Interpolation of Functions Related to the Integer Factoring Problem


Clemens Adelmann¹ and Arne Winterhof²

¹ Institut für Analysis und Algebra, Technische Universität Braunschweig, Pockelsstraße 14, D-38106 Braunschweig, Germany. E-Mail: [email protected]

² Johann Radon Institute for Computational and Applied Mathematics, Altenberger Straße 69, A-4040 Linz, Austria. E-Mail: [email protected]

Abstract. The security of the RSA public key cryptosystem depends on the intractability of the integer factoring problem. This paper shall give some theoretical support to the assumption of hardness of this number theoretic problem. We obtain lower bounds on degree, weight, and additive complexity of polynomials interpolating functions related to the integer factoring problem, including Euler’s totient function, the divisor sum functions, Carmichael’s function, and the RSA-function. These investigations are motivated by earlier results of the same flavour on the interpolation of discrete logarithm and Diffie-Hellman mapping.

Keywords: polynomials, degree, weight, additive complexity, factoring problem, RSA-problem, Euler’s totient function, divisor sum function, Carmichael’s function.

1 Introduction

Computationally difficult number theoretic problems like the discrete logarithm problem or the integer factoring problem play a fundamental role in public key cryptography. The Diffie-Hellman key exchange depends on the intractability of the discrete logarithm problem and the RSA cryptosystem is based on the hardness of the integer factoring problem (see e. g. [27, Chapter 3]).

In the monograph [40] (or its predecessor [38]) and the series of papers [2–4, 8, 10, 14–26, 30–32, 37, 43–45] several results on discrete logarithm problem and Diffie-Hellman problem supporting the assumption of their hardness were proven. In particular, it was shown that there are no low degree or sparse interpolation polynomials of discrete logarithm and Diffie-Hellman mapping for a large set of given data. In the present paper we prove analog results for functions related to the integer factoring problem. We restrict ourselves to the case of factoring ’RSA-integers’ $N = pq$ with two odd primes $p < q$.


In Section 3 we investigate real and integer interpolation polynomials of mappings allowing to factor $N$, including Euler’s totient function

$$\varphi(pq) = (p-1)(q-1),$$

Carmichael’s function

$$\lambda(pq) = \frac{\varphi(pq)}{\gcd(p-1, q-1)},$$

and divisor sum functions

$$\sigma_n(pq) = (p^n+1)(q^n+1)$$

with a small positive integer $n$, and ’factoring functions’

$$\psi_{n,m}(pq) = p^n q^m$$

with small different nonnegative integers $n$ and $m$.

In Section 4 we prove a lower bound on degree and weight of an integer polynomial representing the RSA-function

$$f(x) \equiv x^d \bmod pq, \quad x \in S,$$

for a subset $S$ of $\mathbb{Z}_{pq}^* = \{1 \le x < pq : \gcd(x, pq) = 1\}$ and some integer $d$ with $\gcd(d, (p-1)(q-1)) = 1$.

We collect some auxiliary results on polynomials in the next section.

2 Preliminaries

A proof of the following useful relation between the number of zeros and the degree of a multivariate polynomial, which extends the well-known relation for univariate polynomials, can be found in [11, Lemma 6.44.].

Lemma 1. Let $D$ be an integral domain, $n \in \mathbb{N}$, $S \subseteq D$, and $f \in D[X_1, \dots, X_n]$ be a polynomial of total degree $d$, with at least $N$ zeros in $S^n$. If $f$ is not the zero polynomial, then we have

$$d \ge \frac{N}{|S|^{n-1}}.$$

The additive complexity $C_\pm(f)$ of a polynomial $f(X)$ is the smallest number of ’+’ and ’−’ signs necessary to write down this polynomial. In [33, 34] the number of different zeros of a real polynomial was estimated in terms of its additive complexity.

Lemma 2. For a nonzero polynomial $f(X) \in \mathbb{R}[X]$ having $N$ different real zeros we have

$$C_\pm(f) \ge \left(\frac{1}{5}\log(N)\right)^{1/2},$$

where $\log(N)$ is the binary logarithm.


In [35, 36] the following improvement was obtained for integer polynomials.

Lemma 3. For a nonzero polynomial $f(X) \in \mathbb{Z}[X]$ having $N$ different rational zeros we have

$$\log(N) = O(C_\pm(f)\log(C_\pm(f))).$$

The weight $w(f)$ of a polynomial $f$ is the number of its nonzero coefficients. For polynomials over a finite field $\mathbb{F}_q$ of $q$ elements we have the following lower bound on the weight (see [40, Lemma 2.5]).

Lemma 4. Let $f(X) \in \mathbb{F}_q[X]$ be a nonzero polynomial of degree at most $q-2$ with $N$ different zeros in $\mathbb{F}_q^*$. Then we have

$$w(f) \ge \frac{q-1}{q-1-N}.$$

Obviously, for any univariate polynomial $f$ we have

$$C_\pm(f) \le w(f) - 1 \le \deg(f).$$

3 Interpolation of Factoring Functions

For example, the knowledge of the value

$$\varphi(N) = (p-1)(q-1)$$

of Euler’s totient function at an integer $N = pq$ with unknown primes $p$ and $q$ is sufficient to determine $p$ and $q$ by solving the quadratic equation

$$X^2 + (\varphi(N) - N - 1)X + N = 0. \tag{1}$$

In general, let $g(X)$ and $h(X)$ be (known) real rational functions, such that the product $g(X)h(N/X)$ is not constant. Then from the knowledge of the values in $N = pq$ of a function $f$ with the property

$$f(N) = g(p)h(q) = g(p)h(N/p)$$

we can determine the unknown factors $p$ and $q$ of $N$ by solving an algebraic equation which is derived from

$$g(X)h(N/X) = f(N) \tag{2}$$

by clearing denominators and negative powers of $X$.

If we could interpolate the function $f$ by a polynomial of low degree or low additive complexity and the degree of the algebraic equation derived from (2) were small, then we could efficiently factorize $N$. Hence, it becomes important to prove lower bounds on degree and additive complexity of such interpolation polynomials.

First we prove lower bounds on degree and additive complexity of a real polynomial with some special prescribed values.


Proposition 1. For $M \ge 3$ let

$$0 < a_1 < a_2 < \dots < a_M$$

be a set of ordered reals,

$$g : \{a_1, a_2, \dots, a_{M-1}\} \to \mathbb{R},$$

$$h : \{a_2, a_3, \dots, a_M\} \to \mathbb{R},$$

real valued functions, and $G$ the unique interpolation polynomial of $g$ of degree at most $M-2$. Let $f \in \mathbb{R}[X]$ be a polynomial satisfying

$$f(a_i a_j) = g(a_i)h(a_j), \quad 1 \le i < j \le M.$$

If there exist $1 \le i < j \le M-1$ such that

$$G\left(\frac{a_i a_j}{a_M}\right)h(a_M) \ne g(a_i)h(a_j) \tag{3}$$

then we have

$$\deg(f) \ge M-1,$$

$$C_\pm(f) \ge \left(\frac{1}{5}\log(M-1)\right)^{1/2} - C_\pm(G) - 1,$$

and if $f(a_M X) - h(a_M)G(X) \in \mathbb{Q}[X]$ and $a_1, \dots, a_{M-1} \in \mathbb{Q}$ then we have

$$C_\pm(f) + C_\pm(G) = \Omega\left(\frac{\log(M)}{\log\log(M)}\right).$$

Proof. The polynomial

$$F(X) = f(a_M X) - G(X)h(a_M) \tag{4}$$

is not identically zero by (3) and has zeros at $a_1, \dots, a_{M-1}$. So we have

$$\max(\deg(f), M-2) \ge \max(\deg(f), \deg(G)) \ge \deg(F) \ge M-1$$

by Lemma 1 and thus $\deg(f) \ge M-1$. By Lemma 2 and observing that

$$C_\pm(F) \le C_\pm(f) + C_\pm(G) + 1$$

we obtain our second assertion. The third assertion follows by Lemma 3 if we multiply (4) with the least common denominator of the coefficients of $F$.

Condition (3) in Proposition 1 is necessary and natural. For example, if the given values are

$$g(a_i) = h(a_i) = a_i^n, \quad i = 1, \dots, M,$$


with $M \ge n+2$, they determine the interpolation polynomial $f(X) = X^n$ of degree $n \le M-2$ having additive complexity 0. However, the interpolation polynomial of $g$ is $G(X) = X^n$ and we have

$$G\left(\frac{a_i a_j}{a_M}\right)h(a_M) = a_i^n a_j^n = g(a_i)h(a_j), \quad 1 \le i < j \le M-1,$$

contradicting (3).

On the other hand, if $g$ and $h$ are polynomials of small degree with respect to $M$, then (3) being not valid implies that $g(X)h(Y) = g(XY/a_M)h(a_M)$ by Lemma 1. Hence, for each fixed curve $Y = N/X$ the polynomial $g(X)h(N/X)$ is constant and (2) cannot be used to determine the factorization of $N$.

Proposition 1 provides lower bounds on degree and additive complexity of real polynomials $f$ interpolating several well-known functions, as generalizations of Euler’s totient function

$$\varphi_n(pq) = (p^n-1)(q^n-1), \quad n \ne 0, \tag{5}$$

and generalized divisor sums

$$\sigma_n(pq) = (p^n+1)(q^n+1), \quad n \ne 0, \tag{6}$$

but also ’factoring functions’ $\psi_{n,m}$ of the form

$$\psi_{n,m}(pq) = p^n q^m, \quad n \ne m, \tag{7}$$

where $n$ and $m$ are nonnegative integers and $p$ and $q$ are primes with $p < q$.

Theorem 1. For $M \ge 3$ let $p_1 < p_2 < \dots < p_M$ be a set of primes and $F$ a function of the form (5), (6), or (7). Let $f \in \mathbb{R}[X]$ be a polynomial satisfying

$$f(p_i p_j) = F(p_i p_j), \quad 1 \le i < j \le M.$$

Then we have

$$\deg(f) \ge M-1$$

and

$$C_\pm(f) \ge \left(\frac{1}{5}\log(M-1)\right)^{1/2} - 2.$$

Proof. Since the functions

$$h_n(X) = \left(\left(\frac{a}{X}\right)^n - 1\right)(X^n - 1), \quad a > 0, \ n = 1, 2, \dots,$$

are decreasing for $x > \sqrt{a}$ we have for all $1 \le i < j < k \le M$,

$$\left(\left(\frac{p_i p_j}{p_k}\right)^n - 1\right)(p_k^n - 1) < (p_i^n - 1)(p_j^n - 1)$$


and (3) is satisfied in case of generalizations of Euler’s totient function. Since

$$h_n(X) = \left(\left(\frac{a}{X}\right)^n + 1\right)(X^n + 1), \quad a > 0, \ n = 1, 2, \dots,$$

are increasing for $x > \sqrt{a}$ we have

$$\left(\left(\frac{p_i p_j}{p_k}\right)^n + 1\right)(p_k^n + 1) > (p_i^n + 1)(p_j^n + 1)$$

and (3) is satisfied in case of generalized divisor sums. Trivially, we have

$$\left(\frac{p_i p_j}{p_k}\right)^n p_k^m \ne p_i^n p_j^m$$

for all $n \ne m$ and (3) is satisfied in case of ’factoring functions’. Now the Theorem follows by Proposition 1.
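The degree bound of Theorem 1 and the role of condition (3) can be checked numerically. The following Python sketch is an added example, not code from the paper: it computes, in exact rational arithmetic, the degree of the lowest-degree polynomial through the points $(p_i p_j, F(p_i p_j))$ for functions of the forms (5), (6), (7), and for the monomial case $g = h = X^n$ where (3) fails. All function names and the prime set are assumptions chosen for illustration.

```python
from fractions import Fraction
from itertools import combinations

def interpolation_degree(points):
    """Degree of the lowest-degree real polynomial through the given points.

    Exact Newton divided differences: the Newton-form coefficient c_k is the
    divided difference f[x_0..x_k], and the degree is the largest k with
    c_k != 0. Every other polynomial through the same points differs by a
    multiple of prod(X - x_i), so its degree is strictly larger.
    """
    xs = [Fraction(x) for x, _ in points]
    col = [Fraction(y) for _, y in points]
    degree = -1  # convention for the zero polynomial
    for k in range(len(xs)):
        if col[0] != 0:
            degree = k
        col = [(col[i + 1] - col[i]) / (xs[i + k + 1] - xs[i])
               for i in range(len(col) - 1)]
    return degree

def samples(primes, F):
    """Points (p*q, F(p, q)) for all pairs p < q of the given primes."""
    return [(p * q, F(p, q)) for p, q in combinations(sorted(primes), 2)]

def totient(n):          # form (5)
    return lambda p, q: (p**n - 1) * (q**n - 1)

def divisor_sum(n):      # form (6)
    return lambda p, q: (p**n + 1) * (q**n + 1)

def factoring_fn(n, m):  # form (7), requires n != m
    return lambda p, q: p**n * q**m

def monomial(n):         # g = h = X^n: condition (3) does not hold
    return lambda p, q: (p * q)**n

PRIMES = [3, 5, 7, 11, 13]  # constructed sample set, M = 5

def minimal_degree(F, primes=PRIMES):
    return interpolation_degree(samples(primes, F))

if __name__ == "__main__":
    M = len(PRIMES)
    cases = [("phi_1", totient(1)), ("sigma_1", divisor_sum(1)),
             ("psi_{1,2}", factoring_fn(1, 2)), ("X^2", monomial(2))]
    for name, F in cases:
        print(f"{name}: minimal degree {minimal_degree(F)}, M - 1 = {M - 1}")
```

For the three factoring-related functions the minimal degree is at least $M - 1$, as the theorem states, while the monomial is interpolated with degree $n \le M - 2$.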

Proposition 1 does not apply to the Carmichael function

$$\lambda(N) = \frac{\varphi(N)}{\gcd(p-1, q-1)}, \quad N = pq,$$

with two odd primes $p \ne q$, which can also be used to factorize $N$.

We first study how $\lambda$ can be used to factor $N$.

Proposition 2. Let $N = pq$ be a product of two unknown odd primes $p < q$ and put $\Delta = \lfloor N/\lambda(N) \rfloor$. Then either $\Delta = p$ or $p$ and $q$ are the solutions of the quadratic equation

$$X^2 + (\Delta\lambda(N) - N - 1)X + N = 0.$$

Proof. Put $g = \gcd(p-1, q-1)$. Then we have

$$\frac{N}{\lambda(N)} - \frac{2g}{p-1} < g < \frac{N}{\lambda(N)} - \frac{2g}{q-1}.$$

If $g = p-1$, then we have $N/\lambda(N) = p + p/(q-1)$, such that $\Delta = p$. If $g \le (p-1)/2$, then the above inequalities give $N/\lambda(N) - 1 < g < N/\lambda(N)$ and thus $\Delta = g$. Hence in this case we have

$$\varphi(N) = \Delta\lambda(N)$$

and can determine $p$ and $q$ from the quadratic equation (1).
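Equation (1) and Proposition 2 translate directly into a short procedure. The Python sketch below is an added example, not code from the paper: it recovers $p$ and $q$ from $\varphi(N)$ via the quadratic (1), and from $\lambda(N)$ by the two cases of Proposition 2. The function names and the sample primes are assumptions chosen for illustration.

```python
from math import gcd, isqrt

def integer_roots(b, c):
    """Integer roots (r1 <= r2) of X^2 + b*X + c = 0, or None if none exist."""
    disc = b * b - 4 * c
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (r - b) % 2:   # discriminant must be a square, roots integral
        return None
    return (-b - r) // 2, (-b + r) // 2

def factor_from_phi(N, phi):
    """Equation (1): p and q are the roots of X^2 + (phi - N - 1)X + N = 0."""
    roots = integer_roots(phi - N - 1, N)
    if roots is None or roots[0] <= 1 or roots[0] * roots[1] != N:
        return None                    # the supplied value is not phi(N) for N = pq
    return roots

def carmichael(p, q):
    """lambda(pq) for distinct odd primes p, q (used only to build test input)."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def factor_from_lambda(N, lam):
    """Proposition 2: with Delta = floor(N / lambda(N)), either Delta = p,
    or Delta = gcd(p-1, q-1) and Delta * lambda(N) = phi(N)."""
    delta = N // lam
    if delta > 1 and N % delta == 0:   # case g = p - 1: Delta is the factor p
        return delta, N // delta
    return factor_from_phi(N, delta * lam)  # case g <= (p-1)/2: Delta = g

if __name__ == "__main__":
    # Constructed sample primes covering both cases of Proposition 2.
    for p, q in [(5, 13), (7, 11), (101, 113), (1009, 2017)]:
        N, lam = p * q, carmichael(p, q)
        print(N, lam, N // lam, factor_from_lambda(N, lam))
```

The pairs (5, 13) and (1009, 2017) have $\gcd(p-1, q-1) = p-1$ and exercise the case $\Delta = p$; the other two go through the quadratic equation.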

Next we prove an analog of Theorem 1 for the Carmichael function. Let $\tau(x)$ denote the number of positive divisors of an integer $x$.


Theorem 2. For $M \ge 3$ let $p_1 < p_2 < \dots < p_M$ be a set of primes and $f \in \mathbb{R}[X]$ be a polynomial satisfying

$$f(p_i p_j) = \frac{(p_i - 1)(p_j - 1)}{\gcd(p_i - 1, p_j - 1)}, \quad 1 \le i < j \le M.$$

Put $T = \min_{1 \le i \le M} \tau(p_i - 1)$. Then we have

$$\deg(f) \ge \frac{M-1}{T}$$

and

$$C_\pm(f) \ge \left(\frac{1}{5}\log\left(\frac{M-1}{T}\right)\right)^{1/2} - 2.$$

Proof. Choose $1 \le k \le M$ with

$$\tau(p_k - 1) = \min_{1 \le i \le M} \tau(p_i - 1).$$

For each divisor $d$ of $p_k - 1$ we define a polynomial

$$F_d(X) = f(p_k X) - \frac{(X-1)(p_k - 1)}{d}.$$

Then each $p_i$ with $1 \le i \le M$ and $i \ne k$ is a zero of at least one $F_d$. These polynomials are not identically zero. Otherwise, for three different primes $p_i, p_j, p_k$, $F_d(p_i p_j/p_k) = 0$ yields a monic quadratic equation in $p_k$ with constant term $p_i p_j$, and the only possible integral solutions $p_k$ have to be divisors of $p_i p_j$, which is impossible by assumption. Now the result follows analogously to the proof of Proposition 1 by the pigeon hole principle.

Remark. The dependence of the result on $T$ may indicate that factoring integers $N = pq$ is easier if $p-1$ and $q-1$ are smooth which fits to the expected running time of Pollard’s $p-1$ factoring algorithm. On the other hand the expected running time of the (in general faster) number field sieve does not depend on the factorization of $p-1$ and $q-1$.

4 Interpolation of the RSA-Function

The RSA problem is the following: Given a positive integer $N$ that is a product of two distinct odd primes $p$ and $q$, a positive integer $e$ such that $\gcd(e, (p-1)(q-1)) = 1$, and an integer $c$, find an integer $m$ such that $m^e \equiv c \bmod N$. In other words, if $d$ is an (unknown) integer with $ed \equiv 1 \bmod (p-1)(q-1)$ then we have to evaluate the mapping $f(x) = x^d$ in $c$. The following result excludes the existence of very simple interpolation polynomials of this mapping in the case of low public exponent $e$.


Theorem 3. Let $N = pq$ be the product of two odd primes with $p < q$. Choose integers $d, e > 1$ such that $ed \equiv 1 \bmod (p-1)(q-1)$. Let $S \subseteq \mathbb{Z}_N^*$ be a set of size $s \ge 2$. If $f(X) = \sum_{i=0}^{m} a_i X^i \in \mathbb{Z}[X]$ is a polynomial with degree $m < (q-1)/e$ and $\gcd(a_0, \dots, a_m, N) = 1$ which satisfies

$$f(x) \equiv x^d \bmod N \quad \text{for all } x \in S,$$

then we have

$$\deg(f) \ge \max\left(\frac{s}{e(p-1)}, \frac{s^{1/2}}{e}\right) \quad \text{and} \quad w(f) \ge \left(\frac{s}{(p-1)(q-1) - s}\right)^{1/e}.$$

Proof. Put $F(X) = f(X)^e - X$. Since $s \ge 2$ and $e > 1$ the interpolation polynomial $f(X)$ is not constant and we have

$$\deg(F) = e\deg(f).$$

For $n \ge 1$ let $Z_n(F)$ denote the number of different zeros of $F \bmod n$ lying in $\mathbb{Z}_n^*$. We have $Z_{pq}(F) = Z_p(F)Z_q(F)$ by the Chinese Remainder Theorem. From our conditions on $f$ we infer that $\deg(F) < q-1$. Thus

$$s \le Z_p(F)Z_q(F) \le (p-1)Z_q(F) \le (p-1)\deg(F) = e(p-1)\deg(f).$$

If $s < (p-1)^2$ then we may assume $\deg(F) = e\deg(f) < p-1$ and get

$$s \le Z_p(F)Z_q(F) \le (\deg(F))^2 = (e\deg(f))^2.$$

By Lemma 4 and the same arguments we get

$$w(F) \ge \frac{q-1}{q-1-Z_q(F)} \ge \frac{q-1}{q-1-s/(p-1)} = \frac{(p-1)(q-1)}{(p-1)(q-1)-s},$$

and the last statement is a consequence of $w(F) \le (w(f))^e + 1$.

If $d$ is small then $e$ has to be large and the lower bounds become very weak. In this case the attack of [42] for small $d$ (see also [5, Section 3]) solves the RSA-problem. It should be also mentioned that for low public exponents $e$ attacks on RSA are known [6, 7, 13].

5 Some Related Results

In [1] it was shown that if the discrete logarithm problem in $\mathbb{Z}_N^*$ can be solved in polynomial time, then $N$ can be factored in polynomial time, and the Diffie-Hellman problem in $\mathbb{Z}_N^*$ is at least as difficult as the problem of factoring $N$. Most of the results on the discrete logarithm and the Diffie-Hellman mapping modulo a prime in [40] can be extended to composite moduli. Such results can also be regarded as complexity lower bounds on functions related to the factoring problem of the same flavour as in this paper.


The linear complexity of several sequences related to the factoring problem including RSA-generator, Blum-Blum-Shub-generator, and two prime generator was investigated in [4, 9, 12, 39].

Finally, we mention that an analog of Theorem 3 for the LUC cryptosystem can be easily proven, where instead of monomial $X^d$ Dickson polynomials are used (see [28, 29, 41]).

Acknowledgments

Parts of this paper were written during a visit of the first author to RICAM. He wishes to thank the Austrian Academy of Sciences for hospitality and financial support. The second author is supported by the Austrian Academy of Sciences and by the Austrian Science Fund (FWF) grant S8313. We wish to thank Tanja Lange for helpful discussions.

References

1. E. Bach, Discrete logarithms and factoring, Report No. UCB/CSD-84-186, Computer Science Division (EECS), University of California, Berkeley, California, 1984.

2. N. Brandstätter, T. Lange, and A. Winterhof, Interpolation of the discrete logarithm in finite fields of characteristic two by Boolean functions (Extended abstract), Workshop on Coding and Cryptography (WCC) 2005, 47–54.

3. N. Brandstätter and A. Winterhof, Approximation of the discrete logarithm in finite fields of even characteristic by real polynomials, Preprint 2004.

4. N. Brandstätter and A. Winterhof, Some notes on the two-prime generator, IEEE Trans. Inform. Theory, to appear.

5. D. Boneh, Twenty years of attacks on the RSA cryptosystem, Notices Amer. Math. Soc. 46 (1999), 203–213.

6. D. Boneh and R. Venkatesan, Breaking RSA may not be equivalent to factoring (extended abstract), Advances in cryptology—EUROCRYPT ’98 (Espoo), Lecture Notes in Comput. Sci. 1403, Springer, Berlin, 1998, 59–71.

7. D. Coppersmith, Finding a small root of univariate modular equation, Advances in cryptology—EUROCRYPT ’96 (Saragossa, 1996), Lecture Notes in Comput. Sci. 1070, Springer, Berlin, 1996, 155–165.

8. D. Coppersmith and I. Shparlinski, On polynomial approximation of the discrete logarithm and the Diffie-Hellman mapping, J. Cryptology 13 (2000), 339–360.

9. C. Ding, Linear complexity of generalized cyclotomic binary sequences of order 2, Finite Fields Appl. 3 (1997), 159–174.

10. C. Ding and T. Helleseth, On cyclotomic generator of order r, Inform. Process. Lett. 66 (1998), 21–25.

11. J. von zur Gathen and J. Gerhard, Modern Computer Algebra, Cambridge University Press, New York, 1999.

12. F. Griffin and I. Shparlinski, On the linear complexity profile of the power generator, IEEE Trans. Inform. Theory 46 (2000), 2159–2162.

13. J. Håstad, Solving simultaneous modular equations of low degree, SIAM J. Comput. 17 (1988), 336–341.


14. E. Kiltz and A. Winterhof, Lower bounds on weight and degree of bivariate polynomials related to the Diffie-Hellman mapping, Bull. Austral. Math. Soc. 69 (2004), 305–315.

15. E. Kiltz and A. Winterhof, Polynomial interpolation of cryptographic functions related to Diffie-Hellman and discrete logarithm problem, Discrete Appl. Math., to appear.

16. S. Konyagin, T. Lange, and I. Shparlinski, Linear complexity of the discrete logarithm, Des. Codes Cryptogr. 28 (2003), 135–146.

17. T. Lange and A. Winterhof, Polynomial interpolation of the elliptic curve and XTR discrete logarithm, Proceedings of the 8th Annual International Computing and Combinatorics Conference (COCOON’02) (Singapore, 2002), Springer, 2002, 137–143.

18. T. Lange and A. Winterhof, Incomplete character sums over finite fields and their application to the interpolation of the discrete logarithm by Boolean functions, Acta Arith. 101 (2002), 223–229.

19. T. Lange and A. Winterhof, Interpolation of the discrete logarithm in $\mathbb{F}_q$ by Boolean functions and by polynomials in several variables modulo a divisor of $q-1$, International Workshop on Coding and Cryptography (WCC 2001) (Paris), Discrete Appl. Math. 128 (2003), 193–206.

20. T. Lange and A. Winterhof, Interpolation of the elliptic curve Diffie-Hellman mapping, Lecture Notes in Comput. Sci. 2643, Springer, Berlin, 2003, 51–60.

21. E. El Mahassni and I. Shparlinski, Polynomial representations of the Diffie-Hellman mapping, Bull. Austral. Math. Soc. 63 (2001), 467–473.

22. W. Meidl and A. Winterhof, Lower bounds on the linear complexity of the discrete logarithm in finite fields, IEEE Trans. Inform. Theory 47 (2001), 2807–2811.

23. W. Meidl and A. Winterhof, A polynomial representation of the Diffie-Hellman mapping, Appl. Algebra Engrg. Comm. Comput. 13 (2002), 313–318.

24. G.C. Meletiou, Explicit form for the discrete logarithm over the field GF(p, k), Arch. Math. (Brno) 29 (1993), 25–28.

25. G.C. Meletiou, Explicit form for the discrete logarithm over the field GF(p, k), Bul. Inst. Politeh. Iasi. Sect. I. Mat. Mec. Teor. Fiz. 41(45) (1995), 1–4.

26. G. Meletiou and G.L. Mullen, A note on discrete logarithms in finite fields, Appl. Algebra Engrg. Comm. Comput. 3 (1992), 75–78.

27. A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of applied cryptography. With a foreword by Ronald L. Rivest, CRC Press Series on Discrete Mathematics and its Applications, CRC Press, Boca Raton, FL, 1997.

28. W.B. Müller and W. Nöbauer, Some remarks on public-key cryptosystems, Studia Sci. Math. Hungar. 16 (1981), 71–76.

29. W.B. Müller and R. Nöbauer, Cryptanalysis of the Dickson-scheme, Lecture Notes in Comput. Sci. 219 (1985), 50–61.

30. G.L. Mullen and D. White, A polynomial representation for logarithms in GF(q), Acta Arith. 47 (1986), 255–261.

31. H. Niederreiter, A short proof for explicit formulas for discrete logarithms in finite fields, Appl. Algebra Engrg. Comm. Comput. 1 (1990), 55–57.

32. H. Niederreiter and A. Winterhof, Incomplete character sums and polynomial interpolation of the discrete logarithm, Finite Fields Appl. 8 (2002), 184–192.

33. J.-J. Risler, Hovansky’s theorem and complexity theory. Ordered fields and real algebraic geometry (Boulder, Colo., 1983), Rocky Mountain J. Math. 14 (1984), 851–853.

34. J.-J. Risler, Additive complexity and zeros of real polynomials, SIAM J. Comput. 14 (1985), 178–183.


35. J.M. Rojas, Additive complexity and p-adic roots of polynomials, Lecture Notes in Comput. Sci. 2369, Springer, Berlin, 2002, 506–516.

36. J.M. Rojas, Arithmetic multivariate Descartes’ rule, Amer. J. Math. 126 (2004), 1–30.

37. T. Satoh, On degrees of polynomial interpolations related to elliptic curve cryptography (Extended abstract), Workshop on Coding and Cryptography (WCC) 2005, 55–61.

38. I. Shparlinski, Number theoretic methods in cryptography. Complexity lower bounds, Progress in Computer Science and Applied Logic, 17, Birkhäuser, Basel, 1999.

39. I. Shparlinski, On the linear complexity of the power generator, Des. Codes Cryptogr. 23 (2001), 5–10.

40. I. Shparlinski, Cryptographic applications of analytic number theory. Complexity lower bounds and pseudorandomness, Progress in Computer Science and Applied Logic, 22, Birkhäuser, Basel, 2003.

41. P. Smith and M. Lennon, LUC: a new public key system, in: Proceedings of the Ninth IFIP Int. Symp. on Computer Security, North Holland, 1993, 103–117.

42. M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Trans. Inform. Theory 36 (1990), 553–558.

43. A. Winterhof, A note on the interpolation of the Diffie-Hellman mapping, Bull. Austral. Math. Soc. 64 (2001), 475–477.

44. A. Winterhof, Polynomial interpolation of the discrete logarithm, Des. Codes Cryptogr. 25 (2002), 63–72.

45. A. Winterhof, A note on the linear complexity profile of the discrete logarithm in finite fields, Progress Comp. Sci. Appl. Logic 23 (2004), 359–367.