On Optimal Bounds of Small Inverse Problems and Approximate GCD Problems with Higher Degree

  • Noboru Kunihiro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7483)


We show a relation between the optimal bounds of a small inverse problem and an approximate GCD problem. First, we present a lattice-based method for solving small inverse problems with higher degree. The problem is a natural extension of the small secret exponent attack on the RSA cryptosystem introduced by Boneh and Durfee. They reduced this attack to solving a bivariate modular equation \(x(A+y) \equiv 1 \pmod{e}\), where A is a given integer and e is the public exponent, and proved that the problem can be solved in polynomial time when \(d \leq N^{0.292}\). In this paper, we extend Boneh and Durfee's result to a more general problem. For a monic polynomial h(y) of degree κ (≥ 1) and integers C and e, we want to find all small roots of the bivariate modular equation \(xh(y)+C \equiv 0 \pmod{e}\). We denote by X and Y the upper bounds of the roots. We present an algorithm for solving the problem and prove that it can be solved in polynomial time if \(\gamma \leq 1-\sqrt{\kappa \alpha}\) and |C| is small enough, where \(X = e^{\gamma}\) and \(Y = e^{\alpha}\). In evaluating the lattice volume in particular, we employ an approach similar to the unravelled linearization technique introduced by Herrmann and May. Interestingly, our algorithm does not rule out the case C = 0, which implies that it can solve a univariate modular equation \(h(y) \equiv 0 \pmod{p}\) with unknown modulus p. Our algorithm achieves the best bound in the literature. Then, we show that our bound is natural in a sense similar to Howgrave-Graham's discussion at CaLC 2001, and we prove that our bound, including Boneh and Durfee's bound, is optimal under a reasonable assumption.
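The unknown-modulus equation \(h(y) \equiv 0 \pmod{p}\) that the abstract singles out (the case C = 0) is, for κ = 1, Howgrave-Graham's approximate common divisor problem: N = pq is known, and a value within Y of the factor p is given. The Python below is an added worked example, not code from the paper and not the paper's algorithm: it builds the standard Howgrave-Graham lattice for a monic h(y) of degree κ, reduces it with a small exact-arithmetic LLL, recovers a 48-bit factor of a constructed N from an approximation of p that is off by up to Y = 2^12, and evaluates the exponent condition γ ≤ 1 − √(κα) quoted in the abstract. The function names, the lattice parameters m = 3 and t = 1, the two toy primes and the hidden offset 3001 are assumptions made for this example only; the worked instance is the degree-one case.

```python
# Added illustration, not code from the paper: Howgrave-Graham's lattice method for
# h(y) = 0 (mod p) with p an unknown divisor of N, plus the abstract's bound formula.
from fractions import Fraction
from math import gcd, sqrt

def pmul(a, b):  # polynomials are coefficient lists; index k holds the y^k coefficient
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return r

def peval(c, x):
    r = 0
    for coef in reversed(c):  # Horner's rule
        r = r * x + coef
    return r

def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))
def _gram_schmidt(B):
    n = len(B)
    Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = _dot(B[i], Bs[j]) / _dot(Bs[j], Bs[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lll(B, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; fine for the tiny lattices used here."""
    B = [list(row) for row in B]
    n, k = len(B), 1
    Bs, mu = _gram_schmidt(B)
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce row k; the b*_i do not change
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                mu[k][j] -= q
                for l in range(j):
                    mu[k][l] -= q * mu[j][l]
        if _dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * _dot(Bs[k - 1], Bs[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = _gram_schmidt(B)
            k = max(k - 1, 1)
    return B

def small_root_unknown_modulus(N, h, Y, m, t):
    """Roots y, |y| <= Y, of h(y) = 0 mod p for an unknown divisor p of N (h monic of degree
    kappa).  Rows y^j N^(m-i) h^i (i < m, j < kappa) and y^j h^m (j <= t) vanish mod p^m at
    the root; after scaling y -> Y*y and LLL, the shortest vector vanishes there over Z."""
    kappa, n = len(h) - 1, (len(h) - 1) * m + t + 1
    polys, hpow = [], [1]
    for i in range(m):
        polys += [pmul([0] * j + [N ** (m - i)], hpow) for j in range(kappa)]
        hpow = pmul(hpow, h)  # h^(i+1)
    polys += [pmul([0] * j + [1], hpow) for j in range(t + 1)]
    basis = [[(g + [0] * n)[k] * Y ** k for k in range(n)] for g in polys]
    c = [v // Y ** k for k, v in enumerate(lll(basis)[0])]  # exact: entry k is a multiple of Y^k
    # Toy root finder: for Y = 2^12 a scan of [-Y, Y] is instant (a real attack would call an
    # integer root-finding routine); keep only roots that expose a proper factor of N.
    return [y for y in range(-Y, Y + 1) if peval(c, y) == 0 and 1 < gcd(peval(h, y), N) < N]

def kunihiro_bound(kappa, alpha):
    """Condition from the abstract: with X = e^gamma and Y = e^alpha the roots are found
    when gamma <= 1 - sqrt(kappa*alpha); kappa = 1, alpha = 1/2 gives Boneh-Durfee's 0.292."""
    return 1 - sqrt(kappa * alpha)

def is_prime(n):
    """Miller-Rabin; with these fixed bases it is deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x, r = pow(a, d, n), 0
        while x not in (1, n - 1) and r < s - 1:
            x, r = x * x % n, r + 1
        if x != n - 1 and (x != 1 or r):  # a witnesses compositeness
            return False
    return True

# Constructed toy instance (kappa = 1): N = p*q, ~48-bit primes from arbitrary start values.
P_TRUE = next(p for p in range(0xD1E50A7B3C9F, 2**48) if is_prime(p))
Q_TRUE = next(q for q in range(0xA3B79D215F0E, 2**48) if is_prime(q))
N_TOY = P_TRUE * Q_TRUE
Y_TOY, Y0_TOY = 2**12, 3001   # bound on the error, and the actual (hidden) error
H_TOY = [P_TRUE - Y0_TOY, 1]  # h(y) = p_approx + y, so h(Y0_TOY) = p

def recover_factor():
    """Map each recovered root y to gcd(h(y), N); the expected result is {Y0_TOY: P_TRUE}."""
    roots = small_root_unknown_modulus(N_TOY, H_TOY, Y_TOY, m=3, t=1)
    return {y: gcd(peval(H_TOY, y), N_TOY) for y in roots}
```

Calling `recover_factor()` returns the single root 3001 paired with p, and `kunihiro_bound(1, 0.5)` returns 0.2929, the Boneh–Durfee exponent. For these sizes the lattice determinant is N^6·Y^10 in dimension 5, so Howgrave-Graham's norm condition ‖c(yY)‖ < p^3/√5 holds even for the worst-case LLL output, which is why the integer scan is guaranteed to find the root; for larger κ, or for p a smaller fraction of N, a larger m (and a proper LLL implementation) is needed before the bound becomes reachable.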


Keywords: RSA cryptosystem, LLL algorithm, small inverse problem, approximate GCD problem




References

1. Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than N^0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)
2. Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
3. Coppersmith, D.: Finding a Small Root of a Univariate Modular Equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
4. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)
5. Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully Homomorphic Encryption over the Integers with Shorter Public Keys. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011)
6. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully Homomorphic Encryption over the Integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
7. Herrmann, M., May, A.: Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 487–504. Springer, Heidelberg (2009)
8. Herrmann, M., May, A.: Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)
9. Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
10. Howgrave-Graham, N.: Approximate Integer Common Divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001)
11. Kunihiro, N.: Solving Generalized Small Inverse Problems. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 248–263. Springer, Heidelberg (2010)
12. Kunihiro, N.: Solving generalized small inverse problems. IEICE Transactions E94-A(6), 1274–1284 (2011)
13. Kunihiro, N., Shinohara, N., Izu, T.: A Unified Framework for Small Secret Exponent Attack on RSA. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 260–277. Springer, Heidelberg (2012)
14. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)
15. May, A.: New RSA Vulnerabilities Using Lattice Reduction Methods. Ph.D. thesis, University of Paderborn (2003)
16. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
17. Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Noboru Kunihiro, The University of Tokyo, Japan
