerning cryptosystems emerged. Different types of security models were defined,and one tried to prove the security of a cryptosystem on certain assumptions.Until 1976, there was only one type of cryptosystem known as symmetric cryptosystems.In a symmetric cryptosystem two communication partners, say Alice and Bob, have a commonsecret k. We call k the key. Using k and an encryption function E, Alice encryptsa message m as c := E k (m) and sends c to Bob. Bob obtains the message by using adecryption function D and computing m = D k (c). For a symmetric encryption scheme towork correctly, it has to verify m = D k (E k (m)). A third party, Eve, eavesdropping on thecommunication should find it difficult to obtain the message m or even useful informationon m from c without knowing the key k.A second type of cryptosystem known as asymmetric cryptosystems was introduced byWhitfield Diffie and Martin Hellman in 1976 [DH76]. They proposed a method of communicatingprivately without having to share a secret key beforehand. That is, they developeda way to exchange keys via an insecure channel.The development of the Diffie-Hellman key exchange protocol encouraged the developmentof asymmetric cryptosystems in the following years. The principle of an asymmetric cryptosystemworks as follows: In contrast to symmetric systems, only the receiver Bob hasto keep a secret sk. We call sk the secret key. Based on the secret key, Bob constructs apublic key pk. This key is published in a way that it is guaranteed that this public keybelongs to Bob. The key pk may be seen by anybody. When Alice wants to send a message5

6 CHAPTER 1. INTRODUCTIONto Bob, she takes Bob’s public key pk, encrypts the message as c := E pk (m) and sends cto Bob. Then Bob decrypts the message as m = D sk (c). Thus, he needs his secret key torecover m. As in symmetric cryptography, for an asymmetric encryption scheme to workcorrectly, it has to verify m = D sk (E pk (m)). The tuple (pk,sk) should form a pair of correspondingpublic and private keys. Furthermore, for a third party, Eve, eavesdropping onthe communication, it should be difficult to obtain the message m from c without knowingthe secret key sk.One of the main asymmetric cryptosystems was developed by Ron Rivest, Adi Shamir andLeonard Adleman in 1977 [RSA78]. It is still one of the most widely used asymmetriccryptosystems today.It works on the following principle. Bob chooses two large primes p and q of equal bitsizeand defines the value N := pq. Furthermore, he chooses e ∈ Z N such that e andϕ(N) = (p − 1) (q − 1) are coprime. Then he calculates d such that ed ≡ 1 (mod ϕ(N)).Subsequently, Bob publishes (N,e) as his public key and keeps (N,d) as his private key.The encryption function is defined as E e (m) := m e (mod N) for m ∈ Z N . The decryptionfunction is defined as D d (c) := c d (mod N). As ed ≡ 1 (mod ϕ(N)) the computationverifies D d (E e (m)) ≡ (m e ) d ≡ m (mod N). We denote the variant defined here by plainRSA. For security reasons, it is modified for practical use, e. g. by padding the message.The standard of RSA encryption is given in [RSA].The security of cryptosystems is proven on the assumption that an underlying problem isdifficult. In the case of RSA the underlying number theoretic problem is the so called RSAproblem: Let N = pq be the product of two large primes p and q, and let e be a positiveinteger such that gcd(e,ϕ(N)) = 1. Then given N, e and an element x, the challenge is todetermine the unique element y ∈ Z N such that y e ≡ x (mod N).The RSA problem is assumed to be difficult to solve. That is, we assume that there is noefficient algorithm that solves the problem. Indications for this are given by Ivan Damgårdand Maciej Koprowski [DK02]. They show that solving the RSA problem with genericgroup algorithms is intractable in groups of unknown order. However, the model they useis quite restrictive as it only allows for the use of multiplications.The problem of factoring is closely related to the RSA problem and is defined as follows:Let N = pq be the product of two large primes p and q. Given N, the challenge isto determine its factors p and q.So far, we have defined the problem of factoring only with respect to moduli which areproducts of two primes. We call these moduli RSA moduli. One can generalize the definitionto include arbitrary composite integers.It is easy to see that the difficulty of the RSA problem implies the difficulty of factoring.That is to say, if we can factor an RSA modulus N, we can use p and q to compute ϕ(N)and then d. Calculating x d then gives us the required element y. The opposite, however, isnot clear. Partial results are known in restricted models. On the one hand, Dan Boneh andRamarathnam Venkatesan [BV98] as well as Antoine Joux, David Naccache and Emmanuel

Thomé [JNT07] provide evidence against the equivalence of breaking the RSA problem andfactoring, whereas Daniel Brown [Bro06], Gregor Leander and Andy Rupp [LR06] as wellas Divesh Aggarwal and Ueli Maurer [AM09] give arguments in favor of the equivalence.The models used in any of the works are restrictive as the proofs are given with respectto straight line programs ([BV98, Bro06]) or generic ring algorithms ([LR06, AM09]).In [JNT07] the attacker is given additional sub exponential access to an oracle determininge-th roots of integers of the form x + c. Moreover, the works of [BV98, Bro06, LR06] onlyconsider a special version of the RSA problem with low exponents.There are, thus, two possible ways of attacking the RSA problem. One can either attackthe problem directly or attack the factorization problem. Hence, let us have a more detailedlook at the difficulty of the problem of factoring. On the one hand, Peter Shor’s algorithmfrom 1994 [Sho94] demonstrates that the factorization problem is polynomial time solvableon quantum Turing machines. On the other hand, it seems to be highly unclear whetherthese machines can ever be realized in practice. Furthermore, on classical Turing machinesonly super polynomial algorithms are known, the Quadratic Sieve [Pom84], the EllipticCurve Method [Len87] and eventually the Number Field Sieve [LHWL93].A different line of research to analyze the difficulty of factoring is an oracle-based approach.It was first studied at Eurocrypt 1985 by Ron Rivest and Adi Shamir [RS85], who showedthat N = pq can be factored given an oracle that provides an attacker with bits of one ofthe prime factors. The task is to factor in polynomial time by putting as few queries aspossible to the oracle. Ron Rivest and Adi Shamir showed that 2 log p queries suffice in3order to factor efficiently.At Eurocrypt 1992, Ueli Maurer [Mau92] allowed for an oracle that is able to answer anytype of questions by YES/NO answers. Using this powerful oracle, he showed that ǫ log poracle queries are sufficient for any ǫ > 0 in order to factor efficiently. This algorithm, however,is probabilistic. At Eurocrypt 1996, Don Coppersmith [Cop96a] in turn improved theRivest-Shamir oracle complexity to 1 log p queries. Don Coppersmith used this result to2break the Vanstone-Zuccherato ID-based cryptosystem [VZ95] that leaks half of the mostsignificant bits of one prime factor.In what follows we will further pursue this goal and try to attack RSA by either attackinginstances of the problem itself or by attacking instances of the factorization problem.Therefore, we transform a problem into a polynomial equation or a set of polynomialequations. Then we calculate the solutions or conditions on which the solutions can bedetermined. The main techniques we use to do so are based on lattices. A lattice is adiscrete Abelian subgroup of Z k .We use a given set of equations to define a lattice which contains the values we are searchingfor. If these values fulfill certain properties, e. g. correspond to a small basis vector,we can apply methods to analyze a lattice to determine our target values. We concentrateon a special method introduced by Don Coppersmith in 1996 to find small solutions of asingle equation [Cop96b, Cop96a] and analyze on which conditions we can generalize hisapproach to systems of equations. Hence, the main goal of this thesis is twofold. On the7

8 CHAPTER 1. INTRODUCTIONone hand we would like to apply lattice-based methods and attack special instances ofproblems related to RSA and factoring. On the other hand, we would like to improve thetheoretical knowledge of how to solve systems of multivariate equations with lattice-basedtechniques.We will now present the organization of the thesis in more detail.In Chapter 2 we give the mathematical background. It comprises three sections. Section 2.1deals with the notation and basic linear algebra. In Section 2.2 multivariate polynomialrings are introduced. Furthermore, some algebraic techniques to solve systems of multivariateequations are presented. In Section 2.3 we define lattices and show how they canbe used to determine solutions of a multivariate polynomial equation.Chapter 3 deals with modular univariate systems of equations. Systems of equations withone common modulus have already been analyzed in [CFPR96]. It is shown that in mostcases solutions of such systems can be determined efficiently with algebraic methods. Systemswith mutually coprime moduli have been analyzed by Johan Håstad in [Hås88]. As amain result we improve on the bound obtained using Johan Håstad’s approach combinedwith the techniques presented by Don Coppersmith. That is, we present a method to solvesystems of modular univariate equations with coprime moduli. The result is obtaineddue to special polynomial modeling. By this, we can determine larger solutions than onecould determine with the previously known methods. We obtain the following result. LetN 1 ,...,N k be mutually coprime moduli. For i = 1,...,k let f i (x) ≡ 0 (mod N i ) be anequation of degree δ i . Then we can determine all solutions x 0 such that |x 0 | ≤ X andf i (x 0 ) ≡ 0 (mod N i ) for all i = 1,...,k efficiently if X ≤ ∏ δN ii . This implies that anysolution can be determined if ∑ k 1i=1 δ i≥ 1.Moreover, we give an argument why the new bound is optimal for general systems by givingan example of a system for which the bound cannot be improved.A result with respect to our second goal, namely that of attacking specific problems, isthat we can apply the general technique to an RSA broadcast scenario. A passive attackercan determine a message m sent to k different users with coprime moduli N i and publickeys (N i ,e i ), i = 1,...,k if ∑ k 1i=1 e i≥ 1.The results presented in this chapter are joint work with Alexander May and publishedin [MR08].In the following chapters we deal with general multivariate systems of equations.In Chapter 4 we treat modular systems of equations with a common modulus. Their solutionsare determined by solving a shortest vector problem in a suitable lattice. As a maincontribution we introduce and analyze the problem of implicit factoring. This problem fitsinto the framework of oracle-based factoring. For a given composite number N 0 = p 0 q 0with q 0 being an α-bit prime, our target is to compute p 0 and q 0 . During the attack weare allowed to query an oracle which on each query answers with another RSA modulusN i = p i q i such that q i again is an α bit prime and p i and p 0 share t least significant bits.We show that with k oracle queries we can heuristically factor all the N i on condition that1

t ≥ k+1 α. In case of only one oracle query, the method is provable on the slightly strongerkconstraint that t > 2 (α + 1).This result is joint work with Alexander May and published in [MR09]. To our knowledge,it is the first result which shows that only implicit information is sufficient in order tofactor efficiently. This implies that already a weak form of an oracle is in itself sufficient toachieve a polynomial time factorization process. This gives further insight into the complexityof the underlying factorization problem.Chapter 5 divides into two parts. The contribution of Section 5.1 is of rather theoretical nature.We try to generalize the algorithm of Don Coppersmith to systems of equations. Wedenote this algorithm by Coppersmith’s algorithm. However, in the process of a straightforwardgeneralization of Coppersmith’s algorithm problems occur. One basic step in theoriginal algorithm is the construction of a sublattice with the same determinant as theoriginal one. This step does not necessarily work with a general system. Therefore, as amain result, we introduce the new notion of being determinant preserving and state anecessary and sufficient condition of this. This contributes to the theoretical understandingof Coppersmith’s algorithm.In the following two sections we apply the theoretical results to modular systems of polynomialequations and give examples of this. Section 5.2 deals with systems of equationswith one common modulus. We show how the necessary and sufficient conditions apply tosuch systems of equations. Subsequently, we use these observations with respect to RSAwith related messages and implicit relations as well as with respect to RSA with randompaddings.In RSA with related messages a set of k secret messages m 1 ,...,m k is encrypted with anRSA public key (N,e). That is, we get k encryptions c i ≡ m e i (mod N). Furthermore, wehave some implicit polynomial relation p(m 1 ,...,m k ) ≡ 0 (mod N). In this context, weapply the generalization of Coppersmith’s algorithm to equations in independent variables.If one considers only the condition on the size of the variables we get in this way, one couldhope to be able to determine more solutions than with a separate analysis of the equations.This, however, is not the case. We prove the equivalence of both approaches. This resultis quite plausible. However, we do not know of any proof of this in the literature publishedin this subject.Furthermore, we develop a general strategy on how to apply the generalization of Coppersmith’salgorithm to specific systems of independent equations with additional equationsproviding relations between the unknowns. Unfortunately, the construction is not generic.The problem of RSA with random paddings is defined as follows. For a user’s publickey (N,e) with N some n-bit number, a message m of α < n bits is encryptedas c i ≡ (2 α+τ v i + 2 τ m + w i ) e (mod N) for a random τ-bit number w i and a random(n − α − τ)-bit number v i and i = 1,...,k. The value k ∈ N denotes the number ofdifferent encryptions. The message m as well as the values v i and w i are secret and notknown to any attacker. Given two encryptions with different paddings, the message canbe determined by combining techniques presented in [Jut98, Cop96b, CFPR96].Usually, additional information obtained from additional encryptions enables us to de-9

Chapter 2Mathematical Background2.1 General NotationWe start by introducing the notation which we will use in the following chapters. Let Nbe the set of positive integers, N 0 := N ∪ {0} and Z be the ring of integers. For N ∈ N letZ N denote the ring Z/NZ. If p ∈ N is prime, let F p denote the field with p elements. Aring is denoted by R, and we implicitly assume R to be a commutative unit ring.Moreover, we implicitly assume all logarithms to be binary and denote them by log.Bold upper case letters denote matrices whereas bold lower case letters denote row vectors.Column vectors are given as the transposed of row vectors, namely, for a row vector v thecorresponding column vector is v T . The ordinary inner product of two vectors v and w isdenoted by (v,w).A set of l vectors v 1 ,...,v l is called linearly independent in some ring R iff the onlyR-linear combination of these vectors adding up to the zero vector is the zero linear combination.If a set of vectors is not linearly independent, it is called linearly dependent.For s,t ∈ N the matrix 0 s×t describes the s × t zero matrix. For any positive integer n then × n identity matrix is given by I n . The i-th unit vector is called e i .For a vector v the value (v) i denotes the i-th entry of v. For a matrix M the value (M) ijdenotes the entry in the i-th row and in the j-th column. Note that these values areelements of R. The value M i,· is the i-th row vector and M·,j the j-th column vector of M.By M −i,·, we denote the matrix constructed from M by deleting the i-th row. Analogously,M·,−j is constructed by deleting the j-th column of M and M −i,−j by deleting the i-th rowand the j-th column.Given a matrix M ∈ Z s×t , a row vector r ∈ Z 1×(t+1) and a column vector c T ∈ Z (s+1)×111

12 CHAPTER 2. MATHEMATICAL BACKGROUNDand two indices i, j such that (r) j = (c) i , let M +i(r),+j(c) T be the matrix⎛M +i(r),+j(c) :=⎜⎝⎞(M) 11 · · · (M) 1(j−1) (c) 1 (M) 1j · · · (M) 1t.. . ..(M) (i−1)1 · · · (M) (i−1)(j−1) (c) i−1 (M) (i−1)j · · · (M) (i−1)t(r) 1 · · · (r) j−1 (r) j (r) j+1 · · · (r) t+1.(M) i1 · · · (M) i(j−1) (c) i+1 (M) ij · · · (M) it⎟.. . .. ⎠(M) s1 · · · (M) s(j−1) (c) s+1 (M) sj · · · (M) stThat is, we get the new matrix by inserting r as i-th row and c T as j-th column into M.The matrices defined by inserting only a row vector r ∈ Z 1×t or a column vector c T ∈ Z s×1are denoted by M +i(r),· and M·,+j(c) respectively.Apart from these general operations on matrices, we will need some special matricesand their properties. Therefore, we will quote some theorems here. For more detailsregard [SW99].Let P always denote a permutation matrix, that is, in each row/column of P there isexactly one component of value one, whereas all other components are zero.Let A := A(x,a,b) be the matrix such that AM describes the matrix derived from M byaddition of x times row b to row a in M. The addition of x times column b to column a inM is then done by multiplying M with A from the right. Matrices of this form are calledelementary matrices.Let P (ij) be the permutation matrix which represents swapping the i-th and j-th row of amatrix M when multiplied to it from the left. Remark thatP (ij) = A(1,j,i)A(−1,i,j)A(1,j,i)D j ,where D j is a diagonal matrix with −1 on the j-th position and 1 on any other position.Thus, admitting a small change in the sign any permutation can be expressed viaelementary matrices.The matrices A, A T and P are unimodular, i. e. their determinant is of absolute value 1.Note that the product of two unimodular matrices is a unimodular matrix as well.Having introduced the notation necessary, we can now cite the first theorem.Theorem 2.1.1 ([SW99], Theorem 8.C.11)Let s,t ∈ N and M ∈ Z s×t be an s × t-matrix of rank r with coefficients in Z and let k :=min{s,t}. Then there are elementary matrices U 1 ,...,U p ∈ Z s×s and V 1 ,...,V q ∈ Z t×tsuch that U p · · ·U 1 MV 1 · · ·V q is a diagonal matrix D = Diag(a 1 ,...,a k ) ∈ Z s×t , wherea i |a i+1 for i = 1,...,r − 1 and a r+1 = ... = a k = 0.This theorem brings up a new definition.Definition 2.1.2The numbers a 1 ,...,a r of Theorem 2.1.1 are called elementary divisors.

2.1. GENERAL NOTATION 13Note that the elementary divisors are uniquely determined except for the sign. For notationalconvenience throughout this thesis we assume all elementary divisors to be positive.The proof of Theorem 2.1.1 in [SW99] already gives the construction of the elementarydivisors. As we are mainly interested in conditions on which all elementary divisors of amatrix are one, we will not give a proof of the general theorem here. Instead, we will provea variant of this theorem which is adapted to our needs. Therefore, we will permute theelementary divisors to the last rows.Further, note that in case of matrices with entries from a field, we can conclude easily thatif M is of rank k = t, then the transformation works without V 1 ,...,V q . We include asimilar observation for matrices with values in Z in our theorem. We will make use of thefollowing theorem in Section 5.1.Theorem 2.1.3Let m ∈ N 0 ,n ∈ N and M ∈ Z (m+n)×n , rank(M) = n. ThenAll elementary divisors of M are equal to 1 ⇔There exists a unimodular matrix U ∈ Z (m+n)×(m+n) such that UM =( 0m×nI n).In order to prove Theorem 2.1.3 we will use the two following lemmata. Recall that thegreatest common divisor of a vector is defined as the greatest common divisor of all itscomponents.Lemma 2.1.4Let r,t ∈ N, t ≤ r and v T ∈ Z r×1 with gcd(v) = 1. Then there exists a unimodulartransformation U ∈ Z r×r such that Uv T = (e t ) T .Proof: First, remark that gcd(v) = gcd((v) 1 ,...,(v) r ) = gcd(gcd((v) 1 ,...,(v) r−1 ), (v) r )= gcd(...gcd((v) 1 , (v) 2 ),...,(v) r ). The basic idea of the proof is to use the EuclideanAlgorithm to iteratively compute the greatest common divisors. Each step of the EuclideanAlgorithm induces a unimodular transformation which can be performed on v. In the end,we can combine these transformations and obtain U. As the greatest common divisor isone, Uv T then denotes a unit vector.Now let us look at the single steps in more detail. First, we compute the greatest commondivisor of (v) 1 and (v) 2 . We assume (v) 1 ≥ (v) 2 . If not, set U 20 := P (12) and regard(v 20 ) T := U 20 v T . In the first step of the Euclidean Algorithm, we divide (v 20 ) 1 by (v 20 ) 2with remainder. That is, we compute s 1 and r 1 ∈ Z such that (v 20 ) 1 = s 1 (v 20 ) 2 + r 1 .The inputs to the next step are (v 20 ) 2 and r 1 = (v 20 ) 1 (mod (v 20 ) 2 ). To transform v 20accordingly, set U 21 := P (12) A(−s 1 , 1, 2). Then (v 21 ) T := U 21 (v 20 ) T is a column vectorwith first entry (v 20 ) 2 , second entry r 1 and all other entries equal to the correspondingentries in v. Iterating this process until r k1 = 0 (a situation which we reach due to theconstruction of the Euclidean Algorithm), we getU 2k1 · · · ... · U 20} {{ }=:U 2 v T = (gcd((v) 1 , (v) 2 ), 0, (v) 3 ,...,(v) r ) T =: (v 3 ) T .

2.1. GENERAL NOTATION 15of g(M). Thus, all linear combinations of entries of M including the elementary divisorsare multiples of g(M) and, therefore, not equal to 1 and we are done.Thus, we only have to consider the case of g(M) := gcd(g 1 (M),...,g n+1 (M)) = 1. Westart by performing the elementary divisor algorithm. That is, we apply the algorithmwhich gives the construction of Theorem 2.1.1. Here it is not important how the algorithmworks exactly. We just have to know that in each step M is either multiplied from the leftwith a unimodular matrix U or from the right with a unimodular matrix V.Multiplications from the left only perform row operations on M. Consequently, all elementsin the j-th column of UM are divisible by g j (M) as they are linear combinations of elementsof M·,j which are divisible by g j (M). Therefore, the value of g j (M) cannot be decreasedby these operations.Multiplications from the right are either column permutations or additions of multiples ofone column to another. As permutations of columns only permute the greatest commondivisors, it is sufficient to consider additions of multiples of one column to another.We perform only one such addition in one step. This implies that only thegreatest common divisor of one column may be changed. We continue the process oftransformations, using other transformations in between as the algorithm requires untilthe greatest common divisor g j (M) of one column becomes 1. (This will happen asg(M) := gcd(g 1 (M),...,g n+1 (M)) = 1 and, thus, not all elements in the matrix share thesame common divisor.) We then permute the j-th column to the first position. Let U 1 andV 1 be the unimodular transformations used so far. Let M 1 := U 1 MV 1 . Then g 1 (M 1 ) = 1and g j (M 1 ) > 1 for j ≥ 2. By further row operations(using)Lemma 2.1.4 we get a unimodulartransformation U 2 such that U 2 M 1 = (e 1 ) T M 2 for some M 2 ∈ Z (m+n+1)×n withg j (M 2 ) = g j+1 (M 1 ) > 1. Now adding −(M 2 ) 1(j−1) -times the first column to the j-th onlychanges the component in the first row as all other entries in the first column are equal tozero. Let V(j) be the unimodular matrix performing this operation. Let V 2 = ∏ n+1j=2 V(j).Then⎛ ⎞1 0 · · · 0((e 1 ) T M 2)V 2 = ⎜ ⎟⎝0. M 3 ⎠ .0As (M 3 )·,j = ((M 2 )·,j ) −1,· we have g j (M 2 )|g j (M 3 ) for all j = 1,...,n. Moreover, M 3 is offull rank n as M 1 was.This implies that M 3 ∈ Z (m+n)×n fulfills the conditions of the hypothesis. Thus, thereare unimodular transformations U 3 ∈ Z (m+n)×(m+n) and V 3 ∈ Z n×n such that M 4 :=U 3 M 3 V 3 is a diagonal matrix with at least one diagonal element not equal to 1. Let⎛ ⎞ ⎛ ⎞1 0 · · · 01 0 · · · 0U 4 = ⎜ ⎟⎝0. U 3 ⎠ and V 4 = ⎜ ⎟⎝0. V 3 ⎠ .00

18 CHAPTER 2. MATHEMATICAL BACKGROUNDLet U 3 := (U 2 ) +(m+j)(e m+j ),+(m+j)(e m+j ) T . ThenU 3 U 1 M = U 3 M 1= (U 2 ) +(m+j)(e m+j ),+(m+j)(e m+j ) T (M 2) +(m+j)(c),+j(e m+j ) T= (M 3 ) +(m+j)(c),+j(e m+j ) T .Here c := (M 1 ) m+j,·. Consequently, c j = 1. In the last step, we want to eliminateall non-zero entries in the (m + j)-th row except for the one in the j-th column. Todo so, we subtract c i times the (m +i)-th from the (m +j)-th row, for i = 1,...,j −1,j + 1,...,m + n. Let A denote the unimodular transformation corresponding tothese operations. Then( )0A(M 3 ) +(m+j)(c),+j(e m+j ) = m×(n+1).TI n+1Thus, the theorem is proven.2. For all j ∈ {1,...,n + 1} it holds that g j (M) := gcd(M·,j ) > 1:Then we get a contradiction by Lemma 2.1.5.2.2 Algebraic MethodsIn this section basic notation, definitions and constructions from algebra are introduced.This thesis deals with problems that occur in the context of cryptography. An exampleis the problem of factoring: Given a composite integer N = pq, determine its factors pand q. This as well as variants of it will be introduced in the subsequent chapters. Hence,we need tools to describe such problems. First, we introduce polynomial rings. For moredetails consider for example [CLO97].Definition 2.2.1A monomial in x 1 ,...,x l is a product x i 11 x i 22 · ... · x i llwith i 1 ,...,i l ∈ N 0 . The valuedeg(x i 11 x i 22 · ... · x i ll ) = i 1 + ... + i l is called the total degree of x i 11 x i 22 · ... · x i ll , whereasdeg xj(x i 11 x i 22 ·... ·x i ll ) = i j is called the degree in x j . Let R be a ring. An R-linear combinationof monomials f(x 1 ,...,x l ) = ∑ (i 1 ,...,i l ) a (i 1 ,...,i l )x i 11 ...x i llwith a (i1 ,...,i l ) ∈ R is calleda polynomial. The set of all these polynomials is the polynomial ring R[x 1 ,...,x l ].Using this notation, the problem of factoring can be interpreted as the problem of findingnon-trivial solutions of the polynomial equation f(x 1 ,x 2 ) := N − x 1 x 2 = 0. This way,additional information can be added easily to the description of a problem. Instead ofdescribing a problem by a single polynomial equation, we describe it by a system of polynomialequations. Then a solution of the problem is given by a common solution of all ofthe equations.In general, however, it is not clear if a new equation also contains new information. Two

2.2. ALGEBRAIC METHODS 19equations f 1 (x 1 ,...,x l ) = 0 and f 2 (x 1 ,...,x l ) = 0 can either share the same set of solutions,share some solutions or the set of their solutions can be completely disjoint. Inthe two latter cases, we get additional information by taking two instead of one equation.However, in the first case taking two equations does not help to find the solution. We needa criterion to identify this case. We remark that two polynomials share exactly the sameset of solutions if one of the polynomials is an integer multiple of the other. For systemsof polynomials, this is captured by the following definition.Definition 2.2.2Let f 1 (x 1 ,...,x l ),...,f k (x 1 ,...,x l ) and g(x 1 ,...,x l ) ∈ R[x 1 ,...,x l ] be a set of polynomials.Let F := {f 1 (x 1 ,...,x l ),...,f k (x 1 ,...,x l )}. Then F is called linearly independentover R iffk∑a i f i (x 1 ,...,x l ) = 0 with a i ∈ R ⇒ a i = 0 for all i = 1,...,k . (2.2)i=1If condition (2.2) does not hold, then F is called linearly dependent over R.The polynomial g(x 1 ,...,x l ) is called linearly independent of F over R iffthere are no a i ∈ R such thatk∑a i f i (x 1 ,...,x l ) = g . (2.3)i=1If such an R-linear combination of elements of F exists, then g(x 1 ,...,x l ) is called linearlydependent of F over R.Note that if R is a field, the two notions of linear independence given above are equivalent.In a ring R which is not a field, however, a set of polynomials F ∪ {g} can be linearlydependent whereas g still is linearly independent of F over R. We will make use of thisdifference in Section 5.1.Now we have found a criterion whether an additional equation gives additional informationon the solutions. That is, if the additional equation is linearly independent of the previousones, we obtain further information using it. Unfortunately, this does not tell anythingwhether we can really determine the solutions. A major interest of this thesis is solvingsuch systems of equations. Special systems of equations which can be solved efficientlyare systems of dimension zero. We are going to define these systems now. Solving themalso forms an important step in the analyses in the method of Coppersmith which will bepresented in Section 2.3.Let us regard the following system of k ∈ N equations in l ∈ N variables over a field Ff 1 (x 1 ,...,x l ) = 0f k (x 1 ,...,x l ) = 0.. (2.4)

20 CHAPTER 2. MATHEMATICAL BACKGROUNDDefinition 2.2.3The system (2.4) is called system of dimension zero iff it has a finite number of solutionsin the algebraic closure ¯F of F.In our analyses we will often encounter systems of multivariate polynomial equations in Z,not in any field. For our analyses, however, we can consider them as equations over Q. Ifthe given system is zero dimensional when regarded as system in Q, then the number ofsolutions (in ¯Q) is finite. Thus, the number of solutions which are elements of Z is finiteas well. They can be determined by determining all solutions in the algebraic closure of Qand then just taking the ones in Z which we are searching for.In what follows we will discuss two methods how to determine the solutions of zero dimensionalsystems, namely, Groebner bases and resultants. First of all, we need to introducesome additional notation.If we consider e. g. division algorithms operating on polynomials, we need to decide whichmonomials to consider first. That is, we need an ordering of monomials.Definition 2.2.4A monomial ordering on a set of monomials x α = ∏ li=1 xα ii , α i ∈ N 0 , is a relation ≤ onN l 0 satisfying:1. ≤ is a total (or linear) ordering on N l 0, namely, it is reflexive (α ≤ α), transitive(α ≤ β,β ≤ γ ⇒ α ≤ γ) and antisymmetric (α ≤ β ≤ α ⇒ α = β).2. If α ≤ β and γ ∈ N l 0, then α + γ ≤ β + γ.3. ≤ is a well-ordering on N l 0, i. e. every non-empty subset of N l 0 has a smallest elementwith regard to ≤.We give some standard monomial orderings as well as other orderings which will come inuseful later.Example 2.2.5Let α = (α 1 ,...,α l ),β = (β 1 ,...,β l ) ∈ N l 0, l ∈ N and |α| := ∑ li=1 α i.1. Lexicographical orderingIt is α > lex β if the leftmost non-zero entry of α − β is positive, and α = β if α − βdenotes the zero vector. This definition implies x 1 > ... > x l . Allowing to permutethe variables, that is setting x α = ∏ li=1 xα iψ(i)with a permutation ψ, we obtain adifferent lexicographical ordering. Unless stated otherwise, we assume x 1 > ... > x l .2. Graded lexicographical orderingIt is α > grlex β if |α| > |β| or |α| = |β| and α > lex β. Further, α = grlex β if α = lex β.3. Graded reverse lexicographical orderingIt is α > grevlex β if |α| > |β| or |α| = |β| and in α − β ∈ Z l the rightmost non-zeroentry is negative.

2.2. ALGEBRAIC METHODS 214. Inverse graded lexicographical orderingIt is α ≥ invgl β if α ≤ grlex β. Note that although we call this construction ”ordering”,it actually is not an ordering according to our definition. We do not always have asmallest element in any non-empty set. However, we do have a largest element inany set as the graded lexicographical ordering fulfills the definition of a monomialordering. Furthermore, when using this ”ordering” we will only deal with finite setsof monomials. In those sets, we can determine a smallest element. This suffices forour applications.With regard to monomial orderings one can define certain distinguished monomials andterms in polynomials.Definition 2.2.6For α ∈ N l 0 and x = (x 1 ,...,x l ) let x α denote ∏ li=1 xα ii . Let f(x 1 ,...,x l ) = ∑ α c αx α bea non-zero polynomial in R[x 1 ,...,x l ]. Let ≤ be a monomial ordering. Let ᾱ denote themaximum of all α occurring in f.Then LM(f) := xᾱ is called the leading monomial of f, and LC(f) := cᾱ is called theleading coefficient of f. Together, LT(f) := cᾱxᾱ = LC(f)·LM(f) denotes the leadingterm of f.So far we have defined systems of equations of dimension zero. The system itself is describedby a set F of polynomials. We can add as many multiples hf, h ∈ R[x 1 ,...,x l ] ofpolynomials f ∈ F to F as they have at least the same solutions as f and, therefore, do notchange the set of common solutions. Furthermore, we can include any linear combination ofelements of F. By this, we get a more general description of the given system of equations.This is captured by the notion of an ideal.Definition 2.2.7Let I ⊆ R[x 1 ,...,x l ]. Then I is called an ideal if1. 0 ∈ I,2. If f,g ∈ I, then f − g ∈ I,3. If f ∈ I and h ∈ R[x 1 ,...,x l ], then hf ∈ I.For a given set of polynomials {g 1 ,...,g k } let 〈g 1 ,...g k 〉 := { ∑ ki=1 h ig i ,h i ∈ R[x 1 ,...,x l ]}denote the ideal defined by these polynomials.Further, if for any f,g ∈ R[x 1 ,...,x l ] the fact that fg ∈ I ⊂ R[x 1 ,...,x l ] implies f ∈ Ior g ∈ I, then I is called a prime ideal.Note that the set { ∑ f∈F h ff | h f ∈ R[x 1 ,...,x l ]} forms an ideal. We call it the idealinduced by F and denote it by 〈F〉. Thus, the solutions we are searching for correspondto the set of joint solutions of all polynomials in the ideal 〈F〉.

22 CHAPTER 2. MATHEMATICAL BACKGROUNDDefinition 2.2.8Let f 1 ,...,f k be polynomials in R[x 1 ,...,x l ]. Let I ⊆ R[x 1 ,...,x l ] be an ideal. Then thesetV (f 1 ,...,f k ) := {(a 1 ,...a l ) | f i (a 1 ,...,a l ) = 0 for all 1 ≤ i ≤ k}is called the affine variety of f 1 ,...,f k . Analogously, the setis called the variety of the ideal I.V (I) := {(a 1 ,...a l ) | f(a 1 ,...,a l ) = 0 for all f ∈ I}A variety is said to be of dimension zero if it comprises only finitely many elements. Avariety of dimension zero, thus, corresponds to a system of dimension zero.Starting with a system of dimension zero, let us have a look at how we can determine itssolutions. One method makes use of resultants. We recall their definition and some basicproperties here to see how they can be used.Definition 2.2.9Let f 1 (x 1 ,...,x l ) := ∑ mi=0 a i(x 2 ,...,x l )x i 1 and f 2 (x 1 ,...,x l ) := ∑ ni=0 b i(x 2 ,...,x l )x i 1 betwo polynomials in R[x 1 ,...,x l ]. Then the resultant of f 1 and f 2 with respect to x 1 isdefined as the determinant⎛⎞Res x1 (f 1 ,f 2 ) := det⎜⎝a ma m−1.a ma m−1...... a m. a m−1a 0a 0 ....a 0} {{ }n columnsb nb n−1.b nb n−1...... b n. b n−1b 0b 0 ....b 0} {{ }m columnsRemark that a i = a i (x 2 ,...,x l ) and b j = b j (x 2 ,...,x l ) denote polynomials in R[x 2 ,...,x l ].The resultant is a polynomial in R[x 2 ,...,x l ], that is, a polynomial in only l −1 variables.It has the following properties which we only quote from [CLO97].Lemma 2.2.10 ([CLO97], Section 3.6)Let f 1 (x 1 ,...,x l ) and f 2 (x 1 ,...,x l ) ∈ R[x 1 ,...,x l ] be two polynomials with positive degreein x 1 . Then1. Res x1 (f 1 ,f 2 ) is in the first elimination ideal 〈f 1 ,f 2 〉 ∩ R[x 2 ,...,x l ]..⎟⎠

2.2. ALGEBRAIC METHODS 232. Res x1 (f 1 ,f 2 ) = 0 iff f 1 and f 2 have a common factor in R[x 1 ,...,x l ] which haspositive degree in x 1 .3. If (¯x 1 ,..., ¯x l ) denotes a common zero of f 1 and f 2 , then alsoRes x1 (f 1 ,f 2 )(¯x 2 ,..., ¯x l ) = 0.These properties already indicate how we can make use of resultants to solve a givensystem of l polynomial equations in R[x 1 ,...,x l ]. Whenever we combine two equationsin l variables, we obtain a new equation in l − 1 variables. Therefore, if we combine allequations with the first one, we obtain l−1 new equations in l−1 variables. We can iteratethis process until we have only one equation in one variable. If R denotes a field or thering of integers Z, which is the case in most of our applications, we can solve the univariateequation. Plugging the result into a bivariate equation constructed one step before, thisequation becomes univariate. Then it can be solved as well. By successively substitutingall the values which we have obtained, we can determine the solutions of the given systemof equations. The following scheme illustrates the process of successively computing theresultants:⎫f 1 (x 1 , . . .,x l )f 2 (x 1 , . . .,x l ).f l (x 1 , . . .,x l )⎪⎬Res x1 (f 1 , f 2 ) =: f 12⎫⎪ ⎬· · ·⎪⎪⎭.Res x1 (f 1 , f l ) =: f ⎭1l}Res xl−1 (f (l−2)(l−1) , f (l−2)l ) =: f (l−1)l . (2.5)Problems during the computation might occur if one of the resultants becomes zero. This,however, violates the precondition that our system is of dimension zero.Remark that we have just considered systems of l equations in R[x 1 ,...,x l ]. We can, ofcourse, extend this method to systems of k ∈ N equations. Then it is k ≥ l as otherwise wewould not have a system of dimension zero. Computations can be performed analogously.However, resultants with value zero may occur. This does not pose any problems as thesystem is zero dimensional. This ensures that there will be at least l non-zero polynomialsin l variables. It might be necessary though to compute resultants using other pairs ofpolynomials.Let us have a look at the running time of computing roots of polynomials by successivelycomputing resultants. We again consider a zero dimensional system of l equations in lvariables. Let δ denote the maximum total degree occurring in any of the equations.Thus, the maximum total degree of any of the coefficients of x i 1 in any of the f j is also δ.Consequently, the resultant Res x1 (f 1 ,f j ) = f 1j is a polynomial of total degree smaller thanor equal to δ 2 . Iterating this process, the total degree of Res xl−1 (f (l−2)(l−1) ,f (l−2)l ) = f (l−1)lis smaller than or equal to δ 2l−1 . The major step in the resultant computation is thedeterminant calculation which has running time cubic in its dimension. That is, in thei-th iteration, the computation complexity is O((l − i)δ 3·2i ). By some rough estimatesthe general running time of determining the solutions is then O(l 2 δ 3·2l ). This is double

24 CHAPTER 2. MATHEMATICAL BACKGROUNDexponential in l and, thus, not efficient for a non-constant number of variables.Now we present the second method to solve systems of equations of dimension zero. Thismethod is not based on the system of polynomials F itself but on the ideal 〈F〉 definedby them. The same general ideal can be described in many different ways. Here we givea special description of an ideal. In what follows, we will see how this ”good description”helps to determine solutions of the equations.Definition 2.2.11Let I be an ideal. A finite subset G = {h 1 ,...,h κ } of I is called a Groebner basis if〈LT(h 1 ),...,LT(h κ )〉 = 〈LT(I)〉 .A minimal set with this property is called minimal Groebner basis.If not stated otherwise, we will compute Groebner bases with respect to lexicographical ordering.In the context of this work we often encounter systems of equations S = {g 1 ,...,g λ }which we would like to solve. When saying that we compute the Groebner basis of S, weimplicitly assume to construct the ideal I of S and then to compute its Groebner basis.Groebner bases have several advantageous properties compared to arbitrary bases of ideals.Here we concentrate on those properties that help us to determine solutions of asystem of equations. By a Groebner basis G of an ideal I ⊆ R[x 1 ,...,x l ] computedwith respect to lexicographical ordering we directly get the Groebner bases of the idealsI j := I ∩ R[x j+1 ,...,x l ], the so called j-th elimination ideals.Theorem 2.2.12 (Elimination Theorem)Let I ⊆ R[x 1 ,...,x l ] be an ideal and let G be a Groebner basis of I computed with respectto the lexicographical ordering such that x 1 > ... > x l . Then, for every 0 ≤ j < l, the setG j := G ∩ R[x j+1 ,...,x l ] (2.6)is a Groebner basis of the j-th elimination ideal I j := I ∩ R[x j+1 ,...,x l ].Proof: To prove this, we have to show that for all j = 0,...,l − 1 it is 〈LT(G j )〉 =〈LT(I j )〉.Let j ∈ {0,...,l − 1} be fixed. As all polynomials in G j are trivially also in I j , it is〈LT(G j )〉 ⊆ 〈LT(I j )〉.For the opposite inclusion let f ∈ I j . To show that LT(f) ∈ 〈LT(G j )〉 we have to showthat LT(h) divides LT(f) for some h ∈ G j . As f ∈ I and G is a Groebner basis of I, weknow that there is a polynomial g ∈ G such that LT(g) divides LT(f). As f ∈ I j , it followsthat LT(g) is a monomial in R[x j+1 ,...,x l ]. As G has been computed with respect to thelexicographical ordering with weights x 1 > ... > x l , any monomial which contains a powerof x i with i ≤ j is greater than all monomials not involving any of these variables. Thus,all monomials of g are elements of R[x j+1 ,...,x l ]. As a consequence, g ∈ R[x j+1 ,...,x l ]and, thus, g ∈ G j . This concludes the proof.

2.2. ALGEBRAIC METHODS 25The Elimination Theorem thereby helps us to structure the elements of an ideal I. Ifthe ideal I contains a univariate polynomial in x l , a univariate polynomial will also becontained in G. Analogously, if I contains a polynomial f in x j+1 ,...,x l , then a polynomialin x j+1 ,...,x l is also part of G. On the assumption that for all j = 0,...,l − 1 the setG j \ G j+1 is not empty, the Groebner basis directly gives us a sequence of polynomialsg 1 ,...,g l such that g j is a polynomial in x j ,...,x l . We can then calculate the solutions bysolving a system of equations of the following structure:g 1 (x 1 ,...,x l ) = 0. (2.7)g l−1 (x l−1 ,x l ) = 0g l (x l ) = 0.This system of equations can be solved easily. First, we calculate the solution ¯x l ofg l (x l ) = 0. This is a univariate equation over the integers and can be solved efficiently bystandard techniques like Newton iteration ([SB02], Chapter 5). Then we substitute x l by¯x l in g l−1 and obtain a univariate equation in x l−1 . We iterate this process until we havecalculated all solutions as solutions of univariate equations. Hence, the problem can besolved efficiently.To apply this method, however, we have to ensure that G j \ G j+1 ≠ ∅ for all values of j.This fact is implied by the zero dimensionality of V (I).There are various algorithms to compute Groebner bases of ideals which are adapted todifferent types of ideals or orderings. They differ with regard to efficiency. The originalalgorithm to compute a Groebner basis was given by Bruno Buchberger [Buc65, Buc06]. IfR is Noetherian, i. e. in any ascending chain of ideals the ideals are equal from some pointon, then by Buchberger’s algorithm a Groebner basis is computed in finitely many steps.The algorithm, however, includes several superfluous computations. In 1993, Jean-CharlesFaugère et al. developed an algorithm called FGLM to compute Groebner bases more efficiently[FGLM93]. With this algorithm it is further possible to switch between orders.Namely, the Groebner basis can be computed with respect to any order. A transformationis applied afterwards to get back to the lexicographical ordering we need in our application.This is helpful as Groebner bases with respect to graded orders often perform better.In 1999, Jean-Charles Faugère presented a different algorithm, F4 [Fau99], which is againbased on Buchberger’s algorithm but leaves out several unnecessary computations. Bythis, the algorithm becomes more efficient. Some years later, Jean-Charles Faugère againimproved on his algorithm. The new algorithm F5 [Fau02] eliminates all superfluous computationsbut imposes some additional constraints. These two algorithms are more adaptedto graded reverse lexicographical ordering. They are, thus, more efficient but do not includethe step of transforming a Groebner basis with respect to one ordering into a Groebnerbasis with respect to a different one. An elementary algorithm which provides exactly thisstep is the Groebner Walk by Stéphane Collart et al. [CKM97].

26 CHAPTER 2. MATHEMATICAL BACKGROUNDUnfortunately, the running time of none of the algorithms to compute a Groebner basis iscompletely understood. An upper bound on the calculation of a Groebner basis of someideal I = 〈f 1 ,...,f k 〉 ⊆ F[x 1 ,...,x l ] with deg(f i ) ≤ δ is given by δ 2O(l) . This bound isproven to be strict in [MM82]. The worst case complexity of computing a Groebner basisis, thus, double exponential in the number of variables. For several other ideals of morepractical interest better bounds like δ O(l) have been shown [Laz83].Note that these bounds are only given for ideals in F[x 1 ,...,x l ] for a field F. This, however,does not pose any problems. Although we mainly have polynomials with coefficients inZ, we can take any field like Q comprising Z and perform the computations there. If thenumber of elements in the variety is finite, one can just choose the ones which are alsoelements of Z afterwards. Note that the set of solutions of a system of dimension zero canbe described as a set of solutions of a system of the structure given in (2.7). Namely, by asystem of equations in which each equation introduces a new variable. A univariate equationof degree δ has at most δ roots in ¯Q. Consequently, the number of solutions in ¯Q ispolynomial in the maximum total degree δ of polynomials in a Groebner basis. Therefore,for a constant number of variables, the correct solutions can be found efficiently. This isthe case in all our applications.Up to now we have considered systems of equations in R[x 1 ,...,x l ]. That is, all theequations are elements of the same polynomial ring. This includes the cases R = Z andR = Z N for some N ∈ N. Namely, we can analyze systems of modular equations. In thecontext of this thesis, however, we will also encounter systems of modular equations withdifferent moduli, such that f i (x 1 ,...,x l ) ≡ 0 (mod N i ), i = 1,...k, and gcd(N i ,N j ) = 1 ifi ≠ j. We have to apply different techniques to determine the solutions of such a system. Apossible way to combine these equations is by Chinese Remaindering which is described e. g.in [Hås88, Sho05]. The resulting polynomial can then be analyzed as a single polynomialin some polynomial ring.Theorem 2.2.13 (Chinese Remainder Theorem)Let k ∈ N. Let w ∈ N, w > 1. For i = 1,...,k let N i ∈ N be pairwise relativelyprime numbers, and let f i (x 1 ,...,x l ) ∈ Z Ni [x 1 ,...,x l ] be polynomials such that at mostw different monomials occur in any of the polynomials.Then there exists a unique polynomial f(x 1 ,...,x l ) modulo M := ∏ ki=1 N i such thatf(x 1 ,...,x l ) ≡ f i (x 1 ,...,x l ) (mod N i ). (2.8)The polynomial f(x 1 ,...,x l ) can be determined in time O(w log 2 M).Proof: Let M := ∏ ki=1 N i, M i := M N iand M ′ i be the inverse of M i modulo N i for i =1,...,k. The existence of such an inverse is guaranteed by gcd(M i ,N i ) = 1. Thenf(x 1 ,...,x l ) :=k∑M i M if ′ i (x 1 ,...,x l )i=1

2.3. LATTICES 27is the desired polynomial. If we look at f(x 1 ,...,x l ) modulo N j for j ∈ {1,...,k}, allsummands with index i ≠ j cancel out (as N j divides M i ) and M j M ′ jf j (x 1 ,...,x l ) ≡f j (x 1 ,...,x l ) (mod N j ).Now suppose that g(x 1 ,...,x l ) is another polynomial fulfilling the required conditions.Then this implies f(x 1 ,...,x l ) − g(x 1 ,...,x l ) ≡ 0 (mod N i ) for all i = 1,...,k, and,therefore, also f(x 1 ,...,x l ) ≡ g(x 1 ,...,x l ) (mod M).Multiplication modulo M and calculating the inverses by the Extended Euclidean Algorithmcan be performed in time O(log 2 M). Determining all coefficients of f then resultsin a running time of O(w log 2 M) for the complete algorithm.Note that in case of univariate polynomials f i (x) ∈ Z Ni [x] the maximum number of monomialsw corresponds to the maximum degree δ of any of the polynomials. More precisely,we have w ≤ δ + 1.2.3 LatticesProblems derived from public key encryption or factoring can often be described as multivariateequations in the secret parameters, sometimes modular, sometimes over the integers.Equations of this type can be linearized by introducing new unknowns for anyunknown monomial. If the unknowns are small enough, solutions can then be determinedwith methods used in the theory of lattices. Thus, we will give a brief introduction tolattices here. For a more thorough introduction we refer the reader to [MG02].For our purposes it is sufficient to consider only integer lattices. However, analogousdefinitions can be made over the reals.Definition 2.3.1Let d,n ∈ N, d ≤ n. Let v 1 ,...,v d ∈ Z n be linearly independent vectors. Then the set ofall integer linear combinations of the v i spans an integer lattice L, i.e.{ d∑}L := a i v i | a i ∈ Z .i=1⎛ ⎞v 1⎜ ⎟We call B = ⎝ . ⎠ a basis matrix of the lattice L, the value d denotes the dimensionv dor rank of the lattice. The lattice is said to have full rank if d = n. The determinantdet(L) of a lattice is the volume of the parallelepiped spanned by the basis vectors.If L has full rank, the determinant of L can be calculated as the absolute value of thedeterminant of its basis matrix B. Note that the determinant det(L) is invariant underunimodular basis transformations of B. Equivalently, a lattice L can be defined as adiscrete additive subgroup of Z n .Let us denote by ||v|| the Euclidean l 2 -norm of a vector v. Hadamard’s inequality [Mey00]relates the length of the basis vectors to the determinant.

