Results 1 - 10 of 20
The Two Faces of Lattices in Cryptology
, 2001
Cited by 54 (13 self)
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
Paillier's Cryptosystem Revisited
- IN ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY 2001
, 2001
Cited by 27 (4 self)
We re-examine Paillier's cryptosystem, and show that by choosing a particular discrete log base g, and by introducing an alternative decryption procedure, we can extend the scheme to allow an arbitrary exponent e instead of N. The use of low exponents substantially increases the efficiency of the scheme. The semantic security is now based on a new decisional assumption, namely the hardness of deciding whether an element is a "small" e-th residue modulo N². We also
Fast LLL-Type Lattice Reduction
- Information and Computation
, 2004
Cited by 17 (3 self)
We modify the concept of LLL-reduction of lattice bases in the sense of Lenstra, Lenstra, Lovász [LLL82] towards a faster reduction algorithm. We organize LLL-reduction in segments of the basis.
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
, 2004
Cited by 14 (1 self)
We address one of the most fundamental problems concerning the RSA cryptoscheme: Does the knowledge of the RSA public key/secret key pair (e, d) yield the factorization of N = pq in polynomial time? It is well-known that there is a probabilistic polynomial time algorithm that on input (N, e, d) outputs the factors p and q. We present the first deterministic polynomial time algorithm that factors N provided that e, d ≤ φ(N) and that the factors p, q are of the same bit-size. Our approach is an application of Coppersmith's technique for finding small roots of bivariate integer polynomials.
Finding Small Roots of Bivariate Integer Polynomial Equations Revisited
- PROC. ADVANCES IN CRYPTOLOGY- EUROCRYPT’04, LNCS 3027
, 2004
Cited by 11 (0 self)
At Eurocrypt ’96, Coppersmith proposed an algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction techniques. But the approach is difficult to understand. In this paper, we present a much simpler algorithm for solving the same problem. Our simplification is analogous to the simplification brought by Howgrave-Graham to Coppersmith’s algorithm for finding small roots of univariate modular polynomial equations. As an application, we illustrate the new algorithm with the problem of finding the factors of n = pq if we are given the high order (1/4) log₂ n bits of p.
Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey
, 2007
Cited by 10 (0 self)
25 years ago, Lenstra, Lenstra and Lovász presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature: they can either be interpreted as cryptanalytic results or as hardness/security results.
Lattice-based cryptography
- In Proc. of the 26th Annual International Cryptology Conference (CRYPTO
, 2006
Cited by 9 (2 self)
We describe some of the recent progress on lattice-based cryptography, starting from the seminal work of Ajtai, and ending with some recent constructions of very efficient cryptographic schemes.
Reducing lattice bases to find small-height values of univariate polynomials
- URL: http://cr.yp.to/papers.html#smallheight
, 2004
Cited by 8 (4 self)
This paper generalizes several previous results on finding divisors in residue classes (Lenstra, Konyagin, Pomerance, Coppersmith, Howgrave-Graham, Nagaraj), finding divisors in intervals (Rivest, Shamir, Coppersmith, Howgrave-Graham), finding modular roots (Hastad, Vallée, Girault, Toffin, Coppersmith, Howgrave-Graham), finding high-power divisors (Boneh, Durfee, Howgrave-Graham), and finding codeword errors beyond half distance (Sudan, Guruswami, Goldreich, Ron, Boneh) into a unified algorithm that, given f and g, finds all rational numbers r such that f(r) and g(r) both have small height.
Predicting Nonlinear Pseudorandom Number Generators
- MATH. COMPUTATION
, 2004
Cited by 8 (5 self)
Let p be a prime and let a and b be elements of the finite field F_p of p elements. The inversive congruential generator (ICG) is a sequence (u_n) of pseudorandom numbers defined by the relation u_{n+1} ≡ a·u_n^{-1} + b (mod p). We show that if sufficiently many of the most significant bits of several consecutive values u_n of the ICG are given, one can recover the initial value u_0 (even in the case where the coefficients a and b are not known). We also obtain similar results for the quadratic congruential generator (QCG), v_{n+1} ≡ f(v_n) (mod p), where f ∈ F_p[X]. This suggests that for cryptographic applications ICG and QCG should be used with great care. Our results are somewhat similar to those known for the linear congruential generator (LCG), x_{n+1} ≡ a·x_n + b (mod p), but they apply only to much longer bit strings. We also estimate limits of some heuristic approaches, which still remain much weaker than those known for LCG.
A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers
- PROCEEDINGS OF EUROCRYPT 2005, LNCS 3494
, 2005
Cited by 7 (1 self)
We present a new and flexible formulation of Coppersmith's method for finding small solutions of bivariate polynomials p(x, y) over the integers. Our approach allows us to maximize the bound on the solutions of p(x, y) in a purely combinatorial way. We give various construction rules for different shapes of p(x, y)'s Newton polygon. Our method has several applications. Most interestingly, we reduce the case of solving univariate polynomials f(x) modulo some composite number N of unknown factorization to the case of solving bivariate polynomials over the integers. Hence, our approach unifies both methods given by Coppersmith at Eurocrypt 1996.

