Multi-Round Passive Attacks on Server-Aided RSA Protocols

Johannes Merkle
Secunet Security Networks AG
Mergenthalerallee 77
65760 Eschborn, Germany

ABSTRACT

At Crypto'88, Matsumoto, Kato, and Imai presented two server-aided RSA protocols, RSA-S1 and RSA-S2, which speed up a client's RSA signature generation by interacting with a computationally strong but untrusted server. These protocols are quite attractive by their efficiency, but unfortunately they are susceptible to multi-round active attacks. Therefore, at Eurocrypt'92, Pfitzmann and Waidner suggested renewing the decomposition of the secret key after each signature generation. In this paper we show that in this case the non-binary version of RSA-S1 becomes totally insecure. Our experiments show that the secret key can be reconstructed very efficiently by lattice reduction using the data obtained by the server during some executions of the protocol. On the other hand, we show that if the decomposition of the secret key is slightly modified, our attacks become inefficient. This modification does not significantly affect the efficiency of the protocol. Furthermore, we present a very simple attack on the server-aided RSA protocol presented by Hong, Shin, Lee-Kwang and Yoon at ICISC'98. For the parameters suggested by the authors we can factor the modulus in only $2^{37}$ steps.

Categories and Subject Descriptors

E.3 [Data]: Data Encryption - Public Key Cryptosystems; F.2.1 [Analysis of Algorithms and Problem Complexity]: Numerical Algorithms and Problems - Computations on Matrices

General Terms

Algorithms, Security

Keywords

Digital signatures, server aided secret computation, RSA, knapsack problem

1. INTRODUCTION

In many applications smart cards are required to generate RSA signatures. Due to the computational complexity of this operation and the limited computational abilities of today's smart cards, this task can only be performed using specialized hardware, which significantly increases the costs.¹ On the other hand, in most applications the smart card is connected to a computationally more powerful server (e.g. a point-of-sale terminal) while generating the signature. The idea of [13] is to let the server perform the main part of the computation without giving it enough information to reconstruct the secret key. This general concept is called server-aided secret computation, and in the case of RSA signature generation the corresponding protocols are called server-aided RSA protocols.²

Several server-aided RSA protocols have been proposed. The protocols in [17, 12, 3] are all variants of the protocols RSA-S1 and RSA-S2 proposed by Matsumoto, Kato and Imai [13]. They use a random linear decomposition of the secret key, while the protocol in [6] is based on addition chains.

In general, there are two kinds of attacks on server-aided RSA protocols. Passive attacks only use the data obtained by the server during correct executions of the protocol. In contrast, active attacks use information obtained by a server deviating from the specification of the protocol. The protocol in [17] is as secure against passive attacks as RSA, and some of the protocols in [13, 12] can be proven secure against one-round passive attacks in a restricted computational model [15]. On the other hand, many active attacks, such as [9, 2], are thwarted if the smart card checks the generated signature and only sends it to the server if it is correct (see [3] or [11]). Since the public key $e$ may be chosen to be a small number (e.g. $e = 3$), this countermeasure is quite efficient. However, even if the signature is checked, multi-round active attacks are still possible (see e.g. [4, 7]). Therefore, in [16] it was pointed out that changing the secret decomposition after each signature generation would prevent all multi-round active attacks, and the question was raised whether this countermeasure would allow new passive attacks.

In this paper we demonstrate that the answer to this question is yes. We present a lattice-based multi-round passive attack on the non-binary version of RSA-S1 in the case that the decomposition is randomly renewed after each signature generation. Our attack recovers the secret key using only the data given to the server during some executions of the protocol. For many parameters protecting against all known one-round attacks, our attack succeeds within a few days on a single workstation.

In section 3 we present a new passive attack against the server-aided RSA protocol proposed by Hong, Shin, Lee-Kwang and Yoon [6]. Using the data exchanged during two protocol executions, this attack drastically reduces the search space of an exhaustive search by cancelling out part of the information the secret key is hidden by. When using the parameters suggested by the authors, our attack factors the modulus in only $2^{37}$ steps.

¹ Although the major pricing factor for smart cards is sales volume, the contribution of the embedded chip should not be underestimated: an IC with cryptocontroller costs approximately twice as much as an IC without [8].
² It should be noted that due to the relatively slow I/O interface of smart cards the practical relevance of these protocols remains questionable. However, there may be applications where a trade-off between computation and communication complexity is required.

2. A NEW ATTACK ON RSA-S1

For the rest of the paper let $N = pq$ be the RSA modulus, $\phi(N) = (p-1)(q-1)$ the order of the multiplicative group $\mathbb{Z}_N^*$, $d$ the secret and $e$ the public key. We assume that $p-1$ and $q-1$ both have large prime factors $r$ and $s$. (This is a usual security requirement for RSA and holds for randomly chosen $p$ and $q$ with high probability.)

2.1 Description of RSA-S1

We briefly review the protocol RSA-S1. Assume that a client wants to sign a (hashed) message $M$ using the help of a server. In the following let $m$, $k$ and $\ell$ be the parameters of the protocol. Furthermore, for an integer $z$ let $\mathrm{wt}(z)$ denote the Hamming weight of $z$.

2.1.1 The protocol

In order to generate a signature the client and the server perform the following steps:

0. The client chooses $f = (f_1,\dots,f_m) \in [0, 2^\ell - 1]^m$ with $\sum_i \mathrm{wt}(f_i) = k$ and $d = (d_1,\dots,d_m) \in [0, \phi(N)-1]^m$ so that $\sum_i f_i d_i = d \bmod \phi(N)$ holds.
1. The client sends $N, d_1,\dots,d_m$ and $M$ to the server.
2. The server computes and returns to the client $z_1,\dots,z_m$, where $z_i = M^{d_i} \bmod N$.
3. The client computes the signature $S := \prod_i z_i^{f_i} \bmod N$.

Obviously, as long as the server follows the protocol the signature is correct, i.e. $S = M^d \bmod N$.

2.1.2 Random decomposition of the secret key

We assume that, in order to prevent active attacks like [7], the decomposition $(f, d)$ of the secret key is renewed after each signature generation, i.e. that each signature generation starts with step 0. Thereby we assume that the decompositions are chosen in the following way: first $f$ is chosen according to an arbitrary distribution, and then $d$ is chosen uniformly from all $x \in [0, \phi(N)-1]^m$ with $\sum_i f_i x_i = d \bmod \phi(N)$. This assumption is only needed to analyse our approach for solving the knapsack problem in the second step of the attack.

2.1.3 Choice of the parameters

In [16] it has been shown that using $N, M, S$ and $d_1,\dots,d_m$ the secret key can be recovered in $O(C \log C)$ steps with $C := \binom{k\ell}{k}$. On the other hand, in [15] this attack has been shown to be optimal within the model of generic algorithms. Therefore, in our analysis of RSA-S1 we will consider parameters $m, k, \ell$ with $\binom{k\ell}{k} \ge 2^{64}$.

2.2 Exploiting the renewal of the decomposition

Assume that the protocol has been executed several times. Then we have
$$\sum_{i=1}^m f_i d_i = \sum_{i=1}^m f'_i d'_i \pmod{\phi(N)} \qquad (1)$$
for each pair of decompositions $(f, d), (f', d')$. The following arguments show that with probability at least $1/(k2^\ell)$ equation (1) holds over the integers as well. W.l.o.g. we may assume that the secret key $d$ is chosen from the interval $[1, \phi(N)-1]$. Since $\sum_{i=1}^m f_i d_i \le k2^\ell \phi(N)$ we get
$$\sum_{i=1}^m f_i d_i = d + j\,\phi(N) \qquad (2)$$
with $j \in [0, k2^\ell - 1]$. Thus $\sum_{i=1}^m f_i d_i$ can only take $k2^\ell$ different integer values. For $j = 0,\dots,k2^\ell-1$ let $P_j$ be the probability that (2) holds. Then (1) holds over the integers for two independent decompositions with probability
$$\sum_{j=0}^{k2^\ell-1} P_j^2 \;\ge\; \frac{1}{k2^\ell}\Big(\sum_{j=0}^{k2^\ell-1} P_j\Big)^2 \;=\; \frac{1}{k2^\ell},$$
where the inequality is the Cauchy-Schwarz inequality. Hence, with probability at least $1/(k2^\ell)$ two distinct decompositions yield a non-trivial knapsack problem with $\ell$-bit weights. We will now show how this knapsack problem can be solved efficiently.

2.3 Solving the knapsack problem

Our approach to solving the knapsack problem defined by two decompositions $(f, d), (f', d')$ fulfilling (1) over the integers is to reduce the lattice basis given by
$$
\begin{pmatrix} a_1 \\ \vdots \\ a_m \\ a_{m+1} \\ \vdots \\ a_{2m} \\ a_{2m+1} \end{pmatrix}
=
\begin{pmatrix}
1 & & 0 & 0 & & 0 & 0 & Kd_1 \\
& \ddots & & & & & \vdots & \vdots \\
0 & & 1 & 0 & & 0 & 0 & Kd_m \\
0 & & 0 & 1 & & 0 & 0 & -Kd'_1 \\
& & & & \ddots & & \vdots & \vdots \\
0 & & 0 & 0 & & 1 & 0 & -Kd'_m \\
c & \cdots & c & c & \cdots & c & c & 0
\end{pmatrix}
$$
with $c := (2^\ell - 1)/2$ and a large constant $K$. The following analysis estimates the probability that the shortest vector of this lattice reveals the secret vectors $f, f'$.

The following theorem is a slight variation of a result from [5] and shows that if one extends our lattice basis by the additional vector $a_{2m+2} := (0,\dots,0,K\phi(N))$ and if $2^{2m(\ell+1.0471)} \ll rs$, then the shortest lattice vector almost always reveals $f$ and $f'$. The proof is given in the appendix.

Theorem 2.1. Let $n, C$ be positive integers, $K > C\sqrt{n+1}$ and $R$ a positive integer with distinct prime factors $p_1,\dots,p_t > 2C^2\sqrt{n+1}$. For fixed $y \in [0,C]^n \setminus \{0\}$ let $a$ be chosen randomly from $[0, R-1]^n$ so that
$$\sum_{i=1}^n y_i a_i = 0 \qquad (3)$$
holds modulo $R$. Then at least with probability
$$1 - \frac{4\sqrt{n+1}\; C^n\; 2^{1.0471n}}{p_1 \cdots p_t}$$
the shortest vector $x_0$ of the lattice $L$ generated by
$$
\begin{pmatrix} b_1 \\ \vdots \\ b_n \\ b_{n+1} \\ b_{n+2} \end{pmatrix}
=
\begin{pmatrix}
1 & & 0 & 0 & Ka_1 \\
& \ddots & & \vdots & \vdots \\
0 & & 1 & 0 & Ka_n \\
C/2 & \cdots & C/2 & C/2 & 0 \\
0 & \cdots & 0 & 0 & KR
\end{pmatrix}
$$
satisfies
$$x_0 - \frac{2x_{0,n+1}}{C}\, b_{n+1} = \lambda\,(y_1,\dots,y_n,0,0)$$
with a suitable $\lambda \in \mathbb{Z}$.

Of course an attacker is not able to handle the additional vector $a_{2m+2}$, as $\phi(N)$ is unknown to her. But as we have seen in section 2.2, with probability at least $1/(k2^\ell)$ equation (1) holds over the integers too, and then $a_{2m+2}$ does not contribute to $(f_1,\dots,f_m,f'_1,\dots,f'_m,0,0)$. Using theorem 2.1 (with $n = 2m$, $C = 2^\ell - 1$ and $p_1 p_2 = rs$) we obtain that at least with probability
$$\frac{1}{k2^\ell}\left(1 - \frac{4\sqrt{2m+1}\; 2^{2m(\ell+1.0471)}}{rs}\right)$$
the shortest vector of the lattice generated by $a_1,\dots,a_{2m+1}$ reveals $f$ and $f'$.

Once a vector $v$ with $\lambda v = (f_1,\dots,f_m,f'_1,\dots,f'_m)$ for some $\lambda \in \mathbb{Z}$ is found, the exact vectors $f$ and $f'$ can be determined by checking the equation $\prod_{i=1}^m M^{\lambda v_i d_i} = S \bmod N$ for all $\lambda \in \mathbb{Z}$ with $\|\lambda v\|_\infty < 2^\ell$.

2.4 The attack

We give a summary of our attack.

1. Construct the lattice basis $a_1,\dots,a_{2m+1}$ as defined above using the data $M, S, d_1,\dots,d_m$ and $M', S', d'_1,\dots,d'_m$ obtained during two executions of the protocol.
2. Use efficient algorithms for lattice basis reduction (e.g. [10, 18, 19]) to compute a short lattice vector $x_0$.
3. Set $v := x_0 - \dfrac{x_{0,2m+1}}{c}\, a_{2m+1}$ (this cancels the $(2m+1)$-th coordinate, whose entry in $a_{2m+1}$ is $c$).
4. For all $\lambda \in \mathbb{Z}$ satisfying $\|\lambda v\|_\infty < 2^\ell$ compute $\tilde S := \prod_{i=1}^m M^{\lambda v_i d_i} \bmod N$. If $\tilde S = S$, output $\tilde d := \sum_{i=1}^m \lambda v_i d_i$.

The attack succeeds if equation (1) holds over the integers, $x_0$ is the shortest lattice vector and theorem 2.1 applies. By our analysis the first condition holds with probability $1/(k2^\ell)$, and if $2^{2m(\ell+1.0471)} \ll rs$ theorem 2.1 applies with very high probability. Unfortunately, there is no efficient lattice reduction algorithm known that is guaranteed to find the shortest vector in any lattice.³ On the other hand, for large $r$ and $s$ one can see from the proof of theorem 2.1 that with high probability there is a large gap between the lengths of the shortest and the second shortest lattice vector, and therefore the reduction algorithms mentioned are likely to find the shortest vector.

³ Ajtai [1] has given some evidence that such an algorithm might not exist unless P = NP.

2.5 Results

We have implemented the attack described above on a workstation HP 9000/C200 with 256 MB memory. We chose a 1000-bit RSA modulus and parameters providing a security of $2^{72}$ against the attacks of [16]. For lattice reduction we used the LLL algorithm in the version of [18] and the pruned block reduction algorithm from [19]. In Table 1 we list the average running times (in minutes) of our attack resulting from 20 experiments for each set of parameters. Using random $p, q, d$ for each experiment, two decompositions have been chosen randomly until (1) held over the integers. The resulting basis $(a_1,\dots,a_{2m+1})$ has been reduced using first the LLL algorithm [18] and then, if necessary, the pruned block reduction algorithm from [19]. Further we list our success rate, i.e. the rate of experiments that revealed the decompositions, and the expected workload (in hours) of the attack, which is given by the average running time multiplied by $k2^\ell$ and divided by the success rate.

Table 1: The attack against RSA-S1 with 1000-bit modulus.

   m    k    ℓ   Time (min)   Success (%)   Workload (h)
  25   28   11        0.2          100            180
  32   26   10        0.5          100            210
  38   26    9        0.8          100            180
  42   26    8        1.4          100            150
  48   26    7        3.4           70            270
  56   26    6       17             10           4700

2.6 A simple countermeasure

Our attacks can be thwarted by a slight modification of the decomposition step. In the following let $c$ be a positive integer. Assume that the decomposition step is carried out in the following way: first $f \in [0, 2^\ell)^m$ is chosen randomly with Hamming weight $k$ and $\gcd(f_{i_0}, \phi(N)) = 1$ for at least one $i_0$. Then all $d_i$ with $i \ne i_0$ are chosen randomly and independently from $[0, c\phi(N))$. Finally, we set
$$d_{i_0} := f_{i_0}^{-1}\Big(d - \sum_{i \ne i_0} f_i d_i\Big) \bmod \phi(N) \;+\; \gamma\,\phi(N)$$
with a random $\gamma \in [0, c-1]$. By this decomposition method the memory requirements are increased by $m \log c$ bits. On the other hand, for two decompositions $(f, d)$ and $(f', d')$ the probability that (1) holds over the integers is at most $1/c$, as $\sum_i f_i d_i$ takes $c$ different integer values as $\gamma$ varies over $[0, c-1]$.

3. ATTACKING THE HSLY-PROTOCOL

In 1998, Hong, Shin, Lee-Kwang and Yoon proposed a new protocol for server-aided RSA computations [6]. The approach of this protocol was rather different from that of RSA-S1 and RSA-S2 and seemed to be quite promising by its efficiency. Unfortunately, the protocol is not secure: using the data exchanged during two executions of the protocol, it is possible to cancel out part of the secret information the private key is hidden by. As a consequence, for the parameters suggested by the authors the private key can be computed in only $2^{37}$ steps.

3.1 Description of the HSLY-protocol

We briefly review the HSLY-protocol. Again, we assume that $r := (p-1)/2$ and $s := (q-1)/2$ are primes. Let $w_p := q\,(q^{-1} \bmod p)$ and $w_q := p\,(p^{-1} \bmod q)$, and let $b_R$, $b_{R'}$, $k$ with $b_{R'} < \log r, \log s$ be the parameters of the protocol.

3.1.1 The precomputation stage

Before the first execution of the protocol the client has to perform the following computation.

1. The client chooses two random integers $R$ and $R'$ of length $b_R$ and $b_{R'}$, respectively. Let $a_1,\dots,a_l$ be the square-and-multiply addition chain of $R$.
2. The client chooses random $r_1,\dots,r_k \in \{a_1,\dots,a_l\}$ (multiple selection of an $a_i$ is allowed) and a random segmentation $\bar r_1 \| \bar r_2 \| \dots \| \bar r_k = R'$, where $\|$ denotes concatenation. Then he sets $r'_i := 2\bar r_i + 1$ for $i = 1,\dots,k$.
3. The client computes
$$t_0 := r'^{-1}_k\Big(\cdots\big(r'^{-1}_1 (d - r_1) - r_2\big)\cdots - r_k\Big) - R \bmod \phi(N) \qquad (4)$$
and $u = \prod_{i=1}^k r'^{-1}_i \bmod \phi(N)$.

In [6] it is stressed that the above precomputation is only performed once and not for every signature generation.

3.1.2 Signature generation

When the client wants to sign a message $M$, he contacts a server and they execute the following protocol.

1. The client chooses a random $d_1$, computes $d_2 := d - d_1$ and $t := t_0 - u d_2 \bmod \phi(N)$, and sends $M, N, t$ to the server.
2. The server returns $Z := M^t \bmod N$.
3. The client computes
$$z_p := \Big(\cdots\big((Z \cdot M^R)^{r'_k} \cdot M^{r_k}\big)^{r'_{k-1}} \cdots\Big)^{r'_1} \cdot M^{r_1} \bmod p, \qquad z_q := \Big(\cdots\big((Z \cdot M^R)^{r'_k} \cdot M^{r_k}\big)^{r'_{k-1}} \cdots\Big)^{r'_1} \cdot M^{r_1} \bmod q.$$
Then he computes $\rho_p := d_2 \bmod (p-1) + \alpha_p (p-1)$ with random $\alpha_p \in [0, q-2]$ and $\rho_q := d_2 \bmod (q-1) + \alpha_q (q-1)$ with random $\alpha_q \in [0, p-2]$. Finally, he sends $\rho_p, \rho_q$ to the server.
4. The server returns $y_p := M^{\rho_p} \bmod N$ and $y_q := M^{\rho_q} \bmod N$.
5. The client computes $S = w_p y_p z_p + w_q y_q z_q \bmod N$. If $S^e = M \bmod N$ he outputs the signature $S$.

In [6], the authors claimed that every passive attack has to search a space of size at least $\min\big(2^{b_R + b_{R'}} \binom{b_{R'}}{k} (3b_R/2)^k,\; 2^{b_R + 2b_{R'} + 1}\big)$.⁴ Hence, they suggested choosing parameters for which this value is at least $2^{64}$. As an example they suggested $b_R = 4$, $b_{R'} = 30$ and $k = 5$.

⁴ The estimates in [6] are not very accurate. The search spaces of the attacks considered there have size $2^{b_R + b_{R'}} \binom{b_{R'}-1}{k-1} (3b_R/2)^k$ and $2^{b_R + 2b_{R'} + 2k}$, respectively.

3.2 The attack

The following arguments show that an attacker does not need to determine $R$ at all. Using the data obtained during two protocol executions, all $r_i$ can be cancelled out. From the protocol we have
$$t_0 = u d - \sum_{i=1}^k r_i \Big(\prod_{j=i}^k r'_j\Big)^{-1} - R \bmod \phi(N).$$
Using $t = t_0 - u(d - d_1) \bmod \phi(N)$ and $u^{-1} = \prod_{j=1}^k r'_j \bmod \phi(N)$ we obtain
$$d_1 = u^{-1}(t + R) + \sum_{i=1}^k r_i \prod_{j=1}^{i-1} r'_j \bmod \phi(N).$$
Now assume that the values $t^{[1]}, d_1^{[1]}, d_2^{[1]}, \rho_p^{[1]}$ and $t^{[2]}, d_1^{[2]}, d_2^{[2]}, \rho_p^{[2]}$ are the values of $t, d_1, d_2, \rho_p$ in two executions of the HSLY-protocol. Since $u$, $R$ and all the $r_i, r'_i$ are constant we obtain
$$d_1^{[1]} - d_1^{[2]} = u^{-1}\big(t^{[1]} - t^{[2]}\big) \bmod \phi(N). \qquad (5)$$
Furthermore, we have $\rho_p^{[i]} = d_2^{[i]} \bmod (p-1)$ for $i = 1, 2$ and thus
$$\rho_p^{[1]} - \rho_p^{[2]} + v\big(t^{[1]} - t^{[2]}\big) = d_2^{[1]} - d_2^{[2]} + d_1^{[1]} - d_1^{[2]} = 0 \bmod (p-1)$$
with $v := u^{-1} \bmod \phi(N)$. Now our attack is obvious. For all $x_1,\dots,x_k$ with total binary length $b_{R'}$ and random $X \in \mathbb{Z}$ set $v' := \prod_{i=1}^k (2x_i + 1)$ and compute the gcd of $X^{\rho_p^{[1]} - \rho_p^{[2]} + v'(t^{[1]} - t^{[2]})} - 1$ and $N$. Since $X$ is a random integer, $X^{\rho_p^{[1]} - \rho_p^{[2]} + v'(t^{[1]} - t^{[2]})} \ne 1 \bmod q$ holds with overwhelming probability. On the other hand, if $(x_1,\dots,x_k)$ equals $(\bar r_1,\dots,\bar r_k)$ up to permutation then $v' = u^{-1} \bmod \phi(N)$ and thus the gcd reveals $p$. This happens with probability approximately
$$2^{-b_{R'}} \binom{b_{R'}-1}{k-1}^{-1} k!\,.$$
For the parameters $b_R = 4$, $b_{R'} = 30$ and $k = 5$ assumed by the authors, this is $2^{-37.6}$.
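As an added example (not code from [6] or from this paper), the following Python program implements the HSLY precomputation and signature generation of section 3.1 and the two-execution attack of section 3.2 on a constructed toy instance. The primes $p = 10^9 + 7$ and $q = 10^9 + 9$, the parameters $b_R = 4$, $b_{R'} = 8$, $k = 2$, $e = 65537$, the RNG seed and the fixed base $X = 2$ are choices made here, not the paper's; $(p-1)/2$ and $(q-1)/2$ are not prime for these $p, q$, which the attack never uses, and the segmentation of $R'$ is redrawn until every $r'_i$ is invertible modulo $\phi(N)$, as equation (4) requires. The search enumerates all $2^{b_{R'}} \binom{b_{R'}-1}{k-1}$ segmentations of a $b_{R'}$-bit string (at most 1792 here), exactly the count given in the text.

```python
import itertools, math, random

P, Q = 1000000007, 1000000009            # constructed toy primes (the paper uses a 1000-bit modulus)
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)
B_R, B_RP, K = 4, 8, 2                    # b_R, b_{R'}, k: tiny so the search below runs instantly
W_P, W_Q = Q * pow(Q, -1, P), P * pow(P, -1, Q)   # the CRT weights w_p, w_q

def addition_chain(R):
    """Square-and-multiply addition chain a_1, ..., a_l of R (a_1 = 1)."""
    chain = [1]
    for bit in format(R, "b")[1:]:
        chain.append(2 * chain[-1])
        if bit == "1":
            chain.append(chain[-1] + 1)
    return chain

def segments(Rp, cuts):
    """Split the b_{R'}-bit string of R' at the given cut positions."""
    bits = format(Rp, f"0{B_RP}b")
    return [int(bits[a:b], 2) for a, b in zip((0,) + cuts, cuts + (B_RP,))]

def precompute(rng):
    """HSLY precomputation, done once: R, r_i, r'_i, t_0 (eq. (4)) and u."""
    R = rng.getrandbits(B_R) | 1 << (B_R - 1)
    r = [rng.choice(addition_chain(R)) for _ in range(K)]
    while True:
        Rp = rng.getrandbits(B_RP)
        cuts = tuple(sorted(rng.sample(range(1, B_RP), K - 1)))
        rp = [2 * s + 1 for s in segments(Rp, cuts)]            # r'_i := 2 \bar r_i + 1
        if all(math.gcd(x, PHI) == 1 for x in rp):              # r'_i must be invertible mod phi(N)
            break
    t0 = D
    for ri, rpi in zip(r, rp):                                  # eq. (4), evaluated inside out
        t0 = pow(rpi, -1, PHI) * (t0 - ri) % PHI
    t0 = (t0 - R) % PHI
    u = 1
    for rpi in rp:
        u = u * pow(rpi, -1, PHI) % PHI
    return dict(R=R, r=r, rp=rp, t0=t0, u=u)

def hsly_sign(M, pre, rng):
    """One signature generation; returns S and the server's view (t, rho_p)."""
    d1 = rng.randrange(PHI)
    d2 = (D - d1) % PHI
    t = (pre["t0"] - pre["u"] * d2) % PHI
    Z = pow(M, t, N)                                            # server: Z = M^t
    def unwind(mod):                                            # client: z = M^{d_1} mod p (resp. q)
        z = Z * pow(M, pre["R"], mod) % mod
        for ri, rpi in zip(reversed(pre["r"]), reversed(pre["rp"])):
            z = pow(z, rpi, mod) * pow(M, ri, mod) % mod
        return z
    zp, zq = unwind(P), unwind(Q)
    rho_p = d2 % (P - 1) + rng.randrange(Q - 1) * (P - 1)       # alpha_p in [0, q - 2]
    rho_q = d2 % (Q - 1) + rng.randrange(P - 1) * (Q - 1)       # alpha_q in [0, p - 2]
    yp, yq = pow(M, rho_p, N), pow(M, rho_q, N)                 # server: M^{rho_p}, M^{rho_q}
    S = (W_P * yp * zp + W_Q * yq * zq) % N
    assert pow(S, E, N) == M                                    # the client's own check
    return S, t, rho_p

def attack(run1, run2, X=2):
    """Section 3.2: the r_i cancel between two runs; search the segmentations of R'."""
    (_, t1, rho1), (_, t2, rho2) = run1, run2
    trials = 0
    for cuts in itertools.combinations(range(1, B_RP), K - 1):
        for Rp in range(1 << B_RP):
            trials += 1
            v = 1
            for s in segments(Rp, cuts):
                v *= 2 * s + 1                                  # candidate v' for u^{-1}
            expo = rho1 - rho2 + v * (t1 - t2)                  # == 0 mod (p - 1) for the right v'
            g = math.gcd(pow(X, expo, N) - 1, N)
            if 1 < g < N:
                phi = (g - 1) * (N // g - 1)                    # factor found: phi(N) and d follow
                return g, pow(E, -1, phi), trials
    return None

def demo(seed=7):
    rng = random.Random(seed)
    pre = precompute(rng)
    runs = [hsly_sign(rng.randrange(2, N), pre, rng) for _ in range(2)]
    return attack(*runs)
```

`demo()` returns the factor the gcd exposed, the private exponent recomputed from it (equal to `D`), and the number of candidates tried; the exponent passed to `pow` may be negative, which Python resolves through the modular inverse of $X$ since $\gcd(X, N) = 1$. Note that $R$ is never searched for, which is the whole point of section 3.2.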

4. REFERENCES

[1] M. Ajtai. The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract). In Proceedings of the 30th Ann. ACM Symp. on Theory of Computing (STOC), pages 10-19, 1998.
[2] R. J. Anderson. Attack on server assisted authentication protocols. Electronics Letters, 28(15):1473, 1992.
[3] P. Beguin and J. J. Quisquater. Fast server-aided RSA signatures secure against active attacks. In Advances in Cryptology - Proceedings of Crypto'95, volume 963 of LNCS, pages 57-69. Springer Verlag, 1995.
[4] J. Burns and C. Mitchell. Parameter selection for server-aided RSA computation schemes. IEEE Transactions on Computers, 43(2):163-174, 1994.
[5] M. Coster, A. Joux, B. LaMacchia, A. Odlyzko, C. Schnorr, and J. Stern. Improved low-density subset sum algorithms. Computational Complexity, 2:111-128, 1992.
[6] S. Hong, J. Shin, H. Lee-Kwang, and H. Yoon. A new approach to server-aided secret computation. In Proceedings of the 1st International Conference on Information Security and Cryptology - ICISC'98, pages 33-45. DongKwang Publishing Company, 1998.
[7] G. Horng. An active attack on protocols for server-aided RSA signature computation. Information Processing Letters, 65:71-73, 1998.
[8] Infineon Technologies. Private communication, 2000.
[9] S. Kawamura and A. Shimbo. Performance analysis of server-aided secret computation protocols for the RSA cryptosystem. The Transactions of the IEICE, E73(7):1073-1080, 1990.
[10] A. Lenstra, H. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261:515-534, 1982.
[11] C. H. Lim and P. J. Lee. Security and performance of server-aided RSA computation protocols. In Advances in Cryptology - Proceedings of Crypto'95, volume 963 of LNCS, pages 70-83, Berlin, 1995. Springer Verlag.
[12] T. Matsumoto, H. Imai, C. S. Laih, and S. M. Yen. On verifiable implicit asking protocols for RSA computation. In Advances in Cryptology - Proceedings of Auscrypt'92, volume 718 of LNCS, pages 296-307, Berlin, 1993. Springer Verlag.
[13] T. Matsumoto, K. Kato, and H. Imai. Speeding up computation with insecure auxiliary devices. In Advances in Cryptology - Proceedings of Crypto'88, volume 403 of LNCS, pages 497-506, Berlin, 1989. Springer Verlag.
[14] J. Mazo and A. Odlyzko. Lattice points in high-dimensional spheres. Monatsh. Math., 110(1):47-61, 1990.
[15] J. Merkle and R. Werchner. On the security of server-aided RSA protocols. In Proceedings of the First International Workshop on Practice and Theory in Public Key Cryptography - PKC'98, volume 1431 of LNCS, pages 99-116. Springer Verlag, 1998.
[16] B. Pfitzmann and M. Waidner. Attacks on protocols for server-aided RSA computation. In Advances in Cryptology - Proceedings of Eurocrypt'92, volume 658 of LNCS, pages 153-162, Berlin, 1993. Springer Verlag.
[17] J. J. Quisquater and M. De Soete. Speeding up smart card RSA computation with insecure coprocessors. In Proceedings of Smart Card 2000, pages 191-197. North Holland, 1991.
[18] C. Schnorr and M. Euchner. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming, 66:181-199, 1994.
[19] C. Schnorr and H. Hörner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Advances in Cryptology - Proceedings of Eurocrypt'95, volume 921 of LNCS, pages 1-12, Berlin, 1995. Springer Verlag.

APPENDIX

A. PROOF OF THEOREM 2.1

In the following let $y$ denote $(y_1,\dots,y_n,0,0)$.

We give a brief outline of the proof. First of all, note that if $x_0 = \sum_i \lambda_i b_i$ then
$$x_0 - \frac{2x_{0,n+1}}{C}\, b_{n+1} = \sum_{i \ne n+1} \lambda_i b_i .$$
Hence, it suffices to bound the probability that there is a lattice vector shorter than $(C/2)\sqrt{n+1}$ and linearly independent from $y$ and $b_{n+1}$ by $4\sqrt{n+1}\, C^n 2^{1.0471n}/(p_1 \cdots p_t)$. In the first step, we show that every $x \in \mathbb{Z}^{n+2}$ that is shorter than $(C/2)\sqrt{n+1}$ and linearly independent from $y$ and $b_{n+1}$ is contained in the lattice $L$ only with probability $(p_1 \cdots p_t)^{-1}$. In the second step, using arguments from [14], we bound the number of vectors $x \in \mathbb{Z}^{n+2}$ shorter than $(C/2)\sqrt{n+1}$ with $x_{n+1} \in (C/2)\mathbb{Z}$ and $x_{n+2} \in K\mathbb{Z}$ by $4\sqrt{n+1}\, C^n 2^{1.0471n}$. Since $x_{n+1} \in (C/2)\mathbb{Z}$ and $x_{n+2} \in K\mathbb{Z}$ are necessary conditions for $x \in L$, the theorem then follows. Since $y$ is not zero and $y_i \le C$ for all $i$, we have
$$\|x_0\|_2 \le \|y - b_{n+1}\|_2 < (C/2)\sqrt{n+1}. \qquad (6)$$

Fix a vector $x \in \mathbb{Z}^{n+2}$ that is shorter than $(C/2)\sqrt{n+1}$ and linearly independent from $y$ and $b_{n+1}$. Then $z := x - (2x_{n+1}/C)\, b_{n+1}$ is linearly independent from $y$ and shorter than $C\sqrt{n+1}$. If $x$ is contained in the lattice $L$ then, by $(C/2)\sqrt{n+1} < K$, it must have a zero entry in the last position, and thus $z$ satisfies
$$\sum_i z_i a_i = 0 \qquad (7)$$
modulo $R$. On the other hand, the linear independence of $z$ from $y$ implies $z_i y_j \ne z_j y_i$ for at least one pair $i, j$. Then, since $p_1$ is prime and greater than $2C^2\sqrt{n+1} > |z_i y_j| + |z_j y_i|$, the linear independence must hold modulo $p_1$ as well, and thus the probabilities for (7) and (3) holding modulo $p_1$ are independent. Since $p_1$ is prime and coprime to $p_2,\dots,p_t$, for $a$ chosen randomly fulfilling (3) modulo $R$, equation (7) holds modulo $p_1$ with probability $1/p_1$. Analogously, for all $i = 2,\dots,t$ equation (7) holds modulo $p_i$ with probability $1/p_i$. Altogether, we get that every vector $x \in \mathbb{Z}^{n+2}$ that is shorter than $(C/2)\sqrt{n+1}$ and linearly independent from $y$ and $b_{n+1}$ is contained in the lattice only with probability $(p_1 \cdots p_t)^{-1}$.

We now bound the number of vectors $x \in \mathbb{Z}^{n+2}$ shorter than $(C/2)\sqrt{n+1}$ with $x_{n+1} \in (C/2)\mathbb{Z}$ and $x_{n+2} \in K\mathbb{Z}$. Since $K > (C/2)\sqrt{n+1}$ we can assume $x_{n+2} = 0$, i.e. we only have to count the vectors $v \in \mathbb{Z}^n$ with $\|v\|_2 < (C/2)\sqrt{n+1}$ and multiply this number by $2\sqrt{n+1}$ (the number of admissible values of $x_{n+1}$). In [14] it is shown that for all $\alpha > 0$ the number of $n$-dimensional integer vectors $x$ with $\|x\|_2 \le \sqrt{\alpha n}$ is bounded by $e^{s_\alpha \alpha n} f(s_\alpha)^n$, where $s_\alpha$ is defined by $\frac{d}{ds} \ln f(s_\alpha) = -\alpha$, with $f(s) := \sum_{k=-\infty}^{\infty} e^{-sk^2}$. From [14] we know that
$$\lim_{\alpha \to \infty} \Big( s_\alpha \alpha + \ln f(s_\alpha) - \tfrac{1}{2}\ln(2\pi e \alpha) \Big) = 0$$
and
$$\frac{d}{d\alpha} \Big( s_\alpha \alpha + \ln f(s_\alpha) - \tfrac{1}{2}\ln(2\pi e \alpha) \Big) < 0 .$$
For $\alpha \ge 1$ we obtain $s_\alpha \alpha + \ln f(s_\alpha) \le \tfrac{1}{2}\ln(2\pi e \alpha) + \varepsilon$ with $\varepsilon := s_1 + \ln f(s_1) - \tfrac{1}{2}\ln(2\pi e)$. Thus, taking $\alpha = (C/2)^2 (n+1)/n$, we can bound the number of vectors $v \in \mathbb{Z}^n$ with $\|v\|_2 < (C/2)\sqrt{n+1}$ by
$$(C/2)^n \Big(\frac{n+1}{n}\Big)^{n/2} (2\pi e)^{n/2} e^{\varepsilon n} \;\le\; \sqrt{e}\; C^n\; 2^{\,n\left(\frac{1}{2}\log \pi + \frac{1}{2}\log e - \frac{1}{2} + \varepsilon \log e\right)} .$$
A numerical calculation yields $\varepsilon \log e < 10^{-8}$, and $\tfrac{1}{2}(\log \pi + \log e - 1) = 1.0471$. Hence, the number of vectors $x \in \mathbb{Z}^{n+2}$ shorter than $(C/2)\sqrt{n+1}$ with $x_{n+1} \in (C/2)\mathbb{Z}$ and $x_{n+2} \in K\mathbb{Z}$ is bounded by
$$2\sqrt{e}\,\sqrt{n+1}\; C^n\, 2^{1.0471n} \;<\; 4\sqrt{n+1}\; C^n\, 2^{1.0471n} .$$
This proves the theorem.
