
Attacks on Pseudo Random Number Generators Hiding a Linear Structure

Conference paper, Topics in Cryptology – CT-RSA 2022 (CT-RSA 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13161)

Abstract

We introduce practical lattice-based seed-recovery attacks against two efficient number-theoretic pseudo-random number generators: the fast knapsack generator and a family of combined multiple recursive generators. The fast knapsack generator was introduced in 2009 by von zur Gathen and Shparlinski. It generates pseudo-random numbers very efficiently, with strong mathematical guarantees on their statistical properties, but its resistance to cryptanalysis has been an open question since 2009. The attacks given here are surprisingly efficient when the truncated bits do not make up too large a proportion of the internal state. Their complexity does not increase strongly with the size of the parameters, only with the proportion of discarded bits.

A multiple recursive generator is a pseudo-random number generator based on a constant-recursive sequence. A combined multiple recursive generator is a pseudo-random number generator based on combining two or more multiple recursive generators. L’Écuyer presented the general construction in 1996 and a popular instantiation, named MRG32k3a, in 1999. We use the algebraic relations of both pseudo-random generators with underlying algebraic generators to show that they are cryptographically insecure. We provide a theoretical analysis as well as efficient implementations.


References

  1. Benhamouda, F., Chevalier, C., Thillard, A., Vergnaud, D.: Easing Coppersmith methods using analytic combinatorics: applications to public-key cryptography with weak pseudorandomness. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016, Part II. LNCS, vol. 9615, pp. 36–66. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_3

  2. Bouillaguet, C., Martinez, F., Sauvage, J.: Practical seed-recovery for the PCG pseudo-random number generator. IACR Trans. Symmetric Cryptology 2020(3), 175–196 (2020)

  3. Ferrenberg, A.M., Landau, D.P., Wong, Y.J.: Monte Carlo simulations: hidden errors from “good” random number generators. Phys. Rev. Lett. 69, 3382–3384 (1992)

  4. Franke, D.: How I hacked Hacker News (with Arc security advisory) (2009). https://news.ycombinator.com/item?id=639976

  5. Frieze, A.M., Hastad, J., Kannan, R., Lagarias, J.C., Shamir, A.: Reconstructing truncated integer variables satisfying linear congruences. SIAM J. Comput. 17(2), 262–280 (1988)

  6. Frieze, A.M., Kannan, R., Lagarias, J.C.: Linear congruential generators do not produce random sequences. In: 25th FOCS, pp. 480–484. IEEE Computer Society Press, October 1984. https://doi.org/10.1109/SFCS.1984.715950

  7. Von zur Gathen, J., Shparlinski, I.E.: Subset sum pseudorandom numbers: fast generation and distribution. J. Math. Cryptol. 3(2), 149–163 (2009)

  8. Jochemsz, E., May, A.: A strategy for finding roots of multivariate polynomials with new applications in attacking RSA variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_18

  9. Joux, A., Stern, J.: Lattice reduction: a toolbox for the cryptanalyst. J. Cryptol. 11(3), 161–185 (1998). https://doi.org/10.1007/s001459900042

  10. Kaas, R., Buhrman, J.: Mean, median and mode in binomial distributions. Stat. Neerl. 34, 13–18 (1980)

  11. Knellwolf, S., Meier, W.: Cryptanalysis of the knapsack generator. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 188–198. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_11

  12. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)

  13. L’Écuyer, P.: Random number generation with multiple streams for sequential and parallel computing. In: 2015 Winter Simulation Conference (WSC), pp. 31–44. IEEE (2015)

  14. Mitra, A.: On the properties of pseudo noise sequences with a simple proposal of randomness test. Int. J. Electr. Comput. Eng. 3(3), 164–169 (2008)

  15. Ritzenhofen, M.: On efficiently calculating small solutions of systems of polynomial equations: lattice-based methods and applications to cryptography. Ph.D. thesis, publisher not identified (2010)

  16. Rueppel, R.A., Massey, J.L.: Knapsack as a nonlinear function. In: IEEE International Symposium on Information Theory. IEEE Press, New York (1985)

  17. Stern, J.: Secret linear congruential generators are not cryptographically secure. In: 28th FOCS, pp. 421–426. IEEE Computer Society Press, October 1987. https://doi.org/10.1109/SFCS.1987.51

  18. Van der Walt, S., Colbert, S.C., Varoquaux, G.: The NumPy array: a structure for efficient numerical computation. Comput. Sci. Eng. 13(2), 22–30 (2011)

  19. Wichmann, B.A., Hill, I.D.: Algorithm AS 183: an efficient and portable pseudo-random number generator. J. Roy. Stat. Soc.: Ser. C (Appl. Stat.) 31(2), 188–190 (1982)

Corresponding author: Florette Martinez.

Appendices

A Bernoulli Trials

We suppose that we have \(n\) Bernoulli trials, each with a probability of success of \(p\). We want to compute the probability of having a run of at least \(k\) consecutive successes. We denote this probability \(Pr(n,p,k)\).

As we cannot have more successes than trials, if \(k>n\) then \(Pr(n,p,k) = 0\). If \(k=n\), it means all the trials must be successes, hence \(Pr(n,p,k)= p^k\).

If \(n>k\), there are two mutually exclusive ways to obtain a run of \(k\) successes. First, a run of \(k\) successes occurs in the last \(n-1\) trials. Second, a run of \(k\) successes occurs in the first \(k\) trials and there is no run of \(k\) successes in the last \(n-1\) trials; this means the first \(k\) trials are successes, the \((k+1)\)-th trial is a failure, and there is no run of \(k\) successes in the \(n-k-1\) remaining trials. Hence, when \(n>k\), the probability of a run of \(k\) successes in \(n\) trials is \(Pr(n,p,k) = Pr(n-1,p,k) + p^k\times (1-p)\times (1-Pr(n-k-1,p,k))\).

We fix \(k\) and \(p\) and consider \(S[n] = 1-Pr(n,p,k)\). Substituting into the recurrence above (with \(n\) shifted by one), we notice that \((S[n])_{n\in \mathbb {N}}\) is a constant-recursive sequence:

$$\begin{aligned} S[n+1] = S[n] - p^k(1-p)S[n-k] \end{aligned}$$

of order \(k+1\), with initial terms \(S[0]=\dots =S[k-1] = 1\) and \(S[k] = 1-p^k\).

The explicit values of the sequence are given by \(S[n] = C_1(r_1)^n + \dots + C_{k+1}(r_{k+1})^n\) where the \(r_i\) are the roots of the characteristic polynomial \(x^{k+1}-x^k + p^k(1-p)\) and the \(C_i\) are constants given by the initial terms.

In our case, we have \(m\) outputs and we want to know the probability of having \(k+1\) consecutive internal states of the form \(v_{i+1}=zv_i \bmod 2^n\). Given a \(v_i\), the probability that \(v_{i+1}=zv_i \bmod 2^n\) is 1/4. So our problem is to compute the probability of having a run of at least \(k\) successes in a sequence of \(m-1\) Bernoulli trials, the probability of success of each trial being 1/4.

In the following table we give the minimal values of \(m\) such that the probability of having a run of \(k\) successes in \(m-1\) trials is greater than 1/2.

k:   2    3    4     5     6      7       8       11
m:  15   58  236   944  3783  15138   60565  3876354

(Warning: these values are obtained by numerical approximation and might not be exact.)
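As an added example that is not part of the paper, the following Python computes \(Pr(n,p,k)\) with the recurrence above (exactly, using rational arithmetic), cross-checks it against brute-force enumeration of all outcomes for small \(n\), and reproduces the table's entry for \(k=2\) by streaming the recurrence until the probability exceeds 1/2. Function and variable names are ours; the table's larger entries are recomputed with floating point, which is why the paper warns they are approximations.

```python
from collections import deque
from fractions import Fraction
from itertools import product


def run_probability(n, p, k):
    """Pr(n, p, k): probability of a run of at least k consecutive successes in
    n Bernoulli trials with success probability p, via the appendix's recurrence
        Pr(n) = Pr(n-1) + p^k (1-p) (1 - Pr(n-k-1))   for n > k,
    with Pr(n) = 0 for n < k and Pr(k) = p^k.  Works with Fraction (exact) or float."""
    if k < 1:
        raise ValueError("k must be at least 1")
    pk = p ** k
    q = pk * (1 - p)          # probability of "k successes, then one failure"
    pr = []                   # pr[i] == Pr(i, p, k)
    for i in range(n + 1):
        if i < k:
            pr.append(0 * p)  # 0 of the same numeric type as p
        elif i == k:
            pr.append(pk)
        else:
            pr.append(pr[i - 1] + q * (1 - pr[i - k - 1]))
    return pr[n]


def run_probability_bruteforce(n, p, k):
    """Same quantity by enumerating all 2^n outcomes; only usable for small n,
    used here to cross-check the recurrence."""
    total = 0 * p
    for outcome in product((0, 1), repeat=n):
        longest = current = 0
        for success in outcome:
            current = current + 1 if success else 0
            longest = max(longest, current)
        if longest >= k:
            successes = sum(outcome)
            total += p ** successes * (1 - p) ** (n - successes)
    return total


def minimal_outputs(k, p=Fraction(1, 4)):
    """Smallest m such that a run of k successes in m-1 trials has probability > 1/2,
    i.e. the appendix's table entry for k.  p = 1/4 is the paper's per-step
    probability that v_{i+1} = z v_i mod 2^n.  Only a window of k+1 values is kept,
    so even the table's largest m (about 3.9 million) fits in memory."""
    pk = p ** k
    q = pk * (1 - p)
    window = deque(maxlen=k + 1)   # holds Pr(i-k-1), ..., Pr(i-1) once i > k
    i = 0
    while True:
        if i < k:
            value = 0 * p
        elif i == k:
            value = pk
        else:
            value = window[-1] + q * (1 - window[0])
        if value > Fraction(1, 2):
            return i + 1            # n = i trials correspond to m = i + 1 outputs
        window.append(value)
        i += 1


if __name__ == "__main__":
    # Exact value for a case small enough to check by hand: 7/64 for n=3, k=2.
    print("Pr(3, 1/4, 2) =", run_probability(3, Fraction(1, 4), 2))
    # The appendix's table lists m = 15, 58, 236, 944 for k = 2, 3, 4, 5.
    for k in (2, 3, 4, 5):
        print("k =", k, " minimal m =", minimal_outputs(k, 0.25))
```

The exact run for \(k=2\) crosses 1/2 at \(n=14\) trials (\(Pr(13,1/4,2)\approx 0.479\), \(Pr(14,1/4,2)\approx 0.506\)), hence \(m=15\) as in the table; the remaining entries grow quickly, which is why the paper only tabulates them numerically.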

B Improvement of Coppersmith?

Let \(P\) be the polynomial constructed from the outputs of our LCG. We are searching for a root of \(P\) modulo \(N\). In Sect. 2, we saw that we had two possibilities: we could directly construct the matrix \(\mathcal {M}\) used in the Coppersmith method from \(P\) alone, or we could build a larger set of polynomials \(P_i\) of the form \(f=y_0^{k_0}\dots y_n^{k_n}P^{k_p}\). In Sect. 3, we presented attacks where the set of polynomials was not extended. The goal of this appendix is to try to find a family of polynomials \(P_i\) such that the root can be retrieved even when more bits are discarded.

For the reader familiar with [1] by Benhamouda et al., we use the same notation. We denote by \(\mathcal {P}\) the larger set constructed from \(P\). The polynomials in \(\mathcal {P}\) are of the form \(f=y_0^{k_0}\dots y_n^{k_n}P^{k_p}\) and are all linearly independent. We denote by \(\chi _\mathcal {P}(f)\) the multiplicity of our small root as a root of \(f \bmod N\): \(\chi _\mathcal {P}(f) = k_p\). We denote by \(\mathfrak {M}\) the set of all monomials appearing in \(\mathcal {P}\). If \(m \in \mathfrak {M}\) is of the form \(y_0^{k_0}\dots y_n^{k_n}\), we set \(\chi _\mathfrak {M}(m) = k_0+\dots +k_n\). By Eq. (1), the attack is expected to work as long as

$$\begin{aligned} \ell /n \le \frac{\sum _{f \in \mathcal {P}} \chi _\mathcal {P}(f)}{\sum _{m \in \mathfrak {M}}\chi _\mathfrak {M}(m)} \end{aligned}$$

where \(\ell \) is the number of discarded bits and \(n\) the size of the internal states of our generator.

B.1 Consecutive Outputs

Here our polynomial is \(P = y_1^2+2H_1y_1+H_1^2 - y_0y_2 - H_0y_2 - H_2y_0 - H_0H_2\). We fix a parameter \(T\) and choose \(\mathcal {P}_T\) as follows:

$$\begin{aligned} \mathcal {P}_T = \{y_0^{k_0}y_1^\epsilon y_2^{k_2}P^{k_p}|\epsilon \in \{0,1\}, k_0 + \epsilon + k_2 +2k_p \le T\} \end{aligned}$$

All the polynomials in \(\mathcal {P}_T\) are linearly independent. Indeed, with the monomial order \(y_1>y_0>y_2\), the leading monomial of \(y_0^{k_0}y_1^\epsilon y_2^{k_2}P^{k_p}\) is \(y_1^{2k_p+\epsilon }y_0^{k_0}y_2^{k_2}\), so all leading monomials are distinct.

Rather than computing the set of monomials of \(\mathcal {P}_T\) exactly, we approximate it by

$$\begin{aligned} \mathfrak {M}_T = \{y_0^{k_0}y_1^{k_1}y_2^{k_2} | k_0+k_1+k_2 \le T\}. \end{aligned}$$

Now we must compute \(\sum _{f \in \mathcal {P}_T} \chi _{\mathcal {P}_T}(f)\) and \(\sum _{m \in \mathfrak {M}_T}\chi _{\mathfrak {M}_T}(m)\):

$$\begin{aligned} \sum _{f \in \mathcal {P}_T} \chi _{\mathcal {P}_T}(f) &= \sum _{k_0=0}^{T-2}\sum _{\epsilon =0}^1\sum _{k_2=0}^{T-2-k_0-\epsilon }\sum _{k_p=1}^{\lfloor \frac{T-k_0-\epsilon -k_2}{2}\rfloor } k_p \\ &= \left\lfloor \frac{((T+1)^2-1)\times ((T+1)^2-3)}{48}\right\rfloor \\ \sum _{m \in \mathfrak {M}_T}\chi _{\mathfrak {M}_T}(m) &= \sum _{k_0=0}^T\sum _{k_1=0}^{T-k_0}\sum _{k_2=0}^{T-k_0-k_1}(k_0+k_1+k_2) \\ &= \frac{T(T+1)(T+2)(T+3)}{8}. \end{aligned}$$

Thus this new construction should allow us to recover the small root as long as

$$\begin{aligned} \ell /n \le \lfloor \frac{((T+1)^2-1)\times ((T+1)^2-3)}{48}\rfloor \times \frac{8}{T(T+1)(T+2)(T+3)}. \end{aligned}$$

This value tends to 1/6.

To obtain a bound larger than 1/7 (the result already achieved), we need \(T\ge 13\). But \(T=13\) means our lattice would have dimension 924, and running the LLL algorithm on a lattice of dimension 900 is hardly feasible.
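As an added example that is not part of the paper, the following Python enumerates \(\mathcal {P}_T\) and \(\mathfrak {M}_T\) directly from their definitions, verifies the two closed forms above against that enumeration, and locates the smallest \(T\) whose bound on \(\ell /n\) exceeds 1/7 (function names are ours; the lattice dimension quoted in the text is not recomputed here).

```python
from fractions import Fraction


def chi_P_sum(T):
    """sum_{f in P_T} chi_P(f) = sum of k_p over
    P_T = { y0^k0 y1^eps y2^k2 P^kp : eps in {0,1}, kp >= 1, k0+eps+k2+2kp <= T }."""
    total = 0
    for kp in range(1, T // 2 + 1):
        for eps in (0, 1):
            budget = T - 2 * kp - eps            # what is left for k0 + k2
            for k0 in range(budget + 1):         # empty when budget < 0
                for k2 in range(budget - k0 + 1):
                    total += kp
    return total


def chi_M_sum(T):
    """sum of chi_M(m) = k0+k1+k2 over M_T = { y0^k0 y1^k1 y2^k2 : k0+k1+k2 <= T }."""
    total = 0
    for k0 in range(T + 1):
        for k1 in range(T - k0 + 1):
            for k2 in range(T - k0 - k1 + 1):
                total += k0 + k1 + k2
    return total


def chi_P_closed(T):
    """Closed form from the appendix: floor(((T+1)^2-1)((T+1)^2-3)/48)."""
    return (((T + 1) ** 2 - 1) * ((T + 1) ** 2 - 3)) // 48


def chi_M_closed(T):
    """Closed form from the appendix: T(T+1)(T+2)(T+3)/8."""
    return T * (T + 1) * (T + 2) * (T + 3) // 8


def bound(T):
    """Largest ell/n for which the extended family P_T is expected to work."""
    return Fraction(chi_P_sum(T), chi_M_sum(T))


def minimal_T_above(target, T_max=40):
    """Smallest T >= 2 whose bound exceeds `target` (the appendix compares with 1/7)."""
    for T in range(2, T_max + 1):
        if bound(T) > target:
            return T
    return None


if __name__ == "__main__":
    for T in (4, 8, 12, 13, 20, 60):
        print(f"T={T:2d}  sum chi_P={chi_P_sum(T):6d}  sum chi_M={chi_M_sum(T):8d}"
              f"  bound={float(bound(T)):.5f}")
    print("first T with bound > 1/7:", minimal_T_above(Fraction(1, 7)))
```

The enumeration agrees with both closed forms for every \(T\) tried, the bound is still below 1/7 at \(T=12\) (\(581/4095\approx 0.1419\)) and first exceeds it at \(T=13\) (\(784/5460\approx 0.1436\)), and the values creep toward the limit 1/6 only slowly, which is the trade-off the text describes.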

B.2 Non-consecutive Outputs

Here our polynomial is \(P = y_0y_{i+1} - y_1y_{i} + H_{i+1}y_0 + H_0y_{i+1} - H_iy_1 - H_1y_i + H_0H_{i+1} - H_1H_i\). We fix a parameter \(T\) and choose \(\mathcal {P}_T\) as follows:

$$\begin{aligned} \mathcal {P}_T = \{y_0^{k_0}y_1^{k_1}y_i^{k_i}P^{k_p} | k_0 + k_1 + k_i +2k_p \le T\} \bigcup \{y_1^{k_1}y_i^{k_i}y_{i+1}^{k_{i+1}}P^{k_p} | k_1 + k_i+k_{i+1} +2k_p \le T\}. \end{aligned}$$

All the polynomials in \(\mathcal {P}_T\) are linearly independent.

Rather than computing the set of monomials of \(\mathcal {P}_T\) exactly, we approximate it by

$$\begin{aligned} \mathfrak {M}_T = \{y_0^{k_0}y_1^{k_1}y_i^{k_i}y_{i+1}^{k_{i+1}} | k_0+k_1+k_i + k_{i+1} \le T\}. \end{aligned}$$

Now we must compute \(\sum _{f \in \mathcal {P}_T} \chi _{\mathcal {P}_T}(f)\) and \(\sum _{m \in \mathfrak {M}_T}\chi _{\mathfrak {M}_T}(m)\):

$$\begin{aligned} \sum _{f \in \mathcal {P}_T} \chi _{\mathcal {P}_T}(f) &= 2\left( \sum _{k_0=0}^{T-2}\sum _{k_1=0}^{T-2-k_0}\sum _{k_i=0}^{T-2-k_0-k_1}\sum _{k_p=1}^{\lfloor \frac{T-k_0-k_1-k_i}{2}\rfloor } k_p \right) \\ &= \frac{(T+2)(2T^4 +16T^3 +28T^2 -16T +15\times (-1)^T - 15)}{480}\\ \sum _{m \in \mathfrak {M}_T}\chi _{\mathfrak {M}_T}(m) &= \sum _{k_0=0}^T\sum _{k_1=0}^{T-k_0}\sum _{k_i=0}^{T-k_0-k_1}\sum _{k_{i+1}=0}^{T-k_0-k_1-k_i}(k_0+k_1+k_i+k_{i+1})\\ &= \frac{T(T+1)(T+2)(T+3)(T+4)}{30}. \end{aligned}$$

Thus this new construction should allow us to recover the small root as long as

$$\begin{aligned} \ell /n \le \frac{(2T^4 +16T^3 +28T^2 -16T +15\times (-1)^T -15)}{T(T+1)(T+3)(T+4)}\times \frac{30}{480} . \end{aligned}$$

This value tends to 1/8. But our second attack with a single polynomial already recovers the small root when \(\ell /n \le 1/8\). Hence adding more polynomials to our Coppersmith method does not seem worthwhile.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Martinez, F. (2022). Attacks on Pseudo Random Number Generators Hiding a Linear Structure. In: Galbraith, S.D. (ed.) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science, vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_7

  • DOI: https://doi.org/10.1007/978-3-030-95312-6_7
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-95311-9
  • Online ISBN: 978-3-030-95312-6