Abstract
Secure pseudo-random number generators (PRNGs) have many important applications in cryptography. In this paper, we analyze a new PRNG related to the elliptic curve power generator. The new PRNG has many desirable randomness properties, such as a long period and a uniform distribution. In particular, the proposed PRNG is provably secure under the l-strong Diffie–Hellman assumptions. An important feature of our PRNG is that many bits can be output simultaneously without significantly affecting its security. For instance, at 150-bit security, more than 100 bits can be output at each iteration, with a statistical distance from a uniform sequence of less than \(1/2^{150}\). Our experimental results show that the new PRNG provides a secure and flexible solution for high-security applications. Hence, our work is another step towards the construction of provably secure PRNGs in practice.
Acknowledgements
We thank the referees, whose constructive comments greatly improved the presentation of our work.
Additional information
Communicated by S. D. Galbraith.
The work of author X. Fan was done when he was a research associate at the University of Waterloo. The project of author F. Sica is financially supported by the grant of the Corporate Fund “Fund of Social Development”
Appendix A: Proof of Theorem 1 for the NIST polynomial bases
Theorem 5
For K163 and K233, if in (1) the \(\alpha _i\) form the polynomial basis suggested by NIST (from the irreducible polynomial p(t)), then the period of \((s_k^{(i)})\) equals the period of \((x_k)\), namely \((n-1)/2\).
Proof
First of all, let \(\{\sigma _k^{(i)}\}\) be the sequence constructed with some \(P_0'\) of order n and \(r=3\), which is a primitive root mod n. Call \(P_k'= 3^k P_0'\). We claim that it is sufficient to show the theorem on \(\{\sigma _k^{(i)}\}\). In fact, if \(P_0=3^{k_0} P_0'\) and \(r\equiv 3^{k_r} \pmod n\) with \(\gcd (k_r,n-1)=1\), then
hence \(s_k^{(i)}=\sigma _{k_rk+k_0}^{(i)}\) and the period of \((s_k^{(i)})\) is the same as the period \(\pi _i\) of \(\{\sigma _k^{(i)}\}\), since they divide \(n-1\). We will then use the sequence \(\{\sigma _k^{(i)}\}\) with \(P_0'\) the point suggested in the NIST standards.
Note that for all i, we have \(\pi _i\mid (n-1)/2=u\), since
hence their x-coordinates are equal. We next explain our method for K163. Consider
Denote by \(x(P)_i\) the ith bit (i.e. the coefficient of \(\alpha ^{i-1}\), where \(p(\alpha )=0\)) of the x-coordinate of P. If for some i, \(\pi _i<u\), then it must be a divisor of one of \(u/3, u/7, u/89, \dots \) Say it is a divisor of \(u/163\), corresponding to \(Q_4\). Then (we say the ith sequence passes the fourth test at k)
By looking at sufficiently many values of k, we are thus able to exclude all such equalities, for each point \(Q_1,\dots ,Q_6\). Specifically, only ten sequences pass the jth test (for some j) at all \(k=0, \dots , 6\). The sequence of the coefficient of \(\alpha ^{62}\), the last to be “killed”, passes the first test at \(k=0,\dots ,13\) and fails at \(k=14\). Therefore, all sequences have \(\pi _i=u\). The same approach can be followed for K233, where the coefficient of \(\alpha ^{115}\) passes the fifth test at \(k=0,\dots ,9\) and fails at \(k=10\). \(\square \)
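The period-exclusion argument of the proof, as an added example that is not the paper's own code. Because K163 field arithmetic does not fit here, the curve power generator \(3^k P_0'\) is replaced (assumption) by \(a_k = g^k \bmod p\) with \(x_k = \min(a_k, p-a_k)\), which mimics the x-coordinate identity \(x(P)=x(-P)\) so that the period of \((x_k)\) divides \(u=(p-1)/2\) as on the curve; and since the displayed definition of the \(Q_j\) is not reproduced on this page, the "jth test" is taken (assumption) to be the comparison of bit i of \(x_k\) with bit i of \(x_{k+u/q_j}\) for each prime \(q_j \mid u\).

```python
# Period-exclusion test of Appendix A on a small stand-in generator.
# Added example, not code from the paper. Assumptions: a_k = g^k mod p and
# x_k = min(a_k, p - a_k) stand in for x(3^k P_0'), so period(x_k) | u = (p-1)/2;
# the "jth test" checks whether pi_i divides u/q_j by comparing s_k with s_{k+u/q_j}.

def prime_factors(n):
    """Distinct prime factors of n by trial division (n is small here)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return out + ([n] if n > 1 else [])

def primitive_root(p):
    """Smallest g of order p-1 mod p: g^((p-1)/q) != 1 for every prime q | p-1."""
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1)))

def x_seq(g, p, length):
    """x_k = min(a_k, p - a_k) with a_k = g^k mod p, the stand-in for x(3^k P_0')."""
    a, out = 1, []
    for _ in range(length):
        out.append(min(a, p - a))
        a = a * g % p
    return out

def bit_period_tests(g, p, i, kmax):
    """For bit i, map each prime q | u to the first k < kmax with s_k != s_{k+u/q}
    (None if none is found). If pi_i < u then pi_i | u/q for some prime q | u,
    so the ith sequence agrees with its shift by u/q at every k; one
    disagreement therefore excludes that q (the sequence "fails the test")."""
    u = (p - 1) // 2
    s = [(x >> i) & 1 for x in x_seq(g, p, u + kmax)]
    return {q: next((k for k in range(kmax) if s[k] != s[k + u // q]), None)
            for q in prime_factors(u)}

def bit_period_is_u(g, p, i, kmax):
    """True iff every prime q | u is excluded, i.e. the ith bit sequence has period u."""
    return all(k is not None for k in bit_period_tests(g, p, i, kmax).values())

def brute_force_period(g, p, i):
    """Smallest t >= 1 with s_{k+t} = s_k for all k, computed directly for comparison."""
    u = (p - 1) // 2
    s = [(x >> i) & 1 for x in x_seq(g, p, 2 * u)]
    return next(t for t in range(1, u + 1) if s[t:t + u] == s[:u])
```

With kmax = u the exclusion test is exact, since a sequence of period u must disagree with each shift by u/q somewhere in one full period; the paper's point is that on K163 and K233 a handful of k values (at most 14) already suffice.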
Fan, X., Gong, G., Schoenmakers, B. et al. Secure simultaneous bit extraction from Koblitz curves. Des. Codes Cryptogr. 87, 1–13 (2019). https://doi.org/10.1007/s10623-018-0484-3