Pseudorandom Sequence Generation

Similar documents
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Jacobi symbols and application to primality

CPSC 467: Cryptography and Computer Security

CS 6260 Some number theory. Groups

Math 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,

CPSC 467: Cryptography and Computer Security

x 2 a mod m. has a solution. Theorem 13.2 (Euler s Criterion). Let p be an odd prime. The congruence x 2 1 mod p,

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

Cryptanalysis of Pseudorandom Generators

Primes - Problem Sheet 5 - Solutions

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Probabilistic Algorithms

RECIPROCITY LAWS JEREMY BOOHER

QUADRATIC RECIPROCITY

CERIAS Tech Report The period of the Bell numbers modulo a prime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education

Math 104B: Number Theory II (Winter 2012)

Pseudo-random Number Generation. Qiuliang Tang

Advanced Cryptography Midterm Exam

Practice Final Solutions

t s (p). An Introduction

LECTURE 10: JACOBI SYMBOL

We collect some results that might be covered in a first course in algebraic number theory.

Quadratic Reciprocity

A recipe for an unpredictable random number generator

Algebraic number theory LTCC Solutions to Problem Sheet 2

CDH/DDH-Based Encryption. K&L Sections , 11.4.

POINTS ON CONICS MODULO p

Split the integral into two: [0,1] and (1, )

Cryptography Assignment 3

ON FREIMAN S 2.4-THEOREM

Extension of Minimax to Infinite Matrices

How does the computer generate observations from various distributions specified after input analysis?

The Jacobi Symbol. q q 1 q 2 q n

MATH 371 Class notes/outline October 15, 2013

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Modeling Chebyshev s Bias in the Gaussian Primes as a Random Walk

Quadratic Residues, Quadratic Reciprocity. 2 4 So we may as well start with x 2 a mod p. p 1 1 mod p a 2 ±1 mod p

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract

MATH 2710: NOTES FOR ANALYSIS

MATH 361: NUMBER THEORY EIGHTH LECTURE

Computer arithmetic. Intensive Computation. Annalisa Massini 2017/2018

MATH 3240Q Introduction to Number Theory Homework 7

Notes for Lecture 25

Almost All Palindromes Are Composite

Practice Final Solutions

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding

Cryptography. Lecture 8. Arpita Patra

Degree in Mathematics

QUADRATIC RECIPROCITY

Math 261 Exam 2. November 7, The use of notes and books is NOT allowed.

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES 2018

QUADRATIC RECIPROCITY

On generalizing happy numbers to fractional base number systems

Public Key Cryptosystems RSA

Topic 7: Using identity types

HENSEL S LEMMA KEITH CONRAD

4. Score normalization technical details We now discuss the technical details of the score normalization method.

Prime Reciprocal Digit Frequencies and the Euler Zeta Function

Notes on Zero Knowledge

#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS

THE DIOPHANTINE EQUATION x 4 +1=Dy 2

Linear diophantine equations for discrete tomography

16 The Quadratic Reciprocity Law

Mobius Functions, Legendre Symbols, and Discriminants

p-adic Measures and Bernoulli Numbers

Verifying Two Conjectures on Generalized Elite Primes

Quaternionic Projective Space (Lecture 34)

The Hasse Minkowski Theorem Lee Dicker University of Minnesota, REU Summer 2001

Introduction to MVC. least common denominator of all non-identical-zero minors of all order of G(s). Example: The minor of order 2: 1 2 ( s 1)

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security

HOMEWORK # 4 MARIA SIMBIRSKY SANDY ROGERS MATTHEW WELSH

AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction

Chapter 3. Number Theory. Part of G12ALN. Contents

CSE 599d - Quantum Computing When Quantum Computers Fall Apart

MA3H1 Topics in Number Theory. Samir Siksek

MAT 311 Solutions to Final Exam Practice

Characteristics of Fibonacci-type Sequences

ISOSCELES TRIANGLES IN Q 3. Matt Noble Department of Mathematics, Middle Georgia State University, Macon, Georgia

MATH342 Practice Exam

Experimental Mathematics Publication details, including instructions for authors and subscription information:

CPSC 467: Cryptography and Computer Security

Bilinear Entropy Expansion from the Decisional Linear Assumption

On the Rank of the Elliptic Curve y 2 = x(x p)(x 2)

Statistics II Logistic Regression. So far... Two-way repeated measures ANOVA: an example. RM-ANOVA example: the data after log transform

