论文信息 - On the Security of Schnorr's Pseudo Random Generator

On the Security of Schnorr's Pseudo Random Generator

At Eurocrypt 88 Schnorr [8] proposed a pseudo random generator for which he claimed that it could not be distinguished from a truly random source with less than 2°(n) output bits, even when unlimited computing power was available. We show that this generator can, in fact, be distinguished with only 4n bits of output. Moreover, we present an efficient (linear-time) algorithm which recovers the key from a substring only slightly larger than the generator’s keysize. Consequently, the generator is insecure.

Rainer A. Rueppel | R. A. Rueppel

[1] Silvio Micali,et al. Efficient, Perfect Random Number Generators , 1988, CRYPTO.

[2] Adi Shamir,et al. On the generation of cryptographically strong pseudorandom sequences , 1981, TOCS.

[3] Hideki Imai,et al. Impossibility and Optimality Results on Constructing Pseudorandom Permutations (Extended Abstract) , 1989, EUROCRYPT.

[4] Michael Luby,et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[5] Claus-Peter Schnorr,et al. On the Construction of Random Number Generators and Random Function Generators , 1988, EUROCRYPT.

[6] Manuel Blum,et al. A Simple Unpredictable Pseudo-Random Number Generator , 1986, SIAM J. Comput..

[7] Adi Shamir,et al. On the Generation of Cryptographically Strong Pseudo-Random Sequences , 1981, ICALP.

[8] Manuel Blum,et al. How to generate cryptographically strong sequences of pseudo random bits , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[9] Oded Goldreich,et al. RSA and Rabin Functions: Certain Parts are as Hard as the Whole , 1988, SIAM J. Comput..

[10] Andrew Chi-Chih Yao,et al. Theory and application of trapdoor functions , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[11] Ueli Maurer,et al. Perfect Local Randomness in Pseudo-Random Sequences , 1989, CRYPTO.