Pseudo-random Number Generation. Qiuliang Tang

Similar documents
ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

CPSC 467: Cryptography and Computer Security

An Introduction to Probabilistic Encryption

Cryptography IV: Asymmetric Ciphers

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Public Key Algorithms

Pseudorandom Generators

1 Number Theory Basics

Computer Science A Cryptography and Data Security. Claude Crépeau

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Pseudorandom Generators

CPSC 467b: Cryptography and Computer Security

Introduction to Cybersecurity Cryptography (Part 5)

Security II: Cryptography exercises

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

THE CUBIC PUBLIC-KEY TRANSFORMATION*

An Efficient Discrete Log Pseudo Random Generator

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Lecture Notes. Advanced Discrete Structures COT S

State Recovery Attacks on Pseudorandom Generators

CPSC 467: Cryptography and Computer Security

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Number Theory and Algebra: A Brief Introduction

Chapter 8 Public-key Cryptography and Digital Signatures

Algorithmic Number Theory and Public-key Cryptography

Mathematics of Cryptography

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Public-Key Cryptosystems CHAPTER 4

Introduction to Cybersecurity Cryptography (Part 4)

Pseudo-Random Generators

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Pseudo-Random Generators

Introduction to Cryptography. Lecture 8

Lecture 1: Introduction to Public key cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Efficient Pseudorandom Generators Based on the DDH Assumption

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

basics of security/cryptography

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

CS March 17, 2009

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Design of Cryptographically Strong Generator By Transforming Linearly Generated Sequences

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

ECE596C: Handout #11

CIS 551 / TCOM 401 Computer and Network Security

Other Public-Key Cryptosystems

Number Theory. Modular Arithmetic

Public Key Cryptography

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

New Variant of ElGamal Signature Scheme

Public Key Cryptography

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Asymmetric Encryption

Topics in Cryptography. Lecture 5: Basic Number Theory

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Introduction to Modern Cryptography. Benny Chor

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Public Key Cryptography

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

Lecture Notes, Week 6

Lecture V : Public Key Cryptography

Introduction to Cryptography. Lecture 6

5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Semantic Security of RSA. Semantic Security

Public-Key Encryption: ElGamal, RSA, Rabin

Applied Cryptography and Computer Security CSE 664 Spring 2018

Cryptography & Data Security - Comp 547. Assignment 5. Maxime CHAMBREUIL McGill ID:

RABIN PUBLIC-KEY CRYPTOSYSTEM IN RINGS OF POLYNOMIALS OVER FINITE FIELDS

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

5199/IOC5063 Theory of Cryptology, 2014 Fall

Aspect of Prime Numbers in Public Key Cryptosystem

Simple Unpredictable Pseudo-Random Number Generator

Elliptic Curve Cryptography

An Improved Pseudorandom Generator Based on Hardness of Factoring

Chapter 11 : Private-Key Encryption

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Digital Signature Scheme Based on a New Hard Problem

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Other Public-Key Cryptosystems

Ti Secured communications

An Improved Pseudo-Random Generator Based on Discrete Log

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Information Security

RSA ENCRYPTION USING THREE MERSENNE PRIMES

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco

Elementary Number Theory Review. Franz Luef

Elliptic Curve Cryptography

Number theory (Chapter 4)

CPSC 467: Cryptography and Computer Security

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Pseudorandom number generators based on random covers for finite groups

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

CPSC 467b: Cryptography and Computer Security

Transcription:

Pseudo-random Number Generation Qiuliang Tang

Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private key in DSA The initialization vectors (IVs) used in ciphers

Pseudo-random Number Generator Pseudo-random number generator: A polynomial-time computable function f (x) that expands a short random string x into a long string f (x) that appears random Not truly random in that: Deterministic algorithm Dependent on initial values Objectives Fast Secure

Pseudo-random Number Generator Classical PRNGs Linear Congruential Generator Cryptographically Secure PRNGs RSA Generator Blum-Micali Generator Blum-Blum Blum-Shub Generator Standardized PRNGs ANSI X9.17 Generator FIPS 186 Generator

Linear Congruential Generator - Algorithm Based on the linear recurrence: x i = a x i-1 + b mod m i 1 Where x 0 is the seed or start value a is the multiplier b is the increment m is the modulus Output (x 1, x 2,, x k ) y i = x i mod 2 Y = (y 1 y 2 y k ) pseudo-random sequence of K bits

