AIOL: An Improved Orthogonal Lattice Algorithm for the General Approximate Common Divisor Problem

Preprint

Article

AIOL: An Improved Orthogonal Lattice Algorithm for the General Approximate Common Divisor Problem

Altmetrics

Downloads

Views

Comments

A peer-reviewed article of this preprint also exists.

Yinxia Ran,Yun Pan,

Licheng Wang^*,Zhenfu Cao

Yinxia Ran,Yun Pan,

Licheng Wang^*,Zhenfu Cao

This version is not peer-reviewed

Submitted:

11 October 2023

Posted:

11 October 2023

You are already at the latest version

Alerts

Abstract

The security of several fully homomorphic encryption (FHE) schemes depends on the intractability assumption of the approximate common divisor (ACD) problem over integers. Subsequent efforts on solving the ACD problem as well as its variants were also developed during the past decade. In this paper, an improved orthogonal lattice (OL) based algorithm, AIOL, is proposed to solve the general approximate common divisor (GACD) problem. The conditions for ensuring the feasibility of AIOL are also presented. Compared to the Ding-Tao’s OL algorithm, the well-know LLL reduction is used only once in AIOL, and when the error vector r is recovered in AIOL, the possible difference between the restored and the true value of p is given. The experimental comparisons towards the Ding-Tao’s algorithm and ours are also provided for validating our improvements.

Keywords:

Subject: Computer Science and Mathematics - Computer Science

1. Introduction

Background. The approximate common divisor (ACD) problem was firstly studied by Howgrave-Graham [1]. Further interest in this problem was inspired by the proposal of fully homomorphic encryption (FHE) due to Van Dijk et al. [2], as well as cryptographic constructions proposed subsequently [3,4,5]. The security of these cryptosystems depends on the hardness assumption of the ACD problem and its variants.

The ACD problem is usually formulated in two ways: the problem of general approximate common divisor (GACD) and the problem of partial approximate common divisor (PACD). Both of them take as inputs polynomially many samples

x_{i} = p q_{i} + r_{i}

with sufficiently small but non-zero

r_{i}

, and aim to work out the hidden common divisorp, while the latter is given an additional exact sample

x_{0} = p q_{0}

(i.e.

r_{0} = 0

). Intuitively, the PACD problem is easier than GACD, considering that one can work out p directly if he/she knows the factorization of the additional sample

x_{0}

, whereas the capability of integer factorization has no direct impact on the GACD problem. However, Van Dijk et al. pointed out that at present there is no PACD algorithm that does not work for GACD [2]. And the usefulness of PACD has been demonstrated by a much more efficient construction of FHE scheme [3] of which the security is proved relied on PACD, rather than on GACD.

The original papers [1,2] presented a few possible lattice attacks on the GACD problem, including orthogonal lattices (OL) method, simultaneous diophantine approximation (SDA) method, and multivariate polynomial equations (MP) method. Further cryptanalytic work was done by [4,6,7,8,9,10,11,12,13,14]. Among these work, the OL algorithm due to Ding and Tao [8] is ingenious by using the well-know LLL algorithm for twice to accurately recover the error vector

r

. After mapping the given GACD instances into a lattice

L

, the first calling LLL is to find suitable

t - z (z = 1, 2)

short vectors

u_{i} (i = 1, 2, \dots, t - z)

for establishing the equations

U \cdot x = U \cdot r f o r U = [u_{1} | \dots | u_{t - z}],

(1)

where

u_{i} = (u_{i 1}, u_{i 2}, \dots, u_{i t}) .

Then, a new lattice

L^{'}

is constructed by using the base vectors of the solution space of (1), and the second calling LLL is to recover the error vector

r

accurately. With knowing

r

it is very easy to recover p even for a primary school student, say by using the extended Euclidean algorithm. According to Ding and Tao [8], it is an amazing thing that why the first calling LLL over

L

should give solutions for (1), and they claimed that a theoretical proof would be a very significant result. Another merit of the Ding-Tao’s method is that the setting on the related parameters is simple and this makes the implementation of OL attacks towards GACD-based cryptosystems very easy in practice. For example, the lower bound of the number of samples t depends only on

