Pseudorandom Bit Generation Artur Gadomski Piero Giammarino Henrik Goldman Massimo Giulio Caterino

Post on 20-Dec-2015


Pseudorandom Bit Generation

Artur Gadomski, Piero Giammarino, Henrik Goldman

Massimo Giulio Caterino

Definitions

• A random bit generator is a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits.

• A pseudorandom bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length k, outputs a binary sequence of length l ≫ k which “appears” to be random. The input to the PRBG is called the seed, while the output of the PRBG is called a pseudorandom bit sequence.

Definitions

• A pseudorandom bit generator is said to pass all polynomial-time statistical tests if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 1/2.

• A pseudorandom bit generator is said to pass the next-bit test if there is no polynomial-time algorithm which, on input of the first l bits of an output sequence s, can predict the (l+1)-th bit of s with probability significantly greater than 1/2.

Definitions

• A PRBG that passes the next-bit test is called a cryptographically secure pseudorandom bit generator (CSPRBG).

Random bit generation

Hardware based generators

• elapsed time between emission of particles during radioactive decay;

• thermal noise from a semiconductor diode or resistor;

• the frequency instability of a free-running oscillator;

• the amount a metal-insulator-semiconductor capacitor is charged during a fixed period of time;

• air turbulence within a sealed disk drive which causes random fluctuations in disk drive sector read latency times;

• sound from a microphone or video input from a camera.

Software based generators

• the system clock;

• elapsed time between keystrokes or mouse movements;

• content of input/output buffers;

• user/system/hardware/network serial numbers and/or addresses;

• user input;

• operating system values such as system load and network statistics.

Mixing functions

• A strong mixing function is one which combines two or more inputs and produces an output where each output bit is a different complex non-linear function of all the input bits.

Example

• A trivial example for single bit inputs is the Exclusive Or function.

• DES is an example of a strong mixing function for multiple bit quantities.

• Cryptographic hash functions such as SHA-1 or MD5.

• Diffie-Hellman exponential key exchange is another example. If the initial values are random, then the shared secret contains the combined randomness of both, assuming they are uncorrelated.

De-skewing

• Suppose that in an output sequence the probability of a 1 is p. Let's group the output bits into pairs and treat each 01 as 1 and each 10 as 0. We discard the 00 and 11 pairs. The resulting sequence is both unbiased and uncorrelated.
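The pairing rule above, implemented as an added example (not code from the slides): deskew() applies it to a constructed biased bit stream, and deskew_stats() reports the input bias, the output bias and the yield, which is about p(1−p) output bits per input bit; the function names and the bias of 0.8 are assumptions for the demonstration. The guarantee relies on the input bits being independent; a source whose bits are correlated stays correlated after pairing.

```python
import random

def deskew(bits):
    """Von Neumann de-skewing: read the input in non-overlapping pairs, emit 1
    for the pair 01 and 0 for the pair 10, and discard 00 and 11."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:                      # 00 and 11 carry no unbiased information
            out.append(1 if (a, b) == (0, 1) else 0)
    return out

def biased_source(p_one, n, seed=1):
    """Constructed source of n independent bits with P(bit = 1) = p_one;
    the fixed seed keeps the demonstration reproducible."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def deskew_stats(p_one, n):
    """Return (input bias, output bias, yield). With independent input bits
    both 01 and 10 occur with probability p(1-p), so the output is unbiased,
    and the expected yield is p(1-p) output bits per input bit."""
    raw = biased_source(p_one, n)
    out = deskew(raw)
    return sum(raw) / len(raw), sum(out) / len(out), len(out) / len(raw)

if __name__ == "__main__":
    print(deskew_stats(0.8, 20000))     # roughly (0.80, 0.50, 0.16)
```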

Pseudo Random Bit Generators

Mathematical model of a PRBG

INPUT: X_0 = seed

X_{i+1} = f(i, X_0, X_1, X_2, X_3, ...), i = 0, 1, 2, 3, ...

OUTPUT: X_1 X_2 X_3 X_4 ... (pseudorandom sequence)

Pseudorandom Generators

- Linear Congruential Generator
- J-Bit Output Feedback
- ANSI X9.17
- Blum Blum Shub Pseudorandom Bit Generator
- RSA Pseudorandom Bit Generator

Linear Congruential Generator

Nowadays the most widely used technique for pseudorandom generation [Lehmer 1951]:

X_0 = seed, m > 0

X_{i+1} = a · (X_i + b) mod m, with 0 ≤ a < m and 0 ≤ b < m

Example of LCG

a = 7, b = 0, m = 32, X_0 = 1

X_{i+1} = 7 · X_i mod 32: 7, 17, 23, 1, 7, 17, 23, … (period 4)

a = 5, b = 0, m = 32, X_0 = 1

X_{i+1} = 5 · X_i mod 32: 5, 25, 29, 17, 21, 9, 13, 1, … (period 8)

Linear Congruential Generator

X_{i+1} = 7^5 · X_i mod (2^31 − 1)

a = 7^5

b = 0

m = 2^31 − 1 (a prime, convenient for 32-bit arithmetic)

Used on the IBM 360 [1969]
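The generators on the LCG slides, reproduced as an added example (not code from the slides): period() finds the cycle length of the two m = 32 examples, and low_bits_period() goes beyond the slides by showing that with a power-of-two modulus the k low-order output bits cycle with a period of at most 2^k, whatever the period of the full state. Function names are assumptions.

```python
def lcg(a, b, m, x0):
    """Infinite generator for the slides' recurrence X_{i+1} = a * (X_i + b) mod m."""
    x = x0
    while True:
        x = (a * (x + b)) % m
        yield x

def sequence(a, b, m, x0, count):
    """The first `count` outputs after the seed x0."""
    gen = lcg(a, b, m, x0)
    return [next(gen) for _ in range(count)]

def period(a, b, m, x0):
    """Length of the cycle reached from seed x0. The state space has only m
    values, so a repeat is guaranteed within m + 1 steps."""
    seen, x, i = {}, x0, 0
    while x not in seen:
        seen[x] = i
        x = (a * (x + b)) % m
        i += 1
    return i - seen[x]

def low_bits_period(a, b, m, x0, k):
    """Period of the k least-significant output bits, for 2^k dividing m.
    Because (a * (x + b)) mod 2^k depends only on x mod 2^k, those bits
    follow their own LCG modulo 2^k and cycle after at most 2^k steps,
    however large m is; for the slides' examples the lowest bit is constant."""
    assert m % (1 << k) == 0, "2^k must divide m"
    return period(a % (1 << k), b % (1 << k), 1 << k, x0 % (1 << k))

if __name__ == "__main__":
    print(sequence(7, 0, 32, 1, 8), period(7, 0, 32, 1))   # period 4
    print(sequence(5, 0, 32, 1, 8), period(5, 0, 32, 1))   # period 8
    print(sequence(7 ** 5, 0, 2 ** 31 - 1, 1, 3))           # Lehmer / IBM 360 generator
    print([low_bits_period(5, 0, 32, 1, k) for k in (1, 2, 3)])
```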

J-Bit Output Feedback

ANSI X9.17 Generator

• Ad-hoc construction which is not proven to be cryptographically secure, though it should be sufficient for most applications

• U.S. Federal Information Processing Standard (FIPS) approved method

• Makes use of the two-key triple DES algorithm

Algorithm

Input:

s – 64-bit secret seed

m – integer (counter)

k – 3DES key

Notation: E_k is 3DES encryption under key k; ^ is XOR

1. Get a 64-bit representation of the computer date/time, D

2. Compute I = E_k(D)

3. for (i = 0; i < m; i++) {
     x_i = E_k(I ^ s);   // compute the next 64-bit output string
     s = E_k(x_i ^ I);   // update the seed
   }

4. Return the x_i's

Blum Blum Shub PRBG

1. Generate p and q: two big Blum primes

2. n = p · q

3. Choose s ∈ [1, n−1]: the seed

4. x_0 = s^2 (mod n)

5. The sequence is defined as x_i = x_{i−1}^2 (mod n) and z_i = parity(x_i)

6. The output is z_1, z_2, z_3, ...

Example

• Let n = p · q = 7 · 19 = 133

• s = 100

• x_0 = 100^2 (mod 133) = 25

• x_1 = 25^2 (mod 133) = 93

• x_2 = 93^2 (mod 133) = 42

• x_3 = 42^2 (mod 133) = 16

• x_4 = 16^2 (mod 133) = 123

• The output: 1, 0, 0, 1
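The example slide recomputed as added code (not from the slides). Recomputing gives 93^2 = 8649 = 65 · 133 + 4, so x_2 is 4 rather than 42; since 4^2 = 16 agrees with the slide's x_3, the output bits 1, 0, 0, 1 are unchanged. The parity in step 5 is taken to be the least significant bit, which is what the example's output uses; Blum primes are primes congruent to 3 mod 4, and the function names are assumptions.

```python
from math import gcd

def is_blum_prime(p):
    """Blum primes are primes congruent to 3 mod 4. Trial division is enough
    for the toy sizes used here; real parameters are hundreds of digits."""
    return p > 2 and p % 4 == 3 and all(p % d for d in range(2, int(p ** 0.5) + 1))

def blum_blum_shub(p, q, seed, nbits):
    """Return (states x_0..x_nbits, output bits z_1..z_nbits) where
    x_0 = seed^2 mod n, x_i = x_{i-1}^2 mod n and z_i = LSB(x_i)."""
    if not (is_blum_prime(p) and is_blum_prime(q)):
        raise ValueError("p and q must be Blum primes (prime and = 3 mod 4)")
    n = p * q
    # A seed sharing a factor with n would leak that factor and degenerate.
    if not 1 <= seed <= n - 1 or gcd(seed, n) != 1:
        raise ValueError("seed must lie in [1, n-1] and be coprime to n")
    x = pow(seed, 2, n)
    states, bits = [x], []
    for _ in range(nbits):
        x = pow(x, 2, n)
        states.append(x)
        bits.append(x & 1)
    return states, bits

if __name__ == "__main__":
    print(blum_blum_shub(7, 19, 100, 4))   # ([25, 93, 4, 16, 123], [1, 0, 0, 1])
```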

RSA generator

• It is a pseudorandom bit generator, and is a cryptographically secure pseudorandom bit generator under the assumption that factoring a large number n composed of two large primes p and q is intractable!

RSA generator

Diagram: x_i = x_{i−1}^e (mod n), z_i = LSB(x_i), i = i + 1 (x_0 is the seed)

• p and q: prime

• n = p · q

• e: integer in [3, φ(n)[ with gcd(e, φ(n)) = 1

Algorithm

1. Generate p and q

2. n = p · q

3. Pick a random integer e: 1 < e < φ and gcd(e, φ) = 1

4. Select a random integer x_0 (the seed) in the interval [1, n−1]

5. For i = 1 to l:

6. x_i = x_{i−1}^e mod n

7. z_i = LSB of x_i

8. Return z_1, ..., z_l

RSA generator

Diagram: x_i = x_{i−1}^e (mod n), output the c · log log n least significant bits of x_i, i = i + 1 (x_0 is the seed)

• p and q: prime

• n = p · q

• e: integer in [3, φ(n)[ with gcd(e, φ(n)) = 1
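The RSA generator as added code (not from the slides), with constructed toy parameters p = 7, q = 19 (n = 133, φ(n) = 108), e = 5 and seed 2; the parameter j emits the j least significant bits of each x_i, covering the variant on the last slide (j = 1 is the basic algorithm above). Function and parameter names are assumptions, and these sizes give no security, since n is trivially factored.

```python
from math import gcd

def rsa_prbg(p, q, e, seed, steps, j=1):
    """Return (states x_1..x_steps, output bits) for x_i = x_{i-1}^e mod n,
    emitting the j least-significant bits of each x_i, most significant of
    the j first. j = 1 is the basic generator; the slides note that
    c * log log n bits per step can be output."""
    n = p * q
    phi = (p - 1) * (q - 1)
    # phi is even, so e must be odd; e = 2 is never a valid RSA exponent here.
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    if not 1 <= seed <= n - 1:
        raise ValueError("seed must lie in [1, n-1]")
    x, states, bits = seed, [], []
    for _ in range(steps):
        x = pow(x, e, n)
        states.append(x)
        bits.extend((x >> k) & 1 for k in range(j - 1, -1, -1))
    return states, bits

if __name__ == "__main__":
    print(rsa_prbg(7, 19, 5, 2, 4))        # ([32, 128, 67, 79], [0, 0, 1, 1])
    print(rsa_prbg(7, 19, 5, 2, 4, j=2))   # two low bits per step
```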

Statistical tests

Frequency test (monobit test)

• The purpose of this test is to determine whether the number of 0’s and 1’s in a generator output sequence are approximately the same, as would be expected for a random sequence.

Serial test (two-bit test)

• The purpose of this test is to determine whether the number of occurrences of 00, 01, 10, and 11 as subsequences of s are approximately the same, as would be expected for a random sequence.

Poker test

• Let’s divide s into k non-overlapping parts each of length m. The poker test determines whether the sequences of length m each appear approximately the same number of times in s, as would be expected for a random sequence. Note that this test is a generalization of the frequency test: setting m = 1 in the poker test yields the frequency test.

Runs test

• The purpose of the runs test is to determine whether the number of runs (of either zeros or ones) of various lengths in the sequence s is as expected for a random sequence.

Autocorrelation test

• The purpose of this test is to check for correlations between the sequence s and (noncyclic) shifted versions of it.
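The five tests above as added code (not from the slides): each function returns the statistic as defined in the Handbook of Applied Cryptography (chapter 5), run_all() compares it with the 95% chi-square quantile for its degrees of freedom (or with ±1.96 for the normally distributed autocorrelation statistic), and SAMPLE is a constructed 160-bit input. Function names and the quantile lookup table are assumptions added here.

```python
from collections import Counter
from itertools import groupby
from math import sqrt

# 95% chi-square quantiles by degrees of freedom (lookup covers df 1..12).
CHI2_95 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070, 6: 12.592,
           7: 14.067, 8: 15.507, 9: 16.919, 10: 18.307, 11: 19.675, 12: 21.026}

def monobit(s):
    """X1 = (n0 - n1)^2 / n, approximately chi-square with 1 df."""
    return (s.count("0") - s.count("1")) ** 2 / len(s)
def serial(s):
    """Overlapping 2-bit pattern counts n00..n11; chi-square with 2 df."""
    n = len(s)
    pairs = Counter(s[i:i + 2] for i in range(n - 1))
    return ((4 / (n - 1)) * sum(v * v for v in pairs.values())
            - (2 / n) * (s.count("0") ** 2 + s.count("1") ** 2) + 1)
def poker(s, m):
    """Non-overlapping m-bit block counts; chi-square with 2^m - 1 df."""
    k = len(s) // m
    blocks = Counter(s[i * m:(i + 1) * m] for i in range(k))
    return (2 ** m / k) * sum(v * v for v in blocks.values()) - k
def runs(s):
    """Blocks (runs of 1s) and gaps (runs of 0s) of length 1..k, k being the
    largest i with e_i = (n-i+3)/2^(i+2) >= 5. Returns (X4, df = 2k - 2)."""
    n, e, i = len(s), {}, 1
    while (n - i + 3) / 2 ** (i + 2) >= 5:
        e[i] = (n - i + 3) / 2 ** (i + 2)
        i += 1
    lengths = {"0": Counter(), "1": Counter()}
    for bit, run in groupby(s):
        lengths[bit][len(list(run))] += 1
    x4 = sum((lengths[b][i] - e[i]) ** 2 / e[i] for i in e for b in "01")
    return x4, 2 * len(e) - 2
def autocorrelation(s, d):
    """A(d) = #{i : s_i != s_{i+d}}, noncyclic; X5 is approximately N(0,1)."""
    a = sum(x != y for x, y in zip(s, s[d:]))
    return 2 * (a - (len(s) - d) / 2) / sqrt(len(s) - d)
def run_all(s, m=3, d=8):
    """Map each test to (statistic, passes at the 5% significance level)."""
    x4, df = runs(s)
    x5 = autocorrelation(s, d)
    return {"monobit": (monobit(s), monobit(s) <= CHI2_95[1]),
            "serial": (serial(s), serial(s) <= CHI2_95[2]),
            "poker": (poker(s, m), poker(s, m) <= CHI2_95[2 ** m - 1]),
            "runs": (x4, x4 <= CHI2_95[df]),
            "autocorrelation": (x5, abs(x5) <= 1.96)}  # two-sided normal test

SAMPLE = "1110001100010001010011101111001001001001" * 4  # constructed, n = 160
```

On SAMPLE the monobit, serial and poker statistics pass while the runs and autocorrelation statistics fail, which is the point of running several tests: a sequence with the right bit counts can still have obvious structure.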

References

• Handbook of Applied Cryptography, A. Menezes, P. van Oorschot, S. Vanstone

• www.cacr.math.uwaterloo.ca/hac

• www.ietf.org/rfc/rfc1750.txt

That's all folks...