Abstract
Let p be a prime and let \(E(\mathbb{F}_p)\) be an elliptic curve defined over the finite field \(\mathbb{F}_p\) of p elements. For a given point \(G \in E(\mathbb{F}_p)\), the linear congruential generator on elliptic curves (EC-LCG) is a sequence \((U_n)\) of pseudorandom numbers defined by the relation \( U_n=U_{n-1} \oplus G = nG \oplus U_0,\quad n=1,2,\ldots,\) where \(\oplus\) denotes the group operation in \(E(\mathbb{F}_p)\) and \(U_0 \in E(\mathbb{F}_p)\) is the initial value or seed. We show that if G and sufficiently many of the most significant bits of two consecutive values \(U_n, U_{n+1}\) of the EC-LCG are given, one can recover the seed \(U_0\) (even in the case where the elliptic curve is private), provided that the former value \(U_n\) does not lie in a certain small subset of exceptional values. We also estimate the limits of a heuristic approach for the case where G is also unknown. This suggests that for cryptographic applications the EC-LCG should be used with great care. Our results are somewhat similar to those known for the linear and non-linear pseudorandom number congruential generators.
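The following is an added example, not code from the paper or its authors. It implements the EC-LCG exactly as defined in the abstract on a constructed toy curve \(y^2 = x^3 + 2x + 3\) over \(\mathbb{F}_{97}\) (parameters chosen only for illustration), and shows the structural property the paper's result rests on: because \(U_n = nG \oplus U_0\), any single full output together with its index and G gives back the seed as \(U_0 = U_n \ominus nG\). The lattice-based recovery from truncated (most-significant-bit) outputs that the paper actually proves is not reproduced here; the `msb` helper only shows what partial information an observer of truncated outputs would hold.

```python
# Added example: EC-LCG over a constructed toy curve and seed recovery from a
# full state. Requires Python 3.8+ (pow(x, -1, P) for modular inverses).
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None represents the point at infinity

# Constructed toy parameters: y^2 = x^3 + 2x + 3 over F_97 (far too small for real use)
P = 97
A = 2
B = 3


def is_on_curve(pt: Point) -> bool:
    """Check the affine Weierstrass equation; infinity is always on the curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1: Point, p2: Point) -> Point:
    """Group operation (the paper's ⊕) on E(F_p) in affine coordinates."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 = -p2, sum is the point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_neg(pt: Point) -> Point:
    """Additive inverse: (x, y) -> (x, -y)."""
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P)


def ec_mul(k: int, pt: Point) -> Point:
    """Scalar multiplication kP by double-and-add (k >= 0)."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ec_lcg(seed: Point, g: Point, count: int) -> List[Point]:
    """Return U_1, ..., U_count of the EC-LCG: U_n = U_{n-1} ⊕ G."""
    out: List[Point] = []
    u = seed
    for _ in range(count):
        u = ec_add(u, g)
        out.append(u)
    return out


def recover_seed(u_n: Point, n: int, g: Point) -> Point:
    """Given a full output U_n, its index n and G, return U_0 = U_n ⊖ nG.

    This is the linear structure U_n = nG ⊕ U_0 from the abstract; the paper's
    contribution is doing this when only the top bits of U_n, U_{n+1} are known.
    """
    return ec_add(u_n, ec_neg(ec_mul(n, g)))


def msb(value: int, bits: int) -> int:
    """Keep the top `bits` bits of a field element (the partial view an observer
    of truncated outputs would have; the low bits are discarded)."""
    return value >> (P.bit_length() - bits)


# Constructed generator point and seed (both verified on the curve below)
G: Point = (3, 6)
U0: Point = (80, 10)

if __name__ == "__main__":
    assert is_on_curve(G) and is_on_curve(U0)
    seq = ec_lcg(U0, G, 8)
    print("U_1..U_8:", seq)
    print("top 3 bits of each coordinate:", [(msb(x, 3), msb(y, 3)) for x, y in seq])
    print("seed recovered from U_5:", recover_seed(seq[4], 5, G) == U0)
```

Running the module prints the first eight outputs, their truncated top bits, and confirms that the seed is recovered from a single full output. The `msb` view makes the gap visible: the paper's attack has to bridge from those few bits back to the full points, which is where its lattice machinery (not shown here) comes in.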
Communicated by P. Wild.
Gutierrez, J., Ibeas, Á. Inferring sequences produced by a linear congruential generator on elliptic curves missing high-order bits. Des. Codes Cryptogr. 45, 199–212 (2007). https://doi.org/10.1007/s10623-007-9112-3