The Cryptographic Security of

Truncated Linearly Related Variables

Johun Hastad*

proving lower bounds on the complexity of problems in

NP, it is probably unavoidable.

Abstract
In this paper we describe a polynomial time ali;,.
rithm for computing the values of variables zl,. . . , zk
when some of their bits and some linear relationships bctween them are known. The a1gorith.m is essentially optimal in its use of information in the sense that it can be
applied as soon as the values of the xi become uniquciy
determined by the constraints. Its cryptanalytic signiflcance is demonstrated by two applications: breaking iinear congruential generators whose outputs are truncated,
and breaking Blums protocol for exchanging secrets.

1. Introduct ion
The design and analysis of cryptographic schemes
and protocols has been a very active research area in recent years. A large number of cryptosystems, signature
schemes, key distribution schemes, key sharing schemes,
secret exchange schemes, pseudo random bit generators,
and a variety of protocols were proposed in the literature.
However, progress in cryptographic research was accompanied by progress in cryptanalytic research, and some of
these schemes and protocols wore shown to be insecure.
This game of proposing and breaking schemes might seem
a bit strange, but in the absence of any techniques for
-___
-_
* Department uf Mathemat,ics,MIT, Cambridge, MA
02139. Partially supported b:r NSF grant 8413577DCR.
* * Drvpartment of Applied M;lt,hematics, The Wr?Anla.nn
Inxtihtr
of SGcnce, R.ehwot., Ismel. Partially supprtcd by NW grant nrj. MCS-80-06938.
Permlsslon
10copy without feeall or par1of this material is granted
provided
that the copies are no1 made or distributed
for direct
commercial
advantage.
the AChl copyright
Inotice and the rltlc of the
pubhcauon
and its date appear. and notice is given tha! copying 1s by
permls\lon
of the A~~c~at~on
for (Tompurmg
Machinery.
lr~ copy
othcrwlre.
or IO rcpuhhsh, require, a fee and or qxclfic
pcrmisrioo.

1985 ACM

O-89791-151-2! 85;005/0356

and Adi Shamir**

$00.75

To make rcsearchin cryptography less empirical, proponrnts of new schemes and protocols should carefully list
all the assumptions they make about the computational
complexity of various problems, and rigorously prove the
security of their proposal under these assumptions. The
proof becomes particularly useful when the security of the
scheme is shown to be equivalent to the complexity of a
single well studied problem such as factoring or discrete
log. An a,iterna.tivc approach is to develop schemes which
are not b,aqedon a specific problem but on any one-way
function. The large class of possible implementations of
these schemes makes them less vulnerable to attacks (but
still leaves the possibility that such functions do not exist
or that P =NP).
One commou idea which is used in several of these
schemes and protocols is to hide the values of certain variables by applying (regular or modular) arithmetic operations to them and then truncating the binary representations of the results. A simple scheme of this type (which
was used extensively on the early computers) generates a
pseudo random sequence of numbers by alternately squaring the previous tl bit value and discarding the top and
bottom n/2 bits of the 2n-bit result.
The purpose of this paper is to analyze the security
of such procedures in a general setting. The main result
is a novel cryptanalytic technique which can solve many
of the instmces of truncated linearly related variables in
polynomial time. WC demonstrate the power of this technique by describing two applications:
1.

It simplifies, generalizes, and puts in a clearer perspective the recent result by Frieze, Kannan and Lagarias [ 31 that truncated linear congruentiai generators we insecure.

2.

It shows that au assumption in Biums protocol for

exchn.nging secrets ( I] about the infeasibility of a
certain comput&iona.i task is not correct and hence
thr protocol is insecure. This example is particularly
surprising since at first glance the protocol appears
to bc inhcrcntiy quadratic while our techniques are
inherently linear.

We believe that other applications of the technique

will be found in the future,

Lemmu L: If A, 2 4.); then Xk s yk4 c-(k-l)Dk

is Henuites constant.
Proof:

2.

