New Results on Modular Inversion Hidden Number Problem and Inversive Congruential Generator

Abstract

The Modular Inversion Hidden Number Problem (MIHNP), introduced by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001, is briefly described as follows: Let \({\mathrm {MSB}}_{\delta }(z)\) refer to the \(\delta \) most significant bits of z. Given many samples \(\left( t_{i}, {\mathrm {MSB}}_{\delta }((\alpha + t_{i})^{-1} \bmod {p})\right) \) for random \(t_i \in \mathbb {Z}_p\), the goal is to recover the hidden number \(\alpha \in \mathbb {Z}_p\). MIHNP is an important class of Hidden Number Problem.

In this paper, we revisit the Coppersmith technique for solving a class of modular polynomial equations, which is respectively derived from the recovering problem of the hidden number \(\alpha \) in MIHNP. For any positive integer constant d, let integer \(n=d^{3+o(1)}\). Given a sufficiently large modulus p, \(n+1\) samples of MIHNP, we present a heuristic algorithm to recover the hidden number \(\alpha \) with a probability close to 1 when \(\delta /\log _2 p>\frac{1}{d\,+\,1}+o(\frac{1}{d})\). The overall time complexity of attack is polynomial in \(\log _2 p\), where the complexity of the LLL algorithm grows as \(d^{\mathcal {O}(d)}\) and the complexity of the Gröbner basis computation grows as \((2d)^{\mathcal {O}(n^2)}\). When \(d> 2\), this asymptotic bound outperforms \(\delta /\log _2 p>\frac{1}{3}\) which is the asymptotic bound proposed by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001. It is the first time that a better bound for solving MIHNP is given, which implies that the conjecture that MIHNP is hard whenever \(\delta /\log _2 p<\frac{1}{3}\) is broken. Moreover, we also get the best result for attacking the Inversive Congruential Generator (ICG) up to now.

Appendices

A Asymptotic Time Complexities in Previous Works

The running time functions for solving MIHNP or ICG are not fully presented explicitly in previous works. For the sake of comparison, we analyze the corresponding running time functions according to the following way. Let \(\rho = \delta /\log _2 p\) and \(k=\log _2 p\), where \(0<\rho <1\).

In [3, Theorem 1], the bound \(\rho >\frac{3}{4}\) is shown for solving ICG with known \(\mathcal {F}\) based on the SVP assumption. Since the involved lattice is 4-dimensional, the time complexity of the SVP algorithm is \(k^{\mathcal {O}(1)}\), which is deterministic polynomial in the bit size of a given basis of the lattice for the fixed dimension [17].

In [20, Corollary 1], the bound \(\rho \ge \frac{2}{3}+\varepsilon \) is presented to solve MIHNP based on the SVP assumption. By taking \(\varepsilon =\rho -\frac{2}{3}\), the time complexity using SVP algorithm becomes \(k^{\mathcal {O}(1)}2^{\mathcal {O}(\frac{1}{\rho \,-\,\frac{2}{3}})}\) [22].

In [1, Section 3.4 and Theorem 2], the asymptotic bound \(\rho \ge \frac{1}{2}+\frac{1}{2^{n+3}}\) is obtained to solve ICG with known \(\mathcal {F}\) based on the Coppersmith technique, where \(n+2\) denotes the number of unknown variables. Let \(m=n^{\mathcal {O}(1)}\). The involved lattice dimension can be expressed as \(\mathcal {O}(m^n)\), and the bit size of lattice basis matrix is at most km. Hence, the time complexity of the LLL algorithm is \({(\mathcal {O}(m^n))}^{\mathcal {O}(1)}\cdot (km)^{\mathcal {O}(1)}=\mathcal {O}\big ( k^{\mathcal {O}(1)}n^{\mathcal {O}(n)}\big )\). For the Gröbner basis, the maximal degree of input polynomials is 2m, and the number of unknown variables of input polynomials is \(n+2\). Under Assumption 1, these polynomials generate a zero-dimensional Gröbner basis. We have that the time complexity of Gröbner basis computation is \((n+2)^{\mathcal {O}((2m)^2)}=n^{\mathcal {O}(n^2)}\) [10]. Based on the above bound \(\rho \ge \frac{1}{2}+\frac{1}{2^{n+3}}\), we can take \(n\approx \log _2{(\frac{1}{\rho \,-\,\frac{1}{2}})}\). Hence, time complexities of the LLL algorithm and the Gröbner basis computation are reduced to \(\mathcal {O}\big (k^{\mathcal {O}(1)}\big (\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}}\big )^{\mathcal {O}(\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}})}\big )\) and \(\big (\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}}\big )^{\mathcal {O}\big ((\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}})^2\big )}\) respectively.

