Random numbers
Pseudo Random Number Generators
Primality testing

Aletta Nylén @ UU/IT 2009-05-28

Important:
• Key generation for public-key systems (PKS)
• Key generation for symmetric ciphers
• Nonces (one-time values)
• Randomness makes guessing impossible

Requirements on a sequence of random numbers
• Randomness (statistical)
  1. Uniform distribution: the relative frequency curve is flat
  2. Independence: no single value can be inferred from the others in the sequence
• Unpredictability (practical)
  - Future elements are not predictable from earlier ones
  - Even though the sequence is generated by a deterministic algorithm!

Sources of randomness
• True randomness
  - Physical noise generators
    - Radiation event detectors, etc.
    - Impractical, slow, low precision
• Tables of statistically random numbers
  - Limited in size
  - Predictable
• Algorithms
  - Deterministic: not statistically random
  - Pseudo-randomness suffices (if good enough)

Requirements on a random number generation function
• Should generate the full period (all $m$ values in $[0, m-1]$) before repeating the sequence
• Should pass reasonable tests of statistical randomness
• Should be efficiently implementable

Linear congruences
• Lehmer, 1951: $x_{n+1} = (a x_n + c) \bmod m$, given $x_0$, $a$, $c$ and $m$
• Examples:
  - $a = c = 1$ gives $x_{n+1} = (x_n + 1) \bmod m$
  - $a = 7$, $c = 0$, $m = 32$, $x_0 = 1$ gives $\{7, 17, 23, 1\}$ (period 4, far from the full period of 32)
• If $m$ is prime and $c = 0$, some values of $a$ pass all three tests
  - Ex: $m = 2^{31} - 1$, $a = 7^5 = 16807$ (the Park–Miller "minimal standard") is widely used for statistics

Linear congruences, cont.
• Linear congruences are fast, simple, and pass the requirements
• Linear congruences are predictable
  - Given the parameters $a$, $c$, $m$, a single $x$ makes the rest predictable
  - Given a part of the sequence, the parameters can be found
  - Ex: given $x_n, x_{n+1}, x_{n+2}, x_{n+3}$:
    $x_{n+1} = (a x_n + c) \bmod m$
    $x_{n+2} = (a x_{n+1} + c) \bmod m$
    $x_{n+3} = (a x_{n+2} + c) \bmod m$
    three equations in the unknowns $a$, $c$ (and $m$)

Linear Feedback Shift Registers
• $n$-bit shift register that pseudo-randomly cycles through $2^n - 1$ values
• Fast: minimal combinatorial logic involved
• Shift register $R = (r_n, \ldots, r_1)$ of bits
• Tap sequence $T = (t_n, \ldots, t_1)$ of bits
• Output: $r_1$
• Feedback: $r_i \leftarrow r_{i+1}$ for $i \in [1, n-1]$, and
  $r_n \leftarrow T \cdot R = \sum_{i=1}^{n} t_i r_i \bmod 2 = t_1 r_1 \oplus \cdots \oplus t_n r_n$
• So $R' = H R \bmod 2$, where $H$ is an $n \times n$ matrix whose first row is $T$ and whose remaining rows have a 1 on the subdiagonal and 0 elsewhere
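The linear congruence material above (the generator, its period, and the predictability attack), as an added Python example that is not code from the slides. It assumes Python 3.8+ for `pow(x, -1, m)`. The slide solves for $a$ and $c$ with $m$ known; `recover_m` goes one step further, for an unknown modulus: consecutive differences $t_i = x_{i+1} - x_i$ satisfy $t_{i+1} = a t_i \pmod m$, so $t_{i+1} t_{i-1} - t_i^2$ is a multiple of $m$, and the gcd of several such values is $m$ with high probability (in rare cases a small multiple of it, which a prediction check on held-out outputs exposes).

```python
from math import gcd
from itertools import islice


def lcg(x0, a, c, m):
    """Lehmer's linear congruential generator: yields x_1, x_2, ... from x_0."""
    x = x0
    while True:
        x = (a * x + c) % m
        yield x


def lcg_outputs(x0, a, c, m, count):
    return list(islice(lcg(x0, a, c, m), count))


def lcg_cycle(x0, a, c, m):
    """Values generated from x0 until the first repeat; a full-period
    generator returns all m values, the slide's (7, 0, 32) example only 4."""
    seen, cycle = set(), []
    for x in lcg(x0, a, c, m):
        if x in seen:
            return cycle
        seen.add(x)
        cycle.append(x)


def recover_a_c(xs, m):
    """With m known and three consecutive outputs: x2 - x1 = a (x1 - x0) (mod m),
    then c = x1 - a x0 (mod m). Needs gcd(x1 - x0, m) = 1, always true for prime m."""
    x0, x1, x2 = xs[:3]
    a = (x2 - x1) * pow(x1 - x0, -1, m) % m
    c = (x1 - a * x0) % m
    return a, c


def recover_m(xs):
    """With m unknown: t_{i+1} t_{i-1} - t_i^2 is 0 mod m for consecutive
    differences t, so the gcd over several i is a (w.h.p. trivial) multiple of m."""
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    m = 0
    for i in range(1, len(t) - 1):
        m = gcd(m, abs(t[i + 1] * t[i - 1] - t[i] * t[i]))
    return m


def predict_next(xs, a, c, m):
    """Once a, c, m are known, every later output follows from the last one seen."""
    return (a * xs[-1] + c) % m


if __name__ == "__main__":
    M = 2 ** 31 - 1                      # Park-Miller parameters from the slide
    xs = lcg_outputs(1, 16807, 0, M, 12)  # 12 observed outputs
    m_hat = recover_m(xs)
    a_hat, c_hat = recover_a_c(xs, m_hat)
    print("cycle of (7,0,32):", lcg_cycle(1, 7, 0, 32))
    print("recovered m, a, c:", m_hat, a_hat, c_hat)
    print("prediction of x_13 correct:", predict_next(xs, a_hat, c_hat, m_hat) == lcg_outputs(1, 16807, 0, M, 13)[-1])
```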

LFSR, cont.
• An $n$-bit LFSR generates a pseudo-random bit sequence of length $2^n - 1$ if $T$ causes $R$ to cycle through all non-zero values before repeating
• This happens if the polynomial
  $T(x) = t_n x^n + t_{n-1} x^{n-1} + \cdots + t_1 x + 1$
  is primitive
• A primitive polynomial of degree $n$ is an irreducible polynomial that divides $x^{2^n - 1} + 1$ but not $x^d + 1$ for any proper divisor $d$ of $2^n - 1$

LFSR example
• $T = (1, 0, 0, 1)$, so
  $H = \begin{pmatrix} 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \end{pmatrix}$
• $T(x) = x^4 + x + 1$ is primitive: given a non-zero $R$ it generates all 15 non-zero values of $\mathbb{Z}_{16}$ (written as 4-bit strings $r_4 r_3 r_2 r_1$):
  0001, 1000, 1100, 1110, 1111, 0111, 1011, 0101, 1010, 1101, 0110, 0011, 1001, 0100, 0010
• Output stream (rightmost bits): 100011110101100
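The LFSR definition, its matrix form $R' = HR \bmod 2$, and the maximal-length check from the slides above, as an added Python example (not code from the slides). State and taps use the slide's ordering $(r_n, \ldots, r_1)$ and $(t_n, \ldots, t_1)$; `is_maximal_length` tests primitivity of $T(x)$ the way the slide defines it, by checking whether a non-zero start state cycles through all $2^n - 1$ non-zero states. The tap set $(1,1,1,1)$, i.e. $x^4 + x^3 + x^2 + x + 1$, is included as a counterexample: it is irreducible but has period 5.

```python
def lfsr_step(state, taps):
    """One clock of the LFSR: state = (r_n, ..., r_1), taps = (t_n, ..., t_1).
    New r_n = T.R mod 2; every other r_i takes the old r_{i+1}; old r_1 is the output."""
    feedback = sum(t & r for t, r in zip(taps, state)) & 1
    return (feedback,) + state[:-1]


def lfsr_run(state, taps, nbits):
    """Successive states and the output bits (r_1 of each state)."""
    states, out = [], []
    for _ in range(nbits):
        states.append(state)
        out.append(state[-1])
        state = lfsr_step(state, taps)
    return states, out


def companion_matrix(taps):
    """H from the slide: first row T, then a 1 on the subdiagonal, so R' = H R mod 2."""
    n = len(taps)
    H = [list(taps)]
    for i in range(1, n):
        H.append([1 if j == i - 1 else 0 for j in range(n)])
    return H


def matvec_mod2(H, v):
    return tuple(sum(h & x for h, x in zip(row, v)) & 1 for row in H)


def period(state, taps):
    """Clocks until the register returns to `state`; 0 if it never does
    (e.g. all-zero taps drive any state into the fixed point 0...0)."""
    s = lfsr_step(state, taps)
    for k in range(1, 2 ** len(taps) + 1):
        if s == state:
            return k
        s = lfsr_step(s, taps)
    return 0


def is_maximal_length(taps):
    """T(x) primitive <=> one (hence every) non-zero state has period 2^n - 1."""
    n = len(taps)
    start = (0,) * (n - 1) + (1,)
    return period(start, taps) == 2 ** n - 1


if __name__ == "__main__":
    T = (1, 0, 0, 1)                       # x^4 + x + 1
    states, bits = lfsr_run((0, 0, 0, 1), T, 15)
    print(" ".join("".join(map(str, s)) for s in states))
    print("output:", "".join(map(str, bits)))
    print("maximal length:", is_maximal_length(T), "period of (1,1,1,1):", period((0, 0, 0, 1), (1, 1, 1, 1)))
```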

LFSR for encryption
• An LFSR can be used as the key stream of a Vernam cipher: $c_i = m_i \oplus k_i$
• Easily broken: $2n$ pairs of $(c_i, m_i)$ suffice:
  - $m_i \oplus c_i = m_i \oplus (m_i \oplus k_i) = k_i$ for $i \in [1, 2n]$
  - Let $X = ((k_n, \ldots, k_1), (k_{n+1}, \ldots, k_2), \ldots, (k_{2n-1}, \ldots, k_n))$
    and $Y = ((k_{n+1}, \ldots, k_2), (k_{n+2}, \ldots, k_3), \ldots, (k_{2n}, \ldots, k_{n+1}))$
    (the columns of $X$ are $n$ consecutive register states, those of $Y$ the same states one clock later)
  - $Y = H X \bmod 2$, and since $X$ is always nonsingular, $H = Y X^{-1} \bmod 2$, and $T$ is the first row of $H$
  - Inverting $X$ is $O(n^3)$: about 1 day for $n = 1000$ on a 1 MIPS machine

LFSR, cont.
• Combinations of LFSRs:
  - Geffe: $z = (a \wedge b) \oplus (\neg b \wedge c)$, where $a$ = LFSR(7), $b$ = LFSR(5), $c$ = LFSR(8), gives a period of $(2^7 - 1)(2^5 - 1)(2^8 - 1) = 1\,003\,935 \approx 10^6$
  - Still weak: $p(z = a) = 3/4$, $p(z = c) = 3/4$
  - GSM uses "A5" with LFSRs of length 19, 22, 23
• LFSRs are fast!

Cryptographic RNGs
• In cryptography, we want to reduce redundancy and give minimal information about $m$ given $c$
• Use this for random number generation!
• Examples:
  - Cyclic encryption: $x_i = E_k(n_i \bmod m)$, where $n_{i+1} = n_i + 1$
  - $n_i \neq n_{i+1}$ gives $x_i \neq x_{i+1}$, and decryption without $k$ is hard, so the sequence is (computationally) unpredictable!
  - E.g., use DES in OFB mode, or use a PRNG instead of the counter

ANSI X9.17 PRNG
• Uses three triple-DES encryptions (112-bit key)
  - Two "random" sources: date/time and seed
  - Feedback of the seed value
  - The random value $R_i$ does not reveal the seed $V_{i+1}$
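The two block-cipher constructions above, cyclic (counter-mode) encryption and the ANSI X9.17 generator, as an added Python example that is not code from the slides. The X9.17 dataflow it implements is the one from the standard: $I_i = E_k(DT_i)$, $R_i = E_k(I_i \oplus V_i)$, $V_{i+1} = E_k(R_i \oplus I_i)$. One assumption, made so the example runs without third-party packages: the 64-bit triple-DES block function is replaced by HMAC-SHA256 truncated to 8 bytes, a keyed PRF rather than a permutation, so the $x_i \neq x_{i+1}$ guarantee of the slide holds only with overwhelming probability here.

```python
import hashlib
import hmac
import struct


def prf64(key, block):
    """Stand-in for E_k on a 64-bit block (3DES in X9.17): HMAC-SHA256 truncated
    to 8 bytes. Assumption for a dependency-free demo, not the standard's cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def counter_mode_prng(key, start, count):
    """Cyclic encryption from the slide: x_i = E_k(n_i) with n_{i+1} = n_i + 1."""
    return [prf64(key, struct.pack(">Q", start + i)) for i in range(count)]


class X917:
    """ANSI X9.17 generator: date/time block DT and seed V are the two inputs,
    three encryptions per output, and the seed is fed back after every call."""

    def __init__(self, key, seed):
        self.key = key
        self.v = seed                       # 8-byte seed V_i

    def generate(self, dt):
        i = prf64(self.key, dt)             # I_i   = E_k(DT_i)
        r = prf64(self.key, xor(i, self.v))  # R_i   = E_k(I_i xor V_i)
        self.v = prf64(self.key, xor(r, i))  # V_i+1 = E_k(R_i xor I_i)
        return r


def x917_outputs(key, seed, dts):
    """Run one generator over a list of DT blocks and return the R_i values."""
    g = X917(key, seed)
    return [g.generate(dt) for dt in dts]


if __name__ == "__main__":
    key = bytes(range(16))                  # constructed 128-bit key (2-key 3DES size)
    seed = b"\x00" * 8
    dts = [struct.pack(">Q", 1243468800 + s) for s in range(3)]   # constructed timestamps
    for r in x917_outputs(key, seed, dts):
        print(r.hex())
    print([x.hex() for x in counter_mode_prng(key, 0, 3)])
```

Reading the equations: an observer who sees $R_i$ would need $k$ to get $I_i \oplus V_i$ back, and $V_{i+1}$ is a further encryption of $R_i \oplus I_i$, which is why the slide states that $R_i$ does not reveal $V_{i+1}$; knowledge of the time input alone does not help without $k$.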

Blum Blum Shub
• $p, q$ large primes s.t. $p \equiv q \equiv 3 \pmod 4$
  $n = pq$
  $s$ random s.t. $\gcd(n, s) = 1$
• Output: bit sequence $B_i$
  $x_0 = s^2 \bmod n$
  for ($i = 1$; $i > 0$; $i$++) {
    $x_i = x_{i-1}^2 \bmod n$;
    $B_i = x_i \bmod 2$;
  }

BBS is a CSPRBG
• The BBS is a cryptographically secure pseudo-random bit generator (CSPRBG): it passes the next-bit test:
  - Given the first $k$ bits, there is no polynomial-time algorithm that predicts the next bit with probability significantly better than 1/2
• Security is based on the (assumed) hardness of factoring $n$
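The Blum Blum Shub generator above with its parameter checks, plus what "security based on factorization" means in practice, as an added Python example (not code from the slides). `bbs_jump` is the trapdoor: whoever knows $p$ and $q$ can compute $x_i = x_0^{2^i \bmod \lambda(n)} \bmod n$ directly, with $\lambda(n) = \mathrm{lcm}(p-1, q-1)$, instead of squaring $i$ times; without the factorization that shortcut is unavailable. The sample parameters $p = 383$, $q = 503$, $s = 101355$ are a textbook toy instance (far too small for real use) chosen so the values can be checked by hand.

```python
from math import gcd


def bbs_params_ok(p, q, s):
    """Both primes must be 3 mod 4 (so squaring permutes the quadratic residues
    mod n) and the seed must be coprime to n."""
    return p % 4 == 3 and q % 4 == 3 and p != q and gcd(p * q, s) == 1


def bbs_states(p, q, s, count):
    """x_0 = s^2 mod n and the next `count` squarings x_i = x_{i-1}^2 mod n."""
    if not bbs_params_ok(p, q, s):
        raise ValueError("need p = q = 3 (mod 4), p != q and gcd(n, s) = 1")
    n = p * q
    x = s * s % n
    xs = [x]
    for _ in range(count):
        x = x * x % n
        xs.append(x)
    return xs


def bbs_bits(p, q, s, count):
    """Output bits B_i = x_i mod 2 for i = 1..count."""
    return [x & 1 for x in bbs_states(p, q, s, count)[1:]]


def bbs_jump(p, q, s, i):
    """Trapdoor evaluation with the factorization known: since gcd(x_0, n) = 1,
    x_0^lambda(n) = 1 (mod n), so x_i = x_0^(2^i mod lambda(n)) mod n."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    x0 = s * s % n
    return pow(x0, pow(2, i, lam), n)


if __name__ == "__main__":
    p, q, s = 383, 503, 101355           # toy parameters, n = 192649
    print("states:", bbs_states(p, q, s, 5))
    print("bits  :", bbs_bits(p, q, s, 20))
    print("x_1000 via trapdoor == via squaring:",
          bbs_jump(p, q, s, 1000) == bbs_states(p, q, s, 1000)[-1])
```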