γ

, and the length of the short vector

v

depends only on t and

γ

Motivation and Contributions. With further experiments on the Ding-Tao’s algorithm, we find that the actual effect of the algorithm is better than they claimed. In particular, we realize that the conditions

ρ < η / 2

and

t \geq {(4 γ)}^{1 / 3}

could be relaxed and merged, and the second calling LLL could also be saved. Moreover, we find that even for failure executions of the Ding-Tao’s algorithm, there is a high probability that the recovered p differs from the actual value by only 1 or very small numbers. Therefore, our motivation in this work is to propose an improved OL algorithm to reduce both space and time costs for solving the GACD problem. Our main contributions are summarized as follows:

First, we modify the range of parameters $N, t$ and $∥ v ∥$ in the Ding-Tao’s algorithm, so that we need to build lattice and call LLL for only once, and the success rate for recovering p reaches $100 %$ , under the merged condition

$t \geq max \{4, \frac{5}{3} ⌈η - ρ - \sqrt{{(η - ρ)}^{2} - 1.2 (γ + ρ)}⌉\} .$

(2)

Note that (2) also implies $ρ \leq η + 0.6 - \sqrt{1.2 (η + γ + 3)}$ , no matter whether $ρ < η / 2$ holds.
Second, based on the above modification, we give a proof on why in our algorithm AIOL, the only once calling LLL will give us solutions for $(1)$ . This can be viewed as a theoretical answer towards the Ding-Tao’s amazing question;
Third, we give the possible differences between the recovered of p and the actual hidden common divisor when the error vector $r$ is recovered. Knowing these differences is in turn helpful for recovering p, and thus expanding the scope of OL attacks.

Roadmap. The remained contents are organized as follows: In Section 2, the formal definitions of the problems of GACD and PACD are given, and the lattice concepts and the LLL algorithm are introduced beriefly; In Section 3, the orthogonal lattice based approach, including our improvements, for GACD are explored and developed in detail; Experiments and comparisons as well as related discussions are presented in Section 4; Finally, concluding remarks are given in Section 5.

2. Preliminaries

Throughout this paper, we make the following agreeent on notations: Capital boldface letters denote matrices, e.g.

A

, while lowercase bold letters denote vectors e.g.

a

; Let

(\cdot, \cdot)

and

∥ \cdot ∥

be the inner product and the

l_{2}

Euclidean length respectively, and

A^{T}

denote the transpose of matrix

A

; The logarithmic notation log always takes 2 as the base, while

⌈ r ⌉

denotes the smallest integer not less r.

Definition 1

(ACD Distribution). Given

γ, η, ρ \in N

, let p be an η-bit odd integer, the ACD distribution,

D_{γ, ρ} (p)

, is an efficiently sampleable distribution define as follows:

D_{γ, ρ} (p) = {p q + r | q \overset{}{\leftarrow} Z \cap (0, 2^{γ} / p), r \overset{}{\leftarrow} Z \cap (- 2^{ρ}, 2^{ρ})} .

(3)

Definition 2

(GACD Problem). Given access to an ACD distribution

D_{γ, ρ} (p)

as a oracle, the objective of the general approximate common divisor (GACD) problem is to find p.

Definition 3

(PACD Problem). Given access to an ACD distribution

D_{γ, ρ} (p)

as a oracle, with the restriction that the first output of

D_{γ, ρ} (p)

x_{0} = p q_{0}

for some

q_{0} \overset{}{\leftarrow} Z \cap (0, 2^{γ} / p)

, the objective of the partial approximate common divisor (PACD) problem is to find p.

Remark 1.

Apparently, a PACD instance is a GACD by coincidence only with the probability that is negligible with respect to ρ.

Definition 4

(

δ -

LLL reduction basis). Given a lattice basis

B = (b_{1}, \dots, b_{n})

, the corresponding Gram-Schmidt basis

B^{*} = (b_{1}^{*}, \dots, b_{n}^{*})

B

is a reduced basis if and only if the following two conditions are satisfied:

(1) (Size condition)

μ_{i, j} = \frac{(b_{i}, b_{j}^{*})}{{∥ b_{j}^{*} ∥}^{2}} \leq 1 / 2

, for all

1 \leq j < i \leq n

;

(2) (Lovász condition)

∥ b_{i}^{*} ∥^{2} \geq (δ - μ_{i, i - 1}^{2}) {∥ b_{i - 1}^{*} ∥}^{2}

, for all

1 < i \leq n

, where

1 / 4 < δ < 1

Definition 5

(Geometric Series Assumption [15]). Given Gram-Schmidt basis

(b_{1}^{*}, \dots, b_{n}^{*})

\frac{∥ b_{i}^{*} ∥}{∥ b_{1} ∥} = θ^{i - 1},

(4)

for

i = 1, 2, \dots, n

, where

3 / 4 \leq θ < 1

is called GSA constant.