28 CHAPTER 2. MATHEMATICAL BACKGROUNDLemma 2.3.2 (Hadamard)Let B =⎛⎜⎝⎞v 1⎟. ⎠ ∈ Z n×n ,n ∈ N, be an arbitrary non-singular matrix. Thenv ndet(B) ≤n∏||v i ||.i=1The successive minima λ i (L) of the lattice L are defined as the minimal radius of a ballcontaining i linearly independent lattice vectors of L. In a two-dimensional lattice L, basisvectors b 1 ,b 2 with lengths ||b 1 || = λ 1 (L) and ||b 2 || = λ 2 (L) are efficiently computable viaGaussian reduction.Theorem 2.3.3Let v 1 ,v 2 ∈ Z n be basis vectors of a two-dimensional lattice L. Then the Gauss-reducedlattice basis vectors b 1 ,b 2 can be determined in time O(log 2 (max{||v 1 ||, ||v 2 ||}). Furthermore,||b 1 || = λ 1 (L) and ||b 2 || = λ 2 (L).Information on Gaussian reduction and its running time can be found in [Mey00].A shortest vector of a lattice satisfies the Minkowski bound, which relates the length of ashortest vector to the determinant and dimension of the lattice.Lemma 2.3.4 (Minkowski [Min96])Let L be an integer lattice with basis matrix B ⊆ Z d×n . Then L contains a non-zero vectorv with||v|| = λ 1 (L) ≤ √ d det(L) 1 d .The question remains how to find these small lattice vectors.In 1982, Arjen K. Lenstra and Henrik W. Lenstra Jr. and László Lovász [LLL82] introduceda way to efficiently determine an approximate shortest vector. They compute a new basisfor the lattice in which several conditions are imposed on the vectors.First, recall the Gram-Schmidt orthogonalization process. Given a set of linearly independentvectors v 1 ,...,v d the orthogonalized vectors v1,...,v ∗ d ∗ are recursively definedby∑i−1vi ∗ := v i −j=1µ ij v ∗ j with µ ij = (v i,v ∗ j )(v ∗ j ,v∗ j ) .The construction given by Arjen K. Lenstra and Henrik W. Lenstra Jr. and László Lovászmodifies this technique. Iteratively sets of Gram-Schmidt orthogonalized vectors are computedand vectors are swapped if they do not fulfill some given conditions concerning theirlength. This results in a so called LLL-reduced basis.

2.3. LATTICES 29Theorem 2.3.5 (LLL [LLL82])Let L be a d-dimensional lattice with basis v 1 ,...,v d ∈ Z n . Then the LLL algorithmoutputs a reduced basis b 1 ,...,b d with the following properties:• |µ ij | ≤ 1 2for 1 ≤ j < i ≤ d,• ||b ∗ i + µ i(i−1)b i−1 ∗ || 2 ≥ δ||b ∗ i−1 ||2 for 1 < i ≤ d.The running time of this algorithm is O(d 4 n(d+log b max ) log b max ), where b max ∈ N denotesthe absolute value of the largest entry in the basis matrix. The value δ is chosen in ( 1 4 , 1],in the original work it is δ = 3 4 .The running time is the running time of the so-called L 2 algorithm, an efficient LLL versiondue to Phong Nguyen and Damien Stehlé [NS05].From the basic properties further conditions on LLL-reduced bases can be derived.Lemma 2.3.6Let b 1 ,...,b d be a basis output by the LLL algorithm. Then it holds that||b 1 || ≤ 2 d−14 det(L) 1 d .For a proof of the theorem and the lemma compare [LLL82].Another property of an LLL-reduced basis which is especially useful in multivariate settingsis given by the following lemma stated by Charanjit S. Jutla in [Jut98]:Lemma 2.3.7Let b 1 ,...,b d be a basis output by the LLL algorithm. Then for i ≤ d it holds that||b ∗ i || ≥ 2 − i−14( det(L)b d−imax)1i.The value b max denotes the largest absolute value in the basis matrix.The LLL algorithm only calculates an approximate shortest vector. There are other algorithmswith which we can deterministically compute a shortest vector of a lattice L. Theywork on the Gram-Schmidt orthogonalization of a given lattice basis and enumerate all latticevectors shorter than some bound A ≥ λ(L). Such algorithms were introduced by RaviKannan [Kan83] and Ulrich Fincke and Michael Pohst [FP83]. However, the running timeof these algorithms is exponential. Even given as input an LLL-reduced basis the runningtime of Fincke and Pohst’s algorithm is 2 O(d2) . The worst case complexity of Kannan’salgorithm is 2 d 2e +o(d) [HS07]. Here, d denotes the lattice dimension. We state these resultsignoring multiplicative factors which are polynomial in the size of the lattice basis. Duringthis thesis, we will use the LLL algorithm as it works well enough for our purposes. Thisway, we can develop algorithms with polynomial running time.

30 CHAPTER 2. MATHEMATICAL BACKGROUNDSmall solutions (¯x 1 ,..., ¯x l ) of linear modular multivariate equationsf(x 1 ,...,x l ) :=l∑a i x i ≡ 0 (mod N)i=1can be determined by shortest vector algorithms. The idea is to embed the given informationinto a lattice. That is, define a lattice as the set of solutions of f(x 1 ,...,x l ) ≡ 0(mod N). Then the set L := {(x 1 ,...,x l ) ∈ Z l | f(x 1 ,...,x l ) ≡ 0 (mod N)} is indeed alattice. First, as a subset of Z l , it is discrete and the addition of elements is associative.Second, as f is linear, it is f(0,...,0) ≡ 0 (mod N), thus, (0,...,0) ∈ L. Further, if(x 1 ,...,x l ) ∈ L, then f(x 1 ,...,x l ) ≡ 0 (mod N) ⇔ −f(x 1 ,...,x l ) ≡ 0 (mod N) f linear⇔f(−x 1 ,...,−x l ) ≡ 0 (mod N). Consequently, (−x 1 ,...,−x l ) ∈ L. Moreover, L isclosed under addition because if (x 1 ,...,x l ), (y 1 ,...,y l ) ∈ L, then f(x 1 ,...,x l ) ≡ 0 ≡f(y 1 ,...,y l ) (mod N) and, thus, f(x 1 +y 1 ,...,x l +y l ) f linear≡ f(x 1 ,...,x l )+f(y 1 ,...,y l ) ≡0 (mod N). Note that we require f to be a linear polynomial as lattices are linear structures.If the solution of f(x 1 ,...,x l ) ≡ 0 (mod N) we are searching for is small enough, it correspondsto a shortest vector in the lattice L. Without loss of generality we assume a lto be invertible modulo N. (Otherwise, we can determine a factor p of N, analyze thetwo equations f(x 1 ,...,x l ) ≡ 0 (mod p) and f(x 1 ,...,x l ) ≡ 0 (mod N ), and combine thepresults.) Let⎛⎞1 −a 1 a −1lB =...⎜.⎟⎝ 1 −a l−1 a −1 ⎠ .lNThen all integer linear combinations of the row vectors of B which we denote by 〈B〉form the lattice L. We will briefly show this. Let (x 1 ,...,x l ) ∈ L and t defined suchthat −a −1lf(x 1 ,...,x l ) = tN. Then (x 1 ,...,x l ) = (x 1 ,...,x l−1 , −t)B. Consequently,L ⊆ 〈B〉. Now, let b i = ((b i ) 1 ,...,(b i ) l ) denote the i-th row vector of B. Then fori = 1,...,l − 1 it is (b i ) i = 1, (b i ) l = −a i a −1land (b i ) j = 0 for all j /∈ {i,l}. It followsthat f((b i ) 1 ,...,(b i ) l ) ≡ a i − a i a −1la l ≡ 0 (mod N). It is (b l ) l = N and (b l ) j = 0 forj = 1,...,l−1. Then f((b l ) 1 ,...,(b l ) l ) ≡ 0 (mod N). Therefore, all b i belong to L. As fis linear, the same holds for all linear combinations of the basis vectors b i . This results in〈B〉 ⊆ L. Thus, 〈B〉 = L and, as the basis vectors b i are linearly independent, B is a basisof L. Then we can determine an approximate shortest vector of L by lattice reduction ofB as described previously.Let us consider on which conditions this method is going to work. Minkowski’s condition(2.3.4) states that the norm of a shortest vector is smaller than or equal to √ l det(L) 1 l .As B is an upper triangular matrix we can easily determine det(L) = N. Thus, we candetermine (x 1 ,...,x l ) if its norm is smaller than or equal to √ lN 1 l . Let X i denote anupper bound on |¯x i |, i. e. |¯x i | ≤ X i . We know that ||(¯x 1 ,..., ¯x l )|| ≤ ||(X 1 ,...,X l )|| ≤

2.3. LATTICES 31√l max{Xi }. This gives the stronger condition max{X i } l ≤ N. For unknowns of equalsize this is the same as ∏ li=1 X i ≤ N. If the sizes of the unknowns are imbalanced, thesame result can obtained by adding weights in the lattice basis. For more details consider[May06].If f is not a modular equation but an integer one, we can proceed analogously. The basismatrix B is then constructed as before but without the last row which corresponds to themodular reduction. As the basis matrix B is no longer a square matrix, the calculationof the bound becomes more complicated. An alternative is to choose a large coefficient inthe integer equation and regard it as a modular equation modulo exactly this coefficient.Then the analysis of the modular case can be reused.This technique can be generalized to non-linear equations f(x 1 ,...,x l ) = 0. For theanalysis we just insert a linearization step before defining the lattice. Then we can proceedanalogously. As an example on how linearization can be used in practice, let us havea look at Michael Wiener’s attack from 1990 [Wie90]. Michael Wiener used continuedfractions to determine the private RSA exponent d if its absolute value is smaller thanone fourth of the public modulus, i. e. |d| < N 1 4. The same bound can be achieved vialinearization [May06, Kat01].Example 2.3.8We analyze the RSA key equation ed ≡ 1 (mod ϕ(N)) for known values e and N, butunknown factorization of N = pq and unknown d. The factors p and q are of equal bitsizewith p < q. As we do not know the modulus in this case, we first write the equation as aninteger equationed − k(N − p − q + 1) − 1 = 0.Then we take the known value N as new modulus and linearize by setting x 1 := d andx 2 := k(p + q − 1) − 1. The resulting equation isf(x 1 ,x 2 ) := ex 1 + x 2 ≡ 0(mod N).Let d < 1 3 Nα . Then k(p + q − 1) − 1 < k · 3p < 3N 1 2 +α because k = ed−1 < e d e

32 CHAPTER 2. MATHEMATICAL BACKGROUNDWhen linearizing equations, however, a lot of information on the monomials gets lost. InExample 2.3.8 the variable x 1 corresponds to a single variable of the original equation, butx 2 is a function of several variables of total degree two.As an even worse example of loosing information take the simple equation f(x) = x 2 +x+A(mod N) for known values A and N. Let ¯x denote a root of f. By linearization we derivethe equation ˜f(x) = x 1 + x 2 + Ax 3 (mod N). From the above analysis we know that allsolutions (¯x 1 , ¯x 2 , ¯x 3 ) with |¯x 1 | ≤ X 1 , |¯x 2 | ≤ X 2 and |¯x 3 | ≤ X 3 can be determined whichfulfill X 1 X 2 X 3 < N. Let |¯x| ≤ N α . Then we can set X 1 = N 2α , X 2 = N α and X 3 = 1.The bound in this case is |¯x| ≤ N 1 3. However, we are only interested in solutions withx 1 = x 2 2. Thus, it is likely that the given bound can be improved if we take the additionalknowledge into account.The basis for these more elaborate analyses is an algorithm which Don Coppersmithpresented in 1996 [Cop96b, Cop97]. With the help of this algorithm and some furtherideas, Dan Boneh and Glenn Durfee improved Michael Wiener’s bound to the value of0.292 [BD99]. We will not look at their analysis in detail. However, the algorithm introducedby Don Coppersmith will be of use for the analyses we will do in the followingchapters.Therefore, we will present it in what follows. In the algorithm, lattice reduction methodsare used to solve multivariate modular and non-modular polynomial equations. The basicidea is to construct sufficiently many polynomials having the same root over the integers.Then a univariate polynomial with the correct solutions over the integers can be determinedby the methods presented in Section 2.2. Throughout this thesis we will refer tothis method as Coppersmith’s method or Coppersmith’s algorithm.The modular univariate variant of Coppersmith’s method can be stated as follows:Theorem 2.3.9 (Coppersmith [Cop97])Let f(x) be a monic polynomial of degree δ ∈ N in one variable modulo an integer Nof unknown factorization. Let X be a bound on the desired solution x 0 . If X < N 1 δ,then we can find all integers x 0 such that f(x 0 ) ≡ 0 (mod N) and |x 0 | ≤ X in timeO(δ 5 (δ + log N) log N).As the method introduced by Don Coppersmith will serve us as a basic tool in manyof our analyses, we will describe its major steps here. Generally, given a polynomialf(x) = ∑ δi=0 a ix i with a i ∈ Z, the algorithm to determine all values |x 0 | ≤ X such thatf(x 0 ) = 0 (mod N) consists of three steps:1. Building a lattice L such that a solution to the polynomial equation is induced by areduced basis of a sublattice L S .2. Determining an LLL-reduced basis of the sublattice L S and orthogonalizing it.3. Determining an equation with the same solutions valid over the integers and solvingit.

2.3. LATTICES 33We will now describe the steps in more detail.Building a lattice L.Let f(x) = ∑ δi=0 a ix i be the polynomial of which we would like to determine the rootsmodulo N. Let λ ∈ N, λ ≥ 2. For i = 0,...,δ − 1 and j = 1,...,λ − 1 we define thefollowing set of polynomials.f ij (x) = x i · f(x) j . (2.9)Throughout the thesis we will call the sets F of polynomials used to build the lattice shiftpolynomials. The monomials m such that mf(x) is a shift polynomial are denoted byshift monomials. The set Mon(F) is the set of monomials that occur in polynomials ofF.Note that if f(x 0 ) ≡ 0 (mod N), then f ij (x 0 ) ≡ 0 (mod N j ). With regard to gradedlexicographical ordering, the largest monomial occurring in the set of all f ij is x δλ−1 . Foreach polynomial f ij let f ij be the coefficient vector containing the respective coefficientsof the monomials (1,x,x 2 ,...,x δλ−1 ), i. e. the monomials are ordered from smallest tohighest degree. For example, the vector f 01 is defined as (a 0 ,a 1 ,...,a δ , 0,...,0).Let F c := ( Tf 01 ... f ) T(δ−1)(λ−1) and F m := Diag(N,...,N λ−1 ) be a diagonal matrixwith powers of N on the diagonal. The k-th value on the diagonal ⎛ of F m corresponds ⎞1to the k-th column vector f T ij of F c and equals N j . Let D = ⎝ ... ⎠ be aX −δλ+1diagonal matrix with the inverses of the monomials evaluated on the upper bounds on itsdiagonal.In practice all values are multiplied by the least common multiple of all denominators sothat all calculations can be performed with integer values. This multiplication does notinfluence the method. For ease of notation in the analysis, however, we work over therationals here.Then we define a lattice L via a basis matrix B as follows:B :=( ) D Fc. (2.10)0 F mFor the desired solution x 0 we have f(x 0 ) = y 0 N with y 0 ∈ Z. Let y be a variable denotingthis multiple of N. Further, we define the vectorsandThenv = (1,x,x 2 ,...,x δλ−1 , −y, −xy,...,−x δ−1 y, −y 2 ,...,−x δ−1 y λ−1 )v 0 = (1,x 0 ,x 2 0,...,x δλ−10 , −y 0 , −x 0 y 0 ,...,−x δ−10 y 0 , −y 2 0,...,−x δ−10 y λ−10 ).xδλ−1 02,...,v 0 B = (1, x 0X , x2 0X X δλ−1, 0,...,0) =: t 0 .This implies that all vectors related to roots of the polynomials f ij are part of the sublatticeL S of vectors with δ(λ − 1) zeros in the end. Thus, our aim is to determine a basis of thesublattice L S from which we can get an equation which can be solved over the integers.

34 CHAPTER 2. MATHEMATICAL BACKGROUNDDetermining a suitable basis.In a first step, we determine a basis of the sublattice. In order to do so, we transformthe given basis B into another basis B ′ of the same lattice. The basis B ′ should allowto extract a basis of the sublattice L S easily. Thus, we aim at constructing vectors withzeros in the last components. The other basis vectors restricted to these last componentsshould then form a basis of the lattice corresponding only to the last components. In thebest case they also form a basis of Z δ(λ−1) . Such a basis can be transformed to the basisof unit vectors. Thus, the determinant of the lattice only depends on the basis vectors ofthe sublattice.As a new basis of the sublattice we can use the basis vectors with zeros in the end shortenedto their first components. That is, we would like to transform the original basis to theform( )B ′ BS 0=, (2.11)∗ I δ(λ−1)where B S is a basis matrix of the sublattice we are looking for, and ∗ is some matrix withentries which are not important for our purposes.A lattice basis can be transformed to another basis of the same lattice by permutation ofbasis vectors or adding multiples of one basis vector to another basis vector. This is, thetransformations we are allowed to make are unimodular transformations. For conditionson which a basis can be transformed accordingly, compare Section 2.1. From now on weonly consider the basis B S of the sublattice. We perform LLL-reduction on B S to get anew LLL-reduced basis B R .Calculating the solution.Having a basis B R of the sublattice L S , we still need a further step in order to get anotherequation which we can use to determine the solution. Therefore, we quote the followinglemma.Lemma 2.3.10 (Coppersmith [Cop97])Let L be a lattice and B =⎛⎜⎝D = det(L) be its determinant. Then the following holds:⎞b 1⎟. ⎠ be an LLL-reduced basis matrix of L. Further, letb n(a) Any lattice element t with ||t|| < D 1 n2 −(n−1) 4 is an element of the hyperplane spannedby b 1 ,...,b n−1 .(b) Any lattice element t with ||t|| < ||b j ∗ || for all j = k + 1,...,n is an element of thespace spanned by b 1 ,...,b k .

2.3. LATTICES 35Proof:(a) First, note that by combining the conditions of an LLL-reduced basis B given inTheorem 2.3.5, we get ∣ ∣ ∣b ∗ i + µ i(i−1) b ∣ ∗i−1 ∣ 2 ≥ 3 ||b 4 i−1 ∗ || 2 ⇒ ||b ∗ i || 2 + 1 ||b 4 i−1 ∗ || 2 ≥3||b 4 i−1 ∗ || 2 ⇔ 2 ||b ∗ i || 2 ≥ ||b i−1 || 2 . As b ∗ 1 ,...,b ∗ n form an orthogonal basis, it isD = det(B) = ∏ ni=1 ||b i ∗ ||. Combining these two results, we obtainD ≤n∏i=1(√2) n−i||bn ∗ || = 2 n(n−1)4 ||b n ∗ || n⇒ ||b n ∗ || ≥ D 1 n 2− n−14 . (2.12)Hence, the precondition implies that ||t|| < ||b ∗ n ||.Now let us have a closer look at the vector t. As t ∈ L we can write t = ∑ ni=1 a ib iwith a i ∈ Z. As the vectors b 1 ,...,b n and b ∗ 1 ,...,b ∗ n span the same vector space,we can also write t = ∑ ni=1 c ib ∗ i with coefficients c i ∈ R. Note, however, thatc n = a n because b ∗ n = b n − ∑ n−1i=1 µ nib ∗ i . Consequently, it is ||t|| ≥ |a n | ||b ∗ n ||. Theinequality is only valid if a n = 0 as ||t|| < ||b ∗ n || as well. This concludes the proof.(b) From the preconditions we have ||t|| < ||b ∗ n ||. By the proof of part (a) this impliesthat t = ∑ n−1i=1 a ib i . That is, t is contained in the sublattice spanned by the firstn −1 basis vectors. Iteratively repeating the argumentation of part (a), we can provethat a i = 0 for all i = n − 1,...,k + 1. This results in the claim.To be able to apply Lemma 2.3.10 we orthogonalize B R . Let B ∗ R denote the orthogonalizedbasis.Now, let t S be the vector t 0 reduced to its first δλ components. Let n correspond to thedimension of the sublattice, namely n := δλ. If the vector is small enough, namely, ||t 0 || ≤det(L) n2 1 −(n−1) 4 , then t 0 will be part of the hyperplane spanned by all but the last basisvector b n . Consequently, t 0 is orthogonal to b ∗ n , i. e. 0 = (b ∗ n ,t 0 ) = ∑ δλ−1i=0 (b n ∗ x) i 0 i+1 .X iSubstituting∑x 0 by the variable x in this equation and multiplying with X δλ−1 , we getδλ−1i=0 (b n ∗ ) i+1 x i X δλ−1−i = 0. This is a univariate equation valid over the integers. It canbe solved by standard techniques like Newton iteration (e. g. [SB02], Chapter 5) or Sturmsequences ([McN07], Chapter 2).Conditions on the existence of a solution.As seen in the previous paragraphs a solution of the modular equation can be determinedon condition that the constructed target vector t 0 is small enough. Here we will determinewhich are the conditions thereof.By construction we have ||t 0 || ≤ √ δλ as |x 0 | ≤ X and, consequently, ( x 0) iX ≤ 1 for any i.Therefore, applying the above lemma we get the condition√δλ < det(L)1n 2− (n−1)4 . (2.13)

36 CHAPTER 2. MATHEMATICAL BACKGROUNDCalculating det(L) using the basis B, we derive det(L) = X − δλ(δλ−1)2 N δλ(λ−1)2 . Using thisand n = δλ, we get the condition√δλ < X− δλ−12 N λ−12 · 2 −(δλ−1) 4⇔ X < N λ−1δλ−1 · 2− 1 2 (δλ)− 1δλ−1 .To see what this condition implies, we can either plug in a specific value for λ or compute thelimit with respect to λ. In the first case, we obtain an exact bound and the correspondinglattice to compute it. In the latter case, the bound we obtain is asymptotic. Here thecondition asymptotically becomes X < N 1 δ. This bound is also obtained by directlyrequiringdet(L) > 1. (2.14)In the following, we will refer to this condition as simplified condition.Performing exact calculations, for a given value of ǫ > 0 we can determine a correspondingvalue λ(ǫ) such that we can calculate all solutions x 0 if X < N 1 δ −ǫ using a lattice constructedwith respect to λ > λ(ǫ).In the case of the example f(x) = x 2 + x + A (mod N), the asymptotic condition is|¯x| < N 1 2. This is significantly better than the old bound of |¯x| < N 1 3 we have obtainedvia linearization.Coppersmith’s method can be generalized to multivariate equations f(x 1 ,...,x l ) ≡ 0(mod N) easily. To define the coefficient vectors, an ordering of the occurring monomialshas to be defined. Apart from that, decisions have to be made on which polynomialsto take as shift polynomials.Shift polynomials in the multivariate case.A general strategy on how to choose shift polynomials to build a lattice is described by EllenJochemsz and Alexander May in [JM06]. The basic idea of this strategy is to determineall monomials occurring in powers of the original polynomial f. These monomials shouldform the set of all monomials which occur in the lattice construction. The shift monomialsare then defined to ensure this.We will describe the approach in more detail. The polynomial f is assumed to be monicand to have a non-zero constant term. Depending on a small value ǫ > 0, a positive integerλ is fixed. Then for k ∈ {0,...,λ + 1} and a value j the setsM k := ⋃0≤β≤t{ l ∏i=1x α ii x β j |l∏i=1x α iiis a monomial of f λand∏ li=1 xα iiis a monomial of fλ−k}LM(f)kare defined. The values of t and β are chosen with respect to the specific equation andsizes of the unknowns. The shifts derived from monomials with β > 0 are called extra

2.3. LATTICES 37shifts. Such extra shifts can also be applied to several variables.Then the shift polynomials are defined asf α1 ,...,α l(x 1 ,...,x l ) :=∏ li=1 xα iiLM(f) k fk (x 1 ,...,x l ) for k = 0,...,λ, andl∏i=1x α ii ∈ M k \ M k+1 .Geometrically, this can be interpreted as follows. To any monomial ∏ li=1 xα ii we can associatea point (α 1 ,...,α l ) ∈ Z l . Applying this correspondence, we can associate a set ofpoints to any polynomial f. We just take the points corresponding to the monomials off. The convex hull of this set is defined as the Newton polytope of f. We denote theNewton polytope by N(f). Then an enlarged and maybe shifted version of the Newtonpolytope gives rise to the definition of the shift monomials. The shift polynomials aredefined such that the set Mon(F) corresponds to the enlarged and shifted version of N(f).Having defined the shift polynomial set, we can proceed as in the univariate case. However,it is no longer sufficient to construct only one polynomial f n (x 1 ,...,x l ) ∈ Z[x 1 ,...,x l ]which is valid over the integers. We need to be able to determine the solution efficiently.A sufficient conditions of this is a zero dimensional system of at least l equations. Givensuch a system, we can determine the solutions by the techniques presented in Section 2.2.Note, however, that the system of equations we obtain is not necessarily of dimension zero.Therefore, the general method is heuristic. Sometimes even fewer equations suffice. Thiscan be seen in the practical experiments in Chapter 6.The bound obtained this way isl∏i=1X s ii< N s N, for{sj = ∑ ∏ li=1 xα ii ∈M 0α js N = ∑ λk=0 k (|M k| − |M k+1 |) .(2.15)Coppersmith’s method over the integers.In a similar manner Coppersmith’s method can be applied to multivariate polynomials overthe integers. Roots of univariate integer polynomials can be easily determined using e. g.Newton iteration. However, as soon as we have more than one unknown we need furtherequations to be able to determine the solutions efficiently. The system formed by theoriginal and the new equations should then be zero dimensional or have other propertiesthat allow to determine its solutions efficiently. In order to get further equations we canagain use Coppersmith’s algorithm [Cop96a, Cop97]. He described a provable method tosolve bivariate equations over the integers.Theorem 2.3.11 (Coppersmith [Cop97])Let f(x 1 ,x 2 ) be an irreducible polynomial over Z. Further, let X 1 ,X 2 be bounds on thedesired solution (¯x 1 , ¯x 2 ). The value W denotes the absolute value of the largest coefficientof f(x 1 X 1 ,x 2 X 2 ).

38 CHAPTER 2. MATHEMATICAL BACKGROUND1. Assume f(x 1 ,x 2 ) to be of degree δ ∈ N in each variable separately. If X 1 X 2 ≤ W 2 3δ,then we can find all integer pairs (¯x 1 , ¯x 2 ) such that f(¯x 1 , ¯x 2 ) = 0 and |¯x i | ≤ X i ,i = 1, 2, in time polynomial in log W, 2 δ .2. Suppose f(x 1 ,x 2 ) to be of total degree δ ∈ N. If X 1 X 2 ≤ W 1 δ, then we can findall integer pairs (¯x 1 , ¯x 2 ) such that f(¯x 1 , ¯x 2 ) = 0 and |¯x i | ≤ X i , i = 1, 2, in timepolynomial in log W, 2 δ .The proof of this theorem is similar to the proof of Theorem 2.3.9 in the univariate modularcase. However, the construction of a suitable basis matrix has to be slightly adopted.Before building a basis matrix, the set of shift polynomials has to be chosen. In thefirst case, the set of shift polynomials is defined as p ij (x 1 ,x 2 ) := x i 1x j 2f(x 1 ,x 2 ) with i,j =0,...,λ for a suitable λ ∈ N. In the second case, it is defined as p ij (x 1 ,x 2 ) := x i 1x j 2f(x 1 ,x 2 )such that i + j ≤ λ for a suitable λ ∈ N.Note that in the modular case the right side of the basis matrix B given in (2.10) consistsof two parts, one part corresponding to the polynomials by containing their coefficients,the second part corresponding to the moduli. In the integer case, however, there are nomoduli. Thus, we have to build the matrix using only the coefficient vectors of the polynomials.We present here one method to build a basis matrix in the integer case similar to the onein [BM05]. This is basically the method we will use for analyses in more complex cases inthe following chapters as well.Let F denote the set of all shift polynomials and Mon(F) the set of all monomials occurringin F. Let m be the monomial corresponding to the largest coefficient of f(x 1 X 1 ,x 2 X 2 ), |F|denote the number of shift monomials and m 1 ,...,m |F| be an ordering of all shift monomialssuch that the monomial m i m does not occur in the set of monomials of m j f(x 1 ,x 2 )for any j < i. Let w := |Mon(F)| be the number of monomials occurring in F and letm |F|+1 ,...,m w be an ordering of the monomials of Mon(F) \ {m 1 m,...,m |F| m}. Furthermore,let M i denote the evaluation of m i in the values (X 1 ,X 2 ) with i = |F| + 1,...,w.We set x := (m |F|+1 ,...,m w ,m 1 m,...,m |F| m). Let D := Diag(M −1−1|F|+1,...,Mw ). For anypolynomial p ij (x 1 ,x 2 ) let p ij denote the coefficient vector of the monomials in p ij orderedsuch that p ij x T = p ij (x 1 ,x 2 ). Let F be the matrix consisting of the coefficient vectors(p ij ) T for all p ij ∈ F. Using these definitions, we define the lattice L via a basis matrix⎛DB :=⎜⎝ 0F⎞⎟⎠m |F|+1.m wm 1 m.m |F| mLike in the modular case the basis matrix B is an upper triangular matrix. The diagonalvalues due to F, however, are no longer derived from any moduli but correspond to a.

2.3. LATTICES 39(preferably) large coefficient of a shift polynomial. Furthermore, we can no longer takeadvantage of powers of the initial polynomial f, but only multiply f with monomials toobtain shift polynomials.From this point on we can proceed in the same manner as in the modular case. We performlattice reduction on B. If the size conditions are fulfilled, we provably get a second equationg(x 1 ,x 2 ) in the two unknowns such that f and g form a system of dimension zero. Thentechniques like Groebner basis computations or calculation of a resultant presented inSection 2.2 can be used to determine the solution.In [BM05], Johannes Blömer and Alexander May generalize this approach. They givefurther constructions of shift polynomial sets and show that solving a modular univariatepolynomial equation with a composite modulus of unknown factorization can be reducedto solving a bivariate integer equation. The shift polynomial sets they use, however, arerequired to have a certain property. This property ensures that the newly determinedpolynomial is coprime to the initial one.In contrast to their construction, the monomial sets {m 1 m,...,m |F| m} and Mon(F) weuse may have any structure. This allows to compute better bounds. On the negative side,however, it might happen that a newly constructed polynomial is a multiple of the first oneor that both polynomials have a non-trivial common divisor. Then we do not get any newinformation from the new polynomial. This implies that the solution cannot be recoveredefficiently. However, in practice, the method usually works even without being provable sothat this can be used as a heuristic. In more general cases of more variables or systemsof equations a heuristic is usually needed anyway. Hence, in our analyses, we would haveto include a heuristic even in the bivariate case. We will use this technique to analyze theproblem of implicit factoring in Chapter 6. For the description of this problem, however,we need at least three variables.Other variants to build a basis matrix and their analyses can be found in [Cop97, Cor04,Cor07].An application of this method to the problem of factorization with partially known factorsis given by Don Coppersmith.Theorem 2.3.12 ([Cop97] Theorem 5)Let N be an n-bit composite number. Then we can find the factorization of N = pq inpolynomial time if we know the low order n bits of p.4Like in the modular case Coppersmith’s method can be generalized to multivariate equationsover the integers in k > 2 unknowns as well. However, to solve equations over theintegers in more than k > 2 variables we need to determine more than one additional equation.One sufficient condition to be able to determine the roots is that we can determinek − 1 new equations such that they, together with the original equation, form a system ofdimension zero. Then we can determine the solutions by successive resultant computationor the use of Groebner bases described in Section 2.2.

40 CHAPTER 2. MATHEMATICAL BACKGROUNDIn his work, Don Coppersmith includes the condition that suitable equations are generatedas a heuristic.In 2007, Aurélie Bauer and Antoine Joux [BJ07] showed how this condition can be provablyachieved in the case of three variables. The drawbacks of their method, however, are anincreased running time and smaller bounds on the size of the solutions which can bedetermined. A short description of their method is given in Chapter 6.Due to the worse bounds and the fact that the heuristic approach usually works well inpractice, we will stick to the heuristic methods in the subsequent chapters.Some examples of different attacks with Coppersmith’s method for which the heuristic ispractically verified are given in [BD99, JM06, JM07, HM08].However, different heuristics may be used as well. For example, Santanu Sarkar and SubhamoyMaitra do not get a system of dimension zero [SM09] when analyzing the problem ofimplicit factoring of two integers. Nevertheless, a Groebner basis of the set of polynomialequations reveals the solution. Additional information on this will be given in Section 6.1.

Chapter 3Solving Systems of Modular UnivariatePolynomial EquationsIn this chapter we deal with the problem of solving univariate equations or systems ofunivariate equations. Assume f(x) is an arbitrary univariate polynomial. Our aim isto determine all values x 0 such that f(x 0 ) = 0. If f(x) ∈ Z[x] is a polynomial over theintegers (or rationals or reals), its roots can efficiently be found by Newton iteration [SB02]or binary search.Let us now consider modular polynomials f(x) ∈ Z N [x], N ∈ N. If N is prime or a primepower, then again the equation f(x) ≡ 0 (mod N) can be solved using e. g. Berlekamp’salgorithm [Ber67, Ber70, BS96]. In its basic form, however, the algorithm has a complexityexponential in n, the number of factors of f(x). Mark van Hoeij improved the complexityto a polynomial time complexity in n by using lattice reduction [vH01]. The polynomialcomplexity bound for this algorithm is given in [BvHKS07]. Note that n is not necessarilypolynomial in the bitsize of N. In the sequel of this chapter we will without loss ofgenerality assume all given moduli to be composite.For arbitrary moduli the best result known so far was given by Don Coppersmith (Theorem2.3.9). We briefly recall the result here. Let δ := deg(f) be the degree of f. Thenall |x 0 | < N 1 δ such that f(x 0 ) ≡ 0 (mod N) can be determined in polynomial time inlog(N) and δ. In [Cop01], Don Coppersmith further argues that by this method thebound cannot be improved for general polynomials. Let N = q 3 for a prime q and setf(x) := x 3 + Dqx 2 + Eq 2 x with D,E ∈ Z. Any x 0 which is a multiple of q clearly solvesf(x 0 ) ≡ 0 (mod N). For ǫ > 0 the number of x 0 such that |x 0 | < N 1 3 +ǫ = qN ǫ andf(x 0 ) ≡ 0 (mod N) is about 2N ǫ . That is, we have exponentially many such values x 0and cannot hope to find them with Coppersmith’s algorithm as the number of small rootsis bounded by the lattice dimension. Furthermore, the running time of the algorithm ispolynomial in the lattice dimension as well. That is, we cannot even output exponentiallymany solutions in polynomial time.Sometimes, however, we get additional equations with the same solution. The questionarises what happens then. Does this information help to determine larger solutions aswell? Instead of one equation, let us now consider the following system of k ∈ N equations41

42 CHAPTER 3. SOLVING SMUPEwith a shared solution x 0 . We define the problem of solving systems of modular univariatepolynomial equations (SMUPE-problem).Definition 3.0.13 (SMUPE-problem)Let k ∈ N, δ 1 ,...,δ k ∈ N, and N 1 ,..., N k ∈ N. Suppose N 1 ≤ N 2 ≤ ... ≤ N k . Assumef 1 (x),...,f k (x) to be polynomials of degree δ 1 ,...,δ k in Z N1 [x],...,Z Nk [x], respectively.Letf 1 (x) ≡ 0 (mod N 1 )f 2 (x) ≡ 0 (mod N 2 ). (3.1)f k (x) ≡ 0 (mod N k )be a system of univariate polynomial equations.Let X < N 1 , X ∈ R. Find all common roots x 0 of (3.1) with size |x 0 | ≤ X.We would like to analyze up to which size of the unknown the solutions can be found inpolynomial time. This depends on the structure of the given set of equations. Without lossof generality we assume that for all N i and N j , i,j = 1,...,k, it is either N i = N j , or N iand N j are relatively prime. In any other case we can determine factors of N i and N j bycalculating their greatest common divisor gcd(N i ,N j ) = N ij . Then we can transform thegiven equation into equations modulo these factors by the Chinese Remainder Theorem(Theorem 2.2.13). More precisely, the equation f i (x) ≡ 0 (mod N i ) is equivalent to asystem f i1 (x) ≡ 0 (mod N ij ) and f i2 (x) ≡ 0 (mod N iN ij). Analogously, f j (x) ≡ 0 (mod N j )is equivalent to a system f j1 (x) ≡ 0 (mod N ij ) and f j2 (x) ≡ 0 (mod N jN ij). Putting theequations f i1 (x) ≡ 0 (mod N ij ),f i2 (x) ≡ 0 (mod N iN ij),f j1 (x) ≡ 0 (mod N ij ),f j2 (x) ≡ 0(mod N jN ij) into the system instead of f i (x) ≡ 0 (mod N i ) and f j (x) ≡ 0 (mod N j ), weobtain a system with equal or coprime moduli. If this system contains a prime modulusp, we can determine x 0 by regarding only the equation with this modulus. Therefore, westill assume all moduli to be composite.To better analyze the system, we distinguish the following two cases: The subsequentsection deals with systems of equations of which at least two share the same modulus. Thecase of mutually coprime moduli is analyzed in Section 3.2.3.1 Solving Systems of Modular Univariate PolynomialEquations with a Common Modulus (SMUPE1)Often two equations f 1 (x) ≡ 0 (mod N) and f 2 (x) ≡ 0 (mod N) are sufficient to determineall common solutions. Let us start with two examples where this is easy to see as the givensystems of two equations have a special structure. Both examples are derived from the

3.1. SOLVING SMUPE1 43context of RSA encryption. An unknown message m is encrypted by exponentiation by apublic exponent e to a known ciphertext c ≡ m e (mod N). Determining m corresponds tofinding the solutions of the equation f(x) := x e − c ≡ 0 (mod N). Combining more thanone of these equations with the same root can lead to easy algorithms to calculate m.Example 3.1.1 (G. Simmons [Sim83])Let e 1 ,e 2 ∈ N with gcd(e 1 ,e 2 ) = 1 and N ∈ N be composite. Let f 1 (x) := x e 1− m e 1andf 2 (x) := x e 2− m e 2be two polynomials in Z N [x]. Our aim is to find the common root mof f 1 (x) and f 2 (x). To achieve this, we compute integers u 1 , u 2 such that u 1 e 1 + u 2 e 2 = 1with the help of the Extended Euclidean Algorithm. This gives us m ≡ (m e 1) u 1(m e 2) u 2(mod N). The running time of this attack is polynomial in the bitlength of (e 1 ,e 2 ) as theExtended Euclidean Algorithm and exponentiation are.In practice such equations occur in a plain RSA scenario in which the same message mis sent to two users with coprime public exponents e 1 and e 2 and common public moduliN 1 = N 2 = N.In a different scenario, instead of sending the same message twice to different users, similarmessages can be sent to the same user.At the Crypto’95 rump session Matthew K. Franklin and Michael K. Reiter presented analgorithm to recover linearly related messages, both encrypted with the RSA public keye = 3 and N.Example 3.1.2 (Franklin, Reiter [FR95])Let m 1 and m 2 = m 1 + 1 be two unknown messages. And let c 1 ≡ m 3 1 (mod N) andc 2 ≡ m 3 2 (mod N) be their known RSA encryptions under the RSA public key (N, 3).Then the messages can be recovered by calculatingc 2 + 2c 1 − 1c 2 − c 1 + 2≡ (m 1 + 1) 3 + 2m 3 1 − 1(m 1 + 1) 3 − m 3 1 + 2≡ 3m3 1 + 3m 2 1 + 3m 1≡ m3m 2 1 (mod N)1 + 3m 1 + 3and m 2 ≡ m 1 + 1 (mod N).For any other affinely related messages m 1 and m 2 = αm 1 + β, α ∈ Z ∗ N ,β ∈ Z N encryptedunder the RSA public key (N, 3), the messages can be recovered in a similar way:β(c 2 + 2α 3 c 1 − β 3 )α(c 2 − α 3 c 1 + 2β 3 )≡ β((αm 1 + β) 3 + 2α 3 m 3 1 − β 3 )α((αm 1 + β) 3 − α 3 m 3 1 + 2β 3 )≡ 3α3 βm 3 1 + 3α 2 β 2 m 2 1 + 3αβ 3 m 13α 3 βm 2 1 + 3α 2 β 2 m 1 + 3αβ 3 ≡ m 1 (mod N)and m 2 ≡ αm 1 + β (mod N).This approach was generalized to other public exponents, more equations and relations ofdifferent degrees by Don Coppersmith, Matthew K. Franklin, Jacques Patarin and MichaelK. Reiter in [CFPR96].

44 CHAPTER 3. SOLVING SMUPEIn a first step, they relax the restriction on e and regard any two equations m e 1 ≡ c 1(mod N) and m e 2 ≡ c 2 (mod N). Following the approach described in Example 3.1.2, onecan construct two equations P(m 1 ) and Q(m 1 ) such that Q(m 1 ) ≡ m 1 P(m 1 ) (mod N) usingonly the publicly known parameters. This computation, however, is quite complicated.For larger exponents e, Don Coppersmith et al. pursue a different approach. Let againm e 1 ≡ c 1 (mod N) and m e 2 ≡ c 2 (mod N) be encryptions of two unknown messages m 1and m 2 related by a polynomial p(x) of degree deg(p) = δ such that m 2 = p(m 1 ). Wetransform these equations to m e 1 − c 1 ≡ 0 (mod N) and p e (m 1 ) − c 2 ≡ 0 (mod N). Thenm 1 is a common solution of the two equations f 1 (x) := x e − c 1 ≡ 0 (mod N) and f 2 (x) :=p e (x)−c 2 ≡ 0 (mod N). Consequently, f 1 (x) and f 2 (x) share a factor (x−m 1 ). Computingthe greatest common divisor gcd (f 1 (x),f 2 (x)) (mod N) reveals this factor if it is the onlycommon factor and the computation does not fail. We will comment on both problems inthe subsequent paragraph with respect to more general equations. The running time ofthis method is O(eδ log 2 (eδ) log 2 (N)).Further extending the problem, one might have an implicit relation p(m 1 ,m 2 ) = 0 betweenm 1 and m 2 instead of the explicit one m 2 = p(m 1 ). The given equations are then multivariateand the analysis becomes more complicated. We will refer to this in Section 4.1.Another interesting generalization will be the topic of the rest of this section. It is ageneralization from RSA polynomials to arbitrary univariate polynomials. Let f 1 (x) andf 2 (x) ∈ Z N [x] be polynomials of degree δ 1 and δ 2 , respectively. The goal is again to findall solutions x 0 such that f 1 (x 0 ) ≡ 0 ≡ f 2 (x 0 ) (mod N). This system can be solved in thesame manner as the RSA equations given before. Just compute gcd(f 1 (x),f 2 (x)) (mod N).If both polynomials share exactly one common root (with multiplicity one), a linear factorf(x) := αx + β is revealed. Thus, x 0 ≡ −βα −1 (mod N).However, two problems may occur during the computation of a greatest common divisor.First, the computation might be impossible. This happens whenever the leading coefficientc of a polynomial which is computed by the Euclidean Algorithm is not invertible in Z N .Then gcd(c,N) > 1, and we have found a divisor of N. Thus, we can split up the equationsNmodulo N into two equations modulo gcd(c,N) and by the Chinese Remaindergcd(c,N)Theorem. If the new moduli are prime, we can determine x 0 easily. Otherwise we canrestart the algorithm with smaller moduli. In the following we, therefore, assume that thegreatest common divisor computation always succeeds.Even if successful, the result of the greatest common divisor computation might be apolynomial g of degree δ g greater than 1. In this case we cannot compute all possiblesolutions of the system under consideration but only all solutions x 0 such that |x 0 | < N 1δg .These solutions x 0 can be determined by applying Coppersmith’s method to the greatestcommon divisor polynomial g. Then further equations with the same solution might helpto reveal a factor of smaller degree.

3.2. SOLVING SMUPE2 453.2 Solving Systems of Modular Univariate PolynomialEquations with Coprime Moduli (SMUPE2)In Section 3.1 we have seen that given a system of modular equations a common solutioncan usually be determined from any two equations with equal moduli. Therefore, we nowassume that no pair of such equations occurs in our system, i. e. we focus on the analysisof univariate systems of equations with pairwise coprime moduli. Let us formally statethe problem of solving systems of modular univariate polynomial equations with mutuallycoprime moduli (SMUPE2-problem). It is a special case of Definition 3.0.13.Definition 3.2.1 (SMUPE2-problem)Let k ∈ N, δ 1 ,...,δ k ∈ N, and let N 1 ,..., N k ∈ N be mutually coprime composite numbersof unknown factorization. Suppose N 1 < N 2 < ... < N k . Assume f 1 (x),...,f k (x) to bepolynomials of degree δ 1 ,...,δ k in Z N1 [x],...,Z Nk [x], respectively. Letf 1 (x) ≡ 0 (mod N 1 )f 2 (x) ≡ 0 (mod N 2 ). (3.2)f k (x) ≡ 0 (mod N k )be a system of univariate polynomial equations.Let X < N 1 , X ∈ R. Find all common roots x 0 of (3.2) with size |x 0 | ≤ X.Solving SMUPE2 is, thus, equivalent to determining all common solutions up to a certainbound of a given system of modular univariate equations.Johan Håstad [Hås88] gave the following algorithm for solving the SMUPE2-problem.Let δ ∈ N be the maximum degree of all polynomials occurring in the system, i. e.δ := max i=1,...,k {δ i }. One first multiplies the given polynomials with x δ−δ ito adjust theirdegrees. Then one combines the resulting polynomials using the Chinese Remainder Theoremto a univariate polynomial f(x) with the same roots modulo ∏ ki=1 N i. Applying latticereduction methods, Johan Håstad derived k > δ(δ+1)2as a lower bound on the number ofpolynomials for efficiently finding all roots x 0 with |x 0 | < N 1 . As f(x) is a polynomial ofdegree δ, this bound can be easily improved to k ≥ δ by directly applying Coppersmith’slattice-based techniques [Cop97] to f(x) (see e.g. [Bon99]).An Approach with Better Polynomial ModelingWe give a different construction to combine all k polynomial equations into a single equationf(x) ≡ 0 (mod ∏ ki=1 N i) in [MR08]. Instead of multiplying the polynomials by powers of xlike in Håstad’s approach, we take powers of the polynomials f i (x) themselves. This resultsin the condition ∑ k 1i=1 δ i≥ 1 for solving the SMUPE2-problem for all x 0 with |x 0 | < N 1 .In case all polynomials share the same degree δ, this corresponds to the condition k ≥ δ.

