Uniform Generators and Combinatorial Designs, Alexis Bonnecaze and Pierre Liardet, CryptoPuces 2011 (slide deck)


SLIDE 1

Uniform Generators and Combinatorial Designs

Alexis Bonnecaze and Pierre Liardet

IML/ERISCS, Université de la Méditerranée and LATP, Université de Provence

CryptoPuces, 2011

  • A. Bonnecaze, P. Liardet

(IML and LATP) Uniform Generators and Combinatorial Designs 2011 1 / 16

SLIDE 2

Table of contents

- Random generators
- k-out-of-n generators
- Background in coding theory and combinatorial designs
- Background in automorphism groups and random walks
- Our algorithm
- Conclusion

SLIDE 3

Random generators

A random generator is a computational or physical device designed to generate a sequence of symbols that appears random.

- Physical devices (not always practical): true random generators
- Computational devices: pseudo-random generators

For many applications, pseudo-random generators are used instead of true random generators, except in cryptography.

Examples:

- Jitter effect in semiconductor oscillators and white noise
- A computer's real-time clock used as the seed
- LFSR
- Generators based on arithmetic properties
- /dev/random, etc.

SLIDE 4

Applications

Main application: cryptography

- Secret keys for block ciphers
- Secret keys for stream ciphers, like the one-time pad (problem of key size)
- Private keys for asymmetric cryptography
- Random numbers for cryptographic protocols (nonce, salt, etc.)

Other applications:

- Network security
- Information theory
- Genetic algorithms
- But also (quasi) Monte Carlo methods and simulations

SLIDE 5

Example: Client/Server architecture

The server is a weak point: it may be corrupted or the victim of denial of service (DoS) attacks. The problem may not have a malicious origin but a hardware or software origin.

How to prevent the server from failing? One solution: use a multiserver architecture (for example, n servers).

- For each request to the system, k servers out of the n servers are randomly chosen to process the request.
- These k servers are said to be the active servers.
- An attacker does not know a priori which servers are the active ones for a given request.

Main problem: how to construct a k-out-of-n random generator from a Bernoulli binary generator?

SLIDE 6

Three sorts of algorithms

- Algorithms that output the uniform distribution on letters in a bounded running time
- Las Vegas algorithms: they output the uniform distribution on letters with an unbounded running time, but with a finite expected running time
- Monte Carlo algorithms: they end in a bounded running time and output a distribution usually distinct from the uniform distribution, but arbitrarily close to it in terms of total variation

SLIDE 7

Existing solutions

Naive solution (Las Vegas type):

- Pick an integer a1 belonging to E := [1..n]
- Pick another element a2 in E1 := E \ {a1}
- Next, pick another element in E2 := E1 \ {a2}, and so on, until k integers have been obtained

Probabilistic algorithm based on the Fisher-Yates shuffle (Las Vegas type)

RANKSB algorithm (Nijenhuis and Wilf, 1978)

These solutions lead to a significant bias compared with the uniform distribution.

SLIDE 8

Our solution (Monte Carlo type)

- Based on combinatorial properties of error-correcting codes
- Every code having a design can be used to construct such a generator
- Our method uses a random walk on the automorphism group of the code
- We focus on the extended binary Golay code, which leads to a 5-out-of-24 uniform generator

SLIDE 9

Background on coding and combinatorial designs

Linear block codes

A binary linear block code C of length n is a subspace of F_2^n. The parameters of C are [n, k, d], where k is the dimension and d is the minimum distance.

Combinatorial designs

Let Y be a v-set (a set of v elements). A t-(v, k, λ) design is a collection of distinct k-subsets of Y (the blocks) with the property that every t-subset of Y is covered by exactly λ blocks. If λ = 1, the design is called a Steiner system.

SLIDE 10

Background on coding and combinatorial designs

Example: the binary Golay code [24, 12, 8], denoted G24.

- An octad of G24 is a codeword of Hamming weight 8.
- The octads form the blocks of a 5-(24, 8, 1) design, that is, a Steiner system.
- Any binary vector of length 24 and Hamming weight 5 is covered by exactly one octad of G24.

binary vector: (010000010010100000000100)

octad of G24: (010010010010110001000100)

SLIDE 11

Automorphism group of G24

The automorphism group of G24 is the Mathieu group M24. M24 is generated by four permutations acting on the coordinates of the codewords (the coordinates being labelled by ∞ and the integers modulo 23):

  S : i → i + 1
  V : i → 2i
  U : i → −1/i
  W : ∞ → 0, 0 → ∞, i → −(i/2)^2 if i is a quadratic residue modulo 23, i → (2i)^2 otherwise.

This group is 5-homogeneous and 5-transitive on octads.

#M24 = 2^10 · 3^3 · 5 · 7 · 11 · 23

SLIDE 12

Random walks

Random walks on some groups can lead to uniform k-out-of-n generators. Since the size of M24 is huge, the speed of convergence of a walk on the Mathieu group would be rather low. We therefore introduce a Markov walk on the set of blocks of a Steiner system.

The Markov walk is done on the set of octads by the action of the four generators of M24: S, V, U and W. Let I be the identity. We make the walk symmetrical by taking the transition set E = {I, S, S^−1, U, V, V^−1, W, W^−1}, with the uniform probability.

SLIDE 13

G5-24(N) Algorithm

INPUT: N
OUTPUT: a binary vector of Hamming weight 5 and length 24

(a) choose an octad m of G24
(b) replace m by m′, obtained by replacing the first three coordinates equal to 1 in m by zeros
(c) act randomly on m′ with the four generators, their inverses or the identity, N times
(d) output the obtained word

Theorem. The G5-24(N) algorithm realizes a uniform k-out-of-n generator asymptotically, with an exponential speed of convergence.

SLIDE 14

G5-24(N) Algorithm

Total number of octads: 759

  Number of octads | Number of steps to obtain all 759 octads
  -----------------+-----------------------------------------
  683              | 6
  76               | 7

This table shows that, starting from 683 octads out of 759, 6 steps are sufficient to obtain all the octads. All octads can be reached from any octad in exactly 7 steps.
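As an added example (not code from the slides or the authors), the following Python reconstructs slides 10 to 14: it builds the 759 octads of G24 from the quadratic-residue construction, checks the 5-(24, 8, 1) property and that S, V, U and W map octads to octads, runs G5-24(N), and computes the number of steps needed to reach every octad from a given one. It assumes coordinates 0..22 stand for the integers modulo 23 and coordinate 23 for ∞, that the code is generated by the cyclic shifts of the non-residue word with a parity bit at ∞, and that "the first three coordinates" are taken in that coordinate order; Python's `random` stands in for the Bernoulli binary generator.

```python
import random
from itertools import combinations
from math import comb
P, INF = 23, 23       # coordinates 0..22 are Z_23, coordinate 23 plays the role of "infinity"
QR = {(i * i) % P for i in range(1, P)}                   # quadratic residues modulo 23
NONRES = set(range(1, P)) - QR                             # non-residues modulo 23
def build_octads():
    # extended Golay code, quadratic-residue construction: GF(2)-span of the 23 cyclic shifts
    # of the non-residue word with a parity bit at INF; returns the 759 octads as frozensets
    basis = {}                                             # pivot bit -> row (GF(2) elimination)
    for s in range(P):
        r = sum(1 << ((n + s) % P) for n in NONRES) | (1 << INF)   # weight 11 + parity bit
        while r and r.bit_length() - 1 in basis:
            r ^= basis[r.bit_length() - 1]
        if r: basis[r.bit_length() - 1] = r
    words = {0}
    for b in basis.values(): words |= {w ^ b for w in words}   # all 2^12 codewords
    return {frozenset(i for i in range(24) if w >> i & 1) for w in words if bin(w).count("1") == 8}

def inv(i): return pow(i, P - 2, P)                        # inverse in Z_23*
def S(i): return INF if i == INF else (i + 1) % P         # S: i -> i + 1
def V(i): return INF if i == INF else (2 * i) % P         # V: i -> 2i
def U(i): return 0 if i == INF else INF if i == 0 else (-inv(i)) % P   # U: i -> -1/i
def W(i):                                                  # W exactly as written on slide 11
    if i in (0, INF): return INF - i                       # infinity <-> 0
    return (-((i * inv(2)) ** 2)) % P if i in QR else (2 * i) ** 2 % P
def perm(f): return tuple(f(i) for i in range(24))
def inverse(p): return tuple(sorted(range(24), key=p.__getitem__))
def act(p, word): return frozenset(p[i] for i in word)    # image of a coordinate set under p
GENS = [perm(f) for f in (S, V, U, W)]
# symmetric transition set E = {I, S, S^-1, U, V, V^-1, W, W^-1}; U is an involution, so |E| = 8
TRANSITIONS = [tuple(range(24))] + sorted({p for g in GENS for p in (g, inverse(g))})

def preserves_octads(p, octads): return {act(p, o) for o in octads} == octads
def is_steiner_5_24(octads):
    # 5-(24,8,1): the 5-subsets of the octads are pairwise distinct and exhaust all C(24,5) of them
    return len({frozenset(f) for o in octads for f in combinations(o, 5)}) == comb(24, 5)

def g5_24(n_steps, octads, rng=random):
    # G5-24(N): zero the first three 1-coordinates of an octad, then apply N transitions drawn
    # uniformly from E (3 unbiased bits per step); rng stands in for the Bernoulli bit generator
    word = frozenset(sorted(rng.choice(sorted(octads, key=sorted)))[3:])
    for _ in range(n_steps): word = act(rng.choice(TRANSITIONS), word)
    return word

def steps_to_reach_all(start, octads):
    # smallest N such that every octad is reached from `start` within N steps (I belongs to E)
    seen = frontier = {start}
    for n in range(1, 100):
        frontier = {act(p, o) for o in frontier for p in TRANSITIONS} - seen
        seen = seen | frontier
        if len(seen) == len(octads): return n
```

The table on this slide is the distribution of steps_to_reach_all over all 759 start octads.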

SLIDE 15

Generalization: Gk-n(N) Algorithm

INPUT: N
OUTPUT: a binary vector of Hamming weight k and length n

Choose a block m of weight b among the blocks of a k-(n, b, λ) design. The automorphism group A of the design must be transitive on the blocks.

If A is (b − k)-transitive on the blocks, then
  (b.1) replace m by m′, obtained by replacing the first b − k coordinates equal to 1 in m by zeros
  (b.2) act randomly on m′ with the generators of A, N times
  (b.3) output the obtained word
else
  (c.1) act randomly on m with the generators of A, N times, and obtain m′
  (c.2) randomly choose k coordinates equal to 1 in m′ using a k-out-of-b generator
  (c.3) output the obtained word

SLIDE 16

Conclusion

- We introduced a method to construct k-out-of-n generators.
- Our constructions are applicable whenever there exists a k-(n, b, λ) design.
- They make use of t-designs in order to obtain uniformity.
- They make use of random walks in order to control the accuracy of convergence.
- The speed of convergence is better than that of any existing k-out-of-n generator.
