Let p be a prime and let be an elliptic curve defined over the finite field of p elements. For a given point the linear congruential generator on elliptic curves (EC-LCG) is a sequence (U_n) of pseudorandom numbers defined by the relation: where denotes the group operation in and is the initial value or seed. We show that if G and sufficiently many of the most significant bits of two consecutive values U_n, U_{n+1} of the EC-LCG are given, one can recover the seed U_0 (even in the case where the elliptic curve is private), provided that the former value U_n does not lie in a certain small subset of exceptional values. We also estimate the limits of a heuristic approach for the case where G is also unknown. This suggests that for cryptographic applications the EC-LCG should be used with great care. Our results are somewhat similar to those known for the linear and non-linear pseudorandom number congruential generators.