Binary Independence Model

Template:Multiple issues

The Coppersmith method, proposed by Don Coppersmith, is a method to find small integer roots of polynomial equations. These polynomials can be univariate or bivariate. In cryptography the algorithm is mainly used in attacks on RSA when parts of the secret key are known.

The method uses the LLL algorithm ^[1] to find a polynomial that has the roots of the target polynomial as roots and has small coefficients.

Coppersmith’s method is based on lattice reduction. A lattice L is a subgroup of ${\displaystyle {\mathbf{R}}^n}$. Also there exists a k such that ${\displaystyle L=\mathbf{Z}{b}_1\oplus \dots \oplus \mathbf{Z}{b}_k}$, where ${\displaystyle B=(b_1,b_2,\dots ,b_k)}$ is a basis of L. The LLL algorithm computes a basis ${\displaystyle (b_1^{*},b_2^{*},\dots ,b_k^{*})}$ of short vectors. If k=n, the determinant of the lattice is given by det(L)=det(B); in general ${\displaystyle \mathrm{d}\mathrm{e}\mathrm{t}(L)\le \prod \left|\right|b_i^{*}\left|\right|}$.

For any LLL reduced basis ${\displaystyle (b_1^{*},b_2^{*},\dots ,b_k^{*})}$ it holds that ${\displaystyle \left|\right|b_k^{*}\left|\right|\ge (\mathrm{d}\mathrm{e}\mathrm{t}(L){)}^{1/k}\cdot 2^{(1-k)/4}}$, see.^[2]

Let ${\displaystyle F(x)=x^n+a_{n-1}{x}^{n-1}+\dots +a_{1}x+a_0}$ and assume that ${\displaystyle F(x_0)\equiv 0modM}$ for some integer ${\displaystyle \left|x_0\right|<M^{1/n}}$. Coppersmith’s algorithm can be used to find this integer solution ${\displaystyle x_0}$.

Finding roots over Q is easy using e.g. Newton's method but these algorithms do not work modulo a composite number M. The idea behind Coppersmith’s method is to find a different polynomial ${\displaystyle F_2}$ related to F that has the same ${\displaystyle x_0}$ as a solution and has only small coefficients. If the coefficients and ${\displaystyle x_0}$ are so small that ${\displaystyle F_2(x_0)<M}$ over the integers, then ${\displaystyle x_0}$ is a root of F over Q and can easily be found.

How to find small roots using Coppersmith's method

Coppersmith’s approach is a reduction of solving modular polynomial equations to solving polynomials over the integers. Coppersmith's algorithm uses LLL to construct the polynomial ${\displaystyle F_2}$ with small coefficients.

Given F, the algorithm constructs polynomials ${\displaystyle p_1(x),p_2(x),\dots ,p_n(x)}$ that have the same ${\displaystyle x_0}$ as root modulo ${\displaystyle M^a}$, where a is some integer chosen dependent on the degree of F and the size of ${\displaystyle x_0}$. Any linear combination of these polynomials has ${\displaystyle x_0}$ as root modulo ${\displaystyle M^a}$.

The next step is to use the LLL algorithm to construct a linear combination ${\displaystyle F_2(x)=\sum c_i{p}_i(x)}$ of the ${\displaystyle p_i}$ so that the inequality ${\displaystyle |F_2(x)|<M^a}$ holds. Now standard factorization methods can calculate the roots of ${\displaystyle F_2(x)}$ over the integers.

See also

Coppersmith's Attack

References