This question is related to these:
But the answers do not state clearly how, and no example code is given, which makes it harder for a beginner to understand the lattice attack on TLCG.
I have an equation:
$k_i = (k_{i-1}+x_i) \cdot c + 1 \bmod 2^{32}$
where the first 8 bits of $k$ are known for 5 consecutive $i$ values ($i = 0$ to $4$), $c$ is known, and each $x$ value is 8 bits.
Here are the values:

| k | x |
|----------|----|
| 375335B3 | 63 |
| A6908B3C | 8C |
| 4A354CB5 | E8 |
| B503AFFD | 17 |
| 4E931FF8 | CE |

$c = 134775813$
The only code that I think could work is in SageMath, but unfortunately my Kali Linux doesn't have repos for it.
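```sage
# SageMath (Python 3 syntax); in Sage, ^ is exponentiation.
M = 2^32
c = 0x08088405

# Lattice of the plain multiplicative generator k_{n+1} = c * k_n mod M.
L = matrix([
    [  M,  0,  0,  0],
    [c^1, -1,  0,  0],
    [c^2,  0, -1,  0],
    [c^3,  0,  0, -1]
])
B = L.LLL()

# Generate test outputs from a random starting state.
size = 4
k10 = randint(0, M)
ks = [c^(n + 1) * k10 % M for n in range(size)]
print("ks: ")
print([hex(k) for k in ks])

# Split each output into the part treated as known and the part to recover.
msbs = [(k & 0xff0c0000) for k in ks]
secret = [ks[i] - msbs[i] for i in range(size)]

# Reduce B * msbs modulo M to the nearest multiple of M, then solve for the unknown parts.
w1 = B * vector(msbs)
w2 = vector([round(RR(w) / M) * M - w for w in w1])
guess = list(B.solve_right(w2))
print("guess: ")
print([hex(Integer(guess[i])) for i in range(size)])
print(guess)

# All zeros here means the guess matches the unknown parts.
print("diff from msb + guess: ")
print([hex(Integer(ks[i] - msbs[i] - guess[i])) for i in range(size)])
print(vector(ks) - vector(msbs) - vector(guess))
```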
My goal is to recover the last 24 bits of $k$ using a lattice attack with LLL reduction.
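
As a reference result for checking a lattice implementation against the table above, the following added example (not part of the original post) recovers the low 24 bits of $k_0$ in plain Python, without Sage. It is not a lattice attack: it is an exact search that splits the unknown 24 bits into two 12-bit halves and uses the known $x_i$ and top bytes as filters. The function names `step`, `window`, `recover_k0` and `demo` are assumptions of this example.

```python
from bisect import bisect_left

M = 1 << 32
C = 134775813  # multiplier c from the question (0x08088405)
# (k_i, x_i) rows from the question's table. Only the top byte of each k_i is
# given to the search; the full values are kept as ground truth for checking.
TABLE = [(0x375335B3, 0x63), (0xA6908B3C, 0x8C), (0x4A354CB5, 0xE8),
         (0xB503AFFD, 0x17), (0x4E931FF8, 0xCE)]

def step(k, x):
    """k_i = (k_{i-1} + x_i) * c + 1 mod 2^32."""
    return ((k + x) * C + 1) % M

def window(keys, start, width):
    """Indices of sorted keys lying in [start, start + width) modulo M."""
    end = start + width
    idx = list(range(bisect_left(keys, start), bisect_left(keys, min(end, M))))
    if end > M:  # the interval wraps past 2^32
        idx += range(bisect_left(keys, end - M))
    return idx

def recover_k0(msbs, xs):
    """All k_0 consistent with top bytes msbs[i] of k_i; xs[0] is unused."""
    h0 = msbs[0] << 24
    base = step(h0, xs[1])  # k_1 = base + c*l0 (mod M), l0 = low 24 bits of k_0
    low = sorted((C * b % M, b) for b in range(1 << 12))
    keys = [v for v, _ in low]
    found = []
    for a in range(1 << 12):  # l0 = a * 2^12 + b
        u = (base + C * (a << 12)) % M
        start = ((msbs[1] << 24) - u) % M  # c*b must fall in this window
        for i in window(keys, start, 1 << 24):
            k0 = h0 | (a << 12) | low[i][1]
            k = k0
            for msb, x in zip(msbs[1:], xs[1:]):
                k = step(k, x)
                if k >> 24 != msb:
                    break
            else:
                found.append(k0)
    return found

def demo():
    msbs = [k >> 24 for k, _ in TABLE]
    xs = [x for _, x in TABLE]
    return recover_k0(msbs, xs)

if __name__ == "__main__":
    print([hex(k) for k in demo()])
```

The first filter leaves roughly $2^{16}$ candidates, so the search finishes in well under a second; any $k_0$ a lattice attack returns for this data should appear in the printed list.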