Coppersmith's lattices and "focus groups": an attack on small-exponent RSA

TL;DR

This paper introduces a new technique inspired by machine learning to optimize Coppersmith's lattice method, making small-exponent RSA attacks faster and more effective by reducing lattice size and improving success rates.

Contribution

The authors develop a pattern extrapolation approach to reduce lattice dimensions in Coppersmith's attack, enhancing efficiency and success in small-exponent RSA cryptanalysis.

Findings

Reduced lattice sizes lead to faster attack computations.

The new method improves success rates in recovering RSA keys.

Certain lattice reduction algorithms are better suited for Coppersmith's method.

Abstract

We present a principled technique for reducing the lattice and matrix size in some applications of Coppersmith's lattice method for finding roots of modular polynomial equations. Motivated by ideas from machine learning, it relies on extrapolating patterns from the actual behavior of Coppersmith's attack for smaller parameter sizes, which can be thought of as "focus group" testing. When applied to the small-exponent RSA problem, our technique reduces lattice dimensions and consequently running times, and hence can be applied to a wider range of exponents. Moreover, in many difficult examples our attack is not only faster but also more successful in recovering the RSA secret key. We include a discussion of subtleties concerning whether or not existing metrics (such as enabling condition bounds) are decisive in predicting the true efficacy of attacks based on Coppersmith's method. Finally, indications are given which suggest certain lattice basis reduction algorithms (such as Nguyen-Stehl\'e's L2) may be particularly well-suited for Coppersmith's method.