More general - what is the hard problem of recovering r from r*p mod q?

Question

I would like to know the cryptographic hard problem that is most closely tied to recovering integer $r$ from the modular product $r\times p\mod q$. (This is a simplification of an earlier post that had some errors). It really looks like integer factorization to me; if not, what else would it be?

More specifically, select two prime numbers $p$ and $q$, $q>p$, and a random positive integer $r$, large enough such that $q/p<r<q$. Publish $q$, but keep $p$ and $r$ private. Further, assume there are several instances of $r$ for a given pair of $\langle p, q\rangle$ to work with. Assuming existence of a hardness problem X, such that a polynomial-time solution of X could be reduced to finding either $r$ or $p$ from the integer $$r\times p\mod q$$in polynomial time, what is this problem X?

I am relatively new to this. I looked at a few hard problems; none of the residuosity or discrete logarithmic problems seem to apply, but I'm hesitant to say that it's integer factorization or RSA in case there is some problem with a stronger assumption that fits. I want to get a good characterization of the construct so that I may describe it accurately.

Thanks for your help and patience!

Answer 1

When given a single triple consisting of $(p,q,x)$ with $x = r \cdot p \mod q$, then there is no hard problem. It takes one inversion and one multiplication (both in modular arithmetic) to calculate $r$.

If just $x$ is given, then you can choose $p$ and $q$ arbitrarily and calculate a matching $r$ to fullfill $x = rp \mod q$.

If the actual question is about recovering the original values: That's not possible. This is exactly the same situation like only giving some bounds for random values (e.g. $q>x$) and nothing else.

Answer 2

In the currently stated problem, $p$ and $q$ are primes with $p$ secret and $q$ known, $p<q$, it is chosen some number of (I'll assume: uniformly) random $r_i$ with $q/p<r_i<q$, and revealed $x_i=X(r_i)=r_i\times p\bmod q$. The problem is finding $p$ (or otherwise finding some $r_i$, which in practice will lead to $p$).

If we replace the selection of $r_i$ by $0<r_i<q$, then the problem is demonstrably intractable, since $X$ is a mapping of the set $\{1,2,\dots,q-1\}$, thus the distribution of the $x_i$ is uniformly random no matter what $p$ is.

If $q/p<2$, then $r_i=1$ can't happen (since $p$ does not divide $q$). Thus, $p$ cannot be one of the $x_i$ among $\{1,2,\dots,q-1\}$, and the problem becomes finding that missing value $p$. The number of necessary $x_i$ is related to the well-studied coupon collector's problem, and reaching certainty about $p$ requires $O(q\log(q))$ values of $x_i$, and is intractable for large $q$.

More generally, we can only be certain of $p$ when we have found that $x_i$ reached all but one of $q-\lfloor q/p\rfloor$ values, and the problem is untractable unless both $p$ and $q$ are small.

That's not a well-studied problem that I know of. It has nothing to do with the Integer Factorization problem or the Discrete Logarithm problem, which both have relatively small input, when here the input includes a large number of $x_i$.