An Improved Coppersmith Algorithm Based on Block Preprocessing

Abstract

Since Coppersmith proposed the use of the LLL algorithm to solve univariate modular polynomial equations at EUROCRYPT’96, it has sparked a fervent research interest in lattice analysis among cryptographers. Despite its polynomial-time nature, the LLL algorithm exhibits a high-order polynomial upper bound in terms of theoretical complexity, particularly with longer computation times when applied to high-dimensional lattices. In addressing this issue, we propose an improved algorithm based on block preprocessing, building on the original Coppersmith algorithm and thus providing proof of correctness for this algorithm. This approach effectively reduces the solution time of the algorithm, offering a maximum improvement of 8.1% compared to the original Coppersmith algorithm. Additionally, we demonstrate the compatibility of our algorithm with the rounding algorithm proposed at PKC 2014. The combined utilization of these approaches further enhances the efficiency of our algorithm. The experimental results show that the combined algorithm achieves a maximum improvement of 22.4% in solution time compared to the original Coppersmith algorithm. It also outperforms the standalone rounding algorithm with a maximum improvement of 12.1%. When compared to the improved Coppersmith algorithm based on row common factor extraction, our proposed algorithm demonstrates comparable or even superior performance in certain dimensions. The block preprocessing algorithm in our approach enables independent execution without data exchange, making it suitable for leveraging multi-processing advantages in scenarios involving higher degrees of modular polynomial equations. This offers a new perspective for achieving the parallel computation of the Coppersmith algorithm, facilitating parallel execution and providing valuable insights.

1. Introduction

Currently, the research on lattice theory in cryptography is mainly divided into two directions [1]. The first direction focuses on cryptographic design, where lattice-based hard problems are utilized to construct post-quantum secure cryptographic algorithms that can resist quantum attacks. The second direction is cryptographic analysis, which uses lattice-based algorithms to analyze the security of traditional public-key cryptographic algorithms. Lattice-based analysis methods are crucial in modern cryptography analysis. The basic idea is to transform a specific cryptographic structure, under a particular configuration, into a class of mathematical problems based on lattices. By constructing a specific lattice, these mathematical problems are converted into difficult problems on lattices. Ultimately, lattice-based reduction algorithms [2] are used to effectively solve these problems and obtain accurate results. In practical applications, experimental data often demonstrate the superior performance of lattice basis reduction algorithms compared to theoretical results [3].

Lattice analysis has broad applications in the field of cryptography, where it is widely used to analyze the security of many public-key cryptographic algorithms. In 1978, three cryptographers from the Massachusetts Institute of Technology—Rivest, Shamir, and Adleman—introduced the well-known RSA algorithm [4]. RSA was the first practical public-key cryptographic algorithm and continues to be extensively utilized. The analysis of its security has remained a prominent research topic in the field of cryptography. During the same period, Merkle and Hellman [5] proposed the MH public-key cryptographic algorithm based on the knapsack problem. It was initially considered a potential alternative to RSA. However, the MH algorithm was later broken by Shamir [6] using integer programming problems. In 1982, A.K. Lenstra, H.W. Lenstra, and L. Lovász [7] introduced the LLL algorithm—this algorithm is capable of reducing a random input set of lattice bases to a shorter and approximately orthogonal set of lattice bases. It is commonly used for solving the approximate shortest vector problem on lattices. In 1983, Adleman [8] made a significant advancement in cryptography by successfully breaking the MH public-key cipher using the LLL algorithm. This marked the first application of the LLL algorithm in cryptographic analysis and showcased its superiority over Shamir’s attack algorithm in terms of simplicity and effectiveness. At EUROCRYPT’96, Coppersmith [9] proposed an algorithm based on the LLL algorithm for solving small root problems in univariate modular polynomial equations. In a later publication [10], he further extended this approach to solving small root problems in bivariate polynomial equations with integer coefficients. These developments played a crucial role in establishing the groundwork for analyzing the RSA algorithm. In 1997 [11], Coppersmith presented a significant breakthrough in the field of cryptography. He demonstrated how the LLL algorithm can be utilized to factorize the RSA modulus when partial information is available. This pioneering work set a precedent for using lattice-based methods in the analysis of RSA. Coppersmith’s pioneering work has inspired extensive research by scholars. The same year, Howgrave-Graham [12] presented an algorithm, which is equivalent to Coppersmith’s method, for solving small root problems in univariate modular equations. This algorithm offers a more straightforward understanding and implementation compared to Coppersmith’s original approach [9]. Afterward, the analysis of RSA primarily revolved around specific variants of the RSA algorithm [13], with particular emphasis on the analysis of the CRT-RSA algorithm [14]. In 2010, May [15] conducted a systematic review of the applications of lattice basis reduction algorithms in RSA analysis. Additionally, lattice basis reduction algorithms have been used to analyze the security of other public-key cryptographic algorithms, including DSA [16] and ECDSA [17]. Micheli [18] provided relevant examples pertaining to key recovery in situations involving the partial leakage of information for these types of cryptographic problems. In recent years, the Coppersmith algorithm has remained one of the most important algorithms for analyzing RSA and its variants [19]. In addition, it has also been used to solve the sum of EC-HNP problems under certain conditions [20] and factorization problems when a sufficient number of bits of the prime factors are known [21].

The core of the Coppersmith algorithm is to use the LLL algorithm to convert modular equations into integer equations; thus, the overall running time of the Coppersmith algorithm primarily depends on the time of the LLL algorithm. Although the LLL algorithm is polynomial time, its time complexity is $O\left(n^6{log}^{3}C\right)$, where n is the dimension of the matrix and C is the maximum length of the row vectors in the matrix [7]. In practical applications, for attacking RSA algorithms with limited information, constructing higher-degree modular polynomials and reducing higher-dimensional lattice basis matrices are often necessary. However, this leads to an exponential increase in the solution time of the algorithm. Therefore, finding efficient solutions and reducing the algorithm’s solution time hold significant practical significance. Motivated by the aforementioned research background, in this study, the following contributions are proposed:

• Based on the analysis of the construction and characteristics of the Coppersmith matrix, we propose a preprocessing algorithm, which involves partitioning the lattice matrix into blocks according to the degree of a modular polynomial equation. The correctness of the algorithm is rigorously proved, demonstrating its validity and reliability.
• It is proven that the algorithm proposed in this study is compatible with the rounding algorithm proposed by Bi et al. [22] at PKC 2014. The combined algorithm can be improved by up to 22.4% compared with the original Coppersmith algorithm and by up to 12.1% compared with the rounding algorithm.
• The improved Coppersmith algorithm is obtained by combining the block preprocessing and rounding algorithms. Compared with the improved Coppersmith algorithm proposed by Wang et al. [23] in 2021, the improvement effect is almost the same, and notably, our algorithm performs better in some dimensions.
• Since block preprocessing does not need to exchange data when executing the LLL algorithm, it can run independently. Therefore, this study provides a way to support the parallel operation of the Coppersmith algorithm.

Section 2 of this paper provides an introduction to the necessary background knowledge. Section 3 presents and describes the improved Coppersmith algorithm. In Section 4, we present and analyze the experimental results. Finally, in Section 5, a summary and conclusion of the paper are provided.

2. Preliminary

2.1. Notation

Definition 1 (Lattice).

Given n linearly independent vectors $b_1,b_2,\dots ,b_n\in R^m$, a lattice L is the set of all integer linear combinations, defined as

$$L\left(b_1,b_2\dots b_n\right)=\left\{\sum _{i=1}^n{x}_i{b}_i|x_i\in Z\right\}.$$

We call $b_1,b_2,\dots ,b_n$ a basis of the lattice, n is referred to as the rank of the lattice, and m is referred to as the dimension of the lattice. In general, $n\le m$; if $n=m$, the lattice is called a full-rank lattice. In most cases, we primarily consider examples of full-rank lattices.

