Coppersmith method explained

The Coppersmith method, proposed by Don Coppersmith, is a method to find small integer zeroes of univariate or bivariate polynomials modulo a given integer. The method uses the Lenstra–Lenstra–Lovász lattice basis reduction algorithm (LLL) to find a polynomial that has the same zeroes as the target polynomial but smaller coefficients.

In cryptography, the Coppersmith method is mainly used in attacks on RSA when parts of the secret key are known and forms a base for Coppersmith's attack.

Approach

Coppersmith's approach is a reduction of solving modular polynomial equations to solving polynomials over the integers.

Let

F(x)=

	n+a
x
	n-1

x^n-1+\ldots+a_1x+a₀

and assume that

F(x_0)\equiv0\pmod{M}

for someinteger

|x_0|<M^1/n

.Coppersmith’s algorithm can be used to find this integer solution

x₀

Finding roots over is easy using, e.g., Newton's method, but such an algorithm does not work modulo a composite number . The idea behind Coppersmith’s method is to find a different polynomial related to that has the same root

x₀

modulo, but has only small coefficients. If the coefficients and

x₀

are small enough that

|f(x_0)|<M

over the integers, then we have

f(x₀₎=0

, so that

x₀

is a root of over and can be found easily. More generally, we can find a polynomial

f(x)

with the same root

x₀

modulo some power

M^a

of, satisfying

|f(x_0)|<M^a

, and solve for

x₀

as above.

Coppersmith's algorithm uses the Lenstra–Lenstra–Lovász lattice basis reduction algorithm (LLL) to construct the polynomial with small coefficients.Given, the algorithm constructs polynomials

p_1(x),p_2(x),...,p_n(x)

that all have the same root

x₀

modulo

M^a

, where is some integer chosen based on the degree of and the size of

x₀

.Any linear combination of these polynomials also has

x₀

as a root modulo

M^a

The next step is to use the LLL algorithm to construct a linear combination

f(x)=\sumc_ip_i(x)

of the

p_i(x)

so that the inequality

|f(x_0)|<M^a

holds.Now standard factorization methods can calculate the zeroes of

f(x)

over the integers.

Implementations

Coppersmith's method for univariate polynomials is implemented in

Magma as the function SmallRoots;
PARI/GP as the function zncoppersmith;
SageMath as the method small_roots.

References

Book: Coppersmith, D.. Advances in Cryptology — EUROCRYPT '96 . Finding a Small Root of a Univariate Modular Equation . Lecture Notes in Computer Science . 1070 . 155–165 . 1996 . 10.1007/3-540-68339-9_14. 978-3-540-61186-8 . free .
Book: Coppersmith, D. . Advances in Cryptology — EUROCRYPT '96 . Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known . Lecture Notes in Computer Science . 1070 . 178–189 . 1996 . 10.1007/3-540-68339-9_16. 978-3-540-61186-8 . free .
Book: Coron, J. S. . Advances in Cryptology - EUROCRYPT 2004 . Finding Small Roots of Bivariate Integer Polynomial Equations Revisited . Lecture Notes in Computer Science . 2004 . 3027. 492–505 . 10.1007/978-3-540-24676-3_29 . 978-3-540-21935-4 . https://iacr.org/archive/eurocrypt2004/30270487/bivariate.pdf.
Book: A. . Bauer . A. . Joux . Advances in Cryptology - EUROCRYPT 2007 . Toward a Rigorous Variation of Coppersmith's Algorithm on Three Variables . Lecture Notes in Computer Science . Antoine Joux . 4515 . 2007 . 361–378 . 10.1007/978-3-540-72540-4_21 . 978-3-540-72539-8 . free .
Book: Coron, J. S. . Advances in Cryptology - CRYPTO 2007 . Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach . Lecture Notes in Computer Science . 2007 . 4622 . 379–394 . 10.1007/978-3-540-74143-5_21 . 978-3-540-74142-8 . https://iacr.org/archive/crypto2007/46220372/46220372.pdf.