## Cryptology ePrint Archive: Report 2017/835

Coppersmith's lattices and focus groups'': an attack on small-exponent RSA

Stephen D. Miller and Bhargav Narayanan and Ramarathnam Venkatesan

Abstract: We present a principled technique for reducing the lattice and matrix size in some applications of Coppersmith's lattice method for finding roots of modular polynomial equations. Motivated by ideas from machine learning, it relies on extrapolating patterns from the actual behavior of Coppersmith's attack for smaller parameter sizes, which can be thought of as focus group'' testing. When applied to the small-exponent RSA problem, our technique reduces lattice dimensions and consequently running times, and hence can be applied to a wider range of exponents. Moreover, in many difficult examples our attack is not only faster but also more successful in recovering the RSA secret key. We include a discussion of subtleties concerning whether or not existing metrics (such as enabling condition bounds) are decisive in predicting the true efficacy of attacks based on Coppersmith's method. Finally, indications are given which suggest certain lattice basis reduction algorithms (such as Nguyen-Stehlé's L2) may be particularly well-suited for Coppersmith's method.

Category / Keywords: public-key cryptography / lattice techniques, RSA, cryptanalysis, factoring

Date: received 30 Aug 2017, last revised 24 May 2020

Contact author: miller at math rutgers edu

Available format(s): PDF | BibTeX Citation

Note: 20 pages, 5 figures

Short URL: ia.cr/2017/835

[ Cryptology ePrint archive ]