Cryptanalysis of Linear Congruence Generators

Similar documents
CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

by the matrix A results in a vector which is a reflection of the given

Chapter 19. General Matrices. An n m matrix is an array. a 11 a 12 a 1m a 21 a 22 a 2m A = a n1 a n2 a nm. The matrix A has n row vectors

Solving Systems of Linear Equations

Lecture L3 - Vectors, Matrices and Coordinate Transformations

5.3 The Cross Product in R 3

Lecture 13 - Basic Number Theory.

How To Prove The Dirichlet Unit Theorem

8 Primes and Modular Arithmetic

Systems of Linear Equations

1 VECTOR SPACES AND SUBSPACES

Continued Fractions and the Euclidean Algorithm

Linear Algebra Notes

SUM OF TWO SQUARES JAHNAVI BHASKAR

The Ideal Class Group

Vector and Matrix Norms

Section 1.1. Introduction to R n

Math 319 Problem Set #3 Solution 21 February 2002

UNIVERSITY OF PUNE, PUNE BOARD OF STUDIES IN MATHEMATICS SYLLABUS

Section Continued

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

ISOMETRIES OF R n KEITH CONRAD

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

MATRIX ALGEBRA AND SYSTEMS OF EQUATIONS. + + x 2. x n. a 11 a 12 a 1n b 1 a 21 a 22 a 2n b 2 a 31 a 32 a 3n b 3. a m1 a m2 a mn b m

MATH 304 Linear Algebra Lecture 9: Subspaces of vector spaces (continued). Span. Spanning set.

THREE DIMENSIONAL GEOMETRY

Unified Lecture # 4 Vectors

Solving Systems of Linear Equations

Kevin James. MTHSC 412 Section 2.4 Prime Factors and Greatest Comm

Arrangements And Duality

GREATEST COMMON DIVISOR

DIVISIBILITY AND GREATEST COMMON DIVISORS

Factoring Algorithms

Linear Algebra I. Ronald van Luijk, 2012

Chapter 6. Cuboids. and. vol(conv(p ))

Vocabulary Words and Definitions for Algebra

Lecture 3: Finding integer solutions to systems of linear equations

Linear Equations and Inequalities

Common Core Unit Summary Grades 6 to 8

THE DIMENSION OF A VECTOR SPACE

Classification of Cartan matrices

MATH2210 Notebook 1 Fall Semester 2016/ MATH2210 Notebook Solving Systems of Linear Equations... 3

160 CHAPTER 4. VECTOR SPACES

Linear Codes. Chapter Basics

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Lectures notes on orthogonal matrices (with exercises) Linear Algebra II - Spring 2004 by D. Klain

Metric Spaces. Chapter Metrics

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

LEARNING OBJECTIVES FOR THIS CHAPTER

1 if 1 x 0 1 if 0 x 1

Quotient Rings and Field Extensions

Matrix Representations of Linear Transformations and Changes of Coordinates

MATH 423 Linear Algebra II Lecture 38: Generalized eigenvectors. Jordan canonical form (continued).

6. Vectors Scott Surgent (surgent@asu.edu)

Mathematics Course 111: Algebra I Part IV: Vector Spaces

Orthogonal Projections

A =

Solving Linear Systems, Continued and The Inverse of a Matrix

December 4, 2013 MATH 171 BASIC LINEAR ALGEBRA B. KITCHENS

MATRIX ALGEBRA AND SYSTEMS OF EQUATIONS

= = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

a 11 x 1 + a 12 x a 1n x n = b 1 a 21 x 1 + a 22 x a 2n x n = b 2.

Algebra 2 Chapter 1 Vocabulary. identity - A statement that equates two equivalent expressions.

Prentice Hall Mathematics Courses 1-3 Common Core Edition 2013

NOTES ON LINEAR TRANSFORMATIONS

V Quantitative Reasoning: Computers, Number Theory and Cryptography

MATH 304 Linear Algebra Lecture 18: Rank and nullity of a matrix.

13 MATH FACTS a = The elements of a vector have a graphical interpretation, which is particularly easy to see in two or three dimensions.

Name: Section Registered In:

Adding vectors We can do arithmetic with vectors. We ll start with vector addition and related operations. Suppose you have two vectors

α = u v. In other words, Orthogonal Projection

Inner Product Spaces

3. INNER PRODUCT SPACES

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

Higher Education Math Placement

1.3. DOT PRODUCT If θ is the angle (between 0 and π) between two non-zero vectors u and v,

Solutions to Math 51 First Exam January 29, 2015

Number Sense and Operations

Actually Doing It! 6. Prove that the regular unit cube (say 1cm=unit) of sufficiently high dimension can fit inside it the whole city of New York.

