Skip to main content
SpringerLink
Log in

Recent Progress on Coppersmith’s Lattice-Based Method: A Survey

  • Chapter
  • First Online:
Mathematical Modelling for Next-Generation Cryptography

Part of the book series: Mathematics for Industry ((MFI,volume 29))

Abstract

In 1996, Coppersmith proposed a lattice-based method to solve the small roots of a univariate modular equation in polynomial time. Since its invention, Coppersmith’s method has become an important tool in the cryptanalysis of RSA crypto algorithm and its variants. In 2006, Jochemsz and May introduced a general strategy to solve small roots of any form of multivariate modular equations in polynomial time. Based on Jochemsz–May’s strategy, for any given multivariate equations one can easily construct the desired lattices with triangular matrix basis. However, for some attacks, Jochemsz–May’s general strategy could not fully capture the algebraic structure of the target polynomials. Thus, some sophisticated techniques that can deeply exploit the algebraic relations have been proposed. In this paper, we give a survey of these recent approaches for lattice constructions, and also give small examples to show how these approaches work.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. A. Bauer, D. Vergnaud, J. Zapalowicz, Inferring sequences produced by nonlinear pseudorandom number generators using Coppersmith’s methods, in PKC 2012 (2012), pp. 609–626

    Google Scholar 

  2. J. Blömer, A. May, New partial key exposure attacks on RSA, in CRYPTO 2003 (2003), pp. 27–43

    Google Scholar 

  3. D. Boneh, G. Durfee, Cryptanalysis of RSA with private key \(d\) less than \(N^{0.292}\). IEEE Trans. Inf. Theory 46(4), 1339–1349 (2000)

    Article  MathSciNet  MATH  Google Scholar 

  4. D. Boneh, G. Durfee, Y. Frankel, An attack on RSA given a small fraction of the private key bits, in ASIACRYPT 1998 (1998), pp. 25–34

    Google Scholar 

  5. H. Cohn, N. Heninger, Approximate common divisors via lattices, in ANTS-X (2012)

    Google Scholar 

  6. D. Coppersmith, Finding a small root of a bivariate integer equation; factoring with high bits known, in EUROCRYPT 1996 (1996), pp. 178–189

    Google Scholar 

  7. D. Coppersmith, Finding a small root of a univariate modular equation, in EUROCRYPT 1996 (1996), pp. 155–165

    Google Scholar 

  8. J. Coron, A. May, Deterministic polynomial-time equivalence of computing the RSA secret key and factoring. J. Cryptol. 20(1), 39–50 (2007)

    Article  MathSciNet  MATH  Google Scholar 

  9. J. Coron, A. Joux, I. Kizhvatov, D. Naccache, P. Paillier, Fault attacks on RSA signatures with partially unknown messages, in CHES 2009 (2009), pp. 444–456

    Google Scholar 

  10. J. Coron, D. Naccache, M. Tibouchi, Fault attacks against EMV signatures, in CT-RSA 2010 (2010), pp. 208–220

    Google Scholar 

  11. M.J. Coster, B.A. LaMacchia, A.M. Odlyzko, An improved low-density subset sum algorithm, in EUROCRYPT 1991 (1991), pp. 54–67

    Google Scholar 

  12. G. Durfee, P.Q. Nguyen, Cryptanalysis of the RSA schemes with short secret exponent from Asiacrypt’99, in ASIACRYPT 2000 (2000), pp. 14–29

    Google Scholar 

  13. M. Ernst, E. Jochemsz, A. May, B. de Weger, Partial key exposure attacks on RSA up to full size exponents, in EUROCRYPT 2005 (2005), pp. 371–384

    Google Scholar 

  14. P.A. Fouque, N. Guillermin, D. Leresteux, M. Tibouchi, J.C. Zapalowicz, Attacking RSA-CRT signatures with faults on montgomery multiplication. J. Cryptogr. Eng. 3(1), 59–72 (2013)

    Article  MATH  Google Scholar 

  15. M. Herrmann, Improved cryptanalysis of the multi-prime \(\phi \)-hiding assumption, in AFRICACRYPT 2011 (2011), pp. 92–99

    Google Scholar 

  16. M. Herrmann, Lattice-based cryptanalysis using unravelled linearization. Ph.D. thesis, der Ruhr-Universitat Bochum (2011), http://www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/HerrmannMathias/diss.pdf

  17. M. Herrmann, A. May, Solving linear equations modulo divisors: on factoring given any bits, in ASIACRYPT 2008 (2008), pp. 406–424

    Google Scholar 

  18. M. Herrmann, A. May, Attacking power generators using unravelled linearization: when do we output too much? in ASIACRYPT 2009 (2009), pp. 487–504

    Google Scholar 

  19. M. Herrmann, A. May, Maximizing small root bounds by linearization and applications to small secret exponent RSA, in PKC 2010 (2010), pp. 53–69

    Google Scholar 

  20. N. Howgrave-Graham, Finding small roots of univariate modular equations revisited, in Cryptography and Coding 1997 (1997), pp. 131–142

