Simple Unpredictable Pseudo-Random Number Generator

Transcription

1 Simple Unpredictable Pseudo-Random Number Generator The 1/P Generator R. Ashworth & H. Imanda University of Oxford 1/18

2 Definition Let l be a polynomial. We say that a deterministic polynomial-time algorithm G : {0, 1} n {0, 1} l(n), is a pseudo-random generator (PRG) if the following conditions hold: 1 expansion: For every n it holds that l(n) > n. 2 pseudorandomness: For any PPT algorithm D, there is a negligible function ε such that Pr[D(G(x)) = 1] Pr[D(r) = 1] ε(n). 2/18

3 Definition A cryptographically secure pseudo-random generator is one that is polynomial-time unpredictable: for every finite initial segment of sequence that has been produced by the PRG, but with any element deleted from that segment, a probabilistic polynomial time algorithm cannot predict the missing element with probability significantly less than /18

4 Definition For integers b, P, let P b denote the size of P written in base b. Example Let P = Then P 2 = log 2 (753) + 1 = 10. 4/18

5 The 1/P Generator Fix an integer b > 1 and let Σ = {0, 1,..., b 1}. Let N = {P Z gcd(p, b) = 1} and let the seed domain be X = P N Z P. X can also be identified as the set {r/p P N, r Z p} [0, 1). 5/18

6 The 1/P Generator Define G : X Σ by letting G(r/P) = q 1 q 2... be the sequence of b-ary quotient digits that follow the decimal point, where r/p X is expanded base b. The 1/P Generator The pseudo-random number generator defined by G(r/P) = q 1 q 2 q 3 is called the 1/P generator (base b). 6/18

7 Example Let b = 10 and P = 7 and r = 1. Then the above sequence has input 1/7 giving /18

8 Lemma The 1/P sequence of quotient digits has period P 1. Proof r m = b m r 0 mod P where b is a primitive root. The sequence of quotients rm P is periodic, period at most P 1 by pigeonhole principle. If period less than P 1 then 0 m 1 < m 2 < P 1 such that.q m1 +1q m =.q m2 +1q m But r mp =.q m+1 q m+2... a contradiction. 8/18

9 Some Crypto Why is the 1/P PRG good? If P P and b is a primitive root modulo P the sequences have long periods (P 1) and nice distributional properties. Hard to infer: Given r generated during the expansion of 1/P mod P, it is difficult to find any m such that r m = r. Note the second reason is the DLP: an adversary must solve r m b m mod P. This is assumed a difficult problem for suitable P and b. 9/18

10 Definition A generalised de Bruijn sequence of period P 1, base b is a sequence q 1 q 2... of b-ary digits such that 1 every b-ary string of length ( P b 1) occurs at least once in the sequence and 2 every b-ary string of length P b occurs at most once in any given sequence. Example The sequence below is a base two, P = 3 de Bruijn sequence: /18

11 Theorem Let P P and b {1,..., P 1} be a primitive root modulo P. Then the PRG sequence of quotient digits of 1/P, base b is a generalised de Bruijn sequence. 11/18

12 Claim The 1/P sequence of quotient digits is a de Bruijn sequence. Sketch Proof The set of length s b-ary strings partition of the unit interval [0, 1), [l/b s, (l + 1)/b s ). 1/P < 1/(b P b+1 ) so for every l there is a k such that k/p is in a step of the partition, proving (1). Also 1/b P b < 1/P so for each l there is at most one k such that k/p is in any given block of the partition, proving (2). 12/18

13 Theorem The 1/P generator is not a CSPRG. Equivalently, there exists a statistical test for deciding if a string is generated by 1/P or not. Given a 3n long string of digits, where n = P b one may use a simple, yet efficient test to attempt to recover P and hence the sequence. 13/18

14 Example Let b = 10 and P = 503, so the PRG generates a period 502 sequence: /18

15 = 3, so every string of two decimal digits appears at least once in the above sequence and every string of three digits appears at most once. A number theortic attack exists to generate the sequence, using continued fractions. Consider the block /18

16 Breaking the 1/P Generator The continued fraction of is / = [0; 2, 3, 3, 1, 16, 6, 1, 1, 151], with convergents 1 2, 3 7,..., = These digits agree with the segment we identified. With P = 503, b = 10 and the numerator (remainder term modulo P) r m = 218. Calculating r m 1 = b 1 r m mod 503 = mod 503 = 223. Then consider 223/503 = /18

17 Comparing Results Prediction gives: 223/503 = , so we want a 4 before and a 602 after /18

18 References L. Blum, M. Blum, & M. Shub A SIAM Journal on Computing, 15(2) J. Katz & Y. Lindell Introduction to Modern Cryptography CRC Press, /18