ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys - - PowerPoint PPT Presentation



SLIDE 1

Pseudo Random Number Generators

ECEN 5022 Cryptography

Peter Mathys

University of Colorado

Spring 2008

Peter Mathys ECEN 5022 Cryptography

SLIDE 2

Random Number Generation

◮ Random numbers are needed for many different purposes in engineering and computer science, e.g., to run simulations, to generate random passwords, etc.

◮ True sequences of random symbols can be obtained by flipping coins, measuring a radioactive source, using a noise diode, etc.

◮ Often there are some very specific requirements for a random sequence. For instance, for debugging purposes it is essential that a “random” sequence can be repeated.

◮ Pseudo-random number generators (PRNG) are widely used for computer simulations as well as for cryptographic purposes, because they can be easily implemented on computers. But the requirements for cryptography are different from those for general purpose computing.

SLIDE 3

Middle Square Method

◮ Around 1946 John von Neumann came up with the “middle square method” for generating random numbers. Suppose you have an 8-digit number, e.g., $s_i = 60684258$. Keep the middle 4 digits as $x_i = 6842$. Compute the next number as $s_{i+1} = x_i^2 = 46812964$ and thus $x_{i+1} = 8129$.

◮ What are the properties of the sequence $x_i, x_{i+1}, \ldots$? Will it continue forever? Will it die out? What statistical properties does it have?

◮ Here is an example sequence, obtained by using 4-digit numbers and keeping the middle two digits after each squaring: 42, 76, 77, 92, 46, 11, 12, 14, 19, 36, 29, 84, 5, 2, 0, 0, ...

SLIDE 4

Middle Square Method

◮ Here is another example using 4-digit numbers and keeping the middle two digits: $x_i = 57 \to 57^2 = 3249 \to x_{i+1} = 24 \to 24^2 = 0576 \to x_{i+2} = 57 \to 57^2 = 3249 \to \ldots$

◮ Moral of the story: Some theory is needed to make good PRNGs with predictable properties.
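The two middle-square examples above, worked in Python. This is an added example and not code from the lecture notes; the `digits` parameter (half the width of the zero-padded square) and the cycle-detection helpers are conventions chosen here. The survey function goes beyond the slide and checks every seed of a given size, which shows how quickly the method collapses into short cycles.

```python
# Middle-square method (von Neumann) as described on the slides, plus a
# cycle detector that answers "will it continue forever or die out?".
# Added example for illustration; not code from the original lecture notes.

def middle_square_step(x, digits):
    """Square x, zero-pad to 2*digits digits and keep the middle `digits` digits.

    digits=4 is the 8-digit example on the slides (x_i = 6842 -> x_{i+1} = 8129),
    digits=2 is the 4-digit example (42 -> 76 -> 77 -> ...).
    """
    width = 2 * digits
    square = str(x * x).zfill(width)
    lo = digits // 2                 # e.g. 8-digit square: keep positions 2..5
    return int(square[lo:lo + digits])


def middle_square_sequence(seed, digits, count):
    """Return the first `count` terms x_0 = seed, x_1, x_2, ..."""
    out, x = [], seed
    for _ in range(count):
        out.append(x)
        x = middle_square_step(x, digits)
    return out


def find_cycle(seed, digits):
    """Iterate until a value repeats and return (tail, period).

    `tail` is the number of terms before the sequence enters its cycle and
    `period` is the length of that cycle.  A run that "dies out" at 0 shows up
    as period 1 with x = 0; the 57 -> 24 -> 57 example shows up as period 2.
    """
    seen, x, n = {}, seed, 0
    while x not in seen:
        seen[x] = n
        x = middle_square_step(x, digits)
        n += 1
    return seen[x], n - seen[x]


def cycle_survey(digits):
    """Run find_cycle for every possible seed 0 .. 10**digits - 1.

    Returns a dict period -> number of seeds that end in a cycle of that
    length, i.e. how few seeds of this size avoid a short cycle.
    """
    counts = {}
    for seed in range(10 ** digits):
        _, period = find_cycle(seed, digits)
        counts[period] = counts.get(period, 0) + 1
    return counts


if __name__ == "__main__":
    print(middle_square_sequence(42, 2, 16))
    print(find_cycle(57, 2), find_cycle(42, 2))
    print(cycle_survey(2))
```

`find_cycle(42, 2)` reports a tail of 14 terms followed by the fixed point 0 (period 1); `find_cycle(57, 2)` reports period 2 with no tail, matching the two slides.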

SLIDE 5

Linear Congruential Method

◮ The linear congruential method generates the sequence $x_0, x_1, x_2, \ldots$ using the recursion $x_{i+1} = a\,x_i + c \pmod m$, where m is the modulus (often a power of 2 or 10), a is the multiplier, c is the increment, and $x_0$ is the seed.

◮ Theorem. The sequence $x_0, x_1, x_2, \ldots$ has period of length m (which is the maximum) iff (i) $\gcd(c, m) = 1$, (ii) $b = a - 1$ is a multiple of p for every prime p dividing m, (iii) b is a multiple of 4 if m is a multiple of 4.

SLIDE 6

Example

◮ Example: m = 100, a = 41, c = 7, $x_0 = 5$, produces the sequence 5 12 99 66 13 40 47 34 1 48 75 82 69 36 83 10 17 4 71 18 45 52 39 6 53 80 87 74 41 88 15 22 9 76 23 50 57 44 11 58 85 92 79 46 93 20 27 14 81 28 55 62 49 16 63 90 97 84 51 98 25 32 19 86 33 60 67 54 21 68 95 2 89 56 3 30 37 24 91 38 65 72 59 26 73 7 94 61 8 35 42 29 96 43 70 77 64 31 78 5 which has period 100.
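The recursion and the theorem of the previous two slides, as an added Python example (not code from the lecture notes). `has_full_period` tests the three conditions of the theorem directly and `measured_period` checks them against the cycle length actually reached; the function names and the trial-division factoring helper are choices made here. Beyond the slide's m = 100 example, it also shows a parameter set that fails condition (iii) and therefore falls short of the full period.

```python
# Linear congruential generator and the full-period theorem from the slides.
# Added example; not code from the original lecture notes.
from math import gcd


def lcg(m, a, c, x0, count):
    """Return x_0, ..., x_{count-1} from x_{i+1} = a x_i + c (mod m)."""
    out, x = [], x0 % m
    for _ in range(count):
        out.append(x)
        x = (a * x + c) % m
    return out


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for small moduli)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def has_full_period(m, a, c):
    """The three conditions of the theorem: (i) gcd(c, m) = 1,
    (ii) b = a - 1 divisible by every prime dividing m,
    (iii) b divisible by 4 whenever m is."""
    b = a - 1
    cond_i = gcd(c, m) == 1
    cond_ii = all(b % p == 0 for p in prime_factors(m))
    cond_iii = (m % 4 != 0) or (b % 4 == 0)
    return cond_i and cond_ii and cond_iii


def measured_period(m, a, c, x0):
    """Iterate until a value repeats and return the length of the cycle reached.

    The state of an LCG is just x_i, so a repeated value means the sequence
    has closed its cycle.  Seeds may have a tail before the cycle when
    gcd(a, m) > 1, so the cycle length is measured rather than the return
    time to x0.
    """
    seen, x, n = {}, x0 % m, 0
    while x not in seen:
        seen[x] = n
        x = (a * x + c) % m
        n += 1
    return n - seen[x]


if __name__ == "__main__":
    print(lcg(100, 41, 7, 5, 101))
    print(has_full_period(100, 41, 7), measured_period(100, 41, 7, 5))
    print(has_full_period(8, 3, 1), measured_period(8, 3, 1, 0))
```

For m = 8, a = 3, c = 1 the gcd and prime-factor conditions hold but b = 2 is not a multiple of 4, and the generator indeed cycles through only 4 of the 8 residues.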

SLIDE 7

Linear Feedback Shift Register

[Figure: linear feedback shift register of length L with cells $s_0, s_1, \ldots, s_{L-2}, s_{L-1}$; the feedback taps $-c_L, \ldots, -c_2, -c_1$ are summed to form the next symbol $s_L$, and the output is $s_0, s_1, s_2, \ldots$]

◮ Linear feedback shift register (LFSR) of length L. Uses initial state $(s_0, s_1, \ldots, s_{L-1})$ and connection polynomial $C(D) = c_L D^L + \ldots + c_2 D^2 + c_1 D + 1$ to produce output sequence $s_0, s_1, s_2, \ldots$.

◮ Arithmetic is computed modulo p for some prime number p. Very often p = 2 and then the output is binary.

◮ The maximum period of the output sequence is $p^L - 1$. It is achieved when C(D) is a primitive polynomial modulo p.

SLIDE 8

Linear Feedback Shift Register

◮ Recursion: $s_L = -\sum_{i=0}^{L-1} s_i\, c_{L-i}$.

◮ Initial condition: $s_0, s_1, \ldots, s_{L-1}$.

◮ Define $S(D) = \sum_{i=0}^{\infty} s_i D^i$ (D: delay operator). Then

$$
\begin{aligned}
S(D) &= \underbrace{s_0 + s_1 D + \ldots + s_{L-1} D^{L-1}}_{=P(D)} + \sum_{j=0}^{\infty} s_{L+j}\, D^{L+j} \\
&= P(D) - \sum_{j=0}^{\infty} \sum_{i=0}^{L-1} s_{i+j}\, c_{L-i}\, D^{j+L} \\
&= P(D) - \sum_{k=0}^{\infty} \sum_{j=k-L+1}^{k} s_k\, c_{L-k+j}\, D^{j+L-k}\, D^k \\
&= P(D) - \sum_{k=0}^{\infty} s_k \underbrace{\sum_{j=k-L+1}^{k} c_{L-k+j}\, D^{L-k+j}}_{=C(D)-1}\, D^k
\;=\; P(D) - S(D)\,\bigl(C(D) - 1\bigr)
\end{aligned}
$$

$$
\Rightarrow\quad S(D) = \frac{P(D)}{C(D)}
$$

SLIDE 9

Examples

◮ Some primitive connection polynomials for p = 2 are $D^3 + D^2 + 1$, $D^4 + D^3 + 1$, $D^5 + D^3 + 1$, $D^6 + D^5 + 1$.

SLIDE 10

Berlekamp-Massey Algorithm

[Flowchart: Berlekamp-Massey Algorithm. Input is a sequence $\{s_i\}_{i=0}^{M-1}$ of length M.]

◮ START. Get M. Initialize $C(D) \leftarrow 1$, $C^*(D) \leftarrow 1$, $L \leftarrow 0$, $\delta^* \leftarrow 1$, $n \leftarrow 0$, $x \leftarrow 1$.

◮ If n = M: output $\langle C(D), L \rangle$ and STOP. Otherwise get $s_n$ and compute $\delta \leftarrow s_n + c_1 s_{n-1} + \ldots + c_L s_{n-L}$.

◮ If δ = 0: no length change, $x \leftarrow x + 1$.

◮ If δ ≠ 0: $T(D) \leftarrow C(D)$, $C(D) \leftarrow C(D) - \delta\, \delta^{*-1} D^x C^*(D)$. Then, if $2L \le n$: length change, $L \leftarrow n + 1 - L$, $C^*(D) \leftarrow T(D)$, $\delta^* \leftarrow \delta$, $x \leftarrow 1$; otherwise no length change, $x \leftarrow x + 1$.

◮ $n \leftarrow n + 1$ and go back to the test n = M.

◮ Here δ is the next discrepancy (desired symbol minus generated symbol), T(D) is temporary storage, $C^*(D)$ and $\delta^*$ are the connection polynomial and discrepancy before the last length change, and x is the number of symbols since the last length change.

SLIDE 11

Berlekamp-Massey Algorithm

◮ The Berlekamp-Massey algorithm computes $\langle C(D), L \rangle$ and $(s_0, s_1, \ldots, s_{L-1})$ from 2L contiguous LFSR output symbols.

◮ Do not use an LFSR output directly in a cryptosystem (unless you want it to be broken easily).
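An added Python example covering slides 7 through 11 (not code from the lecture notes): an LFSR over GF(p) with the connection-polynomial convention of slide 7, a period check for the primitive polynomials listed on slide 9, and the Berlekamp-Massey algorithm transcribed from the flowchart on slide 10. The coefficient-list representation `[1, c_1, ..., c_L]` of C(D) and the helper names are conventions chosen here. `recover_and_extend` demonstrates the point of the last bullet: 2L output symbols are enough to rebuild the register and reproduce the entire sequence, which is why a bare LFSR gives no security.

```python
# LFSR over GF(p) and the Berlekamp-Massey algorithm, written from the
# flowchart on the slides.  Added example; not code from the lecture notes.
# Conventions follow the slides: C(D) = 1 + c_1 D + ... + c_L D^L is stored
# as the coefficient list [1, c_1, ..., c_L], and the register produces
# s_j = -(c_1 s_{j-1} + ... + c_L s_{j-L}) mod p.

def lfsr_output(conn, state, p, count):
    """Return the first `count` symbols s_0, s_1, ... of the LFSR."""
    L = len(conn) - 1
    s = list(state)
    if len(s) != L:
        raise ValueError("initial state must have exactly L symbols")
    while len(s) < count:
        j = len(s)
        s.append((-sum(conn[i] * s[j - i] for i in range(1, L + 1))) % p)
    return s[:count]


def lfsr_period(conn, state, p):
    """Steps until the register contents return to the initial state."""
    L = len(conn) - 1
    start = tuple(state)
    s = list(state)
    n = 0
    while True:
        j = len(s)
        s.append((-sum(conn[i] * s[j - i] for i in range(1, L + 1))) % p)
        n += 1
        if tuple(s[-L:]) == start:
            return n


def berlekamp_massey(s, p=2):
    """Shortest LFSR <C(D), L> generating s over GF(p), as on the flowchart."""
    C, Cstar = [1], [1]          # C(D) and C*(D)
    L, dstar, x = 0, 1, 1        # length, delta*, symbols since last length change
    for n, s_n in enumerate(s):
        # delta = s_n + c_1 s_{n-1} + ... + c_L s_{n-L}  (the discrepancy)
        delta = (s_n + sum(C[i] * s[n - i] for i in range(1, L + 1) if i < len(C))) % p
        if delta == 0:           # no length change
            x += 1
            continue
        T = list(C)
        coef = (delta * pow(dstar, -1, p)) % p
        C.extend([0] * (x + len(Cstar) - len(C)))   # room for D^x C*(D)
        for i, ci in enumerate(Cstar):              # C(D) <- C(D) - delta/delta* D^x C*(D)
            C[i + x] = (C[i + x] - coef * ci) % p
        if 2 * L <= n:           # length change
            L = n + 1 - L
            Cstar, dstar, x = T, delta, 1
        else:                    # no length change
            x += 1
    C = C[:L + 1] + [0] * (L + 1 - len(C))          # deg C(D) <= L
    return C, L


def recover_and_extend(prefix, p, count):
    """Recover <C(D), L> from `prefix` (2L symbols suffice) and regenerate
    `count` symbols, i.e. reproduce the rest of the LFSR output."""
    C, L = berlekamp_massey(prefix, p)
    return lfsr_output(C, prefix[:L], p, count)


if __name__ == "__main__":
    conn = [1, 0, 0, 1, 1]       # C(D) = 1 + D^3 + D^4, primitive over GF(2)
    seq = lfsr_output(conn, (1, 0, 0, 0), 2, 30)
    print(seq, "period", lfsr_period(conn, (1, 0, 0, 0), 2))
    print(berlekamp_massey(seq[:8]))
    print(recover_and_extend(seq[:8], 2, 30) == seq)
```

With $C(D) = D^4 + D^3 + 1$ and initial state (1, 0, 0, 0) the output has period 15 = 2^4 - 1, and the first 8 symbols already let Berlekamp-Massey return `([1, 0, 0, 1, 1], 4)`, i.e. the original connection polynomial and length.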

SLIDE 12

Using a Block Cipher

[Figure: output feedback mode. The register holds $S_{i-1}$ (initially IV); it is encrypted as $S_i = E_K(S_{i-1})$ under key K, and $S_i$ is both fed back into the register and taken as output.]

◮ Any secure block cipher encryption function $E_K(\cdot)$ can be used in output feedback mode (OFB) to generate a (reasonably) secure pseudo-random sequence.

◮ IV is the initialization vector (can be transmitted publicly).

◮ If the block cipher encrypts blocks of size B, use the full block size B in the feedback path. Output B or fewer symbols per iteration.

SLIDE 13

Toy Example

◮ A block cipher with B output bits obtained from B input bits can be regarded as a permutation of the numbers $0, 1, 2, \ldots, 2^B - 1$.

◮ An example of a permutation for B = 4 is

$$
\pi = \begin{pmatrix}
0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 \\
7 & 14 & 1 & 15 & 9 & 6 & 3 & 2 & 10 & 13 & 5 & 11 & 8 & 4 & 12 & 0
\end{pmatrix}
$$

◮ Setting IV = 0 yields the sequence 0, 7, 2, 1, 14, 12, 8, 10, 5, 6, 3, 15, 0, ... Period: 12

◮ But setting IV = 4 only yields the sequence 4, 9, 13, 4, ... Period: 3

◮ And setting IV = 11 only yields 11, 11, 11, ... Period: 1
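The toy permutation and its three IV cycles, as an added Python example (not code from the lecture notes). `PI` is the slide's table; the extracted bottom row shows only 15 entries, and π(15) = 0 is filled in from the IV = 0 sequence on the slide (..., 3, 15, 0, ...). `period_by_iv` goes beyond the three IVs on the slide and reports the OFB period for all 16 starting values, which is what one would want to check before trusting any small permutation in feedback mode.

```python
# Toy output-feedback (OFB) generator built on the B = 4 permutation pi from
# the slides.  Added example; not code from the lecture notes.  pi(15) = 0 is
# taken from the IV = 0 cycle shown on the slide (..., 3, 15, 0, ...).

PI = [7, 14, 1, 15, 9, 6, 3, 2, 10, 13, 5, 11, 8, 4, 12, 0]


def is_permutation(table):
    """A block cipher on B bits must be a bijection on 0 .. 2^B - 1."""
    return sorted(table) == list(range(len(table)))


def ofb_keystream(block_fn, iv, count):
    """S_i = E_K(S_{i-1}) with S_0 = IV; the full block is fed back and output.

    The IV itself is public and not part of the keystream, so the list
    starts at S_1.
    """
    out, s = [], iv
    for _ in range(count):
        s = block_fn(s)
        out.append(s)
    return out


def cycle_from(block_fn, iv):
    """Follow S_0 = IV, S_1 = E(S_0), ... until a value repeats.

    Returns (tail, period).  For a permutation `tail` is always 0: every
    element lies on exactly one cycle, so the sequence is periodic from S_0.
    """
    seen, s, n = {}, iv, 0
    while s not in seen:
        seen[s] = n
        s = block_fn(s)
        n += 1
    return seen[s], n - seen[s]


def period_by_iv(table):
    """OFB period for every possible IV, i.e. the cycle lengths of pi."""
    return {iv: cycle_from(table.__getitem__, iv)[1] for iv in range(len(table))}


def short_cycle_ivs(table, min_period):
    """IVs whose OFB sequence repeats after fewer than `min_period` blocks."""
    return sorted(iv for iv, per in period_by_iv(table).items() if per < min_period)


if __name__ == "__main__":
    print(is_permutation(PI))
    for iv in (0, 4, 11):
        seq = [iv] + ofb_keystream(PI.__getitem__, iv, 12)
        print(iv, seq, "period", cycle_from(PI.__getitem__, iv)[1])
    print(short_cycle_ivs(PI, 12))
```

For this π, 4 of the 16 possible IVs (4, 9, 11 and 13) land on a cycle shorter than 12, so a randomly chosen IV would hit a short keystream one time in four.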

SLIDE 14

Blum, Blum, Shub PRNG

◮ Let n = p q where p, q are large primes satisfying p ≡ 3 (mod 4) and q ≡ 3 (mod 4). Use a seed $x_0$ to generate the sequence $x_0,\; x_1 = x_0^2,\; x_2 = x_1^2,\; \ldots \pmod n$. Output the least significant bit of each $x_i$ to obtain a secure binary random sequence (based on the difficulty of computing square roots modulo n = p q if p, q are not known).

◮ Example: p = 11, q = 19, $x_0 = 4$ yields the sequence $x_i = \{4, 16, 47, 119, 158, 93, 80, 130, 180, 5, 25, 207, 4, \ldots\}$

◮ The pseudo-random bit sequence is 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, ...
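The Blum-Blum-Shub example on this slide, as an added Python example (not code from the lecture notes). The primality test and the requirement that the seed be coprime to n are the standard BBS conditions, added here as assumptions; the slide itself only states p, q ≡ 3 (mod 4). `bbs_period` additionally measures how soon the toy state sequence repeats, which with p = 11 and q = 19 is after 12 steps.

```python
# Blum-Blum-Shub generator as defined on the slides.  Added example; not code
# from the lecture notes.  The coprimality check on the seed is the standard
# BBS requirement and is an assumption here, not something the slide states.
from math import gcd


def is_prime(n):
    """Trial division; adequate for the toy primes used on the slides."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def check_bbs_parameters(p, q, x0):
    """p, q prime and congruent to 3 (mod 4); seed must share no factor with n."""
    if not (is_prime(p) and is_prime(q) and p % 4 == 3 and q % 4 == 3):
        raise ValueError("p and q must be primes congruent to 3 mod 4")
    if gcd(x0, p * q) != 1:   # assumption: standard BBS seed condition
        raise ValueError("seed must be coprime to n = p*q")


def bbs_states(p, q, x0, count):
    """x_0, x_1 = x_0^2, x_2 = x_1^2, ... (mod n), `count` terms."""
    check_bbs_parameters(p, q, x0)
    n = p * q
    out, x = [], x0 % n
    for _ in range(count):
        out.append(x)
        x = x * x % n
    return out


def bbs_bits(p, q, x0, count):
    """Least significant bit of each state: the output bit sequence."""
    return [x & 1 for x in bbs_states(p, q, x0, count)]


def bbs_period(p, q, x0):
    """Length of the cycle the state sequence eventually repeats."""
    check_bbs_parameters(p, q, x0)
    n = p * q
    seen, x, i = {}, x0 % n, 0
    while x not in seen:
        seen[x] = i
        x = x * x % n
        i += 1
    return i - seen[x]


if __name__ == "__main__":
    print(bbs_states(11, 19, 4, 13))
    print(bbs_bits(11, 19, 4, 13), "period", bbs_period(11, 19, 4))
```

The toy modulus n = 209 is for tracing the slide's numbers only; the security argument on the slide needs p and q large enough that factoring n is infeasible.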
