Abstract
At Eurocrypt '96, Coppersmith presented a novel application of lattice reduction to find small roots of a univariate modular polynomial equation. This led to rigorous polynomial-time attacks against RSA with low public exponent in some particular settings, such as encryption of stereotyped messages, random padding, or broadcast applications à la Håstad. Theoretically, these are the most powerful known attacks against low-exponent RSA. However, the practical behavior of Coppersmith's method was unclear. On the one hand, the method requires reductions of high-dimensional lattices with huge entries, which could be out of reach. On the other hand, it is well known that lattice reduction algorithms output better results than theoretically expected, which might allow better bounds than those given by Coppersmith's theorems. In this paper, we present extensive experiments with Coppersmith's method, and discuss various trade-offs together with practical improvements. Overall, practice meets theory. The warning is clear: one should be very cautious when using the low-exponent RSA encryption scheme, or one should use larger exponents.
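The stereotyped-message attack the abstract refers to, worked through as an added example; this is not code from the paper (the authors ran their experiments with NTL, and none of their measurements are reproduced here). It implements Howgrave-Graham's dual formulation of Coppersmith's method with the smallest useful lattice, dimension 2e = 6 and a single power of N, whose provable bound is only X < N^(1/5) rather than Coppersmith's N^(1/e); enlarging the lattice is exactly the trade-off between bound and reduction cost that the paper studies. Everything in it is constructed for illustration: a pure-Python LLL with exact rational arithmetic, an exact integer-root finder based on Sturm's theorem, a toy modulus built from the public Poly1305 and NIST P-192 field primes (used only because they are known primes with 3 not dividing p - 1, so e = 3 is a valid exponent), and the message prefix and secret.

```python
from fractions import Fraction

def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors (toy: fine for six rows, not for real sizes)."""
    b, n = [list(r) for r in basis], len(basis)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    mu, B, bstar = [[Fraction(0)] * n for _ in range(n)], [], []
    for i in range(n):                                   # Gram-Schmidt: mu[i][j], B[i] = |b*_i|^2
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / B[j]
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
        B.append(dot(v, v))
    def size_reduce(k, l):                               # make |mu[k][l]| <= 1/2, keep mu in sync
        q = round(mu[k][l])
        if q:
            b[k] = [x - q * y for x, y in zip(b[k], b[l])]
            mu[k][l] -= q
            for i in range(l):
                mu[k][i] -= q * mu[l][i]
    k = 1
    while k < n:
        size_reduce(k, k - 1)
        if B[k] >= (delta - mu[k][k - 1] ** 2) * B[k - 1]:  # Lovasz condition holds
            for l in range(k - 2, -1, -1):
                size_reduce(k, l)
            k += 1
            continue
        b[k], b[k - 1] = b[k - 1], b[k]                  # swap rows, then update mu and B in place
        for j in range(k - 1):
            mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
        m, Bk = mu[k][k - 1], B[k] + mu[k][k - 1] ** 2 * B[k - 1]
        mu[k][k - 1] = m * B[k - 1] / Bk
        B[k], B[k - 1] = B[k - 1] * B[k] / Bk, Bk
        for i in range(k + 1, n):
            t = mu[i][k]
            mu[i][k] = mu[i][k - 1] - m * t
            mu[i][k - 1] = t + mu[k][k - 1] * mu[i][k]
        k = max(k - 1, 1)
    return b

def poly_eval(p, x):                                     # p lists coefficients, low degree first
    return sum(c * x ** i for i, c in enumerate(p))

def poly_rem(a, b):                                      # remainder of a mod b over Q
    a = [Fraction(c) for c in a]
    while len(a) >= len(b):
        coef, shift = a[-1] / b[-1], len(a) - len(b)
        for i, c in enumerate(b):
            a[shift + i] -= coef * c
        while a and a[-1] == 0:                          # leading term cancels exactly
            a.pop()
    return a

def integer_roots(p, bound):
    """All integers r, |r| <= bound, with p(r) == 0 (p nonzero): Sturm-driven bisection, exact."""
    p = p[:max(i for i, c in enumerate(p) if c) + 1]    # strip zero leading coefficients
    seq = [[Fraction(c) for c in p], [i * Fraction(c) for i, c in enumerate(p)][1:]]
    while len(seq[-1]) > 1 and (r := poly_rem(seq[-2], seq[-1])):
        seq.append([-c for c in r])                      # canonical Sturm sequence
    # Probe at k +- eps, eps = 1/(|lead| + 1): never a root of p (a rational root's denominator
    # divides the leading coefficient), so Sturm's count on (lo - eps, hi + eps] is exact.
    eps = Fraction(1, abs(p[-1]) + 1)
    def variations(x):                                   # sign changes of the sequence at x
        s = [v for v in ((poly_eval(q, x) > 0) - (poly_eval(q, x) < 0) for q in seq) if v]
        return sum(u != w for u, w in zip(s, s[1:]))
    roots, stack = [], [(-bound, bound)]
    while stack:
        lo, hi = stack.pop()
        if variations(lo - eps) == variations(hi + eps):
            continue                                     # no real root near any integer in [lo, hi]
        if lo < hi:
            mid = (lo + hi) // 2
            stack += [(lo, mid), (mid + 1, hi)]
        elif poly_eval(p, lo) == 0:
            roots.append(lo)
    return sorted(roots)

def coppersmith_small_root(f, N, X):
    """Howgrave-Graham's form of Coppersmith's method (one power of N) for monic f of degree d:
    LLL-reduce x^i*N and x^i*f (i < d) evaluated at xX; works once N^(1/2)*X^((2d-1)/2) << N."""
    d = len(f) - 1
    polys = [[0] * i + [N] for i in range(d)] + [[0] * i + f for i in range(d)]
    rows = [[c * X ** k for k, c in enumerate(g + [0] * (2 * d - len(g)))] for g in polys]
    g = [c // X ** k for k, c in enumerate(lll_reduce(rows)[0])]   # shortest vector, X scaling undone
    return [r for r in integer_roots(g, X - 1) if poly_eval(f, r) % N == 0]

# Constructed toy instance: N is the product of the public Poly1305 prime 2^130 - 5 and the NIST
# P-192 field prime, chosen only as known primes with 3 not dividing p - 1.  Never use such an N.
N, E = (2**130 - 5) * (2**192 - 2**64 - 1), 3
PREFIX = b"The launch code for today is: "              # the stereotyped, known part
SECRET = b"hunter2"                                      # 7 unknown bytes = 56 bits

def encrypt(prefix, secret):
    m = (int.from_bytes(prefix, "big") << (8 * len(secret))) | int.from_bytes(secret, "big")
    return pow(m, E, N)

def recover_secret(prefix, c, secret_len):
    """Attacker's side: knows N, e, c, the prefix and the secret's length, nothing else."""
    a = int.from_bytes(prefix, "big") << (8 * secret_len)
    f = [(a**3 - c) % N, 3 * a**2 % N, 3 * a % N, 1]     # (a + x)^3 - c mod N, monic
    X = 1 << (8 * secret_len + 4)                         # 2^60: N^0.5 * X^2.5 ~ 2^311 << N ~ 2^322
    roots = [r for r in coppersmith_small_root(f, N, X) if r >= 0]
    return roots[0].to_bytes(secret_len, "big") if roots else None
```

Calling recover_secret(PREFIX, encrypt(PREFIX, SECRET), 7) returns b'hunter2'. Two points a practitioner should take from it. First, the recovered vector is a polynomial that vanishes at the secret over the integers, so the last step is ordinary root finding; it is done here with Sturm's theorem rather than floating-point root finding because the coefficients are several hundred bits wide and a float solver can silently miss the root. Second, the bound is dictated by the lattice: with six rows the guarantee is roughly X < N^(1/5), and pushing toward Coppersmith's N^(1/3) means adding higher powers of N and f, which is where the dimensions and entry sizes that the paper's experiments measure come from.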
References
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In Proc. of Crypto '97, volume 1294 of LNCS, pages 235–248. Springer-Verlag, 1997.
D. Boneh. Twenty years of attacks on the RSA cryptosystem. Notices of the AMS, 1998. To appear. Available at http://theory.stanford.edu/~dabo/.
D. Boneh and R. Venkatesan. Breaking RSA may not be equivalent to factoring. In Proc. of Eurocrypt '98, volume 1403 of LNCS, pages 59–71. Springer-Verlag, 1998.
D. Coppersmith. Finding a small root of a bivariate integer equation; factoring with high bits known. In Proc. of Eurocrypt '96, volume 1070 of LNCS, pages 178–189. Springer-Verlag, 1996.
D. Coppersmith. Finding a small root of a univariate modular equation. In Proc. of Eurocrypt '96, volume 1070 of LNCS, pages 155–165. Springer-Verlag, 1996.
D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. of Cryptology, 10(4):233–260, 1997.
D. Coppersmith, M. Franklin, J. Patarin, and M. Reiter. Low-exponent RSA with related messages. In Proc. of Eurocrypt '96, volume 1070 of LNCS, pages 1–9. Springer-Verlag, 1996.
J. Håstad. Solving simultaneous modular equations of low degree. SIAM J. Comput., 17(2):336–341, April 1988.
N. Howgrave-Graham. Finding small roots of univariate modular equations revisited. In Cryptography and Coding, volume 1355 of LNCS, pages 131–142. Springer-Verlag, 1997.
C. S. Jutla. On finding small solutions of modular multivariate polynomial equations. In Proc. of Eurocrypt '98, volume 1403 of LNCS, pages 158–170. Springer-Verlag, 1998.
D. Knuth. The Art of Computer Programming, vol. 2: Seminumerical Algorithms. Addison-Wesley, 1981. Section 4.6.1.
A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261:515–534, 1982.
R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
C.-P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201–224, 1987.
H. Shimizu. On the improvement of the Håstad bound. In 1996 IEICE Fall Conference, volume A-162, 1996. In Japanese.
V. Shoup. Number Theory C++ Library (NTL) version 3.1. Can be obtained at http://www.cs.wisc.edu/~shoup/ntl/.
B. Vallée, M. Girault, and P. Toffin. How to guess ℓ-th roots modulo n by reducing lattice bases. In Proc. of AAECC-6, volume 357 of LNCS, pages 427–442. Springer-Verlag, 1988.
© 1999 Springer-Verlag Berlin Heidelberg
Cite this paper
Coupé, C., Nguyen, P., Stern, J. (1999). The Effectiveness of Lattice Attacks Against Low-Exponent RSA. In: Public Key Cryptography. PKC 1999. Lecture Notes in Computer Science, vol 1560. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-49162-7_16
DOI: https://doi.org/10.1007/3-540-49162-7_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-65644-9
Online ISBN: 978-3-540-49162-0