46 CHAPTER 3. SOLVING SMUPEFor polynomials of different degrees, however, our new condition is superior. In particular,a few polynomials of low degree suffice to calculate all joint solutions.As an introductory example let us consider Coppersmith’s method (Theorem 2.3.9) for theδfirst equation f 1 (x) ≡ 0 (mod N 1 ) in (3.2). This way, only small roots x 0 with |x 0 | < N 11can be found in polynomial time. By regarding further equations, this bound can beimproved until all solutions can be found eventually.By Håstad’s algorithm in combination with Theorem 2.3.9 the condition k ≥ δ with δ :=max i=1,...,k {δ i } is sufficient to solve a system of equations efficiently. However, this conditionis clearly not optimal as the following trivial example shows. Let N 1 < ... < N 4 and takethe following equations:x 3 ≡ c 1 (mod N 1 )x 3 ≡ c 2 (mod N 2 )x 3 ≡ c 3 (mod N 3 )x 5 ≡ c 4 (mod N 4 ).Then k = 4 < 5 = δ, i.e. Håstad’s condition is not fulfilled. However, if we just take thefirst three equations, we are able to compute all common solutions smaller than N 1 . Thisindicates that we should take the proportion of higher and lower degrees of the polynomialsinto account. Let us now change the given example a little bit into a non-trivial one sothat no subsystem of the equations fulfills the sufficient condition:x 3 ≡ c 1 (mod N 1 )x 3 ≡ c 2 (mod N 2 )x 5 ≡ c 3 (mod N 3 )x 5 ≡ c 4 (mod N 4 ).The parameters k and δ as well as the N i remain the same. Can we still determine allsolutions? We notice that we can transform the first equation by squaring intox 6 ≡ 2c 1 x 3 − c 2 1 (mod N 2 1).Applying Theorem 2.3.9 to this equation, we can find all solutions x 0 for which |x 0 |

3.2. SOLVING SMUPE2 47x 0 with |x 0 | < N 1 = (N1) 6 1 6 ≤ (N1N 2 2N 2 3 N 4 ) 6. 1 Therefore, we can determine all solutions ofthe above system of equations, although the condition k ≥ δ is not fulfilled.In order to generalize our approach, we make the following crucial observation. Let f(x)be a polynomial of degree δ. Let f(x) ≡ 0 (mod N) for N ∈ N, and let m ∈ N. Theng(x) := f m (x) ≡ 0 (mod N m ). The solutions x 0 with |x 0 | < N of the two equations remainunchanged. Moreover, with Coppersmith’s Theorem 2.3.9 we can determine those solutionsx 0 for which the condition |x 0 | < N 1 δ ⇔ |x 0 | < (N m ) 1 mδ holds. Thus, Coppersmith’sbound is invariant under taking powers of the polynomial f(x).As opposed to our approach, in Håstad’s algorithm one does not take powers of the polynomialsbut multiplications of polynomials with powers of x. This increases the degree ofthe polynomial but leaves the modulus unchanged. Let f(x) be a polynomial of degree δwith f(x) ≡ 0 (mod N) for N ∈ N. Then with γ > δ the equation g(x) := x γ−δ f(x) ≡ 0(mod N) contains all the solutions x 0 of f(x) ≡ 0 (mod N) with |x 0 | < N. However,applying Coppersmith’s method to determine roots of g(x) we only get roots x 0 with|x 0 | < N 1 1γ < N δ. So obviously, Coppersmith’s bound is not invariant under multiplicationwith powers of x. This explains why we obtain a superior bound on the size of the roots.In the following analysis we will restrict ourselves to monic polynomials. If one of the givenpolynomials f i (x) is not monic, either the coefficient of the leading monomial is invertible,or we can find a factor of the modulus. In the first case, we transform the polynomial to amonic one by multiplication with the inverse of the leading coefficient. In the latter case,we can replace the modular equation f i (x) ≡ 0 (mod N) by two equations modulo the twofactors. For RSA moduli we even obtain the complete factorization, which in turn allowsfor efficiently solving this polynomial equation modulo the prime factors provided that thedegree δ i is polynomial in log(N).Theorem 3.2.2Let (f i ,δ i ,N i ),i = 1,...,k, be an instance of the SMUPE2-problem with monic f i . DefineM := ∏ kifor all x 0 withδi=1 N δ iin time O(δ 6 log 2 M).with δ := lcm{δ i ,i = 1,...,k}. Then the SMUPE2-problem can be solved|x 0 | < M 1 δProof: Let x 0 be a solution of the system of polynomial equations (3.2). Then x 0 is asolution ofδδf ii (x) ≡ 0δδ(mod N ii ) for all i = 1,...,k .All these equations have common degree δ and are monic. Combining them by ChineseRemaindering yields a polynomial f(x) of degree δ such that x 0 is a solution of f(x) ≡ 0(mod M) with M := ∏ kδi=1 N δ ii . Moreover, this polynomial is still monic. For the coefficienta δ of the monomial x δ δin f(x) it holds that a δ ≡ 1 (mod N ii ) for all i = 1,...,kand, therefore, a δ ≡ 1 (mod M).δ

48 CHAPTER 3. SOLVING SMUPEThe above step can be performed in time O(δ log 2 M) by Theorem 2.2.13. With Theorem2.3.9 all solutions x 0 of the above equation which fulfill |x 0 | ≤ M 1 δ = ( ∏ k δ ii ) 1 δ canbe found in time O(δ 5 (δ + log M) log M). Therefore, the result can be obtained in timeO(δ 6 log 2 M).i=1 N δTheorem 3.2.2 immediately gives us a sufficient condition on k and the δ i for solving theSMUPE2-problem for all x 0 ∈ Z N1 .Corollary 3.2.3The SMUPE2-problem can be solved for all x 0 ∈ Z N1 in time O(δ 6 log 2 M) provided thatk∑i=11δ i≥ 1. (3.3)Proof: Let x 0 be a common solution to all the equations. An application of Theorem 3.2.2gives us |x 0 | < M 1 δ := ( ∏ kδi=1 N δ iin time O(δ 6 log 2 M). As ( ∏ kcan be found.i ) 1 δ as an upper bound for all roots that can be computedδi=1 N δ ii ) 1 δ ≥ ∏ ki=1 N 1δ i∑ ki=1 1 δ i1 = N1 ≥ N 1 all solutions x 0 ∈ Z N1By this we get an algorithm to solve the SMUPE2-problem with running time polynomialin the bitsize of the N i , i = 1,...,k, if δ is polynomial in the bitsize of the N i .Remark 3.2.4The same result is obtained by applying Coppersmith’s method [Cop97] directly to thepolynomials f 1 (x),...,f k (x) instead of f(x). The polynomial modeling is then revealed inthe choice of shift polynomials. To do so, however, we need some further information onapplying Coppersmith’s algorithm to systems of equations. Therefore, the correspondingproof will be given in Section 5.3.1.Comparing this to the result due to Håstad and Coppersmith, we observe that in the caseδ := δ 1 = ... = δ k the sufficient condition is k ≥ δ with both methods. For different δ ihowever, our method is always superior. Taking e.g. the illustrating example with publicexponents (3, 3, 5, 5) from the beginning of this section, we see that our new condition1+ 1 + 1 + 1 = 16 ≥ 1 is fulfilled.3 3 5 5 15Moreover, our formula captures the intuition that equations of low degree δ i comprise moreinformation since they contribute to the sum in (3.3) with a larger term 1 δ ithan equationswith higher degree.3.2.1 Optimality of Our Bound for Solving SMUPE2In this section, we will see that the condition |x 0 | < M 1 δ for efficiently solving the SMUPE2-problem given in Theorem 3.2.2 is optimal if the moduli N i are prime powers. This impliesthat the condition cannot be improved in general, unless we make use of the structure of

3.2. SOLVING SMUPE2 49the moduli or of the specific polynomials occurring in the system. Thus, our argumentdoes not exclude the existence of superior conditions for special moduli, e.g. square-freeN i .The counting argument that we use is a generalization of the argument in [Cop01] tosystems of polynomial equations instead of a single equation.Let k ∈ N. Let p 1 ,...,p k be different prime numbers and δ 1 ,...,δ k ∈ N. We defineN 1 := p δ 11 ,...,N k := p δ kk. Suppose N 1 < ... < N k . Let us look at the following system ofpolynomial equations:f 1 (x) := x δ 1≡ 0 (mod N 1 )f 2 (x) := x δ 2≡ 0 (mod N 2 ). (3.4)f k (x) := x δ k≡ 0 (mod N k ).We would like to determine all solutions x 0 of this system with |x 0 | < N 1 = p δ 11 . Anapplication of Theorem 2.3.9 to a single equation f i (x) ≡ 0 (mod N i ) efficiently yields allsolutions x 0 with |x 0 | < (N i ) 1 δ i = p i . Furthermore, each multiple of p i is a solution off i (x) ≡ 0 (mod N i ). Thus, if x 0 is a multiple of ∏ ki=1 p i, then x 0 is a common zero of allthe polynomials.Let δ := lcm{δ i ,i = 1,...,k}. We apply the same method as in the proof of Theorem 3.2.2to the polynomial equations in system (3.4). Namely, we take their δ δ i-th powers andcombine them by Chinese Remaindering (Theorem 2.2.13). This gives us an equationf(x) ≡ x δ (mod M) with M := ∏ k δ ii = ∏ ki=1 pδ i with the same roots as in (3.4).We assume that M 1 δ < N 1 . Otherwise M 1 δ ≥ N 1 > |x 0 |, i. e. the condition of Theorem 3.2.2is fulfilled and there is nothing to be shown. Therefore, let ǫ > 0 such that M 1 δ +ǫ < N 1 .Suppose now we could calculate all simultaneous solutions x 0 of the system such that|x 0 | < M 1 δ +ǫ = ( ∏ ki=1 p i) 1+δǫ . Since we know that every integer multiple of ∏ ki=1 p i isa solution of (3.4), the number of roots is roughly 2( ∏ ki=1 p i) δǫ . This implies that wehave exponentially many roots x 0 with |x 0 | < M 1 δ +ǫ , which we cannot even output inpolynomial time. Consequently, there is no polynomial time algorithm that improves uponthe exponent in the condition |x 0 | < M 1 δ of Theorem 3.2.2.3.2.2 An Examplei=1 N δA typical example in which polynomially related messages occur is an RSA broadcastscenario. Assume a user wants to broadcast a message m to k different users using anRSA encryption scheme with public exponents e 1 ,...,e k and coprime public moduli N 1

50 CHAPTER 3. SOLVING SMUPEinstead of m. However, if the attacker gets to know the randomness, he can calculateF i (x) := f i (x + r i ) (mod N i ) and analyze the system of equations F i (x) ≡ 0 (mod N i ),i = 1,...,k. As degree, modulus and leading coefficient are the same for F i (x) and f i (x),the upper bound on m up to which m can be recovered efficiently also remains unchanged.More generally, taking polynomially related messages instead of linearly related ones, thedegree of F i (x), i = 1,...,k, changes from e i to e i γ i , where γ i is the degree of the knownpolynomial relation.Corollary 3.2.5Let k ∈ N, (N i ,e i ), i = 1,...,k, be RSA public keys with N 1 < N 2 < ... < N k andcoprime N i . Furthermore, let m ∈ Z N1 and let g i (x) ∈ Z[x] be polynomials of degreeγ i ∈ N with a iγi being the coefficient of x γ ifor i = 1,...,k. Let c 1 ,...,c k be the RSAencryptionsof g i (m) under the public key (N i ,e i ). Define δ i := e i γ i and M := ∏ kwith δ := lcm{δ i ,i = 1,...,k}.Then an adversary can recover the message m in time O(δ 6 log 2 M) provided thatk∑i=11δ i≥ 1.δi=1 N δ iiProof: Without loss of generality we assume that all a iγi are invertible modulo N i . (Otherwisegcd(a iγi ,N i ) and i Ngcd(a iγi ,N iwill give us the factorization of N) i for at least onei ∈ {1,...,k}. We can then compute m modulo the prime factors. This can be doneefficiently if δ i is polynomial in log(N i ) as explained in the introduction of this chapter.)We are looking for a solution m of f i (x) := g i (x) e i−c i ≡ 0 (mod N i ), i = 1,...,k. However,the polynomials f i (x) are not necessarily monic. Therefore, ( we) modify them slightly tobe able to apply Corollary 3.2.3. Let F i (x) := a −e iiγ gi i(x) e i− c i (mod Ni ), i = 1,...,k.Hence, F i (x) is a monic polynomial of degree δ i = e i γ i . The corollary then directly followsas an application of Corollary 3.2.3.

Chapter 4Basic Approaches for Solving Systemsof Multivariate Polynomial EquationsMany problems occurring in the context of cryptography cannot be described as polynomialequations in one unknown but comprise several unknowns. Take, for example, the problemof factoring, i. e. given N ∈ N which is the product of two large primes p and q, determinep and q. We can easily transfer the problem of finding p and q into the problem of findingthe non-trivial roots of a multivariate polynomial f: Define f(x,y) := N − xy ∈ Z[x,y].Then f(p,q) = 0.In a more general setting, we are not only given one equation but several ones. Thefollowing three chapters deal with the problem of solving systems of multivariate polynomialequations (SMPE-problem), either over the integers (SIMPE-problem) or as modularsystems (SMMPE-problem). The case of systems of modular equations can be dividedup further into systems with a common modulus (SMMPE1) and systems with mutuallycoprime moduli (SMMPE2). That is, we consider the following problems:Definition 4.0.6 (SIMPE-problem)Assume k ∈ N and f 1 (x 1 ,...,x l ),...,f k (x 1 ,...,x l ) to be polynomials of degree δ 1 ,...,δ kin Z[x 1 ,...,x l ], respectively. Letf 1 (x 1 ,...,x l ) = 0f 2 (x 1 ,...,x l ) = 0f k (x 1 ,...,x l ) = 0be a system of multivariate polynomial equations.. (4.1)Let X i ∈ R, i = 1,...,l. Find all common roots (¯x 1 ,..., ¯x l ) of (4.1) with size |¯x i | ≤ X i .and51

52 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPEDefinition 4.0.7 (SMMPE-problem)Assume k ∈ N, δ 1 ,...,δ k ∈ N, and let N 1 ,..., N k ∈ N. Let f 1 (x 1 ,...,x l ),...,f k (x 1 ,...,x l )be polynomials of degree δ 1 ,...,δ k in Z N1 [x 1 ,...,x l ],...,Z Nk [x 1 ,...,x l ], respectively. Letf 1 (x 1 ,...,x l ) ≡ 0 (mod N 1 )f 2 (x 1 ,...,x l ) ≡ 0 (mod N 2 ). (4.2)f k (x 1 ,...,x l ) ≡ 0 (mod N k )be a system of multivariate polynomial equations.Let X i < N i , X i ∈ R, i = 1,...,l. Find all common roots (¯x 1 ,..., ¯x l ) of (4.2) with size|¯x i | ≤ X i .If N 1 = ... = N k , then we denote the problem by SMMPE1; if the N i are mutually coprime,we assume N 1 < N 2 < ... < N k and refer to the problem as SMMPE2.Our goal is to analyze up to which size of the upper bounds X 1 ,...,X l we can determinethe solutions ¯x 1 ,..., ¯x l of either system of equations efficiently. In contrast to the univariatecase (comp. Chapter 3), there are no algorithms working in general for multivariateequations over the integers either. That is why we are interested in analyzing the integeras well as the modular case. The analysis will be divided into three parts.In the following two chapters we adapt Coppersmith’s algorithm to be used to analyzesystems of equations in the modular (Chapter 5) and in the integer case (Chapter 6). Therest of the current chapter deals with simpler approaches to solve systems of multivariateequations. Depending on the structure of the equations, a system can be modeled as alattice such that a short vector in this lattice directly reveals the solution. The resultis, thus, obtained by a simple lattice reduction. Before generally stating some criteria onwhich this analysis is useful, we treat the examples of related messages RSA [CFPR96]and implicit factoring [MR09].4.1 RSA with Related Messages and Implicit RelationsWe reconsider the problem of RSA with related messages. Assume two messages m 1 andm 2 are encrypted with respect to the same modulus N. The corresponding equations withsolutions (m 1 ,m 2 ) are f 1 (x 1 ) := x e 1 −c 1 ≡ 0 (mod N) and f 2 (x 2 ) := x e 2 −c 2 ≡ 0 (mod N).In Example 3.1.2 the relation between m 1 and m 2 was explicit, namely, m 2 ≡ p(m 1 )(mod N). Thus, the system could be transformed into a system of two univariate equationsf 1 (x 1 ) ≡ 0 (mod N) and f 2 (p(x 1 )) ≡ 0 (mod N).In [CFPR96] implicit polynomial relations p(m 1 ,m 2 ) ≡ 0 (mod N) are considered as well.With such relations it is no longer possible to just substitute x 2 by a polynomial in x 1 .Therefore, Don Coppersmith et al. add a further step in the method described in Example3.1.2. As m 2 can no longer be directly substituted in m e 2 − c 2 ≡ 0 (mod N), we regard

4.1. RSA WITH RELATED MESSAGES AND IMPLICIT RELATIONS 53a system of three polynomial equations in two unknowns x 1 and x 2 corresponding to thesolutions m 1 and m 2 :f 1 (x 1 ) ≡ x e 1 − c 1 (mod N)f 2 (x 2 ) ≡ x e 2 − c 2 (mod N)p(x 1 ,x 2 ) ≡ 0 (mod N).To get two polynomials in the same unknown, the resultant (compare Definition 2.2.9) off 1 (x 1 ) and p(x 1 ,x 2 ) with regard to x 1 is computed. This results in a polynomial r(x 2 ) inthe unknown x 2 . We now have two polynomials in one unknown like in case of explicitrelations, and (in most cases) we can compute gcd(r(x 2 ),f 2 (x 2 )) ≡ x 2 − m 2 (mod N),which gives us m 2 . Plugging this value into p(x 1 ,x 2 ), we get two polynomials p(x 1 ,m 2 )and f 1 (x 1 ) in the unknown x 1 and can proceed as before to determine m 1 .An alternative way to achieve this result is to compute a Groebner basis (compare Definition2.2.11) of F = {f 1 (x 1 ),f 2 (x 2 ),p(x 1 ,x 2 )}. In most cases the Groebner basis containsthe polynomials x 1 − m 1 and x 2 − m 2 . From these polynomials we can immediately deriveour solutions m 1 and m 2 . Both variants of the attack can theoretically be performed withequations of any degree. However, the complexity of the attack is polynomial in the degreeof the equations. Therefore, it is only efficient for equations of small degree. Commonlyused moduli like e = 3 or e = 2 16 + 1 fit into the framework of the attack.Resultant or Groebner basis computations can be applied to solve nearly any two equationswith the same modulus. This implies that it is usually sufficient to have two equationsf 1 (x) ≡ 0 (mod N) and f 2 (x) ≡ 0 (mod N) in order to recover the common solutions asexplained in Section 3.1.The problem of RSA with related messages can be generalized to an arbitrary numberof k messages. If the relations between these messages can be expressed explicitly suchthat m i only depends on m 1 ,...,m i−1 , we can restrict our considerations to the first twoequations and their common relation. Then we can perform the same analysis as describedabove. This gives us m 1 and m 2 . Iteratively, any further message m i , i = 3,...,k, can becalculated from m 1 ,...,m i−1 by its explicit description.A natural generalization, thus, includes only one implicit relation between the messages.Suppose we have the following system of k + 1 ∈ N equationsf 1 (x 1 ) := x e 1 − c 1 ≡ 0 (mod N)f k (x k ) := x e k − c k ≡ 0 (mod N).p(x 1 ,...,x k ) ≡ 0 (mod N).As before, in most cases we can either compute the Groebner basis of all polynomials andobtain the answer [x 1 − m 1 ,...,x k − m k ]. Or, we setg 0 (x 1 ,...,x k ) := p(x 1 ,...,x k )

54 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPEand iteratively computeg i (x i+1 ,...,x k ) := res xi (g i−1 (x i ,...,x k ),f i (x i )).After k iterations one gets g k−1 (x k ). Computing the greatest common divisor of g k−1 (x k )and f k (x k ) in most cases leads to gcd(g k−1 (x k ),f k (x k )) = x k − m k . Recursively, for i =k − 1,...,1, we can substitute x i+1 ,...,x k by m i+1 ,...,m k , and calculateto get m i until we have m 1 .gcd(g i−1 (x i ,m i+1 ,...,m k ),f i (x i )) = x i − m iThe techniques used to analyze this problem are basically the same techniques described inSection 2.2. The only difference is that the coefficients here are elements of Z N . Therefore,we have to use a definition and computation of Groebner bases adapted to coefficientsin any ring (compare [Pau07]). Then we can determine all solutions via Groebner basiscomputations if the Groebner basis contains univariate linear polynomials in the differentvariables. There are no constraints concerning the solutions we can determine. This is anadvantage of this method in contrast to the methods we will present in the following. Inthose methods, lattice reduction techniques are used. This leads to size constraints on thesolutions which we can determine this way.Practical problems, however, rarely correspond to systems of equations such that a Groebnerbasis directly reveals the solution. Instead, a Groebner basis computation leads to adifferent, usually simpler system which is still too complicated to derive solutions from.Note further that the complexity of Groebner basis computations is exponential in thenumber of variables. Hence, this approach is not efficient in general (compare Section 2.2).This is a drawback compared to the lattice-based methods we will use.We will analyze the problem of RSA with related messages with the help of Coppersmith’smethod in Chapter 5.2. Now, we will continue with an example of a non zero dimensionalsystem of which we can determine solutions of a certain size.4.2 The Problem of Implicit Factoring with Shared LeastSignificant BitsIn this section we again regard the problem of factoring, that is, given a composite integerN 0 = p 0 q 0 , compute p 0 and q 0 . As this problem seems to be difficult to solve in general,we use an additional oracle. In contrast to previous works like [RS85, Mau96, Cop96a], wehighly restrict the power of the oracle. Namely, we allow for an oracle that on input anRSA modulus N 0 = p 0 q 0 outputs another different RSA modulus N 1 = p 1 q 1 such that p 0and p 1 share their t least significant bits. Moreover, we assume for notational simplicitythat the bitsize of p 1 is equal to the bitsize of p 0 and the bitsize of q 1 is equal to the bitsizeof q 0 .Thus, as opposed to an oracle that explicitly outputs bits of the prime factor p 0 , we onlyhave an oracle that implicitly gives information about the bits of p 0 . Intuitively, since

4.2. THE PROBLEM OF IMPLICIT FACTORING 55N 1 is a hard to factor RSA modulus, it should not be possible to extract this implicitinformation. We show that this intuition is false. Namely, we show that the link of thefactorization problems N 0 and N 1 gives rise to an efficient factorization algorithm providedthat t is large enough.More precisely, let q 0 and q 1 be α-bit numbers. Then our lattice-based algorithm provablyfactors N 0 ,N 1 with N 0 ≠ N 1 in quadratic time whenever t > 2(α + 1). In order to give anumerical example: Let N 0 ,N 1 have 750-bit p 0 ,p 1 and 250-bit q 0 ,q 1 . Then the factorizationof N 0 ,N 1 can be efficiently found provided that p 0 ,p 1 share more than 502 least significantbits. The bound t > 2(α + 1) implies that our first result works only for imbalanced RSAmoduli. Namely, the prime factors p i have to have bitsizes larger than twice the bitsizes ofthe q i .Using more than one oracle query, we can further improve upon the bound on t. In caseof k queries, we obtain N 1 ,...,N k different RSA moduli such that all p i share the t leastsignificant bits. This gives rise to a lattice attack with a (k + 1)-dimensional lattice Lhaving a short vector q = (q 0 ,q 1 ,...,q k ) that immediately yields the factorization of allN 0 ,N 1 ,...,N k . For constant k, our algorithm runs in time polynomial in the bitsize ofthe RSA moduli. As opposed to our first result, in the general case we are not able toprove that our target vector q is a shortest vector in the lattice L. Thus, we leave thisas a heuristic assumption. This heuristic is supported by a counting argument and byexperimental results that demonstrate that we are almost always able to efficiently findthe factorization.Moreover, when putting k queries for RSA moduli with α-bit q i that share t least significantbits of the p i , we improve our bound to t ≥ k+1 α. Hence, for a larger number k of querieskour bound converges to t ≥ α, which means that the p i should at least coincide on α bits,where α is the bitsize of the q i . In case the two prime factors have the same bitsize, thisresult tells us that N 0 = p 0 q 0 ,...,N k = p 0 q k with the same p 0 can efficiently be factored,which is trivially true by greatest common divisor computations. On the other hand, ourresult is non-trivial whenever the bitsizes are not balanced.If we do not restrict ourselves to polynomial running time, then we can easily adapt ourmethod to factor balanced RSA moduli as well. All that we have to do is to determinea small quantity of the bits of q i by brute force search. Using these bits, we can applythe previous method in order to determine at least half of the bits of all q i . The completefactorization of all RSA moduli N i is then retrieved by the aforementioned lattice-basedalgorithm of Coppersmith [Cop96a].4.2.1 Implicit Factoring of Two RSA ModuliLet us start with the analysis of implicit factoring with only one oracle query. Assume thatwe are given two different RSA moduli N 0 = p 0 q 0 ,N 1 = p 1 q 1 , where p 0 , p 1 coincide on thet least significant bits. That is, p 0 = p + 2 t˜p 0 and p 1 = p + 2 t˜p 1 for a common value p thatis unknown to us. Can we use the information that the prime factors of N 0 and N 1 sharetheir t least significant bits without knowing these bits explicitly? That is, can we factorN 0 , N 1 given only implicit information about one of the factors?

56 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPEN 0 ˜p 0pq 0N 1 ˜p 1pq 1t bitsα bitsFigure 4.1: Illustration of N 0 and N 1 for implicit factoring in terms of bits.In this section, we will answer this question in the affirmative. We will show that there isan algorithm that recovers the factorization of N 0 and N 1 in quadratic time provided thatt is sufficiently large.We start with(p + 2 t˜p 0 )q 0 = N 0(p + 2 t˜p 1 )q 1 = N 1 .These two equations contain five unknowns p, ˜p 0 , ˜p 1 ,q 0 and q 1 . By reducing both equationsmodulo 2 t , we can eliminate the two unknowns ˜p 0 , ˜p 1 and obtainpq 0 ≡ N 0 (mod 2 t )pq 1 ≡ N 1 (mod 2 t ).Since q 0 , q 1 are odd, we can solve both equations for p. This leaves us with N 0q 0≡ N 1q 1(mod 2 t ), which we write in form of the linear equationThe set of solutions(N −10 N 1 )q 0 − q 1 ≡ 0 (mod 2 t ). (4.3)L = {(x 0 ,x 1 ) ∈ Z 2 | (N −10 N 1 )x 0 − x 1 ≡ 0 (mod 2 t )}forms an additive, discrete subgroup of Z 2 . Thus, L is a 2-dimensional integer lattice. Lis spanned by the row vectors of the basis matrix( ) 1 N−10 NB L :=10 2 t .This equivalence has been proven in Section 2.3. Notice that by equation (4.3), we have(q 0 ,q 1 ) ∈ L. If we were able to find this vector in L, then we could factor N 0 ,N 1 easily.Let us first provide some intuition on which condition the vector q = (q 0 ,q 1 ) is a shortvector in L. We know that an upper bound on the length of a shortest vector is given bythe Minkowski bound √ 2 det(L) 1 2 = √ 2 · 2 t 2.Since we assumed that q 0 ,q 1 are α-bit primes, we have q 0 ,q 1 ≤ 2 α . If α is sufficiently small,

4.2. THE PROBLEM OF IMPLICIT FACTORING 57then ||q|| is smaller than the Minkowski bound and, therefore, we can expect that q isamong the shortest vectors in L. This happens if||q|| ≤ √ 2 · 2 α ≤ √ 2 · 2 t 2 .So if t ≥ 2α we expect that q is a short vector in L. We can find a shortest vector in L usingGaussian reduction on the lattice basis B L in time O(log 2 (2 t )) = O(log 2 (min{N 0 ,N 1 })).Hence, on the heuristic assumption that q = (q 0 ,q 1 ) is a shortest vector in L, we can factorN 0 ,N 1 in quadratic time. On a slightly more restrictive condition, we can completelyremove the heuristic assumption.Theorem 4.2.1Let N 0 = p 0 q 0 ,N 1 = p 1 q 1 be two different RSA moduli with α-bit q i . Suppose that p 0 ,p 1share at least t > 2(α + 1) bits. Then N 0 and N 1 can be factored in quadratic time.Proof: LetB L =( ) 1 N−10 N 10 2 tbe the lattice basis defined as before.The basis matrix B L spans a lattice L with a shortest vector v that satisfies||v|| ≤ √ 2 det(L) 1 2 = 2t+12 .Performing Gaussian reduction on B L , we get an equivalent basis B =||b 1 || = λ 1 (L) and ||b 2 || = λ 2 (L).(b1)such thatb 2Our goal is to show that b 1 = ±q = ±(q 0 ,q 1 ) which is sufficient for factoring N 0 and N 1 .As L is of full rank, by Hadamard’s inequality we haveThis implies||b 1 || ||b 2 || ≥ det(L).||b 2 || ≥ det(L)||b 1 ||= det(L)λ 1 (L) .Substituting det(L) = 2 t and using λ 1 (L) ≤ 2 t+12 leads to||b 2 || ≥2t2 t+12= 2 t−12 .This implies for any lattice vector 0 ≠ v = a 1 b 1 + a 2 b 2 with ||v|| < 2 t−12 that a 2 = 0, asotherwise λ 2 (L) ≤ ||v|| < ||b 2 ||, which contradicts the optimality of b 2 from Theorem 2.3.3.Thus, every v ≠ 0 with ||v|| < 2 t−12 is a multiple of b 1 . Notice that q = (q 0 ,q 1 ) ∈ L fulfills||q|| = √ 2 · 2 α = 2 2α+12 . Consequently, we have ||q|| < ||b 2 || if2 2α+12 < 2 t−12 ⇔ 2(α + 1) < t .

58 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPETherefore, we get q = ab 1 with a ∈ Z \ {0}. Let b 1 = (b 11 ,b 12 ), then gcd(q 0 ,q 1 ) =gcd(ab 11 ,ab 12 ) ≥ a. But q 0 ,q 1 are primes and, without loss of generality, q 0 ≠ q 1 , sinceotherwise we can factor N 0 ,N 1 by computing gcd(N 0 ,N 1 ). Therefore, by the minimalityof b 1 , |a| = 1 and we obtain q = ±b 1 , which completes the factorization.The running time of the factorization is determined by the running time of the Gaussianreduction, which can be performed in O(t 2 ) = O(log 2 (min{N 0 ,N 1 })) steps.4.2.2 Implicit Factoring of k RSA ModuliThe approach from the previous section can be generalized to an arbitrary fixed number kof oracle queries. This gives us k + 1 different RSA moduliN 0 = (p + 2 t˜p 0 )q 0. (4.4)N k= (p + 2 t˜p k )q kwith α-bit q i .We transform the system of equations into a system of k + 1 equations modulo 2 tpq 0 − N 0 ≡ 0 (mod 2 t ).pq k − N k ≡ 0 (mod 2 t )in k + 2 variables.Analogous to the case of two equations, we solve each equation for p. This can be donebecause all the q i are odd. Thus, we get N 0q 0= N iq i(mod 2 t ) for i = 1,...,k. Writing thisas k linear equations gives us:N −10 N 1 q 0 − q 1 ≡ 0 (mod 2 t ).N −10 N k q 0 − q k ≡ 0 (mod 2 t ).With the same arguments as in the preceding section, the setL = {(x 0 ,x 1 ,...,x k ) ∈ Z k+1 | N −10 N i x 0 − x i ≡ 0 (mod 2 t ) for all i = 1,...,k}forms a lattice. This lattice L is spanned by the row vectors of the following basis matrix⎛B L =⎜⎝1 N0 −1 N 1 · · · N0 −1 ⎞N k0 2 t 0 · · · 00 0.......⎟....... 0 ⎠0 0 · · · 0 2 t.

4.2. THE PROBLEM OF IMPLICIT FACTORING 59Note that q = (q 0 ,q 1 ,...,q k ) ∈ L has norm ||q|| ≤ √ k + 1 · 2 α . We would like to have||q|| = λ 1 (L) as in Section 4.2.1. The length λ 1 (L) of a shortest vector in L is bounded byλ 1 (L) ≤ √ k + 1 · (det(L)) 1k+1 =√k + 1 · (2 tk ) 1k+1 .Thus, if q is indeed a shortest vector, then||q|| = √ k + 1 · 2 α < √ k + 1 · 2 t kk+1 . (4.5)This implies the condition t > k+1 α. We make the following heuristic assumption.kAssumption 4.2.2Let N 0 ,N 1 ,...,N k be as defined in equation (4.4) with t > k+1α.Further, let b k 1 be ashortest vector in L. Then b 1 = ±(q 0 ,q 1 ,...,q k ).Theorem 4.2.3Let N 0 ,...,N k be as defined in the system of equations (4.4) with t > k+1 α. UnderkAssumption 4.2.2, we can find the factorization of all N 0 ,N 1 ,...,N k in time polynomial in((k + 1) k+12 , max i {log N i }).We show the validity of Assumption 4.2.2 experimentally in Section 4.2.5.The running time is determined by the time to compute a shortest vector in L [Kan87,Hel85]. This implies that for any lattice L of rank k + 1 we can compute the factorizationof all N i in time polynomial in their bitsize if (k + 1) k+12 = poly(max i {log N i }), that is,especially, if the lattice has fixed rank k + 1.For large k, our bound converges to t ≥ α. This means that the amount t of commonleast significant bits has to be at least as large as the bitsize of the q i . In turn, this impliesthat our result only applies to RSA moduli with different bitsizes of p i and q i . On theother hand, this is the best result that we could hope for in our algorithm. Notice that weconstruct the values of the q i by solving equations modulo 2 t . Thus, we can fully recoverthe q i only if their bitsize α is smaller than t. In the subsequent section, we will overcomethis problem by avoiding the full recovery of all q i , which in turn leads to an algorithm forbalanced RSA moduli.Remark: All of our results still hold if 2 t is replaced by an arbitrary modulus M ≥ 2 t . Weused a power of two only to illustrate our results in terms of bits.4.2.3 Implicit Factoring of Balanced RSA ModuliWe slightly adapt the method from Section 4.2.2 in order to factor balanced n-bit integers,i. e. N i = p i q i such that p i and q i have bitsize n each. The modification mainly incorporates2a small brute force search on the most significant bits of the q i .Assume that we are given k + 1 RSA moduli as in (4.4). From these moduli we derive k

60 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPEp iq iN 0 ˜p 0 p ˜q 0 x 0N 1 ˜p 1 p ˜q 1 x 1t bitsβ bitsnbits 4Figure 4.2: Illustration of balanced N 0 and N 1 for implicit factoring in terms of bits.linear equations in k + 1 variables:N −10 N 1 q 0 − q 1 ≡ 0 (mod 2 t ).N −10 N k q 0 − q k ≡ 0 (mod 2 t ).The bitsize of the q i is now fixed to α = n, which is equal to the bitsize of the p 2 i, i. e. nowthe number t of bits on which the p i coincide has to satisfy t ≤ α. In the trivial case oft = α = n we can directly factor the N 2 i via greatest common divisor computations as thenp i = p for i = 0,...,k.Thus, we only consider t < n . With a slight modification of the method in Section 4.2.2,2we compute all q i (mod 2 t ). Since t < n, this does not give us the q 2 i directly, but onlytheir t least significant bits. But if t ≥ n , we can use Theorem 2.3.12 for finding the full4factorization of each N i in polynomial time. In order to minimize the time complexity, weassume t = n throughout this section.4To apply Theorem 4.2.3 of Section 4.2.2 the bitsize of the unknown part of the q i has to besmaller than k1t. Thus, we have to guess roughly · t = n bits for each q k+1 k+1 4(k+1) i. Sincewe consider k + 1 moduli, we have to guess a total number of n bits. Notice that this is4the same amount of bits as for guessing one half of the bits of one q j , which in turn allowsto efficiently find this q j using Theorem 2.3.12. With a total amount of n bits, however,4our algorithm will allow us to efficiently find all q i , i = 0,...,k.Let us describe our modification more precisely. We split q i (mod 2 n 4 ) into 2 β ˜q i + x i(mod 2 n 4 ). The number β depends on the number of oracle calls k such that the conditionβ < k · nknholds. Therefore, we choose β to be the largest integer smaller than . Thisk+1 4 4(k+1)implies that the x i ≤ 2 β are small enough to be determined analogously as in Section 4.2.2,nprovided that the ˜q i are known. In practice we can guess an amount of bits for4(k+1)determining each ˜q i , or we can find these bits by other means, e.g. by side-channel attacks.Suppose now that the ˜q i are given for each i. We obtain the following set of equations

4.2. THE PROBLEM OF IMPLICIT FACTORING 61N −10 N 1 x 0 − x 1 ≡ 2 β ( ˜q 1 − N −10 N 1 ˜q 0 ) (mod 2 n 4 ). (4.6)N −10 N k x 0 − x k ≡ 2 β ( ˜q k − N −10 N k ˜q 0 ) (mod 2 n 4 ).Let c i = 2 β (˜q i − N −10 N i ˜q 0 ), i = 1,...,k, denote the known right-hand terms. In contrastto Section 4.2.2, the equations (4.6) that we have to solve are inhomogeneous. Let us firstconsider the lattice L that consists of the homogeneous solutionsL = {(x 0 ,x 1 ,...,x k ) ∈ Z k+1 | N −10 N i x 0 − x i ≡ 0 (mod 2 n 4 ),i = 1,...,k}.L is spanned by the rows of the following basis matrix⎛B L =⎜⎝1 N0 −1 N 1 · · · N0 −1 N k0 2 n 4 0 · · · 00 0...... ... . .. . . 00 0 · · · 0 2 n 4Let l i ∈ Z such that N −10 N i x 0 + l i 2 n 4 = x i + c i . Then we let⎞.⎟⎠q ′ := (x 0 ,l 1 ,...,l k )B L = (x 0 ,x 1 + c 1 ,...,x k + c k ) ∈ L.Moreover, if we define the target vector c := (0,c 1 ,...,c k ), then the distance between q ′and c is||q ′ − c|| = ||(x 0 ,x 1 ,...,x k )|| ≤ √ k + 1 · 2 β ≤ √ k + 1 · 2 kn4(k+1) .This is the same bound that we achieved in Section 4.2.2 for the length of a shortest vectorin equation (4.5) in the case of t = n . So instead of solving a shortest vector problem, we4have to solve a closest vector problem in L with target vector c. Closest vectors can befound in polynomial time for fixed lattice dimension k + 1 (see Blömer [Blö00]). We makethe heuristic assumption that q ′ is indeed a closest vector to c in L.Assumption 4.2.4Let N 0 ,N 1 ,...,N k be as defined in equation (4.6) with β

62 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPE4.2.4 A Counting Argument that Supports our AssumptionsRecall that in Section 4.2.2, the lattice L consists of all solutions q = (q 0 ,q 1 ,...,q k ) of thesystem of equationsN −10 N 1 q 0 ≡ q 1 (mod 2 t ) (4.7).N −10 N k q 0 ≡ q k (mod 2 t ).As gcd(N0 −1 N i , 2 t ) = 1 for any i, the mapping f i : x ↦→ N0 −1 N i x (mod 2 t ) is bijective.Therefore, the value of q 0 uniquely determines the values of q i , i = 1,...,k.In total, the system of equations has as many solutions as there are values to choose q 0from, which is 2 t . Now suppose q 0 ≤ 2 ktk+1 . How many vectors q do we have such that√q i ≤ 2 ktktk+1 for all i = 0,...,k and, thus, ||q|| ≤ k + 1 · 2 k+1 ?Assume for each i = 1,...,k that the value q i is uniformly distributed in {0,...,2 t − 1}and that the distributions of q i and q j are independent if i ≠ j. Then the probability thatq i ≤ 2 ktk+1 is)Pr(q i ≤ 2 ktk+1 = 2 ktk+1= 2 − t2 t k+1 .Furthermore, the probability that q i ≤ 2 ktk+1 for all i = 1,...,k is) ) kPr(q 1 ≤ 2 ktk+1 ,...,qk ≤ 2 ktk+1 =(2 − tk+1 = 2− ktk+1 .Consequently, the expected number of vectors q such that q i ≤ 2 ktk+1 for all i = 0,...,kis 2 ktk+1 · 2− ktk+1 = 1. Therefore, we expect that only one lattice vector, namely q, is shortenough to satisfy the Minkowski bound. Hence, we expect that ±q is a unique shortestvector in L if its length is significantly below the bound √ k + 1 · 2 ktk+1 . This countingargument strongly supports our Assumption 4.2.2.Remark: In order to analyze Assumption 4.2.4 we can argue in a completely analogousmanner. The inhomogeneous character of the equations does not influence the fact thatthe q i are uniquely determined by q 0 .4.2.5 ExperimentsWe verified our assumptions in practice by running experiments on a Core2 Duo 1.66GHznotebook. The attacks were implemented using Magma 1 Version 2.11. Instead of taking alattice reduction algorithm which provably returns a basis with a shortest vector as firstbasis vector, we have used the LLL algorithm [LLL82], more precisely its L 2 version ofPhong Nguyen and Damien Stehlé [NS05], which is implemented in Magma. Although by1 http://magma.maths.usyd.edu.au/magma/

4.2. THE PROBLEM OF IMPLICIT FACTORING 63LLL-reduction the first basis vector only approximates a shortest vector in a lattice, forour lattice bases with dimensions up to 100 LLL-reduction was sufficient. In nearly allcases the first basis vector was equal to the vector ±q = ±(q 0 ,q 1 ,...,q k ), provided thatwe chose suitable attack parameters.First, we considered the case of imbalanced RSA moduli from Theorem 4.2.3. We choseN i = (p + 2 t˜p i )q i , i = 0,...,k, of bitsize n = 1000 with varying bitsizes of q i . For a fixedbitsize α of q i and a fixed number k of moduli, we slightly played with the parameter t ofcommon bits close to the bound t ≥ k+1 α in order to determine the minimal t for whichkour heuristic is valid.bitsize α number of bound number of successk+1of the q i moduli k + 1 α shared bits t ratek250 3 375 377 0%250 3 375 378 97%350 10 389 390 0%350 10 389 391 100%400 100 405 409 0%400 100 405 410 100%440 50 449 452 16%440 50 449 453 97%480 100 485 491 38%480 100 485 492 98%Table 4.1: Attack for imbalanced RSA moduliThe running time of all experiments was below 10 seconds.In Table 4.1, we called an experiment successful if the first basis vector b 1 in our LLLreducedbasis was of the form b 1 = ±q = ±(q 0 ,q 1 ,...,q k ), i.e. it satisfied Assumption4.2.2. There were some cases where other basis vectors were of the form ±q, but wedid not consider these cases as successful.As one can see by the experimental results, Assumption 4.2.2 only works smoothly whenour instances were a few extra bits beyond the bound of Theorem 4.2.3. This is not surprisingsince the counting argument from Section 4.2.4 tells us that we loose uniquenessof the shortest vector as we approach the theoretical bound. In practice, one could eitherslightly increase the number t of shared bits or the number k of oracle calls for making theattack work. Alternatively, one could also perform a small brute force search in a few bits.Analogously, we made experiments with balanced RSA moduli to verify Assumption 4.2.4.Instead of computing closest vectors directly, we used the well-known standard embeddingof a d-dimensional closest vector problem into an (d+1)-dimensional shortest vector problem([MG02], Chapter 4.1), where the shortest vector is of the form b 1 = (q ′ − c,c ′ ), c ′constant. Since c and c ′ are known, this directly yields q ′ and, therefore, the factorizationof all RSA moduli. For solving the shortest vector problem, we again used the LLL algo-

64 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPErithm.As before we called an experiment successful if b 1 was of the desired form, i.e. if Assumption4.2.4 held. In our experiments we used 1000-bit N i with a common share p of t = 250bits.number of bound bits known successnmoduli k + 1 ⌈ 4(k+1) i rate3 84 85 74%3 84 86 99%10 25 26 20%10 25 27 100%50 5 8 46%50 5 9 100%Table 4.2: Attack for balanced 1000-bit N i with 250 bits sharedAll of our experiments ran in less than 10 seconds. Here we assumed that we know therequired bits of each q i , i.e. the running time does not include the factor for a brute-forcesearch.Similar to the experimental results in the imbalanced RSA case, our heuristic Assumption4.2.4 works well in the balanced case, provided that we spend a few extra bits to thetheoretical bound in order to enforce uniqueness of the closest vector.4.3 The Problem of Implicit Factoring with Shared MostSignificant BitsIn [MR09] we have introduced the problem of implicit factoring with respect to shared leastsignificant bits. Jean-Charles Faugère, Raphaël Marinier and Guénaël Renault extendedthe analysis to the problem of implicit factoring with shared most significant bits [FMR09].This extension is not straightforward as the non-shared bits of the larger factor can nolonger be ignored. To see this, let us consider both variants of the factors in the case oftwo composite numbers N 0 and N 1 .Recall that in the case of shared least significant bits we regard the equations(2t˜p 0 + p ) q 0 = N 0 (4.8)(2t˜p 1 + p ) q 1 = N 1 .Solving them for p and combining them, we obtain the equationN 0 q 1 − N 1 q 0 − 2 t (˜p 0 − ˜p 1 )q 0 q 1 = 0. (4.9)

4.3. IMPLICIT FACTORING WITH SHARED MOST SIGNIFICANT BITS 65Then we take the equation modulo 2 t . By this, we can remove the unknowns ˜p 0 and ˜p 1 .The remaining equation is equivalent toN −10 N 1 q 0 ≡ q 1 (mod 2 t ).This linear equation can then be embedded into a lattice. If q 0 and q 1 are small enough(which is the case if t > 2(α+1) as we have seen in the previous section), we can determinethem as solutions of a shortest vector problem.In the case of shared most significant bits the situation changes. We are no longer able tojust remove ˜p 0 and ˜p 1 by a modulo operation. In the case of shared most significant bitsthe equations have the following shape:(˜p0 + 2 n−t−α p ) q 0 = N 0 (4.10)(˜p1 + 2 n−t−α p ) q 1 = N 1 .Analogously to the previous case, they can be solved for 2 n−t−α p and combined:N 1 q 0 − N 0 q 1 − (˜p 1 − ˜p 0 )q 0 q 1 = 0 (4.11)⇔ N 1 q 0 − N 0 q 1 = (˜p 1 − ˜p 0 ) q 0 q 1 .The variables ˜p 0 and ˜p 1 are still contained in the integer equation. However, they correspondto a monomial of size bounded by 2 n+α−t+1 . If this is still small enough, we canembed the integer equation into a lattice L and determine it by calculating a shortestvector. We define the lattice L via a basis matrix( ) ( )b1 2n−t+ 1 2 0 NB L := =1. (4.12)b 2 0 2 n−t+1 2 −N 0The vector q := (2 n−t+1 2q 0 , 2 n−t+1 2q 1 , (˜p 1 − ˜p 0 )q 0 q 1 ) = q 0 b 1 +q 1 b 2 is contained in the latticeL. If it is a shortest vector, it can be determined via lattice reduction. Jean-CharlesFaugère et al. show that q indeed is a shortest vector in L if t > 2(α + 1). This matchesthe bound we have obtained in the least significant bit case. The method can be extendedto more than two composite integers N i in a straightforward way. In order to obtain aresult, t ≥ k+1 α + 6 is required. Then the norm of the vector q fulfills the condition givenk √by the Gaussian heuristic, that is, ||q|| ≤the lattice. We get the additive constant of 6 as the lattice dimension is smaller than thenumber of entries in the vector. Under the heuristic that a vector fulfilling this bound isindeed a shortest vector, q can be determined by lattice reduction. Jean-Charles Faugèreet al. verify the heuristic experimentally.Hence, the results obtained in the case of shared most significant bits are about the sameddet(L) d, 1 where d denotes the dimension of2πeas in the case of shared least significant bits. The lattices used are sublattices of Z (k+2)(k+1)2instead of Z k+1 . This is due to the use of more combinations of the original equations. Foran illustration compare Figure 4.3. Each combination of two composite numbers N i and

66 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPE⎛⎝⎞1 N0 −1 N 1 N0 −1 N 20 2 t 0 ⎠0 0 2 tB L in [MR09]⎛⎝⎞2 n−t+1 2 0 0 N 1 N 2 00 2 n−t+1 2 0 −N 0 0 N 2⎠0 0 2 n−t+1 2 0 −N 0 −N 1B L in [FMR09]Figure 4.3: Comparison of the basis matrices B L used in the constructions of [MR09] and[FMR09] in case of k = 2.N j can be used as it introduces a new monomial (˜p i − ˜p j )q i q j . All the monomials can bedescribed as linear combinations of q i and q j . In contrast to that, we introduce the newmonomials q 1 ,...,q k as (modular) linear functions of q 0 . Hence, we only combine all N i ,i = 1,...,k, with N 0 . That is, we cannot add further equations. In the case of the latticeused by Jean-Charles Faugère et al., however, the additional combinations increase the sizeof the determinant of the lattice and the sublattice they use.Note that the analysis of the determinant gets more complicated due to the rectangularshape of the basis matrix in the most significant bit case. For further details on thecalculation of the bounds and the cases of more than two equations we refer the reader tothe original work [FMR09].4.4 Some General Criteria for Solving Systems of MultivariatePolynomial Equations via Shortest VectorProblemsIn the previous sections some specific problems and their analyses via systems of equationshave been presented. The problem of RSA with related messages can often be solved forany size of the unknowns by Groebner basis techniques (compare Section 4.1, for Groebnerbasis techniques consult Section 2.2). There is no need for lattice-based techniques in theanalysis.In what follows, we will only consider systems in which Groebner basis computations do nothelp to find the solutions. Two examples of such systems related to the problem of implicitfactoring were given in Sections 4.2 and 4.3. They were solved by embedding the solutionsinto a lattice. Then the solutions were determined by solving a shortest vector problem.Based on these examples we derive criteria on which we can apply similar techniques tosolve a system of equations by solving a shortest vector problem.The analysis will be divided into two parts, the analysis of modular systems of equationsand the analysis of systems of equations over the integers. Let us start with the modularcase. Here the analyses of common and coprime moduli coincide so that we do not have todistinguish these two subcases. Thus, let us recall the general SMMPE problem presented

4.4. SOLVING SMPE VIA SHORTEST VECTOR PROBLEMS 67in Definition 4.0.7. For given k ∈ N, δ 1 ,...,δ k ∈ N, and N 1 ,..., N k ∈ N the followingsystem of multivariate polynomial equations shall be solved for its solutions (¯x 1 ,..., ¯x l )such that |¯x i | ≤ X i ∈ R:f 1 (x 1 ,...,x l ) ≡ 0 (mod N 1 )f 2 (x 1 ,...,x l ) ≡ 0 (mod N 2 ). (4.13)f k (x 1 ,...,x l ) ≡ 0 (mod N k ).The polynomials f 1 (x 1 ,...,x l ) ∈ Z N1 [x 1 ,...,x l ],...,f k (x 1 ,...,x l ) ∈ Z Nk [x 1 ,...,x l ] are oftotal degree δ 1 ,...,δ k , respectively.In order to solve the system of equations, we follow the approaches used in the previoussections. Thus, we would like to transform the system of equations into a system of thefollowing structure:˜f 1 (x 1 ,...,x l ) := −c −11 (f 1 (x 1 ,...,x l ) − c 1 m 1 ) ≡ m 1 (mod N 1 )˜f 2 (x 1 ,...,x l ) := −c −12 (f 2 (x 1 ,...,x l ) − c 2 m 2 ) ≡ m 2 (mod N 2 ). (4.14)˜f k (x 1 ,...,x l ) := −c −1k(f k (x 1 ,...,x l ) − c k m k ) ≡ m k (mod N k ).The parameter m i := m i (x 1 ,...,x l ) denotes a specific monomial which occurs in the polynomialf i (x 1 ,...,x l ), the value c i the corresponding coefficient. Without loss of generalitywe assume the coefficients c i to be invertible modulo N i . If they are not, we can determinedivisors of the moduli N i . Then by the Chinese Remainder Theorem 2.2.13 we get two newequations f i1 ≡ 0 (mod N i1 ) and f i2 ≡ 0 (mod N i2 ) equivalent to the old one. Then wemodify the system by adding the system of the two new equations instead of the originalequation. The new system is equivalent to the previous one.In order to proceed analogously to the analysis in the examples, the monomials m 1 ,...,m kshould not correspond to any row in the lattice, but only be introduced by linear combinationsof these rows. For this property to hold, we require the set of monomials {m 1 ,...,m k }to be disjoint to the set of monomials M := Mon({ ˜f 1 ,..., ˜f k }) which occur in the modifiedpolynomials ˜f i . We enumerate the monomials of M as m k+1 ,...,m |M|+k . Using thisnotation, we rewrite the equations of system (4.14) as|M|∑(˜f i ) j m k+j ≡ m i (mod N i ), i = 1,...,k .j=1The vector ˜f i is the coefficient vector of ˜f i with respect to m k+1 ,...,m |M|+k . We define|M|∑L := {(m k+1 ,...,m |M|+k ,m 1 ,...,m k ) | (˜f i ) j m k+j ≡ m ij=1(mod N i ), i = 1,...,k}.

