7/31/2019 Linux Prng Analysis 2012.03
http://slidepdf.com/reader/full/linux-prng-analysis-201203 1/23
$2^{64}$, $2^{96}$
$X$ ($n$ bits), $I$ ($m$ bits), $f : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^n$, $H$:
$$H(f(X, I)) \ge H(X) \quad\text{and}\quad H(f(X, I)) \ge H(I).$$
$X$; $I$; $I$
$2^{32}$, $2^{64}$
$k$; $h_I$:
$$k = \min(h_I/8,\, k); \qquad k = \min(h_I/8 - 16,\, k)$$
$k < 8$; $8k$; $k$, $2k$, $2k + k$, $k$
$h_O$: $h_O < 8k$, $h_O/8$; $k$
$\mathrm{GF}(2^{32})$; $Q(X) = \alpha^3 (P(X) - 1) + 1$ with $\alpha \in \mathrm{GF}(2^{32})$
$X$, $P(X)$:
$$P(X) = X^{128} + X^{103} + X^{76} + X^{51} + X^{25} + X + 1, \qquad P(X) = X^{32} + X^{26} + X^{20} + X^{14} + X^{7} + X + 1$$
$\alpha^3$; $\mathrm{GF}(2)$, $\mathrm{GF}(2^{32})$
$Q(X) = \alpha^3 (P(X) - 1) + 1$ over $\mathrm{GF}(2^{32})$
$2^{92 \cdot 32} - 1$, $2^{128 \cdot 32} - 1$; $2^{26 \cdot 32} - 1$, $2^{32 \cdot 32} - 1$
$Q(X)$
$$P(X) = X^{128} + X^{104} + X^{76} + X^{51} + X^{25} + X + 1$$
$$P(X) = X^{32} + X^{26} + X^{19} + X^{14} + X^{7} + X + 1$$
$(2^{128 \cdot 32} - 1)/3$, $(2^{32 \cdot 32} - 1)/3$; $\alpha^i (P(X) - 1) + 1$ with $\gcd(i, 2^{32} - 1) = 1$
$i = 1, 2, 4, 7, \ldots$; $P(X)^{2i}$; $\alpha^2 (X^{32} + X^{26} + X^{23} + X^{14} + X^{7} + X) + 1$
$L_1 : \{0,1\}^{8} \to \{0,1\}^{32}$, $L_2 : (\{0,1\}^{32})^{5} \to \{0,1\}^{32}$; $L_1$
$y \in \mathrm{GF}(2^{32})$; $L_2(x_0, x_{i_1}, x_{i_2}, x_{i_3}, x_{i_4}, x_{i_5})$
$X = (X_0, \ldots, X_{n-1})$ with words $X_i$; $n = 32$ or $n = 128$
$(0, i_1, i_2, i_3, i_4, n-1)$; $X_{[i,j]} = (X_i, \ldots, X_j)$; $X$, $Y$
$$f(Y, X) = (\tilde X_0, \ldots, \tilde X_{n-1}), \quad \tilde X_0 = L_1(Y) \oplus L_2(X_0, X_{i_1}, X_{i_2}, X_{i_3}, X_{i_4}, X_{n-1}), \quad \tilde X_i = X_{i-1} \text{ for } 1 \le i \le n-1$$
$$H(f(Y, X)) \ge \max\bigl\{ H(Y),\; H(X_{n-1} \mid X_{[0,n-2]}) \bigr\} + H(X_{[0,n-2]}).$$
$$H(f(Y, X)) = H\bigl(L_1(Y) \oplus L_2(X),\, X_{[0,n-2]}\bigr) = H\bigl(L_1(Y) \oplus L_2(X) \mid X_{[0,n-2]}\bigr) + H(X_{[0,n-2]}).$$
$g$, $Z$: $H(g(Z)) = H(Z)$; for $(X_{[0,n-2]}, X_{n-1}) = x$: $L_1(\cdot) \oplus L_2(x)$
$H(L_1(Y) \oplus L_2(X) \mid X) = H(Y \mid X)$; $X$, $Y$: $H(Y \mid X) = H(Y)$
