# Two variable polynomial congruences and capacity theory

@inproceedings{Chinburg2021TwoVP, title={Two variable polynomial congruences and capacity theory}, author={Ted Chinburg and Brett Hemenway Falk and Nadia Heninger and Zachary Scherr}, year={2021} }

Coppersmith’s method [8] uses lattice basis reduction to find small solutions of polynomial congruences. This method and its variants have been used to solve a number of problems across cryptography, including attacks against low public exponent RSA [8], demonstrating the insecurity of small private exponent RSA [2], factoring with partial knowledge [8], and the approximate integer common divisor problem [11, 15, 7]. This paper is the second in a series relating Coppersmith’s method to adelic…

## References

SHOWING 1-10 OF 15 REFERENCES

### Cryptographic Applications of Capacity Theory: On the Optimality of Coppersmith's Method for Univariate Polynomials

- Mathematics, Computer ScienceASIACRYPT
- 2016

Using capacity theory, it is proved that Coppersmith's bound for univariate polynomials is optimal in the sense that there are no auxiliary polynomial of the type he used that would allow finding roots of size of size N^{1/d+\epsilon}$ for monic degree-$d polynmials modulo $N$.

### Approximate Integer Common Divisors

- Computer Science, MathematicsCaLC
- 2001

As an application of the partial approximate common divisor algorithm, it is shown that a cryptosystem proposed by Okamoto actually leaks the private information directly from the public information in polynomial time.

### Approximate common divisors via lattices

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2011

This work analyzes the multivariate generalization of Howgrave-Graham's algorithm for the approximate common divisor problem and develops a corresponding lattice-based list decoding algorithm for Parvaresh-Vardy and Guruswami-Rudra codes, which are multivariate extensions of Reed-Solomon codes.

### Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities

- Mathematics, Computer ScienceJournal of Cryptology
- 1997

It is shown how to find sufficiently small integer solutions to a polynomial in a single variable modulo N, and to a Poole's inequality in two variables over the integers.

### Finding Small Roots of Univariate Modular Equations Revisited

- Computer Science, MathematicsIMACC
- 1997

An alternative technique for finding small roots of univariate modular equations is described and it is compared with that taken in (Coppersmith, 1996), which links the concept of the dual lattice to the LLL algorithm.

### On Bounded Distance Decoding with Predicate: Breaking the "Lattice Barrier" for the Hidden Number Problem

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

This work formalizes lattice problems augmented with a predicate distinguishing a target vector and gives algorithms for solving instances of these problems and demonstrates that their algorithms succeed in recovering the signing key for instances that were previously believed to be unsolvable using lattice approaches.

### On Ideal Lattices and Learning with Errors over Rings

- Computer Science, MathematicsJACM
- 2013

The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones, by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees.

### Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

- Computer Science, MathematicsCRYPTO
- 1996

We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself.…

### Cryptanalysis of RSA with private key d less than N0.292

- Computer Science, MathematicsIEEE Trans. Inf. Theory
- 1999

We show that if the private exponent d used in the RSA (Rivest-Shamir-Adleman (1978)) public-key cryptosystem is less than N/sup 0.292/ then the system is insecure. This is the first improvement over…

### Fully Homomorphic Encryption over the Integers

- Mathematics, Computer ScienceEUROCRYPT
- 2010

A fully homomorphic encryption scheme, using only elementary modular arithmetic, that reduces the security of the scheme to finding an approximate integer gcd, and investigates the hardness of this task, building on earlier work of Howgrave-Graham.