
Des. Codes Cryptogr. (2019) 87:1–13
https://doi.org/10.1007/s10623-018-0484-3

Secure simultaneous bit extraction from Koblitz curves

Xinxin Fan¹ · Guang Gong² · Berry Schoenmakers³ · Francesco Sica⁴ · Andrey Sidorenko⁵

Received: 7 August 2017 / Revised: 3 April 2018 / Accepted: 4 April 2018 / Published online: 12 April 2018
© Springer Science+Business Media, LLC, part of Springer Nature 2018

Abstract Secure pseudo-random number generators (PRNGs) have a lot of important applications in cryptography. In this paper, we analyze a new PRNG related to the elliptic curve power generator. The new PRNG has many desirable randomness properties such as long period, uniform distribution, etc. In particular, the proposed PRNG is provably secure under the $\ell$-strong Diffie–Hellman assumptions. An important feature of our PRNG is that many bits can be simultaneously output without significantly affecting its security. For instance, at 150-bit security, more than 100 bits can be output at each iteration, with a statistical distance from a uniform sequence less than $1/2^{150}$. Our experimental results show that the new PRNG provides a secure and flexible solution for high security applications. Hence, our work is another step towards the construction of provably secure PRNGs in practice.

Communicated by S. D. Galbraith.

X. Fan's work was done when the author was a research associate at the University of Waterloo.
F. Sica's project is financially supported by the grant of the Corporate Fund “Fund of Social Development”.

Corresponding author: Francesco Sica, francesco.sica@nu.edu.kz
Xinxin Fan, xinxin@iotex.io
Guang Gong, ggong@uwaterloo.ca
Berry Schoenmakers, berry@win.tue.nl
Andrey Sidorenko, sidorenko@brightsight.com

1 IoTeX, Menlo Park, CA 94025, USA
2 Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON N2L 3G1, Canada
3 Department of Mathematics and Computer Science, Technical University Eindhoven, Eindhoven, The Netherlands
4 School of Science and Technology, Nazarbayev University, 53 Kabanbay Batyr Avenue, 010000 Astana, Kazakhstan
5 Brightsight, Delftechpark 1, 2628 XJ Delft, The Netherlands

Content courtesy of Springer Nature, terms of use apply. Rights reserved.

Keywords Cryptography · Elliptic curves · Pseudo-random Number generator

Mathematics Subject Classification 11T23 · 11K45 · 94A60

1 Introduction

Elliptic curves are nonsingular plane cubics with a distinguished point, usually taken to be
an inflection point at infinity. In this case, a change of coordinates will transform the curve
into the Weierstraß form

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.$$

Elliptic curves over finite fields have made their mark in cryptography since 1985 with their independent application to this branch by Miller [30] and Koblitz [21]. They have a group structure which can be a very efficient substitute for the finite fields and rings used in cryptosystems based on the hardness of integer factorization. Their use in public-key cryptography has since then been expanding considerably, including in the last decade a tripartite Diffie–Hellman key agreement [20], a simple identity-based encryption protocol [5] and short signatures [6]. In this work, we are interested in using properties of elliptic curves in order to exhibit a provably secure bit extractor in a cryptographic, not mathematical, sense, in that one assumes that some computational problem is intractable in polynomial time. Previous authors have already used binary elliptic curves for this purpose, see for instance [16,18,23–29,32]. Also, relating the security of the elliptic curve power generator to a DDH-type problem has been examined in [15], under the assumption that there exists an efficiently computable function enumerating group elements.

The importance of producing provably secure pseudo-random bit generators has received in the past few years renewed attention in light of the negative publicity and subsequent deprecation of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG): this PRNG didn't come with a security argument and was actually proved insecure by two of us [31]. A subsequent analysis at the Crypto 2007 rump session by Shumow and Ferguson has shown the possibility of a backdoor in its design. After having been adopted as a NIST standard, the Dual_EC_DRBG was eventually dropped in 2014 and NSA ceased supporting it 1 year later after further damaging analysis [8,9].

In this work, we use results in [11], together with a new security argument, to provide an unconditional reduction of the security of some extractors on binary Koblitz elliptic curves, including [16], to a DDH-type problem. In particular, we also point out that performance can be enhanced with limited loss of security by the parallel output of several mutually independent random bit sequences.
The remainder of this paper is organized as follows. Section 2 briefly reviews two Koblitz curves in NIST standards, followed by the construction of a simple and efficient deterministic bit extractor in Sect. 3. In Sect. 4, we recall the $\ell$-strong Diffie–Hellman assumptions. Sections 5–8 prove the randomness properties as well as the security of the new PRNG. In Sect. 9, we implement the proposed PRNG and compare its performance with the well-known Blum–Blum–Shub generator in great detail. Finally, Sect. 10 concludes this work.

2 Binary Koblitz curves

Our focus is on binary elliptic curves, with coefficients in $\mathbb{F}_2$. In particular, Koblitz curves $E_a$ are defined for $a = 0, 1$ as curves of equation

$$y^2 + xy = x^3 + a x^2 + 1.$$

We will work in finite field extensions $\mathbb{F}_{2^p}$ for some prime $p$. Some of these curves appear in NIST standards, of which we give a couple of examples.

2.1 Examples of NIST Koblitz curves

1. The curve $E_1$ over $\mathbb{F}_{2^{163}}$ (called K163) has order $2n$ where

$$n = 5846006549323611672814741753598448348329118574063$$

is prime. The prime factor decomposition of $n - 1$ is

$$n - 1 = 2 \cdot 3 \cdot 7 \cdot 89 \cdot 163 \cdot 1141450141721 \cdot 8405730267419952240402658413113$$

and it can be checked that $\mathrm{ord}_n(3) = n - 1$. An irreducible polynomial generating $\mathbb{F}_{2^{163}}$ is

$$p(t) = t^{163} + t^7 + t^6 + t^3 + 1.$$

2. The curve $E_0$ over $\mathbb{F}_{2^{233}}$ (called K233) has order $4n$ where

$$n = 3450873173395281893717377931138512760570940988862252126328087024741343$$

is prime. The prime factor decomposition of $n - 1$ is

$$n - 1 = 2 \cdot 3^2 \cdot 11 \cdot 233 \cdot 108642473 \cdot 2207506409 \cdot 311893462098235579692316688834118334464906148909$$

and it can be checked that $\mathrm{ord}_n(3) = n - 1$. An irreducible polynomial generating $\mathbb{F}_{2^{233}}$ is

$$p(t) = t^{233} + t^{74} + 1.$$

3 Bit extraction from Koblitz curves

Let $E_a$ be a Koblitz curve as in the previous section. Our bit extraction uses the power generator on a cyclic group of $E_a(\mathbb{F}_{2^p})$ of large prime order $n$. Let $r \in [1, n-1]$ be of large multiplicative order mod $n$ (say $n - 1$, which is possible for $\varphi(n-1)$ choices of $r$). We choose $P_0 = (x_0, y_0) \in E_a(\mathbb{F}_{2^p})$ of order $n$ and define, for $k \ge 0$ integer, $x_k$ as the $x$-coordinate of $P_k = r^k P_0$.

Let $\alpha_1, \ldots, \alpha_p$ be a basis of $\mathbb{F}_{2^p}$ over $\mathbb{F}_2$. Writing

$$x_k = s_k^{(1)} \alpha_1 + \cdots + s_k^{(p)} \alpha_p \qquad (1)$$

we consider the sequences $s_k^{(i)}$ for fixed $i = 1, \ldots, p$. We want to show some properties of these sequences, namely:

1. Large period: these sequences have a period equal to the period of $(x_k)$,
2. Under the $\ell$-Strong Computational Diffie–Hellman assumption (see below), it is hard to recover $x_0$, knowing $x_1, \ldots, x_\ell$,
3. These sequences are independently uniformly distributed, in the sense that $(s_k^{(1)}, \ldots, s_k^{(m)})$ is uniformly distributed in $\mathbb{F}_2^m$ if $m < (1 - \delta) p$ with $\delta > 0$, as $p \to \infty$. This is only a necessary requirement for the security of a PRNG.
4. Under the $\ell$-Strong Decisional Diffie–Hellman assumption (see below), it is hard to predict the next term of any sequence from $\ell$ previous terms.

Note that computing $x_k$ from $P_{k-1}$ can be done by an efficient algorithm, using double bases [2,13]. In fact, we can represent $r$ as

$$r = \sum_{m=0}^{w} \phi^{u_m} \hat{\phi}^{v_m}$$

where $v_m \le v_{m+1} = O(\log n / (\log \log n)^2)$ and $\max u_m = O(\log n)$. Here $\phi$ and $\hat{\phi}$ denote respectively the Frobenius endomorphism $(x, y) \mapsto (x^2, y^2)$ and its dual (the Verschiebung). The computation of the former is negligible (particularly so if normal bases are used), while the latter can be computed with only 2 multiplications and 2 squarings in $\mathbb{F}_{2^p}$ [14]. The previous expression is called a double-base representation of $r$. It is significantly shorter than a single base representation (such as binary, ternary or even in base $\phi$), already for small values of $r$ as verified in [12], since $w$ can be asymptotically chosen close to $\log n / \log \log n$, see [2]. We relate our performance evaluations in Sect. 9.

4 Computational assumptions

We state two computational assumptions, the first one of which is standard [4,7], the other one, new as far as we know, being its decisional variant. We state them in general form, in an additive cyclic group $G$ generated by an element of prime order $n$. Let $\ell$ be an integer such that $\ell = O(\log^c n)$ for some constant $c > 0$.

4.1 The $\ell$-strong computational Diffie–Hellman assumption

Setup $r \in [1, n-1]$ and $P \in G$ are chosen randomly.

Challenge An adversary $\mathcal{A}$ wanting to solve the $\ell$-Strong CDH problem will receive the points $P, rP, \ldots, r^\ell P$. We say it is successful if and only if it is able to return $r^{\ell+1} P$.

The $\ell$-Strong CDH assumption says that there is no probabilistic polynomial-time algorithm (in the bit size of the order $n$) to solve this problem with non-negligible probability.

4.2 The $\ell$-strong decisional Diffie–Hellman assumption

We introduce the $\ell$-Strong Decisional Diffie–Hellman ($\ell$-Strong DDH for short) assumption, the natural decision problem based on the $\ell$-Strong Diffie–Hellman problem.

Setup $r \in [1, n-1]$ and $P, Q_1 \in G$ are chosen randomly. Define $Q_0 = r^{\ell+1} P$. A bit $b \in \{0, 1\}$ is similarly chosen randomly.

Challenge An adversary $\mathcal{A}$ wanting to solve the $\ell$-Strong DDH problem will receive the points $P, rP, \ldots, r^\ell P$ as well as $Q_b$. It returns a bit $b'$. We say $\mathcal{A}$ is successful if $b' = b$, otherwise it is unsuccessful.

Quantification Define the advantage of $\mathcal{A}$ as

$$\mathrm{Adv}(\mathcal{A}) = \bigl|\mathrm{Prob}[b' = 1 \mid b = 1] - \mathrm{Prob}[b' = 1 \mid b = 0]\bigr| = \bigl|2\,\mathrm{Prob}[b' = b] - 1\bigr|,$$

the probabilities being taken over all random choices of parameters as in the setup.

The $\ell$-Strong DDH assumption is that any polynomial-time adversary $\mathcal{A}$ can only solve the $\ell$-Strong DDH problem with a negligible advantage (i.e. for any $c > 0$, there exists $n_c \in \mathbb{N}$ such that $\mathrm{Adv}(\mathcal{A}) < \log^{-c} n$ for all $n > n_c$).

4.3 Cheon's work

In 2006, Cheon [10] showed that the $\ell$-Strong CDH is easier to solve than the discrete log in many instances. The current state of the art can solve a discrete logarithm problem on Koblitz curves in $O(\sqrt{n})$ bit operations, while the Cheon attacks require $O\bigl(\log n\,(\sqrt{n/\ell} + \sqrt{\ell})\bigr)$ (resp. $O\bigl(\log n\,(\sqrt{n/\ell} + \ell)\bigr)$) for the $(n-1)$-attack (resp. the $(n+1)$-attack), where $\ell$ is a divisor of $n - 1$ (resp. $n + 1$). Therefore Cheon's attacks are not a concern asymptotically if $\ell$ is polynomially bounded in $\log n$.

5 Period of $(s_k^{(i)})$

Recall that a normal basis of $\mathbb{F}_{2^p}$ is a basis of the form $\alpha, \alpha^2, \ldots, \alpha^{2^{p-1}}$ for some $\alpha \in \mathbb{F}_{2^p}$. We come back to our elliptic curve setting and prove the following.

Theorem 1 If the basis $\alpha_1, \ldots, \alpha_p$ in (1) is a normal basis and $\mathrm{ord}_n(r) = n - 1$, then for any $1 \le i \le p$, the period of $(s_k^{(i)})$ equals the period of $(x_k)$, namely $(n-1)/2$.

Proof Note that if $P_k = (x_k, y_k) = r^k P_0$, then, calling $u = (n-1)/2$, since $r^u \equiv -1 \pmod n$, we have

$$P_{k+u} = r^u P_k = -P_k$$

hence $x_{k+u} = x_k$. Since the $x$-coordinates of two points are equal if and only if the points are equal or opposite, this shows that $u$ is the period of $(x_k)$.

Recall the following results from the theory of linear feedback shift registers (LFSR), which can be found in [17,22]. Let $S$ be the set of sequences of elements of a finite field $F$. Then the polynomials of $F[x]$ act on $S$ in the following way: if $h(x) = \sum_{i=0}^{d} c_i x^i$, then define, for a sequence $(a_k)_{k=0}^{\infty} \in S$,

$$h \cdot (a_k) = (b_k) : \quad b_k = \sum_{i=0}^{d} c_i a_{k+i}.$$

The set $I \subset F[x]$ of polynomials $h$ which annihilate $(a_k)$, i.e. such that $h \cdot (a_k) = 0$ (the zero sequence), is an ideal (the ideal of characteristic polynomials of $(a_k)$), and as such, if it is not zero, it is generated by a unique nonzero monic polynomial $f$, called the minimal polynomial of $(a_k)$. It can be shown that $I \ne (0)$ if and only if $(a_k)$ is ultimately periodic (i.e. there exists $\pi \in \mathbb{N}$ such that $a_{k+\pi} = a_k$ for all sufficiently large $k \in \mathbb{N}$), and that $(a_k)$ is (purely) periodic (i.e. there exists $\pi \in \mathbb{N}$ such that $a_{k+\pi} = a_k$ for all $k \ge 0$) if and only if $f(0) \ne 0$.

We will now restrict ourselves to periodic sequences over finite fields $F$. Let $f \in F[x]$ such that $f(0) \ne 0$. There exists an integer $\pi > 0$ such that $f \mid x^\pi - 1$. The minimal such $\pi$ is called the period of the polynomial $f$ and denoted $\mathrm{per}(f)$. From the definition it follows immediately that if $f \mid g$ then $\mathrm{per}(f) \le \mathrm{per}(g)$ (when actually $\mathrm{per}(f) \mid \mathrm{per}(g)$).

It can be shown that the period of the minimal polynomial of a periodic sequence equals the smallest period of the sequence. Hence, when studying the period of the $(s_k^{(i)})$, we can consider the period of their minimal polynomials $g_i \in \mathbb{F}_2[x]$ instead.

Claim For all $1 \le i \le p$, we have $g_i(x) = g(x)$ for some $g \in \mathbb{F}_2[x]$ (the minimal polynomials are all equal).

In (1) we have $\alpha_{i+1} = \alpha_i^2$ for all $i$ since we are using a normal basis, where the index of $\alpha$ has to be understood mod $p$. Note that

$$(x_k^2, y_k^2) = r^{(n-1)h/p} (x_k, y_k)$$

for some $0 < h < p$. This is because the Frobenius endomorphism on the subgroup of order $n$ acts by multiplication by a $p$th root of unity mod $n$, and the fact that $r^{(n-1)/p}$ is a primitive $p$th root of unity mod $n$. Denoting $\mu = (n-1)h/p$, we then have, by definition,

$$x_k^2 = x_{k+\mu}$$

and therefore

$$s_k^{(i)} = s_{k+\mu}^{(i+1)}$$

for all $k \ge 0$ and $i$ mod $p$. From the definition it is easy to show that cyclic shifts of periodic sequences have the same minimal polynomials, therefore $g_i = g_{i+1}$, thus proving our claim.

By linearity it follows that $g$ is a characteristic polynomial of $(x_k)$ and therefore its minimal polynomial $f \in \mathbb{F}_{2^p}[x]$ will divide $g$. This implies

$$u = \mathrm{per}(f) \le \mathrm{per}(g) \le u$$

the last inequality stemming from the fact that clearly $s_{k+u}^{(i)} = s_k^{(i)}$ for all $k, i$. Since $\mathrm{per}(g)$ is also the period of all the sequences $(s_k^{(i)})$ the theorem is proved. □

Remark 1 The essential point in the above proof was the claim that the minimal polynomials of all bit sequences are equal. This should be true for any basis, not just normal, and we hope to prove it in a follow-up of this work. For the NIST polynomial bases (relative to the modular polynomials $p(t)$) for K163 and K233, we have given an ad-hoc proof, which can be found in Appendix A.

In the following, for $1 \le m < p$, we will let $s_k = (s_k^{(1)}, \ldots, s_k^{(m)})$.

6 Determination of $x_0$

Theorem 2 Under the $\ell$-Strong Diffie–Hellman assumption, it is not possible to recover $x_0 \in \mathbb{F}_{2^p}$ with non-negligible probability from $s_k$ with $k = 1, \ldots, \ell$.

Proof The argument makes use of a PRNG oracle, which works in this way: a challenger picks a random seed $x_0 \in \mathbb{F}_{2^p}$, then computes $s_k$ for $k = 1, \ldots, \ell$ and gives the sequence of $s_k$'s to the PRNG oracle, which is able to recover $x_0$ with a non-negligible probability $\delta > 0$. Consider an instance of the $\ell$-Strong CDH problem, so that $P, rP, \ldots, r^\ell P$ are given and we (the adversary) want to compute $r^{\ell+1} P$ using the PRNG oracle. Calling $P_0 = r^{\ell+1} P$, and $t = r^{-1} \pmod{n-1}$, so that $t P_0 = r^\ell P, \ldots, t^\ell P_0 = rP$, by hypothesis a call to the PRNG oracle can recover with probability $\delta$ the $x$-coordinate of $P_0$ because we can feed $\mathcal{A}$ the multibit sequence $s_1, \ldots, s_\ell$, formed from the knowledge of $t P_0, \ldots, t^\ell P_0$. Since there are two opposite points with the same $x$-coordinate, we therefore compute $P_0 = r^{\ell+1} P$ or $-P_0$. Hence, with probability $\delta/2$, we recover $r^{\ell+1} P$. □


7 Uniformity of the bits $(s_k^{(i)})$ in blocks

As proved in [11], improving upon [16], the distribution of $s_k = (s_k^{(1)}, \ldots, s_k^{(m)}) \in \mathbb{F}_2^m$ as defined in (1), when $1 \le k \le (n-1)/2$, is statistically indistinguishable from the uniform distribution in $\mathbb{F}_2^m$. In particular, for any $1 \le i \le p$, $\mathrm{Prob}[s_k^{(i)} = 1] = 1/2$ up to a negligible error. We follow the account of [11].

Definition 1 (Statistical distance) Let $S$ be a set and $X$ and $Y$ be $S$-valued random variables. The statistical distance $\Delta(X, Y)$ between $X$ and $Y$ is

$$\Delta(X, Y) = \frac{1}{2} \sum_{s \in S} \bigl|\mathrm{Prob}[X = s] - \mathrm{Prob}[Y = s]\bigr|.$$

Let $U_S$ be a random variable uniformly distributed on $S$ and $\delta > 0$. A random variable $X$ on $S$ is said to be $\delta$-uniform if

$$\Delta(X, U_S) \le \delta.$$

Definition 2 Let $G$ be a subgroup of $E_a(\mathbb{F}_{2^p})$ and $0 < m < p$. We define the function (the extractor) $D_m : G \to \mathbb{F}_2^m$ by $D_m(v, w) = (v_1, \ldots, v_m)$ where $v = v_1 \alpha_1 + \cdots + v_p \alpha_p$ as in (1).

Remark 2 There is nothing special about Koblitz curves for the previous definition or the next result. The specialization is made out of simplicity.

Theorem 3 [11] Let $G$ be a subgroup of $E_a(\mathbb{F}_{2^p})$. Then

$$\Delta\bigl(D_m(U_G), U_{\mathbb{F}_2^m}\bigr) \le \frac{2\sqrt{2^{p+m}}}{|G|},$$

where $U_G$ is uniformly distributed in $G$ and $U_{\mathbb{F}_2^m}$ is the uniform distribution in $\mathbb{F}_2^m$.

This theorem tells us that as long as $m$ is substantially smaller than $p$, the statistical distance between the random variable obtained by considering $s_k = (s_k^{(1)}, \ldots, s_k^{(m)})$ and the corresponding uniform distribution over $m$ random bits is negligible. For instance, if $m = 2$, in the case of K163, this statistical distance is $\approx 4/2^{81.5} \le 1/2^{79.5}$. The same upper bound applies to the case of K233 when $m = 72$.

8 Hardness of predicate prediction

Below we relate the existence of a predictor of a function of $s_{k+\ell+1}$ given the previous $m$-bit blocks $s_k, \ldots, s_{k+\ell}$ to a cryptographically hard problem, namely the $\ell$-Strong DDH assumption, in light of the results of the previous section.

Definition 3 (Balanced predicate) A function $f : \{0,1\}^m \to \{0,1\}$ is a balanced predicate if $\# f^{-1}(0) = \# f^{-1}(1) = 2^{m-1}$.

Definition 4 (Predicate predictor) A function $b : \{0,1\}^{m(\ell+1)} \to \{0,1\}$ is called a next-block-from-$\ell$ $f$-predicate predictor with advantage $\delta > 0$ for $(s_k)$ if

$$\Bigl|\mathrm{Prob}[b(s_k, s_{k+1}, \ldots, s_{k+\ell}) = f(s_{k+\ell+1})] - \frac{1}{2}\Bigr| = \frac{\delta}{2},$$

the probability being taken on $k$ running over a full period of $(s_k)$, as well as all possible choices of sequences $(s_k)$ constructed as in Sect. 1 (or equivalently, over all uniform choices of $r$).

This generalizes the notion of next-bit-from-$\ell$ predictor, which corresponds to taking $m = 1$ and $f$ the identity in the above definition. We now come to the main result of this section.

Theorem 4 Let $f$ be a balanced predicate. A next-block-from-$\ell$ $f$-predicate predictor with advantage $\delta > 0$ for $(s_k)$ can be used to build an adversary $\mathcal{A}$ which can solve the $\ell$-Strong DDH problem with advantage $\ge \delta/2$, up to negligible error.

Proof Given a challenge for the $\ell$-Strong DDH, $P, rP, \ldots, r^\ell P, Q_b$, we (the adversary) want to guess whether $b = 0$ or $1$. Suppose we have at our disposal a next-block-from-$\ell$ $f$-predicate predictor with advantage $\delta > 0$ for $(s_k)$, which we call $b$ and treat like a black box. We can actually suppose that

$$\mathrm{Prob}[b(s_k, s_{k+1}, \ldots, s_{k+\ell}) = f(s_{k+\ell+1})] = \frac{1}{2} + \frac{\delta}{2}. \qquad (2)$$

Let $s(Q)$ be the vector whose coordinates are the first $m$ bits of the $x$-coordinate of the point $Q$, so that $s_k = s(P_k), \ldots, s_{k+\ell} = s(r^\ell P_k)$ and $s(Q_0) = s_{k+\ell+1}$. Denote $\sigma_i = f(s(Q_i))$ for $i = 0, 1$. We feed $b$ the $m$-bit blocks $s_k, s_{k+1}, \ldots, s_{k+\ell}$ and get the response $\sigma = b(s_k, s_{k+1}, \ldots, s_{k+\ell})$. We compare $\sigma$ to $\sigma_b$. If they are different, we output $b' = 1$, otherwise (if $\sigma = \sigma_b$) we output $b' = 0$. We now analyze the advantage of this choice of $b'$ over a random guess of $b$. We analyze separately the two equiprobable events $b = 0$ and $b = 1$.

Event $b = 0$. In this case

$$\mathrm{Prob}[b' = b \mid b = 0] = \mathrm{Prob}[b' = 0 \mid b = 0] = \mathrm{Prob}[\sigma = \sigma_0] = \frac{1 + \delta}{2},$$

by (2).

Event $b = 1$. Note that $s(Q_1)$ is uniformly distributed in $\{0,1\}^m$ by Theorem 3, if $m$ is not too large. Furthermore, in this case, since $f$ is balanced, we obtain $\mathrm{Prob}[\sigma_1 = 1] = \mathrm{Prob}[\sigma_1 = 0] = 1/2$, up to negligible errors. Since the random variable $\sigma_1$ is independent of $\sigma$, we get

$$\mathrm{Prob}[\sigma = \sigma_1] = \mathrm{Prob}[\sigma = 0 \mid \sigma_1 = 0]\,\mathrm{Prob}[\sigma_1 = 0] + \mathrm{Prob}[\sigma = 1 \mid \sigma_1 = 1]\,\mathrm{Prob}[\sigma_1 = 1] = \frac{1}{2}\bigl(\mathrm{Prob}[\sigma = 0] + \mathrm{Prob}[\sigma = 1]\bigr) = \frac{1}{2},$$

hence

$$\mathrm{Prob}[b' = b \mid b = 1] = \mathrm{Prob}[b' = 1 \mid b = 1] = \mathrm{Prob}[\sigma \ne \sigma_1] = \frac{1}{2}.$$

Putting everything together we obtain

$$\mathrm{Prob}[b' = b] = \mathrm{Prob}[b' = b \mid b = 0]\,\mathrm{Prob}[b = 0] + \mathrm{Prob}[b' = b \mid b = 1]\,\mathrm{Prob}[b = 1] = \frac{1 + \delta}{2} \times \frac{1}{2} + \frac{1}{2} \times \frac{1}{2} = \frac{1}{2} + \frac{\delta}{4},$$

which shows that the advantage in choosing $b'$ in this way is $\delta/2$. □


9 Performance evaluation and analysis

9.1 Asymptotic improvement of BBS

In this section, we report the performance of the proposed Koblitz curve pseudo-random number generator (KCPRNG) and compare it with the well-known Blum–Blum–Shub (BBS) generator [3]. All experiments are conducted on an Intel Core™ i7 processor with a clock speed of 2.4 GHz. The code is written in C and compiled and debugged using Microsoft Visual Studio 2010. To compare the two pseudo-random number generators at the 80-bit and 112-bit security levels, we implement two instances of the BBS generator (i.e., BBS-1024 and BBS-2048) as well as two instances of KCPRNG (i.e., KCPRNG-163 and KCPRNG-233), respectively. While BBS-1024 and BBS-2048 denote BBS generators with moduli of 1024 and 2048 bits, KCPRNG-163 and KCPRNG-233 employ the Koblitz curves K163 and K233 (see Sect. 2), respectively. The operations over integer rings (for BBS-1024 and BBS-2048) and finite fields (for KCPRNG-163 and KCPRNG-233) are implemented with various efficient algorithms in [19]. Moreover, the double-base chain representations [2] are utilized to accelerate scalar multiplications in the KCPRNG-163 and KCPRNG-233 implementations. In addition, one bit is extracted from each iteration of both pseudo-random number generators. Table 1 summarizes our experimental results when generating different lengths of random numbers using BBS and KCPRNG at the 80-bit and 112-bit security levels, respectively. All of the timings are given in milliseconds or seconds.

From Table 1, we note that if only one bit is extracted from each iteration the performance of the BBS generator is about 28.2 and 18.3 times faster than that of KCPRNG at the 80-bit and 112-bit security levels, respectively. The reason is that each iteration of the BBS generator only involves a modular squaring over an integer ring, whereas KCPRNG needs to compute a scalar multiplication on a Koblitz curve to extract one bit. However, it is easy to see that the performance gap between BBS and KCPRNG will continue to shrink as the security level increases.

Table 1 Timings for generating random bytes using BBS and KCPRNG (one bit extraction per iteration)

Random bytes   BBS-1024    KCPRNG-163   BBS-2048    KCPRNG-233
10             0.43 ms     12.15 ms     1.19 ms     21.78 ms
10^2           4.42 ms     121.47 ms    11.82 ms    217.78 ms
10^3           44.35 ms    1.24 s       118.27 ms   2.18 s
10^4           442.76 ms   12.46 s      1.18 s      21.82 s

The first column represents the number of random bytes to be generated.

Fig. 1 Performance comparison of BBS-6800 and KCPRNG-409 generators

Note that so far our work has reduced the security of KCPRNG to a problem easier than the discrete logarithm. However, this problem is still of exponential hardness and therefore the performance gap will provably decrease until, asymptotically, curve-based generators outperform BBS.

9.2 Superior multiple bit extraction

To further boost the performance of BBS and KCPRNG, multiple bits can be extracted from each iteration. As proved in [1,34], up to $O(\log \log N)$ bits can be extracted on each iteration from the BBS generator, where $N$ is the modulus (a Blum integer). On the other hand, in view of Theorem 3, we can safely extract $\Omega\bigl((\log n)^{1-\delta}\bigr)$ bits from KCPRNG for any $\delta > 0$, where $n$ is the order of the large cyclic subgroup. Since, under current attacks, $\log n \approx (\log N)^{1/3}$, we can extract many more bits for the same security level.

Moreover, Sidorenko and Schoenmakers [33] pointed out that the extraction of 5 bits per iteration is optimal for the BBS generator, where the corresponding length of the modulus $N$ is 6800 bits. The closest comparison to the Sidorenko and Schoenmakers result uses the NIST Koblitz curve K409 [19, Appendix A.2.3] of cardinality $4n$ where $n$ is a 407-bit prime. We have that $n - 1$ is divisible by a 299-bit prime and $n + 1$ by a 360-bit prime. In this case, Cheon's attacks, which require $O\bigl(\log n\,(\sqrt{n/d} + \sqrt{d})\bigr)$ (resp. $O\bigl(\log n\,(\sqrt{n/d} + d)\bigr)$) for the $(n-1)$-attack (resp. the $(n+1)$-attack), where $d$ is a divisor of $n - 1$ (resp. $n + 1$), will work in more than $2^{150}$ bit operations, compared to the optimal $2^{102}$, due to the presence of larger than normal prime divisors. Therefore, K409 is a little less secure as a KCPRNG than BBS-6800, which has a security likely around $2^{187}$.

However, KCPRNG-409 enables us to extract more than 100 bits per iteration and maintain an extremely small statistical distance (i.e., $\le 1/2^{150}$) from the uniform distribution simultaneously (see Theorem 3), which is far more efficient than the 5 bits of BBS-6800 in [33]. Figure 1 compares the performance of the BBS-6800 and KCPRNG-409 generators when generating different numbers of random bytes, where we extract 5 and 100 bits from BBS-6800 and KCPRNG-409 in each iteration, respectively.

From Fig. 1, we notice that the performance of BBS-6800 is better than that of KCPRNG-409 when a small number of random bytes (e.g., less than 7 bytes in our experiment) is extracted. However, as the number of extracted random bytes goes up, KCPRNG-409 is consistently faster than BBS-6800 and the performance gap widens gradually as well. Therefore, when compared to BBS, KCPRNG is more flexible for extracting multiple bits and can achieve much better performance at high security levels.

10 Conclusion

In this paper, we presented a new pseudo-random number generator that is related to the elliptic curve power generator. The new KCPRNG has strong cryptographic properties such as long period, uniform distribution, etc., and is provably secure under the $\ell$-Strong computational and decisional Diffie–Hellman assumptions. When compared to the well-known BBS generator on the same platform, KCPRNG is expected to provide better performance at high security levels, especially when considering multiple bit output. Additionally, KCPRNG enables users to make trade-offs between performance and security when deployed in practice.

Acknowledgements We thank the referees, whose constructive comments greatly improved the presentation
of our work.

Appendix A: Proof of Theorem 1 for the NIST polynomial bases

Theorem 5 For K163 and K233, if in (1) the $\alpha_i$ are the polynomial basis suggested by NIST (from the irreducible polynomial $p(t)$), then the period of $(s_k^{(i)})$ equals the period of $(x_k)$, namely $(n-1)/2$.

Proof First of all, let $\{\sigma_k^{(i)}\}$ be the sequence constructed with some $P_0$ of order $n$ and $r = 3$, which is a primitive root mod $n$. Call $P_k = 3^k P_0$. We claim that it is sufficient to show the theorem on $\{\sigma_k^{(i)}\}$. In fact, if $P_0' = 3^{k_0} P_0$ and $r \equiv 3^{k_r} \pmod n$ with $\gcd(k_r, n-1) = 1$, then

$$P_k' = r^k P_0' = 3^{k_r k + k_0} P_0,$$

hence $s_k^{(i)} = \sigma_{k_r k + k_0}^{(i)}$ and the period of $(s_k^{(i)})$ is the same as the period $\pi_i$ of $\{\sigma_k^{(i)}\}$, since they divide $n - 1$. We will then use the sequence $\{\sigma_k^{(i)}\}$ with $P_0$ the point suggested in the NIST standards.

Note that for all $i$, we have $\pi_i \mid (n-1)/2 = u$, since

$$P_{k+u} = 3^u P_k = -P_k,$$

hence their $x$-coordinates are equal. We next explain our method for K163. Consider

$$Q_0 = P_0, \quad Q_1 = 3^{u/3} P_0, \quad Q_2 = 3^{u/7} P_0, \quad Q_3 = 3^{u/89} P_0, \quad Q_4 = 3^{u/163} P_0,$$
$$Q_5 = 3^{u/1141450141721} P_0, \quad Q_6 = 3^{u/8405730267419952240402658413113} P_0.$$

Denote by $x(P)_i$ the $i$th bit (i.e. the coefficient of $\alpha^{i-1}$, where $p(\alpha) = 0$) of the $x$-coordinate of $P$. If for some $i$, $\pi_i < u$, then it must be a divisor of one of $u/3, u/7, u/89, \ldots$ Say it is a divisor of $u/163$, corresponding to $Q_4$. Then (we say the $i$th sequence passes the fourth test at $k$)

$$x(3^k Q_0)_i = x(3^k Q_4)_i, \qquad k = 0, 1, 2, \ldots$$

By looking at sufficiently many values of $k$, we are thus able to exclude all such equalities, for each point $Q_1, \ldots, Q_6$. Specifically, only ten sequences pass the $j$th test (for some $j$) at all $k = 0, \ldots, 6$. The sequence of the coefficient of $\alpha^{62}$, the last to be “killed”, passes the first test at $k = 0, \ldots, 13$ and fails at $k = 14$. Therefore, all sequences have $\pi_i = u$. The same approach can be followed for K233, where the coefficient of $\alpha^{115}$ passes the fifth test at $k = 0, \ldots, 9$ and fails at $k = 10$. □
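The extractor of Sect. 3 and the bit-by-bit period test of this appendix, run on K163 as one added example (not the authors' code): it implements $\mathbb{F}_{2^{163}}$ with the reduction polynomial and the NIST polynomial basis of Sect. 2.1, affine arithmetic on $E_1$, a point of order $n$, the blocks $s_k = D_m(3^k P_0)$, and the comparison of $x(3^k Q_0)_i$ with $x(3^k Q_j)_i$ for every bit $i$ and every $Q_j$. The affine formulas, the seed-point search (so $P_0$ is not the NIST base point, and the $k$ at which the last pair of sequences separates differs from the paper's 14) and all function names are this example's own choices.

```python
# Added example, not the authors' code: the Sect. 3 extractor on K163 and the period test of
# Appendix A.  K163 data are the values printed in Sect. 2.1; the basis is the NIST polynomial
# basis alpha_i = t^(i-1), so D_m(P) is the m low-order coefficients of x(P).  Affine formulas
# and the seed-point search are this example's own choices.
P_DEG = 163
REDUCTION_POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1  # p(t) of Sect. 2.1
A = 1                                                            # K163 is E_1
N = 5846006549323611672814741753598448348329118574063             # #E_1(F_2^163) = 2n
N_MINUS_1_FACTORS = [2, 3, 7, 89, 163, 1141450141721, 8405730267419952240402658413113]

# F_2^163 in the polynomial basis: bit i of a Python int is the coefficient of t^i.
def gf_reduce(r):
    while r.bit_length() > P_DEG:
        r ^= REDUCTION_POLY << (r.bit_length() - 1 - P_DEG)
    return r

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
    return gf_reduce(r)

def gf_inv(a):  # binary extended Euclid in GF(2)[t]; invariant g1*a = u, g2*a = v mod p(t)
    assert a != 0
    u, v, g1, g2 = a, REDUCTION_POLY, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return gf_reduce(g1)

def gf_half_trace(c):  # H(c) = sum of c^(4^i), i = 0..(p-1)/2; H^2 + H = c iff Tr(c) = 0
    h = s = c
    for _ in range((P_DEG - 1) // 2):
        s = gf_mul(s, s)
        s = gf_mul(s, s)
        h ^= s
    return h

# Affine arithmetic on y^2 + xy = x^3 + a x^2 + 1; None is the point at infinity.
def ec_add(P, Q):
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:  # Q = -P = (x1, x1 + y1), or P is the order-2 point (0, 1)
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
        return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def ec_mul(k, P):  # left-to-right double-and-add
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        R = ec_add(R, P) if bit == "1" else R
    return R

def seed_point(x=2):
    """First x >= 2 that lifts to a curve point, with the cofactor 2 cleared (so of order n)."""
    while True:
        inv = gf_inv(x)
        c = x ^ A ^ gf_mul(inv, inv)  # curve equation divided by x^2: z^2 + z = c with z = y/x
        z = gf_half_trace(c)
        if gf_mul(z, z) ^ z == c:     # a root exists exactly when Tr(c) = 0
            P = (x, gf_mul(x, z))
            return ec_add(P, P)
        x += 1

def extract(P, m):  # D_m(P): the first m coordinates of x(P) in the basis of (1)
    return P[0] & ((1 << m) - 1)

def kcprng(P0, r, m, count):
    """Blocks s_k = D_m(P_k) for k = 1..count, where P_k = r P_{k-1} = r^k P_0 (Sect. 3)."""
    out, P = [], P0
    for _ in range(count):
        P = ec_mul(r, P)
        out.append(extract(P, m))
    return out

def appendix_period_test(P0, kmax):
    """Appendix A with r = 3: for each bit i and each Q_j = 3^(u/q_j) P_0, look for a k with
    x(3^k Q_0)_i != x(3^k Q_j)_i.  Returns the largest k at which a pair was first told apart,
    or None if some pair still agrees for every k <= kmax (all pairs must fail for period u)."""
    u = (N - 1) // 2
    pts = [P0] + [ec_mul(pow(3, u // q, N), P0) for q in N_MINUS_1_FACTORS[1:]]
    alive = {(i, j) for i in range(P_DEG) for j in range(1, len(pts))}
    worst = 0
    for k in range(kmax + 1):
        for i, j in list(alive):
            if (pts[0][0] >> i) & 1 != (pts[j][0] >> i) & 1:
                alive.discard((i, j))
                worst = k
        pts = [ec_mul(3, P) for P in pts]
    return None if alive else worst
```

Running `appendix_period_test(seed_point(), 60)` returns the step at which the last of the 163 × 6 sequence pairs separates, which is the certificate the appendix describes; a `None` result would mean more steps are needed, not that a period is short.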


References
1. Alex W., Chor B., Goldreich O., Shub M.: RSA and Rabin functions: certain parts are as hard as the whole. SIAM J. Comput. 17, 194–209 (1988).
2. Avanzi R., Dimitrov V.S., Doche C., Sica F.: Extending scalar multiplication using double bases. In: Lai X., Chen K. (eds.) Proceedings of Asiacrypt 2006. Lecture Notes in Computer Science, vol. 4284, pp. 130–144. Springer, Berlin (2006).
3. Blum L., Blum M., Shub M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput.
15, 364–383 (1986).
4. Boneh D., Boyen X.: Short signatures without random oracles. In: Advances in Cryptology—
EUROCRYPT 2004. International Conference on the Theory and Applications of Cryptographic
Techniques, Interlaken, Switzerland, 2–6 May 2004, Proceedings, pp. 56–73 (2004).
5. Boneh D., Franklin M.: Identity based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–
615 (2003). Extended abstract in Proceedings of Crypto ’2001. Lecture Notes in Computer Science, vol.
2139. Springer, Berlin, pp. 213–229 (2001).
6. Boneh D., Shacham H., Lynn B.: Short signatures from the Weil pairing. In: Boyd C. (ed.) Advances in Cryptology—ASIACRYPT 2001. Lecture Notes in Computer Science, vol. 2248, pp. 514–532. Springer, Berlin (2001).
7. Boneh D., Boyen X., Hovav S.: Short group signatures. In: Advances in Cryptology—CRYPTO 2004, 24th
Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 2004, Proceedings,
pp. 41–55 (2004).
8. Checkoway S., Fredrikson M., Niederhagen R., Everspaugh A., Green M., Lange T., Ristenpart T., Bernstein D.J., Maskiewicz J., Shacham H.: On the practical exploitability of dual EC in TLS implementations. In: Proceedings of the 23rd USENIX Conference on Security Symposium, SEC’14, pp. 319–335. USENIX Association, Berkeley, CA, USA (2014).
9. Checkoway S., Maskiewicz J., Garman C., Fried J., Cohney S., Green M., Heninger N., Weinmann R.-P.,
Rescorla E., Shacham H.: A systematic analysis of the juniper dual EC incident. In: Proceedings of the
2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, pp. 468–479.
ACM, New York, NY, USA (2016).
10. Cheon J.H.: Security analysis of the strong Diffie–Hellman problem. In: Proceedings of EUROCRYPT
2006. Lecture Notes in Computer Science, vol. 4004, pp. 1–11. Springer, Heidelberg (2006).
11. Ciss A.A., Sow D.: On randomness extraction in elliptic curves. In: Proceedings of AFRICACRYPT
2011. Lecture Notes in Computer Science, vol. 6737, pp. 290–297. Springer, Heidelberg (2011).
12. Dimitrov V., Howe E.: Lower bounds on the lengths of double-base representations. Proc. Am. Math.
Soc. 139(10), 3423–3430 (2011).
13. Dimitrov V., Imbert L., Mishra P.K.: The double-base number system and its application to elliptic curve
cryptography. Math. Comput. 110(22), 1003–1006 (2010).
14. Doche C., Kohel D.R., Sica F.: Double-base number system for multi-scalar Multiplications. In: Joux
A. (ed.) Proceedings of EUROCRYPT. Lecture Notes in Computer Science, vol. 5479, pp. 502–517.
Springer, Heidelberg (2009).

123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Secure simultaneous bit extraction from Koblitz curves 13

15. Farashahi R.R., Schoenmakers B., Sidorenko A.: Efficient pseudorandom generators based on the DDH
assumption. In: Proceedings of PKC 2007. Lecture Notes in Computer Science, vol. 4450, pp. 426–441.
Springer, Heidelberg (2007).
16. Farashahi R.R., Pellikaan R., Sidorenko A.: Extractors for binary elliptic curves. Des. Codes Cryptogr.
49(1–3), 171–186 (2008).
17. Golomb S.W., Gong G.: Signal design for good correlation: for wireless communication, cryptography,
and radar applications. Cambridge University Press, Cambridge (2005).
18. Gong G., Berson T.A., Stinson D.R.: Elliptic curve pseudorandom sequence generators. In: Selected Areas
in Cryptography, 6th Annual International Workshop, SAC’99, Kingston, ON, Canada, 9–10 August 1999,
Proceedings, pp. 34–48 (1999).
19. Hankerson D., Menezes A., Vanstone S.: Guide to Elliptic Curve Cryptography. Springer Professional
Computing. Springer, New York (2004).
20. Joux A.: A one round protocol for tripartite Diffie–Hellman. In: Bosma W. (ed.) Algorithmic Number
Theory, 4th International Symposium, ANTS-IV. Lecture Notes in Computer Science, vol. 1838, pp.
385–394. Springer, Berlin (2000).
21. Koblitz N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987).
22. Lidl R., Niederreiter H.: Finite fields. With a foreword. In: Cohn P.M. (ed.) Encyclopedia of Mathematics
and Its Applications, vol. 20. Cambridge University Press, Cambridge (1997).
23. Liu H.: A family of elliptic curve pseudorandom binary sequences. Des. Codes Cryptogr. 73(1), 251–265
(2014).
24. Liu H., Zhan T., Wang X.: Large families of elliptic curve pseudorandom binary sequences. Acta Arith.
140, 135–144 (2009). Instytut Matematyczny PAN.
25. Mérai L.: Remarks on pseudorandom binary sequences over elliptic curves. Fundam. Inf. 114(3–4),
301–308 (2012).
26. Mérai L.: On the elliptic curve power generator. Unif. Distrib. Theory 9(2), 59–65 (2014).
27. Mérai L.: On pseudorandom properties of certain sequences of points on elliptic curve. In: Arithmetic
of Finite Fields—6th International Workshop, WAIFI 2016, Ghent, Belgium, 13–15 July 2016, Revised
Selected Papers, pp. 54–63 (2016).
28. Mérai L.: On the elliptic curve endomorphism generator. Des. Codes Cryptogr. Bd. 85, S. 121–128 (2017).
29. Mérai L., Winterhof A.: On the linear complexity profile of some sequences derived from elliptic curves.
Des. Codes Cryptogr. 81(2), 259–267 (2016).
30. Miller V.S.: Use of elliptic curves in cryptography. In: Williams H.C. (ed.) Advances in Cryptology—
Proceedings of CRYPTO 1985, vol. 218, pp. 417–426. Lecture Notes in Computer ScienceSpringer, New
York (1986).
31. Schoenmakers B., Sidorenko A.: Cryptanalysis of the dual elliptic curve pseudorandom generator. IACR
Cryptology. ePrint Archive 2006, p. 190 (2006).
32. Shparlinski I.E.: Pseudorandom number generators from elliptic curves. Contemp. Math. 9, 121–141
(2009).
33. Sidorenko A., Schoenmakers B.: Concrete security of the Blum–Blum–Shub pseudorandom generator.
In: Cryptography and Coding, 10th IMA International Conference, Cirencester, UK, 19–21 December
2005, Proceedings. Lecture Notes in Computer Science, vol. 3796, pp. 355–375. Springer, Berlin (2005).
34. Vazirani U.V., Vazirani V.V.: Efficient and secure pseudo-random number generation (extended abstract).
In: 25th Annual Symposium on Foundations of Computer Science (FOCS), West Palm Beach, Florida,
USA, 24–26 October 1984, pp. 458–463. IEEE Computer Society, Philadelphia (1984).

123
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Terms and Conditions
Springer Nature journal content, brought to you courtesy of Springer Nature Customer Service Center
GmbH (“Springer Nature”).
Springer Nature supports a reasonable amount of sharing of research papers by authors, subscribers
and authorised users (“Users”), for small-scale personal, non-commercial use provided that all
copyright, trade and service marks and other proprietary notices are maintained. By accessing,
sharing, receiving or otherwise using the Springer Nature journal content you agree to these terms of
use (“Terms”). For these purposes, Springer Nature considers academic use (by researchers and
students) to be non-commercial.
These Terms are supplementary and will apply in addition to any applicable website terms and
conditions, a relevant site licence or a personal subscription. These Terms will prevail over any
conflict or ambiguity with regards to the relevant terms, a site licence or a personal subscription (to
the extent of the conflict or ambiguity only). For Creative Commons-licensed articles, the terms of
the Creative Commons license used will apply.
We collect and use personal data to provide access to the Springer Nature journal content. We may
also use these personal data internally within ResearchGate and Springer Nature and as agreed share
it, in an anonymised way, for purposes of tracking, analysis and reporting. We will not otherwise
disclose your personal data outside the ResearchGate or the Springer Nature group of companies
unless we have your permission as detailed in the Privacy Policy.
While Users may use the Springer Nature journal content for small scale, personal non-commercial
use, it is important to note that Users may not:

1. use such content for the purpose of providing other users with access on a regular or large scale
basis or as a means to circumvent access control;
2. use such content where to do so would be considered a criminal or statutory offence in any
jurisdiction, or gives rise to civil liability, or is otherwise unlawful;
3. falsely or misleadingly imply or suggest endorsement, approval , sponsorship, or association
unless explicitly agreed to by Springer Nature in writing;
4. use bots or other automated methods to access the content or redirect messages
5. override any security feature or exclusionary protocol; or
6. share the content in order to create substitute for Springer Nature products or services or a
systematic database of Springer Nature journal content.
In line with the restriction against commercial use, Springer Nature does not permit the creation of a
product or service that creates revenue, royalties, rent or income from our content or its inclusion as
part of a paid for service or for other commercial gain. Springer Nature journal content cannot be
used for inter-library loans and librarians may not upload Springer Nature journal content on a large
scale into their, or any other, institutional repository.
These terms of use are reviewed regularly and may be amended at any time. Springer Nature is not
obligated to publish any information or content on this website and may remove it or features or
functionality at our sole discretion, at any time with or without notice. Springer Nature may revoke
this licence to you at any time and remove access to any copies of the Springer Nature journal content
which have been saved.
To the fullest extent permitted by law, Springer Nature makes no warranties, representations or
guarantees to Users, either express or implied with respect to the Springer nature journal content and
all parties disclaim and waive any implied warranties or warranties imposed by law, including
merchantability or fitness for any particular purpose.
Please note that these rights do not automatically extend to content, data or other material published
by Springer Nature that may be licensed from third parties.
If you would like to use or distribute our Springer Nature journal content to a wider audience or on a
regular basis or in any other manner not expressly permitted by these Terms, please contact Springer
Nature at

onlineservice@springernature.com

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy