K. Pommerening, Bitstream Ciphers

4.1 The BBS Generator

As with the RSA cipher we consider an integer modulus m that is a product of two large prime numbers. For the BBS generator we choose Blum primes p, that is, primes p ≡ 3 (mod 4). A product of two distinct Blum primes is called a Blum integer. The BBS generator works in the following way:

As a first step choose two large random Blum primes p and q, and form their product m = pq.

As a second step choose a random integer "seed" s with 1 ≤ s ≤ m − 1 that is coprime with m. If we catch an s not coprime with m, we have factorized m by accident, since gcd(s, m) is then p or q. This might happen, but is extremely unlikely, and is easily caught at initialization time.

Now we proceed with generating a pseudo-random sequence: Take $x_0 = s^2 \bmod m$ as the initial state (we want $x_0$ to be a quadratic residue), and form the sequence of inner states of the generator

$$x_i = x_{i-1}^2 \bmod m \quad \text{for } i = 1, 2, 3, \ldots$$

In each step output the least significant bit of the binary representation, that is $u_i = x_i \bmod 2$ for $i = 0, 1, 2, \ldots$, or in other words, the parity of $x_i$.

If $x_i < \sqrt{m}$, then $x_i^2 \bmod m = x_i^2$, the integer square, so $x_{i+1}$ has the same parity as $x_i$. In order to avoid a constant segment at the beginning of the output, the boundary areas $s < \sqrt{m}$ and $s > m - \sqrt{m}$ are often excluded. If we really choose s as a true random value, the probability of s falling into these boundary areas is extremely low, but to be on the safe side we may require $\sqrt{m} \le s \le m - \sqrt{m}$.

Example. Of course an example with small numbers is practically irrelevant, but it illustrates the algorithm: Take p = 7, q = 11, m = 77, s = 53. Then $s^2 = 2809$, hence $x_0 = 2809 \bmod 77 = 37$, and $u_0 = 1$ since $x_0$ is odd. The following table shows the beginning of the sequence of states:

      i    x_i   u_i
      0     37     1
      1     60     0
      2     58     0
      3     53     1
    ...    ...   ...

Treating the Blum primes p and q as secret is essential for the security of the BBS generator. They serve for forming m only; afterwards they may even be destroyed.
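The generator as described above, as an added Python example (not code from the book; the function names are mine): it carries the p = 7, q = 11, s = 53 example through to the table, performs the two seed checks the text asks for (coprimality, where a failure hands over a factor of m, and the boundary interval), and shows the leading run of identical output bits that a seed below √m produces.

```python
"""Blum-Blum-Shub generator with the seed checks from the text.
Added illustration, not the book's code; function names are mine."""
from math import gcd, isqrt


def seed_check(m: int, s: int) -> tuple[bool, str]:
    """Validate a seed s for the modulus m.

    Returns (ok, reason).  A seed with gcd(s, m) > 1 has factored m by
    accident (the gcd is p or q), so that modulus must not be used.
    Seeds in the boundary areas s < sqrt(m) or s > m - sqrt(m) are
    rejected because the output may start with a constant run."""
    if not 1 <= s <= m - 1:
        return False, "seed outside 1..m-1"
    g = gcd(s, m)
    if g != 1:
        return False, f"gcd(s, m) = {g}: m has been factored by accident"
    r = isqrt(m - 1) + 1          # ceil(sqrt(m))
    if s < r or s > m - r:
        return False, "seed in the boundary area"
    return True, "ok"


def bbs_states(m: int, s: int, n: int) -> list[tuple[int, int]]:
    """First n pairs (x_i, u_i): x_0 = s^2 mod m, x_i = x_{i-1}^2 mod m,
    u_i = x_i mod 2 (the least significant bit of the state)."""
    out = []
    x = s * s % m
    for _ in range(n):
        out.append((x, x & 1))
        x = x * x % m
    return out


def bbs_bits(m: int, s: int, n: int) -> list[int]:
    """The output bits u_0 .. u_{n-1} only."""
    return [u for _, u in bbs_states(m, s, n)]


def parity_carryover(m: int, s: int, n: int) -> int:
    """Number of leading states with x_i < sqrt(m).  For each such i the
    square is not reduced, x_{i+1} = x_i^2, hence u_{i+1} == u_i; the
    output therefore starts with at least carryover + 1 identical bits."""
    count = 0
    for x, _ in bbs_states(m, s, n):
        if x * x >= m:            # x >= sqrt(m): reduction mod m kicks in
            break
        count += 1
    return count


if __name__ == "__main__":
    M = 7 * 11
    for x, u in bbs_states(M, 53, 5):
        print(f"x = {x:3d}  u = {u}")   # 37/1, 60/0, 58/0, 53/1, 37/1 (period 4)
    print(seed_check(M, 53), seed_check(M, 7), seed_check(M, 2))
    # a seed below sqrt(77) ~ 8.8: the first bits repeat before reduction sets in
    print(bbs_bits(M, 2, 6), "leading run of at least", parity_carryover(M, 2, 6) + 1)
```

With m = 77 the admissible interval is 9 ≤ s ≤ 68; the seed 7 is rejected because gcd(7, 77) = 7 exposes a factor, and the seed 2 lands in the boundary area, where x_0 = 4 and x_1 = 16 are both unreduced squares and share their parity.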
In contrast with RSA there is no further use for them. Likewise all the non-output bits of the inner states $x_i$ must be kept secret. Moreover there is no reason to reveal the modulus m = pq, even though the security proof doesn't require m to be secret.

A program that generates the parameters for the BBS generator consists of two procedures:

Procedure BlumPrime
[generates the smallest Blum prime p ≥ x for which (p − 1)/2 is also prime]

Input parameter: x = positive integer
Output parameter: p = the smallest prime p ≥ x with p ≡ 3 (mod 4) such that (p − 1)/2 is prime
Instructions:
  Set p = x.
  If p is even, increment p by 1.
  If (p − 1)/2 is even, increment p by 2. [Now p ≡ 3 (mod 4), and stepping by 4 keeps it so.]
  While (p − 1)/2 is not prime or p is not prime, increment p by 4.

From the section on the prime number theorem we know that there probably exist lots of such numbers. Thus the algorithm is "empirically correct" even without (artificially) forcing its termination. By the way, BlumPrime presupposes a primality test as treated in Part II.

Procedure BlumRandomPrime
[generates a random n-bit Blum prime p for which (p − 1)/2 is also prime]

Input parameter: n = number of bits
Output parameter: p = a prime with $2^{n-1} < p < 2^n$ and (p − 1)/2 prime
Instructions:
  Generate a random integer x with $2^{n-1} \le x < 2^n$.
  Set p = BlumPrime(x).
  If p ≥ $2^n$, set x = $2^{n-1}$ and p = BlumPrime(x).

As before the correctness of this algorithm relies on empirical evidence only. Nevertheless we'll never encounter a situation where no prime is found. A serious objection is the fact that the algorithm outputs different primes with different probabilities: the probability of a given prime is proportional to its distance from the next such prime below it (where the distance is taken modulo $2^{n-1}$ to take care of the wrap-around from $2^n$ to $2^{n-1}$ at the end of the interval). Furthermore the density of the primes changes by a factor of (almost) 2 between $2^{n-1}$ and $2^n$, as the considerations surrounding the prime number theorem have shown.
However we don't know of any procedure that exploits this non-uniformity of the distribution for an attack on the BBS generator, so there is no obvious need to complicate the algorithm.

The algorithm BlumRandomPrime uses a random integer x. We should take a "true" random value, for example computed from a sufficiently long pass phrase provided by the user.

Procedure BlumInteger
[generates a random Blum integer with n or n + 1 bits that is hard to factorize]

Input parameter: n = number of bits
Output parameter: m = a Blum integer
Instructions:
  Set k = ⌊n/2⌋.
  Set l = n − k + 1.
  Set p = BlumRandomPrime(k).
  Set q = BlumRandomPrime(l).
  Set m = p · q.

This completes the procedures for parameter generation. Table 4.1 shows a Blum integer with n = 1025 (or 309 decimal places) that was generated by this program. Considering the progress of factorization algorithms we had better use Blum integers of at least 2048 bits.

     4506 69340 53909 40823 07594 27681 83739 15286 10344 02080 70452
    51105 66632 34537 74466 80414 09976 14981 16833 02722 50249
    96318 45161 62658 44889 32988 26225 08671 76261 94574 30109
    57145 14044 21639 91025 67753 66289 85172 26383 63710 59480
    74945 10763 07427 22616 30387 62175 83135 64987 89442 74480
    17602 49124 16199 90309 30004 10227 25696 86394 61782 41852
    31819

Table 4.1: A 1025 bit Blum integer

Using these auxiliary procedures we now generate pseudo-random numbers: Set the modulus m as a global constant and the seed x = s as a global variable that is initialized by a "true" random value in the integer interval $[\lceil\sqrt{m}\rceil, \; m - \lceil\sqrt{m}\rceil]$ (and coprime with m). The following procedure then generates a bit sequence of a desired length:

Procedure BBSrandomBit
[generates a sequence of n pseudo-random bits]

Input parameter: n = number of desired bits
Output parameter: blist = a list of bits
Instructions:
  For i = 1, . . . , n:
    replace x by $x^2 \bmod m$,
    set b = x mod 2,
    append b to blist.
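The four procedures BlumPrime and BlumRandomPrime (previous page) and BlumInteger and BBSrandomBit (above), as one added Python example that is not the book's program. Assumptions of mine: the primality test is a Miller-Rabin test (the book defers to Part II for it), the "true" random source is Python's `secrets` module, the seed is drawn from the interval [⌈√m⌉, m − ⌈√m⌉] and checked for coprimality, and BBSrandomBit returns the updated state instead of keeping x in a global. BlumPrime's loop is written so that it runs until both p and (p − 1)/2 are prime. Function names are mine.

```python
"""BBS parameter generation (BlumPrime, BlumRandomPrime, BlumInteger) and
the BBSrandomBit procedure.  Added illustration, not the book's program.
Assumptions: Miller-Rabin as the primality test, `secrets` as the source
of "true" randomness."""
import secrets
from math import gcd, isqrt

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
# the twelve bases above are a deterministic Miller-Rabin witness set below this bound
_MR_DETERMINISTIC_BOUND = 3_317_044_064_679_887_385_961_981


def is_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: deterministic with the fixed bases below the bound,
    random extra bases (error <= 4^-rounds) for larger n."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    bases = list(_SMALL_PRIMES)
    if n >= _MR_DETERMINISTIC_BOUND:
        bases += [2 + secrets.randbelow(n - 3) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def blum_prime(x: int) -> int:
    """Smallest p >= x with p = 3 (mod 4) such that p and (p-1)/2 are both
    prime (a "safe prime").  Make p odd, make (p-1)/2 odd, then step by 4,
    which preserves p = 3 (mod 4), until both primality tests pass."""
    p = x
    if p % 2 == 0:
        p += 1
    if ((p - 1) // 2) % 2 == 0:
        p += 2
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 4
    return p


def blum_random_prime(n: int) -> int:
    """Random Blum prime p with 2^(n-1) < p < 2^n and (p-1)/2 prime."""
    if n < 3:
        raise ValueError("no such prime with fewer than 3 bits")
    x = secrets.randbits(n - 1) | (1 << (n - 1))     # 2^(n-1) <= x < 2^n
    p = blum_prime(x)
    if p >= 1 << n:                                   # ran off the top: wrap around
        p = blum_prime(1 << (n - 1))
    return p


def blum_integer(n: int) -> tuple[int, int, int]:
    """Blum integer m = p*q with n or n+1 bits; returns (m, p, q).
    p gets k = floor(n/2) bits and q gets l = n-k+1 > k bits, so p != q."""
    k = n // 2
    l = n - k + 1
    p = blum_random_prime(k)
    q = blum_random_prime(l)
    return p * q, p, q


def bbs_seed(m: int) -> int:
    """Random seed s with ceil(sqrt(m)) <= s <= m - ceil(sqrt(m)) and
    gcd(s, m) = 1 (a seed sharing a factor would expose p or q)."""
    r = isqrt(m - 1) + 1                  # ceil(sqrt(m))
    while True:
        s = r + secrets.randbelow(m - 2 * r + 1)
        if gcd(s, m) == 1:
            return s


def bbs_random_bits(m: int, x: int, n: int) -> tuple[list[int], int]:
    """Procedure BBSrandomBit: square the state n times and emit the parity
    after each squaring.  The new state is returned so that the next call
    continues the same stream (the text keeps x in a global variable)."""
    blist = []
    for _ in range(n):
        x = x * x % m
        blist.append(x % 2)
    return blist, x


if __name__ == "__main__":
    m, p, q = blum_integer(256)
    s = bbs_seed(m)
    bits, state = bbs_random_bits(m, s, 64)
    print(f"m has {m.bit_length()} bits (p: {p.bit_length()}, q: {q.bit_length()})")
    print("first 64 output bits:", "".join(map(str, bits)))
```

Run with a seed of 53 and m = 77 the procedure reproduces the example table (first squaring gives 37, parity 1, and the state returns to 53 after four steps). The 256-bit modulus in the demonstration is only there to keep the run short; as the text says, a modulus for real use should have at least 2048 bits, and the `secrets` calls should then be fed from a genuinely random source.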
Using the previously generated modulus and a secret seed this procedure produced the 1024-bit sequence shown in Table 4.2.

    1000 1010 1000 0111 0001 1011 1101 0001 1010 1001 1000 1001 1010 0111 0011 1101
    1001 0100 1101 1111 0110 1110 1111 0101 1010 1111 1011 0010 1000 0011 1100 0000
    0111 0101 1001 0110 0010 1000 0110 0010 1111 0001 1111 1001 1001 1110 1000 0001
    0100 0011 0010 1111 1011 0010 1100 0011 0110 1101 0110 0011 1010 0010 0011 0010
    1111 1001 0101 1001 1101 0100 0100 0100 0111 0011 0011 0000 0000 1000 0011 0011
    1110 0010 0000 0010 0001 1000 0011 1001 1001 1010 1111 1010 1010 1101 1000 0011
    1111 0111 1011 0010 1001 0110 1000 1000 0000 0010 1000 0110 1011 0111 1001 1101
    0000 0010 1001 0110 0101 1000 0111 0110 0011 0100 0010 1000 1110 0000 1011 0000
    1011 0000 0011 0110 1010 1100 1010 0101 1110 0001 1001 1001 1011 1010 1000 1110
    1110 1000 1011 0100 0111 0111 1010 0100 0010 1100 1010 1010 0100 0111 0001 0100
    0001 1010 1001 1111 0010 1110 1101 0111 0000 0111 0011 0010 0010 1010 1100 0101
    0110 0111 1110 1010 0001 1111 0111 1100 1001 0000 0011 1010 1010 1100 1110 1111
    1100 1000 1010 0001 1000 1001 0100 1101 0110 1110 0100 0100 0010 1001 1100 0010
    0001 0010 1010 1111 1011 0010 1100 0111 0101 1110 0111 0010 0110 0101 1111 1010
    1110 1111 0010 1011 0100 0011 1100 1101 0011 0101 1001 0001 0111 1001 0000 1100
    0111 1000 1000 1111 0011 1001 1001 1000 1111 0100 1100 1010 0000 1011 0100 0101

Table 4.2: 1024 "perfect" pseudo-random bits

Figure 4.1 gives an optical impression of the randomness of this sequence.

[Figure 4.1 (image not reproduced here; both axes run from 0 to 30 in steps of 5)]

Figure 4.1: Visualization of the "perfect" pseudo-random sequence