A security analysis of the NIST SP 800-90 elliptic curve random number generator

Authors:
Daniel R. L. Brown;Kristian Gjøsteen
Affiliations:
Certicom Research, University of Science and Technology, Trondheim, Norway;Department of Mathematical Sciences, Norwegian, University of Science and Technology, Trondheim, Norway
Venue:
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Year:
2007

Citing 7
Cited 5

How to generate cryptographically strong sequences of pseudo-random bits

SIAM Journal on Computing
A pseudo-random bit generator based on elliptic logarithms

Proceedings on Advances in cryptology---CRYPTO '86
A note on the x-coordinate of points on an elliptic curve in characteristic two

Information Processing Letters
Foundations of Cryptography: Basic Tools

Foundations of Cryptography: Basic Tools
Pseudorandomness and Cryptographic Applications

Pseudorandomness and Cryptographic Applications
The Decision Diffie-Hellman Problem

ANTS-III Proceedings of the Third International Symposium on Algorithmic Number Theory
Number-theoretic constructions of efficient pseudo-random functions

FOCS '97 Proceedings of the 38th Annual Symposium on Foundations of Computer Science

Extractors for binary elliptic curves

Designs, Codes and Cryptography
Security Analysis of DRBG Using HMAC in NIST SP 800-90

Information Security Applications
Optimal Randomness Extraction from a Diffie-Hellman Element

EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Efficient, secure, private distance bounding without key updates

Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks
Splittable pseudorandom number generators using cryptographic hashing

Proceedings of the 2013 ACM SIGPLAN symposium on Haskell

Quantified Score

Hi-index	0.00

Visualization

Abstract

An elliptic curve random number generator (ECRNG) has been approved in a NIST standard and proposed for ANSI and SECG draft standards. This paper proves that, if three conjectures are true, then the ECRNG is secure. The three conjectures are hardness of the elliptic curve decisional Diffie-Hellman problem and the hardness of two newer problems, the x-logarithm problem and the truncated point problem. The x-logarithm problem is shown to be hard if the decisional Diffie-Hellman problem is hard, although the reduction is not tight. The truncated point problem is shown to be solvable when the minimum amount of bits allowed in NIST standards are truncated, thereby making it insecure for applications such as stream ciphers. Nevertheless, it is argued that for nonce and key generation this distinguishability is harmless.