Linear Congruential Generator - Example Let x n = 3 x n-1 + 5 mod 31 n 1, n and x 0 = 2 3 and 31 are relatively prime, one-to to-one one (affine cipher) 31 is prime, order is 30 Then we have the 30 residues in a cycle: 2, 11, 7, 26, 21, 6, 23, 12, 10, 4, 17, 25, 18, 28, 27, 24, 15, 19, 0, 5, 20, 3, 14, 16, 22, 9, 1, 8, 29, 30 Pseudo-random sequences of 10 bits when x 0 = 2 1101010001 When x 0 = 3 0001101001

Linear Congruential Generator - Security Fast, but insecure Sensitive to the choice of parameters a, b, and m Serial correlation between successive values Short period, often m=2 32 or m=2 64

Linear Congruential Generator - Application Used commonly in compilers Rand() Not suitable for high-quality randomness applications Issues with the RANDU random number algorithm Use Mersenne Twister algorithm in Monte Carlo simulations Longer period 2 19937 19937-1 Not suitable for cryptographic applications Use cryptographically secure pseudo-random number generators

Cryptographically Secure Passing all polynomial-time statistical tests There is no polynomial-time algorithm that can correctly distinguish a string of k bits generated by a pseudo-random bit generator (PRBG) from a string of k truly random bits with probability significantly greater than ½ Probability distributions indistinguishable Passing the next-bit test Given the first k bits of a string generated by PRBG, there is no n polynomial-time algorithm that can correctly predict the next (k+1) th bit with probability significantly greater than ½ Next-bit unpredictable The two notions are equivalent Proved by Yao

Cryptographically Secure PRNGs A PRNG from any one-way function A function f is one-way if it is easy to compute y = f (x) but hard to compute x = f -1 (y) There is a PRNG if and only if there is a one-way function One-way functions The RSA function The discrete logarithm function The squaring function Cryptographically secure PRNGs RSA Generator Blum-Micali Generator Blum-Blum Blum-Shub Generator

RSA Generator - Algorithm Based on the RSA one-way function: x i = x b i-1 mod n i 1 Where x 0 is the seed, an element of Z * n n = p*q, p and q are large primes gcd (b, Φ(n) ) = 1 where Φ(n) = (p-1)(q 1)(q-1) n and b are public, p and q are secret Output (x 1, x 2,, x k ) y i = x i mod 2 Y = (y 1 y 2 y k ) pseudo-random sequence of K bits

RSA Generator - Security RSA Generator is provably secure RSA Generator is provably secure It is difficult to predict the next number in the sequence given the previous numbers, assuming that it is difficult to invert the RSA function (Shamir)

RSA Generator - Efficiency RSA Generator is relatively slow Each pseudo-random bit y i requires a modular exponentiation operation Can be improved by extracting j least significant bits of x i instead of 1 least significant bit, where j=cloglogn and c is a constant Micali-Schnorr Generator improves the efficiency

Blum-Micali Generator - Concept Discrete logarithm Let p be an odd prime, then (Z p*, ) is a cyclic group with order p-1 Let g be a generator of the group, then <g> = p-1, and for any element a in the group, we have g k = a mod p for some integer k If we know k, it is easy to compute a However, the inverse is hard to compute, that is, if we know a, it is hard to compute k = log g a Example (Z 17*, ) is a cyclic group with order 16, 3 is the generator of the group and 3 16 = 1 mod 17 Let k=4, 3 4 = 13 mod 17, which is easy to compute The inverse: 3 k = 13 mod 17, what is k? what about large p?

