General Bounds for Small Inverse Problems and Its Applications to Multi-Prime RSA

Abstract

In 1999, Boneh and Durfee introduced small inverse problems which solve bivariate modular equations \(x(N+y)\equiv 1 \pmod {e}\). Sizes of solutions for \(x,y\) are bounded by \(X=N^{\delta }\) and \(Y=N^{\beta }\), respectively. They solved the problems for \( \beta ={1/2}\) in the context of small secret exponents attacks on RSA. They proposed a polynomial time algorithm which works when \( \delta <(7-2 \sqrt{7})/6 \approx {0.284}\), and further improved a bound to \( \delta <1-1/\sqrt{2}\approx {0.292}\). So far, small inverse problems for arbitrary \({\beta }\) have also been considered. Generalizations of Boneh and Durfee’s lattices to achieve the stronger bound provide the bound \( \delta <1-\sqrt{\beta }\). However, the algorithm works only when \( \beta \ge 1/4\). When \(0<\beta <1/4\), there have been several works which claimed the best bounds. In this paper, we revisit the problems for arbitrary \( \beta \). At first, we summarize the previous results for \(0<\beta <1/4\). We reveal that there are some results which are not valid and show that Weger’s algorithm provide the best bounds. Next, we propose an improved algorithm to solve the problem for \(0<\beta <1/4\). Our algorithm works when \( \delta <1-2(\sqrt{\beta (3+4 \beta )}-\beta )/3\). Our algorithm construction is based on the combinations of Boneh and Durfee’s two forms of lattices. This construction is more natural compared with previous works. In addition, we introduce an application of our result, small secret exponent attacks on Multi-Prime RSA with small primes differences.