学术文献库

We derive a tight upper bound on the probability over $\mathbf{x}=(x_1,\dots,x_μ) \in \mathbb{Z}^μ$ uniformly distributed in $ [0,m)^μ$ that $f(\mathbf{x}) = 0 \bmod N$ for any $μ$-linear polynomial $f \in \mathbb{Z}[X_1,\dots,X_μ]$ co-prime to $N$. We show that for $N=p_1^{r_1},...,p_\ell^{r_\ell}$ this probability is bounded by $\fracμ{m} + \prod_{i=1}^\ell I_{\frac{1}{p_i}}(r_i,μ)$ where $I$ is the regularized beta function. Furthermore, we provide an inverse result that for any target parameter $λ$ bounds the minimum size of $N$ for which the probability that $f(\mathbf{x}) \equiv 0 \bmod N$ is at most $2^{-λ} + \fracμ{m}$. For $μ=1$ this is simply $N \geq 2^λ$. For $μ\geq 2$, $\log_2(N) \geq 8 μ^{2}+ \log_2(2 μ)\cdot λ$ the probability that $f(\mathbf{x}) \equiv 0 \bmod N$ is bounded by $2^{-λ} +\fracμ{m}$. We also present a computational method that derives tighter bounds for specific values of $μ$ and $λ$. For example, our analysis shows that for $μ=20$, $λ= 120$ (values typical in cryptography applications), and $\log_2(N)\geq 416$ the probability is bounded by $ 2^{-120}+\frac{20}{m}$. We provide a table of computational bounds for a large set of $μ$ and $λ$ values.