Abstract
We show a relation between optimal bounds of a small inverse problem and an approximate GCD problem. First, we present a lattice based method to solve small inverse problems with higher degree. The problem is a natural extension of small secret exponent attack on RSA cryptosystem introduced by Boneh and Durfee. They reduced this attack to solving a bivariate modular equation: \(x(A+y) \equiv 1 \pmod{e}\), where A is a given integer and e is a public exponent. They proved that the problem can be solved in polynomial time when d ≤ N 0.292. In this paper, we extend the Boneh–Durfee’s result to more general problem. For a monic polynomial h(y) of degree κ( ≥ 1), integers C and e, we want to find all small roots of a bivariate modular equation: \(xh(y)+C \equiv 0 \pmod{e}\). We denote by X and Y the upper bound of roots. We present an algorithm for solving the problem and prove that the problem can be solved in polynomial time if \(\gamma \leq 1-\sqrt{\kappa \alpha}\) and |C| is small enough, where X = e γ and Y = e α. We employ a similar approach as unravelled linearization technique introduced by Herrmann and May in especially evaluating the lattice volume. Interestingly, our algorithm does not rule out the case of C = 0, which implies that our algorithm can solve a univariate unknown modular equation \(h(y) \equiv 0 \pmod{p}\), where p is unknown. Our algorithm achieves the best bound in the literature. Then, we show that our obtained bound is natural under the similar sense of Howgrave-Graham’s discussion in CaLC2001 and we prove that our bound, including Boneh–Durfee’s bound, is optimal under the reasonable assumption.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Boneh, D., Durfee, G.: Cryptanalysis of RSA with private key d less than n 0.292. IEEE Transactions on Information Theory 46(4), 1339–1349 (2000)
Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
Coppersmith, D.: Finding a Small Root of a Univariate Modular Equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)
Coron, J.-S., Mandal, A., Naccache, D., Tibouchi, M.: Fully Homomorphic Encryption over the Integers with Shorter Public Keys. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 487–504. Springer, Heidelberg (2011)
van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully Homomorphic Encryption over the Integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
Herrmann, M., May, A.: Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 487–504. Springer, Heidelberg (2009)
Herrmann, M., May, A.: Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 53–69. Springer, Heidelberg (2010)
Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
Howgrave-Graham, N.: Approximate Integer Common Divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001)
Kunihiro, N.: Solving Generalized Small Inverse Problems. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 248–263. Springer, Heidelberg (2010)
Kunihiro, N.: Solving generalized small inverse problems. IEICE Transactions E94-A(6), 1274–1284 (2011)
Kunihiro, N., Shinohara, N., Izu, T.: A Unified Framework for Small Secret Exponent Attack on RSA. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 260–277. Springer, Heidelberg (2012)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)
May, A.: New RSA Vulnerabilities Using Lattice Reduction Methods. Ph.D. thesis, University of Paderborn (2003)
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Wiener, M.J.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory 36(3), 553–558 (1990)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kunihiro, N. (2012). On Optimal Bounds of Small Inverse Problems and Approximate GCD Problems with Higher Degree. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-33383-5_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33382-8
Online ISBN: 978-3-642-33383-5
eBook Packages: Computer ScienceComputer Science (R0)