Английская Википедия:Coppersmith method
The Coppersmith method, proposed by Don Coppersmith, is a method to find small integer zeroes of univariate or bivariate polynomials modulo a given integer. The method uses the Lenstra–Lenstra–Lovász lattice basis reduction algorithm (LLL) to find a polynomial that has the same zeroes as the target polynomial but smaller coefficients.
In cryptography, the Coppersmith method is mainly used in attacks on RSA when parts of the secret key are known and forms a base for Coppersmith's attack.
Approach
Coppersmith's approach is a reduction of solving modular polynomial equations to solving polynomials over the integers.
Let <math>F(x) = x^n+a_{n-1}x^{n-1}+\ldots +a_1x+a_0</math> and assume that <math>F(x_0)\equiv 0 \pmod{M}</math> for some integer <math>|x_0|< M^{1/n}</math>. Coppersmith’s algorithm can be used to find this integer solution <math>x_0</math>.
Finding roots over Шаблон:Mvar is easy using, e.g., Newton's method, but such an algorithm does not work modulo a composite number Шаблон:Mvar. The idea behind Coppersmith’s method is to find a different polynomial Шаблон:Mvar related to Шаблон:Mvar that has the same root <math>x_0</math> modulo Шаблон:Mvar, but has only small coefficients. If the coefficients and <math>x_0</math> are small enough that <math>|f(x_0)| < M</math> over the integers, then we have <math>f(x_0) = 0</math>, so that <math>x_0</math> is a root of Шаблон:Mvar over Шаблон:Mvar and can be found easily. More generally, we can find a polynomial <math>f(x)</math> with the same root <math>x_0</math> modulo some power <math>M^a</math> of Шаблон:Mvar, satisfying <math>|f(x_0)| < M^a</math>, and solve for <math>x_0</math> as above.
Coppersmith's algorithm uses the Lenstra–Lenstra–Lovász lattice basis reduction algorithm (LLL) to construct the polynomial Шаблон:Mvar with small coefficients. Given Шаблон:Mvar, the algorithm constructs polynomials <math>p_1(x), p_2(x), \dots, p_n(x)</math> that all have the same root <math>x_0</math> modulo <math>M^a</math>, where Шаблон:Mvar is some integer chosen based on the degree of Шаблон:Mvar and the size of <math>x_0</math>. Any linear combination of these polynomials also has <math>x_0</math> as a root modulo <math>M^a</math>.
The next step is to use the LLL algorithm to construct a linear combination <math>f(x)=\sum c_ip_i(x)</math> of the <math>p_i(x)</math> so that the inequality <math>|f(x_0)| < M^a</math> holds. Now standard factorization methods can calculate the zeroes of <math>f(x)</math> over the integers.
Implementations
Coppersmith's method for univariate polynomials is implemented in
- Magma as the function
SmallRoots; - PARI/GP as the function
zncoppersmith; - SageMath as the method
small_roots.
References
