TL;DR: Extensive experiments with Coppersmith's lattice reduction method are presented, and various trade-offs together with practical improvements are discussed, indicating that one should be very cautious when using the low-exponent RSA encryption scheme, or one should use larger exponents.
Abstract: At Eurocrypt '96, Coppersmith presented a novel application of lattice reduction to find small roots of a univariate modular polynomial equation. This led to rigorous polynomial attacks against RSA with low public exponent, in some particular settings such as encryption of stereotyped messages, random padding, or broadcast applications à la Håstad. Theoretically, these are the most powerful known attacks against low-exponent RSA. However, the practical behavior of Coppersmith's method was unclear. On the one hand, the method requires reductions of high-dimensional lattices with huge entries, which could be out of reach. On the other hand, it is well known that lattice reduction algorithms output better results than theoretically expected, which might allow better bounds than those given by Coppersmith's theorems. In this paper, we present extensive experiments with Coppersmith's method, and discuss various trade-offs together with practical improvements. Overall, practice meets theory. The warning is clear: one should be very cautious when using the low-exponent RSA encryption scheme, or one should use larger exponents.
TL;DR: This work shows that the RSA public key system is insecure if $\delta < 1 - \alpha/2$, and its result is deterministic polynomial time and an extension of Coppersmith's result on a factorization.
Abstract: Let $(n = pq, e)$ be an RSA public key with private exponent $d = n^{\delta}$, where $p$ and $q$ are large primes of the same bit size. Suppose that $p_0 \geq \sqrt{n}$ is an approximation of $p$ with $|p - p_0| \leq \frac{1}{8} n^{\alpha}$, $\alpha \leq \frac{1}{2}$. Using continued fractions, we show that the system is insecure if $\delta < 1 - \alpha/2$. Our result is deterministic polynomial time and an extension of Coppersmith's result on a factorization.
TL;DR: A generalized version of the index calculus method for the discrete logarithm problem in $\mathbb{F}_q$, when $q = p^n$, $p$ is a small prime and $n \to \infty$, is studied, showing that the best upper limit for the interval coincides with the one for the original version.
Abstract: We study a generalized version of the index calculus method for the discrete logarithm problem in $\mathbb{F}_q$, when $q = p^n$, $p$ is a small prime and $n \to \infty$. The database consists of the logarithms of all irreducible polynomials of degree between given bounds; the original version of the algorithm uses a lower bound equal to one. We show theoretically that the algorithm has the same asymptotic running time as the original version. The analysis shows that the best upper limit for the interval coincides with the one for the original version. The lower limit for the interval remains a free variable of the process. We provide experimental results that indicate practical values for that bound. We also give heuristic arguments for the running time of the Waterloo variant and of the Coppersmith method with our generalized database.
TL;DR: An algorithm that recovers a decomposition of an integer $N$ as a sum of two squares from an approximation to one of the summands, based on Coppersmith's linearization technique, which allows approximation errors up to $N^{1/4}$.