Reconstructing noisy polynomial evaluation in residue rings

Let $q>1$ be an integer and let $a$ and $b$ be elements of the residue ring $\mathbb{Z}_q$ of integers modulo $q$. We show how, when given a polynomial $f \in \mathbb{Z}_q[X]$ and approximations to $v_0, v_1 \in \mathbb{Z}_q$ such that $v_1 = f(v_0) \bmod q$, one can recover $v_0$ and $v_1$ efficiently. This result has direct applications to predicting the polynomial congruential generator: a sequence $(v_n)$ of pseudorandom numbers defined by the relation $v_{n+1} = f(v_n) \bmod q$ for some polynomial $f \in \mathbb{Z}_q[X]$. The applications lead to analogues of results known for the linear congruential generator $x_{n+1} = a x_n + b \bmod q$, although the results are much more restrictive due to the nonlinearity of the problem.
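The following is an added worked example and is not code from the paper. It shows the shape of the reconstruction problem in the simplest case the abstract covers, where the attacker knows $v_1 = f(v_0) \bmod q$ exactly and only an approximation $w_0$ of $v_0$ (its low bits are missing), for a monic quadratic $f$. The unknown error $e = v_0 - w_0$ is a small root of $g(x) = f(w_0 + x) - v_1$ modulo $q$, and a three-row Howgrave-Graham lattice reduced with a textbook LLL turns that modular root into an integer root. The paper's result handles noise in both $v_0$ and $v_1$ with a bivariate lattice; that is not reproduced here. The modulus, coefficients and seed are constructed for the demonstration, and the function and variable names are the example's own.

```python
"""Added example (not from the paper): recover v_0 from a truncated
approximation w_0 when v_1 = f(v_0) mod q is known exactly, for a monic
quadratic f over Z_q.  Univariate Howgrave-Graham/Coppersmith lattice plus a
textbook LLL; all parameters below are constructed for the demo."""
from fractions import Fraction
from math import isqrt


def pcg_next(f, v, q):
    """One step of the polynomial congruential generator v_{n+1} = f(v_n) mod q.
    f is a coefficient list [c_0, c_1, ..., c_d], lowest degree first."""
    return sum(c * pow(v, i, q) for i, c in enumerate(f)) % q


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; adequate for the 3-row lattice here."""
    B = [list(row) for row in basis]
    n = len(B)

    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = Fraction(_dot(B[i], Bs[j])) / _dot(Bs[j], Bs[j])
                v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu

    Bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size reduction of row k
            r = round(mu[k][j])
            if r:
                B[k] = [a - r * b for a, b in zip(B[k], B[j])]
                Bs, mu = gram_schmidt()
        if _dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * _dot(Bs[k - 1], Bs[k - 1]):
            k += 1                              # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]     # swap and step back
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return B


def integer_roots(c):
    """Integer roots of c[0] + c[1] x + c[2] x^2 (degree at most 2)."""
    while c and c[-1] == 0:
        c = c[:-1]
    if len(c) == 2:
        return [-c[0] // c[1]] if c[0] % c[1] == 0 else []
    if len(c) == 3:
        c0, c1, c2 = c
        disc = c1 * c1 - 4 * c2 * c0
        if disc < 0:
            return []
        s = isqrt(disc)
        if s * s != disc:
            return []
        return [(-c1 + t) // (2 * c2) for t in (s, -s) if (-c1 + t) % (2 * c2) == 0]
    return []


def recover_v0(f, q, w0, v1, X):
    """w0 approximates v0 with 0 <= v0 - w0 < X and v1 = f(v0) mod q is exact.
    Returns v0, or None if no lattice row yields a valid root."""
    assert len(f) == 3 and f[2] == 1, "demo handles monic quadratics only"
    b, a = f[0], f[1]
    # g(x) = f(w0 + x) - v1 mod q is monic in x; e = v0 - w0 is a root mod q.
    g = [(w0 * w0 + a * w0 + b - v1) % q, (2 * w0 + a) % q, 1]
    # Rows are the X-scaled coefficient vectors of q, q*x and g(x), so every
    # lattice vector is a polynomial that vanishes at e modulo q.  With
    # X < q^(1/3) / sqrt(6) the LLL-reduced first row is short enough that
    # it vanishes at e over the integers (Howgrave-Graham's lemma).
    basis = [[q, 0, 0], [0, q * X, 0], [g[0], g[1] * X, X * X]]
    for row in lll(basis):
        h = [coef // X ** i for i, coef in enumerate(row)]   # undo X-scaling
        for e in integer_roots(h):
            if -X < e < X and pcg_next(f, w0 + e, q) == v1:
                return w0 + e
    return None


def demo():
    """Constructed instance: 48-bit modulus, attacker misses 13 low bits of v0."""
    q = (1 << 48) - 59                 # constructed modulus (primality not needed)
    f = [0x89ABCDE, 0x1234567, 1]      # f(x) = x^2 + 0x1234567 x + 0x89ABCDE
    v0 = 0xA5A5A5A5A5A5                # constructed seed
    v1 = pcg_next(f, v0, q)
    X = 1 << 13
    w0 = v0 - (v0 % X)                 # approximation: low 13 bits zeroed
    return recover_v0(f, q, w0, v1, X), v0


if __name__ == "__main__":
    recovered, truth = demo()
    print("recovered v0:", hex(recovered), "correct:", recovered == truth)
```

The lattice dimension is deliberately minimal, which limits the tolerated error to roughly $q^{1/3}$; larger Coppersmith lattices (more shifts and powers of $g$) push the bound towards $q^{1/2}$ for a quadratic, and the two-unknown setting of the abstract needs the bivariate construction the paper gives.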
