In this paper we revisit the modular inversion hidden number problem (MIHNP) and the inversive congruential generator (ICG) and consider how to attack them more efficiently. We consider systems of modular polynomial equations of the form aij+bijxi+cijxj+xixj=0(modp) and show the relation between solving such equations and attacking MIHNP and ICG. We present three heuristic strategies using Coppersmith’s lattice-based root-finding technique for solving the above modular equations. In the first strategy, we use the polynomial number of samples and get the same asymptotic bound on attacking ICG proposed in PKC 2012, which is the best result so far. However, exponential number of samples is required in the work of PKC 2012. In the second strategy, a part of polynomials chosen for the involved lattice are linear combinations of some polynomials and this enables us to achieve a larger upper bound for the desired root. Corresponding to the analysis of MIHNP we give an explicit lattice construction of the second attack method proposed by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001. We provide better bound than that in the work of PKC 2012 for attacking ICG. Moreover, we propose the third strategy in order to give a further improvement in the involved lattice construction in the sense of requiring fewer samples. © 2017, Springer Science+Business Media, LLC.

Santanu Sarkar

Department of Mathematics

Computer applications

Mathematical techniques

CONGRUENTIAL GENERATORS

Exponential numbers

Lattice

LATTICE CONSTRUCTION

Linear combinations

LLL ALGORITHM

MODULAR INVERSION

MODULAR POLYNOMIAL

Polynomials

IIT Madras is a public technical and research university located in Chennai, Tamil Nadu. Founded in 1959, it is recognised as an Institute of National Importance.

IIT Madras has been ranked as the top engineering institute in India for four years in a row by the National Institutional Ranking Framework of the MHRD

It currently offers undergraduate, postgraduate and research degrees across 16 disciplines in Engineering, Sciences, Humanities and Management. About 596 faculty belonging to science and engineering departments and centres of the Institute are engaged in teaching, research and industrial consultancy.

IIT Madras

Designs, Codes, and Cryptography

In PKC 2017, the elliptic curve hidden number problem (EC-HNP) was revisited in order to rigorously assess the bit security of the elliptic curve Diffie–Hellman key exchange protocol. In this paper, we solve EC-HNP by using the Coppersmith technique which combines the idea behind the second lattice method of Boneh, Halevi and Howgrave-Graham for solving the modular inversion hidden number problem. We show that the hidden point in EC-HNP can be recovered asymptotically if about half of the most significant bits of the x-coordinates of the corresponding points are given. A similar result is also obtained for the least significant bits. We provide better bounds than the one in the work of PKC 2017, which needs about 5/6 of the bits as a result of a rigorous algorithm. However, our solution is based on a heuristic assumption. We verify the validity of our heuristic algorithm by computer experiments. © 2019, Springer Science+Business Media, LLC, part of Springer Nature.

Cryptanalysis of elliptic curve hidden number problem from PKC 2017

The Modular Inversion Hidden Number Problem (MIHNP), introduced by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001, is briefly described as follows: Let$${\mathrm {MSB}}_{\delta }(z)$$ refer to the$$\delta $$ most significant bits of z. Given many samples$$\left(t_{i}, {\mathrm {MSB}}_{\delta }((\alpha + t_{i})^{-1} \bmod {p})\right) $$ for random$$t:i \in \mathbb {Z}_p$$, the goal is to recover the hidden number$$\alpha \in \mathbb {Z}_p$$. MIHNP is an important class of Hidden Number Problem. In this paper, we revisit the Coppersmith technique for solving a class of modular polynomial equations, which is respectively derived from the recovering problem of the hidden number$$\alpha $$ in MIHNP. For any positive integer constant d, let integer$$n=d^{3+o(1)}$$. Given a sufficiently large modulus p,$$n+1$$ samples of MIHNP, we present a heuristic algorithm to recover the hidden number$$\alpha $$ with a probability close to 1 when$$\delta /\log _2 p>\frac{1}{d\,+\,1}+o(\frac{1}{d})$$. The overall time complexity of attack is polynomial in$$\log _2 p$$, where the complexity of the LLL algorithm grows as$$d^{\mathcal {O}(d)}$$ and the complexity of the Gröbner basis computation grows as$$(2d)^{\mathcal {O}(n^2)}$$. When$$d> 2$$, this asymptotic bound outperforms$$\delta /\log _2 p>\frac{1}{3}$$ which is the asymptotic bound proposed by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001. It is the first time that a better bound for solving MIHNP is given, which implies that the conjecture that MIHNP is hard whenever$$\delta /\log _2 p<\frac{1}{3}$$ is broken. Moreover, we also get the best result for attacking the Inversive Congruential Generator (ICG) up to now. © 2019, International Association for Cryptologic Research.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

New Results on Modular Inversion Hidden Number Problem and Inversive Congruential Generator

Ceramic Materials for Electronics

for dij

Undergraduate Texts in Mathematics Ideals, Varieties, and Algorithms

Correction to: Ideals, Varieties, and Algorithms

Information Security Practice and Experience Lecture Notes in Computer Science

Modular Inversion Hidden Number Problem Revisited

The ZZ domain of cytoplasmic polyadenylation element binding protein 1 (CPEB1)

Journal of Symbolic Computation

On the modular inversion hidden number problem

Solving a class of modular polynomial equations and its relation to modular inversion hidden number problem and inversive congruential generator

Journal	Data powered by TypesetDesigns, Codes, and Cryptography
Publisher	Data powered by TypesetSpringer New York LLC
ISSN	09251022
Open Access	No