Pseudorandom Bit Generation Artur Gadomski Piero Giammarino Henrik Goldman Massimo Giulio Caterino.


Definitions A random bit generator is a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits. A pseudorandom bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length k, outputs a binary sequence of length l ≫ k which “appears” to be random. The input to the PRBG is called the seed, while the output of the PRBG is called a pseudorandom bit sequence.

Definitions A pseudorandom bit generator is said to pass all polynomial-time statistical tests if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 1/2. A pseudorandom bit generator is said to pass the next-bit test if there is no polynomial-time algorithm which, on input of the first l bits of an output sequence s, can predict the (l+1)st bit of s with probability significantly greater than 1/2.

Definitions A PRBG that passes the next-bit test is called a cryptographically secure pseudorandom bit generator (CSPRBG).

Random bit generation

Hardware based generators elapsed time between emission of particles during radioactive decay; thermal noise from a semiconductor diode or resistor; the frequency instability of a free running oscillator; the amount a metal insulator semiconductor capacitor is charged during a fixed period of time; air turbulence within a sealed disk drive which causes random fluctuations in disk drive sector read latency times; sound from a microphone or video input from a camera.

Software based generators the system clock; elapsed time between keystrokes or mouse movement; content of input/output buffers; user/system/hardware/network serial numbers and/or addresses; user input; operating system values such as system load and network statistics.

Mixing functions A strong mixing function is one which combines two or more inputs and produces an output where each output bit is a different complex non-linear function of all the input bits.

Example A trivial example for single bit inputs is the Exclusive Or function. DES is an example of a strong mixing function for multiple bit quantities. Cryptographic hash functions such as SHA-1 or MD5 are further examples. Diffie-Hellman exponential key exchange is another example. If the initial values are random, then the shared secret contains the combined randomness of them both, assuming they are uncorrelated.

De-skewing Suppose in an output sequence the probability of 1 is p. Then let's group the output bits into pairs and treat each 01 as 1 and each 10 as 0. We discard 00 and 11 pairs. The resulting sequence is both unbiased and uncorrelated.
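An added simulation of this pairing rule (not from the slides): it de-skews a source with a fixed bias, and then a source whose bias differs between the first and second bit of each pair, to show that the result is unbiased only when p is the same for every bit. The helper names, the sources and the probabilities 0.8, 0.9 and 0.5 are constructed for the illustration, and the bits are assumed independent.

```python
import random

def deskew(bits):
    """Group bits into pairs; 01 -> 1, 10 -> 0 (the slide's mapping); drop 00 and 11."""
    out = []
    for a, b in zip(bits[0::2], bits[1::2]):
        if a != b:
            out.append(b)  # pair 01 has b == 1, pair 10 has b == 0
    return out

def biased_source(rng, n, p_first, p_second=None):
    """n independent bits; P(1) is p_first at even indexes and p_second at odd ones."""
    if p_second is None:
        p_second = p_first
    return [int(rng.random() < (p_first if i % 2 == 0 else p_second))
            for i in range(n)]

def ones_fraction(bits):
    return sum(bits) / len(bits)

def demo(seed=1):
    """Return (raw bias, de-skewed bias, output bits per input bit, drifting-source bias)."""
    rng = random.Random(seed)  # simulation only, never a source of key material
    fixed = biased_source(rng, 200_000, 0.8)          # constructed: p = 0.8 everywhere
    drifting = biased_source(rng, 200_000, 0.9, 0.5)  # constructed: p changes within a pair
    clean = deskew(fixed)
    return (ones_fraction(fixed), ones_fraction(clean),
            len(clean) / len(fixed), ones_fraction(deskew(drifting)))

if __name__ == "__main__":
    print(demo())
```

With a fixed p the output rate is p(1 - p) bits per input bit, so a heavily biased source yields very little; with the drifting source the pair 10 is nine times as likely as 01 and the output stays biased.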

Pseudo Random Bit Generators

Mathematical Model of PRBG
INPUT → $X_0$ = seed
$X_{i+1} = f(i, X_0, X_1, X_2, X_3, \dots)$, $i = 0, 1, 2, 3, \dots$
OUTPUT → $X_1, X_2, X_3, X_4, \dots$ (pseudorandom sequence)

Pseudorandom Generators
- Linear Congruential Generator
- J-Bit Output Feedback
- ANSI X9.17
- Blum Blum Shub Pseudorandom Bit Generator
- RSA Pseudorandom Bit Generator

Linear Congruential Generator Nowadays the most used technique for pseudorandom generation [Lehmer 1951].
$X_0$ = seed, $m > 0$, $0 \le a < m$, $0 \le b < m$
$X_{i+1} = a \cdot (X_i + b) \bmod m$

Example of LCG
a = 7, b = 0, m = 32, $X_0 = 1$: $X_{i+1} = 7 X_i \bmod 32$ gives 7, 17, 23, 1, 7, 17, 23, … (period 4)
a = 5, b = 0, m = 32, $X_0 = 1$: $X_{i+1} = 5 X_i \bmod 32$ gives 5, 25, 29, 17, 21, 9, 13, 1, … (period 8)

Linear Congruential Generator $X_{i+1} = 7^5 \cdot X_i \bmod m$, with $a = 7^5$, $b = 0$, m = (prime number convenient for 32 bits). Used for IBM 360 [1969].

J-Bit Output Feedback

ANSI X9.17 Generator Ad-hoc construction which is not proved to be cryptographically secure, though it should be sufficient for most applications. U.S. Federal Information Processing Standard (FIPS) approved method. Makes use of the two-key triple DES algorithm.

Algorithm
Input: s – 64-bit secret seed; m – integer (counter); k – 3DES key
Def: E_k is 3DES encryption under key k; ^ is XOR
1. Get 64-bit representation of computer date/time, D
2. Calc I = E_k(D)
3. for (i = 0; i < m; i++) {
       x_i = E_k(I ^ s);   // Calc next 64-bit string
       s = E_k(x_i ^ I);   // Update seed
   }
4. Return the x_i's

Blum Blum Shub PRBG
1. Generate p and q: two big Blum primes
2. $n = p \cdot q$
3. Choose $s \in [1, n-1]$: the seed
4. $x_0 = s^2 \pmod{n}$
5. The sequence is defined as $x_i = x_{i-1}^2 \pmod{n}$ and $z_i = \mathrm{parity}(x_i)$
6. The output is $z_1, z_2, z$

Example
Let $n = p \cdot q = 7 \cdot 19 = 133$, $s = 100$
$x_0 = 100^2 \pmod{133} = 25$
$x_1 = 25^2 \pmod{133} = 93$
$x_2 = 93^2 \pmod{133} = 42$
$x_3 = 42^2 \pmod{133} = 16$
$x_4 = 16^2 \pmod{133} = 123$
The OUTPUT: 1, 0, 0, 1

RSA generator It is a pseudorandom bit generator, and it is a cryptographically secure pseudorandom bit generator under the assumption that factoring a large number n composed of two large primes p and q is intractable!

RSA generator (diagram) p and q → prime; n → p∙q; e = integer in [3, Ф(n)[ with gcd(e, Ф(n)) = 1. Loop: $z_i \to z_{i-1}^e \pmod{n}$, take the LSB, i = i + 1. Diagram labels: $z_0$, $z_i$, $x_i$.

Algorithm
1. Generate p and q
2. $n = p \cdot q$
3. Pick a random integer e: $1 < e < \varphi$ and $\gcd(e, \varphi) = 1$
4. Select a random integer $x_0$ (the seed) in the interval $[1, n-1]$
5. For i = 1 to l
6.    $x_i = x_{i-1}^e \bmod n$
7.    $z_i$ = LSB of $x_i$
8. Return $z_1, \dots, z_l$
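The Blum Blum Shub steps and the RSA generator algorithm above are the same loop, $x_i = x_{i-1}^e \bmod n$ with the low bit as output (e = 2 for Blum Blum Shub), so one added Python sketch covers both; it is not code from the slides. Run on the slide's parameters n = 133, s = 100 it gives $x_2 = 4$ and $x_3 = 4^2 \bmod 133 = 16$ (since $93^2 = 8649 = 65 \cdot 133 + 4$) where the slide prints 42, with the same output bits 1, 0, 0, 1. The function names, the RSA exponent e = 5 and the seed coprimality check are assumptions added for the illustration.

```python
from math import gcd

def low_bit_stream(n, e, x0, count):
    """Iterate x_i = x_{i-1}^e mod n; return (states, bits), bit z_i = LSB of x_i."""
    states, x = [], x0
    for _ in range(count):
        x = pow(x, e, n)
        states.append(x)
    return states, [s & 1 for s in states]

def bbs(p, q, seed, count):
    """Blum Blum Shub with caller-supplied primes p, q; x_0 = seed^2 mod n."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("Blum primes must be congruent to 3 mod 4")
    n = p * q
    # Coprimality of the seed with n is an added check, not stated on the slide.
    if not 1 <= seed < n or gcd(seed, n) != 1:
        raise ValueError("seed must be in [1, n-1] and coprime to n")
    return low_bit_stream(n, 2, pow(seed, 2, n), count)

def rsa_prbg(p, q, e, seed, count):
    """RSA generator: 1 < e < phi with gcd(e, phi) = 1, seed x_0 in [1, n-1]."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be in (1, phi) and coprime to phi")
    if not 1 <= seed < n:
        raise ValueError("seed must be in [1, n-1]")
    return low_bit_stream(n, e, seed, count)

def cycle_length(n, e, x0):
    """Steps until the state returns to x0 (x -> x^e must permute x0's orbit)."""
    x, steps = pow(x0, e, n), 1
    while x != x0:
        x, steps = pow(x, e, n), steps + 1
    return steps

if __name__ == "__main__":
    print(bbs(7, 19, 100, 4))          # slide parameters
    print(rsa_prbg(7, 19, 5, 100, 4))  # constructed toy parameters, e = 5
    print(cycle_length(133, 2, 25))    # how soon the toy BBS state repeats
```

With n = 133 the state repeats after six steps in both generators, which is why the algorithms call for large primes: the security argument rests on n being infeasible to factor, and a toy modulus also cycles almost immediately.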

RSA generator (diagram) p and q → prime; n → p∙q; e = integer in [3, Ф(n)[ with gcd(e, Ф(n)) = 1. Loop: $z_i \to z_{i-1}^e \pmod{n}$, take the c log log n least significant bits, i = i + 1. Diagram labels: $z_0$, $z_i$, $x_i$.

Statistical tests

Frequency test (monobit test) The purpose of this test is to determine whether the number of 0’s and 1’s in a generator output sequence are approximately the same, as would be expected for a random sequence.

Serial test (two-bit test) The purpose of this test is to determine whether the number of occurrences of 00, 01, 10, and 11 as subsequences of s are approximately the same, as would be expected for a random sequence.

Poker test Let’s divide s into k non-overlapping parts each of length m. The poker test determines whether the sequences of length m each appear approximately the same number of times in s, as would be expected for a random sequence. Note that this test is a generalization of the frequency test: setting m = 1 in the poker test yields the frequency test.

Runs test The purpose of the runs test is to determine whether the number of runs (of either zeros or ones) of various lengths in the sequence s is as expected for a random sequence.

Autocorrelation test The purpose of this test is to check for correlations between the sequence s and (noncyclic) shifted versions of it.
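An added Python sketch of the frequency, serial and poker tests (not from the slides, which name the tests without formulas): it uses the standard chi-square statistics for each and applies them to a 160-bit sample and to the output of the slide's generator $X_{i+1} = 5 X_i \bmod 32$, $X_0 = 1$. The 5% significance level, the sample sequence and the 5-bit encoding of each LCG output are assumptions made for the illustration.

```python
from collections import Counter

# Upper 5% points of the chi-square distribution, keyed by degrees of freedom.
CHI2_5PCT = {1: 3.8415, 2: 5.9915, 7: 14.0671, 31: 44.9853}

def frequency_stat(bits):
    """X1 = (n0 - n1)^2 / n; chi-square with 1 degree of freedom."""
    n1 = sum(bits)
    return (len(bits) - 2 * n1) ** 2 / len(bits)

def serial_stat(bits):
    """X2 from counts of overlapping pairs 00, 01, 10, 11; 2 degrees of freedom."""
    n, n1 = len(bits), sum(bits)
    n0 = n - n1
    pair_sq = sum(c * c for c in Counter(zip(bits, bits[1:])).values())
    return 4 / (n - 1) * pair_sq - 2 / n * (n0 * n0 + n1 * n1) + 1

def poker_stat(bits, m):
    """X3 over k = n // m non-overlapping m-bit blocks; 2^m - 1 degrees of freedom."""
    k = len(bits) // m
    blocks = Counter(tuple(bits[i * m:(i + 1) * m]) for i in range(k))
    return (2 ** m / k) * sum(c * c for c in blocks.values()) - k

def report(bits, m):
    """True means the statistic is within the 5% threshold (sequence not rejected)."""
    return {"frequency": frequency_stat(bits) <= CHI2_5PCT[1],
            "serial": serial_stat(bits) <= CHI2_5PCT[2],
            "poker": poker_stat(bits, m) <= CHI2_5PCT[2 ** m - 1]}

def lcg_bits(a, m, x0, count, width):
    """Bits of `count` outputs of X_{i+1} = a * X_i mod m, `width` bits each, MSB first."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x) % m
        out.extend((x >> shift) & 1 for shift in range(width - 1, -1, -1))
    return out

# Sample input for the demonstration: a 40-bit pattern repeated four times.
SAMPLE = [int(c) for c in
          "11100 01100 01000 10100 11101 11100 10010 01001".replace(" ", "") * 4]
# 160 outputs of the slide's LCG (a = 5, m = 32, X_0 = 1), 800 bits in total.
LCG_BITS = lcg_bits(5, 32, 1, 160, 5)

if __name__ == "__main__":
    print(report(SAMPLE, 3))
    print(report(LCG_BITS, 5))
```

The LCG output has exactly as many ones as zeros, so it passes the frequency test with a statistic of 0, yet the serial and poker tests reject it: passing one test says little, and passing all of them still does not make a generator cryptographically secure.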

References A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography.

That's all folks...