Abstract
The Modular Inversion Hidden Number Problem (MIHNP), introduced by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001, is briefly described as follows: Let \({\mathrm {MSB}}_{\delta }(z)\) refer to the \(\delta \) most significant bits of z. Given many samples \(\left( t_{i}, {\mathrm {MSB}}_{\delta }((\alpha + t_{i})^{-1} \bmod {p})\right) \) for random \(t_i \in \mathbb {Z}_p\), the goal is to recover the hidden number \(\alpha \in \mathbb {Z}_p\). MIHNP is an important class of Hidden Number Problem.
In this paper, we revisit the Coppersmith technique for solving a class of modular polynomial equations, which arises from the problem of recovering the hidden number \(\alpha \) in MIHNP. For any positive integer constant d, let integer \(n=d^{3+o(1)}\). Given a sufficiently large modulus p and \(n+1\) samples of MIHNP, we present a heuristic algorithm to recover the hidden number \(\alpha \) with a probability close to 1 when \(\delta /\log _2 p>\frac{1}{d\,+\,1}+o(\frac{1}{d})\). The overall time complexity of the attack is polynomial in \(\log _2 p\), where the complexity of the LLL algorithm grows as \(d^{\mathcal {O}(d)}\) and the complexity of the Gröbner basis computation grows as \((2d)^{\mathcal {O}(n^2)}\). When \(d> 2\), this asymptotic bound outperforms \(\delta /\log _2 p>\frac{1}{3}\), which is the asymptotic bound proposed by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001. It is the first time that a better bound for solving MIHNP is given, which implies that the conjecture that MIHNP is hard whenever \(\delta /\log _2 p<\frac{1}{3}\) is broken. Moreover, we also obtain the best result to date for attacking the Inversive Congruential Generator (ICG).
References
Bauer, A., Vergnaud, D., Zapalowicz, J.C.: Inferring sequences produced by nonlinear pseudorandom number generators using Coppersmith’s methods. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 609–626. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_36
Bi, J., Coron, J., Faugère, J., Nguyen, P.Q., Renault, G., Zeitoun, R.: Rounding and chaining LLL: finding faster small roots of univariate polynomial congruences. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 185–202. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_11
Blackburn, S.R., Gomez-perez, D., Gutierrez, J., Shparlinski, I.E.: Predicting nonlinear pseudorandom number generators. Math. Comput. 74, 2004 (2004)
Boneh, D., Halevi, S., Howgrave-Graham, N.: The modular inversion hidden number problem. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 36–51. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_3
Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 129–142. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_11
Cohn, H., Heninger, N.: Approximate common divisors via lattices. Open Book Ser. 1(1), 271–293 (2013)
Coppersmith, D.: Finding a small root of a bivariate integer equation; factoring with high bits known. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_16
Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_14
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
Faugère, J., Gianni, P.M., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993)
Herrmann, M., May, A.: Solving linear equations modulo divisors: on factoring given any bits. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 406–424. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_25
Herrmann, M., May, A.: Attacking power generators using unravelled linearization: when do we output too much? In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 487–504. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_29
Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0024458
Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44670-2_6
Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_18
Kakvi, S.A., Kiltz, E., May, A.: Certifying RSA. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 404–414. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_25
Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)
Lazard, D.: Gröbner bases, Gaussian elimination and resolution of systems of algebraic equations. In: van Hulzen, J.A. (ed.) EUROCAL 1983. LNCS, vol. 162, pp. 146–156. Springer, Heidelberg (1983). https://doi.org/10.1007/3-540-12868-9_99
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
Ling, S., Shparlinski, I.E., Steinfeld, R., Wang, H.: On the modular inversion hidden number problem. J. Symb. Comput. 47(4), 358–367 (2012)
May, A.: Using LLL-reduction for solving RSA and factorization problems. In: Nguyen, P., Vallée, B. (eds.) The LLL Algorithm. Information Security and Cryptography, pp. 315–348. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1_10
Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. Electron. Colloq. Comput. Complex. (ECCC) 17, 14 (2010)
Nguyen, P.Q., Stehlé, D.: An LLL algorithm with quadratic complexity. SIAM J. Comput. 39(3), 874–903 (2009)
Novocin, A., Stehlé, D., Villard, G.: An LLL-reduction algorithm with quasi-linear time complexity: extended abstract. In: Proceedings of the Forty-Third Annual ACM Symposium on Theory of Computing, STOC 2011, pp. 403–412. ACM, New York (2011)
Peng, L., Hu, L., Lu, Y., Xu, J., Huang, Z.: Cryptanalysis of dual RSA. Des. Codes Cryptogr. 83(1), 1–21 (2017)
Prasolov, V.V.: Polynomials. Algorithms and Computation in Mathematics, vol. 11. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-642-03980-5
Shani, B.: On the bit security of elliptic curve Diffie–Hellman. In: Fehr, S. (ed.) PKC 2017, Part I. LNCS, vol. 10174, pp. 361–387. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_15
Shparlinski, I.E.: Playing hide-and-seek with numbers: the hidden number problem, lattices, and exponential sums. In: Proceeding of Symposia in Applied Mathematics, vol. 62, pp. 153–177 (2005)
Takayasu, A., Kunihiro, N.: Better lattice constructions for solving multivariate linear equations modulo unknown divisors. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 118–135. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39059-3_9
Takayasu, A., Kunihiro, N.: How to generalize RSA cryptanalyses. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016, Part II. LNCS, vol. 9615, pp. 67–97. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_4
Takayasu, A., Lu, Y., Peng, L.: Small CRT-exponent RSA revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 130–159. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_5
Tosu, K., Kunihiro, N.: Optimal bounds for multi-prime \(\varPhi \)-hiding assumption. In: Proceedings of Information Security and Privacy - 17th Australasian Conference, ACISP 2012, Wollongong, NSW, Australia, 9–11 July 2012, pp. 1–14 (2012)
von zur Gathen, J., Gerhard, J.: Modern Computer Algebra, 3rd edn. Cambridge University Press, Cambridge (2013)
Xu, J., Hu, L., Huang, Z., Peng, L.: Modular inversion hidden number problem revisited. In: Huang, X., Zhou, J. (eds.) ISPEC 2014. LNCS, vol. 8434, pp. 537–551. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06320-1_39
Xu, J., Sarkar, S., Hu, L., Huang, Z., Peng, L.: Solving a class of modular polynomial equations and its relation to modular inversion hidden number problem and inversive congruential generator. Des. Codes Crypt. 86(9), 1997–2033 (2018)
Acknowledgments
The authors would like to thank the reviewers of Eurocrypt 2019 and Crypto 2019 for their helpful comments and suggestions. The work of this paper was supported by the National Natural Science Foundation of China (Grants 61732021, 61502488, 61572490 and 61702505). J. Xu is supported by China Scholarship Council (No. 201804910206). H. Wang is supported by the National Research Foundation, Prime Minister's Office, Singapore under its Strategic Capability Research Centres Funding Initiative and Singapore Ministry of Education under Research Grant MOE2016-T2-2-014(S). Y. Pan is supported by the National Center for Mathematics and Interdisciplinary Sciences, CAS.
Appendices
A Asymptotic Time Complexities in Previous Works
The running time functions for solving MIHNP or ICG are not fully presented explicitly in previous works. For the sake of comparison, we analyze the corresponding running time functions in the following way. Let \(\rho = \delta /\log _2 p\) and \(k=\log _2 p\), where \(0<\rho <1\).
In [3, Theorem 1], the bound \(\rho >\frac{3}{4}\) is shown for solving ICG with known \(\mathcal {F}\) based on the SVP assumption. Since the involved lattice is 4-dimensional, the time complexity of the SVP algorithm is \(k^{\mathcal {O}(1)}\), which is deterministic polynomial in the bit size of a given basis of the lattice for the fixed dimension [17].
In [20, Corollary 1], the bound \(\rho \ge \frac{2}{3}+\varepsilon \) is presented to solve MIHNP based on the SVP assumption. By taking \(\varepsilon =\rho -\frac{2}{3}\), the time complexity using SVP algorithm becomes \(k^{\mathcal {O}(1)}2^{\mathcal {O}(\frac{1}{\rho \,-\,\frac{2}{3}})}\) [22].
In [1, Section 3.4 and Theorem 2], the asymptotic bound \(\rho \ge \frac{1}{2}+\frac{1}{2^{n+3}}\) is obtained to solve ICG with known \(\mathcal {F}\) based on the Coppersmith technique, where \(n+2\) denotes the number of unknown variables. Let \(m=n^{\mathcal {O}(1)}\). The involved lattice dimension can be expressed as \(\mathcal {O}(m^n)\), and the bit size of the lattice basis matrix is at most km. Hence, the time complexity of the LLL algorithm is \({(\mathcal {O}(m^n))}^{\mathcal {O}(1)}\cdot (km)^{\mathcal {O}(1)}=\mathcal {O}\big ( k^{\mathcal {O}(1)}n^{\mathcal {O}(n)}\big )\). For the Gröbner basis, the maximal degree of the input polynomials is 2m, and the number of unknown variables of the input polynomials is \(n+2\). Under Assumption 1, these polynomials generate a zero-dimensional Gröbner basis. We have that the time complexity of the Gröbner basis computation is \((n+2)^{\mathcal {O}((2m)^2)}=n^{\mathcal {O}(n^2)}\) [10]. Based on the above bound \(\rho \ge \frac{1}{2}+\frac{1}{2^{n+3}}\), we can take \(n\approx \log _2{(\frac{1}{\rho \,-\,\frac{1}{2}})}\). Hence, the time complexities of the LLL algorithm and the Gröbner basis computation are reduced to \(\mathcal {O}\big (k^{\mathcal {O}(1)}\big (\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}}\big )^{\mathcal {O}(\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}})}\big )\) and \(\big (\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}}\big )^{\mathcal {O}\big ((\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}})^2\big )}\) respectively.
In [34, Theorem 1], the asymptotic bound \(\rho \ge \frac{1}{2}+\frac{1}{(n\,+\,1)!}\) is obtained to solve MIHNP according to the Coppersmith technique, where n denotes the number of unknown variables. Similar to the above analysis, we can also get that time complexities of the LLL algorithm and Gröbner basis computation are \(\mathcal {O}\big (k^{\mathcal {O}(1)}n^{\mathcal {O}(n)}\big )\) and \(n^{\mathcal {O}(n^2)}\) respectively. Further, from the above bound \(\rho \ge \frac{1}{2}+\frac{1}{(n\,+\,1)!}\), we can take \(n\log _2 n \approx \log _2{(\frac{1}{\rho \,-\,\frac{1}{2}})}\) by the Stirling formula. Therefore, time complexities of the LLL algorithm and the Gröbner basis computation are reduced to \(\mathcal {O}\big (k^{\mathcal {O}(1)}\big (\frac{1}{\rho \,-\,\frac{1}{2}}\big )^{\mathcal {O}(1)}\big )\) and \(\big (\frac{1}{\rho \,-\,\frac{1}{2}}\big )^{o\big (\log _2{\frac{1}{\rho \,-\,\frac{1}{2}}}\big )}\) respectively.
In [4, Section 3.2], the asymptotic bound \(\rho \ge \frac{1}{3}+\frac{2}{3d\,+\,3}\) is obtained to solve MIHNP based on the SVP assumption, where d is an integer satisfying some requirement. Note that the dimension of the involved lattice is equal to \(\mathcal {O}(d^{\mathcal {O}(d)})\). Thus, the time complexity to solve MIHNP is \(k^{\mathcal {O}(1)}2^{\mathcal {O}(d^{\mathcal {O}(d)})}\) using the SVP algorithm, such as [22]. According to the above bound \(\rho \ge \frac{1}{3}+\frac{2}{3d\,+\,3}\), we can take \(d\approx \frac{2}{3\rho \,-\,1}\). Then the above time complexity is reduced to \(k^{\mathcal {O}(1)}2^{\mathcal {O}\big ((\frac{2}{3\rho \,-\,1})^{\mathcal {O}({\frac{1}{\rho \,-\,\frac{1}{3}}})}\big )}\).
In [35, Remark 4], the asymptotic bound \(\rho \ge \frac{1}{3}+\frac{2}{3d\,+\,3}\) is given for solving MIHNP and ICG based on the Coppersmith technique, where d is the same as that in [4]. Note that the dimension of the involved lattice is equal to \(\mathcal {O}(d^{\mathcal {O}(d)})\) and the maximal bit size of the lattice basis matrix is at most 2dk. Hence, the time complexity of the LLL algorithm is \((\mathcal {O}(d^{\mathcal {O}(d)}))^{\mathcal {O}(1)} \cdot (2dk)^{\mathcal {O}(1)}=\mathcal {O}(k^{\mathcal {O}(1)}d^{\mathcal {O}(d)})\). For the Gröbner basis, the maximal degree of the input polynomials is 2d and the number of variables is equal to \(d^{\mathcal {O}(1)}\). Thus, under Assumption 1, the time complexity of the Gröbner basis computation is \((2d)^{\mathcal {O}(d^{\mathcal {O}(1)})}\) [10]. Based on the above bound \(\rho \ge \frac{1}{3}+\frac{2}{3d\,+\,3}\), we can take \(d\approx \frac{2}{3\rho \,-\,1}\). Then, the time complexities of the LLL algorithm and the Gröbner basis computation are reduced to \(\mathcal {O}(k^{\mathcal {O}(1)}(\frac{2}{3\rho \,-\,1})^{\mathcal {O}(\frac{1}{\rho \,-\,\frac{1}{3}})})\) and \((\frac{4}{3\rho \,-\,1})^{\mathcal {O}({(\frac{1}{\rho \,-\,\frac{1}{3}})}^{\mathcal {O}(1)})}\) respectively.
B Computation of the Determinant of \(\mathcal {L}(n,d,t)\)
Note that the determinant of \(\mathcal {L}(n,d,t)\) is the product of the diagonal entries. We will consider the following two cases.
For the case of \(i_0\ge s\), the contribution of \(F_{i_0, i_1, \cdots , i_n}(x_0X, x_1X, \cdots , x_nX)\) to the determinant of \(\mathcal {L}(n,d,t)\) is
For the case of \(i_0<s\), the contribution of \(F_{i_0, i_1, \cdots , i_n}(x_0X, x_1X, \cdots , x_nX)\) is
To sum up, we get
where
C Lower Bound in Theorem 1
Our goal is to derive a lower bound of
where w is the dimension of \(\mathcal {L}(n,d,t)\). We now analyze its first two terms. According to the expressions of w and \(\beta (n,d,t)\), i.e.,
it is easy to deduce \(\frac{\beta (n,d,t)}{w}>\frac{d\,+\,2}{2}\). Then we have \(2^{-\frac{w(w-1)}{4\beta (n,d,t)}} \ge 2^{-\frac{w}{2(d+2)}}\) and \(w^{-\frac{w-n}{2\beta (n,d,t)}}\ge w^{-\frac{1}{d+2}}\). Furthermore, we obtain
Note that d and w are independent of the modulus p. For a sufficiently large p, the exponent term \({-\frac{w\,+\,2\log w}{2(d\,+\,2)\log _2p}}\) is negligible. In this case, we only consider the exponent term \(\lambda (n, d,t)\). In other words, the right-hand side of the above condition can be simplified as \(p^{\lambda (n,d,t)}\) for a sufficiently large p.
Next, we further analyze the lower bound of \(\lambda (n,d,t)\). We rewrite
where
Note that we have
For any \(0\le s \le d\), according to
we deduce that
Then we obtain that
By taking the parameter \(t=0\), \(\lambda (n,d,t)\) is optimized as
Further, by taking the parameter \(n=d^{3+o(1)}\), the above relation is expressed as
Finally, we explicitly present how large the modulus p must be in the asymptotic sense. Based on the above analysis, we need the term \({-\frac{w\,+\,2\log w}{2(d\,+\,2)\log _2p}}\) to be negligible. For the case of \(t=0\) and \(n=d^{3+o(1)}\), the dimension of \(\mathcal {L}(n,d,t)\) is equal to \(w=(d+1)\sum ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) +\left( {\begin{array}{c}n\\ d+1\end{array}}\right) =d^{3d+3}(1+o(1))\). Hence, when \(\log _2 p=\omega (d^{3d+2})\), i.e., \(p=2^{\omega (d^{3d+2})}\), the term \({-\frac{w\,+\,2\log w}{2(d\,+\,2)\log _2p}}\) is negligible.
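As an added illustration (not the paper's code), the following Python builds an MIHNP instance exactly as defined in the abstract, checks a candidate \(\alpha \) against the leaked \({\mathrm {MSB}}_{\delta }\) blocks, and evaluates the quantities used in the paper's bound and in Appendix C: \(\rho =\delta /\log _2 p\), the smallest \(\delta \) with \(\rho >\frac{1}{d+1}\) (ignoring the \(o(\frac{1}{d})\) term), and the lattice dimension w at \(t=0\). The modulus, hidden number and the `consistent` checker are constructed for the example; the checker only verifies a candidate and is not the lattice recovery algorithm.

```python
import math
import secrets

# Added illustration (not the paper's code): an MIHNP instance as defined in the
# abstract, plus the parameters that appear in the paper's bound and in Appendix C.

def msb(z: int, delta: int, k: int) -> int:
    """MSB_delta(z): the delta most significant bits of z, viewed as a k-bit integer."""
    return z >> (k - delta)

def mihnp_samples(p: int, alpha: int, n: int, delta: int) -> list:
    """Constructed instance: n+1 pairs (t_i, MSB_delta((alpha + t_i)^-1 mod p)),
    with each t_i drawn uniformly from Z_p."""
    k = p.bit_length()
    samples = []
    while len(samples) < n + 1:
        t = secrets.randbelow(p)
        if (alpha + t) % p == 0:      # inverse undefined; redraw t
            continue
        inv = pow((alpha + t) % p, -1, p)
        samples.append((t, msb(inv, delta, k)))
    return samples

def consistent(p: int, alpha_guess: int, samples: list, delta: int) -> bool:
    """Hypothetical checker: does alpha_guess reproduce every leaked MSB block?
    It only verifies a candidate; it is not the lattice recovery algorithm."""
    k = p.bit_length()
    for t, leaked in samples:
        z = (alpha_guess + t) % p
        if z == 0 or msb(pow(z, -1, p), delta, k) != leaked:
            return False
    return True

def rho(p: int, delta: int) -> float:
    """rho = delta / log2(p), the leaked fraction used throughout the paper."""
    return delta / math.log2(p)

def min_delta_new_bound(p: int, d: int) -> int:
    """Smallest delta with rho > 1/(d+1), ignoring the o(1/d) term of the bound."""
    return math.floor(math.log2(p) / (d + 1)) + 1

def lattice_dimension(n: int, d: int) -> int:
    """w = (d+1) * sum_{s=0}^{d} C(n,s) + C(n,d+1): dimension of L(n,d,t) at t=0."""
    return (d + 1) * sum(math.comb(n, s) for s in range(d + 1)) + math.comb(n, d + 1)

if __name__ == "__main__":
    p = 2**61 - 1                      # constructed modulus (a Mersenne prime)
    alpha = secrets.randbelow(p)       # the hidden number
    d, n = 2, 8                        # n = d^3, so n+1 samples as in the paper's setting
    delta = min_delta_new_bound(p, d)
    samples = mihnp_samples(p, alpha, n, delta)
    print(f"delta={delta}, rho={rho(p, delta):.3f}, w={lattice_dimension(n, d)}")
    print("true alpha consistent:", consistent(p, alpha, samples, delta))
```

For a realistic modulus the paper requires \(\log _2 p=\omega (d^{3d+2})\), so the 61-bit toy modulus here only exercises the definitions, not the asymptotic regime.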
© 2019 International Association for Cryptologic Research
Cite this paper
Xu, J., Sarkar, S., Hu, L., Wang, H., Pan, Y. (2019). New Results on Modular Inversion Hidden Number Problem and Inversive Congruential Generator. In: Boldyreva, A., Micciancio, D. (eds) Advances in Cryptology – CRYPTO 2019. CRYPTO 2019. Lecture Notes in Computer Science(), vol 11692. Springer, Cham. https://doi.org/10.1007/978-3-030-26948-7_11
DOI: https://doi.org/10.1007/978-3-030-26948-7_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26947-0
Online ISBN: 978-3-030-26948-7