"Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DSS Case

The DSS signature algorithm requires the signer to generate a new random number with every signature. We show that if the random numbers for DSS are generated using a linear congruential pseudorandom number generator (LCG), then the secret key can be quickly recovered after seeing a few signatures. This illustrates the high vulnerability of the DSS to weaknesses in the underlying random number generation process. It also confirms that a sequence produced by an LCG is not only predictable, as has been known before, but should be used with extreme caution even within cryptographic applications that would appear to protect this sequence. The attack we present applies to truncated linear congruential generators as well, and can be extended to any pseudorandom generator that can be described via modular linear equations.
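As an added illustration (not the paper's own code) of why LCG nonces are fatal for DSS, the Python below uses constructed toy parameters and the simplest case the abstract covers: an LCG whose modulus is q, with known multiplier a and increment c and untruncated output, so that two signatures give two linear equations in the nonce k1 and the key x, and x falls out by substitution (truncated or unknown-modulus generators need the paper's lattice methods instead). The same function run on signatures made with independent CSPRNG nonces, the mitigation this attack motivates, returns an unrelated value.

```python
import secrets
# Constructed toy parameters, far too small for real use: q prime, p = 2q+1 prime,
# g = 4 has order q mod p. Key recovery below needs only q and the two signatures.
Q = 1019
P = 2 * Q + 1
G = 4

def sign(x, h, k):
    """DSS-style signature on hash value h under private key x with nonce k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q   # raises ValueError if k is 0 mod q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, sign again with another k")
    return r, s

def verify(y, h, sig):
    r, s = sig
    w = pow(s, -1, Q)
    return r == (pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P) % Q

def lcg(a, c, seed):
    """k_{i+1} = a*k_i + c mod q: the generator the paper shows is fatal for DSS nonces."""
    k = seed
    while True:
        k = (a * k + c) % Q
        yield k

def recover_key(a, c, h1, sig1, h2, sig2):
    """k_i*s_i = h_i + x*r_i holds for both signatures and k2 = a*k1 + c, so eliminating
    k1 leaves one linear equation in x. Returns None in the 1/q degenerate case."""
    (r1, s1), (r2, s2) = sig1, sig2
    t = a * s2 * pow(s1, -1, Q) % Q       # k2*s2 = t*(h1 + x*r1) + c*s2
    den = (t * r1 - r2) % Q
    if den == 0:
        return None
    return (h2 - c * s2 - t * h1) * pow(den, -1, Q) % Q

def sign_random(x, h):
    """The mitigation: an independent, unpredictable nonce for every signature."""
    while True:
        try:
            return sign(x, h, secrets.randbelow(Q - 1) + 1)
        except ValueError:
            continue

def demo(a, c, seed, x, h1, h2):
    """(key recovered from LCG-nonce signatures, same algebra on CSPRNG-nonce ones)."""
    ks = lcg(a, c, seed)
    sig1, sig2 = sign(x, h1, next(ks)), sign(x, h2, next(ks))
    rnd1, rnd2 = sign_random(x, h1), sign_random(x, h2)
    return recover_key(a, c, h1, sig1, h2, sig2), recover_key(a, c, h1, rnd1, h2, rnd2)
```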
