A variant of Coppersmith s Algorithm with Improved Complexity and Efficient Exhaustive Search

Transcription

1 A variant of Coppersmith s Algorithm with Improved Complexity and Effiient Exhaustive Searh Jean-Sébastien Coron 1, Jean-Charles Faugère 2, Guénaël Renault 2, and Rina Zeitoun 2,3 1 University of Luxembourg jean-sebastienoron@unilu 2 UPMC, Université Paris 6, INRIA, Centre Paris-Roquenourt, PolSys Projet-team, CNRS, UMR 7606, LIP6 4 plae Jussieu, Paris, Cedex 05, Frane jean-harlesfaugere@inriafr guenaelrenault@lip6fr 3 Oberthur Tehnologies 420 rue d Estienne d Orves, CS 40008, Colombes, Frane rzeitoun@oberthurom Abstrat Coppersmith desribed at Eurorypt 96 a polynomial-time algorithm for finding small roots of univariate modular equations, based on lattie redution In this paper we desribe the first improvement of the asymptoti omplexity of Coppersmith s algorithm Our method onsists in taking advantage of Coppersmith s matrix struture, in order to apply LLL algorithm on a matrix whose elements are smaller than those of Coppersmith s original matrix Using the L 2 algorithm, the asymptoti omplexity of our method is O(log 6+ε N) for any ε > 0, instead of O(log 8+ε N) previously Furthermore, we devise a method that allows to speed up the exhaustive searh whih is usually performed to reah Coppersmith s theoretial bound Our approah takes advantage of the LLL performed to test one guess, to redue omplexity of the LLL performed for the next guess Experimental results onfirm that it leads to a onsiderable performane improvement Keywords: Coppersmith s Method, LLL, Strutured Matrix 1 Introdution The famous Diophantine problem of finding integer roots of polynomial equations is known to be hard in general In ryptology, many seurity assumptions are based on the ability to solve speifi diophantine equations At Eurorypt 96, Coppersmith used lattie redution to design a method that allows to retrieve small integer roots [1], with many appliations in ryptology, espeially regarding RSA Namely, for polynomials of the form: p(x) = x δ + a δ 1 x δ 1 ++a 0 0 mod N where N has an unknown fatorization, Coppersmith proved that one an find any root x 0 satisfying x 0 < N 1/δ in polynomial time The tehnique he designed was latter simplified by Howgrave-Graham in [2] Both methods have the same asymptotial omplexity, but sine the latter one holds a more natural approah and is easier to implement, it is ommonly adopted The method onsists in building a lattie whih ontains polynomials that admit x 0 as a root modulo N l, where l is a parameter related to the dimension of the lattie This lattie is then redued using the well-known LLL algorithm [3] or an analogous algorithm with improved omplexity [4, 5] Sine the first resulting polynomial h(x 0 ) 0 mod N l is provided with small oeffiients, it is suh that h(x 0 ) equals to zero over the integers The solution x 0 an therefore be retrieved by solving h(x) using a lassial method for fatoring polynomials over finite fields (eg Berlekamp s algorithm) The omplexity of the method

2 2 depends almost exlusively on the LLL omplexity Namely, if we use the L 2 algorithm whih is an improved version of the LLL algorithm due to Nguyen and Stehlé [4], the omplexity of the method is O(ω 5+ε log B + ω 4+ε log 2 B) where ω is the dimension of the lattie and the bit-size of the elements is bounded by log B = O(log 2 N) Coppersmith s method brought forth many appliations in ryptology, espeially regarding RSA ryptosystem Namely, it has been used to fatorize N = pq with partial knowledge of p [6] or to fatorize modulus of the form N = p r q with large r [7] It has also been used for ryptanalysis of RSA with fixed pattern padding [8], with small seret CRT-exponents [9] or with d < N 029 [10] As mentioned previously, the suess of Coppersmith s methods in [1] and [2], depends on the size of the solution More preisely, the largest the dimension of the lattie, the losest to N 1/δ the solution x 0 an be In order to reah the bound x 0 < N 1/δ, one would need to use a lattie of huge dimension Thus, the omputation would beome prohibitive Therefore in pratie, one uses latties of reasonable dimension, whih allows to retrieve most part of the solution x 0 Exhaustive searh is performed to retrieve the other part α 0 The exhaustive searh onsists in testing all possible polynomials, eah polynomial orresponding to one possible guess for α 0 For eah guess, one builds a lattie assoiated to the polynomial aording to [2], and one applies LLL to redue it The solution x 0 will be found for the right guess α 0, ie for the orret polynomial In this paper, we propose a variant of Coppersmith s approah that allows to improve the asymptotial omplexity of the method Our approah onsists in applying LLL on a matrix ontaining smaller elements than in the original matrix This is done by taking the integer quotient of all elements by a partiular value Then, one translates the obtained information bak into the original matrix This allows to obtain an LLL-redued matrix at redued ost, namely the bit-size of the elements is bounded by log B = O(log N) instead of log B = O(log 2 N) We further exhibit a new approah to arry out the exhaustive searh whih onsists in taking advantage of the LLL performed to test one guess, to redue omplexity of the LLL performed for the next guess Namely, we show that matries assoiated to both guesses are linked by a speifi transformation, whih allows to report the obtained information from one to the other We also ombine this method with the previous one, by trunating matries before applying LLL This new approah is heuristi and provides a onsiderable speed up Namely, for polynomials of the form p(x) = x 2 + ax + b 0 mod N and log 2 (N) = 2048 the new method performs more than 1000 times faster than the original one The paper is organized as follows: Setion 2 gives an overview of the main priniples in Coppersmith s algorithm (we use Howgrave-Graham s variant [2]) Setion 3 desribes a method to redue omplexity of the LLL omputation performed in [2] A new heuristi approah to arry out exhaustive searh is exhibited in Setion 4 Experimental results are presented in Setion 5 They validate the effiieny of both improvements Eventually, in Setion 6, we onlude our researh 2 Coppersmith s Algorithm We first reall Coppersmith s algorithm We use the Howgrave-Graham variant [2] whih is equivalent to Coppersmith s method [1] sine it has the same omplexity as Coppersmith s

