Solving Generalized Small Inverse Problems


Noboru Kunihiro, The University of Tokyo, Japan

Abstract. We introduce a generalized small inverse problem (GSIP) and present an algorithm for solving this problem. GSIP is formulated as finding small solutions of $f(x_0, x_1, \ldots, x_n) = x_0 h(x_1, \ldots, x_n) + C = 0 \pmod M$ for an $n$-variate polynomial $h$ and non-zero integers $C$ and $M$. Our algorithm is based on the lattice-based Coppersmith technique. We provide a strategy for constructing a lattice basis for solving $f = 0$, which is systematically transformed from a lattice basis for solving $h = 0$. Then, we derive, in explicit form, an upper bound such that the target problem can be solved in time polynomial in $\log M$. Since GSIPs include some RSA-related problems, our algorithm is applicable to them. For example, the small secret exponent attack by Boneh and Durfee is re-found automatically. This is the full version of [13].

Keywords: LLL algorithm, small inverse problem, RSA, lattice-based cryptanalysis

1 Introduction

Since the seminal work of Coppersmith [3-5], many cryptanalyses have been proposed using his technique, which is based on the LLL algorithm. The first typical application is the small secret exponent attack on RSA proposed by Boneh and Durfee [2]. The second is the proof of deterministic polynomial time equivalence between computing the RSA secret key and factoring [6, 16].

In RSA [18], a small secret exponent $d$ is commonly used to speed up decryption or signature generation. In 1990, Wiener showed that when $d < \frac{1}{3} N^{1/4}$, the RSA modulus $N$ can be factored in polynomial time [20]. Then, in 1999, Boneh and Durfee [2] improved Wiener's bound to $d < N^{0.284}$. Furthermore, they proved that $N$ can be factored in polynomial time when $d < N^{0.292}$. In their attack, lattice reduction algorithms such as the LLL algorithm [14] play an important role. Let us briefly describe their attack. First, they reduce the small secret exponent attack to solving a bivariate modular equation $x(A + y) = 1 \pmod e$, where $A$ is a given integer and the solution $(x, y) = (\bar{x}, \bar{y})$ satisfies $|\bar{x}| 
< e^{\delta}$ and $|\bar{y}| < e^{1/2}$. They referred to this problem as the small inverse problem. Then, they proposed a polynomial time algorithm for solving this problem and obtained the condition on $\delta$ under which the algorithm outputs the solution. This leads to the weaker bound $d < N^{0.284}$ and the stronger bound $d < N^{0.292}$.

By extending their (weaker) algorithm, Durfee and Nguyen showed cryptanalysis of some variants of RSA with short secret exponent [7]. They proposed an algorithm for solving the trivariate modular equation $f(x, y, z) = x(A + y + z) + 1 = 0 \pmod e$ with the constraint $yz = N$. It is crucial in their algorithm how to handle the constraint $yz = N$. To do so, they introduced the so-called Durfee-Nguyen technique.

May (and Coron-May) proved that if the RSA secret key $d$ is revealed, the RSA modulus $N$ can be factored in deterministic polynomial time [6, 16]. We focus on Coron-May's proof [6] rather than May's original proof [16]. Consider a univariate modular equation $h(y) = A + y = 0 \pmod S$, where $S$ is an unknown divisor of a known positive integer $U$ and $A$ is a known positive integer. They showed a deterministic polynomial time algorithm which solves the equation for $S \geq U^{1/2}$, to prove that (balanced) RSA moduli $N$ can be factored deterministically when $d$ is revealed. They extended their result to the unbalanced RSA case [6]: they showed the condition under which the bivariate modular equation $h(y, z) = A + y + z = 0 \pmod S$ with the constraint $yz = N$ can be solved, where $S$ and $U$ are in the same setting as in the balanced RSA case.

1.1 Our Contribution

In this paper, we introduce the generalized small inverse problem (GSIP) for an $(n+1)$-variate equation. Let $f$ be the $(n+1)$-variate polynomial $f(x_0, x_1, \ldots, x_n) = x_0 h(x_1, \ldots, x_n) + C$ for an $n$-variate polynomial $h$ and a non-zero integer $C$. Let $M$ be a positive integer whose prime factors are unknown. Suppose that the solution of $f = 0 \pmod M$ satisfies $|x_0| < X_0, |x_1| < X_1, \ldots, |x_n| < X_n$ for fixed positive integers $X_0, X_1, \ldots, X_n$. Then, one wants to find the solution $(x_0, x_1, \ldots, x_n) = (\bar{x}_0, \bar{x}_1, \ldots, \bar{x}_n)$. Some cases may have constraints between the variables $x_1, \ldots, x_n$. When $C = 1$, the problem can be viewed as follows: given a function $h(x_1, x_2, \ldots, x_n)$, find small elements $(\bar{x}_1, \ldots, \bar{x}_n)$ such that the inverse of $h(\bar{x}_1, \bar{x}_2, \ldots, \bar{x}_n)$ modulo $M$ is small. So, we call this problem the generalized small inverse problem. The classical small

inverse problem [2] corresponds to $n = 1$, $h(x_1) = A + x_1$ and $C = 1$, where $A$ is a given integer. GSIP is not only a natural extension of the classical small inverse problem, but is also applicable to many RSA-related cryptanalyses. In this paper, we are concerned only with modular equations, not integer equations.

Second, we propose a polynomial time algorithm for solving this problem. Our algorithm is based on Coppersmith's approach [3] and has the following property in the lattice basis construction:

1. First, construct a lattice basis for solving $h(x_1, \ldots, x_n) = 0 \pmod p$, where $p$ is an unknown divisor of a known integer $N$.
2. Then, construct a lattice basis for $f(x_0, \ldots, x_n) = 0 \pmod M$ by employing the lattice basis for $h$.

We introduce 4 restrictions on a lattice for solving $h = 0$. Since many methods in the literature satisfy these restrictions, they are not too strong. Then, we propose a simple but effective compiler which transforms a lattice basis for $h = 0$ into one for $f = x_0 h + C = 0$ (Compiler). Our compiler works if the lattice for $h = 0$ satisfies the 4 restrictions. It gives good insight into the construction of a lattice basis for $f$. Our compiler is applicable to many kinds of cryptanalysis. For example, we can re-find Boneh-Durfee's small secret exponent attack on RSA [2] by using our compiler and the lattice employed in the proof of deterministic polynomial time equivalence [6]. That is, our compiler builds a bridge between these two works. As far as we know, this is the first time this kind of connection has been pointed out.

Our compiler is especially effective when one needs to construct a special type of lattice. Suppose that some variables have a constraint, e.g. $yz = N$. In this case, it is well known that the Durfee-Nguyen technique is effective [7]. If one can construct a good lattice for the $n$-variate equation $h = 0$ with the Durfee-Nguyen technique built in, one also has a good lattice for the $(n+1)$-variate equation $f = 0$ with the Durfee-Nguyen technique built in. In general, the more variables are involved, the harder the construction of a good lattice is. If one uses our compiler, one just constructs a lattice basis for $h$, not for $f$. Hence, one can more easily construct a good lattice basis for $f$.

Next, we obtain the upper bound on the solution such that the equation $f(x_0, x_1, \ldots, x_n) = 0 \pmod M$ is solvable in time polynomial in $\log M$ (but not in $n$) (Lemma 5 and Theorem 2). That is, letting the solution be $(\bar{x}_0, \ldots, \bar{x}_n)$ and $X_0, \ldots, X_n$ be positive integers, when $|\bar{x}_i| < X_i$ for each $i$, one can solve the problem in polynomial time. Deriving the $X_i$ needs no tedious computation. In particular, when $X_1, \ldots, X_n$ are fixed, one can easily obtain the upper bound $X_0$ on the solution.

In Boneh-Durfee's [2] and Durfee-Nguyen's analyses [7], tedious computations are needed. Furthermore, their computations are not applicable to other kinds of attacks. We generalize this kind of calculation to obtain an evaluation formula which is easy to use and covers many kinds of cryptanalysis, including Boneh-Durfee's. Hence, we provide another type of toolkit for (especially RSA-related) cryptanalysis, different from that of Blömer-May [1].

Our Strategies vs. General Strategies for Construction of Lattice Basis. It is well known that the shape of the Newton polytope of the polynomial to be solved is important. This was suggested by Coppersmith [4] and fully explained by Blömer and May in the case of bivariate integer equations [1]. For general polynomials, Jochemsz and May proposed general methods for the construction of an optimal lattice basis [11]. Although their method is general and effective, it cannot handle the case of constrained variables. Actually, when the Durfee-Nguyen technique is involved, their method could not generate a good lattice. Using our compiler, the Durfee-Nguyen technique is automatically involved in constructing the lattice for $f$ if it is involved in the lattice for $h$. Our compiler is especially effective for specific types of equations and is applicable to many kinds of RSA-related cryptanalysis.

1.2 Organization

Section 2 gives preliminaries. In Section 3, we show how to solve generalized small inverse problems. First, we introduce 4 restrictions on a lattice for solving $h = 0$. Then, we give a compiler which transforms a lattice basis for $h(x_1, \ldots, x_n) = 0$ into one for $f(x_0, x_1, \ldots, x_n) = x_0 h(x_1, \ldots, x_n) + C = 0$. In Section 4, we evaluate the volume of the lattice for $f$ and derive the condition among the upper bounds of the solutions. In Section 5, we discuss the application of our compiler to GSIP and give details of one application, the small secret exponent attack on RSA, which shows the effectiveness of our compiler. Section 6 concludes the paper. Some proofs are given in Appendix A. Some examples are given in Appendix B.

2 Preliminaries

2.1 Small Secret Exponent Attack on RSA [2]

Let $(N, e)$ be a public key in the RSA cryptosystem, where $N = pq$ is the product of two distinct primes. For simplicity, we assume that $\gcd(p - 1, q - 1) = 2$.

A secret key $d$ satisfies $ed = 1 \bmod (p-1)(q-1)/2$. Hence, there exists an integer $k$ such that $ed + k((N+1)/2 - (p+q)/2) = 1$. Writing $s = (p+q)/2$ and $A = (N+1)/2$, we have $k(A + s) = 1 \pmod e$. We set $f(x, y) = x(A + y) + 1$. If one can solve the bivariate modular equation $f(x, y) = x(A + y) + 1 = 0 \pmod e$, one has $k$ and $s$ and knows the prime factors $p$ and $q$ of $N$. Suppose that the secret key satisfies $d \leq N^{\delta}$. Further assume that $e \approx N$. To summarize, the secret key will be recovered by finding the solution $(x, y) = (\bar{x}, \bar{y})$ of the equation $x(A + y) = 1 \pmod e$, where $|\bar{x}| \leq e^{\delta}$ and $|\bar{y}| \leq e^{1/2}$. They referred to this as the small inverse problem. Boneh and Durfee gave an algorithm for solving this problem and obtained the condition on $\delta$ so that the algorithm works in polynomial time. Concretely, they showed that if $d \leq N^{0.284}$, $N$ can be factored in polynomial time. Furthermore, they improved the bound to $d \leq N^{0.292}$.

2.2 LLL Algorithm and Howgrave-Graham's Lemma

For a vector $b$, $\|b\|$ denotes the Euclidean norm of $b$. For an $n$-variate polynomial $h(x_1, \ldots, x_n) = \sum h_{j_1, \ldots, j_n} x_1^{j_1} \cdots x_n^{j_n}$, define the norm of the polynomial as $\|h(x_1, \ldots, x_n)\| = \sqrt{\sum h_{j_1, \ldots, j_n}^2}$. That is, $\|h(x_1, \ldots, x_n)\|$ denotes the Euclidean norm of the vector consisting of the coefficients of $h(x_1, \ldots, x_n)$. Let $B = \{a_{ij}\}$ be a $w \times w$ matrix of integers. The rows of $B$ generate a lattice $L$, a collection of vectors closed under addition and subtraction; in fact the rows form a basis of $L$. The lattice $L$ is also represented as follows. Letting $a_i = (a_{i1}, a_{i2}, \ldots, a_{iw})$, the lattice $L$ spanned by $a_1, \ldots, a_w$ consists of all integral linear combinations of $a_1, \ldots, a_w$, that is,
$L = \{\sum_{i=1}^{w} n_i a_i \mid n_i \in \mathbb{Z}\}.$
The volume of the lattice is defined by $\mathrm{vol}(L) = \sqrt{\det(B\,{}^tB)}$, where ${}^tB$ is the transpose of $B$. In particular, $\mathrm{vol}(L) = |\det(B)|$ if $B$ is full-rank. The LLL algorithm outputs short vectors in the lattice $L$.

Proposition 1 (LLL). Let $B = \{a_{ij}\}$ be a non-singular $w \times w$ matrix of integers. The rows of $B$ generate a lattice $L$. Given $B$, the LLL algorithm outputs a reduced basis $\{b_1, \ldots, b_w\}$ with
$\|b_i\| \leq 2^{w(w-1)/(4(w+1-i))} (\mathrm{vol}(L))^{1/(w+1-i)}$
in time polynomial in $(w, \max \log_2 |a_{ij}|)$.

The following lemma is used when a modular equation is reduced to an integer equation.

Lemma 1 (Howgrave-Graham [8]). Let $\hat{h}(x_1, \ldots, x_n) \in \mathbb{Z}[x_1, \ldots, x_n]$ be a polynomial which is a sum of at most $w$ monomials. Let $m$ and $\phi$ be positive integers and $X_1, \ldots, X_n$ be positive integers. Suppose that
1. $\hat{h}(\bar{x}_1, \ldots, \bar{x}_n) = 0 \bmod \phi^m$, where $|\bar{x}_1| < X_1, \ldots, |\bar{x}_n| < X_n$, and
2. $\|\hat{h}(x_1 X_1, \ldots, x_n X_n)\| < \phi^m / \sqrt{w}$.
Then $\hat{h}(\bar{x}_1, \ldots, \bar{x}_n) = 0$ holds over the integers.

3 How to Solve the Generalized Small Inverse Problem

For a polynomial $h(x_1, \ldots, x_n)$, consider the following two problems:
(I) Given $N (= pq)$, find a small solution of $h(x_1, \ldots, x_n) = 0 \pmod p$.
(II) Given $M$, find a small solution of $x_0 h(x_1, \ldots, x_n) + C = 0 \pmod M$.
Problem (II) corresponds to a generalized small inverse problem. We will show a compiler which transforms a lattice basis for (I) into one for (II).

3.1 Lattice-Based Algorithm for (I)

Problem (I) can be solved by combining the LLL algorithm and Lemma 1 as follows. Let $X_1, \ldots, X_n$ be the positive integers of Lemma 1. Define a polynomial $h_{[j_1, \ldots, j_n, k]}(x_1, \ldots, x_n) := x_1^{j_1} \cdots x_n^{j_n} h(x_1, \ldots, x_n)^k$ for non-negative integers $j_1, \ldots, j_n, k$. Let $u$ be a non-negative integer. Using $h_{[j_1, \ldots, j_n, k]}$, we define a shift-polynomial
$h^{(u)}_{[j_1, \ldots, j_n, k]}(x_1, \ldots, x_n) := h_{[j_1, \ldots, j_n, k]}(x_1, \ldots, x_n) N^{u-k}.$ (1)
Let a solution of $h = 0 \pmod p$ be $(x_1, \ldots, x_n) = (\bar{x}_1, \ldots, \bar{x}_n)$. It is easy to see that $h^{(u)}_{[j_1, \ldots, j_n, k]}(\bar{x}_1, \ldots, \bar{x}_n) = 0 \pmod{p^u}$ for any $(j_1, \ldots, j_n, k)$. Fix a set $H^{(u)}$ of $[j_1, \ldots, j_n, k]$ for each $u$. We construct a lattice $L^{(u)}$ spanned by the set of coefficient vectors of $h^{(u)}_{[j_1, \ldots, j_n, k]}(x_1 X_1, \ldots, x_n X_n)$ for $[j_1, \ldots, j_n, k] \in H^{(u)}$. Then, we apply the LLL algorithm to this lattice. The LLL algorithm yields small vectors of this lattice. Finally, we can obtain a polynomial $\hat{h}$ satisfying the condition of Lemma 1 from such a small vector. How to choose $H^{(u)}$ for each $u$ depends on $h(x_1, \ldots, x_n)$.

First, we define the set $\mathcal{M}(h_{[j_1, \ldots, j_n, k]})$ of monomials
$\mathcal{M}(h_{[j_1, \ldots, j_n, k]}) := \{x_1^{i_1} \cdots x_n^{i_n} \mid x_1^{i_1} \cdots x_n^{i_n} \text{ is a monomial of } h_{[j_1, \ldots, j_n, k]}(x_1, \ldots, x_n)\}.$
Next, we define the set $\mathcal{M}(H^{(u)})$ of monomials
$\mathcal{M}(H^{(u)}) := \bigcup_{[j_1, \ldots, j_n, k] \in H^{(u)}} \mathcal{M}(h_{[j_1, \ldots, j_n, k]}).$
We will introduce 4 restrictions on a lattice for solving $h = 0$ and consider only sets $H^{(u)}$ of $[j_1, \ldots, j_n, k]$, one for each $u$, which satisfy the 4 restrictions.

Restriction 1. For any positive integer $u$, there exist two sets $\mathcal{A} = \{[j_{1i}, \ldots, j_{ni}]\}_{1 \leq i \leq \#\mathcal{A}}$ and $\mathcal{B} = \{[j_{1i}, \ldots, j_{ni}]\}_{1 \leq i \leq \#\mathcal{B}}$ such that $\mathcal{A} \subseteq \mathcal{B}$ and $H^{(u)}$ is given by
$H^{(u)} = \bigcup_{k=0}^{u-1} \{[j_{1i}, \ldots, j_{ni}, k]\}_{1 \leq i \leq \#\mathcal{A}} \cup \{[j_{1i}, \ldots, j_{ni}, u]\}_{1 \leq i \leq \#\mathcal{B}}.$ (2)
We call $(\mathcal{A}, \mathcal{B})$ a generator.

Restriction 2. For any $u$, $L^{(u)}$ is full rank.

Restriction 3. The generator $\mathcal{B}$ is parametrized by some optimizing parameters $t = (t_1, \ldots, t_k)$. If needed, we use the notation $\mathcal{B}(t)$.

Restriction 4. The volume of $L^{(u)}$ does not depend on the coefficients of $h$. That is, it is given by
$\mathrm{vol}\, L^{(u)} = N^{\gamma_U} X_1^{\gamma_1} X_2^{\gamma_2} \cdots X_n^{\gamma_n}.$ (3)
Let $w$ be the dimension of the lattice. Here, $\gamma_U, \gamma_1, \ldots, \gamma_n$ and $w$ are functions of $u$ and $t$. Moreover, the total degree of each of $\gamma_U, \gamma_1, \ldots, \gamma_n$ and $uw$ is 2. If needed, we write $\mathrm{vol}\, L^{(u;t)}$, $\gamma_U(u;t)$ and $\gamma_i(u;t)$ for $1 \leq i \leq n$.

The lattices derived in many previous methods [6, 9, 12, 17] satisfy Restrictions 1-4, as described in Table 1. Restriction 1 implies that if $[j_1, \ldots, j_n, k] \in H^{(u)}$ and $k \geq 1$, then $[j_1, \ldots, j_n, k-1] \in H^{(u-1)}$, which is crucial for our compiler. For convenience, we use the following notation: for a set $\mathcal{A}$ and $k \in \mathbb{Z}_{\geq 0}$, the set $[\mathcal{A}, k]$ is defined by $\{[j_1, \ldots, j_n, k] \mid [j_1, \ldots, j_n] \in \mathcal{A}\}$. With this notation, we can rewrite Eq. (2) as
$H^{(u)} = \bigcup_{k=0}^{u-1} [\mathcal{A}, k] \cup [\mathcal{B}, u].$

Restriction 2 implies that $\#H^{(u)} = \#\mathcal{M}(H^{(u)})$. The polynomial order on $H^{(u)}$ and the monomial order on $\mathcal{M}(H^{(u)})$ should be adequately defined so as to be linear orders. Let $B_h^{(u)}(\mathcal{A}, \mathcal{B})$ denote the $\#H^{(u)} \times \#H^{(u)}$ square matrix where each row of $B_h^{(u)}(\mathcal{A}, \mathcal{B})$ is the coefficient vector of $h^{(u)}_{[j_1, \ldots, j_n, k]}(x_1 X_1, \ldots, x_n X_n)$ when $\mathcal{A}$ and $\mathcal{B}$ are used as the generator. If $\mathcal{A}$ and $\mathcal{B}$ are clear from the context, we often omit them and simply write $B_h^{(u)}$. Since $L^{(u)}$ is full-rank, $\mathrm{vol}\, L^{(u)} = |\det B_h^{(u)}|$.

3.2 How to Solve (II)

We show how to solve Problem (II). First, we give an overview of our algorithm and then focus on Step 1-2.

Input: an $(n+1)$-variate equation $f(x_0, x_1, \ldots, x_n) = x_0 h(x_1, \ldots, x_n) + C = 0 \pmod M$ with small roots
Output: all small roots $(\bar{x}_0, \ldots, \bar{x}_n)$ of $f(x_0, x_1, \ldots, x_n) = 0 \pmod M$
Step 1: Construct a lattice for $f$.
Step 1-1: Construct a lattice $L^{(u)}$ for $h$, or choose a generator $\mathcal{A}$ and $\mathcal{B}$ for $h$.
Step 1-2: Construct a lattice $L_f$ for $f$ by employing the lattice $L^{(u)}$ for $h$, or $\mathcal{A}$ and $\mathcal{B}$.
Step 2: Run the LLL algorithm on input $L_f$ to obtain $n+1$ polynomials $r_1, r_2, \ldots, r_{n+1} \in \mathbb{Z}[x_0, x_1, \ldots, x_n]$ over the integers, which are non-zero integer combinations of the $f_{[i, j_1, \ldots, j_n, k]}(x_0 X_0, x_1 X_1, \ldots, x_n X_n)$ with small coefficients.
Step 3: Compute resultants of the $r_i$ to obtain a univariate integer equation. Then, solve the equation using standard techniques.

We point out some remarks. Our algorithm cannot always guarantee that it outputs the correct solutions, so our algorithm is heuristic. We make the following assumption, as in [11].

Assumption 1. The resultant computations for the polynomials $r_i$ yield non-zero polynomials.

Experiments are needed for specific cases to justify the assumption.

We move on to the discussion of Step 1-2. Letting $m$ be a positive integer, we define shift-polynomials for $f(x_0, x_1, \ldots, x_n)$ as
$f_{[i, j_1, \ldots, j_n, k]}(x_0, x_1, \ldots, x_n) := x_0^i x_1^{j_1} \cdots x_n^{j_n} f(x_0, x_1, \ldots, x_n)^k M^{m-k}.$

Let a solution of $f = 0 \pmod M$ be $(x_0, \ldots, x_n) = (\bar{x}_0, \ldots, \bar{x}_n)$. It is easy to see that $f_{[i, j_1, \ldots, j_n, k]}(\bar{x}_0, \ldots, \bar{x}_n) = 0 \pmod{M^m}$ for any $(i, j_1, \ldots, j_n, k)$. Let $F$ be a set of indexes $[i, j_1, \ldots, j_n, k]$. We construct the lattice $L_f$ spanned by the coefficient vectors of $f_{[i, j_1, \ldots, j_n, k]}(x_0 X_0, \ldots, x_n X_n)$ with $[i, j_1, \ldots, j_n, k] \in F$.

How does one choose the set of indexes $F$? This is a difficult problem. The choice of $F$ determines the performance of the algorithm. Indeed, the volume of the lattice derived from $F$ should be small. Moreover, one must calculate or estimate the volume of the lattice. If $F$ is badly chosen, it might be difficult to calculate (or even to estimate) its volume. So, one must choose the set $F$ in a clever way. We overcome this problem by employing a lattice basis for solving $h = 0$. We propose the following compiler, which transforms a set of shift-polynomials for $h = 0$ into one for $f = 0$. In the explanation, we use the notation: the set $[k_1, \mathcal{A}, k_2]$ is defined by $[k_1, \mathcal{A}, k_2] = \{[k_1, j_1, \ldots, j_n, k_2] \mid [j_1, \ldots, j_n] \in \mathcal{A}\}$.

Compiler. Fix a positive integer $m$. Using the generators $\mathcal{A}$ and $\mathcal{B}$ for $h = 0$, we construct a set $F$ of shift-polynomials as follows. First, we set
$F^{(u)} := \bigcup_{k=0}^{u-1} [u-k, \mathcal{A}, k] \cup [0, \mathcal{B}, u].$
Then, we set
$F := \bigcup_{u=0}^{m} F^{(u)} = \bigcup_{u=0}^{m} \left\{ \bigcup_{k=0}^{u-1} [u-k, \mathcal{A}, k] \cup [0, \mathcal{B}, u] \right\}.$
$F$ is explicitly given by
$F = \bigcup_{u=0}^{m} \left\{ \bigcup_{k=0}^{u-1} \{[u-k, j_{1i}, \ldots, j_{ni}, k]\}_{1 \leq i \leq \#\mathcal{A}} \cup \{[0, j_{1i}, \ldots, j_{ni}, u]\}_{1 \leq i \leq \#\mathcal{B}} \right\}.$
Obviously, $\#F^{(u)} = \#H^{(u)}$. If we define the polynomial and monomial orders as follows, the polynomial set $F$ and the set of monomials are linearly ordered.

Monomial order: we define $x_0^{u} x_1^{j_1} \cdots x_n^{j_n} \prec x_0^{u'} x_1^{j'_1} \cdots x_n^{j'_n}$ if $u < u'$, or $u = u'$ and $x_1^{j_1} \cdots x_n^{j_n} \prec x_1^{j'_1} \cdots x_n^{j'_n}$ in $\mathcal{M}(H^{(u)})$.

Polynomial order: we define $[i, j_1, \ldots, j_n, k] \prec [i', j'_1, \ldots, j'_n, k']$ if $i + k < i' + k'$, or $i + k = i' + k'$ and $[j_1, \ldots, j_n, k] \prec [j'_1, \ldots, j'_n, k']$ in $H^{(i+k)}$. Informally, letting $f \in F^{(u)}$ and $f' \in F^{(u')}$, $f \prec f'$ if $u < u'$.

Theorem 1. Suppose that $F$ is set by our Compiler and $H^{(u)}$ satisfies the 4 restrictions. Let $B$ be the matrix where each row of $B$ is the coefficient vector of $f_{[u-k, j_1, \ldots, j_n, k]}(x_0 X_0, \ldots, x_n X_n)$ according to the order of $F$. Then, the matrix $B$ is square and block lower triangular.

By Theorem 1, $B$ is written as
$B = \begin{pmatrix} B_0 & & & 0 \\ & B_1 & & \\ & & \ddots & \\ * & & & B_m \end{pmatrix},$
where each $B_u$ is a $\#H^{(u)} \times \#H^{(u)}$ matrix for $0 \leq u \leq m$. Note that $B_u$ corresponds to the $\#H^{(u)}$ polynomials $\{f_{[i, j_1, \ldots, j_n, k]} \mid [i, j_1, \ldots, j_n, k] \in F^{(u)}\}$ and the $\#H^{(u)}$ monomials which are divisible by $x_0^u$. The determinant of $B$ is simply given by $\det B = \det B_0 \det B_1 \cdots \det B_m$. The application to the small secret exponent attack will be given in Section 5.1. Other examples are given in Section 5 and Appendix B.

3.3 Proof of Theorem 1

We define the sets of monomials
$\mathcal{M}(f_{[u-k, j_1, \ldots, j_n, k]}) := \{x_0^{i_0} x_1^{i_1} \cdots x_n^{i_n} \mid x_0^{i_0} x_1^{i_1} \cdots x_n^{i_n} \text{ is a monomial of } f_{[u-k, j_1, \ldots, j_n, k]}\}$
and
$\mathcal{M}(F^{(u)}) := \bigcup_{J \in F^{(u)}} \mathcal{M}(f_J).$
We use the notation $x_0^{i_0} \mathcal{M} := \{x_0^{i_0} x_1^{i_1} \cdots x_n^{i_n} \mid x_1^{i_1} \cdots x_n^{i_n} \in \mathcal{M}\}$ for a set of monomials $\mathcal{M} = \{x_1^{i_1} \cdots x_n^{i_n}\}$. First, we show the following two lemmas.

Lemma 2. If $[u-k, j_1, \ldots, j_n, k] \in F$ for $k \geq 1$, it holds that $\mathcal{M}(f_{[u-k, j_1, \ldots, j_n, k-1]}) \subseteq \mathcal{M}(f_{[u-k, j_1, \ldots, j_n, k]})$. Furthermore, it holds for $k \geq 1$ that
$\mathcal{M}(f_{[u-k, j_1, \ldots, j_n, k]}) \setminus \mathcal{M}(f_{[u-k, j_1, \ldots, j_n, k-1]}) = x_0^u \{x_1^{i_1} \cdots x_n^{i_n} \mid x_1^{i_1} \cdots x_n^{i_n} \text{ is a monomial of } h_{[j_1, \ldots, j_n, k]}\}.$

Lemma 3. It holds that $\mathcal{M}(F^{(0)}) \subseteq \mathcal{M}(F^{(1)}) \subseteq \cdots \subseteq \mathcal{M}(F^{(m)})$. Furthermore, it holds that
$\mathcal{M}(F^{(u)}) \setminus \mathcal{M}(F^{(u-1)}) = x_0^u \mathcal{M}(H^{(u)}).$

Proof (of Lemma 2). For $k \geq 1$, if $[u-k, j_1, \ldots, j_n, k] \in F^{(u)}$, then $[u-k, j_1, \ldots, j_n, k-1] \in F^{(u-1)}$. The expansion of $f_{[u-k, j_1, \ldots, j_n, k]}(x_0, x_1, \ldots, x_n)$ is given by
$f_{[u-k, j_1, \ldots, j_n, k]}(x_0, x_1, \ldots, x_n) = x_0^{u-k} x_1^{j_1} \cdots x_n^{j_n} (x_0 h + C)^k M^{m-k} = x_0^{u} h_{[j_1, \ldots, j_n, k]} M^{m-k} + \sum_{i=1}^{k} \binom{k}{i} C^i M^{m-k} x_0^{u-i} h_{[j_1, \ldots, j_n, k-i]}.$
The expansion of $f_{[u-k, j_1, \ldots, j_n, k-1]}(x_0, x_1, \ldots, x_n)$ is given by
$f_{[u-k, j_1, \ldots, j_n, k-1]}(x_0, x_1, \ldots, x_n) = x_0^{u-k} x_1^{j_1} \cdots x_n^{j_n} (x_0 h + C)^{k-1} M^{m-k+1} = \sum_{i=1}^{k} \binom{k-1}{i-1} C^{i-1} M^{m-k+1} x_0^{u-i} h_{[j_1, \ldots, j_n, k-i]}.$
Then, we have the lemma.

For Lemma 3, the number of monomials first appearing in $F^{(u)}$ is $\#(\mathcal{M}(F^{(u)}) \setminus \mathcal{M}(F^{(u-1)})) = \#\mathcal{M}(H^{(u)})$. By the construction of our Compiler, the number of polynomials in $F^{(u)}$ is $\#F^{(u)} = \#H^{(u)}$. Restriction 2 implies that $\#H^{(u)} = \#\mathcal{M}(H^{(u)})$. Then, $\#(\mathcal{M}(F^{(u)}) \setminus \mathcal{M}(F^{(u-1)})) = \#F^{(u)}$. This implies that $B$ is block lower triangular.

3.4 Small Example of our Compiler

We show a small example of how our Compiler works. Let $h(y)$ be a univariate monic polynomial of degree 1: $h(y) = A + y$. In this case, the target equation is $f(x, y) = x h(y) + C = x(A + y) + C = 0 \pmod M$. Let $h^{(u)}_{[j,k]}(y) := y^j h(y)^k N^{u-k}$. Suppose that we use the generator $\mathcal{A} = \{[0]\}$ and $\mathcal{B} = \{[0], [1], [2]\}$. Then, $H^{(0)} = \{[0,0], [1,0], [2,0]\}$ and $H^{(1)} = \{[0,0], [0,1], [1,1], [2,1]\}$. The corresponding matrices $B_h^{(0)}$ and $B_h^{(1)}$ are given as follows; the columns are indexed by the monomials $1, y, y^2$ and $1, y, y^2, y^3$ respectively, and the row labels show each shift-polynomial evaluated at $yY$.

$B_h^{(0)} = \begin{array}{l|ccc} & 1 & y & y^2 \\ \hline h^{(0)}_{[0,0]} \,(= 1) & 1 & 0 & 0 \\ h^{(0)}_{[1,0]} \,(= Yy) & 0 & Y & 0 \\ h^{(0)}_{[2,0]} \,(= Y^2 y^2) & 0 & 0 & Y^2 \end{array}$

$B_h^{(1)} = \begin{array}{l|cccc} & 1 & y & y^2 & y^3 \\ \hline h^{(1)}_{[0,0]} \,(= N) & N & 0 & 0 & 0 \\ h^{(1)}_{[0,1]} \,(= A + Yy) & A & Y & 0 & 0 \\ h^{(1)}_{[1,1]} \,(= AYy + Y^2 y^2) & 0 & AY & Y^2 & 0 \\ h^{(1)}_{[2,1]} \,(= AY^2 y^2 + Y^3 y^3) & 0 & 0 & AY^2 & Y^3 \end{array}$

For example, $\mathcal{M}(h_{[1,1]}) = \{y, y^2\}$ and $\mathcal{M}(H^{(1)}) = \{1, y, y^2, y^3\}$. For a positive integer $m$, let $f_{[i,j,k]}(x, y) := x^i y^j f(x, y)^k M^{m-k}$. In the example, we fix $m = 1$. Applying our compiler, we obtain the set $F$ of $f_{[i,j,k]}$ for solving $f(x, y) = x h(y) + C = 0 \pmod M$ as follows:
$F = \{[0,0,0], [0,1,0], [0,2,0], [1,0,0], [0,0,1], [0,1,1], [0,2,1]\}.$
The matrix $B$ generated by $F$ is given as follows (blank entries are zero).

$B = \begin{array}{l|ccccccc} & 1 & y & y^2 & x & xy & xy^2 & xy^3 \\ \hline f_{[0,0,0]} \,(= M) & M & & & & & & \\ f_{[0,1,0]} \,(= YMy) & 0 & YM & & & & & \\ f_{[0,2,0]} \,(= Y^2 M y^2) & 0 & 0 & Y^2 M & & & & \\ f_{[1,0,0]} \,(= XMx) & 0 & 0 & 0 & XM & & & \\ f_{[0,0,1]} \,(= C + AXx + XYxy) & C & 0 & 0 & AX & XY & 0 & 0 \\ f_{[0,1,1]} \,(= CYy + AXYxy + XY^2 xy^2) & 0 & CY & 0 & 0 & AXY & XY^2 & 0 \\ f_{[0,2,1]} \,(= CY^2 y^2 + AXY^2 xy^2 + XY^3 xy^3) & 0 & 0 & CY^2 & 0 & 0 & AXY^2 & XY^3 \end{array}$

Columns and rows are ordered by the monomial and polynomial orders on $F$. The determinant of $B$ is given by the product of the diagonal elements, so $\det B = M^4 X^4 Y^9$.

4 Deriving a Condition for Solving GSIP

In the previous section, we showed how to choose a set $F$. The next thing to do is to evaluate the volume of the lattice $L_f$, or equivalently the determinant of the corresponding matrix $B$. Then, we derive the condition for solving the problem by combining the value of the determinant with Lemma 1. First, we derive the determinant of the matrix $B$ (or the volume of $L_f$) obtained by our compiler.

Lemma 4. Let $B_h^{(u;t)}$ be the corresponding matrix for $h$ and $w(u;t)$ be the dimension of the lattice. Then, the determinant of $B$ derived by our Compiler is given by
$\det B = M^{mW} \left(\frac{X_0}{M}\right)^{\sum_{u=0}^{m} u\, w(u;t)} \prod_{u=0}^{m} \det B_h^{(u;t)}(M),$ (4)
where $W (= \sum_{u=0}^{m} w(u;t))$ is the rank of $B$, and $B_h^{(u;t)}(M)$ denotes $B_h^{(u;t)}$ with the modulus $N$ of the shift-polynomials for $h$ replaced by $M$.

Next, we derive the condition under which we can find all solutions of $f = 0 \pmod M$.
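The following Python program is an added worked example and is not code from the paper. It implements the Compiler of Section 3.2 for the univariate case $h(y) = A + y$ with generator $\mathcal{A} = \{[0]\}$ and $\mathcal{B} = \{[0], \ldots, [t]\}$, builds the matrix $B$ under the monomial and polynomial orders defined above, checks that $B$ is lower triangular (Theorem 1), and compares $\det B$ computed three ways: as the product of the diagonal, by an independent fraction-free (Bareiss) determinant, and via the right-hand side of Eq. (4) (Lemma 4). With $m = 1$, $t = 2$ it reproduces $\det B = M^4 X^4 Y^9$ from the example in Section 3.4; the same generator is the Howgrave-Graham/Boneh-Durfee lattice of Section 5.1 for larger $m$ and $t$. All function names are my own, and the numeric values of $M$, $A$, $C$, $X$, $Y$ used in the usage note are constructed toy parameters, not values from the paper.

```python
# Added example: the Compiler of Section 3.2 for h(y) = A + y, generator
# A = {[0]}, B = {[0], ..., [t]}, checked against Theorem 1 and Lemma 4.
# Polynomials in (x, y) are stored as dicts {(deg_x, deg_y): coefficient}.

def pmul(p, q):
    """Product of two polynomials in (x, y)."""
    r = {}
    for (a, b), c in p.items():
        for (d, e), g in q.items():
            r[(a + d, b + e)] = r.get((a + d, b + e), 0) + c * g
    return {k: v for k, v in r.items() if v != 0}

def ppow(p, k):
    r = {(0, 0): 1}
    for _ in range(k):
        r = pmul(r, p)
    return r

def h_shift(A, j, k, u, N):
    """h^{(u)}_{[j,k]}(y) = y^j h(y)^k N^{u-k} with h(y) = A + y (Eq. (1))."""
    p = pmul({(0, j): 1}, ppow({(0, 0): A, (0, 1): 1}, k))
    return {mono: c * N ** (u - k) for mono, c in p.items()}

def f_shift(A, C, i, j, k, m, M):
    """f_{[i,j,k]}(x, y) = x^i y^j f(x, y)^k M^{m-k} with f = x(A + y) + C."""
    p = pmul({(i, j): 1}, ppow({(1, 0): A, (1, 1): 1, (0, 0): C}, k))
    return {mono: c * M ** (m - k) for mono, c in p.items()}

def H_set(genA, genB, u):
    """Restriction 1: H^{(u)} = U_{k<u} [A, k]  U  [B, u]; list order = polynomial order."""
    return [(j, k) for k in range(u) for j in genA] + [(j, u) for j in genB]

def F_set(genA, genB, m):
    """Compiler: F^{(u)} = U_{k<u} [u-k, A, k]  U  [0, B, u];  F = U_{u<=m} F^{(u)}."""
    F = []
    for u in range(m + 1):
        F += [(u - k, j, k) for k in range(u) for j in genA]
        F += [(0, j, u) for j in genB]
    return F

def monomials_of_H(A, genA, genB, u):
    """M(H^{(u)}) ordered by y-degree: the monomial order that makes B_h^{(u)} triangular."""
    monos = set()
    for j, k in H_set(genA, genB, u):
        monos |= set(h_shift(A, j, k, u, 1))
    return sorted(monos, key=lambda mono: mono[1])

def h_matrix(A, genA, genB, u, N, Y):
    """B_h^{(u)}: rows are coefficient vectors of h^{(u)}_{[j,k]}(yY)."""
    cols = monomials_of_H(A, genA, genB, u)
    return [[h_shift(A, j, k, u, N).get(c, 0) * Y ** c[1] for c in cols]
            for j, k in H_set(genA, genB, u)]

def f_matrix(A, C, genA, genB, m, M, X, Y):
    """B for f: rows in the polynomial order of F, columns x^u * M(H^{(u)}) for u = 0..m."""
    cols = [(u, b) for u in range(m + 1) for (_, b) in monomials_of_H(A, genA, genB, u)]
    rows = [[f_shift(A, C, i, j, k, m, M).get(c, 0) * X ** c[0] * Y ** c[1] for c in cols]
            for i, j, k in F_set(genA, genB, m)]
    assert len(rows) == len(cols), "Restriction 2 (square, full-rank) violated"
    return rows

def is_lower_triangular(rows):
    n = len(rows)
    return all(rows[r][c] == 0 for r in range(n) for c in range(r + 1, n))

def diag_product(rows):
    p = 1
    for r in range(len(rows)):
        p *= rows[r][r]
    return p

def bareiss_det(rows):
    """Fraction-free integer determinant; independent check of diag_product."""
    a = [row[:] for row in rows]
    n, sign, prev = len(a), 1, 1
    for k in range(n - 1):
        if a[k][k] == 0:
            sw = next((i for i in range(k + 1, n) if a[i][k] != 0), None)
            if sw is None:
                return 0
            a[k], a[sw], sign = a[sw], a[k], -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                a[i][j] = (a[i][j] * a[k][k] - a[i][k] * a[k][j]) // prev
        prev = a[k][k]
    return sign * a[n - 1][n - 1]

def lemma4_rhs(A, genA, genB, m, M, X, Y):
    """Eq. (4): M^{mW} (X_0/M)^{sum_u u w(u)} prod_u det B_h^{(u)}(M), with N := M."""
    ws = [len(H_set(genA, genB, u)) for u in range(m + 1)]
    W, s = sum(ws), sum(u * w for u, w in enumerate(ws))
    prod = 1
    for u in range(m + 1):
        prod *= diag_product(h_matrix(A, genA, genB, u, M, Y))
    return M ** (m * W - s) * X ** s * prod

def compiled_determinant(A, C, t, m, M, X, Y):
    """det B for generator A = {[0]}, B = {[0..t]}, after checking Theorem 1."""
    rows = f_matrix(A, C, [0], list(range(t + 1)), m, M, X, Y)
    assert is_lower_triangular(rows)                 # Theorem 1
    assert diag_product(rows) == bareiss_det(rows)   # diagonal product is the determinant
    return diag_product(rows)

if __name__ == "__main__":
    M, A, C, X, Y = 11, 3, 1, 2, 5   # constructed toy values
    print(compiled_determinant(A, C, 2, 1, M, X, Y) == M**4 * X**4 * Y**9)
```

With the constructed values `M, A, C, X, Y = 11, 3, 1, 2, 5`, `compiled_determinant(A, C, t=2, m=1, ...)` returns exactly `M**4 * X**4 * Y**9`, `F_set([0], [0, 1, 2], 1)` returns the seven index triples listed above in the same order, and for `m = 2` the determinant agrees with `lemma4_rhs`. Changing `C` leaves the determinant unchanged, as Remark 1 in Section 4 states, because $C$ never appears on the diagonal.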

Lemma 5. Suppose that the determinant of $B_h^{(u;t)}$ is given as in Lemma 4. Under Assumption 1, we can find all solutions of the equation $f = 0 \pmod M$ with $|x_0| < X_0, |x_1| < X_1, \ldots, |x_n| < X_n$ if
$\prod_{u=0}^{m} \left(\frac{X_0}{M}\right)^{u\, w(u;t)} \det B_h^{(u;t)}(M) < 1, \quad\text{that is,}\quad \prod_{u=0}^{m} \det B_h^{(u;t)}(M) < \prod_{u=0}^{m} \left(\frac{M}{X_0}\right)^{u\, w(u;t)}.$ (5)
The time complexity is polynomial in $\log M$ and $2^n$.

The Case of Maximizing $X_0$. In many cryptanalyses, the whole task is to maximize $X_0$ for fixed $X_1, X_2, \ldots, X_n$. Hereafter, we focus on this situation. We introduce an operator $I : m^k \mapsto \frac{1}{k+1} m^{k+1}$. Obviously, the operator $I$ is homomorphic. Hence, we can write $\sum_{u=0}^{m} u\, w(u;t) = I(m\, w(m;t))$ and $\sum_{u=0}^{m} \gamma_i(u;t) = I(\gamma_i(m;t))$. We rewrite Eq. (5) using the operator $I$ as
$(X_0/M)^{I(m w(m;t))} < \left( M^{I(\gamma_U(m;t))} X_1^{I(\gamma_1(m;t))} \cdots X_n^{I(\gamma_n(m;t))} \right)^{-1}.$
Hence, we have
$X_0 < M \Big/ \left( M^{I(\gamma_U(m;t))} X_1^{I(\gamma_1(m;t))} \cdots X_n^{I(\gamma_n(m;t))} \right)^{1/I(m w(m;t))}.$
Let $A_i$ be a fixed positive number such that $X_i = M^{A_i}$ for $1 \leq i \leq n$. We can simplify the above as
$X_0 < M \Big/ M^{\left( I(\gamma_U(m;t)) + \sum_{i=1}^{n} A_i I(\gamma_i(m;t)) \right) / I(m w(m;t))}.$
Setting
$l(m;t) := \frac{I(\gamma_U(m;t)) + \sum_{i=1}^{n} A_i I(\gamma_i(m;t))}{I(m w(m;t))} = \frac{I\left(\gamma_U(m;t) + \sum_{i=1}^{n} A_i \gamma_i(m;t)\right)}{I(m w(m;t))},$ (6)
we have $X_0 < M^{1 - l(m;t)}$. The next thing to do is to obtain $t$ minimizing $l(m;t)$ for fixed $m$. The value of $t$ minimizing $l(m;t)$ is given by solving the simultaneous equations
$\frac{\partial l(m;t)}{\partial t_1} = \frac{\partial l(m;t)}{\partial t_2} = \cdots = \frac{\partial l(m;t)}{\partial t_k} = 0.$
Let $t^*$ be the solution of the above equations if it exists. If we ignore small terms (footnote 1), each of $I(\gamma_U(m;t)), I(\gamma_1(m;t)), \ldots, I(\gamma_n(m;t)), I(m w(m;t))$ consists only of terms of the same total degree 3. Hence, each element

Footnote 1: If we don't ignore the small terms, we can obtain the optimal value of $m$, but we need tedious computation in general. For the small secret exponent attack case, Boneh-Durfee gave the detailed analysis [2].

$t_i^*$ of $t^*$ is represented by $t_i^* = \tau_i^* m$ for positive constants $\tau_i^*$. Letting $\tau^* = (\tau_1^*, \ldots, \tau_n^*)$, we have the condition for $X_0$:
$X_0 \leq \max_t M^{1 - l(m;t)} = M^{1 - \min_t l(m;t)} = M^{1 - l(m; m\tau^*)},$ (7)
which does not depend on $m$.

Next, we analyze the simplest case, where $\mathcal{B}$ is parametrized by one parameter. In this case, we have an explicit formula for the upper bound of $X_0$.

Theorem 2. Suppose that a lattice for $h = 0$ satisfies Restrictions 1-4 and $\mathcal{B}$ is parametrized by one parameter $t$. For given positive numbers $A_1, \ldots, A_n$, we set
$a_2 m^2 + a_1 m t + a_0 t^2 := \gamma_U(m;t) + \sum_{i=1}^{n} A_i \gamma_i(m;t)$ and $w(m;t) = b_2 m + b_1 t$.
Suppose that $a_1 b_2 < a_2 b_1$. Under Assumption 1, we can find all solutions of the equation $f = 0 \pmod M$ with $|x_0| < X_0, |x_1| < M^{A_1}, \ldots, |x_n| < M^{A_n}$ if
$X_0 < M^{1 - \frac{4 a_0 c}{b_1} - \frac{a_1}{b_1}}, \quad\text{where}\quad c = \frac{\sqrt{4 a_0^2 b_2^2 - 3 a_0 a_1 b_1 b_2 + 3 a_0 a_2 b_1^2} - 2 a_0 b_2}{3 a_0 b_1}.$
In particular, if $b_1 = b_2$, we simply have the condition
$X_0 < M^{1 - \frac{4\sqrt{4 a_0^2 - 3 a_0 a_1 + 3 a_0 a_2} - 8 a_0 + 3 a_1}{3 b_1}}.$ (8)
The time complexity is polynomial in $\log M$ and $2^n$.

Remark 1. Eqs. (5) and (8) do not depend on the constant $C$.

5 Application of our Compiler to RSA-Related Cryptanalysis

We show several examples of GSIP and discuss applications of our compiler to them. Table 1 summarizes some examples of GSIP in the literature. "Constraint" shows what kind of constraint the variables have, both in solving $f = 0$ and in solving $h = 0$. $\mathcal{A}$ and $\mathcal{B}$ show which generators we use, both in solving $f = 0$ and in solving $h = 0$. We give more explanation for each case and give details of Case 1. More examples are given in Appendix B.

Case 1. Consider the small secret exponent attack on RSA by Boneh and Durfee [2]. In their attack, they handled $f(x, y) = x(y + A) + 1 = 0 \pmod e$. Hence, this problem corresponds to $h(y) = y + A$ and $C = 1$. By using our compiler, the lattice basis for $f = 0$ is automatically obtained. Then, one can easily obtain the bound $d < N^{0.284}$. We'll discuss the details later.

Table 1. Examples of GSIP

                 Case 1               Case 1'              Case 2                                        Case 3
                 Boneh-Durfee [2]     May [15]             Durfee-Nguyen [7]                             Itoh et al. [10]
f = x h + C      x(A + y) + 1         x(y - N) + N         x(A + y + z) + 1                              x(y - 1)(z - 1) + 1
Constraint       -                    -                    yz = N                                        y^r z = N
lattice for h    Howgrave-Graham [9]  (as Case 1)          Coron-May [6]                                 Kunihiro-Kurosawa [12]
h                y + A                y - N                A + y + z                                     (y - 1)(z - 1) - A
A                {[0]}                {[0]}                {[0,0], [1,0]}                                {[0,0], [1,0]} ∪ ⋃_{i=1}^{r-1} {[i,1]}
B                ⋃_{i=0}^{t} {[i]}    ⋃_{i=0}^{t} {[i]}    ⋃_{i=0}^{t_1} {[i,0]} ∪ ⋃_{j=1}^{t_2} {[0,j]}  ⋃_{i=0}^{t_1} {[i,0]} ∪ ⋃_{j=1}^{r-1} ⋃_{k=0}^{t_2} {[k,j]}

Case 1'. Consider the small CRT-exponent attack on unbalanced RSA by May [15]. In his attack, he handled $f(x, y) = x(y - N) + N = 0 \pmod e$. Hence, this problem corresponds to $h(y) = y - N$ and $C = N$. By using our compiler, the lattice basis for $f = 0$ is automatically obtained. Furthermore, one can easily obtain the bound $d_p < e^{1 - 2(\sqrt{\beta^2 + 3\beta} + \beta)/3}$, where $q < e^{\beta}$.

Case 2. Consider the cryptanalysis of some variants of RSA with small secret exponent by Durfee-Nguyen [7]. In their attack, they handled the trivariate modular equation $f(x, y, z) = x(A + y + z) + 1 = 0 \pmod e$ with the constraint $yz = N$. Hence, this problem corresponds to $h(y, z) = A + y + z$ and $C = 1$. By using our compiler, the lattice basis for Durfee-Nguyen's attack is automatically obtained.

Case 3. Consider the small secret exponent attacks on Takagi's variant of RSA [19] by Itoh et al. [10]. This attack can be obtained by our compiler and the lattice basis used in proving the deterministic polynomial time equivalence between factoring and computing the secret exponent in that scheme [12]. Note that since the Durfee-Nguyen technique is adequately involved in the lattice basis for $h$, we can easily obtain that for $f$. One can easily obtain the bound $d < N^{(7 - 2\sqrt{7})/(3(r+1))}$.

5.1 Case 1: Transforming Howgrave-Graham's Lattice Basis into Boneh-Durfee's Lattice Basis

Next, we move on to an actual cryptanalysis. We show that our compiler builds a bridge between the lattice basis in [9] and that in [2]. We simply write $x, y, X, Y$ instead of $x_0, x_1, X_0$ and $X_1$.

Howgrave-Graham [9] provided an algorithm (footnote 2) for solving $h(y) = A + y = 0 \pmod S$ for integers $A$ and $S$, where $S$ is an unknown divisor of a known integer $U$. Set shift-polynomials as $h^{(u)}_{[j,k]}(y) := h_{[j,k]} N^{u-k} = y^j h(y)^k N^{u-k}$. In his paper, he chose the set of indexes of shift-polynomials as
$H^{(u)} = \bigcup_{k=0}^{u-1} \{[0, k]\} \cup \bigcup_{i=0}^{t} \{[i, u]\}.$
We set the polynomial order by this. Note that the generator is given by $\mathcal{A} = \{[0]\}$ and $\mathcal{B} = \bigcup_{i=0}^{t} \{[i]\}$. Hence, $H^{(u)}$ satisfies Restrictions 1-3.

Let $f(x, y) = x(A + y) + 1$. We discuss the lattice basis construction for $f$. Since $f(x, y) = x h(y) + 1$, we can employ our Compiler to construct a lattice basis for $f$. For a positive integer $m$, we define shift-polynomials for $f$ as $f_{[i,j,k]}(x, y) = x^i y^j f(x, y)^k M^{m-k}$. By our Compiler and Howgrave-Graham's lattice basis, we have the set $F$ as
$F = \bigcup_{u=0}^{m} \left\{ \bigcup_{k=0}^{u-1} \{[u-k, 0, k]\} \cup \bigcup_{i=0}^{t} \{[0, i, u]\} \right\}$
for fixed $t$. Explicitly, we have
$F = \{[0,0,0], [0,1,0], \ldots, [0,t,0], [1,0,0], [0,0,1], [0,1,1], \ldots, [0,t,1], \ldots, [m,0,0], [m-1,0,1], \ldots, [0,0,m], [0,1,m], [0,2,m], \ldots, [0,t,m]\}.$
As one can easily verify, Boneh-Durfee's set of shift-polynomials [2] and ours are completely the same as sets (but the polynomial order is different). Then, they give the same lattice basis. So, we obtain the same lattice as Boneh-Durfee's by using our compiler and Howgrave-Graham's lattice basis [9].

Next, according to the discussion in Section 4, we re-derive the bound on the secret key $d$. In [6], $\gamma_U$ and $\gamma_Y$ are given as $\gamma_U(u;t) = u(u+1)/2$ and $\gamma_Y(u;t) = (u+t)(u+t+1)/2$. The dimension is given by $w(u;t) = u + t + 1$, and $A_Y = \log_e Y = 1/2$. In this case, we can obtain the same bound very easily. Since $\deg(\gamma_U(u;t)) = \deg(\gamma_Y(u;t)) = 2$ and $\deg(w(u;t)) = 1$, Restriction 4 holds. Then, we can use Theorem 2. By ignoring small terms, we have $a_0 = 1/4$, $a_1 = 1/2$, $a_2 = 3/4$, $b_1 = b_2 = 1$. By plugging these values into Eq. (8), one can easily obtain the bound $X < e^{(7 - 2\sqrt{7})/6} \approx N^{0.284}$, which is exactly the same as Boneh-Durfee's weaker bound.

Footnote 2: By employing his algorithm, Coron and May gave the deterministic polynomial time algorithm for factoring the RSA modulus under the condition that the secret key $d$ is given [6].
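As an added example (not code from the paper), the following Python program evaluates the bound of Theorem 2 and its special case Eq. (8), cross-checks it against a direct numerical minimisation of $l(x) = l(m; mx)$ from Eq. (11) in Appendix A.3, and derives the coefficients $a_0, a_1, a_2, b_1, b_2$ for the Howgrave-Graham/Boneh-Durfee lattice from $\gamma_U(u;t) = u(u+1)/2$, $\gamma_Y(u;t) = (u+t)(u+t+1)/2$, $w(u;t) = u + t + 1$ and a given $A_Y$, so that the value $(7 - 2\sqrt{7})/6 \approx 0.284$ of Section 5.1 falls out. The function names are my own; the formulas are those of Theorem 2 and Appendix A.3.

```python
# Added example: the bound of Theorem 2 / Eq. (8), checked numerically and
# instantiated with the Section 5.1 coefficients (Boneh-Durfee weaker bound).
import math

# Boneh-Durfee weaker bound (7 - 2 sqrt 7)/6 ~ 0.2847, quoted in Section 5.1.
BONEH_DURFEE_BOUND = (7 - 2 * math.sqrt(7)) / 6

def l_ratio(x, a0, a1, a2, b1, b2):
    """l(x) = l(m; mx) = (6 a0 x^2 + 3 a1 x + 2 a2) / (3 b1 x + 2 b2)  (Eq. (11), x = t/m)."""
    return (6 * a0 * x * x + 3 * a1 * x + 2 * a2) / (3 * b1 * x + 2 * b2)

def optimal_ratio(a0, a1, a2, b1, b2):
    """Positive root c of 3 a0 b1 x^2 + 4 a0 b2 x + (a1 b2 - a2 b1) = 0 (Appendix A.3).
    Theorem 2 assumes a1 b2 < a2 b1, which makes the constant term negative and
    guarantees exactly one positive root."""
    if not a1 * b2 < a2 * b1:
        raise ValueError("Theorem 2 requires a1*b2 < a2*b1")
    disc = 4 * a0 ** 2 * b2 ** 2 - 3 * a0 * a1 * b1 * b2 + 3 * a0 * a2 * b1 ** 2
    return (math.sqrt(disc) - 2 * a0 * b2) / (3 * a0 * b1)

def theorem2_exponent(a0, a1, a2, b1, b2):
    """Exponent E with X_0 < M^E:  E = 1 - 4 a0 c / b1 - a1 / b1  (Theorem 2)."""
    c = optimal_ratio(a0, a1, a2, b1, b2)
    return 1 - (4 * a0 * c + a1) / b1

def eq8_exponent(a0, a1, a2, b):
    """The b1 = b2 = b special case, Eq. (8)."""
    root = math.sqrt(4 * a0 ** 2 - 3 * a0 * a1 + 3 * a0 * a2)
    return 1 - (4 * root - 8 * a0 + 3 * a1) / (3 * b)

def numeric_exponent(a0, a1, a2, b1, b2, x_max=5.0, steps=500_000):
    """Brute-force check of Eq. (7): 1 - min_x l(x) over a fine grid of x = t/m in [0, x_max]."""
    best = min(l_ratio(i * x_max / steps, a0, a1, a2, b1, b2) for i in range(steps + 1))
    return 1 - best

def howgrave_graham_coefficients(A_Y):
    """Leading terms of the Section 5.1 lattice: gamma_U = u(u+1)/2 ~ u^2/2,
    gamma_Y = (u+t)(u+t+1)/2 ~ (u+t)^2/2, w = u + t + 1 ~ u + t.  Then
    gamma_U + A_Y gamma_Y ~ (1/2 + A_Y/2) u^2 + A_Y u t + (A_Y/2) t^2, so
    a2 = 1/2 + A_Y/2, a1 = A_Y, a0 = A_Y/2 and b2 = b1 = 1."""
    return {"a0": A_Y / 2, "a1": A_Y, "a2": 0.5 + A_Y / 2, "b1": 1.0, "b2": 1.0}

def boneh_durfee_exponent():
    """Case 1: A_Y = 1/2 gives a0 = 1/4, a1 = 1/2, a2 = 3/4 and X < e^{(7 - 2 sqrt 7)/6}."""
    return theorem2_exponent(**howgrave_graham_coefficients(0.5))

if __name__ == "__main__":
    print(boneh_durfee_exponent(), BONEH_DURFEE_BOUND)
```

Running the block prints the two numbers side by side; `boneh_durfee_exponent()` agrees with `BONEH_DURFEE_BOUND` to floating-point precision, and `numeric_exponent(0.25, 0.5, 0.75, 1, 1)` agrees with it to about six decimal places, confirming that the closed form of Theorem 2 really is the minimum over $t$ of Eq. (7). The optimal ratio $t/m$ for this lattice is `optimal_ratio(0.25, 0.5, 0.75, 1, 1)` $= (\sqrt{7} - 2)/3 \approx 0.215$.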

5.2 Case 1'

By using the same lattice basis as in Case 1, we re-derive the small CRT-exponent attack [15]. By just replacing $A_Y = \beta$, we can derive the condition $d_p < e^{1 - 2(\sqrt{\beta^2 + 3\beta} + \beta)/3}$, where $q < e^{\beta}$.

6 Concluding Remarks and Open Problems

We note that our conversion is not enough. As shown in Sec. 5.1, our approach just achieves Boneh-Durfee's weaker bound. We need more analysis to achieve the stronger bound $d < N^{0.292}$. Actually, Boneh and Durfee [2] deleted some bad lattice basis vectors and introduced the concept of a Geometrically Progressive Matrix to evaluate the upper bound of the determinant of the lattice. By these efforts, they achieved the stronger bound $d < N^{0.292}$. We need to develop a general theory including such an improvement.

Acknowledgement. The author thanks Kaoru Kurosawa for helpful discussions.

References

1. J. Blömer and A. May, A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers, in Proc. of Eurocrypt 2005, LNCS 3494.
2. D. Boneh and G. Durfee, Cryptanalysis of RSA with private key d less than N^0.292, IEEE Transactions on Information Theory 46(4): 1339 (2000). (First appeared in Eurocrypt '99.)
3. D. Coppersmith, Finding a Small Root of a Univariate Modular Equation, in Proc. of Eurocrypt '96, LNCS 1070.
4. D. Coppersmith, Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known, in Proc. of Eurocrypt '96, LNCS 1070.
5. D. Coppersmith, Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities, J. Cryptology 10(4).
6. J.-S. Coron and A. May, Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring, Journal of Cryptology, Vol. 20, No. 1. (IACR ePrint Archive: Report 2004/208, 2004.)
7. G. Durfee and P. Nguyen, Cryptanalysis of the RSA Schemes with Short Secret Exponent from Asiacrypt '99, in Proc. of Asiacrypt 2000, LNCS 1976.
8. N. Howgrave-Graham, Finding Small Roots of Univariate Modular Equations Revisited, IMA Int. Conf. (1997).
9. N. Howgrave-Graham, Approximate Integer Common Divisors, in Proc. of Cryptography and Lattices Conference (CaLC 2001), LNCS 2146.

18 10. K. Ito, N. Kuniiro and K. Kurosawa, Small Secret Key Attack on a Variant of RSA (due to Takagi), In Proc. of CT-RSA2008, LNCS4964, pp , E. Jocemsz and A. May, A Strategy for Finding Roots of Multivariate Polynomials wit New Applications in Attacking RSA Variants, In Proc. of Asiacrypt2006, LNCS4284, pp , N. Kuniiro and K. Kurosawa, Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA, In Proc. of PKC2007, LNCS4450, pp , N. Kuniiro, Solving Generalized Small Inverse Problems, to appear in Proc. of ACISP A.K. Lenstra, H.W. Lenstra, L. Lovász, Factoring polynomials wit rational coefficients, Matematisce Annalen 261, pp , A. May, Cryptanalysis of Unbalanced RSA wit Small CRT-Exponent, in Proc. of Crypto2002, LNCS 2442, pp , A. May, Computing te RSA Secret Key Is Deterministic Polynomial Time Equivalent to Factoring, in Proc. of Crypto2004, LNCS 3152, pp , A. May, Capter3.2 Te univariate case, in New RSA Vulnerabilities Using Lattice Reduction Metods, P.D tesis, University of Paderborn, R. Rivest, A. Samir and L. Adleman, A Metod for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of te ACM, vol. 21(2), pp , T. Takagi, Fast RSA-Type Cryptosystem Modulo p k q, in Proc. of Crypto 98, LNCS 1462, pp , M. Wiener, Cryptanalysis of Sort RSA Secret Exponents, IEEE Transactions on Information Teory, Vol. 36, pp , A Proofs A.1 Proof of Lemma 4 Te determinant of te submatrix B u is given by ( ) uw det B u = M (m u)w X0 uw det B (u) (M) = M mw X0 det B (u) M (M). Since te determinant det B for f is given by det B = m u=0 det B u, we ave te lemma. A.2 Proof of Lemma 5 For Lemma 1, if te norm of b n+1 is less tan M m / w, we can reduce te modular equations into integer equations. Combining Proposition 1, tis condition can be transformed into det B < M mw /γ, (9) 18

19 were γ is a constant. Since tis term is negligible compared to M mw, we can ignore tis term. By substituting Eq. (4) into Eq. (9), we ave m (X 0 /M) uw(u) < (det B (u) (M)) 1. (10) u=0 It is important tat M mw in bot and sides are canceled. By transforming tis inequality, we ave te above condition. A.3 Proof of Teorem 2 Te function l(m; t) is given by By replacing x = t/m, we ave l(m; t) = a 0mt 2 + a 1 m 2 t/2 + a 2 m 3 /3 b 1 m 2 t/2 + b 2 m 3. (11) /3 l(x) l(m; mx) = 6a 0x 2 + 3a 1 x + 2a 2 3b 1 x + 2b 2. Te value x minimizing l(x) satisfies 3a 0 b 1 x 2 +4a 0 b 2 x+(a 1 b 2 a 2 b 1 ) = 0. If a 1 b 2 a 2 b 1 < 0, tis equation as a positive solution. By solving te above equation, we ave 4a 2 0 x = b2 2 3a 0a 1 b 1 b 2 + 3a 0 a 2 b 2 1 2a 0b 2. 3a 0 b 1 Letting tis value c and plugging c into Eq. (7), we ave te following condition for X 0 : log M X 0 < 1 4a 0 c a 1. b 1 b 1 In particular, if b 1 = b 2, we ave simply 4a 2 c 0 = 3a 0a 1 + 3a 0 a 2 2 3a 0 3. B More Examples B.1 Application to Coron-May s Lattice Basis to Durfee-Nguyen s Lattice basis In tis subsection, we simply write x, y, z, X, Y, Z instead of x 0, x 1, x 2, X 0, X 1 and X 2. 19

20 Coron and May gave te deterministic polynomial time algoritm for factoring te unbalanced RSA modulus under te condition tat te secret key d is given [6]. In te proof, tey provided an algoritm for solving (y, z) = A + y + z = 0 (mod S) for integers A and S, wic is an unknown divisor of an known integer U. Note tat y and z ave relation: yz = N. Set sift-polynomials as (u) [j,k,l] (y, z) := [j,k,l]n u l = y j z k (y, z) l N u l. In teir paper, tey cose te set of te indexes of sift-polynomials as H (u) = u 1 k=0 {[0, 0, k] [1, 0, k]} Note tat a generator is given by t 1 i 1 =0 {[i 1, 0, u]} A = {[0, 0], [1, 0]} and B = t 1 i1 =0 {[i 1, 0]} t 2 i 2 =0 t 2 i 2 =1 {[0, i 2, u]}. {[0, i 2 ]}. Hence, H (u) olds Restrictions 1 3. Let f(x, y, z) = x(a+y+z)+1 wit constraint yz = N. We argue a lattice basis construction for f. Since f(x, y, z) = x(y, z)+1, we can employ our Compiler to construct a lattice basis for f. For a positive integer m, we define sift-polynomials for f as f [i,j,k,l] (x, y) := x i y j z l f(x, y, z) l M m l. By our Compiler and Coron-May s lattice basis, we ave a set F as m u 1 t 1 t 2 F = {[u k, 0, 0, k] [u k, 1, 0, k]} {[0, i 1, 0, u]} {[0, 0, i 2, u]} u=0 k=0 i 1 =0 i 2 =0 for fixed t 1 and t 2. As you can easily verify, Durfee-Nguyen s set of siftpolynomials [7] and ours are completely te same as a set. Ten, tey are te same as a lattice basis. So, we obtain te same lattice wit Bone- Durfee s by using our compiler and Coron-May s lattice basis [6]. B.2 Application to Kuniiro-Kurosawa s Lattice Basis to Ito et al. s Lattice basis In tis subsection, we simply write x, y, z, X, Y, Z instead of x 0, x 1, x 2, X 0, X 1 and X 2. Kuniiro and Kurosawa gave te deterministic polynomial time algoritm for factoring te RSA modulus for te Takagi s variant of RSA under te condition tat te secret key d is given [12]. In te proof, tey provided an algoritm for solving (y, z) = (y 1)(z 1) = 0 (mod S) 20

21 for an integers, wic is an unknown divisor of an known integer U. Note tat y and z ave relation: y r z = N. Set sift-polynomials as (u) [j,k,l] (y, z) := [j,k,l]n u l = y j z k (y, z) l N u l. In teir paper, tey cose te set of te indexes of sift-polynomials as H (u) = u 1 k=0 t 1 { } r 1 [0, 0, k] [1, 0, k] {[i, 1, k]} i 1 =0 {[i 1, 0, u]} Note tat a generator is given by r 1 i=1 t 2 i 3 =0 i 2 =1 {[i 3, i 2, u]}. r 1 A = {[0, 0], [1, 0]} {[i, 1]} and B = t 1 i1 =0 {[i 1, 0]} i=1 r 1 t 2 i 3 =0 i 2 =1 {[i 3, i 2 ]}. Hence, H (u) olds Restrictions 1 3. Let f(x, y, z) = x(y 1)(z 1) + 1 wit constraint y r z = N. We argue a lattice basis construction for f. Since f(x, y, z) = x(y, z) + 1, we can employ our Compiler to construct a lattice basis for f. For a positive integer m, we define sift-polynomials for f as f [i,j,k,l] (x, y) := x i y j z l f(x, y, z) l M m l. By our Compiler and Kuniiro-Kurosawa s lattice basis, we ave a set F as F (u) = u 1 k=0 t 1 { } r 1 [u k, 0, 0, k] [u k, 1, 0, k] {[u k, i, 1, k]} i 1 =0 {[0, i 1, 0, u]} r 1 t 2 i 3 =0 i 2 =1 i=1 {[0, i 3, i 2, u]}. and m F = F (u) u=0 for fixed t 1 and t 2. As you can easily verify, Ito et. al s set of siftpolynomials [10] for weaker bound: d N (0.568/(r+1)) and ours are completely te same as a set. Ten, tey are te same as a lattice basis. So, we obtain te same lattice wit Ito et al. s by using our compiler and Kuniiro-Kurosawa s lattice basis [12]. 21
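The Compiler step of B.1 and B.2 at the index level, as an added example that is not code from the paper: the rule $[j,k,l] \mapsto [u-l,j,k,l]$ and the explicit sets $H^{(u)}$ are our transcription of the two appendices, and the integers $A$, $M$, $y$, $z$ used at the bottom are constructed toy values. It also checks the property the construction relies on, namely that every compiled shift polynomial vanishes modulo $M^m$ at the root.

```python
"""Index-level view of the Compiler in Appendices B.1 and B.2 (added example).
An h-shift index [j, k, l] of level u denotes y^j z^k h(y,z)^l N^(u-l); the
compiled f-shift index [i, j, k, l] denotes x^i y^j z^k f(x,y,z)^l M^(m-l).
The compile rule [j, k, l] -> [u - l, j, k, l] is our reading of the two
tables in B.1 and B.2, not a routine taken from the paper."""


def coron_may_H(u, t1, t2):
    """H^(u) for h(y, z) = A + y + z, as written in Appendix B.1."""
    idx = set()
    for k in range(u):
        idx.add((0, 0, k))
        idx.add((1, 0, k))
    for i1 in range(t1 + 1):
        idx.add((i1, 0, u))
    for i2 in range(t2 + 1):
        idx.add((0, i2, u))
    return idx


def kunihiro_kurosawa_H(u, t1, t2, r):
    """H^(u) for h(y, z) = (y - 1)(z - 1) with y^r z = N, Appendix B.2."""
    idx = set()
    for k in range(u):
        idx.add((0, 0, k))
        idx.add((1, 0, k))
        for i in range(1, r):
            idx.add((i, 1, k))
    for i1 in range(t1 + 1):
        idx.add((i1, 0, u))
    for i3 in range(r):
        for i2 in range(1, t2 + 1):
            idx.add((i3, i2, u))
    return idx


def compile_shifts(H_of_u, m, **params):
    """Compiler: every h-shift [j, k, l] of level u <= m becomes the
    f-shift [u - l, j, k, l].  Returns the union F over all levels."""
    F = set()
    for u in range(m + 1):
        for (j, k, l) in H_of_u(u, **params):
            F.add((u - l, j, k, l))
    return F


def coron_may_F_from_paper(m, t1, t2):
    """F exactly as displayed in Appendix B.1, used to cross-check the rule."""
    F = set()
    for u in range(m + 1):
        for k in range(u):
            F.add((u - k, 0, 0, k))
            F.add((u - k, 1, 0, k))
        for i1 in range(t1 + 1):
            F.add((0, i1, 0, u))
        for i2 in range(t2 + 1):
            F.add((0, 0, i2, u))
    return F


def shift_value(idx, root, h, M, m):
    """Integer value of x^i y^j z^k f(x,y,z)^l M^(m-l) at root = (x, y, z),
    where f(x, y, z) = x * h(y, z) + 1."""
    i, j, k, l = idx
    x, y, z = root
    f = x * h(y, z) + 1
    return x ** i * y ** j * z ** k * f ** l * M ** (m - l)


def all_vanish_mod_M_m(F, root, h, M, m):
    """True iff every compiled shift polynomial is 0 modulo M^m at the root,
    which is what the Howgrave-Graham step (Lemma 1) needs from the basis."""
    return all(shift_value(idx, root, h, M, m) % M ** m == 0 for idx in F)


def sample_root(h, M, y, z):
    """Constructed root: x = -h(y, z)^(-1) mod M gives f(x, y, z) = 0 mod M.
    Requires gcd(h(y, z), M) = 1."""
    return (-pow(h(y, z), -1, M)) % M


if __name__ == "__main__":
    A, M, m = 37, 101, 3          # constructed toy values, far below real sizes

    def h_cm(y, z):
        return A + y + z

    F = compile_shifts(coron_may_H, m, t1=2, t2=2)
    print("matches B.1 table:", F == coron_may_F_from_paper(m, 2, 2))
    root = (sample_root(h_cm, M, 5, 9), 5, 9)
    print("|F| =", len(F), "all vanish mod M^m:", all_vanish_mod_M_m(F, root, h_cm, M, m))
```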

B.3 Analysis for Non-linear $h(y)$

May [17] extended Howgrave-Graham's result [9] to analyze the case of a univariate polynomial with higher degree. By using May's lattice basis, we analyze the case of the equation
$$f(x,y) = x\,h(y) + C = 0 \pmod{M},$$
where $h$ is a univariate monic polynomial with degree $\kappa \ge 1$ and $C$ is a non-zero integer. May [17] gave the set of indexes in the explicit form. A generator for $h$ is given by
$$A = \bigcup_{i=0}^{\kappa-1}\{[i]\} \quad\text{and}\quad B = \bigcup_{i=1}^{t}\{[i]\}.$$
The determinant of $B^{(u)}$ is given by $\det B^{(u)} = N^{\kappa u(u+1)/2}\, Y^{w(w-1)/2}$, where $w = \kappa u + t$. By the same analysis as in Section 4, we have
$$X < M^{\,1 - \left(2\sqrt{(\beta\kappa)^2 + 3\beta\kappa} - \beta\kappa\right)/3},$$
where $\beta = \log_M Y$. Letting $M = e$, $\beta = 1/2$ and $\kappa = 1$, one has again the Boneh-Durfee weaker bound: $\delta < (7 - 2\sqrt{7})/6$.
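A numerical check of the optimization in the proof of Theorem 2 (A.3) and of the B.3 bound, as an added example rather than code from the paper; the coefficients $a_0, a_1, a_2, b_1, b_2$ fed to it are constructed sample values, not the Section 4 parameters.

```python
"""Numerical check of Appendix A.3 and of the bound in Appendix B.3
(added example).  The coefficients a0, a1, a2, b1, b2 passed to these
functions are constructed sample values; the paper's Section 4
coefficients are not reproduced here."""
import math


def l_of_m_t(m, t, a0, a1, a2, b1, b2):
    """Eq. (11): l(m; t) = (a0 m t^2 + a1 m^2 t/2 + a2 m^3/3)
                           / (b1 m^2 t/2 + b2 m^3/3)."""
    num = a0 * m * t * t + a1 * m * m * t / 2 + a2 * m ** 3 / 3
    den = b1 * m * m * t / 2 + b2 * m ** 3 / 3
    return num / den


def l_of_x(x, a0, a1, a2, b1, b2):
    """l(x) = l(m; m x) after the substitution x = t/m; m cancels out."""
    return (6 * a0 * x * x + 3 * a1 * x + 2 * a2) / (3 * b1 * x + 2 * b2)


def minimizer_c(a0, a1, a2, b1, b2):
    """Positive root c of 3 a0 b1 x^2 + 4 a0 b2 x + (a1 b2 - a2 b1) = 0.
    It exists when a1 b2 - a2 b1 < 0 (the two roots then have opposite signs)."""
    if a1 * b2 - a2 * b1 >= 0:
        raise ValueError("need a1*b2 - a2*b1 < 0 for a positive minimizer")
    disc = 4 * a0 ** 2 * b2 ** 2 - 3 * a0 * a1 * b1 * b2 + 3 * a0 * a2 * b1 ** 2
    return (math.sqrt(disc) - 2 * a0 * b2) / (3 * a0 * b1)


def x0_exponent_bound(a0, a1, a2, b1, b2):
    """Right-hand side of log_M X0 < 1 - (4 a0 / b1) c - a1 / b1.
    At the stationary point l(c) = (4 a0 c + a1) / b1, so this is 1 - l(c)."""
    c = minimizer_c(a0, a1, a2, b1, b2)
    return 1 - 4 * a0 * c / b1 - a1 / b1


def is_grid_minimum(a0, a1, a2, b1, b2, steps=4000):
    """Brute-force confirmation that c minimizes l(x) on a grid over (0, 4c]."""
    c = minimizer_c(a0, a1, a2, b1, b2)
    lc = l_of_x(c, a0, a1, a2, b1, b2)
    return all(lc <= l_of_x(4 * c * i / steps, a0, a1, a2, b1, b2) + 1e-12
               for i in range(1, steps + 1))


def nonlinear_h_bound(beta, kappa):
    """Exponent delta in X < M^delta from Appendix B.3, for h monic of
    degree kappa and beta = log_M Y:
    delta = 1 - (2 sqrt((beta kappa)^2 + 3 beta kappa) - beta kappa) / 3."""
    bk = beta * kappa
    return 1 - (2 * math.sqrt(bk * bk + 3 * bk) - bk) / 3


def boneh_durfee_weak_bound():
    """(7 - 2 sqrt 7) / 6, the weaker Boneh-Durfee exponent."""
    return (7 - 2 * math.sqrt(7)) / 6


if __name__ == "__main__":
    coeffs = (1.0, 1.0, 1.0, 2.0, 1.0)   # constructed: a1*b2 - a2*b1 = -1 < 0
    c = minimizer_c(*coeffs)
    print("c =", c, "grid minimum:", is_grid_minimum(*coeffs))
    print("log_M X0 <", x0_exponent_bound(*coeffs))
    print("B.3 exponent at beta=1/2, kappa=1:", nonlinear_h_bound(0.5, 1),
          "Boneh-Durfee weak:", boneh_durfee_weak_bound())
```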


More information

Material for Difference Quotient

Material for Difference Quotient Material for Difference Quotient Prepared by Stepanie Quintal, graduate student and Marvin Stick, professor Dept. of Matematical Sciences, UMass Lowell Summer 05 Preface Te following difference quotient

More information

2.1 THE DEFINITION OF DERIVATIVE

2.1 THE DEFINITION OF DERIVATIVE 2.1 Te Derivative Contemporary Calculus 2.1 THE DEFINITION OF DERIVATIVE 1 Te grapical idea of a slope of a tangent line is very useful, but for some uses we need a more algebraic definition of te derivative

More information

Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions

Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions Santanu Sarkar, Sourav Sen Gupta, and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B T Road,

More information

Math 312 Lecture Notes Modeling

Math 312 Lecture Notes Modeling Mat 3 Lecture Notes Modeling Warren Weckesser Department of Matematics Colgate University 5 7 January 006 Classifying Matematical Models An Example We consider te following scenario. During a storm, a

More information

IEOR 165 Lecture 10 Distribution Estimation

IEOR 165 Lecture 10 Distribution Estimation IEOR 165 Lecture 10 Distribution Estimation 1 Motivating Problem Consider a situation were we ave iid data x i from some unknown distribution. One problem of interest is estimating te distribution tat

More information

MVT and Rolle s Theorem

MVT and Rolle s Theorem AP Calculus CHAPTER 4 WORKSHEET APPLICATIONS OF DIFFERENTIATION MVT and Rolle s Teorem Name Seat # Date UNLESS INDICATED, DO NOT USE YOUR CALCULATOR FOR ANY OF THESE QUESTIONS In problems 1 and, state

More information

2.3 Product and Quotient Rules

2.3 Product and Quotient Rules .3. PRODUCT AND QUOTIENT RULES 75.3 Product and Quotient Rules.3.1 Product rule Suppose tat f and g are two di erentiable functions. Ten ( g (x)) 0 = f 0 (x) g (x) + g 0 (x) See.3.5 on page 77 for a proof.

More information

Notes on wavefunctions II: momentum wavefunctions

Notes on wavefunctions II: momentum wavefunctions Notes on wavefunctions II: momentum wavefunctions and uncertainty Te state of a particle at any time is described by a wavefunction ψ(x). Tese wavefunction must cange wit time, since we know tat particles

More information

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University

More information

Near-Optimal conversion of Hardness into Pseudo-Randomness

Near-Optimal conversion of Hardness into Pseudo-Randomness Near-Optimal conversion of Hardness into Pseudo-Randomness Russell Impagliazzo Computer Science and Engineering UC, San Diego 9500 Gilman Drive La Jolla, CA 92093-0114 russell@cs.ucsd.edu Ronen Saltiel

More information

Robotic manipulation project

Robotic manipulation project Robotic manipulation project Bin Nguyen December 5, 2006 Abstract Tis is te draft report for Robotic Manipulation s class project. Te cosen project aims to understand and implement Kevin Egan s non-convex

More information

ch (for some fixed positive number c) reaching c

ch (for some fixed positive number c) reaching c GSTF Journal of Matematics Statistics and Operations Researc (JMSOR) Vol. No. September 05 DOI 0.60/s4086-05-000-z Nonlinear Piecewise-defined Difference Equations wit Reciprocal and Cubic Terms Ramadan

More information

Mathematics 5 Worksheet 11 Geometry, Tangency, and the Derivative

Mathematics 5 Worksheet 11 Geometry, Tangency, and the Derivative Matematics 5 Workseet 11 Geometry, Tangency, and te Derivative Problem 1. Find te equation of a line wit slope m tat intersects te point (3, 9). Solution. Te equation for a line passing troug a point (x

More information

5.1 introduction problem : Given a function f(x), find a polynomial approximation p n (x).

5.1 introduction problem : Given a function f(x), find a polynomial approximation p n (x). capter 5 : polynomial approximation and interpolation 5 introduction problem : Given a function f(x), find a polynomial approximation p n (x) Z b Z application : f(x)dx b p n(x)dx, a a one solution : Te

More information

The derivative function

The derivative function Roberto s Notes on Differential Calculus Capter : Definition of derivative Section Te derivative function Wat you need to know already: f is at a point on its grap and ow to compute it. Wat te derivative

More information

Section 3: The Derivative Definition of the Derivative

Section 3: The Derivative Definition of the Derivative Capter 2 Te Derivative Business Calculus 85 Section 3: Te Derivative Definition of te Derivative Returning to te tangent slope problem from te first section, let's look at te problem of finding te slope

More information

Quaternion Dynamics, Part 1 Functions, Derivatives, and Integrals. Gary D. Simpson. rev 01 Aug 08, 2016.

Quaternion Dynamics, Part 1 Functions, Derivatives, and Integrals. Gary D. Simpson. rev 01 Aug 08, 2016. Quaternion Dynamics, Part 1 Functions, Derivatives, and Integrals Gary D. Simpson gsim1887@aol.com rev 1 Aug 8, 216 Summary Definitions are presented for "quaternion functions" of a quaternion. Polynomial

More information

Taylor Series and the Mean Value Theorem of Derivatives

Taylor Series and the Mean Value Theorem of Derivatives 1 - Taylor Series and te Mean Value Teorem o Derivatives Te numerical solution o engineering and scientiic problems described by matematical models oten requires solving dierential equations. Dierential

More information

Approximate Integer Common Divisor Problem relates to Implicit Factorization

Approximate Integer Common Divisor Problem relates to Implicit Factorization Approximate Integer Common Divisor Problem relates to Implicit Factorization Santanu Sarar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolata 700 108, India

More information

1 Calculus. 1.1 Gradients and the Derivative. Q f(x+h) f(x)

1 Calculus. 1.1 Gradients and the Derivative. Q f(x+h) f(x) Calculus. Gradients and te Derivative Q f(x+) δy P T δx R f(x) 0 x x+ Let P (x, f(x)) and Q(x+, f(x+)) denote two points on te curve of te function y = f(x) and let R denote te point of intersection of

More information

1. Questions (a) through (e) refer to the graph of the function f given below. (A) 0 (B) 1 (C) 2 (D) 4 (E) does not exist

1. Questions (a) through (e) refer to the graph of the function f given below. (A) 0 (B) 1 (C) 2 (D) 4 (E) does not exist Mat 1120 Calculus Test 2. October 18, 2001 Your name Te multiple coice problems count 4 points eac. In te multiple coice section, circle te correct coice (or coices). You must sow your work on te oter

More information

3.4 Algebraic Limits. Ex 1) lim. Ex 2)

3.4 Algebraic Limits. Ex 1) lim. Ex 2) Calculus Maimus.4 Algebraic Limits At tis point, you sould be very comfortable finding its bot grapically and numerically wit te elp of your graping calculator. Now it s time to practice finding its witout

More information

ERROR BOUNDS FOR THE METHODS OF GLIMM, GODUNOV AND LEVEQUE BRADLEY J. LUCIER*

ERROR BOUNDS FOR THE METHODS OF GLIMM, GODUNOV AND LEVEQUE BRADLEY J. LUCIER* EO BOUNDS FO THE METHODS OF GLIMM, GODUNOV AND LEVEQUE BADLEY J. LUCIE* Abstract. Te expected error in L ) attimet for Glimm s sceme wen applied to a scalar conservation law is bounded by + 2 ) ) /2 T

More information