Formulation

where

7k

Minkowskis second theorem I 21 tells us that

of the Problem

Let 991 be a given number and let 21,. . . , zk be R

unknown values in the range 0 5 xi < m which are
rclnted by I independent homogeneous linear equations
(mod m):
(mod m),

j=

&...,I

TheacocffXcnts ui and the modulus 992 are a.wu~rwd

to be known, but 1 < k and thus the Zis are not uniyuly
defined. However, we are given (or somehow obtain) certain bits of each xi, and our goal is to combine this partial
knowledge with the given linear relationships in order to
compute the remaining bits of all the zis. Our main
tools will come from the geometry of numbers. Let us
recall some facts:
A fatiice is de6ned to be the set of points

i=1

and thercforc by using the lower bound for Xi, i =

1, +. . , k - 1 we get the desired upper bound for &. p
Although the value of Hermites constant is not
kuowu for k > 0, WC have in ( 21 the upper estimate
7k 5 k. This cstimzrte is not far from the actual value,
ainco it is known th:ht 7k is of siee O(k) f 10) . In fact
I 51 . This also
most lattice3 will satisfy X1 > d &Di
shows th;& mo:;t lattices will be regular with constants
which arc not too large.
Let us return to our problem. Recall equation (1).
Let L bc the lattice in Rk spanned by the I vectors Cj
(the cocfficicuts of the known modular relations) and the
k vectors 9nG wharc C; ate the unit vectors along the
coordinate axes.
Obscrvc that L consists precisely of those vectors
v E& which arc. known to satisfy
k

(mod m)

i=l

where b, are linearly independent vectors in Rk. The set

gi is called a hai:, and k is the dimension of the lattice.
The determinant of a lattice is dcfinccl to be the absolute
value of the determinant of the matrix whose rows are
6,. Geometrically the determinant can be interpreted as
the VO~UIIW of the parallelepiped spanned by the basis
vectors. TJsing this interpretation it is possible to prove
that the clctcrminant is equal to the inverse of the density
of the lattice (where the density is the average number
of lattice points per unit volume). This characterization
shows th;rt the determinant is independent of the choice
of basis. WC dcline a set of R linearly independent vectors
in L inductively:
ul is the shortest vector in L.
Cj+l is the shortest vector in L which is linearly independent of Cl,. . . , Cj.

The determinant of L is mkdi. To see this we use

the trharactcrir,:rtion of the determiuant as the inverse of
th(l density. To calculate the density observe that in a
hyp(srcubc with side m there will be rn points in the
lattice and hence the deusity is rnlsk and therefore the
determinant is mk-.
We arc now ready to state the main theorem.
Theorem
1: Suppose that the lattice L defined above
has determinant D and dimension k. Assume that L is
regular with constant c and define a = ((log D)/k) + f +
k log k + loge + 1. Then if we are either given as inputs

(i)

the a most signilicant bits of all the Zi. Or

(ii) the s least significant bits of all the Zi and m is odd.

Then we can recover the zi completly in polynomial
time.

(Ties are broken in an arbitrary way.)

The lengths Xi =I1 $ 11of these vectors are called
the successive minima of the lattice.
Deflnition:
A lattice L c Rk with determinant D is
regular with conafant c if Xk 5 CDL.
(kufmlly
it is casicr to work with XI than with &.
Thus WC ;vilI rely on the foIlowing Iemma to transform
lower bounds for X1 to upper bounds for Xa.

Proof: We USCa three stage algorithm: First apply a

lattice reduction algorithm to the lattice of known modular relations L to get get modular equations with small
cociflcients. Now USCthe known bits of the zi to transform these equations to equations over the integers. From
thcsc~equations over the integers recover the exact values
Of tllC Li.
Wo a,pply the algorithm of Lenstra, Lenstra and LoV:LYKin [ 81to the lattice of modular relations to obtain a

good basis. They prove the following:

Theorem:
ithA: that
8.

C W{Z~= dim

(LLL) There exits a ,polynomial time algoinput L 5nds a basis gi such that 11& 112

OD

By our assumption on the Xi this means that we can

find linearly independent vectors i;i such that

As Gj are in L
k

CW:z+
+=I

=O

(mod m),

j = l,...,f

These equations can be regarded as equations over the

integers by letting

isI

where the djs are integers.

From this point on the proof depends on whether COIIdition (i) or condition (ii) of the theorem holds. Assume
first condition (i) i.e., that we know the a most signillcant
bits of all the Zis.
Decompose zi into z{i) + z!)
I where z!l
I is known
and ]z!]
I < m/2e.

