Inferring sequences produced by a linear congruential generator on elliptic curves missing high-order bits

Let p be a prime and let $$E(\mathbb{F}_p)$$ be an elliptic curve defined over the finite field $$\mathbb{F}_p$$ of p elements. For a given point $$G \in E(\mathbb{F}_p)$$ the linear congruential generator on elliptic curves (EC-LCG) is a sequence $$(U_n)$$ of pseudorandom numbers defined by the relation $$ U_n=U_{n-1} \oplus G = nG \oplus U_0,\quad n=1,2,\ldots,$$ where $$\oplus$$ denotes the group operation in $$E(\mathbb{F}_p)$$ and $$U_0 \in E(\mathbb{F}_p)$$ is the initial value or seed. We show that if G and sufficiently many of the most significant bits of two consecutive values $$U_n, U_{n+1}$$ of the EC-LCG are given, one can recover the seed $$U_0$$ (even in the case where the elliptic curve is private), provided that the former value $$U_n$$ does not lie in a certain small subset of exceptional values. We also estimate the limits of a heuristic approach for the case where G is also unknown. This suggests that for cryptographic applications the EC-LCG should be used with great care. Our results are somewhat similar to those known for the linear and non-linear congruential pseudorandom number generators.
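The following is an added example, not code from the paper: a toy EC-LCG over a small constructed curve (y^2 = x^3 + 2x + 3 over F_97, with constructed points G = (3, 6) and seed U_0 = (0, 10)) that makes the affine structure U_n = nG ⊕ U_0 of the generator concrete. It shows why the generator is weak by design: once G and a single complete output U_n are known, the seed is simply U_n ⊖ nG. The paper's actual contribution, recovering U_0 when only the most significant bits of U_n and U_{n+1} are available, relies on lattice techniques that this example does not implement.

```python
# Added example (not from the paper): a toy EC-LCG over a constructed curve
#   y^2 = x^3 + A*x + B  over F_P,  with P = 97, A = 2, B = 3.
# The prime, curve and points are constructed for illustration only; real
# curves are around 256 bits. The exact-output seed recovery below is the
# trivial case; recovery from truncated (high-bits-only) outputs is the
# subject of the paper and is not implemented here.

P = 97          # constructed toy prime
A, B = 2, 3     # constructed curve coefficients
INF = None      # point at infinity, the group identity


def on_curve(pt):
    """True if pt is the identity or satisfies y^2 = x^3 + A x + B (mod P)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def neg(pt):
    """Additive inverse: (x, y) -> (x, -y)."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P)


def add(p1, p2):
    """Group operation on E(F_P) using the affine short-Weierstrass formulas."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                          # Q + (-Q) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P           # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc, base = INF, pt
    while k > 0:
        if k & 1:
            acc = add(acc, base)
        base = add(base, base)
        k >>= 1
    return acc


def ec_lcg(u0, g, count):
    """Return the outputs U_1 .. U_count of the EC-LCG with U_n = U_{n-1} + G."""
    out, u = [], u0
    for _ in range(count):
        u = add(u, g)
        out.append(u)
    return out


def recover_seed(u_n, n, g):
    """Exact-output case: with G and a full U_n known, U_0 = U_n - nG.

    The paper shows the seed is still recoverable when only the most
    significant bits of U_n and U_{n+1} are known (not implemented here)."""
    return add(u_n, neg(mul(n, g)))


G = (3, 6)               # constructed generator point: 6^2 = 27 + 6 + 3 (mod 97)
U0 = (0, 10)             # constructed seed: 10^2 = 100 = 3 = 0 + 0 + 3 (mod 97)
SEQ = ec_lcg(U0, G, 10)  # U_1 .. U_10
```

Every output is a point of the curve, and U_n equals nG ⊕ U_0 as the defining relation states, so a single untruncated output together with G pins down the seed and hence the whole sequence. Truncating each output to its high-order bits is what a designer might hope restores unpredictability; the abstract's result is that, for sufficiently many bits, it does not.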
