Bit generator

(1)

Topics in Algebra: Cryptography

Univ.-Prof. Dr. Goulnara ARZHANTSEVA

WS 2019

(2)

Pseudorandomness

Cryptography:

Symmetric and asymmetric cryptosystems;

One-way functions, Hash functions;

Key management, Digital Signatures, Applications;

Pseudorandom generators.

Encoding, Error-correction.

(3)

Randomness vs Pseudorandomness

Random numbers Pseudorandom number

Nondeterministic Deterministic

Physical processes, hardware Computer algorithm, software

No pattern Periodic

Unpredictable Predictable, depending on observers

Two of the most celebrated open problems in mathematics and computer science, theRiemann Hypothesisand theP vs. NP question, can be stated as problems about pseudorandomness.

(4)

Bit generator

A seed is a number (or a vector) used to initialize a pseudorandom number generator.

Definition: (k,l)-bit generator

k,l ∈N,l>k + 1. A(k,l)-bit generatoris f: (Z2)^k →(Z2)^l that isin P(as a function ofk).

The inputs₀∈(Z2)^k is theseed, and the outputf(s₀)∈(Z2)^l is the generated bitstring.

We assume thatlis a polynomial function ofk, called thestretch functionoff.

(5)

Bit generator

A seed is a number (or a vector) used to initialize a pseudorandom number generator.

Definition: (k,l)-bit generator

k,l ∈N,l>k + 1. A(k,l)-bit generatoris f: (Z2)^k →(Z2)^l that isin P(as a function ofk).

The inputs₀∈(Z2)^k is theseed, and the outputf(s₀)∈(Z2)^l is the generated bitstring.

We assume thatlis a polynomial function ofk, called thestretch functionoff.

(6)

Bit generator

A bit generator is deterministic.

We aim to construct bit generators so thatf(s₀) looks like random bits.

Such a bit generator is called apseudo-random bit generator(PRBG).

Example of use: A seed is a secrete key, and a bit-generator generates a key of the same length as the plaintext for the one-time pad.

(7)

Linear Feedback Shift Register: Definition

Definition: LFSR forc = (c₀, . . . ,c_l−1)^T ∈(Z2)^l of degreel >0,c₀6= 0 It is given by the linear recurrence:

s_n+l = (sn,· · · ,sn+l−1)·





 c₀

... c_l−1





 n>0, such that

t⁽⁰⁾:=t = (t₀,· · · ,t_l−1)∈(Z2)^l is theinitial value, s_i =t_i for 06i 6l−1,

t⁽ⁿ⁾:= (s_n,· · ·,s_n+l−1) is then-th state vector.

We writes :=hc,ti.

It is ofdegreelas each term depends on the previousl terms.

Question 23: Whyc₀6= 0?

(8)

Linear Feedback Shift Register: Example

LFSR forc= (1,1,0,0)^T ∈(Z2)⁴of degreel = 4 witht = (1 0 1 0)

s= 1,0,1,0,1,1,1,1,0,0,0,1,0,0,1,|1,0,1,0, . . .

Definition: periods of LFSR

s isk-periodicifs_i+k =s_i ∀i>0, or equivalently,t^(i+k)=t⁽ⁱ⁾∀i>0. c isk-periodicifs =hc,tiisk-periodic for allt ∈(Z2)^l.

Theperiodis the smallest such numberk.

Takek = 2^l−1. So, a short initial ‘key’ (seed) generates a keystream with a long period:

given anl-bit seed, an LFSR of degreelproduces 2^l −l−1 further bits before repeating.

Question 24: Is thisk the period?

(9)

Linear Feedback Shift Register: Example

LFSR forc= (1,1,0,0)^T ∈(Z2)⁴of degreel = 4 witht = (1 0 1 0)

s= 1,0,1,0,1,1,1,1,0,0,0,1,0,0,1,|1,0,1,0, . . . Definition: periods of LFSR

s isk-periodicifs_i+k =s_i ∀i>0, or equivalently,t^(i+k)=t⁽ⁱ⁾∀i>0.

c isk-periodicifs =hc,tiisk-periodic for allt ∈(Z2)^l. Theperiodis the smallest such numberk.

Takek = 2^l−1. So, a short initial ‘key’ (seed) generates a keystream with a long period:

given anl-bit seed, an LFSR of degreelproduces 2^l−l−1 further bits before repeating.

Question 24: Is thisk the period?

(10)

Linear Feedback Shift Register: Security

The LFSR is insecure! The knowledge of any 2l consecutive bits allows to determine the seed, and hence the entire sequence.

