“Pseudo-random” number generation within cryptographic algorithms: The DSS case

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1294)


The DSS signature algorithm requires the signer to generate a new random number with every signature. We show that if the random numbers for DSS are generated using a linear congruential pseudorandom number generator (LCG), then the secret key can be quickly recovered after seeing a few signatures. This illustrates the high vulnerability of the DSS to weaknesses in the underlying random number generation process. It also confirms that a sequence produced by an LCG is not only predictable, as has been known before, but should be used with extreme caution even within cryptographic applications that would appear to protect this sequence. The attack we present applies to truncated linear congruential generators as well, and can be extended to any pseudo-random generator that can be described via modular linear equations.
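As an added illustration, not code from the paper (whose attack also handles an LCG modulus different from q, where a lattice step is needed), the toy Python script below assumes the simplest setting: the LCG runs modulo the group order q with a public multiplier A and increment B, so two consecutive signatures give two modular linear equations in the unknowns k1 and x that a signature verifier can solve for the private key. All parameters (P, Q, A, B, the key, the seed and the hash values) are constructed and far too small for real use.

```python
# Constructed toy DSA parameters (far too small for real use); q divides p-1.
P, Q = 283, 47
G = pow(2, (P - 1) // Q, P)            # element of order q in Z_p^*
assert G != 1 and pow(G, Q, P) == 1
# Constructed LCG parameters, assumed public: the signer draws
# k_{i+1} = A*k_i + B (mod Q) instead of a fresh unpredictable nonce.
A, B = 31, 17

def lcg_nonces(seed, n):
    """Return n successive LCG outputs starting from seed (mod Q)."""
    ks, k = [], seed % Q
    for _ in range(n):
        ks.append(k)
        k = (A * k + B) % Q
    return ks

def dsa_sign(x, h, k):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (h + x*r) mod q."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; sign again with a fresh k")
    return r, s

def dsa_verify(y, h, sig):
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    w = pow(s, -1, Q)
    return pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def recover_key(sig1, h1, sig2, h2):
    """Solve for x given two signatures whose nonces satisfy k2 = A*k1 + B.

    s1*k1 = h1 + r1*x and s2*(A*k1 + B) = h2 + r2*x (mod q) are linear in
    k1 and x: substitute k1 = s1^-1 (h1 + r1*x) and solve for x.
    """
    (r1, s1), (r2, s2) = sig1, sig2
    t = s2 * A * pow(s1, -1, Q) % Q       # multiplies (h1 + r1*x) after substitution
    coeff = (t * r1 - r2) % Q             # coefficient of x
    const = (h2 - s2 * B - t * h1) % Q    # remaining constant term
    return const * pow(coeff, -1, Q) % Q

def demo(x=23, seed=5, hashes=(12, 40)):
    """Sign two messages with consecutive LCG nonces, then recover x."""
    y = pow(G, x, P)
    k1, k2 = lcg_nonces(seed, 2)
    sig1, sig2 = dsa_sign(x, hashes[0], k1), dsa_sign(x, hashes[1], k2)
    assert dsa_verify(y, hashes[0], sig1) and dsa_verify(y, hashes[1], sig2)
    return recover_key(sig1, hashes[0], sig2, hashes[1])   # -> 23 == x
```

The same algebra is what the paper's lattice step generalises: every linear relation among nonces turns the signing equations into a solvable system, which is why DSS nonces must come from a cryptographically strong generator rather than any generator describable by modular linear equations.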



Copyright information

© Springer-Verlag 1997

Authors and Affiliations

  1. Dept. of Computer Science & Engineering, University of California at San Diego, La Jolla, USA
  2. Laboratory for Computer Science, MIT, Cambridge, USA
