Let [Formula: see text] be an RSA public key with private exponent [Formula: see text] where [Formula: see text] and [Formula: see text] are large primes of the same bit size. At Eurocrypt 96, Coppersmith presented a polynomial-time algorithm for finding small roots of univariate modular equations based on lattice reduction and then succussed to factorize the RSA modulus. Since then, a series of attacks on the key equation [Formula: see text] of RSA have been presented. In this paper, we show that many of such attacks can be unified in a single attack using a new notion called Coppersmith’s interval. We determine a Coppersmith’s interval for a given RSA public key [Formula: see text] The interval is valid for any variant of RSA, such as Multi-Prime RSA, that uses the key equation. Then we show that RSA is insecure if [Formula: see text] provided that we have approximation [Formula: see text] of [Formula: see text] with [Formula: see text] [Formula: see text] The attack is an extension of Coppersmith’s result.

中文翻译：

---

使用格的 RSA 私有指数攻击的统一方法

让 [Formula: see text] 是具有私有指数 [Formula: see text] 的 RSA 公钥，其中 [Formula: see text] 和 [Formula: see text] 是相同位大小的大素数。在 Eurocrypt 96 上，Coppersmith 提出了一种多项式时间算法，用于查找基于格约简的单变量模方程的小根，然后成功分解 RSA 模数。此后，针对RSA的密钥方程[公式：见正文]的一系列攻击相继出现。在本文中，我们展示了许多此类攻击可以使用一种称为 Coppersmith 区间的新概念统一为一次攻击。我们确定给定 RSA 公钥的 Coppersmith 区间 [公式：见正文] 该区间适用于使用密钥方程的任何 RSA 变体，例如 Multi-Prime RSA。然后我们证明 RSA 是不安全的，如果 [公式：