
CRYPTANALYSIS OF PARTIAL RSA MESSAGE DISCLOSURE

By

NOR ZULAIKA BINTI AHMAD NASARUDIN

182698

BACHELOR OF SCIENCE IN MAJOR MATHEMATICS


DEPARTMENT OF MATHEMATICS
FACULTY OF SCIENCE
UNIVERSITI PUTRA MALAYSIA
Abstract

CRYPTANALYSIS OF PARTIAL RSA MESSAGE DISCLOSURE

By

NOR ZULAIKA BINTI AHMAD NASARUDIN

Supervisor: Assoc. Prof. Dr. Muhammad Rezal bin Dato’ Kamel Ariffin

Department: Department of Mathematics

Faculty: Faculty of Science

In 1996, Don Coppersmith used the Lenstra, Lenstra and Lovász (LLL) algorithm to find small integer roots of polynomials. It was used on univariate modular equations and he proved that the method would find small roots, if they existed, in polynomial time. In this thesis we look at the LLL algorithm and how it can be used to solve univariate modular equations. We talk briefly about cryptography and public-key cryptosystems, and we present some theory about lattices. We look in detail at Coppersmith's method and show how it can be used to attack RSA encryption with a low exponent. In the end, we give an example to illustrate this attack.
Abstrak (Abstract, translated from Malay)

ANALISISKRIPTO PENDEDAHAN SEPARA MESEJ RSA (Cryptanalysis of Partial RSA Message Disclosure)

By

NOR ZULAIKA BINTI AHMAD NASARUDIN

Supervisor: Assoc. Prof. Dr. Muhammad Rezal bin Dato' Kamel Ariffin

Department: Department of Mathematics

Faculty: Faculty of Science

In 1996, Don Coppersmith used the Lenstra, Lenstra and Lovász (LLL) algorithm to find small integer roots of polynomials. It was used on univariate modular equations and he proved that the method would give small roots, if these roots exist, in polynomial time. In this thesis we will look at the LLL algorithm and its use in solving univariate modular equations. We give a more detailed account of cryptography and public-key cryptosystems, and present some theory. We will also look in detail at Coppersmith's method and show how it can be used to attack RSA encryption that uses a low exponent. Finally, we give an example to illustrate this attack.
ACKNOWLEDGMENTS

First and foremost, praise to the almighty Allah s.w.t. as I managed to complete this Final Year Project Thesis, which is titled Cryptanalysis of Partial RSA Message Disclosure. Firstly, I am thankful to my supervisor, Assoc. Prof. Dr. Muhammad Rezal bin Dato' Kamel Ariffin, who encouraged, supervised, guided and supported me a lot during the two semesters of session 2018/2019. I would like to express my sincere gratitude to my supervisor for the continuous support, for his patience, motivation, enthusiasm and immense knowledge. His guidance helped me throughout the project and the writing of this thesis.

Deepest thanks and appreciation to both of my parents, family and others for their cooperation, encouragement, constructive suggestions and full support for me to complete this project. I would like to thank all my friends and everyone, especially my coursemate Siti Fatimah Azzahra binti Azhari, for her encouragement, insightful comments, and knowledge. Last but not least, my thanks to all who directly or indirectly helped me in this venture.
DECLARATION

I declare that the thesis is my original work except for quotations and citations which have been duly acknowledged. I also declare that it has not been previously, and is not concurrently, submitted for any other degree at Universiti Putra Malaysia or at any other institution.

NOR ZULAIKA BINTI AHMAD NASARUDIN

Date: 10th December 2018
TABLE OF CONTENTS

Page
ABSTRACT i
ABSTRAK ii
ACKNOWLEDGMENTS iii
APPROVAL iv
DECLARATION iv
LIST OF ABBREVIATIONS vi

CHAPTER
1 INTRODUCTION 1
1.1 Number Theory 1
1.1.1 Divisibility 1
1.1.2 Greatest Common Divisor 1
1.1.3 Euclidean Algorithm 1
1.1.4 Extended Euclidean Algorithm 3
1.1.5 Modular Arithmetic 4
1.2 Research Background 4
1.2.1 Cryptographic goals 4
1.2.2 Symmetric Key Cryptography 5
1.2.3 Asymmetric Key Cryptography 6
1.2.4 Selected Cryptographic One-Way Functions and Its Difficulty 6
1.3 RSA- An Asymmetric Cryptosystem (1978) 10
1.4 Problem Statement 13
1.5 Objective 13

2 LITERATURE REVIEW 14
2.1 Stereotyped Message 14
2.2 Fixed Padding Schemes in RSA 15
2.3 Coppersmith’s Method 16

3 METHODOLOGY 17
3.1 Useful Theorem 18
3.2 Lattice 19
3.3 LLL- lattice reduction algorithm 21
3.4 Coppersmith’s Method 22
3.5 Coppersmith’s Univariate Method 25

4 RESULT AND DISCUSSIONS 32
4.1 Strategies 32
4.2 Reconstructing Message with Partial Disclosure 33
4.3 Numerical Example for Stereotyped Messages 34
4.4 Numerical Example for Fixed Padding Message 37

CONCLUSIONS 38
REFERENCES 39
APPENDICES 40

LIST OF ABBREVIATIONS

AES Advanced Encryption Standard

gcd Greatest Common Divisor

LLL Lenstra-Lenstra-Lovász lattice reduction algorithm

RSA Rivest-Shamir-Adleman Encryption

CHAPTER 1
INTRODUCTION

1.1 Number Theory

In this section, we present the necessary definitions and algorithms that will be used in the following sections:

1.1.1 Divisibility

Definition 1.1.1
Let $a, b \in \mathbb{Z}$ and $a \ne 0$. We say a divides b if there exists $k \in \mathbb{Z}$ such that $b = ak$. This is denoted by $a \mid b$.

1.1.2 Greatest Common Divisor

The greatest common divisor (gcd) of two integers a and b is the largest integer dividing both a and b.
Example 1.1.2
gcd(4, 6) = 2
gcd(8, 12) = 4
Definition 1.1.2
We say two integers a and b are relatively prime or co-prime if gcd(a, b) = 1.

1.1.3 Euclidean Algorithm

This is a method to find gcd(a, b) for a > b.

Theorem 1.1.3.1
Let a, b be positive integers with a ≥ b. The following algorithm computes gcd(a, b) in a finite number of steps; in fact it terminates after at most $2\log_2(b) + 1$ division steps.
Step 1
Let $r_0 = a$ and $r_1 = b$.

Step 2
Set $i = 1$.

Step 3
Divide $r_{i-1}$ by $r_i$ to get the quotient $q_i$ and remainder $r_{i+1}$. Initially, divide $r_0 = a$ by $r_1 = b$ and determine the remainder: $a = b q_1 + r_2$, $0 \le r_2 < b$.

Step 4
If $r_2 = 0$, then gcd(a, b) = b.
If $r_2 \ne 0$, continue by dividing b by $r_2$: $b = r_2 q_2 + r_3$, $0 \le r_3 < r_2$.

Step 5
If $r_3 = 0$, then gcd(a, b) = $r_2$; else continue:

$r_2 = r_3 q_3 + r_4$
$\vdots$
$r_{t-2} = r_{t-1} q_{t-1} + r_t$, $0 \le r_t < r_{t-1}$
$r_{t-1} = r_t q_t + 0$

So gcd(a, b) = $r_t$.
Example 1.1.3
Compute gcd (1015,231)

1015= 231(4) + 91
231= 91(2) + 49
91= 49(1) + 42
49= 42(1) + 7
42= 7(6) + 0

Thus, the gcd(1015,231) = 7.

1.1.4 Extended Euclidean Algorithm

Algorithm 1.1
The following is an efficient algorithm to find a solution of $ax + by = \gcd(a, b)$.
Step 1
Divide b into a, then keep dividing each remainder into the previous one:

$a = b q_1 + r_1$
$b = r_1 q_2 + r_2$
$r_1 = r_2 q_3 + r_3$
$\vdots$
$r_{t-2} = r_{t-1} q_t + r_t$
$r_{t-1} = r_t q_{t+1} + 0$

Step 2
Set $x_0 = 1$, $x_1 = 0$ and $x_j = -q_{j-1} x_{j-1} + x_{j-2}$.
Set $y_0 = 0$, $y_1 = 1$ and $y_j = -q_{j-1} y_{j-1} + y_{j-2}$,
for $j = 2, \ldots, t+1$.
Then $a x_{t+1} + b y_{t+1} = \gcd(a, b) = r_t$.
Using this algorithm, we can solve congruences and find the multiplicative inverse in a given congruence.
1.1.5 Modular Arithmetic

1.1.5.1 Congruence

Definition 1.1.5.1
Let $a, b, n \in \mathbb{Z}$ and $n \ne 0$. We say $a \equiv b \pmod n$ if $\frac{a - b}{n} = k \in \mathbb{Z}$.

1.2 Research Background

Cryptography is the development of systems for transforming text to conceal its meaning. There are many reasons why people want to communicate privately. As an example, when you buy something online, you do not want your credit card number to be revealed or to end up in the wrong hands. More precisely, cryptography is the mathematical art of secret writing and is about the prevention and detection of cheating and other malicious activities. In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm into information (called ciphertext) that is unreadable to anyone not possessing special knowledge, usually referred to as a key.

1.2.1 Cryptographic goals

There are four main goals of cryptography in protecting private communication between two entities:

1. Confidentiality: Protecting information from being disclosed to unauthorized parties.

2. Integrity: To be able to detect alteration of data.

3. Non-Repudiation: To prevent an entity from denying previous commitments or actions.

4. Authentication: To be able to identify entities in communication.
There are two types of cryptosystems :

1. Symmetric-key cryptosystem (Secret key cryptosystem).

2. Asymmetric-key cryptosystem (Public key cryptosystem).

1.2.2 Symmetric Key Cryptography

In a symmetric key cryptosystem, the encryption and decryption algorithms use the same key for the conversion of plaintext to ciphertext.

Figure 1 : Symmetric Encryption

This is the simplest kind of encryption: it involves only one secret key to cipher and decipher information. Symmetric encryption uses a secret key that can be a number, a word or a string of random letters. It is blended with the plaintext of a message to change the content in a particular way. The sender and the recipient must both know the secret key that is used to encrypt and decrypt all the messages. Thus, the major problem in symmetric key cryptography is key distribution, because the key must be shared secretly before information can be exchanged in a secure manner.
1.2.3 Asymmetric Key Cryptography

In asymmetric key cryptography a pair of keys, namely a public key and a secret key (or private key), is used for the encryption and decryption process. Whitfield Diffie, Martin Hellman and Ralph Merkle introduced the concept of the asymmetric-key cryptosystem. Although different, the two keys are linked by a mathematical function. The public key is used to encrypt plaintext or to verify a digital signature, and the private key is used to decrypt ciphertext or to create a digital signature.
In 1976, Whitfield Diffie and Martin Hellman came up with a new idea that led to a revolution in the field of cryptography [7]. They designed a protocol in which two people can agree on a common secret key over an insecure channel like the internet. This key exchange protocol is named the Diffie-Hellman key exchange. The basic principle of their protocol is the use of a one-way function.

1.2.4 Selected Cryptographic One-Way Functions and Its Difficulty

A one-way function that has a trapdoor is used to build a secure public key cryptosystem. It is a mathematical function that is significantly easier to compute in one direction (the forward direction) than in the opposite direction (the inverse direction). The trapdoor allows the computation of the inverse to be easy for whoever holds it. Examples of such problems are the Discrete Log Problem, the Diffie-Hellman Problem and Decisional Diffie-Hellman.
1.2.5 Discrete Log Problem
Definition 1.2.5.1
Let p be a prime and $g \in \mathbb{Z}_p$ a primitive root. The DLP is the problem of finding an exponent x such that

$g^x \equiv h \pmod p.$

The value of x is called the discrete log of h to the base g and is denoted by $\log_g(h)$. The DLP is a hard problem if there exists a negligible function $\varepsilon(n)$ such that the probability Pr of solving the DLP satisfies

$\Pr(\mathrm{Dlog} = 1) \le \varepsilon(n).$

1.2.6 Diffie-Hellman Key Exchange


Definition 1.2.6.1
1. Public Parameter Creation
A trusted party chooses and publishes a large prime p and an integer g having large order in $\mathbb{Z}_p$.
2. Private Computation
- Alice chooses a secret random integer a and computes $A \equiv g^a \pmod p$.
- Bob also chooses a secret random integer b and computes $B \equiv g^b \pmod p$.
3. Public Key Exchange
- Alice sends A to Bob.
- Bob sends B to Alice.
4. Private Computation
- Alice computes $A' \equiv B^a \pmod p$.
- Bob computes $B' \equiv A^b \pmod p$.

5. Shared Secret Key: the two computed values agree, since

$A' \equiv B^a \equiv (g^b)^a \equiv (g^a)^b \equiv A^b \equiv B' \pmod p.$
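The following Python program is an added example and not code from the thesis: it runs the exchange of Definition 1.2.6.1 with both parties' messages on the constructed toy parameters p = 23, g = 5 (real deployments use primes of 2048 bits or more); the function names are this example's own.

```python
# Added example, not code from the thesis: the exchange of Definition 1.2.6.1 with
# both parties' messages, on the constructed toy parameters p = 23, g = 5.
import secrets

P, G = 23, 5            # toy public parameters (step 1); 5 is a primitive root mod 23

def dh_public(secret, p=P, g=G):
    """Step 2: A = g^a mod p on Alice's side, B = g^b mod p on Bob's; sent in clear."""
    return pow(g, secret, p)

def dh_shared(own_secret, other_public, p=P):
    """Step 4: Alice computes B^a mod p, Bob computes A^b mod p."""
    return pow(other_public, own_secret, p)

def dh_exchange(a, b, p=P, g=G):
    """Whole protocol with fixed secrets a (Alice) and b (Bob); returns
    (A, B, Alice's key, Bob's key).  Step 5 says the two keys agree."""
    A = dh_public(a, p, g)           # step 3: Alice -> Bob
    B = dh_public(b, p, g)           # step 3: Bob -> Alice
    return A, B, dh_shared(a, B, p), dh_shared(b, A, p)

def random_secret(p=P):
    """Fresh secret exponent in [1, p-2] from the OS CSPRNG (secrets, not random)."""
    return 1 + secrets.randbelow(p - 2)

if __name__ == "__main__":
    a, b = random_secret(), random_secret()
    A, B, key_alice, key_bob = dh_exchange(a, b)
    print(f"Eve sees A={A}, B={B}; Alice's key {key_alice} == Bob's key {key_bob}")
```

With a = 6 and b = 15 the run gives A = 8, B = 19 and the shared key 2 on both sides. An eavesdropper only ever sees A and B; recovering the key from them is the Diffie-Hellman Problem of Definition 1.2.7.1, and with a prime this small it is of course trivial by exhaustive search, which is why the toy parameters must never be reused outside an illustration.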

1.2.7 Diffie-Hellman Problem


Definition 1.2.7.1
Let p be a prime number and g an integer. The Diffie-Hellman Problem (DHP) is the problem of computing the value of $g^{ab} \pmod p$ from the known values of $g^a \pmod p$ and $g^b \pmod p$.

1.2.8 Decisional Diffie-Hellman


Definition 1.2.8.1

1. Let p be a prime and $g \in \mathbb{Z}_p$ a primitive root.

2. Choose random $x_1, x_2$ from $\mathbb{Z}_p$.

3. Compute the values $h_1 \equiv g^{x_1} \pmod p$, $h_2 \equiv g^{x_2} \pmod p$ and $h_3 \equiv g^{x_1 x_2} \pmod p$.

4. Choose random z from $\mathbb{Z}_p$ and compute the value $h_4 \equiv g^{z} \pmod p$.

5. The adversary is given the tuples $G_1 = (g, p, h_1, h_2, h_3)$ and $G_2 = (g, p, h_1, h_2, h_4)$.

6. The output is 1 if the adversary is able to determine which of $G_1$ or $G_2$ is the correct (Diffie-Hellman) tuple, otherwise 0.
Basically, Eve is an eavesdropper: she watches what is sent between Alice and Bob but does not alter the contents of their communications. Eve faces a dilemma in which she knows the values A and B, so she knows the values of $g^a \pmod p$ and $g^b \pmod p$. For the known values of g and p, if Eve can solve the DLP, then she is able to find a and b. For further discussion of the DHKE along with the concepts of DLP, DHP and DDH, refer to [6].

Then, in 1978, Ron Rivest, Adi Shamir and Leonard Adleman came up with a very elegant solution for the key exchange problem [1]. They invented the first public key cryptosystem, called the RSA scheme, building on the discovery of Diffie and Hellman.

Figure 3 : Asymmetric Encryption
1.3 RSA- An Asymmetric Cryptosystem (1978)

In 1978, Ron Rivest, Adi Shamir and Leonard Adleman were the three researchers who invented the first public-key cryptosystem, called the RSA Cryptosystem, as a solution for the key exchange problem [1]. RSA uses two different keys: a public key for encryption and a private key for decryption of messages. Below are the detailed initial schemes of the RSA Cryptosystem:

Algorithm 1 Key Generation Algorithm

1: INPUT: The size n of the prime numbers.
2: OUTPUT: A public key tuple (e, N) and a private key tuple (p, q, d).
3: Generate two random and distinct n-bit strong primes (p, q).
4: Compute $N = pq$ and $\varphi(N) = (p-1)(q-1)$.
5: Choose random e such that $\gcd(e, \varphi(N)) = 1$.
6: Compute the integer d such that $ed \equiv 1 \pmod{\varphi(N)}$.
7: Return the public key tuple (e, N) and the private key tuple (p, q, d).

Algorithm 2 RSA Encryption

1: INPUT: The public key pair (N, e) and the message $m \in \mathbb{Z}_N$.
2: OUTPUT: The ciphertext c.
3: Compute $c \equiv m^e \pmod N$.

Algorithm 3 RSA Decryption

1: INPUT: The private key d and the ciphertext c.
2: OUTPUT: The message m.
3: Compute $m \equiv c^d \pmod N$.
Theorem 1.1 (Euler's Theorem)
If $\gcd(a, N) = 1$, then $a^{\varphi(N)} \equiv 1 \pmod N$, where φ is Euler's totient function.
Proof:
Let $a_1, a_2, \ldots, a_{\varphi(N)} \in \mathbb{Z}^+$ be the integers less than and relatively prime to N. The products $a a_1, a a_2, \ldots, a a_{\varphi(N)}$ are a permutation of the $\varphi(N)$ integers $a_i$ modulo N: for each i, $a a_i$ is also relatively prime to N, so $a a_i \equiv a_k \pmod N$ for some k, and since

$a a_i \equiv a a_j \pmod N$ implies $a_i \equiv a_j \pmod N$,

the $a a_i$ are distinct modulo N. Hence

$a_1 a_2 \cdots a_{\varphi(N)} \equiv (a a_1)(a a_2) \cdots (a a_{\varphi(N)}) \pmod N$

$a_1 a_2 \cdots a_{\varphi(N)} \equiv a^{\varphi(N)} a_1 a_2 \cdots a_{\varphi(N)} \pmod N$

$a^{\varphi(N)} \equiv 1 \pmod N. \ \square$

Proposition 1.1
Let p, q be distinct primes, $N = pq$, $\varphi(N) = (p-1)(q-1)$, $\gcd(e, \varphi(N)) = 1$, and let d be the multiplicative inverse of e, so that $ed \equiv 1 \pmod{\varphi(N)}$. Then the congruence $y \equiv x^e \pmod N$ has the unique solution $x \equiv y^d \pmod N$.
Proof:
Writing $c = m^e$ and $ed = 1 + k\varphi(N)$, notice first that

$c^d \equiv (m^e)^d \equiv m^{1 + k\varphi(N)} \pmod N$

$\phantom{c^d} \equiv m \cdot (m^{\varphi(N)})^k \pmod N$

$\phantom{c^d} \equiv m \cdot 1^k \pmod N$

$\phantom{c^d} \equiv m \pmod N. \ \square$
Example 1.1 The RSA Encryption and RSA Decryption can be implemented as follows:

Algorithm 4 RSA Key Creation

1: Bob chooses two secret primes p = 31 and q = 23. Bob computes his public modulus $N = p \cdot q = 31 \cdot 23 = 713$.
2: Bob chooses a public encryption exponent e = 223 with the property that $\gcd(e, (p-1)(q-1)) = \gcd(223, 660) = 1$.

Algorithm 5 RSA Encryption

1: Alice wishes to send Bob the message m = 439 satisfying $1 \le m < N$.
2: She computes $c \equiv m^e \pmod N \equiv 439^{223} \pmod{713} \equiv 284$.
3: Alice sends the ciphertext c = 284 to Bob.

Algorithm 6 RSA Decryption

1: Bob receives the ciphertext 284 from Alice.
2: Bob knows $(p-1)(q-1) = 30 \cdot 22 = 660$, so he can solve $ed \equiv 1 \pmod{(p-1)(q-1)}$.
3: Bob computes $223 \cdot d \equiv 1 \pmod{660}$ and finds that d = 367.
4: Bob takes the ciphertext c = 284 and computes $c^d \pmod N$: $284^{367} \equiv 439 \pmod{713}$.

The value that he computes is Alice's message m = 439.
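The following Python program is an added example, not code from the thesis: it implements the Euclidean and extended Euclidean algorithms of Sections 1.1.3 and 1.1.4 (with the recurrences $x_j = -q_{j-1}x_{j-1} + x_{j-2}$ and $y_j = -q_{j-1}y_{j-1} + y_{j-2}$) and uses them for the RSA key generation, encryption and decryption of Section 1.3, run on the numbers of Example 1.1. The function names are this example's own choices. Note that d is computed as the inverse of e modulo $\varphi(N) = 660$, not modulo N.

```python
# Added example, not code from the thesis: Euclidean / extended Euclidean
# algorithm (Sections 1.1.3-1.1.4) feeding textbook RSA (Section 1.3), checked
# against the thesis's Example 1.1 (p = 31, q = 23, e = 223, m = 439).

def euclid_gcd(a, b):
    """Theorem 1.1.3.1: divide, keep the remainder, repeat until it is zero.
    Returns (gcd, [q_1, q_2, ...]) so the quotients can drive Algorithm 1.1."""
    quotients = []
    while b:
        q, r = divmod(a, b)
        quotients.append(q)
        a, b = b, r
    return a, quotients

def extended_euclid(a, b):
    """Algorithm 1.1: integers x, y with a*x + b*y = gcd(a, b), built with
    x_j = -q_{j-1} x_{j-1} + x_{j-2}, y_j = -q_{j-1} y_{j-1} + y_{j-2}
    from x_0 = 1, x_1 = 0, y_0 = 0, y_1 = 1."""
    if b == 0:
        return a, 1, 0
    g, quotients = euclid_gcd(a, b)
    x, y = [1, 0], [0, 1]
    for q in quotients[:-1]:          # last quotient belongs to the zero-remainder step
        x.append(-q * x[-1] + x[-2])
        y.append(-q * y[-1] + y[-2])
    return g, x[-1], y[-1]

def mod_inverse(e, n):
    """e^{-1} mod n via the extended algorithm; exists only if gcd(e, n) = 1."""
    g, x, _ = extended_euclid(e, n)
    if g != 1:
        raise ValueError("no inverse: gcd(e, n) != 1")
    return x % n

def rsa_keygen(p, q, e):
    """Algorithm 1: N = pq, phi(N) = (p-1)(q-1), d = e^{-1} mod phi(N)
    (the inverse is taken modulo phi(N), not modulo N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if euclid_gcd(e, phi)[0] != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (e, n), (p, q, mod_inverse(e, phi))

def rsa_encrypt(public_key, m):
    e, n = public_key
    return pow(m, e, n)                # Algorithm 2: c = m^e mod N

def rsa_decrypt(private_key, c):
    p, q, d = private_key
    return pow(c, d, p * q)            # Algorithm 3: m = c^d mod N

def example_1_1():
    """Example 1.1 end to end: returns (d, c, recovered m) = (367, 284, 439)."""
    public, private = rsa_keygen(31, 23, 223)
    c = rsa_encrypt(public, 439)
    return private[2], c, rsa_decrypt(private, c)

if __name__ == "__main__":
    print("gcd(1015, 231) =", euclid_gcd(1015, 231)[0])
    print("1015*x + 231*y = gcd:", extended_euclid(1015, 231))
    print("Example 1.1 (d, c, m):", example_1_1())
```

On Example 1.1.3's input the quotients are 4, 2, 1, 1, 6 and the recurrence yields 1015·(−5) + 231·22 = 7; on the RSA example it yields d = 367, c = 284 and the decrypted message 439, matching Proposition 1.1.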
1.4 Problem Statement

• Is it possible to recover the full message encrypted by RSA if we know some part of it?

• Is it possible to recover the full message of a specifically constructed padding scheme encrypted by RSA?

1.5 Objective

• To investigate whether, knowing a part of the message, we can find the unknown part $x_0$ and so discover the full message.

• To prove that, knowing a part of the bits of a message, we can discover the full message.
CHAPTER 2
LITERATURE REVIEW

2.1 Stereotyped Message

When you open a new account at a bank, your bank will normally send you a PIN number, usually in the form:

Your pin number is ****

This situation occurs in the case of so-called stereotyped messages (consisting of a fixed known string and an unknown number/string). Suppose the messages are encrypted by RSA. The unknown part **** may consist of the words "very secret". In this section, if the unknown part **** is chosen to be small, then it can be easily recovered.

So when encrypting a plaintext m, one should be careful about its size. Unfortunately, this is not the only pitfall, especially when we use a small public exponent. If the public exponent is sufficiently small, there is a risk that the ciphertext will satisfy $c = m^e < N$. Knowing this, all Eve has to do is calculate the e-th root of c over the integers. So plaintexts m such that $m < N^{1/e}$ cannot be used. This is relevant because RSA is often used to share a key for use in a symmetric key cryptosystem.
2.2 Fixed Padding Schemes in RSA

One simple proposal for κ-bit RSA moduli takes a $\kappa_0$-bit message and pads it by putting $(\kappa - \kappa_0 - 1)$ ones on its left-hand side. This brings a short message to full length. This padding scheme is sometimes called a fixed padding scheme. Suppose short messages (for example, 128-bit AES keys K) are being encrypted using this padding scheme with κ = 1024. Then

$m = 2^{1024} - 2^{128} + K$

Suppose our encryption exponent is e = 3. Then the ciphertext is

$c \equiv m^3 \pmod N$

NOTE: If the cryptanalyst can intercept the ciphertext, then the cryptanalyst only needs to find the value of K. In this case, we know that K is a solution to the polynomial

$F(x) = (2^{1024} - 2^{128} + x)^3 - c \equiv 0 \pmod N$

This is a polynomial of degree 3 with a root modulo N of size at most $N^{128/1024} = N^{1/8}$. So Coppersmith's method finds the solution K in polynomial time.
2.3 Coppersmith’s Method

In 1996 the Coppersmith method was proposed by Don Coppersmith; it is a method to find small integer zeroes of univariate or bivariate polynomials modulo a given integer. The method uses the Lenstra-Lenstra-Lovász lattice basis reduction algorithm (LLL) to find a polynomial that has the same zeroes as the target polynomial but smaller coefficients.
In cryptography, the Coppersmith method is mainly used in attacks on RSA when parts of the secret key are known, and it forms the base for Coppersmith's attack as mentioned in the previous section.
Coppersmith's approach is a reduction of solving modular polynomial equations to solving polynomials over the integers [4].
Let

$F(x) = x^n + a_{n-1} x^{n-1} + \ldots + a_1 x + a_0$

and assume that

$F(x_0) \equiv 0 \pmod N$

for some integer

$|x_0| < N^{1/n}.$

Coppersmith's algorithm can be used to find this integer solution $x_0$.
CHAPTER 3
METHODOLOGY

We will use the following definitions, theorems and mathematical tools:

Definition 3.1
A non-zero polynomial is called monic if its leading coefficient is 1.
Example 3.1
1. $x^2 + 30x - 15$ is a monic polynomial.
2. $5x^2 + 26x - 13$ is not a monic polynomial.
Definition 3.2
A monomial is an expression in algebra that contains one term, including:
1. Numbers.
2. Whole numbers and variables that are multiplied together.
3. Variables that are multiplied together.
Example 3.2
1. Numbers that are monomials: 32 and 1000.
2. Combinations of numbers and variables that are monomials: $2y^2$ and $32x^3 y$.
3. Variables that are monomials: $xy$ and $j$.
Definition 3.3
A univariate polynomial is an expression that contains only one variable, of the form $p_n x^n + p_{n-1} x^{n-1} + \cdots + p_0$, where $p_0, p_1, \ldots, p_n$ are the coefficients of the polynomial and n is its degree.

Example 3.3
1. $2x^3 + 3x^2 - 24$
2. $x^2 + x - 5$

Definition 3.4
A multivariate polynomial is a polynomial that contains two or more variables.
Example 3.4
1. $2x^3 + 3y^2 - 24$
2. $y^2 + xy - 5x + 3$

3.1 Useful Theorem

Theorem 3.1.1 (Howgrave-Graham)

Let $F(x)$ be a univariate polynomial with n monomials. Further, let m be a positive integer. Suppose that:
1) $F(x_0) \equiv 0 \pmod{b^m}$ where $|x_0| < X$;
2) $\|F(xX)\| < \frac{b^m}{\sqrt{n}}$.

Then $F(x_0) = 0$ holds over the integers.

Proof: (See [4])
3.2 Lattice

In 1996 Coppersmith described how to use the LLL algorithm on lattice bases to find small roots of polynomials. Coppersmith builds a matrix that spans a lattice, and this matrix consists, among other things, of the coefficients of our polynomial. After the matrix has the appropriate form we run the LLL algorithm on it to get an LLL-reduced basis. We use this basis to create a new polynomial that we can solve and that has the same small roots as the original polynomial. This can be used to attack RSA cryptosystems with a low exponent.
Definition 3.1.1
A vector space V is a subset of $\mathbb{R}^m$ with the property that

$\alpha_1 v_1 + \alpha_2 v_2 \in V$ for all $v_1, v_2 \in V$ and all $\alpha_1, \alpha_2 \in \mathbb{R}$.

Equivalently, a vector space is a subset of $\mathbb{R}^m$ that is closed under addition and under scalar multiplication by elements of $\mathbb{R}$.
Definition 3.1.2
Let $v_1, v_2, \ldots, v_k \in V$. A linear combination of $v_1, v_2, \ldots, v_k$ is any vector of the form

$w = \alpha_1 v_1 + \alpha_2 v_2 + \cdots + \alpha_k v_k$ with $\alpha_1, \ldots, \alpha_k \in \mathbb{R}$.

The collection of all such linear combinations,

$\{\alpha_1 v_1 + \cdots + \alpha_k v_k : \alpha_1, \ldots, \alpha_k \in \mathbb{R}\}$,

is called the span of $v_1, \ldots, v_k$.
Definition 3.1.3
Independence. A set of vectors $v_1, v_2, \ldots, v_k \in V$ is (linearly) independent if the only way to get

$\alpha_1 v_1 + \alpha_2 v_2 + \cdots + \alpha_k v_k = 0$ with $\alpha_1, \ldots, \alpha_k \in \mathbb{R}$

is to have $\alpha_1 = \alpha_2 = \cdots = \alpha_k = 0$.
Definition 3.1.4
A basis for V is a set of linearly independent vectors $v_1, \ldots, v_n$ that span V. This is equivalent to saying that every vector $w \in V$ can be written in the form

$w = \alpha_1 v_1 + \alpha_2 v_2 + \cdots + \alpha_n v_n$

for a unique choice of $\alpha_1, \ldots, \alpha_n \in \mathbb{R}$.

Definition 3.1.6
A base (singular) is one of the elements $v_i$ contained in the basis.

Definition 3.1.7
Let n and m be positive integers. A subset L of the m-dimensional real vector space $\mathbb{R}^m$ is called a lattice if there exists a finite set of vectors $\{b_i\} \subseteq \mathbb{R}^m$ such that

$$L = \sum_{i=1}^{n} \mathbb{Z} b_i = \Big\{ \sum_{i=1}^{n} r_i b_i : r_i \in \mathbb{Z}\ (1 \le i \le n) \Big\}.$$

We say that such a set $b_1, \ldots, b_n$ is a basis if it spans L and is $\mathbb{Z}$-linearly independent. We call n the rank of L and m the dimension. The lattice is a full-rank lattice if n = m. Given an $n \times m$ matrix B, we can define

$$L = L(B) = \{ xB \mid x \in \mathbb{Z}^n \}.$$
3.3 LLL- lattice reduction algorithm

The Lenstra-Lenstra-Lovász lattice basis reduction algorithm is a step-by-step procedure that finds a reduced basis of a lattice in polynomial time. The lattice is left unchanged, but the row vectors of its new basis become smaller according to the following definition:
Definition 3.2.1
Let L be a lattice with a basis B. The LLL algorithm, applied to B, finds a basis $b_1, \ldots, b_n$ of L whose Gram-Schmidt vectors $b_i^*$ and coefficients $\mu_{ij}$ satisfy

1. $|\mu_{ij}| \le \frac{1}{2}$ for $1 \le j < i \le n$.

2. $\|b_i^* + \mu_{i,i-1} b_{i-1}^*\|^2 \ge \frac{3}{4} \|b_{i-1}^*\|^2$ for $1 < i \le n$.

where $\|\cdot\|$ denotes the ordinary Euclidean length.

We will not dig into the internals of LLL here; see Chris Peikert's course for a detailed explanation of the algorithm [2].
3.4 Coppersmith’s Method

In 1996, Coppersmith was the first researcher to use the LLL algorithm to attack RSA, by introducing a method to find the small roots of univariate and multivariate modular polynomial equations [3]. Suppose we assign the variables x, y, z to the unknown values d, k, p + q − 1 respectively; since the public key/secret key pair satisfies $ed = 1 + k\varphi(N)$, we obtain a polynomial

$f(x, y, z) = ex - y(N - z) - 1$

with the root $(x_0, y_0, z_0) = (d, k, p + q - 1)$ over the integers.

Finding this root is equivalent to the factorization of N, but the equation $f(x, y, z) = 0$ is not a modular polynomial equation but rather an equation over the integers. To get around this problem, we simply choose one of the parameters N or e as the modulus, and we obtain the following modular polynomial equations, respectively:

$f_N(x, yz) = ex + yz - 1$ and $f_e(y, z) = y(N - z) + 1$

such that the polynomial $f_N$ has the root $(d, k(p+q-1))$ modulo N and the polynomial $f_e$ has the root $(k, p+q-1)$ modulo e. We observe that the parameter k is bounded by

$k = \frac{ed - 1}{\varphi(N)} < \frac{e\,d}{\varphi(N)} < d.$

Hence, if we choose d to be a small secret value, then k is automatically small, and small values of d speed up the RSA decryption/signature process. Then, the new formulation of Coppersmith's method solves modular polynomial equations when the factorization of the modulus N is unknown.
First notice that the problem of decrypting an RSA-encrypted message $c \equiv m^e \pmod N$ is the problem of finding the unique positive root $x_0 = m < N$ of the polynomial

$f_N(x) = x^e - c \pmod N.$

We could find the roots of $f_N(x)$ modulo p and modulo q, if we knew the factors p and q, and combine them using the Chinese Remainder Theorem. However, the attack that recovers the value of m in polynomial time whenever $m < N^{1/e}$ yields a simple idea for solving modular univariate polynomial equations: reduce the root-finding problem for modular equations to the case of root finding in equations over the integers. Thus, Coppersmith's method is a method to find small integer roots of polynomial equations. If we know the factorization of the modulus, it is easy for us to find the solutions of the modular equations. Otherwise, it can be difficult.

Theorem 3.4.1 (A. May, 2003)

Let N be an integer of unknown factorization, which has a divisor $b \ge N^{\beta}$. Furthermore, let $f_b(x)$ be a univariate, monic polynomial of degree δ. Then we can find all solutions $x_0$ of the equation $f_b(x_0) \equiv 0 \pmod b$ with

$|x_0| \le \frac{1}{2} N^{\beta^2/\delta - \varepsilon}$

in time polynomial in $(\log N, \delta, 1/\varepsilon)$.

Proof: (See [4,5]).
Next, the following theorem is a direct implication of Theorem 3.4.1, as we can easily remove the terms $\frac{1}{2}$ and ε from the upper bound on $x_0$ by a simple brute-force search.

Theorem 3.4.2 (A. May, 2003)

Let N be an integer of unknown factorization, which has a divisor $b \ge N^{\beta}$. Let $f_b(x)$ be a univariate, monic polynomial of degree δ. Furthermore, let $c_N$ be a function that is upper-bounded by a polynomial in $\log N$. Then we can find all solutions $x_0$ of the equation $f_b(x_0) \equiv 0 \pmod b$ with

$|x_0| \le c_N N^{\beta^2/\delta}$

in time polynomial in $(\log N, \delta)$.

Proof:
An application of Theorem 3.4.1 with the parameter choice $\varepsilon = \frac{1}{\log N}$ shows that we can find all roots $x_0$ with

$|x_0| \le \frac{1}{4} N^{\beta^2/\delta}$

in time polynomial in $\log N$ and δ.

In order to find all roots that are of size at most $c_N N^{\beta^2/\delta}$ in absolute value, we divide the interval $[-c_N N^{\beta^2/\delta},\ c_N N^{\beta^2/\delta}]$ into $4c_N$ subintervals of size $\frac{1}{2} N^{\beta^2/\delta}$ centered at some $x_i$. For each subinterval with center $x_i$, we apply the algorithm of Theorem 3.4.1 to the polynomial $f_b(x - x_i)$ and output the roots in this subinterval. □
For completeness, and since it is one of the most interesting cases of Coppersmith's method, we explicitly state the special case b = N and $c_N = 1$, which is given in the work of Coppersmith [4,5].

Theorem 3.3 (A. May, 2003)

Let N be an integer of unknown factorization. Furthermore, let $f_N(x)$ be a univariate, monic polynomial of degree δ. Then we can find all solutions $x_0$ of the equation $f_N(x_0) \equiv 0 \pmod N$ with

$|x_0| \le N^{1/\delta}$

in time polynomial in $(\log N, \delta)$.

Proof: (See [4,5])

3.5 Coppersmith's Univariate Method

We will go through Coppersmith's method for solving univariate polynomials modulo a composite integer. We want to find small integer roots $x_0$ of a monic integer polynomial of degree δ in one variable:

$p(x) = x^{\delta} + p_{\delta-1} x^{\delta-1} + \cdots + p_2 x^2 + p_1 x + p_0 \equiv 0 \pmod N,$

where $|x_0| < X$. We get the modular equation

$p(x_0) \equiv 0 \pmod N,$

where N is a large composite integer of unknown factorization.
For finding a small root $x_0$, given a monic univariate modular polynomial equation

$p(x) = x^{\delta} + p_{\delta-1} x^{\delta-1} + \cdots + p_2 x^2 + p_1 x + p_0 \equiv 0 \pmod N,$

we make the following observations.

Observation 1
Based on the size of the desired root $x_0$, establish a suitable upper bound X and then build a $(\delta+2) \times (\delta+2)$ matrix M such that

$$M = \begin{pmatrix} 1 & 0 & 0 & \cdots & 0 & p_0 \\ 0 & X & 0 & \cdots & 0 & p_1 \\ 0 & 0 & X^2 & \cdots & 0 & p_2 \\ \vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & 0 & \cdots & X^{\delta} & p_{\delta} \\ 0 & 0 & 0 & \cdots & 0 & N \end{pmatrix}$$

Calculating det(M) from the upper triangular form of M,

$\det(M) = (1)(X)(X^2) \cdots (X^{\delta}) N = N X^{\delta(\delta+1)/2}.$

If we set $\det(M) > \alpha > 0$, then

$N X^{\delta(\delta+1)/2} > \alpha$

$X^{\delta(\delta+1)/2} > \alpha N^{-1}$

$X > (\alpha N^{-1})^{2/(\delta(\delta+1))}$

This shows that if we directly use positive integer powers in the matrix M instead of rational numbers, we cannot pin down our $x_0$, as this only gives a lower bound $X > 0$. Since X is not bounded above by some value, we could take X up to an arbitrarily large number, and computing with it would be meaningless and time consuming.
Observation 2
We improve our matrix M by taking the diagonal elements to be $1, X^{-1}, X^{-2}, \ldots, X^{-\delta}, N$. Establish a suitable upper bound X on the size of the desired root $x_0$, and then build the $(\delta+2) \times (\delta+2)$ matrix

$$M = \begin{pmatrix} 1 & 0 & 0 & \cdots & 0 & p_0 \\ 0 & X^{-1} & 0 & \cdots & 0 & p_1 \\ 0 & 0 & X^{-2} & \cdots & 0 & p_2 \\ \vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & 0 & \cdots & X^{-\delta} & p_{\delta} \\ 0 & 0 & 0 & \cdots & 0 & N \end{pmatrix}$$

Calculating det(M) from the upper triangular form of M,

$\det(M) = (1)(X^{-1})(X^{-2}) \cdots (X^{-\delta}) N = N X^{-\delta(\delta+1)/2},$

and assuming $\det(M) > \alpha > 0$, we have the following:

$N X^{-\delta(\delta+1)/2} > \alpha$

$X^{-\delta(\delta+1)/2} > \alpha N^{-1}$

$X < (\alpha^{-1} N)^{2/(\delta(\delta+1))}$

$\phantom{X} < N^{1/\delta}$

Now we can see that X is bounded by the value $N^{1/\delta}$.
Discussion:

1) Suppose $p(x_0) = y_0 N$ for unknown integers $x_0$ and $y_0$ with $|x_0| < X$.

2) Consider the row vector r consisting of powers of $x_0$ and $y_0$:

$r = (1, x_0, x_0^2, \ldots, x_0^{\delta}, -y_0).$

3) Consider the row vector

$rM = \Big(1, \frac{x_0}{X}, \big(\frac{x_0}{X}\big)^2, \ldots, \big(\frac{x_0}{X}\big)^{\delta},\ p_0 + p_1 x_0 + p_2 x_0^2 + \cdots + p_{\delta} x_0^{\delta} - y_0 N\Big)$

$\phantom{rM} = \Big(1, \frac{x_0}{X}, \big(\frac{x_0}{X}\big)^2, \ldots, \big(\frac{x_0}{X}\big)^{\delta}, 0\Big)$

$\phantom{rM} = s,$

where the vector s is an element of the lattice spanned by the rows of M.

By using lattice basis reduction techniques, we might find that s is among the shorter vectors of this lattice, such that

$|s| < |\det(M)|^{1/(\delta+2)}.$

Remark:
One problem with this heuristic approach is that, although the entries $r_i$ of the vector r are supposed to represent powers of $x_0$, there is no way (within the lattice structure) to enforce that relationship, for example to enforce the requirement $r_{i+1}/r_i = r_{j+1}/r_j$. A second, related problem is that we have many unknowns $r_i$ and only one relation $p(x_0) = y_0 N$. Each unknown $r_i$ contributes a factor $X^{-i}$ to det(M), and the lone relation $p(x_0) = y_0 N$ contributes a factor N. The resulting imbalance, and the requirement det(M) > 1, lead to the stringent requirement $X^{\delta(\delta+1)/2} < N$ [3, page 238].
Observation 3

For finding $x_0$, it is sufficient to find a polynomial G(x) with the same root $x_0$ modulo N but with sufficiently small coefficients. Coppersmith's method considers the d + 1 polynomials $G_i(x) = N x^i$ for $0 \le i < d$ and $F(x)$. They all have the solution $x = x_0$ modulo N.
Define the lattice L with the basis corresponding to these polynomials. Therefore, the basis matrix for the lattice L is

$$M = \begin{pmatrix} N & 0 & \cdots & 0 & 0 \\ 0 & NX & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & N X^{d-1} & 0 \\ a_0 & a_1 X & \cdots & a_{d-1} X^{d-1} & X^d \end{pmatrix}$$

Every element of this lattice is a row vector that can be represented as a polynomial F(x) such that $F(x_0) \equiv 0 \pmod N$.

Calculating det(M) from the triangular form of M,

$\det(M) = (N)(NX) \cdots (N X^{d-1})(X^d) = N^d X^{d(d+1)/2}.$
Theorem 3.5.1
Let the notation be as above and let G(x) be the polynomial corresponding to the first vector b_1 in the LLL-reduced basis for L. Set c_1(d) = 2^{-1/2}(d+1)^{-1/d}. If

X < c_1(d) N^{2/(d(d+1))} < N^{1/d}

then any root x_0 of F(x) modulo N such that |x_0| \le X satisfies G(x_0) = 0 in \mathbb{Z}.

Proof:
Recall that b_1 satisfies, with n = d + 1 the dimension of L,

\|b_1\| \le 2^{(n-1)/4} \det(M)^{1/n} = 2^{d/4} N^{d/(d+1)} X^{d/2}.

For b_1 to satisfy the condition of Howgrave-Graham's theorem it is sufficient that

2^{d/4} N^{d/(d+1)} X^{d/2} < N/\sqrt{d+1}.

This can be written as

\sqrt{d+1}\, 2^{d/4} X^{d/2} < N^{1/(d+1)},

and raising both sides to the power 2/d gives (d+1)^{1/d} 2^{1/2} X < N^{2/(d(d+1))}, which is the condition in the statement of Theorem 3.5.1. □

Thus the bound

X < c_1(d) N^{2/(d(d+1))} < N^{1/d}

of the theorem is essentially the bound X^{d(d+1)/2} < N of Observation 2, but the matrix M now has integer entries, so the LLL algorithm can be run on it directly, with X bounded by N^{1/d}.

Observation 4
The method of the previous observation finds small roots of modular polynomials, but it can be improved further.
Looking at the proof of Theorem 3.5.1, we see that the requirement for success is essentially N^d X^{d(d+1)/2} = \det(M) < N^{d+1} (more precisely, 2^{d/4} N^{d/(d+1)} X^{d/2} < N/\sqrt{d+1}).
There are two strategies to extend the utility of the method (i.e., to allow bigger values of X). The first is to increase the dimension n by adding rows to L that contribute less than N to the determinant. The second is to increase the power of N on the right-hand side. One can increase the dimension without increasing the power of N by using the so-called x-shift polynomials xF(x), x^2F(x), \dots, x^kF(x).
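
As an added illustration (not part of the original text), the determinant and the resulting bound for the x-shift lattice can be worked out with the same symbols. Take the d rows N x^i (0 \le i < d) together with the k + 1 rows x^j F(x) (0 \le j \le k), each coefficient of x^i scaled by X^i. The matrix is lower triangular of dimension n = d + k + 1 with diagonal N, NX, \dots, NX^{d-1}, X^d, X^{d+1}, \dots, X^{d+k}, so

\det(M) = N^d X^{0 + 1 + \dots + (n-1)} = N^d X^{n(n-1)/2}.

Howgrave-Graham's condition on b_1 becomes

2^{(n-1)/4} \det(M)^{1/n} < \frac{N}{\sqrt{n}}
\iff X^{(n-1)/2} < 2^{-(n-1)/4} n^{-1/2} N^{1 - d/n}
\iff X < 2^{-1/2} n^{-1/(n-1)} N^{2(k+1)/(n(n-1))}.

For k = 0 this is exactly X < c_1(d) N^{2/(d(d+1))} of Theorem 3.5.1. For d = 3 the exponent of N is 1/6 for k = 0, 1/5 for k = 1 and k = 2, and 4/21 for k = 3: the x-shifts alone give only a modest gain and cannot reach the exponent 1/d of Coppersmith's theorem, which additionally uses rows built from the powers F(x)^j, which vanish at x_0 modulo N^j (see [3]).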

Theorem 3.5.2 (Coppersmith)

Let 0 < \epsilon < \min\{0.18, 1/d\}. Let F(x) be a monic polynomial of degree d with one or more small roots x_0 modulo N such that |x_0| < \frac{1}{2} N^{1/d - \epsilon}. Then x_0 can be found in time bounded by a polynomial in d, 1/\epsilon and \log N.

Proof: See [3].

So the bound on the unknown root of a monic polynomial p(x) = x^d + p_{d-1}x^{d-1} + \dots + p_2x^2 + p_1x + p_0 \equiv 0 \pmod N has been increased from N^{2/(d^2+d)} to (essentially) N^{1/d}. This gives the cryptanalyst more room to manoeuvre.

CHAPTER 4
RESULTS AND DISCUSSION

4.1 Strategies

We now look in detail at Coppersmith's method and show how it can be used to attack RSA encryption with a low public exponent e.
Suppose that m = M + x for some known part M of the message and some unknown part x with |x| \le N^{1/e}. Can we still recover m? This situation occurs in the case of so-called stereotyped messages: we already know a part M of the message which is always the same, for example M can be "Your pin number is ****". Let the plaintext m consist of two pieces, M and x. The first piece M is known and is the fixed part of the message. The second piece x is the secret PIN and is unknown, with |x| \le N^{1/e}. The ciphertext c is then given by

c = m^e = (M + x)^e \pmod N.

We write this as a polynomial in the unknown x, assuming that M, c and N are known.

4.2 Reconstructing Message with Partial Disclosure

If M, c and N are known, we immediately obtain the following result.

Theorem 4.2.1:
Let (N, e) be an RSA public key. Furthermore, let c := (M + x_0)^e \bmod N be an RSA-encrypted message with known M and unknown x_0, where

|x_0| \le N^{1/e}.

Then we can find x_0 in time polynomial in \log N and e.

Proof:
Define

f_N(x) := (M + x)^e - c,

which is a univariate monic polynomial of degree e with the small root x_0, |x_0| \le N^{1/e}, modulo N. The claim follows by applying Coppersmith's theorem to f_N. (Strictly, Coppersmith's theorem requires |x_0| < \frac{1}{2} N^{1/e - \epsilon}; the bound N^{1/e} is its asymptotic form.) □

For simplicity of the discussion we consider the first case, which is of the form

m = M + x,

c \equiv m^e \pmod N.

Based on Theorem 4.2.1, we want to find x_0 such that

f(x_0) = (M + x_0)^e - c \equiv 0 \pmod N.   (4.1)

If we can solve (4.1) for x_0, then we have recovered the secret part x of the message and hence the plaintext m = M + x; for e = 3 this is a modular cubic equation. The idea of the theorem is to find small solutions of the modular polynomial equation. Hence, if we know M (the fixed part of the message), c and N, we can apply the preceding results to the polynomial f.

4.3 Numerical Example for Stereotyped Messages

We present a small example to show how to use Coppersmith's LLL-reduction technique to find the solution x of the modular polynomial equation. If we know M (the fixed part of the message), c and N, we apply the preceding results to the polynomial

f(x) \equiv (M + x)^3 - c \pmod N.

Thus, let

N = pq = 2837 \cdot 5923 = 16803551.

Suppose a bank wishes to send the following message to Bob:

Your pin number is ****

where **** denotes a four-digit number. The message is of the form

m = M + x

where M = 2830 and 0 \le x \le 10000.

To stop anyone except Bob (i.e. Eve) from reading the message and learning the PIN, the bank actually sends the following ciphertext to Bob:

c \equiv (M + x)^3 \equiv 22833790253 \equiv 14567995 \pmod{16803551}.

So, if Eve the cryptanalyst intercepts c, she can perform the following steps to find x.

STEP 1: Form the polynomial f(x):

f(x) \equiv (M + x)^3 - c
     \equiv M^3 + 3M^2 x + 3M x^2 + x^3 - c
     \equiv x^3 + 3M x^2 + 3M^2 x + (M^3 - c)
     \equiv x^3 + a_2 x^2 + a_1 x + a_0 \pmod N,

where

a_2 = 3M = 8490,   (4.2)

a_1 = 3M^2 = 24026700,   (4.3)

a_0 = M^3 - c = 22650619005,   (4.4)

so that

f(x) \equiv x^3 + 8490x^2 + 24026700x + 22650619005 \pmod N.

STEP 2: Let X = 10 and form the lattice with basis matrix

A = \begin{pmatrix}
N & 0 & 0 & 0 \\
0 & NX & 0 & 0 \\
0 & 0 & NX^2 & 0 \\
a_0 & a_1 X & a_2 X^2 & X^3
\end{pmatrix}.

(X must bound the unknown: X = 10 only covers a PIN below 10. For a genuine four-digit PIN one would take X = 10^4, which the toy modulus used here is far too small to allow under the bound of Theorem 3.5.1.)

STEP 3: Then use the lattice reduction algorithm LLL to generate a new basis, the first row of which is

(-571291, 3441340, -2362900, -1982000).

STEP 4: The i-th entry of this row is g_i X^i, so the polynomial corresponding to this vector is

G(x) = -571291 + 344134x - 23629x^2 - 1982x^3.

Running Newton's root-finding method on G(x) gives the solution x_0 = 7 (the other two real roots, near 1.97 and -20.9, are not integers). As the only integer solution of G(x) = 0 with |x| \le X is x = 7, Eve concludes that Bob's PIN is 7. The answer should always be confirmed independently: G(7) = -571291 + 2408938 - 1157821 - 679826 = 0 in \mathbb{Z}, and (2830 + 7)^3 = 22833790253 \equiv c \pmod N.

4.4 Numerical Example for Fixed Padding Message

Let N = 8873554201508804632335361 (a 103-bit integer) and suppose Bob is sending 10-bit keys K to Alice using the padding scheme m = 2^{100} - 2^{10} + K. Suppose we have intercepted the ciphertext c = 8090574557775662005354455491076 and wish to find K.
(As printed, N has 25 digits while c has 31, so c > N and the value of N has evidently lost digits in transcription; the numbers below therefore cannot be re-checked directly. The procedure is exactly that of Section 4.3 with M = 2^{100} - 2^{10}.)

STEP 1: Let X = 2^{10}. We write

F(x) = (x + 2^{100} - 2^{10})^3 - c = x^3 + a_2 x^2 + a_1 x + a_0.

STEP 2: Define

A = \begin{pmatrix}
N & 0 & 0 & 0 \\
0 & NX & 0 & 0 \\
0 & 0 & NX^2 & 0 \\
a_0 & a_1 X & a_2 X^2 & X^3
\end{pmatrix}.

STEP 3: Performing lattice reduction and taking the first row vector gives the polynomial with factorisation

(x - 987)(920735567540915376297 + 726745175435904508x + 277605904865853x^2).

One can verify that the message is K = 987, the integer root of this polynomial.
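The procedure of Sections 4.3 and 4.4 is carried out below by an added Python script; it is an illustration written for this page, not code from the thesis. It forms f(x) = (M + x)^e - c mod N, builds the lattice of Observation 3 (with the x-shift rows of Observation 4 as an option), LLL-reduces it in exact rational arithmetic, undoes the X^i column scaling, finds the integer roots of each reduced polynomial by Newton's method followed by an exact integer check, and confirms a candidate x_0 by re-encrypting it. All function names are the example's own. It runs on the Section 4.3 parameters N = 16803551, e = 3, M = 2830 and the ciphertext 22833790253 (which is 14567995 mod N); the fixed-padding message of Section 4.4 is the same call with M = 2^100 - 2^10 and X = 2^10 once a modulus N larger than m is used.

```python
# Added example, not code from the thesis: Coppersmith's stereotyped-message
# attack on low-exponent RSA in pure Python (textbook LLL in exact arithmetic).
from fractions import Fraction
from math import comb, isfinite

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(b):
    """Gram-Schmidt vectors b* and coefficients mu of the rows of b."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(b[i])
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def lll_reduce(basis, delta=Fraction(99, 100)):
    """LLL-reduce integer row vectors (Gram-Schmidt data recomputed after every change)."""
    b = [[Fraction(x) for x in row] for row in basis]
    n, k = len(b), 1
    bstar, mu = gram_schmidt(b)
    while k < n:
        for j in range(k - 1, -1, -1):                  # size-reduce b_k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lovasz = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if dot(bstar[k], bstar[k]) >= lovasz:
            k += 1
        else:                                           # swap and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]

def stereotyped_polynomial(N, e, M, c):
    """f(x) = (M + x)^e - c mod N, lowest degree first: monic with f(x0) = 0 (mod N)."""
    f = [comb(e, i) * pow(M, e - i, N) for i in range(e + 1)]
    f[0] -= c
    return [a % N for a in f]

def coppersmith_lattice(f, N, X, shifts=0):
    """Rows N x^i (i < d) and x^j f(x) (j <= shifts), coefficient of x^i scaled by
    X^i: the matrix M of Observation 3 plus the x-shift rows of Observation 4."""
    d, n = len(f) - 1, len(f) + shifts
    rows = [[N * X ** i if col == i else 0 for col in range(n)] for i in range(d)]
    for j in range(shifts + 1):
        row = [0] * n
        for i, a in enumerate(f):
            row[i + j] = a * X ** (i + j)
        rows.append(row)
    return rows

def howgrave_graham_ok(g, N, X):
    """||(g_i X^i)|| < N/sqrt(n): then a root of G mod N with |x0| <= X is a root over Z."""
    return sum((cf * X ** i) ** 2 for i, cf in enumerate(g)) * len(g) < N * N

def integer_roots(g, X):
    """Integer roots x, |x| <= X, of g: float Newton from a grid of starts, each limit checked exactly."""
    def ev(cs, x):
        return sum(cf * x ** i for i, cf in enumerate(cs))
    gf, dgf = [float(cf) for cf in g], [float(i * cf) for i, cf in enumerate(g)][1:]
    roots = set()
    for t in range(17):
        x = -X + X * t / 8
        try:
            for _ in range(200):
                step = ev(gf, x) / ev(dgf, x)
                x -= step
                if not isfinite(x) or abs(step) < 1e-9:
                    break
        except (OverflowError, ZeroDivisionError):      # x already a root, or blew up
            pass
        if isfinite(x):
            for cand in (round(x) - 1, round(x), round(x) + 1):
                if abs(cand) <= X and ev(g, cand) == 0:
                    roots.add(cand)
    return sorted(roots)

def stereotyped_attack(N, e, M, c, X, shifts=0):
    """Return (x0, G) with |x0| <= X and c = (M + x0)^e mod N, or (None, None)."""
    f = stereotyped_polynomial(N, e, M, c)
    for row in lll_reduce(coppersmith_lattice(f, N, X, shifts)):
        g = [v // X ** i for i, v in enumerate(row)]   # undo the X^i column scaling
        for x0 in integer_roots(g, X):
            if pow(M + x0, e, N) == c % N:              # confirm by re-encryption
                return x0, g
    return None, None

if __name__ == "__main__":
    N, e, M, c = 16803551, 3, 2830, 22833790253   # Section 4.3; c = 14567995 mod N
    for X in (10, 7):                              # thesis value, then the proven bound
        x0, g = stereotyped_attack(N, e, M, c, X)
        print(f"X={X}: x0={x0}, G={g}, Howgrave-Graham bound met={howgrave_graham_ok(g, N, X)}")
```

With X = 10 (the thesis's choice) the script recovers x_0 = 7, and it also does so with X = 7, which is the largest X allowed by Theorem 3.5.1 here since c_1(3) N^{1/6} is about 0.445 times 16.0, roughly 7.1. For X = 10 the vector (571291, -3441340, 2362900, 1982000), i.e. G(x) = 1982x^3 + 23629x^2 - 344134x + 571291 with G(7) = 0, lies in the lattice with norm about 4.7 million, below N/2, so by Howgrave-Graham the first LLL vector also vanishes at 7 over the integers. Two practical points: a genuine four-digit PIN needs X = 10^4, for which the basic lattice needs roughly N > (X/c_1(3))^6, about 10^26, and the re-encryption check at the end is what protects against a spurious root from a reduced vector that is not short enough. For moduli of real size the floating-point Newton step should be replaced by exact integer root isolation, since a double has only about 16 significant digits.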

CONCLUSIONS

We have shown the application of lattice basis reduction algorithms to finding solutions of univariate modular polynomial equations p(x) \equiv 0 \pmod N. We used the coefficients of p(x) to build a lattice containing a short vector determined by the unknown x_0. By applying the LLL algorithm, small roots of modular polynomial equations can be found. We then showed two applications to RSA, namely the stereotyped message and the fixed padding message.

We believe that other applications will arise and we hope that, along with the simple examples presented, they motivate the reader to explore further the existing attacks on RSA and to think about how they can be improved. One topic that deserves more study is the variants of RSA. They present exciting new possibilities, but their security has not yet been analysed as thoroughly.

REFERENCES

1. R. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM 21(2), pp. 120-126, 1978.

2. C. Peikert, Lattices in Cryptography, Georgia Tech, Fall 2013, Lectures 2 and 3.

3. D. Coppersmith, "Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities", Journal of Cryptology 10(4), pp. 223-260, 1997.

4. A. May, New RSA Vulnerabilities Using Lattice Reduction Methods, PhD thesis, University of Paderborn, 2003.

5. D. Coppersmith, "Finding a Small Root of a Univariate Modular Equation", Advances in Cryptology - Eurocrypt '96, Lecture Notes in Computer Science Vol. 1070, Springer-Verlag, pp. 155-165, 1996.

6. R. Cramer, V. Shoup, "A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack", Advances in Cryptology - Crypto '98, Lecture Notes in Computer Science Vol. 1462, Springer-Verlag, pp. 13-25, 1998.

7. W. Diffie, M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory 22(6), pp. 644-654, 1976.

8. J. Hoffstein, J. Pipher, J. H. Silverman, An Introduction to Mathematical Cryptography, Springer, pp. 63-67, 2008.

APPENDIX A

Example 1

Example 2

Example 3
