Predicting the elliptic curve congruential generator

TL;DR

This paper demonstrates that sequences generated by elliptic curve congruential generators can be efficiently reconstructed from a small segment of consecutive elements, revealing potential vulnerabilities in their security.

Contribution

The authors show that given just eight consecutive elements, one can polynomially compute the entire generator and its secret parameters, even if the curve is private.

Findings

Sequence can be reconstructed from 8 elements

Generator parameters can be computed in polynomial time

Sequence security assumptions may be compromised

Abstract

Let $p$ be a prime and let $\mathbf{E}$ be an elliptic curve defined over the finite field $\mathbb{F}_p$ of $p$ elements. For a point $G\in\mathbf{E}(\mathbb{F}_p)$ the elliptic curve congruential generator (with respect to the first coordinate) is a sequence $(x_n)$ defined by the relation $x_n=x(W_n)=x(W_{n-1}\oplus G)=x(nG\oplus W_0)$, $n=1,2,\dots$, where $\oplus$ denotes the group operation in $\mathbf{E}$ and $W_0$ is an initial point. In this paper, we show that if some consecutive elements of the sequence $(x_n)$ are given as integers, then one can compute in polynomial time an elliptic curve congruential generator (where the curve possibly defined over the rationals or over a residue ring) such that the generated sequence is identical to $(x_n)$ in the revealed segment. It turns out that in practice, all the secret parameters, and thus the whole sequence $(x_n)$, can be computed from eight consecutive elements, even if the prime and the elliptic curve are private.