Pseudo Random Bit Generator

Motivation• It is crucial to security that cryptographic keys are

generated with a truly random or at least a pseudo-random generation process

• Otherwise , an attacker might reproduce the key generation process and easily find the key used to secure a specific communication

Motivation

• In cryptography, we are often in a situation where we need a random integer or a random sequence of bits.

• For example, secret keys are often required to be random. But what does that really mean?

• If we flip a coin eight times and assign 0 to one of the sides and 1 to the other, then the sequence 00000000 is just as likely as the sequence 10011100.

• Still, our intuition tells us that the second sequence is “more random” than the first one.

• But actually, humans are quite bad at consciously creating random sequences – so should we give any credit to their intuition?

Random numbers in Cryptography• Random numbers are required in many places• Producing good random number is difficult• Generation of pseudo-random numbers is required in cryptographic

protocols for the generation of• Example 1: One time pad

– Create a pad using random numbers• Example 2: Initialization vectors

– Required for example by Cipher block Chaining mode• Example 3: Session Key

– Create a shared secret for a communication session – Cryptographic keys– Nonce's

• Example usages– Authentication with challenge-response mechanism, e.g. GSM (Group

Spéciale Mobile), and UMTS (Universal Mobile Telecommunications System ) authentication

– IPSec and SSL authentication

Randomness Definition• Chaitin-Kolmogorov randomness (also called algorithmic randomness)

– a string of bits is random if and only if it is shorter than any computer program that can produce that string• this basically means that random strings are those that cannot be compressed.

• Consider the following two strings of length 64, each containing only lowercase letters, numbers, and spaces:

• abababababababababababababababababababababababababababababababab 4c1j5b2p0cv4w1x8rx2y39umgw5q85s7uraqbjfdppa0q7nieieqe9noc4cvafzf The

• first string has a short English-language description, namely "ab 32 times", which consists of 11 characters. The second one has no obvious simple description (using the same character set) other than writing down the string itself, which has 64 characters.

• Statistical Randomness– A numeric sequence is said to be statistically random when it contains no recognizable

patterns or regularities;

Inherent non-randomness

• Because any PRNG run on a deterministic computer (contrast quantum computer) is deterministic, its output will inevitably have certain properties that a true random sequence would not exhibit. – guaranteed periodicity—it is certain that if the generator uses only a

fixed amount of memory then, given a sufficient number of iterations, the generator will revisit the same internal state twice, after which it will repeat forever. A generator that isn't periodic can be designed, but its memory requirements would grow as it ran. In addition, a PRNG can be started from an arbitrary starting point, or seed state, and will always produce an identical sequence from that point on.

cont

– In practice, many PRNGs exhibit artifacts which can cause them to fail statistically significant tests. These include, but are certainly not limited to:• Shorter than expected periods for some seed states

(not full period) • Poor dimensional distribution • Successive values are not independent • Some bits may be 'more random' than others • Lack of uniformity

Random bits• A sequence of random bits is a sequence where the bits are

independent from each other and uniformly distributed.• Random bits can be generated in may different ways. • As it turns out, most of these ways are rather slow and/or

expensive. • Random-bit generators can be based on hardware or on

software. • For hardware, you could use things like the time elapsed

between emission of particles during radioactive decay, sounds from different sources, air turbulence within a disk drive causing random fluctuations in disk drive sector read latency times or any other phenomena that can be translated into bits

• For software, you could use time, some kind of user input (though having a human type 1’s and 0’s will most likely not yield a good result,) or the system environment.

• Most likely, none of these methods will give us a uniform distribution of 1’s and 0’s, but it can be solved by simple de-skewing techniques.

• For example, you can look at pairs of bits, throw them away if both bits are the same, and keep the first bit if they are different.

• Of course, this means you have to produce at least 4 times as many bits as you will need.

• Combining any number of these methods (as long as they are independent) should yield results that are as least as good as the best of the methods.

• There are different ways to accomplish this, a (possibly too) simple method is to just XOR the results. A better method would be to use some kind of hash-function on a concatenation of the results.

Random number, Pseudorandom

• The outputs of pseudorandom number generators are not truly random– they only approximate some of the properties of

random numbers. – "Anyone who considers arithmetical methods of

producing random digits is, of course, in a state of sin.”--- John von Neumann

– Truely random numbers can be generated using hardware random number generators

Pseudo-random bits

• A way to save a lot of time is to use a pseudo-random bit generator (PRBG). This is an algorithm that takes a relatively small number of random bits (length k) as input, and outputs a longer sequence (length l) of bits, that appears to be random.

• These algorithms are deterministic, that means that they will always produce the same output for a given input.

• The intent is to make the outputs indistinguishable from truly random bit-strings.

Random Bit Generator -example

• Example: random.org• Atmospheric noise• You just need – microphone, soundcard,

frequency where nobody is broadcasting• Sample at 8kHz• Discard the upper bits• Create a stream using the lower bits

Construction of PRG’s

• Theorem: Suppose there is a one way permutation, then there is a PRG with arbitrary polynomial expansion.

• Need the following ideas:– One way function– One way permutation– Hard core bit

Pseudo Random Number Generator (PRNG)

• Computer simulation of random variables is the task of using computers to generate many random numbers that are independent and identically distributed. It is also known as random number generation (RNG).

• In fact, these computer-generated random numbers form a deterministic sequence, and the same list of numbers will be cycled over and over again. This cycle can be made to be so long that the lack of true independence is unimportant.

• Therefore, such computer codes are often termed pseudo-random number generators (PRNG).

• There exist mathematical transformation methods to obtain other distributions from uniform variates. For this reason, most PRNGs found in software libraries produce uniform random numbers in the unit interval (0, 1).

Pseudo-Random Bit Generators

• Deterministic functions– RNG : {0,1}n {0,1}

• Stretch fixed-size seedto an unbounded sequencethat looks random

• Computable approximationof one-time pad

• Example: RC4

Example:

i := 0j := 0do forever

i := i+1 mod 256j := j+s[I] mod 256swap s[i],s[j]t := s[i]+s[j] mod 256output s[t]

Seed: initial value of s

Size of state: (2256)256

Stream Ciphers

One-time pad using a RNG

• Use k as seed? Ek(m) = m RNG(k)– Reuse problem!

• Typical usage (e.g., with DES)

Ek(m) = DESk(s) , m RNG(s)

– Chose new s each time

strong fast

19

Pseudo-random Bit Generator

• Several applications– Key generation– Some encryption algorithms, or one-time pad

• Let l>k be integers– Function f: Z2

k Z2l computable in poly-time

– Then f called (k,l)-pseudo-random bit generator

– The input s0 Z2k is called the seed

– Output f(s0) is called the pseudo-random string

Desired Properties

• Three important properties: – Unbiased (uniform distribution): • All values of whatever sample size is collected are

equiprobable

– Unpredictable (independence): • It is impossible to predict what the next output will

be, given all the previous outputs, but not the internal "hidden" state.

– Irreproducible:• Two of the same generators, given the same

starting conditions, will produce different outputs.

Desired Properties

• Usually when a person says – A "good" pseudo-random number generator• they mean it is unbiased.

– A "true" PRNG• they usually mean it's irreproducible

– A "cryptographically strong" PRNG • they mean it's unpredictable

– Very rarely they mean it's all threes

More Properties

• Long period– The generator should be of long period

• Fast computation– The generator should be reasonably fast

• Security– The generator should be secure– What is security level of PRNG?

• There are many different PRBG’s out there. One often used is the linear congruential generator.

• It produces a pseudorandom sequence of numbers through the formula

xn = axn-1 +b mod m, n 1• where a, b and m are chosen parameters.• This is a very useful function for things like simulations

or other algorithms where the randomness is more important than the secrecy, but it has been proven completely insecure for cryptographic purposes.

Secure PRBG’s should must have at least the following properties:

1. The length k of the seed (the input to the function) should be large enough, so that an adversary cannot simply run through all possibilities

2. The output sequences should be statistically indistinguishable from random sequences

3. The output bits should be unpredictable to an adversary with limited resources

next-bit test

• The next-bit test (for condition 3):• A PRBG is said to pass the next-bit test if there

is no polynomial-time algorithm that given bits 0 to m-1 of an output sequence can predict bit m with probability significantly higher than 50%.

• A PRBG passing the next-bit test is called cryptographically secure (CSPRBG.)

For condition 2• A random sequence is assumed to have certain properties. These

properties should appear in pseudo-random sequence as well. • Some of these are mentioned in Golomb's randomness postulates. • For example, the number of 1's and 0's should be about the same,

the bits should not depend on each other, and so on. • There are tests for each of these properties. • Failing one of these tests indicates non-randomness. • Of course, passing one of these tests does not guarantee

randomness – in fact, even passing all of these tests does not guarantee randomness.

• Each test just makes it more and more unlikely that a sequence is non-random.

