Predicting the elliptic curve congruential generator

Cryptography (94A60) Algebraic coding theory; cryptography (number-theoretic aspects) (11T71) Pseudo-random numbers; Monte Carlo methods (11K45) Computer solution of Diophantine equations (11Y50) Elliptic curves (14H52) Calculation of integer sequences (11Y55)

Abstract: Let

p

be a prime and let

m a t h b f E

be an elliptic curve defined over the finite field

m a t h b b F_{p}

of

p

elements. For a point

G i n m a t h b f E (m a t h b b F_{p})

the elliptic curve congruential generator (with respect to the first coordinate) is a sequence

(x_{n})

defined by the relation

x_{n} = x (W_{n}) = x (W_{n - 1} o p l u s G) = x (n G o p l u s W_{0})

,

n = 1, 2, d o t s

, where

o p l u s

denotes the group operation in

m a t h b f E

and

W_{0}

is an initial point. In this paper, we show that if some consecutive elements of the sequence

(x_{n})

are given as integers, then one can compute in polynomial time an elliptic curve congruential generator (where the curve possibly defined over the rationals or over a residue ring) such that the generated sequence is identical to

(x_{n})

in the revealed segment. It turns out that in practice, all the secret parameters, and thus the whole sequence

(x_{n})

, can be computed from eight consecutive elements, even if the prime and the elliptic curve are private.

Recommendations

Cites work

Cited in

(5)

This page was built for publication: Predicting the elliptic curve congruential generator

Report a bug (only for logged in users!)Click here to report a bug for this page (MaRDI item Q2363380)