Ansh Goel

2023B4A30920G

Mid-Semester Report

 Cryptanalysis of RSA with Private key Less d < N^0.292

Ansh Goel
March 25, 2025

Abstract
This report replicates the paper “ Cryptanalysis of RSA with Private key Less d < N^0.292 ”
by Dan Boneh and Glenn Durfee. We carefully study the wiener attack and the shortcomings
of the attack followed by strategically implying the LLL algorithm.Section IV. Building on
Wiener’s small exponent attacks, the paper introduces a novel lattice based framework
exploiting Coppersmith’s theorem to extend the vulnerability threshold from N^0.25 to
N^0.292. This report elaborates on the mathematical motivation, detailed lattice construction,
determinant estimates, and the heuristic justification underpinning the small inverse problem
solution. Section IV. Building on Wiener’s small exponent attacks, the paper introduces a
novel lattice based framework exploiting Coppersmith’s theorem to extend the vulnerability
threshold from N^0.25 to N^0.292. This report elaborates on the mathematical motivation,
detailed lattice construction, determinant estimates, and the heuristic justification
underpinning the small inverse problem solution.
‑
‑
‑
‑
 Contents
1.Introduction

2. Motivation and Historical Context

3. Detailed Overview of the Boneh–Durfee Method

3.1 RSA Fundamentals and Vulnerabilities
3.2 Wiener’s Continued Fraction Attack Revisited
3.3 Bivariate Small Root Problem

4. Lattice Theory and Small Roots Techniques

4.1 Lattice Definitions and Key Properties
4.2 LLL Algorithm
4.3 Howgrave Graham’s Theorem and Its Role

5. Constructing and Analyzing the Attack Lattice

5.1 Shifted Polynomial Families
5.2 Basis Matrix Assembly and Parameter Choices
5.3 Determinant Calculation and Heuristic Bounds

6. Extracting the Private Key

6.1 LLL Reduction to Obtain Short Vectors
6.2 Polynomial Resultant Computation
6.3 Root Finding and Key Recovery

7. Next Steps and Experimental Plan

‑
‑
‑
‑
1.Introduction

RSA encryption is based on the dif culty of factoring a large composite number N = p·q.
While large values of the private exponent d ensure security, small values of d make the
system susceptible to cryptanalytic attacks. The Boneh–Durfee approach re nes prior work by
targeting private exponents of size d < N^0.292 using advanced algebraic methods.

2. Motivation and Historical Context

2.1 Wiener’s Breakthrough (1990) : Michael Wiener introduced a method to break

RSA when the private exponent d is less than N^0.25. His continued-fraction method
approximates the ratio e/N and identi es convergence that lead to the correct value of
d. While successful for very small exponents, it fails for larger values of d, leaving
room for more powerful methods.

2.2 Coppersmith’s Contributions: Don Coppersmith developed techniques to nd

small roots of polynomial equations modulo integers, particularly for univariate and
bivariate polynomials. These techniques enabled a leap in cryptanalysis methods,
especially when used with lattice basis reduction algorithms. Boneh and Durfee
applied Coppersmith’s method to generalise Wiener’s idea for larger exponents.

3. Detailed Overview of the Boneh–Durfee Method

3.1 RSA Setup and Attack Goal: Given N = pq and public key (N, e), the private key d
satisfies ed ≡ 1 mod ϕ(N). The aim is to find d when it is known to be small. The identity ed −
kϕ(N) = 1 holds for some integer k. Assuming ϕ(N) ≈ N, both d and k are approximately of
size N^δ for some δ < 0.292.

3.2 Reformulation as a Small Inverse Problem The relation ed − kϕ(N) = 1 is rearranged

into a polynomial congruence. f(x, y) = x(N + y) + 1 − ey ≡ 0 mod e, where x ≈ k and y = d −
N^δ. The goal is to find small integer roots (x₀, y₀) within bounds |x|, |y| ≤ N^δ.

