Abstract

In this paper we study the linear congruential generator on elliptic curves (EC-LCG) from the cryptographic point of view. We show that if sufficiently many of the most significant bits of the composer and of three consecutive values of the sequence are given, then one can recover the seed and the composer (even in the case where the elliptic curve is private). The results are based on lattice reduction techniques and improve on some recent approaches to the same security problem. We also estimate the limits of some heuristic approaches, which still remain much weaker than those known for nonlinear congruential generators. Several examples are tested using implementations of our algorithms.

Highlights

  • A PseudoRandom Bit Generator (PRBG) is a deterministic algorithm that, once initialized with some random value, outputs a sequence that appears random, in the sense that an observer who does not know the value of the seed cannot distinguish the output from that of a random bit generator

  • Cryptographic applications require the output not to be predictable from earlier outputs, and more elaborate algorithms, which do not inherit the linearity of simpler PRBGs, are needed

  • In 1994, Hallgren [21] proposed a pseudorandom number generator based on the group of points of an elliptic curve defined over a prime finite field


Summary

Introduction

A PseudoRandom Bit Generator (PRBG) is a deterministic algorithm that, once initialized with some random value (called the seed), outputs a sequence that appears random, in the sense that an observer who does not know the value of the seed cannot distinguish the output from that of a (true) random bit generator. For instance, we can recover the sequence produced by the EC-LCG if only three consecutive −approximations are given, as soon as < p^(1/5); the most time-consuming step is finding a closest vector in a lattice of dimension 7, and it is matched by primes p of only 1000 bits. We rigorously demonstrate our approach in the special case where we have an approximation to the composer G: we show that if sufficiently many of the most significant bits of G and of three consecutive values U_n, U_{n+1}, U_{n+2} of the EC-LCG are given, one can recover the seed U_0 and the composer G as soon as O( ) < p^(1/6), requiring the computation of two closest vectors for two lattices of dimension 7. A symbol O without a subscript indicates an absolute implied constant.
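As an added illustration (not code from the paper), the following Python implements the EC-LCG on a constructed toy curve and shows the full-information case: with two complete consecutive values the composer and the seed follow from a single point subtraction, which is the linear structure the paper exploits when only most significant bits are known (that lattice step is not implemented here). It assumes the standard generator rule U_n = U_{n-1} + G, with G the composer and U_0 the seed.

```python
# Toy EC-LCG over y^2 = x^3 + A*x + B (mod p); constructed parameters, not the paper's.
# Points are (x, y) tuples, None is the point at infinity.
p, A, B = 23, 1, 1

def inv(x):
    return pow(x, p - 2, p)  # modular inverse, p prime

def ec_neg(P):
    return None if P is None else (P[0], (-P[1]) % p)

def ec_add(P, Q):
    """Affine group law, handling the identity, inverses and doubling."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # Q == -P
    if P == Q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def eclcg(U0, G, count):
    """Assumed EC-LCG rule U_n = U_{n-1} + G; returns U_0 .. U_{count-1}."""
    out, U = [], U0
    for _ in range(count):
        out.append(U)
        U = ec_add(U, G)
    return out

def recover(n, Un, Un1):
    """Full-value case: G = U_{n+1} - U_n and U_0 = U_n - n*G, so the whole
    sequence (past and future) follows from two consecutive outputs."""
    G = ec_add(Un1, ec_neg(Un))
    return G, ec_add(Un, ec_neg(ec_mul(n, G)))
```

With seed (6, 4) and composer (3, 10) on this curve, recover(4, U_4, U_5) returns exactly those two points, and adding G once more yields U_6.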

Closest vector problem in lattices
The polynomial equation of the group associated to an elliptic curve
Let be the linear transformation:
Predicting EC-LCG for Known composer
Predicting EC-LCG for unknown composer
Numerical results
Remarks and open questions