Solving a class of modular polynomial equations and its relation to modular inversion hidden number problem and inversive congruential generator

Abstract

In this paper we revisit the modular inversion hidden number problem (MIHNP) and the inversive congruential generator (ICG) and consider how to attack them more efficiently. We consider systems of modular polynomial equations of the form \(a_{ij}+b_{ij}x_i+c_{ij}x_j+x_ix_j=0~(\mathrm {mod}~p)\) and show the relation between solving such equations and attacking MIHNP and ICG. We present three heuristic strategies using Coppersmith’s lattice-based root-finding technique for solving the above modular equations. In the first strategy, we use the polynomial number of samples and get the same asymptotic bound on attacking ICG proposed in PKC 2012, which is the best result so far. However, exponential number of samples is required in the work of PKC 2012. In the second strategy, a part of polynomials chosen for the involved lattice are linear combinations of some polynomials and this enables us to achieve a larger upper bound for the desired root. Corresponding to the analysis of MIHNP we give an explicit lattice construction of the second attack method proposed by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001. We provide better bound than that in the work of PKC 2012 for attacking ICG. Moreover, we propose the third strategy in order to give a further improvement in the involved lattice construction in the sense of requiring fewer samples.

Appendices

Appendix A: The leading monomial of the polynomial in (13)

From (12) and (13), we can deduce

$$\begin{aligned} f_{i_0, i_1, \ldots , i_n}(x_0, x_1, \ldots , x_n)=x^{i_0}_0\cdot (x_{j_1}\ldots x_{j_s})+u_{{i_0+1},1}\cdot h_1+\cdots +u_{{i_0+1},s}\cdot h_s. \end{aligned}$$

Since that \(x^{i_0}_0x^{i_1}_1\ldots x^{i_n}_n\) is written as \(x^{i_0}_0\cdot (x_{j_1}\cdots x_{j_s})\), thus, our goal is to analyze \(x^{i_0}_0\cdot (x_{j_1}\ldots x_{j_s})\) is the leading monomial of \(f_{i_0, i_1, \ldots , i_n}(x_0, x_1, \ldots , x_n)\). Note that the polynomial \(h_l\) \((1\le l \le s)\) is composed of the terms in \(g_l\) except for the corresponding terms of monomials

$$\begin{aligned} x_{j_1}\ldots x_{j_s},~ x_0\cdot (x_{j_1}\ldots x_{j_s}), \ldots , x^{s-1}_0\cdot (x_{j_1}\ldots x_{j_s}). \end{aligned}$$

Let \(x^{l_0}_0x_{k_1}\cdots x_{k_t}\) be a monomial of \(u_{{i_0+1},1}\cdot h_1+\cdots +u_{{i_0+1},s}\cdot h_s\). Hence, we can obtain \(\{k_1, \ldots , k_t\}\subset \{j_1, \ldots , j_s\}\) where \(t<s\). According to the defined order (1), there is

$$\begin{aligned} x^{l_0}_0\cdot (x_{k_1}\ldots x_{k_t})\prec x^{i_0}_0\cdot (x_{j_1}\ldots x_{j_s}), \end{aligned}$$

which implies that the leading monomial of \(f_{i_0, i_1, \ldots , i_n}(x_0, x_1, \ldots , x_n)\) is \(x^{i_0}_0\cdot (x_{j_1}\ldots x_{j_s})\).

Appendix B: Computation of the determinant of L(n, d)

Note that the determinant of L(n, d) is product of the diagonal entries. For the case 1, the contribution of \(h_{i_0, i_1, \ldots , i_n}(x_0, x_{1}, \ldots , x_n)\) to the determinant of L(n, d) is

$$\begin{aligned} \prod \limits ^d_{i_0=0}\left( p^{d}\cdot X^{i_0}\right) . \end{aligned}$$

