• Embed Doc
  • Copy Link
  • Readcast
  • Collections
  • CommentGo Back
Download
 
This is a Chapter from the
Handbook of Applied Cryptography
, by A. Menezes, P. vanOorschot, and S. Vanstone, CRC Press, 1996.For further information, see
www.cacr.math.uwaterloo.ca/hac
CRC Press has granted the following specific permissions for the electronic version of thisbook:Permission is granted to retrieve, print and store a single copy of this chapter forpersonal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of theperson creating the copy, or making electronic copies available for retrieval byothers without prior permission in writing from CRC Press.Except where over-ridden by the specific permission above, the standard copyright noticefrom CRC Press applies to this electronic version:Neither this book nor any part may be reproduced or transmitted in any form orby any means, electronic or mechanical, including photocopying, microfilming,and recording, or by any information storage or retrieval system, without priorpermission in writing from the publisher.The consent of CRC Press does not extend to copying for general distribution,for promotion, for creating new works, or for resale. Specific permission must beobtained in writing from CRC Press for such copying.c
1997 by CRC Press, Inc.
 
Chapter 
5    
Pseudorandom Bits and Sequences 
Contents in Brief 
5.1 Introduction
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1695.2 Random bit generation
. . . . . . . . . . . . . . . . . . . . . . .
1715.3 Pseudorandom bit generation
. . . . . . . . . . . . . . . . . . . .
1735.4 Statistical tests
. . . . . . . . . . . . . . . . . . . . . . . . . . .
1755.5 Cryptographically secure pseudorandom bit generation
. . . . . .
1855.6 Notes and further references
. . . . . . . . . . . . . . . . . . . .
187
5.1 Introduction
The security of many cryptographicsystems dependsupon the generation of unpredictablequantities. Examples include the keystream in the one-time pad (
§
1.5.4), the secret key inthe DES encryption algorithm (
§
7.4.2), the primes
p,q
in the RSA encryption (
§
8.2) anddigital signature (
§
11.3.1) schemes, the private key
a
in the DSA (
§
11.5.1), and the chal-lenges used in challenge-response identification systems (
§
10.3). In all these cases, thequantities generatedmust be of sufficient size and be “random” in the sense that the proba-bilityof anyparticularvaluebeingselected must besufficientlysmall to precludean adver-saryfromgainingadvantagethroughoptimizingasearchstrategybasedonsuchprobability.For example, the key space for DES has size
2
56
. If a secret key
k
were selected using atrue randomgenerator,an adversary would on average have to try
2
55
possible keys beforeguessing the correct key
k
. If, on the other hand, a key
k
were selected by first choosing a16-bit random secret
s
, and then expanding it into a 56-bit key
k
using a complicated butpublicly known function
, the adversary would on average only need to try
2
15
possiblekeys (obtained by running every possible value for
s
through the function
).This chapter considers techniques for the generation of random and pseudorandombits and numbers. Related techniques for pseudorandom bit generation that are generallydiscussed in the literature in the context of stream ciphers, including linear and nonlinearfeedback shift registers (Chapter 6) and the output feedback mode (OFB) of block ciphers(Chapter 7), are addressed elsewhere in this book.
Chapter outline
The remainder of 
§
5.1 introduces basic concepts relevant to random and pseudorandombit generation.
§
5.2 considers techniques for random bit generation, while
§
5.3 considerssome techniques for pseudorandombit generation.
§
5.4 describes statistical tests designed169
 
170 Ch.5 Pseudorandom Bits and Sequence
to measure the quality of a random bit generator. Cryptographically secure pseudorandombitgeneratorsarethetopicof 
§
5.5.
§
5.6concludeswithreferencesandfurtherchapternotes.
5.1.1 Background and Classification
5.1 Definition
A
random bit generator 
is a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits.
5.2 Remark
(
randombits vs. random numbers
) A randombit generatorcan be used to gener-ate (uniformlydistributed) randomnumbers. For example, a randominteger in the interval
[0
,n
]
can be obtained by generating a random bit sequence of length
lg
n
+ 1
, and con-verting it to an integer; if the resulting integer exceeds
n
, one option is to discard it andgenerate a new random bit sequence.
§
5.2 outlines some physical sources of random bits that are used in practice. Ideally,secretsrequiredincryptographicalgorithmsandprotocolsshouldbegeneratedwitha(true)randombit generator. However,the generationofrandombits isan inefficientprocedureinmostpracticalenvironments. Moreover,itmaybeimpracticaltosecurelystoreandtransmita largenumberof randombits if these are requiredin applicationssuch as the one-timepad(
§
6.1.1). In such situations, the problem can be ameliorated by substituting a random bitgenerator with a pseudorandom bit generator.
5.3 Definition
A
pseudorandom bit generator 
(PRBG) is a deterministic
1
algorithm which,givenatrulyrandombinarysequenceoflength
k
,outputsabinarysequenceoflength
l
k
which “appears” to be random. The input to the PRBG is called the
seed 
, while the outputof the PRBG is called a
pseudorandom bit sequence
.The output of a PRBG is
not 
random; in fact, the numberof possible output sequencesis atmostasmall fraction,namely
2
k
/
2
l
, ofall possiblebinarysequencesoflength
l
. Theintentis to take a small truly randomsequence and expand it to a sequence of much largerlength,in such a way that an adversary cannot efficiently distinguish between output sequences of the PRBG and truly random sequences of length
l
.
§
5.3 discusses ad-hoc techniques forpseudorandom bit generation. In order to gain confidence that such generators are secure,they should be subjected to a variety of statistical tests designed to detect the specific char-acteristics expected of random sequences. A collection of such tests is given in
§
5.4. Asthe following example demonstrates, passing these statistical tests is a
necessary
but not
sufficient 
condition for a generator to be secure.
5.4 Example
(
linear congruential generators
) A
linear congruential generator 
produces apseudorandomsequence of numbers
x
1
,x
2
,x
3
,...
according to the linear recurrence
x
n
=
ax
n
1
+
b
mod
m, n
1;
integers
a
,
b
,and
m
are
 parameters
whichcharacterizethegenerator,while
x
0
isthe(secret)
seed 
. While such generators are commonly used for simulation purposes and probabilisticalgorithms, and pass the statistical tests of 
§
5.4, they are
predictable
and hence entirely in-secure for cryptographic purposes: given a partial output sequence, the remainder of thesequence can be reconstructed even if the parameters
a
,
b
, and
m
are unknown.
1
 Deterministic
here means that given the same initial seed, the generator will always produce the same outputsequence.
c
1997 by CRC Press, Inc. — See accompanying notice at front of chapter.
of 00

Leave a Comment

You must be to leave a comment.
Submit
Characters: ...
You must be to leave a comment.
Submit
Characters: ...