Pseudo-random Number Generation
Qiuliang Tang

Random Numbers in Cryptography
► The keystream in the one-time pad
► The secret key in the DES encryption
► The prime numbers p, q in the RSA encryption
► The private key in DSA
► The initialization vectors (IVs) used in ciphers

Pseudo-random Number Generator
► Pseudo-random number generator:
  A polynomial-time computable function f(x) that expands a short random string x into a long string f(x) that appears random
► Not truly random in that:
  Deterministic algorithm
  Dependent on initial values
► Objectives
  Fast
  Secure

Pseudo-random Number Generator
► Classical PRNGs
  Linear Congruential Generator
► Cryptographically Secure PRNGs
  RSA Generator
  Blum-Micali Generator
  Blum-Blum-Shub Generator
► Standardized PRNGs
  ANSI X9.17 Generator
  FIPS 186 Generator

Linear Congruential Generator - Algorithm
► Based on the linear recurrence: x_i = a x_{i-1} + b mod m, i ≥ 1
  Where x_0 is the seed or start value, a is the multiplier, b is the increment, m is the modulus
  Output (x_1, x_2, …, x_k), y_i = x_i mod 2, Y = (y_1 y_2 … y_k): pseudo-random sequence of k bits

Linear Congruential Generator - Example
► Let x_n = 3 x_{n-1} + 5 mod 31, n ≥ 1, and x_0 = 2
  3 and 31 are relatively prime, one-to-one (affine cipher)
  31 is prime, order is 30
► Then we have the 30 residues in a cycle:
  2, 11, 7, 26, 21, 6, 23, 12, 10, 4, 17, 25, 18, 28, 27, 24, 15, 19, 0, 5, 20, 3, 14, 16, 22, 9, 1, 8, 29, 30
► Pseudo-random sequences of 10 bits
  when x_0 = 2: 1101010001
  when x_0 = 3: 0001101001
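
The generator of the example above, as an added example (not code from the lecture): it reproduces the 30-residue cycle and both 10-bit output strings for x_n = 3 x_{n-1} + 5 mod 31, and goes slightly beyond the slide by finding the cycle for any (a, b, m, x_0), which makes the parameter sensitivity of the next slide visible (the fixed point x_0 = 13 of this affine map gives a period of 1). All parameters are the lecture's; the function names are mine.

```python
# Added example (not from the lecture): the linear congruential generator
# x_i = a * x_{i-1} + b mod m, its LSB-extracted bit string, and its period.

def lcg_states(a, b, m, x0, k):
    """Return the first k states x_1, ..., x_k of the LCG seeded with x_0."""
    states, x = [], x0
    for _ in range(k):
        x = (a * x + b) % m
        states.append(x)
    return states


def lcg_bits(a, b, m, x0, k):
    """Output rule from the lecture: y_i = x_i mod 2, concatenated into a bit string."""
    return "".join(str(x % 2) for x in lcg_states(a, b, m, x0, k))


def lcg_cycle(a, b, m, x0):
    """Follow the recurrence from x_0 until a state repeats.
    Returns (cycle, tail): the states of the cycle in order, and how many leading
    states precede it (0 when x -> a*x + b mod m is a permutation of Z_m, as here)."""
    seen, order, x = {}, [], x0
    while x not in seen:
        seen[x] = len(order)
        order.append(x)
        x = (a * x + b) % m
    start = seen[x]
    return order[start:], start


def lcg_period(a, b, m, x0):
    """Length of the cycle eventually reached from x_0."""
    return len(lcg_cycle(a, b, m, x0)[0])


if __name__ == "__main__":
    # Constructed sample run with the lecture's parameters: a=3, b=5, m=31.
    cycle, tail = lcg_cycle(3, 5, 31, 2)
    print("period:", len(cycle), "tail:", tail)
    print("cycle:", cycle)
    print("bits from x0=2:", lcg_bits(3, 5, 31, 2, 10))
    print("bits from x0=3:", lcg_bits(3, 5, 31, 3, 10))
    # 3x + 5 = x mod 31 has the single solution x = 13, so seeding there yields
    # a period of 1: the parameter/seed sensitivity of the next slide in miniature.
    print("period from x0=13:", lcg_period(3, 5, 31, 13))
```

Because the map is a permutation of Z_31, every seed other than the fixed point 13 lies on the same 30-cycle; the two bit strings on the slide are simply the parities of ten consecutive states read from two different starting points on that cycle.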

Linear Congruential Generator - Security
► Fast, but insecure
  Sensitive to the choice of parameters a, b, and m
  Serial correlation between successive values
  Short period, often m = 2^32 or m = 2^64

Linear Congruential Generator - Application
► Used commonly in compilers
  rand()
► Not suitable for high-quality randomness applications
  Issues with the RANDU random number algorithm
  Use the Mersenne Twister algorithm in Monte Carlo simulations
  Longer period 2^19937 - 1
► Not suitable for cryptographic applications
  Use cryptographically secure pseudo-random number generators

Cryptographically Secure
► Passing all polynomial-time statistical tests
  There is no polynomial-time algorithm that can correctly distinguish a string of k bits generated by a pseudo-random bit generator (PRBG) from a string of k truly random bits with probability significantly greater than ½
  Probability distributions indistinguishable
► Passing the next-bit test
  Given the first k bits of a string generated by a PRBG, there is no polynomial-time algorithm that can correctly predict the next (k+1)th bit with probability significantly greater than ½
  Next-bit unpredictable
► The two notions are equivalent
  Proved by Yao

Cryptographically Secure PRNGs
► A PRNG from any one-way function
  A function f is one-way if it is easy to compute y = f(x) but hard to compute x = f^{-1}(y)
  There is a PRNG if and only if there is a one-way function
► One-way functions
  The RSA function
  The discrete logarithm function
  The squaring function
► Cryptographically secure PRNGs
  RSA Generator
  Blum-Micali Generator
  Blum-Blum-Shub Generator

RSA Generator - Algorithm
► Based on the RSA one-way function: x_i = x_{i-1}^b mod n, i ≥ 1
  Where x_0 is the seed, an element of Z_n^*
  n = p*q, p and q are large primes
  gcd(b, Φ(n)) = 1 where Φ(n) = (p-1)(q-1)
  n and b are public, p and q are secret
  Output (x_1, x_2, …, x_k), y_i = x_i mod 2, Y = (y_1 y_2 … y_k): pseudo-random sequence of k bits

RSA Generator - Security
► RSA Generator is provably secure
  It is difficult to predict the next number in the sequence given the previous numbers, assuming that it is difficult to invert the RSA function (Shamir)

RSA Generator - Efficiency
► RSA Generator is relatively slow
  Each pseudo-random bit y_i requires a modular exponentiation operation
  Can be improved by extracting the j least significant bits of x_i instead of 1 least significant bit, where j = c log log n and c is a constant
  The Micali-Schnorr Generator improves the efficiency

Blum-Micali Generator - Concept
► Discrete logarithm
  Let p be an odd prime, then (Z_p^*, ·) is a cyclic group with order p-1
  Let g be a generator of the group, then |<g>| = p-1, and for any element a in the group we have g^k = a mod p for some integer k
  If we know k, it is easy to compute a
  However, the inverse is hard to compute, that is, if we know a, it is hard to compute k = log_g a
► Example
  (Z_17^*, ·) is a cyclic group with order 16, 3 is a generator of the group and 3^16 = 1 mod 17
  Let k = 4, 3^4 = 13 mod 17, which is easy to compute
  The inverse: 3^k = 13 mod 17, what is k? What about large p?

Blum-Micali Generator - Algorithm
► Based on the discrete logarithm one-way function:
  Let p be an odd prime, then (Z_p^*, ·) is a cyclic group
  Let g be a generator of the group, then for any element a we have g^k = a mod p for some k
  Let x_0 be a seed
  x_i = g^{x_{i-1}} mod p, i ≥ 1
  Output (x_1, x_2, …, x_k), y_i = 1 if x_i ≥ (p-1)/2, y_i = 0 otherwise, Y = (y_1 y_2 … y_k): pseudo-random sequence of k bits

Blum-Micali Generator - Security
► Blum-Micali Generator is provably secure
  It is difficult to predict the next bit in the sequence given the previous bits, assuming it is difficult to invert the discrete logarithm function (by reduction)

Blum-Blum-Shub Generator - Concept
► Quadratic residues
  Let p be an odd prime and a be an integer
  a is a quadratic residue modulo p if a is not congruent to 0 mod p and there exists an integer x such that a ≡ x^2 mod p
  a is a quadratic non-residue modulo p if a is not congruent to 0 mod p and a is not a quadratic residue modulo p
► Example
  Let p = 5, then 1^2 = 1, 2^2 = 4, 3^2 = 4, 4^2 = 1
  1 and 4 are quadratic residues modulo 5
  2 and 3 are quadratic non-residues modulo 5

Blum-Blum-Shub Generator - Algorithm
► Based on the squaring one-way function
  Let p, q be two odd primes and p ≡ q ≡ 3 mod 4
  Let n = p*q
  Let x_0 be a seed which is a quadratic residue modulo n
  x_i = x_{i-1}^2 mod n, i ≥ 1
  Output (x_1, x_2, …, x_k), y_i = x_i mod 2, Y = (y_1 y_2 … y_k): pseudo-random sequence of k bits
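
The three cryptographically secure generators of the preceding slides (RSA Generator - Algorithm, Blum-Micali Generator - Algorithm, Blum-Blum-Shub Generator - Algorithm) share one shape: iterate a one-way function and output one hard-to-predict bit per step. The added example below (my code, not the lecture's) implements all three with the parameter checks the slides state (gcd(b, Φ(n)) = 1, g a generator of Z_p^*, p ≡ q ≡ 3 mod 4, a quadratic-residue seed obtained by squaring a unit). The primes are toy values so the sequences can be checked by hand; real instances use large primes, and the function names are my own.

```python
# Added example (not from the lecture): RSA, Blum-Micali and Blum-Blum-Shub
# generators as "iterate a one-way function, output a hard-core bit", on toy moduli.
from math import gcd


def _prime_factors(n):
    """Distinct prime factors by trial division (adequate for the toy sizes here)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs


def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/r) != 1 mod p for every prime r dividing p-1."""
    return 1 < g < p and all(pow(g, (p - 1) // r, p) != 1 for r in _prime_factors(p - 1))


def rsa_generator(p, q, b, x0, k):
    """x_i = x_{i-1}^b mod n with n = p*q; output bits y_i = x_i mod 2.
    Requires gcd(b, phi(n)) = 1 (so x -> x^b is a permutation) and x0 in Z_n^*."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(b, phi) != 1 or gcd(x0, n) != 1:
        raise ValueError("need gcd(b, phi(n)) = 1 and x0 a unit modulo n")
    xs, x = [], x0
    for _ in range(k):
        x = pow(x, b, n)
        xs.append(x)
    return xs, [x % 2 for x in xs]


def blum_micali_generator(p, g, x0, k):
    """x_i = g^{x_{i-1}} mod p; output y_i = 1 if x_i >= (p-1)/2 else 0."""
    if not is_generator(g, p):
        raise ValueError("g must generate Z_p^*")
    xs, x = [], x0
    for _ in range(k):
        x = pow(g, x, p)
        xs.append(x)
    return xs, [1 if x >= (p - 1) // 2 else 0 for x in xs]


def blum_blum_shub_generator(p, q, s, k):
    """x_0 = s^2 mod n (a quadratic residue), x_i = x_{i-1}^2 mod n; y_i = x_i mod 2.
    Requires p = q = 3 mod 4 and s a unit modulo n."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("s must be a unit modulo n")
    xs, x = [], pow(s, 2, n)
    for _ in range(k):
        x = pow(x, 2, n)
        xs.append(x)
    return xs, [x % 2 for x in xs]


if __name__ == "__main__":
    # Constructed toy parameters: n = 7*11 = 77 for RSA/BBS, p = 17 with g = 3 for Blum-Micali.
    print("RSA  (n=77, b=7, x0=2):", rsa_generator(7, 11, 7, 2, 3))
    print("BM   (p=17, g=3, x0=4):", blum_micali_generator(17, 3, 4, 3))
    print("BBS  (n=77, s=3):      ", blum_blum_shub_generator(7, 11, 3, 3))
    print("3^4 mod 17 =", pow(3, 4, 17), "(the lecture's discrete-log example)")
```

With moduli this small the state cycles after a handful of steps (the BBS run 9 → 4 → 16 → 25 → 9 closes after four squarings), which is exactly why the security of these constructions rests on p and q being large enough that factoring n, or taking discrete logs modulo p, is infeasible.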

Blum-Blum-Shub Generator - Security
► Blum-Blum-Shub Generator is provably secure
  Euler's criterion
  Legendre symbol
  Jacobi symbol
  Composite quadratic residues

Blum-Blum-Shub Generator - Security
► Euler's criterion
  Let p be an odd prime. Then a is a quadratic residue modulo p if and only if a^{(p-1)/2} ≡ 1 mod p
► Proof:
  Suppose a ≡ x^2 mod p, then a^{(p-1)/2} ≡ x^{2*(p-1)/2} ≡ x^{p-1} ≡ 1 mod p (by Fermat's little theorem)
  Suppose a^{(p-1)/2} ≡ 1 mod p.
  Let g be a generator of the group (Z_p^*, ·), then a ≡ g^k mod p for some integer k. We have a^{(p-1)/2} ≡ g^{k*(p-1)/2} ≡ 1 mod p
  Since g has order p-1, p-1 must divide k*(p-1)/2, so k must be even. Let k = 2m, then a ≡ (g^m)^2 mod p,
  which means that a is a quadratic residue modulo p

Blum-Blum-Shub Generator - Security
► Legendre symbol
  Let p be an odd prime and a be an integer
  If a is a multiple of p, then a^{(p-1)/2} ≡ 0 mod p
  If a is a quadratic residue modulo p, then a^{(p-1)/2} ≡ 1 mod p
  If a is a quadratic non-residue modulo p, then a^{(p-1)/2} ≡ -1 mod p, since (a^{(p-1)/2})^2 ≡ a^{p-1} ≡ 1 mod p
  The Legendre symbol (a/p) is this value: 0, 1 or -1 respectively
  Example: Let p = 5, then (0/5) = 0; (1/5) = (4/5) = 1; (2/5) = (3/5) = -1

Blum-Blum-Shub Generator - Security
► Jacobi symbol
  Let n be an odd positive integer with n = p_1^{e_1} p_2^{e_2} … p_r^{e_r}, where p_i is a prime factor of n and e_i is the power of that prime factor
  (a/n) = (a/p_1)^{e_1} (a/p_2)^{e_2} … (a/p_r)^{e_r}, where (a/p_i) is the Legendre symbol and (a/n) is the Jacobi symbol
  Example: Let n = 15 = 3*5
  (9/15) = (9/3)(9/5) = 0
  (11/15) = (11/3)(11/5) = (2/3)(1/5) = (-1)(1) = -1
  (8/15) = (8/3)(8/5) = (2/3)(3/5) = (-1)(-1) = 1
  (4/15) = (4/3)(4/5) = (1)(1) = 1

Blum-Blum-Shub Generator - Security
► Composite quadratic residues
  Let p, q be two odd primes and n = p*q
  If (x/n) = (x/p)(x/q) = 1, then either (x/p) = (x/q) = 1 and x is a quadratic residue modulo n, or (x/p) = (x/q) = -1 and x is a pseudo-square modulo n
  It is difficult to determine if x is a quadratic residue modulo n as factoring n = p*q is difficult
  Example: Let n = 15 = 3*5
  (8/15) = (8/3)(8/5) = (2/3)(3/5) = (-1)(-1) = 1; 8 is a pseudo-square
  (4/15) = (4/3)(4/5) = (1)(1) = 1; 4 is a quadratic residue
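
An added example (my code, not the lecture's) covering the four security slides above: Euler's criterion, the Legendre symbol computed from it, the Jacobi symbol built from the prime factorisation exactly as the slide defines it, and the quadratic-residue / pseudo-square split for n = p*q. The Jacobi symbol is computed by factoring n, which is only possible here because n is tiny; that is the point of the last slide, since for a large n the symbol (x/n) = 1 can be computed without the factors (by quadratic reciprocity, not shown) but does not reveal which of the two cases holds. Function names are mine; the numeric examples are the lecture's.

```python
# Added example (not from the lecture): Euler's criterion, Legendre and Jacobi
# symbols, and quadratic residues versus pseudo-squares modulo n = p*q.

def _prime_power_factorisation(n):
    """{p_i: e_i} by trial division; adequate only for the small n used here."""
    fs, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            fs[d] = fs.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        fs[n] = fs.get(n, 0) + 1
    return fs


def euler_criterion(a, p):
    """a^((p-1)/2) mod p for an odd prime p: 0, 1, or p-1 (which is -1 mod p)."""
    return pow(a, (p - 1) // 2, p)


def legendre(a, p):
    """Legendre symbol (a/p) in {-1, 0, 1}, read off Euler's criterion."""
    r = euler_criterion(a, p)
    return -1 if r == p - 1 else r


def jacobi(a, n):
    """Jacobi symbol (a/n) = product of (a/p_i)^e_i over the factorisation of odd n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be an odd positive integer")
    result = 1
    for p, e in _prime_power_factorisation(n).items():
        result *= legendre(a, p) ** e
    return result


def quadratic_residues(p):
    """The quadratic residues modulo the odd prime p, by squaring every unit."""
    return {pow(x, 2, p) for x in range(1, p)}


def classify_mod_pq(x, p, q):
    """For n = p*q: 'quadratic residue' when (x/p) = (x/q) = 1, 'pseudo-square' when
    both are -1 (so (x/n) = 1 in both cases), otherwise 'non-residue'."""
    lp, lq = legendre(x, p), legendre(x, q)
    if lp == lq == 1:
        return "quadratic residue"
    if lp == lq == -1:
        return "pseudo-square"
    return "non-residue"


if __name__ == "__main__":
    # The lecture's examples: p = 5 and n = 15 = 3*5.
    print("QRs mod 5:", sorted(quadratic_residues(5)))
    print("(a/5) for a = 0..4:", [legendre(a, 5) for a in range(5)])
    print("(9/15), (11/15), (8/15), (4/15):", [jacobi(a, 15) for a in (9, 11, 8, 4)])
    for x in (8, 4):
        print(x, "mod 15 is a", classify_mod_pq(x, 3, 5), "with Jacobi symbol", jacobi(x, 15))
```

The last loop shows the residuosity problem in miniature: 8 and 4 both have Jacobi symbol 1 modulo 15, and only knowing the factors 3 and 5 separates the pseudo-square from the genuine quadratic residue.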

Blum-Blum-Shub Generator - Security
► Why p ≡ q ≡ 3 mod 4
  Such that every quadratic residue x has a square root y which is itself a quadratic residue
  Denote the square root of x to be y, that is, x = y^2 mod n
  Let p = 4m+3, then m = (p-3)/4
  ► y = x^{(p+1)/4} mod p is a principal square root of x modulo p
    x^{(p-1)/2} = x^{(4m+3-1)/2} = x^{2m+1} = 1 mod p (Euler's criterion)
    => x^{2m+2} = x mod p => (x^{m+1})^2 = x mod p => y = x^{m+1} = x^{(p+1)/4}
  ► y is a quadratic residue
    y^{(p-1)/2} = (x^{(p+1)/4})^{(p-1)/2} = (x^{(p-1)/2})^{(p+1)/4} = 1^{(p+1)/4} = 1 mod p
  Similarly for q, y = x^{(q+1)/4} mod q
  Since n = p*q and x is a quadratic residue modulo n, x has a unique square root modulo n that is itself a quadratic residue (Chinese remainder theorem)
  As a result, the mapping from x to x^2 mod n is a bijection from the set of quadratic residues modulo n onto itself
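
The argument of the slide above, carried out in code as an added example (mine, not the lecture's): the principal square root x^{(p+1)/4} mod p, its combination across p and q by the Chinese remainder theorem, and a direct check that squaring permutes the quadratic residues modulo n = p*q when both primes are 3 mod 4, and that it does not for the lecture's n = 15 (5 is 1 mod 4), which is why the lecture never uses 15 as a BBS modulus. Parameters are constructed toy values; function names are mine.

```python
# Added example (not from the lecture): principal square roots for p = 3 mod 4,
# CRT combination to the quadratic-residue root modulo p*q, and the permutation check.
from math import gcd


def is_qr_mod_prime(x, p):
    """Euler's criterion: x is a quadratic residue mod odd prime p iff x^((p-1)/2) = 1."""
    return pow(x, (p - 1) // 2, p) == 1


def principal_sqrt_mod_prime(x, p):
    """For p = 3 mod 4 and x a quadratic residue mod p: y = x^((p+1)/4) mod p,
    the square root of x that is itself a quadratic residue."""
    if p % 4 != 3:
        raise ValueError("p must be 3 mod 4")
    if not is_qr_mod_prime(x, p):
        raise ValueError("x is not a quadratic residue modulo p")
    return pow(x, (p + 1) // 4, p)


def crt(yp, p, yq, q):
    """Combine y = yp mod p and y = yq mod q into y mod p*q (Chinese remainder theorem)."""
    return (yp * q * pow(q, -1, p) + yq * p * pow(p, -1, q)) % (p * q)


def qr_sqrt_mod_pq(x, p, q):
    """The unique square root of x modulo n = p*q that is a quadratic residue mod n."""
    return crt(principal_sqrt_mod_prime(x, p), p, principal_sqrt_mod_prime(x, q), q)


def quadratic_residues_mod_n(n):
    """Sorted squares of the units of Z_n."""
    return sorted({pow(u, 2, n) for u in range(1, n) if gcd(u, n) == 1})


def squaring_is_permutation(p, q):
    """True iff x -> x^2 mod p*q maps the quadratic residues mod p*q bijectively onto
    themselves; holds for Blum integers (p = q = 3 mod 4), not in general."""
    n = p * q
    qrs = quadratic_residues_mod_n(n)
    return sorted(pow(x, 2, n) for x in qrs) == qrs


if __name__ == "__main__":
    # Constructed examples: n = 3*7 = 21 and n = 7*11 = 77 are Blum integers; 15 is not.
    print("QRs mod 21:", quadratic_residues_mod_n(21))
    print("QR square root of 4 mod 21:", qr_sqrt_mod_pq(4, 3, 7))
    print("QR square root of 4 mod 77:", qr_sqrt_mod_pq(4, 7, 11))
    for p, q in ((3, 7), (7, 11), (3, 5)):
        print(f"squaring permutes QRs mod {p*q}:", squaring_is_permutation(p, q))
```

For a prime p = 3 mod 4, -1 is a non-residue, so of the two roots ±y exactly one is a quadratic residue; the CRT step picks that root modulo p and modulo q simultaneously, which is the uniqueness the slide invokes. The root 9 of 4 modulo 77 returned here is also the BBS predecessor of 4 in the run 9 → 4 → 16 → 25 from a seed of 3.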

Blum-Blum-Shub Generator - Application
► The basis for the Blum-Goldwasser probabilistic public-key encryption
  To generate the keystream during encryption and decryption

Standardized PRNGs
► General characteristics
  Not been proven to be cryptographically secure
  Sufficient for most applications
  Using one-way functions such as the hash function SHA-1 or the block cipher DES with secret key k
► Examples
  ANSI X9.17 Generator
  FIPS 186 Generator

ANSI X9.17 Generator
► Algorithm
  Let s be a random secret 64-bit seed, E_k be the DES E-D-E two-key triple-encryption with key k, and m be an integer
  I = E_k(D), where D is a 64-bit representation of the date/time with the finest available resolution
  For i = 1, …, m do
    x_i = E_k(I XOR s)
    s = E_k(x_i XOR I)
  Return (x_1, x_2, …, x_m): m pseudo-random 64-bit strings
► Used as an initialization vector or a key for DES

FIPS 186 Generator
► Used for DSA private keys
► Algorithm
  Let q be a 160-bit prime number, and m be an integer
  Let (b, G) = (160, DES) or (b, G) = (160..512, SHA-1)
  Let s be a random secret seed with b bits
  Let t be a 160-bit constant, t = 67452301 efcdab89 98badcfe 10325476 c3d2e1f0
  For i = 1 … m do
    Either select a b-bit string y_i, or set y_i = 0 (optional user input)
    z_i = (s + y_i) mod 2^b
    a_i = G(t, z_i) mod q
    s = (1 + s + a_i) mod 2^b
  Return (a_1, a_2, …, a_m): m pseudo-random numbers in [0, q-1]

FIPS 186 Generator
► Used for DSA per-message secret numbers
► Algorithm
  Let q be a 160-bit prime number, and m be an integer
  Let (b, G) = (160, DES) or (b, G) = (160..512, SHA-1)
  Let s be a random secret seed with b bits
  Let t be a 160-bit constant, t = efcdab89 98badcfe 10325476 c3d2e1f0 67452301
  For i = 1 … m do
    k_i = G(t, s) mod q
    s = (1 + s + k_i) mod 2^b
  Return (k_1, k_2, …, k_m): m pseudo-random numbers in [0, q-1]
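
Both FIPS 186 slides above, implemented with SHA-1 as G, as an added example (my code, not the lecture's and not the standard's). Two things are assumptions rather than content of the slides: the construction of G(t, c) as a single SHA-1 compression of c zero-padded to 512 bits with t as the chaining value (my reading of FIPS 186-2 Appendix 3.3), and the use of the Mersenne prime 2^127 - 1 as a stand-in for the 160-bit prime q so the run is self-contained. The DES variant of G is not implemented. Because the first constant t is SHA-1's own initial value, the compression function can be validated against hashlib before it is used as G.

```python
# Added example (not the lecture's or the standard's code): the FIPS 186 generator
# for DSA private keys and per-message secrets, with SHA-1 as G.
# ASSUMPTION: G(t, c) = one SHA-1 compression of c (zero-padded to 512 bits) under
# chaining value t, per my reading of FIPS 186-2 Appendix 3.3.
import hashlib
import struct

# The 160-bit constants from the slides, as five 32-bit words.
T_PRIVATE_KEY = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
T_PER_MESSAGE = (0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0, 0x67452301)
MASK32 = 0xFFFFFFFF
# Constructed stand-in for the 160-bit prime q: a Mersenne prime, so certainly prime.
Q_SAMPLE = 2**127 - 1


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(h, block):
    """One SHA-1 compression of a 64-byte block with chaining value h (5 words)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & MASK32) + e + k + w[i]) & MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))


def sha1_hex(message):
    """Full SHA-1 (padding plus chaining); here only to validate sha1_compress."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64) + struct.pack(">Q", len(message) * 8)
    h = T_PRIVATE_KEY  # SHA-1's initial value; the slide's first t is the same constant
    for off in range(0, len(padded), 64):
        h = sha1_compress(h, padded[off:off + 64])
    return "".join("%08x" % x for x in h)


def sha1_matches_hashlib(message):
    return sha1_hex(message) == hashlib.sha1(message).hexdigest()


def G(t, c, nbits):
    """G(t, c): the b-bit integer c zero-padded to 512 bits, compressed once under t."""
    if not (160 <= nbits <= 512 and nbits % 8 == 0):
        raise ValueError("b must be a multiple of 8 in 160..512")
    block = c.to_bytes(nbits // 8, "big") + b"\x00" * (64 - nbits // 8)
    words = sha1_compress(t, block)
    return int.from_bytes(b"".join(struct.pack(">I", x) for x in words), "big")


def fips186_private_keys(seed, q, m, nbits=160, user_inputs=None):
    """DSA private keys: z_i = (s + y_i) mod 2^b, a_i = G(t, z_i) mod q,
    s = (1 + s + a_i) mod 2^b, with y_i the optional user input (0 if absent)."""
    s, mod, out = seed, 1 << nbits, []
    for i in range(m):
        y = user_inputs[i] if user_inputs is not None else 0
        z = (s + y) % mod
        a = G(T_PRIVATE_KEY, z, nbits) % q
        s = (1 + s + a) % mod
        out.append(a)
    return out


def fips186_per_message_secrets(seed, q, m, nbits=160):
    """DSA per-message secrets: k_i = G(t, s) mod q, s = (1 + s + k_i) mod 2^b,
    using the rotated constant t from the second slide."""
    s, mod, out = seed, 1 << nbits, []
    for _ in range(m):
        k = G(T_PER_MESSAGE, s, nbits) % q
        s = (1 + s + k) % mod
        out.append(k)
    return out


if __name__ == "__main__":
    print("sha1_compress agrees with hashlib:", sha1_matches_hashlib(b"abc"))
    print("private keys:", fips186_private_keys(12345, Q_SAMPLE, 3))  # seed 12345 is constructed
    print("per-message secrets:", fips186_per_message_secrets(12345, Q_SAMPLE, 3))
```

The state update s = (1 + s + a_i) mod 2^b is what makes this a generator rather than a hash of a counter: each output feeds back into the secret state, and the "+1" guarantees the state changes even when G returns 0. Note that the per-message variant has no user-input term and a different t, so the two slides never produce the same stream from the same seed.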

Quiz
1. Name one criterion when considering a pseudo-random number generator to be cryptographically secure
2. Name the one-way function that the Blum-Micali generator is based on
3. What are the four concepts that are used when considering the security of the Blum-Blum-Shub generator?
4. Let p be an odd prime and p ≡ 3 mod 4. Let x be a quadratic residue modulo p. Let y be the principal square root of x. What is y in terms of x and p?
5. Name the two standardized pseudo-random number generators
Bonus: What are the two objectives when designing a pseudo-random number generator?