For the case 2.a, the contribution of \(h_{i_0, i_1, \ldots , i_n}(x_0, x_{1}, \ldots , x_n)\) to the determinant of L(n, d) is given by:

$$\begin{aligned} \prod ^d_{i_0=s}\prod ^d_{s=1}\left( p^{(d-s){\left( {\begin{array}{c}n\\ s\end{array}}\right) }}\cdot X^{(i_0+s){\left( {\begin{array}{c}n\\ s\end{array}}\right) }}\right) . \end{aligned}$$

For the case 2.b, the contribution of \(f_{i_0, i_1, \ldots , i_n}(x_0X, x_{1}X, \ldots , x_nX)\) is:

$$\begin{aligned} \prod ^d_{s=1}\prod ^{s-1}_{i_0=0}\left( p^{(d+1-s){\left( {\begin{array}{c}n\\ s\end{array}}\right) }} \cdot X^{(i_0+s){\left( {\begin{array}{c}n\\ s\end{array}}\right) }}\right) . \end{aligned}$$

To sum up, we get

$$\begin{aligned} \det (L(n,d))=p^{\alpha (n,d)}\cdot X^{\beta (n,d)}, \end{aligned}$$

where \(\alpha (n,d)=d(d+1)\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) - d\sum \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) \) and \(\beta (n,d)=\frac{d(d+1)}{2}\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) +(d+1)\sum \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) \).

Appendix C: Computation on \(p^{F(n,d)-\epsilon _2}\)

Our goal is to derive a lower bound of

$$\begin{aligned} {\left( \omega ^{\frac{\omega -n}{2}}2^{\frac{\omega (\omega -1)}{4}}p^{dn}\right) ^{-\frac{1}{\beta (n,d)}}}\cdot {p^{\frac{d\omega -\alpha (n, d)}{\beta (n, d)}}}. \end{aligned}$$

First, from the values \(\beta (n, d)=\frac{d(d+1)}{2}\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) +(d+1)\sum \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) \) and \(\omega =\dim (L(n,d))=(d+1)\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) \), we get \(\frac{\omega }{\beta (n,d)}<\frac{2}{d+2}\). Further, there is

$$\begin{aligned} {\left( \omega ^{\frac{\omega -n}{2}} 2^{\frac{\omega (\omega -1)}{4}}p^{dn}\right) ^{\frac{1}{\beta (n,d)}}} < \omega ^{\frac{1}{d+2}} 2^{\frac{\omega -1}{2(d+2)}}p^{\frac{dn}{\beta (n,d)}}=p^{\epsilon _2}, \end{aligned}$$

where \(\epsilon _2=\frac{2\log _2 \omega +\omega -1}{2(d+2) \log _2 p}+{\frac{dn}{\beta (n,d)}}\).

Second, plugging the values \(\omega \), \(\alpha (n,d)\) and \(\beta (n,d)\) into \(\frac{d \omega -\alpha (n, d)}{\beta (n, d)}\), we get that

$$\begin{aligned} \frac{d\omega -\alpha (n, d)}{\beta (n, d)}=\frac{2d\sum \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) }{d(d+1)\sum \limits ^d_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) +2(d+1)\sum \limits ^d_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) }=F(n,d). \end{aligned}$$

Thus,

$$\begin{aligned} {\left( \omega ^{\frac{\omega -n}{2}}2^{\frac{\omega (\omega -1)}{4}}p^{dn}\right) ^{-\frac{1}{\beta (n,d)}}}\cdot {p^{\frac{d\omega -\alpha (n, d)}{\beta (n, d)}}}>p^{F(n,d)-\epsilon _2}. \end{aligned}$$

Appendix D: Analysis of the polynomial in (19)

First, we analyze the leading monomial of the polynomial. We know that the leading monomial of the polynomial in (19) is the product of the leading monomials of the following polynomials:

$$\begin{aligned} g{\big (x^{s_1}_0;S_1\big )}, \ldots , g{\big (x^{s_l}_0;S_l\big )}, g{\big (x^{i_0-(s_1+\cdots +s_l)}_0;S_{l+1}\big )}, g{\big (x^0_0;S_{l+2}\big )}, \ldots , g{\big (x^0_0;S_m\big )}. \end{aligned}$$

