New Results on Modular Inversion Hidden Number Problem and Inversive Congruential Generator

The Modular Inversion Hidden Number Problem (MIHNP), introduced by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001, is briefly described as follows: Let MSB delta(z) refer to the delta most significant bits of z. Given many samples (t(i), MSB delta((alpha + t(i))(-1) mod p)) for random t(i) is an element of Z(p), the goal is to recover the hidden number alpha is an element of Z(p). MIHNP is an important class of Hidden Number Problem. In this paper, we revisit the Coppersmith technique for solving a class of modular polynomial equations, which is respectively derived from the recovering problem of the hidden number alpha in MIHNP. For any positive integer constant d, let integer n = d(3+o(1)). Given a sufficiently large modulus p, n + 1 samples of MIHNP, we present a heuristic algorithm to recover the hidden number a with a probability close to 1 when delta/log(2) p > 1/d + 1 + o(1/d). The overall time complexity of attack is polynomial in log(2) p, where the complexity of the LLL algorithm grows as d(O(d)) and the complexity of the Grobner basis computation grows as (2d)(O(n2)()). When d > 2, this asymptotic bound outperforms delta/log(2) p > 1/3 which is the asymptotic bound proposed by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001. It is the first time that a better bound for solving MIHNP is given, which implies that the conjecture that MIHNP is hard whenever delta/log(2)p < 1/3 is broken. Moreover, we also get the best result for attacking the Inversive Congruential Generator (ICG) up to now.