Abstract
The DSS signature algorithm requires the signer to generate a fresh random number with every signature. We show that if these numbers are produced by a linear congruential pseudorandom number generator (LCG), then the signer's secret key can be recovered quickly after seeing only a few signatures. This illustrates how vulnerable the DSS is to weaknesses in the underlying random number generation process. It also confirms that an LCG sequence is not only predictable, as was already known, but must be treated with extreme caution even inside cryptographic applications that would appear to hide the sequence. The attack also applies to truncated linear congruential generators, and extends to any pseudorandom generator that can be described by modular linear equations.
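The following is an added worked example, not code from the paper, showing the simplest instance of the attack the abstract describes. It assumes the signer draws each DSS nonce k_i from an LCG whose modulus equals the group order q, with the multiplier a and increment b unknown to the attacker; a different modulus or truncated outputs need the paper's more general treatment and are not shown here. Each signature gives k_i = u_i + v_i·x (mod q) with u_i, v_i public, so nonce differences are linear in x and the LCG relation d_{i+1} = a·d_i makes d_2² = d_1·d_3 a quadratic in x alone. Parameter sizes, the SHA-1-mod-q hash and the choice q ≡ 3 (mod 4) are toy simplifications for this example only.

```python
import hashlib
import random

# Toy DSA sizes (hypothetical, far below FIPS 186 minimums); the attack's algebra does not depend on them.
Q_BITS, P_BITS = 48, 96

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with bases drawn from rng."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(rng):
    """Toy (p, q, g); q is forced to 3 mod 4 so a modular square root is one exponentiation."""
    while True:
        q = rng.getrandbits(Q_BITS) | (1 << (Q_BITS - 1)) | 3
        if is_probable_prime(q, rng):
            break
    while True:
        m = (rng.getrandbits(P_BITS - Q_BITS) | (1 << (P_BITS - Q_BITS - 1))) & ~1
        if is_probable_prime(m * q + 1, rng):
            p = m * q + 1
            break
    while True:
        g = pow(rng.randrange(2, p - 1), m, p)   # order q unless it collapses to 1
        if g != 1:
            return p, q, g

def hash_to_int(msg, q):
    # Simplified: whole SHA-1 digest reduced mod q (FIPS 186 truncates to the leftmost bits).
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q

def sign(params, x, msg, k):
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, signer must retry")
    return r, s

class LCG:
    """k_{i+1} = a*k_i + b mod m, misused here as the DSS nonce source."""
    def __init__(self, a, b, m, seed):
        self.a, self.b, self.m, self.state = a, b, m, seed
    def next(self):
        self.state = (self.a * self.state + self.b) % self.m
        return self.state

def recover_key(params, y, sigs):
    """Four signatures with consecutive LCG-mod-q nonces; a and b unknown. Returns (x, a, b) or None."""
    p, q, g = params
    u, v = [], []
    for msg, r, s in sigs:                      # k_i = u_i + v_i*x  (mod q)
        w = pow(s, -1, q)
        u.append(hash_to_int(msg, q) * w % q)
        v.append(r * w % q)
    # d_i = k_{i+1} - k_i = alpha_i + beta_i*x and d_{i+1} = a*d_i, so a cancels:
    # d_2^2 = d_1*d_3 (mod q), a quadratic in the single unknown x.
    alpha = [(u[i + 1] - u[i]) % q for i in range(3)]
    beta = [(v[i + 1] - v[i]) % q for i in range(3)]
    A = (beta[1] ** 2 - beta[0] * beta[2]) % q
    B = (2 * alpha[1] * beta[1] - alpha[0] * beta[2] - alpha[2] * beta[0]) % q
    C = (alpha[1] ** 2 - alpha[0] * alpha[2]) % q
    if A == 0:                                  # degenerate case: equation is linear
        cands = [(-C) * pow(B, -1, q) % q] if B else []
    else:
        disc = (B * B - 4 * A * C) % q
        root = pow(disc, (q + 1) // 4, q)       # square root mod q, valid since q = 3 mod 4
        if root * root % q != disc:
            return None
        inv = pow(2 * A, -1, q)
        cands = [(-B + root) * inv % q, (-B - root) * inv % q]
    for x in cands:                             # the public key selects the true root
        if pow(g, x, p) == y:
            k = [(u[i] + v[i] * x) % q for i in range(4)]
            a = (k[2] - k[1]) * pow((k[1] - k[0]) % q, -1, q) % q
            return x, a, (k[1] - a * k[0]) % q  # full generator state is exposed too
    return None

def demo(seed=2024):
    """Constructed scenario: signer draws nonces from an LCG mod q; attacker sees four signatures."""
    rng = random.Random(seed)
    params = gen_params(rng)
    p, q, g = params
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    lcg = LCG(rng.randrange(2, q), rng.randrange(1, q), q, rng.randrange(1, q))
    msgs = [b"constructed message %d" % i for i in range(4)]
    sigs = [(m,) + sign(params, x, m, lcg.next()) for m in msgs]
    return x, (lcg.a, lcg.b), recover_key(params, y, sigs)
```

Running `demo()` returns the real secret x, the real (a, b), and the attacker's recovered (x, a, b); the two agree, and with a and b in hand every future nonce, hence every future signature's key equation, is predictable as well. Note that only four signatures and public data were used, and that with a and b known in advance the same algebra needs just two signatures and a single linear equation.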
© 1997 Springer-Verlag
Cite this paper
Bellare, M., Goldwasser, S., Micciancio, D. (1997). "Pseudo-random" number generation within cryptographic algorithms: The DSS case. In: Kaliski, B.S. (ed.) Advances in Cryptology — CRYPTO '97. CRYPTO 1997. Lecture Notes in Computer Science, vol 1294. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0052242
DOI: https://doi.org/10.1007/BFb0052242
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-63384-6
Online ISBN: 978-3-540-69528-8