Showing posts from December, 2017

How to try to predict the output of Micali-Schnorr Generator (MS-DRBG) knowing the factorization. Part II

See also Part I and Part III of this series.

tl;dr In the previous article of this series we tried to predict the output of the Micali-Schnorr Generator (MS-DRBG) knowing the factorization. In this blog post we continue the effort started in Part I, showing different strategies. If you want to skip all my failures and go directly to the (in my humble opinion) most promising approach, you can jump straight to the Solinas Prime and Generalized Mersenne Numbers section below.

If you are wondering what MS-DRBG is and why I am trying to do this, I'd suggest going back and reading the first article.

What I am NOT claiming in this post, though, is that there is an NSA backdoor in the ANSI and ISO standards.

Introduction and Failure #1

So let's start from where we actually finished the last post. We focused on an easier version of the problem directly extracted from the original Micali-Schnorr paper


where the known output is up to 3/4 of the RSA computation and secret state is only 1/4 o…