Coppersmith method

The Coppersmith method, proposed by Don Coppersmith, is a method to find small integer zeroes of univariate or bivariate polynomials modulo a given integer. The method uses the Lenstra–Lenstra–Lovász lattice basis reduction algorithm (LLL) to find a polynomial that has the same zeroes as the target polynomial but smaller coefficients.

In cryptography, the Coppersmith method is mainly used in attacks on RSA when parts of the secret key are known and forms a base for Coppersmith's attack.

Approach

Coppersmith’s approach is a reduction of solving modular polynomial equations to solving polynomials over the integers.

Let $F(x) = x^n+a_{n-1}x^{n-1}+\ldots +a_1x+a_0$ and assume that $F(x_0)\equiv 0 \pmod{M}$ for some integer $|x_0|< M^{1/n}$ . Coppersmith’s algorithm can be used to find this integer solution $x_0$ .

Finding roots over Q is easy using e.g. Newton's method but these algorithms do not work modulo a composite number M. The idea behind Coppersmith’s method is to find a different polynomial $F_2$ related to F that has the same $x_0$ as a solution and has only small coefficients. If the coefficients and $x_0$ are so small that $F_2(x_0) < M$ over the integers, then $x_0$ is a root of F over Q and can easily be found.

Coppersmith's algorithm uses LLL to construct the polynomial $F_2$ with small coefficients. Given F, the algorithm constructs polynomials $p_1(x), p_2(x), \dots, p_n(x)$ that have the same zero $x_0$ modulo $M^a$ , where a is some integer chosen dependent on the degree of F and the size of $x_0$ . Any linear combination of these polynomials has zero $x_0$ modulo $M^a$ .

The next step is to use the LLL algorithm to construct a linear combination $F_2(x)=\sum c_ip_i(x)$ of the $p_i$ so that the inequality $|F_2(x)| < M^a$ holds. Now standard factorization methods can calculate the zeroes of $F_2(x)$ over the integers.

References

D. Coppersmith (1996). "Finding a Small Root of a Univariate Modular Equation". Lecture Notes in Computer Science 1070: 155–165. doi:10.1007/3-540-68339-9_14.
D. Coppersmith (1996). "Finding a Small Root of a Bivariate Integer Equation; Factoring with high bits known". Lecture Notes in Computer Science 1070: 178–189. doi:10.1007/3-540-68339-9_16.
Bauer, A.; Joux, A. (2007). "Toward a Rigorous Variation of Coppersmith’s Algorithm on Three Variables". Lecture Notes in Computer Science 4515: 361–378. doi:10.1007/978-3-540-72540-4_21.

This article is issued from Wikipedia - version of the Friday, February 19, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.

Coppersmith method

Approach

See also

References