The Geometric Series Assumption (GSA) means the length of Gram-Schmidt basis

∥ b_{i}^{*} ∥

with LLL reduction decays geometrically with quotient

θ

and indicates

∥ b_{i}^{*} ∥ \leq ∥ b_{1} ∥ (i = 1, 2, \dots, n) .

(5)

Theorem 1.

[16] Given a LLL reduction lattice basis

B = (b_{1}, \dots, b_{n})

(b_{1}^{*}, \dots, b_{n}^{*})

is the corresponding Gram-schmidt basis. The following results hold:

(1)

∥ b_{1} ∥ \leq α^{\frac{n - 1}{4}} | det {(B)}^{\frac{1}{n}} |

;

(2)

∥ b_{j}^{*} ∥ \leq α^{\frac{(i - j)}{2}} ∥ b_{i}^{*} ∥

, for

1 \leq j < i \leq n

;

(3)

∥ b_{j} ∥ \leq α^{\frac{(i - 1)}{2}} ∥ b_{i}^{*} ∥

, for

1 \leq j < i \leq n

;

where

α = \frac{1}{δ - \frac{1}{4}}

, δ is the parameter in the Definition 4.

3. Orthogonal Lattice (OL) based approach

3.1. The basic idea of OL algorithm

Nguyen and Stern [17] have demonstrated the usefulness of the orthogonal lattice in cryptanalysis, and this has been used in several ways to attack the ACD problem. The idea is to find

u = (u_{1}, u_{2}, \dots, u_{t}) \in L^{⊥} (q, r)

that is orthogonal to both

q = (q_{1}, q_{2}, \dots, q_{t})

and

r = (r_{1}, r_{2}, \dots, r_{t})

. Since

x_{i} = p q_{i} + r_{i}

x = (x_{1}, x_{2}, \dots, x_{t})

is orthogonal to

u

. The task is to find

t - 1

linearly independent vectors

u

shorter than any vector in

L^{⊥} (x)

to recover

q

r

and therefore p.

Based on the idea of Nguyen and Stern, the current idea is to find

t - z (z = 1, 2)

linearly independent vectors

u

only orthogonal to

q

. The core steps of the current OL algorithm include the following two steps:

First, find

t - z (z = 1, 2)

linearly independent vectors

u

orthogonal to

q

, that is,

\sum_{i = 1}^{t} u_{i} \cdot q_{i} = 0

(6)

then establish and solve indefinite equations (1).

Second, find small positive integer solutions to (15). At present, the common way to find the small solutions is to construct the lattice

L^{'}

with basis matrix

B = (\begin{matrix} d_{0} \\ d_{1} \\ ⋮ \\ d_{z} \end{matrix})

(7)

and then employ the LLL algorithm to reduce the basis matrix

B

, with the hope of that the first output is the vector

r

. However, at present, what can meet this expectation are experimental conditions, and there is still a lack of theory.

Let the general solution formula of (15) be

d = d_{0} + t_{1} d_{1} + \dots + d_{z}

(8)

where

d_{0}

is a special solution of (15),

t_{1}, \dots, t_{z}

are integers,

d_{1}, \dots, d_{z}

is a basis of integer solution space for the corresponding homogeneous linear equations.

Let

d^{'} \in L^{'}

, then

d^{'} = k_{0} d_{0} + k_{1} d_{1} + \dots + k_{z} d_{z}

(9)

where

k_{0}, k_{1}, \dots, k_{z}

are integers. Obviously, when

k_{0} = 1

, (9) = (8). Reduce the lattice

B

B^{'}

B^{'} = (\begin{matrix} d_{0}^{'} \\ d_{1}^{'} \\ ⋮ \\ d_{z}^{'} \end{matrix}) .