For eachn>0, the linear recurrence expressings_n+l is a linear equation in thel unknowns (c₀, . . . ,c_l−1). Forn∈ {0,1, . . . ,l−1}, we getllinear equations inlunknowns:

(s_l,s_l+1, . . . ,s2l−1) = (c₀,c₁,· · · ,cl−1)·







s₀ s₁ . . . s_l−1 s₁ s₂ . . . s_l

... ... ... sl−1 s_l . . . s2l−2







If the matrix has the inverse mod 2, then we find (c₀, . . . ,cl−1) and determine the entire sequence.

(11)

Test question

Question 25

Show that thel×lcoefficient matrix from the previous slide is indeed invertible mod 2.

Hint: letv_i = (s_i, . . . ,s_i+l−1) fori >0. The coefficient matrix has v₀, . . .vl−1as rows. The goal is to prove that theselvectors are linearly independent.

Remark: the coefficient matrix is an example of aHankel matrix.

(12)

A bit generator: Example

An LFSR of degreelis an example of a bit-generator.

Question 26

Consider an LFSR as a bit generator, what are, in this case, parametersk andlfrom the definition of bit-generator?

(13)

An RSA bit generator

Definition: RSA generator

Letp,q bek/2-bit primes,n=pq. Letebe such thatgcd(e, φ(n)) = 1.

A seeds₀is any element of (Zn)^×, so it hask bits. Fori >1, we define s_i+1=s_i^emodn,

and then we define

f(s₀) = (z₁,z₂, . . . ,z_l),

wherez_i =s_i mod 2,16i6l. Thenf is a(k,l)-RSA generator.

Public-key is (n,e) and private-key is (p,q).

Assumption: the Factoring is not in BPP.

(14)

Towards a pseudo-random number generator

A pseudo-random number generator should befast(i.e. computable in polynomial time) andsecure.

Our examples are fast. How secure they are?

Intuitively: it should beimpossiblein an amount of time that is

polynomial ink (equivalently, polynomial inl)to distinguisha string ofl bits produced by a PRBG from a string ofl truly random bits.

(15)

Towards a pseudo-random number generator

Example: if a bit generator produces 1 with probability 2/3, then on average a generated bitstring of lengthl will contain 2l/3 bits 1.

In contrast, a truely random bitstring of lengthl will containl/2 1’s on average.

Given a bitstring withl₁1’s, ifl₁> ^l/2+2l/3₂ = ₁₂^7l, then we conclude that it is a generated bitstring (not a truely random).

(16)

Deterministic distinguisher

Notation: zⁱ = (z₁, . . . ,z_i) Definition: Distinguisher

Letp₀andp₁be two probability distributions on (Z2)^l. Forj = 0,1 and z^l ∈(Z2)^l we denote byp_j(z^l) the probability that the stringz^l occurs in the distributionp_j. Let dst: (Z2)^l → {0,1}be a function and >0. We define

Edst(p_j) = ^X

{z^l∈(Z2)^l :dst(z^l)=1}

p_j(z^l).

We say that dstis an-distinguisherofp₀andp₁provided that

|Edst(p₀)−Edst(p₁)|>,

p₀andp₁are-distinguishableif there exists an-distinguisher ofp₀ andp₁.

If dst(z^l) can be computed in polynomial time, it is apolynomial-time distinguisher.

(17)

Randomized distinguisher

As above but with

Edst(p_j) = ^X

z^l∈(Z2)^l

p_j(z^l)·Pr[dst(z^l) = 1].

(18)

Towards a pseudorandom generator

Atruly randomsequence corresponds to theuniform distributionp_u_l on the set of all bitstrings of lengthl:

each string among all 2^l strings can occur with probability 1/2^l. Iff is a bit generator with ak-bit seed chosen uniformly at random, then we obtain a probability distributionp_f =f(pu_k) on the same set.

p_f is very non-uniform

If we assume that no two seeds give same sequence of bits. Then, of the 2^l possible sequences, 2^k sequences each occur with probability 1/2^k, and the remaining 2^l−2^k sequences never occur.

We would like to havef such thatpu_l andp_f are-distinguishable in polynomial time only for small values of.

Exercise: producing 0’s and 1’s with equal probability is not sufficient to ensure indistinguishability.

(19)

Towards a pseudorandom generator

(20)

Towards a pseudorandom generator

(21)

Next bit predictor

Letf be a (k,l)-bit generator.

Definition: Next bit predictor

Let 16i6l−1. Anext bit predictorforf is a function nbp: (Z2)ⁱ⁻¹→Z2,

which takes as input an (i−1)-tuplezⁱ⁻¹= (z₁, . . . ,z_i−1), the firsti−1 bits produced byf (given, an unknown, truly random,k-bit seed), and produces by a polynomial time probabilistic algorithm, theith bit of the bitstring generated byf (given the firsti−1 bits) with probability at least 1/2 +, where >0.

(22)

Next bit predictor: Theorem

p_f induces the probability distribution on any of thelgenerated bits (or on any subsequence of thesel generated bits).

