Menu
Home Explore People Places Arts History Plants & Animals Science Life & Culture Technology
On this page
Coppersmith method

The Coppersmith method, proposed by Don Coppersmith, is a method to find small integer zeroes of univariate or bivariate polynomials, or their small zeroes modulo a given integer. The method uses the Lenstra–Lenstra–Lovász lattice basis reduction algorithm (LLL) to find a polynomial that has the same zeroes as the target polynomial but smaller coefficients.

In cryptography, the Coppersmith method is mainly used in attacks on RSA when parts of the secret key are known and forms a base for Coppersmith's attack.

We don't have any images related to Coppersmith method yet.
We don't have any YouTube videos related to Coppersmith method yet.
We don't have any PDF documents related to Coppersmith method yet.
We don't have any Books related to Coppersmith method yet.
We don't have any archived web articles related to Coppersmith method yet.

Approach

Coppersmith's approach is a reduction of solving modular polynomial equations to solving polynomials over the integers.

Let F ( x ) = x n + a n − 1 x n − 1 + … + a 1 x + a 0 {\displaystyle F(x)=x^{n}+a_{n-1}x^{n-1}+\ldots +a_{1}x+a_{0}} and assume that F ( x 0 ) ≡ 0 ( mod M ) {\displaystyle F(x_{0})\equiv 0{\pmod {M}}} for some integer | x 0 | < M 1 / n {\displaystyle |x_{0}|<M^{1/n}} . Coppersmith’s algorithm can be used to find this integer solution x 0 {\displaystyle x_{0}} .

Finding roots over Q is easy using, e.g., Newton's method, but such an algorithm does not work modulo a composite number M. The idea behind Coppersmith’s method is to find a different polynomial f related to F that has the same root x 0 {\displaystyle x_{0}} modulo M, but has only small coefficients. If the coefficients and x 0 {\displaystyle x_{0}} are small enough that | f ( x 0 ) | < M {\displaystyle |f(x_{0})|<M} over the integers, then we have f ( x 0 ) = 0 {\displaystyle f(x_{0})=0} , so that x 0 {\displaystyle x_{0}} is a root of f over Q and can be found easily. More generally, we can find a polynomial f ( x ) {\displaystyle f(x)} with the same root x 0 {\displaystyle x_{0}} modulo some power M a {\displaystyle M^{a}} of M, satisfying | f ( x 0 ) | < M a {\displaystyle |f(x_{0})|<M^{a}} , and solve for x 0 {\displaystyle x_{0}} as above.

Coppersmith's algorithm uses the Lenstra–Lenstra–Lovász lattice basis reduction algorithm (LLL) to construct the polynomial f with small coefficients. Given F, the algorithm constructs polynomials p 1 ( x ) , p 2 ( x ) , … , p n ( x ) {\displaystyle p_{1}(x),p_{2}(x),\dots ,p_{n}(x)} that all have the same root x 0 {\displaystyle x_{0}} modulo M a {\displaystyle M^{a}} , where a is some integer chosen based on the degree of F and the size of x 0 {\displaystyle x_{0}} . Any linear combination of these polynomials also has x 0 {\displaystyle x_{0}} as a root modulo M a {\displaystyle M^{a}} .

The next step is to use the LLL algorithm to construct a linear combination f ( x ) = ∑ c i p i ( x ) {\displaystyle f(x)=\sum c_{i}p_{i}(x)} of the p i ( x ) {\displaystyle p_{i}(x)} so that the inequality | f ( x 0 ) | < M a {\displaystyle |f(x_{0})|<M^{a}} holds. Now standard factorization methods can calculate the zeroes of f ( x ) {\displaystyle f(x)} over the integers.

Implementations

Coppersmith's method for univariate polynomials is implemented in

  • Magma as the function SmallRoots;
  • PARI/GP as the function zncoppersmith;
  • SageMath as the method small_roots.