$$H\bigl(L_1(Y) \oplus L_2(X) \mid X_{[0,n-2]}, X_{n-1}\bigr) = H(Y).$$
For $X_{[0,n-2]} = x_{[0,n-2]}$ and $Y = y$: $L_1(y) \oplus L_2(x_{[0,n-2]}, \cdot)$; $X$, $Y$
$$H\bigl(L_1(Y) \oplus L_2(X) \mid Y, X_{[0,n-2]}\bigr) = H(X_{n-1} \mid X_{[0,n-2]}).$$
$Z_1, Z_2$: $H(Z_1) \ge H(Z_1 \mid Z_2)$
$$H(f(Y, X)) \ge H(Y) + H(X_{[0,n-2]})$$
$$H(f(Y, X)) \ge H(X_{n-1} \mid X_{[0,n-2]}) + H(X_{[0,n-2]}) = H(X),$$
$L_1$, $L_2$; $X_{n-1}$
$\mathcal{X}, \mathcal{T}, \mathcal{D}, \ldots$; $X, T, \Delta, \ldots$; $x \in \mathcal{X}$, $t \in \mathcal{T}$, $\delta \in \mathcal{D}, \ldots$
$X$ with distribution $p_X = \{ p_X(\eta) \}_{\eta \in \mathcal{X}}$, $p_X(\eta) = \Pr[X = \eta]$; $X$, $\eta \in \mathcal{X}$, $X$
$x_0, x_1, \ldots, x_n$; $\hat p_\eta = \#\{0 \le i \le n : x_i = \eta\}/n$ for each $\eta$;
$$H = -\sum_{\eta \in \mathcal{X}} \hat p_\eta \log_2 \hat p_\eta$$
$T_0, T_1, \ldots$; $\Delta^{[1]}_i = |T_i - T_{i-1}|$; $\Delta^{[1]}_1, \Delta^{[1]}_2, \ldots$
$\mathcal{D}$, $\Delta^{[1]}_i$, $D = |\mathcal{D}|$; $\delta^{[1]}_i$
For $i \ge 3$:
$$\Delta^{[2]}_i = \Delta^{[1]}_i - \Delta^{[1]}_{i-1}, \qquad \Delta^{[3]}_i = \Delta^{[2]}_i - \Delta^{[2]}_{i-1} = \Delta^{[1]}_i - 2\Delta^{[1]}_{i-1} + \Delta^{[1]}_{i-2},$$
$$\Delta_i = \min\bigl\{ |\Delta^{[1]}_i|,\, |\Delta^{[2]}_i|,\, |\Delta^{[3]}_i| \bigr\}.$$
$$\mathrm{LOG2}(m) = \begin{cases} 0 & m < 2 \\ 11 & m \ge 2^{12} \\ \lfloor \log_2(m) \rfloor & \text{otherwise} \end{cases}$$
$\delta^{[1]}_1, \delta^{[1]}_2, \ldots$; for $i$:
$$H^{[3]}_i = H^{[3]}\bigl(\delta^{[1]}_i, \delta^{[1]}_{i-1}, \delta^{[1]}_{i-2}\bigr) = \mathrm{LOG2}(\delta_i).$$
$\Delta^{[1]}_i$; $\mathcal{D} = \{0, 1, \ldots, D-1\}$, $p(\eta) = \Pr[\delta = \eta]$ for $0 \le \eta < D$; $H^{[3]}_i$, $t_i$, $t_{i-1}$, $\delta^{[1]}_{i-1}$, $\delta^{[2]}_{i-1}$, $t_{i-1}$, $\delta^{[1]}_{i-1}$, $\delta^{[2]}_{i-1}$
$\pi : \mathcal{X} \to \mathcal{X}$; $q$ with $q_\eta = p_{\pi(\eta)}$; $H(p) = H(q)$
$w[m \ldots n]$: bits $m, \ldots, n$ of $w$; for $w_0, w_1, w_2, w_3, w_4$: $w_0 \oplus w_3,\; w_1 \oplus w_4,\; w_2[0 \ldots 15] \oplus w_2[16 \ldots 31]$.
$k$
$G$: family of functions $\mathcal{X} \to \mathcal{Y}$ such that for all $x \ne x'$, $\#\{ g \in G : g(x) = g(x') \} \le |G|/|\mathcal{Y}|$
$\mathcal{X}$
$X$ with distribution $p_X$, $H_2(X)$; $G : \mathcal{X} \to \{0,1\}^r$, $Y = G(X)$:
$$H(Y \mid G) \ge H_2(Y \mid G) \ge r - \frac{2^{\,r - H_2(X)}}{\ln(2)}.$$
$H_2(X) \ge r$; $G$
$r$; $G = g \circ h : \mathcal{X} \to \mathcal{Y}$, $\mathcal{X} = \{0,1\}^n$, $\mathcal{Y} = \{0,1\}^r$, $r < n$; for $y \in \mathcal{Y}$: $\#\{x \mid h(x) = y\} = |\mathcal{X}|/|\mathcal{Y}|$
$O(2^{r/2})$; $\mathcal{X}$
$\Pi$: permutations $\pi : \mathcal{X} \to \mathcal{X}$; $p_X = \{p_X(\eta)\}$, $H(X)$; $q^{\pi}_X = \{p_X(\pi(\eta))\}_{\eta \in \mathcal{X}}$, $\pi \in \Pi$; $\pi$
$G = \{h \circ \pi\}_{\pi \in \Pi}$, $|G| = |\mathcal{X}|!$; for $(x_1, x_2) \in \mathcal{X}^2$, the number of $g \in G$ with $g(x_1) = g(x_2)$ is
$$|\mathcal{Y}| \cdot \frac{|\mathcal{X}|}{|\mathcal{Y}|} \cdot \Bigl(\frac{|\mathcal{X}|}{|\mathcal{Y}|} - 1\Bigr) \cdot (|\mathcal{X}| - 2)! = \frac{|\mathcal{X}|!}{|\mathcal{Y}|} \cdot \frac{|\mathcal{X}| - |\mathcal{Y}|}{|\mathcal{X}| - 1} \le \frac{|G|}{|\mathcal{Y}|}.$$
$r - \dfrac{2^{\,r - H_2(X)}}{\ln(2)}$; $k$, $m \le k$: $m - \dfrac{2^{\,m-k}}{\ln(2)}$; $m$
$N$; $\delta^{[1]}_1, \delta^{[1]}_2, \ldots, \delta^{[1]}_{N-1}$; $\hat p_\eta = \#\{i : \delta^{[1]}_i = \eta\}/(N-1)$ for each $\eta$
• $\dfrac{1}{N-3} \sum_{i=2}^{N-1} H^{[3]}_i$
• $H = -\sum_{\eta=0}^{D-1} \hat p(\eta) \log_2(\hat p(\eta))$
• $H_{\min} = -\log_2 \bigl( \max_{0 \le \eta \le D-1} \hat p(\eta) \bigr)$
• $H_2 = -\log_2 \sum_{\eta=0}^{D-1} \hat p(\eta)^2$

$\frac{1}{N-3} \sum_{i=3}^{N-1} H^{[3]}_i$    1.85    10.62    5.55
$H$                                      3.42    14.89    7.31
$H_{\min}$                               0.68     9.69    4.97
$H_2$                                    1.34    11.29    6.65

$H^{[3]}_i$; for $k$ and $i \ge k-1$:
$$H^{[k]}_i = \mathrm{LOG2}\bigl(\min\{ |\delta^{[1]}_i|, \ldots, |\delta^{[k]}_i| \}\bigr), \qquad \delta^{[j]}_i = \delta^{[j-1]}_i - \delta^{[j-1]}_{i-1}, \; 1 \le j \le k$$
$k$, $\Delta^{[1]}_i$; $2 \le k \le 5$, $k = 2$; $k$, $k = 3$, $k = 4$
$E[H^{[k]}_i]$; $\Delta_i$
$$H = \frac{1}{N-k} \sum_{i=k}^{N-1} H^{[k]}_i$$
$k = 1$, $k = 2$, $k = 3$, $k = 4$, $k = 5$, $k = 6$, $k = 7$, $k = 8$
$2^{160}$, $2^{80}$
$k$; $S_1$, $S_2$; $S_1$, $S_2$; $S_2$
$2^{k-1}$, $k$
$S_1$; $S_1$, $2^{k-1}$
$k \ge 64$; $k$, $k$
$2^{k-1}$; $k \cdot 2^{k-1}$
$k < 64$, $k \ge 64$
$m \le k$, $k$: $m - \dfrac{2^{\,m-k}}{\ln(2)}$.