When dealing with lattice bases, a more compact matrix form can be used. The matrix consists of column vectors $b_1,b_2,\dots ,b_n$ representing the basis of the lattice. In other words, we can express it as

$$B=\left(\begin{array}{ccc}|& & |\\ b_1& \cdots & b_n\\ |& & |\end{array}\right).$$

Thus, the lattice can be represented as

$$L\left(B\right)=\left\{Bx|x\in Z^n\right\}.$$

Definition 2 (Unimodular Matrix).

A matrix $U\in Z^{n\times n}$ is called unimodular if $det\left(U\right)=\pm 1$. For example, the matrix $\left(\begin{array}{cc}1& 2\\ 0& 1\end{array}\right)$ is unimodular.

Corollary 1.

Two bases $B_1,B_2\in R^{m\times n}$ are equivalent if, and only if, $B_2=B_{1}U$ for some unimodular matrix U. This implies that for a given lattice, there can be multiple lattice bases. Any two lattice bases differ by a unimodular matrix.

Definition 3 (Fundamental Parallelepiped).

Given n linearly independent vectors $b_1,b_2,\dots ,b_n$, their fundamental parallelepiped is defined as

$$P\left(b_1,b_2,\dots ,b_n\right)=\left\{\sum _{i=1}^n{x}_i{b}_i|x_i\in R,0\le x_i<1\right\}.$$

Thus, a fundamental parallelepiped is the (half-open) region enclosed by the vectors $b_1,b_2,\dots ,b_n$. Evidently, different bases of the same lattice generate different fundamental parallelepipeds.

Definition 4 (Determinant).

Let L be a lattice of rank n. We define the determinant of L, denoted $det\left(L\right)$, as the n-dimensional volume of $P\left(L\right)$. In symbols, this can be written as

$$det\left(L\right)=\sqrt{det\left(B^{T}B\right)}.$$

Particularly, if the lattice L is a full-rank lattice and B is a square matrix, the formula is

$$det\left(L\right)=\sqrt{det\left(B^{T}B\right)}=\sqrt{det\left(B\right)det\left(B^T\right)}=\left|det\left(B\right)\right|.$$

Definition 5 (Euclidean Norm).

The Euclidean norm (also known as the 2-norm) of a vector $V=\left(v_1,v_2,v_3,\dots ,v_n\right)$, referred to as the length of the vector, is defined as

$$∥V∥=\sqrt{\sum _{i=1}^n{v}_i^2}.$$

Definition 6 (Polynomial Norm).

Let $f\left(x\right)={\sum }_{i=1}{a}_i{x}^i$, where $a_i\ne 0$. We define the polynomial norm of $f\left(x\right)$ as

$$∥f\left(x\right)∥={\left(\sum _i{a}_i^2\right)}^{\frac{1}{2}}.$$

Definition 7 (Gram–Schmidt Orthogonalization).

For a sequence of n linearly independent vectors $b_1,b_2,\dots ,b_n$, we define their Gram–Schmidt orthogonalization as

$${\tilde{b}}_1=b_1,$$

$${\tilde{b}}_i=b_i-\sum _{j=1}^{i-1}{\mu }_{i,j}{\tilde{b}}_{{}_i},1<i\le n.$$

Thus, ${\tilde{b}}_j$ is the component of $b_i$ orthogonal to ${\tilde{b}}_1,\dots ,{\tilde{b}}_{i-1}$, and ${\mu }_{i,j}$ is called the Gram–Schmidt coefficients.

2.2. LLL Algorithm

In 1982, A.K. Lenstra, H.W. Lenstra, and L. Lovász [7] introduced the LLL lattice basis reduction algorithm. Although it does not directly yield the shortest vector exactly, it can produce a short vector with an approximate factor of ${\left(\left(1+\epsilon \right)\sqrt{4/3}\right)}^{{}^{\left(n-1\right)/2}}$ in polynomial time. Here, $\epsilon$ is a positive constant, and n represents the dimension of the lattice [24]. The LLL algorithm ensures that the length of the output vectors does not exceed a multiple of the shortest vector’s length. Notably, in practical applications, the algorithm exhibits a lower time complexity compared to its theoretical complexity [25]. In 2006, Nguyen and Stehlé [26] conducted extensive experiments on the LLL algorithm, revealing its superior ability to approximate the shortest vector in lower-dimensional lattices when compared to higher-dimensional cases.

Definition 8 (LLL Reduction Basis).

A basis $B=\{b_1,b_2,\dots ,b_n\}\in R^m$ is a $\delta -LLL$ reduction basis if the following holds

(1) 

$\forall 1\le i\le n,j<i,\left|{\mu }_{i,j}\right|\le \frac{1}{2}$;

(2) 

$\forall 1\le i<n,\delta {∥{\tilde{b}}_i∥}^2\le {∥{\mu }_{i+1,i}{\tilde{b}}_i+{\tilde{b}}_{i+1}∥}^2$.

In other words, ${\tilde{b}}_1,{\tilde{b}}_2,\dots ,{\tilde{b}}_n$ are the results of the Gram–Schmidt orthogonalization on $b_1,b_2,\dots ,b_n$. Since ${\tilde{b}}_i$ and ${\tilde{b}}_{i+1}$ are orthogonal, the second condition in Definition 8 can be written as

$$\forall 1\le i<n,{∥{\tilde{b}}_{i+1}∥}^2\ge \left(\delta -{\mu }_{i+1,i}^2\right){∥{\tilde{b}}_i∥}^2.$$

Given any basis $b_1,b_2,\dots ,b_n$ of a lattice, the LLL algorithm can produce a reduced basis by running in polynomial time. The specific steps of the LLL algorithm are depicted in Algorithm 1.

Algorithm 1 LLL Algorithm

Input: A basis $b_1,b_2,\dots ,b_n$. Output: A $\delta -\mathrm{LLL}$ reduction basis.    1: Compute ${\tilde{b}}_1,{\tilde{b}}_2,\dots ,{\tilde{b}}_n$.    2: for $i=2$ to n do    3:     for $j=i-1$ to 1 do    4:         $b_i\leftarrow b_i-{\mu }_{i,j}{b}_j$, where ${\mu }_{i,j}=\lceil \langle b_i,{\tilde{b}}_j\rangle /\langle {\tilde{b}}_j,{\tilde{b}}_j\rangle \rfloor$.    5:     end for    6: end for    7: if $\exists i$ such that $∥{\tilde{b}}_{i+1}∥<\sqrt{\delta -{\mu }_{i+1,i}^2}∥{\tilde{b}}_i∥$ then    8:     swap $b_i$ and $b_{i+1}$.    9:     return step 1.   10: end if   11: Return $b_1,b_2,\dots ,b_n$.

Remark 1.

We use $\lceil ·\rfloor$ to denote rounding to the nearest integer; for example, $\lceil 3.3\rfloor =3$, $\lceil 3.8\rfloor =4$.

Here, we present a significant theorem regarding the length relationship among the output vectors of the LLL algorithm.

Theorem 1

([7]). For a lattice L, the LLL algorithm can find a set of reduced basis $b_1,\dots ,b_n$ in polynomial time, satisfying the following condition

$$∥b_1∥\le ∥b_2∥\le \dots \le ∥b_n∥\le 2^{\frac{n(n-1)}{4(n-i+1)}}det{\left(L\right)}^{\frac{1}{n-i+1}},1\le i\le n.$$

2.3. Coppersmith Algorithm

In their work [9], Coppersmith proposed a small root algorithm for solving univariate modular polynomial equations. In the following sections, we present an overview of this algorithm and provide a detailed description of the specific steps.

