Secure simultaneous bit extraction from Koblitz curves

Xinxin Fan; Guang Gong; Berry Schoenmakers; Francesco Sica; Andrey Sidorenko

doi:10.1007/s10623-018-0484-3

Designs, Codes and Cryptography

pp 1–13 | Cite as

Secure simultaneous bit extraction from Koblitz curves

Authors
Authors and affiliations

Xinxin Fan
Guang Gong
Berry Schoenmakers
Francesco SicaEmail author
Andrey Sidorenko

Article

First Online: 12 April 2018

Received: 07 August 2017

Revised: 03 April 2018

Accepted: 04 April 2018

16 Downloads

Abstract

Secure pseudo-random number generators (PRNGs) have a lot of important applications in cryptography. In this paper, we analyze a new PRNG related to the elliptic curve power generator. The new PRNG has many desirable randomness properties such as long period, uniform distribution, etc. In particular, the proposed PRNG is provably secure under the l-strong Diffie–Hellman assumptions. An important feature of our PRNG is that many bits can be simultaneously output without significantly affecting its security. For instance, at 150-bit security, more than 100 bits can be output at each iteration, with a statistical distance from a uniform sequence less than $1/2^{150}$. Our experimental results show that the new PRNG provides a secure and flexible solution for high security applications. Hence, our work is another step towards the construction of provably secure PRNGs in practice.

Keywords

Cryptography Elliptic curves Pseudo-random Number generator

Mathematics Subject Classification

11T23 11K45 94A60

This is a preview of subscription content, to check access

Notes

Acknowledgements

We thank the referees, whose constructive comments greatly improved the presentation of our work.

Appendix A: Proof of Theorem 1 for the NIST polynomial bases

Theorem 5

For K163 and K233, if in (1) the $\alpha _i$ are the polynomial basis suggested by NIST (from the irreducible polynomial p(t)), then the period of $(s_k^{(i)})$ equals the period of $(x_k)$, namely $(n-1)/2$.

Proof

First of all, let $\{\sigma _k^{(i)}\}$ be the sequence constructed with some $P_0'$ of order n and $r=3$, which is a primitive root mod n. Call $P_k'= 3^k P_0'$. We claim that it is sufficient to show the theorem on $\{\sigma _k^{(i)}\}$. In fact, if $P_0=3^{k_0} P_0'$ and $r\equiv 3^{k_r} \pmod n$ with $\gcd (k_r,n-1)=1$, then

$$\begin{aligned} P_k=r^kP_0= 3^{k_rk+k_0}P_0', \end{aligned}$$

hence $s_k^{(i)}=\sigma _{k_rk+k_0}^{(i)}$ and the period of $(s_k^{(i)})$ is the same as the period $\pi _i$ of $\{\sigma _k^{(i)}\}$, since they divide $n-1$. We will then use the sequence $\{\sigma _k^{(i)}\}$ with $P_0'$ the point suggested in the NIST standards.

Note that for all i, we have $\pi _i\mid (n-1)/2=u$, since

$$\begin{aligned} P_{k+u}' = 3^u P_{k}' = - P_k', \end{aligned}$$

hence their x-coordinates are equal. We next explain our method for K163. Consider

$$\begin{aligned} Q_0= & {} P_0', \quad Q_1 = 3^{u/3} P_0', \quad Q_2 = 3^{u/7} P_0',\\ Q_3= & {} 3^{u/89} P_0', \quad Q_4 = 3^{u/163} P_0',\\ Q_5= & {} 3^{u/1141450141721} P_0',\\ Q_6= & {} 3^{u/8405730267419952240402658413113} P_0'. \end{aligned}$$

Denote by $x(P)_i$ for the ith bit (i.e. the coefficient of $\alpha ^{i-1}$, where $p(\alpha )=0$) of the x-coordinate of P. If for some i, $\pi _i<u$, then it must be a divisor of one of $u/3, u/7, u/89 \dots $ Say it is a divisor of u / 163, corresponding to $Q_4$. Then (we say the ith sequence passes the fourth test at k)

$$\begin{aligned} x\left( 3^kQ_0\right) _i = x\left( 3^kQ_4\right) _i, \quad k=0,1,2,\dots \end{aligned}$$

By looking at sufficiently many values of k, we are thus able to exclude all such equalities, for each point $Q_1,\dots Q_6$. Specifically, only ten sequences pass the jth test (for some j) at all $k=0, \dots , 6$. The sequence of the coefficient of $\alpha ^{62}$, the last to be “killed”, passes the first test at $k=0,\dots 13$ and fails at $k=14$. Therefore, all sequences have $\pi _i=u$. The same approach can be followed for K233, where the coefficient of $\alpha ^{115}$ passes the fifth test at $k=0,\dots ,9$ and fails at $k=10$. $\square $

References

1.
Alex W., Chor B., Goldreich O., Shub M.: RSA and Rabin functions: certain parts are as hard as the whole. SIAM J. Comput. 17, 194–209 (1988).MathSciNetCrossRefMATHGoogle Scholar
2.
Avanzi R., Dimitrov V.S., Doche C., Sica F.: Extending scalar multiplication using double bases. In: Lai Xuejia, Chen Kefei (eds.) Proceedings of Asiacrypt 2006, vol. 4284, pp. 130–144. Lecture Notes in Computer ScienceSpringer, Berlin (2006).CrossRefGoogle Scholar
3.
Blum L., Blum M., Shub M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15, 364–383 (1986).MathSciNetCrossRefMATHGoogle Scholar
4.
Boneh D., Boyen X.: Short signatures without random oracles. In: Advances in Cryptology—EUROCRYPT 2004. International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004, Proceedings, pp. 56–73 (2004).Google Scholar
5.
Boneh D., Franklin M.: Identity based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003). Extended abstract in Proceedings of Crypto ’2001. Lecture Notes in Computer Science, vol. 2139. Springer, Berlin, pp. 213–229 (2001).Google Scholar
6.
Boneh D., Shacham H., Lynn B.: Short signatures from the Weil pairing. In: Boyd C. (ed.) Advances in Cryptology—ASIACRYPT 2001, vol. 2248, pp. 514–532. Lecture Notes in Computer ScienceSpringer, Berlin (2001).CrossRefGoogle Scholar
7.
Boneh D., Boyen X., Hovav S.: Short group signatures. In: Advances in Cryptology—CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 2004, Proceedings, pp. 41–55 (2004).Google Scholar
8.
Checkoway S., Fredrikson M., Niederhagen R., Everspaugh A., Green M., Lange T., Ristenpart T., Bernstein D.J., Maskiewicz J., Shacham H.: On the practical exploitability of dual EC in TLS implementations. In: Proceedings of the 23rd USENIX Conference on Security Symposium, SEC’14, pp. 319–335. USENIX Association, Berkeley, CA, USA (2014).Google Scholar
9.
Checkoway S., Maskiewicz J., Garman C., Fried J., Cohney S., Green M., Heninger N., Weinmann R.-P., Rescorla E., Shacham H.: A systematic analysis of the juniper dual EC incident. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, pp. 468–479. ACM, New York, NY, USA (2016).Google Scholar
10.
Cheon J.H.: Security analysis of the strong Diffie–Hellman problem. In: Proceedings of EUROCRYPT 2006. Lecture Notes in Computer Science, vol. 4004, pp. 1–11. Springer, Heidelberg (2006).Google Scholar
11.
Ciss A.A., Sow D.: On randomness extraction in elliptic curves. In: Proceedings of AFRICACRYPT 2011. Lecture Notes in Computer Science, vol. 6737, pp. 290–297. Springer, Heidelberg (2011).Google Scholar
12.
Dimitrov V., Howe E.: Lower bounds on the lengths of double-base representations. Proc. Am. Math. Soc. 139(10), 3423–3430 (2011).MathSciNetCrossRefMATHGoogle Scholar
13.
Dimitrov V., Imbert L., Mishra P.K.: The double-base number system and its application to elliptic curve cryptography. Math. Comput. 110(22), 1003–1006 (2010).MATHGoogle Scholar
14.
Doche C., Kohel D.R., Sica F.: Double-base number system for multi-scalar Multiplications. In: Joux A. (ed.) Proceedings of EUROCRYPT. Lecture Notes in Computer Science, vol. 5479, pp. 502–517. Springer, Heidelberg (2009).Google Scholar
15.
Farashahi R.R., Schoenmakers B., Sidorenko A.: Efficient pseudorandom generators based on the DDH assumption. In: Proceedings of PKC 2007. Lecture Notes in Computer Science, vol. 4450, pp. 426–441. Springer, Heidelberg (2007).Google Scholar
16.
Farashahi R.R., Pellikaan R., Sidorenko A.: Extractors for binary elliptic curves. Des. Codes Cryptogr. 49(1–3), 171–186 (2008).MathSciNetCrossRefMATHGoogle Scholar
17.
Golomb S.W., Gong G.: Signal design for good correlation: for wireless communication, cryptography, and radar applications. Cambridge University Press, Cambridge (2005).CrossRefMATHGoogle Scholar
18.
Gong G., Berson T.A., Stinson D.R.: Elliptic curve pseudorandom sequence generators. In: Selected Areas in Cryptography, 6th Annual International Workshop, SAC’99, Kingston, ON, Canada, 9–10 August 1999, Proceedings, pp. 34–48 (1999).Google Scholar
19.
Hankerson D., Menezes A., Vanstone S.: Guide to Elliptic Curve Cryptography. Springer Professional Computing. Springer, New York (2004).Google Scholar
20.
Joux A.: A one round protocol for tripartite Diffie–Hellman. In: Bosma W. (ed.) Algorithmic Number Theory, 4th International Symposium, ANTS-IV. Lecture Notes in Computer Science, vol. 1838, pp. 385–394. Springer, Berlin (2000).Google Scholar
21.
Koblitz N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987).MathSciNetCrossRefMATHGoogle Scholar
22.
Lidl R., Niederreiter H.: Finite fields. With a foreword. In: Cohn P.M. (ed.) Encyclopedia of Mathematics and Its Applications, vol. 20. Cambridge University Press, Cambridge (1997).Google Scholar
23.
Liu H.: A family of elliptic curve pseudorandom binary sequences. Des. Codes Cryptogr. 73(1), 251–265 (2014).MathSciNetCrossRefMATHGoogle Scholar
24.
Liu H., Zhan T., Wang X.: Large families of elliptic curve pseudorandom binary sequences. Acta Arith. 140, 135–144 (2009). Instytut Matematyczny PAN.MathSciNetCrossRefMATHGoogle Scholar
25.
Mérai L.: Remarks on pseudorandom binary sequences over elliptic curves. Fundam. Inf. 114(3–4), 301–308 (2012).MathSciNetMATHGoogle Scholar
26.
Mérai L.: On the elliptic curve power generator. Unif. Distrib. Theory 9(2), 59–65 (2014).MathSciNetMATHGoogle Scholar
27.
Mérai L.: On pseudorandom properties of certain sequences of points on elliptic curve. In: Arithmetic of Finite Fields—6th International Workshop, WAIFI 2016, Ghent, Belgium, 13–15 July 2016, Revised Selected Papers, pp. 54–63 (2016).Google Scholar
28.
Mérai L.: On the elliptic curve endomorphism generator. Des. Codes Cryptogr. Bd. 85, S. 121–128 (2017).Google Scholar
29.
Mérai L., Winterhof A.: On the linear complexity profile of some sequences derived from elliptic curves. Des. Codes Cryptogr. 81(2), 259–267 (2016).MathSciNetCrossRefMATHGoogle Scholar
30.
Miller V.S.: Use of elliptic curves in cryptography. In: Williams H.C. (ed.) Advances in Cryptology—Proceedings of CRYPTO 1985, vol. 218, pp. 417–426. Lecture Notes in Computer ScienceSpringer, New York (1986).Google Scholar
31.
Schoenmakers B., Sidorenko A.: Cryptanalysis of the dual elliptic curve pseudorandom generator. IACR Cryptology. ePrint Archive 2006, p. 190 (2006).Google Scholar
32.
Shparlinski I.E.: Pseudorandom number generators from elliptic curves. Contemp. Math. 9, 121–141 (2009).MathSciNetCrossRefMATHGoogle Scholar
33.
Sidorenko A., Schoenmakers B.: Concrete security of the Blum–Blum–Shub pseudorandom generator. In: Cryptography and Coding, 10th IMA International Conference, Cirencester, UK, 19–21 December 2005, Proceedings. Lecture Notes in Computer Science, vol. 3796, pp. 355–375. Springer, Berlin (2005).Google Scholar
34.
Vazirani U.V., Vazirani V.V.: Efficient and secure pseudo-random number generation (extended abstract). In: 25th Annual Symposium on Foundations of Computer Science (FOCS), West Palm Beach, Florida, USA, 24–26 October 1984, pp. 458–463. IEEE Computer Society, Philadelphia (1984).Google Scholar

Copyright information

Authors and Affiliations

Xinxin Fan
- 1
Guang Gong
- 2
Berry Schoenmakers
- 3
Francesco Sica
- 4
Email authorView author's OrcID profile
Andrey Sidorenko
- 5

1.IoTeXMenlo ParkUSA
2.Department of Electrical and Computer EngineeringUniversity of WaterlooWaterlooCanada
3.Department of Mathematics and Computer ScienceTechnical University EindhovenEindhovenThe Netherlands
4.School of Science and TechnologyNazarbayev UniversityAstanaKazakhstan
5.BrightsightDelftThe Netherlands

Secure simultaneous bit extraction from Koblitz curves

Abstract

Keywords

Mathematics Subject Classification

Notes

Acknowledgements

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite article

Cookies