Topics in Algebra: Cryptography
Univ.-Prof. Dr. Goulnara ARZHANTSEVA
WS 2019
Pseudorandomness
Cryptography:
Symmetric and asymmetric cryptosystems;
One-way functions, Hash functions;
Key management, Digital Signatures, Applications;
Pseudorandom generators.
Encoding, Error-correction.
Randomness vs Pseudorandomness
  Random numbers                 | Pseudorandom numbers
  Nondeterministic               | Deterministic
  Physical processes, hardware   | Computer algorithm, software
  No pattern                     | Periodic
  Unpredictable                  | Predictable, depending on observers
Two of the most celebrated open problems in mathematics and computer science, the Riemann Hypothesis and the P vs. NP question, can be stated as problems about pseudorandomness.
Bit generator
A seed is a number (or a vector) used to initialize a pseudorandom number generator.
Definition: (k,l)-bit generator
Let $k, l \in \mathbb{N}$, $l \ge k+1$. A $(k,l)$-bit generator is a function $f\colon (\mathbb{Z}_2)^k \to (\mathbb{Z}_2)^l$ that is in P (as a function of $k$).
The input $s_0 \in (\mathbb{Z}_2)^k$ is the seed, and the output $f(s_0) \in (\mathbb{Z}_2)^l$ is the generated bitstring.
We assume that $l$ is a polynomial function of $k$, called the stretch function of $f$.
Bit generator
A bit generator is deterministic.
We aim to construct bit generators such that $f(s_0)$ looks like random bits.
Such a bit generator is called a pseudo-random bit generator (PRBG).
Example of use: the seed is a secret key, and the bit generator generates a key of the same length as the plaintext for the one-time pad.
Linear Feedback Shift Register: Definition
Definition: LFSR for $c = (c_0, \dots, c_{l-1})^T \in (\mathbb{Z}_2)^l$ of degree $l > 0$, $c_0 \ne 0$
It is given by the linear recurrence
$$s_{n+l} = (s_n, \dots, s_{n+l-1}) \cdot \begin{pmatrix} c_0 \\ \vdots \\ c_{l-1} \end{pmatrix} = \sum_{j=0}^{l-1} c_j\, s_{n+j} \pmod 2, \qquad n \ge 0,$$
such that
$t^{(0)} := t = (t_0, \dots, t_{l-1}) \in (\mathbb{Z}_2)^l$ is the initial value, $s_i = t_i$ for $0 \le i \le l-1$,
$t^{(n)} := (s_n, \dots, s_{n+l-1})$ is the $n$-th state vector.
We write $s := \langle c, t \rangle$.
It is of degree $l$ as each term depends on the previous $l$ terms.
Question 23: Why $c_0 \ne 0$?
Linear Feedback Shift Register: Example
LFSR for $c = (1,1,0,0)^T \in (\mathbb{Z}_2)^4$ of degree $l = 4$ with $t = (1\,0\,1\,0)$:
$s = 1,0,1,0,1,1,1,1,0,0,0,1,0,0,1,\mid 1,0,1,0,\dots$
Definition: periods of LFSR
$s$ is $k$-periodic if $s_{i+k} = s_i$ for all $i \ge 0$, or equivalently, $t^{(i+k)} = t^{(i)}$ for all $i \ge 0$. $c$ is $k$-periodic if $s = \langle c, t \rangle$ is $k$-periodic for all $t \in (\mathbb{Z}_2)^l$.
The period is the smallest such number $k$.
Take $k = 2^l - 1$. So, a short initial ‘key’ (seed) generates a keystream with a long period:
given an $l$-bit seed, an LFSR of degree $l$ produces $2^l - l - 1$ further bits before repeating.
Question 24: Is this $k$ the period?
Linear Feedback Shift Register: Security
The LFSR is insecure! Knowledge of any $2l$ consecutive bits allows one to determine the seed, and hence the entire sequence.
For each $n \ge 0$, the linear recurrence expressing $s_{n+l}$ is a linear equation in the $l$ unknowns $(c_0, \dots, c_{l-1})$. For $n \in \{0, 1, \dots, l-1\}$ we get $l$ linear equations in $l$ unknowns:
$$(s_l, s_{l+1}, \dots, s_{2l-1}) = (c_0, c_1, \dots, c_{l-1}) \cdot \begin{pmatrix} s_0 & s_1 & \dots & s_{l-1} \\ s_1 & s_2 & \dots & s_l \\ \vdots & \vdots & & \vdots \\ s_{l-1} & s_l & \dots & s_{2l-2} \end{pmatrix}.$$
If the matrix is invertible mod 2, then we find $(c_0, \dots, c_{l-1})$ and determine the entire sequence.
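The following is an added example, not code from the lecture slides: it implements the LFSR $\langle c, t\rangle$ of the definition, checks the period of the example $c = (1,1,0,0)^T$, $t = (1\,0\,1\,0)$ against $2^l - 1$, and reproduces the argument of the Security slide by solving the $l \times l$ Hankel system mod 2 for $c$ from any $2l$ consecutive output bits. All function names are chosen here; the solver returns `None` when the matrix is singular mod 2 (for instance on an all-zero window), which is the case Question 25 asks you to rule out for a genuine degree-$l$ sequence.

```python
# Added example (not from the lecture slides): LFSR over Z_2, its period, and
# recovery of the feedback coefficients c from 2l consecutive output bits.

def lfsr(c, t, nbits):
    """First nbits of s = <c,t>:  s_{n+l} = sum_{j<l} c_j * s_{n+j} (mod 2),  s_i = t_i for i < l."""
    l = len(c)
    assert len(t) == l and c[0] == 1, "degree l needs l coefficients and c_0 != 0"
    s = list(t)
    while len(s) < nbits:
        n = len(s) - l                       # the next index to fill is n + l
        s.append(sum(cj * sj for cj, sj in zip(c, s[n:])) % 2)
    return s[:nbits]


def period(c, t):
    """Period of <c,t>: smallest k >= 1 with t^(k) = t^(0).  Because c_0 != 0 the state
    update is a bijection on (Z_2)^l, so the initial state is always reached again."""
    state, k = list(t), 0
    while True:
        state = state[1:] + [sum(cj * sj for cj, sj in zip(c, state)) % 2]
        k += 1
        if state == list(t):
            return k


def solve_mod2(A, b):
    """Gauss-Jordan elimination over Z_2 for A x = b; returns x, or None if A is singular."""
    n = len(A)
    rows = [list(A[r]) + [b[r]] for r in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if rows[r][col]), None)
        if piv is None:
            return None                      # no pivot in this column: A is singular mod 2
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [rows[r][n] for r in range(n)]


def recover_taps(window, l):
    """Given any 2l consecutive output bits (relabelled s_0..s_{2l-1}), solve
    (s_l, ..., s_{2l-1}) = (c_0, ..., c_{l-1}) . H  with the Hankel matrix H[j][n] = s_{n+j}.
    H is symmetric, so this is the linear system H c = b over Z_2."""
    assert len(window) >= 2 * l, "need 2l consecutive bits"
    H = [[window[j + n] for n in range(l)] for j in range(l)]
    b = [window[l + n] for n in range(l)]
    return solve_mod2(H, b)


if __name__ == "__main__":
    c, t = [1, 1, 0, 0], [1, 0, 1, 0]        # the example from the slides
    print("s =", lfsr(c, t, 19))
    print("period =", period(c, t), "= 2^4 - 1 =", 2 ** 4 - 1)
    print("c recovered from s_0..s_7 :", recover_taps(lfsr(c, t, 8), 4))
    print("c recovered from s_5..s_12:", recover_taps(lfsr(c, t, 30)[5:13], 4))
```

The recovery uses a window that does not start at the seed (bits $s_5, \dots, s_{12}$) as well as one that does; both return the same $c$, which is why the slide says "any $2l$ consecutive bits".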
Test question
Question 25
Show that the $l \times l$ coefficient matrix from the previous slide is indeed invertible mod 2.
Hint: let $v_i = (s_i, \dots, s_{i+l-1})$ for $i \ge 0$. The coefficient matrix has $v_0, \dots, v_{l-1}$ as rows. The goal is to prove that these $l$ vectors are linearly independent.
Remark: the coefficient matrix is an example of a Hankel matrix.
A bit generator: Example
An LFSR of degree $l$ is an example of a bit generator.
Question 26
Consider an LFSR as a bit generator. What are, in this case, the parameters $k$ and $l$ from the definition of a bit generator?
An RSA bit generator
Definition: RSA generator
Let $p, q$ be $k/2$-bit primes, $n = pq$. Let $e$ be such that $\gcd(e, \varphi(n)) = 1$.
A seed $s_0$ is any element of $(\mathbb{Z}_n)^\times$, so it has $k$ bits. For $i \ge 0$, we define $s_{i+1} = s_i^{\,e} \bmod n$,
and then we define
$$f(s_0) = (z_1, z_2, \dots, z_l),$$
where $z_i = s_i \bmod 2$, $1 \le i \le l$. Then $f$ is a $(k,l)$-RSA generator.
The public key is $(n, e)$ and the private key is $(p, q)$.
Assumption: Factoring is not in BPP.
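An added example (not code from the lecture slides) of the RSA generator with constructed toy parameters $p = 11$, $q = 13$, $e = 7$, $s_0 = 2$, chosen so small that every state can be checked by hand; the function names are chosen here. It also measures how soon the state sequence $s_0, s_1, \dots$ cycles, which for these toy values happens after four steps: the map $s \mapsto s^e \bmod n$ is a permutation of $(\mathbb{Z}_n)^\times$, so every seed lies on a cycle, and only $k/2$-bit primes of cryptographic size make that cycle (and the factoring assumption) meaningful.

```python
# Added example (not from the lecture slides): the (k,l)-RSA generator on toy parameters.
from math import gcd


def rsa_generator(p, q, e, s0, l):
    """Return (states, bits): s_{i+1} = s_i^e mod n for i >= 0, z_i = s_i mod 2 for 1 <= i <= l.
    z_i is the least significant bit of the i-th state."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    if not (0 < s0 < n and gcd(s0, n) == 1):
        raise ValueError("the seed must lie in (Z_n)^x")
    states, s = [], s0
    for _ in range(l):
        s = pow(s, e, n)
        states.append(s)
    return states, [s % 2 for s in states]


def state_cycle_length(p, q, e, s0):
    """Number of steps until the state returns to s0.  Since gcd(e, phi(n)) = 1, the map
    s -> s^e mod n permutes (Z_n)^x, so the orbit of s0 is a cycle of this length."""
    n = p * q
    s, steps = pow(s0, e, n), 1
    while s != s0:
        s, steps = pow(s, e, n), steps + 1
    return steps


if __name__ == "__main__":
    # constructed toy instance: n = 143, phi(n) = 120, gcd(7, 120) = 1, seed 2 in (Z_143)^x
    states, bits = rsa_generator(11, 13, 7, 2, 6)
    print("states:", states)                 # [128, 28, 63, 2, 128, 28]
    print("bits  :", bits)                   # [0, 0, 1, 0, 0, 0]
    print("state cycle length:", state_cycle_length(11, 13, 7, 2))
```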
Towards a pseudo-random number generator
A pseudo-random number generator should be fast (i.e. computable in polynomial time) and secure.
Our examples are fast. How secure are they?
Intuitively: it should be impossible, in an amount of time that is polynomial in $k$ (equivalently, polynomial in $l$), to distinguish a string of $l$ bits produced by a PRBG from a string of $l$ truly random bits.
Towards a pseudo-random number generator
Example: if a bit generator produces 1 with probability $2/3$, then on average a generated bitstring of length $l$ will contain $2l/3$ 1's.
In contrast, a truly random bitstring of length $l$ will contain $l/2$ 1's on average.
Given a bitstring with $l_1$ 1's, if $l_1 > \frac{l/2 + 2l/3}{2} = \frac{7l}{12}$, then we conclude that it is a generated bitstring (not a truly random one).
Deterministic distinguisher
Notation: $z^{i} = (z_1, \dots, z_i)$.
Definition: Distinguisher
Let $p_0$ and $p_1$ be two probability distributions on $(\mathbb{Z}_2)^l$. For $j = 0, 1$ and $z^l \in (\mathbb{Z}_2)^l$ we denote by $p_j(z^l)$ the probability that the string $z^l$ occurs in the distribution $p_j$. Let $\mathrm{dst}\colon (\mathbb{Z}_2)^l \to \{0,1\}$ be a function and $\varepsilon > 0$. We define
$$E_{\mathrm{dst}}(p_j) = \sum_{\{z^l \in (\mathbb{Z}_2)^l :\ \mathrm{dst}(z^l) = 1\}} p_j(z^l).$$
We say that $\mathrm{dst}$ is an $\varepsilon$-distinguisher of $p_0$ and $p_1$ provided that
$$|E_{\mathrm{dst}}(p_0) - E_{\mathrm{dst}}(p_1)| \ge \varepsilon;$$
$p_0$ and $p_1$ are $\varepsilon$-distinguishable if there exists an $\varepsilon$-distinguisher of $p_0$ and $p_1$.
If $\mathrm{dst}(z^l)$ can be computed in polynomial time, it is a polynomial-time distinguisher.
Randomized distinguisher
As above but with
$$E_{\mathrm{dst}}(p_j) = \sum_{z^l \in (\mathbb{Z}_2)^l} p_j(z^l) \cdot \Pr[\mathrm{dst}(z^l) = 1].$$
Towards a pseudorandom generator
A truly random sequence corresponds to the uniform distribution $p_u^l$ on the set of all bitstrings of length $l$:
each of the $2^l$ strings occurs with probability $1/2^l$. If $f$ is a bit generator with a $k$-bit seed chosen uniformly at random, then we obtain a probability distribution $p_f = f(p_u^k)$ on the same set.
$p_f$ is very non-uniform
Assume that no two seeds give the same sequence of bits. Then, of the $2^l$ possible sequences, $2^k$ sequences each occur with probability $1/2^k$, and the remaining $2^l - 2^k$ sequences never occur.
We would like to have $f$ such that $p_u^l$ and $p_f$ are $\varepsilon$-distinguishable in polynomial time only for small values of $\varepsilon$.
Exercise: producing 0's and 1's with equal probability is not sufficient to ensure indistinguishability.
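The following is an added example, not code from the lecture slides, that computes $E_{\mathrm{dst}}(p)$ exactly (as rational numbers, by enumerating all $2^l$ strings for a constructed $l = 12$) for the deterministic distinguisher of the definition. It covers the $2/3$-biased generator of the example with the threshold $7l/12$, and, for the exercise, a constructed generator that outputs $0101\dots$ or $1010\dots$ with probability $1/2$ each: every position is a fair bit, yet a test on adjacent bits distinguishes it from $p_u^l$ with a gap close to 1. All distribution and test names are chosen here.

```python
# Added example (not from the lecture slides): exact E_dst(p) for deterministic
# distinguishers on (Z_2)^l, on constructed distributions.
from fractions import Fraction
from itertools import product

L = 12  # constructed bitstring length: 2^12 strings are cheap to enumerate


def p_uniform(z):
    """p_u^l: every string of length l has probability 1/2^l."""
    return Fraction(1, 2 ** len(z))


def p_biased(z, p1=Fraction(2, 3)):
    """Constructed generator of the slide example: independent bits, each 1 with probability 2/3."""
    ones = sum(z)
    return p1 ** ones * (1 - p1) ** (len(z) - ones)


def p_alternating(z):
    """Constructed balanced generator: 0101... or 1010..., each with probability 1/2.
    Every single bit is 0 or 1 with probability 1/2, so bit frequencies look random."""
    alternating = all(z[i] != z[i + 1] for i in range(len(z) - 1))
    return Fraction(1, 2) if alternating else Fraction(0)


def dst_frequency(z):
    """Slide rule: answer 'generated' (1) iff the number of 1's exceeds 7l/12."""
    return 1 if 12 * sum(z) > 7 * len(z) else 0


def dst_adjacent(z):
    """Answer 1 iff every pair of adjacent bits differs."""
    return 1 if all(z[i] != z[i + 1] for i in range(len(z) - 1)) else 0


def E(dst, p, l=L):
    """E_dst(p) = sum over z^l with dst(z^l) = 1 of p(z^l), computed exactly."""
    return sum((p(z) for z in product((0, 1), repeat=l) if dst(z) == 1), Fraction(0))


def gap(dst, p0, p1, l=L):
    """|E_dst(p0) - E_dst(p1)|: dst is an eps-distinguisher of p0, p1 for every eps up to this value."""
    return abs(E(dst, p0, l) - E(dst, p1, l))


if __name__ == "__main__":
    print("frequency test, biased vs uniform   :", float(gap(dst_frequency, p_biased, p_uniform)))
    print("frequency test, alternating vs unif.:", float(gap(dst_frequency, p_alternating, p_uniform)))
    print("adjacent test,  alternating vs unif.:", float(gap(dst_adjacent, p_alternating, p_uniform)))
```

For $l = 12$ the threshold is "more than 7 ones", so $E_{\mathrm{dst}}(p_u^{12}) = \Pr[\mathrm{Bin}(12, 1/2) \ge 8] = 794/4096$ while $E_{\mathrm{dst}}(p_{\text{biased}}) = \Pr[\mathrm{Bin}(12, 2/3) \ge 8] = 335616/531441$, a gap of about $0.44$; the adjacent-bit test separates the balanced alternating generator from uniform by $4094/4096$.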
Next bit predictor
Let $f$ be a $(k,l)$-bit generator.
Definition: Next bit predictor
Let $1 \le i \le l-1$. A next bit predictor for $f$ is a function $\mathrm{nbp}\colon (\mathbb{Z}_2)^{i-1} \to \mathbb{Z}_2$
which takes as input an $(i-1)$-tuple $z^{i-1} = (z_1, \dots, z_{i-1})$, the first $i-1$ bits produced by $f$ (given an unknown, truly random, $k$-bit seed), and produces, by a polynomial-time probabilistic algorithm, the $i$-th bit of the bitstring generated by $f$ (given the first $i-1$ bits) with probability at least $1/2 + \varepsilon$, where $\varepsilon > 0$. Such an $\mathrm{nbp}$ is called an $\varepsilon$-$i$-th bit predictor.
Next bit predictor: Theorem
$p_f$ induces a probability distribution on any of the $l$ generated bits (or on any subsequence of these $l$ generated bits).
For $1 \le i \le l$, we think of the $i$-th generated bit as a random variable $z_i$.
Theorem: Next bit predictor
Let $f$ be a $(k,l)$-bit generator. Then $\mathrm{nbp}$ is an $\varepsilon$-$i$-th bit predictor for $f$ if and only if
$$\sum_{z^{i-1} \in (\mathbb{Z}_2)^{i-1}} p_f(z^{i-1}) \cdot \Pr[z_i = \mathrm{nbp}(z^{i-1}) \mid z^{i-1}] \ge \frac12 + \varepsilon.$$
Next bit predictor: a straightforward proof
Proof:
The probability of correctly predicting the $i$-th generated bit, $\Pr[z_i = \mathrm{nbp}(z^{i-1})]$, is computed by summing, over all possible $(i-1)$-tuples $z^{i-1} = (z_1, \dots, z_{i-1})$, the product of the probability that the $(i-1)$-tuple $z^{i-1}$ is produced by the bit generator $f$ and the probability that the $i$-th bit is predicted correctly given the $(i-1)$-tuple $z^{i-1}$.
Main result
Main result: A next bit predictor is a universal test
A bit generator is secure if and only if there does not exist any polynomial-time $\varepsilon$-$i$-th bit predictor for the generator, except for very small values of $\varepsilon$.
One direction of the implication is given by the next result.
Here, $\mathrm{Dist}$ takes $z^i$ as input and outputs 1 if the value predicted by $\mathrm{nbp}(z^{i-1})$ is the same as the actual value of $z_i$. Otherwise, it outputs 0.
Theorem: from nbp to distinguisher
Let $\mathrm{nbp}$ be a polynomial-time $\varepsilon$-$i$-th bit predictor for the $(k,l)$-bit generator $f$, and let $p_f$, $p_u^l$ be as above, considered on $(\mathbb{Z}_2)^i$. Then the distinguisher algorithm $\mathrm{Dist}$ is a polynomial-time $\varepsilon$-distinguisher of $p_f$ and $p_u^l$.
Theorem: from nbp to distinguisher
Proof: By definition, $\mathrm{Dist}(z^i) = 1 \iff \mathrm{nbp}(z^{i-1}) = z_i$. Then
$$E_{\mathrm{Dist}}(p_f) = \sum_{z^i \in (\mathbb{Z}_2)^i} p_f(z^i) \cdot \Pr[\mathrm{Dist}(z^i) = 1] = \sum_{z^i \in (\mathbb{Z}_2)^i} p_f(z^i) \cdot \Pr[\mathrm{nbp}(z^{i-1}) = z_i].$$
Define $z = (z_1, \dots, z_{i-1}, 0)$ and $z' = (z_1, \dots, z_{i-1}, 1)$. Then
$$p_f(z) \cdot \Pr[\mathrm{nbp}(z^{i-1}) = 0] + p_f(z') \cdot \Pr[\mathrm{nbp}(z^{i-1}) = 1] = p_f(z^{i-1}) \cdot \sum_{j \in \{0,1\}} \Pr[z_i = j \mid z^{i-1}] \cdot \Pr[\mathrm{nbp}(z^{i-1}) = j] = p_f(z^{i-1}) \cdot \Pr[z_i = \mathrm{nbp}(z^{i-1}) \mid z^{i-1}].$$
It follows that
$$E_{\mathrm{Dist}}(p_f) = \sum_{z^{i-1} \in (\mathbb{Z}_2)^{i-1}} p_f(z^{i-1}) \cdot \Pr[z_i = \mathrm{nbp}(z^{i-1}) \mid z^{i-1}] \ge \frac12 + \varepsilon,$$
as $\mathrm{nbp}$ is an $\varepsilon$-$i$-th bit predictor (use the previous Theorem).
Theorem: from nbp to distinguisher (continued)
On the other hand, any predictor will predict the $i$-th bit of a truly random sequence with probability $1/2$. Therefore, $E_{\mathrm{Dist}}(p_u^l) = 1/2$. Hence
$$|E_{\mathrm{Dist}}(p_u^l) - E_{\mathrm{Dist}}(p_f)| \ge \varepsilon,$$
as required.
Main theorem
Theorem: from distinguisher to nbp (Yao, 1982)
Suppose $\mathrm{dst}$ is a (polynomial-time) $\varepsilon$-distinguisher of $p_f$ and $p_u^l$, where $p_f$ is the probability distribution induced on $(\mathbb{Z}_2)^l$ by the $(k,l)$-bit PRBG $f$, and $p_u^l$ is the uniform probability distribution on $(\mathbb{Z}_2)^l$. Then for some $i$, $1 \le i \le l-1$, there exists a polynomial-time $\varepsilon/l$-$i$-th bit predictor for $f$.
That is, a pseudo-random bit generator is secure if there does not exist an $\varepsilon$-next bit predictor except for very small values of $\varepsilon$.
Main theorem: proof
Proof (hybrid argument): For $0 \le i \le l$, let $q_i$ be the probability distribution on $(\mathbb{Z}_2)^l$ whose first $i$ bits are generated by $f$ and whose other $l-i$ bits are generated truly randomly. Thus $q_0 = p_u^l$ and $q_l = p_f$.
By hypothesis, $|E_{\mathrm{dst}}(q_0) - E_{\mathrm{dst}}(q_l)| \ge \varepsilon$. By the triangle inequality,
$$|E_{\mathrm{dst}}(q_0) - E_{\mathrm{dst}}(q_l)| \le \sum_{i=1}^{l} |E_{\mathrm{dst}}(q_{i-1}) - E_{\mathrm{dst}}(q_i)|.$$
Then there is $i$, $1 \le i \le l$, such that $|E_{\mathrm{dst}}(q_{i-1}) - E_{\mathrm{dst}}(q_i)| \ge \varepsilon/l$. WLOG, we assume
$$E_{\mathrm{dst}}(q_{i-1}) - E_{\mathrm{dst}}(q_i) \ge \frac{\varepsilon}{l}.$$
We will construct an $\varepsilon/l$-$i$-th bit predictor for this value of $i$.
Main theorem: proof (continued)
Intuitively: the predicting algorithm produces an $l$-tuple according to $q_{i-1}$, given that $z^{i-1}$ is generated by the PRBG. If $\mathrm{dst}$ answers 0, then it thinks that the $l$-tuple was generated according to $q_i$.
The $i$-th bit is truly random in $q_{i-1}$; it is given by the PRBG in $q_i$. Hence, if $\mathrm{dst}$ answers 0, it thinks that the $i$-th bit $z_i$ is what would be produced by the PRBG. Then $z_i$ is our prediction for the $i$-th bit.
If $\mathrm{dst}$ answers 1, it thinks that $z_i$ is truly random, so we take $1 - z_i$ as our prediction for the $i$-th bit.
Input: $z^{i-1} = (z_1, \dots, z_{i-1})$
Choose $(z_i, \dots, z_l) \in (\mathbb{Z}_2)^{l-i+1}$ truly randomly. Compute $z = \mathrm{dst}(z_1, \dots, z_l)$.
Define $\mathrm{nbp}(z_1, \dots, z_{i-1}) = (z + z_i) \bmod 2$.
Main theorem: proof (continued)
If $\mathrm{dst}$ gives 0, then the prediction is correct with probability $p_f(z_i \mid z^{i-1})$.
If $\mathrm{dst}$ gives 1, then it is correct with probability $1 - p_f(z_i \mid z^{i-1})$.
Let $z = z^l$. We have
$$q_{i-1}(z) \cdot p_f(z_i \mid z^{i-1}) = q_i(z)/2.$$
Main theorem: proof (continued)
$$\begin{aligned}
\Pr[z_i = \mathrm{nbp}(z^{i-1})] &= \sum_{z \in (\mathbb{Z}_2)^l} q_{i-1}(z) \Big( \Pr[\mathrm{dst}(z) = 0] \cdot p_f(z_i \mid z^{i-1}) + \Pr[\mathrm{dst}(z) = 1] \cdot \big(1 - p_f(z_i \mid z^{i-1})\big) \Big) \\
&= \sum_{z \in (\mathbb{Z}_2)^l} \frac{q_i(z)}{2} \cdot \Pr[\mathrm{dst}(z) = 0] + \sum_{z \in (\mathbb{Z}_2)^l} q_{i-1}(z) \cdot \Pr[\mathrm{dst}(z) = 1] - \sum_{z \in (\mathbb{Z}_2)^l} \frac{q_i(z)}{2} \cdot \Pr[\mathrm{dst}(z) = 1] \\
&= \frac{1 - E_{\mathrm{dst}}(q_i)}{2} + E_{\mathrm{dst}}(q_{i-1}) - \frac{E_{\mathrm{dst}}(q_i)}{2} = \frac12 + E_{\mathrm{dst}}(q_{i-1}) - E_{\mathrm{dst}}(q_i) \ge \frac12 + \frac{\varepsilon}{l}.
\end{aligned}$$
Main theorem: Summary
$\varepsilon$-distinguishability implies $\varepsilon/l$-predictability.
Hybrid argument: if a distinguisher can $\varepsilon$-distinguish the extreme hybrids given by $p_f$ and $p_u^l$, then it can also distinguish adjacent hybrids given by $q_{i-1}$ and $q_i$, with gap at least $\varepsilon/l$.
The distinguisher is used to produce a predictor.
The contrapositive is that unpredictability implies indistinguishability.
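The following is an added example, not code from the lecture, that carries out both directions of the universal-test result exactly on a small constructed generator: Yao's hybrid construction (the distributions $q_i$, the choice of $i$ with gap at least $\varepsilon/l$, the WLOG sign step, and the predictor $\mathrm{nbp} = (\mathrm{dst}(z) + z_i) \bmod 2$ with a random tail), followed by the theorem from nbp to distinguisher ($\mathrm{Dist}(z^i) = 1 \iff \mathrm{nbp}(z^{i-1}) = z_i$). The generator $f\colon (\mathbb{Z}_2)^3 \to (\mathbb{Z}_2)^6$, the test `dst_linear` and all helper names are constructed here for illustration; every probability is computed as an exact fraction by enumerating seeds and random tails, so the inequalities of the proof can be checked rather than estimated.

```python
# Added example (not from the lecture slides): Yao's hybrid argument and the
# nbp -> Dist theorem, evaluated exactly on a constructed toy (k,l)-bit generator.
from fractions import Fraction
from itertools import product

K, L = 3, 6                                   # constructed: 3-bit seed, 6-bit output
SEEDS = list(product((0, 1), repeat=K))


def f(seed):
    """Constructed toy generator (linear and injective): p_f puts mass 1/8 on 8 of the 64 strings."""
    s1, s2, s3 = seed
    return (s1, s2, s3, s1 ^ s2, s2 ^ s3, s1 ^ s2 ^ s3)


def p_f(prefix):
    """Probability under p_f = f(p_u^k) that the output starts with the given prefix."""
    hits = sum(1 for s in SEEDS if f(s)[:len(prefix)] == tuple(prefix))
    return Fraction(hits, len(SEEDS))


def hybrid(i):
    """q_i on (Z_2)^l: first i bits from f, remaining l-i bits truly random; q_0 = p_u^l, q_l = p_f."""
    return lambda z: p_f(z[:i]) / 2 ** (L - i)


def E(dst, p, length=L):
    """E_dst(p) = sum over z with dst(z) = 1 of p(z), for a deterministic dst on (Z_2)^length."""
    return sum((p(z) for z in product((0, 1), repeat=length) if dst(z) == 1), Fraction(0))


def dst_linear(z):
    """Constructed polynomial-time test: 1 iff z_4 = z_1 xor z_2, which every output of f satisfies."""
    return 1 if z[3] == z[0] ^ z[1] else 0


def yao_predictor(dst):
    """Hybrid argument.  Returns (i, eps, dst') where eps = |E(q_0) - E(q_l)| and the predictor
    nbp(z^{i-1}) := (dst'(z^{i-1} || tail) + tail_1) mod 2, tail uniform in (Z_2)^{l-i+1},
    is an eps/l-i-th bit predictor.  dst' is dst or its complement: the proof's WLOG step
    assumed E(q_{i-1}) - E(q_i) >= eps/l, and complementing dst flips the sign of that gap."""
    eps = abs(E(dst, hybrid(0)) - E(dst, hybrid(L)))
    gaps = {i: E(dst, hybrid(i - 1)) - E(dst, hybrid(i)) for i in range(1, L + 1)}
    i = max(gaps, key=lambda j: abs(gaps[j]))
    assert abs(gaps[i]) >= eps / L             # guaranteed by the triangle inequality
    dst_signed = dst if gaps[i] >= 0 else (lambda z: 1 - dst(z))
    return i, eps, dst_signed


def pr_nbp_outputs(i, dst_signed, prefix, bit):
    """Pr over the random tail that nbp(prefix) = bit, where prefix = z^{i-1}."""
    tails = list(product((0, 1), repeat=L - i + 1))
    hits = sum(1 for tail in tails if (dst_signed(tuple(prefix) + tail) + tail[0]) % 2 == bit)
    return Fraction(hits, len(tails))


def predictor_success(i, dst_signed):
    """Pr[z_i = nbp(z^{i-1})] when z^{i-1} and z_i come from f on a uniformly random seed."""
    return sum((Fraction(1, len(SEEDS)) * pr_nbp_outputs(i, dst_signed, f(s)[:i - 1], f(s)[i - 1])
                for s in SEEDS), Fraction(0))


def dist_from_nbp(i, dst_signed):
    """Theorem 'from nbp to distinguisher': Dist(z^i) = 1 iff nbp(z^{i-1}) = z_i.
    Returns (E_Dist(p_f), E_Dist(p_u^i)) on (Z_2)^i, with the randomized form of E."""
    strings = list(product((0, 1), repeat=i))
    e_f = sum((p_f(z) * pr_nbp_outputs(i, dst_signed, z[:-1], z[-1]) for z in strings), Fraction(0))
    e_u = sum((Fraction(1, 2 ** i) * pr_nbp_outputs(i, dst_signed, z[:-1], z[-1]) for z in strings), Fraction(0))
    return e_f, e_u


if __name__ == "__main__":
    i, eps, dst_s = yao_predictor(dst_linear)
    print("dst_linear is an eps-distinguisher with eps =", eps, "; predictor built for i =", i)
    print("Pr[z_i = nbp(z^{i-1})] =", predictor_success(i, dst_s), ">= 1/2 + eps/l =", Fraction(1, 2) + eps / L)
    e_f, e_u = dist_from_nbp(i, dst_s)
    print("E_Dist(p_f) =", e_f, " E_Dist(p_u^i) =", e_u, " gap =", abs(e_f - e_u))
```

For this toy instance the hybrids $q_0, \dots, q_3$ all give $E_{\mathrm{dst}}(q_i) = 1/2$ (the fourth bit is still random) and $q_4, \dots, q_6$ give 1, so the whole gap $\varepsilon = 1/2$ sits at $i = 4$ with negative sign; the construction therefore complements $\mathrm{dst}$ and obtains a predictor that is right with probability 1, comfortably above $1/2 + \varepsilon/l = 7/12$. Feeding that predictor back into $\mathrm{Dist}$ gives $E_{\mathrm{Dist}}(p_f) = 1$ against $E_{\mathrm{Dist}}(p_u^4) = 1/2$.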