Abstract
In this paper, efficient algorithms are given for inferring sequences produced by certain pseudo-random number generators. The generators considered are all of the form $X_n = \sum_{j=1}^{k} \alpha_j \varphi_j(X_0, X_1, \ldots, X_{n-1}) \pmod{m}$. In each case, we assume that the functions $\varphi_j$ are known and polynomial-time computable, but that the coefficients $\alpha_j$ and the modulus $m$ are unknown. Using this general method, specific examples of generators having this form, namely the linear congruential method, linear congruences with $n$ terms in the recurrence, and quadratic congruences, are shown to be cryptographically insecure.
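As an added illustration of the linear congruential case (this is example code, not the paper's own algorithm), the following Python recovers the unknown $a$, $c$ and $m$ of $X_{n+1} = aX_n + c \pmod{m}$ from a handful of consecutive outputs, using the standard difference-sequence and gcd-of-determinants approach, and then predicts the next output; the generator parameters and seed are constructed sample values.

```python
from math import gcd
from functools import reduce


def lcg(seed, a, c, m, n):
    """Constructed sample generator: X_{i+1} = a*X_i + c (mod m); returns n outputs."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def recover_lcg(xs):
    """Recover (a, c, m) from consecutive LCG outputs xs with a, c, m all unknown.

    Differences t_i = X_{i+1} - X_i satisfy t_{i+1} = a*t_i (mod m), so every
    integer t_{i+1}^2 - t_i*t_{i+2} is a multiple of m.  The gcd of several of
    them is m, or a small multiple of m that extra samples normally shrink to m.
    Needs at least 5 outputs (3 determinants give a reliable gcd in practice).
    """
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    dets = [t[i + 1] ** 2 - t[i] * t[i + 2] for i in range(len(t) - 2)]
    m = reduce(gcd, (abs(d) for d in dets), 0)
    if m == 0:
        raise ValueError("need more samples to recover the modulus")
    # a = t_1 * t_0^{-1} (mod m); pow raises ValueError if t_0 is not invertible
    a = (t[1] * pow(t[0], -1, m)) % m
    c = (xs[1] - a * xs[0]) % m
    return a, c, m


def consistent(xs, a, c, m):
    """Sanity check: do the recovered parameters reproduce every observed step?"""
    return all((a * xs[i] + c) % m == xs[i + 1] for i in range(len(xs) - 1))


def predict_next(xs):
    """Predict the output following xs using only the observed values."""
    a, c, m = recover_lcg(xs)
    if not consistent(xs, a, c, m):
        raise ValueError("recovered parameters do not fit the observations")
    return (a * xs[-1] + c) % m


if __name__ == "__main__":
    sample = lcg(seed=5, a=7, c=3, m=101, n=9)   # constructed: a=7, c=3, m=101
    print(sample[:8], "->", recover_lcg(sample[:8]), "next:", predict_next(sample[:8]))
```

With the constructed sample the eight observed outputs already pin down $a=7$, $c=3$, $m=101$ and the ninth output exactly, which is the sense in which such a generator is "cryptographically insecure".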
Inferring sequences produced by pseudo-random number generators