Mathematical Problems in Engineering

Volume 2015, Article ID 257904, 16 pages

http://dx.doi.org/10.1155/2015/257904

## Pseudorandom Bit Sequence Generator for Stream Cipher Based on Elliptic Curves

Department of Electronics and Communication Engineering, National Institute of Technology, Calicut, Kerala 673 601, India

Received 1 April 2015; Revised 17 August 2015; Accepted 24 August 2015

Academic Editor: David Bigaud

Copyright © 2015 Jilna Payingat and Deepthi P. Pattathil. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

This paper proposes a pseudorandom sequence generator for stream ciphers based on elliptic curves (EC). A detailed analysis of various EC based random number generators available in the literature is done and a new method is proposed such that it addresses the drawbacks of these schemes. Statistical analysis of the proposed method is carried out using the NIST (National Institute of Standards and Technology) test suite and it is seen that the sequence exhibits good randomness properties. The linear complexity analysis shows that the system has a linear complexity equal to the period of the sequence, which is highly desirable. The statistical complexity and security against known-plaintext attack are also analysed. A comparison of the proposed method with other EC based schemes is done in terms of throughput, periodicity, and security, and the proposed method outperforms the methods in the literature. For resource constrained applications where a highly secure key exchange is essential, the proposed method provides a good option for encryption by time sharing the point multiplication unit for EC based key exchange. The algorithm and architecture for implementation are developed in such a way that the hardware consumed in addition to the point multiplication unit is much less.

#### 1. Introduction

Wireless sensor networks have a wide range of applications such as habitat monitoring, home automation, and military and medical applications [1, 2]. Compared to conventional wireless networks, wireless sensors have limited resources that demand cryptographic solutions with reduced complexity. Due to their resource constrained nature, WSNs employ symmetric key encryption techniques that necessitate key management schemes suitable for these constrained applications. A detailed analysis of the proposals available in the literature for key distribution shows that only the one-way function based schemes can provide security when a node is compromised in the initialisation phase. The lightweight cryptographic algorithms based on random key predistribution [3, 4], polynomial based key distribution [5], and so forth offer no security in this scenario. All these schemes assume that a node cannot be compromised in the initialisation phase, which is not true. For such schemes the time-out period of the initialisation phase cannot be kept large because it increases the probability that a node is compromised in the initialisation phase. On the other hand, if the time-out period is kept small, then the connectivity of the network is affected. So there exists a trade-off between security and connectivity in such schemes, whereas for the one-way function based methods no such trade-off exists. Thus for high security applications like military or medical applications, the one-way function based key management schemes are preferred.

Elliptic curve cryptography (ECC) is a promising solution in such scenarios because of the increased security per bit of the key, compared to other one-way functions [6–8]. All sensor networks require a message authentication code (MAC) and a pseudorandom generator for secret key establishment and data transfer. If these two functions are implemented using standalone algorithms like SHA and AES along with ECC for key exchange, then the overall hardware complexity of the system will be very high. If the point multiplication unit used for key exchange can be time shared to perform the other two functions, the complexity of the entire system can be reduced. In this paper, an EC based pseudorandom sequence generator is proposed. The proposed method is developed in such a way that the hardware required to build the pseudorandom bit sequence generator in addition to the EC point multiplication unit is much less. So this provides a highly suitable option for lightweight encryption in systems using EC based key exchange.

#### 2. Related Works

In [9] Blum and Micali introduced the concept of generating a CSPBSG (cryptographically strong pseudorandom bit sequence generator) using a cryptographic one-way function. Since then there have been several approaches which make use of the cryptographic one-way operation of EC point multiplication for constructing stream ciphers. The concept of the linear congruential generator is extended to EC and a generator for a pseudorandom bit sequence from points on the elliptic curve is described in [10]. The sequence is proved to have good randomness properties but the security is dependent on the secrecy of the base point . In 2000 Shparlinski introduced the Naor-Reingold generator [11]. The seed is a vector of random integers given as . The key for the th iteration is where . The output bit sequence is generated by applying a truncation function to the -coordinate of the point in each iteration. The security of the random number generator is vested in the ECDLP but the number of input random bits required to generate the sequence is high. The elliptic curve power generator (ECPG) [12] published in 2005 makes use of an integer as the random seed. The th iteration key is and the output point is . The bit sequence is generated by truncating the -coordinate of the output point. The periodicity of the generator is very low and the period reveals some of the properties of the seed . The pseudorandom sequence generator based on EC published in [13] makes use of a single point multiplication in each iteration. The output bit sequence is the -coordinate of the output point sequence which is generated as where . The sequence is proved to have good statistical properties but the security analysis is not done. The dual EC generator proposed by Elaine Barker and John Kelsey was chosen as a standard random number generator by NIST [14]. The random seed is an integer and makes use of two points and on the EC. The iteration key is and the output point is .
The output of the generator is where is the truncation function. The periodicity of the generator is found to be very low because of the method used for generating the iterating key. To increase the periodicity the iterating key is modified as . But then it is found that as the sequence becomes independent of the seed. New stream cipher designs based on EC are proposed in [15]. The three algorithms proposed are derived from the dual EC generator, the linear congruential generator, and the Naor-Reingold generator. The authors have proved that the sequences generated using these algorithms have large periodicity, but the hardware complexity is high. A stream cipher based on the ECDLP is described in [16]. The method consists of three stages of operation: (i) initialization stage, (ii) key stream generation, and (iii) encryption stage. The mapping of the key to a point on the EC is carried out in the initialization stage, which increases the hardware and computational complexity and makes it less suitable for resource constrained applications. A key generation based on EC over a finite prime field is published in 2012 [17]. The output is generated by truncating the -coordinate of the point where is the random value from the LFSR and ’s are points on the EC. The method described requires a lot of parameters, that is, the feedback polynomial of the LFSR, seed value, EC parameters, and so forth, to be kept secret. The security of the sequence depends entirely on the secrecy of these parameters.

#### 3. Mathematical Background

Elliptic curves (EC) over a field are the set of points that satisfy the Weierstrass equation given as

The variables , and the constants , and are all elements of the field . The definition of EC also includes a single element called the “point at infinity” or the “zero point” denoted by .

The set of points on an EC is an abelian group under an addition operation, and is the identity element. The addition operation is defined such that if , , and are three points on EC lying on the same straight line, then .

The cryptographic operation on EC is point multiplication. Given an integer “” and a point on the EC, computing “” where “” is a new point on the EC is called point multiplication. This is a one-way function because computing “” is easy but, given and , finding “” is difficult. This is known as the elliptic curve discrete logarithm problem (ECDLP). The EC defined over (Galois field) are more suitable for hardware implementation. These curves are classified as supersingular and nonsupersingular curves. The MOV (Menezes, Okamoto, and Vanstone) reduction method shows that the ECDLP is harder in nonsupersingular curves [19]. Point addition and point doubling are the two mathematical operations defined on an EC. Point multiplication is done by repeated point addition and doubling.

Rules for point addition and point doubling on nonsupersingular curves over are as follows.

(1) Point addition: if and , then is

(2) Point doubling: if , then is given by

The security of EC point multiplication is increased by truncating the “” bit representation of the -coordinate of the point to “” bits and giving out as output. In [20] the authors have proved that, for an EC defined over , if the “” bit representation of the -coordinate is truncated to “” bits, the statistical distance between the output of truncation function and a random “” bit string is . Hence it is hard to determine whether a sequence is generated by truncating the -coordinate of a point on the EC or if it is chosen uniformly at random. This is known as truncation point problem (TPP).
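The group law and point multiplication described in this section, as an added example that is not code from the paper: a nonsupersingular binary curve y^2 + xy = x^3 + A x^2 + B over GF(2^m) with the addition and doubling rules above, and double-and-add for the one-way direction of the ECDLP. The field size (m = 4), reduction polynomial (x^4 + x + 1 with root g) and curve constants (A = g^4, B = 1) are assumed toy values chosen so results can be checked by hand; they are far too small for any real use.

```python
# Added example (not from the paper): the group law of Section 3 on a
# nonsupersingular binary curve y^2 + xy = x^3 + A x^2 + B over GF(2^m).
# Field elements are ints whose bit i is the coefficient of g^i. Assumed toy
# parameters: m = 4, reduction polynomial x^4 + x + 1 with root g, A = g^4, B = 1.
M, POLY, A, B = 4, 0b10011, 0b0011, 0b0001   # g^4 = g + 1 = 0b0011
INF = None                                   # point at infinity (identity)

def gf_mul(a, b):
    """Multiply in GF(2^m): shift-and-add with reduction by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= POLY
    return r

def gf_inv(a):
    """Inverse as a^(2^m - 2) by square-and-multiply (a != 0)."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def point_add(p, q):
    """Addition / doubling rules of Section 3; the negative of (x, y) is (x, x + y)."""
    if p is INF or q is INF:
        return q if p is INF else p
    (x1, y1), (x2, y2) = p, q
    if x1 != x2:                                  # addition, lambda = (y1+y2)/(x1+x2)
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
        return x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    if y1 != y2 or x1 == 0:                       # q == -p, or doubling the 2-torsion point
        return INF
    lam = x1 ^ gf_mul(y1, gf_inv(x1))             # doubling, lambda = x1 + y1/x1
    x3 = gf_mul(lam, lam) ^ lam ^ A
    return x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)

def point_mul(k, p):
    """kP by double-and-add: the easy direction of the ECDLP one-way function."""
    r = INF
    for bit in bin(k)[2:]:
        r = point_add(r, r)
        if bit == "1":
            r = point_add(r, p)
    return r
```

With P = (g^6, g^8) = (12, 5) on this curve, 2P = (g^10, g^8), 3P = (g^3, g^13) and 4P = (1, g^13), which can be verified by hand from the power table of g.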

#### 4. Analysis of EC Based Pseudorandom Sequence Generators

In this section, the analysis of various EC based pseudorandom sequence generators available in the literature is carried out. For analysis the EC chosen is defined over . A point on the EC means where is the root of the polynomial used for constructing the finite field.

##### 4.1. EC Based Linear Congruential Generator

In EC based linear congruential generator, the output point sequence is generated as where is the iteration number and is a point on the elliptic curve which is kept secret. The sequence passes through the complete cyclic subgroup of point . Thus the period of the sequence reveals the order of point which reduces the search space to a smaller value. The symmetric properties of the generated sequence also help to make cryptanalysis easier. The detailed cryptanalysis of this generator is given in [15]. Though the sequence has a good linear span and statistical properties, it cannot be used as key stream for stream cipher because of reduced security.

##### 4.2. PBSG-B

PBSG-B in [15] is a modification of the EC based linear congruential generator such that the periodicity is independent of the order of point and the output sequence does not have the symmetric properties that make cryptanalysis easier. For security, the authors assume that both point and the seed of the LFSR are kept secret. But the analysis shows that the security is dependent only on the secrecy of point , which cannot be quantified.

For analysis, assume point is known to the attacker. The attacker can generate the entire sequence by choosing an arbitrary value as the seed of the LFSR. As the LFSR passes through the same sequence of states, the output bit sequence generated will only be a shifted version of the original sequence. If a part of the key stream is known to the attacker (considering a known-plaintext attack), the shift can be easily computed from the plot of the cross-correlation of the generated sequence and the known bit sequence. Let the EC be defined over . The feedback polynomial of the LFSR is , , and the initial seed . Assume the attacker knows a few initial bits of the sequence, that is, 10100011010001010011110010110. Let the initial seed chosen by the attacker to generate the sequence be 42. The plot of the cross-correlation between the sequence generated with and the known sequence is given in Figure 1. From the position of the peak value in the cross-correlation function, the position of the known sequence and hence the LFSR seed (LFSR value at the 31st iteration = 126) can be easily determined.
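The observation above, that every LFSR seed produces a cyclic shift of the same key stream once the point is known, as an added example that is not code from the paper: the LFSR (a 7-bit register with feedback from bits 7 and 1, period 127) and the output function f (parity of the state, standing in for the truncated x-coordinate of point multiplication) are assumed stand-ins, since the paper's field, feedback polynomial and seed are not reproduced here. The cross-correlation peak identifies the shift, and the state at that shift is the original seed, which is why the seed contributes no secrecy.

```python
# Added example (not from the paper): the Section 4.2 observation that, once
# the EC point is known, PBSG-B's LFSR seed adds no secrecy. Each key-stream
# bit is a fixed function f of the LFSR state and every nonzero seed walks the
# same cycle of states, so any seed yields a cyclic shift of one sequence and
# a known prefix locates that shift by cross-correlation. Assumed stand-ins:
# a 7-bit LFSR with feedback from bits 7 and 1 (primitive, period 127) and
# f = parity of the state, in place of the paper's truncated x-coordinate.
DEGREE, TAPS = 7, (7, 1)
PERIOD = (1 << DEGREE) - 1

def lfsr_states(seed, n):
    """First n states of the Fibonacci LFSR started from a nonzero seed."""
    s, states = seed & PERIOD, []
    for _ in range(n):
        states.append(s)
        fb = 0
        for t in TAPS:
            fb ^= (s >> (t - 1)) & 1
        s = ((s << 1) | fb) & PERIOD
    return states

def key_stream(seed, n):
    """One key-stream bit per state: f(state) = parity (stand-in for f)."""
    return [bin(s).count("1") & 1 for s in lfsr_states(seed, n)]

def cross_correlation(known, seq):
    """C(d) = agreements minus disagreements of `known` with seq shifted by d."""
    n = len(seq)
    return [sum(1 if known[i] == seq[(d + i) % n] else -1 for i in range(len(known)))
            for d in range(n)]

def recover_seed(known, guess_seed):
    """Regenerate a full period from any seed, find the peak shift, read off the real seed."""
    seq = key_stream(guess_seed, PERIOD)
    corr = cross_correlation(known, seq)
    shift = corr.index(max(corr))
    return shift, lfsr_states(guess_seed, PERIOD)[shift]
```

Because the parity of consecutive register windows is itself an m-sequence, any 7 or more known consecutive bits fix the shift uniquely, so the peak in the correlation is unambiguous.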