MA3H1 TOPICS IN NUMBER THEORY PART III

On The j-invariants of CM-Elliptic Curves Defined Over Z p

An Inverse Problem for Two Spectra of Complex Finite Jacobi Matrices

An Estimate For Heilbronn s Exponential Sum

AVERAGES OF EULER PRODUCTS, DISTRIBUTION OF SINGULAR SERIES AND THE UBIQUITY OF POISSON DISTRIBUTION

CPSC 467b: Cryptography and Computer Security

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models

HASSE INVARIANTS FOR THE CLAUSEN ELLIPTIC CURVES

A NOTE ON A YAO S THEOREM ABOUT PSEUDORANDOM GENERATORS

CPSC 467b: Cryptography and Computer Security

Eötvös Loránd University Faculty of Informatics. Distribution of additive arithmetical functions

Robust hamiltonicity of random directed graphs

Almost 4000 years ago, Babylonians had discovered the following approximation to. x 2 dy 2 =1, (5.0.2)

ANALYTIC NUMBER THEORY AND DIRICHLET S THEOREM

c 2007 Society for Industrial and Applied Mathematics

Transcription:

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Crytograhy and Comuter Security Handout #21 Professor M. J. Fischer November 29, 2005 Pseudorandom Seuence Generation 1 Distinguishability and Bit Prediction Let D be a robability distribution on a finite set Ω. Then D associates a robability P D (ω) with each each element ω Ω. We will also regard D as a random variable that ranges over Ω and assumes value ω Ω with robability P D (ω). Definition: An (S, l)-seudorandom seuence generator (PRSG) is a function f: S 0, 1} l. (We generally assume 2 l S.) More roerly seaking, a PRSG is a randomness amlifier. Given a random, uniformly distributed seed s S, the PRSG yields the seudorandom seuence z = f(s). We use S also to denote the uniform distribution on seeds, and we denote the induced robability distribution on seudorandom seuences by f(s). The goal of an (S, l)-prsg is to generate seuences that look random, that is, are comutationally indistinguishable from seuences drawn from the uniform distribution U on length-l seuences. Informally, a robabilistic algorithm A that always halts distinguishes X from Y if its outut distribution is noticeably differently deending whether its inut is drawn at random from X or from Y. Formally, there are many different kinds of distinguishably. In the following definition, the only asect of A s behavior that matters is whether or not it oututs 1. Definition: Let ɛ > 0, let X, Y be distributions on 0, 1} l, and let A be a robabilistic algorithm. Algorithm A naturally induces robability distributions A(X) and A(Y ) on the set of ossible outcomes of A. We say that A ɛ-distinguishes X and Y if rob[a(x) = 1] rob[a(y ) = 1] ɛ, and we say X and Y are ɛ-indistinguishable by A if A does not distinguish them. A natural notion of randomness for PRSG s is that the next bit should be unredictable given all of the bits that have been generated so far. Definition: Let ɛ > 0 and 1 i l. A robabilistic algorithm N i is an ɛ-next bit redictor for bit i of f if rob[n i (Z 1,..., Z i 1 ) = Z i ] 1 2 + ɛ where (Z 1,..., Z l ) is distributed according to f(s). A still stronger notion of randomness for PRSG s is that each bit i should be unredictable, even if one is given all of the bits in the seuence excet for bit i. Definition: Let ɛ > 0 and 1 i l. A robabilistic algorithm B i is an ɛ-strong bit redictor for bit i of f if rob[b i (Z 1,..., Z i 1, Z i+1,..., Z l ) = Z i ] 1 2 + ɛ where (Z 1,..., Z l ) is distributed according to f(s).

