Predicting Subset Sum Pseudorandom Generators

  • Joachim von zur Gathen
  • Igor E. Shparlinski
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3357)


We consider the subset sum pseudorandom generator, introduced by Rueppel and Massey in 1985 and given by a linearly recurrent bit sequence u_0, u_1, ... of order n over ℤ_2, and weights w = (w_0, ..., w_{n−1}) ∈ R^n for some ring R. The rings R = ℤ_m are of particular interest. The ith value produced by this generator is ∑_{0 ≤ j < n} u_{i+j} w_j. It is also recommended to discard about log n least significant bits of the result before using this sequence. We present several attacks on this generator (with and without the truncation), some of which are rigorously proven while others are heuristic. They work when one “half” of the secret is given, either the control sequence u_j or the weights w_j. Our attacks do not mean that the generator is insecure, but that one has to be careful in evaluating its security parameters.
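The following is an added example, not code from the paper: a reference implementation in Python of the generator exactly as the abstract describes it. An LFSR stands in for the linearly recurrent control sequence u_0, u_1, ... over ℤ_2, the weights live in ℤ_m, the ith output is ∑_{0 ≤ j < n} u_{i+j} w_j mod m, and the recommended truncation of about log n low bits is optional. The recurrence x^4 + x + 1, the modulus 256 and the weights used in the demo are constructed sample parameters chosen for readability, not values the paper recommends. The helper `coefficient_rows` only exposes the structure behind the abstract's "half of the secret" remark: once the control sequence is known, each untruncated output is a linear equation in the weights over ℤ_m.

```python
"""Subset sum (knapsack) pseudorandom generator as described in the abstract.

Added example; not code from the paper.  Construction (from the abstract):
  * a linearly recurrent bit sequence u_0, u_1, ... of order n over Z_2,
    produced here by an LFSR with a caller-supplied recurrence;
  * weights w = (w_0, ..., w_{n-1}) in the ring R = Z_m;
  * the i-th output is  sum_{0 <= j < n} u_{i+j} * w_j  (mod m),
    optionally with about log2(n) least significant bits discarded.
The recurrence, modulus and weights in the demo are constructed sample
parameters, chosen small for readability, not values the paper recommends.
"""
import math
from typing import Iterator, List, Sequence


def lfsr_bits(taps: Sequence[int], seed: Sequence[int]) -> Iterator[int]:
    """Yield u_0, u_1, ... with u_{k+n} = sum_{t in taps} u_{k+t} (mod 2).

    `seed` is (u_0, ..., u_{n-1}); `taps` lists the indices 0 <= t < n of
    the order-n linear recurrence over Z_2.
    """
    n = len(seed)
    if any(not 0 <= t < n for t in taps):
        raise ValueError("tap index out of range for an order-n recurrence")
    state = [int(b) & 1 for b in seed]
    while True:
        yield state[0]
        new_bit = 0
        for t in taps:
            new_bit ^= state[t]
        state = state[1:] + [new_bit]


def subset_sum_generator(
    u: Iterator[int], weights: Sequence[int], m: int, truncate_bits: int = 0
) -> Iterator[int]:
    """Yield v_i = (sum_{j<n} u_{i+j} * w_j mod m) >> truncate_bits."""
    n = len(weights)
    if n == 0 or m < 2:
        raise ValueError("need at least one weight and a modulus m >= 2")
    window: List[int] = [next(u) for _ in range(n)]  # holds u_i ... u_{i+n-1}
    while True:
        v = sum(w for bit, w in zip(window, weights) if bit) % m
        yield v >> truncate_bits
        window = window[1:] + [next(u)]  # slide to u_{i+1} ... u_{i+n}


def recommended_truncation(n: int) -> int:
    """One reading of the abstract's 'discard about log n bits': ceil(log2 n)."""
    return max(1, math.ceil(math.log2(n)))


def first_outputs(
    k: int, taps: Sequence[int], seed: Sequence[int], weights: Sequence[int],
    m: int, truncate_bits: int = 0,
) -> List[int]:
    """Return the first k outputs of the generator for the given parameters."""
    gen = subset_sum_generator(lfsr_bits(taps, seed), weights, m, truncate_bits)
    return [next(gen) for _ in range(k)]


def coefficient_rows(
    taps: Sequence[int], seed: Sequence[int], n: int, k: int
) -> List[List[int]]:
    """Windows (u_i, ..., u_{i+n-1}) for i < k.

    With the control sequence known, untruncated output i equals this row
    dotted with the weight vector mod m, i.e. a linear equation in the
    weights.  This is only the structure the abstract alludes to; no solver
    is included.
    """
    bits = lfsr_bits(taps, seed)
    window = [next(bits) for _ in range(n)]
    rows = []
    for _ in range(k):
        rows.append(list(window))
        window = window[1:] + [next(bits)]
    return rows


if __name__ == "__main__":
    # Constructed sample parameters: recurrence x^4 + x + 1 over Z_2
    # (u_{k+4} = u_{k+1} + u_k), seed (1,0,0,0), weights in Z_256.
    TAPS, SEED = (0, 1), (1, 0, 0, 0)
    WEIGHTS, M = (37, 101, 200, 77), 256
    print(first_outputs(8, TAPS, SEED, WEIGHTS, M))
    print(first_outputs(8, TAPS, SEED, WEIGHTS, M, recommended_truncation(4)))
```

With these sample parameters the control sequence has period 15, so the outputs repeat with that period as well; in practice the order n and the modulus m are the security parameters the abstract says must be chosen with care.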


References

  1. Bach, E., Driscoll, J., Shallit, J.: Factor refinement. J. Algorithms 15, 199–222 (1993)
  2. Blackburn, S.R., Gomez-Perez, D., Gutierrez, J., Shparlinski, I.E.: Predicting the inversive generator. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 264–275. Springer, Heidelberg (2003)
  3. Blackburn, S.R., Gomez-Perez, D., Gutierrez, J., Shparlinski, I.E.: Predicting nonlinear pseudorandom number generators. Math. Comp. (to appear)
  4. Blackburn, S.R., Gomez-Perez, D., Gutierrez, J., Shparlinski, I.E.: Reconstructing noisy polynomial evaluation in residue rings. J. Algorithms (to appear)
  5. Brickell, E.F., Odlyzko, A.M.: Cryptanalysis: A survey of recent results. In: Contemp. Cryptology, pp. 501–540. IEEE Press, NY (1992)
  6. Conflitti, A., Shparlinski, I.E.: On the multidimensional distribution of the subset sum generator of pseudorandom numbers. Math. Comp. 73, 1005–1011 (2004)
  7. von zur Gathen, J., Gerhard, J.: Modern computer algebra. Cambridge University Press, Cambridge (2003)
  8. Joux, A., Stern, J.: Lattice reduction: A toolbox for the cryptanalyst. J. Cryptology 11, 161–185 (1998)
  9. Krawczyk, H.: How to predict congruential generators. J. Algorithms 13, 527–545 (1992)
  10. Lagarias, J.C.: Pseudorandom number generators in cryptography and number theory. In: Proc. Symp. in Appl. Math., Amer. Math. Soc., Providence, RI, vol. 42, pp. 115–143 (1990)
  11. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 515–534 (1982)
  12. Lidl, R., Niederreiter, H.: Finite fields. Cambridge University Press, Cambridge (1997)
  13. Micciancio, D., Goldwasser, S.: Complexity of lattice problems. Kluwer Acad. Publ., Dordrecht (2002)
  14. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of applied cryptography. CRC Press, Boca Raton (1996)
  15. Nguyen, P.Q., Stern, J.: Lattice reduction in cryptology: An update. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 85–112. Springer, Heidelberg (2000)
  16. Nguyen, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)
  17. Rueppel, R.A.: Analysis and design of stream ciphers. Springer, Berlin (1986)
  18. Rueppel, R.A.: Stream ciphers. In: Contemporary cryptology: The science of information integrity, pp. 65–134. IEEE Press, NY (1992)
  19. Rueppel, R.A., Massey, J.L.: Knapsack as a nonlinear function. In: IEEE Intern. Symp. of Inform. Theory, p. 46. IEEE Press, NY (1985)

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Joachim von zur Gathen (1)
  • Igor E. Shparlinski (2)
  1. Fakultät für Elektrotechnik, Informatik und Mathematik, Universität Paderborn, Paderborn, Germany
  2. Department of Computing, Macquarie University, Australia