(10)

To facilitate finding

r

, consider the explicit vectors

d_{0}^{'}, d_{1}^{'}, \dots, d_{z}^{'}

. It’s easy to deduce that only one of them is the solution to (15).

Let

d_{i}^{'}

is the solution to (15), and if

d_{i}^{'} = d_{0}^{'}

, then

d_{0}^{'}

is probably equal to

r

. With this in mind, Ding and Tao [8] found the conditions that the algorithm can work well (theoretically not proved):

ρ < \frac{η}{2} a n d t \geq {(4 γ)}^{1 / 3} .

(11)

In addition, if

d_{i}^{'} \neq d_{0}

, we find an interesting thing that the recovery value

p^{'}

is only 1 or a very small number different from the true value p in many cases of our experiment. And our experiments lead to the following general conclusions between p and

p^{'}

Let

d_{i}^{'} = (u_{i 1}, u_{i 2}, \dots, u_{i t}) \neq d_{0}^{'}, d_{r u} = gcd (r_{1} - u_{i 1}, r_{2} - u_{i 2}, \dots, r_{t} - u_{i t}),

then

p^{'} - p = d_{r u},

(12)

where

p^{'}

is the recovered value of p. So, if

d_{i}^{'} \neq d_{0}

, using vector

d_{i}^{'}

p^{'}

can be restored. And since

d_{r u}

is bounded, p can be restored by

p^{'}

In summary, one of the outputs

d_{1}, \dots, d_{z}

generated by the LLL algorithm can be used to recover

r

under the appropriate conditions.

3.2. Our Proposal

In this part, an improved OL algorithm, AIOL, is described in detail.

Algorithm 1: AIOL: An improved OL algorithm for GACD

Input: The GACD parameters

γ, η, ρ \in N

, and t ACD samples

{x_{1}, \dots, x_{t}} \overset{$}{\leftarrow} D_{γ, ρ} (p)

, with t satisfying

t \geq max \{4, ⌈\frac{5}{3} (η - ρ - \sqrt{{(η - ρ)}^{2} - 1.2 (γ + ρ)})⌉\} .

(13)

Output: The approximate greatest common divisor p.

1. Randomly choose

N \in (2^{γ + η - 1}, 2^{γ + η})

. And then constract a lattice

L

with the basis

B = (\begin{matrix} 1 & x_{1} \\ 1 & x_{2} \\ ⋱ & ⋮ \\ 1 & x_{t} \\ N \end{matrix}) .

(14)

2. Reduce lattice

L

by calling the LLL algorithm with

δ = 3 / 4

. Let the reduced basis be

V = [v_{1} | \dots | v_{t + 1}]

, where

v_{i} = (u_{i 1}, \dots, u_{i t}, v_{i (t + 1)}), (i = 1, 2, \dots, t + 1) .

3. Collect short vectors from

V

so that

∥ v_{i} ∥ < 2^{η - ρ - 2 - log \sqrt{t}}

(i = 1, 2, \dots, t - z)

, where

z = 1, 2

. And then, solve the following Diophantine equations with t unknowns

r_{1}, \dots, r_{t}

\sum_{j = 1}^{t} u_{i j} \cdot r_{i} = \sum_{j = 1}^{t} u_{i j} \cdot x_{i} (i = 1, \dots, t - z) .

(15)

4. Rewrite the integer solutions of (15) as follows:

d = d_{0} + t_{1} d_{1} + \dots + t_{z} d_{z},

(16)

where

d_{0}

is a special solution of the Diophantine equations,

t_{1}, \dots, t_{z}

are integers,

d_{1}, \dots, d_{z}

is a basis of integer solution space for the corresponding homogeneous linear equations.

5. Let

r = d_{0}

6. Compute

p = gcd (x_{1} - r_{1}, x_{2} - r_{2})

Through the proof in the next section, it can be seen that when the condition

{(η - ρ)}^{2} \geq 1.2 (γ + ρ)

(17)

or equivelently

ρ \leq η + 0.6 - \sqrt{1.2 (η + γ + 3)}

(18)

holds, the algorithm AIOL will successfully recover p.

