K. Pommerening, Bitstream Ciphers

4.1 The BBS Generator
As with the RSA cipher we consider an integer modulus m that is a product of
two large prime numbers. For the BBS generator we choose Blum primes p and
q; these are primes ≡ 3 (mod 4). A product of two Blum primes is called a
Blum integer.
The BBS generator works in the following way: As a first step choose
two large random Blum primes p and q, and form their product m = pq. As
a second step choose a random integer “seed” s with 1 ≤ s ≤ m − 1, and
coprime with m.
If we catch an s not coprime with m, we have factorized m by
chance. This might happen, but is extremely unlikely, and can
easily be caught at initialization time.
Now we proceed with generating a pseudo-random sequence: Take $x_0 = s^2 \bmod m$
as initial state (we want $x_0$ to be a quadratic residue), and form
the sequence of inner states of the random generator: $x_i = x_{i-1}^2 \bmod m$
for $i = 1, 2, 3, \ldots$ In each step output the least significant bit of the binary
representation, that is $u_i = x_i \bmod 2$ for $i = 0, 1, 2, \ldots$, or in other words,
the parity of $x_i$.
If $x_i < \sqrt{m}$, then $x_i^2 \bmod m = x_i^2$, the integer square, so $x_{i+1}$ has
the same parity as $x_i$. In order to avoid a constant segment at
the beginning of the output, often the boundary area $s < \sqrt{m}$,
as well as $s > m - \sqrt{m}$, is excluded. However if we really choose
s as a true random value, the probability for s falling into these
boundary areas is extremely low. But to be on the safe side we
may require $\sqrt{m} \le s \le m - \sqrt{m}$.
Example
Of course an example with small numbers is practically irrelevant, but it
illustrates the algorithm: Take p = 7, q = 11, m = 77, s = 53. Then
$s^2 = 2809$, hence $x_0 = 37$, and $u_0 = 1$ since $x_0$ is odd. The following table
shows the beginning of the sequence of states:

  i   | x_i | u_i
  0   |  37 |  1
  1   |  60 |  0
  2   |  58 |  0
  3   |  53 |  1
  ... | ... | ...
Treating the Blum primes p and q as secret is essential for the security of
the BBS generator. They serve for forming m only, afterwards they may even
be destroyed. In contrast with RSA there is no further use for them. Likewise
all the non-output bits of the inner states xi must be secret. Moreover there
is no reason to reveal the product m = pq even if the security proof doesn’t
depend on this.
A program that generates the parameters for the BBS generator consists
of two procedures:
Procedure BlumPrime
[generates the smallest prime p ≥ x for which (p−1)/2 is also prime]
Input parameter:
x = positive integer
Output parameter:
p = the smallest prime ≥ x such that (p−1)/2 is prime
Instructions:
Set p = x.
If p is even increment p by 1.
If (p−1)/2 is even increment p by 2.
While ((p−1)/2 is not prime) or (p is not prime)
increment p by 4.
From the section on the prime number theorem we know that there probably
exist lots of such numbers. Thus the algorithm is “empirically correct”
even without (artificially) forcing its termination. By the way ‘BlumPrime’
presupposes a prime test as treated in Part II.
Procedure BlumRandomPrime
[generates a random n bit Blum prime p for which also (p−1)/2 is prime]
Input parameter:
n = number of bits
Output parameter:
p = a prime with $2^{n-1} < p < 2^n$ and (p−1)/2 prime
Instructions:
Generate a random integer x with $2^{n-1} \le x < 2^n$.
Set p = BlumPrime(x).
If $p \ge 2^n$ set $x = 2^{n-1}$ and p = BlumPrime(x).
As before the correctness of this algorithm relies on empirical evidence
only. Nevertheless we’ll never encounter a situation where no prime is found.
A serious objection is the fact that the algorithm outputs different primes
with different probabilities. For the probability of a given prime is
proportional to the difference with the next prime below it (where the
difference is meant mod $2^{n-1}$ to take care of the switch from $2^n$ to
$2^{n-1}$ at the end of the interval). Furthermore the density of the primes
changes by a factor of (almost) 2 between $2^{n-1}$ and $2^n$, as the
considerations surrounding the prime number theorem have shown. However we
don’t know of any procedure that exploits this non-uniformity of the
distribution for an attack on the BBS generator, so there is no obvious need
to complicate the algorithm.
The algorithm ‘BlumRandomPrime’ uses a random integer x. We should
take a “true” random value, for example computed from a sufficiently long
pass phrase provided by the user.
Procedure BlumInteger
[generates a random Blum integer with n or n + 1 bits
that is hard to factorize]
Input parameter:
n = number of bits
Output parameter:
m = a Blum integer
Instructions:
Set $k = \lfloor n/2 \rfloor$.
Set l = n − k + 1.
Set p = BlumRandomPrime(k).
Set q = BlumRandomPrime(l).
Set m = p · q.
This completes the procedures for parameter generation. Table 4.1 shows
a Blum integer with n = 1025 (or 309 decimal digits) that was generated
by this program. Considering the progress of factorization algorithms we
had better use Blum integers of at least 2048 bits.
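The three procedures BlumPrime, BlumRandomPrime and BlumInteger, implemented in Python as an added example (this is not the book's code). Miller-Rabin stands in for the prime test of Part II, the loop in BlumPrime runs until both p and (p−1)/2 are prime as the output specification requires, and the function names are my own.

```python
import secrets

def is_prime(n, rounds=32):
    """Miller-Rabin probable-prime test, standing in for the test of Part II."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is composite
    return True

def blum_prime(x):
    """Procedure BlumPrime: smallest prime p >= x with (p-1)/2 also prime.
    The two adjustments force p = 3 mod 4; stepping by 4 keeps it so."""
    p = x if x % 2 else x + 1                     # make p odd
    if ((p - 1) // 2) % 2 == 0:
        p += 2                                    # make (p-1)/2 odd
    while not (is_prime((p - 1) // 2) and is_prime(p)):
        p += 4
    return p

def blum_random_prime(n):
    """Procedure BlumRandomPrime: Blum prime in (2^(n-1), 2^n) with (p-1)/2 prime."""
    x = secrets.randbits(n) | (1 << (n - 1))      # 2^(n-1) <= x < 2^n
    p = blum_prime(x)
    if p >= 1 << n:                               # ran past the interval: wrap around
        p = blum_prime(1 << (n - 1))
    return p

def blum_integer(n):
    """Procedure BlumInteger: m = p*q with n or n+1 bits; returns (m, p, q)."""
    k = n // 2
    l = n - k + 1
    p = blum_random_prime(k)
    q = blum_random_prime(l)
    return p * q, p, q
```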
Table 4.1: A 1025 bit Blum integer
Using these auxiliary procedures we now generate pseudo-random numbers: Set
the modulus m as a global constant and the seed x = s as a global
variable that is initialized by a “true” random value in the integer interval
$[\lceil \sqrt{m} \rceil \ldots m - \lceil \sqrt{m} \rceil]$. The following procedure then generates a bit sequence
of a desired length:
Procedure BBSrandomBit
[generates a sequence of n pseudo-random bits]
Input parameter:
n = number of desired bits
Output parameter:
blist = a list of bits
Instructions:
For i = 1, . . . , n
replace x by $x^2 \bmod m$,
set b = x mod 2,
append b to blist.
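An added Python example (not the book's code) that sets up the generator with the coprimality and boundary checks described at the start of the section, reproduces the small example table (p = 7, q = 11, s = 53) and implements Procedure BBSrandomBit; the function names are assumptions of this example.

```python
from math import gcd, isqrt

def bbs_setup(p, q, s):
    """Form m = p*q and the initial state x0 = s^2 mod m.

    A seed sharing a factor with m is rejected (gcd(s, m) would be p or q),
    as is a seed in the boundary area below sqrt(m) or above m - sqrt(m),
    where the first output bits would be constant.
    """
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be Blum primes (congruent 3 mod 4)")
    m = p * q
    if gcd(s, m) != 1:
        raise ValueError("seed not coprime with m: gcd(s, m) factors m")
    r = isqrt(m)
    if not r <= s <= m - r:
        raise ValueError("seed lies in the excluded boundary area")
    return m, s * s % m

def seed_is_usable(p, q, s):
    """True if bbs_setup accepts the seed s for the Blum primes p, q."""
    try:
        bbs_setup(p, q, s)
        return True
    except ValueError:
        return False

def bbs_states(m, x0, n):
    """States x_i = x_{i-1}^2 mod m and parity bits u_i = x_i mod 2 for
    i = 0 .. n-1, starting with x_0 itself as in the example table."""
    states, bits, x = [], [], x0
    for _ in range(n):
        states.append(x)
        bits.append(x & 1)
        x = x * x % m
    return states, bits

def bbs_random_bits(m, x, n):
    """Procedure BBSrandomBit: square the state, then output its parity, so
    the n bits are u_1 .. u_n. Returns (blist, updated state)."""
    blist = []
    for _ in range(n):
        x = x * x % m
        blist.append(x & 1)
    return blist, x

if __name__ == "__main__":
    m, x0 = bbs_setup(7, 11, 53)           # the book's toy parameters
    print(bbs_states(m, x0, 4))            # ([37, 60, 58, 53], [1, 0, 0, 1])
```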
Using the previously generated modulus and a secret seed this procedure
produced the 1024 bit sequence shown in Table 4.2.
Table 4.2: 1024 “perfect” pseudo-random bits
Figure 4.1 gives an optical impression of the randomness of this sequence.
Figure 4.1: Visualization of the “perfect” pseudo-random sequence