11 research outputs found

    A Variation on Knellwolf and Meier's Attack on the Knapsack Generator

    Pseudo-random generators are deterministic algorithms that take a random secret seed as input and output a stream of random-looking numbers. The Knapsack generator, presented by Rueppel and Massey in 1985, is one of the many attempts at designing a pseudo-random generator that is cryptographically secure. It is based on the subset-sum problem, a variant of the Knapsack optimization problem, which is considered computationally hard. In 2011 Simon Knellwolf and Willi Meier found a way around this hard problem and exhibited a weakness of this generator. In addition to being able to distinguish the outputs from the uniform distribution, they designed an algorithm that retrieves a large portion of the secret. We present here an alternate version of the attack, with similar costs, that works on the same range of parameters but retrieves a larger portion of the secret.

    Practical Seed Recovery of Fast Cryptographic Pseudo Random Number Generators

    Trifork is a family of pseudo-random number generators described in 2010 by Orue et al. It is based on Lagged Fibonacci Generators and has been claimed to be cryptographically secure. In 2017 a new family of lightweight pseudo-random number generators, Arrow, was presented. These generators are based on the same techniques as Trifork and are designed to be light, fast and secure, so that they can provide private communication between resource-constrained devices. The authors based their choice of parameters on NIST standards on lightweight cryptography and claimed these pseudo-random number generators were of cryptographic strength. We present practical, implemented algorithms that reconstruct the internal states of the Arrow generators for the different parameter sets given in the original article. These algorithms enable us to predict all subsequent outputs and to recover the seed. These attacks are all based on a simple guess-and-determine approach, which is efficient enough against these generators. We also present an implemented attack on Trifork, this time using lattice-based techniques. We show that it cannot have more than 64 bits of security, hence it is not cryptographically secure.

    Attacks on Pseudo Random Number Generators Hiding a Linear Structure

    We introduce lattice-based practical seed-recovery attacks against two efficient number-theoretic pseudo-random number generators: the fast knapsack generator and a family of combined multiple recursive generators. The fast knapsack generator was introduced in 2009 by von zur Gathen and Shparlinski. It generates pseudo-random numbers very efficiently, with strong mathematical guarantees on their statistical properties, but its resistance to cryptanalysis had been left open since 2009. The attacks given here are surprisingly efficient when the truncated bits do not represent too large a proportion of the internal state. Their complexities do not increase strongly with the size of the parameters, only with the proportion of discarded bits. A multiple recursive generator is a pseudo-random number generator based on a constant-recursive sequence. A combined multiple recursive generator is a pseudo-random number generator based on combining two or more multiple recursive generators. L'Ecuyer presented the general construction in 1996 and a popular instantiation, called MRG32k3a, in 1999. We use the algebraic relations of both pseudo-random generators with underlying algebraic generators to show that they are cryptographically insecure. We provide a theoretical analysis as well as efficient implementations.

    Cryptanalysis of a Generalized Subset-Sum Pseudorandom Generator

    We present attacks on a generalized subset-sum pseudorandom generator, which was proposed by von zur Gathen and Shparlinski in 2004. Our attacks rely on a sub-quadratic algorithm for solving a vectorial variant of the 3SUM problem, which is of independent interest. The attacks presented have complexities well below that of a brute-force attack, making the generators vulnerable. We provide a thorough analysis of the attacks and their complexities and demonstrate their practicality through implementations and experiments.

    TNFAIP3-interacting protein 1 polymorphisms and their association with symptomatic human respiratory syncytial virus infection and bronchiolitis in infants younger than one year from South Africa: A case-control study

    Objectives: This study analyzed the association of TNFAIP3-interacting protein 1 (TNIP1) polymorphisms with symptomatic human respiratory syncytial virus (HRSV) infection and bronchiolitis in infants. Methods: A case-control study was conducted involving 129 hospitalized infants with symptomatic HRSV infection (case group) and 161 healthy infants (control group) in South Africa (2016-2018). Six TNIP1 polymorphisms (rs869976, rs4958881, rs73272842, rs3792783, rs17728338, and rs999011) were genotyped. Genetic associations were evaluated using logistic regression adjusted for age and gender. Results: Both the rs73272842 G and rs999011 C alleles were associated with reduced odds of symptomatic HRSV infection (adjusted odds ratio [aOR] = 0.68 [95% confidence interval {CI} = 0.48-0.96] and aOR = 0.36 [95% CI = 0.19-0.68], respectively) and bronchiolitis (aOR = 0.71 [95% CI = 0.50-1.00] and aOR = 0.38 [95% CI = 0.22-0.66], respectively). The significance of these associations was validated using the BCa Bootstrap method (P < 0.05). The haplotype GC (composed of rs73272842 and rs999011) was associated with reduced odds of symptomatic HRSV infection (aOR = 0.53 [95% CI = 0.37-0.77]) and bronchiolitis (aOR = 0.62 [95% CI = 0.46-0.84]), which were validated by the BCa Bootstrap method (P = 0.002 for both). Conclusion: The TNIP1 rs73272842 G allele and rs999011 C allele were associated with reduced odds of symptomatic HRSV infection and of the development of bronchiolitis in infants, suggesting that TNIP1 polymorphisms could affect susceptibility to HRSV illness. The study was funded by the Poliomyelitis Research Foundation (grant # 19/27 to FKT), South Africa. The study was also funded by the CIBER (Consorcio Centro de Investigación Biomédica en Red, CB 2021), Instituto de Salud Carlos III, Ministerio de Ciencia e Innovación and Unión Europea – NextGenerationEU (grant #CB21/13/00044 to SR).

    Étude de générateurs pseudo-aléatoires en cryptographie mathématique (Study of pseudo-random generators in mathematical cryptography)

    No full text
    Linear pseudo-random number generators are easy to understand and to implement. The most famous of them is the Linear Congruential Generator. In the first part of this thesis we present this generator and the different key-recovery algorithms that have been designed against it since the seventies. Because this generator is simple, it has been used as a core component in the design of more complex and potentially cryptographically secure generators such as the Permuted Congruential Generator (presented and attacked in chapter 3) and Trifork (presented and attacked in chapter 4). It can also be generalized as the Multiple Recursive Generator, but most of the known algorithms can be adapted straightforwardly, meaning that the generalization does not give much more security. Other linear pseudo-random number generators are based on computationally hard problems, such as the Knapsack Generator and its variants, based on the Subset Sum Problem. The Fast Knapsack Generator is attacked in chapter 5 because of the resemblance it bears to the Linear Congruential Generator, and the Elliptic Knapsack Generator is attacked in chapter 7. Arrow, described and attacked in chapter 8, is a pseudo-random number generator that mixes linear and bitwise operations. It is very fast and simple to implement. But these bitwise and linear operations are too easy to invert, and almost all the attacks presented in that chapter run in under twenty minutes on a standard laptop.
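    The key-recovery against the Linear Congruential Generator that the abstract refers to, worked through as an added example (this is illustration code written for this listing, not code from the thesis). Given a few consecutive full-width outputs x_i of x_{i+1} = a*x_i + c mod m with m, a and c all unknown, the differences t_i = x_{i+1} - x_i satisfy t_{i+1} = a*t_i (mod m), so every t_{i+1}*t_{i-1} - t_i^2 is a multiple of m; the gcd of a few such values gives m up to a small cofactor, after which a and c follow from one modular division. The demo parameters (the MINSTD multiplier 48271 with modulus 2^31 - 1, a hypothetical increment 12345 and seed 42) are constructed for the illustration. The truncated-output attacks on PCG, Trifork and the knapsack generators additionally need lattice reduction, which this example does not cover.

```python
"""Recover (m, a, c) of a linear congruential generator
x_{i+1} = a*x_i + c (mod m) from a short run of full-width outputs,
then predict the following outputs.

Added illustration for this listing, not code from the thesis. It covers
the classic full-output case only; truncated outputs need lattice methods.
"""
from math import gcd

# Small primes used to peel a spurious cofactor off the modulus candidate.
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def lcg_stream(seed, m, a, c, n):
    """Generate n successive LCG outputs (state == output, no truncation)."""
    out, x = [], seed % m
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def _fit_params(xs, m):
    """Given a modulus candidate, solve for (a, c) from one invertible
    difference pair and check the recurrence on every sample.
    Returns None when the samples are inconsistent with an LCG mod m."""
    if max(xs) >= m:
        return None
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    for i in range(len(t) - 1):
        if gcd(t[i], m) != 1:
            continue  # a is not determined by this pair; try the next one
        a = (t[i + 1] * pow(t[i] % m, -1, m)) % m
        c = (xs[i + 1] - a * xs[i]) % m
        if all((a * xs[j] + c) % m == xs[j + 1] for j in range(len(xs) - 1)):
            return a, c
        return None  # a, c are forced by this pair, so m itself is wrong
    return None


def recover_lcg(xs):
    """Recover (m, a, c) from at least 6 consecutive full-width outputs.

    t_i = x_{i+1} - x_i satisfies t_{i+1} = a*t_i (mod m), hence each
    t_{i+1}*t_{i-1} - t_i^2 is a multiple of m. Their gcd is m times a
    usually tiny cofactor, which the candidate search below strips off.
    """
    if len(xs) < 6:
        raise ValueError("need at least 6 outputs")
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    m0 = 0
    for i in range(1, len(t) - 1):
        m0 = gcd(m0, t[i + 1] * t[i - 1] - t[i] ** 2)
    # Breadth-first: try the gcd itself, then the gcd with small factors removed,
    # so the largest consistent modulus (the true one) is found first.
    queue, seen = [m0], set()
    while queue:
        m = queue.pop(0)
        if m in seen or m <= 1:
            continue
        seen.add(m)
        fit = _fit_params(xs, m)
        if fit is not None:
            return m, fit[0], fit[1]
        queue.extend(m // p for p in _SMALL_PRIMES if m % p == 0)
    raise ValueError("no consistent LCG found; more outputs needed")


def predict_next(x, m, a, c, n=1):
    """Advance the recovered generator n steps from the last observed output."""
    out = []
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


if __name__ == "__main__":
    # Constructed sample: MINSTD multiplier, a hypothetical increment, seed 42.
    M, A, C = 2**31 - 1, 48271, 12345
    xs = lcg_stream(42, M, A, C, 14)
    m, a, c = recover_lcg(xs[:12])           # attacker sees 12 outputs
    print("recovered (m, a, c):", (m, a, c), "correct:", (m, a, c) == (M, A, C))
    print("next two predicted correctly:", predict_next(xs[11], m, a, c, 2) == xs[12:])
```

    Twelve outputs are more than the six the algorithm needs; the extra samples make a spurious modulus candidate (the true m times a small cofactor) fail the consistency check with overwhelming probability, which is what lets the search stop at the true modulus.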

    Practical seed-recovery for the PCG Pseudo-Random Number Generator

    No full text
    The Permuted Congruential Generators (PCG) are popular conventional (non-cryptographic) pseudo-random generators designed in 2014. They are used by default in the NumPy scientific computing package. Even though they are not of cryptographic strength, their designer stated that predicting their output should nevertheless be "challenging". In this article, we present a practical algorithm that recovers all the hidden parameters and reconstructs the successive internal states of the generator. This enables us to predict the next "random" numbers and to recover the seeds of the generator. We have successfully executed the reconstruction algorithm using 512 bytes of challenge input; in the worst case, the process takes 20 000 CPU hours. This reconstruction algorithm makes use of cryptanalytic techniques, both symmetric and lattice-based. In particular, the most computationally expensive part is a guess-and-determine procedure that solves about 2^52 instances of the Closest Vector Problem on a very small lattice.

    Cryptanalysis of Modular Exponentiation Outsourcing Protocols

    No full text
    Public-key cryptographic primitives are time-consuming for resource-constrained devices. A classical problem is to securely offload group exponentiations from a (comparatively) weak device, the client, to an untrusted, more powerful device, the server. A delegation protocol must usually meet two security objectives: privacy (neither the exponent nor the base should be revealed to a passive adversary) and verifiability (a malicious server should not be able to make the client accept an invalid value as the result of the delegated computation). Most proposed protocols rely on a secret splitting of the exponent and the base, and a considerable amount of literature has been devoted to their analysis. Recently, Su, Zhang and Xue [The Computer Journal, 2020] and Rangasamy and Kuppusamy [Indocrypt 2018] proposed outsourcing protocols for modular exponentiation. They claim that their protocols achieve security (privacy and verifiability). We show that these claims are flawed and that their schemes are broken beyond repair. They remain insecure even if one significantly increases the proposed parameters (and consequently the protocols' computational and communication complexities). Our attacks rely on standard lattice-based cryptanalytic techniques, namely Coppersmith's method for finding small integer roots of modular multivariate polynomials and simultaneous Diophantine approximation methods for the so-called approximate greatest common divisor problem.