3.3. The proof of AIOL algorithm

Lemma 1.

For ∀

v \in L

, if

∥ v ∥ < 2^{η - ρ - 2 - l o g \sqrt{t}}

, then the equation (15) holds.

Proof.

Let

v = (u_{1}, u_{2}, \dots, u_{t}, \sum_{i = 1}^{t} u_{i} x_{i} + u_{t + 1} N)

M = 2^{η - ρ - 2 - log \sqrt{t}}

, then

∥ v ∥ = \sqrt{\sum_{i = 1}^{t} u_{i}^{2} + {(\sum_{i = 1}^{t} u_{i} x_{i} + u_{t + 1} N)}^{2}} < M .

(19)

Thus

| u_{i} | < M, |\sum_{i = 1}^{t} u_{i} x_{i} + u_{t + 1} N| < M (1 \leq i \leq t) .

(20)

Since

2^{γ + η - 1} \leq N \leq 2^{γ + η},

\begin{matrix} \begin{matrix} |\sum_{i = 1}^{t} u_{i} x_{i}| & \leq 2^{γ} \sqrt{t} \cdot ∥ u ∥ \\ \leq 2^{γ} \sqrt{t} \cdot ∥ v ∥ \\ \leq 2^{γ} \sqrt{t} \cdot 2^{η - ρ - 2 - log \sqrt{t}} \\ = 2^{γ + η - ρ - 2} < N / 2 . \end{matrix} \end{matrix}

(21)

Therefore, there is no modular N operation and

u_{t + 1} = 0

. So

v = (u_{1}, u_{2}, \dots, u_{t}, \sum_{i = 1}^{t} u_{i} x_{i})

We also have

|\sum_{i = 1}^{t} u_{i} r_{i}| \leq 2^{ρ} \sqrt{t} \cdot ∥ v ∥ \leq 2^{η - 2} .

(22)

To prove that (6) holds, suppose

|\sum_{i = 1}^{t} u_{i} q_{i}| \neq 0

, so

p |\sum_{i = 1}^{t} u_{i} q_{i}| \geq p \geq 2^{η - 1}

(23)

|\sum_{i = 1}^{t} u_{i} x_{i}| = |p \sum_{i = 1}^{t} u_{i} q_{i} + \sum_{i = 1}^{t} u_{i} r_{i}| \geq p |\sum_{i = 1}^{t} u_{i} q_{i}| - |\sum_{i = 1}^{t} u_{i} r_{i}| \geq 2^{η - 1} - 2^{η - 2} = 2^{η - 2},

(24)

but

|\sum_{i = 1}^{t} u_{i} x_{i} + u_{t + 1} N| = |\sum_{i = 1}^{t} u_{i} x_{i}| < M = 2^{η - ρ - 2 - log \sqrt{t}} < 2^{η - 2} .

(25)

This is a contradiction. The equations (6) and (15) hold. Then Lemma 1 holds. □

Lemma 2.

If the number t of samples satisfies

{(4 / 3)}^{(3 t - 2) / 4} \cdot 2^{(γ + η) / (t + 1)} \leq 2^{η - ρ - 2 - log \sqrt{t}},

(26)

then LLL reduction basis vectors is valid for the construction of equation (15).

Proof.

For the

(t - 1)

-th LLL reduction basis vector

v_{t - 1}

, whose length can be estimated

\begin{matrix} \begin{matrix} ∥ v_{t - 1} ∥ & \leq α^{(t - 1) / 2} ∥ v_{t}^{*} ∥ \\ = {(4 / 3)}^{(t - 1) / 2} ∥ v_{t}^{*} ∥ (α = 4 / 3) \\ \leq {(4 / 3)}^{(t - 1) / 2} ∥ v_{1} ∥ (b y (5)) \\ \leq {(4 / 3)}^{(t - 1) / 2} \cdot {(4 / 3)}^{t / 4} \cdot {| B |}^{1 / (t + 1)} (b y T h e o r e m 1) \\ \leq {(4 / 3)}^{(3 t - 2) / 4} \cdot 2^{(γ + η) / (t + 1)} . \end{matrix} \end{matrix}

(27)

According to Lemma 1, equation (15) holds when (26) is true. □

Based on the above two lemmas, the following theorem can be obtained.

