
SOLVING SIMULTANEOUS MODULAR EQUATIONS OF LOW DEGREE

Johan Håstad*
MIT

Abstract: We consider the problem of solving systems of equations $P_i(x) \equiv 0 \pmod{n_i}$, $i = 1, \ldots, k$, where the $P_i$ are polynomials of degree $d$, the $n_i$ are distinct relatively prime numbers and $x < \min(n_i)$. We prove that if $k > d(d+1)/2$ we can recover $x$ in polynomial time provided $\min(n_i) > 2^{d^2}$. As a consequence the RSA cryptosystem used with a small exponent is not a good choice to use as a public key cryptosystem in a large network. We also show that a protocol by Broder and Dolev [4] is insecure if RSA with a small exponent is used.

Warning: Essentially this paper has been published in SIAM Journal on Computing and is hence subject to copyright restrictions. It is for personal use only.
1. Introduction

Let us start with some cryptographic motivation. The RSA function [10] is defined as $f(x) \equiv x^e \pmod n$. Here $n$ is usually taken of the form $n = pq$ where $p$ and $q$ are two large primes and $e$ is an integer relatively prime to $(p-1)(q-1)$. Using these parameters the function is $1$-$1$ when restricted to $1 \le x \le n$, $\gcd(x, n) = 1$. Furthermore the function is widely believed to be a trapdoor function, i.e. given $n$ and $e$ it is easy to compute $f(x)$, and given $f(x)$ it is also easy to recover $x$ provided one has some secret information, but otherwise it is difficult to compute $x$. In this case the secret information is the factorization of $n$.
The RSA function can be used to construct a deterministic Public Key Cryptosystem (PKC) in the following way:

Each user $B$ in a communication network chooses two large primes $p$ and $q$ and multiplies them together and publishes the result $n_B$ together with a number $e_B$ which is relatively prime to $(p-1)(q-1)$. He keeps the factorization of $n_B$ as his private secret information. If any user $A$ in the system wants to send a secret message $m$ to another user $B$, she retrieves $B$'s published information, computes $y \equiv m^{e_B} \pmod{n_B}$ and sends $y$ to $B$. $B$ now obtains the original message using his secret information, while somebody who does not know the secret information presumably faces an intractable computational task.
Public Key Cryptosystems are different and more complex objects than trapdoor functions. The reason is that a PKC involves a protocol consisting of several steps. For example the use of RSA in a PKC may present obstacles that did not occur when we considered it as a trapdoor function. Several people (including Blum, Lieberherr and Williams) have observed the following possible attack. Assume that 3 is chosen as the exponent and that $A$ wants to send the same message $m$ to users $U_1$, $U_2$ and $U_3$. She will compute and send $y_i \equiv m^3 \pmod{n_i}$, $i = 1, 2, 3$. If someone gains access to $y_1$, $y_2$ and $y_3$ then by using the fact that $n_1$, $n_2$ and $n_3$ will be relatively prime he can combine the messages by chinese remaindering to get $m^3 \pmod{n_1 n_2 n_3}$ and since $m^3 < n_1 n_2 n_3$ he can recover $m$. In general if the exponent is $e$ the number of messages needed is $e$.

* Supported by an IBM fellowship, partially supported by NSF grant DCR-8509905
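The three-recipient attack just described, as an added worked example (this code is not part of the paper): the attacker chinese-remainders the ciphertexts to obtain $m^3 \bmod n_1 n_2 n_3$, which equals $m^3$ itself because $m < \min n_i$, and then takes an exact integer cube root. The code is written for a general exponent $e$ given $e$ ciphertexts, as the last sentence above states. The function names, the semiprime moduli (built from small well known primes), the exponent and the message are all constructed toy values for illustration; nothing here comes from the paper.

```python
from math import gcd

def crt(residues, moduli):
    """Chinese remaindering: the unique r < N = prod(moduli) with r = y_i (mod n_i)."""
    if any(gcd(a, b) != 1 for i, a in enumerate(moduli) for b in moduli[i + 1:]):
        raise ValueError("moduli must be pairwise relatively prime")
    N = 1
    for n in moduli:
        N *= n
    r = 0
    for y, n in zip(residues, moduli):
        Ni = N // n
        r += y * Ni * pow(Ni, -1, n)   # u_i = Ni * Ni^{-1}: 1 mod n_i, 0 mod every other n_j
    return r % N, N

def integer_root(v, e):
    """Exact floor(v^(1/e)) for a non-negative integer v, by Newton's iteration from above."""
    if v < 2:
        return v
    x = 1 << ((v.bit_length() + e - 1) // e)    # 2^ceil(bits/e) >= v^(1/e)
    while True:
        y = ((e - 1) * x + v // pow(x, e - 1)) // e
        if y >= x:
            return x
        x = y

def broadcast_attack(ciphertexts, moduli, e):
    """Recover m from y_i = m^e (mod n_i) given e (or more) ciphertexts of the same m.
    Returns None when the combined residue is not a perfect e-th power, which is the
    normal outcome with fewer than e ciphertexts (m^e is then larger than prod(n_i))."""
    me, N = crt(ciphertexts, moduli)
    m = integer_root(me, e)
    return m if pow(m, e) == me else None

# Constructed toy instance: three users with e = 3 and distinct semiprime moduli
# (7919, 104729, 999983, 1000003, 65537 and 2^31 - 1 are all prime).
E = 3
MODULI = [7919 * 104729, 999983 * 1000003, 65537 * 2147483647]
MESSAGE = 123456789          # below min(MODULI), so m^3 < n_1 n_2 n_3

def demo():
    """Encrypt MESSAGE for all three users, then attack with 3 and with only 2 ciphertexts."""
    y = [pow(MESSAGE, E, n) for n in MODULI]
    with_three = broadcast_attack(y, MODULI, E)
    with_two = broadcast_attack(y[:2], MODULI[:2], E)
    return with_three, with_two
```

With all three ciphertexts the attack returns the message; with only two, the chinese-remaindered value is $m^3 \bmod n_1 n_2$, which is smaller than $m^3$, so no cube root of it can be the message. The same code runs unchanged for $e = 5$ with five ciphertexts, and the only requirement on the moduli is that they are pairwise relatively prime.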
A natural question is therefore: Is there a better way to send the same message to many people using this PKC?

A common heuristic tells us to use a "time stamp". Instead of sending the same message $m$ to everybody one attaches the time and thus sends the encryption of $2^{|t_i|} m + t_i$, where $2^{|t_i|} m$ is the shifted message and $t_i$ is the time when the message is sent to user $U_i$. This time will be different for the different receivers. The previous attack then fails.

If we assume that the times $t_i$ are known to the cryptanalyst we are led to consider the following computational problem (for $e = 3$).

Given $(a_i m + b_i)^3 \pmod{n_i}$ where all the $a_i$ and $b_i$ are known, is it possible to recover $m$ in polynomial time?

We will prove in section 3 that the answer is YES if the number of similar messages is at least 7. In fact we will prove this as a special case of our main result, which is: Given a set of $k$ polynomial equations

$P_i(x) \equiv 0 \pmod{n_i}, \quad i = 1, \ldots, k,$

each of degree $\le d$, it is possible to recover all solutions in time polynomial in both $k$ and $\log n_i$ if $k > d(d+1)/2$, provided $\min(n_i) > 2^{d^2}$.

Observe that the described attack does not work if the values of the $t_i$ are not known to the cryptanalyst. Thus if for instance a random padding was used or if the time stamp was unknown then the present attack will not work. However, this weakness seems severe enough that if one uses RSA as a PKC then as a matter of prudence one should use a large exponent or, even better, one should use a probabilistic encryption scheme [3],[7] based on RSA. By [1],[3] this can be done with as much efficiency as in the deterministic case.
The outline of the paper is as follows. In section 2 we state some results from geometry
of numbers which will be needed in later sections. In section 3 we state and prove our
main result and in section 4 we derive some cryptographic applications.

2. Background from geometry of numbers.

The main tool in our algorithm will be the use of lattices and in this section we will gather the relevant background information. A lattice $L$ is defined to be the set of points

$L = \{\, y \mid y = \sum_{i=1}^{n} a_i \vec b_i,\ a_i \in \mathbb{Z} \,\}$

where the $\vec b_i$ are linearly independent vectors in $\mathbb{R}^n$. The set $\{\vec b_i\}$ is called a basis for the lattice and $n$ is the dimension. The determinant of a lattice is defined to be the absolute value of the determinant of the matrix with rows $\vec b_i$. It is not hard to see that the determinant is independent of the choice of basis. The length of the shortest nonzero vector in the lattice is denoted by $\lambda_1$. Let us recall the following well known fact:

Theorem: (Minkowski) $\lambda_1 \le \gamma_n^{1/2} (\det(L))^{1/n}$ where $\gamma_n$ is Hermite's constant.

Hermite's constant is not known exactly for $n > 8$ but Minkowski's convex body theorem ([5], ix.7) implies that $\gamma_n \le n$. Lenstra et al. showed in [8] that it was possible to find a vector in $L$ of length at most $2^{\frac{n-1}{2}} \lambda_1$ in polynomial time. From their proof we can however derive a slightly better bound in the present case.


Theorem (LLL): Given a lattice $L$ as a basis of integer vectors of length at most $B$ we can find a vector $\vec b$ in time $O(n^6 (\log B)^3)$ which satisfies $\|\vec b\| \le 2^{\frac{n-1}{4}} (\det(L))^{1/n}$.

This gives an effective variant of Minkowski's theorem. Here $\|\vec b\|$ is the euclidean length of the vector $\vec b$. The bound on the running time assumes that multiplication of $r$ bit numbers is done by classical arithmetic taking $O(r^2)$ steps. Using faster multiplication routines the bounds can be improved by a factor close to $n \log B$. Armed with this information we return to the original problem.

3. Main Theorem

Let us start by fixing some notation. Let $N = \prod_{i=1}^{k} n_i$ and $n = \min n_i$. Now we can state the problem formally:

Problem: Given a set of $k$ equations $\sum_{j=0}^{d} a_{ij} x^j \equiv 0 \pmod{n_i}$, $i = 1, \ldots, k$. Suppose that the system has a solution $x < n$ and the numbers $n_i$ are pairwise relatively prime. Can we find such a solution efficiently?

Before we state our main result let us give the basic ideas. Define $u_j < N$ to be the chinese remaindering coefficients, i.e. $u_j \equiv \delta_{ij} \pmod{n_i}$ ($\delta_{ij} = 1$ if $i = j$ and $0$ otherwise). We can combine the equations to a single equation using the chinese remainder theorem:

$0 \equiv \sum_{j=0}^{d} x^j \sum_{i=1}^{k} u_i a_{ij} \equiv \sum_{j=0}^{d} x^j c_j \pmod N.$

One of the important parts of the entire paper is the following simple lemma.

Lemma 1: If $|c_j| < \frac{N}{(d+1) n^j}$ and we have at least one nonzero $c_j$ then we can find all $x$ satisfying $x < n$ and $\sum_{j=0}^{d} c_j x^j \equiv 0 \pmod N$ in time $O((d \log N)^3)$.

Proof: If $|c_j| < \frac{N}{(d+1) n^j}$ then

$\left| \sum_{j=0}^{d} c_j x^j \right| \le \sum_{j=0}^{d} |c_j| n^j < N.$

Thus the condition $\sum_{j=0}^{d} c_j x^j \equiv 0 \pmod N$ implies $\sum_{j=0}^{d} c_j x^j = 0$. In other words $x$ solves the equation over the integers, and to prove the lemma we just need the fact that we can solve polynomial equations over the integers quickly. Since we are in the special case that we are looking for an integer solution we can proceed as follows. Find all linear factors modulo a small prime. Now apply Hensel lifting to obtain these factors modulo a large power of the prime and finally check if any of the roots is a root over the integers. The estimate for the running time in the lemma is correct but not the best possible.

The condition of Lemma 1 is quite unlikely to be fulfilled when we start with a general set of equations. In spite of this Lemma 1 will be one of our main tools for proving our main result, which is as follows.
Theorem: Given a set of equations $\sum_{j=0}^{d} a_{ij} x^j \equiv 0 \pmod{n_i}$, $i = 1, 2, \ldots, k$, where the moduli $n_i$ are pairwise relatively prime and $\gcd(\langle a_{ij} \rangle_{j=0}^{d}, n_i) = 1$ for all $i$. Then we can find all $x < n$ satisfying the equations in time $O(d^6 (\log N)^3)$ if

$N > n^{\frac{d(d+1)}{2}} \, 2^{\frac{(d+2)(d+1)}{4}} \, (d+1)^{d+1}.$

As before $N = \prod_{i=1}^{k} n_i$, $n = \min n_i$, $d$ is the degree of the equations and $k$ is the number of equations. By $\gcd(\langle a_{ij} \rangle_{j=0}^{d}, n_i)$ we mean the greatest common divisor of all $d + 2$ numbers.
Proof: The idea is to use Lemma 1. However as we remarked it is quite unlikely that it will apply to our equations directly. However we have an extra degree of freedom. We can multiply the equation by an arbitrary constant $S$ and we still get a valid equation. Using this trick we will be able to make the coefficients small. Thus we want to make $S c_i \pmod N$ less than $\frac{N}{(d+1) n^i}$ in absolute value. Set up the following lattice $L$ of dimension $d + 2$:

$\vec b_1 = (c_0,\ n c_1,\ n^2 c_2,\ \ldots,\ n^d c_d,\ \tfrac{1}{d+1})$
$\vec b_2 = (N,\ 0,\ 0,\ \ldots,\ 0,\ 0)$
$\vec b_3 = (0,\ nN,\ 0,\ \ldots,\ 0,\ 0)$
$\vec b_4 = (0,\ 0,\ n^2 N,\ \ldots,\ 0,\ 0)$
$\vdots$
$\vec b_{d+2} = (0,\ 0,\ 0,\ \ldots,\ n^d N,\ 0)$

Let us see why this lattice is relevant to our purposes. Look at a generic vector $S \vec b_1 + \sum_{i=2}^{d+2} s_i \vec b_i$. Call the $i$th coordinate $d_i$. From the definition it follows that $d_i$ is divisible by $n^{i-1}$ and $d_i / n^{i-1} \equiv S c_{i-1} \pmod N$. Thus if we find a vector $\vec b \in L$ satisfying $\|\vec b\| < \frac{N}{d+1}$ we know that $|d_i| < \frac{N}{d+1}$ and we get the desired bound for $S c_i \pmod N$. The last coordinate is there to prevent $S = N$ which would make $d_i = 0$ for $i = 1, \ldots, d+1$.
We have only one term in the expansion of the determinant and we get

$\det(L) = \frac{N^{d+1} n^{\frac{d(d+1)}{2}}}{d+1}.$

Using the theorem of LLL in section 2 we know that we can find a vector $\vec b$ in $L$ that satisfies

$\|\vec b\| \le 2^{\frac{d+1}{4}} \left( \frac{N^{d+1} n^{\frac{d(d+1)}{2}}}{d+1} \right)^{\frac{1}{d+2}}.$

As observed above, to get the desired bound for the coefficients we need $\|\vec b\| < \frac{N}{d+1}$ and thus we need

$2^{\frac{d+1}{4}} \left( \frac{N^{d+1} n^{\frac{d(d+1)}{2}}}{d+1} \right)^{\frac{1}{d+2}} < \frac{N}{d+1}.$

Raising both sides to the $d + 2$ power and rearranging we see that this is equivalent to the condition in the theorem.
To finish the proof we need to prove that we have at least one nonzero coefficient. Since $\|\vec b\| < \frac{N}{d+1}$ we see by looking at the last coordinate that the coefficient $S$ multiplying $\vec b_1$ satisfies $|S| < N$. Further we know that $S \ne 0$ since all nonzero vectors with $S = 0$ are of length at least $N$. This means that there is an $n_i$ such that $S \not\equiv 0 \pmod{n_i}$. Look at the equation modulo this $n_i$. Using that $\gcd(\langle a_{ij} \rangle_{j=0}^{d}, n_i) = 1$ we see that the equation is nontrivial. The bottleneck in the computation is the lattice computation and this gives the running time of the algorithm.

Remark: One interesting open question is whether we can solve the problem with fewer equations. It does not seem possible to use this line of attack with substantially fewer equations. To see this one might argue as follows: The probability that $|c_j| < \frac{N}{(d+1) n^j}$ for $j = 0, 1, \ldots, d$ for a fixed $S$ is approximately $n^{-d(d+1)/2}$, and this would indicate that we should have $n^{d(d+1)/2}$ different $S$ to choose between and therefore need at least $d(d+1)/2$ equations.
4. Cryptographic Applications

We get some immediate applications of the main theorem.

Application 1: Sending linearly related messages using RSA with low exponent $e$ is insecure. Sending more than $\frac{e(e+1)}{2}$ messages enables an adversary to recover the messages provided that the moduli $n_i$ satisfy $n_i > 2^{\frac{(e+2)(e+1)}{4}} (e+1)^{e+1}$.

Proof: Suppose we are given the encryption of $k$ linearly related messages. We expand the $e$th power and we get $k$ equations of degree $e$ with the different moduli $n_i$ used. We now apply the main theorem. We need to verify that the conditions of the main theorem are satisfied. If one of the gcd conditions is not satisfied we can factor one of the $n_i$ and that way obtain the message. Finally, with $d = e$ and $k > \frac{d(d+1)}{2}$,

$N = \prod_{i=1}^{k} n_i \ge n_1 \prod_{i=2}^{\frac{d(d+1)}{2}+1} n_i > 2^{\frac{(e+1)(e+2)}{4}} (e+1)^{e+1} n^{\frac{d(d+1)}{2}}$

and hence we can apply our main theorem.
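The main theorem's algorithm carried out end to end on an instance of Application 1, as an added worked example (this code is not the paper's; every function name, the moduli, the paddings and the message are constructed for the illustration). It takes $e = 3$ and $k = 7 > e(e+1)/2$ messages $(a_i m + b_i)^3 \bmod n_i$ with the introduction's time-stamp padding $a_i = 2^{|t_i|}$, $b_i = t_i$, combines the seven expanded equations by chinese remaindering, builds the lattice of section 3 (every row multiplied by $d+1$ so that it is integral, which scales all lengths by $d+1$ and changes nothing else), reduces it with a textbook LLL written in exact rational arithmetic, and then solves the resulting integer equation the way the proof of Lemma 1 does: simple roots modulo a small prime, Hensel-lifted past $n$, then checked over the integers. The moduli $2^a - 1$ with pairwise coprime exponents are used only because they are pairwise relatively prime by construction; RSA moduli of the same size behave identically.

```python
from fractions import Fraction

def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors in exact rational arithmetic (fine for the
    tiny dimension d+2 used here). The first row of the result satisfies
    ||b_1|| <= 2^((dim-1)/4) det(L)^(1/dim), the bound the paper uses."""
    b = [list(row) for row in basis]
    dim = len(b)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gram_schmidt():
        bstar, mu = [], [[Fraction(int(i == j)) for j in range(dim)] for i in range(dim)]
        for i in range(dim):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu
    bstar, mu = gram_schmidt()
    k = 1
    while k < dim:
        for j in range(k - 1, -1, -1):                       # size-reduce b_k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):
                    mu[k][i] -= q * mu[j][i]
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                           # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b

def poly_eval(coeffs, x, mod=None):
    """sum_j coeffs[j] x^j over Z, or modulo mod."""
    v = sum(a * x ** j for j, a in enumerate(coeffs))
    return v if mod is None else v % mod

def crt_coefficients(polys, moduli):
    """Combine P_i(x) = 0 (mod n_i) into sum_j c_j x^j = 0 (mod N), N = prod n_i."""
    N = 1
    for n in moduli:
        N *= n
    c = [0] * len(polys[0])
    for coeffs, n in zip(polys, moduli):
        Ni = N // n
        u = Ni * pow(Ni, -1, n)            # u = 1 (mod n) and 0 (mod every other modulus)
        for j, a in enumerate(coeffs):
            c[j] = (c[j] + u * a) % N
    return c, N

def integer_roots_below(g,bound):
    """All integer roots x in [0, bound) of g over Z, as in the proof of Lemma 1:
    simple roots modulo a small prime p, Hensel-lifted to p^t >= bound, then checked."""
    dg = [j * a for j, a in enumerate(g)][1:]               # derivative g'
    found = set()
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        for r in range(p):
            if poly_eval(g, r, p) != 0 or poly_eval(dg, r, p) == 0:
                continue                                     # need a simple root mod p
            mod = p
            while mod < bound:                               # quadratic Hensel lift
                mod *= mod
                r = (r - poly_eval(g, r, mod) * pow(poly_eval(dg, r, mod), -1, mod)) % mod
            if r < bound and poly_eval(g, r) == 0:
                found.add(r)
    return sorted(found)

def hastad_small_root(polys, moduli):
    """All x < min(moduli) with P_i(x) = 0 (mod n_i) for every i (polys[i][j] is the
    coefficient of x^j in P_i, all of the same degree d), via the paper's lattice."""
    c, N = crt_coefficients(polys, moduli)
    n, d = min(moduli), len(c) - 1
    # Paper's basis with every row multiplied by (d+1) so that it is integral:
    # b_1 = ((d+1)c_0, (d+1)n c_1, ..., (d+1)n^d c_d, 1) and b_{j+2} = (d+1) n^j N e_j.
    rows = [[(d + 1) * n ** j * c[j] for j in range(d + 1)] + [1]]
    for j in range(d + 1):
        rows.append([(d + 1) * n ** j * N if i == j else 0 for i in range(d + 1)] + [0])
    short = lll_reduce(rows)[0]
    S = short[-1]                                   # multiplier S of the combined equation
    if S == 0 or abs(S) >= N:
        raise ValueError("no usable short vector: too few equations or moduli too small")
    # Coordinate j is (d+1) n^j (S c_j + s_j N); strip the scaling to get g_j = S c_j mod N.
    g = [short[j] // ((d + 1) * n ** j) for j in range(d + 1)]
    if not any(g) or sum(abs(gj) * n ** j for j, gj in enumerate(g)) >= N:
        raise ValueError("Lemma 1 does not apply: the theorem's size condition fails")
    # By Lemma 1, g(x) = 0 over the integers for every solution x < n; solve it there
    # and keep the roots that satisfy the original congruences.
    return [x for x in integer_roots_below(g, n)
            if all(poly_eval(P, x, m) == 0 for P, m in zip(polys, moduli))]

# Constructed toy instance of Application 1: e = 3 and k = 7 > e(e+1)/2 = 6 messages.
# 2^a - 1 with pairwise coprime exponents a are pairwise coprime moduli (all the theorem
# needs); a_i = 2^|t_i| and b_i = t_i are the time-stamp padding, known to the attacker.
E = 3
MODULI = [2 ** a - 1 for a in (17, 19, 21, 23, 25, 29, 31)]
STAMPS = [1000 + 17 * i for i in range(len(MODULI))]
PADDING = [(2 ** t.bit_length(), t) for t in STAMPS]                    # (a_i, b_i)
MESSAGE = 100000                                                       # below every n_i

def related_message_polys(ciphertexts):
    """P_i(x) = (a_i x + b_i)^3 - y_i expanded as coefficient lists [x^0, ..., x^3]."""
    return [[b ** 3 - y, 3 * a * b ** 2, 3 * a ** 2 * b, a ** 3]
            for (a, b), y in zip(PADDING, ciphertexts)]

def demo():
    """The attacker sees only the ciphertexts, the moduli and the paddings."""
    ciphertexts = [pow(a * MESSAGE + b, E, n) for (a, b), n in zip(PADDING, MODULI)]
    return hastad_small_root(related_message_polys(ciphertexts), MODULI)
```

The two `ValueError` checks are the theorem's hypotheses made explicit: the first is the argument that $0 < |S| < N$, the second is the size condition under which Lemma 1 turns the congruence into an equation over the integers. With the toy sizes above $N$ exceeds $2^{13} n^6$ by a wide margin, so the LLL bound guarantees both checks pass; dropping to six moduli makes the first row of the reduced basis too long and the second check fails, which is the situation the exponential-time variant described below is meant for.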


If one is prepared to do computation which is exponential in the number of equations one can attack the cryptosystem also given exactly $\frac{e(e+1)}{2}$ messages. The way to proceed is to use almost the same lattice. The only difference is to replace the last coordinate of the first vector by $2^{\frac{e+2}{4}}$. Now the algorithm of LLL finds a vector in the lattice of length at most $N 2^{\frac{e+2}{4}}$. This implies in particular that $c_i < N 2^{\frac{e+2}{4}} n^{-i}$. Now it is no longer possible to conclude that $x$ solves the equation over the integers, but we know that the right hand side is a multiple of $N$ not exceeding $e\, 2^{\frac{e+2}{4}} N$ and hence we try all $e\, 2^{\frac{e+2}{4}}$ possibilities.
Another way of encrypting messages was proposed by Rabin [9]. He uses $f(x) \equiv x^2 \pmod n$ where also here $n$ is chosen to be a specific composite number for each user. Using the same methods we get:

Application 2: Sending linearly related messages using the Rabin encryption function is insecure. If 3 such messages are sent it is possible to retrieve the message in polynomial time.

Broder and Dolev proposed a protocol for flipping a coin in a distributed system [4]. Two of their essential ingredients were Shamir's method of sharing a secret [11] and the use of a deterministic PKC. The secret they use is the constant coefficient of a polynomial of degree $t$ over a finite field. The secret is distributed by evaluating the polynomial at a given set of points. It is easy to see that $t + 1$ pieces, each consisting of the value of the polynomial at a point, are enough to get the secret back while $t$ pieces are not sufficient to determine the polynomial. Broder and Dolev claim that $t$ pieces are insufficient to find the secret even in the presence of the encryption of other pieces. This is not correct if the cryptosystem used is RSA with small exponent. This is because when knowing $t$ pieces the secret enters linearly in the remaining pieces and hence we can use Application 1.

Application 3: The protocol by Broder and Dolev is insecure if RSA with small exponent is used.

Of course if other cryptosystems are used then this attack does not work. A different type of attack on the Broder-Dolev protocol has been proposed by Benny Chor [6]. This attack just relies on the protocol and not on the cryptosystem. A provably secure protocol has been designed by Awerbuch et al. [2]. For further discussion of coin flipping protocols see [2] and [4].

Finally we remark that there does not seem to be any way to extend the above attack to RSA with large exponent. The reason is that the integers involved are too big even to write down. There is still a large amount of structure present and it would be interesting to investigate whether this structure could be exploited to yield a successful cryptanalytic attack on RSA with large exponent.
Acknowledgments: I would like to thank Silvio Micali, Shafi Goldwasser and Benny Chor for suggesting the problem, listening to early solutions and suggesting improvements and simplifications. They also pointed out the incorrectness in the proof of Broder and Dolev. I am also very grateful to Ron Rivest for greatly simplifying the proof and finally I would like to thank Jeff Lagarias for many helpful comments.
References:

[1] Alexi W., Chor B., Goldreich O. and Schnorr C.P. "RSA/Rabin Bits are $\frac{1}{2} + \frac{1}{\mathrm{poly}(\log N)}$ Secure", Proceedings of 25th Annual IEEE Symposium on Foundations of Computer Science, 1984, 449-457. Also this volume.
[2] Awerbuch B., Chor B., Blum M., Goldwasser S. and Micali S. "Fair Coin Flip in a Byzantine Environment", manuscript in preparation.
[3] Blum M. and Goldwasser S. "An Efficient Probabilistic Public Key Encryption Scheme which Hides all Partial Information", Advances in Cryptology: Proceedings of CRYPTO 84 (Blakeley G.R. and Chaum D. eds.), Lecture Notes in Computer Science 196, Springer Verlag, 1985, pp 289-299.
[4] Broder A.Z. and Dolev D. "Flipping Coins in Many Pockets", Proceedings of 25th Annual IEEE Symposium on Foundations of Computer Science, 1984, 157-170.
[5] Cassels J.W.S. "An Introduction to the Geometry of Numbers", Springer Verlag, Heidelberg 1971.
[6] Chor B., Personal Communication 1985.
[7] Goldwasser S. and Micali S. "Probabilistic Encryption", Journal of Computer and System Sciences 28, 1984, 270-299.
[8] Lenstra A.K., Lenstra H.W. and Lovász L. "Factoring Polynomials with Integer Coefficients", Mathematische Annalen 261 (1982) 513-534.
[9] Rabin M.O. "Digital Signatures and Public Key Functions as Intractable as Factorization", MIT/LCS/TR-212, 1979.
[10] Rivest R.L., Shamir A. and Adleman L. "A Method for Obtaining Digital Signatures and Public Key Cryptosystems", Communications of ACM 21-2, February 1978.
[11] Shamir A. "How to Share a Secret", Communications of ACM 22, November 1979, 612-613.
