SecurityVulnerabilityTerminalCode

LGC

Linear Congruential Generator.

n (modulus), a (multiplier), b (increment), Seed X0

Xi+1 = aXi + b (mod n)

Attack with n, a known

b = Xi+1 - aXi (mod n)

Attack with n known

Xi+1 = aXi + b (mod n)
Xi+2 = aXi+1 + b (mod n)

a = (Xi+2 - Xi+1) * (Xi+1 - Xi)^-1 (mod n)
Demonstration
Xi+1 = aXi + b (mod n)
Xi+2 = aXi+1 + b (mod n)

Xi+2 - Xi+1 = aXi+1 +b - (aXi + b) (mod n)
Xi+2 - Xi+1 = aXi+1 +b -aXi -b (mod n)
Xi+2 - Xi+1 = a(Xi+1 - Xi) (mod n)
(Xi+2 - Xi+1) * (Xi+1 - Xi)^-1 = a(Xi+1 - Xi)*(Xi+1 - Xi)^-1 (mod n)

a = (Xi+2 - Xi+1) * (Xi+1 - Xi)^-1 (mod n)

Attack with nothing known

Take the differences 
Tn = Xn+1 - Xn                 For every n we know - 1

Take more sequence
Un = | Tn+2 * Tn - Tn+1^2 |    For every n we know - 3

With high probability we have that
n = gcd(U1, U2, U3, ...)       For each U we have
Demonstration

Now, the gcd of two random multiples of n will be n with probability approximately 0.61. The more U numbers you have, the higher the probability (usually 4/5 U are enough).

Code

Last updated

Was this helpful?