Pseudorandom Generator
Synopsis
1. Pseudorandom Generator
2. Pseudorandom Function
3. One-Way Function
Computational Complexity, by Y. Fu Pseudorandom Generator 1 / 49
Pseudorandom Generator
Modern cryptography addresses the long key issue by studying how to generate long keys from short ones.
- An efficient observer can only detect ignorable differences between a generated key and a random key.
What is a random string? How do we characterize random strings?
- For modern cryptography it suffices that strings are distributed in a way that looks random to all efficient observers.
Pseudorandom Generator
Let $G : \{0,1\}^* \to \{0,1\}^*$ and $\ell : \mathbb{N} \to \mathbb{N}$ be P-time computable such that $\ell(n) > n$ for all $n$ and $|G(x)| = \ell(|x|)$ for all $x \in \{0,1\}^*$.
$G$ is a computationally secure pseudorandom generator of stretch $\ell(n)$ if, for every P-time PTM $A$, there exists a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that
$$\left| \Pr[A(G(U_n)) = 1] - \Pr[A(U_{\ell(n)}) = 1] \right| \le \varepsilon(n).$$
Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.
The definition of pseudorandom generator says nothing about how to construct such a generator.
Unpredictability
Let $G : \{0,1\}^* \to \{0,1\}^*$ be P-time computable with stretch $\ell(n)$, where $\ell : \mathbb{N} \to \mathbb{N}$ is P-time computable such that $\forall n.\ \ell(n) > n$.
We say that $G$ is unpredictable if for every P-time PTM $B$ there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that
$$\left| \Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\left[ B(1^n, y_1, \ldots, y_{i-1}) = y_i \right] - \frac{1}{2} \right| \le \varepsilon(n).$$
M. Blum, S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. FOCS 1982.
Unpredictability ⇐ Pseudorandomness
Suppose $G$ is a pseudorandom generator. If it is not unpredictable then there is some $c$ such that
$$\left| \Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\left[ B(1^n, y_1, \ldots, y_{i-1}) = y_i \right] - \frac{1}{2} \right| \ge \frac{1}{n^c}$$
holds for a P-time PTM $B$ for infinitely many $n$. Some $i$ exists such that
$$\left| \Pr_{x \in_R \{0,1\}^n,\ y = G(x)}\left[ B(1^n, y_1, \ldots, y_{i-1}) = y_i \right] - \frac{1}{2} \right| \ge \frac{1}{n^c \ell(n)}$$
for infinitely many $n$. It follows from $\Pr[B(U_{\ell(n)}) = 1] = \frac{1}{2}$ that
$$\Pr[B(G(U_n)) = 1] - \Pr[B(U_{\ell(n)}) = 1] \ge \frac{1}{n^c \ell(n)}$$
for infinitely many $n$, which is a contradiction.
Unpredictability ⇒ Pseudorandomness
Theorem (Yao, 1982).
If G is unpredictable, then it is a pseudorandom generator.
Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.
Unpredictability ⇒ Pseudorandomness
Let $\ell : \mathbb{N} \to \mathbb{N}$ be P-time computable such that $\ell(n) \ge n$. Let $G : \{0,1\}^* \to \{0,1\}^*$ be P-time computable with stretch $\ell$.
Suppose $G$ is not a pseudorandom generator. Then there is some constant $c$ and some P-time PTM $A$ such that, wlog,
$$\Pr[A(G(U_n)) = 1] - \Pr[A(U_{\ell(n)}) = 1] \ge \frac{1}{n^c}$$
for infinitely many $n$.
Unpredictability ⇒ Pseudorandomness
For $i \le \ell(n)$, the hybrid distribution $D_i$ is defined as follows:
1. choose $x \in_R \{0,1\}^n$ and compute $y = G(x)$;
2. output $y_1, \ldots, y_i, z_{i+1}, \ldots, z_{\ell(n)}$ with $z_{i+1}, \ldots, z_{\ell(n)} \in_R \{0,1\}$.
Note that $D_0 = U_{\ell(n)}$ and $D_{\ell(n)} = G(U_n)$.
Let $p_i = \Pr[A(D_i) = 1]$. By assumption $p_{\ell(n)} - p_0 \ge \frac{1}{n^c}$. Now
$$p_{\ell(n)} - p_0 = (p_{\ell(n)} - p_{\ell(n)-1}) + (p_{\ell(n)-1} - p_{\ell(n)-2}) + \ldots + (p_1 - p_0).$$
Unpredictability ⇒ Pseudorandomness
Algorithm $B$ asserts that everything $A$ says is correct.
- Input $1^n$, $i \in [\ell(n)]$ and $y_1, \ldots, y_{i-1}$.
  1. randomly generate $z_i, \ldots, z_{\ell(n)}$;
  2. compute $a = A(y_1, \ldots, y_{i-1}, z_i, \ldots, z_{\ell(n)})$;
  3. output $z_i$ if $a = 1$ and $1 - z_i$ if $a = 0$.
We are done if we can prove the following inequality
$$\Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\left[ B(1^n, y_1, \ldots, y_{i-1}) = y_i \right] - \frac{1}{2} \ge \frac{1}{n^c \ell(n)},$$
which can be derived if the following holds for every $i \in [\ell(n)]$:
$$\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}\left[ B(1^n, y_1, \ldots, y_{i-1}) = y_i \right] = \frac{1}{2} + (p_i - p_{i-1}).$$
Unpredictability ⇒ Pseudorandomness
$B$ predicts $y_i$ correctly if $a = 1 \wedge z_i = y_i$ or $a = 0 \wedge z_i = 1 - y_i$. This event happens with probability
$$\frac{1}{2} \Pr_{x,\ y = G(x)}[a = 1 \mid z_i = y_i] + \frac{1}{2} \left( 1 - \Pr_{x,\ y = G(x)}[a = 1 \mid z_i = 1 - y_i] \right).$$
Now $\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}[a = 1 \mid z_i = y_i] = p_i$. On the other hand,
$$\begin{aligned}
p_{i-1} &= \Pr[A(D_{i-1}) = 1] \\
&= \Pr[a = 1 \mid z_i = y_i]/2 + \Pr[a = 1 \mid z_i = 1 - y_i]/2 \\
&= p_i/2 + \Pr[a = 1 \mid z_i = 1 - y_i]/2.
\end{aligned} \tag{1}$$
We get $\Pr[a = 1 \mid z_i = 1 - y_i] = 2p_{i-1} - p_i$ from (1).
Theorem. Given a pseudorandom generator with stretch $n^c$, one can design a computationally secure encryption scheme $(E, D)$ using $n$-length keys for $n^c$-length messages.
Given a random key of length $n$, generate a key of length $n^c$ using the pseudorandom generator, and then apply the one-time pad encryption scheme.
Application: Derandomization
If pseudorandom generators exist, then we can construct subexponential deterministic algorithms for problems in BPP.
- This is the derandomization of BPP.
The basic idea:
- Let $L$ be decided by an $n^d$-time PTM $P$ with bounded error.
- For every small $\varepsilon$ let $c$ be such that $0 < \frac{d}{c} < \varepsilon < 1$.
- Apply to all strings of length $n^{d/c}$ the pseudorandom generator with stretch $n^c$ and then execute $P$ by following the choices prescribed by the produced pseudorandom strings of length $n^d$.
- The algorithm runs in time $O(2^{n^\varepsilon})$.
Pseudorandom Function
Let $F_n$ denote the set of all functions of type $\{0,1\}^n \to \{0,1\}^n$.
1. Generally $n2^n$ bits are necessary to specify a function in $F_n$.
2. Consequently its computation is not efficient.
We look for an efficient subset $G_n$ of $F_n$ that appears random.
1. Every element of $G_n$ is specified by $n$ bits.
2. Every element of $G_n$ is P-time computable.
3. Yet no P-time PTM can detect noticeable difference between a random element of $G_n$ and a random element of $F_n$.
- There are $2^{n2^n}$ elements in $F_n$.
- There are only $2^n$ elements in $G_n$.
Pseudorandom functions are pseudorandom generators with exponential stretch.
- A pseudorandom function is a black box; a distinguisher can only ask for the values of the function at a small number of inputs.
Pseudorandom Function
Let $\{f_k\}_{k \in \{0,1\}^*}$ be a family of functions such that
- $f_k : \{0,1\}^{|k|} \to \{0,1\}^{|k|}$ for every $k \in \{0,1\}^*$, and
- $f_k(x)$ is P-time computable from $k, x$.
The family $\{f_k\}_{k \in \{0,1\}^*}$ is pseudorandom if for every P-time probabilistic OTM $A$ there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that for all $n$,
$$\left| \Pr_{k \in_R \{0,1\}^n}\left[ A^{f_k}(1^n) = 1 \right] - \Pr_{g \in_R F_n}\left[ A^{g}(1^n) = 1 \right] \right| \le \varepsilon(n).$$
$A$ needs no input. The string $1^n$ marks the input length.
Pseudorandom Generator ⇐ Pseudorandom Function
Suppose $\{f_k\}_{k \in \{0,1\}^*}$ is a pseudorandom family of functions.
- For every polynomial $\ell(n)$, the map $G$ defined by
$$k \in \{0,1\}^n \mapsto f_k(1), \ldots, f_k(\ell(n)) \in \{0,1\}^{n\ell(n)}$$
  is a pseudorandom generator.
- This follows from definition.
Goldreich-Goldwasser-Micali Theorem.
Suppose that there exists a pseudorandom generator $G$ with stretch $\ell(n) = 2n$. Then there exists a pseudorandom function family.
O. Goldreich, S. Goldwasser, S. Micali. How to Construct Random Functions. FOCS 1984.
Pseudorandom Generator ⇒ Pseudorandom Function
Let $G$ be a pseudorandom generator with stretch $2n$.
- $G_0(x)$ is the first $n$ bits;
- $G_1(x)$ is the last $n$ bits.
For each $k \in \{0,1\}^n$ the function $f_k$ is defined by
$$f_k(x) = G_{x_n}(G_{x_{n-1}}(\ldots G_{x_1}(k) \ldots)).$$
We will prove that $\{f_k\}_{k \in \{0,1\}^*}$ is a pseudorandom function family.
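[Figure: binary tree rooted at $k$. From each node the edge labelled $x_j = 0$ leads to the $G_0$ child and the edge labelled $x_j = 1$ to the $G_1$ child: the first level holds $G_0(k)$, $G_1(k)$; the second level holds $G_0(G_0(k))$, $G_1(G_0(k))$, $G_0(G_1(k))$, $G_1(G_1(k))$; and so on.]
Figure: The Algorithm that Calculates $f_k(x)$.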
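The tree walk that computes $f_k(x)$, written out as an added example (not code from the slides). The length-doubling $G$ here is a stand-in built from SHA-256 with two prefix tags, used heuristically in place of a proven pseudorandom generator; `N`, `bits` and `node` are names chosen for this sketch.

```python
import hashlib

N = 16  # seed/block length in bytes (n = 128 bits); an assumption of this sketch


def G(seed: bytes) -> bytes:
    """Length-doubling map {0,1}^n -> {0,1}^{2n}.

    Stand-in only: SHA-256 with a one-byte tag per half, not a proven PRG.
    """
    left = hashlib.sha256(b"\x00" + seed).digest()[:N]
    right = hashlib.sha256(b"\x01" + seed).digest()[:N]
    return left + right


def G0(seed: bytes) -> bytes:
    return G(seed)[:N]  # first n bits of G(seed)


def G1(seed: bytes) -> bytes:
    return G(seed)[N:]  # last n bits of G(seed)


def bits(x: bytes):
    """Yield x_1, ..., x_n, most significant bit of the first byte first."""
    for byte in x:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def node(label: bytes, path) -> bytes:
    """Walk down the tree from `label` along `path`; return the label reached."""
    for b in path:
        label = G1(label) if b else G0(label)
    return label


def f(k: bytes, x: bytes) -> bytes:
    """f_k(x) = G_{x_n}(G_{x_{n-1}}(... G_{x_1}(k) ...)): n calls to G per query."""
    if len(k) != N or len(x) != N:
        raise ValueError("key and input must both be n bits long")
    return node(k, bits(x))
```

Each query touches only the $n$ nodes on one root-to-leaf path, so the $2^n$ leaves are never materialised; the label of an inner node is enough to evaluate $f_k$ on every input below it.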
Pseudorandom Generator ⇒ Pseudorandom Function
Let $A$ be a $T$-time PTM that distinguishes $\{f_k\}_{k \in \{0,1\}^n}$ and $F_n$. I.e., some $c$ and $A$ exist such that the following holds for infinitely many $n$,
$$\Pr_{g \in_R F_n}\left[ A^{g}(1^n) = 1 \right] - \Pr_{k \in_R \{0,1\}^n}\left[ A^{f_k}(1^n) = 1 \right] \ge \frac{1}{n^c}.$$
We construct a P-time PTM $B$ that distinguishes the distributions $U_{2n}$ and $G(U_n)$ with $\frac{1}{nT} \cdot \frac{1}{n^c}$ bias.
- For that purpose we define a random implementation $O$ of the oracles $f_{U_n}$ in terms of $G$.
  1. generate the seed $k \in_R \{0,1\}^n$ randomly;
  2. run the algorithm that calculates $f_k$ on all queries.
- We then modify $O$ to obtain $\{O_i\}_{i \le nT}$ using hybrid approach.
Pseudorandom Generator ⇒ Pseudorandom Function
For $i \le nT$ the random oracle $O_i$ is defined as follows:
1. For the first $i$ invocations of $G$, $O_i$ chooses randomly.
   - the random answers must be consistent!
   - the random number generated at the $i$-th step is the seed $k$.
2. In the rest of the invocations of $G$, $O_i$ calculates like $O$.
Clearly $O_0$ is $O$, and $O_{nT}$ is a random function.
Let $p_i = \Pr[A^{O_i}(1^n) = 1]$. Observe that
- $p_0 = \Pr_{k \in_R \{0,1\}^n}[A^{f_k}(1^n) = 1]$ and
- $p_{nT} = \Pr_{g \in_R F_n}[A^{g}(1^n) = 1]$.
By assumption $p_{nT} - p_0 \ge \frac{1}{n^c}$.
Algorithm B.
1. Input $k \in \{0,1\}^{2n}$.
2. Generate $i \in_R [nT]$.
3. Run $A^{O_i}(1^n)$, with the modification that in the $i$-th invocation the two children are the first respectively the last $n$ bits of $k$.
The following can be easily verified.
- If $k \in_R U_{2n}$, then $B$'s output is distributed as $A^{O_i}(1^n)$.
- If $k \in_R G(U_n)$, then $B$'s output is distributed as $A^{O_{i-1}}(1^n)$.
Consequently $\Pr[B(U_{2n}) = 1] - \Pr[B(G(U_n)) = 1]$ is
$$\sum_{i \in [nT]} \frac{A^{O_i}(1^n)}{nT} - \sum_{i \in [nT]} \frac{A^{O_{i-1}}(1^n)}{nT} = \frac{p_{nT}}{nT} - \frac{p_0}{nT} \ge \frac{1}{nT} \cdot \frac{1}{n^c}.$$
Application: One Key for Many Messages
By Goldreich-Goldwasser-Micali Theorem and Yao's Theorem, the string $f_k(r_1), f_k(r_2), f_k(r_3), \ldots$ is unpredictable.
1. Alice encrypts a message $x \in \{0,1\}^n$ by choosing $r \in_R \{0,1\}^n$ and sends $(r, f_k(r) \oplus x)$ to Bob, where $k \in \{0,1\}^n$ is the key.
2. Bob receives $(r, y)$ and calculates $f_k(r) \oplus y$ to recover $x$.
Application: Message Authentication Code
For the same reason the following protocol is secure.
1. Alice sends x to Bob.
2. Bob sends (x , fk(x)) to Alice.
3. Alice receives $(x, y)$ and checks if $y = f_k(x)$ to verify that the message has not been corrupted.
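Both applications, the randomized encryption $(r, f_k(r) \oplus x)$ and the tag check $y = f_k(x)$, as an added example that is not part of the slides. HMAC-SHA256 stands in for $f_k$ (an assumption; the slides allow any pseudorandom function family), and the block length `N` is chosen for this sketch.

```python
import hashlib
import hmac
import secrets

N = 32  # block length in bytes (n = 256 bits); an assumption of this sketch


def f(k: bytes, x: bytes) -> bytes:
    """Stand-in for f_k: HMAC-SHA256 keyed with k (not the slides' own f_k)."""
    return hmac.new(k, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def encrypt(k: bytes, x: bytes):
    """Alice: choose a fresh random r and send (r, f_k(r) XOR x)."""
    if len(x) != N:
        raise ValueError("message must be exactly n bits")
    r = secrets.token_bytes(N)
    return r, xor(f(k, r), x)


def decrypt(k: bytes, r: bytes, y: bytes) -> bytes:
    """Bob: recompute the pad f_k(r) and recover x = f_k(r) XOR y."""
    return xor(f(k, r), y)


def tag(k: bytes, x: bytes) -> bytes:
    """MAC protocol, step 2: the pair sent back is (x, f_k(x))."""
    return f(k, x)


def verify(k: bytes, x: bytes, y: bytes) -> bool:
    """MAC protocol, step 3: check y = f_k(x), compared in constant time."""
    return hmac.compare_digest(f(k, x), y)
```

Because $r$ is fresh for every message, the same plaintext under the same key yields a different ciphertext each time. The encryption step by itself does not detect modification (flipping a bit of $y$ flips the same bit of the recovered $x$); detecting corruption is the job of the tag check.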
Application: Lower Bound for Machine Learning
In machine learning the goal is to learn a function $f$ from a sequence of examples $(r_1, f(r_1)), \ldots, (r_k, f(r_k))$.
- The existence of pseudorandom function implies that even if $f$ is P-time computable, there is no way to learn it in P-time.
One-Way Function
Suppose $G : \{0,1\}^* \to \{0,1\}^*$ is a pseudorandom generator.
For every P-time PTM $A$ there must be a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that the following holds for every $n$,
$$\Pr_{x \in_R \{0,1\}^n}\left[ A(1^n, G(x)) = x' \wedge G(x') = G(x) \right] \le \varepsilon(n).$$
One-Way Function
A P-time function $f : \{0,1\}^* \to \{0,1\}^*$ is a one-way function if for every P-time PTM $A$ there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that for every $n$,
$$\Pr_{x \in_R \{0,1\}^n,\ y = f(x)}\left[ A(1^n, y) = x' \wedge f(x') = y \right] \le \varepsilon(n).$$
Let $f : \{0,1\}^* \to \{0,1\}^*$ be a P-time computable function such that $\forall x.\ |x| \le |f(x)|$.
- If P = NP then $\{(l, u, y) \mid \exists x.\ f(x) = y \wedge l \le x \le u\} \in$ P.
- By divide-and-conquer one can compute $f^{-1}$ in P-time.
The existence of one way function implies P $\ne$ NP.
Integer multiplication is believed to be one-way.
Theorem. If one-way permutations exist, then for every $c \in \mathbb{N}$, there exists a pseudorandom generator with stretch $S(n) = n^c$.
Q. Yao.
- Theory and Applications of Trapdoor Functions. FOCS 1982.
Theorem. If one-way functions exist, then for every $c \in \mathbb{N}$, there exists a pseudorandom generator with stretch $S(n) = n^c$.
J. Hastad, R. Impagliazzo, L. Levin and M. Luby.
- A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing, 28:1364-1396, 1999.
The crucial step is in obtaining a pseudorandom generator that extends its input by one bit.
- If $f$ is a one-way permutation, then $G(x, r) = f(x), r, x \odot r$ is a pseudorandom generator. Notice that $f(x), r$ are completely random and independent, and the $(2n+1)$-th bit cannot be predicted with probability noticeably larger than $1/2$.
We shall prove the Theorem using the Goldreich-Levin Theorem.
Goldreich-Levin Theorem. Suppose $f : \{0,1\}^* \to \{0,1\}^*$ is a one-way permutation. Then for every P-time PTM $A$ there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that
$$\left| \Pr_{x, r \in_R \{0,1\}^n}\left[ A(f(x), r) = x \odot r \right] - \frac{1}{2} \right| \le \varepsilon(n),$$
where $x \odot r = \sum_{i=1}^{n} x_i r_i \pmod 2$.
We call $x \odot r$ the hard core bit of the function $xr \mapsto f(x)r$.
O. Goldreich, L. Levin.
- A Hard-Core Predicate for All One-Way Functions. STOC'89.
Scenario:
- We know $f(x)$ and that $A(f(x), r)$ approximates $x \odot r$.
- We hope to recover $x$.
1. If $A(f(x), r) = x \odot r$ for all $r$, then it is easy to recover $x$ by the following algorithm:
- Run $A(f(x), e^1), \ldots, A(f(x), e^n)$.
- Paste the resulting $n$ bits to form $x$.
2. Suppose $\Pr_{r \in_R \{0,1\}^n}[A(f(x), r) = x \odot r] \ge 0.9$.
Now $x \odot r$ is uniformly distributed. So by union bound
$$\Pr_{r \in_R \{0,1\}^n}\left[ (A(f(x), r) \ne x \odot r) \vee (A(f(x), r \oplus e^i) \ne x \odot (r \oplus e^i)) \right] \le 0.2.$$
Using the equality $x \odot (r \oplus e^i) = (x \odot r) \oplus (x \odot e^i)$, one sees that
$$\Pr_{r \in_R \{0,1\}^n}\left[ A(f(x), r) \oplus A(f(x), r \oplus e^i) = x_i \right] \ge 0.8, \tag{2}$$
which can be amplified to $1 - 1/10n$ by majority vote.
- If we replace 0.9 by 0.75, then 0.8 decreases to 0.5, rendering the lower bound in (2) utterly useless.
Algorithm B:
1. $m := 200n$.
2. Choose $r^1, \ldots, r^m \in_R \{0,1\}^n$.
3. For $i$ from 1 to $n$ do
   3.1 $z_1 := A(f(x), r^1)$, $z'_1 := A(f(x), r^1 \oplus e^i)$, ..., $z_m := A(f(x), r^m)$, $z'_m := A(f(x), r^m \oplus e^i)$.
   3.2 guess that $x_i$ is the majority value of $\{z_j \oplus z'_j\}_{j \in [m]}$.
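Algorithm B run against a simulated predictor, as an added example that is not part of the slides. The oracle is constructed for the simulation: it closes over $x$ only to produce answers for $x \odot r$ that are wrong on a fixed 10% of all $r$, the accuracy assumed in case 2; `make_noisy_oracle`, `read_directly` and `recover` are names chosen here.

```python
import hashlib
import secrets


def dot(x: int, r: int) -> int:
    """x ⊙ r: inner product of the bit vectors x and r, modulo 2."""
    return bin(x & r).count("1") & 1


def make_noisy_oracle(x: int, error_percent: int = 10):
    """Constructed stand-in for r -> A(f(x), r), for n up to 256 bits.

    The set of r on which it errs is fixed by a hash of r, so repeated
    queries on the same r give the same (possibly wrong) answer.
    """
    def A(r: int) -> int:
        h = hashlib.sha256(r.to_bytes(32, "big")).digest()
        wrong = int.from_bytes(h[:4], "big") % 100 < error_percent
        return dot(x, r) ^ int(wrong)
    return A


def read_directly(A, n: int) -> int:
    """Case 1: if A is always right, x_i = A(f(x), e^i)."""
    return sum(A(1 << i) << i for i in range(n))


def recover(A, n: int) -> int:
    """Algorithm B: m = 200n samples, majority of A(r^j) XOR A(r^j XOR e^i)."""
    m = 200 * n
    rs = [secrets.randbits(n) for _ in range(m)]
    zs = [A(r) for r in rs]  # z_j does not depend on i, so compute it once
    x = 0
    for i in range(n):
        e_i = 1 << i
        votes = sum(z ^ A(r ^ e_i) for z, r in zip(zs, rs))
        if 2 * votes > m:  # majority of the m votes says x_i = 1
            x |= e_i
    return x
```

A vote is right whenever both answers are right, or both are wrong, which is why a 90%-accurate predictor gives per-vote accuracy of at least 0.8 and the majority over $200n$ votes settles each bit.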
Analysis of B:
1. Let random variable $Z_j$ be defined by
$$Z_j(r^j) = \begin{cases} 1, & \text{if } A(f(x), r^j) = x \odot r^j \text{ and } A(y, r^j \oplus e^i) = x \odot (r^j \oplus e^i), \\ 0, & \text{otherwise.} \end{cases}$$
2. Clearly $Z_1, \ldots, Z_m$ are independent. Let $Z = Z_1 + \ldots + Z_m$.
3. $E[Z_j] \ge 0.8$ and $E[Z] \ge 0.8m$.
4. $\Pr[|Z - E[Z]| \ge 0.3m] \le 1/(0.3\sqrt{m})^2$ by Chebyshev inequality.
5. It follows from $m = 100n$ that $\Pr[Z \le 0.5m] \le 1/10n$.
- Chebyshev inequality: $\Pr\left[ |Z - E[Z]| \ge k\sqrt{\mathrm{Var}(Z)} \right] \le 1/k^2$.
- $\mathrm{Var}(Z) = \sum_{j=1}^{m} \mathrm{Var}(Z_j) \le m$ since $\mathrm{Var}(Z_j) \le 1$ for all $j$.
3. Suppose there are constant $c \in \mathbb{N}$ and P-time PTM $A$ such that
$$\Pr_{x, r \in_R \{0,1\}^n}\left[ A(f(x), r) = x \odot r \right] - \frac{1}{2} \ge \frac{1}{n^c}$$
for infinitely many $n$.
There is at least a $\frac{1}{2n^c}$ fraction of $x$'s, the good $x$'s, such that
$$\Pr_{r \in_R \{0,1\}^n}\left[ A(f(x), r) = x \odot r \right] - \frac{1}{2} \ge \frac{1}{2n^c}$$
for infinitely many $n$'s.
Lemma. Suppose $a_1, a_2, \ldots, a_n \in [0,1]$ and $\rho = \left( \sum_{i \in [n]} a_i \right)/n$. Then there is at least $\frac{\rho}{2}$ fraction of $a_i$'s such that $a_i \ge \frac{\rho}{2}$.
We cannot afford to apply A twice.
Instead of calculating $A(f(x), r^1), \ldots, A(f(x), r^m)$, we can try to guess the values of $x \odot r^1, \ldots, x \odot r^m$.
- Choose randomly distinct $s^1, \ldots, s^k \in_R \{0,1\}^n$.
- $\{\bigoplus R\}_{R \subseteq \{s^1, \ldots, s^k\}}$ are random and pairwise independent.
- $\{x \odot \bigoplus R\}_{R \subseteq \{s^1, \ldots, s^k\}}$ are determined by $x \odot s^1, \ldots, x \odot s^k$.
We can have and afford the exhaustive guessing if $k = \log m$.
Algorithm C:
1. Input $y \in \{0,1\}^n$. Think of $y$ as $f(x)$ for some $x$.
2. $m := 10n^{2c+1}$;
3. $k := \log(m)$;
4. Generate $s^1, \ldots, s^k \in_R \{0,1\}^n$;
5. Let $R_1, \ldots, R_m$ be subsets of $\{s^1, \ldots, s^k\}$ in a canonical way;
6. For each guess $w \in \{0,1\}^k$ do
   6.1 for each $i \in [n]$ do
       6.1.1 $x \odot s^1 := w_1, \ldots, x \odot s^k := w_k$;
             $z_1 := \bigoplus_{t \in R_1} (x \odot s^t), \ldots, z_m := \bigoplus_{t \in R_m} (x \odot s^t)$;
             $z'_1 := A(y, \bigoplus R_1 \oplus e^i), \ldots, z'_m := A(y, \bigoplus R_m \oplus e^i)$;
       6.1.2 guess that $x_i$ is the majority value of $\{z_j \oplus z'_j\}_{j \in [m]}$.
   6.2 $x := x_1 \ldots x_n$;
   6.3 if $f(x) = y$, output $x$ and halt.
Analysis of C:
1. Let the random variable $Z_j$ be defined by
$$Z_j(r^j) = \begin{cases} 1, & \text{if } A(y, r^j \oplus e^i) = x \odot (r^j \oplus e^i), \\ 0, & \text{otherwise.} \end{cases}$$
2. $Z_1, \ldots, Z_m$ are pairwise independent and $E[Z_j] \ge 1/2 + 1/n^c$.
3. Hence $E[Z] \ge m/2 + m/n^c$, where $Z = Z_1 + \ldots + Z_m$.
4. Using $\mathrm{Var}(Z) = \sum_{j=1}^{m} \mathrm{Var}(Z_j) \le m$, we derive
$$\Pr\left[ |Z - E[Z]| \ge m/n^c \right] \le \Pr\left[ |Z - E[Z]| \ge \frac{\sqrt{m}}{n^c} \sqrt{\mathrm{Var}(Z)} \right] \le \frac{n^{2c}}{m} = \frac{n^{2c}}{10n^{2c+1}} = \frac{1}{10n}.$$
5. Now $\Pr[Z \le m/2] \le \frac{1}{10n}$ follows from 3 and 4.
Theorem. If $f$ is one-way permutation and $c \in \mathbb{N}$, the function $G$ that maps $x, r \in \{0,1\}^n$ onto
$$r,\ f^{n^c}(x) \odot r,\ f^{n^c-1}(x) \odot r,\ \ldots,\ f^{1}(x) \odot r$$
is a pseudorandom generator of stretch $n + n^c$.
Let $A$ be a P-time PTM such that for $x, r \in_R \{0,1\}^n$ and $i \in_R [n^c]$,
$$\Pr\left[ A(r, f^{n^c}(x) \odot r, f^{n^c-1}(x) \odot r, \ldots, f^{i+1}(x) \odot r) = f^{i}(x) \odot r \right] - \frac{1}{2} \ge \frac{1}{n^d}$$
for some $d \in \mathbb{N}$ and infinitely many $n$.
Continued on the next slide.
The PTM $B(y, r)$, where $y, r \in \{0,1\}^n$, is designed as follows:
1. Generate $i \in_R [n^c]$;
2. Output $A(r, f^{n^c-i}(y) \odot r, \ldots, f^{1}(y) \odot r, y \odot r)$.
The probability that $B(f(x), r)$ outputs $x \odot r$ is the same as
$$\Pr\left[ A(r, f^{n^c}(x) \odot r, f^{n^c-1}(x) \odot r, \ldots, f^{i+1}(x) \odot r) = f^{i}(x) \odot r \right].$$
Hence
$$\Pr_{x, r \in_R \{0,1\}^n}\left[ B(f(x), r) = x \odot r \right] - \frac{1}{2} \ge \frac{1}{n^d},$$
contradicting the Goldreich-Levin Theorem.
Since $f$ is a permutation, $r, f^{n^c-i}(x) \odot r, \ldots, f^{1}(x) \odot r, x \odot r$ is the same distribution as $r, f^{n^c}(x) \odot r, \ldots, f^{i+1}(x) \odot r, f^{i}(x) \odot r$.
one-way function ⇔ pseudorandom generator ⇔ unpredictability
Application: Tossing Coin Over Phone
Suppose A and B want to toss a coin over phone. We can apply the following protocol.
1. A chooses $x, r \in_R \{0,1\}^n$ and sends $(f_n(x), r)$ to B, where $f_n$ is a one-way permutation known to both parties.
2. B chooses $b \in_R \{0,1\}$ and sends it to A.
3. A sends $x$ to B.
A and B agree to use $b \oplus (x \odot r)$.
- A cannot manipulate the result because it cannot change $x$.
- B cannot manipulate the result because it did not know $x$.
- A can make sure that the result is random as long as $x$ is.
- B can make sure that the result is random as long as $b$ is.
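The three messages of the protocol with both parties' checks, as an added example that is not part of the slides. The permutation is a toy stand-in, $x \mapsto 7^x \bmod (2^{31}-1)$ on $\{1, \ldots, 2^{31}-2\}$, chosen only so the code runs; it is far too small to be one-way, and the class and method names are assumptions of this sketch.

```python
import secrets

P = 2**31 - 1  # toy prime modulus (assumption); far too small for real use
GEN = 7        # a primitive root modulo P, so f below is a permutation


def f(x: int) -> int:
    """Toy stand-in for f_n: x -> GEN^x mod P, a permutation of {1..P-1}."""
    return pow(GEN, x, P)


def dot(x: int, r: int) -> int:
    """x ⊙ r: inner product of the bit vectors x and r, modulo 2."""
    return bin(x & r).count("1") & 1


class Alice:
    def commit(self):
        """Step 1: choose x, r at random and send (f(x), r)."""
        self.x = secrets.randbelow(P - 1) + 1  # x in {1..P-1}
        self.r = secrets.randbits(31)
        return f(self.x), self.r

    def reveal(self) -> int:
        """Step 3: open the commitment by sending x."""
        return self.x


class Bob:
    def receive_commitment(self, c: int, r: int) -> None:
        self.c, self.r = c, r

    def choose(self) -> int:
        """Step 2: choose b only after the commitment has arrived."""
        self.b = secrets.randbits(1)
        return self.b

    def finish(self, x: int) -> int:
        """Check the opening against f(x) before using it, then output the coin."""
        # The range check matters: x + (P - 1) maps to the same f value.
        if not 1 <= x <= P - 1 or f(x) != self.c:
            raise ValueError("opening does not match the commitment")
        return self.b ^ dot(x, self.r)
```

Bob's check is what enforces "A cannot change $x$": because $f$ is a permutation on the checked range, exactly one $x$ opens a given commitment.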