
Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach

  • Jean-Sébastien Coron
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)

Abstract

Coppersmith described at Eurocrypt 96 an algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction. A simpler algorithm was later proposed in [9], but it was asymptotically less efficient than Coppersmith’s algorithm. In this paper, we describe an analogous simplification but with the same asymptotic complexity as Coppersmith. We illustrate our new algorithm with the problem of factoring RSA moduli with high-order bits known; in practical experiments our method is several orders of magnitude faster than [9].

Keywords

Coppersmith’s theorem, lattice reduction, cryptanalysis

References

  1. Bleichenbacher, D., May, A.: New Attacks on RSA with Small Secret CRT-Exponents. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, Springer, Heidelberg (2006)
  2. Blömer, J., May, A.: A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 251–267. Springer, Heidelberg (2005)
  3. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, Springer, Heidelberg (1999)
  4. Boneh, D., Durfee, G., Howgrave-Graham, N.A.: Factoring n = p^r q for large r. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, Springer, Heidelberg (1999)
  5. Coppersmith, D.: Finding a Small Root of a Univariate Modular Equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, Springer, Heidelberg (1996)
  6. Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, Springer, Heidelberg (1996)
  7. Coppersmith, D.: Small solutions to polynomial equations, and low exponent vulnerabilities. J. of Cryptology 10(4), 233–260 (1997)
  8. Coppersmith, D.: Finding small solutions to small degree polynomials. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, Springer, Heidelberg (2001)
  9. Coron, J.S.: Finding Small Roots of Bivariate Polynomial Equations Revisited. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, Springer, Heidelberg (2004)
  10. Coron, J.S., May, A.: Deterministic Polynomial-Time Equivalence of Computing the RSA Secret Key and Factoring. Journal of Cryptology 20(1) (2007)
  11. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial Key Exposure Attacks on RSA up to Full Size Exponents. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
  12. Hafner, J., McCurley, K.: Asymptotically fast triangularization of matrices over rings. SIAM J. Comput. 20, 1068–1083 (1991)
  13. Howgrave-Graham, N.A.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  14. Howgrave-Graham, N.A.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, Springer, Heidelberg (2001)
  15. Howgrave-Graham, N.A.: Computational Mathematics Inspired by RSA. PhD thesis, University of Bath (1998)
  16. Jochemsz, E., May, A.: A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, Springer, Heidelberg (2006)
  17. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Ann. 261, 513–534 (1982)
  18. May, A.: Cryptanalysis of Unbalanced RSA with Small CRT-Exponent. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 242–256. Springer, Heidelberg (2002)
  19. May, A.: Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 213–219. Springer, Heidelberg (2004)
  20. May, A.: Secret Exponent Attacks on RSA-type Schemes with Moduli N = p^r q. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 218–230. Springer, Heidelberg (2004)
  21. Nguyen, P.Q., Stehlé, D.: Floating-Point LLL Revisited. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, Springer, Heidelberg (2005)
  22. Shoup, V.: Number Theory C++ Library (NTL) version 5.4. Available at http://www.shoup.net
  23. Shoup, V.: OAEP reconsidered. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, Springer, Heidelberg (2001)

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Jean-Sébastien Coron, University of Luxembourg
