Abstract
We introduce lattice-based practical seed-recovery attacks against two efficient number-theoretic pseudo-random number generators: the fast knapsack generator and a family of combined multiple recursive generators. The fast knapsack generator was introduced in 2009 by von zur Gathen and Shparlinski. It generates pseudo-random numbers very efficiently, with strong mathematical guarantees on their statistical properties, but its resistance to cryptanalysis had been left open since 2009. The attacks are surprisingly efficient when the truncated bits do not represent too large a proportion of the internal states. Their complexity does not grow strongly with the size of the parameters, only with the proportion of discarded bits.
A multiple recursive generator is a pseudo-random number generator based on a constant-recursive sequence. A combined multiple recursive generator is a pseudo-random number generator based on combining two or more multiple recursive generators. L'Écuyer presented the general construction in 1996 and a popular instantiation called MRG32k3a in 1999. We use algebraic relations between both pseudo-random generators and underlying algebraic generators to show that they are cryptographically insecure. We provide a theoretical analysis as well as efficient implementations.
References
Benhamouda, F., Chevalier, C., Thillard, A., Vergnaud, D.: Easing coppersmith methods using analytic combinatorics: applications to public-key cryptography with weak pseudorandomness. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016, Part II. LNCS, vol. 9615, pp. 36–66. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_3
Bouillaguet, C., Martinez, F., Sauvage, J.: Practical seed-recovery for the PCG pseudo-random number generator. IACR Trans. Symmetric Cryptology 2020(3), 175–196 (2020)
Ferrenberg, A.M., Landau, D.P., Wong, Y.J.: Monte Carlo simulations: hidden errors from “good’’ random number generators. Phys. Rev. Lett. 69, 3382–3384 (1992)
Franke, D.: How I hacked hacker news (with arc security advisory) (2009). https://news.ycombinator.com/item?id=639976
Frieze, A.M., Hastad, J., Kannan, R., Lagarias, J.C., Shamir, A.: Reconstructing truncated integer variables satisfying linear congruences. SIAM J. Comput. 17(2), 262–280 (1988)
Frieze, A.M., Kannan, R., Lagarias, J.C.: Linear congruential generators do not produce random sequences. In: 25th FOCS, pp. 480–484. IEEE Computer Society Press, October 1984. https://doi.org/10.1109/SFCS.1984.715950
Von zur Gathen, J., Shparlinski, I.E.: Subset sum pseudorandom numbers: fast generation and distribution. J. Math. Cryptol. 3(2), 149–163 (2009)
Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_18
Joux, A., Stern, J.: Lattice reduction: a toolbox for the cryptanalyst. J. Cryptol. 11(3), 161–185 (1998). https://doi.org/10.1007/s001459900042
Kaas, R., Buhrman, J.: Mean, median and mode in binomial distributions. Stat. Neerl. 34, 13–18 (1980)
Knellwolf, S., Meier, W.: Cryptanalysis of the knapsack generator. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 188–198. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_11
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
L’Écuyer, P.: Random number generation with multiple streams for sequential and parallel computing. In: 2015 Winter Simulation Conference (WSC), pp. 31–44. IEEE (2015)
Mitra, A.: On the properties of pseudo noise sequences with a simple proposal of randomness test. Int. J. Electr. Comput. Eng. 3(3), 164–169 (2008)
Ritzenhofen, M.: On efficiently calculating small solutions of systems of polynomial equations: lattice-based methods and applications to cryptography. Ph.D. thesis (2010)
Rueppel, R.A., Massey, J.L.: Knapsack as a nonlinear function. In: IEEE International Symposium on Information Theory. IEEE Press, New York (1985)
Stern, J.: Secret linear congruential generators are not cryptographically secure. In: 28th FOCS, pp. 421–426. IEEE Computer Society Press, October 1987. https://doi.org/10.1109/SFCS.1987.51
Van der Walt, S., Colbert, S.C., Varoquaux, G.: The NumPy array: a structure for efficient numerical computation. Comput. Sci. Eng. 13(2), 22–30 (2011)
Wichmann, B.A., Hill, I.D.: Algorithm AS 183: an efficient and portable pseudo-random number generator. J. Roy. Stat. Soc.: Ser. C (Appl. Stat.) 31(2), 188–190 (1982)
Appendices
A Bernoulli Trials
Suppose we have \(n\) Bernoulli trials, each with success probability \(p\). We want the probability of a run of at least \(k\) consecutive successes, which we denote \(Pr(n,p,k)\).
Since there cannot be more successes than trials, \(Pr(n,p,k) = 0\) if \(k>n\). If \(k=n\), all trials must be successes, hence \(Pr(n,p,k)= p^k\).
If \(n>k\), there are two mutually exclusive ways to obtain a run of \(k\) successes. Either a run of \(k\) successes occurs within the last \(n-1\) trials, or the first \(k\) trials are all successes and no run of \(k\) successes occurs within the last \(n-1\) trials. In the second case the \((k+1)\)-th trial must be a failure (otherwise trials \(2,\dots,k+1\) would form a run inside the last \(n-1\) trials) and there is no run of \(k\) successes in the \(n-k-1\) remaining trials. Hence, for \(n>k\), \(Pr(n,p,k) = Pr(n-1,p,k) + p^k\times (1-p)\times (1-Pr(n-k-1,p,k))\).
We fix \(k\) and \(p\) and consider \(S[n] = 1-Pr(n,p,k)\). Substituting into the recurrence above shows that \((S[n])_{n\in \mathbb {N}}\) is a constant-recursive sequence:
\(S[n] = S[n-1] - p^k(1-p)\,S[n-k-1]\),
of order \(k+1\) with initial terms \(S[0]=\dots =S[k-1] = 1\) and \(S[k] = 1-p^k\).
The explicit values of the sequence are given by \(S[n] = C_1(r_1)^n + \dots + C_{k+1}(r_{k+1})^n\) where the \(r_i\) are the roots of the characteristic polynomial \(x^{k+1}-x^k + p^k(1-p)\) and the \(C_i\) are constants given by the initial terms.
In our case we have \(m\) outputs and we want the probability of having \(k+1\) consecutive internal states of the form \(v_{i+1}=zv_i \bmod 2^n\). Given \(v_i\), the probability that \(v_{i+1}=zv_i \bmod 2^n\) is 1/4. Our problem is therefore to compute the probability of a run of at least \(k\) successes in a sequence of \(m-1\) Bernoulli trials, each with success probability 1/4.
The following table gives the minimal values of \(m\) such that the probability of a run of \(k\) successes in \(m-1\) trials is greater than 1/2.
| k | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 11 |
|---|---|---|---|---|---|---|---|---|
| m | 15 | 58 | 236 | 944 | 3783 | 15138 | 60565 | 3876354 |
(These values come from numerical approximations and might not be exact.)
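The recurrence of this appendix, carried out in code as an added example (this is not code from the paper): the generator below produces \(Pr(n,p,k)\) for increasing \(n\), `run_probability` reads off a single value and `minimal_outputs` searches for the smallest \(m\) of the table above, with \(p = 1/4\) as the default. Passing \(p\) as a `fractions.Fraction` makes the arithmetic exact; a float is faster for the larger \(k\), where tens of thousands of trials are needed. The function names and the `max_trials` guard are this example's own choices.

```python
"""Runs of successes in Bernoulli trials (the recurrence of Appendix A).

Added example, not code from the paper. It implements
  Pr(n,p,k) = Pr(n-1,p,k) + p^k (1-p) (1 - Pr(n-k-1,p,k))
iteratively, so no recursion depth is needed even for n in the tens of
thousands, and searches for the minimal number of outputs m of Appendix A.
"""
from fractions import Fraction
from itertools import islice


def run_probabilities(p, k):
    """Yield Pr(n,p,k) for n = 0, 1, 2, ... (probability that n trials with
    success probability p contain at least k consecutive successes)."""
    if k <= 0:
        raise ValueError("k must be positive")
    q = p ** k * (1 - p)  # k successes followed by one failure
    pr = []
    n = 0
    while True:
        if n < k:
            value = 0            # cannot have more successes than trials
        elif n == k:
            value = p ** k       # all trials must succeed
        else:
            # a run inside the last n-1 trials, or the first k trials succeed,
            # the (k+1)-th fails and no run occurs in the remaining n-k-1
            value = pr[n - 1] + q * (1 - pr[n - k - 1])
        pr.append(value)
        yield value
        n += 1


def run_probability(n, p, k):
    """Pr(n,p,k) as a single value; exact when p is a Fraction."""
    return next(islice(run_probabilities(p, k), n, None))


def no_run_sequence(n, p, k):
    """S[n] = 1 - Pr(n,p,k), the complement sequence used in Appendix A."""
    return 1 - run_probability(n, p, k)


def minimal_outputs(k, p=0.25, threshold=0.5, max_trials=10**7):
    """Minimal m such that m-1 trials contain a run of k successes with
    probability strictly greater than `threshold`.

    With p = 1/4 this is the quantity tabulated in Appendix A: m outputs give
    m-1 chances of seeing v_{i+1} = z v_i mod 2^n, each with probability 1/4.
    `max_trials` is a safety bound added for this example.
    """
    for n, value in enumerate(run_probabilities(p, k)):
        if value > threshold:
            return n + 1
        if n > max_trials:
            raise ValueError("threshold not reached within max_trials trials")


if __name__ == "__main__":
    # Exact check of the first table entry: k = 2 needs m = 15 outputs.
    print("k=2 (exact):", minimal_outputs(2, Fraction(1, 4), Fraction(1, 2)))
    for k in (2, 3, 4, 5):
        print(f"k={k}: m={minimal_outputs(k)}")
```

Because the table's entries are stated to be numerical approximations, compare what `minimal_outputs` returns for a given \(k\) with the table rather than assuming the two coincide; for \(k=2\) the exact computation with `Fraction(1, 4)` gives 15, as tabulated.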
B Improvement of Coppersmith?
Let \(P\) be the polynomial constructed from the outputs of our LCG. We are searching for a root of \(P\) modulo \(N\). In Sect. 2, we saw that we had two possibilities: either construct the matrix \(\mathcal {M}\) of the Coppersmith method directly from \(P\) alone, or build a bigger set of polynomials \(P_i\) of the form \(f=y_0^{k_0}\cdots y_n^{k_n}P^{k_p}\). In Sect. 3, we presented attacks where the set of polynomials was not extended. The goal of this appendix is to look for a family of polynomials \(P_i\) that lets us retrieve the root even when more bits are discarded.
For the reader familiar with [1] by Benhamouda et al., we use the same notation. We denote by \(\mathcal {P}\) the bigger set constructed from \(P\). The polynomials in \(\mathcal {P}\) are of the form \(f=y_0^{k_0}\cdots y_n^{k_n}P^{k_p}\) and are all linearly independent. We denote by \(\chi _\mathcal {P}(f)\) the multiplicity of our small root as a root of \(f \bmod N\): \(\chi _\mathcal {P}(f) = k_p\). We denote by \(\mathfrak {M}\) the set of all the monomials appearing in \(\mathcal {P}\). If \(m \in \mathfrak {M}\) is of the form \(y_0^{k_0}\cdots y_n^{k_n}\), we set \(\chi _\mathfrak {M}(m) = k_0+\dots +k_n\). We know by Eq. (1) that the attack is supposed to work as long as
where \(\ell \) is the number of discarded bits and \(n\) the size of the internal states of our generator.
B.1 Consecutive Outputs
Here our Polynomial is \(P = y_1^2+2H_1y_1+H_1^2 - y_0y_2 - H_0y_2 - H_2y_0 - H_0H_2\). We fix a parameter \(T\) and choose \(\mathcal {P}_T\) as following:
All the polynomials in \(\mathcal {P}_T\) are linearly independent. Indeed, with the monomial order \(y_1>y_0>y_2\), the leading monomial of \(P\) is \(y_1^2\), so the leading monomial of \(y_0^{k_0}y_1^\epsilon y_2^{k_2}P^{k_p}\) is \(y_1^{2k_p+\epsilon }y_0^{k_0}y_2^{k_2}\); distinct shifts thus have distinct leading monomials.
Rather than computing the monomial set of \(\mathcal {P}_T\) exactly, we approximate it by
Now we must compute \(\sum _{f \in \mathcal {P}_T} \chi _{\mathcal {P}_T}(f)\) and \(\sum _{m \in \mathfrak {M}_T}\chi _{\mathfrak {M}_T}(m)\):
Thus this new construction should allow us to recover the small root as long as
This value tends to 1/6 as \(T\) grows.
To obtain a bound larger than 1/7 (the result already achieved), we need \(T\ge 13\). But \(T=13\) means a lattice of dimension 924, and running the LLL algorithm on a lattice of dimension around 900 is hardly practical.
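The leading-monomial argument of B.1, checked mechanically, as an added example that is not code from the paper. Polynomials in \(y_0,y_1,y_2\) are dicts from exponent tuples \((e_1,e_0,e_2)\) to integer coefficients, so the order \(y_1>y_0>y_2\) is plain tuple comparison. The family it enumerates, all \(y_0^{k_0}y_1^{\epsilon}y_2^{k_2}P^{k_p}\) with \(\epsilon\in\{0,1\}\) and \(k_0+k_2+2k_p+\epsilon\le T\), is an assumed stand-in for \(\mathcal {P}_T\) (whose exact definition is not on this page), the constants \(H_0,H_1,H_2\) are constructed sample values, and the function names are this example's own.

```python
"""Leading-monomial independence check for the shifts of Appendix B.1.

Added example, not code from the paper. A polynomial is a dict mapping an
exponent tuple (e1, e0, e2) of (y_1, y_0, y_2) to its integer coefficient,
so the lex order y_1 > y_0 > y_2 is tuple comparison. The family generated
by shifted_family is an ASSUMED stand-in for the paper's P_T.
"""


def poly_mul(a, b):
    """Product of two polynomials in dict form, dropping zero coefficients."""
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            out[e] = out.get(e, 0) + ca * cb
    return {e: c for e, c in out.items() if c != 0}


def poly_pow(a, k):
    """a^k by repeated multiplication (k is small here)."""
    result = {(0, 0, 0): 1}
    for _ in range(k):
        result = poly_mul(result, a)
    return result


def appendix_polynomial(h0, h1, h2):
    """P = y_1^2 + 2H_1 y_1 + H_1^2 - y_0 y_2 - H_0 y_2 - H_2 y_0 - H_0 H_2,
    the polynomial of Appendix B.1, exponents ordered as (y_1, y_0, y_2)."""
    terms = [
        ((2, 0, 0), 1), ((1, 0, 0), 2 * h1), ((0, 0, 0), h1 * h1),
        ((0, 1, 1), -1), ((0, 0, 1), -h0), ((0, 1, 0), -h2), ((0, 0, 0), -h0 * h2),
    ]
    p = {}
    for e, c in terms:
        p[e] = p.get(e, 0) + c
    return {e: c for e, c in p.items() if c != 0}


def leading_monomial(poly):
    """Largest exponent tuple under lex order y_1 > y_0 > y_2."""
    return max(poly)


def shifted_family(P, T):
    """Return [((k_p, eps, k_0, k_2), y_0^k_0 y_1^eps y_2^k_2 P^k_p)] for all
    shifts with eps in {0,1} and k_0 + k_2 + 2k_p + eps <= T.
    The degree bound T is an assumption of this example."""
    family = []
    for kp in range(T // 2 + 1):
        pk = poly_pow(P, kp)
        for eps in (0, 1):
            for k0 in range(T + 1):
                for k2 in range(T + 1 - k0):
                    if k0 + k2 + 2 * kp + eps <= T:
                        shift = {(eps, k0, k2): 1}
                        family.append(((kp, eps, k0, k2), poly_mul(shift, pk)))
    return family


def leading_monomials_distinct(family):
    """True iff all leading monomials differ, which implies the polynomials
    are linearly independent (the argument of Appendix B.1)."""
    lms = [leading_monomial(f) for _, f in family]
    return len(lms) == len(set(lms))


def monomials(family):
    """The set of monomials occurring in the family; its size is the
    dimension of the Coppersmith lattice built from these polynomials."""
    s = set()
    for _, f in family:
        s.update(f)
    return s


if __name__ == "__main__":
    P = appendix_polynomial(h0=5, h1=3, h2=7)  # constructed sample constants
    for T in range(1, 7):
        fam = shifted_family(P, T)
        print(f"T={T}: {len(fam)} polynomials, {len(monomials(fam))} monomials,"
              f" independent={leading_monomials_distinct(fam)}")
```

Since the leading coefficient of \(P\) is 1, the leading monomial of each shift is \(y_1^{2k_p+\epsilon}y_0^{k_0}y_2^{k_2}\) whatever the values of \(H_0,H_1,H_2\), which is why sample constants suffice for the check; the monomial count printed for each \(T\) is the lattice dimension that the family would impose on LLL.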
B.2 Non-consecutive Outputs
Here our Polynomial is \(P = y_0y_{i+1} - y_1y_{i} + H_{i+1}y_0 + H_0y_{i+1} - H_iy_1 - H_1y_i + H_0H_{i+1} - H_1H_i\). We fix a parameter \(T\) and choose \(\mathcal {P}_T\) as following:
All the polynomials in \(\mathcal {P}_T\) are linearly independent.
Rather than computing the monomial set of \(\mathcal {P}_T\) exactly, we approximate it by
Now we must compute \(\sum _{f \in \mathcal {P}_T} \chi _{\mathcal {P}_T}(f)\) and \(\sum _{m \in \mathfrak {M}_T}\chi _{\mathfrak {M}_T}(m)\):
Thus this new construction should allow us to recover the small root as long as
This value tends to 1/8. But our second attack with a single polynomial already recovers the small root when \(\ell /n \le 1/8\). Hence adding more polynomials to our Coppersmith method does not seem worthwhile.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Martinez, F. (2022). Attacks on Pseudo Random Number Generators Hiding a Linear Structure. In: Galbraith, S.D. (eds) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science(), vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_7
DOI: https://doi.org/10.1007/978-3-030-95312-6_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-95311-9
Online ISBN: 978-3-030-95312-6