| Plumstead, J., "Inferring a Sequence Generated by a Linear Congruence", 23 FOCS, 1982, pp 153-159. |
....$x_i + b) \bmod m$. Knuth's book [Knu69] contains a thorough discussion of these generators. In case all the bits of the successive $x_i$'s are announced, the sequence becomes exactly predictable even if the modulus, the multiplier and the increment are not known. This is a result of J. Boyar (see [Plu82]). The journal version [Boy89], which appeared after [Ste87], extends the initial method to the case where a small portion of the lower bits are discarded. The idea of outputting the leading bits of each of the $x_i$'s in order to increase the resistance of the LCG goes back to Knuth [Knu80] ....
J. Plumstead. Inferring a sequence generated by a linear congruence. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, pages 153--159, Chicago, 1982. IEEE.
....random number generators are also insecure. These generators use the recurrence $X_{i+1} = aX_i + b \pmod m$ (8) to generate an output sequence $\{X_0, X_1, \ldots\}$ from secret parameters a, b, and m, and starting point $X_0$. It is possible to infer the secret parameters given just a few of the $X_i$ [125]. Even if only a fraction of the bits of each $X_i$ are revealed, but a, b, and m are known, Frieze, Hastad, Kannan, Lagarias, and Shamir show how to determine the seed $X_0$ (and thus the entire sequence) using the marvelous lattice basis reduction (or $L^3$) algorithm of Lenstra, Lenstra, and ....
J. Plumstead. Inferring a sequence generated by a linear congruence. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, pages 153-159, IEEE, Chicago, 1982.
....and the discrete log problem over elliptic curves. There appears to be a tradeoff between the speed of the pseudorandom bit generator and the unpredictability of bits generated. On the fast side we have the linear congruential generator over integers mod n, but the sequence is predictable ([Plu82]). On the slower side are the cryptographically strong generators in which no bits can be predicted ([BM84]). In this paper linear congruential generators over elliptic curves are examined. One might hope that this would be a fast, unpredictable generator (Kaliski lists this as an open problem in ....
....Elliptic Curves. The linear congruential generator is commonly used in practice. The seed consists of a list of constants a, b, n, and $x_0$. The numbers output are $x_0, x_1, x_2, \ldots$, where $x_i$ is determined by the recurrence $x_{i+1} = ax_i + b \pmod n$. However, this generator is insecure ([Plu82], [FKL84]). In [Plu82] it is first shown that computing the constants a, b and n is reducible to computing an $a'$ and n such that $y_{k+1} = a' y_k \pmod n$, which generates a sequence of differences (i.e. $y_k = x_k - x_{k-1}$). Then the following algorithm gives a and b. If $y_1 = 0$ then ....
[Article contains additional citation context not shown here]
Plumstead, J., Inferring a sequence generated by a linear congruence. In Proceedings of the Twenty-third Annual Symposium on Foundations of Computer Science, pages 153-159, 1982.
....spite of this extensive literature, it appears that until now no one has extended the Berlekamp-Massey algorithm so as to find the shortest linear recurrence that will generate a given sequence of numbers modulo m, where m is an arbitrary (but known) integer. For the case when m is unknown, see [24], [25]. In this note we describe such an algorithm. The original algorithm ([1], [21]) fails in this case because not all numbers have inverses modulo m, and other versions such as those involving the Euclidean algorithm [32] fail because certain polynomial rings are no longer principal ....
J. B. Plumstead, Inferring a sequence generated by a linear congruence, in 23rd Annual Symposium on Foundations of Computer Science, IEEE Press, NY, 1982, pp. 153-159.
....is only guaranteed asymptotically. In a particular example, one cannot compute exact bounds on the size of the seed needed. Third, most such generators are too inefficient to be used in practice. Linear congruential generators, although known not to be cryptographically secure (see e.g. [FKL], [P]), continue to be used in practice. Because of these disadvantages, work has been done to construct good generators for more specific tasks. For example, Santha [Sa] and Sipser [Si] introduced the notion of a quasi-perfect pseudorandom generator. A quasi-perfect prg can be used to decrease the ....
J. Plumstead, "Inferring a Sequence Generated by a Linear Congruence," 24th FOCS, 1983.
....and show good statistical behavior when their parameters are well chosen. However, efficient algorithms have been designed to infer sequences produced by linear congruential generators, even when the multiplier, increment and modulus are unknown, by looking at the first few numbers generated (Plumstead (1982)). Discarding the low-order bits of the numbers in the output still fails to assure unpredictability (Boyar (1989a), Stern (1987), Frieze et al. (1984, 1988)). Finally, general results for multiple linear congruential recurrences and for one-term polynomial congruential recurrences of an arbitrary ....
Plumstead, J. B. (Boyar) (1982). Inferring a Sequence Generated by a Linear Congruence. Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, 153--159.
J. Plumstead. Inferring a sequence generated by a linear congruence. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, pages 153--159, IEEE, Chicago, 1982.
....random number generators are also insecure. These generators use the recurrence $X_{i+1} = aX_i + b \pmod m$ (3.1) to generate an output sequence $\{X_0, X_1, \ldots\}$ from secret parameters a, b, and m, and starting point $X_0$. It is possible to infer the secret parameters given just a few of the $X_i$ [139]. Even if only a fraction of the bits of each $X_i$ are revealed, but a, b, and m are known, Frieze, Hastad, Kannan, Lagarias, and Shamir show how to determine the seed $X_0$ (and thus the entire sequence) using the marvelous lattice basis reduction (or $L^3$) ....
J. Plumstead. Inferring a sequence generated by a linear congruence. In Proc. 23rd IEEE Symp. on Foundations of Comp. Science, pages 153--159, Chicago, 1982. IEEE.
....with generating similar sequences using linear feedback shift registers. Some results on congruential generators are as follows. Marsaglia [74] questions the claims of sufficient random behavior for sequences produced using linear congruential generators, and Reeds [102], Knuth [68], Plumstead [99], Hastad and Shamir [56] and Frieze, Kannan and Lagarias [37] have all cast considerable doubt on the cryptographic value of sequences generated using the multiplicative congruential generator. A paper by Frieze, Hastad, Kannan, Lagarias and Shamir [36] and one by Boyar ....
J. Plumstead (Boyar). Inferring a sequence generated by a linear congruence. In Proceedings of 23rd IEEE Symposium on Foundations of Computer Science, pages 153--159, 1982.
....for appropriate choices of the parameters a, b, M. On the other hand, their unpredictability properties are known to be quite weak. Clearly they are predictable in their simplest form: if the parameters a, b and M are known, given $X_0$ all the other $X_n$ can be easily computed. Plumstead (Boyar) [17] shows that even if the parameters a, b, M are unknown, the sequence of numbers produced by a linear congruential generator is still predictable given some of the $X_i$. Truncated LCGs were suggested by Knuth [12] as a possible way to make a linear congruential generator secure. However these ....
J. Plumstead (Boyar). Inferring a sequence generated by a linear congruence. In Proc. 23rd IEEE Symp. on Foundations of Comp. Science, pages 153--159, Chicago, 1982. IEEE.
....notion of cryptography where no partial knowledge can be leaked out of a cryptosystem, random events are truly random, etc. Real cryptosystems often do not observe these properties and several seemingly sound cryptographic protocols fail because partial knowledge can be leaked in the system [19, 2, 18]. In light of recent work on the possible attacks on the DES cryptosystem [4, 5], an extension of our analysis may be very important in actual applications. Another important extension of this model would allow it to account for zero knowledge authentication protocols [6, 19]. This work builds a ....
J. Plumstead, "Inferring a Sequence Generated by a Linear Congruence", Proceedings 23rd IEEE Symposium on the Foundations of Computer Science, pp. 153-159, October 1982.
No context found.
Plumstead, J., "Inferring a Sequence Generated by a Linear Congruence", 23 FOCS, 1982, pp 153-159.
No context found.
Plumstead, J., "Inferring a Sequence Generated by a Linear Congruence", 23rd FOCS, 1982, pp 153-159.
CiteSeer.IST - Copyright Penn State and NEC