Theorem 2.

When GACD parameters satisfy (17) or (18) and the number of samples satisfy (13), then we construct the equation (15) to be true.

Proof.

From the condition (26), the length of LLL reduction basis vectors satisfies Lemma 2, then LLL reduction basis vectors is valid for the constrction of the equation (15). Combined the above two lemmas, we simiplify the inequation and ignore some small terms to get the following bound of sample numbers t. The specific process is as follows: take the logarithm base 2 on both sides of (26) to obtain:

\frac{3 t - 2}{4} log \frac{4}{3} + \frac{γ + η}{t + 1} \leq η - ρ - 2 - log \sqrt{t} .

(28)

Remove some smaller items of (28),

log \frac{4}{3} \approx 0.4

, we have

0.3 t + \frac{γ + η}{t + 1} \leq η - ρ,

(29)

Sort out the formula (29), we get

0.3 t^{2} - (η - ρ - 0.3) t + (γ + η) \leq 0,

(30)

then

0.3 t^{2} - (η - ρ) t + (γ + η) \leq 0,

(31)

By solving the inequality (31), we can get

t \geq \frac{5}{3} (η - ρ - \sqrt{{(η - ρ)}^{2} - 1.2 (γ + ρ)}) .

(32)

In summary, when conditions (18) and (32) hold, the algorithm can recover p successfully. Note that the condition

t \geq 4

comes from the third step of AIOL where we need to collect at least 2 short vectors for building the required Diophantine equations. Then the condition (13) is true. Hence,Theorem 2 holds. □

4. Experiments and Comparisons

In this section, we conduct experiments towards our algorithm AIOL, as well as the Ding-Tao’s algorithm. The experimental environment is specified as below: Intel(R) Core (TM) Processor i5-1235U CPU (1.30 GHz) with 16 GB of memory, Windows 10 OS, and Maple 2021 coding language.

The experiments are organized as two steps. Firstly, to test the effects on relaxation on conditions of

ρ

and t, we adopt the following settings on the related parameters:

Fix $η = 160$ ;
Let $γ = 300, 400, 500, 1000, 1500, 2000$ respectively;
For each case of setting on $γ$ , running the Ding-Tao’s algorithm and our AIOL algorithm for 100 times for different $ρ$ (resp. t) around the upper (resp. lower) bound of $ρ$ (resp. t) given by the Ding-Tao’s condition (11) and our condition (13,18), respectively.
Then, for each case, collect the success rate for recovering the hidden common divisor p, as well as the maximal $ρ$ (resp. the minimal t) that enables the related algorithms work. These results are summaried in Table 1, where the symbol ’–’ indicates that in this case the related failed to work out.

From Table 1, we can see that:

The overall success rate of our algorithm is 100%, which is observably higher than that of in the Ding-Tao’s algorithm, under the same settings on $η, γ$ and a similar scale of t. Moreover, even for bigger settings on $ρ$ in AIOL, the success rates are still higher than those of obtained by the Ding-Tao’s algorithm for the smaller settings on $ρ$ . 1
The condition on $ρ$ given by the Ding-Tao’s condition (11) is irrelevant, considering for $γ = 300$ and $γ = 1000$ , the maximal values of $ρ$ for ensuring the Ding-Tao’s a high success rate are 103 and 30, respectively. They are respectively either observably bigger or smaller than the given bound $79 < η / 2$ .
The condition on $ρ$ given by AIOL is relaxed to the case of $ρ > η / 2$ . And this condition is tight in the sense that for all these cases, the the maximal values of $ρ$ for ensuring AIOL success are almost same with the bound given by (18).
The condition on t given by the Ding-Tao’s condition (11) is rigorous in the sense that for even small t, our tests on the Ding-Tao’s algorithm failed, whereas the condition on t given by (13) in AIOL is loose since for even small t, our algorithm still works well. At present, we have no idea to give a tight bound on choicing t for the AIOL algorithm.

