Inferring Sequences Produced by Nonlinear Pseudorandom Number Generators Using Coppersmith's Methods

@inproceedings{Bauer2012InferringSP,
  title={Inferring Sequences Produced by Nonlinear Pseudorandom Number Generators Using Coppersmith's Methods},
  author={Aur{\'e}lie Bauer and Damien Vergnaud and Jean-Christophe Zapalowicz},
  booktitle={Public Key Cryptography},
  year={2012}
}
Number-theoretic pseudorandom generators work by iterating an algebraic map $F$ (public or private) over a residue ring $\mathbb{Z}_N$ on a secret random initial seed value $v_0 \in \mathbb{Z}_N$ to compute values $v_{n+1} = F(v_n) \bmod{N}$ for $n \in \mathbb{N}$. They output some consecutive bits of the state value $v_n$ at each iteration and their efficiency and security are thus strongly related to the number of output bits. In 2005, Blackburn, Gomez-Perez, Gutierrez and Shparlinski proposed a deep analysis on the security of such… 

Easing Coppersmith Methods Using Analytic Combinatorics: Applications to Public-Key Cryptography with Weak Pseudorandomness

TLDR
A toolbox based on analytic combinatorics is provided, which can be used for many different applications, including multivariate polynomial systems with arbitrarily many unknowns of possibly different sizes and simultaneous modular equations over different moduli.

Long Period Sequences Generated by the Logistic Map over Finite Fields with Control Parameter Four

  • K. Tsuchiya, Y. Nogami
  • Mathematics, Computer Science
    IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
  • 2017
TLDR
Conditions for parameters and initial values to generate long period sequences, and asymptotic properties for periods by numerical experiments are shown, and it is ensured that generating sequences of Dickson generator of degree two have long period.

Inferring Sequences Produced by a Linear Congruential Generator on Elliptic Curves Using Coppersmith's Methods

TLDR
This work analyzes the security of the Elliptic Curve Linear Congruential Generator (EC-LCG) and improves its security bounds using Coppersmith's methods.

Pseudo-Random Generators and Pseudo-Random Functions: Cryptanalysis and Complexity Measures. (Générateurs et fonctions pseudo-aléatoires: cryptanalyse et mesures de complexité)

TLDR
Lattice based polynomial-time (heuristic) algorithms that recover the signer’s secret in the pairing-based signatures when used to sign several messages under the assumption that blocks of consecutive bits of the exponents are known by the attacker.

Recent Progress on Coppersmith's Lattice-Based Method: A Survey

TLDR
A survey of recent approaches for lattice constructions that can deeply exploit the algebraic relations of the target polynomials in cryptanalysis of RSA crypto algorithm and its variants.

Cryptanalysis of elliptic curve hidden number problem from PKC 2017

TLDR
This paper solves EC-HNP by using the Coppersmith technique which combines the idea behind the second lattice method of Boneh, Halevi and Howgrave-Graham for solving the modular inversion hidden number problem.

Finding Small Solutions of a Class of Simultaneous Modular Equations and Applications to Modular Inversion Hidden Number Problem and Inversive Congruential Generator

TLDR
This paper revisits the modular inversion hidden number problem and the inversive congruential pseudorandom number generator and considers how to attack them more efficiently in terms of fewer samples or outputs, and presents two strategies to construct lattices in Coppersmith's lattice-based root-finding technique for solving the equations.

Modular Inversion Hidden Number Problem - A Lattice Approach

  • P. Dutta
  • Computer Science
    IACR Cryptol. ePrint Arch.
  • 2015
TLDR
The Modular Inversion Hidden Number Problem is introduced by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001 and a variant of this which seems to be hard to solve under lattice attack is discussed.

Solving a class of modular polynomial equations and its relation to modular inversion hidden number problem and inversive congruential generator

TLDR
This paper revisits the modular inversion hidden number problem (MIHNP) and the inversive congruential generator (ICG) and considers how to attack them more efficiently and presents three heuristic strategies using Coppersmith’s lattice-based root-finding technique for solving modular equations.

References

Predicting nonlinear pseudorandom number generators

TLDR
If sufficiently many of the most significant bits of several consecutive values $u_n$ of the ICG are given, one can recover the initial value $u_0$, and the results are somewhat similar to those known for the linear congruential generator (LCG), $x_{n+1} \equiv a x_n + b \bmod p$, but they apply only to much longer bit strings.

Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much?

TLDR
A new technique, called unravelled linearization, is introduced, which combines the benefits of two techniques: the method of linearization and the methods of Coppersmith for finding small roots of polynomial equations.

Secret linear congruential generators are not cryptographically secure

  • J. Stern
  • Mathematics, Computer Science
    28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
  • 1987
TLDR
This paper discusses the predictability of the sequence given by outputting a constant proportion α of the leading bits of the numbers produced by a linear congruential generator, and proves that a significant proportion of the bits can be predicted from the previous ones.

Predicting the Inversive Generator

TLDR
If $b$ and sufficiently many of the most significant bits of three consecutive values $u_n$ of the ICG are given, one can recover in polynomial time the initial value $u_0$ (even in the case where the coefficient $a$ is unknown), provided that the initial value $u_0$ does not lie in a certain small subset of exceptional values.

Cryptanalysis of the Quadratic Generator

TLDR
It is shown that if sufficiently many of the most significant bits of several consecutive values $v_n$ of the QCG are given, one can recover in polynomial time the initial value $v_0$ (even in the case where the coefficient $c$ is unknown), provided that the initial value $v_0$ does not lie in a certain small subset of exceptional values.

Progress in Cryptology - INDOCRYPT 2005, 6th International Conference on Cryptology in India, Bangalore, India, December 10-12, 2005, Proceedings

TLDR
Invited Talk.- Abelian Varieties and Cryptography, Proof of a Conjecture on the Joint Linear Complexity Profile of Multisequences, and Design Principles for Combiners with Memory.

Inferring sequences produced by a linear congruential generator missing low-order bits

  • J. Boyar
  • Mathematics, Computer Science
    Journal of Cryptology
  • 2005
An efficient algorithm is given for inferring sequences produced by linear congruential pseudorandom number generators when some of the low-order bits of the numbers produced are unavailable. These

Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings

  • M. Naor
  • Computer Science, Mathematics
    EUROCRYPT
  • 2007
TLDR
This work discusses an Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries, and a Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security.

Lattice Reduction: A Toolbox for the Cryptanalyst

TLDR
The aim of this paper is to explain what can be achieved by lattice reduction algorithms, even without understanding the actual mechanisms involved, in the cryptanalytic attack of various systems.