At Eurocrypt ’96, Coppersmith presented a novel application of lattice reduction to find small roots of a univariate modular polynomial equation. This led to rigorous polynomial attacks against RSA with low public exponent, in some particular settings such as encryption of stereotyped messages, random padding, or broadcast applications à la Håstad. Theoretically, these are the most powerful known attacks against low-exponent RSA. However, the practical behavior of Coppersmith’s method was unclear. On the one hand, the method requires reductions of high-dimensional lattices with huge entries, which could be out of reach. On the other hand, it is well-known that lattice reduction algorithms output better results than theoretically expected, which might allow better bounds than those given by Coppersmith’s theorems. In this paper, we present extensive experiments with Coppersmith’s method, and discuss various trade-offs together with practical improvements. Overall, practice meets theory. The warning is clear: one should be very cautious when using the low-exponent RSA encryption scheme, or one should use larger exponents.
CITATION STYLE
Coupé, C., Nguyen, P., & Stern, J. (1999). The effectiveness of lattice attacks against low-exponent RSA. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 1560, pp. 204–218). Springer Verlag. https://doi.org/10.1007/3-540-49162-7_16