Five tests for PRBG

• We will now present five tests that are often used in testing PRBG's.

• They all test the hypothesis that the sequence was generated by a random number generator, with a significance level of 5%.

• That means, that sequences actually produced with a random number generator are rejected with a probability of 5%.

• This may seem like a lot, but it also makes it more unlikely that we will accept sequences that do not possess the randomness-properties.

Frequency test

• The purpose of this test is to see if there are about as many 1's as 0's.

n: the number of bits, n0: the number of 0’s, n1: the number of 1’s • should be less than 3.8415

n

nnX

2

1)10(

1X

The Serial Test• This test is similar to the frequency test, but looks for 2-

bit subsequences instead.• n: the number of bits, n0: the number of 0's, n1: the

number of 1's, n00: the number of 00's, ...• For example, for the sequence 011100, the values would

be n=6, n0=3, n1=3, n00=1, n01=1, n10=1, n11=2.

• should be less than 5.9915

12

1

4 21

20

211

210

201

2002

nn

nnnnn

nX

2X

The Poker Test

• We divide the sequence into subsequences of a certain length, and then test if these sequences appear the same number of times. m is a positive integer such as:

• ni is the number of occurrence of the ith type of sequence of length m and

• The poker test is a generalisation of the frequency test : m=1 in the poker test yields the frequency test.

,),2.(5

m

nkm

m

n

mi 21

• The static used is:

• should be less than 14,0671

km

ii

nk

mX

2

1

223

3X

The Run Test

• A run is a subsequence , which consist of the consecutive 0’s or consecutive 1’s. A run of 0’s is called a gap, and a run of 1’s is called a block.

• In runs test we check if the number of runs is as expected for a random sequence.

• The expected number of gaps or blocks of length i in a random sequence of length n is :

• K is equal to the largest integer I for which ei 5, Bi, Gi are the number of gaps and blocks of length I in s for each I, and 1 I k

22)3(

ii

ine

• The Statistics used is:

• X4 should be less than 9,4877

k

i ei

eiGik

i ei

eiBi

1

2

1

2

4X

The Autocorrelation test

• The purpose of the autocorrelation test is to check that bits don't depend on other bits. We choose a number d, and then compare each bit i to the bit i+d.

• If the two bits are the same too often, or different too often, the test rejects the input.

X5 should be less than 1,96 and bigger than -1,96.

PRG Definition

• Uk denotes the uniform distribution on bit strings of length k

• Security is built-in following definition• A PRG with expansion l(K) is a deterministic poly-

time algorithm from bit strings to bit strings s.t.:• L(k) is a polynomial in k s.t. l(k) > k• No PPT distinguisher D exists with• Prob(D(g(Uk)) = 1) – Prob(D(Ul(k) = 1)• Non-negligible in terms of k

Blum-Blum-Shub Pseudo Random bit generator

Setup: generate two large secret random (and distinct) prime p and q, each congruent to 3 modulo 4, and compute n =pq (n =pq is an RSA modulus with p,q = 3 mod 4.)

– Select a random integer s (the seed) in the interval [1, n-1] such that gcd(s,n) = 1, and compute x0= (s)2 mod n

– For i from 1 to l do the following:

1. xi = (xi-1)2 mod n

2. zi = the least significant bit of xi

– The output sequence is z1,z2,..., zl

Blum-Blum-Shub

• IETF RFC 1750 (Eastlake et al.) states:“If you use no more than the log2log2(xi) low order bits, then predicting any additional bits from a sequence generated in this manner is provable [sic] as hard as factoring n.”

Blum-Blum-Shub

• Analysis by Koblitz and Menezes:– Take the best bounds on security and hardness of factoring

known in the literature.– Apply them for j=9 and n with 768 bits, extracting M=109

bits from the generator.– Allowing a success probability of 0.01 for the adversary,

what is the time bound on the adversary?– Answer: 2-264

– Yes, that is a negative sign in the exponent!• Concrete security analysis does not always give us

results that are useful in practice.

Security• A PRNG suitable for cryptographic applications is called a

cryptographically secure PRNG (CSPRNG). – Its output should not only pass all statistical tests for

randomness but satisfy some additional cryptographic requirements.

– Used in many aspects of cryptography require random numbers, for example:• Key generation• Nonces• Salts in certain signature schemes, (ECDSA, RSASSA-PSS). • One-time pads

CSPRNG• CSPRNG requirements fall into two groups:

– their statistical properties are good (passing tests of randomness), – they hold up well in case of attack, even when (part of) their secrets are

revealed.

