Binary Independence Model: Difference between revisions
en>Lezhao |
en>Addbot m Bot: Migrating 1 interwiki links, now provided by Wikidata on d:q3531721 |
||
Line 1: | Line 1: | ||
{{Multiple issues|cleanup =January 2010|refimprove =January 2010| | |||
{{expert-subject|Mathematics|date=January 2010}} | |||
}} | |||
The '''Coppersmith method''', proposed by [[Don Coppersmith]], is a method to find small integer [[Root of a function|roots]] of [[polynomial]] equations. These polynomials can be univariate or bivariate. In [[cryptography]] the algorithm is mainly used in attacks on [[RSA (algorithm)|RSA]] when parts of the [[public key cryptography|secret key]] are known. | |||
The method uses the [[LLL algorithm]] <ref>Lattice Basis Reduction Algorithms (http://www.farcaster.com/papers/sm-thesis/node7.html)</ref> to find a | |||
polynomial that has the roots of the target polynomial as roots and has small coefficients. | |||
Coppersmith’s method is based on lattice reduction. A [[lattice (group)|lattice]] ''L'' is a subgroup of <math>\mathbf{R}^n</math>. | |||
Also there exists a ''k'' such that <math>L = \mathbf{Z}b_1\oplus \ldots \oplus \mathbf{Z}b_k</math>, where | |||
<math>B=(b_1,b_2,\ldots ,b_k)</math> is a basis of ''L''. The LLL algorithm computes a basis | |||
<math>(b_1^*,b_2^*,\dots ,b_k^*)</math> of short vectors. | |||
If ''k=n'', the determinant of the lattice is given by det(''L'')=det(''B''); in general <math>\mathrm{det}(L)\le \prod||b_i^*||</math>. | |||
For any LLL reduced basis <math>(b_1^*,b_2^*,\dots ,b_k^*)</math> it holds that | |||
<math>||b_k^*||\ge (\mathrm{det}(L))^{1/k}\cdot 2^{(1-k)/4}</math>, see.<ref>A. Bauer and A. Joux, Toward a Rigorous Variation of Coppersmith’s Algorithm on Three Variables, Springer, LNCS 4515, 2007</ref> | |||
Let <math>F(x) = x^n+a_{n-1}x^{n-1}+\ldots +a_1x+a_0</math> and assume that <math>F(x_0)\equiv 0 \mod M</math> for some | |||
integer <math>|x_0|< M^{1/n}</math>. | |||
Coppersmith’s algorithm can be used to find this integer solution <math>x_0</math>. | |||
Finding roots over '''Q''' is easy using e.g. [[Newton's method]] but these algorithms do not work modulo a composite number ''M''. The idea behind Coppersmith’s method is to find a different polynomial <math>F_2</math> related to ''F'' that has the same <math>x_0</math> as a solution and has only small coefficients. If the coefficients and <math>x_0</math> are so small that <math>F_2(x_0) < M</math> over the integers, then | |||
<math>x_0</math> is a root of ''F'' over '''Q''' and can easily be found. | |||
==How to find small roots using Coppersmith's method== | |||
Coppersmith’s approach is a reduction of solving modular polynomial equations to solving polynomials over the integers. | |||
Coppersmith's algorithm uses LLL to construct the polynomial <math>F_2</math> with small coefficients. | |||
Given ''F'', the algorithm constructs polynomials <math>p_1(x),p_2(x),\dots ,p_n(x)</math> that have the same <math>x_0</math> as root modulo <math>M^a</math>, where ''a'' is some integer chosen dependent on the degree of ''F'' and the size of <math>x_0</math>. | |||
Any linear combination of these polynomials has <math>x_0</math> as root modulo <math>M^a</math>. | |||
The next step is to use the LLL algorithm to construct a linear combination <math>F_2(x)=\sum c_ip_i(x)</math> | |||
of the <math>p_i</math> so that the inequality <math>|F_2(x)| < M^a</math> holds. | |||
Now standard factorization methods can calculate the roots of <math>F_2(x)</math> over the integers. | |||
==See also== | |||
[[Coppersmith's Attack]] | |||
==References== | |||
<references/> | |||
{{DEFAULTSORT:Coppersmith Method}} | |||
[[Category:Asymmetric-key algorithms]] |
Revision as of 01:34, 21 March 2013
The Coppersmith method, proposed by Don Coppersmith, is a method to find small integer roots of polynomial equations. These polynomials can be univariate or bivariate. In cryptography the algorithm is mainly used in attacks on RSA when parts of the secret key are known.
The method uses the LLL algorithm [1] to find a polynomial that has the roots of the target polynomial as roots and has small coefficients.
Coppersmith’s method is based on lattice reduction. A lattice L is a subgroup of . Also there exists a k such that , where is a basis of L. The LLL algorithm computes a basis of short vectors. If k=n, the determinant of the lattice is given by det(L)=det(B); in general .
For any LLL reduced basis it holds that , see.[2]
Let and assume that for some integer . Coppersmith’s algorithm can be used to find this integer solution .
Finding roots over Q is easy using e.g. Newton's method but these algorithms do not work modulo a composite number M. The idea behind Coppersmith’s method is to find a different polynomial related to F that has the same as a solution and has only small coefficients. If the coefficients and are so small that over the integers, then is a root of F over Q and can easily be found.
How to find small roots using Coppersmith's method
Coppersmith’s approach is a reduction of solving modular polynomial equations to solving polynomials over the integers. Coppersmith's algorithm uses LLL to construct the polynomial with small coefficients.
Given F, the algorithm constructs polynomials that have the same as root modulo , where a is some integer chosen dependent on the degree of F and the size of . Any linear combination of these polynomials has as root modulo .
The next step is to use the LLL algorithm to construct a linear combination of the so that the inequality holds. Now standard factorization methods can calculate the roots of over the integers.
See also
References
- ↑ Lattice Basis Reduction Algorithms (http://www.farcaster.com/papers/sm-thesis/node7.html)
- ↑ A. Bauer and A. Joux, Toward a Rigorous Variation of Coppersmith’s Algorithm on Three Variables, Springer, LNCS 4515, 2007