68 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPEThe set L forms a discrete additive subgroup of Z |M|+k . Thus, it defines a lattice. Notethat in the examples of the previous sections we could just take the set L = {(x 1 ,...,x l ) |f i (x 1 ,...,x l ) ≡ 0 (mod N i ), i = 1,...,k} as a lattice. This was possible as the equationswere linear. In this more general case we have to include a linearization step by taking themonomials instead of the variables as components of the vectors. The lattice L is spannedby the row vectors of the basis matrix⎛⎞1... ˜f 1 T ... ˜f T k1B L :=.N 1 ⎜⎟⎝... ⎠N kTo prove this, we proceed in the same manner as in Section 2.3. Let B L =⎛⎜⎝⎞b 1⎟.b |M|+kThen we have b j ∈ L with j = 1,...,|M| because (˜f i ) j ·1 ≡ (˜f i ) j (mod N i ) for i = 1,...,k,and b j ∈ L with j = |M| + 1,...,|M| + k because 0 ≡ N i (mod N i ) and 0 ≡ 0(mod N l ), l ≠ i. Hence, 〈B L 〉 ⊆ L.Now let (m k+1 ,...,m |M|+k ,m 1 ,...,m k ) ∈ L. Then the equation ∑ |M|j=1 (˜f i ) j m k+j ≡ m i(mod N i ) holds for i = 1,...,k. Consequently, there exists an integer n i ∈ Z such that∑ |M|j=1 (˜f i ) j m k+j +n i N i = m i . Then (m k+1 ,...,m |M|+k ,n 1 ,...,n k )B L = (m k+1 ,...,m |M|+k ,m 1 ,...,m k ) ∈ 〈B L 〉. Combining the two inclusions results in the claim L = 〈B L 〉.By construction we have ¯x := (m k+1 (¯x 1 ,..., ¯x l ),...,m |M|+k (¯x 1 ,..., ¯x l ),m 1 (¯x 1 ,..., ¯x l ),...,m k (¯x 1 ,..., ¯x l )) ∈ L. If ¯x was a shortest vector in L, we would be able to find it bylattice reduction. If, further, the solutions ¯x i could be written as rational functions ofthe monomials m 1 (¯x 1 ,..., ¯x l ),...,m |M|+k (¯x 1 ,..., ¯x l ), then we would be able to determinethe variables ¯x i . A necessary condition for ¯x to be a shortest vector in L is that||¯x|| ≤ √ 1|M| + k · det(L)|M|+k , i. e. ¯x has to be smaller than Minkowski’s bound given inDefinition 2.3.4.Note that the vector ¯x is not balanced. Thus, its size is determined by its largest entryand it is rather unlikely to be a shortest vector in L. Hence, we change the vectorto balance the sizes of its components. Therefore, we multiply its entries by suitableKfactors. Let K := lcm{m 1 (X 1 ,...,X l ),...,m |M|+k (X 1 ,...,X l )}, K i := andm i (X 1 ,...,X l )¯m i := m i (¯x 1 ,..., ¯x l ). We setȳ := (K k+1 ¯m k+1 ,...,K |M|+k ¯m |M|+k ,K 1 ¯m 1 ,...,K k ¯m k ).Then every component of ȳ is approximately of size K. If we were able to determine thesolutions using ¯x, we would still be able to do so using ȳ as the K i are known. However,⎠.

4.4. SOLVING SMPE VIA SHORTEST VECTOR PROBLEMS 69ȳ /∈ L. Thus, we define a modified lattice L y via a basis matrix B Ly :⎛⎞K k+1 . . . K 1˜f 1 T ... K k˜f T kKB Ly :=|M|+k .K 1 N 1 ⎜⎟⎝... ⎠K k N kLet l i ∈ Z, i = 1,...,k, denote the integers such that ∑ |M|j=1 (˜f i ) j K i m k+j +l i N i = K i m i . Thatis, l i = K i n i . Then ȳ = (m k+1 (¯x 1 ,..., ¯x l ),...,m |M|+k (¯x 1 ,..., ¯x l ),l 1 ,...,l k )B Ly ∈ L y . Thevector ȳ has norm ||ȳ|| ≤ √ |M| + k · K. As we would like ȳ to be a shortest vector inL y , we get the necessary condition ||ȳ|| ≤ √ |M| + k ·det(L y )|M|+k by Minkowski’s bound.Remark that due to the adaptation of the matrix det(L y ) ≥ det(L). It is det(L y ) =∏ |M|+k ∏j=1K kj i=1 N i. Thus, we have the condition:⎛ ⎞ 1|M|+k|M|+k√ ∏ k∏|M| + k ⎝ N i⎠ ≥√ |M| + k · KBased on this, we make the following heuristic assumption.j=1K ji=1⇔k∏i=1N i≥|M|+k∏j=11KK j.}{{}=m j (X 1 ,...,X l )Assumption 4.4.1Let N i , i = 1,...,k, and m j , j = 1,...,|M| + k, be defined as in the system of equations(4.14). Further, let b 1 be a shortest vector in L y . Then b 1 = ±ȳ.For a complete analysis we add another assumption.Assumption 4.4.2Let m 1 ,...,m |M|+k be defined with respect to the system of equations (4.14). Then thevalues ¯x 1 ,..., ¯x l can be uniquely determined using m 1 (¯x 1 ,..., ¯x l ),...,m |M|+k (¯x 1 ,..., ¯x l ).The results of the method described above can be summarized in the following theorem.Theorem 4.4.3Let the system of equations (4.13) be given. Further, let m j , j = 1,...,|M|+k, be definedas in the system of equations (4.14).Then on Assumptions 4.4.1 and 4.4.2 we can determine all solutions |¯x i | ≤ X i , i = 1,...,k,of system (4.13) in time polynomial in ((|M| + k) |M|+k2, max i {log(KN i )}) ifk∏i=1N i≥|M|+k∏j=1m j (X 1 ,...,X l ).

70 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPEThe running time is dominated by the computation of a shortest vector [Kan87, Hel85].Remark that the different equations which are used as input of the theorem have to beindependent of one another. If, for example, the same equation is added twice in thelattice, the heuristic fails.The SIMPE-problem can be analyzed in an analogous manner. However, some additionalproblems may occur. We give a sketch of the method to point out the problems andadditional conditions we require such that this approach still works. First, the system ofequationsis transformed into a system of equationsf 1 (x 1 ,...,x l ) = 0f 2 (x 1 ,...,x l ) = 0f k (x 1 ,...,x l ) = 0. (4.15)˜f 1 (x 1 ,...,x l ) := − (f 1 (x 1 ,...,x l ) − c 1 m 1 ) = c 1 m 1˜f 2 (x 1 ,...,x l ) := − (f 2 (x 1 ,...,x l ) − c 2 m 2 ) = c 2 m 2. (4.16)˜f k (x 1 ,...,x l ) := − (f k (x 1 ,...,x l ) − c k m k ) = c k m k .As all calculations are performed over the integers, we can no longer assume that thecoefficients c i are invertible. Hence, a natural adaptation would be to directly constructa lattice L I using the equations of system (4.16). Analogously to the modular case, thesolutions of system (4.16) (taking c i m i instead of m i ) form a lattice L I for which we cangive a basis B LI :⎛⎞B LI :=⎜⎝K k+1... K 1˜f T 1 ... K k˜f T kK |M|+kRemark that in this construction the values c 1 m 1 ,...,c k m k correspond to entries of ourtarget vector. As we intend to determine the target vector by calculating a shortest vectorin the lattice L I , we need these values to be small. Thus, for the method to work, we haveto make an additional claim: The coefficients c i have to be of small constant size.Furthermore, note that the lattice L I is not of full dimension. Any basis of this latticeis, thus, given by a rectangular matrix. For rectangular matrices determinant calculationsare more complicated than for square upper triangular matrices. Consequently, it is moredifficult to calculate bounds on the solutions in the integer case. Therefore, we can nolonger give a general bound here. It has to be calculated individually with respect to thespecific system of equations.⎟⎠ .

4.4. SOLVING SMPE VIA SHORTEST VECTOR PROBLEMS 71In general, the method presented in this chapter works as follows. First, we have totransform the given system of equations into a lattice in which our solution corresponds toa shortest vector v. Then we can determine the vector v by lattice reduction. The basiccondition on which the target vector v is a shortest vector is given by Assumption 4.4.1.This, however, is a rather strong requirement. Therefore, only very small solutions, if any,can be found. It would be advantageous if we could relax this condition. A method inwhich the target vector no longer has to be a shortest vector, but only smaller than somebasis vector has been given by Don Coppersmith in 1996 [Cop96b, Cop96a]. For someproblems this method allows to find larger solutions than the method presented in thischapter. We will use variants of it to solve systems of equations in the following chapters.

72 CHAPTER 4. BASIC APPROACHES FOR SOLVING SMPE

Chapter 5Solving Systems of MultivariatePolynomial Equations withCoppersmith’s MethodIn 1996, Don Coppersmith presented a lattice-based technique to solve multivariate polynomialequations over the integers as well as modular ones. A description of the technique,which we call Coppersmith’s method, is given in Section 2.3. The original work mainlyrefers to bivariate equations. Ellen Jochemsz and Alexander May show how to constructshift polynomial sets for multivariate equations in more variables in [JM06]. Directly applyingCoppersmith’s method with those shift polynomial sets, we can give upper boundson the unknowns in case of one equation. In the following sections we will make someprogress in generalizing these techniques to systems of multivariate equations.5.1 Coppersmith’s Algorithm with Systems of EquationsLet us briefly recall how Coppersmith’s method to find small solutions of multivariateequations works in case of one equation: First, a set of shift polynomials is chosen and alattice is defined using these shift polynomials. In a second step, a sublattice of vectorshaving zeros in the last components is determined. This sublattice is constructed to havethe same determinant as the original lattice. In( order)for this to hold, there has to exist a0unimodular transformation U such that UF = , where the matrix F is induced byIa given set F of shift polynomials. By Theorem 2.1.3 such a transformation U exists if theelementary divisors of F are all equal to one. In case of k = 1 (i. e. the system consists ofa single equation), which is described in the original work of Don Coppersmith [Cop96b],the condition can be verified easily. Let f be the polynomial the roots of which are to bedetermined. As f is monic, the vector corresponding to this polynomial contains an entryequal to 1. Consequently, each shift polynomial is monic as well as it is constructed bymultiplying f with some monomial. In the shift set, the shifts can be ordered by graded73

74 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSlexicographic ordering so that each polynomial introduces at least one new monomial,namely its leading monomial. It is at a position in which all previous vectors were of valuezero. Thus, the matrix F corresponding to the set of shift polynomials contains an uppertriangular submatrix with a diagonal of value one. Consequently, all elementary divisorsof F are equal to one and the required unimodular transformation U exists.The same holds for the analysis of a single multivariate polynomial equation using the shiftpolynomial set F as defined in [JM06]. There the polynomial to be analyzed is transformedinto a monic one in a first step. Then the shift polynomial set is calculated to consist ofshifted powers of the original polynomial. These polynomials are ordered in a way thateach shift polynomial introduces its leading monomial. Thus, the matrix F again containsan upper triangular submatrix having only ones on its diagonal. This implies that allelementary divisors of F are equal to one and a suitable unimodular transformation Uexists.For a general set of shift polynomials, however, this is not that easy to see.In what follows we will relate the condition of Theorem 2.1.3 to conditions on the set ofshift polynomials. Therefore, we introduce some additional notation.When constructing sets of shift polynomials, the goal is to include additional informationwith every additional polynomial. If a polynomial is an integer linear combination of thepolynomials already included, we do not gain anything by adding it to the shift polynomialset. Hence, the polynomials are constructed to be linearly independent. This is a necessarycondition on the existence of a suitable transformation of the lattice. To see why, assumeF to be the matrix induced by a linearly dependent set of shift polynomials F. Thenthere is a non-trivial linear combination of polynomials f ∈ F which adds up to the zeropolynomial. The same non-trivial linear combination of the corresponding vectors f T addsup to the zero vector. Thus, at least one elementary divisor of F is equal to 0 and therequired unimodular transformation of F does not exist.One might assume that linear independence immediately implies that the construction ofthe sublattice with the same determinant works. However, this is not the case as can beseen in the following example.Example 5.1.1Let N ∈ Z\{−1, 0, 1} and f(x 1 ,x 2 ) = x 1 x 2 +Nx 1 and g(x 1 ,x 2 ) = x 1 x 2 +Nx 2 ∈ Z[x 1 ,x 2 ] betwo bivariate polynomials over the integers. Both polynomials contain different monomials.Thus, they are linearly independent over the integers. Building a Coppersmith type basismatrix with the shift polynomial set F := {f,g}, we get⎛B := ⎝(X 1 X 2 ) −1 1 10 N 00 0 N⎞⎠x 1 x 2x 1x 2.In order to check whether we can determine a sublattice with the same determinant, weonly regard the submatrix F corresponding to the shift polynomial set. That is, we regardthe matrix consisting of the last two columns. First, we apply unimodular transformations

5.1. COPPERSMITH’S ALGORITHM WITH SYSTEMS OF EQUATIONS 75in order to transform the first column. We permute the first and second row and theneliminate the entry N in the first column. By this we obtain⎛ŨF := ⎝0 −N1 10 NHaving a look at the matrix ŨF, we can directly see that the elementary divisors are 1 andN. By Theorem ( 2.1.3, ) this implies that we do not get a unimodular transformation U such0that UF = . Instead of a second elementary divisor of value 1, we obtained one ofIvalue N. Looking at f(x 1 ,x 2 ) and g(x 1 ,x 2 ) modulo N, we observe that f(x 1 ,x 2 ) ≡ x 1 x 2 ≡g(x 1 ,x 2 ) (mod N), i. e. the two polynomials are linearly dependent, here even equal, inZ N [x 1 ,x 2 ].The observation made in the above example can be generalized easily. Instead of usingpolynomials which are linearly independent over the integers, we only use polynomialswhich are linearly independent over the integers as well as in any ring Z a with 1 ≠ a ∈ N.In contrast to the previously used condition, this one is not only an intuition, but provablyequivalent to the existence of a sublattice with the same determinant containing our targetvector. In the subsequent of this section, we will give conditions on which we can restrictthe number of potential moduli. At the moment, however, we use the general statement.Note that modularly dependent polynomials could still be used in the lattice construction.They do not cause the construction to fail, but do no longer allow for a direct computationof the determinant. That is, a priori computations give too large upper bounds. Inpractice, the determinant of the sublattice then is significantly smaller. In many examples,this implies that we do not obtain interesting bounds on possible solutions any more.Let l ∈ N and F be a set of polynomials in Z[x 1 ,...,x l ]. Without loss of generality weassume F to be ordered and denote the i-th polynomial in F by f i . Let w := |Mon(F)|and m 1 ,...,m w be an ordering of all monomials of Mon(F). Let f be the vector of thecoefficients of f such that (f) i is the coefficient of the monomial m i . Let F be the matrixwhose column vectors are f T for all f ∈ F.Definition 5.1.2The set of polynomials F ⊂ Z[x 1 ,...,x l ] is called a determinant preserving set if andonly if there exists a unimodular transformation U such that( )0(w−|F|)×|F|UF =.I |F|Note that any shift polynomial set G giving a good bound although it is not determinantpreserving corresponds to a smaller determinant preserving set F with the same bound.The set F can be constructed by appropriately removing polynomials from G. Therefore,we can restrict the analysis directly to determinant preserving shift polynomial sets.⎞⎠ .

76 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSRemark 5.1.3In the introduction of this section we have already shown that the shift polynomial setsDon Coppersmith [Cop96b] and Ellen Jochemsz and Alexander May [JM06] derive for one(multivariate) polynomial are determinant preserving.In Example 5.1.1 the elementary divisors of F are 1 and N. Therefore, we know that noappropriate unimodular transformation exists. The set {f,g} is, thus, not determinantpreserving.However, changing the example slightly by setting f 2 (x 1 ,x 2 ) = x 1 x 2 +Nx 1 and g 2 (x 1 ,x 2 ) =x 1 x 2 +Mx 2 with gcd(M,N) = 1, the situation changes. The last two columns of the basismatrix become⎛F 2 := ⎝1 1N 00 M⎞⎠x 1 x 2x 1x 2.Applying the same unimodular transformations, we get⎛ ⎞0 −NŨF 2 := ⎝ 1 1 ⎠ .0 MAs the greatest common divisor of M and N is 1, this can easily be transformed to⎛ ⎞0 0UŨF 2 := ⎝ 1 0 ⎠ .0 1Consequently, the set {f 2 ,g 2 } is determinant preserving. Compared to f and g, the newpolynomials are not linearly dependent modulo N or M or any other integer greater thanone either.We generalize this observation to obtain a criterion for determinant preserving sets.Theorem 5.1.4Let F be a determinant preserving set and F ∪ {g} ⊂ Z[x 1 ,...,x l ] linearly independentover the integers.Then G := F ∪ {g} is a determinant preserving set if and only if for all 1 ≠ a ∈ N thepolynomial g is linearly independent of F in Z a .Proof: Let F = {f 1 ,...,f |F| } be an enumeration of the shift polynomials.We prove this theorem by proving the contraposition:”The set G = F ∪ {g} is not determinant preserving if and only if there is an 1 ≠ a ∈ Nsuch that g ≡ ∑ |F|j=1 c jf j (mod a) with c j ∈ Z.”First, let us introduce some additional values. Let w F := |Mon(F)|, w g := |Mon(g) \Mon(F)|, and m wF +1,...,m wF +w gbe an enumeration of the monomials occurring in g,but not in F. Then let w := w F + w g denote the number of all monomials occurring inG. Note that the case of w g = 0 is also included in the following proof although the proofcould be simplified in this special case.

5.1. COPPERSMITH’S ALGORITHM WITH SYSTEMS OF EQUATIONS 77We start by proving "If there is 1 ≠ a ∈ N such that g ≡ ∑ |F|j=1 c jf j (mod a) with c j ∈ Z,then G = F ∪ {g} is not determinant preserving".Suppose there are 1 ≠ a ∈ N and c j ∈ Z a such that g ≡ ∑ |F|j=1 c jf j (mod a). Then it holdsthat g T ≡ ∑ |F|j=1 c jf T j (mod a). Here we define the vectors with respect to the orderingm 1 ,...,m w . This means, the last w g components of vectors corresponding to elements ofF are zero modulo a.( )0(w F −|F|)×|F|From the preconditions we know that there exists V such that VF =.I |F|Here, the columns of F are only taken with regard to the monomials m 1 ,...,m wF . Weextend this with regard to m 1 ,...,m w by adding w g zero rows to F and extending V as(U :=)V 0 w F ×w g0 wg×w .FI wgFor the ease of notation, we denote the extended version of F as well by F. Let G denote thematrix constructed by taking the matrix F and adding the vector g T as last column. If notstated otherwise, we are referring to vectors with regard to all the monomials m 1 ,...,m w .Then Ug T ≡ ∑ |F|j=1 c jUf T j (mod a) ≡ ∑ |F|j=1 c j(e w F −|F|+j ) T (mod a) with (e w F −|F|+j ) Tbeing the (w F − |F| + j)-th unit vector of length w. Consequently,⎛Ug T =⎜⎝0.0c 1.c |F|0.0⎞⎟⎠(mod a)and with appropriate z i ∈ Z⎛UG =⎜⎝az 10 (w F −|F|)×|F|.az (wF −|F|)c 1 + az (wF −|F|+1)I |F| .c |F| + az wFaz (wF +1)0 wg×|F| .az w⎞.⎟⎠

78 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSEliminating the entries c 1 to c |F| by column operations one can directly see that a divides allremaining values in the last column and, thus, the last elementary divisor of G. ApplyingTheorem 2.1.3, we derive that G is not determinant preserving.Now we prove "If the set G = F ∪ {g} is not determinant preserving, then there is an1 ≠ a ∈ Z such that g ≡ ∑ |F|j=1 c jf j (mod a) with c j ∈ Z".Suppose G = F ∪ {g} is not determinant preserving, that is, by Theorem 2.1.3, we eitherhave that the last elementary divisor of G is not equal to 1 or the number of elementarydivisors of G is smaller than |G|.First, we assume that at least one elementary divisor is equal to a ≠ 1. Our goal is to showthat there exist coefficients c 1 ,...,c |F| ∈ Z a such that g ≡ ∑ |F|j=1 c jf j (mod a). Therefore,we start by setting g ≡ ∑ |F|j=1 ˜c jf j + ˜r (mod a) (such a representation always exists, takefor example ˜r = g and ˜c j = 0). The aim is to change the coefficients ˜c j until we have ˜r ≡ 0(mod a).Let U again be the unimodular transformation such that UF = ⎝Then⎛⎞0 (w F −|F|)×|F|I |F|⎠.0 wg×|F|Ug T≡≡≡|F|∑j=1|F|∑j=1⎛⎜⎝˜c j Uf j T + U˜r T (mod a)˜c j (e w F −|F|+j ) T + U˜r T (mod a)(U˜r T ) 1.(U˜r T ) wF −|F|˜c 1 + (U˜r T ) wF −|F|+1.˜c |F| + (U˜r T ) wF(U˜r T ) wF +1.(U˜r T ) w⎞⎟⎠(mod a).By this we get gcd((U˜r T ) 1 ,...,(U˜r T ) wF −|F|, (U˜r T ) wF +1,...,(U˜r T ) w ) = a > 1.If gcd((U˜r T ) 1 ,...,(U˜r T ) wF −|F|, (U˜r T ) wF +1,...,(U˜r T ) w ) = b ≠ a held, we could performthe elementary divisor algorithm on UG, eliminate the j-th entries for j = w F − |F| +1,...,w F by column operations, then set the next diagonal entry to b and eliminate allfurther entries in this column by row operations. This implies that the last elementarydivisor is equal to b which contradicts the preconditions. Thus, (U˜r T ) j ≡ 0 (mod a) forj = 1,...,w F − |F|,w F + 1,...,w.

5.1. COPPERSMITH’S ALGORITHM WITH SYSTEMS OF EQUATIONS 79Further, we need that (U˜r T ) j ≡ 0 (mod a) for j = w F − |F| + 1,...,w F . Assume thatthis does not hold, i. e. we have (U˜r T ) wF −|F|+l ≡ d (mod a) for an index l ∈ {1,...,|F|}.Then define c l := ˜c l + d and r := ˜r − df l and c j := ˜c j for all j ≠ l.This implies ∑ |F|j=1 c jf j + r (mod a) ≡ ∑ |F|j=1,j≠l ˜c jf j + ˜c l f l + df l + ˜r − df l ≡ g (mod a).Following the same line of argumentation used before, we haveUg T≡≡≡|F|∑j=1|F|∑j=1⎛⎜⎝c j Uf j T + Ur T (mod a)c j (e w−|F|+j ) T + Ur T (mod a)(Ur T ) 1.(Ur T ) wF −|F|c 1 + (Ur T ) wF −|F|+1.c |F| + (Ur T ) wF(Ur T ) wF +1.(Ur T ) w⎞⎟⎠(mod a)with (Ur T ) j ≡ 0 (mod a) for j = 1,...,w F − |F|,w F + 1,...,w. Moreover, we have(Ur T ) wF −|F|+l ≡ (U˜r T ) wF −|F|+l −U(df l T ) wF −|F|+l ≡ d−(d(e w−|F|+l ) T ) wF −|F|+l ≡ d−d ≡ 0(mod a). Performing this translation of c l for all l ∈ {1,...,|F|} such that (Ur) T w F −|F|+l ≢0 (mod a), we get Ur T ≡ 0 w×1 (mod a) and, as U is unimodular and, thus, invertible, weget r T ≡ 0 w×1 (mod a). Therefore, g ≡ ∑ |F|j=1 c jf j (mod a), which concludes the proof.In case of G having only |F| elementary divisors, we know that there exist unimodular matricesU and V such that UGV = Diag(a 1 ,...,a |F| , 0). Thus, rank(G) = rank(UGV)

80 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSF \ {f}, then F is not determinant preserving". This is equivalent to "If F is determinantpreserving, then for all f ∈ F and all 1 ≠ a ∈ N the polynomial f is linearly independentof F \ {f} in Z a [x 1 ,...,x l ]".We show the opposite direction of the equivalence "If for all f ∈ F and all 1 ≠ a ∈ N thepolynomial f is linearly independent of F \ {f} in Z a [x 1 ,...,x l ], then F is determinantpreserving" by induction on the size of F using Theorem 5.1.4 in the inductive step.First assume |F| = 1. Then F = {f} for a non-zero polynomial f. Furthermore, thepositive greatest common divisor of the coefficients of f is equal to 1. In any other case,if gcd(f) = a > 1, then f ≡ 0 (mod a), i. e. we have linear dependence in Z a whichcontradicts the precondition. The claim then follows by Lemma 2.1.4, i. e. we have that{f} is determinant preserving.The hypothesis we use is as follows:For an n ∈ N and any set of polynomials F such that |F| = n it holds that if for all f ∈ Fand all 1 ≠ a ∈ N the polynomial f is linearly independent of F \ {f} in Z a , then F isdeterminant preserving.We continue with the inductive step. Let F be a set of polynomials fulfilling the preconditionwith |F| = n + 1. Choose an arbitrary g ∈ F. Then |F \ {g}| = n, and by theprecondition it holds for all f ∈ F \ {g} and all 1 ≠ a ∈ N that the polynomial f islinearly independent of F \ {f,g} in Z a . Therefore, F \ {g} is determinant preserving bythe hypothesis.From the preconditions we further get that for all 1 ≠ a ∈ N the polynomial g is linearlyindependent of F \ {g} in Z a [x 1 ,...,x l ]. In order to apply Theorem 5.1.4 we have to verifythe second precondition that the set F is linearly independent over the integers. Assumeon the contrary that there exist integers c j ∈ Z such that ∑ n+1j=1 c jf j = 0. Without lossof generality let g = f n+1 . Then c n+1 /∈ {−1, 0, 1}. If c n+1 = 0, then F \ {g} is notdeterminant preserving. If c n+1 = ±1, then it is g = ∑ nj=1 (±c j)f j over the integers and,consequently also modulo a for any a ∈ N. Both implications contradict the preconditions.Thus, it is ∑ nj=1 c jf j ≡ 0 (mod c n+1 ). Without loss of generality we have ī ∈ {1,...,n}such that f ī ∈ F \ {g} and gcd(c ī ,c n+1 ) = 1. (If not, either all c j share a common divisoror different c j have different common divisors with c n+1 . In the first case we can divide thewhole equation by this divisor, in the second case we can just take gcd(c j ,c n+1 ) for somearbitrary j as new modulus.)Therefore, we can rewrite the equation as f ī ≡ ∑ nj=1,j≠ī (−c−1 )cī j f j (mod c n+1 ), i. e. f ī isnot linearly independent of F \ {g,f ī } in Z cn+1 [x 1 ,...,x l ]. This is a contradiction to thepreconditions. Consequently, F is linearly independent over the integers.A direct application of Theorem 5.1.4 thus gives that F is determinant preserving. Thisconcludes the proof.Remark 5.1.6Note that a determinant preserving set only contains polynomials f ∈ Z[x 1 ,...,x l ] withrelatively prime coefficients. Any polynomial with a > 1 as greatest common divisor ofthe coefficients is the zero polynomial in Z a [x 1 ,...,x l ] and, therefore, linearly dependent

5.1. COPPERSMITH’S ALGORITHM WITH SYSTEMS OF EQUATIONS 81modulo a.The above theorem gives us a condition on which sets of polynomials can be used. However,to use this condition we have to check linear independence for any a ∈ N \ {1} which, ofcourse, cannot be done efficiently. Therefore, we would like to have only a selection ofintegers which we have to check. However, there is no such selection in general as thefollowing example shows.Example 5.1.7Let⎛B := ⎝−2 −33 24 1By a unimodular transformation U the matrix B can be transformed into⎛ ⎞1 0UB := ⎝ 0 5 ⎠ .0 0Thus, the elementary divisors of B are 1 and 5. Regarding the column vectors, we see that⎛ ⎞−3⎛ ⎞−2⎝ 21⎠ = 4⎝34⎠ (mod 5).That is, we do have a modular relation modulo 5 between the two column vectors. Themodulus 5, however, does not have any obvious relation to the matrix and its entries.Nevertheless, we do not have to check for all moduli 1 ≠ a ∈ N. An upper bound on the( √|F| ) |F|,number of potential moduli is given by · |cmax | where F ⊂ Z[x1 ,...,x l ] is theshift polynomial set we consider, and c max is the largest coefficient which occurs in F.This can be seen as follows. Let again F be the matrix induced by F. Combining theproofs of Theorem 5.1.4 and Theorem 2.1.3, we know that any potential modulus is anelementary divisor of F. Therefore, to calculate an upper bound on the size of the potentialmoduli, we determine an upper bound on the size of the largest elementary divisor. LetU denote the unimodular transformation such that UF is the matrix with the elementarydivisors on its diagonal and all other entries being equal to zero. Let UF ˜ denote the matrixUF without its zero rows. Then UF ˜ is an |F| × |F| submatrix of UF. Moreover, det( UF) ˜is the product of the elementary divisors. Let ˜F denote an |F| × |F| submatrix of F withlinearly independent rows. Then det( UF) ˜ ≤ det(˜F). Furthermore,⎞⎠ .|F|∏∣ ∣ ∣∣ ∣∣(√ |F|det(˜F) ≤ ∣∣(˜F) i,·∣≤ |F| · |cmax |).i=1

82 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSThus, we obtain an upper bound on the largest elementary divisor and, consequently, on( √|F| ) |F|.the largest potential modulus by · |cmax |Unfortunately, all these moduli still cannot be tested efficiently. Whereas we require thealgorithms to have running time polynomial in the bitsize of c max , the upper bound on thenumber of moduli we have to check is only polynomial in c max . That is, it is exponentialin log(c max ).In contrast to the matrix B given in the above example, the matrices we construct usingCoppersmith’s method have some special properties. While constructing the shift polynomialset, the polynomials are built in a way that every new polynomial introduces at leastone new monomial. The part of the basis matrix corresponding to the shift polynomialsis, thus, a matrix comprised of an upper triangular matrix and additional rows. Luckily,this property enables us to further restrict the number of moduli we have to check.Lemma 5.1.8Let F := {f 1 ,...,f |F| } ⊂ Z[x 1 ,...,x l ] be an ordered set of polynomials constructed suchthat Mon(f j ) \ ( ∪ j−1i=1 Mon(f i) ) ≠ ∅ which is not determinant preserving. Let F be thematrix induced by this set as before. Then there are 1 ≠ a ∈ C, ¯f ∈ F and cf ∈ Z suchthat ¯f ≡ ∑ f∈F\{ ¯f} c ff (mod a). Here, C denotes the set of all coefficients of monomialsin Mon(F) and divisors of them.Proof: From the precondition using Theorem 5.1.5 it follows that there are ¯f ∈ F,c f ∈ Z for all f ∈ F \ { ¯f}, and 1 ≠ a ∈ N such that ∑ f∈F\{ ¯f} c ff ≡ ¯f (mod a). Letw := |Mon(F)| and let m 1 ,...,m |Mon(F)| be an enumeration of the monomials of Mon(F)corresponding to the construction of F. Let h be the largest index such that the monomialm h occurs in the equation with non-zero coefficient. Due to the upper triangular structure,this monomial only occurs in one of the polynomials in the equation. (Otherwise, assume itoccurs in two polynomials f i and f j with j > i. Then f j must introduce another monomialm 2 corresponding to a row index greater than h, which contradicts the choice of h.) Letc(m h ) be the coefficient of m h . Then for the equation to hold we require a|c(m h ). Thus,a ∈ C which implies the claim.This lemma will be quite helpful in the following analyses as the polynomials we dealwith have coefficients which are mostly products of only two primes. This can be seen inSection 6.1.But, of course, we then have to construct a shift polynomial set in a way that it has therequired structure.Before we turn to the analysis of various systems of equations, we will extend the definitionof being determinant preserving. So far we have dealt with polynomial sets F ⊂Z[x 1 ,...,x l ] to which the definition can be applied. In practice, we also have polynomialequations ˜f(x 1 ,...,x l ) ≡ 0 (mod N). That is, we would like to determine solutions moduloan integer N. That is, the polynomial ˜f(x1 ,...,x l ) is a polynomial in Z N [x 1 ,...,x l ].

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 83To include various modular equations with equal or different moduli into our set, let ˜Fdenote the set of all shift polynomials and their corresponding moduli. Elements of ˜F aredenoted by tuples ( ˜f(x 1 ,...,x l ),N). Each polynomial ˜f(x 1 ,...,x l ) ∈ Z N [x 1 ,...,x l ] can bewritten as a polynomial in a polynomial ring over the integers with one more unknown. Thecorresponding integer polynomial is f(x 1 ,...,x l ,t) := ˜f(x 1 ,...,x l ) − tN ∈ Z[x 1 ,...,x l ,t].We call the polynomial f the integer polynomial induced by ˜f. Accordingly, we define theset F to consist of all integer polynomials f induced by polynomials ˜f ∈ ˜F. The set Fis then called the polynomial set induced by ˜F. Note that for each polynomial in ˜F onenew variable is adjoint to the polynomial ring. Thus, F ⊂ Z[x 1 ,...,x l ,t 1 ,...,t | ˜F|]. Withthis notation we can now extend the definition of determinant preserving sets to modularpolynomials.Definition 5.1.9Let the set of polynomials ˜F consist of tuples of polynomials and their correspondingmoduli. Then the set ˜F is called a determinant preserving set if and only if the setF ⊂ Z[x 1 ,...,x l ,t 1 ,...,t | ˜F|] induced by ˜F is determinant preserving.With this definition we can derive similar conditions like the one of Lemma 5.1.8 for systemsof modular polynomial equations. As these conditions differ depending on the relation ofthe moduli to each other, they will be presented in the corresponding sections.5.2 Systems of Equations with a Common ModulusIn this section we analyze systems of modular multivariate polynomial equations with acommon modulus N, namely, we refer to a special case of the SMMPE problem. In analogyto the univariate case, we define the problem of solving systems of modular multivariatepolynomial equations with a common modulus (SMMPE1-problem).Definition 5.2.1 (SMMPE1-problem)Let k ∈ N, δ 1 ,...,δ k ∈ N, and N ∈ N. Assume f 1 (x 1 ,...,x l ),...,f k (x 1 ,...,x l ) to bepolynomials of degree δ 1 ,...,δ k in Z N [x 1 ,...,x l ], respectively. Letf 1 (x 1 ,...,x l ) ≡ 0 (mod N)f 2 (x 1 ,...,x l ) ≡ 0 (mod N)f k (x 1 ,...,x l ) ≡ 0 (mod N)be a system of multivariate polynomial equations.. (5.1)Let X i < N, X i ∈ R, i = 1,...,l. Find all common roots (¯x 1 ,..., ¯x l ) of (5.1) with size|¯x i | ≤ X i .The analysis of modular systems is simpler than in the integer case. Let ˜F be a set ofshift polynomials and their respective moduli used to apply Coppersmith’s method 2.3.9.

84 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSThen all f ∈ ˜F are polynomials of the form mf i (x 1 ,...,x l ) λ with m ∈ Z N [x 1 ,...,x l ] beingsome monomial and λ ∈ N. Thus, the solution we are searching for is a solution of f ≡ 0(mod N λ ) for all f ∈ ˜F.Let F be the set of integer polynomials induced by ˜F. From these polynomials a basismatrix is constructed. The last columns of this basis matrix correspond to the shift polynomials.Let us again denote this matrix by F as it is done in Section 2.3. It consists ofan upper part F c corresponding to the coefficients of the polynomials and a lower part F mcorresponding to the moduli. The matrix F m , thus, forms a diagonal matrix with entrieswhich are powers of N.In the analysis in Section 5.1 we have seen additional conditions which allow for a simplerverification if F is determinant preserving. Namely, if F consists of some upper triangularmatrix and some arbitrary matrix, the check becomes easier. In this example the uppertriangular part of F is given by F m . The matrix F m is not only upper triangular, but evena diagonal matrix with the moduli as values on the diagonal. The moduli are always powersN λ for a value of λ ∈ N. Therefore, the only way to have linear dependence of vectors ofF is to have dependence modulo N or a divisor of N. Note that linear dependence moduloN λ with λ > 1 implies linear dependence modulo N. Hence, it is sufficient to test formodular dependence with regard to N and its divisors.Lemma 5.2.2Let ˜F ⊂ Z[x 1 ,...,x l ] × N be an ordered set of polynomials and corresponding moduliwhich is not determinant preserving. All moduli occurring in ˜F are powers of N. Let Fbe the integer polynomial set induced by ˜F, and F be the matrix induced by F as before.Then there are ¯f ∈ F and c f ∈ Z such that ¯f ≡ ∑ f∈F\{ ¯f} c ff (mod a), where a|N anda > 1.Proof: We regard the polynomials f ∈ F ⊂ Z[x 1 ,...,x l ,t 1 ,...,t |F| ] induced by polynomials˜f ∈ ˜F. From the precondition using Theorem 5.1.5 it follows that there are ¯f ∈ F,c f ∈ Z for all f ∈ F \ { ¯f}, and 1 ≠ a ∈ N such that ∑ f∈F\{ ¯f} c ff ≡ ¯f (mod a). Byconstruction there is a monomial t j which occurs only in ¯f. Its coefficient is N λ for someλ ∈ N as it corresponds to the modulus. Then for the equation to hold we require a|N λwhich implies the claim.In many practical examples we take moduli N which are products of two unknown primesp and q. Consequently, we can only test for linear dependence modulo N, but not moduloits divisors. Nevertheless, this does not pose any problems. Linear dependence modulo por q implies that we get p or q as elementary divisor of the matrix. Thus, a way to breakthe system would be to take some set of polynomials which is not determinant preserving,to build up the corresponding matrix, and to calculate its elementary divisors. This canbe done quite efficiently (compare [Lüb02]). Then, given p or q, the system from which wederived the equations is broken anyway.In the following examples we, therefore, assume that we do not get any factors of themoduli as elementary divisors. This assumption was valid in all our examples.

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 855.2.1 RSA with Related Messages and Implicit RelationsWe recall the problem of RSA with related messages and implicit relations presented inSection 4.1. A set of k secret messages m 1 ,...,m k is encrypted with an RSA public key(N,e). Each encryption corresponds to an equation f i (x i ) := x e i − c i ≡ 0 (mod N) with asolution m i . Furthermore, the messages are related by some implicit polynomial relationp(x 1 ,...,x k ) such that p(m 1 ,...,m k ) ≡ 0 (mod N). We have already seen how we candetermine all solutions of the system (Section 4.1) by computing a Groebner basis. Now wewill show a method to determine certain roots if Groebner basis computations do not help.For ease of analysis we start with the case of k = 2 and a simple lattice basis. The casesk > 2 or more complex lattice bases can be treated analogously. Moreover, we assume toget a relation p to be valid over the integers. That is, we regard the following problem:f 1 (x 1 ) ≡ 0 (mod N)f 2 (x 2 ) ≡ 0 (mod N) (5.2)p(x 1 ,x 2 ) = 0.Let X i < N, X i ∈ R, i = 1, 2. Find all common roots (m 1 ,m 2 ) such that |m i | ≤ X i .Thus, we look at the SMMPE1-problem with a simple system of multivariate equations.For i ∈ {1, 2} let us first regard f i (x i ) ≡ 0 (mod N) separately. We deal with a modularunivariate equation. We can determine its solutions |m i | ≤ X i if X i < N 1 e in polynomialtime according to Theorem 2.3.9. The initial lattice basis used is⎛ ⎞( ) DB i i i1 0 −c iF= ci = ⎝10 1 ⎠X . (5.3)0 F e mi0 0 NAs the polynomials f i (x i ) only consist of the monomials x e i and 1, we just put f i intothe shift polynomial set. Then the bound can directly be computed using the simplifiedcondition det(B i ) > 1 given in equation (2.14).In a first step to combine the analyses, we combine the basis matrices. That is, at themoment we ignore the additional information we get by the additional polynomial p, butonly consider the original problem. We set⎛⎞1 0 0 −c 1 −c 210 0 1 0X1e 1B =0 0 0 1⎜X (5.4)2e ⎟⎝ 0 0 0 N 0 ⎠0 0 0 0 Nas initial basis matrix for a lattice L to determine solutions of both equations f i (x i ) ≡ 0(mod N) in one analysis. We apply the simplified condition to this and obtaindet(B) > 1 ⇔ det(B 1 ) det(B 2 ) > 1.

86 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSThis condition is, of course, fulfilled if the basic conditionsdet(B 1 ) > 1 and det(B 2 ) > 1 (5.5)hold. Thus, a sufficient condition that we can determine the solutions (m 1 ,m 2 ) usingthe lattice basis B given in (5.4) in Coppersmith’s method is that we can determine itseparately using the lattice bases B 1 and B 2 described in (5.3), i. e. condition (5.5) holds.As the equations f 1 (x 1 ) ≡ 0 (mod N) and f 2 (x 2 ) ≡ 0 (mod N) do not share any variables,condition (5.5) ought to be necessary as well. However, just regarding the determinant,this is obviously not the case. If e. g. | det(B 1 )| ≫ 1, then | det(B 2 )| could be smallerthan one without violating condition (5.5) anyway. To see why Coppersmith’s methodfails under these preconditions, we look at it in more detail. By failure in this case wemean that we do not get any further equations containing the variable x 2 . Thus, weare only able to determine m 1 , but not m 2 . Note, however, that we can calculate m 2by substituting x 1 by m 1 in p(x 1 ,x 2 ) and then determining the roots of the univariatepolynomial p(m 1 ,x 2 ) ∈ Z[x 2 ] over the integers. This works in this case as only one messageis missing. In case of k > 2, however, we could fail to determine more than one message. Inorder to develop a general strategy which can be applied to those cases as well, we continuewith our example without taking p into account.Let us now assume | det(B)| > 1 but | det(B 2 )| ≤ 1. The latter implies X2 e ≥ N. We startwith the basis B as basis of our lattice. In order to get a basis of the sublattice, the basismatrix B is transformed into⎛⎞c1 1 c 20 0X1e X2e 0 − N 0 0 0X 1e UB =0 0 − N 0 0X2⎜e (5.6)1⎝ 0 0 1 0 ⎟X1e ⎠10 0 0 1X2eby a unimodular transformation U. Let L S denote the sublattice of vectors with zeros intheir last two components. Then a basis B S of L S is given by the first three rows of B.When considering vectors in L S , we regard them as vectors with only three components asthe other components are zero anyway. Recall that L S contains the vector t S := (1, me 1X e 1, me 2X e 2)with norm ||t S || ≤ √ 3 ∈ O(1).Subsequently, we perform LLL-reduction on B S and orthogonalize it. We denote the resultingmatrix by B ∗ R . Let b ∗ 1 ,b ∗ 2 ,b ∗ 3 be the rows of B ∗ R . Due to the lower bound onthe absolute value of the determinant, the vector t S is at least orthogonal to b ∗ 3 . Thatis, by construction we have ||t S || < ||b ∗ i || for at least i = 3. It might also hold for furtherbasis vectors. Each such vector b ∗ i is orthogonal to t S . Using this condition, we get a newnon-modular equation (b i ∗ ) 1 + (b i ∗ ) 2 · me 1X e 1+ (b i ∗ ) 3 · me 2X e 2= 0. The solutions m 1 and m 2 are,thus, integer solutions of the equation (b ∗ i ) 1 + (b ∗ i ) 2 · xe 1+ (b ∗ X1e i ) 3 · xe 2= 0.X2eWe will show in the following paragraph that (b ∗ i ) 3 = 0 for all b ∗ i orthogonal to t S . This

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 87implies that we only get additional information in x 1 and still cannot determine a solutionof f 2 (x 2 ). Looking at the basis matrix, we can easily see that the vector v := (0, 0, − N X e 2)also is a vector in L S . From the condition X2 e ≥ N we derive | − N | ≤ 1 and, thus,X2e||v|| ≤ 1. We even have ||v|| ≤ ||t s ||. Therefore, v is a vector in the same hyperplane ast S is. Consequently, any vector b ∗ i orthogonal to that hyperplane is also orthogonal to v.Hence, we get the condition (b i ∗ ) 1 · 0 + (b i ∗ ) 2 · 0 − (b i ∗ ) 3 · NX e 2= 0. This implies (b ∗ i ) 3 = 0.We generalize this observation to an arbitrary number of k equations and show that combiningshift monomial sets does not improve the bound.Theorem 5.2.3Let k ∈ N and f i (x i ) ≡ 0 (mod N), i = 1,...,k, be polynomials of degree δ i . Let ¯x idenote a root of f i , i. e. f i (¯x i ) ≡ 0 (mod N). Let X i ∈ R be a bound on the solution¯x i , namely |¯x i | ≤ X i . Then the following holds: If all solutions (¯x 1 ,..., ¯x k ) ∈ Z k N can bedetermined applying Coppersmith’s method to one lattice built with regard to a combinedshift polynomial set F = ∪ k i=1F i , where F i ⊂ Z N [x i ] denotes a shift polynomial set withrespect to f i , then we can determine the solutions using separate lattices with regard toF i as well. Furthermore, X i < N 1 δ i for all i.Proof: First recall that Theorem 2.3.9 states that for any i the equation f i (¯x i ) ≡ 0(mod N) can be solved if |¯x i | ≤ X i < N 1 δ i . The shift polynomial set used for the analysis isF i ⊆ Z N [x i ]. Let F := ∪ k i=1F i . The set Mon(F) denotes the set of all monomials occurringin F. We denote by w i := |Mon(F i )| and by w := |Mon(F)| the number of monomialsoccurring in F i and F, respectively. We will show that if all solutions (¯x 1 ,..., ¯x k ) ∈ Z k Ncan be determined applying Coppersmith’s method with shift polynomial set F, then theycan be determined applying Coppersmith’s method to each polynomial f i separately usingF i . This results in the claim.Without loss of generality we assume all f ∈ F to be monic. If they are not, we can eitherinvert the leading coefficient modulo N or compute a divisor of N. By Theorem 2.3.9 it isf i ∈ F i . Let( DB i i iF= ci0 F m⎛)= ⎝1 0 ... 0 f i0 ∗ ... ∗0 ˜Dii˜Fc0iF m⎞⎠ (5.7)denote a basis matrix of the lattice L i constructed with regard to F i to obtain this bound.In the second representation of the initial basis matrix B i , the row corresponding to themonomial 1 is explicitly named so that the matrix ˜D i equals D i without its first row andcolumn. The matrix ˜F ciequals Fc i without its first row. The value f i0 ∈ Z N denotesthe constant term of f i . The values ∗ correspond to the constant terms of the other shiftpolynomials. They might also be equal to zero. A basis of the lattice L constructed with

88 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSregard to F is given by⎛B =⎜⎝1 0 ... 0 f 10 ∗ ... ∗ ... f k0 ∗ ... ∗˜D 1 1˜Fc......˜D kk˜FcF m1...F mk⎞. (5.8)⎟⎠Non-included values are equal to zero.We use this notation to prove the claim by contraposition. We show ”If X i > N 1 δ i for somei ∈ {1,...,k} (that is, if we cannot determine ¯x i via Coppersmith’s algorithm using thelattice L i ), then we cannot determine ¯x i using Coppersmith’s algorithm with basis matrixB either”.Without loss of generality we assume X 1 > N 1δ 1 . (In any other case we simply permutethe polynomials in the shift polynomial set.)The sets F i are determinant preserving by construction. As each set contains a differentvariable x i , their union F is determinant preserving as well. For a proof let us assumethe contrary. Then there is a subset S ⊆ F with S ∩ F i ≠ ∅ for at least two indicesi ∈ {1,...,k} such that ∑ f∈S c ff ≡ 0 (mod N) and c f ≠ 0. For i ∈ {1,...,k} withF i ∩ S ≠ ∅ let ¯f i denote the polynomial of maximal degree in x i . Let x ∆ ii denote themonomial of maximum degree. The polynomial ¯fi is unique as any polynomial in F i (ifthe polynomials are ordered appropriately) introduces a new monomial. Therefore, noother polynomial in F i ∩ S contains the monomial x ∆ ii . Furthermore, polynomials in F jwith j ≠ i do not contain monomials in x i . Consequently, ¯fi ∈ S is the only polynomialin which the monomial x ∆ ii occurs. For the linear dependence relation to hold, we needto have c ¯fi ≡ 0 (mod N). This contradicts the assumption that ¯f i ∈ S. Thus, F isdeterminant preserving. This implies that there exists a unimodular transformation of Bto ( )BS 0. (5.9)∗ I |F|The matrix ∗ is a matrix with arbitrary values which are not important for our analysis.We denote by L S the lattice spanned by the basis vectors of B S . Let us look at B S in moredetail. Recall that large vectors of the LLL-reduced and orthogonalized version of B S areorthogonal to some target vector t. This gives rise to additional equations in the unknowns.Our goal is to show that these vectors have a special structure so that the induced equationsdo not contain monomials in x 1 . Then we cannot get further information on ¯x 1 and are,therefore, unable to determine it this way. Due to the structure of B we can look at thematrix( 1 )˜B 1 = ˜D1 ˜Fc1(5.10)0 F m

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 89separately. What we do here is taking the second until (w 1 )-th and the (w + 1)-th until(w + |F 1 |)-th basis vector. These basis vectors only have non-zero entries in the seconduntil (w 1 )-th and the (w + 1)-th until (w + |F 1 |)-th columns. Therefore, it suffices toregard those. Operations on the rows of ˜B 1 do not influence any other columns. As thepolynomials in F 1 are monic and each new polynomial introduces a new monomial withcoefficient one, ˜Fc1contains a diagonal with values one. The values below this diagonalare equal to zero. The rows corresponding to the ones can be permuted with the rows ofF m 1 . Then, we have transformed ˜B 1 to⎛⎜⎝˜D 1 u˜F c1u0 F m1˜D 1 l˜F c1l⎞⎟⎠ . (5.11)Here, ˜D1 l denotes the lower |F 1 | rows of ˜D1 and ˜D 1 1u its upper part. Analogously, ˜Fc l1 1denotes the lower |F 1 | rows of ˜Fc and ˜Fc u its upper part. The last |F 1 | columns form arectangular matrix. Its last |F 1 | rows form an upper triangular matrix with value one onthe diagonal. To conclude, we use these last rows to eliminate all further values. Thus, byfurther transformations, we get ( )1 BS 0. (5.12)∗ I |F1 |Note that each row vector is (w 1 − 1 + |F 1 |)-dimensional as the first column, which correspondsto constant terms, is not included. We are interested in the values in B 1 S becausethey correspond to row vectors in B S as it is⎛⎞∗ ∗1B S B S = ⎜⎟⎝ 0 ... ⎠ . (5.13)A row of ( 1B S 0 ) ( )is constructed in one of two ways. Either it originates from a row of1 ˜D1 u˜Fc or it originates from a row of ( 0 F ) 1um . For d = 1,...,δ 1 − 1 let ũ d :=1(0,...,0, , 0,...,0,cX1d 1 ,...,c |F1 |) = 1 e d + ∑ |F 1 |X1d i=1 c ie w1−1+i denote a row in the first case.In this case all non-zero values c i have to be eliminated. Let u d := (0,...,0,N, 0,...,0) =Ne w1−1+d , d = 1,...,|F 1 |, denote a row vector in the second case. Here only the value Nhas to be eliminated.The question is what happens in the elimination step. The rows used for elimination are1of type ṽ w1 −1+d := (0,...,0, , 0,...,0, 1,a (d)w 1 +d ,...,a(d) w 1 +|F 1 | ) = 1e δ1−1+d +X δ 1 −1+d1B SkX δ 1 −1+d1e w1−1+d + ∑ |F 1 |−1j=da (d)w 1 +j ew 1+j for d = 1,...,|F 1 | with a (d)w 1 +j ∈ Z. In a first step, wetransform these vectors by eliminating the a (d)w 1 +j . We set v w 1 −1+|F 1 | := ṽ w1 −1+|F 1 | anditeratively define v w1 −1+d := ṽ w1 −1+d − a (d)w 1 +d v w 1 −1+(d+1) for d = |F 1 | − 1,...,1. Thus,

90 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSv w1 −1+d := ∑ |F 1 | (−1) j−d ∏ js=d+1 a(s−1)j=dX δ 1 −1+j1w 1 +s−1e δ 1−1+j + e w 1−1+d .We start by modifying the vectors u d . To eliminate N, one has to compute ˜b δ1 −1+d :=u d − Nv w1 −1+d, d = 1,...,|F 1 |, and gets a vector with zeros as last |F 1 | values becauseit is w 1 − 1 ≥ |F 1 | + δ 1 − 1. The first values, thus, give a row vector in B 1 S , namely∑ |F1 | (−1) j−d+1 N ∏ js=d+1 a(s−1)j=d−NX δ 1 −1+d1X δ 1 −1+j1w 1 +s−1e δ 1−1+j . Note that the (δ 1 −1+d)-th component of ˜b δ1 −1+d is. It has absolute value smaller than one because due to the preconditions we haveX1 d ≥ X δ 11 > N if d ≥ δ 1 . Successively substracting appropriate multiples of ˜b δ1 −1+j,j =d + 1,...,|F 1 |, from ˜b δ1 −1+d, we get a vector b δ1 −1+d such that alle entries are smallerthan one. Consequently, an upper bound on the norm of b δ1 −1+d is given by √ |F 1 | + 1.To eliminate the last entries of ũ d , we subtract c j -times v w1 −1+j from ũ d . This resultsin ˜b d := 1 e d + ∑ |F 1 |X1d j=1 −c j(∑|F1 | (−1) j−d ∏ js=d+1 a(s−1) w 1 +s−1j=d X δ 1 −1+j1)e δ 1−1+j with d = 1,...,δ 1 − 1. Asw 1 −1 ≥ |F 1 |+δ 1 −1, the last |F 1 | values in this vector are zero. Its first entries, thus, givea row vector in B 1 S . We use the vectors b δ1 −1+d for further reducing the other entries anddenote the result by b d . As before all non-zero values in the reduced vector b d are smallerthan one. There are at most |F 1 | + 1 non-zero values in b d . Hence, ||b d || ≤ √ |F 1 | + 1.Overall,(BS10 ) =⎛⎜⎝b 1.b δ1 −1+|F 1 |⎞⎟⎠ . (5.14)Recall that when applying Coppersmith’s technique with regard to the lattice L usingthe basis B, the target vector is defined as t := (1, x 1X 1,..., xδ 1 +|F 1 |−11, xX δ 1 +|F 1 |−12X 2,..., xδ k +|F k |−1k).1X δ k +|F k |−1kThe target vector is of size ||t|| ≤ √ w. As each polynomial introduces at least one newmonomial, we have w = |Mon(F)| ≥ |F| ≥ |F 1 | + 1. Let B ∗ denote an LLL-reducedand orthogonalized basis of the sublattice L S . If ||b ∗ i || > ||t|| for an index i, then also||b ∗ i || > ||b d|| for all b d . The vectors b d are δ 1 − 1 + |F 1 | vectors in a vector subspace ofdimension δ 1 − 1 + |F 1 |. As the determinant of ˜B1 is not equal to zero, the vectors arelinearly independent and form a basis of this vector subspace. Another basis of this vectorsubspace is given by the set {e 2 ,...,e δ 1+|F 1 | }. Thus, if b ∗ i is orthogonal to all b d , it is alsoorthogonal to e i for i = 2,...,δ 1 + |F 1 |. Consequently, (b ∗ i ) d = 0 with d = 2,...,δ 1 + |F 1 |.The values (b ∗ i ) d correspond to the second until w 1 -th component of a vector in the originallattice L S . Therefore, any equation we get by applying Coppersmith’s method will notcontain any monomial in x 1 . This implies that we cannot determine ¯x 1 which concludesthe proof.In the analysis of a system of independent equations, i. e. equations not sharing anyvariables, it is useless to construct a lattice like the lattice L to combine the analyses of theequations. This matches the results we have expected beforehand. Another option wouldbe to shift the single polynomials by monomials in other variables. Advantage could then

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 91be taken of shared monomials. The shared monomial of smallest degree when shifting f 1and f 2 is the monomial x e 1x e 2. We obtain this monomial by the shift polynomials x e 1f 2 andx e 2f 1 . However, it is x e 1f 2 − c 1 f 2 − x e 2f 1 + c 2 f 1 ≡ f 1 f 2 − f 1 f 2 ≡ 0 (mod N). Hence, a shiftpolynomial set including the shifts {x e 1f 2 ,f 2 ,x e 2f 1 ,f 1 } is not determinant preserving. Atleast one of the polynomials has to be excluded from the shift polynomial set. Then the2 N 3 . Without thecontribution of the shift polynomial set to the determinant is X −2e1 X −2e”mixed” shifts the bound is X1 −e X2 −e N 2 > 1. As X1 −2e X2 −2e N 3 > 1 implies X1 −e X2 −e N 2 > 1all solutions that can be calculated with the former approach can also be calculated withthe latter. Hence, it is better only to include the shifts polynomials f 1 and f 2 in the shiftpolynomial set.Same results hold for higher degree shift monomials leading to the same dependencies.Thus, multiplication by monomials in other variables does not help to obtain a betterbound. This again meets our expectations as the polynomials are independent.So why did we consider these shared lattices at all? Adding a single equation in bothvariables to the lattice can significantly improve the bound. To see this, let us return tothe system of equations (5.2). We assume that ¯x 1 ≤ ¯x 2 and, thus, X 1 ≤ X 2 . Supposep(x 1 ,x 2 ) contains the monomial x e 2 and only one monomial x i 11 x i 22 not occurring in f 1 orf 2 . Further, let i 2 < e. The idea is to substitute x e 2 by the new monomial and build upthe corresponding lattice L. Then more powers of X1 −1 but less powers of X2 −1 appearin the determinant. To see if this helps to improve our analysis, we apply the simplifiedcondition (2.14) to our construction. That is, we require | det(L)| > 1 and, as X1 −1 > X2 −1 ,the bound is improved. It is then better adapted to the different sizes of the unknowns.As substitution becomes more difficult when monomials reappear due to shifts, we do notexplicitly perform the substitution but add further columns in the lattice. Let us continuewith the example to see how the technique is used. Let p(x 1 ,x 2 ) = x e 2 +p 1 x e−21 x 2 +p 0 withp 1 ,p 0 ∈ Z. We define a new lattice L p by a basis matrix which includes p:⎛1 0 0 p 0 −c 1 −c 210 0 0 1 0X1e 10 0 pB p =X e−21 X 1 0 02 ⎜0 0 0 1 0 1⎝ 0 0 0 0 N 00 0 0 0 0 N⎞. (5.15)⎟⎠Remark that the structure of B p is different to what we have seen so far. It combinescolumn vectors used in the modular and in the integer case. If one compares it to B, thecolumn corresponding to the diagonal entry 1 is replaced by the column corresponding toX2ethe new equation p(x 1 ,x 2 ) = 0. We no longer have to introduce the monomial explicitly inthe diagonal matrix but get it ”for free” with the help of p. However, as p includes anothernew monomial, this has to be added on the diagonal.

92 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSWith unimodular transformations B p can be transformed to⎛ c1 10 0 0 −cX e 2 − p 010 − N 0 0 0 0X1e 10 0 0 0 −p X e−21 X 12 ⎜0 0 0 1 0 1⎝ 10 0 0 1 0X1e0 0 0 0 0 N⎞. (5.16)⎟⎠Without loss of generality we can assume N and p 1 to be coprime. (Otherwise we cancompute a divisor of N which compromises the RSA public key (N,e).) Therefore, thereis a unimodular transformation of B p into( ) (Bp ) S 0. (5.17)∗ I 3Further applying Coppersmith’s method, we get an additional equation in the unknownsif the condition | det(L p )| > 1 is fulfilled. (For a better understanding we again use thesimplified condition.) It is det(L p ) = X1 −2e+2 X2 −1 N 2 > 1 ⇔ X1 2e−2 X 2 < N 2 .Note that the target vector here is (t p ) S = (1, xe 1, xe−2X1e 1 x 2). Furthermore, remark thatX e−21 X 2plugging a solution m 1 into p(x 1 ,x 2 ) gives an equation in only one unknown x 2 over theintegers. The solution of the second unknown m 2 can, thus, be of any size if m 1 is smallenough. This is exactly what the determinant condition gives. Assume for example thatm 2 is of full size, i. e. X 2 = N. The condition then becomes X 1 < N 12e−2 .With respect to our initial problem, we have not improved the bounds this way. If weregard f 1 separately, the upper bound on X 1 is N 1 e, which is better than N 12e−2 . Usingp(m 1 ,x 2 ), any solutions m 2 ∈ Z N can then be determined. However, using additional shifts,the condition can be improved further. We will show this with regard to a more generalsetting. The above example should only illustrate the general method. For instance, ifk > 2, and if we have only one additional polynomial p denoting an implicit relationof the messages m 1 ,...,m k , the technique might be useful. Namely, we can use p onlyto determine one message of arbitrary size provided that the other messages are givenbeforehand. This implies that all other messages have to fulfill the condition X i < N 1 e.Building a lattice with the original equations and the implicit relation, however, mightallow to calculate different solutions. That is, more than one message may be of size largerthan N 1 e if there are other messages which are significantly smaller.In what follows we will give an algorithm to change a lattice basis and apply Coppersmith’salgorithm when given a set of k independent equations f i (x i ) ≡ 0 (mod N) of degree δ i ,i = 1,...,k, and a set of κ < k implicit relations p i (x 1 ,...,x k ) = 0, i = 1,...,κ. Themajor steps of the algorithm are as follows:1. For each p i determine the most costly monomial not yet introduced and denote it bym i .

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 932. Determine a determinant preserving shift polynomial set F with shifts of f 1 ,...,f kthat uses many m i and powers of them.3. Construct a standard lattice basis B with regard to the shift polynomial set F.4. Substitute columns of D by columns corresponding to shifts of p i .5. Perform Coppersmith’s method with the given basis matrix.We elaborate on the steps of the algorithm.Determine costly monomialsRecall from the example that the implicit relations are used to eliminate monomials and,if necessary, replace them by others. For each polynomial p i (x 1 ,...,x k ) we have to decidewhich monomial it shall introduce in the lattice. Further, we have to distinguish usefulfrom non-useful replacements.The contribution of a monomial m(x 1 ,...,x k ) to D and, thereby, to the determinant ofthe lattice is M −1 , where M := m(X 1 ,...,X k ) denotes the evaluation of m on the upperbounds of the unknowns. For the rest of this paragraph when talking about ”larger” or”smaller” monomials we think of larger or smaller with respect to the absolute values ofthe monomials if evaluated at (X 1 ,...,X k ). Given a single polynomial p 1 , it is, therefore,best to choose m 1 as the largest monomial of p 1 . When regarding more than one polynomial,we have to take into account that different polynomials might share monomials. Forexample, the same monomial should not be introduced by more than one polynomial. Auseful replacement can then be performed in the following way:Let P := {p 1 ,...,p κ } and M := Mon(P) denote the set of all monomials in P. Fori = 1,...,κ perform the following steps:Define m i to be the largest monomial in M and set ˜p i to be the corresponding polynomial.If there is more than one polynomial in which m i occurs, then we look at the othermonomials in both polynomials. Let p and q denote these two polynomials. Further, letM p := Mon(p) \ Mon(q) and M q := Mon(q) \ Mon(p). Suppose the largest monomial inM p is greater than the largest monomial in M q . Then choose ˜p i to be the polynomial q.If there are more than two polynomials, compare them successively. This leads to a uniquechoice of ˜p i as this comparison is transitive.Redefine P := P \ {˜p i } and M := Mon(P) \ {m 1 ,...,m i }.In the end, we have defined a sequence m 1 ,...,m κ to be introduced, and ordered the polynomials˜p 1 ,..., ˜p κ to correspond to this.Determine a basic shift polynomial setUnfortunately, there is no good generic method to determine a shift polynomial set givenany set of polynomial equations f i (x 1 ,...,x k ) ≡ 0 (mod N), i = 1,...,k. Most times,better bounds can be achieved if the choice of shift polynomials is adapted to the specificset of polynomial equations and additional relations p i (x 1 ,...,x k ) = 0, i = 1,...,κ. Nevertheless,we will give two basic approaches here. Note that we define the shift polynomialset only with respect to the polynomial equations f i (x 1 ,...,x k ) ≡ 0 (mod N), the implicit

94 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSrelations are only included after the lattice basis has been constructed. Then they are usedto increase the value of the determinant and, hence, improve the bound.We distinguish two cases with respect to the monomials which occur in the polynomialsf i . Case 1 denotes that the polynomials f i share most of the variables and many monomials,whereas case 2 denotes that only a few monomials occur in two different polynomials.Furthermore, there are variables only occurring in some of the polynomials. The exampleof RSA with related messages falls into this category.In the ( first case, we define the shift polynomial set as follows. For λ ∈ N let M :=Mon ( ∑ ki=1 f i)). λ The general idea is to follow the construction by Ellen Jochemsz andAlexander May [JM06]. Like them, we assume without loss of generality all polynomialsf i to be monic. Furthermore, we assume that all monomials which occur in f j 1i also occurin f j 2i provided that j 2 ≥ j 1 .For any monomial which shall occur, a polynomial by which it is introduced is defined.When doing so, a polynomial power as large as possible is used. This is because any polynomialpower fi l in the shift polynomial set contributes a power N l to the determinant.Recall that the intention is to have a large determinant as a large determinant implies abetter bound. For each monomial m we search for a power as large as possible of a leadingmonomial LM(f i ) which divides m. In contrast to the approach in the case of one polynomial,we have to take into account which of the polynomials f i to take. For i = 1,...,kand l = 0,...,λ + 1 we define the set of monomialsM il := {m | m ∈ M andmLM(f i ) l is monomial of f λ−li }.The union of M il for equal values of l is denoted by M l := ∪ k i=1M il . Thus, a monomialm in M l \ M l+1 can be introduced by a shift polynomial of the formmLM(f if) i. l Now, weldefine the polynomialsg m (x 1 ,...,x k ) :=mLM(f i ) lfl i, l = 0,...,λ, i = 1,...,k andm ∈ M il \ ( M l+1 ∪ ( ∪ i−1j=0 M jl)).We set F to be the set of all polynomials g m .In the second case, the joint shift polynomial set F is defined by joining the shift polynomialsets F i of the polynomials f i shifted individually, exactly following the standardapproach by Ellen Jochemsz and Alexander May [JM06]. For a general system of equations,both approaches can be combined in an appropriate manner.Construct a lattice basisGiven a shift polynomial set, the construction of a lattice basis is straightforward and canbe performed as in Section 2.3.

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 95Substitute columns of the basisFor each m λ ii , i ∈ {1,...,κ}, and for all entries m in D, check if m i divides the monomial m.If yes, check if { m p i (x 1 ,...,x k )}∪F is still determinant preserving. If yes, then substitutem λ iithe column of D by the coefficient vector ofmfurther monomials occurring in mm λ iim λ iip i (x 1 ,...,x k ). If necessary, introducep i (x 1 ,...,x k ) on the diagonal. That is, add anotherrow and column for each new monomial. As the monomials m i are ordered such that theirsize decreases, substitutions in monomials occurring only due to other substitutions arecovered by this approach.Perform Coppersmith’s methodHaving constructed a lattice basis B, we can now proceed as described in Section 2.3. Theupper bounds on the sizes of the unknowns can be determined with the folklore analysisand depend on the determinant of B.The algorithm described here gives a method to analyze any modular multivariate systemof equations with the same modulus and additional integer relations. The method usedto introduce new columns is a variant of the unraveled linearization technique presentedby Mathias Herrmann and Alexander May in [HM09] to analyze pseudo random numbergenerators. In unraveled linearization new monomials are directly substituted, whereaswe introduce new polynomials in the lattice. For integer relations, however, this does notmake a difference. In case of modular relations all sharing the same modulus, unraveledlinearization can be performed analogously, whereas there is no obvious way to include themodular relations in the lattice without introducing a new monomial. However, if powersof modular polynomials occur in the shift polynomial set, direct substitutions are no longerpossible with unraveled linearization either. The method of unraveled linearization, too, isadapted to the special shape of the polynomials and the implicit relations. Unfortunately,this implies that the algorithm in this form cannot be automated. In practical analyseshuman interaction is required.5.2.2 RSA with Random PaddingsAnother example of a system of equations with a common modulus can be derived fromRSA with random paddings. Let (N, 3) be a user’s public key, where N is an n-bit number.A message m of α < n bits is then encrypted as c ≡ (2 α+τ v + 2 τ m + w) 3 (mod N) fora random τ-bit number w and a random (n − α − τ)-bit number v. The message m aswell as the values v and w are secret and not known to any attacker. At first sight thisproblem seems to be easier than the example given in the previous subsection as therelations between two different RSA encrypted messages are explicit, linear and monic.The relations, however, are no longer completely known but include further (relativelysmall) unknowns.The case of two such encryptions of the same message with different paddings is described

96 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSand analyzed in [Jut98]. Letf 1 (m) := ( 2 α+τ v 1 + 2 τ m + w 1) 3− c1 ≡ 0 (mod N)and f 2 (m) := ( 2 α+τ v 2 + 2 τ m + w 2) 3− c2 ≡ 0 (mod N)be the polynomial equations derived from two different encryptions of the same messagem with paddings (v 1 ,w 1 ) and (v 2 ,w 2 ). Setm 1 = 2 α+τ v 1 + 2 τ m + w 1and m 2 = 2 α+τ v 2 + 2 τ m + w 2 .Charanjit S. Jutla aims at using the technique applied by Don Coppersmith et al. [CFPR96]described in Section 3.1 to solve RSA with affinely related messages and known relations.In contrast to the example given there, however, in this case we have further unknownsfrom the unknown paddings. Therefore, in order to determine these unknowns, set v 12 :=v 2 − v 1 , w 12 := w 2 − w 1 and ∆ 12 := 2 α+τ v 12 + w 12 . With this notation it follows thatm 2 ≡ m 1 + ∆ 12 (mod N). To define a system of equations, we replace the values byvariables. Let x represent m 1 , t i represent v i , u i represent w i and ρ 12 := 2 α+τ t 12 + u 12 =2 α+τ (t 2 − t 1 ) + (u 2 − u 1 ) correspond to ∆ 12 .Thus, we regard the following system of equationsg 1 (x) := x 3 − c 1 ≡ 0 (mod N)and g 12 (x,ρ 12 ) := (x + ρ 12 ) 3 − c 2 ≡ 0 (mod N).To eliminate the unknown x, Charanjit S. Jutla computes the resultant of the two polynomialswith respect to x in Z N , namely res 12 (ρ 12 ) := Res x (g 1 (x),g 12 (x,ρ 12 )). Resubstitutingρ 12 , one gets a bivariate polynomial r 12 in (t 12 ,u 12 ) with small roots v 2 − v 1 and w 2 − w 1modulo N. Applying Coppersmith’s method to r 12 (t 12 ,u 12 ), the roots can be found as longas the unknowns are small enough. The product of the unknowns ought to be bounded byN 1 9, i. e. the total padding must be smaller than one ninth of the bitsize of N. This resultcan be obtained by applying a generalization of Coppersmith’s original method and usinga generalized lower triangle to build up the shift polynomial set [JM06]. Subsequently, wecan substitute ρ 12 by the solution ∆ 12 := 2 α+τ (v 2 − v 1 ) + (w 2 − w 1 ) in g 12 . Then g 1 (x) ≡ 0(mod N) and g 12 (x, ∆ 12 ) ≡ 0 (mod N) denote two equations derived from RSA encryptionwith known relation. Such a system can be solved by the method of Don Coppersmith,Matthew Franklin, Jacques Patarin and Michael Reiter [CFPR96] presented in Section 3.1.Now let us consider what happens if we get another encryption of the same message witha different padding. Intuitively, an additional equation implies additional information andthe bound should improve. This is trivially the case as we no longer have to require that|(v 2 − v 1 )(w 2 − w 1 )| is smaller than N 1 9. Letf 3 (m) := ( 2 α+τ v 3 + 2 τ m + w 3) 3− c3 ≡ 0 (mod N)denote the equation derived from new encryption of the message m. Then, analogously tothe combination of f 1 and f 2 presented above, we can also combine f 3 with either f 1 or f 2 .

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 97We obtain the analogue conditions |(v 3 − v i )(w 3 − w i )| < N 1 9, i = 1, 2. Thus, if any of theproducts of the unknowns is smaller than N 1 9, the message m can be determined. That is,we require the following condition:min{|(v 2 − v 1 )(w 2 − w 1 )|, |(v 3 − v } {{ } 1 )(w 3 − w 1 )|, |(v } {{ } 3 − v 2 )(w } {{ } 3 − w 2 )|} < N 1 9 .} {{ }=:v 13 =:w 13 =:v 23 =:w 23The question now is if we can improve on this result using lattice-based techniques likeCoppersmith’s method. Unfortunately, there are strong arguments that this is not the case.First of all, we combine f 1 and f 3 in the same manner as we have combined f 1 and f 2 to geta polynomial g 13 (x) := (x+ρ 13 ) 3 −c 3 . Here ρ 13 := 2 α+τ (t 3 − t } {{ } 1 )+(u 3 − u 1 ). The variables} {{ }=:t 13 =:u 13t i and u i again correspond to the target values v i and w i , respectively. We would like toeliminate the variable x as it corresponds to a large value and compute the resultant ofg 1 and g 13 to get a polynomial res 13 (ρ 13 ) := Res x (g 1 (x),g 13 (x,ρ 13 )). By resubstituting ρ 13 ,we get the bivariate polynomial r 13 (t 13 ,u 13 ) of maximum total degree nine. Note that thevariables t 12 and t 13 as well as the variables u 12 and u 13 are pairwise independent as theyare derived from independent variables. Consequently, the bounds we obtain for a jointshift polynomial set will not improve on the bound we obtain for separate shift polynomialsets. Explanations for this have been given in Subsection 5.2.1 for a system of univariateequations in independent variables. The argumentation given in the proof of Theorem 5.2.3analogously works in case of more than one variable. Thus, we get the conditionThis implies|(v 2 − v 1 )(w 2 − w 1 )(v 3 − v 1 )(w 3 − w 1 )| < N 2 9 .min{|(v 2 − v 1 )(w 2 − w 1 )|, |(v 3 − v 1 )(w 3 − w 1 )|} < N 1 9 ,the condition we have already obtained using the trivial analysis.So far we have combined g 1 and g 12 as well as g 1 and g 13 . A third alternative is to combineg 12 and g 13 . Note that Res x (g 12 (x,ρ 12 ),g 13 (x,ρ 13 )) is a polynomial in ρ 13 −ρ 12 of maximumdegree nine. Resubstituting both variables results in the polynomial r 23 ((t 3 − t } {{ } 2 ), (u 3 − u 2 )) } {{ }=:t 23 =:u 23likewise of maximum total degree nine. If t 23 and u 23 were independent of t 12 , t 13 , u 12 andu 13 , we could again follow the argumentation given for two equations and the bound wouldnot improve. The variables t 23 and u 23 , however, depend on t 12 , t 13 , u 12 and u 13 in a trivialway: It is t 23 = t 3 −t 2 = t 3 −t 1 +t 1 −t 2 = t 13 −t 12 and, analogously u 23 = u 13 −u 12 . Thus,ρ 23 = ρ 13 −ρ 12 . These are integer relations we might again use to eliminate variables in theconstruction of the lattice basis . We define the polynomial r(ρ 12 ,ρ 13 ,ρ 23 ) := −ρ 23 +ρ 13 −ρ 12corresponding to the relation −ρ 23 + ρ 13 − ρ 12 = 0.The question is if this relation helps to improve the bound. Unfortunately, we can givestrong arguments that it does not. To see why this is the case, we look at possible lattice

98 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSconstructions. We pursue two different approaches to choose a shift polynomial set. Thenwe argue why these shift polynomial sets do not help to improve the bound. As thelattice constructions we consider are relatively general, we can exclude many at first sightpromising shift polynomial sets. Note however, that we do not prove that no better latticeconstruction exists.The first shift polynomial set is based on shifts of r 12 (ρ 12 ),r 13 (ρ 13 ) and r 23 (ρ 23 ). Then, likein the previous section, we use the known relation r between the unknowns to introducesome of the monomials which occur in the shift polynomial set. As usual, let D denotethe left part of the basis matrix we use in Coppersmith’s algorithm. Adding a multiple ofthe relation r in the shift polynomial set only influences the determinant of the lattice bychanging the set of monomials which have to be introduced. That is, the elements on thediagonal of D are changed. This implies that the bound can only be improved if more orlarger monomials can be eliminated from D than have to be introduced. However, this isnot the case as we show by a counting argument.The second shift polynomial set is constructed with respect to the polynomials r 12 (ρ 12 ),r 13 (ρ 13 ) and r 23 (ρ 12 ,ρ 13 ). That is, we use the known relation to describe r 23 directly as apolynomial in the unknowns ρ 12 and ρ 13 .We determine the maximum total degree of a monomial in the shift polynomial set. Weassume all monomials with degree l = 3λ,λ ∈ N, of small enough degree to occur in theshift polynomial set. This is a sensible assumption due to the structure of r 23 .Then we calculate the maximum number max r of shifts of each polynomial that can beincluded in the shift polynomial set. By this, we maximize the number of factors N l wecan obtain in the determinant of our lattice.On the other hand, we determine the maximum number max d of polynomials that form adeterminant preserving set. An upper bound for this is given by the number of monomialsthat occur in F. Then we compare the number of potential shift polynomials to theupper bound on the size of a determinant preserving shift polynomial set. With growingmaximum total degree, we observe that max d and max r are of approximately the same size.More precisely, max d − max r = o(l 2 ), whereas max d = Ω(l 2 ) and max r = Ω(l 2 ). Thus, ifwe take all possible shifts of one of the polynomials, we cannot add any further shifts toour shift polynomial set. Otherwise, the set would not remain determinant preserving.Consequently, we may assume that adding shifts of a second polynomial does not help toimprove the bound. Shifts of a second polynomial can only be included if shifts of the firstpolynomial are left out.We will now describe the two variants in detail.Approach 1The first variant is to build up the lattice as before. Then we can add shifts of theinteger polynomial r(ρ 12 ,ρ 13 ,ρ 23 ) := −ρ 23 + ρ 13 − ρ 12 . By this additional relation we caneliminate monomials as in the previous section. During the elimination process, however,we introduce more new monomials than we can eliminate old ones without getting furtherpositive factors in the determinant. Let us have a look at a simple basis matrix constructed

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 99with the shift polynomial set {r 12 ,r 13 ,r 23 }. Furthermore, let us assume v i = 0 for i = 1, 2, 3.Then we can omit the variables t ij . Instead, we can work with ρ ij = u ij . We setr⎛12 r 13 r 23⎞1 (c 1 − c 2 ) 3 (c 1 − c 3 ) 3 (c 2 − c 3 ) 3ρ 3 12 3c 2 1 + 21c 1 c 2 + 3c 2 2ρ 6 12 3(c 1 − c 2 )ρ 9 12 1ρ 3 13 3c 2 1 + 21c 1 c 3 + 3c 2 3ρ 6 13 D 3(c 1 − c 3 )ρ 9 13 1=: B. (5.18)ρ 3 23 3c 2 2 + 21c 2 c 3 + 3c 2 3ρ 6 23 3(c 2 − c 3 )ρ 9 23 1⎜ N⎟⎝N⎠NLet R ij denote an upper bound on the absolute value of ρ ij . The matrixD := Diag(1,R −312 ,R −612 ,R −912 ,R −313 ,R −613 ,R −913 ,R −323 ,R −623 ,R −923 )is the diagonal matrix corresponding to the monomials that occur in the shift polynomialset. Now we would like to use the relation r to reduce the number of entries on thediagonal of D. We choose to eliminate ρ 23 . As the problem is symmetric in ρ 12 ,ρ 13 and ρ 23(disrespecting signs) the argumentation is the same for any other variable. The relation ris linear, the monomials which occur in the shift polynomial set are of degrees 3, 6 and 9.Hence, in order to eliminate powers of ρ 23 , we have to multiply r by further monomials. Toeliminate ρ 3 23, we use the shift polynomial ρ 2 23r(ρ 12 ,ρ 13 ,ρ 23 ) = −ρ 3 23 + ρ 13 ρ 2 23 − ρ 12 ρ 2 23. Thisshift polynomial introduces two new monomials ρ 13 ρ 2 23 and ρ 12 ρ 2 23. Recall that a usefulnew set of shift polynomials should enlarge the size of the determinant. The contributionof each monomial to the determinant is the inverse of the monomial evaluated at theupper bounds of the unknowns. This implies that the factor R23 −3 in the determinant isreplaced by a factor of R12 −1 R13 −1 R23 −4 . As a single replacement this cannot be useful asR12 −1 R13 −1 R23 −4 < R23 −3 . We can do better by using further shifts of the polynomial r. Thatis, we add the set {ρ 2 23r,ρ 23 ρ 13 r,ρ 23 ρ 12 r,ρ 2 13r,ρ 13 ρ 12 r,ρ 2 12r} to the shift polynomial set. Byadequately ordering the six polynomials, we can use them to introduce six monomials.Note that the monomials ρ 3 12 and ρ 3 13 already exist in the lattice. However, there are tenmonomials of degree 3 in ρ 12 ,ρ 13 and ρ 23 , namely, ρ i 1212 ρ i 1313 ρ i 2323 such that i 12 = 0,...,3,i 13 =0,...,3 − i 12 and i 23 = 3 − i 12 − i 13 . Thus, we obtain two new monomials.In the case of higher degree monomials, similar substitutions can be made. However, thedifference between the number of monomials which can be introduced by a polynomial inthe shift polynomial set and the total number of monomials of this degree which we get

100 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSincreases with the degree. Thus, we have to introduce even more new monomials. Supposethat we would like to substitute ρ l 23 for an integer l which is divisible by 3. Only introducingthe monomial by the shift ρ23 l−1 r results in two new monomials ρ23 l−1 ρ 13 and ρ23 l−1 ρ 12 . Hence,for the determinant to become larger, we need R −2(l−1)23 R12 −1 R13 −1 > R23 −l ⇔ 1 > R23 l−2 R 12 R 13 ,which is never fulfilled. Successively adding more shifts leads to a similar condition. Eachshift polynomial used to introduce one already existing monomial also contains anothermonomial not yet contained in the set of monomials. Thus, when eliminating one valuefrom the determinant, we have to introduce a different one.Alternatively,∑we can introduce all possible monomials by shifts of r. Altogether, there arel ∑ l−ii=0 j=0 1 = 1 2 l2 + 3l +1 monomials of total degree l in ρ 2 12,ρ 13 and ρ 23 . The monomialsρ l 12 and ρ l 13 have already been introduced by shifts of r 12 and r 13 , respectively. Any othermonomial has to be introduced by a shift of r. The number of shifts of r to give monomialsof total degree l is limited by the number 1 2 l2 + 1 l of monomials of total degree l − 12with which we can shift r. Consequently, in total ( 12 l2 + 3l + 1) − ( 12 2 l2 + 1l) − 2 = l − 12monomials of degree l have to be introduced anew. A basis matrix corresponding to thisis given byr 12 r 13 r 23⎛1 (c 1 − c 2 ) 3 (c 1 − c 3 ) 3 (c 2 − c 3 ) 3 ⎞ρ 3 12 3c 2 1 + 21c 1 c 2 + 3c 2 2ρ 6 12 3(c 1 − c 2 )ρ 9 12 1ρ 2 12ρ 13. 0ρ 12 ρ 8 13ρ 3 13 3c 2 1 + 21c 1 c 3 + 3c 2 3ρ 6 13˜D R 3(c 1 − c 3 )ρ 9 13 1=: ρ 2 ˜B .12ρ 23. 0ρ 13 ρ 8 23ρ 3 23 3c 2 2 + 21c 2 c 3 + 3c 2 3ρ 6 23 3(c 2 − c 3 )ρ 9 23 1⎜N⎟⎝N⎠NThe matrix˜D := Diag(1,R −312 ,R −612 ,R −912 ,R −212 R −113 ,R −112 R −213 ,R −512 R 13 ,...,R −112 R −813 ,R −313 ,R −613 ,R −913 )is the diagonal matrix corresponding to the monomials that occur in the new shift polynomialset. The matrix R is the matrix induced by the coefficient vectors of the polynomials

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 101( )ρ 2 12r,ρ 12 ρ 13 r,...,ρ 2 23r,ρ 5 12r,...,ρ 5 23r,ρ 8 12r,...,ρ 8 Ru23r. Note that R = , where RR l islan upper triangular matrix with value one on its diagonal. That is because the diagonalentries correspond to monomials introduced by the shifts of r. Due to this structure, it isdet(R l ) = 1. Thus, det(˜B) = det( ˜D) det(R l )N 3 = det( ˜D)N 3 .In order for the substitution to give a better bound, the new determinant ought to belarger than the previous one. The condition for this is det( ˜D) > det(D). This is equivalentto R23 18 > R12R 5413 54 ⇔ R 23 > R12R 3 13. 3 Asymptotically, the number of monomials whichhave to be introduced increases and the condition gets even worse. The reason for thiscan be seen easily. Let ρ l 23 for some l ∈ N denote the monomial that shall be substituted.Then, as argued above, l − 1 monomials of degree l have to be newly introduced. Multiplyingthese monomials gives a monomial of total degree l 2 − l. Thus, the determinantgets larger provided that R23 −l < R −l 1212 R −l 1313 R −l 2323 with l 12 + l 13 + l 23 = l 2 − l. If l 23 ≥ l,this condition cannot be fulfilled. Hence, l 23 < l. Then the condition is equivalent toR l−l 2323 > R l 1212 R l 1313 . It is l 12 + l 13 = l 2 l>2− l − l 23 ≥ 2l − l 23 > 2(l − l 23 ). Further, l 12 andl 13 are greater than l − l 23 each. This can be seen as follows. Assume the contrary, i. e.l 13 ≤ l −l 23 . (The case of l 12 ≤ l −l 23 can be treated analogously.) Then, on the one hand,l 12 = l 2 − l − l 23 − l 13 ≥ l 2 − 2l. On the other hand, it is l 2 − l − l 23 = l(l − 2) + l − l 23 .Consequently, the product we consider consists of at least l − 2 monomials not comprisingany power of ρ 23 . If we take the highest powers of ρ 12 possible in these monomials, theysum up to ∑ li=3 i = 1 2 l2 + 1l − 3. To get the highest power in ρ 2 12 we assume the last twomonomials to be ρ12 l−1 ρ 23 and ρ12 l−2 ρ 13 ρ 23 . This implies l 12 < 1 2 l2 + 5 l − 6. Combining the2two conditions, we get l 2 − 2l ≤ l 12 < 1 2 l2 + 5 l − 6. This can only be fulfilled if l < 8.2Hence, if the value of l increases, the influence of monomials of degree 3 and 6 on the sizeof the determinant will be compensated for by higher degree monomials. That is to say,the substitution does not help to improve the bound we can obtain asymptotically.Consequently, any of these conditions can only be fulfilled provided that the weaker conditionR 23 > R 12 R 13 holds as well. Note, however, that |ρ 23 | = |ρ 12 − ρ 13 | ≤ |ρ 12 | + |ρ 13 | ≤2 max{|ρ 12 |, |ρ 13 |} log(N)≥512≤ |ρ 12 ρ 13 |. Thus, an upper bound R 23 such that R 23 > R 12 R 13would not fit to the problem. Consequently, this approach should not be pursued.Approach 2As a second variant, we can directly substitute ρ 23 = ρ 13 − ρ 12 in r 23 . For notationalconvenience, we denote by r 23 the original polynomial in t 23 and u 23 , whereas we denote by˜r 23 the polynomial r 23 (t 13 − t 12 ,u 13 − u 12 ) as polynomial in t 13 ,t 12 ,u 13 and u 12 . Then weconstruct a lattice with respect to r 12 ,r 13 and ˜r 23 . Remark that all monomials which occurin ˜r l 23 for an l ∈ N already include all monomials which occur in r l 12 or r l 13. Hence, to get agood bound, we can take the folklore shifts of ˜r 23 and add as many shifts of the two otherpolynomials as possible. These additional shifts only help to increase the bound withoutany additional costs. However, we can only take shifts such that the shift polynomial setremains determinant preserving.Note that as long as we take all possible shifts of ˜r 23 and the same shifts of r 1ι for a fixed

102 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSι ∈ {1, 2}, we will obtain the original condition R 1ι R 23 ≤ N 9. 2 Thus, for this approach towork, we have to be able to add most of the shifts of r 1ι and a number of shifts of r 1(3−ι)which does not disappear asymptotically. Unfortunately, there is no such determinantpreserving shift polynomial set. This can be seen as follows. Of a fixed degree δ, thereare exactly δ + 1 monomials in the variables ρ 12 and ρ 13 . Thus, the number of differentmonomials which occur if we include ˜r 23 up to the power of l ∈ N (and shifts of lowerpowers of ˜r 23 ) in our shift polynomial set is ∑ 3lk=0 (3k + 1) = 27 2 l2 + 15 l +1. The analogous2shifts of r 12 and r 13 do not introduce further monomials. The coefficient vectors of theshift polynomials are, thus, vectors in Z 272 l2 + 152 l+1 (if we ignore the moduli).We look at how many shift polynomials we can maximally include in our shift monomialset. To start, we determine the number of shift polynomials of ˜r 23 . The polynomial ˜r 23 l−1 isshifted by all monomials of degree 0, 3, 6 and all but one of degree 9. Any other polynomial˜r 23 i with i = 1,...,l − 2 is also shifted by these monomials. Further, it is shifted by allmonomials of degree 12, 15,...,9(l − i) which are not divisible by the leading monomial(e. g. ρ 9 12 if using graded lexicographical ordering with ρ 12 > ρ 13 ). There are nine suchmonomials of each degree. The number of the polynomials in the shift set is, thus,∑l−1(21 + (i − 1)27) = 272 l2 − 392 l + 6.i=1Let us assume we could add the same shifts of r 12 ,r 13 . Then the number of shift polynomialsis 3 ( 272 l2 − 39l + 6) . The coefficient vectors of these shift polynomials form a set of23 ( 272 l2 − 39l + 6) vectors in Z 272 l2 + 152 l+1 (again ignoring the moduli). Hence, at least2( 27n d := 32 l2 − 39 ) ( 272 l + 6 −2 l2 + 15 )2 l + 1 = 27l 2 − 66l + 17vectors linearly depend on the others provided that this value is positive. Returning tothe polynomials, n d polynomials are linearly dependent of the set of the other polynomialsmodulo N and cannot be included in our lattice construction.On condition that l > 5 it is27l 2 − 66l + 17 > 272 l2 + 15 2 l + 1.This implies that we cannot include any of the shifts of e. g. r 13 in the shift polynomial set.Hence, the bound cannot get better than the original one. Note that this condition doesnot state anything about which shifts we can take. It might be that we can include shiftsof r 12 as well as of r 13 . Their total number, however, may not be larger than the totalnumber of shifts which could be taken of one of the polynomials. Thus, the contributionof powers of N on the determinant will not increase. Then the only way to improve thebound is by using significantly less monomials.In case of l = 3 we cannot exclude 69 but only 62 shift polynomials by these roughestimations. In case of l = 2 we cannot even exclude any of the shift polynomials this way.

5.2. SYSTEMS OF EQUATIONS WITH A COMMON MODULUS 103Actual computations, however, give 5 polynomials which have to be excluded. The boundsobtained with the lattices constructed in the case of l = 2, however, are worse than thebound of N 1 9.Thus, we return to the former approach. That is, we use the polynomials r 12 ,r 13 and r 23with their basic shifts to construct a lattice basis to use with Coppersmith’s method. Thisway, we can determine ∆ ij and, thereby, also m, if |(v j − v i )(w j − w i )| < N 1 9 for any pairi,j.The analysis can be generalized to an arbitrary number of equations in a straightforwardmanner. The condition we obtain is the same. That is, the difference of two paddings hasto be smaller than N 1 9 for at least one pair of paddings.In the case of RSA encryption with a different public exponent e, the value N 1 9 has to besubstituted by N 1e 2 in all steps of the analysis. The bounds get worse. The running timeof the algorithm depends on the running time of Coppersmith’s method and the numberof possible choices of pairs. Both running times are polynomial in e. Thus, for constantvalues of e the attack is feasible if |(v i − v j )(w i − w j )| < N 1e 2 .We have seen in our example that combining equations does not help to improve the bound.The reason for this is the independence of the variables ρ ij we can include in one lattice.The main variable occurring in all of the equations is the variable x. It corresponds to theunknown message m. In our analysis, we have eliminated x in the first step by computingresultants with respect to x. If we do not do this, but directly perform Coppersmith’salgorithm on one of the original equations, we obtain rather small upper bounds M suchthat we can determine all m such that |m| < M. In this approach taking more than oneof the original polynomials and shifting them to obtain shared monomials would allow fora larger value of M. However, the bounds we obtain by any of those analyses are stilltoo small as in practice m has nearly full size. Thus, the above approach in which m iseliminated beforehand is better suited to the problem.Recapitulating the examples of systems of modular equations with the same modulus, weobserve the following: Additional equations in the same variables help to improve certainbounds in case of small lattices provided that the additional equations help to reduce thenumber of unknown monomials. By additional integer equations the bounds can also beimproved. In asymptotically large systems, however, care has to be taken not to introducetoo many shifts and, thus, destroy the property that the given system is determinant preserving.Unfortunately, the choice of shift polynomials strongly depends on the originalsystem of equations. Thus, we cannot give a general strategy and bound working for anarbitrary system.For some specific systems of equations like the ones derived from RSA with randompaddings, there are even indications that the known bounds cannot be improved. A reasonfor this may be the fact that we try to reuse additional information twice. Recall that in afirst step, we have computed the resultant of two polynomials. That is, we have includedadditional information in the new polynomial. In a second step, we aim at getting advantageby combining two such polynomials. However, we have given arguments that this

104 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSdoes not help further. Unfortunately, these arguments can only be given with respect tospecific systems of equations. Thus, human interaction is required in these analyses.5.3 Systems of Equations with Coprime ModuliLet us again deal with systems of modular multivariate equations. However, in contrast tothe previous section we now assume the moduli to be coprime, that is, we analyze Systemsof Modular Multivariate Polynomial Equations with Mutually Coprime Moduli (SMMPE2-problem).Definition 5.3.1 (SMMPE2-problem)Let k ∈ N, δ 1 ,...,δ k ∈ N, and N 1 ,...,N k ∈ N mutually coprime with N 1 < ... < N k .Suppose that f i (x 1 ,...,x l ) are polynomials of degree δ i in Z Ni [x 1 ,...,x l ], i = 1,...,k,respectively. Letf 1 (x 1 ,...,x l ) ≡ 0 (mod N 1 )f 2 (x 1 ,...,x l ) ≡ 0 (mod N 2 ). (5.19)f k (x 1 ,...,x l ) ≡ 0 (mod N k )be a system of multivariate polynomial equations.Let X i < N i , X i ∈ R, i = 1,...,l. Find all common roots (¯x 1 ,..., ¯x l ) of (5.19) with size|¯x i | ≤ X i .The analysis of system (5.19) is similar to the analysis of system (5.1) with one sharedmodulus. When considering linear independence, however, we have to take the differentmoduli into account.Let ˜F be the set of shift polynomials used to apply Coppersmith’s method (Theorem 2.3.9).i (x 1 ,...,x l ) with aThen all (f,N) ∈ ˜F consist of a polynomial f of the form m ∏ ki=1 fλ imonomial m ∈ Z N [x 1 ,...,x l ], λ i ∈ N 0 , and a modulus N = ∏ ki=1 Nλ ii ∈ N. The solutionwe are searching for is a solution of f(x 1 ,...,x l ) ≡ 0 (mod N) for all (f,N) ∈ ˜F.Using these polynomials, a basis matrix is constructed. We again use the notation as withsystems with the same modulus. The last columns of the basis matrix corresponding tothe shift polynomials are denoted by F. It consists of an upper part F c corresponding tothe coefficients in the polynomials and a lower part F m corresponding to the moduli. Thematrix F m again forms a diagonal matrix. The values on its diagonal are of type ∏ ki=1 Nλ iiwith λ i ∈ N 0 . We call them diagonal values.To obtain linear dependence of column vectors of F modulo an integer a > 1, we againhave to eliminate the values occurring in F m as they only occur in one column. Thus, theycannot be eliminated by linear combination of columns but have to be eliminated by themodular operation.In contrast to the system in the previous section, however, the diagonal values do not

5.3. SYSTEMS OF EQUATIONS WITH COPRIME MODULI 105necessarily share a common divisor. Therefore, we have to check for linear independencemodulo a for all a ≠ 1 dividing more than one of the diagonal values. Namely, we have tocheck for linear independence modulo the N i and their divisors. As the N i are coprime bydefinition this implies that for a fixed value of j we only have to check the set of columnscorresponding to polynomials with λ j > 0 for linear independence modulo N j and itsdivisors.Lemma 5.3.2Let ˜F ⊂ Z[x 1 ,...,x l ] × N be an ordered set of polynomials and corresponding moduliwhich is not determinant preserving. Let F be the integer polynomial set induced by ˜F.Let F be the matrix induced by F as before. Then there are ¯f ∈ F and c f ∈ Z such that¯f ≡ ∑ f∈F\{ ¯f} c ff (mod a) where a|N for some modulus N occurring in ˜F and a > 1.Proof: We regard the polynomials f ∈ F, the set induced by ˜F, as polynomials inZ[x 1 ,...,x l ,t 1 ,...,t |F| ]. From the precondition using Theorem 5.1.5 it follows that thereare ¯f ∈ F, c f ∈ Z for all f ∈ F \ { ¯f} and 1 ≠ a ∈ N such that ∑ f∈F\{ ¯f} c ff ≡ ¯f (mod a).By construction there is a monomial t j which occurs only in ¯f. Its coefficient correspondsto the modulus N of the respective polynomial equation. Then for the linear dependencyrelation to hold we require a|N which implies the claim.In many practical examples we take moduli N which are products of two unknown primesp and q. Thus, we can only test for modular dependence modulo N. Like in Section 5.2we, therefore, assume that we do not get the factors of the moduli as elementary divisors.Otherwise, this would be a way to determine the factorization of N. This assumption wastrue in all our examples.Note that the analysis of systems of equations with mutually coprime moduli is thus easierthan the analysis of systems of equations with the same modulus. From Lemma 5.3.2we have that modular dependence only has to be checked with respect to the differentmoduli N i and their divisors. A set of polynomials P ⊆ F modularly dependent modulo adivisor a of N i will only include shift polynomials which are multiples of f i . This is becauseany other shift polynomial f ∈ F will include a term Nt such that t only occurs in thispolynomial (as it is constructed by transforming ˜f to f) and gcd(N,a) = 1. Consequently,the coefficient of t would not be 0 (mod a). This observation simplifies the analysis as wecan take arbitrary shifts of f λ ii (x 1 ,...,x l ), i = 1,...,k, λ i ∈ N, without taking care ofshared monomials. Only if we consider products of the polynomials as well, we have to bemore careful.We start the analysis of systems with mutually coprime moduli by returning to the caseof univariate equations.

106 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONS5.3.1 Directly Applying Coppersmith’s Lattice-Based Techniquesto a System of Equations to Solve SMUPE2Let us recall the SMUPE2-problem which has been presented in Chapter 3: Letf 1 (x) ≡ 0 (mod N 1 )f 2 (x) ≡ 0 (mod N 2 ).f k (x) ≡ 0 (mod N k )be a system of univariate polynomial equations. Here, N 1 < N 2 < ... < N k are pairwisecoprime composite numbers of unknown factorization and f 1 (x),...,f k (x) are polynomialsof degree δ 1 ,...,δ k in Z N1 [x],...,Z Nk [x], respectively.Let X < N 1 , X ∈ R. The aim is to find all common roots x 0 of these equations with size|x 0 | ≤ X. In order to be able to calculate all roots, we would like to have X = 1N 2 1.This problem is a special case of the general problem of solving systems of equations withmutually coprime moduli as we are restricted to one variable.In Chapter 3, Corollary 3.2.3, we have shown that if ∑ ki=11δ i≥ 1, then we can determineall x 0 ∈ Z N1 which are solutions of the system. To obtain this result, we have combined thepolynomials f 1 ,...,f k to one polynomial f with the same solutions modulo some productN of powers of the original moduli. The equation f(x) ≡ 0 (mod N) could then be solvedprovably by a direct application of Coppersmith’s algorithm.Now we will analyze the problem differently. We will directly apply Coppersmith’s algorithmto the system of equations. This implies that we first have to define a suitable setof shift polynomials. This choice also gives a general insight into applying Coppersmith’salgorithm to systems of modular equations with pairwise coprime moduli.We will give a different proof of the bound given in Corollary 3.2.3.Proof of Corollary 3.2.3: In a first step, we define a set of shift polynomials and correspondingmoduli ˜F to use with Coppersmith’s algorithm. Then we show that it isdeterminant preserving and prove that we get a new equation with zero x 0 , which is validover the integers, if |x 0 | ≤ X = 1 2 N1−ǫ 1 for an ǫ > 0. Then we will extend the result tox 0 ∈ Z N1 .Let ǫ > 0, δ := lcm(δ 1 ,...,δ k ) and λ ∈ N such that λ ≥ max { k−1+ǫ, 7 ǫδ δ}.Recall that in order to achieve a large bound on the unknown we essentially need manypowers of N i and few powers of X −1 in the determinant of our lattice. As the lattice basisis constructed such that it is described by an upper triangular basis matrix, we requiremany powers of N i and few powers of X −1 on the diagonal of the lattice basis.Recall further that a monomial X −l occurs on the diagonal if x l is a monomial in anypolynomial in F. To obtain a good ratio of powers of X −1 and N i , we simply reuse theparameter λ given by Coppersmith. This leads to the bound given above. We limit thedegree of X −i to λδ. Additionally, we would like to have as many powers of N i as possible

5.3. SYSTEMS OF EQUATIONS WITH COPRIME MODULI 107contributing to the determinant. For any polynomial f i (x) we have f i (x) ≡ 0 (mod N i ).Thus, f j i (x) ≡ 0 (mod Nj i ) for any j ∈ N. Therefore, whenever introducing a new monomialwe take the largest power of f i (x) with which it is possible to do so. We define˜F := {(x h f i (x) j ,N j i ) | i = 1,...,k; 0 ≤ h < δ i and 1 ≤ j < λ δ δ i}.This set is determinant preserving. To prove this, let F denote the set of integer polynomialsinduced by ˜F and assume the contrary. Then, by Lemma 5.3.2 there are ¯f ∈ Fand coefficients c f ∈ Z not all equal to zero and 1 ≠ a ∈ N such that ∑ f∈F\{ ¯f} c ff ≡ ¯f(mod a). Furthermore, a divides one of the moduli, i. e. a|N i for some index i. Due toour construction the moduli are either powers of the same value N i or coprime to it. Consequently,linear dependence may only occur in a set of polynomials constructed with thesame index i. Without loss of generality we assume this index to be 1. For any other index,we can argue analogously. Let ˜F 1 := {(x h f 1 (x) j ,N1) j | 0 ≤ h < δ 1 and 1 ≤ j < λ δδ 1} andlet F 1 be induced by this set. Thus, ∑ f∈F 1 \{ ¯f} c ff − ¯f ≡ 0 (mod a) with a|N 1 . Orderingthe polynomials in F 1 by their degree in x, however, one can see that each polynomialintroduces a new monomial. Thus, it cannot be dependent on the other polynomials. Thiscontradicts the assumption. Hence, ˜F is determinant preserving.To determine a solution, we apply Coppersmith’s method with shift polynomial set ˜F.We denote the lattice constructed with respect to ˜F by L. In order to calculate theupper bound X up to which size we can determine the unknown x 0 , we calculate thedeterminant of our lattice L. Its basic structure is det(L) = X ∏ −sx ki=1 Ns ii . This isbecause the part induced by the shift polynomials set contributes with powers of the moduli,whereas from the part corresponding to the monomials we get powers of X −1 . It isD = Diag(1,X −1 ,...,X −(δλ−1) ). Thus,For 1 ≤ i ≤ k we haveConsequently,s x =δλ−1∑i=0λ δ −1 δ∑ is i = δ ii=1i =i =(δλ)(δλ − 1)2( )λδ λ δ δ i− 1∏det(L) = X −((δλ)(δλ−1) 2 ) k Ni=12..(λδ(λδ δ )i−1)2i .Note that √ δλ denotes an upper bound on the size of the target vector. Using equation(2.13), we, therefore, get the following condition:⎛(√ ⎜∏δλ ≤ ⎝X −((δλ)(δλ−1) 2 ) k λδ(λ δ ) ⎞ 1δ i−1)δλ2⎟N ⎠ 2 − δλ−14 .i=1i

108 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSThis is equivalent to the conditionX ≤ 2 −1 2 (δλ)− 1δλ−1k∏i=1λ δ −1δ iδλ−1Ni .As δλ ≥ 7 we can conclude (δλ) − 1δλ−1 ≥ 7− 1 6 ≥ 8 −1 6 = 2 −1 2.Further, as λ ≥ k−1+ǫ ⇔ ǫ ≥ k−1 and ∑ k 1ǫδ δλ−1 i=1 δ i≥ 1, it holds thatConsequently,k∑ λ δ δ i− 1i=1δλ − 1===≥≥2 −1 2 (δλ)− 1δλ−1(k∑ 1− 1 − )1δ iδ i δλ − 1k∑ 1− 1 k∑(1 − 1 )δ i δλ − 1 δ ii=1i=1i=1i=1k∑ 1− k − ∑ ki=1δ i δλ − 1k∑i=1k∑i=1k∏i=11− k − 1δ i δλ − 11δ i− ǫ.1δ iλ δ −1δ iδλ−1Ni ≥ 1 ∑ k2 N i=1 1 −ǫ δ i1≥1 2 N1−ǫ 1 .For X = 1 2 N1−ǫ 1 we can, thus, determine f(x) with Coppersmith’s algorithm such thatf(x) = 0 over the integers. This requires time polynomial in δ, max{log(N i )} and 1.ǫIn order to determine all solutions x 0 ∈ Z N1 , we have to redo the algorithm. Settinge. g. ǫ = 1log N 1we can recover all x 0 in the interval [− 1N 4 1, 1N 4 1]. To cover a complete setof representatives (mod N 1 ), we additionally need to cover e. g. the interval [ 1N 4 1, 3N 4 1].Therefore, we repeat the above algorithm with a set of polynomial equations ˜f i (x+ ¯x) ≡ 0(mod N i ), i = 1,...,k centered at ¯x := ⌊ 1N 2 1⌋. The computation of the new polynomialsis polynomial in δ i ≤ δ. Thus, we can determine any solution x 0 of our given system intime polynomial in k,δ and max{log(N i )}.The construction described here shows an easy way to construct a shift polynomial setbased on a set of univariate modular equations. This set seems to be a good choice aswe recalculate the same bounds we have obtained in the proof of Corollary 3.2.3 by using

5.3. SYSTEMS OF EQUATIONS WITH COPRIME MODULI 109the Chinese Remainder Theorem 2.2.13. Moreover, we have argued in Section 3.2.1 thatthis bound is optimal for general problems. With the Chinese Remainder Theorem theoptimality is quite intuitive. First, the polynomials are taken to powers. The bound onthe zero we can obtain when analyzing a single polynomial is not influenced by this. Thenthe Chinese Remainder Theorem is applied. It gives a good construction to obtain onepolynomial of common degree. Thus, the degree remains, as modulus we get the productof the single moduli. Coppersmith’s algorithm, which is then applied to this polynomial,is believed to be optimal as we have explained in the introduction of Section 3.Using the method presented above, however, the optimality is not obvious as the choice ofa ”good” set of shifts for systems of equations is not that clear. Let us consider possiblechanges of the shift polynomial set ˜F. As the value of λ is optimized afterwards, we do notneed to think about including shifts of higher powers of f i (x). Another idea to increase thedeterminant is to add further shift polynomials, e. g. products of polynomials f i (x)f l (x) ofsmall enough degree. They do not introduce new monomials on the diagonal but contributewith powers of the N i . Adding such products to ˜F and thereby to F, however, smashesthe property of being determinant preserving of F (and thus ˜F) as can be seen in thefollowing lemma.Lemma 5.3.3Let ˜F := {(x h f i (x) j ,N j i ) | i = 1,...,k; 0 ≤ h < δ i and 1 ≤ j < λ δ δ i} and ˜f :=x ∏ h ki=1 fλ ii (x) with λ i ∈ N for at least two indices i and λ i = 0 for all other indices.Furthermore, let deg ˜f < δλ. Then the set ˜F n := ˜F ∪ {( ˜f, ∏ ki=1 Nλ ii )} is not determinantpreserving.Before proving this, we give an auxiliary lemma.Lemma 5.3.4Let λ 1 ,N 1 ∈ N. Let f(x),f 1 (x) ∈ Z N1 [x] be polynomials such thatf(x) ≡ f λ 11 (x) · g(x) (mod N 1 ),where g(x) ∈ Z N1 [x] is a polynomial of degree δ g := deg(g) = deg(f) − λ 1 deg(f 1 ) ≥ 1. Letδ f := deg(f) and deg(f 1 ) =: δ 1 . Furthermore, let c f be the leading coefficient of f(x).Then h(x) := f(x)−c f x δ f −⌊ δ f⌋δ δ 1 1 f ⌊ δ f⌋ δ 11 (x) ∈ Z N1 [x] is a polynomial of degree δ h := deg(h) λ 1 δ 1 ⇔ δ fδ 1> λ 1 . As λ 1⌋δ δ 1 1 f ⌊ δ f⌋ δ 1

110 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSis an integer, even ⌊ δ fδ 1⌋ ≥ λ 1 holds. Therefore, f λ 11 (x)|x δ f −⌊ δ f1 (x). Consequently,f λ 11 (x)|h(x), i. e. h(x) ≡ f λ 11 (x)·g h (x) (mod N 1 ) for a non-zero polynomial g h (x) or h(x) ≡0 (mod N 1 ).⌋δ δ 1 1 f ⌊ δ f⌋ δ 1Now we can give the proof of Lemma 5.3.3:Proof: Let F n be the integer polynomial set induced by ˜F n . To show that ˜F n is notdeterminant preserving, we will show that F n is not determinant preserving. Let f :=˜f − t ∏ ki=1 Nλ ii be the integer polynomial induced by ˜f. Without loss of generality weassume λ 1 > 0. (If not, enumerate the (f i ,N i ) differently. This can be done as this proofdoes not depend on the fact that the N i are ordered according to their size.) We willshow that f is linearly dependent on F modulo N 1 . Then, by Theorem 5.1.5, F n is notdeterminant preserving.Let δ 1 := deg(f 1 ) and δ f := deg(f). By construction we have f(x) ≡ ˜f(x) ≡ f λ 11 (x) · g(x)(mod N 1 ) with δ g := deg(g) = δ f − λ 1 δ 1 > 0.By iteratively applying Lemma 5.3.4 on f, we get a sequence f = h 1 ,h 2 ,...,h ν ∈ Z N1 [x]of polynomials of decreasing degree. It is finite as the degree decreases in each step.Let ν be defined such that h ν ≡ 0, but h ν−1 ≢ 0. Further, for i = 1,...,ν − 1, it is⌋δ δ 1 1 f ⌊deg(h i ) ⌋h i (x) ≡ h i+1 (x) + c hi x deg(h i)−⌊ deg(h i ) δ 11 (x) (mod N 1 ). Successively substituting theh i (x), we get∑ν−1f(x) ≡ c hi x deg(h i)−⌊ deg(h i ) ⌋δ δ 1 1 f ⌊deg(h i ) ⌋ δ 11 (x) (mod N 1 ).i=1This shows that F n is not determinant preserving.Remark that in the above proof the representation of f as a linear combination of polynomialsin F only includes polynomials of the form x h f j 1(x) with j ≥ λ 1 . Thus, with thesame proof we get a more specific version of Lemma 5.3.3.Lemma 5.3.5Let ˜F 1,λ1 := {(x h f 1 (x) j ,N1) j | 0 ≤ h < δ i and λ 1 ≤ j < λ δ δ i} and ˜f := x ∏ h ki=1 fλ ii (x) withλ 1 ,λ ι ∈ N with ι ≠ 1 and λ i ∈ N 0 for all other indices. Furthermore, let deg ˜f < δλ. Thenthe set ˜F n := ˜F 1,λ1 ∪ {( ˜f, ∏ ki=1 Nλ ii )} is not determinant preserving.We have seen that we cannot include any further polynomial in the shift polynomial set˜F = {(x h f i (x) j ,N j i ) | i = 1,...,k; 0 ≤ h < δ i and 1 ≤ j < λ δ δ i}in order to improve the bound. Nevertheless, a completely different choice of ˜F, not includingall the polynomials we have used so far, might lead to an improved bound. Therefore,we have to check which bounds can be obtained if we use different shift polynomial sets.Let us assume that any shift polynomial set under consideration contains all monomialsx i with i ≤ δ, where δ is the maximum degree of a polynomial in ˜F. This is a sensible

5.3. SYSTEMS OF EQUATIONS WITH COPRIME MODULI 111assumption as the bound obtained with Coppersmith’s method for univariate polynomialsonly depends on the degree of the original polynomial and not on its sparseness. The lackof monomials does not influence the asymptotic behavior.A direct analysis shows that any arbitrary determinant preserving shift polynomial set canbe substituted by a shift polynomial set which is a subset of our original set ˜F.Lemma 5.3.6Let λ,δ ∈ N. Let˜G 1 ⊆ {(x h k∏i=1f λ ii (x),k∏i=1N λ ii ) | i = 1,...,k;h,λ i ∈ N 0 such thatk∑λ i δ i + h < δλ}i=1be a determinant preserving shift polynomial set. Let Mon( ˜G 1 ) include all monomials upto the maximum degree of a polynomial in ˜F. Then there exists another determinantpreserving shift polynomial set˜G 2 ⊆ ˜F := {(x h f i (x) j ,N j i ) | i = 1,...,k; 0 ≤ h < δ i and 1 ≤ j < λ δ δ i}with which we obtain at least the same upper bound X on the size of the solution we candetermine.Proof: Let G 1 be the integer polynomial set induced by ˜G 1 .Let (˜g,N) ∈ ˜G 1 such that ˜g isthe polynomial of smallest degree which is a product of at least two different polynomialsf i (x), 1 ≤ i ≤ k. Then ˜g can be written as ˜g(x) = x ∏ h ki=1 fλ ii (x) and N g := ∏ ki=1 Nλ ii withλ i ∈ N for at least two indices i and λ i = 0 for all other indices. Furthermore, deg(˜g) < δλ.Without loss of generality we assume λ 1 > 0. (If not, enumerate the f i differently.) Letg(x) be the integer polynomial induced by ˜g(x), that is g(x,t) := ˜g(x) − tN g .We would like to substitute ˜g by a polynomial or a set of polynomials belonging to ˜F. Inorder to do so, we proceed in two major steps: First, we show that there exist polynomialswhich we can take for the substitution, i. e. polynomials which are not yet in G 1 . Thenwe show that these polynomials either keep or improve the bound, but do not worsenit. The proof of this consists of two steps. On the one hand, we show that the positivecontribution, i. e. the contribution of powers of N i to the determinant, is equal to thecontribution when using g. On the other hand, we need to have that the negative contribution,i. e. the contribution of powers of X −1 to the determinant, is smaller than or equalto the contribution when using g. This is already given by the assumption that Mon( ˜G 1 )contains all monomials. Hence, no further monomials can be introduced by substitutingthe polynomial. Thus, the value of the determinant can only increase and, consequently,the same holds for the bound.We now prove the first claim. Let ˜F 1,λ1 denote the set of all polynomials in F which aredivisible by f λ 11 (x) as in Lemma 5.3.5. By Lemma 5.3.5 we have that ˜F 1,λ1 ∪ {˜g} is notdeterminant preserving. Consequently, as (˜g,N g ) ∈ ˜G 1 there exists (˜g 1 ,N g1 ) ∈ ˜F 1,λ1 \ ˜G 1with ˜g 1 (x) ≡ f λ 11 (x)g r1 (x) (mod N λ 11 ). Analogously, for all other i such that λ i > 0 there

112 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSexist polynomials ˜g i (x) ≡ f λ ii (x)g ri (x) (mod N λ ii ) which are not contained in ˜G 1 . We thensubstitute (˜g,N g ) by the set {(˜g i ,N λ ii ) | λ i > 0}.Now we consider the influence of this substitution on the determinant of the lattice. Thecontribution of N i to the determinant using ˜g is N g := ∏ ki=1 Nλ ii . That is, for each λ i > 0,we get a factor of N λ ii in the determinant. For each of the ˜g i , the contribution to thedeterminant is N λ ii . The product of these contributions is, thus, ∏ ki=1 Nλ ii . Hence, thesubstitution does not change the power of N i occurring in the determinant.Moreover, as ˜F is determinant preserving, ˜G 2 ⊆ ˜F is determinant preserving as well.We have seen that a shift polynomial set which is a subset of ˜F can be used to analyzesystems of modular univariate equations with coprime moduli. As we have assumed thesets to contain all monomials up to a certain degree anyway, it is best to take as manypolynomials as possible. This implies that the bound using ˜F is better than the boundtaking a subset. Therefore, on the assumption that any useful shift polynomial set includesall monomials up to a certain degree, we conclude in the univariate case:Theorem 5.3.7The following two analyses of the SMUPE2 problem give the same bounds:1. Combining the equations by the Chinese Remainder Theorem to a polynomial f(x)and applying Coppersmith’s algorithm to f(x).2. Defining a good shift polynomial set like ˜F for the system of equations and applyingCoppersmith’s algorithm to this.Both analyses can be performed in time polynomial in δ, k and max{log(N i )}.Proof: By the proof of Corollary 3.2.3 given in this section we get that any bound obtainedwith method (1) can also be obtained directly using a suitable shift polynomial set. Forthe converse, assume we are given a shift polynomial set ˜F 1 which gives a good bound. ByLemma 5.3.6 we get a second shift polynomial set ˜F 2 ⊂ ˜F which gives the same (or even abetter) bound. As the polynomials in ˜F contain all monomials, the shift polynomial set ˜Fgives a better bound than any of its subsets. Taking these shifts, however, is equivalent tocombining the original polynomials by the Chinese Remainder Theorem and shifting theresulting polynomial f up to a power f λ .The running time of method (1) is polynomial in δ and log M by Theorem 3.2.2. Thevalue M is defined as M := ∏ k δ ii . Hence, the running time is polynomial in δ, kand max{log(N i )}. Regarding the second method, we directly get the running time by theproof of Corollary 3.2.3 given in this section. This concludes the proof.i=1 N δWe are interested in generalizing the observations made during the analysis of the SMUPE2-problem to systems of multivariate equations. The analysis gets more complicated as wecan no longer assume the shift polynomial set to contain all monomials. It would be avast overload to assume that a polynomial contains all monomials up to a certain degree.There may even be variables which do not occur in all of the equations. Nevertheless, as

5.3. SYSTEMS OF EQUATIONS WITH COPRIME MODULI 113a first approach we return to the method used in Section 3.2. We combine the given setof equations by the Chinese Remainder Theorem and obtain a polynomial f. Then wepursue the standard analysis of a single multivariate modular equation f(x 1 ,...,x l ) ≡ 0(mod N) given in [JM06]. That is, we take the monomials of the Newton polytope to shiftthe powers of f.The same result can again be obtained by an analysis using a corresponding shift polynomialset. The proof in this case is analogous to the proof of Corollary 3.2.3 in Section 5.3.1.Unfortunately, an analogue to Lemma 5.3.6 would no longer be interesting as the underlyingassumption is too strong in the multivariate case.The following example shows that the bounds we obtain by analyzing the polynomial finstead of the system of equations are far from optimal.2x 21N(f 2 )N( ˜f 1 )N(f 1 )00 1 2 3x 1Figure 5.1: Newton polytopes of f 1 ,f 2 and ˜f 1 of Example 5.3.8.Example 5.3.8Letf 1 (x 1 ,x 2 ) := x 2 1 + x 1 + 1 ≡ 0 (mod N 1 )f 2 (x 1 ,x 2 ) := x 2 1x 2 + x 2 + 1 ≡ 0 (mod N 2 )be a system of equations with the solution (¯x 1 , ¯x 2 ). As f 1 (x 1 ,x 2 ) is a univariate equationin Z N1 [x 1 ], we know from Theorem 2.3.9 that we can determine all solutions ¯x 1 suchthat |¯x 1 | < N 1 21 . Substituting the value x 1 by ¯x 1 in f 2 , we get the equation f 2 (¯x 1 ,x 2 ) =(¯x 2 1 + 1)x 2 + 1 ≡ 0 (mod N 2 ), which is linear in x 2 . Thus, we can determine all solutions¯x 2 ∈ Z N2 such that f 2 (¯x 1 , ¯x 2 ) ≡ 0 (mod N 2 ).Consequently, in a combined analysis via Coppersmith’s method we would expect to obtainthe condition X 1 X 2 < N 1 21 N 2 , where X i denotes an upper bound on the size of |¯x i |, i = 1, 2.We apply the Chinese Remainder Theorem to combine f 1 and f 2 . Let f(x 1 ,x 2 ) = (N2−1(mod N 1 ))N 2 f 1 (x 1 ,x 2 ) + (N1 −1 (mod N 2 ))N 1 f 2 (x 1 ,x 2 ) ≡ 0 (mod N 1 N 2 ) denote the resultingpolynomial equation. The bound we obtain if we analyze the polynomial f withstandard shift polynomial sets using Coppersmith’s method, however, is worse than thetrivial bound. The Newton polytope of the polynomial f is a rectangle. Thus, applyingthe basic strategy of [JM06] for generalized rectangles we obtain the boundX 3 1X 3 22 < N 1 N 2 .

114 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONSHence, directly applying the Chinese Remainder Theorem to a system of multivariateequations will not generally lead to good bounds. Having a look at the Newton polytopesof f 1 and f 2 , this is not really surprising. The Newton polytope of f 1 forms aline on the x-axis whereas the Newton polytope of f 2 is a triangle which leaves outthe x-axis. The only monomial which is shared by both polynomials is, thus, the constantterm. Consequently, by combining the two polynomials via Chinese Remaindering,we get several superfluous monomials. To overcome these difficulties, we aim at constructingpolynomials which share many monomials. Let us consider the polynomial˜f 1 (x 1 ,x 2 ) := x 2 f 1 (x 1 ,x 2 ) = x 2 1x 2 + x 1 x 2 − x 2 . Its Newton polytope is contained in theNewton polytope of f 2 . By the Chinese Remainder Theorem we combine ˜f 1 and f 2 andget g(x 1 ,x 2 ) ≡ (N2 −1 (mod N 1 ))N 2 ˜f1 (x 1 ,x 2 )+(N1 −1 (mod N 2 ))N 1 f 2 (x 1 ,x 2 ). To determinethe roots of g (mod N 1 N 2 ) we can again use Coppersmith’s method with the basic strategyof [JM06]. The Newton polytope is a generalized triangle. Therefore, we obtain the boundX 2 1X 2 < N 1 N 2 . (5.20)This bound corresponds to the one we have expected beforehand. More precisely, X 1 < N 1 21and X 2 < N 2 imply X 2 1X 2 < N 1 N 2 . The opposite implication, however, does not hold.This is quite natural as f 2 comprises both unknowns. A separate analysis using this polynomialwould, thus, allow to solve for any value |¯x 1 | ≤ X 1 as long as X 2 1X 2 < N 2 . This isthe result we also obtain by the analysis of f 2 (x 1 ,x 2 ) ≡ 0 (mod N 2 ).A general approach to solve systems of multivariate equations with coprime moduli, consequently,has to be adapted to the specific system of equations. The following basic strategywill be quite helpful. First, transform the original polynomials (by powering or multiplications)such that the new polynomials have a shared Newton polytope. Then combinethe equations by the Chinese Remainder Theorem to a polynomial g and determine itssolutions with standard Coppersmith techniques.5.4 General Systems of Modular EquationsIn the previous sections of this chapter systems of modular equations either all sharing thesame modulus or all having mutually coprime moduli were analyzed. These techniques canbe combined to solve any system of modular equations. For arbitrary N 1 ≤ ... ≤ N k ∈ Nwe are given the following system of equations:f 1 (x 1 ,...,x l ) ≡ 0 (mod N 1 )f 2 (x 1 ,...,x l ) ≡ 0 (mod N 2 ). (5.21)f k (x 1 ,...,x l ) ≡ 0 (mod N k ).Without loss of generality we assume that all moduli are indeed equal or coprime. If not,we can compute their greatest common divisor. Then we can apply the Chinese Remainder

5.4. GENERAL SYSTEMS OF MODULAR EQUATIONS 115Theorem and substitute equations by a system of isomorphic ones. This can be performediteratively until we have a system of equations which fulfills the requirement.Then we can arrange the equations by common or mutually coprime moduli. For anygroup of equations which share the same modulus, we test by Groebner basis computationif the resulting system contains a linear univariate polynomial. If yes, we determine thecorresponding solutions ¯x i of x i and substitute them in all equations. By this, we get asystem of equations in less variables.As a next step, we choose possibly helpful sets of equations with mutually coprime moduliand apply the techniques from the previous section.An alternative way to analyze the given system is to directly define a combined shiftpolynomial set ˜F and then apply Coppersmith’s method with this shift polynomial set.Note however, that the choice of shift polynomials has to be made extremely carefully.Whereas any shifts of polynomials with coprime moduli can be taken and the set remainsdeterminant preserving, shifts of polynomials with common moduli have to be taken verycarefully. A possible choice is to let them introduce different monomials.The bounds we obtain this way strongly depend on the specific system of equations andthe choice of the special subsystems we choose to analyze. Therefore, we cannot state anygeneral bounds here.

116 CHAPTER 5. SYSTEMS OF MULTIVARIATE POLYNOMIAL EQUATIONS

Chapter 6Solving Systems of MultivariatePolynomial Equations over the IntegersIn the previous chapter we have seen how to adapt Coppersmith’s method to analyzesystems of modular multivariate equations. The equations to describe specific problems,however, can also be integer equations. One possible way to analyze them is to regardthem as modular equations. An integer equation can be transformed into a modular oneby taking one of its coefficients as modulus. However, information gets lost this way. Incase of a single equation we may loose information on the relation of the unknowns. In caseof a system of equations even more problems may occur. In the worst case, by the modularoperation, we could eliminate the only variable which occurs in more than one equation.Therefore, we should adapt our analyses to systems of non-modular equations. To do so,we analyze Systems of Integer Multivariate Polynomial Equations (SIMPE-problem) inthis chapter.Definition 6.0.1 (SIMPE-problem)Let k ∈ N, δ 1 ,...,δ k ∈ N. Assume f 1 (x 1 ,...,x l ),...,f k (x 1 ,...,x l ) to be polynomials ofdegree δ 1 ,...,δ k in Z[x 1 ,...,x l ], respectively. Letf 1 (x 1 ,...,x l ) = 0f 2 (x 1 ,...,x l ) = 0f k (x 1 ,...,x l ) = 0be a system of multivariate polynomial equations.. (6.1)Let X i ∈ R, i = 1,...,l. Find all common roots (¯x 1 ,..., ¯x l ) of (6.1) with size |¯x i | ≤ X i .All the systems of polynomial equations we have considered in the previous chapters canbe interpreted as special cases of this system. Any modular equation f(x 1 ,...,x l ) ≡ 0(mod N) can be written as an equation f(x 1 ,...,x l ) − t f N = 0 valid over the integers.Thus, any system of modular equations can be transformed into a system of equations117

118 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSvalid over the integers. The SIMPE-problem, however, includes further problems whichare directly given as systems of integer polynomial equations. Our final goal is to determinebounds X i such that we can compute all solutions smaller than these bounds.We would like to calculate the solutions using Coppersmith’s method. As the SIMPEproblemis the most general instance of a system of equations we would like to solve, itsanalysis is the most difficult one. Let F denote a shift polynomial set constructed usingthe polynomial equations given in (6.1), and let F be the matrix the columns of whichcorrespond to the polynomials in F. Recall that in the modular case the matrix F consistsof an upper part F c corresponding to the coefficients of the polynomials and a lower partF m corresponding to the moduli. The matrix F m is a diagonal matrix. Thus, F is anupper triangular matrix in the modular case.However, as the polynomials we are considering now are valid over the integers, the matrixF can be of any shape. Given an arbitrary shift polynomial set, we do no longer have atriangular structure. To see this, letf 1 (x 1 ,x 2 ) := −2x 1 x 2 + 3x 3 1 + 4x 2 2 = 0 (6.2)f 2 (x 1 ,x 2 ) := −3x 1 x 2 + 2x 3 1 + x 2 2 = 0be a system of equations with the solution (¯x 1 , ¯x 2 ) = (−2, 2). Let F := {f 1 ,f 2 } denote theshift polynomial set used to analyze the system of equations. The matrix F correspondingto this shift polynomial set is⎛ ⎞−2 −3F := ⎝ 3 2 ⎠ . (6.3)4 1As F does not have a triangular structure, determinant calculations, and, consequently,calculations of bounds get complicated. Even if we manage to calculate the determinantof the lattice, we will have to check if it is also the determinant of the sublattice.We have already analyzed the matrix F in Example 5.1.7. From that analysis we know thatF is not determinant preserving as f 1 and f 2 are modularly dependent modulo 5. Recallthat in order to check if an arbitrary shift polynomial set F is determinant preserving, wehave to check if the polynomials in F are linear independent modulo N for any positiveinteger 1 < N

to construct the shift polynomial set in a way that a new monomial is introduced witheach new polynomial. Then we obtain a simpler condition (Lemma 5.1.8). That is, whilebuilding a shift polynomial set with respect to a system of integer polynomial equations,we have to concentrate on two aspects: On the one hand, we always have to check if theset we define really is determinant preserving. On the other hand, we have to constructthe shift polynomial set in a way that gives us a good bound.Before we develop new strategies, let us present an existing method which comprises ananalysis of a special system of equations over the integers. Aurélie Bauer and Antoine Jouxhave shown how to provably determine small solutions of a trivariate integer polynomialequation p 1 (x 1 ,x 2 ,x 3 ) = 0 [BJ07, Bau08]. Their analysis consists of two basic steps.First, they determine a polynomial p 2 (x 1 ,x 2 ,x 3 ) by Coppersmith’s basic method. Byconstruction, the polynomial p 2 (x 1 ,x 2 ,x 3 ) is coprime to p 1 (x 1 ,x 2 ,x 3 ). In the second stepof their analysis they determine a third polynomial p 3 (x 1 ,x 2 ,x 3 ) using p 1 and p 2 such thatthe systemp i (x 1 ,x 2 ,x 3 ) = 0, i = 1, 2, 3, (6.4)is zero dimensional. In order to determine p 3 , they apply Coppersmith’s method using ashift polynomial set F which they derive from p 1 and p 2 . Let us briefly summarize theconstruction of p 3 .To prove the zero dimensionality of system (6.4), the polynomial p 3 is constructed such thatp 3 /∈ I = 〈p 1 ,p 2 〉. If p 1 and p 2 are coprime and I is prime, this condition is sufficient. Toconstruct p 3 , a minimal Groebner basis G = {q 1 ,...,q r } of I is calculated. The polynomialsq 1 ,...,q r are then shifted by monomials from sets S 1 ,...,S r , respectively. Let F :={m i q i | m i ∈ S i and m i LM(q i ) ≠ m j LM(q j ) for some j < i} denote the shift polynomialset determined this way, and let M denote the set of monomials which occur in F. Wewould like to describe any polynomial p ∈ I of bounded degree as a linear combination ofpolynomials of F. We know p = f 1 q 1 + ...f r q r with polynomials f i . Thus, we require theset S i to be a generating set of monomials to generate the polynomials f i . This is capturedby the notion of admissibility.Definition 6.0.2Let (S 1 ,...,S r ,M) denote non-empty sets of monomials in Z[x 1 ,x 2 ,x 3 ]. Then the tuple(S 1 ,...,S r ,M) is called admissible for an ideal I with the Groebner basis {q 1 ,...,q r } if:1. For all (m 1 ,...,m r ) ∈ S 1 × ... × S r the polynomial m 1 q 1 + ... + m r q r only containsmonomials of M.2. For any polynomial g containing only monomials of M which can be written asg = f 1 q 1 + ... + f r q r it holds that f i only consists of monomials of S i for all i.Aurélie Bauer and Antoine Joux impose admissibility as a condition on (S 1 ,...,S r ,M)in their construction and build the sets accordingly. This, however, is not yet enough toprove the zero dimensionality of system (6.4). In order to be able to construct the setsS i by polynomial division no new monomials may be introduced by the division process.This property is ensured by using a set M and an order < which are compatible.119

120 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSDefinition 6.0.3The tuple (M,

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 121p 0 and p i are subsequent. Moreover, we assume q 0 and q i to be α-bit numbers.In Section 4.2 we have shown that we can determine the vector q = (q 0 ,q 1 ,...,q k ) by aheuristic lattice attack using a (k+1)-dimensional lattice L in polynomial time if t > k+1α.kThe condition there is, however, that the factors p 0 and p i share their least significant bits.The case of shared most significant bits has been treated in Section 4.3. In that heuristiclattice attack a lattice of size quadratic in the number of oracle queries k is used. The boundobtained is (disregarding a small constant) the same as in the case of shared least significantbits. Both analyses use lattices in which we can extract the factors q = (q 0 ,q 1 ,...,q k ) froma short vector.Using the more advanced technique by Coppersmith and regarding integer equations, wecan partly obtain better bounds. Furthermore, Coppersmith’s method allows for a moregeneral analysis, independent of the position of the subsequent non-shared bits. We startwith a system of equations we get by putting k oracle queries. This gives us k +1 differentRSA moduliN 0= ( p l + 2 tp ˜p 0 + 2 n−α−t+tp p m)q0. (6.5)N k= ( p l + 2 tp ˜p k + 2 n−α−t+tp p m)qkwith α-bit q i .This is equivalent to2 tp ˜p 0 q 0 − N 0 = − ( p l + 2 n−α−t+tp p m)q0.2 tp ˜p k q k − N k = − ( p l + 2 n−α−t+tp p m)qk .We transform the system of equations into a system of k integer equations. For i = 1,...,kwe multiply the i-th equation with q 0 , the 0-th equation with q i and combine these twoequations. Then we obtain2 tp ˜p 0 q 0 q 1 − N 0 q 1 = 2 tp ˜p 1 q 0 q 1 − N 1 q 0.2 tp ˜p 0 q 0 q k − N 0 q k = 2 tp ˜p k q 0 q k − N k q 0 .Hence, we derive the following system of equations:2 tp (˜p 1 − ˜p 0 )} {{ }q 0 q 1 + N 0 q }{{} 1 −N 1 q }{{} 0 = 0y 1 x 1 x 02 tp (˜p k − ˜p 0 ) q} {{ } 0 q k + N 0 q k −N }{{} k q 0 = 0. }{{}y kx k x 0.

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 123we get that t is a multiple of b ∗ 1 if||t|| < det(L S ) 1 2 2− 1 4 . (6.7)The determinant of the sublattice is det(L S ) = det(L) = det(B) = X −20 X −11 Y −11 N 0 .Condition (6.7) is fulfilled if2 1 2 < 2 1 2 (−3α−(n−α−t)+n)−1 4⇔ 2α + 6 4 < t .As α and t are integers as they describe numbers of bits, we require2α + 1 < t .This is essentially the bound we got via the modular analysis (Theorem 4.2.1). A resultlike this was to be expected. Both during the modular analysis as well as in this simplelattice construction the problem was linearized. Thus, algebraic relations between differentmonomials were not taken into account.Hence, we conclude, if 2α + 1 < t, the vector t is orthogonal to b ∗ 2 and we get anotherequation in the unknowns, namely,f n (x 0 ,x 1 ,y 1 ) := x 0x 1 y 1X 0 X 1 Y 1(b ∗ 2) 1 + x 0X 0(b ∗ 2) 2 = 0.However, we are not yet finished. We have two equations in three unknowns which doesnot necessarily imply that we can solve the system of equations. As the greatest commondivisor of both equations is one, we can eliminate one of the variables. That is, we get oneequation in two unknowns.Let us consider an example of two 256-bit RSA-moduli with 140 shared bits of the larger196-bit factor.Example 6.1.1LetN 0 = (2 56 · 812673540453457095612765286246825237797002 + 66763130916719055)·55353788004451507= 3241479081396338383767602816098777307849166574844502255653955136311902508989 ,N 1 = (2 56 · 812673540453457095612765286246825237797002 + 71789524880268405)·224075567809535399= 13121708412226537409254487715048399315004981583420160875601531613923194589523 .

124 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSThe polynomial to be analyzed is then f 1 (x 0 ,x 1 ,y 1 ) := x 0 x 1 y 1 + N 0 x 1 − N 1 x 0 with root(q 0 ,q 1 , ˜p 1 − ˜p 0 ) =(55353788004451507, 224075567809535399, 71789524880268405 − 66763130916719055).Applying Coppersmith’s method as described above, we get as second polynomial thepolynomial:g 1 (x 0 , x 1 , y 1 ) = 55353788004451507 · x 0 x 1 y 1− 726336265706615736574927467890451722267082924402083780587407483511268708781079485733814225762 · x 0+ 179428145892477125692523897640244876466976922437960430777077159679479524226168234746077644916 · x 1 .The polynomial g 1 is by construction not a multiple of f 1 (x 0 ,x 1 ,y 1 ), but shares the sameroots. In order to recover a solution, we compute a Groebner basis of {f 1 ,g 1 } with respectto lexicographic ordering. The Groebner basis is{h 1 ,h 2 ,h 3 } := {x 0 x 1 y 1 − 278229945885165475351297676370450x 1 ,224075567809535399x 0 − 55353788004451507x 1 ,55353788004451507x 2 1y 1 − 62344533105834761034062392288028515403475112559550x 1 }.Having a look at the second polynomial of the Groebner basis, namely, h 2 (x 0 ,x 1 ,y 1 ) =224075567809535399x 0 −55353788004451507x 1 , we remark that h 2 (x 0 ,x 1 ,y 1 ) = q 1 x 0 −q 0 x 1 .Thus, we get both factorizations by using the coefficients of h 2 (x 0 ,x 1 ,y 1 ).Remark that in this example we do not even need to compute a Groebner basis as thevalue q 0 is also a coefficient of the polynomial g 1 .Note that the variety V (h 1 ,h 2 ,h 3 ) is not zero dimensional. Therefore, we cannot apply thefolklore heuristic from [JM06]. Nevertheless, we have seen in Example 6.1.1 that we candetermine the solution (q 0 ,q 1 , ˜p 1 − ˜p 0 ).Our experiments showed that similar observations generally hold in this setting. A descriptionof the experiments will be given at the end of this section. Based on these observations,we introduce the following heuristic.Assumption 6.1.2Let F denote a shift polynomial set which is constructed with respect to a polynomialf ∈ Z[x 0 ,x 1 ,y 1 ]. Assume {f,g 1 ,...,g λ } is the set of polynomials in Z[x 0 ,x 1 ,y 1 ] we get byapplying Coppersmith’s method with the shift polynomial set F. Let GB := {h 1 ,...,h κ }be a Groebner basis of {f,g 1 ,...,g λ }. Then GB contains a polynomial h(x 0 ,x 1 ,y 1 ) suchthat the factors q 0 and q 1 can be determined as gcd(c,N i ), i = 0, 1, for appropriate coefficientsc of h.

