Paper 2010/263

Lattice Reduction and Polynomial Solving

Raphaël Marinier

Abstract

In this paper, we suggest a generalization of Coppersmith's method for finding integer roots of a multivariate polynomial. Our generalization allows finding integer solutions of a system of $k$ multivariate polynomial equations. We then apply our method to the so-called implicit factoring problem, which constitutes the main contribution of this paper. The problem is as follows: let $N_1=p_1{q}_1$ and $N_2=p_2{q}_2$ be two RSA moduli of same bit-size, where $q_1,q_2$ are $\alpha$-bit primes. We are given the \emph{implicit} information that $p_1$ and $p_2$ share $t$ most significant bits. We present a novel and rigorous lattice-based method that leads to the factorization of $N_1$ and $N_2$ in polynomial time as soon as $t\ge 2\alpha +3$. Subsequently, we heuristically generalize the method to $k$ RSA moduli $N_i=p_i{q}_i$ where the $p_i$'s all share $t$ most significant bits (MSBs) and obtain an improved bound on $$ that converges to $$ as $$ tends to infinity. This paper extends the work of May and Ritzenhofen in \cite{DBLP:conf/pkc/MayR09}, where similar results were obtained when the $$'s share least significant bits (LSBs). In \cite{sarkar2009further}, Sarkar and Maitra describe an alternative but heuristic method for only two RSA moduli, when the $$'s share LSBs and/or MSBs, or bits in the middle. In the case of shared MSBs or bits in the middle and two RSA moduli, they get better experimental results in some cases, but we use much lower (at least 23 times lower) lattice dimensions. Our results rely on the following surprisingly simple algebraic relation in which the shared MSBs of p_1$$p_2$$q_1 N_2 - q_2 N_1 = q_1 q_2 (p_2 - p_1)$$N_i$'s.