In [34, Theorem 1], the asymptotic bound \(\rho \ge \frac{1}{2}+\frac{1}{(n\,+\,1)!}\) is obtained to solve MIHNP according to the Coppersmith technique, where n denotes the number of unknown variables. Similar to the above analysis, we can also get that time complexities of the LLL algorithm and Gröbner basis computation are \(\mathcal {O}\big (k^{\mathcal {O}(1)}n^{\mathcal {O}(n)}\big )\) and \(n^{\mathcal {O}(n^2)}\) respectively. Further, from the above bound \(\rho \ge \frac{1}{2}+\frac{1}{(n\,+\,1)!}\), we can take \(n\log _2 n \approx \log _2{(\frac{1}{\rho \,-\,\frac{1}{2}})}\) by the Stirling formula. Therefore, time complexities of the LLL algorithm and the Gröbner basis computation are reduced to \(\mathcal {O}\big (k^{\mathcal {O}(1)}\big (\frac{1}{\rho \,-\,\frac{1}{2}}\big )^{\mathcal {O}(1)}\big )\) and \(\big (\frac{1}{\rho \,-\,\frac{1}{2}}\big )^{o\big (\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}}\big )}\) respectively.

In [4, Section 3.2], the asymptotic bound \(\rho \ge \frac{1}{3}+\frac{2}{3d\,+\,3}\) is obtained to solve MIHNP based on the SVP assumption, where d is an integer satisfying some requirement. Note that the dimension of the involved lattice is equal to \(\mathcal {O}(d^{\mathcal {O}(d)})\). Thus, the time complexity to solve MIHNP is \(k^{\mathcal {O}(1)}2^{\mathcal {O}(d^{\mathcal {O}(d)})}\) using the SVP algorithm, such as [22]. According to the above bound \(\rho \ge \frac{1}{3}+\frac{2}{3d\,+\,3}\), we can take \(d\approx \frac{2}{3\rho \,-\,1}\). Then the above time complexity is reduced to \(k^{\mathcal {O}(1)}2^{\mathcal {O}\big ((\frac{2}{3\rho \,-\,1})^{\mathcal {O}({\frac{1}{\rho \,-\,\frac{1}{3}}})}\big )}\).

In [35, Remark 4], the asymptotic bound \(\rho \ge \frac{1}{3}+\frac{2}{3d\,+\,3}\) is given for solving MIHNP and ICG based on the Coppersmith technique, where d is the same as that in [4]. Note that the dimension of the involved lattice is equal to \(\mathcal {O}(d^{\mathcal {O}(d)})\) and the maximal bit size of lattice basis matrix is at most 2dk. Hence, the time complexity of the LLL algorithm is \((\mathcal {O}(d^{\mathcal {O}(d)}))^{\mathcal {O}(1)} \cdot (2dk)^{\mathcal {O}(1)}=\mathcal {O}(k^{\mathcal {O}(1)}d^{\mathcal {O}(d)})\). For the Gröbner basis, the maximal degree of input polynomials is 2d and the number of variables is equal to \(d^{\mathcal {O}(1)}\). Thus, under Assumption 1, the time complexity of the Gröbner basis computation is \((2d)^{\mathcal {O}(d^{\mathcal {O}(1)})}\) [10]. Based on the above bound \(\rho \ge \frac{1}{3}+\frac{2}{3d\,+\,3}\), we can take \(d\approx \frac{2}{3\rho \,-\,1}\). Then, time complexities of the LLL algorithm and Gröbner basis computation are reduced to \(\mathcal {O}(k^{\mathcal {O}(1)}(\frac{2}{3\rho \,-\,1})^{\mathcal {O}(\frac{1}{\rho \,-\,\frac{1}{3}})})\) and \((\frac{4}{3\rho \,-\,1})^{\mathcal {O}({(\frac{1}{\rho \,-\,\frac{1}{3}})}^{\mathcal {O}(1)})}\) respectively.

B Computation of the Determinant of \(\mathcal {L}(n,d,t)\)

Note that the determinant of \(\mathcal {L}(n,d,t)\) is the product of the diagonal entries. We will consider the following two cases.