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

3 Some Integer Functions

THE NUMBER OF REPRESENTATIONS OF n OF THE FORM n = x 2 2 y, x > 0, y 0

Ideal Class Group and Units

Similarity and Diagonalization. Similar Matrices

BALTIC OLYMPIAD IN INFORMATICS Stockholm, April 18-22, 2009 Page 1 of?? ENG rectangle. Rectangle

Number Theory Hungarian Style. Cameron Byerley s interpretation of Csaba Szabó s lectures

Continued Fractions. Darren C. Collins

Orthogonal Diagonalization of Symmetric Matrices

Today s Topics. Primes & Greatest Common Divisors

Primality Testing and Factorization Methods

Factoring Algorithms

Integer Factorization using the Quadratic Sieve

ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS

An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC

Math 215 HW #6 Solutions

On the representability of the bi-uniform matroid

The Determinant: a Means to Calculate Volume

Introduction. Appendix D Mathematical Induction D1

Algebra I Vocabulary Cards

Section 1: How will you be tested? This section will give you information about the different types of examination papers that are available.

Transcription:

Cryptanalysis of Linear Congruence Generators Abstract Multiplicative congruential generators have been first suggested by D.H.Lehmer as an arithmetic procedure to generate pseudo random numbers. A mild variation of it is the linear congruence generator. Over many years both these generators were widely used in simulations and reported to have good statistical properties and favorable cycle length. Cryptanalysts have come up with numerous complex methods to cryptanalyze the generators mentioned above. We discuss a simple method to cryptanalyze both multiplicative and linear congruence generators, which make them unsuitable as raw input to simulations and various cryptosystem. If we take n truly randomly numbers between 0 and 1 and truncate them to a finite accuracy, so that each is an integer multiple of 1/v for some given value v, then the n dimensional points generated will have an extremely regular structure. Multiplicative and linear congruence generators happen to have such a regular structure. The n-tuples P 1 =(u 1,u 2,,u n ), P 2 =(u 2,u 3,,u n+1 ), of uniform variations produced by the generator are viewed as points in the unit cube of n dimensions that has a perfectly regular structure. Furthermore, we show that all the points are found to lie on a relatively small number of parallel hyperplanes. We further discuss the theory to parallel hyperplanes defined by the equations c 1 x 1 +c 2 x 2 +...+c n x n =0,(+ or -)1, (+ or -)2,... whose solutions are P i =(u i, u i+1,, u i+n-1 ), formed by successive tuples of the pseudo random generator. We make use of this property that the points lie mainly in a few hyperplanes to cryptanalyze linear congruence generator. We then illustrate the theory discussed using a practical example. 1

Introduction The basic idea is to analyze the set of points generated by r (i+1) =k*r (i) +c mod m. (1) Such a generator (1) is called a linear congruence generator. If c=0, it is a multiplicative congruence generator as shown below (2) I.e. r (i+1) =k*r (i) mod m. (2). Let r 1,r 2,r 3... 0<r i <m be the sequence of residues modulo m generated by (2) and let u1,u2,u3,... be the sequence viewed as a fraction of m. { 1/m (r 1,r 2,... r n ) 0<r i <m)}. Let P 1 =(u 1,...,u n ), P 2 =(u 2,.... u n+1 ), P 3 =(u 3,...,u n+2 ),... be points of the unit n-cube formed by taking n successive u s. The arrangement of points in 2-dimensions is as shown below. Fig 1. Lattice Structure of points generated by the multiplicative generator We see that all of the points can be covered by a relatively small number of parallel hyperplanes (Hyperplanes are lines in 2-dimension, since hyperplanes are vectors on a subspace of co- 2

dimension 1). The points may be covered by a family of vertical lines or diagonal lines or, lines at a given inclination with the co-ordinate axes. In each case, there is a different count on the number of hyperplanes required to cover all the points. Y X Fig 2. Intersection of hyperplanes in 3-dimension. Figure 2. can be viewed as the intersection of hyperplanes in 3-dimension.with a unit cube enclosing it. Let 1/v be the maximum distance between lines, taken over all the families of parallel hyperplanes in n-dimension, v is called the accuracy of the pseudo random number generator in n- dimensions. If there are m points in n-dimensions, the maximum dimensional accuracy obtained is v n <m 1/n. Therefore, the maximum number of hyperplanes required to cover all points is (n!.m) 1/n. Table below gives the upper bound for the number of hyperplanes containing all n tuples. n=3 n=4 n=5 n=6 n=7 n=8 n=9 n=10 m=2 16 73 35 23 19 16 15 14 13 m=2 32 2953 566 220 120 80 60 48 41 m=2 48 119086 9065 2021 766 391 240 167 126 Table 1 3

On a binary computer with 32-bit words, m=2 32, fewer than 41 hyperplanes will contain all 10- tuples and fewer than 566 hyperplanes will consist of all 4-tuples. We now turn our attention to the equation of hyperplanes. Given below are two hyperplanes of dimension 2. x 2 C(2,3) 0 x 1 2x 1 +3x 2 =0 2x 1 +3x 2 =-6 Fig 2. Parallel hyperplanes in 2-dimension Clearly different families of parallel hyperplanes have different values for c, the point normal to the hyperplane. We now try to formulate a mathematical structure for the above discussions. Our goal is to show that all points P 1, P 2, P 3,..., of the multiplicative congruence generator will lie on a set of parallel hyperplanes. Theorem: If c 1,c 2,...,c n are any choice of integers such that c 1 +c 2 k+c 3 k 2 +...+ c n k n-1 ==0 modulo m, then all the points P 1, P 2, P 3,... will lie on a set of parallel hyperplanes defined by the equation c 1 x 1 +c 2 x 2 +...+c n x n =0,(+ or -)1, (+ or -)2,... such that all the points fall in fewer than (n!.m) 1/n hyperplanes. First we show that if c 1 +c 2 k+c 3 k 2 +...+ c n k n-1 ==0 modulo m, then c 1 u i +c 2 u i+1 +...+c n u i+n-1 is an integer for every i. Let [ ] denote the greatest integer function. The sequence r 1,r 2,...r n can be rewritten as 4

r 1, kr 1 -m[(kr 1 )/m], k 2 r 1 -m[(k 2 r 1 )/m],... and the sequence u 1, u 2,...,u n can be written as r 1 /m-[r 1 /m], (kr 1 )/m-[(kr 1 )/m], (k 2 r 1 )/m-[(k 2 r 1 )/m],... Clearly if c 1 +c 2 k+c 3 k 2 +...+ c n k n-1 is a multiple of m, then c 1 u i +c 2 u i+1 +...+c n u i+n-1 is an integer. Now it remains to be shown that there are integers c 1,c 2,...,c n not all zero such that c 1 +c 2 k+c 3 k 2 +...+ c n k n-1 ==0 modulo m. We have seen that c 1 u i +c 2 u i+1 +...+c n u i+n-1 =0,(+ or -)1, (+ or -)2,...We now show that there exist non-zero c 1,c 2,...,c n using a general theorem on linear forms by Minkowski, using the basic result that a symmetric convex set of volume 2 n in n space must contain a point (other than the origin) with integer co-ordinates. Minkowski s Lemma Let C be a bounded, symmetric, convex domain in R n. Let a 1, a 2,...,a n be linearly independent vectors in R n s. Let A be the n*n matrix whose rows are the a i. If vol(c)>2 n det A, there exist integers c 1,c 2,...,c n (not all zero) such that c 1 a 1 +c 2 a 2 +...+c n a n (element of )C If we consider set D of all (c 1,c 2,...,c n) (element of) R n such that c 1 a 1 +c 2 a 2 +...+c n a n (element of )C. It is easily seen that D is bounded, symmetric and convex because C is. Moreover, D=A -1 C so that by linear algebra, Vol(D)= Vol(C) ( det A ) -1 Thus, if Vol(D)>2 n, then D contains the lattice points (c 1,c 2,...,c n) not equal to zero such that c 1 a 1 +c 2 a 2 +...+c n a n (element of )C. But Vol(D)>2 n is equivalent to Vol(C )> 2 n det A, as desired. We now look at a live cryptanalysis of linear congruence generators in 2-dimesnion. Before that, as a corollary of Minkowski s lemma, we show that- A lattice L in R 2 contains a non-zero vector alpha, such that alpha 2 <=(4*(Area of parallelogram spanned by a lattice basis for L.) )/ pi, pi=3.1415 Let dl= Area of parallelogram spanned by a lattice basis for L. Let the convex S be a circle of radius r about the origin. Minkowski s lemma guarantees the existence of a non-zero lattice point in S, provided 5

Area(S)>4.dl i.e. pi*r 2 >4.dl or r 2 >(4.dl)/pi r 0,0 Figure 3. Circle of radius r about the origin So for any positive number e, there is a lattice point alpha with alpha 2 <( (4.dl)/pi )+e. Since there are only finitely many lattice points in a bounded region and since e can be arbitrarily small, there is a lattice point satisfying the above inequality. Illustration of Cryptanalysis of Linear Congruence Generator Since- Random numbers fall mainly in the planes The lattice structure of points produced by the congruential RNG x (n) =a*x (n-1) +c mod m makes it easy to find a, c and m if one is given a few pairs x (i),x (i+1) produced by the RNG. The idea is this: points (x 1, x 2 ), (x 3, x 4 ), (x 5, x 6 )...with Unit-cell volume the modulus of the generator, the m of x (n) =a*x (n-1) +c mod m. This means that the parallelepiped formed by any three points of the lattice has volume a multiple of the unit cell s volume, which is the (unknown) modulus m. So we need only choose any three points whose coordinates are successive integers from the RNG, find the absolute value of the determinant of the matrix. This is the volume of the parallelepiped and it must be a multiple of the unknown 6

modulus. It is clear that we have chosen n=2, i.e. over 2-dimensional space. This is because a parallelepiped is a parallelogram in two dimension and thus more convenient to find the volume of a parallelepiped in two dimension when compared to higher dimensions. Usually five or six such determinant values (i.e. the area of the parallelogram in determinant form) will have gcd that determine m, this is the volume of a parallelepiped determined by three points in the plane with coordinates successive integers from the generator. Then solving a*(x 3 -x 1 ) =(x 4 -x 2 ) mod m for a determines the multiplier. Example: Consider the congruential sequence 5,13,10,4,11,6,15,14,12,8, generated by x (n) =2*x (n-1) +3 mod 19. Form points from successive x s, for example (5,13), (10,4), (11,6), (15,14),(12,8),... Subtract the first point from the others. If (a,b) is the first point and (p,q) is the second point then we find (p-a, q-b) (Translate the lattice to include (0, 0)): (5,-9),(6,-7),(10,1),(7,-5),... Y 0,0 X 7

Form a few determinants: Abs ((5*-7)-(-9*6)) =19=m Abs ((6*1)-(-7*10)) =76=4*m Abs ((10*-5)-(7*1)) =57=3*m All determinants will be multiples of m. We needn t use successive points; for example: Abs ((5*-5)-(7*-9)) =38=2*m We will usually not be lucky enough to get m from the first two determinants, but successive gcd s quickly become a constant sequence...m, m, m, m, m, Let = = indicate congruence. If for ax = =b (mod m) and a is relatively prime to m, the solution (unique mod m) of the linear congruence is X=b*a (phi (m)-1) (mod m) where phi (m) is the Euler s Totient Function or simply by the Extended Euclid s algorithm From the first (or any other) point of the translated lattice, say (10,1), solve a*10=1 mod 19, to get a=2, From the original points, a*5+c=13 mod 19,gives 2*5+c==13 mod 19,c=3. We get c=3 and thus the generator x n =a*x n-1 +c mod m, has a=2, c=3 and m=19. 8

Acknowledgement The entire cryptanalysis of linear and multiplicative congruence generator and the statistics in table 1, presented here is due to [1]. The discussion of Minkowski s lemma and its corollary, presented are due to [4],[5],[6]. The intersecting hyper-planes in Fig 2. is derived from John Stembridge s page, http://www.math.lsa.umich.edu/~jrs/ Bibliography 1. George Marsaglia, Random Numbers Fall Mainly In The Planes, Mathematics Research Lab, Boeing Scientific Research Laboratories, Seattle, Washington. 2. Donald.E.Knuth, Semi Numerical Algorithms, Volume 2. 3. Shaum s, Linear Algebra, MGH. 4. G.Hadley, Linear Algebra, Addison-Wesley 5. Jody Esmonde and M.Ram Murthy, Problems in Algebraic Number Theory, Springer Edition. 6. Artin, Algebra, PHI-EEE 7. Tom Apostol, Introduction to Analytical Number Theory, Springer International, Student edition, 1989. 8. Neal Koblitz, A Course In Number Theory and Cryptography, Springer, Second edition, 1994. 9. Bruce Schneier, Applied Cryptography, Wiley Publications, Second edition, 2001. 10. George Marsaglia, Newsgroups: sci.math.symboli, Archives. -Compiled by Sarad A.V 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information