3 method and has a more natural approah Thus, in the sequel, by Coppersmith s matrix, we mean the matrix depited in [2] Theorem 1 (Coppersmith) Let p(x) be a moni polynomial of degree δ in one variable modulo an integer N of unknown fatorization Let X be suh that X N 1/δ One an find all integers x 0 with p(x 0 ) = 0 mod N and x 0 X, in time polynomial in (log N, 2 δ ) The method is depited hereafter Given a parameter l 1, we onsider the polynomials: q ik (x) = x i N l k p k (x) mod N l with 0 i < δ for all 0 k < l, and i = 0 for k = l We have: q ik (x 0 ) = 0 mod N l Let h(x) be a linear ombination of the q ik (x) Thusly, h(x) is suh that h(x 0 ) = 0 mod N l The ore idea of the method onsists in noting that if the solution x 0 and the oeffiient of h(x) are suffiiently small, ie they are suh that h(x 0 ) < N l, then h(x 0 ) holds over the integers and it an be solved using a lassial method for fatoring polynomials over finite fields (eg Berlekamp s algorithm) Beforehand, we need to reall the following lemma Lemma 1 (Howgrave-Graham) Let h(x) Z[x] be the sum of at most ω monomials Assume that h(x 0 ) = 0 mod N l where x 0 X and h(xx) < N l / ω Then h(x 0 ) = 0 over the integers Proof We have: h(x 0 ) = h i x i 0 = ( hi X i x ) 0 i X ( h i X i x ) 0 i h i X i X ω h(xx) < N l Sine h(x 0 ) = 0 mod N l, this gives h(x 0 ) = 0 We onsider the matrix M of dimension ω = δ l + 1 whose row vetors are the oeffiients of the polynomials q ik (xx) For p(x) = x 2 + ax + b and l = 1, we have: N 0 0 M = 0 NX 0 b ax X 2 The matrix M is triangular and diagonal elements of the matrix M are given by: X δ k+i N l k for 0 i < δ for all 0 k < l, and i = 0 for k = l Therefore the determinant of the matrix is given by: det M = X ω (ω 1)/2 N δ l (l+1)/2 We aknowledge the following theorem: 3

4 4 Theorem 2 (LLL) Let L be a lattie spanned by (u 1,, u ω ) Z n, where the Eulidean norm of eah vetor is bounded by B The LLL algorithm, given (u 1,, u ω ), finds in time O(ω 5 n log 3 B) a vetor b 1 suh that: b 1 2 (ω 1)/4 det(l) 1/ω Remark 1 In order to obtain a better omplexity, one an use enhaned versions of LLL whih ahieve the same bound on b 1 but with improved omplexity Namely, the L 2 algorithm due to Nguyen and Stehlé [4], terminates in time O(ω 5+ε log B + ω 4+ε log 2 B) and the L 1 algorithm from Novoin, Stehlé and Villard [5] has a omplexity O(ω 5+ε log B + ω 1+u+ε log 1+ε B) where u = 2376 is a valid exponent for matrix multipliation Coppersmith s method onsists in applying the LLL algorithm (or an equivalent) on the matrix M with dimension ω = δ l + 1 Aording to Theorem 2, the first resulting polynomial h(xx) is suh that: h(xx) 2 (ω 1)/4 (det M) 1/ω = 2 (ω 1)/4 X (ω 1)/2 N δ l (l+1)/(2δl+2) In order to fulfill the ondition h(xx) < N l / ω and negleting the term ω and 2 (ω 1)/4, we have the following inequality whih yields a ondition on the bound X: whih gives: X δ l/2 N δ l (l+1)/(2δl+2) < N l X δ l/2 < N (δ l2 +2l δ l)/(2δl+2) Therefore we get the following upper-bound on X: More preisely we get: where X < N (δ l+2 δ)/(δ (δ l+1)) X < N 1/δ ε, ε = 1 δ δ l + 2 δ δ (δ l + 1) = δ 1 δ (δ l + 1) 1 δ l + 1 = 1 ω By taking ω = log N, the LLL algorithm is applied on a lattie of dimension ω = l δ + 1 and the bit-size of the elements is bounded by log B = O(l log N) = O(log 2 N) The root x 0 an be reovered by applying the previous algorithm in a onstant number of intervals In the sequel, we give the asymptoti omplexity of the method and we denote by Õ(logk N) the omplexity O(log k+ε N), for any ε > 0 Using the L 2 algorithm with omplexity O(ω 5+ε log B+ω 4+ε log 2 B) the asymptoti omplexity of the algorithm is therefore: Õ(log 8 N) Using the L 1 algorithm with omplexity O(ω 5+ε log B + ω 1+u+ε log 1+ε B) the asymptoti omplexity is therefore: Õ(log 7 N) In the sequel we propose a method that redues the asymptoti omplexity of Coppersmith s method

5 5 3 A variant of Coppersmith s Algorithm with Improved Complexity The general idea of the improvement onsists in applying LLL on a matrix with shorter elements More preisely, we apply LLL on Coppersmith s matrix where only the most signifiant bits of all oeffiients are onsidered To this end, the method is omposed by two stages In a first step, one makes sure that all the oeffiients in M are smaller than a partiular value by performing modular redutions In a seond step, one trunates oeffiients in M, then one applies LLL on this trunated matrix Finally, one translates the obtained information bak into the matrix M The resulted matrix will be LLL-redued 31 The New Method In the sequel, we highlight the two stages of the method Then we justify our hoies and exhibit a proof validating them First step: It onsists in making sure that all the oeffiients in M are less than N l+1 Thereby, in a given olumn one should redue all oeffiients with the oeffiient on the diagonal More preisely, this an be done by reduing the elements in turn, starting from the bottom right and ending by the top left of the matrix M, row after row Seond step: It onsists in LLL-reduing the matrix M at low ost by onsidering a trunated matrix To this end, one takes the integer quotient of all the matrix oeffiients by an integer that will be determined later We denote by M = M this trunated matrix Thus, one applies LLL on M and one obtains an LLL-redued matrix M R We denote by U the unimodular matrix suh that U M = M R Eventually, applying the unimodular matrix U to the matrix M gives an LLL-redued matrix M R We now prove the onsisteny of both steps For the first step, we onsider Coppersmith s bound on X: X < N 1/δ 1/ω As mentioned previously the diagonal elements in M are: d ik = X δ k+i N l k, for 0 i < δ for all 0 k < l, and i = 0 for k = l Therefore, for all suh i, k, we have: N l 1 X δ l d ik X δ 1 N l N l+1 (1) As a onsequene, all diagonal elements of matrix M lie between N l 1 and N l+1 Thus, by reduing all oeffiients in M with the oeffiient on the diagonal, one makes sure that all oeffiients in M are less than N l+1