    Google Scholar 

  21. N. Howgrave-Graham, Approximate integer common divisors, in CaLC 2001 (2001), pp. 51–66

    Google Scholar 

  22. Z. Huang, L. Hu, J. Xu, Attacking RSA with a composed decryption exponent using unravelled linearization, in Inscrypt 2014 (2014), pp. 207–219

    Google Scholar 

  23. E. Jochemsz, A. May, A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants, in ASIACRYPT 2006 (2006), pp. 267–282

    Google Scholar 

  24. E. Jochemsz, A. May, A polynomial time attack on RSA with private CRT-exponents smaller than \(N^{0.073}\), in CRYPTO 2007 (2006), pp. 395–411

    Google Scholar 

  25. T. Kleinjung, K. Aoki, J. Franke, A.K. Lenstra, E. Thomé, J.W. Bos, P. Gaudry, A. Kruppa, P.L. Montgomery, D.A. Osvik, H.J.J. te Riele, A. Timofeev, P. Zimmermann, Factorization of a 768-bit RSA modulus, in CRYPTO 2010 (2010), pp. 333–350

    Google Scholar 

  26. N. Kunihiro, On optimal bounds of small inverse problems and approximate GCD problmes with higher degree, in ISC 2012 (2012), pp. 55–69

    Google Scholar 

  27. N. Kunihiro, K. Kurosawa, Deterministic polynomial time equivalence between factoring and key-recovery attack on Takagi’s RSA, in PKC 2007 (2007), pp. 412–425

    Google Scholar 

  28. N. Kunihiro, N. Shinohara, T. Izu, A unified framework for small secret exponent attack on RSA. IEICE Trans. 97-A(6), 1285–1295 (2014)

    Google Scholar 

  29. J.C. Lagarias, A.M. Odlyzko, Solving low-density subset sum problems. J. ACM 32(1), 229–246 (1985)

    Google Scholar 

  30. A.K. Lenstra, H.W. Lenstra, L. Lovász, Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)

    Article  MathSciNet  MATH  Google Scholar 

  31. A.K. Lenstra, E. Tromer, A. Shamir, W. Kortsmit, B. Dodson, J.P. Hughes, P.C. Leyland, Factoring estimates for a 1024-bit RSA modulus, in ASIACRYPT 2003 (2003), pp. 55–74

    Google Scholar 

  32. Y. Lu, R. Zhang, D. Lin, Factoring RSA modulus with known bits from both \(p\) and \(q\): a lattice method, in NSS 2013 (2013), pp. 393–404

    Google Scholar 

  33. Y. Lu, R. Zhang, D. Lin, Factoring multi-power RSA modulus \(N=p^rq\) with partial known bits, in ACISP 2013 (2013), pp. 57–71

    Google Scholar 

  34. Y. Lu, R. Zhang, D. Lin, New partial key exposure attacks on CRT-RSA with large public exponents, in ACNS 2014 (2014), pp. 151–162

    Google Scholar 

  35. Y. Lu, R. Zhang, L. Peng, D. Lin, Solving linear equations modulo unknown divisors: revisited, in ASIACRYPT 2015, Part I (2015), pp. 189–213

    Google Scholar 

  36. A. May, New RSA vulnerabilities using lattice reduction methods. Ph.D. thesis, University of Paderborn (2003), http://ubdata.uni-paderborn.de/ediss/17/2003/may/disserta.pdf

  37. A. May, Secret exponent attacks on RSA-type schemes with moduli \(N=p^rq\), in PKC 2004 (2004), pp. 218–230

    Google Scholar 

  38. A. May, Computing the RSA secret key is deterministic polynomial time equivalent to factoring, in CRYPTO 2004 (2004), pp. 213–219

    Google Scholar 

  39. A. May, M. Ritzenhofen, Implicit factoring: on polynomial time factoring given only an implicit hint, in Proceedings of the PKC 2009 (2009), pp. 1–14

    Google Scholar 

  40. A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996), pp. 118–122

    Book  MATH  Google Scholar 

  41. P.Q. Nguyen, B. Vallée (eds.), The LLL Algorithm - Survey and Applications. Information Security and Cryptography (Springer, Heidelberg, 2010)

    Google Scholar 

  42. L. Peng, L. Hu, J. Xu, Z. Huang, Y. Xie, Further improvement of factoring RSA moduli with implicit hint, in AFRICACRYPT 2014 (2014), pp. 165–177

    Google Scholar 

  43. L. Peng, L. Hu, Y. Lu, H. Wei, An improved analysis on three variants of the RSA cryptosystem. To appear in Inscrypt (2016)

    Google Scholar 

  44. L. Peng, L. Hu, Y. Lu, J. Xu, Z. Huang, Cryptanalysis of dual RSA. Des. Codes Cryptogr. (2016). doi:10.1007/s10623-016-0196-5

  45. R.L. Rivest, A. Shamir, L.M. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

    Article  MathSciNet  MATH  Google Scholar 

  46. S. Sarkar, Small secret exponent attack on RSA variant with modulus \(N=p^rq\). Des. Codes Cryptogr. 73(2), 383–392 (2014)

