Inferring sequences produced by elliptic curve generators using Coppersmith's methods

HAL Id: hal-02568170

https://hal.archives-ouvertes.fr/hal-02568170

Submitted on 8 May 2020

HAL

is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire

destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Inferring sequences produced by elliptic curve generators using Coppersmith’s methods

Thierry Mefenza, Damien Vergnaud

To cite this version:

Thierry Mefenza, Damien Vergnaud. Inferring sequences produced by elliptic curve generators using Coppersmith’s methods. Theoretical Computer Science, Elsevier, 2020, 830-831, pp.20-42.

�10.1016/j.tcs.2020.04.025�. �hal-02568170�

Inferring Sequences Produced by Elliptic Curve Generators using Coppersmith’s Methods

Thierry Mefenza¹, Damien Vergnaud^2,

Abstract

We analyze the security of two number-theoretic pseudo-random generators based on elliptic curves: the elliptic curve linear congruential generator and the elliptic curve power generator. We show that these recursive generators are insecure if sufficiently many bits are output at each iteration (improving notably the prior cryptanalysis of Gutierrez and Ibeas from 2007). We present several theoretical attacks based on Coppersmith’s techniques for finding small roots on polynomial equations. Our results confirm that these generators are not appropriate for cryptographic purposes.

Keywords.

Keywords: Pseudo-random generator, Elliptic curve linear congruential generator, Elliptic curve power generator, Coppersmith’s methods, Elliptic curves

1. Introduction

In cryptography, a pseudo-random number generator is a polynomial-time deterministic algorithm which takes as input a short random seed and outputs a long sequence which is indistinguishable in polynomial time from a truly random sequence. Pseudo-random numbers have found numerous applications in the literature. For instance they are useful in cryptography for key generation, encryption and digital signature.

Number-theoretic pseudorandom generators work by iterating an algebraic mapF (public or private) over a residue ringZN (whereN is usually a prime number or an RSA modulus) on a secret random initial seed values₀∈ZN to compute the intermediate state valuess_i+1=F(s_i) modN fori∈Nand outputting (some consecutive bits of) the state value s_i at each iteration. The inputs₀ of the generator (and possibly the description ofF) is called the seed and the output is called the pseudorandom sequence. The case whereF is an affine function is known as thelinear congruential generator. This generator is efficient and has good statistical properties. Unfortunately, it is cryptographically insecure: Boyar [Boy89] proved that - with a sufficiently long run of the pseudorandom sequence - one can recover the seed in time polynomial in the bit-size of N. It was suggested to use a non-linear algebraic map F in order to avoid these attacks. The provably secure classicalpower-generator from [BBS86] uses the algebraic map is F : x7−→x^emodN for some integere∈Nand outputs asymptotically only at mostO((log logN)/(loge)) bits per multiply modulo an RSA modulusN, and hence are too slow to be used in many practical applications. Even if one wants to use this generator with no proven security guarantees, it outputs at mostO(logN/loge) bits per multiply moduloN and for this reason, this generator is used only with a very small integere(typicallye∈ {2,3}).

In 1994, Hallgren [Hal94] proposed a pseudo-random number generator based on a subgroup of points of an elliptic curve defined over a prime finite field. This generator is known as the Linear Congruential

?A preliminary version of this work appeared in the proceedings of the conferenceInternational Computing and Combina- torics Conference – COCOON 2016[Mef16]. This is the full version.

Email addresses: [email protected](Thierry Mefenza),[email protected](Damien Vergnaud)

1Department of Mathematics, Faculty of Sciences, University of Yaound´e I, Yaound´e, Cameroon

2Sorbonne Universit´e, CNRS, Laboratoire d’Informatique de Paris 6, LIP6, Paris, France and Institut Universitaire de France

Generator on Elliptic Curves (EC-LCG). Let pbe a prime number (with p> 5) and letE be an elliptic curve defined over a prime finite fieldFp, that is a rational curve given by the following Weierstrass equation

E:y²=x³+ax+b

for somea, b∈Fp with 4a³+ 27b²6= 0. It is well known that the setE(Fp) ofFp-rational points (including the special pointO at infinity) forms an Abelian group with an appropriate composition rule (denoted ⊕) where O is the neutral element. For a given point G ∈ E(Fp), the EC-LCG generates a sequence U_n of points defined by the relation:

U_n=U_n−1⊕G= [n]G⊕U₀, n∈N

whereU0∈E(Fp) is the initial value or seed. We refer toGas thecomposer of the EC-LCG.

For a positive integer e >1 and a point G ∈ E(Fp) of order ` with gcd(e, `) = 1, the Elliptic Curve Power Generator (EC-PG), introduced by Lange and Shparlinksi in [LS05], generates a sequence of points Vn defined by the relation:

Vn= [e]Vn−1= [eⁿ]G, n∈N whereV0∈E(Fp) is the initial value or seed.

The EC-LCG and the EC-PG provide a very attractive alternative to linear congruential generators and power generators and they have been extensively studied in the literature (see [GBS00, GL01, MS02, BD02, LS05, Shp05, HS02, IS09, Mer17] and the references therein). In cryptography, one may want to use the output of these generators as a keystream for encryption. One can notice that if two consecutive values U_n, U_n+1of the EC-LCG generator are revealed, it is easy to findU₀andG(see also [Mer17] for the EC-PG).

In order to use the produced sequences for cryptography, one should therefore output only some bits (e.g.

the most significant ones) of each coordinate ofU_n orV_n, n∈Nin the hope that this makes the resulting output sequence difficult to predict. As for the classical power generator [BBS86, BVZ12], in cryptographic uses of the EC-PG, e is always assumed to be “small” (and does not grow with the security parameter).