(,mod 2)

everything is known except djs Since m is odd we CMI calculnte dj uniquely

(mod 2). Finally the siee estimates
of the djy determine the djs over the integers. Once the
dj are determined all that remains are k linearly independent equations in k unknowns over the rationals and
these can be easily solved in polynomial time. I
Remark: It is also possible to consider the case when
we know a window of consecutive bits in the xis, but not
ncccasarily the moat or least significant bits. However in
this case the analysis is harder, and the conditions on m
turn out to be complicated. Thus we omit this analysis.
Remark: The leading term in a is logD/k, which equals
(k - I) logm/t by the definition of D. When the k unknown values Xi are related by I independent linear equations (mod m), at least (h - 1)log m bits are required to
specify a particular solution. Consequently, the problem
cannot be solved uniquely if fewer than ((k - I)/k) log,m
of the bits of each zi arc known. When k is fixed our algorithm matches this information-theoretic bound up to an
additive constaut, and thus it is essentially optimal in its
USCof information. Note iu addition that for any 5xed k
we can replace the LLL algorithm by Kannans algorithm
[ S] and thus reduce 8 by $.
3. Cryptanalysis of Truncated Linear Congruential Generators

This means that

A linear congruential generator is based on the recurrence
id

i=l

i=l

The 5rst sum is known, and the second sum can be

bounded since by the definition of N

Since the uncertainty is less than m/2 and we know

that the total sum is a multiple of m we can calculate it
exactly aud hence determine dj, This Bnishes the treatment of case (i).
Assuine now that condition (ii) holds instead. Then:

If we consider the equation

Zi+l=

azi +

(mod m)

in which a, c and m are known and the seed ze is secret,

Plumstead [ 111 has shown that if the entire numbers are
published we can start predicting this sequence after having been given a short initial segment even if Q,Cand m
are unknown. The case when LI,Cand m are known but
only some of the bits of the #is are published was first
considered by Knuth [ 71 . The first polynomial time algorithm for this case was given by Frieze, Kannan and
Lagarias 131 . They show that with high probability it is
possible to recover the seed if at least 215 of the leading
bits of three consecutive numbers are known, and claim
(without proof) a similar result for any 5xed fraction of
the leading bits whenever m is squarefree. In this section
we show that this stronger result follows directly from our
general cryptanalytic technique. We also improve 2/5 to
any fraction greater than l/3 for a general m. The proof
in the case where m is square free involves analyzing the
same number of theoretic problems that were considered
in the unpublished proof of Frieze et. al. but our use of
lattices avoids several other complications they encountered.

Proof: A vector v is in L, precisely when a satisfies the

polynomial equation

In this section we consider the case when some of

the most significant bits are published, but our technique
applies to the other cases as well. Without loss of generality we can assume that c = 0 (otherwise WCcan use
ti = x,+1 - z1 requiring one estra number to be seen).
The k variables zi are related by the following system of
Ic - 1 independent homogeneous equations:
ai-zl-Zi

=O

(modm)

~vlai-

= 0 (mod m)

i=l

where v= (uI, u2.. . , uk). We want to estimate the cardinality of t,he set of a which. sati::fy such an equation with
smaJ1coeflfcients. To do this WCestimate the number of
such equations and the number of solutions to each equation. Let us make this precise.

i=2,...,k

The lattice spanned by the k - 1 coefficient vectors

where the pi are differSuppose that m = flF-,pi

ent prima,. We want to estimate the cardinality of the
following set:

(a'-',O,...,O,-l,O,...,O)

is the set of vectors

k

i=l

(CLI-lUi,-Va,.r-Uk)

Estimating the size of F(l) involves

number of lattice points in sphcrcs. This
cated prot,lem[ 91 . For this reason WCtrade
clarity and repface the sphere by the larger

i=2

for

all possible choices of ua, - - a, uk in 2. If we defSne

lUil<m,

counting the
is n compliconstants for
cube:

i=O,...,R-1

i=2

Let tl be the product of 1 of tke prime factors of

m. If gce!(god(u),m) = d i he number of solutions to the
equation

then an alternative characterization of this lattice is the

set of all vectors 3 = (ur,. . . , uk) in Zk for which

Cv,a-

Y
i=l

When the vectors rn6 are added to the basis of this lattice, we can change each Vi by arbitrary multiples of m,
and thus the final lattice with which we have to deal is
L, = {v 6 Zk 1eai-Ui

= 0

(mod m)

i=l

= Cl

is cstimatcd by d(k - I)-.

The reason for this is that
we have at most k - 1 solutions modulo the primes which
do not divide d. We therefore need to count the number
of vectors that satisfy the condition gcd(gcd(iT), m) = d.

(mod m)).

i=1

Lemma 3: If d 1 m then the number of integer vectors

satisfying gcd(gcd(v), m) = d and Iui) < h, i = 1,. . . , k is
less than (,-).