2 Pseudorandom Seuence Generation The close relationshi between distinguishability and the two kinds of bit rediction is established in the following theorems. Theorem 1 Suose ɛ > 0 and N i is an ɛ-next bit redictor for bit i of f. Then algorithm B i is an ɛ-strong bit redictor for bit i of f, where algorithm B i (z 1,..., z i 1, z i+1,..., z l ) simly ignores its last l i inuts and comutes N i (z 1,..., z i 1 ). Proof: Obvious from the definitions. Let x = (x 1,..., x l ) be a vector. We define x i to be the result of deleting the i th element of x, that is, x i = (x 1,..., x i 1, x i+1,..., x l ). Theorem 2 Suose ɛ > 0 and B i is an ɛ-strong bit redictor for bit i of f. Then algorithm A ɛ-distinguishes f(s) and U, where algorithm A on inut x oututs 1 if B i (x i ) = x i and oututs 0 otherwise. Proof: By definition of A, A(x) = 1 recisely when B i (x i ) = x i. Hence, rob[a(f(s)) = 1] 1/2 + ɛ. On the other hand, for r = U, rob[b i (r i ) = r i ] = 1/2 since r i is a uniformly distributed bivalued random variable that is indeendent of r i. Thus, rob[a(u) = 1] = 1/2, so A ɛ-distinguishes f(s) and U. For the final ste in the 3-way euivalence, we have to weaken the error bound. Theorem 3 Suose ɛ > 0 and algorithm A ɛ-distinguishes f(s) and U. For each 1 i l and c 0, 1}, define algorithm N c i (z 1,..., z i 1 ) as follows: 1. Fli coins to generate l i + 1 random bits r i,..., r l. 1 if A(z1,..., z 2. Let v = i 1, r i,..., r l ) = 1; 0 otherwise. 3. Outut v r i c. Then there exist m and c for which algorithm N c m is an ɛ/l-next bit redictor for bit m of f. Proof: Let (Z 1,..., Z l ) = f(s) and (R 1,..., R l ) = U be random variables, and let D i = (Z 1,..., Z i, R i+1,..., R l ). D i is the distribution on l-bit seuences that results from choosing the first i bits according to f(s) and choosing the last l i bits uniformly. Clearly D 0 = U and D l = f(s). Let i = rob[a(d i ) = 1], 0 i l. Since A ɛ-distinguishes D l and D 0, we have l 0 ɛ. Hence, there exists m, 1 m l, such that m m 1 ɛ/l. We show that the robability that N c m correctly redicts bit m for f is 1/2+( m m 1 ) if c = 1 and 1/2+( m 1 m ) if c = 0. It will follow that either N 0 m or N 1 m correctly redicts bit m with robability 1/2+ m m 1 ɛ/l. Consider the following exeriments. In each, we choose an l-tule (z 1,..., z l ) according to f(s) and an l-tule (r 1,..., r l ) according to U. Exeriment E 0 : Succeed if A(z 1,..., z m 1, z m, r m+1,..., r l ) = 1. Exeriment E 1 : Succeed if A(z 1,..., z m 1, z m, r m+1,..., r l ) = 1. Exeriment E 2 : Succeed if A(z 1,..., z m 1, r m, r m+1,..., r l ) = 1.

Handout #21 November 29, 2005 3 Let j be the robability that exeriment E j succeeds, where j = 0, 1, 2. Clearly 2 = ( 0 + 1 )/2 since r m = z m is eually likely as r m = z m. Now, the inuts to A in exeriment E 0 are distributed according to D m, so m = 0. Also, the inuts to A in exeriment E 2 are distributed according to D m 1, so m 1 = 2. Differencing, we get m m 1 = 0 2 = ( 0 1 )/2. We now analyze the robability that N c m correctly redicts bit m of f(s). Assume without loss of generality that A s outut is in 0, 1}. A articular run of N c m(z 1,..., z m 1 ) correctly redicts z m if A(z 1,..., z m 1, r m,..., r l ) r m c = z m (1) If r m = z m, (1) simlifies to and if r m = z m, (1) simlifies to A(z 1,..., z m 1, z m,..., r l ) = c, (2) A(z 1,..., z m 1, z m,..., r l ) = c. (3) Let OK c m be the event that N c m(z 1,..., Z m 1 ) = Z m, i.e., that N c m correctly redicts bit m for f. From (2), it follows that rob[ok c m R m = Z m ] = 0 if c = 1 (1 0 ) if c = 0 for in that case the inuts to A are distributed according to exeriment E 0. Similarly, from (3), it follows that rob[ok c 1 if c = 1 m R m = Z m ] = (1 1 ) if c = 0 for in that case the inuts to A are distributed according to exeriment E 1. Since rob[r m = Z m ] = rob[r m = Z m ] = 1/2, we have rob[ok c m] = 1 2 rob[okc m R m = Z m ] + 1 2 rob[okc m R m = Z m ] = 0 /2 + (1 1 )/2 = 1/2 + m m 1 if c = 1 1 /2 + (1 0 )/2 = 1/2 + m 1 m if c = 0. Thus, rob[ok c m] = 1/2 + m m 1 ɛ/l for some c 0, 1}, as desired. 2 BBS Generator We now give a PRSG due to Blum, Blum, and Shub for which the roblem distinguishing its oututs from the uniform distribution is closely related to the difficulty of determining whether a number with Jacobi symbol 1 is a uadratic residue modulo a certain kind of comosite number called a Blum integer. The latter roblem is believed to be comutationally hard. First some background. A Blum rime is a rime number such that 3 (mod 4). A Blum integer is a number n =, where and are Blum rimes. Blum rimes and Blum integers have the imortant roerty that every uadratic residue a has a suare root y which is itself a uadratic residue. We call such a y a rincial suare root of a and denote it by a.