Blum-Micali Generator - Algorithm Based on the discrete logarithm one-way function: Let p be an odd prime, then (Z p*, ) is a cyclic group Let g be a generator of the group, then for any element a, we have g k = a mod p for some k Let x 0 be a seed x i = g x i-1 mod p i 1 Output (x 1, x 2,, x k ) y i = 1 if x i (p-1)/2 y i = 0 otherwise Y = (y 1 y 2 y k ) pseudo-random sequence of K bits

Blum-Micali Generator - Security Blum-Micali Generator is provably secure It is difficult to predict the next bit in the sequence given the previous bits, assuming it is difficult to invert the discrete logarithm function (by reduction)

Blum-Blum Blum-Shub Generator - Concept Quadratic residues Let p be an odd prime and a be an integer a is a quadratic residue modulo p if a is not congruent to 0 mod p and there exists an integer x such that a x 2 mod p a is a quadratic non-residue modulo p if a is not congruent to 0 mod p and a is not a quadratic residue modulo p Example Let p=5, then 1 2 =1, 2 2 =4, 3 2 =4, 4 2 =1 1 and 4 are quadratic residues modulo 5 2 and 3 are quadratic non-residues modulo 5

Blum-Blum Blum-Shub Generator - Algorithm Based on the squaring one-way function Let p, q be two odd primes and p q 3 p 3 mod 4 Let n = p*q Let x 0 be a seed which is a quadratic residue modulo n x i = x 2 i-1 mod n i 1 Output (x 1, x 2,, x k ) y i = x i mod 2 Y = (y 1 y 2 y k ) pseudo-random sequence of K bits

Blum-Blum Blum-Shub Generator - Security Blum-Blum Blum-Shub Generator is provably secure Euler s s criterion Legendre symbol Jacobi symbol Composite quadratic residues

Blum-Blum Blum-Shub Generator - Security Euler s s criterion Let p be an odd prime. Then a is a quadratic residue modulo p if and only if a (p-1)/2 Proof: 1)/2 1 mod p Suppose a x 2 mod p, then a (p-1)/2 x 2*(p-1)/2 x p-1 1 mod p (By Fermat s s little theorem) Suppose a (p-1)/2 1 mod p. Let g be a generator of the group (Z p*, ), then a g k mod p for some integer k We have a (p-1)/2 g k*(p-1)/2 g k/2 1 mod p Then k must be even Let k=2m, then a (g m ) 2 mod p which means that a is a quadratic residue modulo p

Blum-Blum Blum-Shub Generator - Security Legendre symbol Let p be an odd prime and a be an integer If a is a multiple of p, then a (p-1)/2 0 mod p If a is a quadratic residue modulo p, then a (p-1)/2 1 mod p If a is a quadratic non-residue modulo p, then a (p-1)/2-11 mod p since (a (p-1)/2 ) 2 a p-1 1 mod p Example: Let p=5 (0/5)=0; (1/5)=(4/5)=1; (2/5)=(3/5)=-1

Blum-Blum Blum-Shub Generator - Security Jacobi symbol Let n be an odd positive integer p i is the prime factor of n and e i is the power of the prime factor (a/p i ) is the Legendre symbol and (a/n) is the Jacobi symbol Example: Let n=15=3*5 (9/15)=(9/3)(9/5)=0 (11/15)=(11/3)(11/5)=(2/3)(1/5)=(-1)(1)= 1)(1)=-1 (8/15)=(8/3)(8/5)=(2/3)(3/5)=(-1)( 1)(-1)=11)=1 (4/15)=(4/3)(4/5)=(1)(1)=1

Blum-Blum Blum-Shub Generator - Security Composite quadratic residues Let p, q be two odd primes and n = p*q If (x/n( x/n) ) = (x/p)(x/q( x/p)(x/q) ) = 1, then either (x/p( x/p) ) = (x/q( x/q) ) = 1 x is a quadratic residue modulo n or (x/p( x/p) ) = (x/q( x/q) ) = -1 x is a pseudo-square square modulo n It is difficult to determine if x is a quadratic residue modulo n as factoring n=p*q is difficult Example: Let n=15=3*5 (8/15)=(8/3)(8/5)=(2/3)(3/5)=(-1)( 1)(-1)=1; 1)=1; 8 is a pseudo-square square (4/15)=(4/3)(4/5)=(1)(1)=1; 4 is a quadratic residue

