Pseudo Random Number Generators ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Random Number Generation ◮ Random numbers are needed for many different purposes in engineering and computer science, e.g., to run simulations, to generate random passwords, etc. ◮ True sequences of random symbols can be obtained by flipping coins, measuring a radioactive source, using a noise diode, etc. ◮ Often there are some very specific requirements for a random sequence. For instance, for debugging purposes it is essential that a “random” sequence can be repeated. ◮ Pseudo-random number generators (PRNG) are widely used for computer simulations as well as cryptographic purposes, because they can be easily implemented using computers. But the requirements for cryptography are different than for general purpose computing. Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Middle Square Method ◮ Around 1946 John von Neumann came up with the “middle square method” for generating random numbers. Suppose you have an 8-digit number, e.g., s i = 60684258. Keep the middle 4 digits as x i = 6842. Compute the next number as s i +1 = x 2 i = 46812964 and thus x i +1 = 8129. ◮ What are the properties of the sequence x i , x i +1 , . . . ? Will it continue forever? Will it die out? What statistical properties does it have? ◮ Here is an example sequence, obtained by using 4-digit numbers and keeping the middle two numbers after each squaring 42 , 76 , 77 , 92 , 46 , 11 , 12 , 14 , 19 , 36 , 29 , 84 , 5 , 2 , 0 , 0 , . . . Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Middle Square Method ◮ Here is another example using 4-digit numbers and keeping the middle two x i = 57 → 57 2 = 3249 → x i +1 = 24 → 24 2 = 0576 → x i +2 = 57 → 57 2 = 3249 → . . . ◮ Moral of the story: Some theory is needed to make good PRNGs with predictable properties. Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Linear Congruential Method ◮ The linear congruential method generates the sequence x 0 , x 1 , x 2 , . . . using the recursion x i +1 = a x i + c (mod m ) , where m is the modulus (often a power of 2 or 10), a is the multiplier, c is the increment, and x 0 is the seed. ◮ Theorem. The sequence x 0 , x 1 , x 2 , . . . has period of length m (which is the maximum) iff (i) gcd ( c , m ) = 1 , (ii) b = a − 1 is multiple of p for every p dividing m , (iii) b is multiple of 4 if m is multiple of 4 . Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Example ◮ Example: m = 100, a = 41, c = 7, x 0 = 5, produces the sequence 5 12 99 66 13 40 47 34 1 48 75 82 69 36 83 10 17 4 71 18 45 52 39 6 53 80 87 74 41 88 15 22 9 76 23 50 57 44 11 58 85 92 79 46 93 20 27 14 81 28 55 62 49 16 63 90 97 84 51 98 25 32 19 86 33 60 67 54 21 68 95 2 89 56 3 30 37 24 91 38 65 72 59 26 73 0 7 94 61 8 35 42 29 96 43 70 77 64 31 78 5 which has period 100. Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Linear Feedback Shift Register + + + · · · − c L - c L - 1 − c 2 − c 1 s 0 , s 1 , s 2 , . . . s L s L − 2 s L − 1 s 0 s 1 · · · L ◮ Linear feedback shift register (LFSR) of length L . Uses initial state ( s 0 , s 1 , . . . s L − 1 ) and connection polynomial C ( D ) = c L D L + . . . + c 2 D 2 + c 1 D + 1 to produce output sequence s 0 , s 1 , s 2 , . . . . ◮ Arithmetic is computed modulo p for some prime number p . Very often p = 2 and then the output is binary. ◮ The maximum period of the output sequence is p L − 1. It is achieved when C ( D ) is a primitive polynomial modulo p . Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Linear Feedback Shift Register ◮ Recursion: s L = − � L − 1 i =0 s i c L − i . ◮ Initial condition: s 0 , s 1 , . . . s L − 1 . ◮ Define: S ( D ) = � ∞ i =0 s i D i ( D : delay operator). Then + � ∞ S ( D ) = s 0 + s 1 D + . . . + s L − 1 D L − 1 j =0 s L + j D L + j � �� � = P ( D ) = P ( D ) − � ∞ � L − 1 i =0 s i + j c L − i D j + L j =0 = P ( D ) − � ∞ � k − L +1 s k c L − k + j D j + L − k D k k =0 j = k = P ( D ) − � ∞ � k − L +1 c L − k + j D L − k + j D k k =0 s k j = k � �� � = C ( D ) − 1 S ( D ) = P ( D ) � � = P ( D ) − S ( D ) C ( D ) − 1 = ⇒ C ( D ) Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Examples ◮ Some primitive connection polynomials for p = 2 are D 3 + D 2 + 1 , D 4 + D 3 + 1 , D 5 + D 3 + 1 , D 6 + D 5 + 1 . Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Berlekamp-Massey Algorithm Berlekamp-Massey START Algorithm Initialize C ( D ) ← 1 C ∗ ( D ) ← 1 δ ∗ ← 1 L ← 0 n ← 0 x ← 1 Input is sequence Get M { s i } M − 1 of length M i =0 Get s n δ is next discrepancy δ ← s n + c 1 s n − 1 + . . . + c L s n − L (desired symbol minus generated symbol) yes no δ = 0 ? T ( D ) : Temp storage T ( D ) ← C ( D ) C ∗ ( D ) , δ ∗ : Conn poly C ( D ) ← C ( D ) − δ δ ∗− 1 D x C ∗ ( D ) and discrepancy before last length change yes no 2 L ≤ n ? x : Number of Length change symbols No length L ← n + 1 − L No length change C ∗ ( D ) ← T ( D ) since last change δ ∗ ← δ x ← x + 1 length x ← x + 1 x ← 1 change n ← n + 1 yes Output no n = M ? STOP < C ( D ) , L > Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Berlekamp-Massey Algorithm ◮ The Berlekamp-Massey algorithm computes ¡ c ( D ) , L ¿ and ( s 0 , s 1 , . . . s L − 1 ) from 2 L contiguous LFSR output symbols. ◮ Do not use a LFSR output directly in a cryptosystem (unless you want it to be broken easily). Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Using a Block Cipher Output S i • E K ( . ) K S i − 1 IV ◮ Any secure block cipher encryption function E K ( . ) can be used in output feedback mode (OFB) to generate a (reasonably) secure pseudo-random sequence. ◮ IV is the initialization vector (can be transmitted publicly). ◮ If block cipher encrypts blocks of size B , use full block size B in feedback path. Output B or less symbols per iteration. Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Toy Example ◮ A block cipher with B output bits obtained from B input bits can be regarded as a permutation of the numbers 0 , 1 , 2 , . . . , 2 B − 1. ◮ An example of a permutation for B = 4 is „ 0 « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 π = 7 14 1 15 9 6 3 2 10 13 5 11 8 4 12 0 ◮ Setting IV = 0 yields the sequence Period: 12 0,7,2,1,14,12,8,10,5,6,3,15,0, . . . ◮ But setting IV = 4 only yields the sequence Period: 3 4,9,13,4, . . . ◮ And setting IV = 11 only yields Period: 1 11,11,11, . . . Peter Mathys ECEN 5022 Cryptography
Pseudo Random Number Generators Blum, Blum, Shub PRNG ◮ Let n = p q where p , q are large primes satisfying p ≡ 3 (mod 4) and q ≡ 3 (mod 4). Use a seed x 0 to generate the sequence x 0 , x 1 = x 2 0 , x 2 = x 2 (mod n ) 1 , . . . Output the least significant bit of each x i to obtain a secure binary random sequence (based on difficulty of computing square roots modulo n = p q if p , q are not known). ◮ Example: p = 11, q = 19, x 0 = 4 yields the sequence x i = { 4 , 16 , 47 , 119 , 158 , 93 , 80 , 130 , 180 , 5 , 25 , 207 , 4 , . . . } ◮ The pseudo-random bit sequence is 0 , 0 , 1 , 1 , 0 , 1 , 0 , 0 , 0 , 1 , 1 , 1 , 0 , . . . . Peter Mathys ECEN 5022 Cryptography
Recommend
More recommend