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 125A similar heuristic is also used by Santanu Sarkar and Subhamoy Maitra in [SM09] whodid related analyses independently. We will elaborate on this in what follows.Now, let us consider which shifts to use to define F. The polynomial f 1 (x 0 ,x 1 ,y 1 ) =2 tp x 0 x 1 y 1 + N 0 x 1 − N 1 x 0 we regard here does not have any constant term. To apply thefolklore techniques of analysis presented in [JM06] we would have to substitute e. g. x 0 byx 0 − 1 to introduce a constant term. This is the approach Santanu Sarkar and SubhamoyMaitra followed. We will not directly define a standard shift polynomial set, but use adifferent approach.For l ∈ N we denote by M l (f 1 ) the set of monomials occurring in f1. l For any monomialm ∈ M l (f 1 ) multiples mf 1 (x 0 ,x 1 ,y 1 ) do not contain monomials occurring in any powerf1 λ for λ ≤ l. This is because x 0 and x 1 are of the same total degree, namely one, andx 0 x 1 y 1 contains another variable y 1 , i. e. has degree one in this variable. Therefore, we canregard the shift polynomial sets separately as there are no monomials which occur in twoshift polynomial sets with different indices l. Furthermore, by increasing the number ofshifts, we get higher powers of N 0 in the determinant but also higher powers of X0 −1 ,X1−1and Y1 −1 . Their ratio, however, remains constant. Thus, we suppose that using suchpolynomials mf 1 (x 0 ,x 1 ,y 1 ), with m ∈ M l (f 1 ), as shift polynomials to build a lattice andto apply Coppersmith’s method results in the same bound for any l. This intuition provescorrect as can be seen in the proof of the following theorem. That is, the condition is thesame using the simplest lattice construction as well as sets of standard shifts. The reasonto look at this shift polynomial set anyway is that it can be used for extensions. This isalso the motivation to give the proof with respect to any l ∈ N, otherwise a fixed value ofl would be sufficient.Theorem 6.1.3Suppose Assumption 6.1.2 holds. Let N 0 ,N 1 ∈ N be of size 2 n and f 1 (x 0 ,x 1 ,y 1 ) =2 tp x 0 x 1 y 1 + N 0 x 1 − N 1 x 0 ∈ Z[x 0 ,x 1 ,y 1 ]. Let X i = 2 α , i = 0, 1, Y 1 = 2 n−t−α be bounds onthe absolute value of the solutions q 0 and q 1 , ˜p 1 − ˜p 0 , respectively. Then in time polynomialin n we can determine all integer solutions (q 0 ,q 1 , ˜p 1 − ˜p 0 ) such that |q i | ≤ X i and|˜p 1 − ˜p 0 | ≤ Y 1 if2α + 1 < t .Proof: Let l ∈ N. Let M l (f 1 ) = {x i 0x j 1y k 1 | k = 0,...,l;i = k,...,l and j = l + k − i}be the set of all shift monomials. We take all polynomials mf 1 (x 0 ,x 1 ,y 1 ) for m ∈ M l (f 1 )to construct the lattice. That is, we set F := {mf 1 (x 0 ,x 1 ,y 1 ) | m ∈ M l (f 1 )}. Letn l := |M l (f 1 )| be the number of monomials used as shifts. Thenn l =l∑ l∑1 =k=0 i=kl∑(l − k + 1) = 1 2 l2 + 3 2 l + 1.k=0Let M l (f 1 ) = {m 1 ,...,m nl } be an enumeration of the monomials of M l (f 1 ) such thatm i > grlex m j if i < j, and let g 1i (x 0 ,x 1 ,y 1 ) := m i f 1 (x 0 ,x 1 ,y 1 ). Then for every polynomialg 1i the monomial x 1 m i is not contained in the set of monomials of all g 1j with j < i.

126 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERS⎛B =⎜⎝⎞(X 0 X 1 Y 1 ) −2 0 0 2 tp 0 00 (X 0 ) −2 (X 1 Y 1 ) −1 0 −N 1 2 tp 00 0 (X 0 ) −2 0 −N 1 00 0 0 N 0 0 2 tp⎟0 0 0 0 N 0 −N 1⎠0 0 0 0 0 N 0Figure 6.1: A lattice basis matrix in the case of l = 1.x 2 0x 2 1y 2 1x 2 0x 1 y 1x 2 0x 0 x 2 1y 1x 0 x 1x 2 1.This can be proven by contradiction. Assume that there exists j < i such that x 1 m i is amonomial of g 1j . Then x 1 m i ∈ {x 1 m j ,x 0 m j ,x 0 x 1 y 1 m j }. If x 1 m i = x 1 m j , then m i = m jand, consequently, i = j, which is a contradiction. If x 1 m i = x 0 m j , then the degree ofx 0 in m i is positive and m j = m i x 1 x −10 . This implies that deg(m i ) = deg(m j ) and due tothe ordering m i > grlex m j . Therefore, i < j, a contradiction. If x 1 m i = x 0 x 1 y 1 m j , thendeg(m i ) > deg(m j ) and, thus, we again get the contradiction i < j.This observation can be used to build an upper triangular basis matrix B of a lattice L.Such a lattice can then be analyzed easier as e. g. the determinant computation is simplythe multiplication of the diagonal elements of B.The idea of the construction of B is to let the last rows correspond to the monomialsx 1 m i ,i = 1,...,n l , and the first rows correspond to all other monomials in any order. Anexample of a basis matrix B in the case of l = 1 is given in Figure 6.1.Now we describe the construction more formally. Let r l be the number of monomialsoccurring in the set of shift polynomials and m nl +1,...,m rl be an enumeration of all themonomials which are not contained in x 1 m 1 ,...,x 1 m nl . The monomials m nl +1,...,m rlcan be ordered in any way. For consistency we assume that they are ordered such thatm i > grlex m j if i < j. We set x := (m nl +1,...,m rl ,x 1 m 1 ,...,x 1 m nl ).Furthermore, let M i denote the evaluation of m i in the values (X 0 ,X 1 ,Y 1 ). Let D :=Diag(Mn −1l +1,...,Mr −1l). Let f denote the coefficient vector of f(x 0 ,x 1 ,y 1 ) ordered suchthat fx T = f(x 0 ,x 1 ,y 1 ). Let F be the matrix consisting of the coefficient vectors (g 1i ) Tfor i = 1,...,n l . That is, F denotes the matrix induced by F. Using these definitions, wedefine a lattice L via the basis matrix⎛DB =⎜⎝ 0F⎞⎟⎠m nl +1.m rl.x 1 m 1.x 1 m nlWe apply Coppersmith’s algorithm to this lattice. Then we get a second polynomial,1rcoprime to f 1 , on condition that det(L) l −n l 2 − r l −n l −14 > √ r l − n l .We calculate the determinant of our lattice L. Recall that B is an upper triangular matrix

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 127by construction. Thus, the matrix F can be divided into an (r l ( − n l ))× n l matrix F 1F1and an upper triangular n l × n l matrix F 2 . More precisely, F = . It holds thatF 2det(L) = P 1 ·P 2 , where P 1 denotes the product of the diagonal entries of D and P 2 denotesthe product of the diagonal entries of F 2 . The elements on the diagonal of F 2 correspondto monomials of type x 1 m i , i = 1,...,n l . Hence, all values on the diagonal of F are equalto N 0 . Their number is n l = 1 2 l2 + 3l + 1. Consequently, we have P 2 2 = N 1 2 l2 + 3 2 l+10 ≈2 n(1 2 l2 + 3 l+1) 2 .In order to evaluate P 1 , we need to describe the monomials m nl +1,...,m rl explicitly. Theset of all monomials occurring in the shift polynomials is exactlyM l+1 (f 1 ) = {x i 0x j 1y k 1 | k = 0,...,l + 1;i = k,...,l + 1 and j = l + 1 + k − i}.The set M := {x 1 m 1 ,...,x 1 m nl } can be described asM = {x i 0x j 1y k 1 | k = 0,...,l;i = k,...,l and j = l + 1 + k − i}.The powers of any of X0 −1 ,X1 −1 and Y1 −1 occurring on the diagonal of D correspond tothe powers of the variables x 0 ,x 1 ,y 1 occurring in monomials in the set M l+1 (f 1 ) \ M. Lets 0 and s 1 denote the powers of X0 −1 and X1 −1 , respectively, and let u denote the power ofY1 −1 . Then we haveThis givess 0 =s 1 =u =∑l+1∑l+1i −k=0 i=k= l 2 + 3l + 2,l∑k=0l∑i (6.8)i=k∑l+1∑l+1(l + 1 + k − i) −k=0 i=k= 1 2 l2 + 3 2 l + 1,∑l+1∑l+1k −k=0 i=k= 1 2 l2 + 3 2 l + 1.l∑k=0 i=kl∑k=0 i=kl∑(l + k − i + 1) (6.9)l∑k (6.10)P 1 = X −(l2 +3l+2)0 X −(1 2 l2 + 3 2 l+1)1 Y −(1 2 l2 + 3 2 l+1)1 .Using the calculations of P 1 ,P 2 and X 0 = X 1 = 2 α , Y 1 = 2 n−α−t as well as N 0 ≥ 2 n−1 , weobtaindet(L) ≥ 2 −α(3 2 l2 + 9 2 l+3)−(n−α−t)(1 2 l2 + 3 2 l+1)+n(1 2 l2 + 3 2 l+1)−(1 2 l2 + 3 2 l+1)

128 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERS= 2 t(1 2 l2 + 3 2 l+1)−α(l2 +3l+2)−( 1 2 l2 + 3 2 l+1) .In order to apply the condition given in Lemma 2.3.10, we have to determine the dimensionr of the sublattice L S in Coppersmith’s method. As the last n l entries of the target vectorare zeros, it is r = r l − n l . We have r l = |M l+1 (f 1 )| = ∑ l+1 ∑ l+1k=0 i=k 1 = 1 2 l2 + 5l + 3. 2Consequently,( 1r =2 l2 + 5 ) ( 12 l + 3 −2 l2 + 3 )2 l + 1 = l + 2.All components of the target vector t are smaller than 1 so that ||t|| ≤ √ l + 2. Therefore,we get the following condition on the existence of a second equation:⇔ l + 22log (l + 2) +√l + 2 4, it is 2α + 1 < t.On the heuristic Assumption 6.1.2 this implies that we are able to determine the solution(q 0 ,q 1 , ˜p 1 − ˜p 0 ). As we can use the construction with l = 5, we have a fixed number ofcomponents in the basis vectors and a fixed lattice dimension so that the running timeof the LLL algorithm 2.3.5 only depends on the size of the largest values in the lattice,which is determined by n. Thus, the attack works in time polynomial in n. This provesthe theorem.Remark that we get essentially the same lower bound on t with this method as we haveobtained with the modular approach (Theorem 4.2.1). Ignoring the bit which has to beadded, this bound is illustrated by the function g(α) = 2α in Figure 6.2 in comparison tofurther bounds. This way, it corresponds to the result of the modular analysis.Sometimes better bounds can be achieved via so called extra shifts, i. e. instead of regardingpolynomials mf 1 such that m ∈ M l (f 1 ), we take different monomials m. The question nowis how to choose the monomials m appropriately. As we would like to have a large determinant,a ”good” polynomial in the shift polynomial set is a polynomial which introducesa large term on the determinant. Thus, we would like to have a polynomial with a newmonomial with a large coefficient, and as few other new monomials as possible. Therefore,we take shifts which transform monomials of one polynomial into other monomials whichalready exist. Take a look at the monomials of f 1 (x 0 ,x 1 ,y 1 ). They are x 0 ,x 1 and x 0 x 1 y 1 .Multiplying x 0 by x 1 y 1 results in x 0 x 1 y 1 , and, analogously, x 1 · (x 0 y 1 ) = x 0 x 1 y 1 . Thus, apromising approach seems to be to choose m ∈ {(x 0 y 1 ) a (x 1 y 1 ) b ,a,b = 0,...,l} =: E l (f 1 )as the following example shows.< t .

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 129Example 6.1.4Let l = 1 and use mf 1 (x 0 ,x 1 ,y 1 ) with m ∈ E 1 (f 1 ) as set of shift polynomials. That is,F := {x 0 x 1 y 2 1f 1 ,x 0 y 1 f 1 ,x 1 y 1 f 1 ,f 1 }. Then we define B as follows:⎛(X0 2X2 1 Y 3⎞1 )−1 0 0 0 2 tp 0 0 00 (X0 2X 1Y1 2)−10 0 −N 1 2 tp 0 00 0 (X0 2Y 1) −1 0 0 −N 1 0 0B :=0 0 0 (X 0 ) −1 0 0 0 −N 10 0 0 0 N 0 0 2 tp 0⎜ 0 0 0 0 0 N 0 −N 1 2 tp⎟⎝ 0 0 0 0 0 0 N 0 0 ⎠0 0 0 0 0 0 0 N 0x 2 0 x2 1 y3 1x 2 0 x 1y 2 1x 2 0 y 1x 0x 0 x 2 1 y2 1x 0 x 1 y 1x 2 1 y 1x 1The matrix B is a basis matrix of a lattice L with determinant det(L) = X0 −7 X1 −3 Y1 −6 N0 4 ≥2 −10α 2 −6(n−α−t) 2 4(n−1) for X 0 = X 1 = 2 α , Y 1 = 2 (n−α−t) and N 0 ,N 1 ≥ 2 n−1 .Let again t := sB = ( q2 0 q2 1 (˜p 1−˜p 0 ) 3X 2 0 X2 1 Y 31, q2 0 q 1(˜p 1 −˜p 0 ) 2X 2 0 X 1Y 21, q2 0 (˜p 1−˜p 0 )X 2 0 Y 1, q 0X 0, 0, 0, 0, 0) with s := (q 2 0q 2 1(˜p 1 −˜p 0 ) 3 ,q 2 0q 1 (˜p 1 − ˜p 0 ) 2 ,q 2 0(˜p 1 − ˜p 0 ),q 0 ,q 0 q 2 1(˜p 1 − ˜p 0 ) 2 ,q 0 q 1 (˜p 1 − ˜p 0 ),q 2 1(˜p 1 − ˜p 0 ),q 1 ) denote ourtarget vector. It is ||t|| ≤ √ 4 = 2. Thus, by Lemma 2.3.10, we get another equation in theunknowns not being a multiple of the original one if||t|| ≤ 2 < ( 2 −10α 2 −6(n−α−t) 2 4(n−1)) 142 −3 4⇔ 10α + 6(n − α − t) + 7 < 4(n − 1)4α + 2n + 11⇔ < t .6A natural upper bound on t is given by the fact that the number of shared bits of onefactor has to be smaller than the total number of bits of this factor, which implies that wehave4α + 2n + 11t ≤ n − α ⇒ ≤ n − α6⇔ α ≤ 2n 5 − 1110 .Consequently, the attack described in this example can only be applied to imbalancedmoduli with α ≤ 2n − 11 . We again have a lattice of constant size. Thus, the running time5 10is only influenced by the size n of the largest value in the matrix. Hence, the attack canbe performed in time polynomial in n.Comparing the lower bound 4α+2n+116< t of Example 6.1.4 to the lower bound 2α + 1 < tof Theorem 6.1.3, we have4α + 2n + 116< 2α + 1⇔ n 4 + 5 8 < α .

130 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSThat is, for factors q i of bitsize α in the range from approximately n to 2n we obtain better4 5results using this simple set of new shift polynomials. The result is illustrated in Figure 6.2as function e.Analogously, we can apply Coppersmith’s method with the shift polynomial set F :={mf 1 (x 0 ,x 1 ,y 1 ) | m ∈ E l (f 1 )} for any l ∈ N. The analysis is straightforward. We obtainbetter results by combining the basic approach of Theorem 6.1.3 with further shifts bymonomials m ∈ E l (f 1 ). Therefore, we do not give the analysis with respect to this shiftpolynomial set F here. We only remark that the bound we obtain regarding the limitl → ∞ only depends on n. Namely, it is f(α) := n < t. This bound is illustrated in2Figure 6.2.In the following theorem we will give the bound obtained by a combined analysis. That is,we will use shifts in monomials of M l (f 1 ) and in monomials of E l (f 1 ) as well as combinationsof those shifts. Shifts in monomials m ∈ E l (f 1 ) are called extra shifts. Note that in contrastto what is usually done, we do not use extra shifts in single variables here but extra shiftsin special monomials.Theorem 6.1.5Suppose Assumption 6.1.2 holds. Let N 0 ,N 1 ∈ N be n-bit numbers and f 1 (x 0 ,x 1 ,y 1 ) =2 tp x 0 x 1 y 1 + N 0 x 1 − N 1 x 0 ∈ Z[x 0 ,x 1 ,y 1 ]. Let X i = 2 α , i = 0, 1, Y 1 = 2 n−t−α be bounds onthe solutions q 0 and q 1 , ˜p 1 − ˜p 0 , respectively. Then for all ǫ > 0 there is l(ǫ) such that wecan determine all integer solutions (q 0 ,q 1 , ˜p 1 − ˜p 0 ) with |q i | ≤ X i and |˜p 1 − ˜p 0 | ≤ Y 1 in timepolynomial in n,l(ǫ) if(2α 1 − α )+ 3 n 2 < t − ǫ.Proof: Let l ∈ N,τ ∈ R such that τl ∈ N. Let S l,τl (f 1 ) := {x i+a0 x j+b1 y1 a+b+k | k =0,...,l;i = k,...,l;j = l + k − i;a = 0,...,τl and b = 0,...,τl} be the set of all shiftmonomials. We take all polynomials mf 1 (x 0 ,x 1 ,y 1 ) for m ∈ S l,τl (f 1 ) to construct thelattice. That is, we set F := {mf 1 (x 0 ,x 1 ,y 1 ) | m ∈ S l,τl (f 1 )}. Let n l := |S l,τl (f 1 )| bethe number of monomials used as shifts. For ease of the analysis we now write S l,τl (f 1 ) ={x i 0x j 1y1 k | k = 0,...,l + 2τl;i = max{0,k − τl},...,min{l + τl,l + k} and j = l + k − i}.Then∑τl∑k+ln l = 1 +k=0i=02τl+l∑∑l+τlk=τl+1 i=k−τl1 = τ 2 l 2 + 2τl + 3 2 l + 1 + 1 2 l2 + 2τl 2 .Let S l,τl (f 1 ) = {m 1 ,...,m nl } be an enumeration of the monomials of S l,τl (f 1 ) such thatm i > grlex m j if i < j, and let g 1i (x 0 ,x 1 ,y 1 ) := m i f 1 (x 0 ,x 1 ,y 1 ). Then, as in the proof ofTheorem 6.1.3, for every polynomial g 1i the monomial x 1 m i is not contained in the set ofmonomials of all g 1j with j < i. We now proceed analogously to that proof and constructan upper triangular basis matrix B of a lattice L to which we can apply Coppersmith’smethod.Recall the notation used: Let r l be the number of monomials occurring in the set ofshift polynomials and m nl +1,...,m rl be an enumeration of all these monomials whichare not contained in {x 1 m 1 ,...,x 1 m nl }. Let the monomials m nl +1,...,m rl be ordered

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 131such that m i > grlex m j if i < j. We set x := (m nl +1,...,m rl ,x 1 m 1 ,...,x 1 m nl ). Furthermore,let M i denote the evaluation of m i in the values (X 0 ,X 1 ,Y 1 ). Let D :=Diag(Mn −1l +1,...,Mr −1l). Again, let f denote the coefficient vector of f(x 0 ,x 1 ,y 1 ) orderedsuch that fx T = f(x 0 ,x 1 ,y 1 ). Let F be the matrix consisting of the coefficient vectors(g 1i ) T = (m i f 1 ) T for i = 1,...,n l .Then we define the lattice L via a basis matrix⎛B =⎜⎝D0F⎞⎟⎠m nl +1.m rlx 1 m 1.x 1 m nlWe apply Coppersmith’s algorithm to this lattice. By this method we get a coprime second1rpolynomial provided that det(L) l −n l · 2 − r l −n l −14 > √ r l − n l .Therefore, we determine the determinant of our lattice like in Theorem 6.1.3. It holdsthat det(L) = P 1 · P 2 , where P 1 denotes the product of the diagonal entries of D, and P 2denotes the product of( the diagonal ) entries of F 2 . Again F 2 is the upper triangular n l ×n lF1matrix such that F = . All contributions we derive from diagonal entries of FF 2 are2equal to N 0 . Their number is n l = τ 2 l 2 + 2τl + 3l + 1 + 1 2 2 l2 + 2τl 2 . Consequently, we haveP 2 = N τ2 l 2 +2τl+ 3 2 l+1+1 2 l2 +2τl 20 .In order to evaluate P 1 , we need to describe the monomials m nl +1,...,m rl explicitly. Theset of all monomials occurring in the shift polynomials is exactlyS l+1,τl (f 1 ) := {x i 0x j 1y k 1 | k = 0,...,l+1+2τl;i = max{0,k−τl},...,min{l+1+τl,l+1+k}and j = l + 1 + k − i}.The set M := {x 1 m 1 ,...,x 1 m nl } can be described asM = {x i 0x j 1y k 1 | k = 0,...,l + 2τl;i = max{0,k − τl},...,min{l + τl,l + k}and j = l + 1 + k − i}.The number of powers of any of X0 −1 ,X1 −1 and Y1 −1 occurring on the diagonal of D equalsthe number of powers of the variables x 0 ,x 1 ,y 1 occurring in monomials in S l+1,τl (f 1 ) \ M,respectively. Let s 0 and s 1 denote the powers of X0 −1 and X1 −1 , respectively, and u denote

132 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSthe power of Y −11 . Then we haves 0 =∑τlk=0−( τl ∑k=0l+1+k∑i=0i +∑l+ki +i=02τl+l+1∑k=τl+12τl+l∑k=τl+1l+1+τl∑i=k−τl∑l+τli=k−τl= 2 + 3l + l 2 + 7 2 τl + 3τl2 + 3 2 τ2 l 2 ,i (6.11)i)s 1 =∑τlk=0−( τl ∑k=0l+1+k∑i=0(l + 1 + k − i) +∑l+k(l + 1 + k − i) +i=02τl+l+1∑k=τl+12τl+l∑k=τl+1l+1+τl∑i=k−τl∑l+τli=k−τl(l + 1 + k − i) (6.12)(l + 1 + k − i))= 1 + 3 2 l + 1 2 l2 + 3 2 τl + τl2 + 1 2 τ2 l 2 ,u =∑τlk=0−( τl ∑k=0l+1+k∑i=0k +∑l+kk +i=02τl+l+1∑k=τl+12τl+l∑k=τl+1l+1+τl∑i=k−τl∑l+τli=k−τlk (6.13)k)This gives= 1 + 3 2 l + 1 2 l2 + 3τl + 2τl 2 + 2τ 2 l 2 .P 2 = X −(2+3l+l2 + 7 2 τl+3τl2 + 3 2 τ2 l 2 )0 X −(1+3 2 l+1 2 l2 + 3 2 τl+τl2 + 1 2 τ2 l 2 )1 Y −(1+3 2 l+1 2 l2 +3τl+2τl 2 +2τ 2 l 2 )1 .Substituting P 1 ,P 2 and X 0 = X 1 = 2 α , Y 1 = 2 n−α−t as well as N 0 ≥ 2 n−1 in det(L), we getdet(L) ≥2 −α(3+9 2 l+3 2 l2 +5τl+4τl 2 +2τ 2 l 2 )−(n−α−t)(1+ 3 2 l+1 2 l2 +3τl+2τl 2 +2τ 2 l 2 )+(n−1)(τ 2 l 2 +2τl+ 3 2 l+1+1 2 l2 +2τl 2 )= 2 t(1+3 2 l+1 2 l2 +3τl+2τl 2 +2τ 2 l 2 )−α(2τl 2 +2τl+l 2 +3l+2)−n(τ 2 l 2 +τl)−(τ 2 l 2 +2τl+ 3 2 l+1+1 2 l2 +2τl 2 ) .In order to apply the condition given in Lemma 2.3.10, we have to determine the dimensionr of the sublattice L S in Coppersmith’s method. It is r l = |S l+1,τl (f 1 )| = ∑ τl ∑ l+1+ki=01 +∑ 2τl+l+1k=τl+1∑ l+1+τli=k−τl 1 = 4τl + 3 + τ2 l 2 + 2τl 2 + 1 2 l2 + 5 2l. Consequently,r = r l − n l=(4τl + 3 + τ 2 l 2 + 2τl 2 + 1 2 l2 + 5 )2 l −(τ 2 l 2 + 2τl + 3 2 l + 1 + 1 )2 l2 + 2τl 2= 2τl + l + 2.k=0

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 133All components of the target vector t are smaller than or equal to 1 so that ||t|| ≤√2τl + l + 2. Therefore, we get the following condition on the existence of a second equation:√2τl + l + 2 < 2− 2τl+l+14·(2 t(1+3 2 l+1 2 l2 +3τl+2τl 2 +2τ 2 l 2 )−α(2τl 2 +2τl+l 2 +3l+2)−n(τ 2 l 2 +τl)−(τ 2 l 2 +2τl+ 3 2 l+1+1 2 l2 +2τl 2 ) ) 12τl+l+2⇔ 2τl + l + 2(2τl + l + 1)(2τl + l + 2)log (2τl + l + 2) +24+(τ 2 l 2 + 2τl + 3 2 l + 1 + 1 )2 l2 + 2τl 2(2τl + l + 2) (2τl + l + 1)< t − α (2τl + l + 2) (l + 1) − n ( τ 2 l 2 + τl ) .2As2 ( τ 2 l 2 + 2τl + 3l + 1 + 1 2 2 l2 + 2τl 2)2τ 2 l 2 + 2τl= 1 −4τ 2 l 2 + 4τl 2 + 6τl + l 2 + 3l + 2 4τ 2 l 2 + 4τl 2 + 6τl + l 2 + 3l + 2we use the slightly stronger constraint⇐2(l + 1)2τl + l + 1 α + 2τl (τl + 1)(2τl + l + 2) (2τl + l + 1) n + 3 log (2τl + l + 2)+2 2τl + l + 1} {{ }=:h(α,n,l,τ)< t . (6.14)This implies that for fixed l and τ we can factor the integers N i if t is greater thanh(α,n,l,τ). Remark that the result of Theorem 6.1.3 is exactly this result in the case ofτ = 0.It is¯h(α,n,τ) := lim h(α,n,l,τ) = 12τ2 + 3 + 8τα + 12τ + 4α + 4τ 2 n.l→∞ 8τ 2 + 8τ + 2Let ǫ > 0. Then there is l(ǫ) such that for l > l(ǫ) condition (6.14) simplifies to12τ 2 + 3 + 8τα + 12τ + 4α + 4τ 2 n8τ 2 + 8τ + 2< t − ǫ. (6.15)The optimal value τ opt of τ, such that the lower bound on the number of shared bits¯h(α,n,τ opt ) is as small as possible, is τ opt =α for α ≠ n . Substituting this value in then−2α 2function, we can determine the lower bound on t asThis is equivalent to¯h(α,n,τ opt ) =4αn + 3n − 4α22n(2α 1 − α )+ 3 n 2< t − ǫ.< t − ǫ. (6.16)

134 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERS1000800bge600tf400h2000200 400 600 800 1000αFigure 6.2: b : t < n − α, e : t > 4α+2n+11 , f : t > n, g : t > 2α, h : t >6 22α ( 1 − n) α +32Bounds on the number t of shared bits, dependent on the bitsize α of the smaller factorwith n = 1000.On the heuristic Assumption 6.1.2 this implies that we are able to determine the solutionand proves the bound. The running time of the algorithm is dominated by the runningtime of the LLL-reduction, which is polynomial in the lattice dimension and the size ofthe largest values in the lattice. The former is polynomial in l(ǫ), the latter in n. Thisconcludes the proof.Remark that the condition 4αn+3n−4α2 < t−ǫ implies 4αn+3n−4α2 ≤ n−α, α ≠ n as t ≤ n−α2n2n2by definition. Thus, α < 3n − √ n 2 +12n. This condition implies that α < 1 n. Therefore,4 4 2Theorem 6.1.5 can only be applied to composite numbers with imbalanced factors.In order to obtain better bounds, we have used monomials of f1 l as shift monomials. Incontrast to our first analysis, they are useful here as further monomials reoccur in shiftedpolynomials if the shifts we use are a combination of those shifts and extra shifts.Furthermore, note that the motivating Example 6.1.4 is not included in our analysis.However, this does not pose any problems as the bound for valid values of α gets betteralready in the case of l = τ = 1.In Figure 6.2, a comparison of the various bounds is given.

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 135theoretical experimental theoretical theoretical experimental asymptoticα result result result of bound with result with bound ofof [SM09] of [SM09] modular l = 4, τ = 1 2 in l = 4, τ = 1 2in integerapproach integer approach integer approach approach230 505 434 460 391 390 356240 521 446 480 402 401 367250 525 454 500 413 413 377260 530 472 520 425 423 387270 534 479 540 436 434 396Table 6.1: Lower bounds on t for special values of α with n = 1000To verify our heuristic assumptions in practice, we have run experiments on a Core2 Duo1.66GHz notebook. The attacks were implemented using Magma 1 Version 2.11. As inSection 4.2, we have used the implementation of L 2 by Phong Nguyen and Damien Stehlé[NS05], which is implemented in Magma. We performed experiments using 1000-bit moduliN i with various bitsizes of the q i and several values of t p . We set l = 4 and τ = 1 2 . Thenthe heuristic was valid for all t > h(α,n,l,τ) in our experiments. Sometimes an attack wasalso successful although t was a few bits smaller than the theoretical bound. The boundsobtained for some values of α are given in columns five and six of Table 6.1.Santanu Sarkar and Subhamoy Maitra independently used an integer approach to analyzethe problem of implicit factoring with one oracle call [SM09]. They regard the samepolynomial f 1 (x 0 ,x 1 ,y 1 ) = 2 tp x 0 x 1 y 1 − N 1 x 0 + N 0 x 1 . However, instead of adapting theshifts to a polynomial without a constant term, they substitute x 0 by x 0 − 1 and use thefolklore analysis given in [JM06] to determine the roots of ˆf1 (x 0 ,x 1 ,y 1 ) = 2 tp x 0 x 1 y 1 −2 tp x 1 y 1 −N 1 x 0 +N 1 +N 0 x 1 . By this, they get the following result: The factorization of N 0and N 1 can be efficiently determined if the heuristic given in Assumption 6.1.2 holds and−4 α2 − α − t) (n − α − t)2− 2α(n − + 4 α 5(n − α − t)+ − 1 < 0 (6.17)n2 n 2 4n 2 n 3nas well as3(n − α − t)1 − − 2 α ≥ 0. (6.18)2n nIn order to compare it to our result, we transform the above inequalities into conditionson t: Then the first inequality (6.17) becomes3α − 7n 3 − 4√ −6αn + 4n 23inequality (6.18) can be transformed into1 http://magma.maths.usyd.edu.au/magma/< t < 3α − 7n 3 + 4√ −6αn + 4n 2, (6.19)313 n + 1 α ≤ t. (6.20)3

136 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERS1000800bg600stf400h200S0200 400 600 800 1000αFigure 6.3: b : t < n − α, f : t > n 2 , g : t > 2α, h : t > 2α ( 1 − α n)+32Upper bound S and lower bound s on t given in equations (6.19) and (6.20), compare[SM09].Comparison of the results of [SM09] with our modular and integer ones for k = 1 withn = 1000.A comparison of these results to ours is given in Table 6.1. We give lower bounds on t forsome values of α. The values of α which are considered were also analyzed in the work ofSantanu Sarkar and Subhamoy Maitra.A general comparison between the different conditions on t can be seen in Figure 6.3.It is⇔13 n + 1 3 α < 4αn + 3n − 4α 22n5n − √n 2 + 108n< α < 5n + √ n 2 + 108n1212.This implies that our bound is better in case of α ≤ 5n−√ n 2 +108n12. This includes most ofthe possible values of α. The bound obtained in [SM09] is better in the remaining cases.However, the advantage is only slight. Moreover, this is exactly the region in which theexperiments in [SM09] do not correspond to their theoretical result but give worse bounds.

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 1376.1.2 The Case of More than One EquationHaving analyzed the problem of implicit factoring with one oracle call, we extend the analysisto more oracle calls. In the modular case the bounds we have obtained improved themore oracle calls were made. We hope to obtain a similar result here as more informationis given by more oracle calls. As in the previous section we start with the equationf 1 (x 0 ,x 1 ,y 1 ) := 2 tp x 0 x 1 y 1 + N 0 x 1 − N 1 x 0 = 0, which we derived from the two moduli N 0and N 1 . By construction of f 1 , we know that f 1 (q 0 ,q 1 , ˜p 1 − ˜p 0 ) = 0. By any further oraclecall we obtain another equation f i (x 0 ,x i ,y i ) := 2 tp x 0 x i y i + N 0 x i − N i x 0 = 0 with solutions(q 0 ,q i , ˜p i − ˜p 0 ), i = 2,...,k, where k is the number of oracle calls.Our goal is as follows. Given the polynomial equations f 1 (x 0 ,x 1 ,y 1 ) := 2 tp x 0 x 1 y 1 +N 0 x 1 −N 1 x 0 = 0,...,f k (x 0 ,x k ,y k ) := 2 tp x 0 x k y k + N 0 x k − N k x 0 = 0, determine conditions suchthat we can find (q 0 ,q 1 ,...,q k , ˜p 1 − ˜p 0 ,..., ˜p k − ˜p 0 ) efficiently by Coppersmith’s method.Let again X i = 2 α and Y i = 2 n−α−t denote the upper bounds on the absolute values of thesolutions q i and ˜p i − ˜p 0 , respectively. Like in the case of one equation we introduce thefollowing heuristic.Assumption 6.1.6Let F denote a shift polynomial set which is constructed with respect to some polynomialsf 1 ,...,f k ∈ Z[x 0 ,...,x k ,y 1 ,...,y k ]. Assume that the set {f 1 ,...,f k ,g 1 ,...,g λ } ⊂Z[x 0 ,...,x k ,y 1 ,...,y k ] is the set of polynomials we get by applying Coppersmith’s methodwith the shift polynomial set F. Let GB := {h 1 ,...,h κ } be a Groebner basis of {f 1 ,...,f k ,g 1 ,...,g λ }. Then the factors q 0 , q 1 ,...,q k can be efficiently determined from GB.Using this heuristic and the simplest shift polynomial set possible, we can again recalculatethe bound k+1 α < t by applying Coppersmith’s method. This is the bound we havekobtained by the modular analysis (Theorem 4.2.3).Theorem 6.1.7Assume k ∈ N to be fixed. As before let f i (x 0 ,x i ,y i ) := 2 tp x 0 x i y i + N 0 x i − N i x 0 withi = 1,...,k. Furthermore, suppose F := {f i (x 0 ,x i ,y i ) | i ∈ {1,...,k}}. Then, by Coppersmith’smethod with shift polynomial set F, all common roots (x 0 ,x 1 ,...,x k ,y 1 ,...,y k ) =(q 0 ,q 1 ,...,q k , ˜p 1 − ˜p 0 ,..., ˜p k − ˜p 0 ) with |q i | ≤ 2 α and |˜p i − ˜p 0 | ≤ 2 n−α−t can be determinedefficiently ifk + 1k α + δ k < tfor a small integer δ k and if Assumption 6.1.6 holds.Proof: The proof is analogous to the proof in the case of only one equation f 1 (x 0 ,x 1 ,y 1 ) =0. The only difference is that we extend our lattice basis. That is, we add the information

138 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSwe get by the further equations f i (x 0 ,x i ,y i ) = 0, i = 2,...,k. Thus, we set⎛(X 0 X 1 Y 1 ) −1 0 0 2 tp 0⎞0 0 0 0 N 0 0... 0 0 0... 00 (X 0 X k Y k ) −1 0 0 2 tpB :=0 0 (X 0 ) −1 −N 1 ... −N k0 0 0 N⎜0 0⎟⎝ 0 0 0 0... 0 ⎠The matrix B is a basis matrix of a lattice L containing the vectort = (q 0 q 1 (˜p 1 − ˜p 0 ),...,q 0 q k (˜p k − ˜p 0 ),q 0 ,q 1 ,...,q k )B= ( q 0q 1 (˜p 1 − ˜p 0 ),..., q 0q k (˜p k − ˜p 0 ), q 0, 0,...,0),X 0 X 1 Y 1 X 0 X k Y k X 0x 0 x 1 y 1.x 0 x k y kx 0 .x 1.x kwhich is our target vector. The vector t is part of a sublattice L S of L such that the last kentries in vectors of L S are zero. Let B S be a basis matrix of the lattice L S . According toLemma 2.3.10, we get a new equation f n (x 0 ,...,x k ,y 1 ,...,y k ) = 0 with the same solutionsif||t|| < det(L S ) 1k+1 2− k 4 . (6.21)The determinant of the sublattice isdet(L S ) = det(L) = det(B) = X −(k+1)0Therefore, using N i ≥ 2 n−1 , condition (6.21) becomesk∏i=1(X−1i)Y −1i Nk0 .(k + 1) 1 2< 2 1k+1 (−(2k+1)α−k(n−α−t)+k(n−1))− k 4⇔ k + 1 (k + 1) log (k + 1)α + + k + 1 + 1 < t ,k 2k 4As α and t are integers as they describe numbers of bits, we requirek + 1k α + δ k < t ,(k+1) log(k+1)where δ k is the first integer larger than + k+1 + 1.2k 4The computation complexity is dominated by the complexity of the LLL-reduction. As thelattice under consideration is of constant dimension, the running time is polynomial in thebitsize of the values in B. That is, it is polynomial in n. Let GB denote a Groebner basisof {f n ,f 1 ,...,f k }. It can be computed efficiently for fixed values of k as we are dealingwith polynomials of maximum degree 3 in 2k+1 variables. If Assumption 6.1.6 holds, thenwe can efficiently determine the values q 0 , q 1 ,...,q k from GB and the claim follows.

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 139The above result is rather obvious. When we analyzed the problem of implicit factoringwith a modular approach in Section 4.2, the equations were linearized in order to use themin the description of a lattice. Here, using Coppersmith’s method with {f 1 ,...,f k } as shiftpolynomial set, we do essentially the same. Instead of eliminating the non-linear monomialby the modular operation, we use it as a separate element. As we do not take its structureand relation to other monomials into account, we treat it like an additional variable. Thatis, we implicitly linearize the given problem. Thus, we obtain essentially the same boundas before.bitsize α number of bound number of successk+1of the q i moduli k + 1 α shared bits t ratek250 3 375 377 33%250 3 375 378 75%350 10 389 390 0%350 10 389 391 100%400 100 405 409 0%400 100 405 410 95%440 50 449 452 0%440 50 449 453 80%480 100 485 491 33%480 100 485 492 90%Table 6.2: Attack for imbalanced RSA moduli using Coppersmith’s methodAgain, we have verified the heuristic given in Assumption 6.1.6 in practice by runningexperiments on a Core2 Duo 1.66GHz notebook. The attacks were implemented usingMagma 2 Version 2.11 using the implementation of L 2 by Nguyen and Stehlé [NS05]. Weperformed experiments for 1000-bit moduli N i with various bitsizes of the q i . We havetested for the same parameter sets as in Section 4.2. The results are presented in Table 6.2.In the previous section we have seen that we could easily improve the first bound by usingspecial shift polynomials in Coppersmith’s method. We would like to do this with respectto systems of equations as well. However, we have to choose the shift polynomial setscarefully. Otherwise we do not have a determinant preserving set and, therefore, cannotcalculate the correct bounds. Then the real bounds are worse than predicted. Sufficientcriteria of being determinant preserving have been described in Section 5.1.As we do not have any general strategy to apply Coppersmith’s method in case of morethan one equation, we now restrict to the case of k = 2. By this, we can better see whathappens if more equations are used. Further, we can observe how the criteria on systemsof equations we determined in Section 5 influence the analysis.2 http://magma.maths.usyd.edu.au/magma/

140 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSAs a first approach, we just shift both polynomials separately with the same shifts wehave used to obtain the bound of Theorem 6.1.5. This is possible as a set of this kindremains determinant preserving. Each new shift gives new monomials. The only monomialsoccurring in shifts of f 1 as well as in shifts of f i , i = 2,...,k, are powers of x 0 . The numberof these monomials, however, does not influence the bound asymptotically. The boundswe get are essentially the same we had in the case of only one equation as the followinglemma shows. The only difference is a small additional constant.Lemma 6.1.8Let k = 2 and suppose Assumption 6.1.6 holds. Let N 0 ,N 1 ,N 2 ∈ N be of size 2 n . Furthermore,for ι = 1, 2 let f ι (x 0 ,x ι ,y ι ) = 2 tp x 0 x ι y ι + N 0 x ι − N ι x 0 ∈ Z[x 0 ,x 1 ,x 2 ,y 1 ,y 2 ]. AssumeX i = 2 α , i = 0, 1, 2, Y i = 2 n−t−α , i = 1, 2, are bounds on the absolute values of the solutionsq 0 ,q 1 and q 2 , ˜p 1 − ˜p 0 and ˜p 2 − ˜p 0 , respectively. Then for all ǫ > 0 there exists l(ǫ) such thatwe can determine all integer solutions (q 0 ,q 1 ,q 2 , ˜p 1 − ˜p 0 , ˜p 2 − ˜p 0 ) such that |q i | ≤ X i and|˜p i − ˜p 0 | ≤ Y i in time polynomial in n,l(ǫ) if(2α 1 − α )+ 2 < t − ǫ.nProof: The proof proceeds analogously to the proof of Theorem 6.1.5. We consider thepolynomials f 1 and f 2 separately and take optimized shift sets for each of the polynomials.For a better understanding we repeat some important steps of the proof of Theorem 6.1.5and point out the differences which occur due to the use of two polynomials. Let l ∈N,τ ∈ R such that τl ∈ N. We again construct the lattice by shifting f ι , ι := 1, 2,with all monomials in the set S l,τl (f ι ) = {x i 0x j ιyιk | k = 0,...,l + 2τl;i = max{0,k −2τl},...,min{l + τl,l + k} and j = l + k − i}. Let n l (f ι ) := |S l,τl (f ι )| be the number ofmonomials used as shifts of f ι . Then the total number of shift polynomials isn l := n l (f 1 )+n l (f 2 ) = 2(τ 2 l 2 + 2τl + 3 2 l + 1 + 1 )2 l2 + 2τl 2 = 2τ 2 l 2 +4τl+3l+2+l 2 +4τl 2 .We enumerate the monomials like in the proof of Theorem 6.1.5 and build a lattice basisB such that we can determine the determinant of the lattice easily. Then we use Coppersmith’salgorithm with this lattice basis and, by this, obtain conditions on the sizes of theunknowns.Here we just present the basic steps of the determinant calculation. This will give us thebound. We reuse results of the proof of Theorem 6.1.5.The powers of any of X0 −1 ,X1 −1 ,X2 −1 ,Y1 −1 and Y2 −1 occurring on the diagonal of B are thepowers of the variables occurring in (S l+1,τl (f 1 ) \ M(f 1 )) ∪ (S l+1,τl (f 2 ) \ M(f 2 )). Here, theset M(f ι ) := {x i 0x j ιyι k | k = 0,...,l+2τl;i = max{0,k−τl},...,min{l+τl,k+l} and j =l + 1 + k − i} denotes the set of all monomials introduced by the shift polynomials withrespect to f ι . However, the two sets (S l+1,τl (f 1 ) \ M(f 1 )) and (S l+1,τl (f 2 ) \ M(f 2 )) are notdisjoint. Monomials which occur in both sets may only contain the shared variable x 0 .Therefore, the only monomial in both sets is x l+10 .Let s 0 , s 1 and s 2 denote the powers of X0 −1 , X1 −1 and X2 −1 , respectively, and u 1 and u 2

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 141denote the powers of Y1 −1 and Y2 −1 . As the polynomials have been regarded separately, thetotal number of powers of X1 −1 is exactly the total number of powers of X1 −1 in the proofof Theorem 6.1.5. The value of s 2 equals s 1 . The same observations hold for u 1 and u 2 .Thus,s 1 = s 2 = 1 + 3 2 l + 1 2 l2 + 3 2 τl + τl2 + 1 2 τ2 l 2 , (6.22)u 1 = u 2 = 1 + 3 2 l + 1 2 l2 + 3τl + 2τl 2 + 2τ 2 l 2 . (6.23)In contrast to the other variables, we have to double the number of powers of X0 −1 determinedin Theorem 6.1.5 as this variable occurs in both equations. To calculate s 0 , we thenhave to subtract l + 1, which is the power of X0 −1 in the shared monomial. This impliess 0 = 2(2 + 3l + l 2 + 7 2 τl + 3τl2 + 3 )2 τ2 l 2 − (l + 1)= 3 + 5l + 2l 2 + 7τl + 6τl 2 + 3τ 2 l 2 . (6.24)Using these values and substituting X 0 = X 1 = X 2 = 2 α , Y 1 = Y 2 = 2 n−α−t as well asN 0 ≥ 2 n−1 , we obtaindet(L) ≥2 t(2+3l+l2 +6τl+4τl 2 +4τ 2 l 2 )−α(4τl 2 +4τl+2l 2 +5l+3)−n(2τ 2 l 2 +2τl)−(2τ 2 l 2 +4τl+3l+2+l 2 +4τl 2 ) .The dimension of the lattice in this case is r l = |S l+1,τl (f 1 ) ∪ S l+1,τl (f 2 )| = |S l+1,τl (f 1 )| +|S l+1,τl (f 2 )| −1 = 2 ( 4τl + 3 + τ 2 l 2 + 2τl 2 + 1 2 l2 + 5 2 l) −1 = 8τl +5+2τ 2 l 2 +4τl 2 +l 2 +5l.Consequently, the size of the sublattice isr = r l − n l= ( 8τl + 5 + 2τ 2 l 2 + 4τl 2 + l 2 + 5l ) − ( 2τ 2 l 2 + 4τl + 3l + 2 + l 2 + 4τl 2)= 4τl + 2l + 3.All components of the target vector t are smaller than 1 so that ||t|| ≤ √ 4τl + 2l + 3.Therefore, we get the following condition on the existence of a third equation:√4τl + 2l + 3 < 2− 4τl+2l+24·(2 t(2+3l+l2 +6τl+4τl 2 +4τ 2 l 2 )−α(4τl 2 +4τl+2l 2 +5l+3)−n(2τ 2 l 2 +2τl)−(2τ 2 l 2 +4τl+3l+2+l 2 +4τl 2 ) ) 14τl+2l+3⇔4τl + 2l + 32log (4τl + 2l + 3) ++ ( 2τ 2 l 2 + 4τl + 3l + 2 + l 2 + 4τl 2)(4τl + 2l + 3)(4τl + 2l + 2)4< t (2τl + l + 2) (2τl + l + 1) − α (4τl + 2l + 3) (l + 1) − n ( 2τ 2 l 2 + 2τl ) .

142 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSAs(4τl+2l+3)(4τl+2l+2)4+ (2τ 2 l 2 + 4τl + 3l + 2 + l 2 + 4τl 2 )(2τl + l + 2) (2τl + l + 1)we use the slightly stronger constraint≤ 1 + 1 = 2,((4τl + 2l + 3) (l + 1) 2τ 2(2τl + l + 2) (2τl + l + 1) α + l 2 + 2τl )4τl+2l+3(2τl + l + 2) (2τl + l + 1) n + 2 + 2log (4τl + 2l + 3)< t .(2τl + l + 2)(2τl + l + 1)} {{ }=:h(α,n,l,τ)This implies that for fixed l and τ we can factor the N i if t is greater than h(α,n,l,τ).It is¯h(α,n,τ) := lim h(α,n,l,τ) = 8τ2 + 8τ + 2 + 4τα + 2α + 2τ 2 n.l→∞ 4τ 2 + 4τ + 1Let ǫ > 0. For l > l(ǫ) the condition h(α,n,l,τ) < t simplifies to8τ 2 + 8τ + 2 + 4τα + 2α + 2τ 2 n4τ 2 + 4τ + 1< t − ǫ. (6.25)The optimal value τ opt of τ, such that the lower bound on the number of shared bits¯h(α,n,τ opt ) is as small as possible, is τ opt =α for α ≠ n . Using this value in then−2α 2function, we can determine the lower bound on t as¯h(α,n,τ opt ) =2n + 2αn − 2α2n< t − ǫ.This is equivalent to(¯h(α,n,τ opt ) = 2α 1 − α )+ 2 < t − ǫ. (6.26)nOn the heuristic Assumption 6.1.6, this implies that we are able to determine the solutionand proves the lemma. The running time is dominated by the running time of the LLLreduction,which is polynomial in n and l(ǫ).Defining the shift polynomial sets of f i and f j , i ≠ j, independently, we have seen thatit does not make a difference if we take one or two polynomials. The bound we obtainis asymptotically the same, except for a small constant. The same property holds if weuse more equations. That is, a result analogue to that of Theorem 6.1.5 can be obtainedwith k oracle calls as well. Theorem and proof can be given completely analogously toLemma 6.1.8 using k instead of 2 equations. However, as this phenomenon could alreadybe seen with two equations we have only presented that proof. For practical analyses,combining equations this way does not help. Therefore, one would only combine twomoduli N i , and analyze the equation derived from these moduli. By combining equations,only the lattice dimension increases without any improvement with respect to the bound.Consequently, we need to pursue different approaches in order to take advantage of havingmore than one equation. We again restrict our considerations to two equations to get

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 143a better insight into this approach. Intuitively, we ought to construct shift polynomialsets comprising more common monomials. The key idea is to use x 2 and y 2 in the shiftmonomials applied to f 1 and x 1 and y 1 in the shift monomials applied to f 2 . By this, moremonomials occur several times in various of the shift polynomials. These monomials haveto occur on the diagonal only once. Then we can reuse them for other shift polynomials. Bythis, the value of the determinant should increase. Thus, the bound should be improved.The choice of such a set of shift polynomials, however, has to be made extremely carefullyin order to keep the set determinant preserving.Let us consider an at first sight tempting approach. We shift f 1 by x 2 y 2 and f 2 by x 1 y 1such that the monomial of highest degree is the same monomial x 0 x 1 x 2 y 1 y 2 in both newpolynomials. Furthermore, the new polynomials already contain the leading monomialsx 0 x 1 y 1 of f 1 and x 0 x 2 y 2 of f 2 . Thus, setting F := {x 2 y 2 f 1 ,x 1 y 1 f 2 ,f 1 ,f 2 } we hope to obtaina good bound.Example 6.1.9Let F := {x 2 y 2 f 1 (x 0 ,x 1 ,y 1 ),x 1 y 1 f 2 (x 0 ,x 2 ,y 2 ),f 2 (x 0 ,x 2 ,y 2 ),f 1 (x 0 ,x 1 ,y 1 )} denote a set ofshift polynomials. Let us enumerate the monomials which occur in F as x 0 x 1 x 2 y 1 y 2 ,x 0 x 2 y 2 , x 0 x 1 y 1 , x 0 , x 1 x 2 y 2 , x 1 x 2 y 1 , x 2 , x 1 . Let B denote a lattice basis constructed to applyCoppersmith’s method. In the construction, the column vectors f T to build F are definedwith respect to the above enumeration of monomials. Then the value N 0 occurs four timeson the diagonal of F. The product of the diagonal elements of D is (X0X 4 1X 2 2Y 2 1 2 Y2 2 ) −1 .Applying the simplified condition det(B) > 1, this leads to the bound α < t. This resultis achieved only with infinitely many moduli using the modular analysis (Theorem 4.2.5).Unfortunately, the bound is not correct as the set F is not determinant preserving: Wehave that 2 tp x 1 y 1 f 2 − 2 tp x 2 y 2 f 1 + N 2 f 1 − N 1 f 2 ≡ 0 (mod N 0 ). Thus, the determinant ofthe sublattice differs by a factor of N 0 from the one we expected.If we take only three of the polynomials, e. g. if we define the shift polynomial set F ′ :={x 2 y 2 f 1 (x 0 ,x 1 ,y 1 ),f 1 (x 0 ,x 1 ,y 1 ),f 2 (x 0 ,x 2 ,y 2 )}, then we obtain the following bound:α + n 4 < t .Here we again used the simplified condition. This bound does not change if we chooseanother subset of F with cardinality 3.Let us compare the bound α + n < t to the one obtained in the modular case as well as in4Theorem 6.1.7 with k = 2. On the one hand, α+ n ≤ 3α ⇔ n ≤ α. That is, the new lower4 2 2bound on t is smaller for α having more than half the bitsize of n. On the other hand, αdenotes the size of the smaller factor. Moreover, due to t ≤ n − α, we have the conditionα + n ≤ n − α ⇔ α ≤ 3 n. Consequently, the bound given in Example 6.1.9 is worse than4 8the bound 3 α < t for any possible value of α and large enough values of n. We have to2search for other, more useful sets of shift polynomials instead.Let us consider a different example.