The density of L, is obviously A. and hence the determinant is m. Applying our general technique we get:

Proof: Dividing the Vi and m by d shows that it is enough

to prove the lemma when d = 1. In this case the estimate
follows from an estimate of the total number of points in
the region considered. 1

Theorem 2 Let m be squarefrec, e > 0, and k be a

given integer. Then knowlcdgc of log m( $ +t) +c, leading
bits of all the xi suffices to compute the 2, completely in
polynomial time for I-O(mq)
of the possible coefficients
a.

Therefore we have:
IF(t)1 < c

Remark: The fraction of bits that must be known can

he made arbitrarily smaJJ, and this result is essentially
optimal esccyt for the presence of the e.

dim

k-d(%l)x

c ke3kmfk Cdl-k
dim

The only nontr~ivial part of applying our general

framework is the analysis of the lattice L,. We have the
follcjwing lCIllmi1:

By elementary calculation Ice = O(mtl) for any e, >

0 and the same is true for the sum (the sum is of course
bounded by a constant if k > 2). Putting t = i(l - c)
and c1 = e/4 and using the proof of lemma 1 gives lemma
2.

Ler Ima 3: W!rcn m is squarefree, the lattice L, satisaes

the Itstinl.&r X;, 5 c,Di-b for 1 - o(m?)of the possible
cocfIicif~nt fi.

Now theorem 2 follows from theorem 1 by the same

proof. 4

35 9

The above proof works for m which are almost

squarefree. Define a number tn to be 6-squarefree if
m = n,=, pri and fl~=ip~-i
5 m6. Then we have the
following theorem.
Theorem 3: Let m be &squarefree e > 0 and k a constant. Then knowledge of logm( ;. + c + S) +- c, leading
bits of all the zi suffices to compute the z, completely in
polynomial time for 1 - mq of the possible coefficients
a.
The proof is essentially the salme as for theorem 2.
For Iz = 3 we can prove the following theorem, in
which m need not be squarafrec:
Theorem 4: For any m and given c > 0. knowledge of
logm( i + c) + ca lea.ding bits of zJ ,zs and 2s suffices to
compute the numbers in polynomial time for all u except
a set of cardinality ml-j,
As we have seen the hard part of the proof will be to
count the number of solutions to second degree equations
when the modulus is highly composite. To fix notation
let A(z) = a0 + 0~2 + a2z2.

where Q = b (mod p) while a # b (mod p+). It

is not hard to see that the number of solutions in this
case is 2pr. The number of solutions will therefore be
min(plelal, 2~). 1
It remains to estimate the frequencY with which the
condition in lemma 5 is satisfied.
6: Given I z-- 0 and d < mzt the number of
11Z11
5 rn that satisfy D(A) = 0 (mod d) is O(rn+/d).

Lemma

Proof: 4nonz -a: = 0 (mod d) splits into the O(m/d)

equations 4aonz - n,e = kd,(k( 5 :%y over the integers.
For each fixed (11 the equation becomes 4aoaz = c. If
c # 0 theu this equation has as many solutions as divisors
of c but it is not hard to see that this number is O(m)
siucc c < mzt. c = 0 gives 4m possibilities for a and c
but in this case b is determined by k and hence the total
number of solutions is O(mst+/d). 1

Dack to the proof of lcmnnt 4:

qd?!di.?+mI2
I~(01i Cd,m.d<m

(number of A:s

such that D = 0) 5

(number of divisors of m) clm3t+r + c2m1/2*t+C 5

(;SmJt+sl + c.mt/2+~+~

We want to estimate the sir,c of the following set:

Lemma 4: For any e > 0 it is, true that IF(t)1 5

O(max(mst+C, m.5+l+C))
Assume first that gcd(gcd(Ci)!m) = 1. Suppose
m = nr=,, pti where pi are different primes. If all the
ei are unity the theorem follows from theorem 2. We
are therefore interested in the number of solutions to
quadratic equations modulo prime powers. Let us remind
ourzlves that the discriminant of a quadratic polynomial
is 4uoa2 - o: = D aud that thr discriminant is 0 iff the
polynomial has a double root. WC have the following (well
known?) lemma.
Lemma 5: If p does not divide #cd(Z) then the number of solutions to A(z) = 0 (mod p) is bounded by
min(plfJ,2p)
where r is the largest integer such that
D = 0 (mod p).
Proof We can assume that the highest degree coefficient is not divisible by p since in that case the equation
only has at most one solution. If r > e A(z) factors
as t(z -t u)~ (mod p) and we havcepLe/J solutions. If
r < e then by the condition on tblc discriminant A(z)
doe!; not have any quadratic factors
(mod p+ ) but is
a square (mod p). We havr two possibilities: tither A
does not factor
(mod p+) or factors inlo different linear factors. ID the first case we grt no solutions and in the
second WCcan lift the factorization
(mod p+) to a factorization
(mod p) which ca.n be written t(z+a)(z+b)