3.3 Shifted Polynomial Construction To find small roots of f(x, y), one constructs a set of
polynomials by multiplying f with monomials x^i y^j. The result is a structured family of
polynomials vanishing at the root (x₀, y₀) modulo e, forming the basis for lattice construction.
fi
fi
fi
fi
4. Lattice Theory and Small Roots Techniques

4.1 Lattices and Determinants : A lattice in ℝⁿ is a discrete grid formed by all integer
combinations of a finite set of basis vectors. For cryptanalysis, lattices are constructed using
the coefficients of the shifted polynomials derived from the RSA relation.
The determinant of a lattice, denoted det(Λ), measures the volume of the fundamental
parallelepiped spanned by its basis vectors. This value is crucial in estimating the size of the
shortest vector that can be obtained through lattice reduction techniques like LLL. A smaller
determinant generally implies a tighter bound on how short the LLL-reduced vector can be.
In the RSA attack context, constructing a lattice with appropriately chosen basis
polynomials ensures that its short vectors (after LLL reduction) correspond to
polynomials that vanish at the unknown root (x₀, y₀), thus revealing useful
information about the private key.

4.2 The LLL Algorithm : The Lenstra–Lenstra–Lovász (LLL) algorithm is a polynomial-

time algorithm for lattice basis reduction. Given a basis, LLL outputs a new basis with short,
nearly orthogonal vectors. This is essential because the shortest vector in the lattice often
encodes the hidden small root of the modular polynomial equation derived from RSA.
In our case, for a lattice of dimension m, LLL provides a bound on the norm of the
shortest vector:

∥b1∥ ≤ 2(m−1)/4⋅(detΛ)1/m

This bound helps us compare whether the shortest vector from the lattice (representing
a candidate polynomial) is small enough to satisfy Howgrave-Graham’s theorem
conditions and hence yields correct roots.

4.3 Howgrave–Graham’s Theorem: This theorem provides suf cient conditions under
which a modular root of a polynomial is also an integer root. It states that if a bivariate
polynomial f(x, y) vanishes modulo e and its coef cients are suf ciently small (in a norm
sense), then its small root (x₀, y₀) is a genuine integer solution.

Boneh and Durfee apply this result to the lattice-based attack by constructing polynomials
whose norms fall within the required threshold. If the polynomial norm is below the modulus
divided by the product of bounds on x and y, the solution extracted from it is guaranteed to be
correct.
‑
fi
fi
fi
5. Constructing and Analyzing the Attack Lattice

5.1 Shifted Polynomial Families:To form a lattice suitable for small root nding,
the base polynomial f(x,y) is multiplied by monomials x^i y^j producing a family of
shifted polynomials. Each shifted polynomial still vanishes at the unknown root (x₀, y₀), but
has different coef cients.

These polynomials are also scaled by powers of e (e.g., e^{m - i} to ensure the lattice
consists of integer vectors. By choosing all monomials up to a certain total degree, the
attacker constructs a suf ciently rich lattice that embeds the root structure.

5.2 Basis Matrix Construction : To build a lattice suitable for LLL reduction, the
attacker constructs a basis matrix from the shifted polynomials. Each polynomial is expressed
in terms of its monomials—such as x^a y^b—and the corresponding coef cients become
entries in a matrix row. The set of all such rows forms the basis matrix.

The number of monomials included determines the number of columns in the matrix, while the
number of shifted polynomials determines the number of rows. For parameters m (number of
x-shifts) and t (maximum degree in y), the resulting lattice dimension is typically around (mt)
× (number of monomials), often symmetric for well-chosen parameters.

Each coef cient is scaled by an appropriate power of e to ensure the matrix entries are
integers. This scaling preserves the root structure while aligning the setup with the integer
lattice framework. The monomials are ordered consistently (e.g., by degree-lexicographic
order) so that each row aligns properly in the matrix.

The constructed basis matrix thus embeds the small root (x₀, y₀) structure in its short vectors.
If the lattice is well-constructed, LLL reduction will yield vectors corresponding to
polynomials that vanish at (x₀, y₀), enabling subsequent recovery of the RSA private key.

5.3 Determinant Estimation and Heuristics: Boneh and Durfee estimate the
determinant of the constructed lattice to understand how the LLL-reduced basis will behave.
The heuristic estimation is based on the observation that for most choices of m and t (the
lattice parameters), the determinant grows as: det(Λ) ≈ e^{(number of monomials)}.
However, since e is roughly of size N, the determinant can also be related to N, giving an
approximate expression such as: det(Λ) ≈ N^{(m²)/(2t)} · e^{−(m²)/(2t)}.

