Recovering Private Keys Generated with Weak PRNGs

Suppose that the private key of a discrete logarithm-based or factoring-based public-key primitive is obtained by concatenating the outputs of a linear congruential generator. How seriously is the scheme weakened as a result? While linear congruential generators are cryptographically very weak "pseudorandom" number generators, the answer to that question is not immediately obvious, since an adversary in such a setting does not get to examine the outputs of the congruential generator directly, but can only obtain an implicit hint about them, namely the public key. In this paper, we take a closer look at that problem, and show that, in most cases, an attack does exist to retrieve the key much faster than with a naive exhaustive search on the seed of the generator. The problem is similar to the one considered by Bellare, Goldwasser and Micciancio regarding DSA and "pseudorandomness", and this line of work arguably has renewed relevance in view of the sensitive role that random number generation has been found to play in a number of recent noted papers, such as the one by Lenstra et al. at CRYPTO 2012.
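The setting described in the abstract, as an added toy model that is not code from the paper: a private key x is formed by concatenating successive outputs of a 16-bit linear congruential generator, only the public key y = g^x mod p is visible, and the baseline the paper compares its attack against is an exhaustive search over the generator's seed. The LCG parameters (a = 75, c = 74, m = 2^16), the toy group (p = 2^89 - 1, g = 3) and the number of concatenated blocks are all constructed for illustration; the point it shows is that the key's entropy is bounded by the seed size, not by the key length.

```python
# Toy model of a private key built from LCG outputs (example code added here,
# not from the paper). All parameters below are constructed for illustration.

P = 2**89 - 1          # prime modulus of the toy group (Mersenne prime), constructed
G = 3                  # group generator, constructed
M = 2**16              # LCG modulus: the state (and hence the seed) is 16 bits
A, C = 75, 74          # LCG multiplier and increment, constructed
BLOCKS = 4             # number of 16-bit LCG outputs concatenated into the key


def lcg_outputs(seed, n):
    """Return n successive outputs of x_{i+1} = (A*x_i + C) mod M, starting from seed."""
    out = []
    s = seed
    for _ in range(n):
        s = (A * s + C) % M
        out.append(s)
    return out


def key_from_seed(seed):
    """Concatenate BLOCKS 16-bit LCG outputs into one (16*BLOCKS)-bit private key."""
    x = 0
    for v in lcg_outputs(seed, BLOCKS):
        x = (x << 16) | v
    return x


def public_key(x):
    """Discrete-log style public key y = G^x mod P for private key x."""
    return pow(G, x, P)


def effective_entropy_bits():
    """Nominal key length in bits versus the bits of entropy actually present.

    The key is 16*BLOCKS bits long, but every bit of it is a deterministic
    function of the log2(M)-bit seed, so the key space has at most M members.
    """
    return 16 * BLOCKS, M.bit_length() - 1


def seed_search_baseline(y):
    """The naive baseline from the abstract: walk the whole seed space and
    return the seed whose derived key reproduces the public key y.

    Cost is M public-key computations regardless of the nominal key length;
    the paper's contribution is an attack that does better than this."""
    for seed in range(M):
        if public_key(key_from_seed(seed)) == y:
            return seed
    return None


if __name__ == "__main__":
    nominal, actual = effective_entropy_bits()
    print(f"key length: {nominal} bits, entropy: {actual} bits")
    x = key_from_seed(7)
    y = public_key(x)
    print("seed recovered by exhaustive search:", seed_search_baseline(y))
```

The generator choice matters for the uniqueness claim in `seed_search_baseline`: with an odd multiplier the map from seed to first output is a bijection mod 2^16, so distinct seeds always yield distinct keys, and the search stops at the one correct seed.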

[1] Joan Boyar, et al. Inferring sequences produced by pseudo-random number generators, 1989, JACM.

[2] Adi Shamir, et al. On the Generation of Cryptographically Strong Pseudo-Random Sequences, 1981, ICALP.

[3] Igor E. Shparlinski, et al. The Insecurity of the Digital Signature Algorithm with Partially Known Nonces, 2002, Journal of Cryptology.

[4] Ernest F. Brickell, et al. Advances in Cryptology - CRYPTO '92, 2001, Lecture Notes in Computer Science.

[5] Ran Canetti, et al. Advances in Cryptology - CRYPTO 2012, 2012, Lecture Notes in Computer Science.

[6] Éric Schost, et al. Polynomial evaluation and interpolation on special sets of points, 2005, J. Complex.

[7] Manuel Blum, et al. A Simple Unpredictable Pseudo-Random Number Generator, 1986, SIAM J. Comput.

[8] Ivan Damgård, et al. On Generation of Probable Primes By Incremental Search, 1992, CRYPTO.

[9] Alan M. Frieze, et al. Reconstructing Truncated Integer Variables Satisfying Linear Congruences, 1988, SIAM J. Comput.

[10] Antoine Joux, et al. Lattice Reduction: A Toolbox for the Cryptanalyst, 1998, Journal of Cryptology.

[11] Éric Schost, et al. On the complexities of multipoint evaluation and interpolation, 2004, Theor. Comput. Sci.

[12] Alfred Menezes, et al. Handbook of Applied Cryptography, 2018.

[13] Eric Wustrow, et al. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, 2012, USENIX Security Symposium.

[14] Silvio Micali, et al. Efficient, perfect polynomial random number generators, 2004, Journal of Cryptology.

[15] Robin Milner, et al. On Observing Nondeterminism and Concurrency, 1980, ICALP.

[16] Information Security and Privacy, 1996, Lecture Notes in Computer Science.

[17] Aggelos Kiayias, et al. Traitor Tracing with Constant Transmission Rate, 2002, EUROCRYPT.

[18] Shai Halevi, et al. A model and architecture for pseudo-random generation with applications to /dev/random, 2005, CCS '05.

[19] Jacques Stern, et al. Secret linear congruential generators are not cryptographically secure, 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[20] László Lovász, et al. Factoring polynomials with rational coefficients, 1982.

[21] Phong Q. Nguyen, et al. Faster Algorithms for Approximate Common Divisors: Breaking Fully-Homomorphic-Encryption Challenges over the Integers, 2012, IACR Cryptol. ePrint Arch.

[22] Kenneth G. Paterson, et al. Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation, 2012, IACR Cryptol. ePrint Arch.

[23] Manuel Blum, et al. How to generate cryptographically strong sequences of pseudo random bits, 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[24] Antoine Joux, et al. Cryptanalysis of the RSA Subgroup Assumption from TCC 2005, 2010, IACR Cryptol. ePrint Arch.

[25] Anand Desai, et al. A Practice-Oriented Treatment of Pseudorandom Number Generators, 2002, EUROCRYPT.

[26] Charles M. Fiduccia, et al. Polynomial evaluation via the division algorithm: the fast Fourier transform revisited, 1972, STOC.

[27] Igor E. Shparlinski, et al. On Stern's Attack Against Secret Truncated Linear Congruential Generators, 2005, ACISP.

[28] Mihir Bellare, et al. "Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DSS Case, 1997, CRYPTO.

[29] Nigel P. Smart, et al. Lattice Attacks on Digital Signature Schemes, 2001, Des. Codes Cryptogr.

[30] Arjen K. Lenstra, et al. Public Keys, 2012, CRYPTO.

[31] Rosario Gennaro, et al. Public Key Cryptography - PKC 2011 - 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, March 6-9, 2011. Proceedings, 2011, Public Key Cryptography.

[32] Burton S. Kaliski. Advances in Cryptology - CRYPTO '97, 1997.

[33] Joan Boyar, et al. Inferring sequences produced by a linear congruential generator missing low-order bits, 1989, Journal of Cryptology.