Approximate common divisors via lattices

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We analyze the multivariate generalization of Howgrave-Graham’s algorithm for the approximate common divisor problem. In the m-variable case with modulus N and approximate common divisor of size N^beta, this improves the size of the error tolerated from N^(beta^2) to N^(beta^((m+1)/m)), under a commonly used heuristic assumption. This gives a more detailed analysis of the hardness assumption underlying the recent fully homomorphic cryptosystem of van Dijk, Gentry, Halevi, and Vaikuntanathan. While these results do not challenge the suggested parameters, a 2^(n^epsilon) approximation algorithm with epsilon<2/3 for lattice basis reduction in n dimensions could be used to break these parameters. We have implemented our algorithm, and it performs better in practice than the theoretical analysis suggests. Our results fit into a broader context of analogies between cryptanalysis and coding theory. The multivariate approximate common divisor problem is the number-theoretic analogue of multivariate polynomial reconstruction, and we develop a corresponding lattice-based algorithm for the latter problem. In particular, it specializes to a lattice-based list decoding algorithm for Parvaresh-Vardy and Guruswami-Rudra codes, which are multivariate extensions of Reed-Solomon codes. This yields a new proof of the list decoding radii for these codes.


💡 Research Summary

The paper studies a multivariate extension of Howgrave‑Graham’s algorithm for the Approximate Common Divisor (ACD) problem and shows how lattice reduction can dramatically increase the tolerated error size. In the single‑variable case the algorithm can recover a hidden divisor p≈N^β when the perturbations r satisfy |r|≤N^{β²}. The authors prove that with m independent near‑multiples a_i = p·q_i + r_i of the same divisor p, the error bound improves to |r_i|≤N^{β^{(m+1)/m}} (up to lower‑order factors). This result is formalized in Theorem 1, which requires the product of the error bounds X_i to be less than N^{β·(m+1)/m}(1+o(1)). The analysis relies on constructing a lattice of dimension at most β·log N, applying LLL (or a stronger BKZ) to obtain m short, algebraically independent vectors that correspond to polynomials having the r_i as roots, and then solving the resulting system. An “algebraic independence hypothesis” is needed, but the authors argue it holds for generic inputs and is supported by experiments.
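As an added illustration (not the paper's own code) of the lattice step described above, the following Python sketch runs the simplest bivariate instance: the lattice spanned by N and the two degree-one polynomials a_i - x_i (with x_i scaled by the error bound X) is reduced with a textbook LLL, the two shortest vectors correspond to polynomials that vanish exactly at (r_1, r_2), and solving that linear system recovers the errors. All numbers come from a constructed toy instance; the paper's higher-degree polynomial shifts, which are what reach the N^{β^{(m+1)/m}} bound, are not included in this degree-one lattice.

```python
from fractions import Fraction
import random

def lll(B, delta=Fraction(3, 4)):
    # Textbook LLL on integer row vectors; Gram-Schmidt is recomputed from scratch
    # after every change, which is fine for the tiny lattices used here.
    B, n = [list(b) for b in B], len(B)
    dot = lambda u, v: sum(Fraction(x) * y for x, y in zip(u, v))
    def gso():
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu
    k = 1
    while k < n:
        Bs, mu = gso()
        for j in range(k - 1, -1, -1):          # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                B[k] = [x - q * y for x, y in zip(B[k], B[j])]
                Bs, mu = gso()
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                               # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            k = max(k - 1, 1)
    return B

def recover_errors(N, a1, a2, X):
    # Bivariate ACD with degree-1 polynomials N, a1 - x1, a2 - x2 (x_i scaled by X).
    # A lattice vector v = [v0, v1, v2] encodes g(x1, x2) = v0 + (v1/X) x1 + (v2/X) x2 with
    # g(r1, r2) = 0 mod p; if ||v||_1 < p it vanishes over Z, so the two shortest reduced
    # vectors give the integer linear system v1*r1 + v2*r2 = -X*v0, solved by Cramer's rule.
    v, w = sorted(lll([[N, 0, 0], [a1, -X, 0], [a2, 0, -X]]), key=lambda u: sum(x * x for x in u))[:2]
    det = v[1] * w[2] - v[2] * w[1]
    r1 = Fraction(X * (w[0] * v[2] - v[0] * w[2]), det)
    r2 = Fraction(X * (v[0] * w[1] - v[1] * w[0]), det)
    return (int(r1), int(r2)) if r1.denominator == r2.denominator == 1 else None

def toy_instance(seed=1):
    # Constructed instance: 60-bit p, N = p*q0 of ~100 bits (beta ~ 0.6), 28-bit errors, X = 2^30.
    rng = random.Random(seed)
    p = rng.getrandbits(60) | (1 << 59) | 1
    q0, q1, q2 = (rng.getrandbits(40) | (1 << 39) for _ in range(3))
    r1, r2 = rng.getrandbits(28), rng.getrandbits(28)
    return p, p * q0, p * q1 + r1, p * q2 + r2, 1 << 30, r1, r2
```

The determinant heuristic for this 3-dimensional lattice is (N X²)^{1/3}, far below p ≈ N^{0.6} here, so both reduced vectors are short enough for the Howgrave-Graham argument to apply; pushing X up to the theoretical limit requires the larger lattices the paper describes.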

The paper also treats the “general” ACD problem where the exact multiple N is unknown. Theorem 2 shows a similar bound with a constant C_m≈1−log m/m, again under the same independence hypothesis.

A major contribution is the explicit connection between the integer ACD problem and noisy multivariate polynomial reconstruction. Given m polynomials g_i(z) evaluated at n points with some corrupted values, the task of recovering the original polynomials is shown to be equivalent to finding a large approximate common divisor of a polynomial N(z) and a set of approximations f_i(z). Theorem 3 gives the polynomial analogue of Theorem 1, and Theorem 4 applies this to Parvaresh‑Vardy and Guruswami‑Rudra codes, providing a lattice‑based proof of their list‑decoding radii. In the polynomial setting the lattice reduction is more effective, allowing the independence hypothesis to be avoided for certain code constructions.

From a cryptographic perspective, the authors analyze the security assumption underlying the fully homomorphic encryption scheme of van Dijk, Gentry, Halevi, and Vaikuntanathan. They observe that if lattice reduction could achieve an approximation factor 2^{(dim L)^ε} with ε<2/3 for the specific lattices arising in the ACD problem, the suggested parameters of the scheme would be broken. Thus the hardness of the multivariate ACD problem directly translates into concrete security margins for the scheme.

The authors implement their algorithm and report that it performs significantly better in practice than the theoretical bounds predict. The error tolerance is larger, and the running time improves by orders of magnitude when the number of samples m grows, making the approach practical for both cryptographic attacks and coding‑theoretic decoding.

In summary, the paper provides (1) a rigorous multivariate lattice‑based analysis of the Approximate Common Divisor problem, (2) a bridge between integer ACD and noisy multivariate polynomial reconstruction, (3) new lattice‑based proofs of list‑decoding radii for advanced algebraic codes, and (4) concrete implications for the security of fully homomorphic encryption. The work highlights how advances in lattice reduction directly affect both cryptanalysis and coding theory, and it opens avenues for future research on improving lattice algorithms or applying the multivariate ACD framework to other cryptographic primitives.
