Cryptographic applications of capacity theory: On the optimality of Coppersmith's method for univariate polynomials
Ted Chinburg, Brett Hemenway, Nadia Heninger, Zachary Scherr

TL;DR
This paper establishes the optimality of Coppersmith's method for univariate polynomials using capacity theory, proving no better auxiliary polynomials can find roots of size beyond a certain bound, independent of lattice algorithms.
Contribution
It introduces a novel connection between capacity theory and Coppersmith's method, proving the method's bounds are fundamentally optimal and ruling out superpolynomial improvements.
Findings
Coppersmith's bound is proven to be optimal for univariate polynomials.
No auxiliary polynomial of the used type can find roots larger than N^{1/d+ε}.
Results extend to binomial polynomial constructions, ruling out improvements unless N has small prime factors.
Abstract
We draw a new connection between Coppersmith's method for finding small solutions to polynomial congruences modulo integers and the capacity theory of adelic subsets of algebraic curves. Coppersmith's method uses lattice basis reduction to construct an auxiliary polynomial that vanishes at the desired solutions. Capacity theory provides a toolkit for proving when polynomials with certain boundedness properties do or do not exist. Using capacity theory, we prove that Coppersmith's bound for univariate polynomials is optimal in the sense that there are no auxiliary polynomials of the type he used that would allow finding roots of size for monic degree- polynomials modulo . Our results rule out the existence of polynomials of any degree and do not rely on lattice algorithms, thus eliminating the possibility of even superpolynomial-time improvements to…