For the case of \(i_0\ge s\), the contribution of \(F_{i_0, i_1, \cdots , i_n}(x_0X, x_1X, \cdots , x_nX)\) to the determinant of \(\mathcal {L}(n,d,t)\) is

$$ \prod ^d_{s=0}\prod ^d_{i_0=s}\left( p^{(d-s){\left( {\begin{array}{c}n\\ s\end{array}}\right) }}\cdot X^{(i_0+s){\left( {\begin{array}{c}n\\ s\end{array}}\right) }}\right) . $$

For the case of \(i_0<s\), the contribution of \(F_{i_0, i_1, \cdots , i_n}(x_0X, x_1X, \cdots , x_nX)\) is

$$ \prod ^d_{s=1}\prod ^{s-1}_{i_0=0}\left( p^{(d+1-s){\left( {\begin{array}{c}n\\ s\end{array}}\right) }} \cdot X^{(i_0+s){\left( {\begin{array}{c}n\\ s\end{array}}\right) }}\right) \cdot \prod ^{t}_{i_0=0}X^{(i_0+d+1)\left( {\begin{array}{c}n\\ d+1\end{array}}\right) }. $$

To sum up, we get

$$\begin{aligned} \det (\mathcal {L}(n,d,t))=p^{\alpha (n,d)}\cdot X^{\beta (n,d,t)}, \end{aligned}$$

where

$$\begin{aligned} \begin{aligned} \begin{array}{ll} \alpha (n,d)=d(d+1)\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) - d\sum \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) ,\\ \beta (n,d,t)=\frac{d(d\,+\,1)}{2}\sum \limits \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) +(d+1)\sum \limits \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) +\frac{(2d\,+\,t\,+\,2)(t\,+\,1)}{2}\left( {\begin{array}{c}n\\ d+1\end{array}}\right) .\\ \end{array} \end{aligned} \end{aligned}$$

C Lower Bound in Theorem 1

Our goal is to derive a lower bound of

$$\begin{aligned} 2^{-\frac{w(w-1)}{4\beta (n,d,t)}} w^{-\frac{w-n}{2\beta (n,d,t)}} p^{\lambda (n,d,t)}, \end{aligned}$$

where w is the dimension of \(\mathcal {L}(n,d,t)\). We now analyze its first two terms. According to the expressions of w and \(\beta (n,d,t)\), i.e.,

$$\begin{aligned} \begin{aligned} \begin{array}{ll} w=(t+1)\left( {\begin{array}{c}n\\ d+1\end{array}}\right) +(d+1)\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) ,\\ \beta (n,d,t)=\frac{(2d\,+\,t\,+\,2)(t+1)}{2}\left( {\begin{array}{c}n\\ d+1\end{array}}\right) +\frac{d(d\,+\,1)}{2}\sum \limits \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) +(d+1)\sum \limits \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) ,\\ \end{array} \end{aligned} \end{aligned}$$

it is easy to deduce \(\frac{\beta (n,d,t)}{w}>\frac{d\,+\,2}{2}\). Then we have \(2^{-\frac{w(w-1)}{4\beta (n,d,t)}} \ge 2^{-\frac{w}{2(d+2)}}\) and \(w^{-\frac{w-n}{2\beta (n,d,t)}}\ge w^{-\frac{1}{d+2}}\). Furthermore, we obtain

$$ 2^{-\frac{w(w-1)}{4\beta (n,d,t)}} w^{-\frac{w-n}{2\beta (n,d,t)}} p^{\lambda (n,d,t)}\ge p^{\lambda (n,d,t)-\frac{w+2\log w}{2(d+2)\log _2p}}. $$

Note that d and w are independent of the modulus p. For a sufficiently large p, the exponent term \({-\frac{w\,+\,2\log w}{2(d\,+\,2)\log _2p}}\) is negligible. In this case, we only consider the exponent term \(\lambda (n, d,t)\). In other words, the right-hand side of the above condition can be simplified as \(p^{\lambda (n,d,t)}\) for a sufficiently large p.

Next, we further analyze the lower bound of \(\lambda (n,d,t)\). We rewrite

$$\begin{aligned} \lambda (n,d,t)= & {} \frac{2d(t\,+\,1)\left( {\begin{array}{c}n\\ d+1\end{array}}\right) +2d\sum \limits ^d_{s=2}s\left( {\begin{array}{c}n\\ s\end{array}}\right) }{(2d+2+t)(t+1)\left( {\begin{array}{c}n\\ d+1\end{array}}\right) +d(d+1)\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) +2(d+1)\sum \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) }\\= & {} \frac{2d}{2d\,+\,2\,+\,t}(1-\epsilon (n, d, t)), \end{aligned}$$

where

$$ \epsilon (n,d,t)=\frac{d(d\,+\,1)\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) -t\sum \limits ^d_{s=2}s\left( {\begin{array}{c}n\\ s\end{array}}\right) +2(d+1)\left( {\begin{array}{c}n\\ 1\end{array}}\right) }{(2d+2+t)(t+1)\left( {\begin{array}{c}n\\ d+1\end{array}}\right) +d(d+1)\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) +2(d+1)\sum \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) }. $$

