Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much?

We look at iterated power generators $s_i = s_{i-1}^e \bmod N$ for a random seed $s_0$ *** *** $N$ that in each iteration output a certain amount of bits. We show that heuristically an output of $(1-\frac{1}{e})\log N$ most significant bits per iteration allows for efficient recovery of the whole sequence. This means in particular that the Blum-Blum-Shub generator should be used with an output of less than half of the bits per iteration and the RSA generator with $e = 3$ with less than a $\frac{1}{3}$-fraction of the bits. Our method is lattice-based and introduces a new technique, which combines the benefits of two techniques, namely the method of linearization and the method of Coppersmith for finding small roots of polynomial equations. We call this new technique unravelled linearization.
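As an added example (not code from the paper), the generator from the abstract together with the modular relation between the unknown low parts of two consecutive states that a Coppersmith-style lattice method solves for; the lattice step itself is not shown. N, the seed and the bit counts are constructed toy values, far too small to be secure.

```python
# Added example: s_i = s_{i-1}^e mod N with the top out_bits of each state
# published, and the polynomial f(x0, x1) = (a0 + x0)^e - (a1 + x1) mod N
# whose small root (x0, x1) the attack in the abstract recovers.
from math import comb

def power_generator(seed, e, N, rounds, out_bits):
    """Run the generator; return the full states and the published MSBs."""
    shift = N.bit_length() - out_bits
    states, outputs = [], []
    s = seed
    for _ in range(rounds):
        s = pow(s, e, N)
        states.append(s)
        outputs.append(s >> shift)
    return states, outputs

def split_known_unknown(state, N, out_bits):
    """state = a + x with a the known MSB part and x the unknown low part."""
    shift = N.bit_length() - out_bits
    a = (state >> shift) << shift
    return a, state - a

def relation_coefficients(a0, a1, e, N):
    """Expand (a0 + x0)^e - (a1 + x1) mod N as {monomial: coefficient}.
    Plain linearization treats each x0^j as a separate unknown, which is
    why larger e costs more unknowns."""
    coeffs = {f"x0^{j}": comb(e, j) * pow(a0, e - j, N) % N for j in range(e + 1)}
    coeffs["x0^0"] = (coeffs["x0^0"] - a1) % N
    coeffs["x1"] = N - 1          # coefficient -1 mod N
    return coeffs

def evaluate_relation(coeffs, x0, x1, e, N):
    """Evaluate the relation at a candidate (x0, x1); 0 means it is a root."""
    total = sum(coeffs[f"x0^{j}"] * pow(x0, j, N) for j in range(e + 1))
    return (total + coeffs["x1"] * x1) % N

def recoverable_fraction(e):
    """The (1 - 1/e) fraction of log N MSBs the abstract states suffices."""
    return 1 - 1 / e

def demo(e=2, N=(2**31 - 1) * (2**61 - 1), seed=0x1234567, out_bits=46):
    # Constructed toy Blum integer (both Mersenne primes are 3 mod 4); with
    # e=2 this is a 92-bit Blum-Blum-Shub instance publishing half the bits.
    states, _ = power_generator(seed, e, N, 2, out_bits)
    a0, x0 = split_known_unknown(states[0], N, out_bits)
    a1, x1 = split_known_unknown(states[1], N, out_bits)
    coeffs = relation_coefficients(a0, a1, e, N)
    unknown_is_small = x0.bit_length() <= N.bit_length() - out_bits
    return evaluate_relation(coeffs, x0, x1, e, N), unknown_is_small
```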