• A CSPRNG should satisfy the 'next-bit test'. – Given the first l bits of a random sequence there is no polynomial-time

algorithm that can predict the next bit with probability of success significantly higher than 1/2.

– It has been proven that a generator passing the next-bit test will pass all other polynomial-time statistical tests for randomness.

• should withstand state compromise extensions. – That is, in the unfortunate case that part or all of the state has been revealed (or

guessed correctly), it should be impossible to reconstruct the stream of random numbers prior to the incident. Also if there is an input of entropy, it should be infeasible to use knowledge of the state to predict future conditions of the state.

Example

• the CSPRNG being considered produces output by computing some function of the next digit of pi (ie, 3.1415...),

it may well be random as pi appears to be a random sequence.

However, this does not satisfy the next-bit test, and thus is not cryptographically secure. There exists an algorithm that will predict the next

bit.

Design

• divide designs of CSPRNGs into classes:– those based on block ciphers; – those based upon hard mathematical problems,

and – special-purpose designs.

Designs based on cryptographic primitives

• Designs based on cryptographic primitives– A secure block cipher can also be converted into a CSPRNG by running it in counter

mode.

• This is done by choosing an arbitrary key and encrypting a zero, then encrypting a 1, then encrypting a 2, etc. The counter can also be started at an arbitrary number other than zero. Obviously, the period will be 2n for an n-bit block cipher; equally obviously, the initial values (i.e. key and 'plaintext') must not become known to an attacker lest, however good this CSPRNG construction might be otherwise, all security be lost.

• A cryptographically secure hash of a counter might also act as a good CSPRNG in some cases. – it is necessary that the initial value of this counter is random and secret. If the counter

is a bignum, then CSPRNG could have an infinite period.

DES Based Generator

• ANSI X9.17 PRNG (used by PGP,..)– Inputs: two pseudo-random inputs • one is a 64-bit representation of date and time• The other is 64-bit seed values

– Keys: three 3DES encryptions using same keys– Output: • a 64-bit pseudorandom number and • A 64-bit seed value for next-round use

ANSI X9.17

EDE

EDE

EDE

DT

Si

Ri

Si+1

K1,K2

Linear Congruential Generator

• Protocol– Let M be an integer and a, b less than M– Let k be number of bits of M– Integer l is between k+1 and M-1– Let s0 be a seed less than M

– Define si=asi-1+b mod M

– Then the ith random bit is si mod 2– It is not proved to be secure

Parameter Setting

• Not all a, b are good and m should be large• For example, m is a large prime number• For fast computation, usually m=231-1– And b is set to 0 often

• For this m, there are less than 100 integers a– It generates all numbers less than m– The generated sequences appear to be random

• One such a=7516807

– Used in IBM 360 family of computers

RSA Generator

• Protocol– Let p, q be two k/2 bits primes and define n=pq– Integer b: gcd(b, (n))=1– Public: n, b; Private p,q– A seed s0 with k bits

– Sequence si+1=sib mod n

– Then the ith random bit is si mod 2– It is proved to be secure!

BBS Generator• Blum-Blum-Shub Generator– Let p, q be two k/2 bits primes and define n=pq– Here p=q=3 mod 4

• this guarantees that each quadratic residue has one square root which is also a quadratic residue

– gcd(φ(p-1), φ(q-1)) should be small • this makes the cycle length large.

– Let QR(n) be all quadratic residues modulo n– Public: n; Private p,q– A seed s0 with k bits from QR(n)– Sequence si+1=si

2 mod n– Then the ith random bit is si mod 2

Cont on BBS

• Provably “secure”– When the primes are chosen appropriately, – and O(log log n) bits of each Si are output,

– then in the limit as n grows large, distinguishing the output bits from random will be at least as difficult as factoring n.

• However,– it's theoretically possible that a fast algorithm for

factoring will someday be found, so BBS is not yet guaranteed to be secure.

Discrete Logarithm Generator

• Protocol– Let p be a k-bit prime, – Let be primitive element modulo p– A seed s0 is any non-zero integer less than p

– Define si+1 = si mod p– Then the ith random bit is • 1 if si is larger than p/2

• 0 if si is less than p/2

Standards

• A number of designs of CSPRNGs have been standardized. They can be found in:– FIPS 186-2 – ANSI X9.17-1985 Appendix C – ANSI X9.31-1998 Appendix A.2.4 – ANSI X9.62-1998 Annex A.4