Abstract

We show a relation between the optimal bounds of a small inverse problem and an approximate GCD problem. First, we present a lattice-based method to solve small inverse problems of higher degree. The problem is a natural extension of the small secret exponent attack on the RSA cryptosystem introduced by Boneh and Durfee. They reduced this attack to solving a bivariate modular equation: $x(A+y) \equiv 1 \pmod{e}$, where $A$ is a given integer and $e$ is a public exponent. They proved that the problem can be solved in polynomial time when $d \leq N^{0.292}$. In this paper, we extend the Boneh-Durfee result to a more general problem. For a monic polynomial $h(y)$ of degree $\kappa$ ($\geq 1$) and integers $C$ and $e$, we want to find all small roots of a bivariate modular equation: $xh(y)+C \equiv 0 \pmod{e}$. We denote by $X$ and $Y$ the upper bounds on the roots. We present an algorithm for solving the problem and prove that the problem can be solved in polynomial time if $\gamma \leq 1-\sqrt{\kappa \alpha}$ and $|C|$ is small enough, where $X=e^{\gamma}$ and $Y=e^{\alpha}$. We employ an approach similar to the unravelled linearization technique introduced by Herrmann and May, especially in evaluating the lattice volume. Interestingly, our algorithm does not rule out the case $C=0$, which implies that it can solve a univariate modular equation $h(y) \equiv 0 \pmod{p}$ whose modulus $p$ is unknown. Our algorithm achieves the best bound in the literature. Then, we show that the bound we obtain is natural in a sense similar to Howgrave-Graham's discussion at CaLC 2001, and we prove that our bound, including the Boneh-Durfee bound, is optimal under a reasonable assumption.
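The following is an added example, not code from the paper: it maps an RSA key to the small inverse instance $x(A+y) \equiv 1 \pmod{e}$ using $ed = 1 + k\varphi(N)$ with $A = N+1$, $x = -k$, $y = -(p+q)$, and tests the abstract's condition $\gamma \leq 1-\sqrt{\kappa\alpha}$ for $\kappa = 1$, as a key-generation audit might. The toy primes and all function names are assumptions made for illustration, and $\gamma$, $\alpha$ are measured from the actual root sizes relative to $e$.

```python
from math import gcd, log, sqrt

# Constructed toy primes (far too small for real use): 2^32 - 5 and 2^31 - 1.
P, Q = 2**32 - 5, 2**31 - 1

def gamma_limit(alpha, kappa=1):
    """Right-hand side of the abstract's condition: 1 - sqrt(kappa * alpha)."""
    return 1 - sqrt(kappa * alpha)

def small_inverse_instance(p, q, d):
    """Return (e, A, x, y) such that x * (A + y) = 1 (mod e) for this key."""
    n, phi = p * q, (p - 1) * (q - 1)
    if d <= 1 or gcd(d, phi) != 1:
        raise ValueError("d must be > 1 and invertible modulo phi(N)")
    e = pow(d, -1, phi)
    k = (e * d - 1) // phi      # e*d = 1 + k*phi(N) holds exactly
    A = n + 1                   # computable from the public modulus
    x, y = -k, -(p + q)         # secret root; note A + y = phi(N)
    return e, A, x, y

def in_stated_regime(e, x, y, kappa=1):
    """True if the root sizes satisfy gamma <= 1 - sqrt(kappa * alpha)."""
    gamma = log(abs(x)) / log(e)    # |x| = e^gamma
    alpha = log(abs(y)) / log(e)    # |y| = e^alpha
    return gamma <= gamma_limit(alpha, kappa)

if __name__ == "__main__":
    phi = (P - 1) * (Q - 1)
    # First key: deliberately small d. Second key: the d paired with e = 65537.
    for d in (65537, pow(65537, -1, phi)):
        e, A, x, y = small_inverse_instance(P, Q, d)
        assert (x * (A + y)) % e == 1
        verdict = "inside" if in_stated_regime(e, x, y) else "outside"
        print(f"d has {d.bit_length()} bits, e has {e.bit_length()} bits: "
              f"{verdict} the stated regime")
    # kappa = 1 and alpha = 1/2 (balanced primes, e close to N) give the
    # exponent 0.292 quoted for the Boneh-Durfee case.
    print(f"1 - sqrt(1/2) = {gamma_limit(0.5):.4f}")
```
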
