• bcd32 with 128bit seed - question on predicting the output

    From Karl.Frank@21:1/5 to All on Sat Apr 22 12:10:33 2017
    Just a quick note on a change of the seeding function for bcd32. It
    accepts a 128bit seed now in order to set the initial state of a,b,c,d
    and t. This way, for example, a 128bit hash can be used for seeding.
    The seed function includes a check that a and b are never set to zero.

    The modified source code for keystream generation is available here

    http://www.freecx.co.uk/bcd32/bcd32_keystream.c

    http://paste.debian.net/928753/


    Additionally I would like to ask if someone has any idea on how to predict
    the output of bcd32 without knowing the 128bit seed or the internal state?




    --
    cHNiMUBACG0HAAAAAAAAAAAAAABIZVbDdKVM0w1kM9vxQHw+bkLxsY/Z0czY0uv8/Ks6WULxJVua zjvpoYvtEwDVhP7RGTCBVlzZ+VBWPHg5rqmKWvtzsuVmMSDxAIS6Db6YhtzT+RStzoG9ForBcG8k G97Q3Jml/aBun8Kyf+XOBHpl5gNW4YqhiM0=

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Karl.Frank@21:1/5 to Karl.Frank on Sun Apr 30 22:40:03 2017
    On 22.04.17 12:10, Karl.Frank wrote:

    http://www.freecx.co.uk/bcd32/bcd32_keystream.c

    http://paste.debian.net/928753/


    The source code published recently does produce a wrong test vector with
    a key shorter than 128bit. This is because the function that converts the
    given hex string into 4 x 32bit unsigned integers will simply read over
    the bounds if there are less than 128bit and fill up the variables with
    "imaginary" values. I suppose that's one of the reasons why so many
    programs written in C are prone to buffer overflow attacks.

    The function in question is

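    /* Copies 8 hex characters per word without checking strlen(argv[1]);
       with a short key the later offsets point past the end of the string. */
    for (int i=0; i<4; i++) {
        strncpy(hexKey, argv[1]+(i*8), 8);
        seed[i] = (int)strtoul(hexKey, NULL, 16);
    }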

    I have changed the hex string conversion into 32bit unsigned integers
    accordingly. Now all available hex characters are stored in an 8bit array
    first and then converted into 32bit unsigned integers in order to seed
    the internal state.

    Additionally I have included the test vectors as hex output as they
    should appear on a big endian machine.

    The updated source code is available here

    http://www.freecx.co.uk/bcd32/bcd32_keystream.c

    http://paste.debian.net/930128


    Any comment on the error as well as on the endianness output is welcome.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
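Added example, not Karl.Frank's code and not the updated bcd32_keystream.c: one way to do the conversion described in the post above (hex digits into a byte array first, then into four 32-bit words) so that a short key cannot cause a read past the end of the string. The names `parse_hex_seed`, `hex_val` and `SEED_BYTES`, the zero-padding of short keys and the sample key in `main` are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEED_BYTES 16 /* 128 bits */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse up to 32 hex digits into four 32-bit words.
 * Returns the number of key bytes supplied (0..16), or -1 on bad input.
 * Assumed policy: a short key is zero-padded on the right. */
static int parse_hex_seed(const char *hex, uint32_t seed[4])
{
    uint8_t bytes[SEED_BYTES] = {0};
    size_t len = strlen(hex);

    if (len % 2 != 0 || len > 2 * SEED_BYTES)
        return -1;

    /* Every index is below len, so nothing past the NUL is read. */
    for (size_t i = 0; i < len; i += 2) {
        int hi = hex_val(hex[i]), lo = hex_val(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        bytes[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    /* Pack with shifts: the words are the same on any host byte order. */
    for (int i = 0; i < 4; i++)
        seed[i] = ((uint32_t)bytes[4 * i] << 24) |
                  ((uint32_t)bytes[4 * i + 1] << 16) |
                  ((uint32_t)bytes[4 * i + 2] << 8) |
                  (uint32_t)bytes[4 * i + 3];
    return (int)(len / 2);
}

int main(void)
{
    uint32_t s[4];
    int n = parse_hex_seed("0123456789abcdef", s); /* constructed 64-bit key */
    printf("%d bytes: %08x %08x %08x %08x\n", n, (unsigned)s[0],
           (unsigned)s[1], (unsigned)s[2], (unsigned)s[3]);
    return n < 0;
}
```

A caller that requires a full 128-bit key can reject any return value other than 16 instead of accepting the padded words.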
  • From Karl.Frank@21:1/5 to Karl.Frank on Sun May 21 21:15:02 2017
    On 22.04.17 12:10, Karl.Frank wrote:
    Just a quick note on a change of the seeding function for bcd32. It
    accepts a 128bit seed now in order to set the initial state of a,b,c,d
    and t. This way, for example, a 128bit hash can be used for seeding.
    The seed function includes a check that a and b are never set to zero.

    The modified source code for keystream generation is available here

    http://www.freecx.co.uk/bcd32/bcd32_keystream.c

    http://paste.debian.net/928753/


    Additionally I would like to ask if someone has any idea on how to predict
    the output of bcd32 without knowing the 128bit seed or the internal state?

    Well, for a start this is a possible way:

    We capture two or more consecutive output values, seed the PRNG with
    arbitrary values and observe the output and all internal values until at
    least two identical consecutive output values are found. At this moment
    we know the complete internal state and can calculate all future states.
    Additionally we might revert the PRNG and get hands on the seed.

    But this is a very expensive approach. Is anyone aware of a more
    effective and faster method?


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Karl.Frank@21:1/5 to Karl.Frank on Sun May 21 21:18:44 2017
    On 22.04.17 12:10, Karl.Frank wrote:
    Just a quick note on a change of the seeding function for bcd32. It
    accepts a 128bit seed now in order to set the initial state of a,b,c,d
    and t. This way, for example, a 128bit hash can be used for seeding.
    The seed function includes a check that a and b are never set to zero.

    The modified source code for keystream generation is available here

    http://www.freecx.co.uk/bcd32/bcd32_keystream.c

    http://paste.debian.net/928753/


    Additionally I would like to ask if someone has any idea on how to predict
    the output of bcd32 without knowing the 128bit seed or the internal state?





    Well, for a start this is a possible way:

    We capture two or more consecutive output values, seed the PRNG with
    arbitrary values and observe the output and all internal values until at
    least two identical consecutive output values are found. At this moment
    we know the complete internal state and can calculate all future states.
    ***rubbish removed* ==> Additionally we might revert the PRNG and get
    hands on the seed. <== *** Obviously know the seed, of course!

    But this is a very expensive approach. Is anyone aware of a more
    effective and faster method?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)