A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator

  • Daniel R. L. Brown
  • Kristian Gjøsteen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)


An elliptic curve random number generator (ECRNG) has been approved in a NIST standard and proposed for ANSI and SECG draft standards. This paper proves that, if three conjectures are true, then the ECRNG is secure. The three conjectures are hardness of the elliptic curve decisional Diffie-Hellman problem and the hardness of two newer problems, the x-logarithm problem and the truncated point problem. The x-logarithm problem is shown to be hard if the decisional Diffie-Hellman problem is hard, although the reduction is not tight. The truncated point problem is shown to be solvable when the minimum amount of bits allowed in NIST standards are truncated, thereby making it insecure for applications such as stream ciphers. Nevertheless, it is argued that for nonce and key generation this distinguishability is harmless.


Random Number Generation Elliptic Curve Cryptography 


  1. 1.
    Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo-random bits. SIAM Journal on Computing 13, 850–864 (1984)zbMATHCrossRefGoogle Scholar
  2. 2.
    Kaliski, B.S.: A pseudo-random bit generator based on elliptic logarithms. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 84–103. Springer, Heidelberg (1987)Google Scholar
  3. 3.
    Barker, E., Kelsey, J.: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. National Institute of Standards and Technology (2006),
  4. 4.
    Johnson, D.B.: X9.82 part 3 number theoretic DRBGs. Presentation at NIST RNG Workshop (2004),
  5. 5.
    Barker, E.: ANSI X9.82: Part 3 —2006, Random Number Generation, Part 3: Deterministic Random Bit Generators. American National Standards Institute (2006), Draft.
  6. 6.
    Standards for Efficient Cryptography Group: SEC 1: Elliptic Curve for Cryptography. Draft 1.7 edn. (2006),
  7. 7.
    Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) Algorithmic Number Theory. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998), CrossRefGoogle Scholar
  8. 8.
    Mahassni, E.E., Shparlinksi, I.: On the uniformity of distribution of congruential generators over elliptic curves. In: SETA 2001. International Conference on Sequences and Their Applications, pp. 257–264. Springer, Heidelberg (2002)Google Scholar
  9. 9.
    Gürel, N.: Extracting bits from coordinates of a point of an elliptic curve. ePrint 2005/324, IACR (2005),
  10. 10.
    Schoenmakers, B., Sidorenko, A.: Cryptanalysis of the dual elliptic curve pseudorandom generator. ePrint 2006/190, IACR (2006),
  11. 11.
    Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: FOCS 1997, pp. 458–467. IEEE Computer Society Press, Los Alamitos (1997), Google Scholar
  12. 12.
    Farashahi, R.R., Schoenmakers, B., Sidorenko, A.: Efficient pseudorandom generators based on the DDH assumption. ePrint 2006/321, IACR (2006),
  13. 13.
    Luby, M.: Pseudorandomness and Cryptographic Applications. Princeton University Press, Princeton, NJ (1996)zbMATHGoogle Scholar
  14. 14.
    Goldreich, O.: Foundations of Cryptography. Cambridge University Press, Cambridge (2001)zbMATHGoogle Scholar
  15. 15.
    Smart, N.P.: A note on the x-coordinate of points on an elliptic curve in characteristic two. Information Processing Letters 80(5), 261–263 (2001)zbMATHCrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Daniel R. L. Brown
    • 1
  • Kristian Gjøsteen
    • 2
  1. 1.Certicom Research 
  2. 2.Department of Mathematical Sciences, Norwegian, University of Science and Technology, NO-7491 TrondheimNorway

Personalised recommendations