ECEN 5022 Cryptography
Pseudo Random Number Generators
Peter Mathys
University of Colorado
Spring 2008
Random Number Generation

- Random numbers are needed for many different purposes in engineering and computer science, e.g., to run simulations, to generate random passwords, etc.
- True sequences of random symbols can be obtained by flipping coins, measuring a radioactive source, using a noise diode, etc.
- Often there are some very specific requirements for a random sequence. For instance, for debugging purposes it is essential that a “random” sequence can be repeated.
- Pseudo-random number generators (PRNGs) are widely used for computer simulations as well as for cryptographic purposes, because they can be implemented easily on computers. But the requirements for cryptography are different from those for general-purpose computing.
Middle Square Method

- Around 1946 John von Neumann came up with the “middle square method” for generating random numbers. Suppose you have an 8-digit number, e.g., s_i = 60684258. Keep the middle 4 digits as x_i = 6842. Compute the next number as s_{i+1} = x_i^2 = 46812964 and thus x_{i+1} = 8129.
- What are the properties of the sequence x_i, x_{i+1}, ...? Will it continue forever? Will it die out? What statistical properties does it have?
- Here is an example sequence, obtained by using 4-digit numbers and keeping the middle two digits after each squaring (the square is zero-padded to 4 digits):
  42, 76, 77, 92, 46, 11, 12, 14, 19, 36, 29, 84, 5, 2, 0, 0, ...
  The generator has died out at 0.
Middle Square Method

- Here is another example using 4-digit numbers and keeping the middle two digits:
  x_i = 57 → 57^2 = 3249 → x_{i+1} = 24 → 24^2 = 0576 → x_{i+2} = 57 → 57^2 = 3249 → ...
  The generator is stuck in a cycle of length 2.
- Moral of the story: Some theory is needed to make good PRNGs with predictable properties.
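The two failure modes above (dying out at 0, falling into a short cycle) are easy to observe by running the generator until a state repeats. The following is an added example, not code from the slides; the function names middle_square_next and middle_square_run are my own, and the digit count d is the number of digits kept (2 for the slides' 4-digit examples, 4 for the 8-digit one).

```python
# Added example (not from the lecture slides): von Neumann's middle-square
# method, iterated until a state repeats, so the "dies out" and "short cycle"
# behaviour from the slides can be observed on the slides' own inputs.

def middle_square_next(x, d):
    """Square the d-digit number x, zero-pad the square to 2d digits, and
    return the middle d digits as the next value."""
    sq = str(x * x).zfill(2 * d)      # e.g. 5 -> "0025" for d = 2
    lo = (len(sq) - d) // 2           # len(sq) == 2d, so lo == d // 2
    return int(sq[lo:lo + d])


def middle_square_run(seed, d):
    """Iterate from seed until a value repeats.

    Returns (values, cycle_start, cycle_len): values is the list of distinct
    states in order of first appearance, values[cycle_start:] is the cycle the
    generator falls into, and cycle_len is its length.  A cycle of length 1
    at 0 means the generator has died out.
    """
    seen = {}
    values = []
    x = seed
    while x not in seen:
        seen[x] = len(values)
        values.append(x)
        x = middle_square_next(x, d)
    cycle_start = seen[x]
    return values, cycle_start, len(values) - cycle_start


if __name__ == "__main__":
    # 8-digit example from the slides: keep the middle 4 digits of the square.
    print(middle_square_next(6842, 4))          # 8129
    for seed in (42, 57):
        vals, start, clen = middle_square_run(seed, 2)
        print(seed, vals, "cycle length", clen, "after", start, "steps")
```

For d = 2 there are only 100 states, so every seed ends in a cycle within 100 steps; the run from 42 takes 14 steps to reach the fixed point 0, and 57 is already on a 2-cycle.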
Linear Congruential Method

- The linear congruential method generates the sequence x_0, x_1, x_2, ... using the recursion
  x_{i+1} = a x_i + c (mod m),
  where m is the modulus (often a power of 2 or 10), a is the multiplier, c is the increment, and x_0 is the seed.
- Theorem. The sequence x_0, x_1, x_2, ... has period of length m (which is the maximum, since there are only m residues) iff
  (i) gcd(c, m) = 1,
  (ii) b = a − 1 is a multiple of every prime p dividing m,
  (iii) b is a multiple of 4 if m is a multiple of 4.
Example

- Example: m = 100, a = 41, c = 7, x_0 = 5 (gcd(7, 100) = 1, and a − 1 = 40 is a multiple of 2, of 5 and of 4, so the theorem applies) produces the sequence x_0, x_1, x_2, ... (read row by row):

  5, 12, 99, 66, 13, 40, 47, 34, 1, 48, 75, 82, 69, 36,
  83, 10, 17, 4, 71, 18, 45, 52, 39, 6, 53, 80, 87, 74,
  41, 88, 15, 22, 9, 76, 23, 50, 57, 44, 11, 58, 85, 92,
  79, 46, 93, 20, 27, 14, 81, 28, 55, 62, 49, 16, 63, 90,
  97, 84, 51, 98, 25, 32, 19, 86, 33, 60, 67, 54, 21, 68,
  95, 2, 89, 56, 3, 30, 37, 24, 91, 38, 96, 72, 59, 26,
  73, 0, 7, 94, 61, 8, 35, 42, 29, 43, 65, 70, 77, 64,
  31, 78, 5, ...

  which has period 100 (x_100 = x_0 = 5, and every residue 0, ..., 99 appears exactly once per period).
Linear Feedback Shift Register

[Figure: LFSR of length L. The stages hold s_0, s_1, ..., s_{L−2}, s_{L−1}; they are tapped with weights −c_L, −c_{L−1}, ..., −c_2, −c_1, the taps are summed (+) to form s_L, which is shifted in; the output is s_0, s_1, s_2, ...]

- Linear feedback shift register (LFSR) of length L. Uses initial state (s_0, s_1, ..., s_{L−1}) and connection polynomial C(D) = c_L D^L + ... + c_2 D^2 + c_1 D + 1 to produce the output sequence s_0, s_1, s_2, ....
- Arithmetic is computed modulo p for some prime number p. Very often p = 2, and then the output is binary.
- The maximum period of the output sequence is p^L − 1 (the number of nonzero states). It is achieved, for every nonzero initial state, when C(D) is a primitive polynomial modulo p.
Linear Feedback Shift Register

- Recursion: $s_L = -\sum_{i=0}^{L-1} s_i\, c_{L-i}$, and in general $s_{L+j} = -\sum_{i=0}^{L-1} s_{i+j}\, c_{L-i}$ for $j \ge 0$.
- Initial condition: $s_0, s_1, \ldots, s_{L-1}$.
- Define $S(D) = \sum_{i=0}^{\infty} s_i D^i$ ($D$: delay operator). Then

$$
\begin{aligned}
S(D) &= \underbrace{s_0 + s_1 D + \ldots + s_{L-1} D^{L-1}}_{=P(D)} + \sum_{j=0}^{\infty} s_{L+j} D^{L+j} \\
     &= P(D) - \sum_{j=0}^{\infty} \sum_{i=0}^{L-1} s_{i+j}\, c_{L-i}\, D^{j+L} \\
     &= P(D) - \sum_{k=0}^{\infty} s_k \underbrace{\sum_{j=k-L+1}^{k} c_{L-k+j}\, D^{L-k+j}}_{=C(D)-1}\, D^k \\
     &= P(D) - S(D)\,\bigl(C(D) - 1\bigr)
\end{aligned}
$$

  (Third line: substitute $k = i + j$; the inner sum runs over $t = L-k+j = 1, \ldots, L$ and gives $c_1 D + \ldots + c_L D^L = C(D) - 1$. Strictly, only terms with $j \ge 0$ occur in the second line, so for $k < L$ the low-order terms of $C(D) - 1$ are missing from the inner sum; they are absorbed into $P(D)$, which is therefore a polynomial of degree less than $L$ determined by the initial state, rather than literally the first $L$ terms of $S(D)$. Only $\deg P(D) < L$ matters for the conclusion.)

$$
\Longrightarrow \quad S(D) = \frac{P(D)}{C(D)}
$$
Examples

- Some primitive connection polynomials for p = 2 are
  D^3 + D^2 + 1, D^4 + D^3 + 1, D^5 + D^3 + 1, D^6 + D^5 + 1,
  giving maximum periods 7, 15, 31 and 63 respectively.
Berlekamp-Massey Algorithm

[Flowchart, transcribed as steps]

Input: sequence {s_i}, i = 0, ..., M−1, of length M.
Variables:
  C(D) = 1 + c_1 D + ... + c_L D^L : current connection polynomial, L its length
  C*(D), δ* : connection polynomial and discrepancy before the last length change
  T(D) : temporary storage
  x : number of symbols since the last length change
  δ : next discrepancy (desired symbol minus generated symbol)

START
Initialize: C(D) ← 1, C*(D) ← 1, L ← 0, δ* ← 1, n ← 0, x ← 1.
Get M.
Repeat:
  Get s_n.
  δ ← s_n + c_1 s_{n−1} + ... + c_L s_{n−L}
  If δ = 0:
    No length change: x ← x + 1
  Else:
    T(D) ← C(D)
    C(D) ← C(D) − δ (δ*)^{−1} D^x C*(D)
    If 2L ≤ n:
      Length change: L ← n + 1 − L, C*(D) ← T(D), δ* ← δ, x ← 1
    Else:
      No length change: x ← x + 1
  n ← n + 1
Until n = M.
Output <C(D), L>.
STOP
Berlekamp-Massey Algorithm

- The Berlekamp-Massey algorithm computes <C(D), L> and the initial state (s_0, s_1, ..., s_{L−1}) from 2L contiguous LFSR output symbols; from these the entire remaining output sequence can be regenerated.
- Do not use LFSR output directly in a cryptosystem (unless you want it to be broken easily).
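The LFSR of the earlier slides and the Berlekamp-Massey flowchart above, together, in working code: the block generates an m-sequence from one of the listed primitive polynomials, checks its period p^L − 1, runs Berlekamp-Massey on only 2L = 8 output symbols, and then regenerates the whole stream from the recovered <C(D), L>, which is the attack the last bullet warns about. This is an added example, not code from the slides; the function names (lfsr, lfsr_period, berlekamp_massey) are my own, polynomials are passed as coefficient lists [1, c_1, ..., c_L], and the code works modulo any prime p (the GF(3) case in the usage note was checked by hand, not taken from the slides).

```python
# Added example (not from the lecture slides): an LFSR over GF(p) driven by a
# connection polynomial C(D) = 1 + c_1 D + ... + c_L D^L, and the
# Berlekamp-Massey algorithm of the flowchart, which recovers <C(D), L>
# from 2L output symbols.  Polynomials are lists [1, c_1, ..., c_L].

def lfsr(conn, state, p, count):
    """First `count` symbols of the LFSR with recursion
    s_n = -(c_1 s_{n-1} + ... + c_L s_{n-L}) (mod p), started from `state`
    (which must hold L = len(conn) - 1 symbols)."""
    L = len(conn) - 1
    s = [v % p for v in state]
    while len(s) < count:
        n = len(s)
        s.append(-sum(conn[i] * s[n - i] for i in range(1, L + 1)) % p)
    return s[:count]


def lfsr_period(conn, state, p):
    """Steps until the L-symbol state vector first returns to `state`."""
    L = len(conn) - 1
    start = tuple(v % p for v in state)
    s = list(start)
    for steps in range(1, p ** L + 1):        # at most p^L distinct states
        n = len(s)
        s.append(-sum(conn[i] * s[n - i] for i in range(1, L + 1)) % p)
        if tuple(s[-L:]) == start:
            return steps
    return None


def berlekamp_massey(s, p=2):
    """Return (C, L): the shortest LFSR over GF(p) generating the sequence s.
    Names follow the flowchart: Cstar/dstar are the connection polynomial and
    discrepancy before the last length change, x counts symbols since then."""
    C, Cstar = [1], [1]
    L, x, dstar = 0, 1, 1
    for n, sn in enumerate(s):
        # discrepancy: desired symbol minus the symbol the current LFSR produces
        d = (sn + sum(C[i] * s[n - i] for i in range(1, L + 1))) % p
        if d == 0:
            x += 1
            continue
        T = C[:]
        coef = d * pow(dstar, -1, p) % p
        C += [0] * max(0, x + len(Cstar) - len(C))
        for i, ci in enumerate(Cstar):         # C(D) <- C(D) - coef D^x C*(D)
            C[x + i] = (C[x + i] - coef * ci) % p
        if 2 * L <= n:                         # length change
            L, Cstar, dstar, x = n + 1 - L, T, d, 1
        else:
            x += 1
        C += [0] * max(0, L + 1 - len(C))
    return C[:L + 1], L


if __name__ == "__main__":
    conn = [1, 0, 0, 1, 1]                     # C(D) = 1 + D^3 + D^4, primitive over GF(2)
    stream = lfsr(conn, [1, 0, 0, 0], 2, 30)
    print("period", lfsr_period(conn, [1, 0, 0, 0], 2))        # 15 = 2^4 - 1
    C, L = berlekamp_massey(stream[:8])        # 2L = 8 symbols suffice
    print(C, L)                                # [1, 0, 0, 1, 1] 4
    print(lfsr(C, stream[:L], 2, 30) == stream)  # remaining stream predicted
```

The same code handles p = 3: berlekamp_massey([1, 2, 2, 1, 1, 2], 3) returns ([1, 0, 1], 2), the recursion s_n = −s_{n−2} (mod 3) that produced that sequence. Note that the period check iterates state vectors, not output symbols, since a state repeat is what closes the cycle.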
Using a Block Cipher

[Figure: output feedback mode. S_{i−1} is encrypted under key K to give S_i = E_K(S_{i−1}); S_i is fed back as the next input and is also tapped as the output. IV is the initial value S_0.]

- Any secure block cipher encryption function E_K(.) can be used in output feedback mode (OFB) to generate a (reasonably) secure pseudo-random sequence.
- IV is the initialization vector (can be transmitted publicly).
- If the block cipher encrypts blocks of size B, use the full block size B in the feedback path. Output B or fewer symbols per iteration.
Toy Example

- A block cipher with B output bits obtained from B input bits can be regarded as a permutation of the numbers 0, 1, 2, ..., 2^B − 1.
- An example of a permutation for B = 4 is

    i    : 0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15
    π(i) : 7  14 1  15 9  6  3  2  10 13 5  11 8  4  12 0

- Setting IV = 0 yields the sequence 0, 7, 2, 1, 14, 12, 8, 10, 5, 6, 3, 15, 0, ... Period: 12
- But setting IV = 4 only yields the sequence 4, 9, 13, 4, ... Period: 3
- And setting IV = 11 only yields 11, 11, 11, ... Period: 1
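The three periods on this slide are the lengths of the three cycles of π, so the full picture is obtained by decomposing the permutation into cycles instead of trying IVs one at a time. The following is an added example, not code from the slides; PI encodes the slide's permutation as a list, and the function names (ofb_states, ofb_period, cycles) are my own.

```python
# Added example (not from the lecture slides): the 4-bit toy permutation used
# as the "block cipher" in OFB mode.  The sequence from an IV is the orbit of
# the IV under the permutation, so its period is the length of the cycle the
# IV lies on; cycles() lists every cycle, so weak IVs are found up front.

PI = [7, 14, 1, 15, 9, 6, 3, 2, 10, 13, 5, 11, 8, 4, 12, 0]   # pi(i) = PI[i], B = 4


def ofb_states(perm, iv, count):
    """iv, pi(iv), pi(pi(iv)), ... as listed on the slide.  The keystream is
    everything after the IV, since the IV itself is public."""
    assert sorted(perm) == list(range(len(perm))), "not a permutation"
    out, s = [], iv
    for _ in range(count):
        out.append(s)
        s = perm[s]
    return out


def ofb_period(perm, iv):
    """Period of the OFB sequence from iv: steps until iv reappears."""
    s, steps = perm[iv], 1
    while s != iv:
        s, steps = perm[s], steps + 1
    return steps


def cycles(perm):
    """Cycle decomposition of the permutation; each cycle is listed starting
    at its smallest element, cycles ordered by that element."""
    seen, result = set(), []
    for start in range(len(perm)):
        if start in seen:
            continue
        cyc, s = [], start
        while s not in seen:
            seen.add(s)
            cyc.append(s)
            s = perm[s]
        result.append(cyc)
    return result


if __name__ == "__main__":
    print(ofb_states(PI, 0, 13))            # 0, 7, 2, 1, 14, 12, 8, 10, 5, 6, 3, 15, 0
    for iv in (0, 4, 11):
        print(iv, "period", ofb_period(PI, iv))
    print(cycles(PI))                       # [[0, 7, ...], [4, 9, 13], [11]]
```

For a uniformly random permutation of 2^B points the cycle through a given IV has expected length (2^B + 1)/2, which for a real block size is astronomically long; the toy shows why a 4-bit "cipher" is unusable and also why the slide insists on feeding back the full block: feeding back only part of it turns the state update into a non-bijective function, whose cycles are far shorter than those of a permutation.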
Blum, Blum, Shub PRNG

- Let n = p q where p, q are large primes satisfying p ≡ 3 (mod 4) and q ≡ 3 (mod 4). Use a seed x_0 to generate the sequence
  x_0, x_1 = x_0^2, x_2 = x_1^2, ... (mod n).
  Output the least significant bit of each x_i to obtain a secure binary random sequence (based on the difficulty of computing square roots modulo n = p q if p, q are not known).
- Example: p = 11, q = 19 (n = 209), x_0 = 4 yields the sequence
  x_i = {4, 16, 47, 119, 158, 93, 80, 130, 180, 5, 25, 207, 4, ...}
  which repeats after 12 steps.
- The pseudo-random bit sequence is
  0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, ...
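The security claim on this slide can be exercised in both directions with the toy parameters: forward, the generator is one modular squaring per bit; backward, anyone who knows p and q can take the square root of x_i that is itself a quadratic residue, which is exactly x_{i−1}, because for p ≡ 3 (mod 4) that root is x^{(p+1)/4} mod p and the two prime-modulus roots combine with the CRT. The following is an added example, not code from the slides; the function names (bbs_states, bbs_bits, bbs_prev) are my own, the bit list includes the bit of x_0 only to match the slide's listing, and 11 and 19 are of course far too small to be secure.

```python
# Added example (not from the lecture slides): Blum-Blum-Shub with the slide's
# toy parameters, plus the inverse step available to anyone holding p and q:
# computing the quadratic-residue square root of x_i, which is x_{i-1}.
# Without p and q this is the hard problem BBS rests on.

from math import gcd


def bbs_states(p, q, x0, count):
    """x_0, x_1 = x_0^2, x_2 = x_1^2, ... (mod n), n = p q.  Checks the
    slide's requirement p = q = 3 (mod 4) and that the seed is a unit mod n."""
    assert p % 4 == 3 and q % 4 == 3, "p and q must be 3 mod 4"
    n = p * q
    assert gcd(x0, n) == 1, "seed must be coprime to n"
    xs, x = [], x0 % n
    for _ in range(count):
        xs.append(x)
        x = x * x % n
    return xs


def bbs_bits(p, q, x0, count):
    """Least significant bit of each state.  The slide lists the bit of x_0
    too, so it is included here; a real implementation keeps x_0 secret and
    outputs from x_1 on."""
    return [x & 1 for x in bbs_states(p, q, x0, count)]


def bbs_prev(x, p, q):
    """Given x = x_i with i >= 2 and the factors of n, return x_{i-1}: the
    unique square root of x mod n that is itself a quadratic residue.  With
    p, q = 3 (mod 4) the residue root mod each prime is x^((p+1)/4)."""
    rp = pow(x, (p + 1) // 4, p)
    rq = pow(x, (q + 1) // 4, q)
    # CRT: r = rp (mod p), r = rq (mod q)
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)


if __name__ == "__main__":
    print(bbs_states(11, 19, 4, 13))   # 4, 16, 47, 119, 158, 93, 80, 130, 180, 5, 25, 207, 4
    print(bbs_bits(11, 19, 4, 13))     # 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0
    print(bbs_prev(47, 11, 19))        # 16, the state before 47
```

Walking bbs_prev back from any x_i with i ≥ 2 reproduces the slide's sequence in reverse, which is the concrete meaning of "secure only if p, q are not known": the factorization is the trapdoor.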