6 6 For the seond step, one must ensure that taking the integer quotient of all matrix oeffiients by, leaves the matrix invertible Using (1), one knows that the smallest diagonal oeffiient of M is X δ l = X ω 1 Therefore, by taking X ω 1 all diagonal elements of M are lower-bounded by 1, whih ensures that det(m ) 0 Eventually, one shows the following proposition: Proposition 1 Let M = M be the matrix ontaining the integer quotient by of oeffiients in matrix M, and U be the unimodular matrix suh that U M = M R By multiplying matrix U with matrix M, the first vetor of the resulting matrix M R [1] has a norm bounded by ( 2 (ω 1)/4 X (ω 1)/2 N δ l (l+1)/(2δl+2) 1 + 2ω 2 ω 2 ) X ω 1 In order to prove this proposition, one first needs to exhibit a bound on the first vetor M R [1] in the LLL-redued matrix M R, as depited in the following Lemma Lemma 2 The first vetor M R [1] obtained by applying LLL on M is suh that: M R [1] 2(ω 1)/4 X (ω 1)/2 N δ l (l+1)/(2δl+2) (2) Proof Sine elements in matrix M are the integer quotient by of elements in matrix M, and sine M and M are triangular matries, one has the relation det M det M ω (3) Furthermore, the first vetor M R [1] has a norm bounded by 2 (ω 1)/4 (det M ) 1/ω Therefore, using inequality (3) one gets the bound: M R [1] 2(ω 1)/4 (det M) 1/ω Moreover, substituting (det M) 1/ω by X (ω 1)/2 N δ l (l+1)/(2δl+2) in previous equation, allows to retrieve bound (2) With the aim of proving Proposition 1 one also needs to have a bound on the matrix norm M 1, as depited in the following Lemma Lemma 3 The matrix norm of M 1 is upper-bounded as follows M 1 < ω 2ω 2 X ω 1

7 7 Proof see proof in Annex One an now prove Proposition 1 Proof The matrix M an be deomposed as M = M + R where all elements in R are upper-bounded by Therefore one has the relation U M = U M + U R Using the fat that U M = M R, and onsidering only the first vetor U[1] of the matrix U, one gets the following equation U[1] M = M R [1] = M R [1] + U[1] R Moreover, still using U M = M R, the vetor U[1] an be rewritten U[1] = M R [1] M 1, whih leads to the equation: M R [1] = M R [1] + M R [1] M 1 R (4) Furthermore, applying Lemma 2 whih provides an upper-bound (2) for M R [1], and using the triangular inequality, one gets the following relation: ( M R [1] 2 (ω 1)/4 X (ω 1)/2 N δ l (l+1)/(2δl+2) 1 + M 1 ) R As the norm of matrix R is upper-bounded by ω, and again, using the triangular inequality, one obtains M R [1] 2 (ω 1)/4 X (ω 1)/2 N δ l (l+1)/(2δl+2) ( 1 + ω M 1 ) Moreover, using Lemma 3, one has the following upper-bound for the value (M ) 1 : M 1 < ω 2ω 2 X ω 1 Our previous inequality beomes ( M R [1] 2 (ω 1)/4 X (ω 1)/2 N δ l (l+1)/(2δl+2) 1 + 2ω 2 ω 2 ) X ω 1 whih onludes the proof On one side, the larger the integer, the smaller the elements in M, and onsequently, the less ostly the LLL-redution of M One an see on the other side that, the smaller the integer, the smaller the upper-bound on the norm of the first vetor M R [1] More preisely, one needs to find a first vetor that is upper-bounded by N l / ω so that the orresponding polynomial h(x 0 ) holds over the integers Ideally, one would like to hold a value so that the orresponding bound on X remains the same as before, ie X < N 1/δ 1/ω In the following, we show that there exists suh a value whih enables to find, with redued omplexity, a short vetor bounded by N l / ω with X < N 1/δ 1/ω More preisely, we show that taking = Xω ω is a good trade-off

8 8 Proposition 2 Let M be suh that M = M with = Xω ω, and U be the unimodular matrix suh that U M = M R By multiplying matrix U with matrix M, the first vetor of the resulting matrix M R has a norm bounded by N l / ω, for X < N 1/δ 1/ω Proof By taking = Xω 1, and using Proposition 1, one gets the bound 2 2 ω ( ) M R [1] 2 (ω 1)/4 X (ω 1)/2 N δ l (l+1)/(2δl+2) 1 + ω2 2 ω+2 From the ondition M R [1] N l / ω, and sine for all ω 1 we have relation whih indues a bound for X: 2 (ω+3)/4 X (ω 1)/2 N δ l (l+1)/(2δl+2) N l ω ω2 < 1, one gets a 2 ω+2 The fators ω and 2 (ω+3)/4 may, as in Setion 2, be omitted sine they have little effet on subsequent bound As a onsequene, performing the same alulations as in Setion 2 allows to retrieve the bound X < N 1/δ 1/ω Therefore, when onsidering a solution x 0 bounded by X < N 1/δ 1/ω, the first vetor obtained by applying the unimodular matrix U to the matrix M, has a norm bounded by N l / ω Sine this vetor has a norm bounded by N l / ω, using Lemma 1 the orresponding polynomial equation h(x) is suh that h(x 0 ) = 0 over integers As a onsequene, one an solve it and retrieve the solution x 0 Thus, we have the following Corollary: Corollary 1 Let p(x) be a polynomial of degree δ in one variable modulo an integer N of unknown fatorization Let X be suh that X N 1/δ By performing the approah desribed in Setion 31, one an find all integers x 0 with p(x 0 ) = 0 mod N and x 0 X, in time polynomial in (log N, 2 δ ) Eventually, the overall method is depited in Algorithm 1 In the sequel, we show that following this approah allows to derease the asymptotial omplexity of the method by a non-negligible fator 32 The Asymptoti Complexity Aordingly to our method, it is suffiient to apply the LLL algorithm on a lattie of dimension ω = l δ + 1 and with elements bounded by N l+1 = N l+1 N l+1 < Xω 1 N l 1 < N 2 instead of N l+1 Therefore, the elements have a bit-size bounded by log B = O(log N) instead of O(log 2 N) Using the L 2 algorithm with omplexity O(ω 5+ε log B+ω 4+ε log 2 B) the asymptoti

