Cryptanalysis of RSA Factorization - Library(ISI Kolkata) - Indian ...
Chapter 2: Mathematical Preliminaries 40
lattice reduction on $L$, are algebraically independent. If so, then we can collect the root $(x_1^{(0)}, \ldots, x_t^{(0)})$ from $f, r_1, r_2, \ldots, r_{t-1}$ using the method of resultants. The reader may note that this method is heuristic, depending on the validity of the algebraic independence assumption. However, in Eurocrypt 2007, Bauer and Joux [7] proposed a deterministic method for finding integer roots of a trivariate polynomial. But now, let us study a generalization of the above method.
2.6.2 General Method by Jochemsz and May
In Eurocrypt 2005, Blömer and May [10] presented a general technique for solving a bivariate integer polynomial. In Asiacrypt 2006, Jochemsz and May [65] generalized the same and proposed a method to find a small root $(x_1^{(0)}, \ldots, x_t^{(0)})$ of a polynomial $f(x_1, \ldots, x_t)$. In this section we discuss this generalized idea.
Let $d_i$ be the maximal degree of $x_i$ in $f$ for $1 \le i \le t$. Let us define
$$W = \|f(x_1 X_1, x_2 X_2, \ldots, x_t X_t)\|_\infty, \quad\text{and}\quad R = W X_1^{d_1(m-1)} X_2^{d_2(m-1)} \cdots X_t^{d_t(m-1)}.$$
Let $a_0 = f(0, 0, \ldots, 0)$ and assume that $a_0 \ne 0$. If $a_0 = 0$, then find some $(y_1, \ldots, y_t)$ such that $f(y_1, \ldots, y_t) \ne 0$, and define a new polynomial $f_1(x_1, x_2, \ldots, x_t) = f(x_1 + y_1, x_2 + y_2, \ldots, x_t + y_t)$. Clearly, the constant term of the new polynomial $f_1$ is nonzero as $f_1(0, 0, \ldots, 0) = f(y_1, y_2, \ldots, y_t) \ne 0$, and one can find the roots of $f_1$. Next, assume that $\gcd(a_0, R) = 1$. If not, then using the idea of [28, Appendix A], we increase $X_i, W$ such that $\gcd(a_0, R) = 1$. Now we define $f'(x_1, x_2, \ldots, x_t) = a_0^{-1} f \pmod{R}$, and start with the basic strategy.
Basic Strategy
Define the following sets for some positive integer $m$.
$$S = \bigcup \{ x_1^{i_1} x_2^{i_2} \cdots x_t^{i_t} \mid x_1^{i_1} x_2^{i_2} \cdots x_t^{i_t} \text{ is a monomial of } f^m \}, \quad\text{and}$$
$$M = \bigcup \{ x_1^{i_1} x_2^{i_2} \cdots x_t^{i_t} \mid x_1^{i_1} x_2^{i_2} \cdots x_t^{i_t} \text{ is a monomial of } f^{m+1} \}.$$
Let $l_j$ be the largest exponent of $x_j$ that appears in the monomials of $S$.
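As an added illustration (not part of the thesis), the following Python computes the quantities defined above for a small constructed bivariate polynomial $f = x_1 x_2 + 3x_1 + 3$ with assumed bounds $X = (4, 5)$ and $m = 2$: the bound $W$, the modulus $R$, the normalised $f' = a_0^{-1} f \pmod R$ with both preconditions ($a_0 \ne 0$, $\gcd(a_0, R) = 1$) checked, and the monomial sets $S$, $M$ and the exponents $l_j$. Polynomials are plain dicts so it runs without any algebra library.

```python
from math import gcd, prod

# A polynomial in t variables is a dict {exponent tuple: integer coefficient}.
# Constructed example: f = x1*x2 + 3*x1 + 3 (not taken from the thesis).
F_EXAMPLE = {(1, 1): 1, (1, 0): 3, (0, 0): 3}

def poly_mul(p, q):
    out = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            out[e] = out.get(e, 0) + c1 * c2
    return {e: c for e, c in out.items() if c != 0}   # drop cancelled terms

def poly_pow(p, m):
    result = {(0,) * len(next(iter(p))): 1}            # the constant polynomial 1
    for _ in range(m):
        result = poly_mul(result, p)
    return result

def inf_norm(f, X):
    """W = ||f(x1 X1, ..., xt Xt)||_inf: largest |coefficient| after scaling by X."""
    return max(abs(c) * prod(Xi ** ei for Xi, ei in zip(X, e)) for e, c in f.items())

def modulus_R(f, X, m):
    """R = W * prod_i X_i^{d_i (m-1)}, where d_i is the maximal degree of x_i in f."""
    t = len(X)
    d = [max(e[i] for e in f) for i in range(t)]
    return inf_norm(f, X) * prod(X[i] ** (d[i] * (m - 1)) for i in range(t))

def normalise(f, R):
    """f' = a0^{-1} f (mod R); refuses when either precondition of the text fails."""
    a0 = f.get((0,) * len(next(iter(f))), 0)
    if a0 == 0:
        raise ValueError("constant term is zero: shift f by some (y_1, ..., y_t) first")
    if gcd(a0, R) != 1:
        raise ValueError("gcd(a0, R) != 1: enlarge the X_i (and hence W) first")
    inv = pow(a0, -1, R)
    return {e: (inv * c) % R for e, c in f.items()}

def basic_strategy_sets(f, m):
    """S = monomials of f^m, M = monomials of f^{m+1}, l_j = largest exponent of x_j in S."""
    S = set(poly_pow(f, m))
    M = set(poly_pow(f, m + 1))
    l = tuple(max(e[j] for e in S) for j in range(len(next(iter(f)))))
    return S, M, l

if __name__ == "__main__":
    X, m = (4, 5), 2
    R = modulus_R(F_EXAMPLE, X, m)                      # W = 20, so R = 20 * 4 * 5 = 400
    print(R, normalise(F_EXAMPLE, R), basic_strategy_sets(F_EXAMPLE, m))
```

Replacing the constant term 3 by 2 makes `normalise` raise, since $\gcd(2, 400) \ne 2$ is exactly the case where the text says to enlarge $X_i$ and $W$ before inverting $a_0$.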