W(* would like to remove the restriction that

gcr@zcd(Z),m) = 1. Look at the set of a which satisfy
gcd(gcd(a), Tut) = d. Dividing the equation by d we get a
polynomial with coefficients of size ml/d and a modulus
m/d. Looking at the corresponding F-set we see that it
has cardinabty a.t most O(ms+c/d) and that each SO~Ution will havr exactly d images when lifted to (mod m).
This leaves us with the bound O(ms+/d2).
The total
count will therefore be:

Lemma 4 implies theorem 4 by a proof similar to that of

theorem 1.

4.

Cryptanalysis

of Blums

Protocol

for EX-

changing Secrets
Bluxns
protocol[ I) was one of the first resukts which
dealt with the issue of simultaneity in sequential processes.It enables two parties A and r) to exchLnge the factorization of their published moduli MA and rnR (which
are the products of two large primes) in a fair and verifiable way. Let n = log mA = log mg be the size parameter.

Thr protocol is symmetric, and the two parties alternately perform thr following steps:
1.

Ghoose k random numbers ~1, . . . , gk <aridsrnd their

squares modulo thr opponents modulus to the other
party.

2.

aud dd the k vectors tnei to the ba::is, then this lattice

beconws the set of all the vectors of the form ~1; for

Extract the four square roots modulo your own uumber of each number g, received from the other party.
This is possible since you know the factorization.
Now write the 4k square roots in a 41%x n binary
matrix where the least signihcant bits are in the last
column.

v E Zk which satisfy

i-1

Send the i-th column of the matrix to the other party.

3.

Sinw yl is almost certainly invertible

(mod m), we can
elirninatc it and obtin the following characterication of
the lattice:

(Fori=l,...,nf.

The idea behind this procedure is that by having one

of the square roots of JJ; at hand it is possible to check
that what you receive is correct information. If B wants
to cheat he can guess which square root A has and send
that square root and its negation correctly while the rest
are unrelated bits. The probability that such a technique
would not be detected by A is 2-k. The security of the
protocol depends on the inability of the parties to factor
eficiently before all (or almost all) the columns have been
exchanged. Blum stated this as au assumption in the
proof of correctness of his protocol. We show that this
assumption is incorrect.

L, = (5 E Zk 1kyiui

To apply our general technique, we only have to prove

that L, is regular for almost all choices of a.
Lemma 7~ Given e > 0, with probability l-c for random
Yl,.*.r gk, the equation
k
C ciyr = 0

There is a polynomial time algorithm

which when given as input k random numbers vi and
n/k+ck,,
most significant bits of all square roots of the %I,?
(mod tn) factors with prohability 1 - t. The probability
is taken over the probability distribution over the ui and
the running time is polynomial in n but not iu k.
Theorem

5:

cannot be solved with Ci not all 0 satisfying )Ci) < dk,,m+.

Proof: The lemma is trne for all m but we prove it only in
the* case we need it, namely when rn i!~the product of two
large%primes. For each lixcrl set of ci the proportion of the
gi which satisfy the linear cyoatiun is ;,;. The number of
sets Of Cc is approximately wkdi,cm where Wkis the vohme
of the unit ball in Rk. By making dk,s small we can make
the proportion of gi satisfying any equation in the set as
small as we please. This implies the regularity of L,, and
theorem 5 is proved. a

Thus we can conclude that for almost all gi we can recover the Xi when n/k+ck columns have been exchanged.
As pointed out above this enables us to factor by calculating gcd(zi -vii, m). The original protocol can therefore
be broken by somebody who only deviates from the protocol by stopping early and using our algorithm-there
is
no need to control the choice of random bits or to lie to
the other party.

Since the unknown values of the 5i are fixed multiples

of the known values of the yi, we can relate them by k - 1
modular linear equations:
=O

(mod m),

iz2,sa.k.