9 9 Algorithm 1 Solving p(x) 0 mod N Input: Polynomial equation p(x) 0 mod N, upper-bound X on x 0, dimension ω, divisor = Xω ω Construt Coppersmith matrix M of dimension ω assoiated to p(x) Perform modular redutions on M using diagonal elements M := M M R, U := LLL(M ) M R := U M First polynomial in M R provides the solution x 0 return x 0 omplexity of the algorithm is therefore Õ(log6 N) Using the L 1 algorithm with omplexity O(ω 5+ε log B+ω 1+u+ε log 1+ε B) with u = 2376, the asymptoti omplexity is again Õ(log6 N) We notie that both asymptoti omplexities are similar This is due to the fat that the L 1 algorithm was designed in suh a way that it is quasi-linear in the bit-length log B of the entries It leads to the following theorem: Theorem 3 The asymptoti omplexity of Algorithm 1 for finding small roots of p(x) 0 mod N using L 2 or L 1 algorithms is Õ(log6 N) We reall that omplexities with the original method were Õ(log8 N) using the L 2 algorithm and Õ(log7 N) using the L 1 algorithm In the sequel, we devise a method that allows to speed up the exhaustive searh whih is usually performed to reah Coppersmith s theoretial bound 4 Effiient Exhaustive Searh Aording to Coppersmith s Theorem (see Setion 2), one an retrieve the solution x 0 if x 0 < X = N 1/δ 1/ω When the solution is lose to N 1/δ, it is well known that in pratie the bound X < N 1/δ should not be reahed by taking a very large ω, ie by using a very large dimension Indeed, it is better to use a lattie of reasonable dimension and to perform exhaustive searh on most signifiant bits of x until finding the solution x 0 This is done by writing x 0 = 2 k α 0 + x 0 and onsidering α polynomials p α (x ), where α is suh that 0 α X 2 k, and we have: p α (x ) = p(2 k α + x ) For the ase α = α 0, the solution x 0 satisfies x 0 < 2k = X = N 1/δ 1/ω and it has a orret size for LLL to find it using a lattie of dimension ω (where ω is relatively small) For eah polynomial p α, one performs LLL on the orresponding Coppersmith s matrix (see Setion 2) The solution x 0 is then found for the right value α 0, ie for the right polynomial p α0 In Setion 41, we desribe a method that allows to take advantage of the LLL performed for the ase α = i to redue omplexity of the LLL performed for the ase α = i + 1 More preisely,

10 10 one onsiders matries whih are equivalent to Coppersmith s matries One uses the fat that for different instanes α = 0,, i those matries an be linked one to another by the relation M i = M i 1 P = = M 0 P i where P is a well-known strutured matrix Our method onsists in LLL-reduing M 0, whih gives M0 R Then, instead of LLL-reduing M 1 = M 0 P, we apply LLL on M0 R P We expet this matrix to be almost redued already sine it is the produt of an LLL-redued matrix M0 R with a matrix P ontaining small oeffiients This gives matrix M1 R Next step onsists in applying LLL on M 1 R P instead of M 2 = M 0 P 2 Thus, we perform this proess inrementally, until the solution x 0 is found, ie until α = α 0 Thereafter, in Setion 42 we ombine this improvement with the trunation approah desribed in Setion 3 41 Exploiting Relations Between Matries We start by highlighting the following proposition that gives a relation between two matrix instanes for the ase α = i and α = i + 1 Proposition 3 We denote by M i the matrix used to solve the polynomial p i (x ) = p(2 k i+x ) for the ase α = i Let P denote the lower triangular Pasal matrix defined as follows: P s,t = ( ) s t s, t = 0,, ω 1 The matrix M i+1 = M i P is a suitable matrix to solve the polynomial p i+1 (x ) for the ase α = i + 1 Proof In Coppersmith s method, the matrix M i represents the following ω polynomials : M i ( 1, x X, ( ) x 2,, X ( ) ) x ω 1 T X All those polynomials would admit x 0 as a solution modulo N l if α = α 0 = i For the ase α = i + 1, one tries to solve the polynomial p i+1 (x ) = p(2 k (i + 1) + x ) = p(2 k i + x + 2 k ) = p i (x + 2 k ) = p i (x + X ) Therefore, for the ase α = i+1, the polynomials are the same as for the ase α = i, but written in a different basis, ie the basis (1, x +X X, ( x +X X ) 2,, ( x +X X ) ω 1 ) Thus, the polynomials are the following: M i ( 1, x + X X, ( x + X ) 2,, X ( x + X ) ) ω 1 T (5) X

11 Yet, we need to return to the original representation of the polynomials, ie in the basis (1, x X, ( x X ) 2,, ( x X ) ω 1 ) To this end, we use the following property regarding the lower triangular Pasal matrix P : 1 1 x +X x ( X ) 2 ( X ) x +X x 2 X = P X (6) ( ) ω 1 x +X X ( ) x ω 1 X Therefore, ombining (5) and (6) allows to get the following equivalene: 1 1 x +X x ( X ) 2 ( X ) x +X x 2 M i X = M i P X ( ) ω 1 x +X X ( ) x ω 1 X As a onsequene, the matrix M i+1 = M i P is a suitable matrix to solve the polynomial p i+1 (x ) sine it ontains ω polynomials that would admit x 0 as a solution modulo N l if α = α 0 = i + 1 Remark: The matrix M i+1 onsidered here is not idential to the matrix that would have been used in Coppersmith s method However, one an show that both matries are linked by row linear ombinations Now that we hold a relation between matries M i and M i+1, we enlighten the ore idea of the method in the following proposition: 11 Proposition 4 The multipliation of the redued matrix M R i by the Pasal matrix P M i+1 = M R i P gives a matrix M i+1 to test the ase α = i + 1 This matrix ontains vetors whose norms are lose to vetor norms of the LLL-redued matrix Mi R Namely, for all 1 j ω we have: M i+1 [j] < ω 2 ω M R i [j] In partiular, for the ase i = α 0 the first vetor of Mi+1 has a norm bounded by 2 ω N l Proof The appliation of LLL on matrix M i provides matries U i and M R i suh that U i M i = M R i

12 12 Therefore, one has U i M i P = M R i P Furthermore, using Proposition 3, one gets the following relation: U i M i+1 = M R i P (7) Sine matrix U i is unimodular, the matrix produt U i M i+1 remains a basis of the lattie spawned by the original matrix M i+1 Therefore, using equality 7, one dedues that matrix M i+1 = Mi R P yields the same lattie as M i+1 and an be used to solve the polynomial p i+1 (x ) Eventually, sine matrix M i+1 is the produt of Mi R with a matrix P omposed of relatively short elements, the elements in M i+1 remain lose to those in the redued matrix Mi R Indeed, the largest element in P is ( ω 1) ω 1 whih is less than 2 ω 1 More preisely, the maximal norm of 2 olumn vetors in P is equal to: ω 1 2 ( 2 2 ) ω 1 2 ( ) (ω 1) < 2 2ω 1 < 2 ω Therefore the norm of eah vetor of Mi+1 is at most enlarged by a fator ω 2 ω ompared to the norm of the orresponding vetor in Mi R, ie for all 1 j ω we have M i+1 [j] < ω 2 ω Mi R[j] In partiular, for i = α 0, sine the first vetor of Mi R has a norm bounded by N l / ω, the norm of the first vetor of Mi R P is bounded by 2 ω N l whih is relatively lose to N l / ω As a onsequene of Proposition 4, one an use matrix M i+1 to test the ase α = i + 1 We expet the LLL-redution of Mi+1 to be less ostly than the one of M i+1 sine it ontains elements relatively lose to the ones in the LLL-redued matrix Mi R Thus, one an use this property iteratively to elaborate a new method whih onsists in LLL-reduing M 0 for the ase α = 0 (using the method desribed in Setion 3) This gives a redued matrix M0 R Then, one performs a multipliation by P and an LLL-redution of M1 = M0 R P, whih gives M 1 R Then, we multiply M1 R by P, and perform LLL on M 2 = M1 R P, whih gives M 2 R We then reiterate this proess until the solution x 0 is found, ie until α = α 0 The method is depited in Algorithm 2 In Setion 3 we depited a method whih onsisted in trunating the matrix before applying LLL In the sequel, we outline a heuristi approah whih onsists in performing similar trunations during the improved sheme of the exhaustive searh desribed in Setion Combining Coppersmith s Algorithm Variant and Improved Exhaustive Searh: A Heuristi Approah During the exhaustive searh desribed in Setion 41, we perform the LLL algorithm on the matrix M i+1 = Mi R P for 0 i α 0 1 In the sequel we analyze the properties of the matrix M i+1 We enlighten that one an trunate elements in matrix M i+1 for all i and apply LLL on the trunated matrix M i+1, as performed in Setion 3 However, as disussed below,

13 13 Algorithm 2 Solving p(x) 0 mod N with exhaustive searh on α Input: Equation p(x) 0 mod N, upper-bound X on x 0, dimension ω, divisor := Xω ω Construt Coppersmith matrix M 0 of dimension ω assoiated to p 0(x ) = p(x ) Perform modular redutions on M 0 using diagonal elements M 0 := M 0 M 0 R, U 0 := LLL(M 0) M0 R := U 0 M 0 α := 0 Construt lower triangular Pasal Matrix P while First polynomial in Mα R does not provide the solution x 0 do M α+1 := Mα R P Mα+1 R := LLL( M α+1) α := α + 1 end while x 0 := X α + x 0 return x 0 this approah is heuristi Indeed, in order to prove the onsisteny of trunation method in Setion 3, two lemmas (Lemma 2 and 3) were required In our ase, one annot apply those lemmas straightforwardly sine matrix M i+1 does not have the same properties as matrix M 0 (onsidered in Setion 3) However, in order to justify our method, we will assume the following assumption that is onfirmed in pratie Assumption 1 a) We denote by M i+1 the matrix where the elements are the integer quotients of elements in M i+1 by One has the following bounds on the determinant of M i+1 for all i: 1 2 1/ω det M i+1 ω det M i+1 2 1/ω det M i+1 ω b) For all i, the matrix norm of ( M i+1 ) 1 is upper-bounded as follows: ( M i+1 ) 1 < 1 ω X ω β, where β is a parameter that lies between 0 and 1, as disussed in the sequel Disussion on Assumption 1a: For the first matrix M 0, one an say that det M 0 det M 0 / ω sine M 0 is upper triangular (see Lemma 2) However for i 0, matrix M i+1 is not triangular, and the trunation by ould have a onsiderable effet on the determinant of M i+1 Yet, we emphasize in Assumption 1a that the trunation by affets M i+1 and M 0 in a quasi-similar way regarding determinants Disussion on Assumption 1b: In pratie, one an see that elements in the LLL-redued matrix Mi R are balaned Based on this fat, one aknowledges that the smallest element in matrix M i+1 lies in the last olumn Indeed, the produt Mi R by P affets and inreases the bit-size of elements in all olumns of Mi R apart from the last one that remains untouhed sine last olumn of P is (0, 0,, 0, 1) T Moreover, using Coppersmith s matries properties, one knows

14 14 that elements in last olumn of Mi R are all divisible by X ω 1 Therefore, the smallest element in M i+1 is larger than X ω 1 As a onsequene, one an expet that elements in ( M i+1 ) 1 are likely to be smaller than a value lose to 1/X ω 1 In pratie, the elements are far smaller than 1/X ω 1 and the bound is rather 1/(ω X ω β ) where 0 < β 1 In Assumption 1b, the value β is left unspeified We will see in Setion 5 a suitable instantiation of the parameter β Under Assumption 1a, by taking ( det M i+1 ) 1/ω /2 1/ω2, we have det M i+1 > 0 and the trunated matrix M i+1 remains invertible As before, one applies LLL on M i+1 We obtain an LLL-redued matrix M i+1 R We denote by U i+1 the unimodular matrix suh that U i+1 M i+1 = M i+1 R Thus, one needs to justify the following proposition whih enlightens that applying the unimodular matrix U i+1 to the matrix M i+1 gives an LLL-redued matrix Mi+1 R In partiular, under Assumption 1, for α = α 0 one gives a norm upper-bound on the the first vetor Mα R 0 [1] resulting from the appliation of the unimodular matrix U α0 to the matrix M α0 Proposition 5 Let M α0 be suh that M Mα0 α0 = and U α0 be the unimodular matrix suh that U α0 M α0 = M α R 0 Under Assumption 1, by multiplying matrix U α0 with matrix M α0, the first vetor of the resulting matrix Mα R 0 has a norm bounded by ) 2 (ω 1) ω 2 X (ω 1)/2 N (1 δ l (l+1)/(2δl+2) + X ω β Proof If we follow the proof of Proposition 1 until equation (4), one gets the following relation: U α0 Mα0 = M R α 0 + M R α 0 ( M α 0 ) 1 R α0 (8) Sine Pasal matrix P has determinant equal to 1, and sine the LLL-redution of a matrix does not hange the absolute value of its determinant we have: det M R α 0 = det M α0 = det M α = det M 0 (9) Furthermore, using Assumption 1a and relation (9) one gets: det M R α 0 21/ω det M R α 0 ω 21/ω det M 0 ω As a onsequene, the first vetor M R α0 [1] has a norm bounded by: M R α 0 [1] 2 (ω 1)/4 det M R α 0 1/ω 2 (ω 1)/4 21/ω2 (det M 0 ) 1/ω Sine the determinant of M 0 ie equal to X (ω 1)/2 N δ l (l+1)/(2δl+2), one gets: M R α 0 [1] 2(1/ω2 )+(ω 1)/4 X (ω 1)/2 N δ l (l+1)/(2δl+2)

15 Combining relation (8) with previous inequality, and using the triangular inequality, one has the following: ( U α0 [1] M α0 = Mα R 0 [1] 2 (ω 1) ω 2 X (ω 1)/2 N δ l (l+1)/(2δl+2) 1 + ( M ) α 0 ) 1 R α0 As the norm of matrix R α0 is upper-bounded by ω, and again, using the triangular inequality, one obtains ( Mα R 0 [1] 2 (ω 1) ω 2 X (ω 1)/2 N δ l (l+1)/(2δl+2) 1 + ω ( M ) α 0 ) 1 Furthermore, using Assumption 1b one has ( M α 0 ) 1 ω X ω β Finally, one gets ) Mα R 0 [1] 2 (ω 1) ω 2 X (ω 1)/2 N (1 δ l (l+1)/(2δl+2) + X ω β whih onludes the proof As explained earlier, one has to find a trade-off for the value whih allows to find, with redued-omplexity, a short vetor bounded by N l / ω Ideally, one would like to hold a value so that the orresponding bound on X remains the same as before, ie X < N 1/δ 1/ω In the following, we show that taking = X ω β is a good trade-off Proposition 6 Let M α0 be suh that M α0 = Mα0 with = X ω β, 0 < β 1 and U α0 be the unimodular matrix suh that U α0 M α0 = M R α 0 Under Assumption 1, by multiplying matrix U α0 with matrix M α0, the first vetor of the resulting matrix M R α 0 has a norm bounded by N l / ω for X < N 1/δ 1/ω Proof By taking = X ω β and using Proposition 5, one gets the bound M R α 0 [1] 2 (ω 1) ω 2 +1 X (ω 1)/2 N δ l (l+1)/(2δl+2) From the ondition M R α 0 [1] N l / ω, one gets a relation whih indues a bound for X: 2 (ω+3) ω 2 X (ω 1)/2 N δ l (l+1)/(2δl+2) N l ω 15 The fators ω and 2 (ω+3) ω 2 may, as in Setion 2, be omitted sine they have little effet on subsequent bound As a onsequene, performing the same alulations as in Setion 2 allows to retrieve the bound X < N 1/δ 1/ω Therefore, when onsidering a solution x 0 bounded by X < N 1/δ 1/ω, the first vetor obtained by applying the unimodular matrix U α0 to the matrix M α0, has a norm bounded by N l / ω

16 16 Sine this first vetor has a norm bounded by N l / ω, the orresponding polynomial h is suh that h(x 0 ) = 0 over integers Therefore, one an solve it and retrieve the solution x 0 As a onsequene, eah LLL-redution applied to matrix M i+1 in while loop of Algorithm 2 an be performed on a trunated matrix M i+1, with = X ω β It results in Algorithm 3 Algorithm 3 Solving p(x) with exhaustive searh on α and variant of Coppersmith s Algorithm Input: Equation p(x) 0 mod N, upper-bound X on x 0, dimension ω, divisors 1 := Xω ω and 2 := X ω β Construt Coppersmith matrix M 0 of dimension ω assoiated to p 0(x ) = p(x ) Perform modular redutions on M 0 using diagonal elements M 0 := M0 1 M 0 R, U 0 := LLL(M 0) M0 R := U 0 M 0 α := 0 Construt lower triangular Pasal Matrix P while First polynomial in Mα R does not provide the solution x 0 do M α+1 := M α R P M α+1 Mα+1 := 2 M R α+1, U α+1 := LLL( M α+1) M R α+1 := U α+1 Mα+1 α := α + 1 end while x 0 := X α + x 0 return x 0 5 Experimental results We have implemented the methods using Howgrave-Graham s variant, on Magma Software V219-5 for N being 1024-bit and 2048-bit moduli We used polynomials of the form p(x) = x 2 + ax + b 0 mod N with degree δ = 2 Aording to Coppersmith s Theorem (see Setion 2), one an retrieve the solution x 0 if x 0 < X = N 1/2 More preisely, Coppersmith s method allows to find the solution x 0 if x 0 < X = N 1/2 1/ω We have performed several tests depending on the dimension ω Results are depited in Table 1 for the ase log 2 (N) = 1024 and in Table 2 for the ase log 2 (N) = 2048 In both tables, the bit-size of Coppersmith s theoreti upperbound X = N 1/2 is given in last olumn We have noted the bit-size of the bound X assoiated to a dimension ω for whih the solution x 0 is found in pratie We give orresponding timings for different appliations: Time for LLL exeution on original Coppersmith s matrix M 0 (never performed in our method) Time for LLL exeution on trunated Coppersmith s matrix (applied to redue M 0 only) Time for LLL exeution on trunated quasi LLL-redued matrix (applied on M i for i = 1,, α 0 during exhaustive searh) Time for the multipliation with the unimodular matrix (U i M i performed for i = 1,, α 0 during exhaustive searh after eah LLL-omputation of matrix M i)

17 We hoose to set the divisor 2 to the value X ω (1/δ), ie to set the parameter β to 1/δ Experimentally, we onjeture that it is a good trade off (see disussion on Table 4) It is worth notiing that sine the value is not signifiant in itself, one an trunate matries at negligible ost by taking := 2 log 2 () and performing shifts of log 2 () bits 17 Table 1 Timings (in seonds if not speified) as a funtion of the dimension for log 2 (N) = 1024 log 2 (X ) log 2 (X) = 512 Dimension N/A Original Method New Method LLL (M 0) N/A Total Timing (days) 1286 d 267 d 168 d 139 d 131 d 169 d N/A Trunated LLL (M 0) N/A Trunated Exhaus LLL ( M i) N/A Multipliation Unimodular N/A Total Timing (hours) 233 h 36 h 21 h 16 h 12 h 19 h N/A Table 2 Timings (in seonds if not speified) as a funtion of the dimension for log 2 (N) = 2048 log 2 (X ) log 2 (X) = 1024 Dimension N/A Original Method New Method LLL (M 0) N/A Total Timing (years) 5584 y 538 y 236 y 102 y 79 y 82 y N/A Trunated LLL (M 0) N/A Trunated Exhaus LLL ( M i) N/A Multipliation Unimodular N/A Total Timing (days) 3355 d 267 d 117 d 37 d 26 d 28 d N/A As depited in Tables 1 and 2, by inreasing the dimension, one an retrieve solutions x 0 that get ever loser to X = N 1/2 However, beyond a ertain point, it is not profitable to inrease the dimension sine an exhaustive searh would end up faster In our ase, the best dimension to use is depited in bold on both tables Indeed, one an see that using a larger dimension allows to find a solution whih is one bit longer only, for LLL-exeutions that take more than twie as muh time As a onsequene, for log 2 (N) = 1024, the best trade-off is to use latties of dimension 77, and perform an exhaustive searh on = 8 bits The exhaustive searh then takes (2 8 1)( ) 12 hours, whih is about 262 times faster than the original method whih takes days More generally, performing a single LLL-exeution takes 150 seonds when trunating the matrix, ompared to 4332 seonds using the original method In the same way, for log 2 (N) = 2048, the best trade-

18 18 off is to use latties of dimension 91, and perform an exhaustive searh on = 12 bits The exhaustive searh then takes (2 12 1)( ) 26 days, whih is about 1109 times faster than the original method whih takes years More generally, performing a single LLL-exeution takes 1200 seonds when trunating the matrix, ompared to seonds using the original method As depited in Table 3, the larger the modulus N, the more signifiant the speed-up Table 3 Global exhaustive searh timing using original/new methods for log 2 (N) = 1024 and 2048 log 2 (N) = 512 log 2 (N) = 1024 log 2 (N) = 1536 log 2 (N) = 2048 Original method 47 minutes 131 days 1085 days 79 years New method 52 seonds 12 hours 52 hours 26 days Speed up Furthermore, we emphasize that Assumption 1 is onfirmed in 100% of the ases in pratie We give in Table 4, bounds afforded in Assumption 1 and bounds obtained in pratie, for the ase log 2 (N) = 1024 and ω = 77 One an see that pratial bounds are always ontained within hypothetial bounds More preisely, for Assumption 1a, there is a fator 2 22 between pratial and hypothetial bounds The fator is more onsiderable for Assumption 1b, where it is up to This indues that one ould use a larger value for 2 (ie a smaller value for β) However, experimental tests yield that the benefit would remain small Table 4 Bounds obtained in Assumption 1 and in pratie (100% of ases) for log 2 (N) = 1024 and ω = 77 Assumption Pratie Assumption 1a: ω det M i+1 det M i+1 [ ω, 2 ω ] [2 99, 2 99 ] Assumption 1b: ( M i+1) 1 X ω (1/δ) 1 ω Eventually, in order to visualize what happens in pratie, we have depited in Figures 1 and 2 the norm of eah row vetors in different matries for the ase log 2 (N) = 1024 with dimension ω = 77 In Figure 1, we give the norm of eah row vetor in the original Coppersmith s matrix M 0 and in the redued matrix M0 R Namely, the norm of vetors in M 0 (resp in M0 R) lies between and (resp between and ) We reall that matrix M 0 is never redued in our method In Figure 2, we give the norm of eah row vetor in four different matries that are proessed in our method: the first trunated matrix M 0, the redued matrix M 0 R, the next trunated matries M i and the redued matries M i R One an see that elements of all four matries are far smaller than elements in original matries (Figure 1) The vetors norm lies around in M 0 (resp around 2700 in M 0 R ) and it ranges up to in M i (resp to in M i R ) It is worth noting that elements in matrix M i are smaller than the ones in M 0 R beause the divisor is taken larger for the ase α > 0 (ie we take 2 > 1 ) It is also interesting to notie that elements in M i are lose to elements in M R i

19 19 This allows to illustrate part of Proposition 4 whih yields that matrix already M i is almost redued Redued Coppersmith Matrix M R 0 Original Coppersmith Matrix M Redued Trunated Matrix M R i Trunated Matrix M i Redued Trunated Matrix M R 0 Trunated Matrix M 0 log2 of vetors norm log2 of vetors norm Index of vetor Index of vetor Fig 1 Norm of vetors in Original Method Fig 2 Norm of vetors in New Method 6 Conlusion This artile brings two improvements that allow to redue time to find small solutions to polynomial equations In a first stage, we show that it is not neessary to apply LLL on the original Coppersmith s matrix, but onsidering a matrix where elements are trunated is suffiient This allows to divide the asymptoti omplexity of the method by a fator O(log 2 N) using the L 2 algorithm In a seond phase, we exhibit a new approah to arry out the exhaustive searh It enables to onsiderably speed up its proessing Experimental results yield that some omputations that were ompletely prohibitive with the original approah are made ahievable Referenes 1 D Coppersmith Finding a small root of a univariate modular equation In Maurer [11], pages Howgrave-Graham Finding small roots of univariate modular equations revisited In Cryptography and Coding, 1355/1997: , AK Lenstra, HW Lenstra, and L Lovasz Fatoring Polynomials with rational oeffiients Math Ann, pages , P Nguyen and D Stehlé Floating-point LLL revisited In R Cramer, editor, Advanes in Cryptology EUROCRYPT 2005, volume 3494 of LNCS, pages Springer, P Novoin, D Stehlé, and G Villard An LLL-Redution Algorithm with Quasi-linear Time Complexity In Symposium on Theory of Computing, D Coppersmith Finding a small root of a bivariate integer equation; fatoring with high bits known In Maurer [11], pages D Boneh, G Durfee, and NA Howgrave-Graham Fatoring N = p r q for large r In MJ Wiener, editor, Advanes in Cryptology CRYPTO 99, volume 1666 of LNCS Springer, É Brier, C Clavier, J-S Coron, and D Naahe Cryptanalysis of RSA Signatures with Fixed-Pattern Padding In J Kilian, editor, Advanes in Cryptology CRYPTO 2001, volume 2139 of LNCS, pages Springer, 2001

20 20 9 D Bleihenbaher and A May New attaks on RSA with Small Seret CRT-Exponents In Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors, Publi Key Cryptography PKC 2006, volume 3958 of LNCS Springer, D Boneh and G Durfee Cryptanalysis of RSA with private key d less than N In J Stern, editor, Advanes in Cryptology EUROCRYPT 99, volume 1592 of LNCS Springer, U Maurer, editor Advanes in Cryptology EUROCRYPT 96, volume 1070 of LNCS Springer, 1996 A Proof of Lemma 3 Proof We denote by M i,j 1 (resp M i,j ) the element in M (resp M 1 ) situated at the i-th row and j-th olumn We start by showing that, for all i suh that 2 i ω, we have the inequality M 1 < M (10) Indeed, from the relation M 1 M = Id and sine both matries are lower triangular, one an write the following equation: M 1 1 M i 1,i 1 + M 1 M 1 = 0 Therefore one has M 1 M 1 1 = M i 1,i 1 M 1 (11) Moreover, sine the first step of the method onsisted of suessive modular redutions with diagonal elements of M, in a given olumn, all elements are smaller than the diagonal element Besides, the same is true for M Therefore, for all j > i one has the relation 0 M j,i < M, or equivalently, 0 M j,i M < 1 (12) Therefore, ombining (11) and (12), one gets the relation M 1 < M 1 leads to (10) M 1 M i 1,i 1 0 whih We now show by reurrene on j that, for all i suh that 3 i ω and for all j suh that j i 2, one has the following relation: 2 i j 2 M 1 < M 1 i,j < 2 i j 2 M 1 (13) Base ase: For j = i 2, one would like to show that M 1 < M 1 2 < M 1 (14) From the relation M 1 M = Id and sine both matries are lower triangular, one an write the following equation: M 1 2 M i 2,i 2 + M 1 1 M i 1,i 2 + M 1 M 2 = 0

21 21 Therefore one has the relation 1 M i 1,i 2 M 1 M 2 1 = M i 2,i 2 M 1 M 2 M i 2,i 2 Moreover, using (10) and (12), one gets and from (12) one gets 0 M 1 1 M i 1,i 2 M i 2,i 2 M 1 M i 2,i 2 < M 1, < M 1 M 2 0 Therefore, umulating these two inequalities, one retrieves relation (14) Indutive step: We assume that j i 2 and that the following relation is true for all k suh that j + 1 k i 2 We show that (13) is onfirmed when k = j 2 i k 2 M 1 < M 1 i,k < 2i k 2 M 1 (15) Using the fat that M 1 M = Id, one an write the following equation: M 1 i,j M j,j+m 1 i,j+1 M j+1,j+m 1 i,j+2 M j+2,j + + M 1 2 M i 2,j+M 1 1 M i 1,j+M 1 M i,j = 0 Therefore one has i,j = M i,j+1 1 M j+1,j M 1 + M 1 i,j+2 M j+2,j M j,j + + M 2 1 M i 2,j + M 1 1 M i 1,j + M 1 M i,j M j,j M j,j M j,j M j,j (16) Following the same argumentation as for the base ase, one dedues a relation for the last two elements in (16): M 1 < M 1 1 M i 1,j M j,j + M 1 M j,j M i,j < M 1 (17) Moreover, the assumption (15) is separately appliable to all the other elements in (16), whih gives: u=i j 3 ( u=0 2 u ) M 1 < M i,j+1 1 M j+1,j M j,j + + M 1 2 M i 2,j M j,j u=i j 3 < ( 2 u ) M 1 (18) Eventually, from (17) and (18), one gets the relation (13), whih onludes the indutive proof of relation (13) Sine the value j that maximize bounds in (13) is j = 0, one has the relation u=0 2 i 2 M 1 < M 1 i,j < 2 i 2 M 1 (19)

22 22 Furthermore, sine M is triangular, one gets for all i ω M 1 = 1 M Besides, the smallest diagonal element in M is M ω,ω = Xδ l Consequently the largest element in M 1 is met for i = ω and is equal to M 1 ω,ω = Therefore, using (19) and (20) one gets the following relation Eventually, one gets the final bound (20) Xδ l 2ω 2 X δ l < M i,j 1 < 2ω 2 X δ l (21) whih onludes the proof M 1 < ω 2ω 2 X δ l,