Inferring sequences produced by a linear congruential generator on elliptic curves missing high-order bits

Designs, Codes and Cryptography

Abstract

Let p be a prime and let \(E(\mathbb{F}_p)\) be an elliptic curve defined over the finite field \(\mathbb{F}_p\) of p elements. For a given point \(G \in E(\mathbb{F}_p)\) the linear congruential generator on elliptic curves (EC-LCG) is a sequence \((U_n)\) of pseudorandom numbers defined by the relation \( U_n=U_{n-1} \oplus G = nG \oplus U_0,\quad n=1,2, \ldots,\) where \(\oplus\) denotes the group operation in \(E(\mathbb{F}_p)\) and \(U_0 \in E(\mathbb{F}_p)\) is the initial value or seed. We show that if G and sufficiently many of the most significant bits of two consecutive values \(U_n, U_{n+1}\) of the EC-LCG are given, one can recover the seed \(U_0\) (even in the case where the elliptic curve is private), provided that the former value \(U_n\) does not lie in a certain small subset of exceptional values. We also estimate the limits of a heuristic approach for the case where G is also unknown. This suggests that for cryptographic applications the EC-LCG should be used with great care. Our results are somewhat similar to those known for the linear and non-linear congruential pseudorandom number generators.
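As an added illustration (not code from the paper), the following toy EC-LCG over a constructed curve \(y^2 = x^3 + 2x + 3\) over \(\mathbb{F}_{97}\) shows the recurrence, the identity \(U_n = nG \oplus U_0\), and why the generator is linear in G: given G and one complete value \(U_n\), the seed is simply \(U_n \ominus nG\), and two consecutive complete outputs differ by exactly G. The paper's contribution is the much stronger statement that most-significant-bit fragments of \(U_n, U_{n+1}\) already suffice; that lattice step is not implemented here.

```python
# Toy EC-LCG over a small short-Weierstrass curve, illustrating the recurrence in
# the abstract. Constructed parameters (not from the paper): y^2 = x^3 + 2x + 3 mod 97.
P, A, B = 97, 2, 3
INF = None  # point at infinity, the identity of the group E(F_p)

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def add(p1, p2):
    """Group law (the abstract's "⊕") on affine points."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(n, pt):
    """Scalar multiple nG by double-and-add (n >= 0)."""
    acc = INF
    while n:
        if n & 1:
            acc = add(acc, pt)
        pt, n = add(pt, pt), n >> 1
    return acc

def ec_lcg(u0, g, count):
    """U_n = U_{n-1} ⊕ G for n = 1..count, returned as a list of points."""
    out, u = [], u0
    for _ in range(count):
        u = add(u, g)
        out.append(u)
    return out

def recover_seed(u_n, g, n):
    """Linearity of the generator: U_0 = U_n ⊖ nG when the full point U_n and G are known."""
    return add(u_n, neg(mul(n, g)))

def step_from_outputs(u_n, u_next):
    """Two consecutive complete outputs expose the increment: G = U_{n+1} ⊖ U_n."""
    return add(u_next, neg(u_n))
```

The paper's setting withholds the low-order bits of the coordinates, so neither `recover_seed` nor `step_from_outputs` applies directly; they only show the algebraic structure that makes truncated outputs analysable.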


Correspondence to Jaime Gutierrez.

Communicated by P. Wild.

Cite this article

Gutierrez, J., Ibeas, Á. Inferring sequences produced by a linear congruential generator on elliptic curves missing high-order bits. Des. Codes Cryptogr. 45, 199–212 (2007). https://doi.org/10.1007/s10623-007-9112-3
