Skip to main content
SpringerLink
Log in

Using LLL-Reduction for Solving RSA and Factorization Problems

  • Chapter
  • First Online:
The LLL Algorithm

Part of the book series: Information Security and Cryptography ((ISC))

Abstract

Twenty five years ago, Lenstra, Lenstra and Lovász presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature, they can either be interpreted as cryptanalytic results or as hardness/security results.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 189.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 249.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 249.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. R. Rivest, A. Shamir and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM, Vol. 21(2), pp.120–126, 1978

    Article  MathSciNet  Google Scholar 

  2. D. Boneh, Venkatesan, Breaking RSA may not be equivalent to factoring, Advances in Cryptology – Eurocrypt ’98, Lecture Notes in Computer Science Vol. 1233, Springer, pp. 59–71, 1998

    Article  MathSciNet  Google Scholar 

  3. D. Brown, Breaking RSA May Be As Difficult As Factoring, Cryptology ePrint Archive Report 2005/380, 2005

    Google Scholar 

  4. G. Leander, A. Rupp, On the Equivalence of RSA and Factoring Regarding Generic Ring Algorithms, Advances in Cryptology – Asiacrypt 2006, Lecture Notes in Computer Science Vol. 4284, pp. 241–251, Springer, 2006

    Google Scholar 

  5. D. Boneh, Twenty years of attacks on the RSA cryptosystem, Notices of the AMS, 1999

    Google Scholar 

  6. S. Katzenbeisser, Recent Advances in RSA Cryptography, Advances in Information Security, Kluwer Academic Publishers, 2001

    MATH  Google Scholar 

  7. C. Pomerance, The Quadratic Sieve Factoring Algorithm, Advances in Cryptology – Eurocrypt 84, Lecture Notes in Computer Science, pp. 169–182, 1985

    Google Scholar 

  8. H. W. Lenstra, Factoring Integers with Elliptic Curves, Mathematische Annalen, Vol. 126, pp. 649–673, 1987

    Article  MathSciNet  Google Scholar 

  9. A.K. Lenstra, H.W. Lenstra, The Development of the Number Field Sieve, Springer, 1993

    Google Scholar 

  10. P.W. Shor, Algorithms for quantum computation: Discrete log and factoring, In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pages 124–134, 1994

    Google Scholar 

  11. D. Coppersmith, Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known, Advances in Cryptology – Eurocrypt ’96, Lecture Notes in Computer Science Vol. 1070, Springer, pp. 178–189, 1996

    Article  MathSciNet  Google Scholar 

  12. J. Håstad, Solving Simultaneous Modular Equations of Low Degree, Siam J. Computing, 1988

    Google Scholar 

  13. M. Girault, P. Toffin, B. Vallée, Computation of Approximate L-th Roots Modulo n and Application to Cryptography, Advances in Cryptology – Crypto 1988, Lecture Notes in Computer Science Vol. 403, pp. 100-117, 1988

    Article  Google Scholar 

  14. D. Coppersmith, Finding a Small Root of a Univariate Modular Equation, Advances in Cryptology – Eurocrypt ’96, Lecture Notes in Computer Science Vol. 1070, Springer, pp. 155–165, 1996

    Article  MathSciNet  Google Scholar 

  15. D. Coppersmith, Small solutions to polynomial equations and low exponent vulnerabilities, Journal of Cryptology, Vol. 10(4), pp. 223–260, 1997.

    Google Scholar 

  16. D. Coppersmith, Finding Small Solutions to Small Degree Polynomials, Cryptography and Lattice Conference (CaLC 2001), Lecture Notes in Computer Science Volume 2146, Springer, pp. 20–31, 2001.

    Google Scholar 

  17. A. K. Lenstra, H. W. Lenstra, and L. Lovász, “Factoring polynomials with rational coefficients,” Mathematische Annalen, Vol. 261, pp. 513–534, 1982

    Article  Google Scholar 

  18. V. Shoup, OAEP Reconsidered, Advances in Cryptology – Crypto 2001, Lecture Notes in Computer Science Vol. 2139, Springer, pp. 239–259, 2001

    Article  MathSciNet  Google Scholar 

  19. R. Steinfeld, J. Pieprzyk, H. Wang, On the Provable Security of an Efficient RSA-Based Pseudorandom Generator, Advances in Cryptology – Asiacrypt 2006, Lecture Notes in Computer Science Vol. 4284, pp. 194–209, Springer, 2006

    Google Scholar 

  20. D. Boneh, G. Durfee, and N. Howgrave-Graham, Factoring N = p r q for large r, Advances in Cryptology – Crypto ’99, Lecture Notes in Computer Science Vol. 1666, Springer, pp. 326–337, 1999

    Article  MathSciNet  Google Scholar 

  21. A. May, Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring, Advances in Cryptology (Crypto 2004), Lecture Notes in Computer Science Volume 3152, pages 213–219, Springer, 2004

    Google Scholar 

  22. J.-S. Coron, A. May, Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring, Journal of Cryptology, 2007

    Google Scholar 

  23. D. Boneh, Finding smooth integers in short intervals using CRT decoding, STOC, pp. 265–272, 2000

    Google Scholar 

  24. M. Wiener, Cryptanalysis of short RSA secret exponents, IEEE Transactions on Information Theory, Vol. 36, pp. 553–558, 1990

    Article  MATH  MathSciNet  Google Scholar 

  25. D. Boneh, G. Durfee, Cryptanalysis of RSA with private key d less than N 0. 292, Advances in Cryptology – Eurocrypt’99, Lecture Notes in Computer Science Vol. 1592, Springer, pp. 1–11, 1999.

    Article  MathSciNet  Google Scholar 

  26. D. Boneh, G. Durfee, Cryptanalysis of RSA with private key d less than N 0. 292, IEEE Trans. on Information Theory, Vol. 46(4), pp. 1339–1349, 2000

    Article  MathSciNet  Google Scholar 

  27. E. Jochemsz, A. May, A Polynomial Time Attack on Standard RSA with Private CRT-Exponents Smaller than N 0. 073, Advances in Cryptology – Crypto 2007, Lecture Notes in Computer Science Vol. 4622, pp. 395–411, Springer, 2007

    Google Scholar 

  28. D. Boneh, G. Durfee, Y. Frankel, An attack on RSA given a small fraction of the private key bits, Advances in Cryptology – Asiacrypt ’98, Lecture Notes in Computer Science Vol. 1514, Springer, pp. 25–34, 1998

    Article  MathSciNet  Google Scholar 

  29. R. Steinfeld, Y. Zheng, On the Security of RSA with Primes Sharing Least-Significant Bits, Applicable Algebra in Engineering, Communication and Computing Vol. 15(3-4),pp. 179–200, 2004

    MathSciNet  Google Scholar 

  30. N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, Proceedings of Cryptography and Coding, Lecture Notes in Computer Science Vol. 1355, Springer, pp. 131–142, 1997

    Article  MathSciNet  Google Scholar 

  31. M. van Hoeij, Factoring Polynomials and 0-1 Vectors, Cryptography and Lattice Conference (CaLC 2001), Lecture Notes in Computer Science Vol. 2146, Springer, pp. 45–50, 2001

    Article  Google Scholar 

  32. M. van Hoeij, Factoring polynomials and the knapsack problem, J. Number Theory Vol. 95, pp. 167–189, 2002

    Article  MATH  MathSciNet  Google Scholar 

  33. J. Klüners, The van Hoeij algorithm for factoring polynomials, LLL+25 Conference in honour of the 25th birthday of the LLL algorithm, 2007

    Google Scholar 

  34. N. Howgrave-Graham, Approximate Integer Common Divisors, Cryptography and Lattice Conference (CaLC 2001), Lecture Notes in Computer Science Vol. 2146, Springer, pp. 51–66, 2001

    Article  MathSciNet  Google Scholar 

  35. A. May, New RSA Vulnerabilities Using Lattice Reduction Methods, PhD thesis, University of Paderborn, 2003

    Google Scholar 

  36. J.-S. Coron, Finding Small Roots of Bivariate Integer Polynomial Equations Revisited, Advances in Cryptology – Eurocrypt 2005, Lecture Notes in Computer Science Vol. 3027, Springer, 2005

    Google Scholar 

  37. J.-S. Coron, Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach, Advances in Cryptology – Crypto 2007, Lecture Notes in Computer Science, Springer, 2007

    Google Scholar 

  38. P. Nguyen, D. Stehlé, Floating-Point LLL Revisited, Advances in Cryptology – Eurocrypt 2005, Lecture Notes in Computer Science Vol. 3494, pp. 215–233, Springer, 2005

    Google Scholar 

  39. D. Stehlé, Floating-Point LLL: Theoretical and Practical Aspects, LLL+25 Conference in honour of the 25th birthday of the LLL algorithm, 2007

    Google Scholar 

  40. J. Håstad, M. Näslund, The security of all RSA and discrete log bits, Journal of the ACM Vol. 51(2), pp. 187–230, 2004

    Article  Google Scholar 

  41. M. Bellare, P. Rogaway, Optimal Asymmetric Encryption, Advances in Cryptology – Eurocrypt ’94, Lecture Notes in Computer Science Vol. 950, Springer, pp. 92–111, 1994

    MathSciNet  Google Scholar 

  42. G. Gentry, The Geometry of Provable Security: Some Proofs of Security in which Lattices Make a Surprise Appearance, LLL+25 Conference in honour of the 25th birthday of the LLL algorithm, 2007

    Google Scholar 

  43. E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA-OAEP Is Secure under the RSA Assumption, Advances in Cryptology – Crypto 2001, Lecture Notes in Computer Science Vol. 2139, Springer, pp. 260–274, 2001

    Article  MathSciNet  Google Scholar 

  44. R. Fischlin, C.-P. Schnorr, Stronger Security Proofs for RSA and Rabin Bits, Journal of Cryptology Vol. 13(2), pp. 221–244, 2000

    Article  MathSciNet  Google Scholar 

  45. S. Micali, C.P. Schnorr, Efficient, Perfect Random Number Generators, Advances in Cryptology – Crypto 1988, Lecture Notes in Computer Science Vol. 403, pp. 173–198, Springer, 1988

    Google Scholar 

  46. D. Boneh, S. Halevi, N. Howgrave-Graham, The Modular Inversion Hidden Number Problem, Advances in Cryptology – Asiacrypt 2001, Lecture Notes in Computer Science Vol. 2248, Springer, pp. 36–51, 2001

    Article  MathSciNet  Google Scholar 

  47. M.K. Franklin, M. K. Reiter, A linear protocol failure for RSA with exponent three, Rump Session Crypto ’95, 1995

    Google Scholar 

  48. D. Coppersmith, M. K. Franklin, J. Patarin, and M. K. Reiter, Low-Exponent RSA with Related Messages, Advances in Cryptology – Eurocrypt ’96, Lecture Notes in Computer Science Vol. 1070, Springer, pp. 1–9, 1996

    Article  Google Scholar 

  49. A. May, M. Ritzenhofen, Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?, Practice and Theory in Public Key Cryptography – PKC 2008, Lecture Notes in Computer Science Vol. 4939, Springer, pp. 37–46, 2008

    Article  MathSciNet  Google Scholar 

  50. R. Rivest, A. Shamir, Efficient factoring based on partial information, Advances in Cryptology (Eurocrypt ’85), Lecture Notes in Computer Science Volume 219, pp. 81–95, Springer, 1985

    Google Scholar 

  51. D. Coppersmith, Factoring with a hint, IBM Research Report RC 19905, 1995

    Google Scholar 

  52. G.L. Miller, Riemann’s hypothesis and test for primality, STOC, pp. 234–239, 1975

    Google Scholar 

  53. J.-J. Quisquater, C. Couvreur, Fast decipherment algorithm for RSA public-key cryptosystem, Electronic Letters 18 (21), pp. 905–907, 1982

    Article  Google Scholar 

  54. D. Bleichenbacher, A. May, New Attacks on RSA with Small Secret CRT-Exponents, Practice and Theory in Public Key Cryptography – PKC 2006, Lecture Notes in Computer Science Vol. 3958, pp. 1–13, Springer, 2006

    Google Scholar 

  55. J. Blömer, A. May, New Partial Key Exposure Attacks on RSA, Advances in Cryptology – Crypto 2003, Lecture Notes in Computer Science Vol. 2729, pp. 27–43, Springer, 2003

    Google Scholar 

  56. M. Ernst, E. Jochemsz, A. May, B. de Weger, Partial Key Exposure Attacks on RSA up to Full Size Exponents, Advances in Cryptology – Eurocrypt 2005, Lecture Notes in Computer Science Vol. 3494, pp. 371–386, Springer, 2005

    Google Scholar 

  57. N. Howgrave-Graham, Computational Mathematics Inspired by RSA, PhD thesis, University of Bath, 1998

    Google Scholar 

  58. C. Jutla, On finding small solutions of modular multivariate polynomial equations, Advances in Cryptology – Eurocrypt ’98, Lecture Notes in Computer Science Vol. 1403, Springer, pp. 158–170, 1998

    Article  MathSciNet  Google Scholar 

  59. D. Bernstein, Reducing lattice bases to find small-height values of univariate polynomials. Algorithmic number theory, 2004

    Google Scholar 

  60. A. Bauer, A. Joux, Toward a rigorous variation of Coppersmith’s algorithm on three variables, Advances in Cryptology – Eurocrypt 2007, Lecture Notes in Computer Science, Springer, 2007

    Google Scholar 

  61. J. Blömer, A. May, A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers, Advances in Cryptology – Eurocrypt 2005, Lecture Notes in Computer Science Vol. 3494, pp. 251–267, Springer, 2005

    Google Scholar 

  62. G. Durfee, P. Nguyen, Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt ’99, Advances in Cryptology – Asiacrypt 2000, Lecture Notes in Computer Science Vol. 1976, Springer, pp. 14–29, 2000

    Article  MathSciNet  Google Scholar 

  63. J. Blömer, A. May, Low Secret Exponent RSA Revisited, Cryptography and Lattice Conference (CaLC 2001), Lecture Notes in Computer Science Volume 2146, Springer, pp. 4–19, 2001.

    Google Scholar 

  64. B. de Weger, Cryptanalysis of RSA with small prime difference, Applicable Algebra in Engineering, Communication and Computing ,Vol. 13(1), Springer, pp. 17–28, 2002

    Google Scholar 

  65. M.J. Hinek, Another Look at Small RSA Exponents, Topics in Cryptology – CT-RSA 2006, Lecture Notes in Computer Science Vol. 3860, pp. 82–98, 2006

    Article  MathSciNet  Google Scholar 

  66. A. May, Secret Exponent Attacks on RSA-type Schemes with Moduli N = p r q, Practice and Theory in Public Key Cryptography – PKC 2004, Lecture Notes in Computer Science Vol. 2947, Springer, pp. 218–230, 2004

    Article  MathSciNet  Google Scholar 

  67. N. Kunihiro, K. Kurosawa, Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi’s RSA, Practice and Theory in Public Key Cryptography – PKC 2007, Lecture Notes in Computer Science, Springer, 2007

    Google Scholar 

  68. A. May, Cryptanalysis of Unbalanced RSA with Small CRT-Exponent, Advances in Cryptology – Crypto 2002, Lecture Notes in Computer Science Vol. 2442, Springer, pp. 242–256, 2002

    Article  MathSciNet  Google Scholar 

  69. H.-M. Sun, M.J. Hinek, and M.-E. Wu, An Approach Towards Rebalanced RSA-CRT with Short Public Exponent, revised version of [70], online available at http://www.cacr.math.uwaterloo.ca/techreports/2005/cacr2005-35.pdf

  70. H.-M. Sun, M.-E. Wu, An Approach Towards Rebalanced RSA-CRT with Short Public Exponent, Cryptology ePrint Archive: Report 2005/053, online available at http://eprint.iacr.org/2005/053

  71. S.D. Galbraith, C. Heneghan, and J.F. McKee, Tunable Balancing of RSA, Proceedings of ACISP 2005, Lecture Notes in Computer Science Vol. 3574, pp. 280–292, 2005

