Coppersmith's lattices and "focus groups": an attack on small-exponent RSA
This work addresses a computational bottleneck in cryptographic attacks for security researchers, offering incremental improvements to existing methods.
The authors tackled the problem of reducing lattice and matrix sizes in Coppersmith's method for solving modular polynomial equations, specifically applied to small-exponent RSA, resulting in reduced lattice dimensions and running times, enabling attacks on a wider range of exponents and improving success rates in recovering RSA secret keys.
We present a principled technique for reducing the lattice and matrix size in some applications of Coppersmith's lattice method for finding roots of modular polynomial equations. Motivated by ideas from machine learning, it relies on extrapolating patterns from the actual behavior of Coppersmith's attack for smaller parameter sizes, which can be thought of as "focus group" testing. When applied to the small-exponent RSA problem, our technique reduces lattice dimensions and consequently running times, and hence can be applied to a wider range of exponents. Moreover, in many difficult examples our attack is not only faster but also more successful in recovering the RSA secret key. We include a discussion of subtleties concerning whether or not existing metrics (such as enabling condition bounds) are decisive in predicting the true efficacy of attacks based on Coppersmith's method. Finally, indications are given which suggest certain lattice basis reduction algorithms (such as Nguyen-Stehlé's L2) may be particularly well-suited for Coppersmith's method.