# Solving a class of modular polynomial equations and its relation to modular inversion hidden number problem and inversive congruential generator

@article{Xu2018SolvingAC, title={Solving a class of modular polynomial equations and its relation to modular inversion hidden number problem and inversive congruential generator}, author={Jun Xu and Santanu Sarkar and Lei Hu and Zhangjie Huang and Liqiang Peng}, journal={Designs, Codes and Cryptography}, year={2018}, volume={86}, pages={1997-2033} }

In this paper we revisit the modular inversion hidden number problem (MIHNP) and the inversive congruential generator (ICG) and consider how to attack them more efficiently. We consider systems of modular polynomial equations of the form $$a_{ij}+b_{ij}x_i+c_{ij}x_j+x_ix_j=0~(\mathrm {mod}~p)$$aij+bijxi+cijxj+xixj=0(modp) and show the relation between solving such equations and attacking MIHNP and ICG. We present three heuristic strategies using Coppersmith’s lattice-based root-finding…

## 4 Citations

### New Results on Modular Inversion Hidden Number Problem and Inversive Congruential Generator

- MathematicsIACR Cryptol. ePrint Arch.
- 2019

The Modular Inversion Hidden Number problem, introduced by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001, is briefly described as follows: the goal is to recover the hidden number \(\alpha \in \mathbb {Z}_p\).

### Cryptanalysis of elliptic curve hidden number problem from PKC 2017

- Computer Science, MathematicsDes. Codes Cryptogr.
- 2020

This paper solves EC-HNP by using the Coppersmith technique which combines the idea behind the second lattice method of Boneh, Halevi and Howgrave-Graham for solving the modular inversion hidden number problem.

### On the judgement of full-period sequences and a novel congruential map with double modulus on Z(pn)

- Computer ScienceChina Communications
- 2019

The analysis and experiments show that the novel congruential map with double modulus on Z(pn) can be applied in the pseudo-random number generation (PRNG), cryptography, spread spectrum communications and so on.

### Improving Bounds on Elliptic Curve Hidden Number Problem for ECDH Key Exchange

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2022

The Coppersmith method for solving the involved modular multivariate polynomials in the Diffie–Hellman variant of EC-HNP is revisited and it is demonstrated that, for any given positive integer d, a given sufficiently large prime p , and a fixed elliptic curve over the prime field F p, the heuristic result 1 d +1 significantly outperforms both the rigorous bound 56 and heuristic bound 12 .

## References

SHOWING 1-10 OF 27 REFERENCES

### Modular Inversion Hidden Number Problem Revisited

- Mathematics, Computer ScienceISPEC
- 2014

A better polynomial time algorithm is presented to solve the modular inversion hidden number problem by utilizing a technique of priority queue computation and by constructing related lattices from algebraically dependent polynomials.

### The Modular Inversion Hidden Number Problem

- Mathematics, Computer ScienceASIACRYPT
- 2001

This work describes an algorithm for this MIHNP problem when k > (log2 p)/3 and conjecture that the problem is hard whenever k < ( log2 p/3) and shows that assuming hardness of some variants of this MIhNP problem leads to very efficient algebraic PRNGs and MACs.

### Predicting nonlinear pseudorandom number generators

- MathematicsMath. Comput.
- 2005

If sufficiently many of the most significant bits of several consecutive values u n of the ICG are given, one can recover the initial value u 0 and the results are somewhat similar to those known for the linear congruential generator (LCG), x n+1 ≡ ax n + b mod p, but they apply only to much longer bit strings.

### Inferring Sequences Produced by Nonlinear Pseudorandom Number Generators Using Coppersmith's Methods

- Computer Science, MathematicsPublic Key Cryptography
- 2012

This paper revisits the security of number-theoretic generators by proposing better attacks based on Coppersmith's techniques for finding small roots on polynomial equations and is able to significantly improve the security bounds obtained by Blackburn et al.

### Solving Hidden Number Problem with One Bit Oracle and Advice

- Computer Science, MathematicsCRYPTO
- 2009

An algorithm solving HNP, when given an advice depending only on p and g; the running time and advice length are polynomial in logp, and the algorithm succeeds with high probability even if the oracle to f is corrupted by random noise.

### Ideals, varieties, and algorithms - an introduction to computational algebraic geometry and commutative algebra (2. ed.)

- Computer ScienceUndergraduate texts in mathematics
- 1997

The algorithmic roots of algebraic object, called a close relationship between ideals, many of polynomial equations in geometric, object called a more than you, for teaching purposes and varieties, and the solutions and reduce even without copy.

### Finding Small Roots of Univariate Modular Equations Revisited

- Computer Science, MathematicsIMACC
- 1997

An alternative technique for finding small roots of univariate modular equations is described and it is compared with that taken in (Coppersmith, 1996), which links the concept of the dual lattice to the LLL algorithm.

### Predicting the Inversive Generator

- MathematicsIMACC
- 2003

If b and sufficiently many of the most significant bits of three consecutive values u n of the ICG are given, one can recover in polynomial time the initial value u 0 (even in the case where the coefficient a is unknown) provided that the initialvalue u 0 does not lie in a certain small subset of exceptional values.

### Ideals, Varieties, and Algorithms

- Mathematics
- 1997

(here, > is the Maple prompt). Once the Groebner package is loaded, you can perform the division algorithm, compute Groebner bases, and carry out a variety of other commands described below. In…

### Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

- Computer Science, MathematicsCRYPTO
- 1996

We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself.…