Minkowski Sum Based Lattice Construction for Multivariate Simultaneous Coppersmith's Technique and Applications to RSA

We investigate a lattice construction method for the Coppersmith technique for finding small solutions of a modular equation. We consider its variant for simultaneous equations and propose a method to construct a lattice by combining lattices for solving single equations. As applications, we consider a new RSA cryptanalyses. Our algorithm can factor an RSA modulus from l ≥ 2 pairs of RSA public exponents with the common modulus corresponding to secret exponents smaller than N (9l−5)/(12l+4), which improves on the previously best known result by Sarkar and Maitra. For partial key exposure situation, we also can factor the modulus if β− δ/2+1/4 < (3l−1)(3l+1), where β and δ are bit-lengths / logN of the secret exponent and its exposed LSBs, respectively.