# Inferring Sequences Produced by Nonlinear Pseudorandom Number Generators Using Coppersmith's Methods

@inproceedings{Bauer2012InferringSP, title={Inferring Sequences Produced by Nonlinear Pseudorandom Number Generators Using Coppersmith's Methods}, author={Aur{\'e}lie Bauer and Damien Vergnaud and Jean-Christophe Zapalowicz}, booktitle={Public Key Cryptography}, year={2012} }

Number-theoretic pseudorandom generators work by iterating an algebraic map $F$ (public or private) over a residue ring $\mathbb{Z}_N$ on a secret random initial seed value $v_0 \in \mathbb{Z}_N$ to compute values $v_{n+1} = F(v_n) \bmod{N}$ for $n \in \mathbb{N}$. They output some consecutive bits of the state value $v_n$ at each iteration, and their efficiency and security are thus strongly related to the number of output bits. In 2005, Blackburn, Gomez-Perez, Gutierrez and Shparlinski proposed a deep analysis on the security of such…

## 19 Citations

### Inferring sequences produced by elliptic curve generators using Coppersmith's methods

- Mathematics, Computer Science; Theor. Comput. Sci.
- 2020

### Easing Coppersmith Methods Using Analytic Combinatorics: Applications to Public-Key Cryptography with Weak Pseudorandomness

- Computer Science, Mathematics; Public Key Cryptography
- 2016

A toolbox based on analytic combinatorics is provided, which can be used for many different applications, including multivariate polynomial systems with arbitrarily many unknowns of possibly different sizes and simultaneous modular equations over different moduli.

### Long Period Sequences Generated by the Logistic Map over Finite Fields with Control Parameter Four

- Mathematics, Computer Science; IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
- 2017

Conditions on the parameters and initial values that yield long-period sequences are given, asymptotic properties of the periods are shown by numerical experiments, and it is shown that the sequences generated by the Dickson generator of degree two have long periods.

### Inferring Sequences Produced by a Linear Congruential Generator on Elliptic Curves Using Coppersmith's Methods

- Computer Science, Mathematics; COCOON
- 2016

This work analyzes the security of the Elliptic Curve Linear Congruential Generator (EC-LCG) and improves its security bounds using Coppersmith's methods.

### Pseudo-Random Generators and Pseudo-Random Functions: Cryptanalysis and Complexity Measures. (Générateurs et fonctions pseudo-aléatoires: cryptanalyse et mesures de complexité)

- Computer Science, Mathematics
- 2017

Lattice-based polynomial-time (heuristic) algorithms are given that recover the signer's secret in pairing-based signatures when the same key is used to sign several messages, under the assumption that blocks of consecutive bits of the exponents are known to the attacker.

### Recent Progress on Coppersmith's Lattice-Based Method: A Survey

- Mathematics, Computer Science; CREST Crypto-Math Project
- 2017

A survey of recent approaches to lattice constructions that deeply exploit the algebraic relations of the target polynomials in the cryptanalysis of the RSA cryptosystem and its variants.

### Cryptanalysis of elliptic curve hidden number problem from PKC 2017

- Computer Science, Mathematics; Des. Codes Cryptogr.
- 2020

This paper solves EC-HNP using the Coppersmith technique, combined with the idea behind the second lattice method of Boneh, Halevi and Howgrave-Graham for solving the modular inversion hidden number problem.

### Finding Small Solutions of a Class of Simultaneous Modular Equations and Applications to Modular Inversion Hidden Number Problem and Inversive Congruential Generator

- Mathematics; IACR Cryptol. ePrint Arch.
- 2014

This paper revisits the modular inversion hidden number problem and the inversive congruential pseudorandom number generator, considers how to attack them more efficiently in terms of fewer samples or outputs, and presents two strategies for constructing lattices in Coppersmith's lattice-based root-finding technique for solving the resulting equations.

### Modular Inversion Hidden Number Problem - A Lattice Approach

- Computer Science; IACR Cryptol. ePrint Arch.
- 2015

The Modular Inversion Hidden Number Problem was introduced by Boneh, Halevi and Howgrave-Graham at Asiacrypt 2001; a variant of it which appears to be hard to solve under lattice attacks is discussed.

### Solving a class of modular polynomial equations and its relation to modular inversion hidden number problem and inversive congruential generator

- Mathematics, Computer Science; Des. Codes Cryptogr.
- 2018

This paper revisits the modular inversion hidden number problem (MIHNP) and the inversive congruential generator (ICG), considers how to attack them more efficiently, and presents three heuristic strategies using Coppersmith's lattice-based root-finding technique for solving modular equations.

## References

Showing 1-10 of 25 references

### Predicting nonlinear pseudorandom number generators

- Mathematics; Math. Comput.
- 2005

If sufficiently many of the most significant bits of several consecutive values $u_n$ of the ICG are given, one can recover the initial value $u_0$. The results are somewhat similar to those known for the linear congruential generator (LCG), $x_{n+1} \equiv a x_n + b \pmod p$, but they apply only to much longer bit strings.

### Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much?

- Computer Science, Mathematics; ASIACRYPT
- 2009

A new technique, called unravelled linearization, is introduced; it combines the benefits of two techniques, namely the method of linearization and Coppersmith's methods for finding small roots of polynomial equations.

### Secret linear congruential generators are not cryptographically secure

- Mathematics, Computer Science; 28th Annual Symposium on Foundations of Computer Science (sfcs 1987)
- 1987

This paper discusses the predictability of the sequence obtained by outputting a constant proportion α of the leading bits of the numbers produced by a linear congruential generator, and proves that a significant proportion of the bits can be predicted from the previous ones.

### Predicting the Inversive Generator

- Mathematics; IMACC
- 2003

If $b$ and sufficiently many of the most significant bits of three consecutive values $u_n$ of the ICG are given, one can recover in polynomial time the initial value $u_0$ (even in the case where the coefficient $a$ is unknown), provided that the initial value $u_0$ does not lie in a certain small subset of exceptional values.

### Cryptanalysis of the Quadratic Generator

- Mathematics; INDOCRYPT
- 2005

It is shown that if sufficiently many of the most significant bits of several consecutive values $v_n$ of the QCG are given, one can recover in polynomial time the initial value $v_0$ (even in the case where the coefficient $c$ is unknown), provided that the initial value $v_0$ does not lie in a certain small subset of exceptional values.

### Reconstructing noisy polynomial evaluation in residue rings

- Mathematics; J. Algorithms
- 2006

### Progress in Cryptology - INDOCRYPT 2005, 6th International Conference on Cryptology in India, Bangalore, India, December 10-12, 2005, Proceedings

- Computer Science, Mathematics; INDOCRYPT
- 2005

Invited talk: Abelian Varieties and Cryptography; Proof of a Conjecture on the Joint Linear Complexity Profile of Multisequences; Design Principles for Combiners with Memory.

### Inferring sequences produced by a linear congruential generator missing low-order bits

- Mathematics, Computer Science; Journal of Cryptology
- 2005

An efficient algorithm is given for inferring sequences produced by linear congruential pseudorandom number generators when some of the low-order bits of the numbers produced are unavailable. These…

### Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings

- Computer Science, Mathematics; EUROCRYPT
- 2007

This work discusses an Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries, and a Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security.

### Lattice Reduction: A Toolbox for the Cryptanalyst

- Mathematics, Computer Science; Journal of Cryptology
- 1998

The aim of this paper is to explain what can be achieved by lattice reduction algorithms, even without understanding the actual mechanisms involved, in the cryptanalytic attack of various systems.