I've got a function f : S -> X x S where S = (Z/2Z)**96 and
X = (Z/2Z)**32.  Suppose that s_0 is fixed and (x_i, s_i) = f(s_{i-1}).
(f implements a PRNG.  The s_i are subsequent internal states and the
x_i are results.)

Now f happens to be linear.  I know the values of x_i, x_{i+1}, ...,
x_{i+k} module N, for a fixed, known N.  N is odd (but divisible by 9).
Is it possible to recover s_i with reasonable effort (better than brute
force, and k should be in the hundreds, not thousands)?  And if yes, how?
Prediction of candidates for x_{i+k+1} with high probability would be
helpful, too.

(Obviously, using f as an unpredictable PRNG is not a good idea.  But if
there's a real attack I can present, convincing the authors to replace
it would be so much easier.)

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to