CLOSE VALUES OF SHIFTED MODULAR INVERSIONS AND THE DECISIONAL MODULAR INVERSION HIDDEN NUMBER PROBLEM

Abstract. We give deterministic polynomial time algorithms for two different decision versions of the modular inversion hidden number problem introduced by D. Boneh, S. Halevi and N. A. Howgrave-Graham in 2001. For example, for one of our algorithms we need to be given about 1/2 of the bits of each inversion, while for the computational version the best known algorithm requires about 2/3 of the bits and is probabilistic.


Introduction
The hidden number problem, introduced and studied by Boneh and Venkatesan [3,4], has played an important role in several cryptographic algorithms and has been generalised in a number of directions, see [17] for a survey of relevant results and also [1] for some recent developments within a new approach. Here we consider a modification of the original problem which has been suggested by Boneh, Halevi and Howgrave-Graham [2].
For a prime p, we denote by 𝔽_p the field of p elements and always assume that it is represented by the set {0, 1, . . . , p − 1}. Thus, sometimes, where obvious, we treat elements of 𝔽_p as integer numbers in the above range.
Motivated by several cryptographic applications, such as constructions of efficient and reliable pseudorandom number generators, and an analogy with the original hidden number problem of [3,4], Boneh, Halevi and Howgrave-Graham [2] have introduced the modular inversion hidden number problem, where the goal is to recover a "hidden" shift s ∈ 𝔽_p from approximations to the inversions (s + x)^{−1} ∈ 𝔽_p for several field elements x ∈ 𝔽_p, where hereafter we set 0^{−1} = 0 (thus, alternatively one can say that we are given approximations to (s + x)^{p−2}).
More precisely, for z ∈ 𝔽_p we denote by MSB(z) any u ∈ 𝔽_p such that We then extend this definition to integer values of z in a natural way. Roughly speaking, MSB(z) gives most significant bits of the remainder on division of z by p. However, this definition is more flexible and better suits our purposes. In particular we remark that in the above inequality need not be an integer.
Boneh, Halevi and Howgrave-Graham [2] have introduced and studied the following problem, which is natural to call the Computational Modular Inversion Hidden Number Problem:

CMIHNP: Given an oracle O ,s that for x ∈ 𝔽_p outputs O ,s (x) = MSB((s + x)^{−1}), recover s ∈ 𝔽_p.

Let n = log p / log 2 be the bit length of p.
Developing and extending some ideas of [2], Ling, Shparlinski, Steinfeld and Wang [14] have given a rigorously analysed algorithm for the CMIHNP that, for any fixed ε > 0, a sufficiently large p and > (2/3 + ε)n, with overwhelming probability recovers s in polynomial time, by querying O ,s at randomly chosen elements x ∈ 𝔽_p. We remark that, although the oracle queries are randomised, the rest of the algorithm of [2] is deterministic.
Here we consider two modifications of the CMIHNP, which we call the Decisional Modular Inversion Hidden Number Problems. More precisely, we consider:

DMIHNP-1: Given t ∈ 𝔽_p and an oracle O ,s that for x ∈ 𝔽_p outputs O ,s (x) = MSB((s + x)^{−1}), decide whether s = t;

and

DMIHNP-2: Given two oracles O ,s and O ,t that for x ∈ 𝔽_p output O ,s (x) = MSB((s + x)^{−1}) and O ,t (x) = MSB((t + x)^{−1}), respectively, decide whether s = t.

For example, for DMIHNP-1, we give a polynomial time deterministic algorithm which works for less precise oracles O ,s than those in [14], namely for oracles O ,s with > (1/2 + ε)n. We remark that such an algorithm can also be considered as a deterministic verification of the output of the algorithm of [14], which may occasionally output wrong answers.
For DMIHNP-2, we need the oracle of the same strength as in [14], however the algorithm is deterministic.
The previously known heuristic [2] and rigorous [14] algorithms have been based on lattice algorithms. Here we use a very different approach which is based on studying the frequency of close values of two rational functions (X + s)^{−1}, (X + t)^{−1} ∈ 𝔽_p(X), computed on a short interval I of consecutive values {u + 1, . . . , u + h} ⊆ 𝔽_p. In turn, these number theoretic results are based on the method introduced by Cilleruelo and Garaev [6], and then extended in several more works [5,7,8]. We believe that these results can be of independent interest, and can also be used for several modifications of the DMIHNP-1 and DMIHNP-2, for example, with "noisy" oracles, see Section 5.
Throughout the paper, all implied constants in the symbols 'O' are absolute, unless stated otherwise.

Preparations
Here we collect some number theoretic results. For an integer a we use a p to denote the residue of a modulo p that is smallest in absolute value, that is

First, we recall [8, Lemma 3.2], which follows easily from the Dirichlet pigeon-hole principle.

and any integers a_1, . . . , a_ν there exists an integer u with gcd(u, p) = 1 and such that

Let τ(m) denote the number of positive integer divisors of an integer m ≥ 1. The following result follows immediately from a stronger and much more general estimate of Shiu [16, Theorem 2] (taken with r = λ = 1 and x = y), which in turn is a very special case of [16, Theorem 1]; even more general results are given by Nair and Tenenbaum [15].
Lemma 2.2. For any fixed real ε > 0, and integers M ≥ p^{1+ε} and a ≢ 0 (mod p), where the implied constant depends only on ε.

Frequency of small values of shifted inversions
Given s, t ∈ 𝔽_p and two positive integers h and H, we denote by T_{s,t}(h, H) the number of x ∈ {1, . . . , h} such that for some y ∈ {0, ±1, . . . , ±H}.
The case when one of the shifts s, t is zero is of special interest to us. Furthermore, we denote T_r(h, H) = T_{r,0}(h, H).
For s ≠ t, rewriting the congruence (1) as we see that y ≠ 0 and furthermore we have the trivial bound T_{s,t}(h, H) ≤ min{h, 4H}.
First we study the case when the bound T_r(h, H) ≤ h is attained, which is the main tool in our study of the DMIHNP.

Proof. For s = r and t = 0 we derive from (2) x^2 y + rxy + r ≡ 0 (mod p).
Clearly v ≠ 0. In particular, (5) x | v for every solution (x, y) to the congruence (3). Now, assume that T_r(h, H) = h; then we have (5) for every x = 1, . . . , h. Hence we see that the divisibility condition (6) implies which is impossible for h ≥ (1/2 + δ) log p and a sufficiently large p.
We now obtain a similar but weaker result for T_{s,t}(h, H).

Proof. As in the proof of Theorem 3.1 we transform (2) into x^2 y + (s + t)xy + sty + s − t ≡ 0 (mod p).
It is also clear that the method of proof of Theorems 3.1 and 3.2, and the well-known bound τ(m) = m^{o(1)}, lead to the estimates

respectively.
We now obtain upper bounds on T_r(h, H) and T_{s,t}(h, H) for slightly larger values of h and H.

Theorem 3.3. Assume that
for a fixed real ε > 0. Then for any integer r ≢ 0 (mod p) we have T_r(h, H) = O(p^{−1/2} H h^{3/2} log p).

Theorem 3.3 is nontrivial if
and

Similarly, we also derive

Theorem 3.4. Assume that H^3 h^3 ≥ p^{1+ε} for a fixed real ε > 0. Then for any integers s ≢ t (mod p) we have

Testing the hidden shift in modular inversion
We first present an algorithm for DMIHNP-1, that is, when t is known.

Proof. We set h = log p and query O ,s for x = −t + 1, . . . , −t + h. Clearly if s = t then for every x ∈ 𝔽_p we have Otherwise, that is, if s ≠ t, we see from Theorem 3.1 applied with H = p/2 + 1 that for at least one of the above values of x the inequality (9) fails.
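The following is an added example, not code from the paper, that makes two of the objects above concrete for a small prime: a brute-force evaluation of the counting function T_{s,t}(h, H) from Section 3 (with the residue of smallest absolute value, as in Section 2), and the decision procedure of Theorem 4.1, which queries the oracle at x = −t + 1, . . . , −t + h so that t + x runs over 1, . . . , h and accepts only if every answer is consistent with (t + x)^{−1}. Everything not fixed by the paper is an assumption and is marked as such in the code: the MSB tolerance is taken as |z − u| < p/2^ℓ, the oracle is built by zeroing the low bits of the true inverse (so it always satisfies that tolerance), and h = ⌈log p⌉ uses the natural logarithm; `make_msb_oracle`, `count_T` and `dmihnp1_test` are names chosen here.

```python
import math

# Added example (not the paper's code): brute force for T_{s,t}(h, H) and the
# Theorem 4.1 test for DMIHNP-1 on a small prime.  Assumptions: MSB_ell(z) is any
# u with |z - u| < p / 2^ell; the oracle answers by clearing low bits of the
# inverse; h = ceil(log p) with the natural logarithm.


def inv(z, p):
    """Inverse in F_p with the paper's convention 0^{-1} = 0 (i.e. z^{p-2} mod p)."""
    z %= p
    return 0 if z == 0 else pow(z, p - 2, p)


def count_T(s, t, h, H, p):
    """T_{s,t}(h, H): number of x in {1, ..., h} with
    (s+x)^{-1} - (t+x)^{-1} == y (mod p) for some y in {0, +-1, ..., +-H}."""
    count = 0
    for x in range(1, h + 1):
        d = (inv(s + x, p) - inv(t + x, p)) % p
        if d > p // 2:            # residue of smallest absolute value
            d -= p
        if abs(d) <= H:
            count += 1
    return count


def make_msb_oracle(s, ell, p):
    """Assumed construction of O_{ell,s}: x -> MSB_ell((s+x)^{-1}).  Zeroing the
    low n-ell-1 bits (n = bit length of p) gives |z - u| < 2^(n-ell-1) <= p/2^ell."""
    n = p.bit_length()
    k = max(n - ell - 1, 0)

    def oracle(x):
        z = inv(s + x, p)
        return (z >> k) << k

    return oracle


def dmihnp1_test(oracle, t, ell, p):
    """Theorem 4.1 procedure for the known candidate t: query x = -t+1, ..., -t+h,
    so t + x = 1, ..., h, and accept 's = t' only if every answer is within the
    MSB_ell tolerance of (t+x)^{-1}.  For s = t this always holds; for s != t the
    paper's Theorem 3.1 guarantees a failing query once ell > (1/2 + eps) n and
    p is large enough."""
    h = math.ceil(math.log(p))
    tol = p / 2 ** ell
    for x in range(-t + 1, -t + h + 1):
        u = oracle(x % p)
        if abs(inv(t + x, p) - u) >= tol:   # inequality (9) fails: reject
            return False
    return True


if __name__ == "__main__":
    # Constructed instance: p = 1009 (n = 10 bits), ell = 7 > n/2, hidden s = 123.
    p, ell, s = 1009, 7, 123
    oracle = make_msb_oracle(s, ell, p)
    print("candidate t = 123:", dmihnp1_test(oracle, 123, ell, p))  # True
    print("candidate t = 500:", dmihnp1_test(oracle, 500, ell, p))  # False
    print("T_{5,5}(7, 0) =", count_T(5, 5, 7, 0, p))                 # 7, since s = t
```

For s = t the count T_{s,t}(h, H) equals h for every H, matching the remark that y = 0 in that case, and the test accepts without any randomness; for a wrong candidate the first query already rejects in the instance above, which is what makes the procedure a cheap deterministic verifier for the output of a probabilistic CMIHNP solver.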
We see that compared with the result of [14], the algorithm of Theorem 4.1 works with weaker oracles (that is, returning weaker approximations) and is also fully deterministic. However, of course it addresses an easier problem.
Using Theorem 3.2 instead of Theorem 3.1 in the argument of the proof of Theorem 4.1, we obtain an analogue of Theorem 4.1 for DMIHNP-2, that is, when t is unknown. Unfortunately, this algorithm requires an oracle of the same strength as in [14]; however, it is deterministic (and is certainly faster than that of [14]).

Comments
It is also natural to consider the case of a noisy oracle O (s) that returns MSB((s + x)^{−1}) only with a certain non-negligible probability and returns a random element of 𝔽_p otherwise. Unfortunately the algorithm of [14] does not apply to such oracles (and neither do the heuristic algorithms of [2]). One can however obtain efficient algorithms for such analogues of DMIHNP-1 and DMIHNP-2, which are based on Theorem 3.3 and Theorem 3.4, respectively.
Our results also provide some information about the entropy of the pseudorandom generators based on the function x → MSB((s + x)^{−1}). In particular, Theorem 3.2 implies that there is an absolute constant C such that for any s ∈ 𝔽_p, > (2/3 + ε)n and h > (log p)^C all h-tuples (MSB((s + k + 1)^{−1}), . . . , MSB((s + k + h)^{−1})) are pairwise distinct for k = 0, 1, . . . , p − 1, provided that p is large enough.
Finally, we note that for Hh > p^{3/4+ε}, with some fixed ε, one can immediately derive an asymptotic formula for T_{s,t}(h, H) from the more general results of [13,19]; see also [18] for a survey of results about the distribution of inverses.