Abstract
Suppose that the private key of a discrete logarithm-based or factoring-based public-key primitive is obtained by concatenating the outputs of a linear congruential generator. How seriously is the scheme weakened as a result?
While linear congruential generators are cryptographically very weak “pseudorandom” number generators, the answer to that question is not immediately obvious, since an adversary in such a setting does not get to examine the outputs of the congruential generator directly, but can only obtain an implicit hint about them—namely the public key.
In this paper, we take a closer look at that problem, and show that, in most cases, an attack does exist to retrieve the key much faster than with a naive exhaustive search on the seed of the generator.
The problem is similar to the one considered by Bellare, Goldwasser and Micciancio regarding DSA and “pseudorandomness”, and this line of work arguably has renewed relevance in view of the sensitive role that random number generation has been found to play in a number of recent noted papers, such as the one by Lenstra et al. at CRYPTO 2012.
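The following is an added toy model of the setting described in the abstract; it is not code from the paper and does not implement the paper's attack. A private exponent x is built by concatenating the outputs of a small linear congruential generator, the adversary sees only y = g^x mod p, and the baseline the abstract measures against (exhaustive search on the generator's seed) is carried out explicitly. The LCG constants (a = 75, c = 74, m = 2^16), the group (p = 2^127 - 1, g = 3), the 16-bit seed and the 64-bit key length are all illustrative assumptions chosen so that the search finishes in well under a second; the point it demonstrates is that the public key's entropy collapses to the seed size regardless of how long the concatenated key is.

```python
"""Toy model of a DL private key assembled from LCG outputs (added example,
not the paper's code or attack).  All parameters below are assumptions made
for illustration: a 16-bit LCG, four concatenated outputs (a 64-bit x), and
the prime p = 2^127 - 1 with base g = 3."""
from typing import List, Optional

# Assumed LCG: s_{i+1} = (a * s_i + c) mod m, with the full 16-bit state output.
LCG_A, LCG_C, LCG_M = 75, 74, 1 << 16
OUT_BITS = 16        # key bits contributed by each output
N_OUTPUTS = 4        # x = out_0 || out_1 || out_2 || out_3, 64 bits nominal

# Assumed DL group: p = 2^127 - 1 (a Mersenne prime), g = 3.
P = (1 << 127) - 1
G = 3


def lcg_outputs(seed: int, n: int) -> List[int]:
    """Return the first n states produced by the LCG started from seed."""
    out, s = [], seed % LCG_M
    for _ in range(n):
        s = (LCG_A * s + LCG_C) % LCG_M
        out.append(s)
    return out


def private_key_from_seed(seed: int) -> int:
    """Concatenate N_OUTPUTS outputs; output 0 becomes the least significant block."""
    x = 0
    for i, o in enumerate(lcg_outputs(seed, N_OUTPUTS)):
        x |= o << (OUT_BITS * i)
    return x


def public_key(x: int) -> int:
    """The only value the adversary gets to see."""
    return pow(G, x, P)


def naive_seed_search(y: int) -> Optional[int]:
    """Baseline from the abstract: enumerate every seed, rebuild x, test g^x == y.
    Cost is one modular exponentiation per candidate seed, i.e. |seed space|
    work, and is unaffected by how long the concatenated key is."""
    for seed in range(LCG_M):
        x = private_key_from_seed(seed)
        if pow(G, x, P) == y:
            return x
    return None


def entropy_summary() -> dict:
    """Nominal key length versus the entropy actually present (the seed)."""
    return {"key_bits": OUT_BITS * N_OUTPUTS, "seed_bits": LCG_M.bit_length() - 1}


if __name__ == "__main__":
    secret_seed = 0xBEEF                    # constructed secret, unknown to the attacker
    x = private_key_from_seed(secret_seed)
    y = public_key(x)
    print(entropy_summary())                # {'key_bits': 64, 'seed_bits': 16}
    print("recovered:", naive_seed_search(y) == x)
```

Because a is odd, the map seed -> first output is a bijection modulo 2^16, so every seed yields a distinct x and the search returns exactly the key that was generated. Scaling the toy up (a 32-bit seed, a 2048-bit key) changes nothing structurally: the naive search still costs 2^32 exponentiations, and the abstract's claim is that the structure of x lets one do considerably better than even that.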
References
Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: ACM CCS, pp. 203–212 (2005)
Bellare, M., Goldwasser, S., Micciancio, D.: “Pseudo-random” number generation within cryptographic algorithms: The DSS case. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 277–291. Springer, Heidelberg (1997)
Bleichenbacher, D.: On the generation of one-time keys in DL signature schemes. Presentation at the IEEE P1363 Working Group Meeting (November 2000)
Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15(2), 364–383 (1986)
Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput. 13(4), 850–864 (1984)
Bostan, A., Schost, É.: On the complexities of multipoint evaluation and interpolation. Theor. Comput. Sci. 329(1-3), 223–235 (2004)
Bostan, A., Schost, É.: Polynomial evaluation and interpolation on special sets of points. J. Complexity 21(4), 420–446 (2005)
Boyar, J.: Inferring sequences produced by a linear congruential generator missing low-order bits. J. Cryptology 1(3), 177–184 (1989)
Boyar, J.: Inferring sequences produced by pseudo-random number generators. J. ACM 36(1), 129–141 (1989)
Brandt, J., Damgård, I.B.: On generation of probable primes by incremental search. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 358–370. Springer, Heidelberg (1993)
Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divisors: Breaking fully-homomorphic-encryption challenges over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 502–519. Springer, Heidelberg (2012)
Contini, S., Shparlinski, I.E.: On Stern’s attack against secret truncated linear congruential generators. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 52–60. Springer, Heidelberg (2005)
Coron, J.-S., Joux, A., Mandal, A., Naccache, D., Tibouchi, M.: Cryptanalysis of the RSA subgroup assumption from TCC 2005. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 147–155. Springer, Heidelberg (2011)
Desai, A., Hevia, A., Yin, Y.L.: A practice-oriented treatment of pseudorandom number generators. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 368–383. Springer, Heidelberg (2002)
Fiduccia, C.M.: Polynomial evaluation via the division algorithm: The Fast Fourier Transform revisited. In: STOC, pp. 88–93 (1972)
Frieze, A.M., Håstad, J., Kannan, R., Lagarias, J.C., Shamir, A.: Reconstructing truncated integer variables satisfying linear congruences. SIAM J. Comput. 17(2), 262–280 (1988)
Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: Detection of widespread weak keys in network devices. In: Kohno, T. (ed.) USENIX Security 2012 (2012)
Howgrave-Graham, N., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Cryptography 23(3), 283–290 (2001)
Joux, A., Stern, J.: Lattice reduction: A toolbox for the cryptanalyst. J. Cryptology 11(3), 161–185 (1998)
Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 626–642. Springer, Heidelberg (2012)
Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press (1996)
Micali, S., Schnorr, C.-P.: Efficient, perfect polynomial random number generators. J. Cryptology 3(3), 157–172 (1991)
Nguyen, P.Q., Shparlinski, I.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptology 15(3), 151–176 (2002)
Shamir, A.: On the generation of cryptographically strong pseudo-random sequences. In: Even, S., Kariv, O. (eds.) ICALP 1981. LNCS, vol. 115, pp. 544–550. Springer, Heidelberg (1981); U. C. Santa Barbara, Dept. of Elec. and Computer Eng., ECE Report No 82-04
Stern, J.: Secret linear congruential generators are not cryptographically secure. In: FOCS, pp. 421–426. IEEE Computer Society (1987)
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Fouque, PA., Tibouchi, M., Zapalowicz, JC. (2013). Recovering Private Keys Generated with Weak PRNGs. In: Stam, M. (eds) Cryptography and Coding. IMACC 2013. Lecture Notes in Computer Science, vol 8308. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-45239-0_10
DOI: https://doi.org/10.1007/978-3-642-45239-0_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-45238-3
Online ISBN: 978-3-642-45239-0