Definition 9 (Univariate Modular Equation).

Let N be an integer of unknown factorization, where b is one of its factors satisfying $b\ge N^{\beta },0<\beta \le 1$. Let $f\left(x\right)$ be a univariate monic polynomial of degree δ. The objective is to find all small roots of $f\left(x\right)$, that is,

$$f\left(x_0\right)\equiv 0modb,\left|x_0\right|\le X,$$

where X represents the absolute upper bound for the small root solutions.

The goal of this problem is to maximize the upper bound X of the roots, allowing for a greater number of output roots satisfying the given condition while ensuring that the computational time complexity remains polynomial. In other words, the algorithm’s running time is a polynomial function of ($logN,\delta$).

Theorem 2

(Coppersmith [15]). Let N be an integer of unknown factorization, where b is one of its factors satisfying $b\ge N^{\beta },0<\beta \le 1$. Furthermore, let $f\left(x\right)$ be a univariate monic polynomial of degree δ, $0<\epsilon \le \frac{1}{7}\beta$. Then, we can find all solutions for the following equation:

$$f\left(x_0\right)\equiv 0modb,\left|x_0\right|\le \frac{1}{2}{N}^{\frac{{\beta }^2}{\delta }-\epsilon }.$$

The running time primarily depends on the time it takes the LLL algorithm to reduce a lattice basis of dimension $O\left({\epsilon }^{-1}\delta \right)$ with entries of bit-size $O\left({\epsilon }^{-1}logN\right)$, which can be achieved in time $O\left({\epsilon }^{-7}{\delta }^5{log}^{2}N\right)$. Moreover, Coppersmith also provided a specific case of this theorem by using an exhaustive search, namely it is possible to eliminate the terms $\frac{1}{2}$ and $\epsilon$ described in Theorem 3.

Theorem 3

(Coppersmith [15]). Let N be an integer of unknown factorization. Furthermore, let $f_N\left(x\right)$ be a univariate monic polynomial of degree δ. Then, we can find all solutions $x_0$ for the following equation

$$f_N\left(x_0\right)\equiv 0modN,\left|x_0\right|\le N^{\frac{1}{\delta }},$$

in time $O\left({\delta }^5{log}^{9}N\right)$.

In 1997, Howgrave-Graham summarized and simplified Coppersmith’s original algorithm, presenting a more practical lattice algorithm [12]. Nowadays, the majority of applied Coppersmith algorithms are based on Howgrave-Graham’s implementation. The subsequent references to the Coppersmith algorithm in this paper specifically refer to the improved algorithm by Howgrave-Graham. Here, we provide a detailed explanation of this algorithm.

The core idea of the Coppersmith algorithm is to transform the problem of finding small roots of a univariate modular equation into the problem of finding small roots of a univariate integer equation. In other words, the algorithm aims to solve the following problem

$$f\left(x_0\right)\equiv 0modN\Rightarrow g\left(x_0\right)=0,\left|x_0\right|\le X.$$

Thus, the goal is to find such values of $g\left(x\right)$. Howgrave-Graham presents the following theorem [12].

Theorem 4

(Howgrave-Granham [15]). Let $g\left(x\right)$ be a univariate polynomial with n monomials. Further, let m be a positive integer. Suppose that

(1) 

$g\left(x_0\right)\equiv 0\left(mod{N}^m\right)$, where $x_0<X$;

(2) 

$∥g\left(xX\right)∥<\frac{N^m}{\sqrt{n}}$.

Then, $g\left(x\right)=0$ holds over the integers.

In the specific algorithm, the construction of $g\left(x\right)$ can be divided into the following two steps:

Step 1: Fix a positive integer and construct a set of polynomials where each polynomial shares a common root but has a modulus $N^m$. The commonly used approach for constructing is

$$g_{i,j}\left(x\right)=x^{j}f{\left(x\right)}^i{N}^{m-i},i=0,\dots ,m-1,j=0,\dots ,\delta -1.$$

Thus, it is easy to observe that

$$g_{i,j}\left(x_0\right)=x_0^{j}f{\left(x_0\right)}^i{N}^{m-i}=x_0^j{\left(\frac{f\left(x_0\right)}{N}\right)}^i{N}^m\equiv 0mod{N}^m.$$

Step 2: Construct an integer coefficient linear combination of $g\left(x\right)$ in set C to satisfy $\left|g\left(x_0\right)\right|<N^m$. By combining this with $g\left(x_0\right)\equiv 0mod{N}^m$ in step 1, we establish the validity of $g\left(x_0\right)=0$ over integers.

The condition in step 2 can be achieved through the LLL algorithm, as demonstrated in Theorem 1. After applying the LLL algorithm for reduction, the length of the first output vector satisfies a certain upper bound requirement. We can utilize this vector to construct

$$∥b_1∥=∥g\left(xX\right)∥<\frac{N^m}{\sqrt{n}}.$$

As a result, polynomials with smaller norms can be obtained, which further allows for the deduction of $\left|g\left(x_0\right)\right|<N^m$; May provides proof of this process in [15]. Therefore, by following the aforementioned steps, a suitable $g\left(x\right)$ is found. It shares a common root with $f\left(x\right)$ and has an integer root. Finally, the solution can be obtained using a general method for solving integer equations. The general steps of the Howgrave-Graham-improved Coppersmith algorithm are presented in Algorithm 2.

Algorithm 2: Original Coppersmith Algorithm

Input: A univariate monic polynomial of degree d with modulus N, parameter $\beta ,\epsilon ,m,X$. Output: All $x_0\in Z$, such that $\left|x_0\right|\le N^{\frac{1}{\delta }}$ and $f\left(x_0\right)\equiv 0modN$.    1: Choose $\beta =1,\epsilon =\frac{\beta }{7},m=⌈\frac{{\beta }^2}{d\epsilon }⌉$.    2: Compute polynomials $g_{i,j}\left(x\right)=x^j·N^{m-i}·f{\left(x\right)}^i,i=0,\dots ,m-1,j=0,\dots ,d-1$.    3: Compute $X=⌈\frac{1}{2}{N}^{\frac{{\beta }^2}{d}-\epsilon }⌉$, where X is the bound of ${\mathrm{x}}_0$.    4: Build the $n\times n$ matrix B, the rows of which are the $g\left(xX\right)$ coefficients.    5: Apply the LLL algorithm to the lattice basis B. Let v be the shortest vector in the LLL-reduced basis. The vector v is the coefficient vector of some polynomial; then, construct $g\left(x\right)$ from v.    6: Find the set R of all roots of $g\left(x\right)$ over the integers using standard methods. For every root $x_0\in R$, check whether $gcd\left(N,f\left(x_0\right)\right)\ge N^{\beta }$. If this condition is not satisfied, remove $x_0$ from R.    7: Return R.

