Pseudo Random Bit

Generator
 Motivation
• It is crucial to security that cryptographic
keys are generated with a truly random
or at least a pseudo-random generation
process
• Otherwise , an attacker might reproduce
the key generation process and easily
find the key used to secure a specific
communication
 Motivation
• In cryptography, we are often in a situation
where we need a random integer or a
random sequence of bits.
• For example, secret keys are often required
to be random. But what does that really
mean?
• If we flip a coin eight times and assign 0 to
one of the sides and 1 to the other, then
the sequence 00000000 is just as likely as
the sequence 10011100.
• Still, our intuition tells us that the second
sequence is “more random” than the first
one.
• But actually, humans are quite bad at
consciously creating random sequences –
 Random numbers in
•
Cryptography
Random numbers are required in many places
• Producing good random number is difficult
• Generation of pseudo-random numbers is required in
cryptographic protocols for the generation of
• Example 1: One time pad
– Create a pad using random numbers
• Example 2: Initialization vectors
– Required for example by Cipher block Chaining
mode
• Example 3: Session Key
– Create a shared secret for a communication
session
– Cryptographic keys
– Nonce's
• Example usages
– Authentication with challenge-response mechanism,
e.g. GSM (Group SpécialeMobile), and UMTS
(Universal Mobile Telecommunications System )
authentication
 Randomness Definition
• Chaitin-Kolmogorov randomness (also called algorithmic
randomness)
– a string of bits is random if and only if it is shorter than any
computer program that can produce that string
• this basically means that random strings are those that
cannot be compressed.
• Consider the following two strings of length 64, each
containing only lowercase letters, numbers, and spaces:
• abababababababababababababababababababababababab
abababababababab
4c1j5b2p0cv4w1x8rx2y39umgw5q85s7uraqbjfdppa0q7ni
eieqe9noc4cvafzf The
• first string has a short English-language description, namely
"ab 32 times", which consists of 11 characters. The
second one has no obvious simple description (using the
same character set) other than writing down the string
itself, which has 64 characters.
•
• Statistical Randomness
 Inherent non-
randomness
• Because any PRNG run on a deterministic
computer (contrast quantum computer) is
deterministic, its output will inevitably have
certain properties that a true random sequence
would not exhibit.
– guaranteed periodicity—it is certain that if the
generator uses only a fixed amount of memory
then, given a sufficient number of iterations, the
generator will revisit the same internal state twice,
after which it will repeat forever. A generator that
isn't periodic can be designed, but its memory
requirements would grow as it ran. In addition, a
PRNG can be started from an arbitrary starting
point, or seed state, and will always produce an
identical sequence from that point on.
 cont
– In practice, many PRNGs exhibit
artifacts which can cause them to
fail statistically significant tests.
These include, but are certainly not
limited to:
• Shorter than expected periods for
some seed states (not full period)
• Poor dimensional distribution
• Successive values are not independent
• Some bits may be 'more random' than
others
• Lack of uniformity
 Random bits
• A sequence of random bits is a sequence where
the bits are independent from each other and
uniformly distributed.
• Random bits can be generated in may different
ways.
• As it turns out, most of these ways are rather
slow and/or expensive.
• Random-bit generators can be based on hardware
or on software.
• For hardware, you could use things like the time
elapsed between emission of particles during
radioactive decay, sounds from different
sources, air turbulence within a disk drive
causing random fluctuations in disk drive sector
read latency times or any other phenomena
• For software, you could use time, some kind of user input
(though having a human type 1’s and 0’s will most likely
not yield a good result,) or the system environment.
• Most likely, none of these methods will give us a uniform
distribution of 1’s and 0’s, but it can be solved by simple
de-skewing techniques.
• For example, you can look at pairs of bits, throw them
away if both bits are the same, and keep the first bit if
they are different.
• Of course, this means you have to produce at least 4 times
as many bits as you will need.
• Combining any number of these methods (as long as they
are independent) should yield results that are as least as
good as the best of the methods.
• There are different ways to accomplish this, a (possibly too)
simple method is to just XOR the results. A better
method would be to use some kind of hash-function on a
concatenation of the results.
 Random number,
Pseudorandom
• The outputs of pseudorandom
number generators are not truly
random
– they only approximate some of the
properties of random numbers.
– "Anyone who considers arithmetical
methods of producing random digits
is, of course, in a state of sin.”---
John von Neumann
– Truely random numbers can be
generated using hardware random
 Pseudo-random bits
• A way to save a lot of time is to use a pseudo-
random bit generator (PRBG). This is an
algorithm that takes a relatively small number
of random bits (length k) as input, and outputs a
longer sequence (length l) of bits, that appears
to be random.
• These algorithms are deterministic, that means
that they will always produce the same output
for a given input.
• The intent is to make the outputs
indistinguishable from truly random bit-strings.
 Random Bit Generator
-example
• Example: random.org
• Atmospheric noise
• You just need – microphone,
soundcard, frequency where
nobody is broadcasting
• Sample at 8kHz
• Discard the upper bits
• Create a stream using the lower bits
•
 Construction of PRG’s
• Theorem: Suppose there is a one
way permutation, then there is a
PRG with arbitrary polynomial
expansion.
• Need the following ideas:
– One way function
– One way permutation
– Hard core bit
 Pseudo Random Number
Generator (PRNG)

• Computer simulation of random

variables is the task of using
computers to generate many random
numbers that are independent and
identically distributed. It is also known
as random number generation (RNG).
• In fact, these computer-generated
random numbers form a deterministic
sequence, and the same list of
numbers will be cycled over and over
again. This cycle can be made to be so
long that the lack of true
independence is unimportant.
• Therefore, such computer codes are
often termed pseudo-random
number generators (PRNG).
• There exist mathematical
transformation methods to obtain
other distributions from uniform
variates. For this reason, most
PRNGs found in software libraries
produce uniform random numbers
in the unit interval (0, 1).
•
 Pseudo-Random Bit
Generators
• Deterministic functions E xa m p le :
– RNG : {0,1}n  {0,1} i := 0
» j := 0
do forever
• Stretch fixed-size seed i := i+1 mod 256
j := j+s[I] mod
to an unbounded 256
swap s[i],s[j]
sequence t := s[i]+s[j]
mod 256
output s[t]
that looks random
» S e e d : initialvalue of s

• Computable approximation S ize o f sta te : ( 2 256 ) 256

of one-time pad
»
• Example: RC4
 Stream Ciphers
One-time pad using a RNG
•

• Use k as seed? Ek(m) = m  RNG(k)

– Reuse problem!
»

• Typical usage (e.g., with DES)

• Ek(m) = DESk(s) , m 
stro n g fa st
RNG(s)
•

– Chose new s each time

 Pseudo-random Bit
Generator
• Several applications
– Key generation
– Some encryption algorithms, or
one-time pad
• Let l>k be integers
– Function f: Z2k Z2l computable in poly-time
– Then f called (k,l)-pseudo-random bit
generator
– The input s0 Z2k is called the seed
– Output f(s0) is called the pseudo-random 19
 Desired Properties
• Three important properties:
– Unbiased (uniform distribution):
• All values of whatever sample size
is collected are equiprobable
– Unpredictable (independence):
• It is impossible to predict what the
next output will be, given all the
previous outputs, but not the
internal "hidden" state.
– Irreproducible:
• Two of the same generators, given
the same starting conditions, will
produce different outputs.
 Desired Properties
• Usually when a person says
– A "good" pseudo-random number
generator
• they mean it is unbiased.
– A "true" PRNG
• they usually mean it's
irreproducible
– A "cryptographically strong" PRNG
• they mean it's unpredictable
– Very rarely they mean it's all threes
 More Properties
• Long period
– The generator should be of long
period
• Fast computation
– The generator should be
reasonably fast
• Security
– The generator should be secure
– What is security level of PRNG?
• There are many different PRBG’s out
there. One often used is the linear
congruential generator.
• It produces a pseudorandom sequence
of numbers through the formula
• xn = axn- 1 +b mod m, n1
• where a, b and m are chosen
parameters.
• This is a very useful function for things
like simulations or other algorithms
where the randomness is more
important than the secrecy, but it has
been proven completely insecure for
Secure PRBG’s should must have at least the
•

following properties:
1. The length k of the seed (the input to the
function) should be large enough, so that an
adversary cannot simply run through all
possibilities
2. The output sequences should be statistically
indistinguishable from random sequences
3. The output bits should be unpredictable to an
adversary with limited resources
 next-bit test
• The next-bit test (for condition 3):
• A PRBG is said to pass the next-bit
test if there is no polynomial-time
algorithm that given bits 0 to m-1
of an output sequence can predict
bit m with probability significantly
higher than 50%.
• A PRBG passing the next-bit test is
called cryptographically secure
(CSPRBG.)
 For condition 2
• A random sequence is assumed to have certain
properties. These properties should appear in
pseudo-random sequence as well.
• Some of these are mentioned in Golomb's randomness
postulates.
• For example, the number of 1's and 0's should be
about the same, the bits should not depend on each
other, and so on.
• There are tests for each of these properties.
• Failing one of these tests indicates non-randomness.
• Of course, passing one of these tests does not
guarantee randomness – in fact, even passing all of
these tests does not guarantee randomness.
• Each test just makes it more and more unlikely that a
sequence is non-random.
 Five tests for PRBG
• We will now present five tests that are
often used in testing PRBG's.
• They all test the hypothesis that the
sequence was generated by a random
number generator, with a significance
level of 5%.
• That means, that sequences actually
produced with a random number
generator are rejected with a
probability of 5%.
• This may seem like a lot, but it also
makes it more unlikely that we will
accept sequences that do not possess
 Frequency test
• The purpose of this test is to see if
there are about as many 1's as 0's.
•n: the number of bits,

•n0: the number of 0’s, (n0 − n1) 2

X1 =
•n1: the number of 1’s n
•

• X1 should be less than

3.8415
•
 The Serial Test
• This test is similar to the frequency test, but
looks for 2-bit subsequences instead.
• n: the number of bits, n0: the number of 0's,
n1: the number of 1's, n00: the number of
00's, ...
• For example, for the sequence 011100, the
values would be n=6, n0=3, n1=3, n00=1,
n01=1, n10=1, n11=2.
• X2 =
n−1
(
4 2
00 01
2
10
2
11 ) n(
2 2 2
n + n + n + n − n + n +1
2
0 1 )
•
X2
•
• should be less than 5.9915
 The Poker Test
• We divide the sequence into subsequences of a
certain length, and then test if these sequences
appear the same number of times. m is a
positive
 integer
 such as:  
n m n 
 ≥ 5.( 2 ), k =  ,

• 
m 

 m 
 
•
1 ≤ i ≤ 2 m
• ni is the number of occurrence of the ith
type of sequence of length mand
• The poker test is a generalisationof the
frequency test : m=1 in the poker
test yields the frequency test.
• The static used is:
•
m  2m 
• 2  2 
X =  ∑ n  −k
3 k  i 
• i = 1 
•
• X3 should be less than 14,0671
•
•
 The Run Test
• A run is a subsequence , which
consist of the consecutive 0’s or
consecutive 1’s. A run of 0’s is
called a gap, and a run of 1’s is
called a block.
• In runs test we check if the number
of runs is as expected for a random
sequence.
• The expected number of gaps or
blocks of length i in a random
sequence
( n − i of
+ 3length
) n is :
ei = i +2
• 2
•
• K is equal to the largest integer I for
which ei  5, Bi, Gi are the number
of gaps and blocks of length I in s
for each I, and 1  I  k
•
• The Statistics used is:
•
• k ( Bi − ei ) 2 k ( Gi − ei ) 2
• X4 = ∑ ei
+ ∑
ei
i =1 i =1
•
• X4 should be less than 9,4877
 The Autocorrelation test
• The purpose of the autocorrelation
test is to check that bits don't
depend on other bits. We choose a
number d, and then compare each
bit ito the bit i+d.
• If the two bits are the same too
often, or different too often, the
test rejects the input.
X5 should be less than 1,96 and bigger than
-1,96.
 PRG Definition
• Uk denotes the uniform distribution on
bit strings of length k
• Security is built-in following definition
• A PRG with expansion l(K) is a
deterministic poly-time algorithm
from bit strings to bit strings s.t.:
• L(k) is a polynomial in k s.t. l(k) > k
• No PPT distinguisher D exists with
• Prob(D(g(Uk)) = 1) – Prob(D(Ul(k) = 1)
• Non-negligible in terms of k
•
 Blum-Blum-Shub Pseudo
Random bit generator
• Setup: generate two large secret random (and
distinct) prime p and q, each congruent to 3
modulo 4, and compute n =pq (n =pq is an RSA
modulus with p,q = 3 mod 4.)
– Select a random integer s (the seed) in the
interval [1, n-1] such that gcd(s,n) = 1, and
compute x0= (s)2 mod n
– For i from 1 to l do the following:
1.xi = (xi-1 )2 mod n
2.zi = the least significant bit of xi
– The output sequence is z1,z2,..., zl
 Blum-Blum-Shub
• IETF RFC 1750 (Eastlake et al.)
states:
• “If you use no more than the
log2log2(xi) low order bits, then
predicting any additional bits from a
sequence generated in this manner
is provable [sic] as hard as factoring
n.”
–
 Blum-Blum-Shub
• Analysis by Koblitz and Menezes:
– Take the best bounds on security and
hardness of factoring known in the
literature.
– Apply them for j=9 and n with 768 bits,
extracting M=109 bits from the
generator.
– Allowing a success probability of 0.01 for
the adversary, what is the time bound
on the adversary?
– Answer: 2-264
– Yes, that is a negative sign in the
exponent!
• Concrete security analysis does not
 Security
• A PRNG suitable for cryptographic applications
is called a cryptographically secure PRNG
(CSPRNG).
– Its output should not only pass all
statistical tests for randomness but
satisfy some additional cryptographic
requirements.
– Used in many aspects of cryptography
require random numbers, for example:
• Key generation
• Nonces
• Salts in certain signature schemes,
(ECDSA, RSASSA-PSS).
• One-time pads
 CSPRNG
• CSPRNG requirements fall into two groups:
– their statistical properties are good (passing tests of
randomness),
– they hold up well in case of attack, even when (part of)
their secrets are revealed.
• A CSPRNG should satisfy the 'next-bit test'.
– Given the first l bits of a random sequence there is no
polynomial-time algorithm that can predict the next
bit with probability of success significantly higher than
1/2.
– It has been proven that a generator passing the next-bit
test will pass all other polynomial-time statistical tests
for randomness.
• should withstand state compromise extensions.
– That is, in the unfortunate case that part or all of the
state has been revealed (or guessed correctly), it
should be impossible to reconstruct the stream of
random numbers prior to the incident. Also if there is
an input of entropy, it should be infeasible to use
 Example
• the CSPRNG being considered
produces output by computing
some function of the next digit of pi
(ie, 3.1415...),
Ø it may well be random as pi
appears to be a random
sequence.
Ø However, this does not satisfy
the next-bit test, and
Ø thus is not cryptographically
secure.
Ø There exists an algorithm that
 Design
• divide designs of CSPRNGs into
classes:
– those based on block ciphers;
– those based upon hard mathematical
problems, and
– special-purpose designs.
•
 Designs based on
cryptographic primitives
• Designs based on cryptographic primitives
– A secure block cipher can also be converted into a CSPRNG by
running it in counter mode.
• This is done by choosing an arbitrary key and
encrypting a zero, then encrypting a 1, then
encrypting a 2, etc. The counter can also be
started at an arbitrary number other than
zero. Obviously, the period will be 2n for an
n-bit block cipher; equally obviously, the
initial values (i.e. key and 'plaintext') must
not become known to an attacker lest,
however good this CSPRNG construction
might be otherwise, all security be lost.
• A cryptographically secure hash of a counter might also act
as a good CSPRNG in some cases.
– it is necessary that the initial value of this counter is random
 DES Based Generator
• ANSI X9.17 PRNG (used by PGP,..)
– Inputs: two pseudo-random inputs
• one is a 64-bit representation of
date and time
• The other is 64-bit seed values
– Keys: three 3DES encryptions using
same keys
– Output:
• a 64-bit pseudorandom number and
• A 64-bit seed value for next-round
use
 ANSI X9.17
K1,K2

DT
EDE

EDE
Si+1

Si
EDE

Ri
 Linear Congruential
Generator
• Protocol
– Let M be an integer and a, b less
than M
– Let k be number of bits of M
– Integer l is between k+1 and M-1
– Let s0 be a seed less than M
– Define si=asi-1 +b mod M
– Then the ith random bit is si mod 2
– It is not proved to be secure
 Parameter Setting
• Not all a, b are good and m should be
large
• For example, m is a large prime
number
• For fast computation, usually m=231 -
1
– And b is set to 0 often
• For this m, there are less than 100
integers a
– It generates all numbers less than m
– The generated sequences appear to
 RSA Generator
• Protocol
– Let p, q be two k/2 bits primes and
define n=pq
– Integer b: gcd(b, (n))=1
– Public: n, b; Private p,q
– A seed s0 with k bits
– Sequence si+1 =sib mod n
– Then the ith random bit is si mod 2
– It is proved to be secure!
 BBS Generator
• Blum-Blum-Shub Generator
– Let p, q be two k/2 bits primes and
define n=pq
– Here p=q=3 mod 4
• this guarantees that each quadratic
residue has one square root which is
also a quadratic residue
– gcd(φ(p-1), φ(q-1)) should be small
• this makes the cycle length large.
– Let QR(n) be all quadratic residues
modulo n
– Public: n; Private p,q
– A seed s0 with k bits from QR(n)
– Sequence si+1 =si2 mod n
 Cont on BBS
• Provably “secure”
– When the primes are chosen
appropriately,
– and O(log log n) bits of each Si are
output,
– then in the limit as n grows large,
distinguishing the output bits from
random will be at least as difficult as
factoring n.
• However,
– it's theoretically possible that a fast
algorithm for factoring will someday
 Discrete Logarithm
Generator
• Protocol
– Let p be a k-bit prime,
– Let  be primitive element modulo
p
– A seed s0 is any non-zero integer
less than p
– Define si+1 =  si mod p
– Then the ith random bit is
• 1 if si is larger than p/2
• 0 if si is less than p/2
 Standards
• A number of designs of CSPRNGs
have been standardized. They can
be found in:
– FIPS 186-2
– ANSI X9.17-1985 Appendix C
– ANSI X9.31-1998 Appendix A.2.4
– ANSI X9.62-1998 Annex A.4
•