
Cryptanalysis of Sapparot


I’m posting some of my old cryptography notes online to make them more easily available. Here’s an attack I came up with against the Sapparot algorithm. The attack is pretty simple and was already known at the time. I just reproduced it for practice. 

Update: Just found this paper I wrote where I clarify and improve upon the Sapparot attack.

The Sapparot pseudo-random number generator designed by Ilya Levin has a 64-bit internal state. Here is a known-keystream attack which recovers this state after an average of 2^31 trial states, each costing only a couple of rounds of the generator.

The Generator: Let A and B be two 32-bit registers, and the contents of these registers at the end of round i be denoted by Ai and Bi. Below, x<<n denotes rotating the 32-bit word x left by n bits and x>>n rotating it right by n bits (a plain shift would discard bits and the round could not be inverted, which the attack below relies on). A and B are updated as follows:

Ai = ((A{i-1} + phi) mod 2^32)<<7

Bi = (B{i-1} XOR (¬Ai) XOR (Ai<<3))<<7

The output, Ri, of round i is (Ai XOR Bi). Note that phi is a constant based on the golden ratio, but that its value is irrelevant to the attack given below.

The Attack: If we guess Ai for some round i then we have Bi = Ai XOR Ri and we can find A{i-1} and B{i-1} as follows:

A{i-1} = ((Ai>>7) - phi) mod 2^32

B{i-1} = (Bi>>7) XOR (¬Ai) XOR (Ai<<3)

Given sufficient known keystream, guesses at Ai can be tested by running the generator forward from the guessed (Ai, Bi) and comparing with the observed outputs. Not much keystream is needed: the first output Ri is consumed in deriving Bi, and each further 32-bit output rejects a wrong guess with probability about 1 - 2^-32, so roughly three rounds' worth leaves a negligible chance of a false candidate surviving the 2^32 guesses. On average we will encounter the correct Ai after 2^31 attempts, and once (Ai, Bi) is known the inverse round above recovers every earlier state, including the seed.
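The following is an added example, not code from the original post nor Levin's reference implementation: a Python model of the generator as written above (reading << and >> as 32-bit rotations), the inverse round, and the known-keystream search. phi is assumed to be the usual golden-ratio constant 0x9E3779B9, although the attack does not depend on it. Because the full 2^32 loop is impractical in pure Python (it is minutes of work in C), the search functions take an optional window so the method can be exercised on a narrowed range; the logic is otherwise the full attack.

```python
# Added example: toy model of the Sapparot round as described in the post,
# its inverse, and the 2^32 known-keystream state recovery.
# Assumptions: << / >> are 32-bit rotations; PHI = 0x9E3779B9 (any 32-bit
# constant works, the attack never depends on its value).

MASK = 0xFFFFFFFF
PHI = 0x9E3779B9  # assumed golden-ratio constant


def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    """Rotate a 32-bit word right by n bits."""
    return ((x >> n) | (x << (32 - n))) & MASK


def step(a, b):
    """One round: (A_{i-1}, B_{i-1}) -> (A_i, B_i, R_i)."""
    a = rotl((a + PHI) & MASK, 7)
    b = rotl(b ^ (~a & MASK) ^ rotl(a, 3), 7)
    return a, b, a ^ b


def step_back(a, b):
    """Inverse round: (A_i, B_i) -> (A_{i-1}, B_{i-1}), as in the post."""
    prev_b = rotr(b, 7) ^ (~a & MASK) ^ rotl(a, 3)
    prev_a = (rotr(a, 7) - PHI) & MASK
    return prev_a, prev_b


def keystream(a, b, n):
    """Generate n 32-bit outputs from seed state (a, b)."""
    out = []
    for _ in range(n):
        a, b, r = step(a, b)
        out.append(r)
    return out


def candidate_matches(a_i, ks):
    """Test a guess for A at the round that produced ks[0].

    B_i follows from R_i = A_i XOR B_i; the remaining outputs are then
    regenerated forward and compared. Each extra output rejects a wrong
    guess with probability ~1 - 2^-32, so three outputs is plenty.
    """
    a, b = a_i, a_i ^ ks[0]
    for r in ks[1:]:
        a, b, out = step(a, b)
        if out != r:
            return False
    return True


def recover_state(ks, lo=0, hi=1 << 32):
    """Brute-force A_i over [lo, hi); returns (A_i, B_i) or None.

    The full range is 2^32 candidates (expected 2^31 tries); the window
    arguments only exist so the search can be demonstrated quickly.
    """
    if len(ks) < 3:
        raise ValueError("need at least three outputs to avoid false candidates")
    for guess in range(lo, hi):
        if candidate_matches(guess, ks):
            return guess, guess ^ ks[0]
    return None


def recover_seed(ks, lo=0, hi=1 << 32):
    """Recover the state before the first output by inverting one round."""
    found = recover_state(ks, lo, hi)
    if found is None:
        return None
    return step_back(*found)


if __name__ == "__main__":
    # Constructed sample seed; the keystream is what an attacker would observe.
    seed = (0x12345678, 0x9ABCDEF0)
    ks = keystream(*seed, 3)
    a1, b1, _ = step(*seed)
    # Narrow the window so the demo finishes instantly; drop lo/hi for the real 2^32 search.
    print(recover_seed(ks, max(0, a1 - 1000), a1 + 1000) == seed)
```

recover_state returns the register pair at the round of the first observed output; recover_seed then walks the inverse round back once, and the same step_back can be applied repeatedly to reach any earlier state. With 2^32 candidates and two checking outputs, the expected number of false candidates is about 2^32 * 2^-64, which is why three outputs suffice.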
