Chapter 7 Random Numbers

Similar documents
CPSC 531: Random Numbers. Jonathan Hudson Department of Computer Science University of Calgary

How does the computer generate observations from various distributions specified after input analysis?

Systems Simulation Chapter 7: Random-Number Generation

CSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function

How does the computer generate observations from various distributions specified after input analysis?

Stream Ciphers. Çetin Kaya Koç Winter / 20

Slides 3: Random Numbers

True & Deterministic Random Number Generators

Algorithms and Networking for Computer Games

Topics in Computer Mathematics

Pseudo-Random Numbers Generators. Anne GILLE-GENEST. March 1, Premia Introduction Definitions Good generators...

Uniform random numbers generators

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

Random Number Generation. Stephen Booth David Henty

Generating Random Variables

2-4 Zeros of Polynomial Functions

Topic Contents. Factoring Methods. Unit 3: Factoring Methods. Finding the square root of a number

UNIT 5:Random number generation And Variation Generation

2008 Winton. Review of Statistical Terminology

Uniform Random Number Generators

Intro to Theory of Computation

CPSC 467b: Cryptography and Computer Security

Finite Fields. SOLUTIONS Network Coding - Prof. Frank H.P. Fitzek

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Review of Statistical Terminology

A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

( x) ( ) F ( ) ( ) ( ) Prob( ) ( ) ( ) X x F x f s ds

Number Theory. Modular Arithmetic

PUTNAM PROBLEMS SEQUENCES, SERIES AND RECURRENCES. Notes

Section 3.6 Complex Zeros

3.4. ZEROS OF POLYNOMIAL FUNCTIONS

Generating Uniform Random Numbers

Generating Uniform Random Numbers

Pseudorandom Sequences I: Linear Complexity and Related Measures

Generating pseudo- random numbers

Lecture 5: Random numbers and Monte Carlo (Numerical Recipes, Chapter 7) Motivations for generating random numbers

DE BRUIJN GRAPHS AND THEIR APPLICATIONS TO FAULT TOLERANT NETWORKS

Cyclic codes: overview

Math 3 Variable Manipulation Part 3 Polynomials A

Solutions, 2004 NCS/MAA TEAM COMPETITION

MATH 363: Discrete Mathematics

October 28, S4.4 Theorems about Zeros of Polynomial Functions

Lecture Notes. Advanced Discrete Structures COT S

Linear Feedback Shift Registers

Computer Science A Cryptography and Data Security. Claude Crépeau

Generating Uniform Random Numbers

HMMT February 2018 February 10, 2018

Homework 8 Solutions to Selected Problems

Uniform Random Binary Floating Point Number Generation

Commutative Rings and Fields

age for ^^Undergraduates Gregory V. Bard Providence, Rhode Island AMERICAN MATHEMATICAL SOCIETY

Questionnaire for CSET Mathematics subset 1

Computational Models Lecture 11, Spring 2009

Math 1302 Notes 2. How many solutions? What type of solution in the real number system? What kind of equation is it?

Show that the following problems are NP-complete

Lecture 1: Introduction to Public key cryptography

Discrete Math, Fourteenth Problem Set (July 18)

Galois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a.

17 Galois Fields Introduction Primitive Elements Roots of Polynomials... 8

Summation polynomials and the discrete logarithm problem on elliptic curves

B. Maddah ENMG 622 Simulation 11/11/08

B. Encryption using quasigroup

Algebra 2 Notes AII.7 Polynomials Part 2

( ) ( ) Monte Carlo Methods Interested in. E f X = f x d x. Examples:

Chapter 4 Finite Fields

MATH 115, SUMMER 2012 LECTURE 12

Leftovers from Lecture 3

Chapter 2 Symmetric Encryption Algorithms

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

STREAM CIPHER. Chapter - 3

Partial Fractions. June 27, In this section, we will learn to integrate another class of functions: the rational functions.