Note that the leading monomials of \(g{(x^{s_1}_0;S_1)}, \ldots , g{(x^{s_l}_0;S_l)}\) are respectively

$$\begin{aligned} x^{s_1}\cdot (x_{j_1} \ldots x_{j_{s_1}}), \ldots , x^{s_l}\cdot (x_{j_1} \ldots x_{j_{s_l}}), \end{aligned}$$

the leading monomial of \(g{(x^{i_0-(s_1+\cdots +s_l)}_0;S_{l+1})}\) is \(x^{i_0-(s_1+\cdots +s_l)}\cdot (x_{j_{1}} \ldots x_{j_{s_{l+1}}})\) and the leading monomials of \(g{(x^0_0;S_{l+2})}, \ldots , g{(x^0_0;S_m)}\) are respectively

$$\begin{aligned} \big (x_{j_1} \ldots x_{j_{s_{l+2}}}\big ), \ldots , \big (x_{j_1} \ldots x_{j_{s_m}}\big ). \end{aligned}$$

It is easy to compute that the leading monomial of the polynomial in (19) is

$$\begin{aligned} x^{i_0}\cdot \big (x_{j_1} \ldots x_{j_{s_1}}\big )\cdot \big (x_{j_1} \ldots x_{j_{s_2}}\big ) \ldots \big (x_{j_1} \ldots x_{j_{s_m}}\big ) \end{aligned}$$

which is equal to \(x^{i_0}_0x^{i_1}_1\ldots x^{i_n}_n\) from (18) directly. Hence, the leading monomial of the polynomial in (19) is \(x^{i_0}_0x^{i_1}_1\ldots x^{i_n}_n\).

Next, we show that the polynomial in (19) has the following relation

$$\begin{aligned} f_{i_0, i_1, \ldots , i_n}({x}_0, {x}_1, \ldots , {x}_n)=0~\mathrm {mod}~p^{(i_1+\cdots +i_n)-(m-l)}. \end{aligned}$$

Note that the polynomials in (19) are composed of the polynomials generated by the second strategy. From \(|S_1|=s_1, \ldots , |S_l|=s_l\), we have

$$\begin{aligned} g{(x^{s_1}_0;S_1)}=0~\mathrm {mod}~p^{s_1}, \ldots , g{(x^{s_l}_0;S_l)}~\mathrm {mod}~p^{s_l}. \end{aligned}$$

From \(s_1+\cdots +s_l \le i_0<(s_1+\cdots +s_l)+s_{l+1}\), we get \(0\le i_0-(s_1+\cdots +s_l)<s_{l+1}=|S_{l+1}|\), thus there is

$$\begin{aligned} g{(x^{i_0-(s_1+\cdots +s_l)}_0;S_{l+1})}=0~\mathrm {mod}~p^{s_{l+1}-1}. \end{aligned}$$

According to \(|S_m|\ge \cdots \ge |S_{l+2}|\ge |S_{l+1}|=s_{l+1}>0\), we obtain

$$\begin{aligned} g{(x^0_0;S_{l+2})}=0~\mathrm {mod}~p^{s_{l+2}-1}, \ldots ,g{(x^0_0;S_m)}=0~\mathrm {mod}~p^{s_{m}-1}. \end{aligned}$$

Therefore, we get \(f_{i_0, i_1, \ldots , i_n}(x_0, x_1, \ldots , x_n)=0~\mathrm {mod}~p^{(s_1+\cdots +s_m)+(m-l)}.\) From (18), we have \(s_1+\cdots +s_m=i_1+\cdots +i_n\). Hence

$$\begin{aligned} f_{i_0, i_1, \ldots , i_n}({x}_0, {x}_1, \ldots , {x}_n)=0~\mathrm {mod}~p^{(i_1+\cdots +i_n)-(m-l)}. \end{aligned}$$

Appendix E: Computation on dimension and determinant of L(n, d, k)

