Inferring sequences produced by a linear congruential generator on elliptic curves missing high-order bits

Let p be a prime and let E(IFp) be an elliptic curve defined over the finite field IFp of p elements. For a given point G ∈ E(IFp) the linear congruential genarator on elliptic curves (EC-LCG) is a sequence (Un) of pseudorandom numbers defined by the relation Un = Un−1 ⊕G = nG⊕ U0, n = 1, 2, . . . , where ⊕ denote the group operation in E(IFp) and U0 ∈ E(IFp) is the initial value or seed. We show that if G and sufficiently many of the most significants bits of two consecutive values Un, Un+1 of the EC-LCG are given, one can recover the seed U0 (even in the case where the elliptic curve is private) provided that the former value Un does not lie in a certain small subset of exceptional values. We also estimate limits of a heuristic approach for the case where G is also unknown. This suggests that for cryptographic applications EC-LCG should be used with great care. Our results are somewhat similar to those known for the linear and non-linear pseudorandom number congruential generator.