On the Optimality of Lattices for the Coppersmith Technique

We investigate the Coppersmith technique [7] for finding solutions of a univariate modular equation within a range given by a range parameter U. This paper provides a way to analyze a general type of limitation of the lattice construction. Our analysis gives an upper bound on the admissible range of U that is asymptotically equal to the bound given by Coppersmith's original result. To show our result, we establish a framework for the technique by following the reformulation of Howgrave-Graham [14], and derive a condition for the technique to work. We then provide a way to analyze a bound on U for achieving the condition. Technically, we show that (i) the original result of Coppersmith achieves an optimal bound for U when the lattice is constructed in the standard way. We then show evidence supporting that (ii) a non-standard lattice construction is generally difficult. We also report on computer experiments demonstrating the tightness of our analysis. Some of the detailed arguments are omitted due to the space limit; see the full version [1].
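
To make the standard construction concrete, here is an added Python example (not from the paper) that builds the Howgrave-Graham lattice for a monic f of degree d with parameters m and t, verifies the determinant N^(dm(m+1)/2) * U^(n(n-1)/2) it implies, and solves the LLL/Howgrave-Graham condition for U; with t = 0 the admissible exponent comes out as (m-1)/(dm-1), which tends to Coppersmith's 1/d as m grows. Function and parameter names and the sample polynomial are my own choices, and LLL reduction itself is not included (fpylll or Sage provide it).

```python
from fractions import Fraction
import math

def poly_mul(p, q):
    """Multiply integer polynomials given as coefficient lists, lowest degree first."""
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r

def poly_pow(p, e):
    r = [1]
    for _ in range(e):
        r = poly_mul(r, p)
    return r

def build_basis(f, N, U, m, t):
    """Rows of the standard lattice: x^j N^(m-i) f(x)^i for 0<=i<m, 0<=j<d, then
    x^i f(x)^m for 0<=i<t, with column k scaled by U^k (f monic, d = deg f).
    Every row vanishes mod N^m at a root x0 of f mod N, and the matrix is
    lower triangular, so det(L) is the product of the diagonal."""
    d = len(f) - 1
    n = d * m + t
    rows = [[0] * j + [c * N ** (m - i) for c in poly_pow(f, i)]
            for i in range(m) for j in range(d)]
    rows += [[0] * i + poly_pow(f, m) for i in range(t)]
    return [[c * U ** k for k, c in enumerate(g + [0] * (n - len(g)))] for g in rows]

def det_exponents(d, m, t):
    """det(L) = N^a * U^b for the basis above; returns (n, a, b)."""
    n = d * m + t
    return n, Fraction(d * m * (m + 1), 2), Fraction(n * (n - 1), 2)

def u_exponent(d, m, t):
    """Largest e with U = N^e still satisfying det(L)^(1/n) < N^m (constants ignored).
    With t = 0 this equals (m-1)/(dm-1), which tends to 1/d as m grows."""
    n, a, b = det_exponents(d, m, t)
    return (m * n - a) / b

def log2_u_bound(log2_N, d, m, t):
    """Concrete bound: LLL gives ||b1|| <= 2^((n-1)/4) det^(1/n) and Howgrave-Graham
    needs ||b1|| < N^m / sqrt(n); solve that inequality for log2(U)."""
    n, a, b = det_exponents(d, m, t)
    rhs = (m - float(a) / n) * log2_N - (n - 1) / 4 - 0.5 * math.log2(n)
    return rhs * n / float(b)

def howgrave_graham_ok(vec, N, m):
    """True if a lattice vector (coefficients of h(xU)) is short enough that h(x0) = 0
    holds over the integers for every |x0| < U with h(x0) = 0 mod N^m."""
    return math.sqrt(sum(c * c for c in vec)) < N ** m / math.sqrt(len(vec))
```

Feed the first vector of an LLL-reduced basis to howgrave_graham_ok and, when it passes, the integer roots of the corresponding polynomial contain every root of f mod N below U.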

[1] Don Coppersmith et al. Finding Small Solutions to Small Degree Polynomials, 2001, CaLC.

[2] Santanu Sarkar et al. A New Class of Weak Encryption Exponents in RSA, 2008, INDOCRYPT.

[3] Phong Q. Nguyen et al. The LLL Algorithm - Survey and Applications, 2009, Information Security and Cryptography.

[4] Tatsuaki Okamoto et al. A Fast Signature Scheme Based on Quadratic Inequalities, 1985, 1985 IEEE Symposium on Security and Privacy.

[5] Nicolas Gama et al. Predicting Lattice Reduction, 2008, EUROCRYPT.

[6] Dan Boneh et al. Cryptanalysis of RSA with private key d less than N^0.292, 1999, IEEE Trans. Inf. Theory.

[7] Yoshinori Aono et al. A New Lattice Construction for Partial Key Exposure Attack for RSA, 2009, Public Key Cryptography.

[8] Benne de Weger et al. Partial Key Exposure Attacks on RSA up to Full Size Exponents, 2005, EUROCRYPT.

[9] Noboru Kunihiro et al. Solving Generalized Small Inverse Problems, 2010, ACISP.

[10] Noboru Kunihiro et al. On Optimal Bounds of Small Inverse Problems and Approximate GCD Problems with Higher Degree, 2012, ISC.

[11] Johannes Blömer et al. A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers, 2005, EUROCRYPT.

[12] Antoine Joux et al. Factoring pq^2 with Quadratic Forms: Nice Cryptanalyses, 2009, ASIACRYPT.

[13] Claus-Peter Schnorr et al. Lattice basis reduction: Improved practical algorithms and solving subset sum problems, 1991, FCT.

[14] Patrizia M. Gianni et al. Square-free algorithms in positive characteristic, 2005, Applicable Algebra in Engineering, Communication and Computing.

[15] G. Pólya et al. Problems and theorems in analysis, 1983.

[16] Yu. A. Brychkov et al. Integrals and series, 1992.

[17] Brigitte Vallée et al. How to Break Okamoto's Cryptosystem by Reducing Lattice Bases, 1988, EUROCRYPT.

[18] Antoine Joux et al. Fault Attacks on RSA Signatures with Partially Unknown Messages, 2009, CHES.

[19] Alexander May et al. A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants, 2006, ASIACRYPT.

[20] Alexander May et al. New RSA vulnerabilities using lattice reduction methods, 2003.

[21] Victor Shoup et al. OAEP Reconsidered, 2002, Journal of Cryptology.

[22] László Lovász et al. Factoring polynomials with rational coefficients, 1982.

[23] Nick Howgrave-Graham et al. Approximate Integer Common Divisors, 2001, CaLC.

[24] Damien Stehlé et al. LLL on the Average, 2006, ANTS.

[25] C. A. Rogers. The Number of Lattice Points in a Set, 1956.

[26] Johannes Blömer et al. New Partial Key Exposure Attacks on RSA, 2003, CRYPTO.

[27] Yoshinori Aono et al. Minkowski Sum Based Lattice Construction for Multivariate Simultaneous Coppersmith's Technique and Applications to RSA, 2013, ACISP.

[28] Don Coppersmith et al. Finding a Small Root of a Univariate Modular Equation, 1996, EUROCRYPT.

[29] S. Konyagin et al. On polynomial congruences, 1994.

[30] Dan Boneh et al. Finding smooth integers in short intervals using CRT decoding, 2000, STOC '00.

[31] Nick Howgrave-Graham et al. Finding Small Roots of Univariate Modular Equations Revisited, 1997, IMACC.

[32] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[33] Johan Håstad et al. Solving Simultaneous Modular Equations of Low Degree, 1988, SIAM J. Comput.