Using the Inhomogeneous Simultaneous Approximation Problem for Cryptographic Design
Frederik Armknecht (1), Carsten Elsner (2), and Martin Schmidt (3)
(1) Universität Mannheim, 68161 Mannheim, Germany, armknecht@informatik.uni-mannheim.de
(2) FHDW Hannover, 30173 Hannover, Germany, carsten.elsner@fhdw.de
(3) Leibniz Universität Hannover, Institute of Applied Mathematics, 30167 Hannover, Germany, mschmidt@ifam.uni-hannover.de
Abstract. Since the introduction of the concept of provable security, there has been the steady search for suitable problems that can be used as a foundation for cryptographic schemes. Indeed, identifying such problems is a challenging task. First, it should be open and investigated for a long time to make its hardness assumption plausible. Second, it should be easy to construct hard problem instances. Third, it should allow cryptographic applications to be built on top of it. Not surprisingly, only a few problems are known today that satisfy all conditions, e. g., factorization, discrete logarithm, and lattice problems.
In this work, we introduce another candidate: the Inhomogeneous Simultaneous Approximation Problem (ISAP), an old problem from the field of analytic number theory that dates back to the 19th century. Although the Simultaneous Approximation Problem (SAP) is already known in cryptography, it has mainly been considered in its homogeneous instantiation for attacking schemes. We take a look at the hardness and applicability of ISAP, i. e., the inhomogeneous variant, for designing schemes.
More precisely, we define a decisional problem related to ISAP, called DISAP, and show that it is NP-complete. With respect to its hardness, we review existing approaches for computing a solution and give suggestions for the efficient generation of hard instances. Regarding the applicability, we describe as a proof of concept a bit commitment scheme where the hiding property is directly reducible to DISAP. An implementation confirms its usability in principle (e. g., the size of one commitment is slightly more than 6KB and execution time is in the milliseconds).
Keywords: Simultaneous Approximation Problem, Analytic Number Theory, Diophantine Approximation, Provable Security, Commitment Scheme
1 Introduction
Motivation. The concept of provable security is one cornerstone of modern cryptography. The approach is to prove the security of a cryptographic scheme by reducing its security (in the sense of complexity theory) to another presumably hard problem. Consequently, there is a huge interest in finding appropriate problems. To be appropriate, at least the following conditions need to be met:
1. The problem has been well investigated for a long time, making the hardness conjecture trustworthy.
2. Hard-to-solve instances can be easily constructed.
3. One can build cryptographic schemes upon them.
Different strategies are imaginable. One could start with known hard problems and look for cryptographic applications. Natural candidates are NP-complete problems, certainly meeting condition 1. However, it is not always clear how to construct hard instances (condition 2). As an example take the homomorphic encryption scheme Polly Cracker by Fellows and Koblitz [5]. The security is based on the NP-complete problem of solving systems of nonlinear equations. But according to the current state of knowledge, all its instantiations (and variations like PollyTwo [34]) are either insecure, inefficient, or lose their homomorphic property (e. g., see [6, 17]). Another strategy could be to have a cryptographic scheme in mind and to clearly formalize the underlying problem. But then, only little may be known regarding conditions 1 and 2. It is often unclear if and to what extent newly introduced problems are examined once they have been introduced. Summing up, although a variety of problems(4) have been considered in the recent decades, only few of them fulfill all three conditions. Mainly these are connected to factorization, discrete logarithm, lattices, pairings, or error-correcting codes.
Observe that the first two, factorization and discrete logarithm, are probably the most established problems and both belong to algebraic number theory. Here, we would like to advert to analytic number theory, more precisely to the field of diophantine analysis. The adjective "diophantine" means that one is interested in integral or rational solutions. This field emerged around 250 A. D. and has since then attracted the interest of many important and influential mathematicians like Gauss or the Fields medal winners Roth, Baker, and Faltings. Despite the enormous progress, diophantine analysis is still full of open (computational) problems.
As a representative, we investigate the Simultaneous Approximation Problem or more precisely its inhomogeneous variant: Given rational numbers $\alpha_i$ and $\eta_i$, $i = 1, \dots, n$, find integer values $q$ and $p_i$ such that $|q\alpha_i - p_i - \eta_i| < \varepsilon$. The most common variant is the homogeneous one, i. e., $\eta_i = 0$ for all $i$, whereas our contribution is to consider for the first time the inhomogeneous variant, i. e., $\eta_i \ne 0$, for cryptographic design. To be in compliance with established notation, we refer to the homogeneous Simultaneous Approximation Problem simply by SAP and denote the inhomogeneous variant by ISAP.
Related work. SAP is known in cryptography, but has mainly been considered for attacking cryptosystems, e. g., knapsack systems (e. g., Shamir [30], Lagarias [13]), factorization and discrete logarithm (e. g., see Schnorr [25], Seifert [29]), and RSA (e. g., see Wiener [35]).
Regarding the design of cryptosystems, we are only aware of very few works that base their security on SAP or related problems. Isselhorst [10] presented a public-key scheme based on fractions. He showed that the scheme could be broken in principle by solving an appropriate simultaneous approximation problem. He proposed parameters for which he suspected that the algorithm of Lagarias [14] is not capable of finding a solution. Nonetheless, the scheme was broken soon after by Stern and Toffin [31] using the LLL algorithm [15] instead. Elsner and Schmidt [4] used continued fractions to design new S-boxes. In both cases, there was no direct reduction of the security of the scheme to the hardness of solving (I)SAP. Regev [21] presented a public key cryptosystem where the public key contains rational numbers $a_i$ that are close to integer multiples of $N/h$ where $N$ and $h$ are some integers and $h$ is the secret key. Obviously, the ability of solving SAP would allow for breaking the scheme. However, it is not clear if a reduction to SAP is possible as the public key also includes explicitly an index $i_0$ such that $a_{i_0}$ is an odd multiple of $N/h$. Van Dijk et al. [33] used the Approximate Greatest Common Divisor (approximate GCD) Problem for constructing a fully homomorphic encryption scheme. This problem is related to SAP in the following sense. In SAP, a set of rational numbers $\alpha_i$ and some bound $B < 1$ is given and the task is to find integers $q$ and $p_i$ such that $|q \cdot \alpha_i - p_i| < B$ for all $i$. In approximate GCD, a set of integer values $\alpha_i$ and some integer bound $1 \le B$ is given and the task is to find integers $q$ and $p_i$ such that $|\alpha_i - q \cdot p_i| < B$ for all $i$. The authors pointed out that their scheme could be attacked by solving an appropriate SAP instance. In both works, solving SAP would allow for breaking the scheme. However, it is unclear (as far as we can see) whether a security reduction to SAP is possible. Apart from that, to the best of our knowledge the usage of ISAP for cryptographic design has not been considered so far. Here, we have to stress that our contribution is not the design of a specific scheme but rather to point out the general hardness and applicability of ISAP.
We want to point out that there might be a relation between (I)SAP and some of the lattice-based problems as both can be tackled by the LLL algorithm in principle. However, we are not aware of any result in this direction. Furthermore, the LLL algorithm applies to the homogeneous problem (SAP) only while we consider the inhomogeneous variant (ISAP). Thus, we leave the investigation of the connection between (I)SAP and lattice based problems as an open question and consider ISAP as a problem that has not been used for cryptographic design so far.
(4) See the website www.ecrypt.eu.org/wiki/index.php/Hard_Problems_in_Cryptography for an overview.
Contribution. In this paper, we put for the first time ISAP into the heart of a cryptosystem. Our contribu-
tions are as follows:
Problem Description: We formalize the Decisional Inhomogeneous Simultaneous Approximation Prob-
lem (DISAP) and show that it is NP-complete.
Instance Generation: We argue that increasing/decreasing certain parameters will probably increase the
hardness of the problem and formulate an accordant assumption. Furthermore, we investigate a related
computational problem and derive suggestions for concrete parameter ranges.
Cryptographic Application: We demonstrate the usefulness of DISAP for cryptographic applications
by constructing a bit commitment scheme on it. The scheme is perfectly binding and computationally
hiding if hard DISAP instances are used.
Summing up, we demonstrate that DISAP might be a valuable addition to the existing set of established
problems in cryptography and hope to encourage further research on problems from analytic number theory
in general and DISAP in particular.
Organization. In Sec. 2, we present DISAP and discuss its hardness. In addition, we define and motivate
an appropriate hardness assumption, named DISAP assumption. In Sec. 3, we describe a bit commitment
scheme based on DISAP. Its security is proven in Sec. 4 under the DISAP assumption. In Sec. 5, we present
a concrete instantiation and give implementation results. Sec. 6 concludes the paper.
2 The Inhomogeneous Simultaneous Approximation Problem
2.1 Motivation and Definition
In this section we give a short introduction to the main terms of rational diophantine approximation and motivate and define the Inhomogeneous Simultaneous Approximation Problem (ISAP). In the following, $\mathbb{N}$ will denote the set of positive integers, $\mathbb{Z}$ the ring of integers, $\mathbb{Q}$ the field of rational numbers, and $\mathbb{R}$ the field of the real numbers. We will distinguish between single values and vectors by putting the latter in bold.
In diophantine analysis the approximation of numbers $\alpha \in \mathbb{R}$ by rationals $p/q \in \mathbb{Q}$ is a main topic.(5) One of the most basic results is the approximation theorem of Dirichlet (1805–1859) [9, Theorem 185], which states that for any $\alpha \in \mathbb{R}\setminus\mathbb{Q}$ there exist infinitely many co-prime numbers $p$ and $q$ such that

$$\left|\alpha - \frac{p}{q}\right| < \frac{1}{q^2} \;\Rightarrow\; |q\alpha - p| < \frac{1}{q}. \tag{1}$$

If $\alpha \in \mathbb{Q}$, the number of solutions might be finite only. A theorem of Hurwitz (1859–1919) [9, Theorem 193] states that for every $\alpha \in \mathbb{R}\setminus\mathbb{Q}$ there exist infinitely many co-prime numbers $p$ and $q$ such that

$$\left|\alpha - \frac{p}{q}\right| < \frac{1}{\sqrt{5}\,q^2} \tag{2}$$

holds and that for any stronger approximation quality, the number of solutions might be finite only. Interestingly, such approximations can be efficiently computed, using continued fractions

$$a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\cdots + \cfrac{1}{a_N}}}} \tag{3}$$

where the leading coefficient $a_0$ is an integer and all partial quotients $a_i$ ($i = 1, \dots, N$) are positive integers. It can be shown that for $N \to \infty$ the above given expression converges to some real number $\alpha$ depending on all partial quotients $a_i$. In that case we call the expression an infinite continued fraction, or simply continued fraction. For $\alpha \in \mathbb{Q}$, the corresponding continued fraction is finite like in (3).
An important term is a convergent, which is a rational number. Given the partial quotients of the continued fraction, the corresponding convergents can easily be computed using the recurrence formulas (see [9, Theorem 149])

$$p_0 = a_0,\quad p_1 = a_1 a_0 + 1,\quad p_n = a_n p_{n-1} + p_{n-2} \quad (n \ge 2), \tag{4}$$
$$q_0 = 1,\quad q_1 = a_1,\quad q_n = a_n q_{n-1} + q_{n-2} \quad (n \ge 2). \tag{5}$$

$p_n/q_n$ is called the $n$-th convergent of the continued fraction. Observe that computing the $n$-th convergent requires $2n$ additions and multiplications of integers. It can be shown that (for irrational $\alpha$ or, if $\alpha \in \mathbb{Q}$, $n < N$)

$$\frac{1}{q_n(q_n + q_{n+1})} < \left|\alpha - \frac{p_n}{q_n}\right| < \frac{1}{q_n q_{n+1}} \le \frac{1}{q_n^2} \tag{6}$$

holds (see [18, Chapter 10.2]). We note that from (6) it follows that the convergents satisfy inequality (1) of Dirichlet's theorem. Furthermore, it is proven that the convergents are the best rational approximations with a bounded denominator, e. g., for $\alpha \in \mathbb{R}$, $n > 1$, $0 < q \le q_n$ and $p_n/q_n \ne p/q$ it holds (see [9, Theorem 181])

$$\left|\alpha - \frac{p_n}{q_n}\right| < \left|\alpha - \frac{p}{q}\right|. \tag{7}$$

It is useful to know that $p_n$ and $q_n$ are co-prime for all convergents.
(5) Nice introductions to this discipline can be found in [9, 18].
The type of approximation in (1) is called homogeneous in contrast to the inhomogeneous case, for which Kronecker (1828–1891) proved the following theorem (see [22, Chapter 10, Theorem 2.6]).
Theorem 1 (Kronecker's Approximation Theorem). For each $\alpha \in \mathbb{R}\setminus\mathbb{Q}$, $\eta \in \mathbb{R}$, $n > 0$ and $\delta \in \mathbb{R}$ with $\delta > 0$ there are integers $p, q$ with $q > n$ such that

$$|q\alpha - p - \eta| < \left(\frac{1}{2} + \frac{1}{\sqrt{5}} + \delta\right)\frac{1}{q}. \tag{8}$$

Thereby $\eta$ is called the inhomogeneity.
In the field of simultaneous diophantine approximation one considers more than one diophantine inequality at once and tries to approximate the given numbers $\alpha_i$ with fractions $p_i/q$ sharing a common denominator. Again, the most basic result was proved by Dirichlet (see [9, Theorem 200]): There are infinitely many solutions $(q, p_1, \dots, p_n)$ to the system

$$\left|\alpha_i - \frac{p_i}{q}\right| < \frac{1}{q^{1+1/n}}, \quad i \in \{1, \dots, n\}, \tag{9}$$

in positive integers $q$ and integers $p_1, \dots, p_n$ if at least one of the real numbers $\alpha_1, \dots, \alpha_n$ is irrational. An inhomogeneous generalization about the existence of simultaneous approximations was also proved by Kronecker (see [9, Theorem 442]):
Theorem 2 (Kronecker's Simultaneous Approximation Theorem). Let $1, \alpha_1, \dots, \alpha_n$ be real numbers that are linearly independent over $\mathbb{Q}$. Furthermore, let $\eta_1, \dots, \eta_n$ be arbitrary real numbers, $\varepsilon > 0$ and $N \in \mathbb{N}$. Then there exist integers $p_1, \dots, p_n$ and a natural number $q$ with $q > N$ and

$$|q\alpha_i - p_i - \eta_i| < \varepsilon \quad \forall i \in \{1, \dots, n\}. \tag{10}$$
We remark that the one-dimensional theorems can all be proved in a constructive manner by using continued fractions and convergents. However, as opposed to the one-dimensional case, no constructive proofs are known for the simultaneous versions. This has led to the formulation of a variety of related problems, e. g. [14], some of which have been proven to be NP-complete. Nevertheless, none of them has been successfully used for cryptographic applications. The main goal of this paper is to recall these problems, to choose one concrete problem formulation, and to demonstrate a possible cryptographic application. The basic problem considered is the following:
Definition 1 (Inhomogeneous Simultaneous Approximation Problem (ISAP)). An instance $I$ of the Inhomogeneous Simultaneous Approximation Problem (ISAP) consists of a vector $\boldsymbol\alpha := (\alpha_1, \dots, \alpha_n) \in (\mathbb{Q}\setminus\{0\})^n$ of non-zero rational values, a vector $\boldsymbol\eta := (\eta_1, \dots, \eta_n) \in \mathbb{Q}^n$, a positive real value $\varepsilon \in \mathbb{R}_{>0}$, and a positive integer $N \in \mathbb{N}$.
A tuple $(q, \boldsymbol p)$ where $q \in \mathbb{N}_{>0}$ and $\boldsymbol p = (p_1, \dots, p_n) \in \mathbb{Z}^n$ is a solution to $I$ if

$$|q\alpha_i - p_i - \eta_i| < \varepsilon \quad \forall i \in \{1, \dots, n\} \quad \text{and} \quad q \le N. \tag{11}$$

The value $n$ is called the dimension, and $\varepsilon$ the approximation quality. In the case that $\eta_i = 0$ for all $i$, that is in the homogeneous case, we call the problem simply the Simultaneous Approximation Problem (SAP).
Although the dimension $n$ is implicitly given by the dimension of the vectors $\boldsymbol\alpha$ and $\boldsymbol\eta$, we note it explicitly for reasons of clarity. Observe that we restrict to rational and integer values on purpose: working in practice with irrational numbers effectively means in most cases to approximate them anyway by rational numbers. We formulate a decisional problem in the context of ISAP that we will eventually propose for cryptographic design:
Definition 2 (Decisional ISAP (DISAP)). Let $I$ be an ISAP instance as explained in Def. 1. The Decisional ISAP (DISAP) is to decide whether $I$ has at least one solution.
Next, we show that the problem class of DISAP indeed contains hard instances, i. e., instances for which no efficient solving algorithms are known so far.
Theorem 3. DISAP is NP-complete.
Proof. We have to show that (i) DISAP is in NP, and (ii) every problem in NP is reducible to DISAP in polynomial time. The first claim is trivial. Given a DISAP instance $(\boldsymbol\alpha, \boldsymbol\eta, N, n, \varepsilon)$ and a possible solution $(q, \boldsymbol p)$, one can check in polynomial time (i. e., polynomial in the length of the input) whether (11) is fulfilled. For the second claim, we make use of Lagarias' result [14]. He showed that DSAP(6) is NP-complete (the problem was named "Good Simultaneous Approximation problem (GSA)" there). That is, any NP problem can be reduced (in polynomial time) to an instance of DSAP. As any instance of DSAP is an instance of DISAP as well, it follows directly that any NP problem can be reduced in polynomial time to an instance of DISAP. □
Still, it remains to clarify how to generate hard instances. It is plausible to assume that increasing the dimension $n$ and/or choosing a sharper approximation quality $\varepsilon$, i. e., decreasing this value, can only make the problem harder. This motivates the following assumption:
Definition 3 (DISAP Assumption). Consider a probabilistic polynomial-time (PPT) algorithm Gen that on input $N \in \mathbb{N}_{>0}$, $n \in \mathbb{N}_{>0}$, and $\varepsilon \in \mathbb{R}_{>0}$ generates an ISAP instance $I := (\boldsymbol\alpha, \boldsymbol\eta, N, n, \varepsilon)$ where $\forall i, j = 1, \dots, n : (\alpha_i, \eta_i) \ne (\alpha_j, \eta_j)$ if $i \ne j$. Let $\mathcal{I}$ denote the set of all possible ISAP instances that can be generated by Gen. We define a predicate $P : \mathcal{I} \to \{0, 1\}$ on $\mathcal{I}$ such that $P(I) = 1$ if and only if $I$ has a solution. For an algorithm $A$ we define its advantage (with respect to Gen) as

$$\mathrm{Adv}_{\mathrm{Gen},A}(N, n, \varepsilon) := \bigl|\Pr[I \leftarrow \mathrm{Gen}(N, n, \varepsilon),\ P(I) = 0 : A(I) = 0] - \Pr[I \leftarrow \mathrm{Gen}(N, n, \varepsilon),\ P(I) = 1 : A(I) = 0]\bigr|.$$

The decisional ISAP assumption (with respect to Gen) states that for any positive integer $s \in \mathbb{N}_{>0}$, being eventually the security parameter, there exist thresholds $N(s) \in \mathbb{N}_{>0}$, $n(s) \in \mathbb{N}_{>0}$ and $\varepsilon(s) \in \mathbb{R}_{>0}$ such that $\mathrm{Adv}_{\mathrm{Gen},A}(N, n, \varepsilon)$ is negligible in $s$ for all PPT $A$ if $N \ge N(s)$, $n \ge n(s)$, and $0 < \varepsilon \le \varepsilon(s)$.
(6) By DSAP, we refer to the straightforward restriction of DISAP to the homogeneous case. In other words, a DSAP instance is a DISAP instance where $\boldsymbol\eta = \mathbf{0}$.
2.2 Possible Parameter Choices
As explained in the previous section, a promising strategy for creating hard instances is to choose values $N$, $n$ and $\varepsilon$ which are beyond certain thresholds. Unfortunately, as DISAP has not been considered directly so far, nothing is known about concrete choices for these thresholds. However, some indication of possible choices can be derived from the fact that a somewhat related problem has been investigated for a long time. The key to this approach is the following theorem.
Theorem 4. Assume an algorithm $A$ that is able to efficiently compute solutions (if existent) to ISAP instances $(\boldsymbol\alpha, \boldsymbol\eta, N, n, N^{-\delta})$ where $\eta_i = \frac{\lambda_i}{\mu_i}$ with $0 < \mu_i \le N^{\delta_0}$ and $0 < \delta_0 < \delta$. Then, there exists another algorithm $B$ with the following property: Given $(\boldsymbol\beta, N, n)$ with $\boldsymbol\beta \in \mathbb{Q}^n$, invoke $A$ such that any solution $(q, \boldsymbol p)$ returned by $A$ implies values $\tilde q \in \mathbb{N}_{>0}$ and $\tilde{\boldsymbol p} = (\tilde p_1, \dots, \tilde p_n) \in \mathbb{Q}^n$ such that

$$\left|\beta_i - \frac{\tilde p_i}{\tilde q}\right| < \frac{1}{\tilde q^{\,1+(\delta-\delta_0)}} \quad \forall i \in \{1, \dots, n\}. \tag{12}$$

Here, the term $1 + \delta - \delta_0$ is called the approximation order.
Proof. Let $(\boldsymbol\beta, N, n)$ be given as defined above. At first, $B$ chooses some values $0 < \mu_i \le N^{\delta_0}$ and sets $\alpha_i := \beta_i/\mu_i \in \mathbb{Q}$. Furthermore, some positive integers $\lambda_i \in \mathbb{N}_{>0}$ are sampled according to some arbitrary distribution and $\eta_i := \lambda_i/\mu_i$ are defined. Then, $B$ hands the ISAP instance $(\boldsymbol\alpha, \boldsymbol\eta, N, n, N^{-\delta})$ to $A$. Assume that $A$ returns a solution $(q, \boldsymbol p)$. $B$ sets $\tilde q := q$ and $\tilde p_i := p_i \cdot \mu_i + \lambda_i$ and outputs $(\tilde q, \tilde{\boldsymbol p})$.
We show now that $(\tilde q, \tilde{\boldsymbol p})$ meets condition (12). By assumption, the response $(q, \boldsymbol p)$ of $A$ is a solution to the ISAP instance, i. e., $|q\alpha_i - p_i - \eta_i| < N^{-\delta}$ for $i = 1, \dots, n$. Because of $\mu_i \le N^{\delta_0}$ and $q \le N$, we have $\frac{1}{N^{\delta}} = \frac{1}{N^{\delta-\delta_0} \cdot N^{\delta_0}} \le \frac{1}{q^{\delta-\delta_0} \cdot \mu_i}$. Thus, one can show that

$$\left|q\alpha_i - \frac{\tilde p_i}{\mu_i}\right| = |q\alpha_i - p_i - \eta_i| < \frac{1}{N^{\delta}} \le \frac{1}{q^{(\delta-\delta_0)} \cdot \mu_i} \tag{13}$$

$$\overset{\tilde q = q}{\Longrightarrow} \quad \left|\beta_i - \frac{\tilde p_i}{\tilde q}\right| < \frac{1}{\tilde q^{\,1+\delta-\delta_0}}. \tag{14}$$

Therefore, the output of $B$ indeed represents a solution to (12). □
In the remainder of this section, we will derive parameter ranges where the problem explained above seems to be hard according to the current state of knowledge. First, we explain the implications for DISAP. For the sake of brevity, let us introduce some abbreviations here. By CISAP, we refer to the computational counterpart to DISAP where the challenge is to compute a solution instead of deciding the existence of a solution. Furthermore, let CSAP* denote the homogeneous variant of CISAP as expressed by Eq. (12), that is where the approximation quality $\varepsilon$ depends on the solution $q$. Thus, if we derive parameters where it seems that no solutions to CSAP* can be found, this includes the infeasibility of finding solutions implied by CISAP. As any solution of appropriate CISAP instances implies solutions to CSAP*, this excludes the existence of efficient algorithms for CISAP (at least for the cases where some of the solutions to CSAP* can be found via CISAP). On the other hand, the infeasibility of CISAP is a necessary condition for the hardness of DISAP. Therefore, adopting the parameters derived from CSAP* for DISAP and considering instances as described in Th. 4 seems to be a promising starting point for creating presumably hard instances of DISAP. We leave the determination of more appropriate values as an open question.
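The following Python program is an added example, not code from the paper or its authors. It carries out the transformation performed by algorithm $B$ in the proof of Th. 4 on constructed numbers: $N = 2^{10}$, $\delta = 3/2$ and $\delta_0 = 1$, so $\varepsilon = N^{-\delta} = 2^{-15}$, $\mu_i \le N^{\delta_0} = 1024$, and the approximation order is $1 + \delta - \delta_0 = 3/2$ (illustrative values, not the parameters of Sec. 5). Since no solver $A$ exists, the ISAP instance is built so that a solution $(q, \boldsymbol p)$ is known in advance; the code then lifts it to $(\tilde q, \tilde{\boldsymbol p})$ exactly as $B$ does and checks Eq. (12) in exact rational arithmetic, comparing both sides raised to the power $2$ to avoid the irrational $\tilde q^{3/2}$. Function names and the sample values are assumptions of this example.

```python
from fractions import Fraction


def isap_instance_from_target(beta, mu, lam):
    """First half of algorithm B (proof of Th. 4): alpha_i = beta_i / mu_i and eta_i = lam_i / mu_i."""
    alpha = [Fraction(b) / m for b, m in zip(beta, mu)]
    eta = [Fraction(l, m) for l, m in zip(lam, mu)]
    return alpha, eta


def is_isap_solution(alpha, eta, q, p, eps, N):
    """Eq. (11): |q*alpha_i - p_i - eta_i| < eps for all i and 0 < q <= N."""
    return 0 < q <= N and all(abs(q * a - p_i - e) < eps for a, p_i, e in zip(alpha, p, eta))


def lift_solution(q, p, mu, lam):
    """Second half of algorithm B: q~ = q and p~_i = p_i * mu_i + lam_i."""
    return q, [p_i * m + l for p_i, m, l in zip(p, mu, lam)]


def is_csap_star_solution(beta, q_t, p_t, order_num, order_den):
    """Eq. (12) with approximation order order_num/order_den, decided exactly:
    |beta_i - p~_i/q~| < q~^-(order)  <=>  |beta_i - p~_i/q~|^order_den < q~^-(order_num)."""
    bound = Fraction(1, q_t ** order_num)
    return all(abs(Fraction(b) - Fraction(pt, q_t)) ** order_den < bound for b, pt in zip(beta, p_t))


def constructed_example():
    """Constructed instance (not from the paper) in which the answer of the hypothetical solver A
    is known in advance, so that B's lifted output can be checked against (12)."""
    N = 2 ** 10
    order = (3, 2)                                    # 1 + delta - delta_0 = 3/2 for delta = 3/2, delta_0 = 1
    eps = Fraction(1, 2 ** 15)                        # N^-delta = 2^-15
    q = 1000                                          # the denominator A will return, q <= N
    p_tilde = [2503, 4129]                            # the lifted numerators we expect B to produce
    r = Fraction(1, 2 ** 20)                          # how far q*beta_i sits from p~_i
    beta = [Fraction(pt, q) + r for pt in p_tilde]    # the CSAP* target (beta, N, n) handed to B
    mu = [1000, 1000]                                 # 0 < mu_i <= N^delta_0 = 1024
    lam = [pt % m for pt, m in zip(p_tilde, mu)]      # lam_i = p~_i mod mu_i keeps p_i integral
    p = [(pt - l) // m for pt, l, m in zip(p_tilde, lam, mu)]
    alpha, eta = isap_instance_from_target(beta, mu, lam)
    if not is_isap_solution(alpha, eta, q, p, eps, N):   # what A would hand back must solve the instance
        raise ValueError("constructed (q, p) is not an ISAP solution")
    q_t, p_t = lift_solution(q, p, mu, lam)
    return beta, (alpha, eta), (q, p), (q_t, p_t), order


if __name__ == "__main__":
    beta, _, _, (q_t, p_t), (num, den) = constructed_example()
    print("lifted solution:", q_t, p_t, "satisfies (12) with order 3/2:",
          is_csap_star_solution(beta, q_t, p_t, num, den))
```

Here $|q\alpha_i - p_i - \eta_i| = |q\beta_i - \tilde p_i|/\mu_i = 2^{-20} < 2^{-15}$, and after lifting $|\beta_i - \tilde p_i/\tilde q| = 2^{-20}$, whose square $2^{-40}$ is below $\tilde q^{-3} = 10^{-9}$, so (12) holds with order $3/2$; shifting one numerator by one breaks it, which is what the negative check in the test below exercises.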
There are several algorithms in the literature to solve CSAP*. In the case of real algebraic and over $\mathbb{Q}$ linearly independent numbers $1, \alpha_1, \dots, \alpha_n$ and $\delta > 0$ arbitrary, W. Schmidt shows in [24] that there are at most finitely many $(q, \boldsymbol p) \in \mathbb{N} \times \mathbb{Z}^n$ with

$$\left|\alpha_i - \frac{p_i}{q}\right| < \frac{1}{q^{1+1/n+\delta}} \quad \forall i \in \{1, \dots, n\}. \tag{15}$$

Furthermore, with $\delta = 0$, under these conditions the approximation order $1 + 1/n$ is the best possible.
There are a lot of generalizations of continued fractions for the simultaneous case, starting with the work of Jacobi [11] which led to the Jacobi-Perron algorithm (JPA) [20, 28, 26, 2, 8]. However, the JPA is not able to compute solutions of such approximation quality as we will require in our proposed commitment scheme (cf. Sec. 3). For example, in the case $n = 2$ only a system with an approximation quality of $2/q^{3/2}$ is attackable with the JPA (cf. [28]). In [28] it is also mentioned that the JPA is only able to solve systems with significantly larger $\varepsilon$ in the arbitrary case ($n \ge 3$). In particular, the best affordable approximation quality $\varepsilon$ increases with the dimension $n$. Additionally, we want to mention Baldwin's numerical experiments [1] in which he computes the approximation exponent of the JPA in two dimensions; with $1.374$ it is significantly below the upper bound $1 + 1/2 = 1.5$ from theory.
There are some other relevant algorithms based on continued fraction generalizations, namely the ones of Güting, Brun, Selmer, and Just. The first three have properties comparable to the JPA (see [28, 3, 27, 32]). Just's algorithm is much worse concerning the approximation order ($1 + 1/(2n(n+1))$) [12]. Thus, the above given considerations about the JPA can also be applied to these algorithms.
Another well known algorithm for solving simultaneous diophantine approximation problems is the lattice-based LLL algorithm presented by Lenstra, Lenstra Jr. and Lovász in [15]. The LLL algorithm is able to find solutions nearly as good as the best possible. Indeed, it can compute solutions $(q, \boldsymbol p)$ such that

$$\left|\alpha_i - \frac{p_i}{q}\right| \le \frac{c(n)}{q^{1+1/n}} \quad \forall i \in \{1, \dots, n\}, \tag{16}$$

where the $\alpha_i$ have to be rationals and $c(n) \in O(2^n)$ (see [15], [19, Chapter 6, Theorem 8]). Thus, by choosing small numerators for the upper bound, e. g., $1$ in our construction, one can construct instances that seem to fall outside of the parameter ranges that can be solved by LLL.
We conclude with the theoretical work of Lagarias. In [14] he proved that the problem of computing a denominator $q$ such that

$$|\alpha_i q - p_i| \le s_1/s_2, \quad 1 \le q \le N, \quad i = 1, \dots, n, \tag{17}$$

for given positive integers $N, s_1, s_2$ and rational numbers $\alpha_i = a_i/b_i$ is in P for fixed dimension $n$. We remark that this technique has a runtime exponential in the dimension $n$. Thus, increasing $n$ is a simple method for excluding the applicability of Lagarias' algorithm.
Summing up, no efficient algorithms are known for solving CSAP* with an approximation order of $1 + 1/n$ if the dimension is high enough. In Sec. 5, we will use this observation for proposing some concrete parameters. More precisely, we will construct instances as explained in Th. 4 where the approximation quality and the dimension are too high for all algorithms mentioned above. Regarding the upper bound $N$, one has to take care that it is big enough for excluding brute force approaches. We will set $N := 2^s$ in our construction where $s$ represents the security parameter. Observe that in our scheme, we construct instances that have only one unique solution. Hence, it will not be possible to look for other solutions that might be easier to find. In this context we would like to refer to the results by Rössner and Seifert [23]: They showed that approximating the best solution is almost NP-hard. Thus, approximating the unique solution $q$ seems to be not an option either.
3 A Bit Commitment Scheme based on DISAP
In this section, we present a bit commitment scheme based on DISAP. In the commitment phase, the com-
mitter generates an instance of DISAP with a given dimension and approximation quality. The crucial aspect
here is that the problem instance is constructed backwards. That is the committer first starts with the solution
(q, p)that is connected to the message and then generates a problem instance (α,η)from it where (q, p)is
the unique solution. Observe that the generation procedure allows for choosing the parameters outside the
range that is feasible for the algorithms described in Sec. 2.2 in the normal direction and ensures that the
instances are of the form as described in Th. 4. For this purpose, we strongly make use of the inhomogene-
ity η. Regarding the security, the commitment scheme is computationally hiding if the DISAP assumption
holds. Furthermore, as only one solution exists, the scheme is perfectly binding.
Setup Phase. In the setup phase, an algorithm

$$P := (N, \varepsilon, n, \mu) \leftarrow \mathrm{Setup}(s) \tag{18}$$

is executed. The purpose of this algorithm is to fix, in dependence of a security parameter $s$, the bound $N$, the approximation quality $\varepsilon$, the dimension $n$, and an upper bound $\mu$ on the denominators of $\boldsymbol\eta$ for DISAP instances that will be used in the other phases of the commitment scheme. Starting from the DISAP assumption (Def. 3), these are chosen such that $N \ge N(s)$, $\varepsilon \le \varepsilon(s)$ and $n \ge n(s)$ where $N(s)$, $\varepsilon(s)$, and $n(s)$ are the thresholds conjectured in the DISAP assumption (Def. 3). More precisely, we will fix $N := 2^s$ to avoid brute force guessing attacks. The bound $\mu$ will be set as described in Th. 4. We will discuss concrete parameter choices later in Sec. 5.
Commitment Phase. In this phase, the committer generates a commitment for a message $m \in \{0, 1\}$. The commitment algorithm has the following format:

$$((\boldsymbol\alpha, \boldsymbol\eta), (q, \boldsymbol p)) \leftarrow \mathrm{Commit}_P(m) \tag{19}$$

where $(\boldsymbol\alpha, \boldsymbol\eta, N, n, \varepsilon)$ specifies an instance of DISAP as defined in Def. 1 and $(q, \boldsymbol p)$ is a solution to this instance. The tuple $(\boldsymbol\alpha, \boldsymbol\eta)$ represents the commitment to the message $m$ which is made public. The tuple $(q, \boldsymbol p)$ represents the opening information and is kept secret. The value $q$ is constructed in such a way that its least significant bit (LSB) is equal to the message $m$.
The commitment algorithm is depicted in Alg. 1. During an execution, a series of values are generated that have to fulfill certain conditions. For the sake of clarity, we separated in the description of Alg. 1 the value generation and the testing of the parameters. In real implementations, one would group these steps together to reduce the number of trials. For example, if parameter generation fails for one index $i$, one could retry other values for this index but still use the values generated for indices $j < i$. We have to point out that it is not mathematically guaranteed that all conditions can be met. However, this was straightaway the case in almost all of our simulations (see Sec. 5 for details). Furthermore, in all other cases a small number of repetitions was sufficient to find values that fulfill the conditions.
Finally, some words on the conditions themselves. The condition $\frac{1}{\varepsilon} < d_i$ (Eq. (20)) is introduced to achieve the claimed approximation quality with the given solution. The other part of the same inequality, $d_i < b_i$, is used to guarantee that the approximation $c_i/d_i$ does not give $q \cdot a_i/b_i$ again. The last condition, given in Eq. (21), ensures that the value $q$ is uniquely determined, making the scheme perfectly binding.
Algorithm 1 The commitment algorithm $\mathrm{Commit}_P$
Input: $P = (N, \varepsilon, n, \mu)$ with approximation quality $\varepsilon$, dimension $n$, and upper bound $\mu$; a message $m \in \{0, 1\}$
Output: A commitment on $m$
1: // Map the message
2: Extend $m \in \{0, 1\}$ to an $s$-bit value $q$, that is $[q]_2 = (r_{s-1}, \dots, r_1, m)$ with $r_i \overset{\$}{\leftarrow} \{0, 1\}$. $[q]_2$ denotes the bit representation of $q$. This implies $0 \le q < 2^s =: N$.
3: // Generate rational numbers $\alpha_i := \frac{a_i}{b_i}$
4: for $i = 1, \dots, n$ do
5:   Choose co-prime integers $a_i$ and $b_i$ where $b_i$ is odd, co-prime to $q$, and less than or equal to $\mu$.
6:   Set $\alpha_i := \frac{a_i}{b_i}$.
7: end for
8: // Generate approximations $\frac{c_i}{d_i}$ of $q \cdot \frac{a_i}{b_i}$
9: Use continued fractions to find an approximation $\frac{c_i}{d_i}$ of $q \cdot \frac{a_i}{b_i}$ such that
$$\frac{1}{\varepsilon} < d_i < b_i. \tag{20}$$
10: If (20) is not satisfiable, restart at line 3.
11: // Check additional condition
12: Beside the conditions given above, we require the existence of an index $i \in \{1, \dots, n\}$ with
$$N < b_i \quad \text{and} \quad 2 b_i < d_i. \tag{21}$$
13: If (21) is not satisfiable, restart at line 3.
14: // Generate $\boldsymbol p$ and $\boldsymbol\eta$
15: for $i = 1, \dots, n$ do
16:   Choose $p_i \in \mathbb{Z}$ arbitrary
17:   Set $\eta_i := \frac{c_i}{d_i} - p_i$
18: end for
19: return A (public) commitment $(\boldsymbol\alpha, \boldsymbol\eta)$ to $m$ and (secret) opening information $(q, \boldsymbol p)$
Opening Phase. To open the commitment, the committer sends the solution $(q, \boldsymbol p)$ to the verifier. The verifier runs the algorithm

$$\mathrm{out} \leftarrow \mathrm{Verify}_P((\boldsymbol\alpha, \boldsymbol\eta), (q, \boldsymbol p)) \tag{22}$$

where $\mathrm{out} \in \{\mathrm{accept}, \bot\}$. The verifier accepts if $\mathrm{out} = \mathrm{accept}$ and rejects otherwise. The algorithm $\mathrm{Verify}_P$ outputs accept if and only if
1. $|q\alpha_i - p_i - \eta_i| \le \varepsilon$ for all $i \in \{1, \dots, n\}$
2. There exists an index $i \in \{1, \dots, n\}$ such that $N < b_i$ and $2 b_i < d_i$ (see Eq. (21)). Observe that the values $b_i$ are part of the commitment and the values $d_i$ can be computed from $\eta_i$ and $p_i$ by using that $c_i$ and $d_i$ are co-prime (see Sec. 2.1).
Correctness. The correctness of the scheme follows directly from condition $\frac{1}{\varepsilon} < d_i$ (see Eq. (20)) given in Alg. 1. For any $i \in \{1, \dots, n\}$, it holds that

$$|q\alpha_i - p_i - \eta_i| = \left|q\alpha_i - p_i - \frac{c_i}{d_i} + p_i\right| = \left|q\alpha_i - \frac{c_i}{d_i}\right| \overset{(6)}{\le} \frac{1}{d_i^2} \overset{(20)}{<} \varepsilon. \tag{23}$$
4 Security
4.1 Binding Property
In this section, we prove that qis uniquely determined by the commitment (α,η). Thus, the scheme is
perfectly binding.
Theorem 5 (Perfectly binding). The commitment scheme is perfectly binding.
Proof. Assume two solutions $(q, \boldsymbol p)$ and $(q', \boldsymbol p')$. (21) ensures the existence of an index $i$ such that $N < b_i$ and $2 b_i < d_i$. We omit the index $i$ in the following. By definition it holds that $\eta = \frac{c}{d} - p$ and $\eta = \frac{c'}{d'} - p'$ for some appropriate integers $c, d, c', d'$ and in particular $\frac{c}{d} - \frac{c'}{d'} \in \mathbb{Z}$. Therefore, there exists an integer $z \in \mathbb{Z}$ such that

$$\frac{c}{d} - \frac{c'}{d'} = z \quad \Leftrightarrow \quad cd' - c'd = z\,dd'. \tag{24}$$

It follows that $cd' - c'd \equiv 0 \pmod d$, $cd' \equiv 0 \pmod d$, and $d' \equiv 0 \pmod d$. The latter holds as $c$ and $d$ are co-prime (see Sec. 2.1). Analogously, one shows that $d \equiv 0 \pmod{d'}$. As both $d$ and $d'$ are positive, we get $d = d'$. Now recall that the fractions $\frac{c}{d}$ and $\frac{c'}{d}$ are both approximations of $q \cdot \frac{a}{b}$ and $q' \cdot \frac{a}{b}$, respectively, stemming from continued fractions. With (6) we have

$$\left|q \cdot \frac{a}{b} - \frac{c}{d}\right| < \frac{1}{d^2} \quad \text{and} \quad \left|q' \cdot \frac{a}{b} - \frac{c'}{d}\right| < \frac{1}{d^2} \tag{25}$$

and in particular

$$\left|(q - q')\frac{a}{b} - z\right| < \frac{2}{d^2} \quad \Rightarrow \quad \left|(q - q')a - z \cdot b\right| < \frac{2b}{d^2}. \tag{26}$$

Recall that $2b < d$ by Eq. (21). Thus, the right hand side of (26) is strictly less than $1$ while the left hand side is an integer value. This immediately implies that $(q - q')a - z \cdot b = 0$. As $a$ and $b$ are co-prime, it follows that

$$q - q' \equiv 0 \pmod b. \tag{27}$$

With $0 \le q, q' < N$, we have $-N < q - q' < N$. By Eq. (21), it holds that $b > N$. Thus, (27) actually implies $q - q' = 0 \Leftrightarrow q = q'$. □
4.2 Hiding Property
In this section, we prove that the commitment scheme is computationally hiding. Recall that this means that
no efficient algorithm exists that can decide for a given commitment (α,η)if it commits to m= 0 or to
m= 1.
Theorem 6 (Hiding). Let Gen denote the algorithm that generates DISAP instances as explained in Alg. 1
and let Gen' denote the algorithm that first invokes Gen and then replaces $\alpha$ by $2\alpha$. If the DISAP assumption
(Def. 3) holds with respect to Gen', the commitment scheme is computationally hiding.
Proof. Recall that the DISAP assumption tells that it is hard to decide whether a given instance has a
solution or not. Furthermore, by definition the committed message equals the least significant bit of $q$,
for short: LSB($q$). Thus, breaking the hiding property is equivalent to deciding the LSB of $q$. Let $I' := (2\alpha, \eta, N, n, \varepsilon)$,
where $I := (\alpha, \eta, N, n, \varepsilon)$ is the instance generated by Gen. Observe that, as only the values $\alpha$
are changed, instance $I'$ fulfills all conditions derived in Sec. 2.2 if this is the case for $I$. We show now that
the LSB of $q$ is equal to 0 if and only if $I'$ has a solution.
Assume that the LSB of $q$ is zero. That is, we can write $q = 2q'$ and one sees easily that it holds for all
$i = 1, \dots, n$:
$$ |q \cdot \alpha_i - p_i - \eta_i| < \varepsilon \;\Leftrightarrow\; |(2q') \cdot \alpha_i - p_i - \eta_i| < \varepsilon \;\Leftrightarrow\; |q' \cdot (2\alpha_i) - p_i - \eta_i| < \varepsilon \qquad (28) $$
Thus, if $q$ is a solution to $I$ with LSB($q$) $= 0$, then there exists a solution to $I'$.
Conversely, assume that $I'$ has a solution $q'$. Then, with (28) it follows that $q = 2q'$ is a solution to $I$.
Moreover, as we have shown in Theorem 5, $q$ is the unique solution. Thus, the existence of a solution
$q'$ implies that the LSB of the solution of $I$ is equal to zero. $\square$
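The computations behind the two proofs above, as a toy-sized added Python example that is not the authors' GMP/MPFR implementation: it builds $(\alpha, \eta)$ from continued-fraction convergents, checks (23), brute-forces the single opener $q$ that Theorem 5 guarantees, and runs the same search on $(2\alpha, \eta)$ to read off LSB($q$) as in (28). It assumes that Alg. 1 picks the first convergent with $1/d_i^2 < \varepsilon$, uses condition (21) in the reconstructed form $N < b_i$ and $2b_i < d_i^2$, and all parameter values are constructed.

```python
from fractions import Fraction

def convergents(x):
    """Yield the continued-fraction convergents c/d of the rational x in order.
    Every convergent satisfies |x - c/d| < 1/d^2, which is Eq. (6) of the paper."""
    h_prev, h = 0, 1  # numerators:   h_k = a_k * h_{k-1} + h_{k-2}
    k_prev, k = 1, 0  # denominators: k_k = a_k * k_{k-1} + k_{k-2}
    num, den = x.numerator, x.denominator
    while den:
        a, rem = divmod(num, den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield Fraction(h, k)
        num, den = den, rem

def commit(q, alpha, p, eps):
    """Commit to q (message = LSB(q)). Assumed convergent rule: for each
    alpha_i = a_i/b_i take the first convergent c_i/d_i of q*alpha_i with
    1/d_i^2 < eps (condition (20)); the published part is eta_i = c_i/d_i - p_i."""
    eta = []
    for alpha_i, p_i in zip(alpha, p):
        cd = next(f for f in convergents(q * alpha_i)
                  if Fraction(1, f.denominator ** 2) < eps)
        eta.append(cd - p_i)
    return eta

def opens(q, alpha, eta, p, eps):
    """Verifier's check, Eq. (23): |q*alpha_i - p_i - eta_i| < eps for all i."""
    return all(abs(q * a - p_i - e) < eps for a, p_i, e in zip(alpha, p, eta))

def condition_21(alpha, eta, p, N):
    """Reconstructed condition (21) from the binding proof: some index i has
    N < b_i and 2*b_i < d_i^2, where d_i is the denominator of c_i/d_i = eta_i + p_i."""
    return any(N < a.denominator and 2 * a.denominator < (e + p_i).denominator ** 2
               for a, e, p_i in zip(alpha, eta, p))

def solve(alpha, eta, N, eps):
    """Brute-force opener over q in [0, N): if some p_i works it is the nearest
    integer to q*alpha_i - eta_i, so p needs no search. Theorem 5 says the list
    has at most one entry; Theorem 6's reduction runs this on 2*alpha instead."""
    return [q for q in range(N)
            if opens(q, alpha, eta, [round(q * a - e) for a, e in zip(alpha, eta)], eps)]

# Constructed toy parameters: s = 4, so N = 2^s = 16 (the paper uses s = 128, n = 7).
N, EPS = 16, Fraction(1, 1000)
ALPHA = [Fraction(97, 101), Fraction(50, 89)]  # constructed alpha_i = a_i/b_i with b_i > N
P = [7, 3]                                     # constructed p_i in [0, N)

if __name__ == "__main__":
    for q in (10, 11):  # LSB(q) = 0 and LSB(q) = 1
        eta = commit(q, ALPHA, P, EPS)
        print(q, eta, opens(q, ALPHA, eta, P, EPS), condition_21(ALPHA, eta, P, N),
              solve(ALPHA, eta, N, EPS), solve([2 * a for a in ALPHA], eta, N, EPS))
```

For $q = 11$ the scaled instance $(2\alpha, \eta)$ has no opener in $[0, N)$, for $q = 10$ its only opener is $5 = q/2$, which is exactly the parity test the hiding proof relies on.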
Remark 1. It may occur that the fraction $\eta_i = c_i/d_i - p_i$ cannot be cancelled down. In this case, $\eta_i$ has
denominator $d_i$ and $c_i$ is known up to an integer multiple of $p_i$. This may be used to mount a naive attack
running over all possible $c_i$, using the fact that $\alpha_i = a_i/b_i$ as well as $c_i/d_i$ are known. However, by choosing $p_i$
from the same range as $q$ it can be seen that this attack has the same complexity as a brute force attack on $q$.
5 A Concrete Instantiation and Implementation
In this section we want to fix some values for the thresholds $\varepsilon$ and $n$. Due to our discussion of the algo-
rithmic landscape in Sec. 2.2 and because of $q^{-(1+1/2)} \le q^{-(1+1/n)}$ for all $n \ge 2$, we know that there exists
no algorithm with a runtime polynomial in $n$ that, given $(\beta, N, n)$, finds integers $\tilde q$ and $\tilde{\mathbf p}$ such that
$$ \left| \beta_i - \frac{\tilde p_i}{\tilde q} \right| < \frac{1}{\tilde q^{\,1 + \delta - \delta'}} \qquad (29) $$
with $\delta - \delta' = 1/2$. We set $\varepsilon := N^{-\delta} = 2^{-\delta s}$ and note the upper bound $\mu := N^{\delta'} = 2^{\delta' s}$ on $\mu_i$.
In [14] it is stated that the algorithm of Lenstra Jr. [16] used there has a runtime that grows exponentially in the
dimension. This motivates us to set $n := \log(s)$. Observe that the effort of the commitment scheme grows
linearly with $n$. Thus, increasing $n$ in case of need induces only a linear overhead.
Looking back to Alg. 1, we use these values of $\varepsilon$ and $n$ as concrete parameters in the following. Next, we
compute the size of a commitment and thereby get a hint how to choose $\delta'$. Due to the fact that the sizes of
$a_i$ and $p_i$ do not affect the proofs of binding and hiding in Sec. 4, we are free in the choice of their bounds.
Thus, we choose $a_i$ and $p_i$ uniformly distributed from the same interval as $q$, namely $[0, 2^s)$. Only for the $b_i$ we
have to pay attention that $b_i \le \mu$ holds.
The commitment consists of the quantities $\alpha$ and $\eta$. The $\alpha_i := a_i/b_i$ require $s + \delta' s$ bits because $a_i \in [0, 2^s)$
and $b_i \in [0, \mu) = [0, 2^{\delta' s})$. Moreover, the denominators $d_i$ of the second part $\eta$ of the commitment
require $\delta' s$ bits due to $0 < d_i < b_i < 2^{\delta' s}$ (see condition (20) in Alg. 1). Finally we consider the expanded
numerators $c_i - p_i d_i \in [-p_i d_i, c_i]$ and note that we need $s + \delta' s$ bits for the negative range because $p_i d_i < 2^s b_i < 2^{s + \delta' s}$
and $2s$ bits for the positive range ($c_i < q a_i < 2^{2s}$). Summing up, $\eta_i$ requires $3s + 2\delta' s$ bits,
leading to a complete commitment size of
$$ |(\alpha, \eta)|_2 = n (s + \delta' s) + n (3s + 2\delta' s) = ns (4 + 3\delta'). $$
Because of $\delta' > 1$ we have the lower bound of $7ns$ bits for the commitment size. We see that we minimize
the commitment size by minimizing $\delta'$ with respect to $\delta' > 1$. By setting $\delta' := 1 + \delta''$ with $\delta'' > 0$ we get
$|(\alpha, \eta)|_2 = 7ns + 3ns\delta''$, leading to $(3ns)^{-1}$ as a minimal choice for $\delta''$.
We implemented the scheme⁷ and made about $10^6$ test runs on an AMD Athlon X2 Dual-Core QL-62
with 2 GHz per core with $n = 7$, $s = 128$ and minimal $\delta'' = (3 \cdot 128 \cdot 7)^{-1}$. This gives a commitment size of
6273 bit. The algorithm restarts the computation of the commitment on average 3.0579 times in order
to satisfy (21) (cf. line 13 in Alg. 1). The maximal number of restarts to compute a single commitment was
23. Condition (20) was always fulfilled. Furthermore, all operations are really cheap in software, leading
to running times in the milliseconds, not measurable in seconds.
⁷ We used the GNU MP (http://gmplib.org/) and MPFR [7] libraries for arbitrarily large integers and arbitrarily precise
floating point arithmetic.
6 Future Work and Conclusions
In this work, we focused on one particular problem from analytic number theory, namely the Decisional
Inhomogeneous Simultaneous Approximation Problem (DISAP). The problem is NP-complete and one can
efficiently generate presumably hard instances. Observe that the difficulty can be easily increased, e.g.,
by raising the dimension n. As a proof of concept, we constructed a bit commitment scheme on DISAP.
However, other schemes would have been imaginable.
For example, observe that if $q$ is known, the numerators $\mathbf{p}$ can be directly computed. Thus, one could
modify the commitment scheme to get a stream cipher where $q$ would be the secret key and the $p_i$ the individual
plaintexts. Whenever the sender wants to encrypt a plaintext $p_i$, he computes the other values $\alpha_i$, etc. as
described and uses the tuple $(\alpha_i, \eta_i)$ as ciphertext for the current plaintext block. Observe that the values $\alpha_i$
and $c_i/d_i$ can be precomputed to accelerate the scheme. Although we did not check it in detail, we are
optimistic that a proof of security similar to the proof given in this paper should be possible, at least
for the known-ciphertext scenario. The development of other schemes might be interesting as well, e. g.,
authentication schemes giving a proof of knowledge of $q$.
Besides DISAP, other problems and results from analytic number theory might be worth investigating
as well. For example, one can easily transform a rational number from its binary representation to
continued fractions and vice versa. But only little is known about the relations between changes in one
representation and the corresponding changes in the other. This "fragility" might be used to construct
a collision-resistant compression function. Furthermore, several results exist on the periodicity of certain
representations. The construction of bitstream generators based on these might be an interesting question.
Concluding, we think that the established discipline of analytic number theory contains many interesting
open problems and results that only wait to be (re-)discovered for cryptographic applications. We hope to
encourage further research into this direction.
References
1. P. R. Baldwin. A convergence exponent for multidimensional continued-fraction algorithms. Journal of Statistical Physics,
66(5/6):1507–1526, 1992.
2. L. Bernstein. The Jacobi-Perron algorithm, its theory and application, volume 207 of Lecture Notes in Mathematics. Springer
Verlag, Berlin, Heidelberg, New York, 1971.
3. A. J. Brentjes. Multi-dimensional continued fraction algorithms. Mathematical Centre Tracts, 145, 1981.
4. C. Elsner and M. Schmidt. KronCrypt - a new symmetric cryptosystem based on Kronecker’s approximation theorem. Cryp-
tology ePrint Archive, Report 2009/416, 2009. http://eprint.iacr.org/.
5. M. Fellows and N. Koblitz. Combinatorial cryptosystems galore! Contemporary Mathematics, 168:51–61, 1993.
6. C. Fontaine and F. Galand. A survey of homomorphic encryption for nonspecialists. EURASIP J. Inf. Secur., 2007(1):1–15,
2007.
7. Laurent Fousse, Guillaume Hanrot, Vincent Lefèvre, Patrick Pélissier, and Paul Zimmermann. MPFR: A multiple-precision
binary floating-point library with correct rounding. ACM Trans. Math. Softw., 33(2):13, 2007.
8. R. Gärtner. Zur Geometrie des Jacobi-Perron Algorithmus. Arch. Math., 39:134–146, 1982.
9. G. H. Hardy and E. M. Wright. An introduction to the theory of numbers. Clarendon Press, Oxford, 3rd ed. edition, 1954.
10. H. Isselhorst. The use of fractions in public-key cryptosystems. In EUROCRYPT, pages 47–55, 1989.
11. C. G. J. Jacobi. Allgemeine Theorie der kettenbruchähnlichen Algorithmen, in welchen jede Zahl aus drei vorhergehenden
gebildet wird. Journal für die reine und angewandte Mathematik (Crelle's Journal), 69:29–64, 1868.
12. B. Just. Generalizing the continued fraction algorithm to arbitrary dimensions, 1992.
13. J. C. Lagarias. Knapsack public key cryptosystems and diophantine approximation. In CRYPTO, pages 3–23, 1983.
14. J. C. Lagarias. The computational complexity of simultaneous diophantine approximation problems. SIAM J. Comput.,
14(1):196–209, 1985.
15. A. K. Lenstra, H. W. Lenstra Jr., and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen,
261:515–534, 1982.
16. H. W. Lenstra Jr. Integer programming with a fixed number of variables. Mathematics of Operations Research, 8(4):538–548,
Nov. 1983.
17. F. Levy-dit-Vehel, M. Marinari, L. Perret, and C. Traverso. Gröbner Bases, Coding Theory, and Cryptography, chapter A
Survey on Polly Cracker systems. RISC Book Series. Springer, Heidelberg, 2009.
18. Hua Loo Keng. Introduction to number theory. Springer Verlag, Berlin, Heidelberg, New York, fifth edition, 1982.
19. P. Q. Nguyen and B. Vallée, editors. The LLL Algorithm. Survey and Applications. Information Security and Cryptography.
Springer, 2010.
20. O. Perron. Grundlagen für eine Theorie des Jacobischen Kettenbruchalgorithmus. Math. Ann., 64:1–76, 1907.
21. Oded Regev. New lattice-based cryptographic constructions. J. ACM, 51(6):899–942, 2004.
22. G. J. Rieger. Zahlentheorie. Vandenhoeck & Ruprecht, Göttingen, 1976.
23. C. Rössner and J.-P. Seifert. Approximating good simultaneous diophantine approximations is almost NP-hard. In Wojciech
Penczek and Andrzej Szalas, editors, MFCS, volume 1113 of Lecture Notes in Computer Science, pages 494–505. Springer,
1996.
24. W. Schmidt. Diophantine approximations. Springer-Verlag, Berlin, 1980.
25. C.-P. Schnorr. Factoring integers and computing discrete logarithms via diophantine approximations. In EUROCRYPT, pages
281–293, 1991.
26. F. Schweiger. The metrical theory of Jacobi-Perron algorithm, volume 334 of Lecture Notes in Mathematics. Springer Verlag,
Berlin, Heidelberg, New York, 1973.
27. F. Schweiger. Multidimensional continued fractions. Oxford University Press, 2000.
28. F. Schweiger. Was leisten mehrdimensionale Kettenbrüche? Mathematische Semesterberichte, 53:231–244, 2006.
29. J.-P. Seifert. Using fewer qubits in Shor’s factorization algorithm via simultaneous diophantine approximation. In CT-RSA
2001: Proceedings of the 2001 Conference on Topics in Cryptology, pages 319–327, London, UK, 2001. Springer-Verlag.
30. A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In SFCS ’82: Proceedings
of the 23rd Annual Symposium on Foundations of Computer Science, pages 145–152, Washington, DC, USA, 1982. IEEE
Computer Society.
31. J. Stern and P. Toffin. Cryptanalysis of a public-key cryptosystem based on approximations by rational numbers. In EURO-
CRYPT, pages 313–317, 1990.
32. C. Szekeres. Multidimensional continued fractions. Ann. Univ. Sci. Budap. Eötvös, Sect. Math., 13:113–140, 1980.
33. Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully homomorphic encryption over the integers. In
EUROCRYPT, pages 24–43, 2010.
34. L. Van Ly. Polly two : A new algebraic polynomial-based public-key scheme. Appl. Algebra Eng. Commun. Comput., 17(3–
4):267–283, 2006.
35. M. J. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, 36:553–558, 1990.