Let

$$\begin{aligned} S(n, d, k)=\{(i_1, \ldots , i_n), 0\le i_1,\ldots , i_n \le k, 0 \le i_1+\cdots +i_n\le dk\}. \end{aligned}$$

Denote |S(n, d, k)| is the cardinality of S(n, d, k). Note that |S(n, d, k)| can also be regarded as the sum of coefficients of the \(x^s\) in the expansion of the polynomial \((1+x+\cdots +x^k)^n\), \(s=0, 1, \ldots , dk\). Namely, \(|S(n, d, k)|=\sum \limits ^{dk}_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}.\)

First, we compute the dimension of L(n, d, k). Clearly, the dimension of the lattice L(n, d, k) is equal to the number of vectors in I(n, d, k), which can be expressed as \((dk+1)\cdot |S(n, d, k)|\), Therefore,

$$\begin{aligned} \dim (L(n, d, k))=(dk+1)\sum ^{dk}_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}. \end{aligned}$$

Then, we compute the determinant of L(n, d, k). Since that the determinant of L(n, d, k) is product of the diagonal entries where all tuples \((i_0, i_1, \ldots , i_n)\in I(n, d, k)\), we consider the following cases.

For the case 1 and case 2.a, the contribution of \(h_{i_0, i_1, \ldots , i_n}(x_0, x_{1}, \ldots , x_n)\) to the determinant of L(n, d) is

$$\begin{aligned} \prod _{(i_1, \ldots , i_n)\in S(n, d, k)}\prod ^{dk}_{i_0= i_1+\cdots +i_n}\left( p^{dk-(i_1+\cdots +i_n)}\cdot X^{i_0+i_1+\cdots +i_n}\right) , \end{aligned}$$

where \(i_1+\cdots +i_n=0\) in the case 1 and \(i_1+\cdots +i_n>0\) in the case 2.a.

For the case 2.b, the contribution of \(h_{i_0, i_1, \ldots , i_n}(x_0X, x_{1}X, \ldots , x_nX)\) is given as follows:

$$\begin{aligned} \begin{aligned} \begin{array}{ll} \prod \limits _{(i_1, \ldots , i_n)\in S(n, d,k)}\prod \limits ^{m-1}_{l=0}\prod \limits ^{s_1+s_2+\cdots +s_{l+1}-1}_{i_0=s_1+s_2+\cdots +s_{l}}\left( p^{dk-(i_1+\cdots +i_n)+(m-l)}\cdot X^{i_0+i_1+\cdots +i_n}\right) ,\\ \end{array} \end{aligned} \end{aligned}$$

which can be rearranged as

$$\begin{aligned} \prod _{(i_1, \ldots , i_n)\in S(n, d, k)} \left( p^{\sum \limits ^{m-1}_{l=0}(m-l)s_{l+1}} \cdot \prod ^{ i_1+\cdots +i_n-1}_{i_0=0}\left( p^{dk-(i_1+\cdots +i_n)}\cdot X^{i_0+i_1+\cdots +i_n}\right) \right) \end{aligned}$$

according to the relation \(s_1+\cdots +s_m=i_1+\cdots +i_n\) in (18).

Thus, we can get that \(\det (L(n,d,k))\) =

$$\begin{aligned} \prod _{(i_1, \ldots , i_n)\in S(n, d, k)}\left( p^{\sum \limits ^{m-1}_{l=0}(m-l)s_{l+1}}\cdot \prod ^{dk}_{i_0=0}\left( p^{dk-(i_1+\cdots +i_n)}\cdot X^{i_0+i_1+\cdots +i_n}\right) \right) . \end{aligned}$$