    Google Scholar 

  72. S.D. Galbraith, C. Heneghan, and J.F. McKee, Tunable Balancing of RSA, full version of [71], online available at http://www.isg.rhul.ac.uk/∼sdg/full-tunable-rsa.pdf

  73. E. Jochemsz, A. May, A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants, Advances in Cryptology – Asiacrypt 2006, Lecture Notes in Computer Science Vol. 4284, pp. 267–282, Springer, 2006

    Google Scholar 

  74. D. Boneh, Simplified OAEP for the RSA and Rabin Functions, Advances in Cryptology – Crypto 2001, Lecture Notes in Computer Science Vol. 2139, pp. 275–291, Springer, 2001

    Google Scholar 

  75. C. Crépeau, A. Slakmon, Simple Backdoors for RSA Key Generation, Topics in Cryptology – CT-RSA 2003, Lecture Notes in Computer Science Vol. 2612, pp. 403–416, Springer, 2003

    Google Scholar 

  76. B. Santoso, N. Kunihiro, N. Kanayama, K. Ohta, Factorization of Square-Free Integers with High Bits Known, Progress in Cryptology, VIETCRYPT 2006, Lecture Notes in Computer Science Vol. 4341, pp. 115–130, 2006

    Article  Google Scholar 

  77. M. Herrmann, A. May, Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits, Advances in Cryptology – Asiacrypt 2008, Lecture Notes in Computer Science, Springer, 2008

    Google Scholar 

  78. C.P. Schnorr, Factoring Integers and Computing Discrete Logarithms via Diophantine Approximations, Advances in Cryptology – Eurocrypt 1991, Lecture Notes in Computer Science, pp. 281–293, Springer, 1991

    Google Scholar 

  79. S.V. Konyagin, T. Steger, On polynomial congruences, Mathematical Notes Vol. 55(6), pp. 596–600, 1994

    Article  MathSciNet  Google Scholar 

  80. D. Bleichenbacher, P.G. Nguyen, Noisy Polynomial Interpolation and Noisy Chinese Remaindering, Advances in Cryptology – Eurocrypt 2000, Lecture Notes in Computer Science, pp. 53–69, Springer, 2000

    Google Scholar 

  81. J. Blömer, A. May, A Generalized Wiener Attack on RSA, Practice and Theory in Public Key Cryptography – PKC 2004, Lecture Notes in Computer Science Vol. 2947, pp. 1–13, Springer, 2004

    Google Scholar 

  82. D. Boneh, G. Durfee, Y. Frankel, Exposing an RSA Private Key Given a Small Fraction of its Bits, Full version of the work from Asiacrypt’98, available at http://crypto.stanford.edu/∼dabo/abstracts/bits{ _}of{ _}d.html, 1998

  83. A. K. Lenstra, H. W. Lenstra, Jr., M. S. Manasse, and J. M. Pollard, The number field sieve, In Proceedings of the 22nd Annual ACM Symposium on the Theory of Computation, pages 564–572, 1990

    Google Scholar 

Download references

Acknowledgements

The author thanks Mathias Herrmann, Ellen Jochemsz, Phong Nguyen, Maike Ritzenhofen, and Damien Stehlé for comments and discussions.

Author information

Authors and Affiliations

  1. Horst Görtz Institute for IT-Security, Faculty of Mathematics, Ruhr-University Bochum, Bochum, Germany

    Alexander May

Authors
  1. Alexander May
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alexander May .

Editor information

Editors and Affiliations

  1. Dépt. Mathématiques et d'Informatique, Ecole Normale Supérieure, rue d'Ulm 45, Paris CX 05, 75230, France

    Phong Q. Nguyen

  2. Dept. Informatique, Université de Caen, Caen CX, 14032, France

    Brigitte Vallée

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

May, A. (2009). Using LLL-Reduction for Solving RSA and Factorization Problems. In: Nguyen, P., Vallée, B. (eds) The LLL Algorithm. Information Security and Cryptography. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02295-1_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-02295-1_10

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-02294-4

  • Online ISBN: 978-3-642-02295-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation