Pseudo Random Number Generators
ECEN 5022 Cryptography: Pseudo Random Number Generators
Peter Mathys
University of Colorado
Spring 2008
Peter Mathys ECEN 5022 Cryptography
Random Number Generation
• Random numbers are needed for many different purposes in engineering and computer science, e.g., to run simulations, to generate random passwords, etc.
• True sequences of random symbols can be obtained by flipping coins, measuring a radioactive source, using a noise diode, etc.
• Often there are some very specific requirements for a random sequence. For instance, for debugging purposes it is essential that a “random” sequence can be repeated.
• Pseudo-random number generators (PRNG) are widely used for computer simulations as well as cryptographic purposes, because they can be easily implemented using computers. But the requirements for cryptography are different from those for general purpose computing.
Middle Square Method
• Around 1946 John von Neumann came up with the “middle square method” for generating random numbers. Suppose you have an 8-digit number, e.g., $s_i = 60684258$. Keep the middle 4 digits as $x_i = 6842$. Compute the next number as $s_{i+1} = x_i^2 = 46812964$ and thus $x_{i+1} = 8129$.
• What are the properties of the sequence $x_i, x_{i+1}, \ldots$? Will it continue forever? Will it die out? What statistical properties does it have?
• Here is an example sequence, obtained by using 4-digit numbers and keeping the middle two digits after each squaring:
42, 76, 77, 92, 46, 11, 12, 14, 19, 36, 29, 84, 5, 2, 0, 0, . . .
Middle Square Method
• Here is another example using 4-digit numbers and keeping the middle two:
$x_i = 57 \rightarrow 57^2 = 3249 \rightarrow x_{i+1} = 24 \rightarrow 24^2 = 0576 \rightarrow x_{i+2} = 57 \rightarrow 57^2 = 3249 \rightarrow \ldots$
• Moral of the story: Some theory is needed to make good PRNGs with predictable properties.
Linear Congruential Method
• The linear congruential method generates the sequence $x_0, x_1, x_2, \ldots$ using the recursion
$$x_{i+1} = a\,x_i + c \pmod m,$$
where $m$ is the modulus (often a power of 2 or 10), $a$ is the multiplier, $c$ is the increment, and $x_0$ is the seed.
• Theorem. The sequence $x_0, x_1, x_2, \ldots$ has period of length $m$ (which is the maximum) iff
(i) $\gcd(c, m) = 1$,
(ii) $b = a - 1$ is a multiple of $p$ for every prime $p$ dividing $m$,
(iii) $b$ is a multiple of 4 if $m$ is a multiple of 4.
Example
• Example: $m = 100$, $a = 41$, $c = 7$, $x_0 = 5$ produces the sequence
5 12 99 66 13 40 47 34 1 48 75 82 69 36 83 10 17 4 71 18
45 52 39 6 53 80 87 74 41 88 15 22 9 76 23 50 57 44 11 58
85 92 79 46 93 20 27 14 81 28 55 62 49 16 63 90 97 84 51 98
25 32 19 86 33 60 67 54 21 68 95 2 89 56 3 30 37 24 91 38
65 72 59 26 73 0 7 94 61 8 35 42 29 96 43 70 77 64 31 78
5
which has period 100.
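The following Python is an added example, not from the slides: it iterates the middle-square step and the linear congruential recursion of the two previous sections, measures how many steps each sequence takes before it starts to cycle (and the cycle length), and checks the three conditions of the theorem for the $m = 100$, $a = 41$, $c = 7$ example. All function names are mine.

```python
from math import gcd

def middle_square(x, digits=4):
    """One von Neumann step: write x*x with `digits` digits, keep the middle half."""
    sq = str(x * x).zfill(digits)
    return int(sq[digits // 4:digits // 4 + digits // 2])

def lcg_step(m, a, c):
    """The map x -> a*x + c (mod m) of the linear congruential method."""
    return lambda x: (a * x + c) % m

def sequence(step, x0, n):
    """First n terms x0, step(x0), step(step(x0)), ..."""
    xs, x = [], x0
    for _ in range(n):
        xs.append(x)
        x = step(x)
    return xs

def rho(step, x0):
    """Iterate until a value repeats; return (tail, period): steps before the
    sequence enters a cycle, and the cycle length (1 means it has died out)."""
    seen, x, i = {}, x0, 0
    while x not in seen:
        seen[x] = i
        x = step(x)
        i += 1
    return seen[x], i - seen[x]

def prime_factors(m):
    """Set of primes dividing m (trial division; m is small here)."""
    ps, p = set(), 2
    while p * p <= m:
        while m % p == 0:
            ps.add(p)
            m //= p
        p += 1
    if m > 1:
        ps.add(m)
    return ps

def has_full_period(m, a, c):
    """The theorem's three conditions (Hull-Dobell) for the maximal period m."""
    b = a - 1
    return (gcd(c, m) == 1
            and all(b % p == 0 for p in prime_factors(m))
            and (m % 4 != 0 or b % 4 == 0))
```

The middle-square seed 42 dies out at 0 after 14 steps, 57 falls into the 2-cycle 57, 24, and the LCG parameters above pass all three conditions, so `rho` reports a period of 100 from any seed.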
Linear Feedback Shift Register
[Figure: linear feedback shift register of length $L$ with cells $s_0, s_1, \ldots, s_{L-2}, s_{L-1}$; the feedback taps $-c_1, -c_2, \ldots, -c_{L-1}, -c_L$ are summed into the input of the register and the cells shift out the sequence $s_0, s_1, s_2, \ldots$.]
• Linear feedback shift register (LFSR) of length $L$. Uses initial state $(s_0, s_1, \ldots, s_{L-1})$ and connection polynomial $C(D) = c_L D^L + \ldots + c_2 D^2 + c_1 D + 1$ to produce the output sequence $s_0, s_1, s_2, \ldots$.
• Arithmetic is computed modulo $p$ for some prime number $p$. Very often $p = 2$ and then the output is binary.
• The maximum period of the output sequence is $p^L - 1$. It is achieved when $C(D)$ is a primitive polynomial modulo $p$.
Linear Feedback Shift Register
• Recursion: $s_L = -\sum_{i=0}^{L-1} s_i\, c_{L-i}$.
• Initial condition: $s_0, s_1, \ldots, s_{L-1}$.
• Define $S(D) = \sum_{i=0}^{\infty} s_i D^i$ ($D$: delay operator). Then
$$
\begin{aligned}
S(D) &= \underbrace{s_0 + s_1 D + \ldots + s_{L-1} D^{L-1}}_{=P(D)} + \sum_{j=0}^{\infty} s_{L+j} D^{L+j} \\
&= P(D) - \sum_{j=0}^{\infty} \sum_{i=0}^{L-1} s_{i+j}\, c_{L-i}\, D^{j+L} \\
&= P(D) - \sum_{k=0}^{\infty} \sum_{j=k-L+1}^{k} s_k\, c_{L-k+j}\, D^{j+L-k} D^{k} \\
&= P(D) - \sum_{k=0}^{\infty} s_k \underbrace{\sum_{j=k-L+1}^{k} c_{L-k+j}\, D^{L-k+j}}_{=C(D)-1} D^{k} \\
&= P(D) - S(D)\bigl(C(D) - 1\bigr) \;\Longrightarrow\; S(D) = \frac{P(D)}{C(D)}
\end{aligned}
$$
Examples
• Some primitive connection polynomials for $p = 2$ are
$$D^3 + D^2 + 1,\quad D^4 + D^3 + 1,\quad D^5 + D^3 + 1,\quad D^6 + D^5 + 1.$$
Berlekamp-Massey Algorithm
[Flowchart: Berlekamp-Massey algorithm. Input is the sequence $\{s_i\}_{i=0}^{M-1}$ of length $M$; $\delta$ is the next discrepancy (desired symbol minus generated symbol); $T(D)$ is temporary storage; $C^*(D)$ and $\delta^*$ are the connection polynomial and discrepancy before the last length change; $x$ is the number of symbols since the last length change.
START: get $M$. Initialize $C(D) \leftarrow 1$, $C^*(D) \leftarrow 1$, $L \leftarrow 0$, $\delta^* \leftarrow 1$, $n \leftarrow 0$, $x \leftarrow 1$.
Loop: get $s_n$ and compute $\delta \leftarrow s_n + c_1 s_{n-1} + \ldots + c_L s_{n-L}$.
If $\delta = 0$: no length change, $x \leftarrow x + 1$.
Otherwise: $T(D) \leftarrow C(D)$, $C(D) \leftarrow C(D) - \delta\, \delta^{*-1} D^x C^*(D)$. If $2L \le n$: length change, $L \leftarrow n + 1 - L$, $C^*(D) \leftarrow T(D)$, $\delta^* \leftarrow \delta$, $x \leftarrow 1$; else: no length change, $x \leftarrow x + 1$.
Then $n \leftarrow n + 1$; if $n = M$, output $\langle C(D), L \rangle$ and STOP, else repeat the loop.]
Berlekamp-Massey Algorithm
• The Berlekamp-Massey algorithm computes $\langle C(D), L \rangle$ and $(s_0, s_1, \ldots, s_{L-1})$ from $2L$ contiguous LFSR output symbols.
• Do not use an LFSR output directly in a cryptosystem (unless you want it to be broken easily).
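The Python below is an added example (not code from the slides) covering both the LFSR section and the Berlekamp-Massey flowchart: an LFSR over GF(2) in the slides' notation $C(D) = 1 + c_1 D + \ldots + c_L D^L$, a period check against the listed primitive polynomials, and Berlekamp-Massey recovering $\langle C(D), L \rangle$ from only $2L$ output bits, which is exactly why the last bullet warns against using raw LFSR output. Function and variable names are mine; the `C`, `Cstar`, `L`, `x`, `delta`, `T` variables follow the flowchart.

```python
def lfsr(c, state, n):
    """First n output bits of the LFSR with C(D) = 1 + c[1] D + ... + c[L] D^L
    and initial state (s_0, ..., s_{L-1}). Recursion from the slides, mod 2
    (so the minus sign vanishes): s_j = c_1 s_{j-1} + ... + c_L s_{j-L}."""
    L, s = len(c) - 1, list(state)
    while len(s) < n:
        j = len(s)
        s.append(sum(c[k] & s[j - k] for k in range(1, L + 1)) & 1)
    return s[:n]

def period(c, state):
    """Period of the output: the smallest p > 0 at which the L-bit state recurs."""
    L = len(c) - 1
    s = lfsr(c, state, 2 ** (L + 1))           # long enough to contain 2^L - 1 + L bits
    return next(p for p in range(1, 2 ** L + 1) if s[p:p + L] == s[:L])

def berlekamp_massey(s):
    """Shortest LFSR generating the bit sequence s; returns (C, L) with
    C = [1, c_1, ..., c_L]. Over GF(2) every nonzero discrepancy is 1, so the
    correction delta * delta*^-1 * D^x * C*(D) reduces to D^x * C*(D)."""
    C, Cstar = [1], [1]      # C(D), and C*(D) from before the last length change
    L, x = 0, 1              # current length, symbols since the last length change
    for n, sn in enumerate(s):
        delta = sn           # discrepancy: desired symbol minus generated symbol
        for k in range(1, L + 1):
            delta ^= C[k] & s[n - k]
        if delta == 0:
            x += 1           # no length change
            continue
        T = C[:]
        C += [0] * (len(Cstar) + x - len(C))   # make room for D^x C*(D)
        for k, ck in enumerate(Cstar):
            C[k + x] ^= ck
        if 2 * L <= n:       # length change
            L, Cstar, x = n + 1 - L, T, 1
        else:
            x += 1
    return C[:L + 1], L
```

With $C(D) = D^4 + D^3 + 1$ and state 1000 the register emits a period-15 sequence, and the first 8 bits already suffice for `berlekamp_massey` to return `[1, 0, 0, 1, 1]` with `L = 4`, from which `lfsr` regenerates the whole stream.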
Using a Block Cipher
[Figure: output feedback mode. $S_{i-1}$ (initially the IV) is encrypted with $E_K(\cdot)$ under key $K$ to give $S_i$, which is both fed back for the next iteration and taken as output.]
• Any secure block cipher encryption function $E_K(\cdot)$ can be used in output feedback mode (OFB) to generate a (reasonably) secure pseudo-random sequence.
• IV is the initialization vector (can be transmitted publicly).
• If the block cipher encrypts blocks of size $B$, use the full block size $B$ in the feedback path. Output $B$ or fewer symbols per iteration.
Toy Example
• A block cipher with $B$ output bits obtained from $B$ input bits can be regarded as a permutation of the numbers $0, 1, 2, \ldots, 2^B - 1$.
• An example of a permutation for $B = 4$ is
x    : 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
π(x) : 7 14 1 15 9 6 3 2 10 13 5 11 8 4 12 0
• Setting IV = 0 yields the sequence
0, 7, 2, 1, 14, 12, 8, 10, 5, 6, 3, 15, 0, . . . Period: 12
• But setting IV = 4 only yields the sequence
4, 9, 13, 4, . . . Period: 3
• And setting IV = 11 only yields
11, 11, 11, . . . Period: 1
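An added example in Python (not from the slides) that runs OFB with the toy permutation above standing in for $E_K(\cdot)$, and computes the cycle decomposition of the permutation, which is what decides the period for every possible IV. `PI` is the slide's π written as a lookup table; the function names are mine.

```python
# The permutation pi of {0, ..., 15} from the slide: PI[x] is the image of x.
PI = [7, 14, 1, 15, 9, 6, 3, 2, 10, 13, 5, 11, 8, 4, 12, 0]

def is_permutation(perm):
    """A B-bit block cipher must be a bijection on 0 .. 2^B - 1."""
    return sorted(perm) == list(range(len(perm)))

def ofb_keystream(perm, iv, n):
    """S_0 = IV, S_i = E_K(S_{i-1}); the full block is fed back and output."""
    out, s = [], iv
    for _ in range(n):
        out.append(s)
        s = perm[s]
    return out

def ofb_period(perm, iv):
    """Length of the cycle containing iv (a permutation never has a tail)."""
    s, p = perm[iv], 1
    while s != iv:
        s, p = perm[s], p + 1
    return p

def cycle_lengths(perm):
    """Cycle decomposition: the set of OFB periods over all choices of IV."""
    seen, lengths = set(), []
    for start in range(len(perm)):
        if start in seen:
            continue
        n, s = 0, start
        while s not in seen:
            seen.add(s)
            s, n = perm[s], n + 1
        lengths.append(n)
    return sorted(lengths, reverse=True)
```

For this π the cycle lengths are 12, 3 and 1 (summing to 16), so 4 of the 16 possible IVs produce a keystream with period 3 or 1.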
Blum, Blum, Shub PRNG
• Let $n = pq$ where $p, q$ are large primes satisfying $p \equiv 3 \pmod 4$ and $q \equiv 3 \pmod 4$. Use a seed $x_0$ to generate the sequence
$$x_0,\; x_1 = x_0^2,\; x_2 = x_1^2,\; \ldots \pmod n$$
Output the least significant bit of each $x_i$ to obtain a secure binary random sequence (based on the difficulty of computing square roots modulo $n = pq$ if $p, q$ are not known).
• Example: $p = 11$, $q = 19$, $x_0 = 4$ yields the sequence
$x_i = \{4, 16, 47, 119, 158, 93, 80, 130, 180, 5, 25, 207, 4, \ldots\}$
• The pseudo-random bit sequence is 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, . . .
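The Python below is an added example, not code from the slides: it checks the stated preconditions on $p$, $q$ and the seed, reproduces the state and bit sequences of the $p = 11$, $q = 19$, $x_0 = 4$ example, and measures the state period, which at these toy sizes is only 12 (a real instance uses large primes, which is what the security argument rests on). Function names are mine.

```python
from math import gcd

def bbs_check(p, q, x0):
    """Preconditions from the slide, p = q = 3 (mod 4), plus gcd(x0, n) = 1
    so that the seed is a unit modulo n (primality of p, q is assumed)."""
    n = p * q
    return p % 4 == 3 and q % 4 == 3 and gcd(x0, n) == 1

def bbs_states(p, q, x0, count):
    """x_0, x_1 = x_0^2, x_2 = x_1^2, ... (mod n) with n = p*q."""
    n, xs, x = p * q, [], x0
    for _ in range(count):
        xs.append(x)
        x = (x * x) % n
    return xs

def bbs_bits(p, q, x0, count):
    """The output: least significant bit of each state x_i."""
    return [x & 1 for x in bbs_states(p, q, x0, count)]

def bbs_cycle(p, q, x0):
    """(tail, period) of the state sequence. A seed that is not a quadratic
    residue mod n has a tail of 1 before the squaring map starts to cycle."""
    n, seen, x, i = p * q, {}, x0, 0
    while x not in seen:
        seen[x] = i
        x, i = (x * x) % n, i + 1
    return seen[x], i - seen[x]
```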