The lattice spanned by the k - 1 coefficient vectors

(Yi,",a"

(nlod m)

is1

Proof: For each i, the four square roots of u, can be

denoted by gir -uii, pi = tyi and -rui
(mod m) where r
is a square root of 1 different from 411. Since vi is known,
the first two vahms can be easily identified. The selection
of zi from the remaining two values when only some of
its bits are known requires guessing. However, for fixed k
the total number of guessesis a constant (zk-l). Observe
that if we can recover any of the xi we can factor m since
gCd(Zi
- &Ii, m) will be nontrivial.

ytzl-yl~i

= 0 (mod m)}.

i-1

Remark: The alternative protool in which the columns

of the matrices are exchanged in reverse order (from least
siguificant bits to most significant bits) is just as insecure,
since m is odd.

,o,-Ylio,-~~,o)

is the set of vectors

Discussion :
(~&uay-yI

h~**y-fhf&)

Blums paper is one of the best examples of thorough

and responsible research in cryptography. Due to the extraordinary care with which Blum listed his assumptions,
it is easy to trace the source of the problem to the following redundancy condition ([l] , pp. 187):

I=2
I
for au possible choices of us, * . . , uk in 2;. If we de6ne
YlUl = -klJii
I

Alice cannot use the 100 x k most significant bits,

, &,, to split rnB any better than she can use just
the k most significant bits $.

id

II!,..*

361

BIums paper axiomatically assumes that this condition is true, and rigorously proves the security of the
protocol modulo this assumption (aud a few others). We
did not find any error in Blums proofs - we just showed
that this assumption was too strong. This should not
be taken as a sign of sloppiness since progress in the design of efficient algorithms is relentless and unpredictable.
What is really important is to distinguish between facts,
assumptions and proofs, and to identify all the possible
sources of insecurity. Blum actually exceeds these minima1 criteria. While he expresses his Ipersonal belief that

I 61 R.

Kannan Improved AIgorithms for Integer Programming and Related Lattice Problems, STOC
1983, 193-256.

I 81

AK. Lenstra, H;W.,Lenstraaud L. Lovasz, Factoring Polynomials With Integer coefficients, Matematieche Anrralen, 261, (1982), 513-534.

I 101Minkowski

Diskontinuit$.sbereieh fiir Arithmetischc Aquivalene , Journal fiir Mathematik, 129,

19005,220-274.

J.B. Plumstcad, Inferring a Sequence Generated

by a Linear Congruence, FOCS 1982, 153-159.

he also prepares alternatives to the p.rotocol should something happen to his assumptions:
While the redundancy condition in the most demanding of our assumptions, the protocol can be modified to
work without this redundancy condition at all ..a If this
is done, the applications at the end of this paper can still
go through as before.
Blums modi5cation is based on a multi-moduli variant of his protocol and a redefinition of the secrets which
are exchanged by the parties. Another possible modification is to ask the parties to exchange fewer columns
from their matrices and to use our algorithm to factor
the moduli at an earlier stage. None of these variants
seems to be vulnerable to the cryptanalytic attack proposed in this paper, but its existence demonstrates once
more the extremely delicate nature of proofs of security
in cryptography.

Acknowledgements
We would like to thank Oded Goldreich and Silvio
Micali for starting this research and for contributing generously to its progress. The first author would like to
thank Sha5 Goldwasser for her consta.nt interest and helpful comments.

References
M. Blum, How to Exchauge (Secret) Keys, ACM
Tranractions on Computer Systems 1, 2, May 1983,
175-193.

[ 21 J.W.S. Cassels, Geometry of Numbers, Springer

Verlag 1959.
[ 3]

D.E. Knuth The Art of Computer Programming,

Vol. 2 Addison Wesley 1980.

I 91 J.E. Mazo and A.M. Odlyzko, Lattice points in

High-dimensional spheres. Paper in preraration.

these assumptions are not unreasonable, the protocol is

hardier even than the assumptions that underie our proof,
and consequently, one would be hard put to find a 5aw in
that protocol,

1 l]

I I

A.M. Frieze, R. Kannan and J..C. Lagariaa Linear

Con.gruential Generators do not Produce Random
Sequences, FOCS 1984 480-484.

[ 41 S. Goldwasser, S. Micali and C. Rackoff The

Knowledge Complexity of Interactive Protocols.
Unpublished manuscript.
[ 51 J. Hastad On the Shortest Vector in Random Lattices. Manuscript in preparation.

352