TY - GEN
T1 - Rounding and chaining LLL
T2 - 17th IACR International Conference on Practice and Theory in Public-Key Cryptography, PKC 2014
AU - Bi, Jingguo
AU - Coron, Jean Sébastien
AU - Faugère, Jean Charles
AU - Nguyen, Phong Q.
AU - Renault, Guénaël
AU - Zeitoun, Rina
PY - 2014/1/1
Y1 - 2014/1/1
N2 - In a seminal work at EUROCRYPT '96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in public-key cryptanalysis and in a few security proofs. However, the running time of the algorithm is a high-degree polynomial, which limits experiments: the bottleneck is an LLL reduction of a high-dimensional matrix with extra-large coefficients. We present in this paper the first significant speedups over Coppersmith's algorithm. The first speedup is based on a special property of the matrices used by Coppersmith's algorithm, which allows us to provably speed up the LLL reduction by rounding, and which can also be used to improve the complexity analysis of Coppersmith's original algorithm. The exact speedup depends on the LLL algorithm used: for instance, the speedup is asymptotically quadratic in the bit-size of the small-root bound if one uses the Nguyen-Stehlé L 2 algorithm. The second speedup is heuristic and applies whenever one wants to enlarge the root size of Coppersmith's algorithm by exhaustive search. Instead of performing several LLL reductions independently, we exploit hidden relationships between these matrices so that the LLL reductions can be somewhat chained to decrease the global running time. When both speedups are combined, the new algorithm is in practice hundreds of times faster for typical parameters.
AB - In a seminal work at EUROCRYPT '96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in public-key cryptanalysis and in a few security proofs. However, the running time of the algorithm is a high-degree polynomial, which limits experiments: the bottleneck is an LLL reduction of a high-dimensional matrix with extra-large coefficients. We present in this paper the first significant speedups over Coppersmith's algorithm. The first speedup is based on a special property of the matrices used by Coppersmith's algorithm, which allows us to provably speed up the LLL reduction by rounding, and which can also be used to improve the complexity analysis of Coppersmith's original algorithm. The exact speedup depends on the LLL algorithm used: for instance, the speedup is asymptotically quadratic in the bit-size of the small-root bound if one uses the Nguyen-Stehlé L 2 algorithm. The second speedup is heuristic and applies whenever one wants to enlarge the root size of Coppersmith's algorithm by exhaustive search. Instead of performing several LLL reductions independently, we exploit hidden relationships between these matrices so that the LLL reductions can be somewhat chained to decrease the global running time. When both speedups are combined, the new algorithm is in practice hundreds of times faster for typical parameters.
KW - Complexity
KW - Coppersmith's Algorithm
KW - LLL
KW - RSA
KW - Small Roots of Polynomial Equations
KW - Speedup
UR - https://www.scopus.com/pages/publications/84958536409
U2 - 10.1007/978-3-642-54631-0_11
DO - 10.1007/978-3-642-54631-0_11
M3 - Conference contribution
AN - SCOPUS:84958536409
SN - 9783642546303
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 185
EP - 202
BT - Public-Key Cryptography, PKC 2014 - 17th International Conference on Practice and Theory in Public-Key Cryptography, Proceedings
PB - Springer Verlag
Y2 - 26 March 2014 through 28 March 2014
ER -