Analysis of pseudorandom sequences

Transcription

1 Eötvös Loránd University, Budapest, Hungary Department of Computer Algebra Summer School on Real-world Crypto and Privacy June 5 9, 2017 Sibenik, Croatia

2 Introduction New, constructive approach - definitions - analysis of constructions Results

3 Pseudorandomness: - numerical analysis, pure mathematics, cryptography - keystream in Vernam-cipher: New, constructive approach: Mauduit and Sárközy, 1996 m + k = c

4 Advantages: 1. More constructive 2. No use unproved hypothesis 3. Describe the single sequences 4. Apriori testing 5. Characterizing with real-valued function comparableness

5 Measures For a given sequence E N = (e 1,..., e N ) { 1, +1} N the correlation measure of order k of E N is: C k (E N ) = max M,D M 1 e n+d1 e n+d2...e n+dk, n=0 where the maximum is taken over all D = (d 1,...d k ) (d 1 <... < d k are nonnegative integers) and M N with M + d k N.

6 Well-distribution measure of E N is: t W (E N ) = max a,b,t j=1 e a+jb where the maximum is taken over all a Z, b, t N and 1 a + b a + tb N.,

7 E N is considered a good pseudorandom sequence, if both C k (E N ) and W (E N ) are small in terms of N. This terminology is justified: Cassaigne, Mauduit and Sárközy (2002): for almost all E N = { 1, +1} N truly random sequence both measures are small: O(N 1/2 (log N) c )

8 Main topic of my research: collisions and avalanche effect Important in applications: e.g. DES S is a given set Assume that N N, S is a given set and to each s S we assign a unique binary sequence E N = E N (s) = (e 1,..., e N ) { 1, +1} N, and let F = F(S) denote the family of the binary sequences obtained in this way: F = F(S) = {E N (s) : s S}. (1)

9 Definition 1 If s S, s S, s s and E N (s) = E N (s ), (2) then (2) is said to be a collision in F = F(S). If there is no collision in F = F(S), then F is said to be collision free. In other words, F = F(S) is collision free if we have F = S.

10 An ideally good family of pseudorandom binary sequences is collision free. If F is not collision free but the number of collisions is limited = they do not cause many problems. A good measure of the number of collisions is the following:

11 Definition 2 The collision maximum M = M(F, S) is defined by M = M(F, S) = max E N F {s : s S, E N(s) = E N } (i.e., M is the maximal number of elements of S representing the same binary sequence E N ).

12 Definition 3 If in (1) we have S = { 1, +1} l, and for any s S, changing any element of s changes many elements of E N (s) (i.e., for s s many elements of the sequences E N (s) and E N (s ) are different), then we speak about avalanche effect, and we say that F = F(S) possesses the avalanche property. If for any s S, s S, s s at least ( 1 2 o(1))n elements of E N (s) and E N (s ) are different then F is said to possess strict avalanche property.

13 To study the avalanche property, I introduced the following measure: Definition 4 If N N, E N = (e 1,..., e N ) { 1, 1} N and E N = (e 1,..., e N ) { 1, 1}N, then the distance d(e N, E N ) between E N and E N is defined by d(e N, E N ) = {n : 1 n N, e n e n}. Moreover, if F is a family of form (1), then the distance minimum m(f) of F is defined by m(f) = min s,s S s s d(e N (s), E N (s )).

14 Applying this notion we may say that the family F is collision free m(f) > 0, and F possesses the strict avalanche property if ( ) 1 m(f) 2 o(1) N.

15 A good candidate for testing the measures of pseudorandomness is the Legendre symbol: ( ) a = p 0, if p a +1, if a quadratic residue mod p 1, if a nonquadratic residue mod p - its random behaviour is known for long (Jacobstahl, Davenport, Bach, Peralta, Damgard, Sárközy)

16 Mauduit and Sárközy, 1997 : ( ) n e n = (n = 1, 2,..., p 1) p Goubin, Mauduit and Sárközy, 2004 : { ( ) f (n) e n = p, if (f (n), p) = 1 +1, if p f (n). (3)

17 Theorem 1 (VTóth) Let S be the set of polynomials f (x) F p [X ] of degree D 2 which do not have multiple zeros. Define E p = E p (f ) = (e 1,..., e p ) by (3) and F = F(S) by (1). Then we have m(f) 1 ( ) p (2D 1)p 1/2 2D. 2 The proof is based on the theorem of Weil.

18 Corollary 1 (VTóth) If S, F are defined as in Theorem 1 and we also have D < p1/2 2, then F is collision free. Corollary 2 (VTóth) If S, F are defined as in Theorem 1 and we have p +, D = o(p 1/2 ) then F possesses the strong avalanche property.

19 Mauduit, Rivat and Sárközy introduced the following construction in 2004: let p be an odd prime number, f (X ) F p [X ], and define E p = (e 1,..., e p ) by { +1, if 0 r p (f (n)) < p/2 e n = (4) 1, if p/2 r p (f (n)) < p, where r p (n) denotes the unique r {0,..., p 1} such that n r(mod p).

20 Advantages: - small measures - fast Disadvantages: - correlation measure of large order can be large (Mauduit, Rivat and Sárközy) - there are many collisions in it

21 Many collisions: S k = {f (x) : f (x) F p [x], deg f (x) = k} F k = {E p (f ) = (e 1,...e p ) : f S k } If k, p(log p) 1 then Theorem 2 (VTóth) M(F k, S k ). If p is a fixed prime and F 2, S 2 are defined as above then we have M(F 2, S 2 ) 1 6 log p.

22 It can be saved: P d = {f (x) F p [x] : f (x) = d a i x i,ahol a 0 = 0, a d = 1} i=0 Theorem 3 (VTóth) If f (x) P d, then the family of binary sequences constructed by (4) is collision free and possesses the strict avalanche property.

23 Java programme by Viktória Fonyó Goal: testing the constructions in the real life - generation of the sequences: fast - calculation of the measures: comparing with other constructions - using the sequences in Vernam cipher Result: they can be used easily and in a fast way in applications as well

24 - large families of binary sequences with strong pseudorandom properties - mathematically provable nice properties - can be used in applications

25 I. Damgard, On the randomness Legendre and Jacobi sequences, Lect. Notes in Comp. Sci. 403, Springer-Verlag, Berlin (1990), V. Fonyó, Pszeudovéletlen sorozatok konstrukciói, Thesis work (2017) L. Goubin, C. Mauduit, A. Sárközy, Construction of large families of pseudorandom binary sequences, J. Number Theory 106 (2004),

26 C. Mauduit, J. Rivat, A. Sárközy, Construction of pseudorandom binary sequences using additive characters, Monatshefte Math. 141 (2004), C. Mauduit, A. Sárközy, On finite pseudorandom binary sequences I: The measures of pseudorandomness, the Legendre symbol, Acta Arith. 82 (1997) V. Tóth, in families of pseudorandom binary sequences, Periodica Math. Hungar. 55. (2007) 2,

27 V. Tóth, The study of collision and avalanche effect in a family of pseudorandom binary sequences, Periodica Math. Hungar. 59. (2009) 1, 1 8. V. Tóth, Extension of the notion of collision and avalanche effect to sequences of k symbols, Periodica Math. Hungar. 65. (2012) 2, V. Tóth, in pseudorandom sequences, Annales Univ. Sci. Budapest., Sect. Comp. 41. (2013),