generalized elias schemes for truly random bits

Generalized Elias Schemes for Efficient

Harvesting of Truly Random Bits

Riccardo Bernardini and Roberto Rinaldo

University of Udine

[email protected], [email protected]

http://link.springer.com/article/10.1007/s10207-016-0358-5

DOI: 10.1007/s10207-016-0358-5

Int. J. Inf. Secur. (2017), Springer

2 January 2017

mailto:[email protected]

mailto:[email protected]

http://link.springer.com/article/10.1007/s10207-016-0358-5

Generalized Elias Schemes for Efficient Harvesting of Truly Random Bits

Outline

• Why true random numbers?

• Why Poisson sources?

• What is a (Generalized) Elias Scheme?

• Elias for Poisson

• Conclusions

1

DIEGM University of Udine

Why true random numbers?


Why random numbers?

• Widely used in cryptography

– Challenges

– Keys (temporary & long-term)

– Prime numbers

• Critical requirement: true unpredictability

• Usual generators not good enough

– Cryptographically strong PRNG

– They need truly random seed

2



Example: Prime number generation

Uniformly distributed

3



How many bits?

• # primes less than N ≈ NlnN

# of expected iterations ln(2b) ×# of bit/iteration b− 1 =Total # of bit required O(b2)

• For two 1024-bit primes we need ≈ 1.4 · 106 random bits

• /dev/random generates ≈ 300 bit/s

1.4 · 106bit

300 bit/s= 4800 s ≈ 1h 20m

4


Why Poisson sources?


Why?

• Very common

– Radioactive decay

– Photon arrivals on a photodiode

– Shot noise

– . . .

5



Sampling a Poisson source

n = Interarrival time modulo 2M (in units of ∆)

P [n = k] = C · pk, k ∈ [0,2M − 1], geometric, but finite

6



Performance

# bit/s ≈ λ log2 e− λ log2(λ∆) λ = intensity,M →∞

−5 0 5 10 15 200

5

10

15

20

MEaten by the mod...

Rate (bit/event)

−log2(λ∆)

H(N

) (b

its)

Approximation

True entropy

7



However. . .

• Samples not uniform

P [n = k] =

C · pk k ∈ {0,1, . . . ,2M − 1}0 else

• We need to extract a sequence of iid bits

• Note

– We can rely on the Poisson hypothesis

– We cannot rely on the exact value of p

8


(Generalized) Elias Schemes


The conditioning problem

• A random process {Xk}k∈N with alphabet A

• Variables Xk iid, but probabilities P [Xk = a] not exactly known

• We want to map {Xk}k∈N into a sequence {Bk}k∈N of unbiased,

iid bits

9



Blockwise conditioner• A map

f : AL →{0,1}∗︸︷︷︸Set of all finite bitstrings

• Output process

f(X1, . . . , XL)︸︷︷︸S1

& f(XL+1, . . . , X2L)︸︷︷︸S2

& f(X2L+1, . . . , X3L)︸︷︷︸S3

& · · ·

Note: the length of bitstrings Sn may vary (it can be even zero)

• Output process iid and unbiased. Moreover, we would like

Output rate =E [|f(X1, . . . , XL)|]

L≈ H(X)

10



Von Neumman

• Blocksize = 2. Binary input A = {0,1}.

X2n X2n+1 bn = f(X2n, X2n+1)0 0 φ0 1 01 0 11 1 φ

iid⇒ P [(X2n, X2n+1) = (0,1)] = P [(X2n, X2n+1) = (1,0)]

⇒ P [bn = 0] = P [bn = 1]

• Requires only iid

• Not efficient

11



Elias

Use larger blocks & exploit iid

Use “binary expansion” of isoprobability sets

12



Generalized Elias

First (and key) step Partition AL in isoprobability sets Wi

• In Elias: isoprobability set = permutation class

• In Generalized Elias: isoprobability set = chosen by “user”

Second step Split Wi into sets whose cardinality is a power of two

Properties

• The partition of a GES is coarser than the partition of Elias

• If only iid is assumed, Elias is the only possibility

13



GES Performance

⇒ We can buy performance with generality ⇐14


GES for Poisson


Geometric variables

• If Xk are obtained by M-bit sampling a Poisson process

P [Xk = n] = C · pn n ∈ {0, . . . ,2M − 1}

We do not know the exact value of p

• Note that

P [X1 = n1, . . . , XL = nL] = CL · p∑k nk

depends only on∑k nk

Isoprobability = Isosum

15



Why?

• Partition sizes

PEliasL =

(2M + L− 1

L

)>≈

(2M

L

)LPGeomL = L2M

• Example, M = 16, L = 128, [H(`)/L ≤ 0.25]

PEliasL ≈ 2.8 · 1042 PGeom

L = 8192

log2PEliasL

L≈ 4.4

log2PGeomL

L≈ 0.4

16



Experimental Results

2M = 16 2M = 64

2 3 4 5 6 7 8 9 100

0.5

1

1.5

2

2.5

3

3.5

4

4.5

5

Block size

bit/s

ym

bol

EliasProposedno modmod M

2 3 4 5 6 7 8 9 100

0.5

1

1.5

2

2.5

3

3.5

4

4.5

5

Block size

bit/s

ym

bol

EliasProposedno modmod M

p = 0.1, H(geometric) = 4.69

17


The Gaussian case


Extension to continuous r.v.

The idea of isoprobability sets can be extended to the case of con-

tinuous random variables

1. Collect the variables in vectors of length L

2. Partition RL with a vector quantizer

3. Collect the decision regions of the vector quantizer into iso-probability

sets

4. Use the iso-probability sets like in the discrete case

18



Example: Gaussian variables

• If Xi, i = 1, . . . , L are Gaussian iid, the joint pdf depends only on

X21 +X2

2 + · · ·+X2L = r2

• This suggests the following approach

1. Partition the space in spherical shells

Sk = {x ∈ RL : rk−1 ≤ ‖x‖ < rk}

2. Partition the unit sphere in iso-area sections Uj3. Define the (k, j)-th decision region Vk,j as (see next slide)

Vk,j = {x : x ∈ Sk,x/‖x‖ ∈ Uj}

4. Note that P [X ∈ Vk,j depends only on k

5. The k-th iso-probabilty set is ∪jVk,j

19



Example of partitioning in Gaussian case

20


Toward the end. . .


Conclusions

• A blockwise conditioner for Poisson processes has been presented

• The proposed conditioner is a GES that uses iso-sum sets as iso-

probability sets

The size of the resulting partition is order of magnitude smaller

than the Elias partition

The proposed scheme is much more efficient than classic Elias

21


generalized elias schemes for truly random bits

Engineering