3. Improved Coppersmith Algorithm

3.1. Block Preprocessing Algorithm

According to the number of modular polynomial equations, it is necessary to partition the lattice basis matrix before applying the LLL reduction algorithm. To illustrate the concept of partitioning, let us consider an example using a monic polynomial $f\left(x\right)=x^3+a_{12}{x}^2+a_{11}x+a_{10}$ of degree 3, where the square of $f\left(x\right)$ is denoted as $f{\left(x\right)}^2=x^6+a_{25}{x}^5+a_{24}{x}^4+a_{23}{x}^3+a_{22}{x}^2+a_{21}x+a_{20}$. Computing the small roots of a polynomial equation $f\left(x\right)$ with modulus N. The Coppersmith matrix constructed by selecting parameter $m=3$ is represented as follows

$$\begin{array}{cc}& 1x{x}^2{x}^3{x}^4{x}^5{x}^6{x}^7{x}^8\hfill \\ & \begin{array}{c}{g}_{0,0}\left(xX\right)\\ g_{0,1}\left(xX\right)\\ g_{0,2}\left(xX\right)\\ g_{1,0}\left(xX\right)\\ g_{1,1}\left(xX\right)\\ g_{1,2}\left(xX\right)\\ g_{2,0}\left(xX\right)\\ g_{2,1}\left(xX\right)\\ g_{2,2}\left(xX\right)\end{array}\left[\begin{array}{ccccccccc}{N}^3& & & & & & & & \\ & X{N}^3& & & & & & & \\ & & X^2{N}^3& & & & & & \\ a_{10}N& a_{11}X{N}^2& a_{12}{X}^2{N}^2& X^3{N}^2& & & & & \\ & a_{10}X{N}^2& a_{11}{X}^2{N}^2& a_{12}{X}^3{N}^2& X^4{N}^2& & & & \\ & & a_{10}{X}^2{N}^2& a_{11}{X}^3{N}^2& a_{12}{X}^4{N}^2& X^5{N}^2& & & \\ a_{20}N& a_{21}XN& a_{22}{X}^{2}N& a_{23}{X}^{3}N& a_{24}{X}^{4}N& a_{25}{X}^{5}N& X^{6}N& & \\ & a_{20}XN& a_{21}{X}^{2}N& a_{22}{X}^{3}N& a_{23}{X}^{4}N& a_{24}{X}^{5}N& a_{25}{X}^{6}N& X^{7}N& \\ & & a_{20}{X}^{2}N& a_{21}{X}^{3}N& a_{22}{X}^{4}N& a_{23}{X}^{5}N& a_{24}{X}^{6}N& a_{25}{X}^{7}N& X^{8}N\end{array}\right]\hfill \end{array}$$

In the above case of the polynomial $f\left(x\right)$ with a degree of 3, the constructed lattice basis matrix B is evenly partitioned into three blocks. Each block is separately preprocessed via the LLL algorithm. Finally, the blocks are reassembled in order, as shown in Algorithm 3. Step 6 means choosing a vector from row $d·(i-1)$ to row $d·i$ of matrix B, which is denoted as $B_i$.

Algorithm 3: Improved Coppersmith Algorithm Based on Block Preprocessing

Input: A univariate degree d monic polynomial $f\left(x\right)$ with modulus N, parameter $\beta ,\epsilon ,m,X$. Output: All $x_0\in Z$ such that $\left|x_0\right|\le N^{\frac{1}{\delta }}$ and $f\left(x_0\right)\equiv 0modN$.    1: Choose $\beta =1,\epsilon =\frac{\beta }{7},m=⌈\frac{{\beta }^2}{d\epsilon }⌉$.    2: Compute polynomials $g_{i,j}\left(x\right)=x^j·N^{m-i}·f{\left(x\right)}^i,i=0,\dots ,m-1,j=0,\dots ,d-1$.    3: Compute $X=⌈\frac{1}{2}{N}^{\frac{{\beta }^2}{d}-\epsilon }⌉$, where X is the bound of ${\mathrm{x}}_0$.    4: Build the $n\times n$ matrix B, the rows of which are the $g\left(xX\right)$ coefficients.    5: for $i=1$ to m do    6:     $B_i=B[d·(i-1):d·i]$.    7:     Applying the LLL algorithm on each block matrix $B_i$ produces ${B_i}^{\prime }$.    8: end for    9: Combine $B^{\prime }=\left({B_1}^{\prime }\Vert {B_2}^{\prime }\Vert \dots \Vert {B_m}^{\prime }\right)$ in order.   10: Apply the LLL algorithm to the lattice basis B. Let v be the shortest vector in the LLL-reduced basis. The vector v is the coefficient vector of some polynomial; then, construct $g\left(x\right)$ from v.   11: Find the set R of all roots of $g\left(x\right)$ over the integers using standard methods. For every root $x_0\in R$, check whether $gcd\left(N,f\left(x_0\right)\right)\ge N^{\beta }$. If this condition is not satisfied, remove $x_0$ from R.   12: Return R.

Applying the LLL algorithm to both the preprocessed matrix $B^{\prime }$ and the original matrix B yields completely consistent results. This implies that the preprocessing algorithm does not affect the correctness of the subsequent execution of the LLL algorithm, as depicted in Theorem 5.

Theorem 5.

Let B be a lattice basis matrix of rank n, and divide matrix B into m $(m\le n)$ blocks along the rows as $B=\left(B_1\Vert B_2\Vert B_3\Vert \dots \Vert B_m\right)$; let $B^{\prime }$ be the LLL-reduced result of matrix B, then $B^{\prime }={\left({B_1}^{\prime }\Vert {B_2}^{\prime }\Vert \dots \Vert {B_m}^{\prime }\right)}^{\prime }$. The parameter m is chosen for constructing the Coppersmith matrix.

Based on the construction characteristics of Algorithm 2, the dimension of the Coppersmith matrix is equal to the product of degree $\delta$ and parameter m. Therefore, when dividing matrix B into m blocks along the rows, there is no case in which it cannot be evenly divided.

To prove Theorem 5 without the loss of generality, we randomly select a lattice basis matrix B of rank 4. This choice allows us to avoid the inadequacy of a low-rank lattice basis in illustrating the problem, as well as the excessive complexity of proof steps associated with a high-rank lattice basis. We can divide the lattice basis matrix B into two rank-2 matrices $B_1=\left(b_1,b_2\right)$ and $B_2=\left(b_3,b_4\right)$. After applying the LLL algorithm for reduction, matrix B is transformed into matrix $B^{\prime }=\left(\widetilde{b_1},\widetilde{b_2},\widetilde{b_3},\widetilde{b_4}\right)$, where the vector form is denoted as

$$\begin{array}{cc}& \widetilde{b_1}=b_1\hfill \\ & \widetilde{b_2}=b_2-\lceil \langle b_2,\widetilde{b_1}\rangle /\left|\right|\widetilde{b_1}|{|}^2\rfloor ·\widetilde{b_1}\hfill \\ & \widetilde{b_3}=b_3-\lceil \langle b_3,\widetilde{b_2}\rangle /\left|\right|\widetilde{b_2}|{|}^2\rfloor ·\widetilde{b_2}-\lceil \langle b_3,\widetilde{b_1}\rangle /\left|\right|\widetilde{b_1}|{|}^2\rfloor ·\widetilde{b_1}\hfill \\ & \widetilde{b_4}=b_4-\lceil \langle b_4,\widetilde{b_3}\rangle /\left|\right|\widetilde{b_3}|{|}^2\rfloor ·\widetilde{b_3}-\lceil \langle b_4,\widetilde{b_2}\rangle /\left|\right|\widetilde{b_2}|{|}^2\rfloor ·\widetilde{b_2}-\lceil \langle b_4,\widetilde{b_1}\rangle /\left|\right|\widetilde{b_1}|{|}^2\rfloor ·\widetilde{b_1}.\hfill \end{array}$$

