An Improved Pseudo-random Generator Based on Discrete Log

  • Rosario Gennaro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1880)


Under the assumption that solving the discrete logarithm problem modulo an n-bit prime p is hard even when the exponent is a small c-bit number, we construct a new and improved pseudo-random bit generator. This new generator outputs n - c - 1 bits per exponentiation with a c-bit exponent.

Using typical parameters, n = 1024 and c = 160, this yields roughly 860 pseudo-random bits per small exponentiation. Using an implementation with quite small precomputation tables, this yields a rate of more than 20 bits per modular multiplication, which is much faster than the squaring (BBS) generator with similar parameters.
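A toy-size instantiation of the generator just described, added here as an illustration (it is not code from the paper): each step performs one exponentiation with a c-bit exponent and emits n - c - 1 bits. Two assumptions are this example's own: the bit layout (which bits of each intermediate value become the next exponent, which are output, and which single bit is excluded) is a choice made here, since the abstract fixes only the counts; and a 64-bit safe prime found at run time replaces n = 1024 so that the code runs instantly offline.

```python
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(m):
    """Miller-Rabin; these 12 bases are deterministic for m < 3.3e24 (toy sizes here)."""
    if m < 2:
        return False
    for sp in SMALL_PRIMES:
        if m % sp == 0:
            return m == sp
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def safe_prime(n):
    """Smallest n-bit safe prime p = 2q + 1 with q prime, found by search (no fixed constants)."""
    q = (1 << (n - 2)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

class ShortExponentDLGenerator:
    """Assumed layout of each n-bit value y = g^e mod p (this example's choice, not given
    in the abstract): [c top bits -> next exponent | n-c-1 middle bits -> output | LSB dropped].
    At least one bit can never be output by a DL-based generator: when g generates Z_p^*,
    the Legendre symbol of g^x reveals the parity of x, so an exponent's LSB is not a hard bit."""
    def __init__(self, n, c, seed):
        self.n, self.c, self.p = n, c, safe_prime(n)
        q = (self.p - 1) // 2
        self.g = 2
        while pow(self.g, q, self.p) != self.p - 1:  # a non-residue other than -1 generates Z_p^*
            self.g += 1
        self.e = seed % (1 << c)  # the short, c-bit exponent is the whole secret state
        if self.e == 0:
            raise ValueError("exponent 0 is a fixed point (g^0 = 1); choose another seed")

    def bits_per_step(self):
        return self.n - self.c - 1

    def step(self):
        """One exponentiation with a c-bit exponent; returns the n-c-1 output bits as an int."""
        y = pow(self.g, self.e, self.p)
        self.e = y >> (self.n - self.c)
        return (y >> 1) & ((1 << self.bits_per_step()) - 1)
```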



Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Rosario Gennaro, IBM T.J. Watson Research Center, Yorktown Heights
