Secure simultaneous bit extraction from Koblitz curves

Abstract

Secure pseudo-random number generators (PRNGs) have a lot of important applications in cryptography. In this paper, we analyze a new PRNG related to the elliptic curve power generator. The new PRNG has many desirable randomness properties such as long period, uniform distribution, etc. In particular, the proposed PRNG is provably secure under the l-strong Diffie–Hellman assumptions. An important feature of our PRNG is that many bits can be simultaneously output without significantly affecting its security. For instance, at 150-bit security, more than 100 bits can be output at each iteration, with a statistical distance from a uniform sequence less than \(1/2^{150}\). Our experimental results show that the new PRNG provides a secure and flexible solution for high security applications. Hence, our work is another step towards the construction of provably secure PRNGs in practice.

Appendix A: Proof of Theorem 1 for the NIST polynomial bases

Theorem 5

For K163 and K233, if in (1) the \(\alpha _i\) are the polynomial basis suggested by NIST (from the irreducible polynomial p(t)), then the period of \((s_k^{(i)})\) equals the period of \((x_k)\), namely \((n-1)/2\).

Proof

First of all, let \(\{\sigma _k^{(i)}\}\) be the sequence constructed with some \(P_0'\) of order n and \(r=3\), which is a primitive root mod n. Call \(P_k'= 3^k P_0'\). We claim that it is sufficient to show the theorem on \(\{\sigma _k^{(i)}\}\). In fact, if \(P_0=3^{k_0} P_0'\) and \(r\equiv 3^{k_r} \pmod n\) with \(\gcd (k_r,n-1)=1\), then

$$\begin{aligned} P_k=r^kP_0= 3^{k_rk+k_0}P_0', \end{aligned}$$

hence \(s_k^{(i)}=\sigma _{k_rk+k_0}^{(i)}\) and the period of \((s_k^{(i)})\) is the same as the period \(\pi _i\) of \(\{\sigma _k^{(i)}\}\), since they divide \(n-1\). We will then use the sequence \(\{\sigma _k^{(i)}\}\) with \(P_0'\) the point suggested in the NIST standards.

Note that for all i, we have \(\pi _i\mid (n-1)/2=u\), since

$$\begin{aligned} P_{k+u}' = 3^u P_{k}' = - P_k', \end{aligned}$$

hence their x-coordinates are equal. We next explain our method for K163. Consider

$$\begin{aligned} Q_0= & {} P_0', \quad Q_1 = 3^{u/3} P_0', \quad Q_2 = 3^{u/7} P_0',\\ Q_3= & {} 3^{u/89} P_0', \quad Q_4 = 3^{u/163} P_0',\\ Q_5= & {} 3^{u/1141450141721} P_0',\\ Q_6= & {} 3^{u/8405730267419952240402658413113} P_0'. \end{aligned}$$

Denote by \(x(P)_i\) for the ith bit (i.e. the coefficient of \(\alpha ^{i-1}\), where \(p(\alpha )=0\)) of the x-coordinate of P. If for some i, \(\pi _i<u\), then it must be a divisor of one of \(u/3, u/7, u/89 \dots \) Say it is a divisor of u / 163, corresponding to \(Q_4\). Then (we say the ith sequence passes the fourth test at k)

$$\begin{aligned} x\left( 3^kQ_0\right) _i = x\left( 3^kQ_4\right) _i, \quad k=0,1,2,\dots \end{aligned}$$

By looking at sufficiently many values of k, we are thus able to exclude all such equalities, for each point \(Q_1,\dots Q_6\). Specifically, only ten sequences pass the jth test (for some j) at all \(k=0, \dots , 6\). The sequence of the coefficient of \(\alpha ^{62}\), the last to be “killed”, passes the first test at \(k=0,\dots 13\) and fails at \(k=14\). Therefore, all sequences have \(\pi _i=u\). The same approach can be followed for K233, where the coefficient of \(\alpha ^{115}\) passes the fifth test at \(k=0,\dots ,9\) and fails at \(k=10\). \(\square \)