8; $2^{96}$, $2^{64}$, $2^{160}$; $\mathrm{GF}(2^{32})$
$X$ with distribution $p_X$; $H(X)$, $H_2(X)$, $H_{\min}(X)$:
$$H(X) = -\sum_{\eta \in \mathcal{X}} p_X(\eta) \log_2 p_X(\eta)$$
$$H_2(X) = -\log_2 \sum_{\eta \in \mathcal{X}} \bigl(p_X(\eta)\bigr)^2$$
$$H_{\min}(X) = -\log_2 \max_{\eta \in \mathcal{X}} p_X(\eta)$$
$$H_{\min}(X) \le H_2(X) \le H(X) \quad \text{for every } X$$
$$H(X \mid Y) = \sum_{\kappa \in \mathcal{Y}} p_Y(\kappa)\, H(X \mid Y = \kappa), \qquad H_2(X \mid Y) = \sum_{\kappa \in \mathcal{Y}} p_Y(\kappa)\, H_2(X \mid Y = \kappa).$$
$n$; $(0, i_1, \ldots, i_4, n-1)$:
for $n = 128$: $(0, i_1, \ldots, i_4, n-1) = (0, 24, 50, 75, 102, 127)$; for $n = 32$: $(0, i_1, \ldots, i_4, n-1) = (0, 6, 13, 19, 25, 31)$
$b \leftarrow \mathrm{byte}[n]$: $b$ is an array of $n$ bytes; $b[i]$ is byte $i$ of $b$; $b[i \ldots j]$ denotes $b[i], \ldots, b[j]$
mix(pool, input)
    Notation: word32(y) is the 32-bit word w obtained from the byte y; w <<< rot is w rotated left by rot positions.
    pool ← word[n] (array of n words); input ← byte[m] (array of m bytes)
    rot ∈ {0, ..., 31}; i ∈ {0, ..., n − 1}
    for j = 0 to m − 1:
        i ← i − 1 (mod n)
        w ← word32(input[j])
        w ← w <<< rot
        w ← w ⊕ pool[i + 1] ⊕ pool[i + i1 + 1] ⊕ pool[i + i2 + 1] ⊕ pool[i + i3 + 1] ⊕ pool[i + i4 + 1] ⊕ pool[i]
        pool[i] ← w
        if i = 0:
            rot ← rot + 14 (mod 32)
        else:
            rot ← rot + 7 (mod 32)
out(pool, k)
    Notation: k is the number of output bytes; sha1(cv, m) is the SHA-1 compression of message block m under chaining value cv; IV_sha1 is the SHA-1 initial value; fold is the folding defined above; trunc(·, r) truncates to r bytes.
    pool ← word[n]; k
    i ∈ {0, ..., n − 1}; res ← byte[k]
    b ← byte[20]; j ← 0
    while j < k:
        b ← IV_sha1
        for  = 0 to n/16 − 1:
            b ← sha1(b, pool[16 ... 16 + 15])
        mix(pool, b)
        w ← word[16]
        for  = 0 to 15:
            w[] = pool[i −  (mod n)]
        b ← sha1(b, w)
        r ← min(10, k − j)
        res[j ... j + r − 1] ← trunc(fold(b), r)
        j ← j + 10
add(pool, event)
    event = (source, jif, cyc, num)
    entr(source, jif)
    pool ← word[128]; jif, cyc, num, source
    h ∈ {0, ..., 4096}
    mix(pool, jif); mix(pool, cycles); mix(pool, num)
    h ← h + entr(source, jif)
    h ← max(h, 4096)
gen(pool, k)
    k
    pool ← word[32]; k
    res ← byte[k]; h ∈ {0, ..., 1024}
    inpool ← word[128]; hI ∈ {0, ..., 4096}
    if h < 8k:
         ← min(max(k, 8), 128)    (8 ≤  ≤ 128)
         ← min(, hI/8 − 16)
         ← min(, hI/8)
        if  ≥ 8:
            trans ← byte[]
            trans ← out(inpool, )
            mix(pool, trans)
            h ← h + 8; hI ← hI − 8
    if h < 8k:
        k ← h/8
        res[0 ... k − 1] ← out(pool, k)
        h ← h − 8k
        res[k ... k] ← gen(pool, k − k)
    else:
        res ← out(pool, k)
        h ← max(0, h − 8k)