Prime Numbers

402 Chapter 8 THE UBIQUITY OF PRIME NUMBERS
1998], it is shown that most of the bits of xn can be kept, and the result is
still cryptographically secure. There is thus much less computation per bit.
There are many other generators in current use, such as shift-register,
chaotic, and cellular-automata (CA) generators. Some generators have been
cryptographically “broken,” notably the simpler congruential ones, even if
the linear congruence is replaced with higher polynomial forms [Lagarias
1990]. One dilemma that besets researchers in this field is that the generators
that may well be quite “secure,” such as the discrete exponential variety
that in turn depends on the DL problem for its security, are sluggish.
Incidentally, there are various standard randomness tests, especially as regard
random generation of binary bits, which can often be invoked to demolish—
alternatively to bestow some measure of confidence upon—a given generator
[Menezes et al. 1997].
On the issue of security, an interesting idea due to V. Miller is to use
a linear-congruential generator, but with elliptic addition. Given an elliptic
curve E over a finite field, one might choose integer a and point B ∈ E and
iterate
Pn+1 =[a]Pn + B, (8.1)
where the addition is elliptic addition and now the seed will be some initial
point P0 ∈ E. One might then use the x-coordinate of Pn as a random
field element. This scheme is not as clearly breakable as is the ordinary
linear congruential scheme. It is of interest that certain multipliers a, suchas
powers of two, would be relatively efficient because of the implied simplicity
of the elliptic multiplication ladder. Then, too, one could perhaps use reduced
operations inherent in Algorithm 7.2.8. In other words, use only x-coordinates
and live with the ambiguity in [a]P ± B, never actually adding points per se,
but having to take square roots.
Incidentally, a different approach to the use of elliptic curves for random
generators appears in [Gong et al. 1999], where the older ideas of shift registers
and codewords are generalized to curves over F2m (see Exercise 8.29).
Along the same lines, let us discuss for a moment the problem of random
bit generation. Surely, one can contemplate using some bit—such as the lowest
bit—of a “good” random-number generator. But one wonders, for example,
whether the calculation of Legendre symbols appropriate to point-finding on
elliptic curves,
3 x + ax + b
= ±1,
p
with x running over consecutive integers in an interval and with the (rare)
zero value thrown out, say, constitute a statistically acceptable random walk
of ±1 values. And one wonders further whether the input of x into a Legendresymbol
machine, but from a linear-congruential or other generator, provides
extra randomness in any statistical sense.
Such attempts at random bit streams should be compared statistically to
the simple exclusive-or bit generators. An example given in [Press et al. 1996]