Similarly, after the application of the LLL algorithm for reduction, the matrix $B_1$ is transformed into matrix ${B_1}^{\prime }=\left({b_1}^{\prime },{b_2}^{\prime }\right)$, while matrix $B_2$ is transformed into matrix ${B_2}^{\prime }=\left({b_3}^{\prime },{b_4}^{\prime }\right)$. The vector forms are represented as

$$\begin{array}{ccccc}& {b_1}^{\prime }=b_1\hfill & \hfill & {b_3}^{\prime }=b_3\hfill & \\ & {b_2}^{\prime }=b_2-\lceil \langle b_2,{b_1}^{\prime }\rangle /\left|\right|{b_1}^{\prime }|{|}^2\rfloor ·{b_1}^{\prime }\hfill & \hfill & {b_4}^{\prime }=b_4-\lceil \langle b_4,{b_3}^{\prime }\rangle /\left|\right|{b_3}^{\prime }|{|}^2\rfloor ·{b_3}^{\prime }.\hfill \end{array}$$

After combining them, we can obtain the matrix ${B_{12}}^{\prime }=\left({B_1}^{\prime }\Vert {B_2}^{\prime }\right)=({b_1}^{\prime },{b_2}^{\prime },{b_3}^{\prime },{b_4}^{\prime }).$ The reduction result obtained after executing the LLL algorithm on matrix ${B_{12}}^{\prime }$ is ${B_{12}}^{″}=\left({b_1}^{″},{b_2}^{″},{b_3}^{″},{b_4}^{″}\right)$, where the vector form is

$\begin{array}{cc}& {b_1}^{″}={b_1}^{\prime }\hfill \\ & {b_2}^{″}={b_2}^{\prime }-\lceil \langle {b_2}^{\prime },{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}\hfill \\ & {b_3}^{″}={b_3}^{\prime }-\lceil \langle {b_3}^{\prime },{b_2}^{″}\rangle /\left|\right|{b_2}^{″}|{|}^2\rfloor ·{b_2}^{″}-\lceil \langle {b_3}^{\prime },{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}\hfill \\ & {b_4}^{″}={b_4}^{\prime }-\lceil \langle {b_4}^{\prime },{b_3}^{″}\rangle /\left|\right|{b_3}^{″}|{|}^2\rfloor ·{b_3}^{″}-\lceil \langle {b_4}^{\prime },{b_2}^{″}\rangle /\left|\right|{b_2}^{″}|{|}^2\rfloor ·{b_2}^{″}-\lceil \langle {b_4}^{\prime },{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}.\hfill \end{array}$

Proof of Theorem 5. 

If we can obtain ${b_i}^{″}=\widetilde{b_i}$ ($i=1,2,3,4$), it can be proven that the two are equivalent. The specific proof process is given below

$$\begin{array}{cc}\hfill {b_1}^{″}& ={b_1}^{\prime }=b_1=\widetilde{b_1}\hfill \\ \hfill {b_2}^{″}& ={b_2}^{\prime }-\lceil \langle {b_2}^{\prime },{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}\hfill \\ \hfill & =b_2-\lceil \langle b_2,{b_1}^{\prime }\rangle /\left|\right|{b_1}^{\prime }|{|}^2\rfloor ·{b_1}^{\prime }-\lceil \langle b_2-\lceil \langle b_2,{b_1}^{\prime }\rangle /\left|\right|{b_1}^{\prime }|{|}^2\rfloor ·{b_1}^{\prime },{b_1}^{\prime }\rangle /\left|\right|{b_1}^{\prime }|{|}^2\rfloor ·{b_1}^{\prime }\hfill \\ \hfill & =b_2-\lceil \langle b_2,{b_1}^{\prime }\rangle /\left|\right|{b_1}^{\prime }|{|}^2\rfloor ·{b_1}^{\prime }-\lceil \langle b_2,{b_1}^{\prime }\rangle /\left|\right|{b_1}^{\prime }|{|}^2-\lceil \langle b_2,{b_1}^{\prime }\rangle /\left|\right|{b_1}^{\prime }|{|}^2\rfloor \rfloor ·{b_1}^{\prime }\hfill \\ \hfill & =b_2-\lceil \langle b_2,{b_1}^{\prime }\rangle /\left|\right|{b_1}^{\prime }|{|}^2\rfloor ·{b_1}^{\prime }\hfill \\ \hfill & =b_2-\lceil \langle b_2,\widetilde{b_1}\rangle /\left|\right|\widetilde{b_1}|{|}^2\rfloor ·\widetilde{b_1}\hfill \\ \hfill & =\widetilde{b_2}\hfill \\ \hfill {b_3}^{″}& ={b_3}^{\prime }-\lceil \langle {b_3}^{\prime },{b_2}^{″}\rangle /\left|\right|{b_2}^{″}|{|}^2\rfloor ·{b_2}^{″}-\lceil \langle {b_3}^{\prime },{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}\hfill \\ \hfill & =b_3-\lceil \langle b_3,{b_2}^{″}\rangle /\left|\right|{b_2}^{″}|{|}^2\rfloor ·{b_2}^{″}-\lceil \langle b_3,{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}\hfill \\ \hfill & =b_3-\lceil \langle b_3,\widetilde{b_2}\rangle /\left|\right|\widetilde{b_2}|{|}^2\rfloor ·\widetilde{b_2}-\lceil \langle b_3,\widetilde{b_1}\rangle /\left|\right|\widetilde{b_1}{|}^2\rfloor ·\widetilde{b_1}\hfill \\ \hfill & =\widetilde{b_3}\hfill \\ \hfill {b_4}^{″}& ={b_4}^{\prime }-\lceil \langle {b_4}^{\prime },{b_3}^{″}\rangle /\left|\right|{b_3}^{″}|{|}^2\rfloor ·{b_3}^{″}-\lceil \langle {b_4}^{\prime },{b_2}^{″}\rangle /\left|\right|{b_2}^{″}|{|}^2\rfloor ·{b_2}^{″}-\lceil \langle {b_4}^{\prime },{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}\hfill \\ & =b_4-\lceil \langle b_4,{b_3}^{\prime }\rangle /\left|\right|{b_3}^{\prime }|{|}^2\rfloor ·{b_3}^{\prime }\hfill \\ & -\lceil \langle b_4,{b_3}^{″}\rangle /\left|\right|{b_3}^{″}|{|}^2-\lceil \langle b_4,{b_3}^{\prime }\rangle /\left|\right|{b_3}^{\prime }|{|}^2\rfloor ·\langle {b_3}^{\prime },{b_3}^{″}\rangle /\left|\right|{b_3}^{″}|{|}^2\rfloor ·{b_3}^{″}\hfill \\ \hfill & -\lceil \langle b_4,{b_2}^{″}\rangle /\left|\right|{b_2}^{″}|{|}^2-\lceil \langle b_4,{b_3}^{\prime }\rangle /\left|\right|{b_3}^{\prime }|{|}^2\rfloor ·\langle {b_3}^{\prime },{b_2}^{″}\rangle /\left|\right|{b_2}^{″}|{|}^2\rfloor ·{b_2}^{″}\hfill \\ \hfill & -\lceil \langle b_4,{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2-\lceil \langle b_4,{b_3}^{\prime }\rangle /\left|\right|{b_3}^{\prime }|{|}^2\rfloor ·\langle {b_3}^{\prime },{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}\hfill \\ \hfill & =b_4-\lceil \langle b_4,{b_3}^{\prime }\rangle /\left|\right|{b_3}^{\prime }|{|}^2\rfloor ·{b_3}^{\prime }-\lceil \langle b_4,{b_3}^{″}\rangle /\left|\right|{b_3}^{″}|{|}^2\rfloor ·{b_3}^{″}-\lceil \langle b_4,{b_2}^{″}\rangle /\left|\right|{b_2}^{″}|{|}^2\rfloor ·{b_2}^{″}-\lceil \langle b_4,{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}\hfill \\ \hfill & +\lceil \langle b_4,{b_3}^{\prime }\rangle /\left|\right|{b_3}^{\prime }|{|}^2\rfloor ·\left(\lceil \langle {b_3}^{\prime },{b_3}^{″}\rangle /\left|\right|{b_3}^{″}|{|}^2\rfloor ·{b_3}^{″}+\lceil \langle {b_3}^{\prime },{b_2}^{″}\rangle /\left|\right|{b_2}^{″}|{|}^2\rfloor ·{b_2}^{″}+\lceil \langle {b_3}^{\prime },{b_1}^{″}\rangle /\left|\right|{b_1}^{″}|{|}^2\rfloor ·{b_1}^{″}\right)\hfill \\ \hfill & =b_4-\lceil \langle b_4,b_3\rangle /\left|\right|b_3|{|}^2\rfloor ·b_3-\lceil \langle b_4,\widetilde{b_3}\rangle /\left|\right|\widetilde{b_3}|{|}^2\rfloor ·\widetilde{b_3}-\lceil \langle b_4,\widetilde{b_2}\rangle /\left|\right|\widetilde{b_2}|{|}^2\rfloor ·\widetilde{b_2}-\lceil \langle b_4,\widetilde{b_1}\rangle /\left|\right|\widetilde{b_1}|{|}^2\rfloor ·\widetilde{b_1}\hfill \\ \hfill & +\lceil \langle b_4,b_3\rangle /\left|\right|b_3|{|}^2\rfloor ·\left(\lceil \langle b_3,\widetilde{b_3}\rangle /\left|\right|\widetilde{b_3}|{|}^2\rfloor ·\widetilde{b_3}+\lceil \langle b_3,\widetilde{b_2}\rangle /\left|\right|\widetilde{b_2}|{|}^2\rfloor ·\widetilde{b_2}+\lceil \langle b_3,\widetilde{b_1}\rangle /\left|\right|\widetilde{b_1}|{|}^2\rfloor ·\widetilde{b_1}\right)\hfill \\ \hfill & =b_4-\lceil \langle b_4,b_3\rangle /\left|\right|b_3|{|}^2\rfloor ·b_3-\lceil \langle b_4,\widetilde{b_3}\rangle /\left|\right|\widetilde{b_3}|{|}^2\rfloor ·\widetilde{b_3}-\lceil \langle b_4,\widetilde{b_2}\rangle /\left|\right|\widetilde{b_2}|{|}^2\rfloor ·\widetilde{b_2}-\lceil \langle b_4,\widetilde{b_1}\rangle /\left|\right|\widetilde{b_1}|{|}^2\rfloor ·\widetilde{b_1}\hfill \\ \hfill & +\lceil \langle b_4,b_3\rangle /\left|\right|b_3|{|}^2\rfloor ·b_3\hfill \\ \hfill & =b_4-\langle b_4,\widetilde{b_3}\rangle /\left|\right|\widetilde{b_3}|{|}^2·\widetilde{b_3}-\langle b_4,\widetilde{b_2}\rangle /\left|\right|\widetilde{b_2}|{|}^2·\widetilde{b_2}-\langle b_4,\widetilde{b_1}\rangle /\left|\right|\widetilde{b_1}|{|}^2·\widetilde{b_1}\hfill \\ \hfill & =\widetilde{b_4}.\hfill \end{array}$$

From the above deduction, we can conclude that ${b_i}^{″}=\widetilde{b_i}(i=1,2,3,4)$, indicating that applying the LLL algorithm to the lattice basis matrix with block partitioning and sequential combination yields results consistent with directly applying the LLL algorithm to the entire matrix. When the rank of the lattice basis matrix increases, the number of lattice bases that need to be reduced also increases. However, fundamentally, the same block partitioning concept and computational steps are used. Therefore, this approach can be extended to the case of rank n.    □

3.2. Rounding Algorithm

At PKC 2014, Bi et al. [22] proposed a rounding algorithm. This algorithm simplifies the row vectors through elementary row operations, ensuring that each non-diagonal element in the matrix is smaller than the corresponding diagonal element in its column. It is guaranteed to reduce the size of elements when the matrix dimension is unchanged, aiming to shorten the running time in the subsequent execution of the LLL algorithm. See Algorithm 4 for more details.

Algorithm 4: Improved Coppersmith Algorithm Based on Rounding

Input: A univariate degree d monic polynomial $f\left(x\right)$ with modulus N, parameter $\beta ,\epsilon ,m,X$. Output: All $x_0\in Z$ such that $\left|x_0\right|\le N^{\frac{1}{\delta }}$ and $f\left(x_0\right)\equiv 0modN$.    1: Choose $\beta =1,\epsilon =\frac{\beta }{7},m=⌈\frac{{\beta }^2}{d\epsilon }⌉$.    2: Compute polynomials $g_{i,j}\left(x\right)=x^j·N^{m-i}·f{\left(x\right)}^i,i=0,\dots ,m-1,j=0,\dots ,d-1$.    3: Compute $X=⌈\frac{1}{2}{N}^{\frac{{\beta }^2}{d}-\epsilon }⌉$, where X is the bound of ${\mathrm{x}}_0$.    4: Build the $n\times n$ matrix B, the rows of which are the $g\left(xX\right)$ coefficients.    5: for $i=n-2$ to 0 do    6:     for $j=i+1$ to $n-1$ do    7:         $CO=⌊\left(B\left[j,i\right]/B\left[i,i\right]\right)⌋$.    8:         $B\left[j\right]=B\left[j\right]-CO·B\left[i\right]$.    9:     end for   10: end for   11: Apply the LLL algorithm to the lattice basis B. Let v be the shortest vector in the LLL-reduced basis. The vector v is the coefficient vector of some polynomial; then, construct $g\left(x\right)$ from v.   12: Find the set R of all roots of $g\left(x\right)$ over the integers using standard methods. For every root $x_0\in R$, check whether $gcd\left(N,f\left(x_0\right)\right)\ge N^{\beta }$. If this condition is not satisfied, remove $x_0$ from R.   13: Return R.

The lattice basis matrix constructed using the Coppersmith algorithm is a lower triangular matrix, with all elements in the upper right corner being zero. Consequently, the algorithm is designed to operate from the lower right corner to the upper left corner of the matrix. This transformation process preserves the main diagonal elements and does not alter the determinant of the matrix, ensuring the correctness of subsequent computations.

3.3. Improved Coppersmith Algorithm

Wang et al. [23] introduced an improved algorithm in 2021 that combines the structural characteristics and element properties of the lattice basis matrix in the Coppersmith algorithm. By iteratively extracting common factors from the row vectors of different blocks in the lattice basis matrix, the solving time of the Coppersmith algorithm is effectively reduced. Furthermore, they demonstrated the compatibility between the row common factor extraction algorithm and the rounding algorithm. The experimental results showed that the combined algorithm further improved the efficiency of the Coppersmith algorithm. The key distinction of this work is the proposal of an improved algorithm based on block preprocessing and its compatibility with the rounding algorithm. As described in Section 3.1, the constructed lattice basis matrix is first divided into blocks for preprocessing using the LLL algorithm; then, the remaining steps are carried out. Through testing on the same software platform and with the same parameter settings, the experimental results demonstrated that both the proposed improved algorithm with the rounding algorithm and the improved algorithm, as proposed by Wang et al., with the rounding algorithm correctly solve the problem. In terms of time efficiency, these two improved algorithms show consistent improvements over the original Coppersmith algorithm. In certain dimensions, the proposed algorithm in this work performs even better. Additionally, the proposed improved algorithm in this work does not require data exchanging during block preprocessing, as each block can be processed independently. This provides a method to support the Coppersmith algorithm in parallel. The following theorem provides a detailed introduction to the proposed improved algorithm and demonstrates its compatibility with the rounding algorithm, as outlined in Theorem 6.