First, let us compute \(\prod \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}\prod \limits ^{dk}_{i_0=0}p^{dk-(i_1+\cdots +i_n)}.\) We can deduce that

$$\begin{aligned} \begin{aligned}&\sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}\sum \limits ^{dk}_{i_0=0} \left( {dk-(i_1+\cdots +i_n)}\right) \\ {}&\qquad \qquad \begin{array}{ll} =dk(dk+1)\cdot \sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}1-(dk+1)\cdot \sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}(i_1+\cdots +i_n)\\ =dk(dk+1)\sum \limits ^{dk}_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}-(dk+1)\sum \limits ^{dk}_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}\\ \end{array} \end{aligned} \end{aligned}$$

where \(s=i_1+\cdots +i_n\). Hence,

$$\begin{aligned} \prod \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}\prod \limits ^{dk}_{i_0=0}p^{dk-(i_1+\cdots +i_n)}=p^{dk(dk+1)\sum \limits ^{dk}_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}-(dk+1)\sum \limits ^{dk}_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}}. \end{aligned}$$

Second, let us compute \(\prod \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}\prod \limits ^{dk}_{i_0=0}X^{i_0+i_1+\cdots +i_n}.\) Note that

$$\begin{aligned} \begin{aligned}&\sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}\sum \limits ^{dk}_{i_0=0} \left( {i_0+i_1+\cdots +i_n}\right) \\ {}&\qquad \qquad \begin{array}{ll} =\frac{dk(dk+1)}{2}\cdot \sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}1-(dk+1)\cdot \sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}(i_1+\cdots +i_n)\\ =\frac{dk(dk+1)}{2}\sum \limits ^{dk}_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}-(dk+1)\sum \limits ^{dk}_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}.\\ \end{array} \end{aligned} \end{aligned}$$

Therefore,

$$\begin{aligned} \prod \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}\prod \limits ^{dk}_{i_0=0}X^{i_0+i_1+\cdots +i_n}=X^{\frac{dk(dk+1)}{2}\sum \limits ^{dk}_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}-(dk+1)\sum \limits ^{dk}_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}}. \end{aligned}$$

Third, let us compute \(\prod \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}p^{\sum \limits \limits ^{m-1}_{l=0}(m-l)s_{l+1}}\). We can rewrite

$$\begin{aligned} \begin{aligned} \begin{array}{ll} \sum \limits \limits ^{m-1}_{l=0}(m-l)s_{l+1}=\sum \limits \limits ^{m-1}_{l=0} (s_{l+1}-s_l)(1+\cdots +m-l) \end{array} \end{aligned} \end{aligned}$$

where \(s_0=0\). Note that there are exactly \((s_{l+1}-s_l)\) entries that are equal to \((m-l)\) in the exponent set \(\{i_1, \ldots , i_n\}\) for \(l=0, 1, \ldots , m-1\). Hence, \(\sum \limits \limits ^{m-1}_{l=0} (s_{l+1}-s_l)(1+\cdots +m-l)\) can be regarded as a rearrangement of \((1+\cdots +i_1)+\cdots +(1+\cdots +i_n)\), which is computed as \(\frac{i_1+\cdots +i_n+i^2_1+\cdots +i^2_n}{2}\). Therefore,

$$\begin{aligned} \sum _{(i_1, \ldots , i_n)\in S(n, d, k)}{\sum \limits ^{m-1}_{l=0}(t-l)s_{l+1}}=\sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}{\frac{i_1+\cdots +i_n+i^2_1+\cdots +i^2_n}{2}}. \end{aligned}$$

We have known \(\sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}{\left( i_1+\cdots +i_n\right) }=\sum \limits ^{dk}_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}.\) Next, we analyze

$$\begin{aligned} \sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}{\left( i^2_1+\cdots +i^2_n\right) }. \end{aligned}$$

Since

$$\begin{aligned} \sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}{\left( i^2_1+\cdots +i^2_n\right) }=n\cdot \sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}i^2_n \end{aligned}$$

Here, \(0\le i_n \le k\) and \(0 \le (i_1+\cdots +i_{n-1})\le {\min \{dk-i_n,(n-1)k\}}\) as \({(i_1, \ldots , i_n)\in S(n, d, k)}\). Thus, we can rewrite the above relation using polynomial coefficients:

$$\begin{aligned} \sum \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}{\left( i^2_1+\cdots +i^2_n\right) }=n\cdot \sum ^{k}_{i=0}\sum ^{\min \{dk-i,(n-1)k\}}_{s=0}i^2\left( {\begin{array}{c}n-1\\ s\end{array}}\right) _{k+1}. \end{aligned}$$