For 16i6l, we think of theith generated bitas a random variablez_i. Theorem: Next bit predictor

Letf be a (k,l)-bit generator. Then thenbpis an-ith bit predictor forf if and only if

X

zⁱ⁻¹∈(Z2)ⁱ⁻¹

p_f(zⁱ⁻¹)·Pr[z_i =nbp(zⁱ⁻¹)|zⁱ⁻¹]> 1 2 +.

(23)

Next bit predictor: a straightforward proof

Proof:

The probability of correctly predicting theith generated bit, Pr[z_i =nbp(zⁱ⁻¹)], is computed by summing over all possible

(i−1)-tupleszⁱ⁻¹= (z₁, . . .z_i−1) the product of the probability that the (i−1)-tuplezⁱ⁻¹is produced by the bit generatorf and the probability that theith bit is predicted correctly, given the (i−1)-tuplezⁱ⁻¹.

(24)

Main result

Main result: A next bit predictor is auniversal test

A bit generator is secure if and only if there does not exist any polynomial-time-ith bit predictor for the generator, except for very small values of.

One direction of the implication is given by the next result.

Here,Disthaszⁱ as an input, and 1 as output if the value predicted by nbp(zⁱ⁻¹) is the same as the actual value ofz_i.Otherwise, it outputs 0.

Theorem: fromnbpto distinguisher

Letnbpbe a polynomial time-ith bit predictor for the (k,l)-bit

generatorf, andp_f,pu_l be as above, on (Z2)ⁱ. Then the distinguisher algorithmDistis a polynomial-time-distinguisher ofp_f andp_u_l.

(25)

Theorem: from nbp to distinguisher

Proof: By definition,Dist(zⁱ) = 1⇐⇒nbp(zⁱ⁻¹) =z_i. Then, EDist(p_f) = ^X

zⁱ∈(Z2)ⁱ

p_f(zⁱ)·Pr[Dist(zⁱ) = 1] = ^X

zⁱ∈(Z2)ⁱ

p_f(zⁱ)·Pr[nbp(zⁱ⁻¹) =z_i]

Definez = (z₁, . . . ,zi−1,0) andz⁰ = (z₁, . . . ,zi−1,1). Then, p_f(z)·Pr[nbp(zⁱ⁻¹) = 0] +p_f(z⁰)·Pr[nbp(zⁱ⁻¹) = 1] =

p_f(zⁱ⁻¹)· ^X

j∈{0,1}

Pr[z_i =j|zⁱ⁻¹]·Pr[nbp(zⁱ⁻¹) =j] = p_f(zⁱ⁻¹)·Pr[z_i =nbp(zⁱ⁻¹)|zⁱ⁻¹].

It follows that

EDist(p_f) = ^X

zⁱ⁻¹∈(Z2)ⁱ⁻¹

p_f(zⁱ⁻¹)·Pr[z_i =nbp(zⁱ⁻¹)|zⁱ⁻¹]> 1 2+, asnbpis an-ith bit predictor (use the previous Theorem).

(26)

Theorem: from nbp to distinguisher

zⁱ∈(Z2)ⁱ

Definez = (z₁, . . . ,z_i−1,0) andz⁰ = (z₁, . . . ,z_i−1,1). Then, p_f(z)·Pr[nbp(zⁱ⁻¹) = 0] +p_f(z⁰)·Pr[nbp(zⁱ⁻¹) = 1] =

p_f(zⁱ⁻¹)· ^X

j∈{0,1}

It follows that

EDist(p_f) = ^X

zⁱ⁻¹∈(Z2)ⁱ⁻¹

(27)

Theorem: from nbp to distinguisher

zⁱ∈(Z2)ⁱ

p_f(zⁱ⁻¹)· ^X

j∈{0,1}

Pr[z_i =j|zⁱ⁻¹]·Pr[nbp(zⁱ⁻¹) =j] =

p_f(zⁱ⁻¹)·Pr[z_i =nbp(zⁱ⁻¹)|zⁱ⁻¹]. It follows that

EDist(p_f) = ^X

zⁱ⁻¹∈(Z2)ⁱ⁻¹

(28)

Theorem: from nbp to distinguisher

zⁱ∈(Z2)ⁱ

p_f(zⁱ⁻¹)· ^X

j∈{0,1}

It follows that

EDist(p_f) = ^X

zⁱ⁻¹∈(Z2)ⁱ⁻¹

(29)

Theorem: from nbp to distinguisher

zⁱ∈(Z2)ⁱ

p_f(zⁱ⁻¹)· ^X

j∈{0,1}

It follows that

EDist(p_f) = ^X

zⁱ⁻¹∈(Z2)ⁱ⁻¹

(30)

Theorem: from nbp to distinguisher (suite)

On the other hand, any predictor will predict theith bit of a truly random sequence with probability 1/2. Therefore,EDist(pu_l) = 1/2.Hence,

|EDist(p_u_l)−EDist(p_f)|>.

as required.