Note that we have

$$\begin{aligned} \begin{aligned} \begin{array}{ll} \epsilon (n,d,t)<\frac{d(d\,+\,1)}{(2d\,+\,2\,+\,t)(t\,+\,1)}\cdot \frac{\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) }{\left( {\begin{array}{c}n\\ d+1\end{array}}\right) }+\frac{2(d\,+\,1)}{(2d\,+\,2\,+\,t)(t\,+\,1)}\cdot \frac{\left( {\begin{array}{c}n\\ 1\end{array}}\right) }{\left( {\begin{array}{c}n\\ d+1\end{array}}\right) }<\frac{d}{2} \sum \limits ^d_{s=0}\frac{\left( {\begin{array}{c}n\\ s\end{array}}\right) }{\left( {\begin{array}{c}n\\ d+1\end{array}}\right) }+\frac{\left( {\begin{array}{c}n\\ 1\end{array}}\right) }{\left( {\begin{array}{c}n\\ d+1\end{array}}\right) }. \end{array} \end{aligned} \end{aligned}$$

For any \(0\le s \le d\), according to

$$\begin{aligned} \begin{aligned} \begin{array}{ll} \frac{\left( {\begin{array}{c}n\\ s\end{array}}\right) }{\left( {\begin{array}{c}n\\ d+1\end{array}}\right) }=\frac{(d\,+\,1)!(n\,-\,d\,-\,1)!}{s! (n-s)!}=\frac{d\,+\,1}{n\,-\,d}\cdot \frac{d}{n\,-\,d\,+\,1} \cdots \frac{s\,+\,1}{n\,-\,s}\le (\frac{d\,+\,1}{n\,-\,d})^{d-s+1}, \end{array} \end{aligned} \end{aligned}$$

we deduce that

$$\begin{aligned} \begin{aligned} \begin{array}{ll} \epsilon (n,d,t)<\left( \frac{d}{2}\sum \limits ^d_{s=0}(\frac{d\,+\,1}{n\,-\,d})^{d-s+1}\right) +(\frac{d\,+\,1}{n\,-\,d})^{d} =\frac{d(d\,+\,1)}{2(n\,-\,2d\,-\,1)}\big (1-(\frac{d\,+\,1}{n-d})^{d+1}\big )+(\frac{d\,+\,1}{n\,-\,d})^{d}. \end{array} \end{aligned} \end{aligned}$$

Then we obtain that

$$\begin{aligned} \begin{aligned} \begin{array}{ll} \lambda (n,d,t)=\frac{2d}{2d\,+\,2\,+\,t}(1-\epsilon (n, d, t))>\frac{2d}{2d\,+\,2\,+\,t}\bigg (1-\frac{d(d\,+\,1)}{2(n\,-\,2d\,-\,1)}\big (1-(\frac{d\,+\,1}{n\,-\,d})^{d+1}\big )-(\frac{d\,+\,1}{n\,-\,d})^{d}\bigg ).\\ \end{array} \end{aligned} \end{aligned}$$

By taking the parameter \(t=0\), \(\lambda (n,d,t)\) is optimized as

$$\lambda (n,d,0)>1-\frac{1}{d\,+\,1}-\bigg (\frac{d^2}{2(n\,-\,2d\,-\,1)}\big (1-(\frac{d\,+\,1}{n\,-\,d})^{d+1}\big )+\frac{d}{d\,+\,1}(\frac{d\,+\,1}{n\,-\,d})^{d}\bigg ).$$

Further, by taking the parameter \(n=d^{3+o(1)}\), the above relation is expressed as

$$ \lambda (n,d,0)>1-\frac{1}{d\,+\,1}-o\big (\frac{1}{d}\big ). $$

Finally, we explicitly present how big the modulus p is in the asymptotic sense. Based on the above analysis, we need that the term \({-\frac{w\,+\,2\log w}{2(d\,+\,2)\log _2p}}\) is negligible. For the case of \(t=0\) and \(n=d^{3+o(1)}\), we have that the dimension of L(n, d, t) is equal to \(w=(d+1)\sum ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) +\left( {\begin{array}{c}n\\ d+1\end{array}}\right) =d^{3d+3}(1+o(1))\). Hence, when \(\log _2 p=\omega (d^{3d+2})\), i.e., \(p=2^{\omega (d^{3d+2})}\), the term \({-\frac{w\,+\,2\log w}{2(d\,+\,2)\log _2p}}\) is negligible.