Blum-Blum Blum-Shub Generator - Security Why p q 3 p 3 mod 4 Such that every quadratic residue x has a square root y which is itself a quadratic residue Denote the square root of x to be y, that is, x=y 2 mod n Let p= 4m+3, then m=(p-3)/4. y = x (p+1)/4 mod p is a principal square root of x modulo p x (p-1)/2 =x (4m+3-1)/2 =x 2m+1 =1 mod p => x 2m+2 =x mod p =>(x m+1 ) 2 = x mod p => y = x m+1 = x (p+1)/4 y is a quadratic residue y (p-1)/2 = (x (p+1)/4 ) (p-1)/2 = (x (p-1)/2 ) (p+1)/4 =1 (p+1)/4 =1 mod p Similar for q, y = x (q+1)/4 mod q Since n=p*q and x is a quadratic residue modulo n, then x has a unique square root modulo n (Chinese remainder theorem) As a result, the mapping from x to x 2 mod n is a bijection from the set of quadratic residues modulo n onto itself

Blum-Blum Blum-Shub Generator - Application The basis for the Blum-Goldwasser probabilistic public-key encryption To generate the keystream during encryption and decryption

Standardized PRNGs General characteristics Not been proven to be cryptographically secure Sufficient for most applications Using one-way functions such as hash function SHA-1 1 or block cipher DES with secret key k Examples ANSI X9.17 Generator FIPS 186 Generator

ANSI X9.17 Generator Algorithm Let s be a random secret 64-bit seed, E k be the DES E-D-E E E two-key triple-encryption encryption with key k, and m be an integer I = E k (D), where D is a 64-bit representation of the date/time with finest available resolution For i=1,,m,m do x i = E k (I XOR s) s = E k (x i XOR I) Return (x 1, x 2, x m ) m pseudo-random 64-bit strings Used as an initialization vector or a key for DES

FIPS 186 Generator Used for DSA private keys Algorithm Let q be a 160-bit prime number, and m be an integer Let (b, G) = (160, DES) or (b, G) = (160..512, SHA-1) Let s be a random secret seed with b bits Let t be a 160-bit constant, t= 67452301 efcdab89 98badcfe 10325476 c3d2e1f0 For i=1 m m do Either select a b-bit b bit string y i, or set y i =0 (optional user input) z i = (s + y i ) mod 2 b a i = G(t, z i ) mod q s = (1 + s + a i ) mod 2 b Return (a 1, a 2,,, a m ) m pseudo-random numbers in [0, q-1] q

FIPS 186 Generator Used for DSA per message secret numbers Algorithm Let q be a 160-bit prime number, and m be an integer Let (b, G) = (160, DES) or (b, G) = (160..512, SHA-1) Let s be a random secret seed with b bits Let t be a 160-bit constant, t= efcdab89 98badcfe 10325476 c3d2e1f0 67452301 For i=1 m m do k i = G(t,, s) mod q s = (1 + s + k i ) mod 2 b Return (k 1, k 2,,, k m ) m pseudo-random numbers in [0, q-1] q

References 1. D. Stinson. Cryptography, Theory and Practice.. 3 rd Ed. Chapman & Hall/CRC, 2006 2. A. J. Menezes, P. C. Van Oorschot, and S. A. Vanstone. Handbook of applied cryptography. CRC Press, 1997 3. J. Hastad, R. Impagliazzo, L. Levin, and M. Luby. A pseudorandom generator from any one-way function. SIAM Journal on Computing, 28(4): 1364-1393, 1999 4. S. Goldwasser and M. Bellare. Lecture Notes on Cryptography. 2008. http://cseweb.ucsd.edu/~mihir/papers/gb.pdf 5. P. Junod. Cryptographic Secure Pseudo-Random Bits Generation: The Blum-Blum-Shub Generator. 1999. http://crypto.junod.info/bbs.pdf 6. M. J. Fischer. Pseudorandom Sequence Generation. Yale University. http://zoo.cs.yale.edu/classes/cs467/2006f/course/handouts/ho15.pdf 7. Federal Information Processing Standards Publication. Digital Signature Standard (DSS). 2000. http://csrc.nist.gov/publications/fips/archive/fips186-2/fips186-2.pdf

Quiz 1. Name one criterion when considering a pseudo-random number generator to be cryptographically secure 2. Name the one-way function that the Blum-Micali generator is based on 3. What are the four concepts that are used when considering the security of the Blum-Blum Blum-Shub generator? 4. Let p be an odd prime and p 3 3 mod 4. Let x be a quadratic residue modulo p. Let y be the principal square root of x. What is y in terms of x and p? 5. Name the two standardized pseudo-random number generators Bonus: What are the two objectives when designing a pseudo-random number generator?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback