PseudoPseudo--random Number random Number Generation Generation

Qiuliang TangQiuliang Tang

Random Numbers in Cryptography Random Numbers in Cryptography

►►

The keystream in the oneThe keystream in the one--time padtime pad

►►

The secret key in the DES encryptionThe secret key in the DES encryption

►►

The prime numbers p, q in the RSA encryptionThe prime numbers p, q in the RSA encryption

►►

The private key in DSA The private key in DSA

►►

The initialization vectors (IVs) used in ciphersThe initialization vectors (IVs) used in ciphers

PseudoPseudo--random Number Generatorrandom Number Generator

►►

PseudoPseudo--random number generatorrandom number generator: :

A polynomialA polynomial--time computable function f (x) that expands a short time computable function f (x) that expands a short random string x into a long string f (x) that appears randomrandom string x into a long string f (x) that appears random

►►

Not truly random in thatNot truly random in that: :

Deterministic algorithmDeterministic algorithm

Dependent on initial valuesDependent on initial values

►►

Objectives Objectives

FastFast

SecureSecure

PseudoPseudo--random Number Generatorrandom Number Generator

►►

Classical Classical PRNGsPRNGs

Linear Linear CongruentialCongruential GeneratorGenerator

►►

Cryptographically Secure Cryptographically Secure PRNGsPRNGs

RSA GeneratorRSA Generator

BlumBlum--MicaliMicali GeneratorGenerator

BlumBlum--BlumBlum--ShubShub GeneratorGenerator

►►

Standardized Standardized PRNGsPRNGs

ANSI X9.17 GeneratorANSI X9.17 Generator

FIPS 186 GeneratorFIPS 186 Generator

Linear Congruential Generator Linear Congruential Generator -- AlgorithmAlgorithm

►►

Based on the linear recurrence:Based on the linear recurrence:xx ii = a x= a x ii--1 1 + b mod m+ b mod m ii≥≥11

WhereWherexx 00 is the seed or start valueis the seed or start valuea is the multipliera is the multiplierb is the incrementb is the incrementm is the modulusm is the modulus

Output Output (x(x 11 , x, x 22 , , ……, , xx kk ))yy ii = x= x ii mod 2mod 2Y = (yY = (y 11 yy 22 ……yy kk ) )

pseudopseudo--random sequence of K bitsrandom sequence of K bits

Linear Congruential Generator Linear Congruential Generator -- ExampleExample

►►

Let Let xx nn = 3 x= 3 x nn--1 1 + 5 mod 31 n+ 5 mod 31 n≥≥1, and 1, and xx 00 = 2= 2

3 and 31 are relatively prime, one3 and 31 are relatively prime, one--toto--one (affine cipher) one (affine cipher)

31 is prime, order is 3031 is prime, order is 30

►►

Then we have the 30 residues in a cycle:Then we have the 30 residues in a cycle:

2, 11, 7, 26, 21, 6, 23, 12, 10, 4, 17, 25, 18, 28, 27, 24, 15, 2, 11, 7, 26, 21, 6, 23, 12, 10, 4, 17, 25, 18, 28, 27, 24, 15, 19, 0, 19, 0, 5, 20, 3, 14, 16, 22, 9, 1, 8, 29, 305, 20, 3, 14, 16, 22, 9, 1, 8, 29, 30

►►

PseudoPseudo--random sequences of 10 bits random sequences of 10 bits

when xwhen x 00 = 2= 2

11010100011101010001

When xWhen x 00 = 3= 3

00011010010001101001

Linear Congruential Generator Linear Congruential Generator -- SecuritySecurity

►►

Fast, but insecureFast, but insecure

Sensitive to the choice of parameters a, b, and mSensitive to the choice of parameters a, b, and m

Serial correlation between successive valuesSerial correlation between successive values

Short period, often m=2Short period, often m=23232 or m=2or m=26464

Linear Congruential Generator Linear Congruential Generator -- ApplicationApplication

►►

Used commonly in compilersUsed commonly in compilers

Rand()Rand()

►►

Not suitable for highNot suitable for high--quality randomness applicationsquality randomness applications

Issues with the RANDU random number algorithmIssues with the RANDU random number algorithm

Use Use MersenneMersenne Twister algorithm in Monte Carlo simulationsTwister algorithm in Monte Carlo simulations

Longer period 2Longer period 21993719937--11

►►

Not suitable for cryptographic applicationsNot suitable for cryptographic applications

Use cryptographically secure pseudoUse cryptographically secure pseudo--random number generatorsrandom number generators

Cryptographically Secure Cryptographically Secure

►►

Passing all polynomialPassing all polynomial--time statistical teststime statistical tests

There is no polynomialThere is no polynomial--time algorithm that can correctly distinguish time algorithm that can correctly distinguish a string of k bits generated by a pseudoa string of k bits generated by a pseudo--random bit generator random bit generator (PRBG) from a string of k truly random bits with probability (PRBG) from a string of k truly random bits with probability significantly greater than significantly greater than ½½

Probability distributions indistinguishableProbability distributions indistinguishable

►►

Passing the nextPassing the next--bit testbit test

Given the first k bits of a string generated by PRBG, there is nGiven the first k bits of a string generated by PRBG, there is no o polynomialpolynomial--time algorithm that can correctly predict the next time algorithm that can correctly predict the next (k+1)(k+1)th th bit with probability significantly greater than bit with probability significantly greater than ½½

NextNext--bit unpredictablebit unpredictable

►►

The two notions are equivalentThe two notions are equivalent

Proved by Proved by YaoYao

Cryptographically Secure Cryptographically Secure PRNGsPRNGs

►►

A PRNG from any oneA PRNG from any one--way functionway function

A function f is oneA function f is one--way if it is easy to compute y = f (x) but hard to way if it is easy to compute y = f (x) but hard to compute x = f compute x = f --1 1 (y) (y)

There is a PRNG if and only if there is a oneThere is a PRNG if and only if there is a one--way functionway function

►►

OneOne--way functions way functions

The RSA functionThe RSA function

The discrete logarithm functionThe discrete logarithm function

The squaring functionThe squaring function

►►

Cryptographically secure Cryptographically secure PRNGsPRNGs

RSA GeneratorRSA Generator

BlumBlum--MicaliMicali GeneratorGenerator

BlumBlum--BlumBlum--ShubShub GeneratorGenerator

RSA Generator RSA Generator -- AlgorithmAlgorithm

►►

Based on the RSA oneBased on the RSA one--way function:way function:

xx ii = x= x ii--11

b b mod nmod n ii≥≥11

WhereWhere

xx 00 is the seed, an element of Zis the seed, an element of Z nn

**

n = p*q, p and q are large primesn = p*q, p and q are large primes

gcdgcd (b, (b, ΦΦ(n) ) = 1(n) ) = 1 where where ΦΦ(n) = (p(n) = (p--1)(q1)(q--1)1)

n and b are public, p and q are secretn and b are public, p and q are secret

OutputOutput(x(x 11 , x, x 22 , , ……, , xx kk ) ) yy ii = x= x ii mod 2mod 2Y = (yY = (y 11 yy 22 ……yy kk ) )

pseudopseudo--random sequence of K bitsrandom sequence of K bits

RSA Generator RSA Generator -- SecuritySecurity

►►

RSA Generator is provably secure RSA Generator is provably secure

It is difficult to predict the next number in the sequence given the previous numbers, assuming that it is difficult to invert the RSA function (Shamir)

RSA Generator RSA Generator -- EfficiencyEfficiency

►►

RSA Generator is relatively slow RSA Generator is relatively slow

Each pseudo-random bit yi requires a modular exponentiation operation

Can be improved by extracting j least significant bits of xi instead of 1 least significant bit, where j=cloglogn and c is a constant

Micali-Schnorr Generator improves the efficiency

BlumBlum--MicaliMicali Generator Generator -- ConceptConcept

►

Discrete logarithm

Let p be an odd prime, then (Zp

*, ·) is a cyclic group with order p-1

Let g be a generator of the group, then |<g>| = p-1, and for any element a in the group , we have gk = a mod p for some integer k

If we know k, it is easy to compute a

However, the inverse is hard to compute, that is, if we know a, it is hard to compute k = logg a

►

Example

(Z17

*, ·) is a cyclic group with order 16, 3 is the generator of the group and 316 = 1 mod 17

Let k=4, 34 = 13 mod 17, which is easy to compute

The inverse: 3k = 13 mod 17, what is k? what about large p?

BlumBlum--MicaliMicali Generator Generator -- AlgorithmAlgorithm

►

Based on the discrete logarithm one-way function:

Let p be an odd prime, then (Zp

*, ·) is a cyclic group

Let g be a generator of the group, then for any element a, we have gk = a mod p for some k

Let x0 be a seed

xi = gxi-1 mod p ii≥≥11

OutputOutput(x(x 11 , x, x 22 , , ……, , xx kk ))yy ii = 1= 1 if xif x ii ≥≥

(p(p--1)/21)/2

yy ii = 0 = 0 otherwiseotherwiseY = (yY = (y 11 yy 22 ……yy kk ) )

pseudopseudo--random sequence of K bitsrandom sequence of K bits

BlumBlum--MicaliMicali Generator Generator -- SecuritySecurity

►

Blum-Micali Generator is provably secure

It is difficult to predict the next bit in the sequence given the previous bits, assuming it is difficult to invert the discrete logarithm assuming it is difficult to invert the discrete logarithm function (by reduction)function (by reduction)

BlumBlum--BlumBlum--ShubShub Generator Generator -- ConceptConcept

►►

Quadratic residuesQuadratic residues

Let p be an odd prime and a be an integerLet p be an odd prime and a be an integer

a is a quadratic residue modulo p if a is not congruent to 0 moda is a quadratic residue modulo p if a is not congruent to 0 mod p p and there exists an integer x such that a and there exists an integer x such that a ≡≡

xx22 mod p mod p

a is a quadratic nona is a quadratic non--residue modulo p if a is not congruent to 0 residue modulo p if a is not congruent to 0 mod p and a is not a quadratic residue modulo p mod p and a is not a quadratic residue modulo p

►

Example

Let p=5, then 12 =1, 22 =4, 32 =4, 42 =1

1 and 4 are quadratic residues modulo 5

2 and 3 are quadratic non-residues modulo 5

BlumBlum--BlumBlum--ShubShub Generator Generator -- AlgorithmAlgorithm

►►

Based on the squaring oneBased on the squaring one--way functionway function

Let p, q be two odd primes and pLet p, q be two odd primes and p≡≡qq≡≡3 mod 43 mod 4

Let n = p*qLet n = p*q

Let xLet x 00 be a seed which is a quadratic residue modulo nbe a seed which is a quadratic residue modulo n

xx ii = x= x ii--11 22 mod nmod n ii≥≥11

OutputOutput

(x(x 11 , x, x 22 , , ……, , xx kk ) )

yy ii = x= x ii mod 2mod 2Y = (yY = (y 11 yy 22 ……yy kk ) )

pseudopseudo--random sequence of K bitsrandom sequence of K bits

BlumBlum--BlumBlum--ShubShub Generator Generator -- SecuritySecurity

►►

BlumBlum--BlumBlum--ShubShub Generator is provably secureGenerator is provably secure

EulerEuler’’s criterions criterion

LegendreLegendre symbolsymbol

JacobiJacobi symbolsymbol

Composite quadratic residuesComposite quadratic residues

BlumBlum--BlumBlum--ShubShub Generator Generator -- SecuritySecurity

►►

EulerEuler’’s criterions criterion

Let p be an odd prime. Then a is a quadratic residue modulo p ifLet p be an odd prime. Then a is a quadratic residue modulo p if and only if and only if aa(p(p--1)/21)/2 ≡≡

1 mod p1 mod p

►►

Proof:Proof:

Suppose a Suppose a ≡≡

xx22 mod p, thenmod p, then

aa(p(p--1)/2 1)/2 ≡≡

xx2*(p2*(p--1)/21)/2 ≡≡

xxpp--11 ≡≡

1 mod p (By Fermat1 mod p (By Fermat’’s little theorem)s little theorem)

Suppose aSuppose a(p(p--1)/21)/2 ≡≡

1 mod p. 1 mod p.

Let g be a generator of the group Let g be a generator of the group (Zp*, ·) , then a ≡≡

gk mod p for

some integer kWe have aa(p(p--1)/2 1)/2 ≡≡

gk*(p(p--1)/2 1)/2 ≡≡ gk/2 /2 ≡≡

1 mod p1 mod p

Then k must be even Then k must be even Let k=2m, then a Let k=2m, then a ≡≡

(g(gmm))2 2 mod pmod p

which means that a is a quadratic residue modulo p which means that a is a quadratic residue modulo p

BlumBlum--BlumBlum--ShubShub Generator Generator -- SecuritySecurity

►►

LegendreLegendre symbolsymbol

Let p be an odd prime and a be an integerLet p be an odd prime and a be an integer

If a is a multiple of p, then aIf a is a multiple of p, then a(p(p--1)/2 1)/2 ≡≡

0 mod p0 mod p

If a is a quadratic residue modulo p, then aIf a is a quadratic residue modulo p, then a(p(p--1)/2 1)/2 ≡≡

1 mod p1 mod p

If a is a quadratic nonIf a is a quadratic non--residue modulo p, then aresidue modulo p, then a(p(p--1)/2 1)/2 ≡≡

--1 mod p 1 mod p

since (asince (a(p(p--1)/21)/2))2 2 ≡≡

aapp--1 1 ≡≡

1 mod p1 mod p

Example: Let p=5Example: Let p=5(0/5)=0; (1/5)=(4/5)=1; (2/5)=(3/5)=(0/5)=0; (1/5)=(4/5)=1; (2/5)=(3/5)=--1 1

BlumBlum--BlumBlum--ShubShub Generator Generator -- SecuritySecurity

►►

JacobiJacobi symbolsymbol

Let n be an odd positive integerLet n be an odd positive integer

pp ii is the prime factor of n and is the prime factor of n and ee ii is the power of the prime factoris the power of the prime factor

(a/p(a/p ii ) is the ) is the LegendreLegendre symbol and (a/n) is the symbol and (a/n) is the JacobiJacobi symbolsymbol

Example: Let n=15=3*5Example: Let n=15=3*5(9/15)=(9/3)(9/5)=0(9/15)=(9/3)(9/5)=0(11/15)=(11/3)(11/5)=(2/3)(1/5)=((11/15)=(11/3)(11/5)=(2/3)(1/5)=(--1)(1)=1)(1)=--11(8/15)=(8/3)(8/5)=(2/3)(3/5)=((8/15)=(8/3)(8/5)=(2/3)(3/5)=(--1)(1)(--1)=11)=1(4/15)=(4/3)(4/5)=(1)(1)=1(4/15)=(4/3)(4/5)=(1)(1)=1

BlumBlum--BlumBlum--ShubShub Generator Generator -- SecuritySecurity

►►

Composite quadratic residuesComposite quadratic residues

Let p, q be two odd primes and n = p*qLet p, q be two odd primes and n = p*q

If (If (x/nx/n) = () = (x/p)(x/qx/p)(x/q) = 1, then) = 1, theneither (either (x/px/p) = () = (x/qx/q) = 1) = 1 x is a quadratic residue modulo nx is a quadratic residue modulo nor (or (x/px/p) = () = (x/qx/q) = ) = --1 1 x is a pseudox is a pseudo--square modulo nsquare modulo n

It is difficult to determine if x is a quadratic residue modulo It is difficult to determine if x is a quadratic residue modulo n as n as factoring n=p*q is difficultfactoring n=p*q is difficult

Example: Let n=15=3*5Example: Let n=15=3*5(8/15)=(8/3)(8/5)=(2/3)(3/5)=((8/15)=(8/3)(8/5)=(2/3)(3/5)=(--1)(1)(--1)=1; 8 is a pseudo1)=1; 8 is a pseudo--squaresquare(4/15)=(4/3)(4/5)=(1)(1)=1; (4/15)=(4/3)(4/5)=(1)(1)=1; 4 is a quadratic residue 4 is a quadratic residue

BlumBlum--BlumBlum--ShubShub Generator Generator -- SecuritySecurity

►►

Why pWhy p≡≡qq≡≡3 mod 43 mod 4

Such that every quadratic residue x has a square root y which isSuch that every quadratic residue x has a square root y which is itself a quadratic residue itself a quadratic residue

Denote the square root of x to be y, that is, x=yDenote the square root of x to be y, that is, x=y2 2 mod nmod n

Let p= 4m+3, then m=(pLet p= 4m+3, then m=(p--3)/4. 3)/4. ►► y = xy = x(p+1)/4(p+1)/4 mod p is a principal square root of x modulo p mod p is a principal square root of x modulo p

xx(p(p--1)/21)/2=x=x(4m+3(4m+3--1)/21)/2=x=x2m+12m+1=1 mod p => x=1 mod p => x2m+22m+2=x mod p =x mod p =>(x=>(xm+1m+1))2 2 = x mod p => y = x= x mod p => y = xm+1 m+1 = x= x(p+1)/4(p+1)/4

►► y is a quadratic residuey is a quadratic residueyy(p(p--1)/21)/2= (x= (x(p+1)/4(p+1)/4))(p(p--1)/21)/2= (x= (x(p(p--1)/21)/2))(p+1)/4(p+1)/4=1=1(p+1)/4(p+1)/4=1 mod p=1 mod p

Similar for q, y = xSimilar for q, y = x(q+1)/4(q+1)/4 mod q mod q

Since n=p*q and x is a quadratic residue modulo n, then x has a Since n=p*q and x is a quadratic residue modulo n, then x has a unique square root modulo n (Chinese remainder theorem)unique square root modulo n (Chinese remainder theorem)

As a result, the mapping from x to xAs a result, the mapping from x to x22 mod n is a mod n is a bijectionbijection from the from the set of quadratic residues modulo n onto itselfset of quadratic residues modulo n onto itself

BlumBlum--BlumBlum--ShubShub Generator Generator -- ApplicationApplication

►►

The basis for the BlumThe basis for the Blum--GoldwasserGoldwasser probabilistic publicprobabilistic public--key key encryptionencryption

To generate the To generate the keystreamkeystream during encryption and decryption during encryption and decryption

Standardized Standardized PRNGsPRNGs

►►

General characteristicsGeneral characteristics

Not been proven to be cryptographically secureNot been proven to be cryptographically secure

Sufficient for most applicationsSufficient for most applications

Using oneUsing one--way functions such as hash function SHAway functions such as hash function SHA--1 or block 1 or block cipher DES with secret key kcipher DES with secret key k

►►

ExamplesExamples

ANSI X9.17 GeneratorANSI X9.17 Generator

FIPS 186 GeneratorFIPS 186 Generator

ANSI X9.17 GeneratorANSI X9.17 Generator

►►

AlgorithmAlgorithm

Let s be a random secret 64Let s be a random secret 64--bit seed, bit seed, EE kk be the DES Ebe the DES E--DD--E twoE two--key key tripletriple--encryption with key k, and m be an integer encryption with key k, and m be an integer

I = I = EE kk (D), where D is a 64(D), where D is a 64--bit representation of the date/time with bit representation of the date/time with finest available resolutionfinest available resolution

For i=1,For i=1,……,m do,m doxx ii = = EE kk (I (I XOR s))s = s = EE kk (x(x ii XOR I) XOR I)

Return (xReturn (x 11 , x, x 22 , , ……xx mm ) )

m pseudom pseudo--random 64random 64--bit strings bit strings

►►

Used as an initialization vector or a key for DESUsed as an initialization vector or a key for DES

FIPS 186 GeneratorFIPS 186 Generator

►►

Used for DSA private keysUsed for DSA private keys►►

AlgorithmAlgorithm

Let q be a 160Let q be a 160--bit prime number, and m be an integerbit prime number, and m be an integer

Let (b, G) = (160, DES) or (b, G) = (160..512, SHALet (b, G) = (160, DES) or (b, G) = (160..512, SHA--1)1)

Let s be a random secret seed with b bitsLet s be a random secret seed with b bits

Let t be a 160Let t be a 160--bit constant, t= bit constant, t= 67452301 efcdab89 98badcfe 10325476 c3d2e1f0

For i=1For i=1……m dom doEither select a bEither select a b--bit string bit string yy ii , or set , or set yy ii =0 (optional user input)=0 (optional user input)zz ii = (s + = (s + yy ii ) mod 2) mod 2bb

aa ii = = G(tG(t, , zz ii ) mod q) mod qs = (1 + s + s = (1 + s + aa ii ) mod 2) mod 2bb

Return (aReturn (a 11 , a, a 22 , , ……, a, a mm ) )

m pseudom pseudo--random numbers in [0, qrandom numbers in [0, q--1]1]

FIPS 186 GeneratorFIPS 186 Generator

►►

Used for DSA per message secret numbersUsed for DSA per message secret numbers►►

AlgorithmAlgorithm

Let q be a 160Let q be a 160--bit prime number, and m be an integerbit prime number, and m be an integer

Let (b, G) = (160, DES) or (b, G) = (160..512, SHALet (b, G) = (160, DES) or (b, G) = (160..512, SHA--1)1)

Let s be a random secret seed with b bitsLet s be a random secret seed with b bits

Let t be a 160Let t be a 160--bit constant, t= bit constant, t= efcdab89 98badcfe 10325476 c3d2e1f0 67452301

For i=1For i=1……m dom dokk ii = = G(tG(t, s) mod q, s) mod qs = (1 + s + s = (1 + s + kk ii ) mod 2) mod 2bb

Return (kReturn (k 11 , k, k 22 , , ……, k, k mm ) )

m pseudom pseudo--random numbers in [0, qrandom numbers in [0, q--1]1]

ReferencesReferences

1.1. D. Stinson. D. Stinson. Cryptography, Theory and PracticeCryptography, Theory and Practice. 3. 3rdrd Ed. Chapman & Ed. Chapman & Hall/CRC, 2006Hall/CRC, 2006

2. A. J. Menezes, P. C. Van Oorschot, and S. A. Vanstone. Handbook of applied cryptography. CRC Press, 1997

3. J. Hastad, R. Impagliazzo, L. Levin, and M. Luby. A pseudorandom generator from any one-way function. SIAM Journal on Computing, 28(4): 1364-1393, 1999

4. S. Goldwasser and M. Bellare. Lecture Notes on Cryptography. 2008. http://cseweb.ucsd.edu/~mihir/papers/gb.pdf

5. P. Junod. Cryptographic Secure Pseudo-Random Bits Generation: The Blum-Blum-Shub Generator. 1999. http://crypto.junod.info/bbs.pdf

6. M. J. Fischer. Pseudorandom Sequence Generation. Yale University. http://zoo.cs.yale.edu/classes/cs467/2006f/course/handouts/ho15.pdf

7. Federal Information Processing Standards Publication. Digital Signature Standard (DSS). 2000. http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf

QuizQuiz

1.1. Name one criterion when considering a pseudoName one criterion when considering a pseudo--random number random number generator to be cryptographically securegenerator to be cryptographically secure

2.2. Name the oneName the one--way function that the Blumway function that the Blum--MicaliMicali generator is based generator is based onon

3.3. What are the four concepts that are used when considering the What are the four concepts that are used when considering the security of the Blumsecurity of the Blum--BlumBlum--ShubShub generator ?generator ?

4.4. Let p be an odd prime and p Let p be an odd prime and p ≡≡3 mod 4. Let x be a quadratic residue 3 mod 4. Let x be a quadratic residue modulo p. Let y be the principal square root of x. What is y in modulo p. Let y be the principal square root of x. What is y in terms terms of x and p ?of x and p ?

5.5. Name the two standardized pseudoName the two standardized pseudo--random number generatorsrandom number generators

Bonus:Bonus:What are the two objectives when designing a pseudoWhat are the two objectives when designing a pseudo--random random number generator ?number generator ?