How to guess ℓ-th roots modulo n by reducing lattice bases

Abstract

In numerous problems of computational number theory, there often arise polynomial equations or inequations modulo a number n. When n is a power of a prime number, polynomial-time algorithms, either deterministic or probabilistic, allow one to solve these problems. The same is true, via the Chinese remainder theorem, when the factorisation of n is known. A natural and important question is the following one: Is the task of solving polynomial equations or inequations modulo n as difficult as the factorisation of n? We show here that, even if the factorisation of n is unknown, we can solve in polynomial probabilistic time polynomial inequations or polynomial equations modulo n provided we are given a sufficiently good initial approximation of a solution. Our main tool is lattices that we use after a linearisation of the problem; we study a particular kind of lattice, which generalize that of Frieze et al, and the solution of our problem relies on the geometrical regularity of these lattices. Our results are both algorithmical and structural: On the one hand, we exhibit an algorithm, based on lattice reduction ideas, which reconstructs truncated roots of polynomials, and we extend here some previous results, only obtained in the linear case by Frieze et al. This algorithm has numerous practical applications, since the security of many cryptographic schemes is based on the difficulty of solving polynomial equations or inequations modulo n. We first deduce that it is easy to break higher-degree versions of Okamoto's recent cryptosystem and we extend, in this way, previous attacks of Brickell and Shamir. We also obtain new results about the predictability of the RSA pseudo-random generator. On the other hand, we establish, for any ℓ, new theoretical results about the comparative distribution of ℓ-th powers and their ℓ-th roots, and we can prove, in the case ℓ=2, a very natural property about this distribution. These results can be seen as extensions, in a slightly different way, of a previous theorem of Blum.