Inferring Sequences Produced by Nonlinear Pseudorandom Number Generators Using Coppersmith’s Methods

  • Aurélie Bauer
  • Damien Vergnaud
  • Jean-Christophe Zapalowicz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7293)


Number-theoretic pseudorandom generators work by iterating an algebraic map F (public or private) over a residue ring \(\mathbb{Z}_N\) on a secret random initial seed value \(v_0 \in \mathbb{Z}_N\) to compute values \(v_{n+1} = F(v_n) \bmod{N}\) for \(n \in \mathbb{N}\). They output some consecutive bits of the state value \(v_n\) at each iteration, and their efficiency and security are thus strongly related to the number of output bits. In 2005, Blackburn, Gomez-Perez, Gutierrez and Shparlinski proposed a deep analysis of the security of such generators. In this paper, we revisit the security of number-theoretic generators by proposing better attacks based on Coppersmith’s techniques for finding small roots of polynomial equations. Using intricate constructions, we are able to significantly improve the security bounds obtained by Blackburn et al.
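The abstract's setting (a nonlinear map iterated modulo N, with only some bits of each state output) can be made concrete with a small illustration. The following is an added example and not code from the paper: it uses a quadratic map v → v² + c mod N and toy parameters chosen here as assumptions, and it shows why the number of output bits matters. The hidden low bits of two consecutive states are a root of a polynomial equation modulo N, and that root is small (bounded by 2^hidden_bits); exhaustive search stands in, at toy size, for the lattice step (LLL / Coppersmith) that finds such small roots when N is large.

```python
"""
Added illustration (not the paper's code): a toy nonlinear generator with
truncated output, and the polynomial relation whose small root is the part of
the state an observer does not see. The map v -> v^2 + c (mod N) and every
parameter below are assumptions chosen for the illustration.
"""


def quadratic_generator(seed, c, N, steps):
    """Return the states v_0, ..., v_steps of v_{n+1} = v_n^2 + c (mod N)."""
    states = [seed % N]
    for _ in range(steps):
        states.append((states[-1] * states[-1] + c) % N)
    return states


def split_state(v, hidden_bits):
    """Split v into the part the generator outputs (high bits, kept as a number
    with the low bits zeroed) and the hidden low part x < 2^hidden_bits."""
    x = v % (1 << hidden_bits)
    return v - x, x


def residual_polynomial(h0, h1, c, N):
    """f(x0, x1) = (h0 + x0)^2 + c - (h1 + x1)  (mod N).
    For the hidden parts x0*, x1* of two consecutive states f(x0*, x1*) = 0,
    so the secret is a root of f that is small (below 2^hidden_bits)."""
    def f(x0, x1):
        return ((h0 + x0) ** 2 + c - (h1 + x1)) % N
    return f


def small_roots_bruteforce(f, bound):
    """All roots with 0 <= x0, x1 < bound, by exhaustive search.
    At cryptographic sizes this step is what Coppersmith's lattice methods
    replace; here N is tiny so enumeration is enough to show the structure."""
    return [(x0, x1) for x0 in range(bound) for x1 in range(bound)
            if f(x0, x1) == 0]


def recover_hidden_parts(seed, c, N, hidden_bits):
    """Simulate an observer: generate two states, keep only their output (high)
    parts, and enumerate the small roots of the residual polynomial.
    Returns (true hidden parts, list of small roots found)."""
    v0, v1 = quadratic_generator(seed, c, N, 1)
    h0, x0 = split_state(v0, hidden_bits)
    h1, x1 = split_state(v1, hidden_bits)
    f = residual_polynomial(h0, h1, c, N)
    return (x0, x1), small_roots_bruteforce(f, 1 << hidden_bits)


if __name__ == "__main__":
    # Constructed toy instance: N = 101, c = 3, seed = 37 (states 37, 59, 50).
    # Hiding only 3 bits per output: the residual polynomial has a single small
    # root, equal to the hidden part of the state, so two outputs fix the state.
    truth, roots = recover_hidden_parts(37, 3, 101, 3)
    print("hidden 3 bits: true", truth, "small roots", roots)
    # Hiding 6 of the 7 state bits: many small roots remain, and two outputs no
    # longer determine the state.
    truth, roots = recover_hidden_parts(37, 3, 101, 6)
    print("hidden 6 bits: true", truth, "number of small roots", len(roots))
```

The two runs in the main block are the whole point: the same generator and seed are either fully determined or left ambiguous by two outputs depending only on how many bits each output reveals, which is the trade-off between efficiency and security the abstract describes. The bounds in the paper quantify, for real moduli, how many output bits can be released before the lattice step succeeds.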


Keywords: Nonlinear pseudorandom number generators, Euclidean lattice, LLL algorithm, Coppersmith’s techniques, unravelled linearization


References

  1. Bauer, A., Joux, A.: Toward a Rigorous Variation of Coppersmith’s Algorithm on Three Variables. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 361–378. Springer, Heidelberg (2007)
  2. Blackburn, S.R., Gomez-Perez, D., Gutierrez, J., Shparlinski, I.E.: Predicting the Inversive Generator. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 264–275. Springer, Heidelberg (2003)
  3. Blackburn, S.R., Gomez-Perez, D., Gutierrez, J., Shparlinski, I.E.: Predicting nonlinear pseudorandom number generators. Math. Comput. 74(251), 1471–1494 (2005)
  4. Blackburn, S.R., Gomez-Perez, D., Gutierrez, J., Shparlinski, I.E.: Reconstructing noisy polynomial evaluation in residue rings. J. Algorithms 61(2), 47–59 (2006)
  5. Blömer, J., May, A.: A Tool Kit for Finding Small Roots of Bivariate Polynomials over the Integers. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 251–267. Springer, Heidelberg (2005)
  6. Boyar, J.: Inferring sequences produced by a linear congruential generator missing low-order bits. Journal of Cryptology 1(3), 177–184 (1989)
  7. Boyar, J.: Inferring sequences produced by pseudo-random number generators. J. ACM 36(1), 129–141 (1989)
  8. Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)
  9. Coppersmith, D.: Finding a Small Root of a Univariate Modular Equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
  10. Gomez, D., Gutierrez, J., Ibeas, Á.A.: Cryptanalysis of the Quadratic Generator. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 118–129. Springer, Heidelberg (2005)
  11. Gomez, D., Gutierrez, J., Ibeas, Á.A.: Attacking the Pollard generator. IEEE Transactions on Information Theory 52(12), 5518–5523 (2006)
  12. Herrmann, M., May, A.: Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 487–504. Springer, Heidelberg (2009)
  13. Howgrave-Graham, N.: Finding Small Roots of Univariate Modular Equations Revisited. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  14. Jochemsz, E., May, A.: A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 267–282. Springer, Heidelberg (2006)
  15. Joux, A., Stern, J.: Lattice reduction: A toolbox for the cryptanalyst. Journal of Cryptology 11(3), 161–185 (1998)
  16. Lenstra, A.K., Lenstra, H.W.J., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
  17. Stern, J.: Secret linear congruential generators are not cryptographically secure. In: FOCS, pp. 421–426. IEEE (1987)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Aurélie Bauer (1)
  • Damien Vergnaud (2)
  • Jean-Christophe Zapalowicz (3)
  1. Agence Nationale de la Sécurité des Systèmes d’Information, Paris 07, France
  2. École Normale Supérieure – C.N.R.S. – I.N.R.I.A., Paris Cedex 05, France
  3. INRIA Rennes – Bretagne Atlantique, Rennes, France