Theorem 6.

After executing the block preprocessing algorithm on the Coppersmith matrix, the output matrix remains a lower triangular matrix, which does not affect the subsequent execution of the rounding algorithm.

Proof of Theorem 6. 

According to Algorithm 2, the initial Coppersmith matrix is a lower triangular matrix. Taking the construction of a Coppersmith matrix with a dimension of $9\times 9$ as an example from Section 3.1, utilizing the idea of block preprocessing, the constructed lattice basis matrix B can be divided into three matrices of dimension $3\times 9$. The vector form of the second block matrix is as follows.

$$\begin{array}{cccccccccc}{b}_4=(& a_{10}{N}^2& a_{11}X{N}^2& a_{12}{X}^2{N}^2& X^3{N}^2& 0& 0& 0& 0& 0)\\ b_5=(& 0& a_{10}X{N}^2& a_{11}{X}^2{N}^2& a_{12}{X}^3{N}^2& X^4{N}^2& 0& 0& 0& 0)\\ b_6=(& 0& 0& a_{10}{X}^2{N}^2& a_{11}{X}^3{N}^2& a_{12}{X}^4{N}^2& X^5{N}^2& 0& 0& 0)\end{array}$$

It can be seen that when applying the LLL algorithm to the above block during the reduction step $b_i\leftarrow b_i-{\mu }_{i,j}{b}_j$, vectors $b_4,b_5,b_6$ have zero elements in the later components. Since the reduction process proceeds from lower to upper, the computation results will not affect the form of the later components. However, it may change the portion of the earlier components of vectors $b_5$ and $b_6$, where the elements are zero. Due to the construction method of the Coppersmith algorithm, the non-zero elements in the vector of each row of the block matrices are N times the non-zero elements of the vector of the previous row, arranged in increasing order of row vector lengths. Therefore, the swapping step is not affected. After executing the LLL algorithm, the matrix can still maintain the aforementioned stepped structure. Similarly, for each subsequent block, as the dimension of the matrix increases, the number of non-zero elements in the vectors increases accordingly. However, during the reduction process, the calculation formulae between the elements remain the same, and the execution order remains unchanged. Therefore, each block retains its stepped structure after executing the LLL algorithm. When combining all the blocks in order, the resulting matrix remains a lower triangular matrix, ensuring that the subsequent execution of the rounding algorithm is not affected.    □

The rounding algorithm is essentially a row-equivalent transformation, representing the original lattice matrix. Thus, the transformation does not impact the correctness of the final result. Combining it with the block preprocessing algorithm enhances the solving efficiency of the Coppersmith algorithm. This integration leads to the development of the improved Coppersmith algorithm, as presented in Algorithm 5.

Algorithm 5: Improved Coppersmith Algorithm Based on Block Preprocessing and Rounding

Input: A univariate degree d monic polynomial $f\left(x\right)$ with modulus N, parameter $\beta ,\epsilon ,m,X$. Output: All $x_0\in Z$ such that $\left|x_0\right|\le N^{\frac{1}{\delta }}$ and $f\left(x_0\right)\equiv 0modN$.    1: Choose $\beta =1,\epsilon =\frac{\beta }{7},m=⌈\frac{{\beta }^2}{d\epsilon }⌉$.    2: Compute polynomials $g_{i,j}\left(x\right)=x^j·N^{m-i}·f{\left(x\right)}^i,i=0,\dots ,m-1,j=0,\dots ,d-1$.    3: Compute $X=⌈\frac{1}{2}{N}^{\frac{{\beta }^2}{d}-\epsilon }⌉$, where X is the bound of ${\mathrm{x}}_0$.    4: Build the $n\times n$ matrix B, the rows of which are the $g\left(xX\right)$ coefficients.    5: for $i=1$ to m do    6:     $B_i=B[d·(i-1):d·i]$.    7:     Applying the LLL algorithm on each block matrix $B_i$ produces ${B_i}^{\prime }$.    8: end for    9: Combine $B^{\prime }=\left({B_1}^{\prime }\Vert {B_2}^{\prime }\Vert \dots \Vert {B_m}^{\prime }\right)$ in order.   10: for $i=n-2$ to 0 do   11:     for $j=i+1$ to $n-1$ do   12:         $CO=⌊\left(B\left[j,i\right]/B\left[i,i\right]\right)⌋$.   13:         $B\left[j\right]=B\left[j\right]-CO·B\left[i\right]$.   14:     end for   15: end for   16: Apply the LLL algorithm to the lattice basis B. Let v be the shortest vector in the LLL-reduced basis. The vector v is the coefficient vector of some polynomial; then, construct $g\left(x\right)$ from v.   17: Find the set R of all roots of $g\left(x\right)$ over the integers using standard methods. For every root $x_0\in R$, check whether $gcd\left(N,f\left(x_0\right)\right)\ge N^{\beta }$. If this condition is not satisfied, remove $x_0$ from R.   18: Return R.

4. Experiments and Analysis

To verify the solving efficiency of the improved Coppersmith algorithm, simulation experiments were conducted on the proposed and comparative algorithms. The simulations were performed using a computer with the following configuration:

• RAM: 32 GB;
• CPU: 12th Gen Intel(R) Core(TM) i7-12700H 2.30 GHz;
• Operating System: Ubuntu 20.04.5 (64-bit).

The simulation experiments were conducted using SageMath 9.0 software, each experiment was conducted during the same time period and network environment. The following five algorithms were included:

• Algorithm2(Alg.2): the original Coppersmith algorithm [12];
• Algorithm3(Alg.3): the improved Coppersmith algorithm based on the block preprocessing algorithm;
• Algorithm4(Alg.4): the improved Coppersmith algorithm based on the rounding algorithm [22];
• Algorithm5(Alg.5): the improved Coppersmith algorithm based on the block preprocessing and rounding algorithm;
• Algorithm6(Alg.6): the improved Coppersmith algorithm based on the row common factor extraction algorithm and rounding algorithm [23].

Referring to the problem described in reference [27] and the commonly used RSA algorithm parameters in practical applications, we selected a polynomial equation with a degree of 3 and a modulus of 2048 bits for the experiments. We then constructed the corresponding Coppersmith matrix using parameters $m=8,9,\dots ,19,20$ to solve the small roots of the equation. All experiments were able to correctly solve the problem. We performed 10 experiments for each parameter and calculated the average solving time. The results are shown in Table 1, with the time measured in seconds. We compared the performance of the algorithm with the following five aspects:

• Property1(Prop.1): the performance improvement in Algorithm 3 compared to Algorithm 2;
• Property2(Prop.2): the performance improvement in Algorithm 4 compared to Algorithm 2;
• Property3(Prop.3): the performance improvement in Algorithm 5 compared to Algorithm 2;
• Property4(Prop.4): the performance improvement in Algorithm 5 compared to Algorithm 4;
• Property5(Prop.5): the performance improvement in Algorithm 6 compared to Algorithm 2.

The experimental results in Table 1 demonstrate that the proposed improved Coppersmith algorithm, based on block preprocessing, enhances the solving efficiency of the algorithm to a certain extent. Compared to the original Coppersmith algorithm, it achieves a maximum improvement of 8.1% (when $m=20$) and an average improvement of 5.6%. When combined with the rounding algorithm, the improved Coppersmith algorithm exhibits a maximum improvement of 22.4% (when $m=10$) and an average improvement of 18.0% over the original algorithm. Furthermore, compared to using the rounding algorithm alone, it achieves a maximum improvement of 12.1% and an average improvement of 7.2%. In comparison to the improved Coppersmith algorithm proposed by Wang et al. in 2021, the average improvement of this proposed algorithm is consistent at 17.1%, even surpassing it in cases with matrix dimensions of 30, 36, and 45.

