A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Finding Small Roots of Univariate Modular Equations Revisited
Proceedings of the 6th IMA International Conference on Cryptography and Coding
Approximate Integer Common Divisors
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much?
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Finding a small root of a univariate modular equation
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Finding a small root of a bivariate integer equation; factoring with high bits known
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Solving generalized small inverse problems
ACISP'10 Proceedings of the 15th Australasian conference on Information security and privacy
Fully homomorphic encryption over the integers with shorter public keys
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Maximizing small root bounds by linearization and applications to small secret exponent RSA
PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
Fully homomorphic encryption over the integers
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
A unified framework for small secret exponent attack on RSA
SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
Cryptanalysis of RSA with private key d less than N0.292
IEEE Transactions on Information Theory
Cryptanalysis of short RSA secret exponents
IEEE Transactions on Information Theory
| Hi-index | 0.00 |
We show a relation between optimal bounds of a small inverse problem and an approximate GCD problem. First, we present a lattice based method to solve small inverse problems with higher degree. The problem is a natural extension of small secret exponent attack on RSA cryptosystem introduced by Boneh and Durfee. They reduced this attack to solving a bivariate modular equation: $x(A+y) \equiv 1 \pmod{e}$, where A is a given integer and e is a public exponent. They proved that the problem can be solved in polynomial time when d≤N0.292. In this paper, we extend the Boneh---Durfee's result to more general problem. For a monic polynomial h(y) of degree κ(≥1), integers C and e, we want to find all small roots of a bivariate modular equation: $xh(y)+C \equiv 0 \pmod{e}$. We denote by X and Y the upper bound of roots. We present an algorithm for solving the problem and prove that the problem can be solved in polynomial time if $\gamma \leq 1-\sqrt{\kappa \alpha}$ and |C| is small enough, where X=eγ and Y=eα. We employ a similar approach as unravelled linearization technique introduced by Herrmann and May in especially evaluating the lattice volume. Interestingly, our algorithm does not rule out the case of C=0, which implies that our algorithm can solve a univariate unknown modular equation $h(y) \equiv 0 \pmod{p}$, where p is unknown. Our algorithm achieves the best bound in the literature. Then, we show that our obtained bound is natural under the similar sense of Howgrave-Graham's discussion in CaLC2001 and we prove that our bound, including Boneh---Durfee's bound, is optimal under the reasonable assumption.