Secondly, to test the scalability, as well as the speed, we adopt the settings according to experiments given by Ding and Tao in [8]. That is,

Fix $η = 1000$ and $ρ = 450$ ;
Let $γ = 5000, 10000, 15000, 20000$ respectively;
In Ding-Tao’s algorithm, let $t = 18, 40, 59, 85$ respectively, according to what was given in [8], while in our algorithm AIOL, t is set to $10, 20, 29, 38$ respectively – calculated according to the condition given by (13).
Then, for each case, we run Ding-Tao’s algorithm and our algorithm respectively, and then collect the running time for getting correct results in Table 2. (Note that for conveniences doing comparisons, partial data on the running time in Ding-Tao’s paper [8] is referenced here.)

From Table 2, we can see that:

Both our algorithm AIOL and the Ding-Tao’s algorithm have good performance in scalability in the parameter $γ$ . Moreover, the AIOL algorithm can find the correct solutions with even smaller t, this in turn means less space cost for storing the ACD samples.
With the sample computational environments (i.e. MAPLE coding on an Intel i5 CPU with 1.30 GHz clocks), our AIOL algorithm runs much quicker than the Ding-Tao’s algorithm, under the same settings on $γ, η$ and $ρ$ .
Ding-Tao’s tests given in [8] (i.e. MAGMA coding on two Quad-Core Intel Processor Q9400 CPUs with 2.66 GHz clocks) are much quicker than our tests on both AIOL and the Ding-Tao’s algorithm. We think that this might be mainly attributed to the differences of computational environments.

5. Conclusions

The interest in the general approximate common divisor (GACD) problem is excited by the possibility of building fully homomorphic encryptions over integers, though many such kind of cryptographic constructions were broken. In fact, from an even abstract point, the GACD problem can be viewed as a learning-with-error (LWE) version of the greatest common divisor (GCD) problem over the 1-dimension lattice

Z

. Although we know that all lattice problems are easy for low dimensions, more efforts are still needed to tackle the GACD problem. In this paper, an improved orthogonal lattice algorithm, AIOL, is proposed for solving GACD. Compared with the Ding-Tao’s OL method, the parameter conditions for suit for AIOL is relaxed, and the experiments show that the success rate of AIOL is enhanced observably.

Author Contributions

Conceptualization, Ran Y., Wang L. and Cao Z.; Methodology, Ran Y., Wang L. and Cao Z.; Validation, Pan Y. and Wang L.; Writing—original draft preparation, Ran Y.; Writing—review and editing, Ran Y., Wang L.; Code implementation, Ran Y. and Wang L.; Supervision and project administration, Pan Y.

Funding

This research is partially supported by the National Natural Science Foundation of China (NSFC) (62272040).

Conflicts of Interest

The authors declare no conflict of interest.

