Cryptographic Applications of Capacity Theory: On the Optimality of Coppersmith's Method for Univariate Polynomials

We draw a new connection between Coppersmith's method for finding small solutions to polynomial congruences modulo integers and the capacity theory of adelic subsets of algebraic curves. Coppersmith's method uses lattice basis reduction to construct an auxiliary polynomial that vanishes at the desired solutions. Capacity theory provides a toolkit for proving when polynomials with certain boundedness properties do or do not exist. Using capacity theory, we prove that Coppersmith's bound for univariate polynomials is optimal in the sense that there are \emph{no} auxiliary polynomials of the type he used that would allow finding roots of size $N^{1/d+\epsilon}$ for monic degree-$d$ polynomials modulo $N$. Our results rule out the existence of polynomials of any degree and do not rely on lattice algorithms, thus eliminating the possibility of even superpolynomial-time improvements to Coppersmith's bound. We extend this result to constructions of auxiliary polynomials using binomial polynomials, and rule out the existence of any auxiliary polynomial of this form that would find solutions of size $N^{1/d+\epsilon}$ unless $N$ has a very small prime factor.
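To make the objects in the abstract concrete, the following is an added worked example (not code from the paper or its authors) of the univariate Coppersmith method in Howgrave-Graham's formulation: it builds the lattice spanned by x^i N^{m-j} f(x)^j, reduces it with a small exact LLL written from scratch, reads the auxiliary polynomial h off the shortest vector, and extracts its integer roots. The modulus, root and polynomial are constructed toy values chosen here (two 30-bit primes, d = 2, m = 1); the bound X < N^{1/3}/2^{7/6} quoted in the comments is the worst-case LLL guarantee for this particular dimension-4 lattice, and the auxiliary polynomial it produces is exactly the kind whose existence the paper's capacity-theoretic result bounds.

```python
from fractions import Fraction

def lll(basis, delta=Fraction(3, 4)):
    """LLL-reduce an integer basis (rows); Gram-Schmidt is recomputed after every change,
    which is wasteful but exact and simple for the tiny lattices used here."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * sj for vi, sj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu
    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                              # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]

def poly_mul(p, q):
    """Product of polynomials given as low-degree-first integer coefficient lists."""
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, c in enumerate(q):
            r[i + j] += a * c
    return r

def poly_eval(p, x):
    return sum(c * x ** k for k, c in enumerate(p))

def real_roots(p, lo, hi, eps=Fraction(1, 2 ** 20)):
    """Real roots of integer polynomial p in [lo, hi], each located to within eps: p is
    monotone between consecutive roots of p' (found recursively), so exact rational
    bisection on each such piece cannot miss a simple root."""
    while len(p) > 1 and p[-1] == 0:
        p = p[:-1]
    lo, hi = Fraction(lo), Fraction(hi)
    if len(p) < 2:
        return []
    if len(p) == 2:
        r = Fraction(-p[0], p[1])
        return [r] if lo <= r <= hi else []
    cuts = [lo] + real_roots([k * c for k, c in enumerate(p)][1:], lo, hi, eps) + [hi]
    roots = []
    for a, b in zip(cuts, cuts[1:]):
        fa, fb = poly_eval(p, a), poly_eval(p, b)
        if fa == 0:
            roots.append(a)
        if fa * fb >= 0:
            continue
        while b - a > eps:
            mid = (a + b) / 2
            fm = poly_eval(p, mid)
            if fm == 0:
                a = b = mid
            elif (fm > 0) == (fa > 0):
                a, fa = mid, fm
            else:
                b = mid
        roots.append((a + b) / 2)
    return roots + ([hi] if poly_eval(p, hi) == 0 else [])

def small_roots(f, N, X, m=1):
    """Integer roots x0 of f(x) = 0 (mod N) with |x0| <= X, for monic low-degree-first f.
    Returns (roots, h), h being the auxiliary polynomial read off the shortest LLL vector."""
    d = len(f) - 1
    n = d * (m + 1)                                  # lattice dimension
    rows, fj = [], [1]
    for j in range(m + 1):                           # g_ij(x) = x^i * N^(m-j) * f(x)^j,
        for i in range(d):                           # each vanishing at x0 mod N^m
            g = [0] * i + [c * N ** (m - j) for c in fj]
            g += [0] * (n - len(g))
            rows.append([c * X ** k for k, c in enumerate(g)])   # coefficients of g(xX)
        fj = poly_mul(fj, f)
    v = lll(rows)[0]
    # Howgrave-Graham: h(x0) = 0 mod N^m, |x0| <= X and ||h(xX)|| < N^m/sqrt(n) force
    # h(x0) = 0 over the integers; LLL's shortest vector meets the norm bound whenever
    # X is below Coppersmith's bound for this lattice, so the root is found exactly.
    assert n * sum(c * c for c in v) < N ** (2 * m), "X too large for this lattice"
    h = [c // X ** k for k, c in enumerate(v)]       # entries are exact multiples of X^k
    roots = {round(r) for r in real_roots(h, -X, X)}
    return sorted(x for x in roots if poly_eval(h, x) == 0 and poly_eval(f, x) % N == 0), h

# Constructed toy instance (values chosen for this example, not from the paper): N = p*q with
# two ~30-bit primes and f(x) = (x - X0)(x - R1) mod N, so X0 is a small root and R1 a full-size
# one.  With d = 2, m = 1 the lattice has dimension 4 and determinant N^2 X^6, and the LLL
# guarantee yields an exact root whenever X < N^(1/3) / 2^(7/6) (about 4.4e5 here).
N = 1000000007 * 998244353
X0, R1 = 123456, 271828182845904523
F = [(X0 * R1) % N, (-(X0 + R1)) % N, 1]            # x^2 + a*x + b with a, b reduced mod N
X = 2 ** 17
if __name__ == "__main__": print(small_roots(F, N, X))   # X0 = 123456 is among the roots
```

Running the block recovers X0 = 123456 from f and N alone; the returned h is the integer auxiliary polynomial that vanishes at X0. Raising m enlarges the lattice to dimension d(m+1) and pushes the admissible X toward N^{1/d}, which is the limit the paper shows cannot be crossed by any auxiliary polynomial of this type; the exact-arithmetic LLL here is only meant for such toy dimensions.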
