"Pseudo-Random" Generators within cryptographic applications: the DSS case

Authors: Mihir Bellare, Shafi Goldwasser and Daniele Micciancio

Advances in Cryptology - CRYPTO 97. August 17-21, 1997, Santa Barbara. Lecture Notes in Computer Science 1294. Springer-Verlag. pp. 277-291


Abstract: The DSS signature algorithm requires the signer to generate a new random number with every signature. We show that if the random numbers for DSS are generated using a linear congruential pseudorandom number generator (LCG), then the secret key can be quickly recovered after seeing a few signatures. This illustrates the high vulnerability of the DSS to weaknesses in the underlying random number generation process. It also confirms that a sequence produced by an LCG is not only predictable, as has been known before, but should be used with extreme caution even within cryptographic applications that would appear to protect this sequence. The attack we present applies to truncated linear congruential generators as well, and can be extended to any pseudorandom generator that can be described via modular linear equations.
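The following is an added example, not code from the paper, showing the simplest instance of the attack the abstract describes: two DSA signatures whose nonces are consecutive outputs of an LCG, from which the signing key is recovered by solving one modular linear equation. It assumes the LCG modulus equals the group order q (so the nonce relation k2 = a*k1 + c holds mod q), that the multiplier a and increment c are public and only the seed is secret, and uses toy 64-bit parameters generated on the fly. The general case in the paper (LCG modulus different from q, truncated outputs) needs lattice techniques and is not implemented here. All function names are the example's own.

```python
# Added example (not from the paper): DSA with an LCG-generated nonce, and
# key recovery from two consecutive signatures.  Assumptions (all ours):
#   * the LCG modulus equals the DSA group order q: k_{i+1} = a*k_i + c mod q,
#   * a and c are known to the attacker; only the LCG seed is secret,
#   * toy-sized parameters (64-bit q) generated on the fly; Python 3.8+.
import hashlib
import random


def is_prime(n, rng, rounds=24):
    """Miller-Rabin probable-prime test (toy parameter generation only)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(rng, qbits=64):
    """Toy DSA domain parameters (p, q, g) with q | p-1 and ord(g) = q."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_prime(q, rng):
            break
    k = 2
    while not is_prime(k * q + 1, rng):
        k += 2                       # p must be odd, so k stays even
    p = k * q + 1
    h = 2
    while (g := pow(h, (p - 1) // q, p)) == 1:
        h += 1
    return p, q, g


def hash_mod_q(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def dsa_sign(params, x, k, hm):
    """Standard DSA signature with a caller-supplied nonce k."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hm + x * r) % q
    assert r != 0 and s != 0, "degenerate nonce; a real signer would retry"
    return r, s


def dsa_verify(params, y, hm, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, hm * w % q, p) * pow(y, r * w % q, p) % p % q == r


def lcg_next(k, a, c, q):
    return (a * k + c) % q


def recover_key(q, a, c, sig1, sig2):
    """Attacker side. Each sig is (hm, r, s). From
         k1 = s1^-1 (h1 + x r1),  k2 = s2^-1 (h2 + x r2),  k2 = a k1 + c
    we get  x (s2^-1 r2 - a s1^-1 r1) = a s1^-1 h1 + c - s2^-1 h2  (mod q)."""
    h1, r1, s1 = sig1
    h2, r2, s2 = sig2
    w1, w2 = pow(s1, -1, q), pow(s2, -1, q)
    den = (w2 * r2 - a * w1 * r1) % q
    if den == 0:
        return None                  # need a different pair of signatures
    num = (a * w1 * h1 + c - w2 * h2) % q
    return num * pow(den, -1, q) % q


def demo(seed=1):
    """Sign two constructed messages with LCG nonces, then recover x.
    Returns (true_x, recovered_x, recovered_x_matches_public_key)."""
    rng = random.Random(seed)
    params = gen_params(rng)
    p, q, g = params
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    a, c = rng.randrange(1, q), rng.randrange(1, q)   # LCG params (public)
    k = rng.randrange(1, q)                           # LCG seed (secret)
    observed = []
    for msg in (b"constructed message 1", b"constructed message 2"):
        hm = hash_mod_q(msg, q)
        r, s = dsa_sign(params, x, k, hm)
        assert dsa_verify(params, y, hm, (r, s))
        observed.append((hm, r, s))                   # what the attacker sees
        k = lcg_next(k, a, c, q)
    x_rec = recover_key(q, a, c, observed[0], observed[1])
    return x, x_rec, x_rec is not None and pow(g, x_rec, p) == y


if __name__ == "__main__":
    print(demo())
```

Only the public signatures (h, r, s), the LCG constants a and c, and q enter recover_key; the nonces themselves are never observed. The single degenerate case, a zero denominator mod q, simply means that pair of signatures does not determine x and another consecutive pair must be used.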