References

N. Howgrave-Graham. Approximate integer common divisors. Cryptography and Lattices. Springer Berlin Heidelberg, 2001: 51–66.
M. Van Dijk, C.Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in: H. Gilbert (ed.), Advances in Cryptology–EUROCRYPT 2010, Lecture Notes in Comput. Sci. Springer, Berlin, Heidelberg, 2010, 6110: 24–43.
J. S. Coron, A. Mandal, D. Naccache, M. Tibouchi, Fully homomorphic encryption over the integers with shorter public keys, in: P. Rogaway (ed.), Advances in Cryptology-CRYPTO 2011, Lecture Notes in Comput. Sci, Springer, Berlin, Heidelberg, 2011, 6841: 487–504.
J. S. Coron, D. Naccache, M. Tibouchi. Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. In D. Pointcheval and T. Johansson (ed.), EUROCRYPT’12, Springer LNCS, 2012, 7237: 446–464.
J. H. Cheon, D. Stehlé. Fully Homomorphic Encryption over the Integers Revisited. In E. Oswald and M. Fischlin (eds.), EUROCRYPT’15, Springer LNCS, 2015, 9056: 513-536.
Y. Chen, P. Q. Nguyen. Faster algorithms for approximate common divisors: Breaking fully homomorphic encryption challenges over the integers. Advances in Cryptology-EUROCRYPT 2012. Springer Berlin Heidelberg, 2012: 502–519.
H. Cohn, N. Heninger. Approximate common divisors via lattices. In proceedings of ANTS X, vol. 1 of The Open Book Series, 2013: 271–293.
J. Ding, C. Tao. A New Algorithm for Solving the General Approximate Common Divisors Problem and Cryptanalysis of the FHE Based on the GACD problem. Cryptology ePrint Archive, Report 2014/042, 2014.
S. Gebregiyorgis. Algorithms for the Elliptic Curve Discrete Logarithm Problem and the Approximate Common Divisor Problem. PhD thesis, The University of Auckland, Auckland, New Zealand, 2016.
S. Galbraith, S. Gebregiyorgis, S. Murphy. Algorithms for the approximate common divisor problem. LMS Journal of Computation and Mathematics. 19(A), 2016.: 58-72. [CrossRef]
Xiaoling Yu, Yuntao Wang, Chungen Xu, Tsuyoshi Takagi. Studying the Bounds on Required Samples Numbers for Solving the General Approximate Common Divisors Problem. 2018 5th International Conference on Information Science and Control Engineering. [CrossRef]
J. Xu, S. Sarkar, L. Hu, Revisiting orthogonal lattice attacks on approximate common divisor problems and their applications. Cryptology ePrint Archive, 2018.
J. H. Cheon, W. Cho, M. Hhan, Algorithms for CRT-variant of approximate greatest common divisor problem. Journal of Mathematical Cryptology, 2020, 14(1): 397–413. [CrossRef]
W. Cho, J. Kim, C. Lee. Extension of simultaneous Diophantine approximation algorithm for partial approximate common divisor variants. IET Information Security, 2021, 15(6): 417–427. [CrossRef]
Claus-Peter Schnorr. Lattice reduction by random sampling and birthday methods. In STACS 2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin, Germany, February 27–March 1, Proceedings, 2003: 145-156.
J. Hoffstein, J. Pipher, and J. H. Silverman. An Introduction to Mathematical Cryptography. Springer Publishing Company, 2nd edition, 2014.
P. Q. Nguyen and Jacques Stern. The Two Faces of Lattices in Cryptology. In J. Silverman (ed.), Cryptography and Lattices, Springer LNCS 2146, 2001: 146–180.

1	Intuitively, the bigger $ρ$ , the more errors involved in the given ACD samples, and this in turn means the harder for solving the given GACD instances.

Table 1. Experiments and Comparisons: Conditions on

ρ, t

and Success rate (

η = 160

Table 1. Experiments and Comparisons: Conditions on

ρ, t

and Success rate (

η = 160

$γ$	Ding-Tao					AIOL
$γ$	$ρ$ (11)	$ρ_{max}$	t (11)	$t_{m i n}$	succ %	$ρ$ (18)	$ρ_{max}$	t (13)	$t_{min}$	succ %
300	79	103	11	11	$82 %$	137	137	35	17	$100 %$
400	79	91	12	12	$87 %$	134	134	34	19	$100 %$
500	79	80	13	13	$90 %$	131	132	39	23	$100 %$
1000	79	30	16	16	$89 %$	122	123	54	33	$100 %$
1500	79	–	19	–	–	115	115	60	40	$100 %$
2000	79	–	21	–	–	109	109	72	46	$100 %$

Table 2. Experiments and Comparisons: Scalability and Speed (

η = 1000

Table 2. Experiments and Comparisons: Scalability and Speed (

η = 1000

$γ$	Ding-Tao				AIOL
$γ$	$ρ$	t	time (s)¹	time (s)²	$ρ$	$t ()$	time (s)²
5000	450	18	2.386	207.09	450	10	40.15
10000	450	40	91.447	7436.85	450	20	1162.34
15000	450	59	749.179	61767.34	450	29	3793.10
20000	450	85	4245.879	141303.98	450	38	32651.77

¹ Running time in MAGMA according to [8]. ² Running time in MAPLE according to our experiments.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.

MDPI Initiatives

Important Links

Choose an area of interest and we will send you notifications of new preprints at your preferred frequency.

Disclaimer

AIOL: An Improved Orthogonal Lattice Algorithm for the General Approximate Common Divisor Problem

Abstract

1. Introduction

2. Preliminaries

3. Orthogonal Lattice (OL) based approach

3.1. The basic idea of OL algorithm

3.2. Our Proposal

3.3. The proof of AIOL algorithm

4. Experiments and Comparisons

5. Conclusions

Author Contributions

Funding

Conflicts of Interest

References

MDPI Initiatives

Important Links

Subscribe