Cryptanalyzing the Dual Elliptic Curve Pseudorandom Generator

Authors

  • Berry Schoenmakers
  • Andrey Sidorenko
Abstract

The Dual Elliptic Curve Pseudorandom Generator (DEC PRG) is proposed by Barker and Kelsey [2]. It is claimed (see Section 10.3.1 of [2]) that the pseudorandom generator is secure unless the adversary can solve the elliptic curve discrete logarithm problem (ECDLP) for the corresponding elliptic curve. The claim is supported only by an informal discussion. No security reduction is given, that is, it is not shown that an adversary that breaks the pseudorandom generator implies a solver for the ECDLP. Our experimental results and an empirical argument show that the DEC PRG is insecure. The attack does not require solving the ECDLP for the corresponding elliptic curve. The attack is very efficient; it can be run on an ordinary PC. The generator is insecure because pseudorandom bits are extracted from points of the elliptic curve improperly. The authors of [2] assume that the 240 least significant bits of the x-coordinate of a random point of the elliptic curve over the prime field Fp, where ⌈log2 p⌉ = 256, are indistinguishable from 240 uniformly distributed random bits. We show that this is not the case. Based on this observation, we construct an algorithm (an adversary) that efficiently distinguishes the pseudorandom sequences produced by the DEC PRG from sequences of uniformly distributed random bits. We note that the complexity of our attack is proportional to 2^(256−240) = 2^16, so extracting less than 240 bits (say, 2 bits) makes the attack impractical. However, extracting fewer random bits does not guarantee that there exists no other attack that successfully breaks the pseudorandom generator. The reason is that the DEC PRG is not provably secure: its security does not provably rely on the intractability of the ECDLP. To obtain a truly provably secure pseudorandom generator one has to construct a security reduction, that is, to show that breaking the generator does imply solving a well-known and supposedly difficult problem (e.g., ECDLP, factoring, etc.).
In fact, provable security might be the only argument in favor of the relatively slow DEC PRG versus more efficient generators based on hash functions and block ciphers (e.g., the generators described in Sections 10.1 and 10.2 of [2]). Unfortunately, the DEC PRG is not secure, so there is no reason to use this generator rather than the others.
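As an added illustration of the extraction flaw the abstract describes (this is not code from the paper): a scaled-down model with a 16-bit prime, 8 extracted bits and a constructed toy curve, which computes exactly how far the truncated x-coordinate of a uniformly random curve point is from uniform, and the advantage of the natural distinguisher that counts how many candidate lifts of an output are valid x-coordinates. The prime, curve coefficients and output width are assumptions chosen so that the whole field can be enumerated.

```python
# Toy model of the Dual EC extraction flaw: truncate the x-coordinate of a
# random curve point and measure the bias this introduces (constructed example).
from collections import Counter

P = 65521         # largest 16-bit prime, so ceil(log2 P) = 16 (constructed toy parameter)
A, B = 3, 7       # toy curve y^2 = x^3 + A*x + B over F_P, not any standardized curve
OUT_BITS = 8      # keep the 8 least significant bits of x and discard the top 16 - 8 = 8
assert (4 * A**3 + 27 * B**2) % P != 0            # curve is non-singular

def points_with_x(x):
    """Number of affine curve points with x-coordinate x (0, 1 or 2)."""
    rhs = (x * x * x + A * x + B) % P
    if rhs == 0:
        return 1                                   # y = 0: a single point
    return 2 if pow(rhs, (P - 1) // 2, P) == 1 else 0   # Euler's criterion

def output_distribution():
    """Exact distribution of the truncated output when the point is uniform over
    the affine points.  We walk all of F_P; an attacker seeing only r would try
    the 2^(16 - OUT_BITS) candidates x = r + k * 2^OUT_BITS instead, which is the
    toy analogue of the 2^(256-240) = 2^16 work factor quoted in the abstract."""
    mask = (1 << OUT_BITS) - 1
    counts = Counter()
    for x in range(P):
        counts[x & mask] += points_with_x(x)
    total = sum(counts.values())                   # number of affine points
    return {r: counts[r] / total for r in range(1 << OUT_BITS)}, total

def statistical_distance(dist):
    """Distance from uniform: the best achievable distinguishing advantage."""
    uniform = 1 / len(dist)
    return sum(abs(p - uniform) for p in dist.values()) / 2

def count_distinguisher_advantage(dist):
    """Advantage of the rule 'call r DEC output if it has more valid lifts than
    average', i.e. if its genuine probability exceeds the uniform probability."""
    uniform = 1 / len(dist)
    accept = [r for r, p in dist.items() if p > uniform]
    return sum(dist[r] for r in accept) - len(accept) * uniform

if __name__ == "__main__":
    dist, n_points = output_distribution()
    print("affine points on the toy curve:", n_points)
    print("statistical distance from uniform: %.5f" % statistical_distance(dist))
    print("advantage of lift-count distinguisher: %.5f" % count_distinguisher_advantage(dist))
```

The lift-counting rule reaches exactly the statistical distance, which is the upper bound for any distinguisher; with the real parameters the per-output bias is far smaller but the lift count is computable with 2^16 work, as the abstract states.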


Similar sources

Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator

The Dual Elliptic Curve Pseudorandom Generator (DEC PRG) is proposed by Barker and Kelsey [2]. It is claimed (see Section 10.3.1 of [2]) that the pseudorandom generator is secure unless the adversary can solve the elliptic curve discrete logarithm problem (ECDLP) for the corresponding elliptic curve. The claim is supported only by an informal discussion. No security reduction is given, that is,...


Efficient Pseudorandom Generators Based on the DDH Assumption

A family of pseudorandom generators based on the decisional Diffie-Hellman assumption is proposed. The new construction is a modified and generalized version of the Dual Elliptic Curve generator proposed by Barker and Kelsey. Although the original Dual Elliptic Curve generator is shown to be insecure, the modified version is provably secure and very efficient in comparison with the other pseudor...


Elliptic curve analogues of a pseudorandom generator

Using the discrete logarithm in [7] and [9] a large family of pseudorandom binary sequences was constructed. Here we extend this construction. An interesting feature of this extension is that in certain special cases we get sequences involving points on elliptic curves. 2000 AMS Mathematics Subject Classification: 11K45. List of keywords and phrases: pseudorandom, elliptic curve.


A Pollard-like pseudorandom number generator over EC

In this short paper we propose a pseudorandom number generator over EC based on a Pollard-like method. In contrast to the well-known Elliptic Curve Random Number Generator (see e.g. ANSI and NIST draft standards), the generator is based on a random walk over the group of EC-points, as in the original Pollard’s rho algorithm, and only resembles a little bit the linear congruential generator over ell...


On Pseudo-Random Number Generators Using Elliptic Curves and Chaotic Systems

Elliptic Curve Cryptography (ECC) is a relatively recent branch of cryptography which is based on the arithmetic on elliptic curves and security of the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP). Elliptic curve cryptographic schemes are public-key mechanisms that provide encryption, digital signature and key exchange capabilities. Elliptic curve algorithms are also applie...




Publication date: 2006