On the Optimality of Lattices for the Coppersmith Technique

  • Yoshinori Aono
  • Manindra Agrawal
  • Takakazu Satoh
  • Osamu Watanabe
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7372)


We investigate the Coppersmith technique [7] for finding solutions of a univariate modular equation within a range given by a range parameter U. This paper provides a way to analyze a general type of limitation of the lattice construction. Our analysis bounds the possible range of U from above by a value that is asymptotically equal to the bound given by Coppersmith's original result. To show our result, we establish a framework for the technique by following the reformulation of Howgrave-Graham [14], and derive a condition for the technique to work. We then provide a way to analyze a bound on U for achieving the condition. Technically, we show that (i) the original result of Coppersmith achieves an optimal bound for U when the lattice is constructed in a standard way. We then show evidence supporting that (ii) a non-standard lattice construction is generally difficult. We also report on computer experiments demonstrating the tightness of our analysis. Some of the detailed arguments are omitted due to the space limit; see the full version [1].
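The standard lattice construction the abstract refers to (Coppersmith [7] in the Howgrave-Graham [14] formulation), worked through as an added illustration that is not part of the paper: for a monic polynomial f with a root x0 modulo N, |x0| < U, the rows N^(m-i) x^j f(x)^i all vanish modulo N^m at x0, column k is weighted by U^k, LLL returns a short polynomial h, and the Howgrave-Graham condition ||h(xU)|| < N^m/sqrt(w) forces h(x0) = 0 over the integers. The instance (N = 1000003 * 1000033, the coefficient 7777, the root 12345, U = 20000) is constructed for the example, and the pure-Python LLL is a textbook implementation, not the code behind the paper's experiments; with m = 1 this U lies outside the range for which the condition is provably met, with m = 2 it is inside, which is the dependence of the admissible range of U on the construction that the paper analyzes.

```python
from fractions import Fraction
def poly_mul(p, q):  # coefficient lists, lowest degree first
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r
def lll(B, delta=Fraction(3, 4)):
    """Textbook LLL in exact rational arithmetic; adequate for the tiny lattices here."""
    B, n = [list(b) for b in B], len(B)
    dot = lambda u, v: sum(a * b for a, b in zip(u, v))
    def gso():  # Gram-Schmidt vectors and mu coefficients of the current basis
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(c) for c in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu
    k, (Bs, mu) = 1, gso()
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce b_k; its Gram-Schmidt vector is unchanged
            q = round(mu[k][j])
            B[k] = [a - q * b for a, b in zip(B[k], B[j])]
            for l in range(j): mu[k][l] -= q * mu[j][l]
            mu[k][j] -= q
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gso()
            k = max(k - 1, 1)
    return B
def coppersmith_small_root(f, N, U, m):
    """Howgrave-Graham lattice for monic f (coeff list) mod N: rows N^(m-i) x^j f(x)^i, columns weighted
    by U^k. Returns (roots of the short polynomial h with |x| <= U, whether ||h(xU)|| < N^m/sqrt(w) held)."""
    d, w = len(f) - 1, (len(f) - 1) * (m + 1)
    rows, fi = [], [1]  # fi holds f(x)^i
    for i in range(m + 1):
        for j in range(d):
            g = poly_mul([0] * j + [N ** (m - i)], fi)
            rows.append([c * U ** k for k, c in enumerate(g + [0] * (w - len(g)))])
        fi = poly_mul(fi, f)
    b1 = lll(rows)[0]
    condition_ok = sum(c * c for c in b1) * w < N ** (2 * m)
    h = [c // U ** k for k, c in enumerate(b1)]  # undo the U^k column weighting
    return [x for x in range(-U, U + 1) if sum(c * x ** k for k, c in enumerate(h)) == 0], condition_ok
N, X0, U = 1000003 * 1000033, 12345, 20000  # constructed toy instance, not from the paper
F = [(-X0 * X0 - 7777 * X0) % N, 7777, 1]  # f(x) = x^2 + 7777 x + b, chosen so f(X0) = 0 mod N
```

The integer-root scan over |x| <= U is only adequate for this toy size; a real implementation would use a polynomial root finder on h.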


Keywords: Lattice, Coppersmith technique, Univariate equation, Impossibility result, RSA




References

1. Aono, Y., Agrawal, M., Satoh, T., Watanabe, O.: On the optimality of lattices for the Coppersmith technique. Cryptology ePrint Archive, 2012/134
2. Aono, Y.: A New Lattice Construction for Partial Key Exposure Attack for RSA. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 34–53. Springer, Heidelberg (2009)
3. Boneh, D., Durfee, G.: Cryptanalysis of RSA with Private Key d Less than N^0.292. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 1–11. Springer, Heidelberg (1999)
4. Blömer, J., May, A.: New Partial Key Exposure Attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
5. Blömer, J., May, A.: A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 251–267. Springer, Heidelberg (2005)
6. Castagnos, G., Joux, A., Laguillaumie, F., Nguyen, P.Q.: Factoring pq^2 with Quadratic Forms: Nice Cryptanalyses. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 469–486. Springer, Heidelberg (2009)
7. Coppersmith, D.: Finding a Small Root of a Univariate Modular Equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
8. Coppersmith, D.: Finding Small Solutions to Small Degree Polynomials. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 20–31. Springer, Heidelberg (2001)
9. Coron, J.-S., Joux, A., Kizhvatov, I., Naccache, D., Paillier, P.: Fault Attacks on RSA Signatures with Partially Unknown Messages. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 444–456. Springer, Heidelberg (2009)
10. Ernst, M., Jochemsz, E., May, A., de Weger, B.: Partial Key Exposure Attacks on RSA up to Full Size Exponents. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 371–386. Springer, Heidelberg (2005)
11. Gama, N., Nguyen, P.Q.: Predicting Lattice Reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)
12. Gianni, P., Trager, B.: Square-free algorithms in positive characteristic. Applicable Algebra in Engineering, Communication and Computing 7(1), 1–14 (1996)
13. Håstad, J.: Solving simultaneous modular equations of low degree. SIAM Journal on Computing 17(2), 336–341 (1988)
14. Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
15. Jochemsz, E., May, A.: A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
16. Kunihiro, N.: Solving Generalized Small Inverse Problems. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 248–263. Springer, Heidelberg (2010)
17. Konyagin, S.V., Steger, T.: On polynomial congruences. Mathematical Notes 55(6), 596–600 (1994)
18. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)
19. Milne, J.S.: Étale cohomology. Princeton Math. Series, vol. 33. Princeton Univ. Press (1980)
20. Nguyên, P.Q., Stehlé, D.: LLL on the Average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)
21. Nguyen, P.Q., Vallée, B.: The LLL Algorithm: Survey and Applications. Springer, Heidelberg (2009)
22. Okamoto, T., Shiraishi, A.: A fast signature scheme based on quadratic inequalities. In: Proc. of the Symposium on Security and Privacy, pp. 123–132. IEEE (1985)
23. Pólya, G., Szegő, G.: Problems and Theorems in Analysis, vol. II. Springer (1976)
24. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–128 (1978)
25. Shoup, V.: OAEP Reconsidered. Journal of Cryptology 15(4), 223–249 (2002)
26. Vallée, B., Girault, M., Toffin, P.: How to Break Okamoto's Cryptosystem by Reducing Lattice Bases. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 281–291. Springer, Heidelberg (1988)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Yoshinori Aono (1)
  • Manindra Agrawal (2)
  • Takakazu Satoh (3)
  • Osamu Watanabe (4)
  1. National Institute of Information and Communications Technology, Tokyo, Japan
  2. Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur, India
  3. Department of Mathematics, Tokyo Institute of Technology, Tokyo, Japan
  4. Department of Mathematical and Computing Sciences, Tokyo Institute of Technology, Tokyo, Japan