4 Pseudorandom Seuence Generation Lemma 4 Let be a Blum rime, and let a be a uadratic residue modulo. Then y = a (+1)/4 mod is a rincial suare root of a modulo. Proof: We must show that, modulo, y is a suare root of a and y is a uadratic residue. By the Euler criterion [Theorem 2, handout 15], since a is a uadratic residue modulo, we have a ( 1)/2 1 (mod ). Hence, y 2 (a (+1)/4 ) 2 aa ( 1)/2 a (mod ), so y is a suare root of a modulo. Alying the Euler criterion now to y, we have y ( 1)/2 Hence, y is a uadratic residue modulo. (a (+1)/4) ( 1)/2 ( a ( 1)/2) (+1)/4 1 (+1)/4 1 (mod ). Theorem 5 Let n = be a Blum integer, and let a be a uadratic residue modulo n. Then a has four suare roots modulo n, exactly one of which is a rincial suare root. Proof: By Lemma 4, a has a rincial suare root u modulo and a rincial suare root v modulo. Using the Chinese remainder theorem, we can find x that solves the euations x ±u (mod ) x ±v (mod ) for each of the four choices of signs in the two euations, yielding 4 suare roots of a modulo n. It is easily shown that the x that results from the +, + choice is a uadratic residue modulo n, and the others are not. From Theorem 4, it follows that the maing b b 2 mod n is a bijection from the set of uadratic residues modulo n onto itself. (A bijection is a function that is 1 1 and onto.) Definition: The Blum-Blum-Shub generator BBS is defined by a Blum integer n = and an integer l. It is a (Z n, l)-prsg defined as follows: Given a seed s 0 Z n, we define a seuence s 1, s 2, s 3,..., s l, where s i = s 2 i 1 mod n for i = 1,..., l. The l-bit outut seuence is b 1, b 2, b 3,..., b l, where b i = s i mod 2. Note that any s m uniuely determines the entire seuence s 1,..., s l and corresonding outut bits. Clearly, s m determines s m+1 since s m+1 = s 2 m mod n. But likewise, s m determines s m 1 since s m 1 = s m, the rincial suare root of s m modulo n, which is uniue by Theorem 5. 3 Security of BBS Theorem 6 Suose there is a robabilistic algorithm A that ɛ-distinguishes BBS(Z n) from U. Then there is a robabilistic algorithm Q(x) that correctly determines with robability at least ɛ = ɛ/l whether or not an inut x Z n with Jacobi symbol ( x n) = 1 is a uadratic residue modulo n. Proof: From A, one easily constructs an algorithm  that reverses its inut and then alies A.  ɛ-distinguishes the reverse of BBS(Z n) from U. By Theorem 3, there is an ɛ -next bit redictor N m for bit l m + 1 of BBS reversed. Thus, N m (b l, b l 1,..., b m+1 ) correctly oututs b m with robability at least 1/2 + ɛ, where (b 1,..., b l ) is the (unreversed) outut from BBS(Z n).

Handout #21 November 29, 2005 5 We now describe algorithm Q(x), assuming x Z n and ( x n) = 1. Using x as a seed, comute (b 1,..., b l ) = BBS(x) and let b = N m (b l m, b l m 1,..., b 1 ). Outut uadratic residue if b = x mod 2 and non-residue otherwise. To see that this works, observe first that N m (b l m, b l m 1,..., b 1 ) correctly redicts b 0 with robability at least 1/2+ɛ, where b 0 = ( x 2 mod n) mod 2. This is because we could in rincile let s m+1 = x 2 mod n and then work backwards defining s m = s m+1 mod n, s m 1 = s m mod n,..., s 0 = s 1 mod n. It follows that b 0,..., b l m are the last l m + 1 bits of BBS(s 0 ), and b 0 is the bit redicted by N m. Now, x and x are clearly suare roots of s m+1. We show that they both have Jacobi symbol 1. Since ( ( ) ( ) ( ) ( ) ( ) ( ) x n) = x x = 1, then either x = x = 1 or x = x = 1. But because ( ) ( ) and are Blum rimes, 1 is a uadratic non-residue modulo both and, so 1 = 1 = 1. It follows that ( ) x n = 1. Hence, x = ± sm+1, so exactly one of x and x is a uadratic residue. Since n is odd, x mod n and x mod n have oosite arity. Hence, x is a uadratic residue iff x and s m+1 have the same arity. But N m oututs s m+1 mod 2 with robability 1/2 + ɛ, so it follows that Q correctly determines the uadratic residuosity of its argument with robability 1/2 + ɛ.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback