Lattices in Cryptography Lecture 4 Instructor: Chris Peikert

University of Michigan, Fall 2015 Coppersmith, Cryptanalysis Scribe: Jacob Alperin-Sheriff

1 Coppersmith’s Theorem
Today we prove the “full version” of Coppersmith’s Theorem, stated here.
Theorem 1.1. Let N be a positive integer and f (x) ∈ Z[x] be a monic, degree-d polynomial. There is an
algorithm that, given N and f , efficiently (i.e., in time polynomial in the bit length of the inputs) finds all
integers x0 such that f (x0 ) = 0 mod N and |x0 | ≤ B ≈ N 1/d .

In the theorem statement and what follows, for simplicity of analysis we use ≈ to hide factors which are
polynomial in d and N ε for some arbitrarily small constant ε > 0.1 The remainder of this section is dedicated
to the proof of the theorem.
Last time we considered adding multiples of N · xi to f (x), which preserves the roots of f (x) modulo N .
2
But this only let us obtain a bound of B ≈ N 2/d . To do better, we consider higher powers P of f (x) and N .
That is, our strategy will be to use LLL to efficiently find a nonzero polynomial h(x) = i hi xi ∈ Z[x] of
degree at most n = d(m + 1), for some positive integer m to be determined, such that:
1. Any mod-N root of f is a mod-N m root of h, i.e., if f (x0 ) = 0 mod N then h(x0 ) = 0 mod N m .
2. The polynomial h(Bx) is “short,” i.e., its coefficients hi B i are all less than N m /(n + 1) in magnitude.
From the second property it follows that if |x0 | ≤ B, then
X
|h(x0 )| ≤ |hi B i | < N m .
i

Therefore, by the first property, any small mod-N root of f is a root of h(x) over the integers (not modulo
anything). So, having found h(x), we can efficiently factor it over the integers and check whether each of its
small roots is indeed a root of f (x) modulo N .
To construct a lattice basis that lets us find such an h(x), the first helpful insight is that f (x0 ) = 0 mod N
implies f (x0 )k = 0 mod N k for any positive integer k. To create our lattice basis, we define n = d(m + 1)
polynomials gu,v (x) whose mod-N m roots will include all of the mod-N roots of f (x). Concretely,
gu,v (x) = N m−v f (x)v xu for u ∈ {0, . . . , d − 1}, v ∈ {0, . . . , m}.
We use two important facts about these polynomials. First, f (x) is monic and of degree d, so gu,v (x) has
leading coefficient N m−v and is of degree exactly u + vd. Second, if x0 is a mod-N root of f (x), then x0 is
a mod-N m root of gu,v (x) for all u, v, because N m divides N m−v f (x0 )v .
The basis vectors for our lattice are defined by the coefficients of gu,v (Bx) where, as above, B corresponds
to the bound on the absolute value of the roots. Specifically, the basis is B = [b0 , . . . , bn−1 ], where bu+vd
is the coefficient vector of gu,v (Bx) represented as a polynomial in x. Since gu,v (x) is of degree u + vd with
leading coefficient N m−v , and u + vd runs over {0, . . . , n − 1} as u, v run over their respective ranges, the
basis is triangular, with diagonal entries N m−v B u+vd . A simple calculation then reveals that
det(B) = B n(n−1)/2 · N dm(m+1)/2 .

Running the LLL algorithm on B yields a nonzero vector v ∈ L(B) of length

 1/n
kvk ≤ 2(n−1)/2 det(B)1/n = 2(n−1)/2 B n(n−1)/2 · N dm(m+1)/2
≤ (2B)n/2 · N m/2 .
1
This yields a true bound of B = N 1/d−ε , though with more work the theorem can be proved for B = N 1/d .

1
Setting B ≈ (N 1/d )m/(m+1) , which is N 1/d−ε for large enough (but still polynomially bounded) m, we can
ensure that (2B)n/2 < N m/2 /(n + 1) and therefore that kvk < N m /(n + 1), as required. Reading off the
entries of v as the coefficients of h(Bx) yields a satisfactory polynomial h(x).

2 Cryptanalysis of RSA Variants

One of the most interesting applications of Coppersmith’s algorithm is to attack variants of RSA.

2.1 RSA Recap

The RSA function and cryptosystem (named after its inventors Rivest, Shamir and Adleman) is one of the
most widely used public-key encryption and digital signature schemes in practice.
It is important to differentiate between the RSA function and an RSA-based cryptosystem. The RSA
function is defined as follows. Let N = pq, where p and q are distinct very large primes (according to
current security recommendations, they should be at least 1,000 bits each). Let e be a public “encryption
exponent” such that gcd(e, ϕ(N )) = 1, where ϕ(N ) = |Z∗N | = (p − 1)(q − 1) is the totient function. The
RSA function fe,N : Z∗N → Z∗N is defined by the public values (N, e) as follows:

fe,N (x) := xe mod N.

It is conjectured that, given just N, e, and y = fe,N (x) for a uniformly random x ∈ Z∗N , it is computationally
infeasible to find x. However, one can efficiently invert the RSA function using some extra “trapdoor”
information. Let d be the “decryption exponent” defined by e · d = 1 mod ϕ(N ), which is efficiently
computable given the factorization of N . Then the inverse RSA function is defined as
−1
fe,N (y) := y d mod N.

This indeed inverts the function because, for y = fe,N (x) = xe mod N , we have

y d = (xe )d = (xe·d mod ϕ(N ) ) = x mod N,

where the first inequality holds because the order of the group Z∗N is ϕ(N ). It follows that fe,N is a bijection
(also called a permutation) on Z∗N .

2.2 Low-Exponent Attacks

Because exponentiation modulo huge integers is somewhat computationally expensive, many early proposals
advocated using encryption exponents as small as e = 3 with RSA, due to some significant efficiency
benefits.2 For example, using an encryption exponent of the form e = 2k + 1, one can compute xe using
only k + 1 modular multiplications via the standard “repeated squaring” method. Moreover, the basic RSA
function still appears to be hard to invert (on uniformly random y ∈ Z∗N ) for small e.
Like any other deterministic public-key encryption scheme, the RSA function itself is not a secure
cryptosystem. This is because if an attacker had a guess about the message in a ciphertext c (say, because the
number of possible messages was small), it could easily test whether its guess was correct by encrypting the
message and checking whether the resulting ciphertext matched c. Therefore, one needs to use a randomized
2
Note that one cannot use e = 2 (or any other even e) because it is never coprime with ϕ(N ), which is also even.

2
encryption algorithm. The most obvious way to randomize the RSA function is to append some “padding”
of random bits to the end of the message before encrypting. However, devising a secure padding scheme is
quite difficult and subtle, due to the existence of clever attacks using tools like LLL. Here we describe one
such attack: when e is small and the padding is not long enough, the attack efficiently recovers an encrypted
message M given just two encryptions of M with different paddings.3
We start with a simple “related-message attack,” which is interesting in its own right and will also be a key
component of the padding attack. Note that this attack is on the deterministic version of the RSA function.
Lemma 2.1. Let e = 3 and M1 , M2 ∈ Z∗N satisfy M1 = `(M2 ) mod N , where `(x) = ax + b for some
a, b 6= 0 is a known linear function. Then one can efficiently recover M1 , M2 from C1 = M1e mod N and
C2 = M2e mod N (and the other public information N, e, f ).4

Proof. Define polynomials g1 (x) = `(x)e − C1 , g2 (x) = xe − C2 ∈ ZN [x]. Notice that M2 is a root of
both g1 and g2 , and thus (x − M2 ) is a common divisor of g1 and g2 (here is where we need a 6= 0). If it is
in fact the greatest common divisor (i.e., the common divisor of largest degree), then we can find it using
Euclid’s algorithm.5 We show next that (x − M2 ) is indeed the greatest common divisor.
First observe that for any C ∈ Z∗N , the polynomial x3 − C has only one root modulo N , because the
RSA function is a bijection. As a result, we have g2 (x) = x3 − C2 = (x − M2 )(x2 + β1 x + β0 ), where the
quadratic term is irreducible, so gcd(g1 , g2 ) is either (x − M2 ) or g2 . Since b 6= 0, we have that g2 (x) - g1 (x),
and therefore the greatest common divisor is indeed x − M2 .

We now consider a potential padding method: to encrypt a message M , one appends m uniformly random
bits r ∈ {0, 1}m (for some publicly known value of m), and applies the RSA function:

C = fN,e (M kr).

(Upon decryption, the pad bits are ignored.) Mathematically, this corresponds with transforming M to
2m · M + r for uniformly random r ∈ {0, . . . , 2m − 1}. Note that M must be short enough, and m small
enough, so that the result can be interpreted as an element of Z∗N and unambiguously represents M .
The following theorem shows that if the pad length is too short (as determined by the size of e), then it is
possible to efficiently recover the message M from two distinct encryptions of it. Notice that for e = 3, a
pad length of n/9 ≈ 2,000/9 ≈ 222 is large enough to prevent any repeated pad values with overwhelming
probability, yet it stil provides essentially no security.
Theorem 2.2. Let N have bit length n, and let m ≤ bn/e2 c for e = 3 be the bit length of the pad. Given
two encryptions C1 , C2 of the same message M with arbitrary distinct pads r1 , r2 ∈ {0, . . . , 2m − 1}, one
can efficiently recover M .

Proof. We have M1 = 2m · M + r1 and M2 = 2m · M + r2 for some distinct r1 , r2 ∈ {0, . . . , 2m − 1}. We

define two bivariate polynomials g1 (x, y), g2 (x, y) ∈ ZN [x] as

g1 (x, y) = xe − C1 = xe − M1e
g2 (x, y) = (x + y)e − C2 = (x + y)e − M2e
3
In real-life applications it is quite common to encrypt the same message more than once, e.g., via common protocol headers or
retransmission.
4
It turns out that theorem is “usually” true even for e > 3, but there are rare exceptions.
5
Strictly speaking, Euclid’s algorithm would normally require ZN to be a field, which it is not. However, if Euclid’s algorithm
fails in this setting then it reveals the factorization of N as a side effect, which lets us compute the decryption exponent and the
messages.

3
Essentially, x represents the unknown message, and y represents the unknown pads. Since g1 is independent
of y, we have that (x = M1 , y = ?) is a root of g1 for any value of y. Similarly, (x = M1 , y = r2 − r1 ) is a
root of g2 .
To take the next step, we need a concept called the resultant of two polynomials in a variable x, which is
defined as the product of all the differences between their respective roots:
Y
resx (p(x), q(x)) = (x0 − x1 ).
p(x0 )=q(x1 )=0

In our setting, we treat the bivariate polynomials gi (x, y) as polynomials in x whose coefficients are
polynomials in y (i.e., elements of ZN [y]), which is why resx (g1 , g2 ) is a polynomial in y.
We use a few important facts about the resultant. First, it is clear that resx (p(x), q(x)) = 0 when p, q
have a common root. Second, resx (p, q) = det(Sp,q ), where Sp,q is a square (deg p + deg q)-dimensional
matrix called the Sylvester matrix, whose entries are made up of various shifts of the coefficient vectors of p
and q. Therefore, the resultant can be computed efficiently. Finally, in our setting the x-coefficients of g1
are degree-0 polynomials in y, while the x-coefficients of g2 are polynomials of degree at most e in y. By
definition of the Sylvester matrix, the resultant h(y) = resx (g1 , g2 ) has degree at most e2 in y.
2
We claim that ∆ = r2 − r1 6= 0, which has absolute value |∆| ≤ 2m < N 1/e , is a root of the resultant
h(y) = resx (g1 , g2 ). This is because the univariate polynomials g1 (x, ∆) and g2 (x, ∆) have a common root
x = M1 .
Armed with this information, our attack proceeds as follows. We construct the polynomials g1 , g2 , and
compute the resultant h(y) = resx (g1 , g2 ). Then deg(h(y)) ≤ e2 , and we know that h(y) has ∆ = r2 − r1 6=
2
0 as a root modulo N . We run Coppersmith’s algorithm on h(y), and since |∆| ≤ 2m < N 1/e , we get a
polynomial-length list containing ∆. Trying each element of the list as a candidate ∆, we have a known
(candidate) linear function `(x) = x − ∆ such that M1 = `(M2 ), and we can run the related message attack
from Lemma 2.1.6 One of these runs involves the correct value of ∆ and thus reveals M1 , M2 , and we can
confirm which run does so by re-encrypting and checking against C1 , C2 .

The above is just one of countless Coppersmith-style attacks against variants of RSA and problems
related to factoring, such as:

• Small decryption exponent d: so far the best known attack recovers d if it is less than N 0.292 . This
uses a bivariate version of Coppersmith that lacks a rigorous proof of correctness, but seems to work
well in practice. Important open questions are whether d < N 1/2−ε is attackable (the conjecture is
that it should be), and whether there are rigorously provable variants of Coppersmith for bivariate or
multivariate polynomials.
• Partial secret key exposure: when certain bits of d or the factors p, q of N are exposed, it is often
possible to recover them completely.

6
Note that we have rigorously proved Lemma 2.1 only for the case e = 3, but the attack will work as long as the algorithm from
the lemma actually succeeds.