This determinant estimate plays a critical role when combined with the LLL bound, which
tells us the size of the shortest vector in the lattice. If the bound is smaller than a certain
threshold determined by Howgrave-Graham’s theorem, then one can expect to recover the true
integer root from the lattice.

Furthermore, the success of the method relies on a balance between the size of the lattice
(controlled by parameters m and t), the size of the root (controlled by δ), and the determinant.
Boneh and Durfee heuristically argue that if δ < 0.292, then the shortest vector produced by
the LLL algorithm will correspond to a polynomial that vanishes at the root, thus enabling key
recovery. The choice of parameters is critical to ensuring that this balance holds.
fi
fi
fi
fi
fi
 6 Extracting the Private Key
6.1 LLL Reduction to Obtain Short Vectors: Once the basis matrix has been
assembled using the shifted polynomial family, the next step is to apply the LLL (Lenstra–
Lenstra–Lovász) algorithm. The goal of this reduction step is to extract one or more short
vectors from the lattice. These vectors correspond to polynomials with small coef cients,
which are likely to vanish at the unknown root (x0 ,y0 ), where x0 =k and y0 = d−Nδ.

Purpose of LLL in the Attack

In this cryptanalytic context, the LLL algorithm serves a dual purpose:

• It transforms the high-dimensional lattice basis into one where the shortest vectors appear
rst.

• These short vectors correspond to polynomials that are "small" in norm and thus, by
Howgrave–Graham’s theorem, are likely to vanish at the small integer solution (x0 ,y0 ).

Output of LLL: Root-Vanishing Polynomials

After reduction, the attacker examines the rst few vectors of the reduced basis. Each
vector corresponds to a polynomial with integer coef cients and total degree bounded by the
chosen lattice parameters. These polynomials, say g1 (x,y),g2 (x,y),…, are constructed to
satisfy the condition:

gi (x0 ,y0 )=0

for all i, assuming the lattice was properly constructed and the root lies within the
bounded region.

The shortness of these vectors is what makes the root-extraction feasible. Thanks to
LLL’s guarantee:

∥b1 ∥≤2(n−1)/4⋅(detΛ)1/n
we can ensure that the resulting polynomials are small enough in norm to apply Howgrave–
Graham’s conditions.

6.2 Resultant Computation

After obtaining two or more reduced polynomials—typically denoted as g₁(x, y) and g₂(x, y)
—from the LLL-reduced lattice basis, the next step involves eliminating one of the variables
to simplify root recovery. This is achieved using the resultant, a powerful algebraic tool from
elimination theory.

What is a Resultant?

Given two bivariate polynomials g₁(x, y) and g₂(x, y), the resultant with respect to variable y,
denoted as Resᵧ(g₁, g₂), is a univariate polynomial in x. It is constructed such that:

Resᵧ(g₁, g₂)(x) = 0 if and only if the system g₁(x, y) = 0 and g₂(x, y) = 0 has a common
solution for some y.
fi
fi
fi
fi
 This allows one to eliminate y and reduce the bivariate root- nding problem to a univariate
one.

Application in Boneh–Durfee Attack

In the context of the Boneh–Durfee attack:

• The polynomials g₁ and g₂ are carefully chosen so that they vanish at (x₀, y₀), the hidden
small root corresponding to the private key.

• The resultant Resᵧ(g₁, g₂) becomes a univariate polynomial in x, and it vanishes at x₀ = k.

This univariate polynomial typically has small degree and can be solved ef ciently using
standard root- nding techniques over the integers.

Why It Works

The effectiveness of the resultant method in this attack relies on:

• The algebraic independence of the reduced polynomials g₁ and g₂: they must not be scalar
multiples or structurally redundant.

• The quality of the LLL-reduced basis: better reductions yield more independent and
useful short vectors.

• The fact that both polynomials vanish at the same unknown point (x₀, y₀), which
guarantees that their resultant vanishes at x₀.

Computational Steps

1. Represent both g₁(x, y) and g₂(x, y) as polynomials in y, with coef cients that are
polynomials in x.

2. Construct the Sylvester matrix from these polynomials.

3. Compute the determinant of this matrix to obtain the resultant Resᵧ(g₁, g₂).

4. Factor or numerically solve this resultant polynomial to recover x₀.

Once x₀ = k is found, the next step is to backtrack and nd the corresponding d, completing
the RSA key recovery.