Further, we obtain

$$\begin{aligned} \prod \limits _{(i_1, \ldots , i_n)\in S(n, d, k)}p^{\sum \limits \limits ^{m-1}_{l=0}(m-l)s_{l+1}}=p^{\frac{n}{2}\cdot \sum \limits ^{k}_{i=0}\sum \limits ^{\min \{dk-i,(n-1)k\}}_{s=0}i^2\left( {\begin{array}{c}n-1\\ s\end{array}}\right) _{k+1}+\frac{1}{2}\sum \limits ^{dk}_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}}. \end{aligned}$$

According to the above analysis, we get \(\det (n, d, k)=p^{\alpha (n, d, k)}\cdot X^{\beta (n, d, k)}\), where \(\alpha (n, d, k)\)=

$$\begin{aligned} dk(dk+1)\sum \limits ^{dk}_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}+\frac{n}{2}\sum ^{k}_{i=0}\sum ^{\min \{dk-i,(n-1)k\}}_{s=0}i^2\left( {\begin{array}{c}n-1\\ s\end{array}}\right) _{k+1}-\frac{2dk+1}{2}\sum \limits ^{dk}_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1} \end{aligned}$$

and

$$\begin{aligned} \beta (n, d, k)=\frac{dk(dk+1)}{2} \sum \limits ^{dk}_{s=0}\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}+(dk+1)\sum \limits ^{dk}_{s=0}s\left( {\begin{array}{c}n\\ s\end{array}}\right) _{k+1}. \end{aligned}$$

Appendix F: Computation on \(p^{F(n,d, k)-\epsilon _3}\)

Our goal is to show a lower bound of

$$\begin{aligned} {\left( \omega ^{\frac{\omega -n}{2}}2^{\frac{\omega (\omega -1)}{4}}p^{ndk}\right) ^{-\frac{1}{\beta (n,d,k)}}}\cdot {p^{\frac{dk \omega -\alpha (n, d, k)}{\beta (n, d, k)}}} \end{aligned}$$

where \(\omega =\dim (L(n,d,k))\).

First, from the values \(\dim (L(n,d,k))\) and \(\beta (n,d,k)\), we get \(\frac{\omega }{\beta (n,d,k)}<\frac{2}{dk+2}\), furthermore,

$$\begin{aligned} {\left( \omega ^{\frac{\omega -n}{2}} 2^{\frac{\omega (\omega -1)}{4}}p^{ndk}\right) ^{\frac{1}{\beta (n,d,k)}}} < \omega ^{\frac{1}{dk+2}}2^{\frac{\omega -1}{2(dk+2)}}p^{\frac{ndk}{\beta (n,d,k)}}=p^{\epsilon _3} \end{aligned}$$

where \(\epsilon _3=\frac{2\log _2 \omega +(\omega -1)}{2(dk+2) \log _2 p}+\frac{ndk}{\beta (n,d,k)}\).

Second, according to the values \(\alpha (n, d, k)\), \(\beta (n, d,k)\), \(\omega \) and F(n, d, k), we can compute

$$\begin{aligned} \frac{dk\omega -\alpha (n, d, k)}{\beta (n, d,k)}=F(n,d,k). \end{aligned}$$

Therefore, there is the following relation

$$\begin{aligned} {\left( \omega ^{\frac{\omega -n}{2}}2^{\frac{\omega (\omega -1)}{4}}p^{ndk}\right) ^{-\frac{1}{\beta (n,d,k)}}}\cdot {p^{\frac{d\omega -\alpha (n, d, k)}{\beta (n, d, k)}}}>{p^{F(n,d,k)-\epsilon _3}}. \end{aligned}$$

Appendix G: Sage code for the first strategy

Appendix H: Sage code for the second strategy

Appendix I: Sage code for the third strategy