(31)

Main theorem

Theorem: from distinguisher tonbp Yao’1982

Supposedstis a (polynomial-time)-distinguisher ofp_f andp_u_l, where p_f is the probability distribution induced on (Z2)^l by the (k,l)-bit PRBG f, andpu_l is the uniform probability distribution on (Z2)^l. Then for some i,16i6l−1, there exists a polynomial-time/l-ith bit predictor forf.

That is, a pseudo-random bit generator is secure if there does not exist an-next bit predictor except for very small values of.

(32)

Main theorem: proof

Proof: (Hybrid argument)For 06i6l, letq_i be a probability

distribution on (Z2)^l with firsti bits generated byf, and the otherl−i bits are generated truly randomly. Thus,q₀=p_u_l andq_l =p_f.

By hypothesis,|Edst(q₀)−Edst(q_l)|>.By the triangle inequality,

|Edst(q₀)−Edst(q_l)|6

l

X

i=1

|Edst(qi−1)−Edst(q_i)|.

Then there isi, 16i 6l, such that|Edst(q_i−1)−Edst(q_i)|> _l. WLOG, we assume

Edst(q_i−1)−Edst(q_i)>

l.

We will construct an-ith bit predictor for this value ofi.

(33)

Main theorem: proof (continued)

Intuitively: The predicting algorithm produces anl-tuple according to qi−1, given thatzⁱ⁻¹is generated by the PRBG. Ifdstanswers 0, then it thinks that thel-tuple was generated according toq_i.

Theith bit is truly random inq_i−1, it is given by the PRBG inq_i. Hence, ifdstanswers 0, it thinks that theith bit,z_i is what would be produced by the PRBG. Thenz_i is our prediction for theith bit.

Ifdstanswers 1, it thinks thatz_i is truly random, so we take 1−z_i as our prediction for theith bit.

Input: zⁱ⁻¹= (z₁, . . . ,zi−1)

Choose(z_i, . . . ,z_l)∈(Z2)^l−i+1truly randomly Computez =dst(z₁, . . . ,z_l)

Definenbp(z₁, . . . ,zi−1) = (z+z_i) mod 2

(34)

Main theorem: proof (continued)

Intuitively: The predicting algorithm produces anl-tuple according to qi−1, given thatzⁱ⁻¹is generated by the PRBG. Ifdstanswers 0, then it thinks that thel-tuple was generated according toq_i.

Theith bit is truly random inq_i−1, it is given by the PRBG inq_i. Hence, ifdstanswers 0, it thinks that theith bit,z_i is what would be produced by the PRBG. Thenz_i is our prediction for theith bit.

Ifdstanswers 1, it thinks thatz_i is truly random, so we take 1−z_i as our prediction for theith bit.

Input: zⁱ⁻¹= (z₁, . . . ,zi−1)

Choose(z_i, . . . ,z_l)∈(Z2)^l−i+1truly randomly Computez =dst(z₁, . . . ,z_l)

Definenbp(z₁, . . . ,zi−1) = (z+z_i) mod 2

(35)

Main theorem: proof (continued)

Ifdstgives 0, then the prediction is correct with probabilityp_f(z_i |zⁱ⁻¹)

Ifdstgives 1, then it is correct with probability 1−p_f(z_i |zⁱ⁻¹).

Letz=z^l. We have

q_i−1(z)·p_f(z_i |zⁱ⁻¹) =q_i(z)/2.

(36)

Main theorem: proof (continued)

Pr[z_i =nbp(zⁱ⁻¹)] =

X

z∈(Z2)^l

qi−1(z)Pr[dst(z) = 0]·p_f(z_i |zⁱ⁻¹) +Pr[dst(z) = 1]·(1−p_f(z_i |zⁱ⁻¹))=

X

z∈(Z2)^l

q_i(z)

2 ·Pr[dst(z) = 0]+^X

z∈(Z2)^l

qi−1(z)·Pr[dst(z) = 1]−^X

z∈(Z2)^l

q_i(z)

2 ·Pr[dst(z) = 1]

= 1−Edst(q_i)

2 +Edst(q_i−1)−Edst(q_i)

2 = 1

2+Edst(q_i−1)−Edst(q_i)> 1 2+

l.

(37)

Main theorem: Summary

The-distinguishability implies/l-predictability.

Hybrid argument: if a distinguisher can-distinguish extreme hybrids given byp_f andpu_l, then it can also distinguish adjacent hybrids given byq_i−1andq_i, with gap at least/l.

The distinguisher is used to produce a predictor.

The contrapositive is thatunpredictability implies indistinguishability.