|
|
| Line 1: |
Line 1: |
| {{Multiple issues|cleanup =January 2010|refimprove =January 2010|
| | My name is Nathaniel (28 years old) and my hobbies are Fantasy Football and Archery.<br><br>Feel free to visit my website [http://hypezz.com/profile/kigzsj Popular mountain bike sizing.] |
| {{expert-subject|Mathematics|date=January 2010}}
| |
| }}
| |
| | |
| The '''Coppersmith method''', proposed by [[Don Coppersmith]], is a method to find small integer [[Root of a function|roots]] of [[polynomial]] equations. These polynomials can be univariate or bivariate. In [[cryptography]] the algorithm is mainly used in attacks on [[RSA (algorithm)|RSA]] when parts of the [[public key cryptography|secret key]] are known.
| |
| | |
| The method uses the [[LLL algorithm]] <ref>Lattice Basis Reduction Algorithms (http://www.farcaster.com/papers/sm-thesis/node7.html)</ref> to find a
| |
| polynomial that has the roots of the target polynomial as roots and has small coefficients.
| |
| | |
| Coppersmith’s method is based on lattice reduction. A [[lattice (group)|lattice]] ''L'' is a subgroup of <math>\mathbf{R}^n</math>.
| |
| Also there exists a ''k'' such that <math>L = \mathbf{Z}b_1\oplus \ldots \oplus \mathbf{Z}b_k</math>, where
| |
| <math>B=(b_1,b_2,\ldots ,b_k)</math> is a basis of ''L''. The LLL algorithm computes a basis
| |
| <math>(b_1^*,b_2^*,\dots ,b_k^*)</math> of short vectors.
| |
| If ''k=n'', the determinant of the lattice is given by det(''L'')=det(''B''); in general <math>\mathrm{det}(L)\le \prod||b_i^*||</math>.
| |
|
| |
| For any LLL reduced basis <math>(b_1^*,b_2^*,\dots ,b_k^*)</math> it holds that
| |
| <math>||b_k^*||\ge (\mathrm{det}(L))^{1/k}\cdot 2^{(1-k)/4}</math>, see.<ref>A. Bauer and A. Joux, Toward a Rigorous Variation of Coppersmith’s Algorithm on Three Variables, Springer, LNCS 4515, 2007</ref>
| |
| | |
| Let <math>F(x) = x^n+a_{n-1}x^{n-1}+\ldots +a_1x+a_0</math> and assume that <math>F(x_0)\equiv 0 \mod M</math> for some
| |
| integer <math>|x_0|< M^{1/n}</math>.
| |
| Coppersmith’s algorithm can be used to find this integer solution <math>x_0</math>.
| |
| | |
| Finding roots over '''Q''' is easy using e.g. [[Newton's method]] but these algorithms do not work modulo a composite number ''M''. The idea behind Coppersmith’s method is to find a different polynomial <math>F_2</math> related to ''F'' that has the same <math>x_0</math> as a solution and has only small coefficients. If the coefficients and <math>x_0</math> are so small that <math>F_2(x_0) < M</math> over the integers, then
| |
| <math>x_0</math> is a root of ''F'' over '''Q''' and can easily be found.
| |
| | |
| ==How to find small roots using Coppersmith's method==
| |
| | |
| Coppersmith’s approach is a reduction of solving modular polynomial equations to solving polynomials over the integers.
| |
| Coppersmith's algorithm uses LLL to construct the polynomial <math>F_2</math> with small coefficients.
| |
| | |
| Given ''F'', the algorithm constructs polynomials <math>p_1(x),p_2(x),\dots ,p_n(x)</math> that have the same <math>x_0</math> as root modulo <math>M^a</math>, where ''a'' is some integer chosen dependent on the degree of ''F'' and the size of <math>x_0</math>.
| |
| Any linear combination of these polynomials has <math>x_0</math> as root modulo <math>M^a</math>.
| |
| | |
| The next step is to use the LLL algorithm to construct a linear combination <math>F_2(x)=\sum c_ip_i(x)</math>
| |
| of the <math>p_i</math> so that the inequality <math>|F_2(x)| < M^a</math> holds.
| |
| Now standard factorization methods can calculate the roots of <math>F_2(x)</math> over the integers.
| |
| | |
| ==See also==
| |
| [[Coppersmith's Attack]]
| |
| | |
| ==References==
| |
| <references/>
| |
| | |
| {{DEFAULTSORT:Coppersmith Method}}
| |
| [[Category:Asymmetric-key algorithms]]
| |
My name is Nathaniel (28 years old) and my hobbies are Fantasy Football and Archery.
Feel free to visit my website Popular mountain bike sizing.