6.3 Root Finding and Key Recovery

Once the resultant polynomial in one variable typically in x is obtained from the previous step,
the task of extracting the RSA private key reduces to solving a univariate polynomial equation
over the integers.

Univariate Root Finding

Standard integer root- nding algorithms are applied to the resultant polynomial Resᵧ(g₁, g₂)
(x). Since the resultant is designed to vanish at the true small root x₀ = k, one expects at least
one integer root to correspond to the actual value of k.
fi
fi
fi
fi
fi
fi
 Techniques for nding roots include:

• Factoring the polynomial using integer root- nding algorithms

• Applying Newton's method or other numerical techniques when appropriate

• Using symbolic computation tools to test small integer candidates ef ciently

In practice, the degree of the resultant polynomial is not very large (due to lattice dimension
limitations), which makes root- nding computationally feasible.

Back Substitution to Recover d

After obtaining the correct value of k = x₀, the RSA private exponent d is computed using the
known relationships between the public and private keys. Recall that: ed ≡ 1 (mod φ(N))
⇒ ed − kφ(N) = 1

Since e and k are known, one can solve for φ(N): φ(N) = (ed − 1)/k

With φ(N) approximated, one can then attempt to factor N by solving for p and q using the
identities: φ(N) = (p − 1)(q − 1) = N − (p + q) + 1

This results in a quadratic in terms of p (or q), which can be solved using the quadratic
formula.

7 Next Steps and Experimental Plan

To validate and explore the practical ef cacy of the Boneh–Durfee attack, the next phase of this study
will involve implementation and empirical testing. The goal is to test the real-world feasibility of
recovering RSA private keys for different values of d, speci cally when d < N^0.292.

Planned Experimental Steps:

1. Synthetic Key Generation: Generate RSA key pairs (N, e, d) with known parameters such
that d satis es the bound d < N^0.292. This allows precise control over the test environment.

2. Polynomial Construction and Lattice Setup: Construct the bivariate polynomial f(x, y) = 1
+ x(y·m + 1) − a, based on the structure discussed in Boneh–Durfee. Create shifted polynomial
families for various t and m values.

3. Basis Matrix and LLL Reduction: Implement the basis construction for the lattice using
symbolic algebra tools. Apply the LLL algorithm to reduce the basis and extract short vectors.

4. Polynomial Extraction and Resultant Calculation: Use short vectors from the LLL output
to form candidate polynomials. Compute resultants to reduce the system to a univariate
polynomial.

5. Root Finding and d Recovery: Solve the univariate polynomial, extract candidate values for
d, and verify correctness by comparing against the known d.

6. Performance Analysis: Evaluate success rates, time complexity, and robustness of the
method. Study the impact of lattice dimension, polynomial degree, and other parameters.

Tools and Environment:

fi
‑
fi
fi
fi
fi
fi
fi
 • Programming language: Python or SageMath for symbolic and numeric computations

• Libraries: SymPy, NTL, or fpylll for LLL and algebraic operations

• Hardware: Standard laptop with multi-core CPU for testing practical runtimes

Challenges and Risks:

• Parameter tuning for lattice basis that balances dimension and vector shortness

• Numerical instability in resultant calculation

• Heuristic nature of the attack implies non-guaranteed success in edge cases

Expected Outcome: The experiments will help validate the theoretical bounds proposed by
Boneh and Durfee. If successful, the study will demonstrate practical attacks on RSA when d
is below the 0.292N threshold, highlighting the importance of avoiding small private
exponents.

References
1. Boneh, D., & Durfee, G. (2000). Cryptanalysis of RSA with Private Key d Less Than
N^0.292. IEEE Transactions on Information Theory, 46(4), 1339–1349. https://doi.org/
10.1109/18.850663

2. Wiener, M. J. (1990). Cryptanalysis of Short RSA Secret Exponents. IEEE

Transactions on Information Theory, 36(3), 553–558. https://doi.org/10.1109/18.54902

3. Coppersmith, D. (1997). Small Solutions to Polynomial Equations, and Low Exponent

RSA Vulnerabilities. Journal of Cryptology, 10(4), 233–260.