Paper 2017/835

Coppersmith's lattices and ``focus groups'': an attack on small-exponent RSA

Stephen D. Miller, Bhargav Narayanan, and Ramarathnam Venkatesan


We present a principled technique for reducing the lattice and matrix size in some applications of Coppersmith's lattice method for finding roots of modular polynomial equations. Motivated by ideas from machine learning, it relies on extrapolating patterns from the actual behavior of Coppersmith's attack for smaller parameter sizes, which can be thought of as ``focus group'' testing. When applied to the small-exponent RSA problem, our technique reduces lattice dimensions and consequently running times, and hence can be applied to a wider range of exponents. Moreover, in many difficult examples our attack is not only faster but also more successful in recovering the RSA secret key. We include a discussion of subtleties concerning whether or not existing metrics (such as enabling condition bounds) are decisive in predicting the true efficacy of attacks based on Coppersmith's method. Finally, indications are given which suggest certain lattice basis reduction algorithms (such as Nguyen-Stehlé's L2) may be particularly well-suited for Coppersmith's method.

Note: 21 pages, 5 figures

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
lattice techniquesRSAcryptanalysisfactoring
Contact author(s)
miller @ math rutgers edu
2020-12-16: last of 3 revisions
2017-08-31: received
See all versions
Short URL
Creative Commons Attribution


      author = {Stephen D.  Miller and Bhargav Narayanan and Ramarathnam Venkatesan},
      title = {Coppersmith's lattices and ``focus groups'': an   attack on small-exponent RSA},
      howpublished = {Cryptology ePrint Archive, Paper 2017/835},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.