Random Number Generation

Contents
- Introduction
- Usage
- The Requirement from Different Algorithms
- (Desirable) Properties of Pseudorandom Numbers
- Pseudorandom Numbers
- Multiplicative Congruential Method
- Linear Congruential Method
- Blum Blum Shub Cryptographic Pseudorandom Number Generator
- Test for Random Numbers

Introduction

Truly random - defined as exhibiting "true" randomness, such as the time between "tics" from a Geiger counter exposed to a radioactive element.

Pseudorandom - defined as having the appearance of randomness, but nevertheless exhibiting a specific, repeatable pattern. Numbers calculated by a computer through a deterministic process cannot, by definition, be random.

Three classes are distinguished: truly random, pseudorandom, and quasi-random.

Usage

Almost all network security protocols rely on the randomness of certain parameters:
- Nonce - used to avoid replay
- Session key
- Unique parameters in digital signatures

Almost all cryptographic protocols require the generation and use of secret values that must be unknown to attackers, so a random number generator (RNG) is required.
For example, RNGs are required to generate public/private key pairs for asymmetric (public key) algorithms including RSA, DSA, and Diffie-Hellman. Keys for symmetric and hybrid cryptosystems are also generated randomly. RNGs are also used to create challenges, nonces (salts), padding bytes, and blinding values. The one-time pad, the only provably secure encryption system, uses as much key material as ciphertext and requires that the key stream be generated from a truly random process.

Randomness in cryptography - generation of:
- Nonce (a number used only once)
- Key
- Challenge
- Initialization vector
- Padding byte
- Blinding value

The Requirement from Different Algorithms

The frequency and volume of randomness required differ from algorithm to algorithm:
- RSA - randomness is required when the key pair is generated; thereafter, any number of messages can be signed without any further need for randomness.
- DSA - requires good random numbers for each signature.
- One-time pad - requires a volume of randomness equal to all the messages to be processed.

[Figure: stream cipher. Encryption: a key stream generator driven by key k produces z_i, which is combined with message m_i to give ciphertext c_i. Decryption: the same key stream generator, with the same key k, regenerates z_i, which is combined with c_i to recover m_i.]

(Desirable) Properties of Pseudorandom Numbers

Desirable attributes: uniformity, independence, efficiency, replicability, long cycle length.

- Uncorrelated sequences - the sequences of random numbers should be serially uncorrelated.
- Long period - the generator should have a long period (ideally, the generator should not repeat; practically, repetition should occur only after the generation of a very large set of random numbers).
- Uniformity - the sequence of random numbers should be uniform and unbiased. That is, equal fractions of random numbers should fall into equal "areas" in space. E.g. if random numbers on [0, 1) are to be generated, it would be poor practice were more than half to fall into [0, 0.1), presuming the sample size is sufficiently large.
- Efficiency - the generator should be efficient, with low overhead for massively parallel computations.
Pseudorandom Numbers

Randomly chosen numbers are needed for many purposes, including computer simulations. Pseudorandom numbers are not truly random since they are generated by systematic methods. The linear congruential method is one commonly used procedure for generating pseudorandom numbers. Four integers are needed: the modulus m, the multiplier a, the increment c, and the seed x0, with 2 ≤ a < m, 0 ≤ c < m, 0 ≤ x0 < m. We generate a sequence of pseudorandom numbers {x_n}, with 0 ≤ x_n < m for all n, by successively applying the recursively defined function x_{n+1} = (a x_n + c) mod m.

Multiplicative Congruential Method

Basic relationship: X_{i+1} = a X_i (mod m), where a ≥ 0 and m ≥ 0.

The most natural choice for m is one that equals the capacity of a computer word:
- m = 2^b (binary machine), where b is the number of bits in the computer word.
- m = 10^d (decimal machine), where d is the number of digits in the computer word.

Linear Congruential Method

X_{i+1} = (a X_i + c) mod m, i = 0, 1, 2, ...

Example: let X0 = 27, a = 17, c = 43, and m = 100. Then
X1 = (17*27 + 43) mod 100 = 2, R1 = 2 / 100 = 0.02
X2 = (17*2 + 43) mod 100 = 77, R2 = 77 / 100 = 0.77

LCGs are not recommended for computer simulations, nor for any other purpose that requires a higher degree of randomness.

Blum Blum Shub Cryptographic Pseudorandom Number Generator

Test for Random Numbers

1. Frequency test. Uses the Kolmogorov-Smirnov or the chi-square test to compare the distribution of the set of numbers generated to a uniform distribution.
2. Runs test. Tests the runs up and down, or the runs above and below the mean, by comparing the actual values to expected values. The statistic for comparison is the chi-square.
3. Autocorrelation test. Tests the correlation between numbers and compares the sample correlation to the expected correlation of zero.
4. Gap test. Counts the number of digits that appear between repetitions of a particular digit and then uses the Kolmogorov-Smirnov test to compare with the expected number of gaps.
5. Poker test. Treats numbers grouped together as a poker hand; the hands obtained are then compared to what is expected using the chi-square test.

Entropy - the information density of the content of a sequence; high density usually means random.
Arithmetic mean.
Chi-square test - provides a probability for the randomness of a sequence.
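The multiplicative and linear congruential methods and the Blum Blum Shub generator described above, as an added example that is not part of the original notes. It uses the notes' own LCG parameters (X0 = 27, a = 17, c = 43, m = 100) and a constructed toy BBS modulus (p = 11, q = 23, seed 3); the cycle-length check is added to show why those LCG parameters are weak.

```python
"""Added example, not from the original notes: the linear congruential
method with the notes' own worked parameters, the multiplicative case
(c = 0), a cycle-length check, and Blum Blum Shub with a constructed toy
modulus. Names and the BBS primes are assumptions made for illustration."""
from math import gcd


def lcg(x0, a, c, m, n):
    """X_{i+1} = (a*X_i + c) mod m; returns [X_1, ..., X_n].
    The multiplicative congruential method is the special case c = 0."""
    xs, x = [], x0
    for _ in range(n):
        x = (a * x + c) % m
        xs.append(x)
    return xs


def cycle_length(x0, a, c, m):
    """Number of distinct states in the cycle the seed eventually enters.
    The notes' example (27, 17, 43, 100) repeats after only 4 of the 100
    possible states, far from the desirable long period."""
    first_seen, x, i = {}, x0, 0
    while x not in first_seen:
        first_seen[x] = i
        x = (a * x + c) % m
        i += 1
    return i - first_seen[x]


def bbs_bits(p, q, seed, n):
    """Blum Blum Shub: M = p*q with p, q prime and congruent to 3 mod 4,
    x_0 = seed^2 mod M, x_{i+1} = x_i^2 mod M; output the low bit of
    x_1..x_n. The toy primes only illustrate the recurrence; the
    generator's security rests on M being too large to factor."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 mod 4")
    mod = p * q
    if gcd(seed, mod) != 1:
        raise ValueError("seed must be coprime with p*q")
    x = seed * seed % mod
    bits = []
    for _ in range(n):
        x = x * x % mod
        bits.append(x & 1)
    return bits


if __name__ == "__main__":
    print("LCG X_1..X_4:", lcg(27, 17, 43, 100, 4))
    print("cycle length:", cycle_length(27, 17, 43, 100))
    print("BBS bits:", bbs_bits(11, 23, 3, 6))
```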
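The frequency (chi-square), runs and entropy tests from the list above, together with the arithmetic mean, as an added example that is not part of the original notes. It runs the checks against the notes' own LCG; the expected-runs formulas and the chi-square critical value are standard textbook constants assumed here rather than taken from the notes.

```python
"""Added example, not from the original notes: the frequency (chi-square),
runs-up-and-down and entropy tests the notes list, plus the arithmetic mean,
run against the notes' own LCG (X0=27, a=17, c=43, m=100). The runs formulas
and the chi-square critical value are standard constants assumed here."""
import math
from collections import Counter

CHI2_CRIT_9DF_05 = 16.919  # upper 5% point, chi-square with 9 d.f. (10 bins)


def lcg_uniform(x0, a, c, m, n):
    """R_i = X_i / m for the LCG X_{i+1} = (a*X_i + c) mod m."""
    out, x = [], x0
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x / m)
    return out


def chi_square_frequency(values, bins=10):
    """Frequency test: distance of bin counts from the uniform expectation;
    a statistic above the critical value rejects uniformity."""
    counts = [0] * bins
    for v in values:
        counts[min(int(v * bins), bins - 1)] += 1
    expected = len(values) / bins
    return sum((o - expected) ** 2 / expected for o in counts)


def runs_up_down(values):
    """Runs test: (number of runs up/down, z-score against the expected
    (2n-1)/3 runs with variance (16n-29)/90); |z| > 1.96 rejects."""
    n = len(values)
    signs = [b > a for a, b in zip(values, values[1:]) if b != a]
    runs = 1 + sum(s != t for s, t in zip(signs, signs[1:]))
    return runs, (runs - (2 * n - 1) / 3) / math.sqrt((16 * n - 29) / 90)


def entropy_bits(values):
    """Shannon entropy per symbol; m equiprobable states would give log2(m)."""
    n = len(values)
    return -sum(k / n * math.log2(k / n) for k in Counter(values).values())


if __name__ == "__main__":
    r = lcg_uniform(27, 17, 43, 100, 1000)
    print("mean", sum(r) / len(r), "(0.5 expected)")
    print("chi-square", chi_square_frequency(r), "crit", CHI2_CRIT_9DF_05)
    print("runs, z", runs_up_down(r))
    print("entropy bits", entropy_bits(r), "max", math.log2(100))
```

The notes' LCG fails every check: only four bins are ever hit, the run count is far below the expected 666, and the entropy is 2 bits against a possible log2(100).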