On Optimal Bounds of Small Inverse Problems and Approximate GCD Problems with Higher Degree

We show a relation between the optimal bounds of a small inverse problem and an approximate GCD problem. First, we present a lattice-based method for solving small inverse problems with higher degree. The problem is a natural extension of the small secret exponent attack on the RSA cryptosystem introduced by Boneh and Durfee. They reduced this attack to solving a bivariate modular equation $x(A+y) \equiv 1 \pmod{e}$, where $A$ is a given integer and $e$ is a public exponent, and proved that the problem can be solved in polynomial time when $d \leq N^{0.292}$. In this paper, we extend the Boneh–Durfee result to a more general problem. For a monic polynomial $h(y)$ of degree $\kappa$ ($\geq 1$) and integers $C$ and $e$, we want to find all small roots of the bivariate modular equation $xh(y)+C \equiv 0 \pmod{e}$. We denote by $X$ and $Y$ the upper bounds of the roots $x$ and $y$. We present an algorithm for solving the problem and prove that it runs in polynomial time if $\gamma \leq 1-\sqrt{\kappa \alpha}$ and $|C|$ is small enough, where $X = e^{\gamma}$ and $Y = e^{\alpha}$. In particular, when evaluating the lattice volume we employ an approach similar to the unravelled linearization technique introduced by Herrmann and May. Interestingly, our algorithm does not rule out the case $C=0$, which implies that it can also solve a univariate modular equation $h(y) \equiv 0 \pmod{p}$ with an unknown modulus $p$. Our algorithm achieves the best bound in the literature. Then, we show that the obtained bound is natural in a sense similar to Howgrave-Graham's discussion at CaLC 2001, and we prove that our bound, including the Boneh–Durfee bound, is optimal under a reasonable assumption.
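As an added worked example, not code from the paper (the abstract gives no implementation), the following Python shows the reduction the abstract builds on: a toy RSA key with a deliberately small private exponent is rewritten as an instance of $xh(y)+C \equiv 0 \pmod{e}$ with $h(y)=y+A$, $A=N+1$, $\kappa=1$, $x=-k$, $y=-(p+q)$ and $C=-1$, i.e. the Boneh–Durfee equation $x(A+y) \equiv 1 \pmod{e}$, and the exponents $\gamma$ and $\alpha$ are measured against the bound $1-\sqrt{\kappa\alpha}$. The primes, the choice of `d_min`, and all function names are constructed for illustration; no lattice reduction is performed, so this is the reduction step and the parameters of the bound, not the attack itself.

```python
"""Reduce small-secret-exponent RSA to the small inverse problem of the abstract.

Constructed toy instance (added example, not the paper's code). We build an RSA
key whose private exponent d is deliberately small, then rewrite the key equation
    e*d = 1 + k*phi(N)            with phi(N) = N + 1 - (p + q)
as the modular equation of the abstract, x*h(y) + C = 0 (mod e), with
    h(y) = y + A  (monic, degree kappa = 1),  A = N + 1,
    x = -k,  y = -(p + q),  C = -1,
which is exactly the Boneh--Durfee equation x*(A + y) = 1 (mod e).  We then
measure gamma = log_e |x|, alpha = log_e |y| and evaluate the abstract's bound
gamma <= 1 - sqrt(kappa * alpha).  No lattice reduction is done here: the point
is the reduction and the parameters over which the bound is stated.
"""
from math import gcd, isqrt, log, sqrt


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~10^6 toy primes used below."""
    if n < 2:
        return False
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return False
    return True


def eval_monic(coeffs: list[int], y: int) -> int:
    """Evaluate h(y) = y^kappa + c_{kappa-1} y^{kappa-1} + ... + c_0.

    `coeffs` holds c_0, ..., c_{kappa-1}; the leading coefficient is the
    implicit 1, so kappa = len(coeffs) >= 1 as in the abstract.
    """
    kappa = len(coeffs)
    return y**kappa + sum(c * y**i for i, c in enumerate(coeffs))


def is_small_inverse_root(x: int, y: int, coeffs: list[int], C: int, e: int) -> bool:
    """Check whether (x, y) is a root of x*h(y) + C = 0 (mod e)."""
    return (x * eval_monic(coeffs, y) + C) % e == 0


def toy_rsa_small_d(p: int, q: int, d_min: int):
    """RSA key with the smallest d >= d_min coprime to phi(N); returns (N, e, d, phi, k)."""
    assert is_prime(p) and is_prime(q) and p != q
    phi = (p - 1) * (q - 1)
    d = d_min
    while gcd(d, phi) != 1:
        d += 1
    e = pow(d, -1, phi)            # e*d = 1 (mod phi), Python >= 3.8
    k = (e * d - 1) // phi         # the integer k in e*d = 1 + k*phi
    assert e * d == 1 + k * phi and 0 < k < d   # k < d because e < phi
    return p * q, e, d, phi, k


def boneh_durfee_instance(p: int, q: int, d_min: int) -> dict:
    """Map a small-d RSA key to the small inverse instance and evaluate the bound."""
    N, e, d, phi, k = toy_rsa_small_d(p, q, d_min)
    A = N + 1                      # phi(N) = A - (p + q)
    coeffs = [A]                   # h(y) = y + A, kappa = 1
    x, y, C = -k, -(p + q), -1     # x*(A + y) - 1 = -k*phi - 1 = -e*d = 0 (mod e)
    assert is_small_inverse_root(x, y, coeffs, C, e)
    kappa = len(coeffs)
    gamma = log(abs(x)) / log(e)   # |x| = e^gamma, below log_e d
    alpha = log(abs(y)) / log(e)   # |y| = e^alpha, about 1/2 since p + q ~ sqrt(N) ~ sqrt(e)
    bound = 1 - sqrt(kappa * alpha)
    return {"N": N, "e": e, "d": d, "k": k, "A": A, "x": x, "y": y, "C": C,
            "kappa": kappa, "gamma": gamma, "alpha": alpha, "bound": bound,
            "within_bound": gamma <= bound}


if __name__ == "__main__":
    # Constructed primes near 10^6; d_min keeps d far below N^0.292 (about 3000 here).
    inst = boneh_durfee_instance(1000003, 1000033, 100)
    for key in ("N", "e", "d", "k", "gamma", "alpha", "bound", "within_bound"):
        print(f"{key:>12} = {inst[key]}")
```

Because $e < \varphi(N)$ forces $k < d$, the size of $x$ is governed by $d$, and since $e$ is of the same order as $N$ the exponent $\gamma$ plays the role of $\delta$ in $d \leq N^{\delta}$; with $\alpha \approx 1/2$ and $\kappa = 1$ the bound $1-\sqrt{\kappa\alpha}$ is the familiar $0.292$. Replacing `coeffs` by a longer list gives a monic $h(y)$ of higher degree, which is the generalisation the abstract studies.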

[1] Joseph H. Silverman et al. Cryptography and Lattices. 2001, Lecture Notes in Computer Science.

[2] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems. 1978, CACM.

[3] Henri Gilbert et al. Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings. 2010, EUROCRYPT.

[4] Jean-Sébastien Coron et al. Fully Homomorphic Encryption over the Integers with Shorter Public Keys. 2011, IACR Cryptol. ePrint Arch.

[5] Nick Howgrave-Graham et al. Finding Small Roots of Univariate Modular Equations Revisited. 1997, IMACC.

[6] Alexander May et al. New RSA vulnerabilities using lattice reduction methods. 2003.

[7] N. Kunihiro. Solving Generalized Small Inverse Problems. 2011.

[8] Craig Gentry et al. Fully Homomorphic Encryption over the Integers. 2010, EUROCRYPT.

[9] Don Coppersmith et al. Finding a Small Root of a Univariate Modular Equation. 1996, EUROCRYPT.

[10] Alexander May et al. Maximizing Small Root Bounds by Linearization and Applications to Small Secret Exponent RSA. 2010, Public Key Cryptography.

[11] Aggelos Kiayias et al. Polynomial Reconstruction Based Cryptography. 2001, Selected Areas in Cryptography.

[12] Don Coppersmith et al. Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. 1996, EUROCRYPT.

[13] Noboru Kunihiro et al. A Unified Framework for Small Secret Exponent Attack on RSA. 2011, Selected Areas in Cryptography.

[14] Colin Boyd et al. Cryptography and Coding. 1995, Lecture Notes in Computer Science.

[15] Information Security and Privacy. 1996, Lecture Notes in Computer Science.

[16] Alexander May et al. Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? 2009, ASIACRYPT.

[17] László Lovász et al. Factoring polynomials with rational coefficients. 1982.

[18] Ueli Maurer et al. Advances in Cryptology — EUROCRYPT ’96. 2001, Lecture Notes in Computer Science.

[19] Nick Howgrave-Graham et al. Approximate Integer Common Divisors. 2001, CaLC.

[20] Don Coppersmith et al. Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. 1997, Journal of Cryptology.

[21] Aggelos Kiayias et al. Multi-query Computationally-Private Information Retrieval with Constant Communication Rate. 2010, Public Key Cryptography.

[22] Benny Pinkas et al. Secure Two-Party Computation is Practical. 2009, IACR Cryptol. ePrint Arch.

[23] Michael J. Wiener et al. Cryptanalysis of Short RSA Secret Exponents (Abstract). 1990, EUROCRYPT.

[24] Elisabeth Oswald et al. A Comprehensive Evaluation of Mutual Information Analysis Using a Fair Evaluation Framework. 2011, CRYPTO.

[25] Dan Boneh et al. Cryptanalysis of RSA with private key d less than $N^{0.292}$. 2000, IEEE Trans. Inf. Theory.