    Article  MathSciNet  MATH  Google Scholar 

  47. S. Sarkar, Revisiting prime power RSA. Discret. Appl. Math. 203, 127–133 (2016)

    Google Scholar 

  48. S. Sarkar, S. Maitra, Partial key exposure attack on CRT-RSA, in ACNS 2009 (2009), pp. 473–484

    Google Scholar 

  49. S. Sarkar, S. Maitra, Approximate integer common divisor problem relates to implicit factorization. IEEE Trans. Inf. Theory 57(6), 4002–4013 (2011)

    Article  MathSciNet  MATH  Google Scholar 

  50. P.W. Shor, Algorithms for quantum computation: discrete log and factoring, in FOCS 1994 (1994), pp. 124–134

    Google Scholar 

  51. H. Sun, M. Wu, W. Ting, M.J. Hinek, Dual RSA and its security analysis. IEEE Trans. Inf. Theory 53(8), 2922–2933 (2007)

    Article  MathSciNet  MATH  Google Scholar 

  52. A. Takayasu, N. Kunihiro, Better lattice constructions for solving multivariate linear equations modulo unknown divisors, in ACISP 2013 (2013), pp. 118–135

    Google Scholar 

  53. A. Takayasu, N. Kunihiro, Cryptanalysis of RSA with multiple small secret exponents, in ACISP 2014 (2014), pp. 176–191

    Google Scholar 

  54. A. Takayasu, N. Kunihiro, Partial key exposure attacks on RSA: achieving the Boneh-Durfee bound, in SAC 2014 (2014), pp. 345–362

    Google Scholar 

  55. A. Takayasu, N. Kunihiro, Partial key exposure attacks on CRT-RSA: better cryptanalysis to full size encryption exponents, in ACNS 2015 (2015), pp. 518–537

    Google Scholar 

  56. A. Takayasu, N. Kunihiro, Partial key exposure attacks on RSA with multiple exponent pairs, in ACISP 2016 (2016), pp. 243–257

    Google Scholar 

  57. A. Takayasu, N. Kunihiro, How to generalize RSA cryptanalysis, in PKC 2016, Part II (2016), pp. 67–97

    Google Scholar 

  58. A. Takayasu, N. Kunihiro, Partial key exposure attacks on CRT-RSA: general improvement for the exposed least significant bits, in ISC 2016 (2016), pp. 35–47

    Google Scholar 

  59. A. Takayasu, N. Kunihiro, Small secret exponent attacks on RSA with unbalanced prime factors, in ISITA 2016 (2016), pp. 236–240

    Google Scholar 

  60. A. Takayasu, N. Kunihiro, A tool kit for partial key exposure attacks on RSA. To appear in CT-RSA 2017 (2017)

    Google Scholar 

  61. A. Takayasu, N. Kunihiro, General bounds for small inverse problems and its applications to multi-prime RSA. IEICE Trans. 100-A(1), 50–61 (2017)

    Google Scholar 

  62. A. Takayasu, Y. Lu, L. Peng, Small CRT-exponent RSA revisited. To appear in EUROCRYPT 2017 (2017)

    Google Scholar 

  63. K. Tosu, N. Kunihiro, Optimal bounds for multi-prime \(\phi \)-hiding assumption, in ACISP 2012 (2012), pp. 1–14

    Google Scholar 

  64. M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in EUROCRYPT 2010 (2010), pp. 24–43

    Google Scholar 

  65. M.J. Wiener, Cryptanalysis of short RSA secret exponents. IEEE Trans. Inf. Theory 36(3), 553–558 (1990)

    Article  MathSciNet  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Frontier Sciences, University of Tokyo, 5-1-5 Kashiwanoha, Kashiwa-shi, Chiba, 277-8561, Japan

    Yao Lu & Noboru Kunihiro

  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Liqiang Peng

Authors
  1. Yao Lu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Liqiang Peng
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Noboru Kunihiro
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yao Lu .

Editor information

Editors and Affiliations

  1. Kyushu University, Fukuoka, Japan

    Tsuyoshi Takagi

  2. Kyushu University, Fukuoka, Japan

    Masato Wakayama

  3. Tokyo Institute of Technology, Tokyo, Japan

    Keisuke Tanaka

  4. The University of Tokyo, Kashiwa, Japan

    Noboru Kunihiro

  5. University of the Ryukyus, Nakagami-gun, Japan

    Kazufumi Kimoto

  6. Institute of Mathematics for Industry, Kyushu University, Fukuoka, Japan

    Dung Hoang Duong

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Singapore Pte Ltd.

About this chapter

Cite this chapter

Lu, Y., Peng, L., Kunihiro, N. (2018). Recent Progress on Coppersmith’s Lattice-Based Method: A Survey. In: Takagi, T., Wakayama, M., Tanaka, K., Kunihiro, N., Kimoto, K., Duong, D. (eds) Mathematical Modelling for Next-Generation Cryptography. Mathematics for Industry, vol 29. Springer, Singapore. https://doi.org/10.1007/978-981-10-5065-7_16

Download citation

  • DOI: https://doi.org/10.1007/978-981-10-5065-7_16

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-5064-0

  • Online ISBN: 978-981-10-5065-7

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation