We consider the subset sum pseudorandom generator, introduced by Rueppel and Massey in 1985 and given by a linearly recurrent bit sequence uo, u 1, ... of order n over Z2, and weights w = (wo,..., wn-i) £Rn for some ring R. The rings R = Zm are of particular interest. The ith value produced by this generator is 3ojUi+jWjIt is also recommended to discard about log n least significant bits of the result before using this sequence. We present several attacks on this generator (with and without the truncation), some of which are rigorously proven while others are heuristic. They work when one "half of the secret is given, either the control sequence uj or the weights Wj. Our attacks do not mean that the generator is insecure, but that one has to be careful in evaluating its security parameters. © Springer-Verlag 2005.
CITATION STYLE
Von Gathen, J. Z., & Shparlinski, I. E. (2004). Predicting Subset Sum Pseudorandom Generators. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3357, 241–251. https://doi.org/10.1007/978-3-540-30564-4_17
Mendeley helps you to discover research relevant for your work.