Tropical Polynomials

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

Math Lecture 18 Notes

Chapter 2. Polynomial and Rational Functions. 2.5 Zeros of Polynomial Functions

The Adjacency Graphs of Linear Feedback Shift Registers with Primitive-like Characteristic Polynomials

DeBruijn Strings, Double Helices, and the Ehrenfeucht-Mycielski Mechanism

Fast correlation attacks on certain stream ciphers

Stream Ciphers and Number Theory

PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS

Math 261 Exercise sheet 5

Cryptographic Pseudo-random Numbers in Simulation

Random processes and probability distributions. Phys 420/580 Lecture 20

Statistics, Data Analysis, and Simulation SS 2013

Shor s Algorithm. Polynomial-time Prime Factorization with Quantum Computing. Sourabh Kulkarni October 13th, 2017

Introduction to Cryptology. Lecture 20

Continuing discussion of CRC s, especially looking at two-bit errors

Chapter 4 Mathematics of Cryptography

State Recovery Attacks on Pseudorandom Generators

NORTHERN INDIA ENGINEERING COLLEGE, LKO D E P A R T M E N T O F M A T H E M A T I C S. B.TECH IIIrd SEMESTER QUESTION BANK ACADEMIC SESSION

Simplifying Rational Expressions and Functions

Independent Events. Two events are independent if knowing that one occurs does not change the probability of the other occurring

P and NP. Or, how to make $1,000,000.

b) since the remainder is 0 I need to factor the numerator. Synthetic division tells me this is true

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

On The Nonlinearity of Maximum-length NFSR Feedbacks

Transcription:

Chapter 7 Random Numbers February 15, 2010 7 In the following random numbers and random sequences are treated as two manifestations of the same thing. A series of random numbers strung together is considered to be a random sequence. A random sequence chopped up into (fixed length?) blocks is considered to give rise to a series of random numbers. Random numbers are needed in cryptology as: 1. Keys for symmetric algorithms 2. Seeds for finding primes (example: RSA) 3. As sequences to help factorising (Pollard s Monte Carlo Method) 4. In challenge/response mechanisms 5. Sequences for Vernam cyphers etc We need to generate pseudo-random numbers. We need to be able to test a sequence to see if it is random (example: cypher-text). A random sequence of, say, N = 2n bits should have equal numbers of 0 s and 1 s. That is 2 n 1 0 s and 2 n 1 1 s. The standard deviation around this mean is σ = 1. i.e. Numbers of 0 s is equal to the number of 1 s = 4N 1/2 2 n 1 ± 0.25 2 n 2. A random sequence should also have no periodicity (zero autocorrelation) 1

A random sequence should also have a geometrical distribution of any given pattern, example: k 0 s or k 1 s. More specifically, if we define a run length of k 0 s as k 0 s followed by 1, given a start 10 (so that a run length of 3 0 s is...10001) then the expected value of k, with P rob(runlength = k) = 2 k, is E(k) = 2. If there are 2 n (= N) bits then (provided k n 2). Number of runs of length k 0 s is 2 n 2 k, number of runs of length k 1 s is 2 n 2 k and number of runs of length n 0 s or 1 s is 1. With, in all, 2 n 2 runs of 0 s and 2 n 2 runs of 1 s. Example n = 6, N = 64 = 2 6 We should have 32=2 5 0 s and 1 s 16=2 4 runs of 0 s of average length 1 runs of 1 s of average length 1 8 runs of single 0 s or 1 s 4 runs of two 0 s or 1 s 2 runs of three 0 s or 1 s 1 run of four 0 s or 1 s 1 run of six 0 s or 1 s But these are expectation values. In reality, with really random, sequences these figures will only be approximated. Really random numbers and sequences cannot be rationally constructed. We construct pseudo-random sequences. For really random sequences we need a random seed and some random perturbations of some regular pattern. Random seeds are relatively easily provided - example: by measuring data and intervals between key strokes input at a keyboard or perhaps from a physical source such as a quantum generator. Random perturbations are harder. Perhaps a computer programme may read an independent fine-resolution timer to get some random input - provided the programme itself contains a certain fluidity in its progress. (A pseudo-random sequence which adheres too closely to the supposed ideal of the geometrical distribution of run length of 0 s and 1 s would be rejected by a chi-square test!) Some methods for generating pseudo-random sequences: 1. Maximum length sequence One takes an (irreducible) primitive polynomial g(x) of degree t over GF (2). One forms the linear Feed Back Shift Register (LFBSR) 2

where the connections correspond to the non-zero coefficients in g(x) = g t x t + g t 1 x t 1 +... + g 1 x + g 0. The output stream is a Maximum Length Sequence (MLS). 3

