Modern Cryptography – Current Challenges and Solutions

$N = (9P_{31}\# + 58P_{30}\# + e)(9P_{31}\# + 125P_{30}\# + f)$

$N = (9P_{31}\# + 58P_{30}\# + 41P_{29}\# + g)(9P_{31}\# + 125P_{30}\# + 46P_{29}\# + h)$

$N = (9P_{31}\# + 58P_{30}\# + 41P_{29}\# + 83178932594916863170676664934419945962676779) \cdot (9P_{31}\# + 125P_{30}\# + 46P_{29}\# + 273857017733028251413011637989228497546748161)$

$N = (9P_{31}\# + 58P_{30}\# + 11552313802126969246479999301689200142637563209) \cdot (9P_{31}\# + 125P_{30}\# + 13141666871354355315613715084104347742596620741)$

The conversion to a decimal from the base primorial (Section 12) provides $P^1$ and $P^2$:

$P^1 = (37975227936943673922808872755445627854565536638199)_{10}$, $P^2 = (40094690950920881030683735292761468389214899724061)_{10}$

With $x = P_{30}\#$, $N = (1268x + 13141666871354355315613715084104347742596620741)(1201x + 11552313802126969246479999301689200142637563209)$, that is

$N = 1522868x^2 + 3043147581359377738588710930551227419722971658953x + 151816659580901664885523419281115998823527019067345405631⋱401183567090345342039152734187917869$

16. Lenstra-Lenstra-Lovász lattice reduction (LLL)

The LLL forms the basis of the Coppersmith attack (Section 15), and a brief explanation is given here with further reading and references for the reader. The Lenstra-Lenstra-Lovász (LLL) lattice basis reduction algorithm [13] calculates an LLL-reduced, short, nearly orthogonal lattice basis in time $O(d^5 n \log^3 B)$, where $B$ is the largest length of $b_i$ under the Euclidean norm, given a basis $B = \{b_1, b_2, \dots, b_d\}$ with $n$-dimensional integer coordinates, for a lattice $L$ (a discrete subgroup of $\mathbb{R}^n$) with $d \le n$, and giving polynomial-time factorization of polynomials with rational coefficients. A thorough explanation is given by Bosma [14], and a summary of the example contained in the reference is given below.

INPUT: Let lattice basis $b_1, b_2, b_3 \in \mathbb{Z}^3$ be given by the columns of

$\begin{bmatrix} 1 & -1 & 3 \\ 1 & 0 & 5 \\ 1 & 2 & 6 \end{bmatrix}$

OUTPUT: LLL-reduced basis

$\begin{bmatrix} 0 & 1 & -1 \\ 1 & 0 & 0 \\ 0 & 1 & 2 \end{bmatrix}$

Using the Lenstra-Lenstra-Lovász lattice reduction (LLL), the short vectors in a lattice can be found. This is used by the Coppersmith attack. Coppersmith's algorithm uses the LLL to construct polynomials with small coefficients that all have the same root modulo the same integer. When a linear combination is found that meets the inequality conditions, standard factorization methods can find the solutions over the integers.

17. Coppersmith attack

When d is small, e is large (by the Euler totient rule), and the Wiener attack (Section 5) can be used. Conversely, when d is large, e is small. Particular applications of the Coppersmith method for attacking RSA include cases when the public exponent e is small or when partial knowledge of the secret key is available (Section 13) [15].

A small public exponent e reduces the encryption time. Common choices for e are 3, 17 and 65537 ($2^{16} + 1$) [16]. These are Fermat primes $F_x$: $F_x = 2^{2^x} + 1$, and they are chosen because the modular exponentiation is faster. The Coppersmith method reduces the solving of modular polynomial equations to solving polynomial equations over the integers.

Let $F(x) = x^n + a_{n-1}x^{n-1} + \dots + a_1 x + a_0$ and $F(x_0) \equiv 0 \bmod M$ for an integer $|x_0| < M^{1/n}$. Coppersmith can find the integer solution for $x_0$ by finding a different polynomial $f$ related to $F$ that has the root $x_0 \bmod M$ but only has small coefficients. The small coefficients are constructed using the LLL (Section 14). Given $F$, the LLL constructs polynomials $p_1(x), p_2(x), \dots, p_n(x)$ that all have the same root $x_0 \bmod M^a$, $a \in \mathbb{Z}$; $a$ depends on the degree of $F$ and the size of $x_0$. Any linear combination has the same root $x_0 \bmod M^a$.

The next step is to use LLL to construct a linear combination $f(x) = \sum c_i p_i(x)$ of the $p_i(x)$ so that the inequality $|f(x_0)| < M^a$ holds. Then standard factorization provides the zeroes of $f(x)$ over $\mathbb{Z}$.

Let $N$ be an integer and $f \in \mathbb{Z}[x]$ be a monic polynomial of degree $d$ over the integers, $f(x) = x^d + c_{d-1}x^{d-1} + \dots + c_2 x^2 + c_1 x + c_0$. Set $X = N^{1/d - \epsilon}$ for $1/d > \epsilon > 0$. Given $(N, f)$, all integers $x_0 < X$ with $f(x_0) \equiv 0 \bmod N$ can now be found. All roots of $f \bmod N$ smaller than $X = N^{1/d}$ can be found.
