Re: Java encryption implementation
sci.crypt archive

From: Gregory G Rose <ggr@qualcomm.com>
Date: Tue Nov 29 2005 - 21:19:08 CET

In article <dmi0gq$olc$1@domitilla.aioe.org>,
Lars Schoening <lars@newdarkness.com> wrote:
>Maybe it helps to say that I only use the 8 least significant bits of
>the 64 bit linear congruence generator to xor with 8 bits of cleartext,
>so you cannot derive the exact value of the generator, and even if you
>did you would need to know the byte before in clear-text, and the
>position in the stream (due to -2n).

No, that doesn't help. There are algorithms out
there that can recover the state of the congruence
given enough of the output from the generator, and
it is standard to assume that the input and
position in the stream are known (or even chosen!)
by the attacker.

The canonical reference for this is:
J. Plumstead (Boyar). Inferring a sequence
generated by a linear congruence. In Proc. 23rd
IEEE Symp. on Foundations of Comp. Science, pages
153-159, Chicago, 1982. IEEE.

Note that this reference is so old I have never
found it online. But you might look at a paper I
just tripped over, which shows that if you use LCG
as the random number generator for DSS, it breaks
DSS! (DSS = Digital Signature Standard.) See
http://www-cse.ucsd.edu/users/mihir/papers/dss-lcg.pdf
for that result. (Crypto '97, my first Crypto! I'd
forgotten the result.)

Greg.

-- 
Greg Rose
232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au
Received on Sat Dec 3 04:20:24 2005
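Added example (not code from the thread, and not Plumstead's algorithm itself): a toy version of the scheme Lars describes, a "64-bit LCG" whose low 8 bits are XORed with each plaintext byte, and the known-plaintext attack Greg is pointing at. Everything here is constructed: the generator is assumed to work modulo 2^64 (the post only says "64 bit"), the multiplier and increment are Knuth's MMIX constants, and the seed and message are made up. The attack relies on one fact: when the modulus is a power of two, the low byte of the state is itself an LCG modulo 256 with parameters a mod 256 and c mod 256, so the 8-bit keystream has period at most 256, and a few bytes of known plaintext let the attacker brute-force the 2^16 possible reduced parameters and predict the whole keystream. Plumstead's result is the general, algebraic version of this (unknown a, c and modulus, full outputs); for LCGs with a prime modulus the low bits are not a generator on their own and one would instead turn to the lattice methods for truncated LCGs, which this example does not cover.

```python
# Constructed example: "64-bit LCG, keep the low 8 bits as keystream" and its
# known-plaintext break. Not code from the original post.

M = 1 << 64
A = 6364136223846793005  # Knuth's MMIX multiplier (assumed parameter)
C = 1442695040888963407  # Knuth's MMIX increment (assumed parameter)


def lcg_keystream(seed, n):
    """Low 8 bits of n successive states of x <- (A*x + C) mod 2^64."""
    x = seed % M
    out = []
    for _ in range(n):
        x = (A * x + C) % M
        out.append(x & 0xFF)
    return out


def xor_stream(seed, data):
    """Encrypt or decrypt: XOR each byte with the next keystream byte."""
    return bytes(b ^ k for b, k in zip(data, lcg_keystream(seed, len(data))))


def recover_low_lcg(known_stream):
    """All (a', c') with k[i+1] == a'*k[i] + c' (mod 256) for every known byte.

    Because M is a power of two, x_{i+1} mod 256 depends only on x_i mod 256,
    A mod 256 and C mod 256, so the visible bytes form an LCG mod 256 and the
    search space is only 2^16 pairs. The true answer is (A % 256, C % 256).
    """
    pairs = list(zip(known_stream, known_stream[1:]))
    return {(a, c) for a in range(256) for c in range(256)
            if all((a * k0 + c) % 256 == k1 for k0, k1 in pairs)}


def predict_stream(a, c, last_byte, n):
    """Continue the mod-256 generator for n more bytes after last_byte."""
    out = []
    x = last_byte
    for _ in range(n):
        x = (a * x + c) % 256
        out.append(x)
    return out


def known_plaintext_attack(ciphertext, known_prefix):
    """Decrypt all of ciphertext given only its first len(known_prefix) plaintext bytes."""
    k = len(known_prefix)
    keystream = [cb ^ pb for cb, pb in zip(ciphertext[:k], known_prefix)]
    candidates = recover_low_lcg(keystream)
    if len(candidates) != 1:
        raise ValueError(f"{len(candidates)} candidate generators; need more known plaintext")
    (a, c), = candidates
    rest = predict_stream(a, c, keystream[-1], len(ciphertext) - k)
    return bytes(known_prefix) + bytes(cb ^ kb for cb, kb in zip(ciphertext[k:], rest))


if __name__ == "__main__":
    seed = 0x0123456789ABCDEF  # constructed secret key
    plaintext = b"Subject: Java encryption implementation\nMeet at 10:00 in room 4."
    ct = xor_stream(seed, plaintext)
    # Attacker knows the ciphertext and guesses the first 8 plaintext bytes.
    print(known_plaintext_attack(ct, plaintext[:8]))
```

With the constants above, the low-byte generator has full period 256 and consecutive keystream bytes always differ by an odd amount, so three known bytes already pin down (a', c') uniquely; the function raises if the known prefix is too short to do so. Note that the attacker never learns the 64-bit seed at all: recovering the 8 bits of state that actually reach the ciphertext is enough.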