Indeed, the computation of Vn from V_n−1 requires Ω(log(e)) multiplications modulo pand the generator outputs at most O(log(p)) bits. The EC-PG is used only with a very small integere(typicallye∈ {2,3}) and it is therefore assumed to be known to the adversary (it this is not the case, the adversary can perform an exhaustive search on all possible eand this adds only a constant factor overhead to its computational complexity).

In this paper, we show that the EC-LCG and the EC-PG are insecure if sufficiently many bits are output at each stage. Therefore a secure use of these generators requires to output fewer bits at each iteration and the efficiency of the schemes is thus degraded. Our attacks used the well-known Coppersmith’s methods for finding small roots on polynomial equations. These methods have been introduced in 1996 by Coppersmith for polynomial of one or two variables [Cop96a, Cop96b] and have been generalized to many variables.

These methods have been used to infer many pseudo-random generators and to cryptanalyze many schemes in cryptography (see [BCTV16, BVZ12] and the references therein). In this paper we notably used such techniques to improve the previous bounds known on the security of the EC-LCG in the literature. Our improvements are theoretical since in practice, the cost of Coppersmith’s method in our case is prohibitive because of large dimension of the lattice. However, they confirm that these generators are not appropriate for cryptographic purposes.

Prior work. In the cryptography setting, the initial valueU₀ and the constants G, a andb may be kept secret. Gutierrez and Ibeas [GI07] consider two settings: the case where thecomposer G is known to the attacker anda, bare kept secret and the case where thecomposer Gis unknown anda, bare kept secret. In the first case, they showed that the EC-LCG is insecure if a proportion of at most 1/6 of the least significant bits of two consecutive values of the sequence is hidden. When the composer is unknown, they showed heuristically that the EC-LCG is insecure if a proportion of at most 1/46 of the least significant bits of three consecutive values of the sequence is hidden. Their result is based on a lattice basis reduction attack, using a certain linearization technique. In some sense, their technique can be seen as a special case of the problem of finding small solutions of multivariate polynomial congruences. The Coppersmith’s methods also tackle

the problem of finding small solutions of multivariate polynomial congruences. Gutierrez and Ibeas due to the special structure of the polynomials involved claimed that “the Coppersmith’s methods does not seem to provide any advantages”, and that “it may be very hard to give any precise rigorous or even convincing heuristic analysis of this approach”. Our purpose in this paper is to tackle this issue.

Contributions of the paper. We predict the EC-LCG sequence and the EC-PG sequence using Copper- smith’s method for calculating the small roots of multivariate polynomials modulo an integer. The method for multivariate polynomials is heuristic since it is not proven and may fail (but in practice it works most of the time). At the end of the Coppersmith’s methods we use the methods from [BCTV16] to analyze the success condition.

In the case where the composer is known, we showed that the EC-LCG is insecure if a proportion of at most 1/5 of the least significant bits of two consecutive values U0 and U1 of the sequence is hidden. This improves the previous bound of 1/6 of Gutierrez and Ibeas. We further improve this result by considering several consecutive values of the sequence. We showed that the EC-LCG is insecure if a proportion of at most 3/11 of the least significant bits of these values is hidden.

We also consider the case where some most significant bits of the abscissa of several pointsUknare given, withn∈N for some fixed integerk. In this case, the addition law on the elliptic curve gives us a system of polynomials of high degree whose roots are the hidden bits. We use summation polynomials [Sem04]

on elliptic curves to obtain a system of polynomials of low degree. We then showed that the EC-LCG is insecure if a proportion of at most 1/8 of the least significant bits of two valuesX(U₀) andX(U_k) is hidden, whereX(P) denotes the abscissa of the pointP on the curve. This attack is the first cryptanalytic result on the EC-LCG when the attacker knows some most significant bits of non-consecutive values of the generator.

We further improve this result by considering several valuesUkn,n∈Nof the sequence. We also show that the EC-LCG is insecure if a proportion of at most 1/4 of the least significant bits of the abscissa of these values is hidden.

In the case where thecomposer is unknown, we showed that the EC-LCG is insecure if a proportion of at most 1/24 of the least significant bits of two consecutive valuesU0andU1of the sequence is hidden. This improves significantly the (heuristic) previous bound 1/46 of Gutierrez and Ibeas. We further improve this result by considering sufficiently many consecutive values of the sequence. We showed that the EC-LCG is insecure if a proportion of at most 1/8 of the least significant bits of these values is hidden.

Finally, we also showed that the EC-PG is insecure if a proportion of at most 1/2e²of the least significant bits of the abscissa of two consecutive valuesV0 andV1of the sequence is hidden. We improve this bound by considering several consecutive values of the sequence and we showed that the EC-PG is insecure if a proportion of at most 1/e² of the least significant bits of the abscissa of these values is hidden. To our knowledge no such results are known in the literature for the EC-PG.

The table below gives a comparison between our results and those known in the literature. It gives the bound of the proportion of least significant bits hidden from each value necessary to break the EC-LCG in (heuristic) polynomial time. The basic proportion corresponds to the case where the adversary knows bits coming from the minimum number of intermediate values leading to a feasible attack; while the asymptotic proportion corresponds to the case when the bits known by the adversary knows bits coming from arbitrary number of values.

Generator Setting Basic proportion Asymptotic proportion Prior result Our result Prior result Our result

EC-LCG

knowncomposer 1/6 1/5

– 3/11

consecutive values (proven) (heuristic) (heuristic) knowncomposer

– 1/8

– 1/4

non-consecutive values (heuristic) (heuristic)

unknowncomposer 1/46 1/24

– 1/8

(heuristic) (heuristic) (heuristic) EC-PG

– 1/2e²

– 1/e²

(heuristic) (heuristic)

2. Preliminaries

In this section, we collect some statements about elliptic curves, Coppersmith’s methods and analytic combinatorics.

2.1. Elliptic curves

Throughout this paper, letpbe a prime number (withp>5). We first recall the arithmetic of the group law⊕on elliptic curves defined by the Weierstrass equation (for more details on elliptic curves, we refer to [BSS99, Was08]). LetE:y²=x³+ax+bbe an elliptic curve overFp. For two pointsP= (x_P, y_P)∈E(Fp) andQ= (x_Q, y_Q)∈E(Fp), withP, Q6=O, the addition law⊕is defined asR= (x_R, y_R) =P⊕Qwhere:

• IfxP 6=xQ, then

x_R=m²−x_P−x_Qmodp, y_R=m(x_P −x_R)−y_P modp, where, m= yQ−yP

x_Q−x_P modp (1)

• Ifx_P =x_Q but y_P 6=y_Q, thenR=O

• IfP =Qand yP 6= 0, then

x_R=m²−2x_P modp, y_R=m(x_P−x_R)−y_P modp, where, m=3x²_Q+a 2yP

modp

• IfP =Qand yP = 0, thenR=O.

2.2. Division polynomials of elliptic curves

With the notation from the previous paragraph, we recall some basic facts on division polynomials of elliptic curves (see again [Was08] and [BSS99] for details). They provide a way to calculate multiples of points on elliptic curves and to study the fields generated by torsion points. The division polynomials ψm(X, Y)∈Fp[X, Y]/(Y²−X³−AX−B),m>0, are recursively defined by:

ψ₀ = 0 ψ1 = 1 ψ₂ = 2Y

ψ3 = 3X⁴+ 6AX²+ 12BX−A²

ψ4 = 4Y(X⁶+ 5AX⁴+ 20BX³−5A²X²−4ABX−8B²−A³) ψ2m+1 = ψm+ 2ψ_m³ −ψm−1ψ³_m+1, m>2

ψ2m = ψm(ψm+2ψ²_m−1−ψ_m−2ψ²_m+1)/ψ2, m>3,

whereψmis an abbreviation for ψm(X, Y).

Ifmis odd, thenψm(X, Y)∈Fp[X] is univariate and ifmis even then ψm(X, Y)∈ψ2(X, Y)Fp[X] soψm(X, Y)∈2YFp[X].

Therefore, asψ₂²(X, Y) = 4(X³+AX+B), we haveψ²_m(X, Y)∈Fp[X] andψ_m−1(X, Y)ψ_m+1(X, Y)∈Fp[X].

In particular, we may writeψ_2m+1(X) andψ_m²(X).

As mentioned above, the division polynomials can be used to calculate multiples of a point on the elliptic curveE. LetP = (x, y)∈E withP6=O, then the abscissa of [m]P is given by

θ_m(x)

ψ²_m(x), whereθ_m(X) =Xψ_m² −ψ_m−1ψ_m+1.

The zeros of the denominator ψ²_m(X) are exactly the abscissa of the non-trivial m-torsion points, i.e, the pointsQ= (x, y)∈Fp

2\ {O} onE with [m]Q=O. Note, that these points occur in pairs Q= (x, y) and

−Q= (x,−y), which coincide only if 2Q=O, i.e, ifxis a zero ofψ₂²(X).

We recall that the group of m-torsion points E[m], for an elliptic curve E defined over a field of char- acteristic p, is isomorphic to (Z/mZ)² if p - m and to a proper subgroup of (Z/mZ)² if p | m. If m is a power of p then E[m] is either isomorphic to (Z/mZ) or to {O}. Accordingly, the degree of ψ²_m(X) is m²−1 ifp-mand strictly less thanm²−1 otherwise. In particular, forp= 2 andma power of 2 we have deg(ψ²_m) = m−1 if E is not supersingular and deg(ψ²_m) = 0 otherwise. By induction one can show that θ_m(X)∈Fp[X] is monic of degreem².

2.3. Summation polynomials

With the same notation as above, for n ∈ N, n > 2, we define introduce n-th summation polynomial fn=fn(X1, X2, . . . , Xn) introduced by Semaev in [Sem04] such that

f_n(x₁, . . . , x_n) = 0

forx_i∈Fp(the algebraic closure ofFp if and only if there existy₁, . . . , y_n∈Fp such that (x₁, y₁), . . . ,(x_n, y_n)∈E(Fp) and

(x₁, y₁)⊕ · · · ⊕(x_n, y_n) =O.

These polynomials have found interesting applications in cryptography (in particular for solving the discrete logarithm problem on elliptic curves defined finite fields, see [Die11] and references therein).

The following lemma gives a simple way for calculating them:

Lemma 1. Then-th Semaev summation polynomialfn may be defined by:

f2(X1, X2) = X1−X2

f3(X1, X2, X3) = (X1−X2)²X₃²−2 ((X1+X2)(X1X2+a) + 2a)X3+ (X1X2−a)²−4b(X1+X2) fn(X1, . . . , Xn) = ResX(fn−k(X1, . . . , Xn−k−1, X), fk+2(Xn−k, . . . , Xn, X)), n>4 and16k6n−1 . The polynomialf_n is symmetric and of degree 2ⁿ⁻² in each variable X_i for anyn>3. The polynomial f_n is absolutely irreducible and we have

f_n(X₁, . . . , X_n) =f_n−1² (X₁, . . . , X_n−1)X_n²ⁿ⁻²+. . . 2.4. Coppersmith’s methods

In this section, we give a short description of Coppersmith’s method for solving a multivariate modular polynomial system of equations modulo an integerN. We refer the reader to [JM06] for details and proofs.

2.4.1. Problem definition.

Let f1(y1, . . . , yn), . . . , fs(y1, . . . , yn) be irreducible multivariate polynomials defined over Z, having a root (x1, . . . , xn) modulo a known integerN, namely fi(x1, . . . , xn)≡0 modN. We want this root to be small in the sense that each of its components is bounded by a known valueXi. We also need to bound the sizes ofXi allowing to recover the desired root in polynomial time.

2.4.2. Polynomials collection.

In a first step, one generates a collection P of polynomials {f˜1, . . . ,f˜r} linearly independent having (x1, . . . , xn) as a root moduloN. Usually, multiples and powers of products offifori∈ {1, . . . , s}are chosen, namely ˜f` = y<sub>1</sub><sup>α1,`</sup>· · ·y^αn^{n,`</sup>f<sub>1</sub><sup>k1,`}· · ·fs<sup>ks,`</sup> for some integersα1,`, . . . , αn,`, k1,`, ks,`. Such polynomials satisfy the relation ˜f<sub>`</sub>(x₁, . . . , x_n)≡0 modN^{Psi=1ki,`</sup> , i.e., there exists an integer c<sub>i</sub> such that ˜f<sub>i</sub>(x<sub>1</sub>, . . . , x<sub>n</sub>) = ciN<sup>Psj=1kj,`}.

2.4.3. Matrix construction.

We denote as Mthe set of monomials appearing in collection of polynomials P. Then each polynomial f˜i can be expressed as a vector with respect to a chosen order onM. We hence construct a matrixM as follows and we define asL the lattice generated by its rows:

f˜1 · · · f˜r

↓ · · · ↓















































 1

?

1

X₁⁻¹ y₁

. .. ...

X₁^−a1. . . X_n^−an y₁^a1. . . y^a_nⁿ

0

Ps i=1k_i,1

. ..

N^Psi=1ki,r

On that figure, every row of the upper part is related to one monomial ofM (we assume in the figure that M contains 1, y1, andy^a₁¹. . . y_n^an among other monomials). The left-hand side contains the bounds on these monomials (e.g., the coefficient X₁⁻¹X₂⁻² is put in the row related to the monomial y1y₂²). The right-hand side is formed by all vectors coming fromP.

2.4.4. A short vector in a sublattice.

Let us now consider the row vector

r0= (1, x1, . . . , x^a₁¹. . . x^a_nⁿ,−c1, . . . ,−cr) . By multiplying this vector by the matrixM, one obtains:

s0=

1, x1

X₁

, . . . , x1

X₁ ^a1

· · · xn

X_n ^an

,0, . . . ,0

.

The knowledge ofs0∈ Lis sufficient to recover the root we are searching for and its norm is very small sinceks0k26√

]M. Thus, the recovery of a small vector inL, will likely lead to the recovery of the desired root (x1, . . . , xn). To this end, we first restrict ourselves in a more appropriated subspace. Indeed, noticing that the last coefficients of s₀ are all null, we know that this vector belongs to a sublattice L⁰ whose last coordinates are composed by zero coefficients. By doing elementary operations on the rows ofM, one can construct that sublattice and its determinant is the same as the one ofL.

2.4.5. Method conclusion.

From that point, one computes an LLL-reduction on the lattice L⁰ and computes the Gram-Schmidt’s orthogonalized basis (b^?₁, . . . , b^?_t) of the LLL output basis (b1, . . . , bt). Since s0 belongs to L⁰, this vector can be expressed as a linear combination of theb^?_i’s. Consequently, if its norm is smaller than those ofb^?_t, thens0 is orthogonal tob^?_t. Extracting the coefficients appearing in b^?_t, one can construct a polynomialp1

defined overZsuch that p1(x1, . . . , xn) = 0. Repeating the same process with the vectorsb^?_t−1, . . . , b^?_t−n+1 leads to the system {p1(x1, . . . , xn) = 0, . . . , pn(x1, . . . , xn) = 0}. Under the (heuristic) assumption that all created polynomials define an algebraic variety of dimension 0, the previous system can be solved (e.g., using elimination techniques such as Groebner basis) and the desired root recovered in polynomial time.

The conditions on the bounds X_i that make this method work are given by the following (simplified) inequation (see [JM06] for details):

Y

y^k₁¹...yn^kn∈M

X₁^k1· · ·X_n^kn < N^{Pr`=1Psi=1ki,`} . (2)

For such techniques, the most complicated part is the choice of the collection of polynomials, what could be a really intricate task when working with multiple polynomials.

Remark 1. As noted above, the inequality 2 is simplified. In [JM06], there is an additionnal multiplicative term in the right-hand side that depends only on the dimension of the lattice and does not depend onN(and therefore only contributes to an error term as N grows with the security parameter). The non-simplified equation is

Y

y^k₁¹...y_n^kn∈M

X₁^k1· · ·X_n^kn<

2^{−ω(ω−1)/4}ω^−ω/2

N^{Pr`=1Psi=1ki,`} . (3)

whereω= #Mdenotes the number of monomials.

2.5. Analytic combinatorics

In the following, we recall the analytic combinatorics methods from [FS09] to estimate the exponents of the boundsX1, . . . , Xnand of the moduloN on the monomials and polynomials appearing in the inequality (2) in Coppersmith’s methods. Those methods can be used to compute the cardinalities of the setsPand M. We used the same notations as in [BCTV16] and for more details of the methods the reader is referred to that paper.

To make things clear, we will explain the method with one simple example. Suppose we want to solve the equation: f(y1, . . . , yn) = 0 modN, with|yi|6Xi. We consider the set of polynomials

P={fk=y^k₁¹. . . y^k_nⁿf^{k`</sup> modN<sup>k`} : 16k`< t

and deg(fk) =k1+· · ·+kn+k`e < te}, The set of monomials appearing in the collectionPwill usually look like

M={yk=y^k₁¹. . . y^k_nⁿ: 06deg(yk) =k1+· · ·+kn < te} .

These considerations imply that for the final condition in Coppersmith’s method (see Equation (2)), one needs to compute the values

ψ= X

f_k∈P

k` and ∀i∈ {1, . . . , n}, αi= X

y_k∈M

ki .

These values correspond to the exponent ofN andXi (fori∈ {1, . . . , n}) in Equation (2) respectively. We show how to compute these sumsψandαi for polynomials in PorMof a certain degree.

We see P (respectively M) as a combinatorial class with size function S(fk) = deg(fk)(respectively S(yk) = deg(yk)). We recall that a combinatorial class is a finite or countable set on which a size function is defined, satisfying the following conditions: (i) the size of an element is a non-negative integer and (ii) the number of elements of any given size is finite. We define another functionχ, called aparameter function, such thatχ(fk) =k`(respectively χ(yk) =ki). This allows us to computeψ(respectivelyαi) as:

ψ=χ_<te(P) = X

a∈P:S(a)<te

χ(a)

(respectively αi = χ_<te(M) = P

a∈P:S(a)<teχ(a) ). To do so we should be able to compute given a combinatorial classA(A=P orA=M) with size functionS and the parameter functionχ,

χ6p(A) = X

a∈A:S(a)6p

χ(a) .

We proceed as follows:

1. We give another description ofAwith respect toS andχ. This description associates to the combina- torial class an ordinary generating function (OGF)F(z, u) (using Table 1, see [BCTV16] for details).

When the class contains elements of different sizes (such as variables of degree 1 and polynomials of degreee), the variables in the OGF are represented by the atomic elementZ and the polynomials by the element Z^e, in order to take into account the degree of these polynomials. Then we “mark” the element useful for the parameter, with a new variableu. At this level we only know how to compute P

a∈A:S(a)=pχ(a). An easier way to computeχ_6p(A) is to force all elementsaof size less than or equal topto be of size exactlypby adding enough times adummy element y0 such thatχ(y0) = 0. In our context of polynomials, the aim of the dummy variabley0 is to homogenize the polynomial.

Table 1: Combinatorics constructions and their OGF

Construction OGF

Atomic class Z Z(z) =z

Neutral class ε E(z) = 1

Disjoint union A=B+C (whenB ∩ C=∅) A(z) =B(z) +C(z) Complement A=B \ C (whenC ⊆ B) A(z) =B(z)−C(z)

Cartesian product A=B × C A(z) =B(z)·C(z)

Cartesian exponentiation A=B^k =B × · · · × B A(z) =B(z)^k Sequence A=Seq(B) =ε+B+B²+. . . A(z) = _1−B(z)¹ 2. We have:

χ₆(A)(z) =

+∞

X

p=0

χ_6p(A)z^p= ∂F(z, u)

∂u _u=1

,

3. Since Coppersmith’s method is usually used in an asymptotic way, singularity analysis enables us to find the asymptotic value of the coefficients in an simple way by using the following theorem (see [FS09], page 392):

Theorem 2(Transfer Theorem). LetAbe a combinatorial class with an ordinary generating function F regular enough such that there exists a value c verifying

F(z) =

+∞

X

n=0

F_nzⁿ ∼

z→1

c (1−z)^α

for a non-negative integer α. The asymptotic value of the coefficientF_n is F_n ∼

n→∞(cn^α−1)/(α−1)! . 3. Predicting EC-LCG Sequences for Known Composer

Following [GI07], our results involve a parameter ∆ which measures how well some values approximate the sequence elements. More precisely, we say that W = (xW, yW) ∈ F²p is a ∆-approximation to U = (xU, yU)∈F²p if there exist integerse, f satisfying: |e|,|f|6∆,xW +e=xU andyW+f =yU.

For a given pointG∈E(Fp), the EC-LCG generates a sequenceUn of points defined by the relation:

Un=U_n−1⊕G= [n]G⊕U0, n∈N

where U0 ∈ E(Fp) is the initial value or seed. We refer to G as the composer of the EC-LCG. In the cryptographic setting, the initial valueU0 = (x0, y0) and the constants G, aandb are supposed to be the secret key. In the following we infer the sequence output by the EC-LCG in the case where the composerG is known and the curve is kept secret.

We consider two settings: the case where the most significant bits of consecutive valuesU_nof the sequence is output and the case where the most significant bits of the abscissa of consecutive multiple valuesU_kn(for some fixed integerk) of the sequence is output. In the first case, we show that the generator is insecure if at least a proportion of 4/5 of the most significant bits of two consecutive valuesU0 andU1of the sequence is output. In the second case, We show that the generator is insecure if at least a proportion of 7/8 of the most significant bits of two valuesX(U0) andX(Uk) is output,X(P) denoting the abscissa of the pointP. 3.1. Information on consecutive inputs

Theorem 3. (two consecutive outputs) Given∆-approximationsW0,W1to two consecutive affine value U0,U1 produced by the EC-LCG, and given the value of the composer G= (xG, yG). Under the heuristic assumption that all created polynomials we get by applying Coppersmith’s method with the polynomial setP below define an algebraic variety of dimension 0, one can recover the seed U0 in heuristic polynomial time inlogpas soon as∆< p^1/5

Proof. We supposeU₀∈ {−G, G}. Then, clearing denominators in (1), we can translate/ U1=U0⊕G

into the following identities in the fieldFp:

L₁=L₁(x₀, y₀, x₁) = 0mod p, L₂=L₂(x₀, y₀, x₁, y₁) = 0mod p whereU0= (x0, y0),U1= (x1, y1) and

L1 = x³_G+x1x²_G−x0x²_G−2x1xGx0−xGx²₀+x³₀+ 2yGy0+x1x²₀−y_G² −y²₀, L₂ = y₁x_G−y₁x₀−y_Gx₀+y_Gx₁−y₀x₁+y₀x_G.

Set W0 = (α0, β0) and W1 = (α1, β1). Then using the equalities xj =αj+ej and yj = βj+fj, for j∈ {0,1}, where|ej|,|fj|<∆ leads to the following polynomial system:

( f(e0, e1, f0) = 0 modp g(e₀, e₁, f₀, f₁) = 0 modp . where

f(z1, z2, z3) =A1z1+A2z2+A3z3+A4z²₁+A5z1z2+z₁³+z₁²z2−z²₃+A6

and

g(z₁, z₂, z₃, z₄) =B₁z₁+B₂z₂+B₃z₃+B₄z₄+z₁z₄+z₂z₃+B₅

are polynomials whose coefficientsA_iandB_iare functions ofx_G, and the approximations valuesα₀, α₁, β₀, β₁. If we fixu=z₁³+z₁²z₂−z²₃ andv=z₁z₄+z₂z₃, then the polynomialf becomes f₁(z₁, z₂, z₃, u) =A₁z₁+ A₂z₂+A₃z₃+A₄z²₁+A₅z₁z₂+u+A₆andgbecomesg₁(z₁, z₂, z₃, z₄, v) =B₁z₁+B₂z₂+B₃z₃+B₄z₄+v+B₅. Description of the attack. The adversary is therefore looking for the small solutions of the following modular multivariate polynomial system:

( f1(z1, z2, z3, u) = 0 modp g1(z1, z2, z3, z4, v) = 0 modp .

With|zj|<∆,|u|< X = ∆³ and |v|< Y = ∆². The attack consists in applying Coppersmith’s methods for multivariate polynomials. From now, we use the following collection of polynomials (parameterized by some integert∈N):

P=n

z₁^j1. . . z^j₄⁴f₁ⁱ¹gⁱ₁² modpⁱ¹⁺ⁱ² : i1+i2>0 andj1+· · ·+j4+ 2i1+i2<2to

The list of monomials appearing within this collection can be described as:

M=

z₁ⁱ¹z₂ⁱ²zⁱ₃³z₄ⁱ⁴uⁱ⁵vⁱ⁶ mod ∆^i1+i2+i3+i4Xⁱ⁵Yⁱ⁶ : i1+· · ·+i4+ 2i5+i6<2t .

If we use for instance the monomial order lex (withzi< u < v) on the set of monomials, then the leading monomial off1isLM(f1) =uandLM(g1) =v. Then the polynomials in Pare linearly independent since we have prohibited the multiplication byuandv.

Bounds for the polynomials modulo p. We consider the setP as a combinatorial class, with the size functionS(z₁^j1. . . z^j₄⁴f₁ⁱ¹gⁱ₁²) =j1+· · ·+j4+ 2i1+i2and the parameter functionχ(z₁^j1. . . z₄^j4f₁ⁱ¹g₁ⁱ²) =i1+i2. The degree of each variablez_i,u,vis 1, whereas the degree off₁ is 2 and the degree ofg₁is 1. For the sake of simplicity, we can consider 06i₁+i₂, since the parameter function equals 0 for elementsz₁^j1. . . z^j₄⁴f₁ⁱ¹gⁱ₁² withi₁+i₂= 0.

We can describePas:

4

Y

i=1

Seq(Z)×Seq(uZ²)×Seq(uZ)×Seq(Z), where the last one is for the dummy valuez0.

This leads to the generating function:

F(z, u) = 1

1−z ⁵

× 1

1−uz² × 1 1−uz. We have

∂F

∂u(u, z) _u=1

= z²(1−z) +z(1−z²) (1−z)⁷(1−z²)² , asz→1 , 1−zⁿ∼n(1−z) leads to:

∂F

∂u(u, z) _u=1

z→1∼

3(1−z)

4(1−z)⁹ ∼ 3 4(1−z)⁸, since 2t∼2t−1, this leads to:

χ<2t(P)∼3

4 ×(2t)⁷ 7!

Bounds for the monomials modulo ∆. We consider the set Mas a combinatorial class, with the size function S(z₁ⁱ¹. . . z₄ⁱ⁴uⁱ⁵vⁱ⁶) = i1+· · ·+i4 + 2i5 +i6 and the parameter function χ(z₁ⁱ¹. . . zⁱ₄⁴uⁱ⁵vⁱ⁶) = i1+· · ·+i4. Asz1, z2, z3, z4, u, v”count for” 1,1,1,1,2 and 1 respectively in the condition of the set, we can describeMas:

Seq(Z²)×Seq(Z)×

4

Y

i=1

Seq(uZ)×Seq(Z), where the last one is for the dummy valuez₀.

Which leads to the generating function:

F(z, u) = 1

(1−z²)(1−z)² × 1

1−uz 4

.

We have

∂F

∂u(u, z) _u=1

= 4z

(1−z)⁷(1−z²), asz→1, 1−zⁿ∼n(1−z) leads to:

∂F

∂u(u, z) _u=1

z→1∼ 2 (1−z)⁸, since 2t∼2t−1, this leads to:

χ<2t,∆(M)∼2(2t)⁷ 7!

Bounds for the monomials modulo X. We consider the setMas a combinatorial class, with the size functionS(zⁱ₁¹. . . z₄ⁱ⁴uⁱ⁵vⁱ⁶) =i₁+· · ·+i₄+ 2i₅+i₆ and the parameter functionχ(zⁱ₁¹. . . z₄ⁱ⁴uⁱ⁵vⁱ⁶) =i₅. As z1, z2, z3, z4, u, v ”count for” 1,1,1,1,2 and 1 respectively in the condition of the set, we can describeMas:

5

Y

i=1

Seq(Z)×Seq(uZ²)×Seq(Z), where the last one is for the dummy valuez₀.

Which leads to the generating function:

F(z, u) = 1 (1−z)⁶ ×

1 1−uz²

.

This leads to:

χ<2t,X(M)∼ (2t)⁷ 4×7!

Bounds for the monomials modulo Y. We consider again the setMas a combinatorial class, with the size functionS(z₁ⁱ¹. . . z₄ⁱ⁴uⁱ⁵vⁱ⁶) =i₁+· · ·+i₄+ 2i₅+i₆and the parameter functionχ(z₁ⁱ¹. . . z₄ⁱ⁴uⁱ⁵vⁱ⁶) =i₆. Asz₁, z₂, z₃, z₄, u, v ”count for” 1,1,1,1,2 and 1 respectively in the condition of the set, we can describeM as:

4

Y

i=1

Seq(Z)×Seq(Z²)×Seq(uZ)×Seq(Z), where the last one is for the dummy valuez0.

Which leads to the generating function:

F(z, u) = 1

(1−z)⁵(1−z²)× 1

1−uz

.

This leads to:

χ_<2t,Y(M)∼ (2t)⁷ 2×7!

Condition. If we denote by ν₁ = χ_<2t,∆(M), ν₂ = χ_<2t,X(M), ν₃ = χ_<2t,Y(M) and ε = χ_<2t(P), the condition for Coppersmith’s method isp^ε>∆^ν1X^ν2Y^ν3, ie ∆< p^{ν1 +3νε2 +2ν3}, where:

ε ν1+ 3ν2+ 2ν3

∼ χ_<2t(P)

χ<2t,∆(M) + 3χ<2t,X(M) + 2χ<2t,Y(M)∼ 1 5, this leads to the bound:

∆< p¹⁵.

Complexity of the attack. The dimensions of the matrix used in Coppersmith methods depend on the cardinalities of the set of polynomials and monomials. To compute the cardinalities of the setsP andM, we make use of the parameters functionsχ(z₁^j1. . . z^j₄⁴f₁ⁱ¹gⁱ₁²) = 1 and χ(zⁱ₁¹. . . zⁱ₄⁴uⁱ⁵vⁱ⁶) = 1. This leads to the generating functions:

F1(z) = 1

1−z 5

× 1

1−z² × 1 1−z −1

and

F2(z) = 1

1−z 5

× 1

1−z² × 1 1−z,

forPandMrespectively.

We have:

F₁(z), F₂(z) ∼

z→1

1 2(1−z)⁷, which leads whentgoes to infinity to the asymptotic bound:

1

2 ×(2t)⁶ 6!

From the inequality (2), one can see that the attack works if p^ε>∆^ν1X^ν2Y^ν3,

withI1 ={i= (i1, . . . , i6)|06i1+· · ·+i4+ 2i5+i6<2t},I2={i= (j1, . . . , j4, i1, i2)|i1+i2>0 and 06 j1+· · ·+j4+ 2i1+i2<2t},

ν₁=X

i∈I1

i₁+· · ·+i₄, ν₂=X

i∈I1

i₅, ν₃=X

i∈I1

i₆ and ε=X

i∈I2

i₁+i₂

. PuttingX= ∆³ andY = ∆², we then have the following theoretical bound

∆< p^δtheo, whereδ_theo= _ν ^ε

1+3ν2+2ν3 . If one uses the non-simplified inequality (3), we only obtain

∆<

2^{−ω(ω−1)/4}ω^−ω/2 p^δtheo

whereω= #Mdenotes the number of monomials. The “error term” is thus independent of pbut so small that we can only conclude theoretically that the attack works only for very largep(several hundreds of bits even for onlyt = 2). However, our experiments show that the attack works for practical values ofp(and even sometimes for ∆< p^δexp,where δexp > δtheo. We give in the table below the cardinalities of the sets P,Mand the theoretical boundδtheo for smallert.

t 1 2 3 4 5 6 7 8 9

number of polynomials 1 27 188 776 2393 6111 13664 27672 51897 number of monomials 6 62 314 1106 3108 7476 16044 31548 57882 δtheo 0.167 0.182 0.187 0.190 0.192 0.193 0.194 0.195 0.1953 Unfortunately, even if t is small, the constructed matrix is of huge dimension (since the number of monomials is quite large) and the computation which is theoretically polynomial-time becomes in practice prohibitive. These attacks are nethertheless good evidence of a weakness in this pseudo-random generator.

Experimental Results. We have implemented the attack in Sage 7.6 on a MacBook Air laptop computer (2,2 GHz Intel Core i7, 4 Gb RAM 1600 MHz DDR3, Mac OSX 10.10.5). Table 2 lists the dimensiondof the lattice (d=]P+]m), the theoretical boundδtheoand an experimental boundδexp for am-bit primep.

We consider the family of polynomialsP witht= 2 (since fort >2, the dimension of the lattice is huge).

We ran several experiments for all parameters and Table 2 gives the average running time (in seconds) of the LLL algorithm, the Gram-Schmidt’s orthogonalization algorithm and the Gr¨obner basis computation.

This bound improves the known bound ∆< p^1/6. Next we further improve the previous bound and we show that the generator is insecure if at least a proportion of 8/11 of the most significant bits of a large number of consecutive valuesUi of the sequence is output.

m t δ_theo δ_exp d LLL time(s) Gram-Schmidt’s time(s) Gr¨obner basis time(s)

128 2 0.182 0.20 89 2.908 20.910 0.567

256 2 0.182 0.12 89 2.957 46.157 6.474

Table 2: Predicting EC-LCG Sequences for Known Composer

Theorem 4. (more consecutive outputs)

Given ∆-approximationsW0, W1,. . . ,Wn (for some integer n > 1) to n+ 1 consecutive affine values U0, U1,. . . ,Un produced by the EC-LCG, and given the value of the composerG= (xG, yG). Under the heuristic assumption that all created polynomials we get by applying Coppersmith’s method with the polynomial setP below define an algebraic variety of dimension0, one can recover the seed U0 in polynomial time inlogpas soon as∆< p^11n+43n

Proof. Let us assume, for instance that the adversary has access ton+ 1 ∆-approximationsW₀,W₁,. . . ,W_n ofU₀, U₁,. . . ,U_n produced by the EC-LCG. Then using the equalities x_j =α_j+e_j and y_j =β_j+f_j, for j ∈ {0, . . . , n}, where |e_j|,|f_j|<∆ andW_j = (α_j, β_j) and U_j = (x_j, y_j) leads to the following polynomial system:



















f₁⁰(e0, e1, f0) = 0 modp g⁰₁(e₀, e₁, f₀, f₁) = 0 modp

...

f_n⁰(e_n−1, en, f_n−1) = 0 modp g_n⁰(e_n−1, e_n, f_n−1, f_n) = 0 modp . Where fori∈ {1, . . . , n},

f_i⁰(z_i−1, zi, zn+i) =A1z_i−1+A2zi+A3zn+i+A4z_i−1² +A5z_i−1zi+z_i−1³ +z_i−1² zi−z²_n+i+A6

and

g_i⁰(z_i−1, zi, zn+i, zn+i+1) =B1z_i−1+B2zi+B3zn+i+B4zn+i+1+z_i−1zn+i+1+zizn+i+B5

are polynomials whose coefficientsAi and Bi are functions of xG, and the approximations values αk, βk, (k ∈ {i−1, i}). If we fix ui = z_i−1³ +z_i−1² zi−z_n+i² and vi = zi−1zn+i+1+zizn+i, then the polynomial f_i⁰ becomes fi(zi−1, zi, zn+i, ui) =A1zi−1+A2zi+A3zn+i+A4z_i−1² +A5zi−1zi+ui+A6 andg_i⁰ becomes gi(zi−1, zi, zn+i, zn+i+1, vi) =B1zi−1+B2zi+B3zn+i+B4zn+i+1+vi+B5. The adversary is then looking for the solutions of the modular multivariate polynomial system:



















f₁(z₀, z₁, z_n+1) = 0 modp g1(z0, z1, zn+1, zn+2) = 0 modp

...

fn(z_n−1, zn, z2n) = 0 modp g_n(z_n−1, z_n, z_2n, z_2n+1) = 0 modp .

With |zj| < ∆, j ∈ {0, . . . ,2n+ 1}, |ui| < X = ∆³ and |vi| < Y = ∆², i = 1, . . . , n. We consider the following collection of polynomials:

P=

f˜j₀,...,j_2n+1,i₁,...,i_n,l₁,...,l_n=z₀^j0. . . z^j_2n+1²ⁿ⁺¹f₁ⁱ¹. . . f_nⁱⁿg^l₁¹. . . g_n^ln mod p^{i1+l1···+in+ln}

s.t. i1+l1+· · ·+in+ln>0 and j0+· · ·+j2n+1+ 2(i1+· · ·+in) +l1+· · ·+ln<2t

.

The list of monomials appearing within this collection can be described as:

M=

z₀^j0. . . z^j_2n+1²ⁿ⁺¹uⁱ₁¹v^l₁¹. . . uⁱ_nⁿv_n^ln mod ∆^{j0+···+j2n+1}X^i0+···+inY^l0+···+ln s.t. j₀+· · ·+j_2n+1+ 2(i₁+· · ·+i_n) +l₁+· · ·+l_n<2t

.

Bounds for the Polynomials modulo p. We consider the setP as a combinatorial class, with the size functionS( ˜f_{j0,...,j2n+1,i1,...,in,l1,...,ln}) =j₀+· · ·+j_2n+1+ 2(i₁+· · ·+i_n) +l₁+· · ·+l_n and the parameter functionχ( ˜fj₀,...,j_2n+1,i₁,...,i_n,l₁,...,l_n) =i1+l1+· · ·+in+ln. We can describePas:

2n+1

Y

i=0

Seq(Z)×

n

Y

j=1

Seq(uZ²)×

n

Y

k=1

Seq(uZ)×Seq(Z), where the last one is for the dummy variable.

This leads to the generating function:

F(z, u) = 1

(1−z)²ⁿ⁺³ × 1

(1−uz²)ⁿ × 1 (1−uz)ⁿ. We have

∂F

∂u(u, z) _u=1

z→1∼

3n 2ⁿ⁺¹(1−z)⁴ⁿ⁺⁴, since 2t∼2t−1, we get:

χ<2t(P)∼ 3n

2ⁿ⁺¹ × (2t)⁴ⁿ⁺³ (4n+ 3)!

Bounds for the monomials modulo ∆. We consider the set Mas a combinatorial class, with the size function

S(z^j₀⁰. . . z_2n+1^j2n+1uⁱ₁¹v₁^l1. . . uⁱ_nⁿv^l_nⁿ) =j0+· · ·+j2n+1+ 2(i1+· · ·+in) +l1+· · ·+lnand the parameter function χ(z₀^j0. . . z_2n+1^j2n+1uⁱ₁¹v^l₁¹. . . uⁱ_nⁿv_n^ln) =j₀+· · ·+j_2n+1. We can describeMas:

n

Y

i=1

Seq(Z²)×

n

Y

i=1

Seq(Z)×

2n+1

Y

i=0

Seq(uZ)×Seq(Z), where the last one is for the dummy valuey0.

Which leads to the generating function:

F(z, u) = 1

(1−z²)ⁿ(1−z)ⁿ⁺¹ × 1 (1−uz)²ⁿ⁺². Asz→1, 1−zⁿ∼n(1−z) leads to:

∂F

∂u(u, z) _u=1

z→1∼

2n+ 2 2ⁿ(1−z)⁴ⁿ⁺⁴, since 2t∼2t−1, this leads to:

χ<2t,∆(M)∼ 2n+ 2

2ⁿ × (2t)⁴ⁿ⁺³ (4n+ 3)!