HAL will be down for maintenance from Friday, June 10 at 4pm through Monday, June 13 at 9am. More information
Skip to Main content Skip to Navigation
Conference papers

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences

Jingguo Bi 1, 2 Jean-Sébastien Coron 3 Jean-Charles Faugère 4 Phong Q. Nguyen 1, 2 Guénaël Renault 4 Rina Zeitoun 4, 5
1 Institute for Advanced Study [Tsinghua]
2 CRYPT - Cryptanalyse
LIAMA - Laboratoire Franco-Chinois d'Informatique, d'Automatique et de Mathématiques Appliquées, Inria Paris-Rocquencourt
3 Uni.lu - Université du Luxembourg
4 PolSys - Polynomial Systems
LIP6 - Laboratoire d'Informatique de Paris 6, Inria Paris-Rocquencourt
5 Oberthur Card Systems - Puteaux
Abstract : In a seminal work at EUROCRYPT '96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time: this has found many applications in public-key cryptanalysis and in a few security proofs. However, the running time of the algorithm is a high-degree polynomial, which limits experiments: the bottleneck is an LLL reduction of a high-dimensional matrix with extra-large coefficients. We present in this paper the first significant speedups over Coppersmith's algorithm. The first speedup is based on a special property of the matrices used by Coppersmith's algorithm, which allows us to provably speed up the LLL reduction by rounding, and which can also be used to improve the complexity analysis of Coppersmith's original algorithm. The exact speedup depends on the LLL algorithm used: for instance, the speedup is asymptotically quadratic in the bit-size of the small-root bound if one uses the Nguyen-Stehlé L2 algorithm. The second speedup is heuristic and applies whenever one wants to enlarge the root size of Coppersmith's algorithm by exhaustive search. Instead of performing several LLL reductions independently, we exploit hidden relationships between these matrices so that the LLL reductions can be somewhat chained to decrease the global running time. When both speedups are combined, the new algorithm is in practice hundreds of times faster for typical parameters.
Keywords : RSA LLL Small Roots of Polynomial Equations Coppersmith's Algorithm
Document type :
Conference papers
Complete list of metadata

Cited literature [20 references]  Display  Hide  Download
https://hal.inria.fr/hal-00926902
Contributor : Guénaël Renault Connect in order to contact the contributor
Submitted on : Friday, January 10, 2014 - 2:28:31 PM
Last modification on : Friday, January 21, 2022 - 3:22:23 AM
Long-term archiving on: : Thursday, April 10, 2014 - 11:30:08 PM

File

Vignette du document
PKC14_Copp.pdf
Files produced by the author(s)

Identifiers

Collections

CNRS | INRIA | LIAMA | LIP6 | UPMC | CIRAD | INRA | INRIA2 | SORBONNE-UNIVERSITE | SU-SCIENCES | INRAE | SU-TI

Citation

Jingguo Bi, Jean-Sébastien Coron, Jean-Charles Faugère, Phong Q. Nguyen, Guénaël Renault, et al.. Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences. PKC 2014 - 17th IACR International Conference on Practice and Theory of Public-Key Cryptography, Mar 2014, Buenos Aires, Argentina. pp.185-202, ⟨10.1007/978-3-642-54631-0_11⟩. ⟨hal-00926902⟩

Export

BibTeX TEI DC DCterms EndNote Datacite

Share

Metrics

Record views

667

Files downloads

423

 

Contact                    Legal Notice                    Personal Data