International Association for Cryptologic Research (IACR)
Abstract
We investigate a lattice construction method for the Coppersmith technique
for finding small solutions of a modular equation.
We consider its variant for simultaneous equations
and propose a method to construct a lattice
by combining lattices for solving single equations.
As applications,
we consider
a new RSA cryptanalyses.
Our algorithm can factor an RSA modulus from ℓ≥2 pairs of RSA public exponents with the common modulus
corresponding to secret exponents smaller than N(9ℓ−5)/(12ℓ+4),
which improves on the previously best known result by Sarkar and Maitra.
For partial key exposure situation,
we also can factor the modulus if
β−δ/2+1/4<(3ℓ−1)(3ℓ+1),
where β and δ are bit-lengths /logN of the secret exponent and its exposed LSBs,
respectively