Example g(x) = x 4 + x + 1 Note that there are not four 0 s (0000) because the scheme is linear and we would always have all zero s. Otherwise we have a geometric distribution. The register contains successively all possible non-zero patterns. 4

Sequence shif ted out Content of register is as shif ted 0001 0010 0100 1001 0011 0110 1101 1010 0101 1011 0111 1111 1110 1100 1000... 0001 = 000100110101111 00... 2. De Bruijn Sequences (Non-linear, allow all-zeros ) These are Hamiltonian paths (a path visiting every node once) in a state diagram. We move from state to state designated by (x i x i+1... x i+m 1 ). The state has predecessor ( 0 x 0 1 i x i+1... x i+m 2 ) and successor (x i+1 x i+2... x i+m 1 ) 1 (and an associate (x i x i+1... x i+m 1 )). 5

The sequence emitted is the (overlapping) sequence of state names x i+m = f(x i, x i+1,... x i+m 1 ) to generate the Hamiltonian path. It can be shown that f() x i + g(x i+1... x i+m 1 ) if the associate is to be obtainable (and x i s predecessor unambiguous). Example 6

There are two Hamiltonian paths: 7

000 001 011 111 110 101 010 100 giving 00011101 00011101 000 and 000 001 010 101 011 111 110 100 giving 00010111 00010111 It can be shown that in an n-graph (binary) with n bits per state there exist 2 2n 1 n Hamiltonian paths. (It can also be shown that H n, a Hamiltonian path in an n-graph, is equivalent to E n 1, an Eulerian path in an (n 1)-graph. An Eulerian path visits every side (line) once.) In our example n = 3 so 2 2n 1 n = 2. 3. Linear Congruential Generator (LCG) LCGs generate sequences of pseudo-random numbers mod m. The general formula is x n+1 = (ax n + c) mod m equivalently x n = a n x 0 + c(a n 1) mod m. (a 1, but = x a 1 0 + nc if a = 1). The question is: What should the parameters a, c and m be? We want the sequence of integers to go through the full range mod m, i.e. 0, 1,... m 1 in some permuted order. Since 0 is included, we may take x 0 = 0 and have x n = a n x 0 + c(a n 1) mod m. Since 1 is included we have 1 = cr km for some a 1 r = ( an 1), k. Therefore c and m must be co-prime. a 1 We can choose m prime, but often the form of m is dictated by the application. If m is not prime with a factor d, then we have 8

x n = c r mod d x n = x n mod d c = c mod d Thus there is an inner loop, which if m = 2 t would show itself as repetitive cycles of the least significant bits of x n! Not very random! So avoid this. It can be shown that the periodicity of x n = λ with λ = LCM(λ i ) where m = Πp e i i and λ i = periodicity mod p e i i. To get maximum periodicity we require λ i = p e i i. It can be shown that this is achieved if (a 1) is divisible by p i for all i: Conclusion: (a) c is relatively prime to m (b) (a 1) is divisible by all prime factors p i of m (special case when p i = 2) Example m = 45 = 3 2 5 a = 16 so a 1 = 15 = 3 5 x 0 = 0, x 1 = 7, x 2 = 29, x 3 = 21, etc 0, 7, 29, 21, 28, 5, 42, 4, 26, 18, 25, 2, 39, 1, 23, 15, 22, 44, 36, 43, 20, 12, 19, 41, 33, 40, 17, 9, 16, 38, 30, 32, 14, 6, 13, 35, 27, 34, 11, 3, 10, 32, 24, 31, 8, (0). 4. Shuffling The pseudo-random sequence produced by for example an LCG can be shuffled to randomise it. For example one can incorporate the date and time=d, which hopefully flicks over rapidly. One uses a buffer b(i) i = 1, k holding LCG output. A possible scheme is (with x i m the LCG output) Initialise for i=1, k b(i)=x i n=k+1 Loop : Set t=d mod k j=t k xn m Output b(j) Set b(j)=x n n=n+1 The output is a function of the next x n read and the time. There are many other schemes and programs available for generating random numbers. It is important that they generate numbers of at least 2048 bits if they are to be useful cryptographically, and that their seed and any other external input cannot be guessed or generated by an attacker. For example, 9

with RSA an attacker might find it easier to generate the factors p, q of the modulus n (by running a version of the victim s key-generation program) rather than trying to factorise n. 10

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback