Abstract
In a seminal work at EUROCRYPT ’96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in public-key cryptanalysis and in a few security proofs. However, the running time of the algorithm is a high-degree polynomial, which limits experiments: the bottleneck is an LLL reduction of a high-dimensional matrix with extra-large coefficients. We present in this paper the first significant speedups over Coppersmith’s algorithm. The first speedup is based on a special property of the matrices used by Coppersmith’s algorithm, which allows us to provably speed up the LLL reduction by rounding, and which can also be used to improve the complexity analysis of Coppersmith’s original algorithm. The exact speedup depends on the LLL algorithm used: for instance, the speedup is asymptotically quadratic in the bit-size of the small-root bound if one uses the Nguyen-Stehlé L2 algorithm. The second speedup is heuristic and applies whenever one wants to enlarge the root size of Coppersmith’s algorithm by exhaustive search. Instead of performing several LLL reductions independently, we exploit hidden relationships between these matrices so that the LLL reductions can be somewhat chained to decrease the global running time. When both speedups are combined, the new algorithm is in practice hundreds of times faster for typical parameters.
During the preparation of this paper, J. Bi and P. Q. Nguyen were supported in part by NSFC’s Key Project Grant 61133013, China’s 973 Program, Grant 2013CB834205, and J. Bi was also supported by NSFC Grant 61272035 and China Postdoctoral Science Foundation Grant 2013M542417. Part of this work was also supported by the HPAC grant (ANR-11-BS02-013) and by the EXACTA grant (ANR-09-BLAN-0371-01) of the French National Research Agency.
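As an added illustration (not code from the paper, and without the paper's rounding or chaining), here is the lattice step the abstract calls the bottleneck, in pure Python: a Coppersmith/Howgrave-Graham solver for the e = 3 stereotyped-message case that builds the h = 2 lattice, runs an exact-rational textbook LLL on it, and reads the small root off the reduced polynomial by Hensel lifting. The modulus, the known prefix K and the missing 32 bits x0 are constructed values, and all function names are my own.

```python
from fractions import Fraction
def lll(basis, delta=Fraction(3, 4)):  # textbook LLL over exact rationals: fine for 6 rows, and the step the paper speeds up
    dot = lambda u, v: sum(a * b for a, b in zip(u, v))
    B, k, Q = [[Fraction(x) for x in row] for row in basis], 1, None
    while k < len(B):
        if Q is None:  # (re)compute Gram-Schmidt only after a swap: b*_i goes in Q, coefficients in mu
            Q, mu = [], [[Fraction(int(i == j)) for j in range(len(B))] for i in range(len(B))]
            for i in range(len(B)):
                v = B[i][:]
                for j in range(i):
                    mu[i][j] = dot(B[i], Q[j]) / dot(Q[j], Q[j])
                    v = [a - mu[i][j] * b for a, b in zip(v, Q[j])]
                Q.append(v)
        for j in range(k - 1, -1, -1):  # size-reduce b_k; b*_k is unchanged, only row mu[k] moves
            if (q := round(mu[k][j])):
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                mu[k][:j + 1] = [a - q * b for a, b in zip(mu[k][:j + 1], mu[j][:j + 1])]
        if dot(Q[k], Q[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Q[k - 1], Q[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            B[k], B[k - 1], Q, k = B[k - 1], B[k], None, max(k - 1, 1)
    return [[int(x) for x in row] for row in B]

def peval(p, x):  # coefficient lists are low-degree first
    return sum(c * x**i for i, c in enumerate(p))

def coppersmith_basis(f, N, X):  # Howgrave-Graham lattice with h = 2: rows N*x^i and x^i*f(x) for i < deg f, x scaled by X
    d = len(f) - 1
    rows = [[0] * i + [N] + [0] * (2 * d - 1 - i) for i in range(d)]
    rows += [[0] * i + f + [0] * (d - 1 - i) for i in range(d)]
    return [[c * X**k for k, c in enumerate(row)] for row in rows]

def integer_root(g, X, primes=(2, 3, 5, 7, 11, 13, 17, 19)):  # root |x| < X: simple root mod ell, Hensel-lift past 2X, verify over Z
    dg = [i * c for i, c in enumerate(g)][1:]
    for ell in primes:
        for m, r in [(ell, r) for r in range(ell) if peval(g, r) % ell == 0 and peval(dg, r) % ell]:
            while m < 2 * X:
                m *= m
                r = (r - peval(g, r) * pow(peval(dg, r), -1, m)) % m
            if peval(g, x := r if r <= m // 2 else r - m) == 0:
                return x

def recover_low_bits(N, K, c, X):  # stereotyped RSA, e = 3: find x0 with (K + x0)^3 = c mod N and |x0| < X
    f = [(K**3 - c) % N, 3 * K * K % N, 3 * K % N, 1]  # monic f(x) = (K + x)^3 - c with coefficients reduced mod N
    g = [v // X**k for k, v in enumerate(lll(coppersmith_basis(f, N, X))[0])]  # shortest row, xX scaling undone
    return g, integer_root(g, X)  # g(x0) = 0 holds over Z, not just mod N, so x0 is found without N's factors

# Constructed instance (assumption, not from the paper): 200-bit modulus, 192-bit known prefix K, unknown low 32 bits x0.
N, X, K, x0 = 2**200 + 977, 2**32, 0x5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A << 32, 0x9E3779B9
c = pow(K + x0, 3, N)
```

Even at this toy size essentially all of the run time is the LLL call; the paper's measurements concern the far larger dimensions and coefficient sizes where that cost becomes prohibitive.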
© 2014 International Association for Cryptologic Research
Cite this paper
Bi, J., Coron, JS., Faugère, JC., Nguyen, P.Q., Renault, G., Zeitoun, R. (2014). Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences. In: Krawczyk, H. (eds) Public-Key Cryptography – PKC 2014. PKC 2014. Lecture Notes in Computer Science, vol 8383. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54631-0_11
DOI: https://doi.org/10.1007/978-3-642-54631-0_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54630-3
Online ISBN: 978-3-642-54631-0