Attacking the linear congruential generator on elliptic curves via lattice techniques

In this paper we study the linear congruential generator on elliptic curves from the cryptographic point of view. We show that if sufficiently many of the most significant bits of the composer and of three consecutive values of the sequence are given, then one can recover the seed and the composer (even in the case where the elliptic curve is private). The results are based on lattice reduction techniques and improve some recent approaches to the same security problem. We also estimate the limits of some heuristic approaches, which still remain much weaker than those known for nonlinear congruential generators. Several examples are tested using implementations of our algorithms.


Introduction
A Pseudorandom Bit Generator (PRBG) is a deterministic algorithm that, once initialized with some random value (called the seed), outputs a sequence that appears random, in the sense that an observer who does not know the value of the seed cannot distinguish the output from that of a (true) random bit generator. PRBGs have important applications in simulations (e.g. for the Monte Carlo method), electronic games (e.g. for procedural generation), and cryptography. Good statistical properties are a vital requirement for the output of a PRBG. Cryptographic applications additionally require the output not to be predictable from earlier outputs, so more elaborate algorithms, which do not inherit the linearity of simpler PRBGs, are needed.
There is a vast literature devoted to generating pseudorandom numbers using the arithmetic of finite fields and residue rings, see [33,37,38,45]. In 1994, Hallgren [21] proposed a pseudorandom number generator based on the group of points of an elliptic curve defined over a prime finite field.
For a prime p, denote by F_p the field of p elements and always assume that it is represented by the set {0, 1, ..., p − 1}. Accordingly, where obvious, we sometimes treat elements of F_p as integers in the above range.
Let E be an elliptic curve defined over F_p given by an affine Weierstrass equation, which for gcd(p, 6) = 1 takes the form (1) for some a, b ∈ F_p with 4a^3 + 27b^2 ≠ 0. We recall that the set E(F_p) of F_p-rational points forms an abelian group, with the point at infinity O (which has no affine coordinates) as the neutral element of this group.
For a given point G ∈ E(F_p) the Linear Congruential Generator on Elliptic Curves (EC-LCG) is the sequence U_n of pseudorandom numbers defined by the relation U_n = U_{n−1} ⊕ G = nG ⊕ U_0, n = 1, 2, ..., (2) where ⊕ denotes the group operation in E(F_p) and U_0 ∈ E(F_p) is the initial value or seed. We refer to G as the composer of the EC-LCG. Clearly the period of the sequence (2) equals the order of G. The EC-LCG is a very attractive alternative to linear and nonlinear congruential generators, with many applications to cryptography, and it has been extensively studied in the literature, see [3,12,17,18,21,22,34,35,39,40].
In the cryptographic setting, the initial value U_0 = (x_0, y_0) and the constants G, a and b are assumed to be the secret key, and the output of the generator is to be used as the ephemeral key of a stream cipher. Of course, if two consecutive values U_n are revealed, it is almost always easy to find U_0 and G. So we output only the most significant bits of each U_n, in the hope that this makes the resulting output sequence difficult to predict.
It is known that not too many bits can be output at each stage: the EC-LCG is predictable if sufficiently many bits of its consecutive elements are revealed, see [20,31,32]. We now formalise the results. Assume that the sequence (U_n) is not known, but for some n approximations W_j to two consecutive values U_{n+j}, j = 0, 1, are given. The results involve another parameter, which measures how well the values W_j approximate the terms U_{n+j}. This parameter is assumed to vary independently of p, subject to satisfying the inequality < p, and it is not involved in the complexity estimates of our algorithms. More precisely, we say that W = (x_W, y_W) ∈ F_p^2 is a -approximation to U = (x_U, y_U) ∈ F_p^2 if there exist integers e, f satisfying |e|, |f| ≤ , x_W + e = x_U and y_W + f = y_U.
In general, we say that W = (α_1, α_2, ..., α_n) ∈ F_p^n is a -approximation to U = (x_1, x_2, ..., x_n) ∈ F_p^n if there exist integers _i (i = 1, ..., n) satisfying: The case where grows like a fixed power p^δ with 0 < δ < 1 corresponds to the situation where a positive proportion δ of the least significant bits of the terms of the output sequence remain hidden. The goal is to make δ as large as possible while still recovering the rest of the bits in polynomial time.
The problem is a particular case of the following computational problem: given irreducible multivariate polynomials f_1(X_1, ..., X_n), ..., f_s(X_1, ..., X_n) defined over the integer ring Z and having a common root (x_1, ..., x_n) modulo a known integer N, namely, The root should be a small root, in the sense that each x_i is bounded by a known value . The question is how large that bound may be while still allowing the desired root to be recovered in polynomial time. For polynomials in one variable an algorithm was given by Coppersmith in [9]. For bivariate polynomials there exist different methods in [6,10,11,16] and, for general multivariate polynomials, in [16,24]. All of them are based on the so-called lattice reduction techniques, also called LLL techniques after the celebrated LLL algorithm of Lenstra, Lenstra and Lovász [30]. However, in the general case only heuristic results are known, which are just generalizations of the original result by Coppersmith.
An algorithm to recover the seed U_0 in deterministic polynomial time if < p^{1/6}, requiring the computation of a closest vector in a lattice of dimension 8 with coefficients of size log p, is presented in [20]. The recent results [31,32] recover 'heuristically' the seed U_0 if < p^{1/5}. The heuristic method, having no guarantee of success, may fail for several reasons, among them the difficulty of finding a short vector in a high-dimensional lattice. Since the number of monomials is quite large, those results do not imply practical attacks: the naive application of Coppersmith's method is impractical for high-dimensional lattices.
The computation, which is theoretically polynomial-time, becomes prohibitive in practice: for instance, according to [32], reaching the quality 0.187 < 0.2 = 1/5 requires 188 polynomials and 314 monomials, so the lattice dimension is 502.
In this paper, we give a deterministic algorithm to recover the seed U_0 in polynomial time if < p^{1/6}, requiring the computation of a closest vector in a lattice of dimension 5. The previous result in [20] required a lattice of dimension 8.
We also provide a heuristic method to recover U_0 if < p^{(k−1)/(4k−2)}, requiring the computation of a closest vector in a lattice of dimension 3k − 1, when k > 2 consecutive -approximations to points U_i (i = 0, ..., k − 1) of the curve E are given. A similar result is presented in [31,32] with a theoretically better bound < p^{3k/(11k+4)}, but again requiring the LLL algorithm on a lattice of huge dimension. In fact, there is no practical way of testing their methods, not only because of the large lattice dimension but also because the size of the prime p should be several hundreds of bits. On the other hand, for instance, we can recover the sequence produced by the EC-LCG when only three consecutive -approximations are given as soon as < p^{1/5}; the most time-consuming step is finding a closest vector in a lattice of dimension 7, and this is matched by primes p of only 1000 bits.
In principle, we cannot obtain any approximation to the composer G from approximations to two consecutive values U_n, U_{n+1} of the EC-LCG, because of the elliptic curve group operation. We also rigorously demonstrate our approach in the special case where we have an approximation to the composer G: we show that if sufficiently many of the most significant bits of G and of three consecutive values U_n, U_{n+1}, U_{n+2} of the EC-LCG are given, one can recover the seed U_0 and the composer G as soon as O( ) < p^{1/6}, requiring the computation of two closest vectors for two lattices of dimension 7, and heuristically as soon as O( ) < p^{5/12}, by computing a short vector in a lattice of dimension 9. Finally, we obtain a heuristic method to recover the whole sequence if < p^{(k−1)/(5k−4)}, by computing a closest vector of a certain lattice of dimension 4k − 3, when k > 2 consecutive -approximations to points U_i (i = 0, ..., k − 1) of the curve E and a -approximation to the composer G are given.
This suggests that for cryptographic applications the EC-LCG should be used with great care. For the linear congruential generator similar problems were introduced by Knuth [26] and then considered in [7,13,23,27]; see also the surveys [8,28]. The quadratic congruential generator and the inversive congruential generator have been studied in [4] and [15]; see also the recent paper [44] for a more general problem. On the other hand, our results are substantially weaker than those known for the linear and nonlinear congruential generators.
The remainder of the paper is structured as follows. We start with a very short outline of some basic facts about the Closest Vector Problem (CVP) and the polynomial equations associated with the elliptic curve abelian group in Section 2. In Section 3 we attack the EC-LCG when the composer G is known. Section 4 is dedicated to the case where the composer G is private. Then in Section 5 we discuss the results of numerical tests of our approaches. We conclude with Section 6, which makes some final comments and poses open questions.
Throughout the paper, we use the convention that the parameters on which the implied constant in a Landau symbol O depends are written in the subscript of O. A symbol O without a subscript indicates an absolute implied constant.

Closest vector problem in lattices
Here we review some results and definitions concerning the Closest Vector Problem, all of which can be found in [19]. For more details and more recent references, we recommend consulting [23].
Let {b_1, ..., b_s} be a set of linearly independent vectors in R^r. The set

One basic lattice problem is the Closest Vector Problem (CVP): given a basis of a lattice L in R^s and a shift vector t in R^s, the goal is to find a vector in the lattice L closest to the target vector t. It is well known that this problem is NP-hard when the dimension grows. However, it is solvable in deterministic polynomial time provided that the dimension of L is fixed (see [25], for example).
In fact, the lattices in this paper consist of the integer solutions x = (x_0, ..., x_{s−1}) ∈ Z^s of a system of congruences Σ_{i=0}^{s−1} a_{ij} x_i ≡ 0 mod q_j, j = 1, ..., m, modulo some positive integers q_1, ..., q_m. Typically (although not always) the volume of such a lattice is the product Q = q_1 ··· q_m. Moreover, all the aforementioned algorithms, when applied to such a lattice, become polynomial in log Q. If {b_1, ..., b_s} is a basis of the above lattice, by Hadamard's inequality we have: For the slightly weaker task of finding a sufficiently close vector, the celebrated LLL algorithm of Lenstra, Lenstra and Lovász [30] provides a desirable solution, as noticed in [2], that is, an algorithm polynomial in the bit size of the coefficients of the lattice basis and also in the lattice dimension. Here, we state this result as Lemma 1.

Lemma 1
There exists a deterministic polynomial time algorithm which, given an s-dimensional full rank lattice L and a shift vector t, finds a lattice vector u ∈ L satisfying the inequality

An outline of the algorithms presented in this paper goes as follows. They are divided into two stages.
• Stage 1: We construct a certain lattice L of dimension s; this lattice depends on the given approximations. We also show that a certain vector E directly related to the missing information is a very short vector. A closest vector F is found; see [25] for fixed dimension and Lemma 1 for the approximate solution in arbitrary dimension.
• Stage 2: We show that F provides the required information about E if the approximation is good enough.
Many other results on both exact and approximate finding of a closest vector in a lattice are discussed in [19,23].
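As an added illustration (not code from the paper) of the two-stage outline above, here is a toy instance: the lattice of integer solutions of a single congruence Σ_i a_i x_i ≡ 0 (mod p), so Q = p, a particular solution T of the inhomogeneous system obtained by modular inversion, and the closest-vector step, where a textbook LLL reduction and Babai's nearest-plane algorithm [2] stand in for the exact CVP solver of [25]. The prime, the coefficients and the hidden small solution are constructed sample values; the hidden vector is found because it is far shorter than the p^{1/5} scale that the Gaussian heuristic used in Theorems 2 and 4 predicts for the shortest vector of a volume-p lattice in Z^5.

```python
# Added example: two-stage lattice recovery of a small solution of a congruence.
# Not the paper's SageMath code; textbook LLL + Babai replace an exact CVP solver.
from fractions import Fraction
import random


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def gram_schmidt(b):
    """Return (b*, mu) for the rows of b, in exact rational arithmetic."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(b[i])
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """LLL reduction [30]. Gram-Schmidt data is recomputed after every change,
    which is fine for the 5x5 lattice below (not for dimension 502 as in [32])."""
    b = [[Fraction(x) for x in row] for row in basis]
    n, k = len(b), 1
    bstar, mu = gram_schmidt(b)
    while k < n:
        for j in range(k - 1, -1, -1):            # size reduction of b_k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lovasz = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if dot(bstar[k], bstar[k]) >= lovasz:     # Lovasz condition holds
            k += 1
        else:                                      # swap and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def babai_nearest_plane(basis, target):
    """Babai's nearest-plane algorithm [2]: a lattice vector close to target.
    It returns the exact closest vector when dist(target, L) < min ||b*_i|| / 2."""
    b = [[Fraction(x) for x in row] for row in basis]
    bstar, _ = gram_schmidt(b)
    t = [Fraction(x) for x in target]
    v = [Fraction(0)] * len(t)
    for i in range(len(b) - 1, -1, -1):
        c = round(dot(t, bstar[i]) / dot(bstar[i], bstar[i]))
        t = [ti - c * bi for ti, bi in zip(t, b[i])]
        v = [vi + c * bi for vi, bi in zip(v, b[i])]
    return [int(x) for x in v]


def congruence_lattice(p, coeffs):
    """Basis of L = {x in Z^s : sum_i coeffs[i] * x_i == 0 (mod p)}; vol(L) = p.
    Assumes p prime and coeffs[0] != 0 mod p."""
    s = len(coeffs)
    inv0 = pow(coeffs[0], -1, p)
    rows = [[p] + [0] * (s - 1)]
    for i in range(1, s):
        row = [0] * s
        row[0] = (-coeffs[i] * inv0) % p          # cancels coeffs[i] * x_i
        row[i] = 1
        rows.append(row)
    return rows


def recover_small_solution(p, coeffs, c):
    """Stage 1: lattice L and a particular solution T of sum a_i x_i == c (mod p).
    Stage 2: CVP with shift T; F = v + T is the shortest solution of the system,
    which by the Gaussian heuristic is the hidden one when it is well below p^(1/s)."""
    basis = lll(congruence_lattice(p, coeffs))
    t = [(c * pow(coeffs[0], -1, p)) % p] + [0] * (len(coeffs) - 1)
    v = babai_nearest_plane(basis, [-x for x in t])   # lattice vector nearest -T
    return [ti + vi for ti, vi in zip(t, v)]


# Constructed sample instance: an 89-bit prime, 5 unknowns bounded by 2^10,
# i.e. far below the heuristic limit p^(1/5) of the volume-p lattice in Z^5.
P = 2 ** 89 - 1
RNG = random.Random(7)
COEFFS = [RNG.randrange(1, P) for _ in range(5)]
BOUND = 2 ** 10
SECRET = [RNG.randrange(-BOUND, BOUND + 1) for _ in range(5)]
C = sum(a * e for a, e in zip(COEFFS, SECRET)) % P

if __name__ == "__main__":
    print(recover_small_solution(P, COEFFS, C) == SECRET)
```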

The polynomial equation of the group associated to an elliptic curve
The operation ⊕ acts on the points P = (x_P, y_P) and Q = (x_Q, y_Q) of E(F_p) with P, Q ≠ O as follows:
• If x_P = x_Q but y_P ≠ y_Q, then P ⊕ Q = O.
• If P = Q and y_P ≠ 0, then
• If P = Q and y_P = 0, then P ⊕ Q = O.
See [1,5,43] for these and other general properties of elliptic curves. Our context is a pseudorandom bit generator which outputs affine points of an elliptic curve. They are obtained recursively by adding a fixed composer G to the previous value. So, almost always, the equations of the first case (4) above determine the process.
If P is not Q or −Q, then, clearing denominators in (4), we can translate P ⊕ Q = R into the following identities in the field F_p:

Lemma 2
Let L_1(X_Q, Y_Q, X_P, Y_P, X_R), L_2(X_Q, Y_Q, X_P, Y_P, X_R, Y_R) be elements of the polynomial ring F_p[X_Q, Y_Q, X_P, Y_P, X_R, Y_R] and let U, V, W be algebraically independent variables.

Let be the linear transformation:
Proof It is straightforward.
On the other hand, since P = (x_P, y_P), Q = (x_Q, y_Q) and R = (x_R, y_R) are points of the elliptic curve E, we have: Eliminating the curve parameters a, b and assuming that x_P ≠ x_R, we obtain the following polynomial satisfying L_3(x_Q, y_Q, x_P, y_P, x_R, y_R) ≡ 0 mod p. Now, we consider the linear map:

Predicting EC-LCG for Known composer
Assume that a, b are unknown, but the prime p is given to us. In [20] it is shown that when we are given -approximations W_n, W_{n+1} to two consecutive affine values U_n, U_{n+1} produced by the EC-LCG, we can recover the exact values, provided that x_0 does not lie in a certain set whose size is bounded by O( ^6). Note that once two affine points on a curve of the form (1) are given whose first components differ, the curve (the parameters a and b) is determined. Then, after discovering the values U_n and U_{n+1}, we can reproduce (backwards and forwards) the whole sequence. To simplify the notation, we assume n = 0 from now on. We write W_j = (α_j, β_j), U_j = (x_j, y_j) for j = 0, 1; so there exist integers e_j, f_j for j = 0, 1 with:

Theorem 1 [20]
With the above notations and definitions, there exists a set U( ; a, x_G, y_G) ⊆ F_p of cardinality #U( ; a, x_G, y_G) = O( ^6) with the following property: whenever x_0 ∉ U( ; a, x_G, y_G) then, given -approximations W_0, W_1 to two consecutive affine values U_0, U_1 produced by the linear congruential generator on elliptic curves (2), and given the prime p, one can recover the seed U_0 in deterministic polynomial time.
In the proof of this result in [20], the 'bad' set of values U( ; a, x_G, y_G) for the component x_0 is described, proving that whenever that value lies outside the set, the algorithm works correctly. Furthermore, the size of the set is asymptotically bounded by O( ^6). This means that if = o(p^{1/6}) and p is large enough, assuming a uniform distribution of probabilities for x_0 ∈ F_p, the method is unlikely to fail.
The proof in [20] requires the two polynomials L_1 and L_2 of (6) and 8 monomials, so the lattice involved has dimension 8. Here, we use only the polynomial L_2 of (6), so the corresponding lattice dimension is only 5. The present proof is a simple observation on the same strategy; we include a significant part of the details for the reader's convenience.
Proof We assume that x_0 ∈ F_p is chosen so as not to lie in a certain subset U( ; a, x_G, y_G) of F_p. We place the value x_G in U( ; a, x_G, y_G), so that U_0 is not G or −G. Then, clearing denominators in (4), Using the equalities x_j = α_j + e_j and y_j = β_j + f_j for j = 0, 1, the polynomial L_2 of (6) becomes: It is easy to check that the vector is a solution to the following linear system of congruences: Moreover, the bounds (9) imply that E is a relatively short vector. We have: Let L be the lattice consisting of the integer solutions X = (X_1, X_2, ..., X_5) ∈ Z^5 of the system of congruences: We compute a solution T of the system of congruences (12) using linear Diophantine equation methods. Applying an algorithm solving the CVP for the shift vector T and the lattice (14), we obtain a vector We have that F = v + T (where v is the lattice vector returned by the CVP algorithm) is the vector of minimal norm satisfying (12), hence F has norm at most the norm of the solution E. Using the bounds (13), we get: Note that we can compute F in polynomial time from the information we are given. We might hope that E and F are the same, or at least that we can recover the approximation errors from F. If not, we will show that x_0 belongs to a subset U( ; a, Bounds (13) and (15) imply ‖D‖ ≤ 4 ^2 and From here, by closely following the proof in [20], since only depends on L_2 and the D_i, we bound the "bad" possibilities for which this process does not succeed.
We now present some heuristic arguments showing that Theorem 1 could possibly be strengthened so that it becomes nontrivial when the precision is of the order of p^{1/4} rather than of the order p^{1/6} as at present.
The heuristic that we use is of a totally different nature from that used in the so-called Coppersmith method, where the heuristic assumption is that all the constructed polynomials define a zero-dimensional algebraic variety. Here, we use the so-called "Gaussian heuristic", which suggests that an s-dimensional lattice L with volume vol(L) is unlikely to have a nonzero vector substantially shorter than vol(L)^{1/s}. Moreover, if it is known that such a very short vector does exist, then up to a scalar factor it is likely to be the only vector with this property.
Let us formalise the problem. Again, we assume that a, b are unknown, but the prime p is given to us. Suppose that we are given k ≥ 2 consecutive -approximations W_j = (α_j, β_j) to U_j = (x_j, y_j) ∈ E(F_p) (j = 0, ..., k − 1), produced by the EC-LCG, so there exist integers e_j, f_j with: x_j = α_j + e_j, y_j = β_j + f_j, |e_j|, |f_j| ≤ , j = 0, ..., k − 1. (16)

Theorem 2
With the above notation, under the 'Gaussian heuristic' we can recover the seed U_0 in time polynomial in log p as soon as < p^{(k−1)/(4k−2)}, by computing a closest vector of a certain lattice of dimension 3k − 1.
We have that F = v + T (where v is the lattice vector returned by the CVP algorithm) is the vector of minimal norm satisfying (17), hence F has norm at most the norm of the solution E. Using the bounds (18), we get: Note that we can compute F in polynomial time from the information we are given, see Lemma 1. We might hope that E and F are the same, or at least that we can recover the approximation errors from F. The volume of the lattice (19) is p^{k−1} ^{2k} (see Section 2.1). Then, using (20) and the Gaussian heuristic, the vector E is likely to be the one found whenever ^2 < p^{(k−1)/(3k−1)} ^{2k/(3k−1)}, that is: This finishes the proof.
This time, we have not provided a rigorous proof bounding the number of possibilities for which this method could fail. We will see in Section 5 that our SAGEMATH implementation confirms the above bound.
The following remark illustrates the importance of knowing the parameter a of the elliptic curve (1).

Remark 1
If three consecutive values of the EC-LCG are given, then G can be eliminated from U_0 ⊕ G = U_1 and U_1 ⊕ G = U_2: So, given three -approximations to U_0, U_1, U_2 and assuming that U_0 and U_1 are not G or −G and y_0 y_1 ≠ 0, clearing denominators in (4) and (5) we can translate the equation U_2 ⊕ U_0 = 2U_1 into two polynomial identities in the field F_p, but involving the unknown parameter a.
On the other hand, given the parameters a and b of the elliptic curve (1) and a -approximation (α_0, β_0) to a point P = (x_0, y_0) of the curve, we can recover P as soon as < p^{1/7}, see [14,16].
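An added example, not from the paper, that works the exact-value facts used above over a small constructed curve: the group law listed in Section 2 (assuming the short Weierstrass form y^2 = x^3 + ax + b for equation (1)), the EC-LCG relation (2), recovery of the composer as U_1 ⊖ U_0 from two exact consecutive outputs (Section 1), recovery of the curve parameters a, b from two affine points with distinct abscissae (Section 3), and the identity U_2 ⊕ U_0 = 2U_1 of Remark 1. The prime p = 1000003, the curve a = 17, b = 29 and the starting abscissae of the points are constructed sample values.

```python
# Added example (not the paper's code): EC-LCG over a small constructed curve.
# None stands for the point at infinity O.

def ec_add(p, a, P1, P2):
    """Group law in affine coordinates, following the cases of Section 2."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:   # Q = -P (includes P = Q with y_P = 0)
        return None
    if P1 == P2:                           # doubling, y_P != 0
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                  # generic case, x_P != x_Q
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_neg(p, pt):
    return None if pt is None else (pt[0], (-pt[1]) % p)


def on_curve(p, a, b, pt):
    x, y = pt
    return (y * y - x ** 3 - a * x - b) % p == 0


def find_point(p, a, b, x):
    """First affine point with abscissa >= x; needs p = 3 mod 4 for the sqrt."""
    while True:
        rhs = (x ** 3 + a * x + b) % p
        if rhs and pow(rhs, (p - 1) // 2, p) == 1:   # Euler criterion
            return (x, pow(rhs, (p + 1) // 4, p))
        x += 1


def ec_lcg(p, a, u0, g, n):
    """U_0, U_1, ..., U_n with U_i = U_{i-1} (+) G, as in relation (2)."""
    seq = [u0]
    for _ in range(n):
        seq.append(ec_add(p, a, seq[-1], g))
    return seq


def recover_curve(p, u, v):
    """a, b from two affine points with different abscissae (Section 3):
    subtracting the curve equations of u and v eliminates b."""
    (x0, y0), (x1, y1) = u, v
    a = ((y0 * y0 - y1 * y1) - (x0 ** 3 - x1 ** 3)) * pow(x0 - x1, -1, p) % p
    b = (y0 * y0 - x0 ** 3 - a * x0) % p
    return a, b


def recover_composer(p, a, u0, u1):
    """G = U_1 (-) U_0 from two exact consecutive outputs."""
    return ec_add(p, a, u1, ec_neg(p, u0))


# Constructed sample: p = 1000003 (prime, 3 mod 4), a = 17, b = 29;
# 4a^3 + 27b^2 = 42359 != 0 mod p, so the curve is non-singular.
P, A, B = 1000003, 17, 29
U0 = find_point(P, A, B, 2)      # seed
G = find_point(P, A, B, 100)     # composer
SEQ = ec_lcg(P, A, U0, G, 3)     # U_0, U_1, U_2, U_3

if __name__ == "__main__":
    print("curve recovered:", recover_curve(P, SEQ[0], SEQ[1]) == (A, B))
    print("composer recovered:", recover_composer(P, A, SEQ[0], SEQ[1]) == G)
    print("U_2 + U_0 == 2 U_1:", ec_add(P, A, SEQ[2], SEQ[0]) == ec_add(P, A, SEQ[1], SEQ[1]))
```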

Predicting EC-LCG for unknown composer
In the previous section it has been assumed that the cryptanalyst has access to the composer G, which places his task in a quite optimistic frame. This section is devoted to the case where the parameter G is also private. This case is studied in [20] and also in [32], requiring three approximations, not necessarily consecutive, instead of two. They treat the given information as approximations to arbitrary points of the same elliptic curve, so they do not take advantage of knowing the procedure which generated them. In other words, they provide a method to recover three points lying on an elliptic curve of the form (1) given corresponding approximations, and then use that method in the setting of an EC-LCG with three partially revealed values. Both methods are heuristic. The one in [20] requires -approximations with < p^{1/46}; a better result is presented in [31,32], which requires < p^{1/24}. Both methods look for small roots of the polynomial We assume that approximations to the coordinates of G = (x_G, y_G) ∈ E(F_p) and also W_n, W_{n+1} to two consecutive affine values U_n, U_{n+1} produced by the EC-LCG are given; we try to recover the exact values, provided that the approximations are good enough.
The first attempt to design such a procedure would be, as in Theorem 1, to translate (10) into the identity L_2(x_G, y_G, x_0, y_0, x_1, y_1) ≡ 0 mod p in the field F_p and to look for small roots of L_2. However, Lemma 2-(2) shows that it is not possible to recover the seed this way, nor from L_1 ≡ 0 mod p, again by Lemma 2-(2). So, we have to involve both polynomials: First, we rigorously demonstrate how to recover only the abscissa coordinates if < p^{1/6}.

Lemma 3
With the above notations and definitions, there exists a set U( ) ⊆ F_p^6 of cardinality #U( ) = O(p^5 ^6) with the following property: whenever P = (x_G, y_G, x_0, y_0, x_1, y_1) ∉ U( ) then, given a -approximation to the point P and given the prime p, one can recover x_G, x_0, x_1 in deterministic polynomial time by computing a closest vector of a certain lattice of dimension 5.
Proof First, we place all points of the form (x_0, y_G, x_0, x_1, y_0, y_1) in U( ), so that U_0 is not G or −G. We write L_2 as We write From (21), we obtain that (β_0 + β_1, γ_x − α_1, β_1 − γ_y, α_0 − α_1) = (b_0, a_0, b_1, a_1) is a 2 -approximation to the root (w_0, v_0, w_1, v_1) ∈ F_p^4 of L̄_2. So, rewriting (21) and (22): Writing: we obtain that the vector is a solution to the following linear system of congruences: Moreover, the bounds (23) imply that E is a relatively short vector. We have: Let L be the lattice consisting of the integer solutions X = (X_1, X_2, ..., X_5) ∈ Z^5 of the system of congruences: We compute a solution T of the system of congruences (24) using linear Diophantine equation methods. Applying an algorithm solving the CVP for the shift vector T and the lattice (26), we obtain a vector We have that F = v + T (where v is the lattice vector returned by the CVP algorithm) is the vector of minimal norm satisfying (24), hence F has norm at most the norm of the solution E. Using the bounds (25), we get: Note that we can compute F in polynomial time from the information we are given. We might hope that E and F are the same, or at least that we can recover the approximation errors from F. If not, we will show that (x_G, y_G, x_0, y_0, x_1, y_1) belongs to a subset U( ) ⊆ F_p^6 of cardinality #U( ) = O(p^5 ^6). The vector D = E − F lies in L: Bounds (25) and (27) imply ‖D‖ ≤ 8√2 ^2 and Now, we distinguish two cases: In the first case, we can recover the root (w_0, v_0, w_1, v_1) of the polynomial L̄_2(W_0, V_0, W_1, V_1); then by (22) we have Substituting those equalities into the polynomial L_1 of (6), and since x_G ≠ x_0, that is v_0 ≠ 0, by Lemma 2-(1) we can recover x_G, x_0, x_1.
Hence, we may assume that D_i is nonzero for some i = 1, ..., 4. Substituting b_j = W_j − e_j, a_j = V_j − f_j, j = 0, 1, into the first equation of the lattice (26), we obtain a nonzero polynomial: whose coefficients lie in Z[D_i, e_j, f_j], for i = 0, ..., 5 and j = 0, 1, and such that: For every choice of D_i, e_j, f_j (i = 0, ..., 5 and j = 0, 1), the specialised polynomial is linear, so the number of its solutions in F_p^4 is exactly p^3. Now, for every zero (w_0, v_0, w_1, v_1) of Ḡ we have exactly p^2 points of the form (y_0 + y_1, x_G − x_0, y_0 − y_G, x_0 − x_1). In total we have p^5 points (x_G, y_G, x_0, x_1, y_0, y_1) ∈ F_p^6 such that L_2(x_G, y_G, x_0, x_1, y_0, y_1) ≡ 0 mod p; we place all of them into the set U( ) ⊆ F_p^6. We need to show that the cardinality of U( ) is as claimed in the statement of the lemma. In other words, we need to prove that, over every choice of D_i, e_j, f_j (i = 0, ..., 5 and j = 0, 1), the number of nonzero specialised polynomials is O( ^6).
We write (28) From (23) and (28) we obtain that . So, the number of nonzero polynomials Ḡ is bounded by O( ^6), which finishes the proof.
The above result also finds the values U = y_0 + y_1 and V = y_0 − y_G. Plugging y_1 = −y_0 + U and y_G = y_0 + V into the polynomial L_3 defined in (7), from (8) we have So, we cannot recover y_G, y_0, y_1 from L_3.
On the other hand, substituting y_1 = −y_0 + U and y_G = y_0 + V in the elliptic curve (1): we can derive a linear equation in a and y_0: G + x_0^3 + V^2 Now, we can recover a and y_0 if a_0 is a -approximation to a with < p^{1/2}, using the same lattice techniques.
As in the previous remark, we can also obtain from (4) an equation that is linear in b and quadratic in y_0: b(x_G − x_0) + A y_0 + B y_0^2 + C, where A, B, C ∈ Z[x_0, x_1, x_G, U, V] and A, B, C ≢ 0 mod p. Again, we can recover b and y_0 if b_0 is a -approximation to b as soon as < p^{1/3}.
Then, as a consequence of Lemma 3, we have the following:

Corollary 1
With the above notations and definitions, there exists a set U( ) ⊆ F_p^6 of cardinality #U( ) = O(p^5 ^6) with the following property: whenever P = (x_G, y_G, x_0, y_0, x_1, y_1) ∉ U( ) then, given -approximations to U_0 = (x_0, y_0), U_1 = (x_1, y_1) and to G = (x_G, y_G), and a -approximation to a with < p^{1/2} or a -approximation to b with < p^{1/3}, one can recover the sequence produced by the EC-LCG in deterministic polynomial time.
In the previous result it has been assumed that we have access to approximations to the parameters a or b of the elliptic curve (1), which again places this task in a quite optimistic frame.
Then suppose that -approximations to the points U_0 = (x_0, y_0), U_1 = (x_1, y_1) and U_2 = (x_2, y_2) generated by the EC-LCG and to G = (x_G, y_G) are given. Applying Lemma 3 to the equation U_0 ⊕ G = U_1 we recover (x_G, x_0, x_1) and also Z_1 = y_0 + y_1, Z_2 = y_0 − y_G. Applying the same Lemma 3 to the equation U_1 ⊕ G = U_2, we are able to recover x_G, x_1, x_2 and Z_3 = y_1 + y_2, Z_4 = y_1 − y_G as soon as < p^{1/6}. We obtain the following linear system of equations in F_p:

y_2) and to G = (x_G, y_G), one can recover the whole sequence produced by the EC-LCG in deterministic polynomial time.
Notice that we cannot apply Remark 1 because the parameter a of the elliptic curve (1) is unknown.
On the one hand, the previous result requires computing a closest vector in two distinct lattices. On the other hand, it would be interesting to attack the EC-LCG when we have access to several consecutive approximations together with an approximation to the composer G. The following result tries to answer those computational problems.
Let us formalise the problem. Again, we assume that a, b and the composer G are unknown, but we have a -approximation Ḡ = (γ_x, γ_y) to G = (x_G, y_G). Suppose that we are given k + 1 ≥ 2 consecutive -approximations W_j = (α_j, β_j) to U_j = (x_j, y_j) ∈ E(F_p) (j = 0, ..., k − 1), produced by the EC-LCG, so there exist integers h_x, h_y and e_j, f_j with: L̄_2(w_i, s_i, v_i, t_i) ≡ 0 mod p, and we obtain the following system of congruences: From (29), we have Using the equalities (30), the polynomial L̄_2 for i = 1, ..., k − 1 becomes: Now, we linearize this polynomial system. Writing, for i = 1, ..., k − 1 and for j = 1, ..., k − 1: is a solution to the following linear system of congruences (i = 1, ..., k − 1): Moreover, from (30) we have that E is a relatively short vector. We have: Let L_k be the lattice consisting of the integer solutions of the system of congruences (i = 0, ..., k − 1): We compute a solution T of the system of congruences (31) using linear Diophantine equation methods. Applying an algorithm solving the CVP for the shift vector T and the lattice (33), we obtain a vector We have that F = v + T (where v is the lattice vector returned by the CVP algorithm) is the vector of minimal norm satisfying (31), hence F has norm at most the norm of the solution E. Using the bounds (32), we get: Note that we can compute F in polynomial time from the information we are given, see Lemma 1. We might hope that E and F are the same, or at least that we can recover the approximation errors from F. This time, we do not give a rigorous proof bounding the number of possibilities for which this method could fail. The volume of the lattice (33) is p^{k−1} ^{3k−2} (see Section 2.1). Then, by the Gaussian heuristic and (34), the vector E is likely to be the one found whenever ^2 < p^{(k−1)/(4k−3)} ^{(3k−2)/(4k−3)}, that is: As we can see, for k = 3 we obtain from Theorem 4 that O( ) = p^{2/11}, which is an improvement on Theorem 3.

Numerical results
We have proposed algorithms to recover a sequence of pseudorandom numbers produced by the EC-LCG. The input required by all of them includes approximations to some pseudorandom values. Theorem 1 and Theorem 2 additionally require precise knowledge of the parameter G. The rest require an approximation to the composer G. The quality of those approximations is the measure used to characterise when the algorithms output the expected sequence.
In Theorem 1 a "bad" set of values for the component x_0 is described, proving that whenever that value lies outside the set, the algorithm works correctly. Furthermore, the size of the set is asymptotically bounded by O( ^6). This means that if < p^{1/6} and p is large enough, assuming a uniform distribution of probabilities for x_0 ∈ F_p, the method is unlikely to fail. The same applies in Theorem 3, where the two "bad" subsets of F_p^6 are asymptotically bounded by O(p^5 ^6); again this means that if < p^{1/6} and p is large enough the method is unlikely to fail.
In Theorem 2 the heuristic algorithm requires k consecutive -approximations with < p^{(k−1)/(4k−2)} when G is public. Finally, the heuristic method described in Theorem 4, when an approximation to the composer G and k consecutive -approximations are given, recovers the whole sequence if < p^{(k−1)/(5k−4)}. However, two aspects must be taken into account before considering those bounds as the threshold of error tolerance beyond which the algorithms fail. On the one side, the constants hidden in the asymptotic reasoning (namely, the size of the prime p). On the other, the threshold could be higher, as membership in the "bad" set does not guarantee that the method indeed fails.
We have performed some numerical tests with a SAGEMATH implementation of all methods. Firstly, we generate an elliptic curve over a prime finite field of the desired size by choosing the parameters a, b randomly in F_p to fix (1). Then, we generate random points on the curve (1). For several pairs of points, an EC-LCG is simulated, and approximations to some consecutive values are given as input to our algorithms:

    size_prime = 1024
    p = next_prime(ZZ.random_element(2 ** size_prime))
    a = ZZ.random_element(p); b = ZZ.random_element(p)
    if (4 * a ** 3 + 27 * b ** 2) % p != 0:   # keep only non-singular curves
        C = EllipticCurve(GF(p), [a, b])
        G = C.random_element(); U_0 = C.random_element()
        U_1 = U_0 + G
        d = int(p ** (0.14))   # error bound of the approximation, here p^0.14
        # We use the ZZ.random_element SageMath method to perturb the abscissa of U_1
        alpha_1 = ZZ.random_element(-d + int(U_1[0]), d + int(U_1[0]))

The tests confirm the obtained bounds for both the heuristic and the deterministic methods. We show the numerical results of the heuristic algorithms, which, on the other hand, also cover the deterministic ones. We summarize the results in the following tables. We have selected primes of several sizes, and note the success threshold obtained.
• Theorem 2: −approximations to k consecutive values and G public. We have implemented the attack in SAGEMATH-8.1 on a MacBook Pro laptop computer (3,3 GHz Intel Core i7, 16 GB RAM 2133 MHz LPDDR3 Mac OSX 10.12.6). Since the lattice dimension is very low -the biggest one is 49 which correspond the case k = 13 in Theorem 4-the time consuming in any trail is, as maximum, a couple of seconds.
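The experimental setup above, as an added example (not the paper's SageMath code): a pure-Python EC-LCG over a small constructed prime, together with the attacker's view assumed by the attacks, namely each x-coordinate known only up to an error of at most d = floor(p^0.14). The prime, curve parameters and helper names (ec_add, random_point, ec_lcg, approximate, demo) are constructed for this example.

```python
import random

p = 1000003            # constructed small prime (p = 3 mod 4); the paper uses ~1024-bit primes
a, b = 5, 7            # constructed parameters of y^2 = x^3 + a x + b over F_p
assert (4 * a**3 + 27 * b**2) % p != 0   # non-singular curve
d = int(p ** 0.14)     # error bound of the approximations, as in the paper's tests

def ec_add(P, Q):
    """Affine addition on the curve; None denotes the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:      # P = -Q
        return None
    if P == Q:                                # tangent slope
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                     # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def random_point(rng):
    """Rejection-sample a curve point: draw x until x^3+ax+b is a square (p = 3 mod 4)."""
    while True:
        x = rng.randrange(p)
        rhs = (x**3 + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)         # a square root only when rhs is a QR
        if y * y % p == rhs:
            return (x, y)

def ec_lcg(U0, G, k):
    """First k terms U_n = U_{n-1} + G of the EC-LCG with seed U0 and composer G."""
    seq = [U0]
    for _ in range(k - 1):
        seq.append(ec_add(seq[-1], G))
    return seq

def approximate(seq, rng):
    """Attacker's view: each x-coordinate perturbed by at most d, i.e. |x_n - w_n| <= d."""
    return [rng.randint(x - d, x + d) for (x, _) in seq]

def demo(k=5, seed=7):
    """Simulate one EC-LCG instance and the approximations handed to the attacker."""
    rng = random.Random(seed)
    U0, G = random_point(rng), random_point(rng)
    seq = ec_lcg(U0, G, k)
    return G, seq, approximate(seq, rng)
```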

Remarks and open questions
We have presented efficient algorithms for predicting the sequence produced by the linear congruential generator on elliptic curves. In fact, they only require computing a closest vector in a lattice of very low dimension, and for practical purposes Babai's nearest plane algorithm can be used, see [2].
Following the ideas in [9], by generating more non-linear equations through multiplication of several non-linear equations before the linearization step, papers [31] and [32] present theoretically better bounds, O(p^{1/5}) for Theorem 1 and O(p^{3k/(11k+4)}) for Theorem 2, under the heuristic assumption that the created polynomials define a zero-dimensional ideal. Their algorithm needs to run the LLL algorithm on a certain lattice of huge dimension and, after that, it also requires a Groebner basis computation or, alternatively, any other polynomial elimination method. In practice the performance of the so-called Coppersmith's methods in those cases is very bad because of the large dimension of the lattice, as shown in those papers. In fact, they cannot test the bound O(p^{3k/(11k+4)}), not only because of the large dimension but also because the prime p would need to be several hundreds of bits long. On the other hand, for instance, we can recover the sequence produced by the EC-LCG when only three consecutive −approximations are given as soon as  < p^{1/5}; the most time-consuming step is computing a closest vector in a lattice of dimension 7, and this bound is matched by primes p of only 1000 bits.
As papers [31] and [32] show, the bound on the size of the set of exceptional values of u_0 given in Theorem 1 is not tight and might be improved by a more careful examination of the structure of (4) and (5); the same applies to Theorem 2.
Obviously the result in Theorem 3 is nontrivial only for  = O(p^{1/6}); we believe that this can be improved to  = O(p^{2/11}), as Theorem 4 suggests.
Giving rigorous proofs of our heuristic Theorem 2 and Theorem 4 is a challenging open question as well.
The same question has been studied in [32] for the power generator on elliptic curves: for a positive integer e > 1 and a point G ∈ E(F_p) of order l with gcd(e, l) = 1, the elliptic curve power generator (see [29]) generates a sequence of points V_n defined by the relation V_n = [e^n]G. The attack requires the prime p, the integer e, the constants a and b of the elliptic curve (1), and −approximations W_0, W_1 to two consecutive values V_0, V_1 for  < p^{1/(2e^2)}. An improvement is presented in [14], recovering the root U_0 = (x_0, y_0) of the polynomial (1) from a −approximation to (x_0, y_0) as soon as  < p^{1/7}; there the information is treated only as an approximation to the seed, without taking advantage of the knowledge of the procedure that generated it, see also [16]. We also think that better bounds can be expected.
Another open problem is to mount an attack when the modulus p is unknown. Unfortunately, we do not know how to predict the EC-LCG when the modulus p is secret.
Finally, it would be interesting to study the security of other PRBGs based on elliptic curves under this type of attack. In particular, it is not clear how to mount a lattice-based attack on the Naor-Reingold generator on elliptic curves, see [36,41,42].