Page 1: ECEN 5022 Cryptography - University of Colorado Boulder, ecee.colorado.edu/~mathys/ecen5022/slides/prng90.pdf

Pseudo Random Number Generators

ECEN 5022 Cryptography

Peter Mathys

University of Colorado

Spring 2008

Peter Mathys ECEN 5022 Cryptography

Page 2

Random Number Generation

- Random numbers are needed for many different purposes in engineering and computer science, e.g., to run simulations, to generate random passwords, etc.

- True sequences of random symbols can be obtained by flipping coins, measuring a radioactive source, using a noise diode, etc.

- Often there are some very specific requirements for a random sequence. For instance, for debugging purposes it is essential that a “random” sequence can be repeated.

- Pseudo-random number generators (PRNG) are widely used for computer simulations as well as cryptographic purposes, because they can be easily implemented using computers. But the requirements for cryptography are different from those for general purpose computing.


Page 3

Middle Square Method

- Around 1946 John von Neumann came up with the “middle square method” for generating random numbers. Suppose you have an 8-digit number, e.g., $s_i = 60684258$. Keep the middle 4 digits as $x_i = 6842$. Compute the next number as $s_{i+1} = x_i^2 = 46812964$ and thus $x_{i+1} = 8129$.

- What are the properties of the sequence $x_i, x_{i+1}, \dots$? Will it continue forever? Will it die out? What statistical properties does it have?

- Here is an example sequence, obtained by using 4-digit numbers and keeping the middle two digits after each squaring:

42, 76, 77, 92, 46, 11, 12, 14, 19, 36, 29, 84, 5, 2, 0, 0, . . .


Page 4

Middle Square Method

- Here is another example using 4-digit numbers and keeping the middle two digits:

$$x_i = 57 \;\to\; 57^2 = 3249 \;\to\; x_{i+1} = 24 \;\to\; 24^2 = 0576 \;\to\; x_{i+2} = 57 \;\to\; 57^2 = 3249 \;\to\; \dots$$

- Moral of the story: some theory is needed to make good PRNGs with predictable properties.
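As an added illustration (not from the slides), the middle-square step generalized to any digit width, with die-out and cycle detection so that both behaviours shown on these slides can be reproduced:

```python
def middle_square_step(x, digits):
    """One middle-square step: square x, zero-pad to 2*digits, keep the middle `digits` digits."""
    width = 2 * digits
    sq = str(x * x).zfill(width)
    lo = (width - digits) // 2
    return int(sq[lo:lo + digits])


def middle_square_run(x0, digits, max_steps=1000):
    """Iterate the generator from seed x0 and return (sequence, status).

    Stops when the generator dies out (reaches 0), repeats an earlier value
    (entered a cycle), or max_steps is exhausted.
    """
    seq = [x0]
    seen = {x0: 0}            # value -> index of first occurrence
    for _ in range(max_steps):
        nxt = middle_square_step(seq[-1], digits)
        seq.append(nxt)
        if nxt == 0:
            return seq, "dies out"
        if nxt in seen:
            return seq, f"cycle of length {len(seq) - 1 - seen[nxt]}"
        seen[nxt] = len(seq) - 1
    return seq, "no repeat found"
```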


Page 5

Linear Congruential Method

- The linear congruential method generates the sequence $x_0, x_1, x_2, \dots$ using the recursion

$$x_{i+1} = a\,x_i + c \pmod m,$$

where m is the modulus (often a power of 2 or 10), a is the multiplier, c is the increment, and $x_0$ is the seed.

- Theorem. The sequence $x_0, x_1, x_2, \dots$ has period of length m (which is the maximum) iff

(i) gcd(c, m) = 1,

(ii) b = a − 1 is a multiple of p for every prime p dividing m,

(iii) b is a multiple of 4 if m is a multiple of 4.


Page 6

Example

- Example: m = 100, a = 41, c = 7, $x_0 = 5$ produces the sequence

 5 12 99 66 13 40 47 34  1 48 75 82 69 36
83 10 17  4 71 18 45 52 39  6 53 80 87 74
41 88 15 22  9 76 23 50 57 44 11 58 85 92
79 46 93 20 27 14 81 28 55 62 49 16 63 90
97 84 51 98 25 32 19 86 33 60 67 54 21 68
95  2 89 56  3 30 37 24 91 38 65 72 59 26
73  0  7 94 61  8 35 42 29 96 43 70 77 64
31 78  5

which has period 100.
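An added example (not the slides' code) that checks the three conditions of the theorem on the previous slide and measures the actual period by iteration, so the two can be compared for the slide's parameters and for a multiplier that violates condition (ii):

```python
from math import gcd


def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for the small moduli used here)."""
    factors, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            factors.add(d)
            m //= d
        d += 1
    if m > 1:
        factors.add(m)
    return factors


def hull_dobell(m, a, c):
    """True iff conditions (i)-(iii) of the theorem hold, i.e. iff the LCG has full period m."""
    b = a - 1
    cond1 = gcd(c, m) == 1
    cond2 = all(b % p == 0 for p in prime_factors(m))
    cond3 = (m % 4 != 0) or (b % 4 == 0)
    return cond1 and cond2 and cond3


def lcg_sequence(m, a, c, x0, n):
    """First n terms of x_{i+1} = a x_i + c (mod m), starting with the seed x0."""
    out = [x0]
    for _ in range(n - 1):
        out.append((a * out[-1] + c) % m)
    return out


def lcg_period(m, a, c, x0):
    """Length of the cycle the sequence from x0 eventually enters.

    When gcd(a, m) > 1 the map is not a bijection, so the sequence may have a
    tail before the cycle; only the cycle length is returned.
    """
    seen, x, i = {}, x0, 0
    while x not in seen:
        seen[x] = i
        x = (a * x + c) % m
        i += 1
    return i - seen[x]
```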


Page 7

Linear Feedback Shift Register

[Figure: linear feedback shift register of length L. Stages $s_0, s_1, \dots, s_{L-2}, s_{L-1}$; feedback taps $-c_L, -c_{L-1}, \dots, -c_2, -c_1$ summed into the last stage; output sequence $s_0, s_1, s_2, \dots, s_L, \dots$]

- Linear feedback shift register (LFSR) of length L. Uses initial state $(s_0, s_1, \dots, s_{L-1})$ and connection polynomial $C(D) = c_L D^L + \dots + c_2 D^2 + c_1 D + 1$ to produce the output sequence $s_0, s_1, s_2, \dots$.

- Arithmetic is computed modulo p for some prime number p. Very often p = 2 and then the output is binary.

- The maximum period of the output sequence is $p^L - 1$. It is achieved when C(D) is a primitive polynomial modulo p.


Page 8

Linear Feedback Shift Register

- Recursion: $s_L = -\sum_{i=0}^{L-1} s_i\, c_{L-i}$.

- Initial condition: $s_0, s_1, \dots, s_{L-1}$.

- Define: $S(D) = \sum_{i=0}^{\infty} s_i D^i$ (D: delay operator). Then

$$\begin{aligned}
S(D) &= \underbrace{s_0 + s_1 D + \dots + s_{L-1} D^{L-1}}_{=P(D)} + \sum_{j=0}^{\infty} s_{L+j} D^{L+j} \\
&= P(D) - \sum_{j=0}^{\infty} \sum_{i=0}^{L-1} s_{i+j}\, c_{L-i}\, D^{j+L} \\
&= P(D) - \sum_{k=0}^{\infty} \sum_{j=k-L+1}^{k} s_k\, c_{L-k+j}\, D^{j+L-k} D^k \\
&= P(D) - \sum_{k=0}^{\infty} s_k \underbrace{\sum_{j=k-L+1}^{k} c_{L-k+j}\, D^{L-k+j}}_{=C(D)-1} D^k \\
&= P(D) - S(D)\,\bigl(C(D) - 1\bigr) \;\Longrightarrow\; S(D) = \frac{P(D)}{C(D)}
\end{aligned}$$


Page 9

Examples

- Some primitive connection polynomials for p = 2 are

$$D^3 + D^2 + 1,\quad D^4 + D^3 + 1,\quad D^5 + D^3 + 1,\quad D^6 + D^5 + 1.$$
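An added example (not the slides' code) that implements the recursion from the previous slides over GF(p) and checks the period claim: each polynomial listed above gives period $2^L - 1$, while the irreducible but non-primitive $D^4 + D^3 + D^2 + D + 1$ (an extra case not on the slide) gives only period 5.

```python
def poly_from_exponents(exponents):
    """Coefficient list [c0, c1, ..., cL] for the polynomial with the given exponents,
    e.g. {3, 2, 0} -> D^3 + D^2 + 1 -> [1, 0, 1, 1]."""
    L = max(exponents)
    c = [0] * (L + 1)
    for e in exponents:
        c[e] = 1
    return c


def lfsr_sequence(conn_poly, init_state, n, p=2):
    """First n output symbols of the LFSR with connection polynomial
    C(D) = 1 + c1 D + ... + cL D^L (given as [1, c1, ..., cL]) and initial state
    (s0, ..., s_{L-1}), using the slide's recursion
    s_{L+j} = -sum_{i=0}^{L-1} s_{i+j} c_{L-i}  (mod p)."""
    L = len(conn_poly) - 1
    assert conn_poly[0] == 1 and len(init_state) == L
    s = list(init_state)
    while len(s) < n:
        j = len(s) - L
        s.append(-sum(s[i + j] * conn_poly[L - i] for i in range(L)) % p)
    return s[:n]


def lfsr_period(conn_poly, init_state, p=2):
    """Number of steps until the L-symbol state returns to init_state, i.e. the period."""
    L = len(conn_poly) - 1
    start = state = tuple(init_state)
    steps = 0
    while True:
        nxt = -sum(state[i] * conn_poly[L - i] for i in range(L)) % p
        state = state[1:] + (nxt,)
        steps += 1
        if state == start:
            return steps


def has_max_period(conn_poly, p=2):
    """True iff the LFSR reaches the maximum period p^L - 1 from the state (1, 0, ..., 0).
    For a primitive C(D) every nonzero state lies on that single long cycle."""
    L = len(conn_poly) - 1
    return lfsr_period(conn_poly, (1,) + (0,) * (L - 1), p) == p ** L - 1
```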


Page 10

Berlekamp-Massey Algorithm

[Flowchart: Berlekamp-Massey Algorithm]

Input is the sequence $\{s_i\}_{i=0}^{M-1}$ of length M.

Notation: δ is the next discrepancy (desired symbol minus generated symbol); T(D) is temporary storage; C*(D), δ* are the connection polynomial and discrepancy before the last length change; x is the number of symbols since the last length change.

START
Get M
Initialize: C(D) ← 1, C*(D) ← 1, L ← 0, δ* ← 1, n ← 0, x ← 1
Loop:
  n = M? yes: Output <C(D), L>, STOP. no: continue
  Get s_n
  δ ← s_n + c_1 s_{n−1} + . . . + c_L s_{n−L}
  δ = 0? yes: No length change, x ← x + 1. no:
    T(D) ← C(D), C(D) ← C(D) − δ δ*^{−1} D^x C*(D)
    2L ≤ n? yes: Length change, L ← n + 1 − L, C*(D) ← T(D), δ* ← δ, x ← 1. no: No length change, x ← x + 1
  n ← n + 1


Page 11

Berlekamp-Massey Algorithm

- The Berlekamp-Massey algorithm computes <C(D), L> and $(s_0, s_1, \dots, s_{L-1})$ from 2L contiguous LFSR output symbols.

- Do not use LFSR output directly in a cryptosystem (unless you want it to be broken easily).
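The flowchart on the previous slide, implemented over GF(p) as an added example (not the slides' code); `recover_lfsr` shows concretely why the warning above holds: 2L output symbols are enough to recover <C(D), L> and the initial state, after which every further symbol of the sequence is determined. The small `lfsr_output` helper is only there to produce test data.

```python
def berlekamp_massey(seq, p=2):
    """Shortest LFSR <C(D), L> generating seq over GF(p), following the slide's flowchart.
    C(D) = 1 + c1 D + ... + cL D^L is returned as the coefficient list [1, c1, ..., cL]."""
    C, C_star = [1], [1]         # current connection poly, and the one before the last length change
    L, delta_star, x = 0, 1, 1   # length, discrepancy at last length change, symbols since then
    for n, s_n in enumerate(seq):
        # discrepancy: desired symbol minus the symbol the current LFSR would generate
        delta = (s_n + sum(C[i] * seq[n - i] for i in range(1, L + 1))) % p
        if delta == 0:
            x += 1
            continue
        T = C[:]
        # C(D) <- C(D) - delta * delta_star^{-1} * D^x * C*(D)
        coef = delta * pow(delta_star, -1, p) % p
        shifted = [0] * x + C_star
        C += [0] * (len(shifted) - len(C))
        for i, c in enumerate(shifted):
            C[i] = (C[i] - coef * c) % p
        if 2 * L <= n:               # length change
            L, C_star, delta_star, x = n + 1 - L, T, delta, 1
            C += [0] * (L + 1 - len(C))
        else:                        # no length change
            x += 1
    return C[:L + 1], L


def lfsr_output(conn_poly, init_state, n, p=2):
    """n symbols from the LFSR with connection polynomial [1, c1, ..., cL] and state (s0, ..., s_{L-1})."""
    L = len(conn_poly) - 1
    s = list(init_state)
    while len(s) < n:
        s.append(-sum(conn_poly[i] * s[-i] for i in range(1, L + 1)) % p)
    return s[:n]


def recover_lfsr(observed, p=2):
    """From 2L (or more) contiguous output symbols return (C(D), L, initial state);
    feeding these back into lfsr_output regenerates the entire sequence."""
    C, L = berlekamp_massey(observed, p)
    return C, L, tuple(observed[:L])
```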


Page 12

Using a Block Cipher

[Figure: output feedback mode. The register holding $S_{i-1}$ (loaded with IV initially) is encrypted with $E_K(\cdot)$ under key K to give $S_i$, which is both fed back into the register and taken as output.]

- Any secure block cipher encryption function $E_K(\cdot)$ can be used in output feedback mode (OFB) to generate a (reasonably) secure pseudo-random sequence.

- IV is the initialization vector (can be transmitted publicly).

- If the block cipher encrypts blocks of size B, use the full block size B in the feedback path. Output B or fewer symbols per iteration.


Page 13

Toy Example

- A block cipher with B output bits obtained from B input bits can be regarded as a permutation of the numbers $0, 1, 2, \dots, 2^B - 1$.

- An example of a permutation for B = 4 is

$$\pi = \begin{pmatrix} 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 \\ 7 & 14 & 1 & 15 & 9 & 6 & 3 & 2 & 10 & 13 & 5 & 11 & 8 & 4 & 12 & 0 \end{pmatrix}$$

- Setting IV = 0 yields the sequence

0, 7, 2, 1, 14, 12, 8, 10, 5, 6, 3, 15, 0, . . . Period: 12

- But setting IV = 4 only yields the sequence

4, 9, 13, 4, . . . Period: 3

- And setting IV = 11 only yields

11, 11, 11, . . . Period: 1
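As an added example (not the slides' own code), the toy permutation with full-block feedback, plus a cycle enumeration that explains the three periods above: with full-block feedback the OFB state simply walks the cycle of π that contains the IV, so the period is that cycle's length and the cycle lengths sum to $2^B$.

```python
# The slide's permutation for B = 4: PI[k] is the image of k.
PI = [7, 14, 1, 15, 9, 6, 3, 2, 10, 13, 5, 11, 8, 4, 12, 0]


def is_permutation(perm):
    """A block cipher with fixed key must be a bijection on {0, ..., 2^B - 1}."""
    return sorted(perm) == list(range(len(perm)))


def ofb_states(perm, iv, n):
    """First n OFB register contents S_0 = IV, S_1 = perm(S_0), S_2 = perm(S_1), ..."""
    states, s = [iv], iv
    for _ in range(n - 1):
        s = perm[s]
        states.append(s)
    return states


def ofb_period(perm, iv):
    """Period of the output sequence from iv. Because perm is a bijection the orbit
    of iv is a pure cycle (no tail), so we just count steps until iv recurs."""
    s, steps = perm[iv], 1
    while s != iv:
        s = perm[s]
        steps += 1
    return steps


def cycle_structure(perm):
    """All cycles of the permutation, longest first; each possible IV lies on exactly one."""
    seen, cycles = set(), []
    for start in range(len(perm)):
        if start in seen:
            continue
        cyc, s = [], start
        while s not in seen:
            seen.add(s)
            cyc.append(s)
            s = perm[s]
        cycles.append(cyc)
    return sorted(cycles, key=len, reverse=True)
```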


Page 14

Blum, Blum, Shub PRNG

- Let n = p q where p, q are large primes satisfying p ≡ 3 (mod 4) and q ≡ 3 (mod 4). Use a seed $x_0$ to generate the sequence

$$x_0,\quad x_1 = x_0^2,\quad x_2 = x_1^2,\quad \dots \pmod n$$

Output the least significant bit of each $x_i$ to obtain a secure binary random sequence (based on the difficulty of computing square roots modulo n = p q if p, q are not known).

- Example: p = 11, q = 19, $x_0 = 4$ yields the sequence

$x_i$ = {4, 16, 47, 119, 158, 93, 80, 130, 180, 5, 25, 207, 4, . . .}

- The pseudo-random bit sequence is 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, . . .
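An added example (not from the slides) that reproduces the numbers above, enforces the p ≡ q ≡ 3 (mod 4) requirement, and measures the state cycle; `bbs_cycle` also reports the one-step tail that appears when the seed is not a quadratic residue mod n (an extra case beyond the slide, since squaring permutes only the quadratic residues of a Blum integer).

```python
def valid_bbs_primes(p, q):
    """The slide's requirement on the factors: p ≡ 3 (mod 4) and q ≡ 3 (mod 4)."""
    return p % 4 == 3 and q % 4 == 3


def blum_blum_shub(p, q, x0, count):
    """Blum-Blum-Shub state sequence x_{i+1} = x_i^2 mod n with n = p q.
    Returns (states x_0 .. x_{count-1}, least significant bit of each state)."""
    if not valid_bbs_primes(p, q):
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    xs = [x0 % n]
    while len(xs) < count:
        xs.append(xs[-1] * xs[-1] % n)
    return xs, [x & 1 for x in xs]


def bbs_cycle(p, q, x0):
    """(tail length, cycle length) of the state sequence started at x0.
    For a seed that is itself a square mod n the tail is 0, as in the slide's example."""
    n = p * q
    seen, x, i = {}, x0 % n, 0     # state -> index of first occurrence
    while x not in seen:
        seen[x] = i
        x = x * x % n
        i += 1
    return seen[x], i - seen[x]
```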
