The Pseudo-Randomness in Cryptographic Applications Papers
Authors: M. Bellare, S. Goldwasser and D. Micciancio
Abstract: The DSS signature algorithm requires the signer to generate a new random number with every signature. We show that if the random numbers for DSS are generated using a linear congruential pseudorandom number generator (LCG), then the secret key can be quickly recovered after seeing a few signatures. This illustrates the high vulnerability of the DSS to weaknesses in the underlying random number generation process. It also confirms that a sequence produced by an LCG is not only predictable, as has been known before, but should be used with extreme caution even within cryptographic applications that would appear to protect this sequence. The attack we present applies to truncated linear congruential generators as well, and can be extended to any pseudorandom generator that can be described via modular linear equations.
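The following is an added worked example, not code from the paper or its authors, illustrating the simplest case of the attack described in the abstract: a DSA signer whose per-signature nonce k comes from an LCG whose modulus equals q and whose multiplier and increment the attacker knows. Two signatures then give two DSA equations plus one LCG equation in the three unknowns k1, k2, x, and the private key x falls out by linear algebra mod q. The group parameters (p = 2039, q = 1019, g = 4), the LCG constants, the messages and the seed are all constructed toy values for illustration and are not secure; the truncated-LCG and general-modulus cases the paper also covers need lattice techniques and are not shown here.

```python
"""
Toy DSA with an LCG-driven nonce, and the key-recovery attack.

Added example, not code from the paper or its authors. Constructed toy
parameters: p = 2039, q = 1019 (p = 2q + 1), g = 4 of order q. The LCG
modulus is taken to equal q, and its multiplier/increment are assumed
known to the attacker (the purely linear case).
"""
import hashlib
import random

P, Q, G = 2039, 1019, 4               # constructed toy parameters, NOT secure
assert G != 1 and pow(G, Q, P) == 1   # g generates the order-q subgroup

# Constructed LCG constants: k_{i+1} = LCG_A * k_i + LCG_B (mod Q).
LCG_A, LCG_B = 137, 401


def H(msg: bytes) -> int:
    """Hash a message to an integer mod q (SHA-1, as DSS does, reduced mod q)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q


class LcgSigner:
    """A DSA signer whose per-signature nonce k is drawn from an LCG."""

    def __init__(self, x: int, seed: int):
        self.x = x                 # private key
        self.state = seed % Q      # current LCG state (next k to be used)

    def next_k(self) -> int:
        k = self.state
        self.state = (LCG_A * k + LCG_B) % Q
        return k

    def sign(self, msg: bytes):
        h = H(msg)
        while True:                # DSS: redraw k if k, r or s is zero
            k = self.next_k()
            if k == 0:
                continue
            r = pow(G, k, P) % Q
            if r == 0:
                continue
            s = (pow(k, -1, Q) * (h + self.x * r)) % Q
            if s == 0:
                continue
            return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (H(msg) * w) % Q, (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def lcg_power(n: int):
    """Return (A_n, B_n) such that k_{i+n} = A_n * k_i + B_n (mod Q)."""
    a, b = 1, 0
    for _ in range(n):
        a, b = (LCG_A * a) % Q, (LCG_A * b + LCG_B) % Q
    return a, b


def recover_x(h1, sig1, h2, sig2, n: int):
    """
    Solve for x from two signatures whose nonces satisfy k2 = A_n*k1 + B_n.
    From s_i*k_i = h_i + x*r_i we have k_i = s_i^-1 (h_i + x r_i), so
        s2^-1 (h2 + x r2) = A_n * s1^-1 (h1 + x r1) + B_n   (mod q),
    which is linear in x.  Returns None if the coefficient of x vanishes.
    """
    an, bn = lcg_power(n)
    (r1, s1), (r2, s2) = sig1, sig2
    w1, w2 = pow(s1, -1, Q), pow(s2, -1, Q)
    coeff = (w2 * r2 - an * w1 * r1) % Q
    if coeff == 0:
        return None
    const = (an * w1 * h1 + bn - w2 * h2) % Q
    return (const * pow(coeff, -1, Q)) % Q


def attack(y: int, msgs, sigs, max_steps: int = 4):
    """
    Try consecutive signature pairs, allowing for a few discarded LCG draws
    between them (DSS rejects nonces giving r = 0 or s = 0), and return the
    first candidate x that matches the public key.
    """
    for i in range(len(sigs) - 1):
        h1, h2 = H(msgs[i]), H(msgs[i + 1])
        for n in range(1, max_steps + 1):
            x = recover_x(h1, sigs[i], h2, sigs[i + 1], n)
            if x is not None and pow(G, x, P) == y:
                return x
    return None


def demo(seed: int = 2024):
    """Generate a key, sign four constructed messages, recover the key."""
    rng = random.Random(seed)
    x = rng.randrange(1, Q)
    y = pow(G, x, P)
    signer = LcgSigner(x, seed=rng.randrange(1, Q))
    msgs = [b"transfer 10", b"transfer 20", b"transfer 30", b"transfer 40"]
    sigs = [signer.sign(m) for m in msgs]
    assert all(verify(y, m, s) for m, s in zip(msgs, sigs))
    return x, attack(y, msgs, sigs)


if __name__ == "__main__":
    x, recovered = demo()
    print(f"private key {x}, recovered {recovered}")
```

The attacker never needs the LCG seed: the signatures themselves pin down k1 and k2 once the affine relation between them is known, and any wrong guess about how many nonces the signer discarded is rejected by checking the candidate against the public key.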
Ref: Extended abstract in Advances in Cryptology - CRYPTO '97 Proceedings, Lecture Notes in Computer Science Vol. 1294, B. Kaliski ed., Springer-Verlag, 1997. Full paper available below.
Full paper: Available in postscript.