Finding Small Roots of Univariate Modular Equations Revisited

An alternative technique for finding small roots of univaxiate modular equations is described. This approach is then compared with that taken in (Coppersmith, 1996), which links the concept of the dual lattice (see (Cassels, 1971)) to the LLL algorithm (see (Lenstra et al., 1982)). Timing results comparing both algorithms are given, and practical considerations axe discussed. This work has direct applications to several low exponent attacks on the RSA cryptographic scheme (see (Coppersmith, 1996)). 1 I n t r o d u c t i o n Let p ( x ) be a univariate modular polynomial of degree k; p ( x ) = x k + a k l x k l + . . . + a l x + ao ( m o d N ) . (1) It is assumed that p ( x ) is monic and irreducible, and that N is not prime, but hard to factorise. In this paper we describe a new method for finding all the small integer roots, Ixol < N 1 /k , of equation 1, and show the relationship between the approach taken here, and that taken in (Coppersmith, 1996). It will be proved, via a general result on dual lattices that these two algorithms are in fact equivalent, though the present approach may be preferred for computational efficiency. It has been shown in (Coppersmith, 1996) how finding small solutions to equation 1 can lead to various attacks on the RSA cryptographic scheme when using a small encrypting exponent. Since both approaches employ lattice basis reduction, the remainder of this section deals with the notation and technical results that will be required. Sections 2 and 3 give expositions of the algorithms in question, together with proofs of their validity; examples of both algorithms are shown in section 4. Section 5 proves a technical result about dual lattices with respect to the LLL algorithm, whilst section 6 shows that it is indeed this theory that links the two methods. Section 7 then discusses practical issues relating to the algorithms and gives relevant timing results. 1.1 N o t a t i o n For the sake of consistency, all the results stated in this paper will be with respect to the r o w s of the relevant matrices. We shall denote the i ' th row of a matr ix M by m~, and the i ' th element of a vector v by v~.