The difficulty of factoring large integers into primes is the basis for cryptosystems such as RSA. Due to the widespread popularity of RSA, there have been many proposed attacks on the factorization problem such as side-channel attacks where some bits of the prime factors are available. When enough bits of the prime factors are known, two methods that are effective at solving the factorization problem are satisfiability (SAT) solvers and Coppersmith's method. The SAT approach reduces the factorization problem to a Boolean satisfiability problem, while Coppersmith's approach uses lattice basis reduction. Both methods have their advantages, but they also have their limitations: Coppersmith's method does not apply when the known bit positions are randomized, while SAT-based methods can take advantage of known bits in arbitrary locations, but have no knowledge of the algebraic structure exploited by Coppersmith's method. In this paper we describe a new hybrid SAT and computer algebra approach to efficiently solve random leaked-bit factorization problems. Specifically, Coppersmith's method is invoked by a SAT solver to determine whether a partial bit assignment can be extended to a complete assignment. Our hybrid implementation solves random leaked-bit factorization problems significantly faster than either a pure SAT or pure computer algebra approach.
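To show why leaked bits at arbitrary positions are enough to prune the search, the following added example (not code from the paper, and not its SAT plus Coppersmith hybrid) builds both factors from the least significant bit upward and discards any partial assignment whose product disagrees with N modulo 2^(k+1). This is a simplified stand-in for the consistency reasoning a SAT solver performs. The toy modulus, the 60% leak rate, the seed and all function names are assumptions constructed for illustration.

```python
import random

def leak_bits(value, nbits, fraction, rng):
    """Reveal a random subset of bit positions: {position: bit}."""
    positions = rng.sample(range(nbits), int(nbits * fraction))
    return {i: (value >> i) & 1 for i in positions}

def factor_with_leaked_bits(n, nbits, known_p, known_q):
    """Return (factor pairs, peak candidate count).

    Candidates are (p mod 2^k, q mod 2^k); both factors are odd, so bit 0 is 1.
    """
    cands, peak = [(1, 1)], 1
    for k in range(1, nbits):
        mask = (1 << (k + 1)) - 1
        # A leaked bit fixes the choice; an unknown bit branches on 0 and 1.
        p_bits = [known_p[k]] if k in known_p else [0, 1]
        q_bits = [known_q[k]] if k in known_q else [0, 1]
        nxt = []
        for p, q in cands:
            for bp in p_bits:
                for bq in q_bits:
                    p2, q2 = p | (bp << k), q | (bq << k)
                    # Prune: the low k+1 bits of p*q must match those of n.
                    if (p2 * q2) & mask == n & mask:
                        nxt.append((p2, q2))
        cands = nxt
        peak = max(peak, len(cands))
    return [(p, q) for p, q in cands if p * q == n], peak

# Constructed toy instance: two 16-bit primes, 60% of each leaked at random.
P, Q, NBITS = 65521, 65519, 16
N = P * Q
rng = random.Random(2024)
KNOWN_P = leak_bits(P, NBITS, 0.6, rng)
KNOWN_Q = leak_bits(Q, NBITS, 0.6, rng)

if __name__ == "__main__":
    blind, blind_peak = factor_with_leaked_bits(N, NBITS, {}, {})
    found, leak_peak = factor_with_leaked_bits(N, NBITS, KNOWN_P, KNOWN_Q)
    print("no leaked bits  : peak candidates", blind_peak)
    print("60% leaked bits : peak candidates", leak_peak, "->", found)
```

With no leaked bits the candidate set doubles at every bit position, which is the growth that partial key exposure removes and the reason leaked key bits must be treated as a compromise of the whole key.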