Pseudorandom Bit Generation
Artur Gadomski, Piero Giammarino, Henrik Goldman, Massimo Giulio Caterino
Posted 20-Dec-2015 (category: Documents)
Definitions
• A random bit generator is a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits.
• A pseudorandom bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length k, outputs a binary sequence of length l ≫ k which “appears” to be random. The input to the PRBG is called the seed, while the output of the PRBG is called a pseudorandom bit sequence.
Definitions
• A pseudorandom bit generator is said to pass all polynomial-time statistical tests if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 1/2.
• A pseudorandom bit generator is said to pass the next-bit test if there is no polynomial-time algorithm which, on input of the first l bits of an output sequence s, can predict the (l+1)-th bit of s with probability significantly greater than 1/2.
Definitions
• A PRBG that passes the next-bit test is called a cryptographically secure pseudorandom bit generator (CSPRBG).
Hardware based generators
• elapsed time between emission of particles during radioactive decay;
• thermal noise from a semiconductor diode or resistor;
• the frequency instability of a free-running oscillator;
• the amount a metal-insulator-semiconductor capacitor is charged during a fixed period of time;
• air turbulence within a sealed disk drive which causes random fluctuations in disk drive sector read latency times;
• sound from a microphone or video input from a camera.
Software based generators
• the system clock;
• elapsed time between keystrokes or mouse movements;
• content of input/output buffers;
• user/system/hardware/network serial numbers and/or addresses;
• user input;
• operating system values such as system load and network statistics.
Mixing functions
• A strong mixing function is one which combines two or more inputs and produces an output where each output bit is a different complex non-linear function of all the input bits.
Example
• A trivial example for single bit inputs is the Exclusive Or function.
• DES is an example of a strong mixing function for multiple bit quantities.
• Cryptographic hash functions such as SHA-1 or MD5.
• Diffie-Hellman exponential key exchange is another example. If the initial values are random, then the shared secret contains the combined randomness of them both, assuming they are uncorrelated.
De-skewing
• Suppose that in an output sequence the probability of a 1 is p. Group the output bits into non-overlapping pairs, treat each 01 as 1 and each 10 as 0, and discard the 00 and 11 pairs. The resulting sequence is both unbiased and uncorrelated.
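A working version of the pairing rule, added here as an example (not code from the slides); the biased source it is run on is constructed with a seeded non-cryptographic generator purely to make the demonstration reproducible:

```python
# Added example (not from the slides): von Neumann de-skewing as described above.
# The source is read in non-overlapping pairs: 01 -> 1, 10 -> 0, 00 and 11 dropped.
import random
from typing import Iterable, List


def deskew(bits: Iterable[int]) -> List[int]:
    """Return the unbiased bits obtained from non-overlapping pairs of `bits`."""
    bits = list(bits)
    out = []
    for a, b in zip(bits[0::2], bits[1::2]):  # non-overlapping pairs
        if a != b:                            # 01 -> 1, 10 -> 0
            out.append(b)
    return out


def bias(bits: List[int]) -> float:
    """Fraction of ones in the sequence (0.5 for an unbiased source)."""
    return sum(bits) / len(bits) if bits else 0.0


def biased_source(n: int, p_one: float, seed: int = 12345) -> List[int]:
    """Constructed test input: independent bits that are 1 with probability p_one.
    random.Random is a seeded non-cryptographic generator, used only to make
    the demonstration reproducible."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


if __name__ == "__main__":
    raw = biased_source(100_000, p_one=0.8)
    fixed = deskew(raw)
    # Only about 2p(1-p) of the pairs (32% here) survive, so the price of
    # removing the bias is a large drop in throughput.
    print(f"input bias {bias(raw):.3f}, output bias {bias(fixed):.3f}, "
          f"kept {len(fixed)} of {len(raw)} bits")
```

The rule only removes bias if the input bits are independent; a correlated source still needs a mixing function.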
Mathematical Model of a PRBG
INPUT: X_0 = seed
X_{i+1} = f(i, X_0, X_1, X_2, X_3, ...), i = 0, 1, 2, 3, ...
OUTPUT: X_1 X_2 X_3 X_4 ... (pseudorandom sequence)
Pseudorandom Generators
• Linear Congruential Generator
• J-Bit Output Feedback
• ANSI X9.17
• Blum Blum Shub Pseudorandom Bit Generator
• RSA Pseudorandom Bit Generator
Linear Congruential Generator
Today the most widely used technique for pseudorandom generation [Lehmer 1951]:
X_0 = seed, m > 0
0 ≤ a < m, 0 ≤ b < m
X_{i+1} = a · (X_i + b) mod m
Example of LCG
a = 7, b = 0, m = 32, X_0 = 1
X_{i+1} = 7 X_i mod 32: 7, 17, 23, 1, 7, 17, 23, … (period 4)
a = 5, b = 0, m = 32, X_0 = 1
X_{i+1} = 5 X_i mod 32: 5, 25, 29, 17, 21, 9, 13, 1, … (period 8)
Linear Congruential Generator
X_{i+1} = 7^5 · X_i mod (2^31 − 1)
a = 7^5
b = 0
m = 2^31 − 1 (a prime, convenient for 32-bit arithmetic)
Used for the IBM 360 [1969]
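The recurrence in the form the slides give it, X_{i+1} = a·(X_i + b) mod m, as an added example (not the slides' code); it reproduces the period-4 and period-8 toy cases above and the IBM 360 parameters, and period() is a brute-force helper that only suits small m:

```python
# Added example (not the slides' code): the LCG in the form the slides give,
# X_{i+1} = a * (X_i + b) mod m, with a brute-force period finder for small m.
from typing import List


def lcg(a: int, b: int, m: int, x0: int, count: int) -> List[int]:
    """Return X_1 .. X_count of the recurrence X_{i+1} = a * (X_i + b) mod m."""
    out, x = [], x0
    for _ in range(count):
        x = (a * (x + b)) % m
        out.append(x)
    return out


def period(a: int, b: int, m: int, x0: int) -> int:
    """Length of the cycle entered from x0.  Only m distinct states exist, so a
    state must repeat within m + 1 steps (brute force: small m only)."""
    seen = {}
    x = x0
    for i in range(m + 1):
        if x in seen:
            return i - seen[x]
        seen[x] = i
        x = (a * (x + b)) % m
    raise AssertionError("unreachable: a state repeats within m + 1 steps")


def minstd(x0: int, count: int) -> List[int]:
    """The IBM 360 / Lehmer parameters from the slide: a = 7^5, b = 0, m = 2^31 - 1."""
    return lcg(7 ** 5, 0, 2 ** 31 - 1, x0, count)


if __name__ == "__main__":
    # The slides' two toy cases: period 4 for a = 7, period 8 for a = 5 (m = 32, X0 = 1).
    print(lcg(7, 0, 32, 1, 8), "period", period(7, 0, 32, 1))
    print(lcg(5, 0, 32, 1, 8), "period", period(5, 0, 32, 1))
    print(minstd(1, 3))
```

Even with a full period an LCG is not a CSPRBG: its state and parameters are recovered from a short run of outputs, so it belongs in simulation, not in key generation.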
ANSI X9.17 Generator
• Ad-hoc construction which is not proved to be cryptographically secure, though it should be sufficient for most applications
• U.S. Federal Information Processing Standard (FIPS) approved method
• Makes use of the 2-key triple DES algorithm
Algorithm
Input:
s – 64-bit secret seed
m – integer (counter)
k – 3DES key
Notation: E_k is 3DES encryption under key k; ^ is XOR.
1. Get the 64-bit representation of the computer date/time, D.
2. Compute I = E_k(D).
3. for (i = 0; i < m; i++) {
       x_i = E_k(I ^ s);   // compute the next 64-bit output string
       s = E_k(x_i ^ I);   // update the seed
   }
4. Return the x_i's.
Blum Blum Shub PRBG
1. Generate p and q, two big Blum primes (primes congruent to 3 mod 4)
2. n = p · q
3. Choose s ∈ [1, n−1]: the seed
4. x_0 = s^2 (mod n)
5. The sequence is defined as x_i = x_{i-1}^2 (mod n) and z_i = the least significant bit of x_i
6. The output is z_1, z_2, z_3, ...
Example
• Let n = p · q = 7 · 19 = 133
• s = 100
• x_0 = 100^2 (mod 133) = 25
• x_1 = 25^2 (mod 133) = 93
• x_2 = 93^2 (mod 133) = 4
• x_3 = 4^2 (mod 133) = 16
• x_4 = 16^2 (mod 133) = 123
• The output (least significant bits of x_1 … x_4): 1, 0, 0, 1
RSA generator
• It is a pseudorandom bit generator, and it is a cryptographically secure pseudorandom bit generator under the assumption that factoring a large number n composed of two large primes p and q is intractable.
RSA generator
Diagram (one step): x_i = x_{i-1}^e (mod n) → LSB → z_i; then i = i + 1
• p and q prime
• n = p · q
• e = integer in [3, φ(n)) with gcd(e, φ(n)) = 1
Algorithm
1. Generate p and q
2. n = p · q
3. Pick a random integer e with 1 < e < φ and gcd(e, φ) = 1
4. Select a random integer x_0 (the seed) in the interval [1, n−1]
5. For i = 1 to l:
6.   x_i = x_{i-1}^e mod n
7.   z_i = LSB of x_i
8. Return z_1, ..., z_l
RSA generator (variant)
Diagram (one step): x_i = x_{i-1}^e (mod n) → take the c · log log n least significant bits → z_i; then i = i + 1
• p and q prime
• n = p · q
• e = integer in [3, φ(n)) with gcd(e, φ(n)) = 1
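Both number-theoretic generators from the Blum Blum Shub and RSA generator slides above, as one added example (not the slides' code); it reproduces the slides' n = 133 walk-through and runs the RSA generator on constructed toy primes p = 11, q = 23 with e = 3:

```python
# Added example (not from the slides): Blum Blum Shub and the RSA generator, which
# both output the least significant bit of a number-theoretic state.  Parameters are
# the slides' toy values (n = 7 * 19 = 133, seed 100) and constructed RSA toy values;
# real use needs primes of cryptographic size and a seed with gcd(seed, n) = 1.
from math import gcd
from typing import Callable


def lsb_generator(step: Callable[[int], int], x0: int, count: int) -> list[int]:
    """Run x_i = step(x_{i-1}) for i = 1..count and return the LSB of each x_i."""
    bits, x = [], x0
    for _ in range(count):
        x = step(x)
        bits.append(x & 1)
    return bits


def bbs_states(p: int, q: int, seed: int, count: int) -> list[int]:
    """x_0 = seed^2 mod n, then x_i = x_{i-1}^2 mod n; returns [x_0, ..., x_count]."""
    assert p % 4 == 3 and q % 4 == 3, "Blum primes are congruent to 3 mod 4"
    n = p * q
    states = [pow(seed, 2, n)]
    for _ in range(count):
        states.append(pow(states[-1], 2, n))
    return states


def bbs_bits(p: int, q: int, seed: int, count: int) -> list[int]:
    """z_i = LSB(x_i) for i = 1..count, the BBS output stream."""
    n = p * q
    return lsb_generator(lambda x: pow(x, 2, n), pow(seed, 2, n), count)


def rsa_bits(p: int, q: int, e: int, seed: int, count: int) -> list[int]:
    """x_i = x_{i-1}^e mod n with 1 < e < phi(n), gcd(e, phi(n)) = 1; z_i = LSB(x_i)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert 1 < e < phi and gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    assert 1 <= seed <= n - 1, "seed must lie in [1, n-1]"
    return lsb_generator(lambda x: pow(x, e, n), seed, count)


if __name__ == "__main__":
    print(bbs_states(7, 19, 100, 4))   # slides' walk-through: 25, 93, 4, 16, 123
    print(bbs_bits(7, 19, 100, 4))     # slides' output: 1, 0, 0, 1
    print(rsa_bits(11, 23, 3, 17, 8))  # constructed toy parameters p=11, q=23, e=3
```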
Frequency test (monobit test)
• The purpose of this test is to determine whether the number of 0’s and 1’s in a generator output sequence are approximately the same, as would be expected for a random sequence.
Serial test (two-bit test)
• The purpose of this test is to determine whether the number of occurrences of 00, 01, 10, and 11 as subsequences of s are approximately the same, as would be expected for a random sequence.
Poker test
• Divide s into k non-overlapping parts, each of length m. The poker test determines whether the sequences of length m each appear approximately the same number of times in s, as would be expected for a random sequence. Note that this test is a generalization of the frequency test: setting m = 1 in the poker test yields the frequency test.
Runs test
• The purpose of the runs test is to determine whether the number of runs (of either zeros or ones) of various lengths in the sequence s is as expected for a random sequence.
Autocorrelation test
• The purpose of this test is to check for correlations between the sequence s and (noncyclic) shifted versions of it.
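The five statistics as defined in the Handbook of Applied Cryptography (section 5.4.4, the slides' source), implemented as an added example (not code from the slides); the runs test takes the largest run length k as a parameter rather than deriving it from e_i ≥ 5:

```python
# Added example (not from the slides): the five statistics of HAC 5.4.4 for a bit
# list s.  Larger values mean a larger departure from a random sequence; the caller
# compares them with chi-square (X1..X4) or standard-normal (X5) thresholds.
from collections import Counter
from itertools import groupby
from math import sqrt


def monobit(s: list[int]) -> float:
    """X1 = (n0 - n1)^2 / n."""
    n1 = sum(s)
    return (len(s) - 2 * n1) ** 2 / len(s)


def serial(s: list[int]) -> float:
    """X2 = 4/(n-1) * sum(n_ab^2) - 2/n * (n0^2 + n1^2) + 1 over overlapping pairs."""
    n, n1 = len(s), sum(s)
    pairs = Counter(zip(s, s[1:]))  # n00, n01, n10, n11
    return ((4 / (n - 1)) * sum(c * c for c in pairs.values())
            - (2 / n) * ((n - n1) ** 2 + n1 ** 2) + 1)


def poker(s: list[int], m: int) -> float:
    """X3 = (2^m / k) * sum(n_i^2) - k over the k = n // m non-overlapping m-bit blocks."""
    k = len(s) // m
    blocks = Counter(tuple(s[i * m:(i + 1) * m]) for i in range(k))
    return (2 ** m / k) * sum(c * c for c in blocks.values()) - k


def runs(s: list[int], k: int) -> float:
    """X4 = sum over lengths 1..k of (B_i - e_i)^2/e_i + (G_i - e_i)^2/e_i, with
    e_i = (n - i + 3) / 2^(i+2); HAC takes k as the largest i with e_i >= 5."""
    n = len(s)
    lengths = {0: Counter(), 1: Counter()}  # run lengths of gaps (0s) and blocks (1s)
    for bit, run in groupby(s):
        lengths[bit][len(list(run))] += 1
    total = 0.0
    for length in range(1, k + 1):
        e = (n - length + 3) / 2 ** (length + 2)
        total += sum((lengths[v][length] - e) ** 2 / e for v in (0, 1))
    return total


def autocorrelation(s: list[int], d: int) -> float:
    """X5 = 2 * (A(d) - (n-d)/2) / sqrt(n-d), A(d) = number of i with s_i != s_{i+d}."""
    n = len(s)
    a = sum(x ^ y for x, y in zip(s, s[d:]))
    return 2 * (a - (n - d) / 2) / sqrt(n - d)
```

Passing all five says nothing about predictability: an LCG output passes them while still failing the next-bit test.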
References
• A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography
• www.cacr.math.uwaterloo.ca/hac
• www.ietf.org/rfc/rfc1750.txt