Table 1. Comparison of experimental results from different algorithms. Average execution time (seconds) for 10 runs of each algorithm.

m	Alg. 2	Alg. 3	Alg. 4	Alg. 5	Alg. 6	Prop. 1	Prop. 2	Prop. 3	Prop. 4	Prop. 5
8	8.79	8.16	7.85	7.30	7.17	7.2%	10.7%	17.0%	7.0%	18.4%
9	18.01	17.07	16.06	14.94	14.85	5.2%	10.8%	17.0%	7.0%	17.5%
10	35.67	33.19	30.44	27.68	28.31	7.0%	14.7%	22.4%	9.1%	20.6%
11	65.52	62.35	56.37	50.94	51.16	4.8%	14.0%	22.3%	9.6%	21.9%
12	108.33	102.50	96.05	84.42	87.15	5.4%	11.3%	22.1%	12.1%	19.6%
13	174.74	163.68	156.28	137.74	139.44	6.3%	10.6%	21.2%	11.9%	20.2%
14	279.86	264.58	251.47	227.26	228.10	5.5%	10.1%	18.8%	9.6%	18.5%
15	457.45	420.68	393.85	384.15	399.78	8.0%	13.9%	16.0%	2.5%	12.6%
16	655.06	633.84	572.97	543.31	547.18	3.2%	12.5%	17.1%	5.2%	16.5%
17	976.39	938.30	847.44	821.70	826.47	3.9%	13.2%	15.8%	3.0%	15.4%
18	1452.16	1396.65	1311.77	1173.08	1198.52	3.8%	9.7%	19.2%	10.6%	17.5%
19	1973.83	1897.81	1757.55	1702.86	1709.87	3.9%	11.0%	13.7%	3.1%	13.4%
20	2724.54	2504.61	2457.98	2399.13	2438.76	8.1%	9.8%	11.9%	2.4%	10.5%

Table 1. Comparison of experimental results from different algorithms. Average execution time (seconds) for 10 runs of each algorithm.

m	Alg. 2	Alg. 3	Alg. 4	Alg. 5	Alg. 6	Prop. 1	Prop. 2	Prop. 3	Prop. 4	Prop. 5
8	8.79	8.16	7.85	7.30	7.17	7.2%	10.7%	17.0%	7.0%	18.4%
9	18.01	17.07	16.06	14.94	14.85	5.2%	10.8%	17.0%	7.0%	17.5%
10	35.67	33.19	30.44	27.68	28.31	7.0%	14.7%	22.4%	9.1%	20.6%
11	65.52	62.35	56.37	50.94	51.16	4.8%	14.0%	22.3%	9.6%	21.9%
12	108.33	102.50	96.05	84.42	87.15	5.4%	11.3%	22.1%	12.1%	19.6%
13	174.74	163.68	156.28	137.74	139.44	6.3%	10.6%	21.2%	11.9%	20.2%
14	279.86	264.58	251.47	227.26	228.10	5.5%	10.1%	18.8%	9.6%	18.5%
15	457.45	420.68	393.85	384.15	399.78	8.0%	13.9%	16.0%	2.5%	12.6%
16	655.06	633.84	572.97	543.31	547.18	3.2%	12.5%	17.1%	5.2%	16.5%
17	976.39	938.30	847.44	821.70	826.47	3.9%	13.2%	15.8%	3.0%	15.4%
18	1452.16	1396.65	1311.77	1173.08	1198.52	3.8%	9.7%	19.2%	10.6%	17.5%
19	1973.83	1897.81	1757.55	1702.86	1709.87	3.9%	11.0%	13.7%	3.1%	13.4%
20	2724.54	2504.61	2457.98	2399.13	2438.76	8.1%	9.8%	11.9%	2.4%	10.5%

The block preprocessing algorithm in our method supports independent execution without data exchange, making it suitable for taking advantage of multiprocessing in scenarios involving a high degree of modular polynomial equations and a large number of blocks. For example, when analyzing the RSA algorithm with a large encryption index, it can be divided into several large dimensional blocks, and each block can be calculated in parallel without affecting each other, which may not only save the solving time of the LLL algorithm but also achieve the purpose of reducing the size of matrix elements, thus reducing the solving time of the Coppersmith algorithm. This provides a new perspective for implementing the parallel computation of the Coppersmith algorithm, facilitates parallel execution, and provides valuable insights.

In addition, during the experimental process, this study also attempted to present two heuristic algorithms:

• Heuristic Algorithm 1: In an effort to enhance the Coppersmith algorithm, based on row common factor extraction proposed by Wang et al. in 2021, this study integrates it with the block preprocessing algorithm. The lattice basis matrix is first subjected to the block preprocessing algorithm, followed by the execution of the rounding algorithm and subsequent row common factor extraction. However, during testing, it was observed that although the combined algorithm successfully obtains accurate results, it does not noticeably reduce the overall solving time of the Coppersmith algorithm. The solving time is nearly equivalent to that of combining the rounding algorithm and the row common factor extraction algorithm. This can be attributed to the fact that the block preprocessing algorithm already reduces the matrix element scale significantly, taking additional steps to further reduce it less impactful.
• Heuristic Algorithm 2: We attempted to place the rounding algorithm before the block preprocessing algorithm. By applying an equivalence transformation prior to block preprocessing, accurate results are obtained. However, it does not lead to a reduction in the solving time of the algorithm. The difference lies in Algorithm 5 proposed in this paper, which firstly pretreats each matrix using the block LLL algorithm and reduces each matrix to its simplest form. At this point, the rounding algorithm is used to transform the whole matrix from the lower-right corner to the upper-left corner, potentially achieving a reduction in the size of matrix elements to the greatest extent. On the contrary, if the constructed Coppersmith matrix is rounded, then LLL partitioning is performed. Although this process reduces the element size to a certain extent, it does not reflect the advantage of the block LLL algorithm in reducing the matrix to a simpler one; that is, the overall solving time of the algorithm is increased.

5. Conclusions

The proposed improved Coppersmith algorithm, based on the block preprocessing algorithm, effectively reduces the solving time of the algorithm. It also demonstrates compatibility with the rounding algorithm proposed by Bi et al. in 2014 [22]. This combination further enhances the efficiency of the Coppersmith algorithm. The experimental results show that the combined algorithm almost performs as equally well as the improved algorithm based on row common factor extraction proposed by Wang et al. in 2021 [23]. In fact, in certain dimensions, the algorithm proposed in this study exhibits even superior performance.

In practical applications, as the RSA encryption exponent increases, the degree of the corresponding modular polynomial equations also increases. Consequently, the dimensions of the resulting block matrices also increase. To ensure accurate solutions, it is necessary to choose larger parameters for constructing the lattice basis matrix, which, in turn, leads to a larger number of blocks. In such cases, the computational advantage of utilizing multiple processes in parallel can be harnessed. By parallelizing the proposed improved Coppersmith algorithm, which combines block preprocessing with the rounding algorithm, the solving time of the algorithm can be effectively reduced. Currently, the optimization of the Coppersmith algorithm can be explored in two directions. First, improvements can be made in constructing the lattice basis matrix by enhancing the polynomials used. Second, more-efficient LLL algorithms can be considered as replacements in the reduction process. Many aspects of the algorithm still require further research and investigation.