144 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERS⎛⎞0 0 0 0 0 0 0 0 0 −N 1 0 0 0 0 0 0 00 −N 2 0 0 0 0 0 2 tp 0 0 0 0 0 0 0 0 02 tp 0 0 2 tp 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 −N 10 0 0 0 0 0 0 0 −N 2 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 2 tp −N 1 0 0 0 0 0 00 0 −N 1 0 0 0 0 0 0 0 0 2 tp 0 0 0 0 00 0 0 0 −N 1 0 0 0 0 0 0 0 0 0 0 0 00 0 0 −N 2 0 0 0 0 0 0 2 tp 0 0 0 0 0 00 2 tp 2 tp 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 2 tp 0 0 −N 2 0 0 0 0 0−N 1 0 0 0 2 tp 0 0 0 0 0 0 0 0 0 0 0 0N 0 0 0 0 0 0 2 tp 0 0 0 0 0 0 0 0 0 00 N 0 0 0 0 2 tp 0 0 0 0 0 0 0 0 0 0 00 0 N 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 N 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 N 0 −N 2 −N 1 N 0 0 0 0 0 0 0 2 tp 2 tp 00 0 0 0 0 N 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 N 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 −N 2 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 N 0 0 0 0 0 −N 2 0 −N 1 00 0 0 0 0 0 0 0 0 N 0 0 0 −N 1 0 −N 2 0 2 tp0 0 0 0 0 0 0 0 0 0 N 0 0 2 tp 0 0 0 00 0 0 0 0 0 0 0 0 0 0 N 0 0 2 tp 0 0 00 0 0 0 0 0 0 0 0 0 0 0 N 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 N 0 0 0 0⎜ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N 0 0 0⎟⎝ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N 0 0 ⎠0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N 0Figure 6.4: The matrix F induced by the shift polynomial set F given in Example 6.1.10.Example 6.1.10We define our shift polynomial set asF := {x 0 x 1 x 2 y 2 1y 2 f 1 ,x 0 x 1 x 2 y 1 y 2 2f 2 ,x 0 x 2 2y 3 2f 1 ,x 0 x 2 1y 3 1f 2 ,x 0 x 2 y 1 y 2 f 1 ,x 1 x 2 y 1 y 2 f 2 ,x 1 x 2 y 1 y 2 f 1 ,x 0 x 1 y 1 y 2 f 2 ,x 0 y 2 f 2 ,x 0 y 1 f 1 ,x 0 x 1 y 2 1f 1 ,x 0 x 2 y 2 2f 2 ,x 1 y 1 f 1 ,x 2 y 2 f 2 ,x 1 y 1 f 2 ,x 2 y 2 f 1 ,f 1 }.The bound corresponding to these shift polynomials if we apply the simplified condition isThis bound is valid if37 α + 1128 n < t .37 α + 1128 n ≤ n − α ⇔ α ≤ 1740 n.In comparison to the original bound from the modular analysis 3 α < t, the new bound is2smaller whenever 3α + 11n< 3α ⇔ 11 n ≤ α. Thus, the new bound improves the old one7 28 2 30if 11n< α < 17n.30 40Compared to the asymptotic bound, however, this bound is still worse, i. e. 2α ( 1 − n) α +3< 23α + 11 n for all positive values of α.7 28

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 145This approach is rather arbitrary. To construct the shift polynomial set, we have startedby shifting both polynomials by monomials of the form (x 0 y 1 ) i 1(x 0 y 2 ) i 2(x 1 y 1 ) j 1(x 2 y 2 ) j 2.We fixed 6 as an upper bound on the maximum total degree of the shift monomials.Additionally, we excluded all shifts that either introduced too many new monomials orwere linearly dependent of the others. Therefore, F is determinant preserving. Moreover,we know from experiments that the attack works. However, there is no obvious reason whyto choose exactly these shifts. Exchanging some of the polynomials in the shift polynomialset may even lead to the same bound. Furthermore, there is no simple generalization tomore shift polynomials. However, we need a way to generalize the method as with fixedlattice dimension we cannot beat the asymptotic bound obtained with one equation. In anygeneralization, however, we have to cope with one major problem: Whenever the degreeof the shift monomials increases, we have to take care that we do not include shifts whichare linearly dependent of the others modulo some coefficient.As we do not see a good generalization of the previous approach, we pursue a differentone. We aim at reducing the number of variables in order to simplify the problem. Inthis process, we have to ensure that the polynomials still share some variables. If not, acombined analysis does not improve the bound compared to separate analyses. We setg 1 (u 1 ,u 2 ,z 1 ,z 2 ) := y 2 f 1 (x 0 ,x 1 ,y 1 ) = 2 tp x 0 y }{{} 1 x 1 y 2 +N }{{} 0 x 1 y 2 −N }{{} 1 x 0 y }{{} 2=:u 1 =:z 1 =:z 1=:u 2,g 2 (u 1 ,u 2 ,z 1 ,z 2 ) := y 1 f 2 (x 0 ,x 2 ,y 2 ) = 2 tp x 0 y }{{} 2 x 2 y 1 +N }{{} 0 x 2 y 1 −N }{{} 2 x 0 y }{{} 1=:u 2 =:z 2 =:z 2=:u 1.(6.27)Common roots of the polynomials g 1 and g 2 are given by ū 1 = q 0 (˜p 1 − ˜p 0 ), ū 2 = q 0 (˜p 2 − ˜p 0 ),¯z 1 = q 1 (˜p 2 − ˜p 0 ) and ¯z 2 = q 2 (˜p 1 − ˜p 0 ). Hence, the upper bounds on the solutions we aresearching for are given by |ū i | ≤ 2 α+n−α−t = 2 n−t =: U i , and, analogously, |¯z i | ≤ 2 n−t =: Z i ,i = 1, 2. Note that these bounds are independent of α. Thus, by Coppersmith’s methodwe are able to determine all solutions fulfilling these bounds if t > ψ(n) for some functionψ(n). Using this technique, we can obtain quite good bounds for small dimensional lattices.For some values of α these bounds are better compared to other bounds obtained so far.However, these explicit bounds do not beat the general asymptotic bound either.Example 6.1.11Let the shift polynomial set be defined as F := {u 2 z 2 g 1 ,u 1 g 1 ,u 2 g 2 ,z 1 g 2 ,g 1 ,g 2 }. With an

146 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSappropriate enumeration of the monomials in F we define a basis B of a lattice L:⎛⎞2 tp u 1 u 2 z 1 z 22 tpu 2 1z 1D −N 1 2 tpu 2 2z 2−N 1 −N 2 u 1 u 2−N 2u 1−N 1u 2N 02 tp(6.28)u 2 z 1 z 2N 0 −N 2 2 tpu 1 z 1N 02 tpu 2 z 2⎜N 0 ⎟ z 1 z 2⎝N 0⎠ z 1N 0 z 2Here, D := Diag((U 1 U 2 Z 1 Z 2 ) −1 , (U1Z 2 1 ) −1 , (U2Z 2 2 ) −1 , (U 1 U 2 ) −1 , (U 1 ) −1 , (U 2 ) −1 ). We calculateconditions on the parameters on which we can determine the solution (ū 1 ,ū 2 , ¯z 1 , ¯z 2 )using the lattice L. First, note that F is determinant preserving. This can be seeneasily when regarding the matrix. As any shift polynomial introduces a new monomialwith coefficient N 0 , modular dependence only has to be checked modulo N 0 : Leta 1 u 2 z 2 g 1 + a 2 u 1 g 1 + a 3 u 2 g 2 + a 4 z 1 g 2 + a 5 g 1 + a 6 g 2 ≡ 0 (mod N 0 ). Coefficientwise comparisongives a 6 2 tp ≡ 0 (mod N 0 ) (as coefficient of u 2 z 2 ), a 5 (−N 1 ) ≡ 0 (mod N 0 ) (as coefficientof u 2 ), a 4 2 tp ≡ 0 (mod N 0 ) (as coefficient of u 2 z 1 z 2 ), a 1 2 tp ≡ 0 (mod N 0 ) (as coefficient ofu 1 u 2 z 1 z 2 ), and a 2 2 tp ≡ 0 (mod N 0 ) (as coefficient of u 2 1z 1 ). Thus, a 1 ≡ a 2 ≡ a 4 ≡ a 5 ≡a 6 ≡ 0 (mod N 0 ). Using these results and −N 1 a 2 − N 2 a 3 ≡ 0 (mod N 0 ) (coefficient ofu 1 u 2 ), we additionally obtain a 3 ≡ 0 (mod N 0 ). Thus, the polynomials of F are linearlyindependent modulo N 0 .Consequently, F is determinant preserving and we can directly use the determinant of Lto calculate conditions on which we can determine the solutions.It is det(L) = U1 −5 U2 −5 Z1 −2 Z2 −2 N0 6 = 2 −14(n−t)+6n . We again use the simplified conditiondet(L) > 1 and obtain47 n < t . (6.29)This condition can be fulfilled by parameter sets with 4n < n −α, thus, whenever α < 3n.7 7Now we would like to compare this bound to the ones we have obtained with the latticeconstructions given in the previous examples. It is 4n ≤ 3α + 11n⇔ 5 n ≤ α and7 7 28 124n ≤ 3α ⇔ 8 n ≤ α. Thus, for a small range of larger values of α, the new construction7 2 21improves the bounds obtained in Theorem 6.1.7 and Example 6.1.10.Like in the case of Theorem 6.1.7, we have successfully checked the validity of Assumption6.1.6 with respect to the previous examples. Apart from a few negative examples witha parameter t being tight to the bound, Assumption 6.1.6 could be verified.A general comparison of the bounds we have obtained in the various examples is givenin Figure 6.5. The overall best results obtained non-asymptotically so far are 3 2 α < t if

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 1471000bg800de600ft400h2000200 400 600 800 1000αFigure 6.5: b : t < n − α, d : t > α + n 4 , e : t > 3 7 α + 1128 n f : t > 4 7 n, g : t > 3 2 α,h : t > 2α ( 1 − α n)+ 2Bounds on the number t of bits to be shared in the larger factor depending on α in the caseof two equations and n = 1000.α < 11n,3α + 11 11n < t if n ≤ α < 5 n, and 4n < t if 5n ≤ α < 3 n. The first result is30 7 28 30 12 7 12 7represented by function g, the second result by function e, and the third result by functionf. Furthermore, the bound calculated in Example 6.1.9 is given by the function d. Forcomparison, the asymptotic bound t > 2α ( 1 − n) α + 2 is also given by function h. Weremark that the explicit bounds are quite good in comparison to the bounds obtained withequally low dimensional lattices in case of one equation.Nevertheless, we are not able to beat the asymptotic bound this way, except for smallvalues of α. In the following paragraphs, we will give an intuition why we cannot obtaina good asymptotic bound with the modified polynomials g 1 and g 2 . We use a countingargument to illustrate this.Let F denote a shift polynomial set built using g 1 and g 2 , and let δ denote the maximumtotal degree of a monomial occurring in F. As the polynomials g 1 and g 2 have maximumtotal degree 2, this implies that the maximum total degree of a shift monomial is δ − 2.First, assume that we can take all monomials of degree less or equal to δ − 2 as shiftmonomials for both polynomials. If F remained determinant preserving, this would be asensible strategy as all single variables occur as monomials in either g 1 or g 2 .

148 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSThe number of all monomials m := u i 11 u i 22 z j 11 z j 22 ∈ Z[u 1 ,u 2 ,z 1 ,z 2 ] with deg(m) ≤ δ − 2 iss :=∑δ−2i 1 =0δ−2−i∑ 1i 2 =0δ−2−i∑ 1 −i 2j 1 =0δ−2−i 1 −i 2 −j∑ 1j 2 =01 = 1 24 δ4 + 1 12 δ3 − 124 δ2 − 1 12 δ .Hence, as we can shift each polynomial by each monomial, the number of elements of F isbounded by 2s. Let us regard the polynomials f ∈ F as elements of the polynomial ringZ N0 [u 1 ,u 2 ,z 1 ,z 2 ]. We set F N0 := {f (mod N 0 ) | f ∈ F}. To get a rough estimate howmany of these polynomials can be linearly independent modulo N 0 , we calculate an upperbound s M on the number of monomials |Mon(F N0 )|. For any monomial m := u i 11 u i 22 z j 11 z j 2Mon(F N0 ) one of the following conditions holds:If deg(m) = δ, then m can only be obtained by multiplying the leading monomial of eitherg 1 or g 2 with a monomial of degree δ − 2. Thus, either i 1 ≥ 1 and j 1 ≥ 1 or i 2 ≥ 1 andj 2 ≥ 1.If deg(m) < δ, then either i 1 ≥ 1 or i 2 ≥ 1. This is because the monomials of g 1 (mod N 0 )are u 1 z 1 and u 2 , and, analogously, the monomials of g 2 (mod N 0 ) are u 2 z 2 and u 1 . Hence,s M =++++∑δ−1j 1 =1∑δ−2j 1 =1∑δ−1j 2 =1∑δ−1i 1 =1∑δ−1i 2 =1δ−j∑ 1i 1 =1δ−1−j∑ 1j 2 =1δ−i 1 −j∑ 1i 2 =01 (j 2 = δ − i 1 − i 2 − j 1 )1 (i 1 = 0,i 2 = δ − j 1 − j 2 )δ−j∑ 21 (j 1 = 0,i 1 = δ − i 2 − j 2 )i 2 =1δ−1−i∑ 1i 2 =0δ−1−i∑ 2j 1 =0δ−1−i∑ 1 −i 2j 1 =0δ−1−i 2 −j∑ 1j 2 =0δ−1−i 1 −i 2 −j∑ 1j 2 =01 (i 1 = 0)= 1 24 δ4 + 5 12 δ3 + 2324 δ2 − 2912 δ + 1.In this description the first three summands correspond to monomials of degree δ, whereasthe last two summands correspond to monomials of smaller degree.For fixed values of δ, a determinant preserving shift polynomial set F can contain at mosts M polynomials. Any further polynomial f will linearly depend on F modulo N 0 . That is,the additional polynomial f does not give a useful contribution to the determinant of thesublattice. If F is of size 2s, then at least2s − s M = 1 24 δ4 − 1 4 δ3 − 2524 δ2 + 9 4 δ − 112 ∈

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 149do not contribute to the determinant due to linear dependence modulo N 0 . Note that incase that the value 2s − s M is negative, we cannot exclude any shift polynomials with thisargument. However, for all δ > 8, it is 2s − s M > 0.Asymptotically, we obtain 2s − s M = 1 24 δ4 + o(δ 4 ). This value is equal to the asymptoticvalue of s. This implies that the number of shift polynomials we can use is also s, thenumber of shifts we can maximally construct using only one polynomial. Consequently,even if shifting in both polynomials, we can only use as many shifts of both polynomialsas we could construct shifts of one polynomial.However, regarding a single polynomial, g i contains as many variables as f i , namely three.That is, we do no longer have the advantage of having less variables which we had withtwo polynomials. Moreover, the total sizes of the unknowns are smaller in f i than in g i .Thus, better than considering only one polynomial g i is to use the original polynomial f i .Returning to the original polynomials, the question is whether we can argue similarly asin case of the modified polynomials g i . More precisely, can we give an argument why wecannot improve the bounds? We answer this question in the affirmative. Now let F denotea shift polynomial set built using f 1 and f 2 , and let δ denote the maximum total degreeof a monomial occurring in F. As both polynomials have maximum total degree 3, thisimplies that the maximum total degree of a shift monomial used to construct an elementof F is δ − 3. Let f ∈ F be constructed as mf 1 or mf 2 , where m is a product of powers ofx 0 , x 1 , x 2 , x 0 x 1 y 1 , x 0 x 2 y 2 , x 0 y 1 , x 1 y 1 , x 0 y 2 and x 2 y 2 . That means, the monomial m can bedescribed as m = x i 00 x i 11 x i 22 y j 11 y j 22 such that i 0 +i 1 +i 2 +j 1 +j 2 ≤ δ−3 and i 0 +i 1 +i 2 ≥ j 1 +j 2 .Thus, the maximum number s of all such monomials m is given ass =+++⌊ δ−32 ⌋ ∑j 2 =0⌊ δ−32 ⌋ ∑j 2 =0⌊ δ−32 ⌋ ∑j 2 =0⌊ δ−32 ⌋ ∑j 2 =0⌊ δ−32 ⌋−j 2∑j 1 =0⌊ δ−32 ⌋−j 2∑j 1 =0⌊ δ−32 ⌋−j 2∑j 1 =0⌊ δ−32 ⌋−j 2∑j 1 =0j 2∑i 2 =0j 2∑i 2 =0j 1∑i 1 =0δ−3−j 2 −2j∑ 1i 2 =j 2 +1δ−3−j 2 −2j∑ 1i 2 =j 2 +1= 3640 δ5 − 1192 δ3 + 11920 δ .δ−3−j 1 −2j∑ 2i 1 =j 1 +1δ−3−i 1 −i 2 −j 1 −j∑ 21i 0 =j 1 −i 1 +j 2 −i 2j 1∑i 1 =0δ−3−i 2 −j 1 −j∑ 2i 1 =j 1 +1δ−3−i 1 −i 2 −j 1 −j∑ 21i 0 =j 2 −i 2δ−3−i 1 −i 2 −j 1 −j∑ 21i 0 =j 1 −i 1δ−3−i 1 −i 2 −j 1 −j∑ 2Hence, the number of elements of F is bounded by 2s. Again, let us regard them aselements of Z N0 [x 0 ,x 1 ,x 2 ,y 1 ,y 2 ]. We set F N0 := {f (mod N 0 ) | f ∈ F}. Then we calculatean upper bound s M on the number of monomials |Mon(F N0 )|. For any monomial m :=x i 00 x i 11 x i 22 y j 11 y j 22 ∈ Mon(F N0 ) one of the following conditions holds:i 0 =01

150 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERSIf deg(m) = δ, then m is derived from the multiplication of some monomial of degree δ −3with the leading monomial of either f 1 or f 2 . Thus, either i 0 ,i 1 ≥ 1 and j 1 ≥ 1 or i 0 ,i 2 ≥ 1and j 2 ≥ 1.If deg(m) < δ, then i 0 ≥ 1. Using this, we calculate the number s M of monomials whichoccur in F. The first four sums correspond to monomials of degree smaller than or equalto δ − 2. Monomials of degree δ − 1 do not occur. We get the latter eight sums frommonomials of degree δ, the first four corresponding to monomials with i 0 ,i 1 and j 1 ≥ 1,the others to the remaining monomials.s M =+++++++++⌊ δ−32 ⌋ ∑j 2 =0⌊ δ−32 ⌋ ∑j 2 =0⌊ δ−32 ⌋ ∑j 2 =0⌊ δ−32 ⌋ ∑j 2 =0⌊ δ 2 ⌋−1 ∑j 2 =0⌊ δ 2 ⌋−1 ∑j 2 =0⌊ δ 2 ⌋−1 ∑j 2 =0⌊ δ 2 ⌋−1 ∑j 2 =0⌊ δ 2 ⌋ ∑j 2 =1⌊ δ 2 ⌋ ∑j 2 =1⌊ δ−32 ⌋−j 2∑j 1 =0⌊ δ−32 ⌋−j 2∑j 1 =0⌊ δ−32 ⌋−j 2∑j 1 =0⌊ δ−32 ⌋−j 2∑j 1 =0⌊ δ 2 ⌋−j 2∑j 1 =1⌊ δ 2 ⌋−j 2∑j 1 =1⌊ δ 2 ⌋−j 2∑j 1 =1⌊ δ 2 ⌋−j 2∑j 2 −1∑i 2 =1j 1 =1δ−1−j∑ 2δ−2j∑ 2i 1 =0j 2 −1∑i 2 =0j 2 −1∑i 2 =0j 1 −1∑i 1 =0δ−2−j 2 −2j∑ 1i 2 =j 2δ−3−j 2 −2j∑ 1j 2 −1∑i 2 =0j 2 −1∑i 2 =0δ−j 2 −2j∑ 1i 2 =j 2δ−j 2 −2j∑ 1δ−1−i 2 −j 2i 2 =j 2 i 1 =0δ−2−j 1 −2j∑ 2δ−2−i 1 −i 2 −j 1 −j∑ 21i 0 =j 1 −i 1 +j 2 −i 2∑i 1 =j 1δ−2−i 1 −i 2 −j 1 −j 2j 1 −1∑i 1 =0∑i 2 =j 2δ−3−i 2 −j 1 −j 2j 1 −1∑i 1 =1δ−j 1 −2j∑ 2i 0 =j 2 −i 21δ−2−i 1 −i 2 −j 1 −j∑ 21i 0 =j 1 −i 1∑δ−2−i 1 −i 2 −j 1 −j 2i 1 =j 1 i 0 =11 (i 0 = δ − i 1 − i 2 − j 1 − j 2 )i 1 =j 11 (i 0 = δ − i 1 − i 2 − j 1 − j 2 )j 1 −1∑i 1 =1i 2 =j 2δ−1−i 2 −j 1 −j 21 (i 0 = δ − i 1 − i 2 − j 1 − j 2 )∑i 1 =j 11 (i 0 = δ − i 1 − i 2 − j 1 − j 2 )1 (j 1 = 0,i 0 = δ − i 1 − i 2 − j 2 )∑1 (j 1 = 0,i 0 = δ − i 1 − i 2 − j 2 )1

6.1. ANALYZING THE PROBLEM OF IMPLICIT FACTORING 151++⌊ δ 2 ⌋ ∑j 2 =1⌊ δ 2 ⌋ ∑j 2 =1⌊ δ 2 ⌋−j 2∑j 1 =1⌊ δ 2 ⌋−j 2∑j 1 =1j 2 −1∑i 2 =1δ−j 2 −2j∑ 11 (i 1 = 0,i 0 = δ − i 1 − i 2 − j 1 − j 2 )i 2 =j 21 (i 1 = 0,i 0 = δ − i 1 − i 2 − j 1 − j 2 )= 3640 δ5 + 7192 δ4 + 29192 δ3 − 127192 δ2 + 6011920 δ + 7128 .For fixed values of δ, the shift polynomial set F can contain at most s M polynomialswhich are linearly independent modulo N 0 . Any further polynomial will not give a helpfulcontribution to the determinant of the sublattice. If F is of size 2s, then at least2s − s M = 3640 δ5 − 7192 δ4 − 31192 δ3 + 127192 δ2 − 5991920 δ − 7128polynomials are linearly dependent of the others modulo N 0 . Asymptotically, we obtain2s − s M = 3640 δ5 + o(δ 5 ). Like in the previous case, this is equal to the asymptotic valueof s. Thus, the number of shift polynomials we can use is also s, the maximum numberof shift polynomials we can build using only one polynomial. Consequently, the absolutenumber of shift polynomials in a determinant preserving shift polynomial set has to besmaller than the maximum number of possible shifts in one polynomial.We remark that the argumentation works similarly using all possible monomials of degreeδ − 3 to construct the shift polynomial set. The same observations can be made withrespect to other shift polynomial sets. However, for this type of polynomials we alreadyknow a good shift polynomial set to analyze only one equation. Thus, we have used anaturally generalized version of this set to construct F.These results indicate that we cannot improve the asymptotic bound obtained with onlyone polynomial by using additional ones. Note, however, that we do not have to use thesame shift monomials for both polynomials. A shift polynomial set consisting of s shiftpolynomials including shifts of f 1 and of f 2 might still give a better bound than a shiftpolynomial set containing only shifts of f 1 . However, a bound usually gets better if lessmonomials have to be introduced. As less monomials also imply more linear dependences,we do not see a way how to construct such shift polynomial sets based on f 1 and f 2 .A reason for this behavior is probably the structure of the polynomials we examine. Recallthat if we regard the polynomials modulo N 0 , we deal with polynomials in only two monomials.More precisely, we consider polynomial equations 2 tp x 0 x i y i − N i x 0 ≡ 0 (mod N 0 ).A solution of this equation is given by (x 0 ,x i ,y i ) = (q 0 ,q i , ˜p i − ˜p 0 ). As q 0 divides N 0 , wesearch for solutions of the modular equation 2 tp x i y i − N i ≡ 0 (mod p 0 ). Regarding theequations this way, two equations with different indices i only contain independent variables.This observation supports the claim that we cannot use the shared variables in ouranalyses.Note that we do not prove that it is impossible to obtain better bounds than t − ǫ >

152 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERS2α ( 1 − n) α +3, but that we give arguments to support this claim. A rigorous result is a2goal in future work.6.2 Open Problems and Future WorkIn 2007, Aurélie Bauer and Antoine Joux presented a way to use Coppersmith’s algorithmwith several integer polynomials. The shift polynomial set F they use is determinant preservingby construction. However, the shift polynomials cannot directly be constructedby multiplying the given polynomials by monomials. Instead, it has to be checked if theideal I induced by these polynomials is prime. If not, a prime ideal has to be constructedby decomposition of I in prime ideals. Then a prime ideal corresponding to the originalpolynomials has to be chosen. Subsequently, a Groebner basis of this prime ideal has tobe computed.In this chapter we have analyzed how to use Coppersmith’s algorithm with a shift polynomialset F directly constructed from the integer polynomials. This allows for simplerconstructions of shift polynomial sets. However, not all shift polynomial sets constructedthis way can be used. Instead, further criteria have to be checked. Namely, arbitrary shiftpolynomial sets are not necessarily determinant preserving. We have given some criteriato guarantee that a shift polynomial set is determinant preserving. These criteria do notdirectly lead to a general strategy though.Therefore, in Section 6.1 we have drawn our attention to the problem of implicit factoringand analyzed how to apply Coppersmith’s method with regard to these specific polynomials.We have stated some good bounds obtained with small dimensional lattices. However,we could not give a general strategy to calculate a bound on basis of more polynomials.On the contrary, we have given arguments why a better bound cannot be obtained if weuse two polynomials instead of one polynomial. It remains as an open problem to proveor disprove the existence of an attack for a wider range of parameters. That is, a goal forfuture research is either to extend the arguments to a rigorous proof or to show how toachieve a better bound.Moreover, it would be interesting to give a better explanation of the behavior we haveobserved with respect to the problem of implicit factoring. Probably the structure of thepolynomials plays an important role. Recall that the polynomials consist of only twomonomials modulo N 0 . Moreover, the integer polynomial equations imply two modularpolynomial equations in independent variables. These observations support the claim thatwe cannot use the shared variables in our analyses.Therefore, based on the results in the case of the specific example of implicit factoring, itwould be interesting to determine criteria whether an additional equation can be used toimprove the bounds or not.On a more general scale, a main target is to develop a generic strategy how to apply

6.2. OPEN PROBLEMS AND FUTURE WORK 153Coppersmith’s algorithm to a system of integer polynomial equations. The method shouldbe direct. That is, one should be able to construct a shift polynomial set directly fromthe initial polynomials. Moreover, the set determined this way ought to be determinantpreserving and, thereby, allow for a simple calculation of the bounds.Approaching this problem from the opposite direction, a major goal is to give impossibilityresults. Counting arguments like the ones given in the previous section should beelaborated on to give impossibility results. Then they should be generalized to work witharbitrary sets of polynomials.In the end, given a set of polynomial equations in Z[x 1 ,...,x l ], one should directly be ableto determine values X 1 ,...,X l such that solutions |¯x i | ≤ X i can be found efficiently, butsolutions |¯x i | > X i cannot.

154 CHAPTER 6. MULTIVARIATE EQUATIONS OVER THE INTEGERS

Bibliography[AM09][Bau08][BD99][Ber67][Ber70][BJ07][Blö00][BM05][Bon99][Bro06]Divesh Aggarwal and Ueli M. Maurer. Breaking RSA Generically Is Equivalentto Factoring. In Antoine Joux, editor, EUROCRYPT, volume 5479 of LectureNotes in Computer Science, pages 36–53. Springer, 2009.Aurélie Bauer. Vers une Géneralisation Rigoureuse des Méthodes de Coppersmithpour la Recherche de Petites Racines de Polynômes, Dissertation. 2008.Dan Boneh and Glenn Durfee. Cryptanalysis of RSA with Private Key d Lessthan N 0.292 . In Jacques Stern, editor, EUROCRYPT, volume 1592 of LectureNotes in Computer Science, pages 1–11. Springer, 1999.Elwyn R. Berlekamp. Factoring Polynomials Over Finite Fields. Bell SystemTech. J., 46:1849–1853, 1967.Elwyn R. Berlekamp. Factoring Polynomials Over Large Finite Fields. Math.of Computation, 24:713–735, 1970.Aurélie Bauer and Antoine Joux. Toward a Rigorous Variation of Coppersmith’sAlgorithm on Three Variables. In Moni Naor, editor, EUROCRYPT,volume 4515 of Lecture Notes in Computer Science, pages 361–378. Springer,2007.Johannes Blömer. Closest Vectors, Successive Minima, and Dual HKZ-Basesof Lattices. In Ugo Montanari, José D. P. Rolim, and Emo Welzl, editors,ICALP, volume 1853 of Lecture Notes in Computer Science, pages 248–259.Springer, 2000.Johannes Blömer and Alexander May. A Tool Kit for Finding Small Roots ofBivariate Polynomials over the Integers. In Cramer [Cra05], pages 251–267.Dan Boneh. Twenty Years of Attacks on the RSA Cryptosystem. In Notices ofthe American Mathematical Society (AMS), volume 46, No. 2, pages 203–213,1999.Daniel R. L. Brown. Breaking RSA May Be as Difficult as Factoring. InCryptology ePrint Archive, Report 2005/380, 2006.155

156 BIBLIOGRAPHY[BS96][Buc65][Buc06][BV98]Eric Bach and Jeffrey Shallit. Algorithmic Number Theory, volume 1. TheMIT press, 1996.Bruno Buchberger. Ein Algorithmus zum Auffinden der Basiselemente desRestklassenringes nach einem nulldimensionalen Polynomideal (An Algorithmfor Finding the Basis Elements in the Residue Class Ring Modulo a Zero DimensionalPolynomial Ideal). PhD thesis, Mathematical Institute, Universityof Innsbruck, Austria, 1965.Bruno Buchberger. Bruno Buchberger’s PhD thesis 1965: An Algorithm forFinding the Basis Elements of the Residue Class Ring of a Zero DimensionalPolynomial Ideal. J. Symb. Comput., 41(3-4):475–511, 2006.Dan Boneh and Ramarathnam Venkatesan. Breaking RSA May Not Be Equivalentto Factoring. In Nyberg [Nyb98], pages 59–71.[BvHKS07] Karim Belabas, Mark van Hoeij, Jürgen Klüners, and Allan Steel. FactoringPolynomials over Global fields. preprint, to appear in Journal de Theorie desNombres de Bordeaux, 2007.[CFPR96] Don Coppersmith, Matthew K. Franklin, Jacques Patarin, and Michael K.Reiter. Low-Exponent RSA with Related Messages. In Maurer [Mau96], pages1–9.[CKM97][CLO97][Cop96a][Cop96b][Cop97][Cop01][Cor04]Stéphane Collart, Michael Kalkbrener, and Daniel Mall. Converting Baseswith the Gröbner Walk. J. Symb. Comput., 24(3/4):465–469, 1997.David Cox, John Little, and Donald O’Shea. Ideals, Varieties and Algorithms,An Introduction to computational Algebraic Geometry and Commutative Algebra,Second Edition. Springer-Verlag, 1997.Don Coppersmith. Finding a Small Root of a Bivariate Integer Equation;Factoring with High Bits Known. In Maurer [Mau96], pages 178–189.Don Coppersmith. Finding a Small Root of a Univariate Modular Equation.In Maurer [Mau96], pages 155–165.Don Coppersmith. Small Solutions to Polynomial Equations, and Low ExponentRSA Vulnerabilities. J. Cryptology, 10(4):233–260, 1997.Don Coppersmith. Finding Small Solutions to Small Degree Polynomials. InSilverman [Sil01], pages 20–31.Jean-Sébastien Coron. Finding Small Roots of Bivariate Integer PolynomialEquations Revisited. In Christian Cachin and Jan Camenisch, editors, EURO-CRYPT, volume 3027 of Lecture Notes in Computer Science, pages 492–505.Springer, 2004.

BIBLIOGRAPHY 157[Cor07][Cra05][DBL83][DH76][DK02][Fau99][Fau02]Jean-Sébastien Coron. Finding Small Roots of Bivariate Integer PolynomialEquations: A Direct Approach. In Menezes [Men07], pages 379–394.Ronald Cramer, editor. Advances in Cryptology - EUROCRYPT 2005, 24thAnnual International Conference on the Theory and Applications of CryptographicTechniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume3494 of Lecture Notes in Computer Science. Springer, 2005.Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing,25-27 April 1983, Boston, Massachusetts, USA. ACM, 1983.Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography.IEEE Transactions on Information Theory, IT-22(6):644–654, 1976.Ivan Damgård and Maciej Koprowski. Generic Lower Bounds for Root Extractionand Signature Schemes in General Groups. In Lars R. Knudsen, editor,EUROCRYPT, volume 2332 of Lecture Notes in Computer Science, pages 256–271. Springer, 2002.Jean-Charles Faugère. A New Efficient Algorithm for Computing GröbnerBases (F4). Journal of Pure and Applied Algebra, 139(1–3):61–88, 1999.Jean-Charles Faugère. A New Efficient Algorithm for Computing GröbnerBases without Reduction to Zero (F5). In T. Mora, editor, Proceedings ofthe 2002 International Symposium on Symbolic and Algebraic ComputationISSAC, pages 75–83, 2002.[FGLM93] Jean-Charles Faugère, Patrizia M. Gianni, Daniel Lazard, and Teo Mora. EfficientComputation of Zero-Dimensional Gröbner Bases by Change of Ordering.J. Symb. Comput., 16(4):329–344, 1993.[FMR09][FP83][FR95][Hås88][Hel85]Jean-Charles Faugère, Raphaël Marinier, and Guénaël Renault. Implicit Factoringwith Shared Most Significant Bits. preprint, personal communication,2009.Ulrich Fincke and Michael Pohst. A Procedure for Determining AlgebraicIntegers of Given Norm. In van Hulzen [vH83], pages 194–202.Matthew K. Franklin and Michael K. Reiter. A Linear Protocol Failure forRSA with Exponent Three. In Presented at CRYPTO Rump Session, 1995.Johan Håstad. Solving Simultaneous Modular Equations of Low Degree. SIAMJ. Comput., 17(2):336–341, 1988.Bettina Helfrich. Algorithms to Construct Minkowski Reduced and HermiteReduced Lattice Bases. Theor. Comput. Sci., 41:125–139, 1985.

158 BIBLIOGRAPHY[HM08][HM09][HS07][JM06][JM07][JNT07][Jut98][Kan83][Kan87][Kat01][Laz83][LC06][Len87]Mathias Herrmann and Alexander May. Solving Linear Equations Modulo Divisors:On Factoring Given Any Bits. In Josef Pieprzyk, editor, ASIACRYPT,volume 5350 of Lecture Notes in Computer Science, pages 406–424. Springer,2008.Mathias Herrmann and Alexander May. Attacking Power Generators UsingUnravelled Linearization: When Do We Output Too Much? In Mitsuru Matsui,editor, ASIACRYPT, volume 5912 of Lecture Notes in Computer Science,pages 487–504. Springer, 2009.Guillaume Hanrot and Damien Stehlé. Improved Analysis of Kannan’s ShortestLattice Vector Algorithm. In Menezes [Men07], pages 170–186.Ellen Jochemsz and Alexander May. A Strategy for Finding Roots of MultivariatePolynomials with New Applications in Attacking RSA Variants. In Laiand Chen [LC06], pages 267–282.Ellen Jochemsz and Alexander May. A Polynomial Time Attack on RSA withPrivate CRT-Exponents Smaller Than N 0.073 . In Menezes [Men07], pages395–411.Antoine Joux, David Naccache, and Emmanuel Thomé. When e-th RootsBecome Easier Than Factoring. In ASIACRYPT, pages 13–28, 2007.Charanjit S. Jutla. On Finding Small Solutions of Modular Multivariate PolynomialEquations. In Nyberg [Nyb98], pages 158–170.Ravi Kannan. Improved Algorithms for Integer Programming and RelatedLattice Problems. In STOC [DBL83], pages 193–206.Ravi Kannan. Minkowski’s Convex Body Theorem and Integer Programming.In Math. Oper. Res. [DBL83], pages 415–440.Stefan Katzenbeisser. Recent Advances in RSA Cryptography. Advances inInformation Security 3. Springer US, 2001.Daniel Lazard. Gröbner-Bases, Gaussian Elimination and Resolution of Systemsof Algebraic Equations. In van Hulzen [vH83], pages 146–156.Xuejia Lai and Kefei Chen, editors. Advances in Cryptology - ASIACRYPT2006, 12th International Conference on the Theory and Application of Cryptologyand Information Security, Shanghai, China, December 3-7, 2006, Proceedings,volume 4284 of Lecture Notes in Computer Science. Springer, 2006.Hendrik W. Lenstra. Factoring Integers with Elliptic Curves. The Annals ofMathematics, 126(3):649–673, 1987.

BIBLIOGRAPHY 159[LHWL93] Arjen K. Lenstra and Jr. Hendrik W. Lenstra, editors. The Development of theNumber Field Sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, Berlin, 1993.[LLL82][LR06][Lüb02][Mau92][Mau96]Arjen K. Lenstra, Hendrik W. Lenstra Jr., and László Lovász. FactoringPolynomials with Rational Coefficients. Mathematische Annalen, 261(4):515–534, 1982.Gregor Leander and Andy Rupp. On the Equivalence of RSA and FactoringRegarding Generic Ring Algorithms. In Lai and Chen [LC06], pages 241–251.Frank Lübeck. On the Computation of Elementary Divisors of Integer Matrices.J. Symb. Comput., 33(1):57–65, 2002.Ueli M. Maurer. Factoring with an Oracle. In Rainer A. Rueppel, editor,EUROCRYPT, volume 658 of Lecture Notes in Computer Science, pages 429–436. Springer, 1992.Ueli M. Maurer, editor. Advances in Cryptology - EUROCRYPT ’96, InternationalConference on the Theory and Application of Cryptographic Techniques,Saragossa, Spain, May 12-16, 1996, Proceeding, volume 1070 of Lecture Notesin Computer Science. Springer, 1996.[May06] Alexander May. Skript zur Vorlesung Public Key Kryptanalyse. Wintersemester2005/06.[McN07] John M. McNamee. Numerical Methods for Roots of Polynomials, Part 1,volume 14. Elsevier: Studies in Computational Mathematics, 2007.[Men07][Mey00][MG02]Alfred Menezes, editor. Advances in Cryptology - CRYPTO 2007, 27th AnnualInternational Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings, volume 4622 of Lecture Notes in Computer Science.Springer, 2007.Carl D. Meyer. Matrix Analysis and Applied Linear Algebra. Cambridge UniversityPress, 2000.Daniele Micciancio and Shafi Goldwasser. Complexity of Lattice Problems:a Cryptographic Perspective, volume 671 of The Kluwer International Seriesin Engineering and Computer Science. Kluwer Academic Publishers, Boston,Massachusetts, March 2002.[Min96] Hermann Minkowski. Geometrie der Zahlen. Teubner-Verlag, 1896.[MM82]Ernst W. Mayr and Albert R. Meyer. The Complexity of the Word Problemsfor Commutative Semigroups and Polynomial Ideals. Advances in Mathematics,46(3):305–329, 1982.

160 BIBLIOGRAPHY[MR08][MR09][NS05][Nyb98][Pau07][Pom84][RS85][RSA][RSA78][SB02][Sho94][Sho05]Alexander May and Maike Ritzenhofen. Solving Systems of Modular Equationsin One Variable: How Many RSA-Encrypted Messages Does Eve Need toKnow? In Ronald Cramer, editor, Public Key Cryptography, volume 4939 ofLecture Notes in Computer Science, pages 37–46. Springer, 2008.Alexander May and Maike Ritzenhofen. Implicit Factoring: On PolynomialTime Factoring Given Only an Implicit Hint. In Stanislaw Jarecki and GeneTsudik, editors, Public Key Cryptography, volume 5443 of Lecture Notes inComputer Science, pages 1–14. Springer, 2009.Phong Q. Nguyen and Damien Stehlé. Floating-Point LLL Revisited. InCramer [Cra05], pages 215–233.Kaisa Nyberg, editor. Advances in Cryptology - EUROCRYPT ’98, InternationalConference on the Theory and Application of Cryptographic Techniques,Espoo, Finland, May 31 - June 4, 1998, Proceeding, volume 1403 of LectureNotes in Computer Science. Springer, 1998.Franz Pauer. Gröbner Bases with Coefficients in Rings. J. Symb. Comput.,42(11-12):1003–1011, 2007.Carl Pomerance. The Quadratic Sieve Factoring Algorithm. In Thomas Beth,Norbert Cot, and Ingemar Ingemarsson, editors, EUROCRYPT, volume 209of Lecture Notes in Computer Science, pages 169–182. Springer, 1984.Ronald L. Rivest and Adi Shamir. Efficient Factoring Based on Partial Information.In Franz Pichler, editor, EUROCRYPT, volume 219 of Lecture Notesin Computer Science, pages 31–34. Springer, 1985.RSA Laboratories. PKCS #1 v2.1: RSA Cryptography Standard.Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A Method forObtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM,21(2):120–126, 1978.Josef Stoer and Roland Bulirsch. Introduction to Numerical Analysis. Springer-Verlag, New York and Berlin, 2002.Peter W. Shor. Polynominal Time Algorithms for Discrete Logarithms andFactoring on a Quantum Computer. In Leonard M. Adleman and Ming-Deh A.Huang, editors, ANTS, volume 877 of Lecture Notes in Computer Science, page289. Springer, 1994.Victor Shoup. A Computational Introduction to Number Theory and Algebra.Cambridge University Press, 2005.

BIBLIOGRAPHY 161[Sil01][Sim83][SM09][SW99][vH83][vH01][VZ95][Wie90]Joseph H. Silverman, editor. Cryptography and Lattices, International Conference,CaLC 2001, Providence, RI, USA, March 29-30, 2001, Revised Papers,volume 2146 of Lecture Notes in Computer Science. Springer, 2001.Gustave J. Simmons. A "Weak" Privacy Protocol Using the RSA CryptoAlgorithm. Cryptologia, 7(2):180–182, 1983.Santanu Sarkar and Subhamoy Maitra. Further Results on Implicit Factoringin Polynomial Time. Advances in Mathematics of Communication, 3(2):205–217, 2009.Uwe Storch and Hartmut Wiebe. Lehrbuch der Mathematik, Band II: LineareAlgebra . Spektrum Akademischer Verlag, 1999.J. A. van Hulzen, editor. Computer Algebra, EUROCAL ’83, European ComputerAlgebra Conference, London, England, March 28-30, 1983, Proceedings,volume 162 of Lecture Notes in Computer Science. Springer, 1983.Mark van Hoeij. Factoring Polynomials and 0-1 Vectors. In Silverman [Sil01],pages 45–50.Scott A. Vanstone and Robert J. Zuccherato. Short RSA Keys and TheirGeneration. J. Cryptology, 8(2):101–114, 1995.Michael J. Wiener. Cryptanalysis of Short RSA Secret Exponents. IEEETransactions on Information Theory, 36(3):553–558, 1990.

AcknowledgmentsFirst of all, I would like to thank my supervisor Prof. Dr. Alexander May for giving me theopportunity to write this thesis, for inviting me to accompany him when he took up a newposition in Bochum and, in particular, for the many and inspiring scientific discussions andthe constant support at all stages of the thesis. Furthermore, I would like to say thank youto Prof. Dr. Hans Ulrich Simon for agreeing to act as co-referee. Moreover, I am gratefulto Dr. Olivier Brunat for suggesting I should have a look at elementary divisors.I have greatly enjoyed my time working at the Technical University of Darmstadt and atthe Ruhr-University of Bochum. Thanks to the group of CDC in Darmstadt as well as thegroup of CITS and the other chairs of the HGI in Bochum who contributed to this. Inparticular, I would like to thank Christina Lindenberg and Roberto Samarone dos SantosAraújo for making me feel so welcome and for a great time sharing the office in Darmstadt.Thank you to Mathias Herrmann for more than two years of shared office time in Bochum,for discussing many scientific ideas or problems, but also for other discussions. Further,thank you, Mathias, for the thorough proofreading of my thesis, the helpful advice givenon many occasions and for somehow managing to find enjoyment in tackling those littleproblems which to me just seemed annoying. Furthermore, I would like to thank AlexanderMeurer and Enrico Thomae for proofreading a part of this thesis and for their helpfulremarks. A special thanks to Christian Stinner for a very detailed proofreading althoughhe had many other duties in the same period of time. Thank you, Christian, for your manyhelpful comments and for your encouragement.Moreover, I would like to say thank you to my family and friends who have encouraged,supported and distracted me over the past years. Thank you to my parents and my brotherfor their constant support at all times, for their love and understanding.Thank you to all the friends who have been there at one time or another and who contributedto so many enjoyable moments. In particular, I would like to thank Christianefor a longlasting friendship which has overcome all the changes in our lives, and for theopportunity to share our problems and frustrations as they arose. Although we were neverreally able to understand what the exact scientific problem of the other was, this helpedme a lot. Thank you, Sarah, for all our intense discussions on nearly any topic (exceptfor mathematics, maybe), for always being there in spite of any physical distance. Thankyou, Tina, for so many true comments at exactly the right moments, for always joining inwhen it was once again time ”to drink some more tea” and for all those comforting laps of”jogging”.Thank you to all the people who made the past few years the way they were!