DOCSLIB.ORG

Monte Carlo: Techniques and Theory

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Monte Carlo: Techniques and Theory Monte Carlo: Techniques and Theory Ronald Kleiss1 IMAPP, Radboud University of Nijmegen version of February 11, 2019 John von Neumann Stanislav Ulam Nick Metropolis the other godfather the other godfather the other godfather `We guarantee that each number is random individually, but we don't guarantee that more than one of them is random' Unnamed programming consultant quoted in [1] [email protected] 1 Contents 1 Introduction: randomness and probability 11 1.1 Protohistory............................ 11 1.2 Random number streamsRandom numbers!stream....... 11 1.2.1 Random numbers: circulus in probando ......... 11 1.2.2 What is a random stream? Relying on probability... 11 1.2.3 What is probability? Relying on a random stream... 12 1.2.4 A difference between physics and mathematics..... 12 1.3 Miscellaneous probability items................. 12 1.3.1 Some notation in these notes............... 12 1.3.2 Moments and characteristic function.......... 13 1.3.3 The Chebyshev-Bienaym´einequality.......... 13 1.3.4 The Central Limit Theorem............... 14 2 Monte Carlo integration 16 2.1 The Monte Carlo idea...................... 16 2.1.1 Point sets and expectation values............ 16 2.1.2 Integration as archetype................. 16 2.1.3 Point sets, ensembles, and the Leap Of Faith..... 17 2.2 Finding estimators........................ 17 2.2.1 Direct sums, unequal-sums, and expectation values.. 17 2.2.2 The Monte Carlo estimators.............. 18 2.2.3 Positivity of E2 and E4 .................. 19 2.3 Estimating in practice...................... 20 2.3.1 Improved estimators................... 20 2.3.2 Numerical stability; the extended CGL algorithm... 20 2.3.3 How to do Monte Carlo integration........... 21 2.3.4 How to report Monte Carlo integration......... 22 2.3.5 How to interpret Monte Carlo integration....... 22 2.4 A test case............................ 23 2.5 Exercises.............................. 26 3 Random number generation 28 3.1 Introduction to random number sources............. 28 3.1.1 Natural vs Pseudo.................... 28 3.2 Pseudo-random number streams................. 29 3.2.1 The structure of pseudo-random number algorithms.. 29 2 3.2.2 The set of all algorithms................. 30 3.2.3 The concept of an arbitrary algorithm......... 30 3.2.4 Lessons from random algorithms............. 31 3.2.5 Shift-register PRNGs................... 32 3.3 Bad and good algorithms..................... 32 3.3.1 Bad: the midsquare algorithm............. 32 3.3.2 Bad: the chaos approach and the logistic map..... 34 3.3.3 Maybe not so bad: linear congruential methods.... 35 3.3.4 Horrible: RANDU, and a possible redemption...... 37 3.3.5 Good: RCARRY and RANLUX ................ 37 3.3.6 Good: the Mersenne Twister............... 39 3.4 Exercises.............................. 41 4 Testing PRNGs 43 4.1 Empirical testing strategies and doubts............. 43 4.1.1 The Leeb Conundrum: too much of a good thing... 43 4.1.2 Any test is a uniformity test............... 44 4.1.3 The χ2 characteristic................... 44 4.2 Theoretical testing strategies................... 46 4.2.1 The number-to-number correlation........... 46 4.2.2 The spectral test..................... 46 4.3 Exercises.............................. 46 5 Quasi-Monte Carlo 48 5.1 Generalities of QMC....................... 48 5.1.1 The New Leap of Faith.................. 48 5.1.2 The mechanism of error improvement......... 49 5.2 Error estimators.......................... 50 5.2.1 The first-order estimate................. 50 5.2.2 The second-order estimate................ 50 5.2.3 Payback time: Lack of Leap of Faith is Punished... 50 6 Nonuniformity of point sets 51 6.1 Measures of nonuniformity: Discrepancy............ 51 6.1.1 The star discrepancy................... 51 6.1.2 Random vs Regular: Translation vs Rotation..... 52 6.1.3 The Roth bound..................... 53 6.1.4 The Koksma-Hlawka inequality............. 53 3 6.1.5 The Wiener measure and the Wo´zniakowski Lemma.. 53 6.2 Measures of nonuniformity: Diaphony.............. 55 6.2.1 Fourier problem classes.................. 55 6.2.2 Fourier diaphony..................... 56 6.2.3 Choosing your strengths: examples of diaphony.... 57 6.3 QFT for diaphony......................... 58 6.3.1 The distribution of diaphony............... 58 6.3.2 Feynman rules for diaphony in the large-N limit.... 59 6.3.3 Collecting bracelets.................... 60 6.3.4 The diaphony distribution for large N ......... 62 6.3.5 The saddle-point approximation............. 63 6.3.6 1=N corrections to the diaphony distribution...... 64 6.3.7 The two-point function................. 65 6.3.8 Testing too much: the Dirac limit............ 67 6.4 Measures of nonuniformity: χ2 ................. 68 6.4.1 The χ2 as a discrepancy................. 68 6.4.2 Large-N results for χ2 .................. 69 6.4.3 Two-point function and 1=N corrections for χ2 ..... 70 7 Superuniform point sets 72 7.1 Fixed point sets vs streams.................... 72 7.1.1 Diaphony minimisation................. 72 7.1.2 Korobov sequences: good lattice points......... 73 7.2 QRNG algorithms......................... 75 7.2.1 Richtmeyer-Kronecker streams.............. 75 7.2.2 Excursion into fractions (cont'd)............. 75 7.2.3 Rational approximations to irrationals......... 76 7.2.4 Almost-equidistancy for Richtmeyer sequences..... 77 7.2.5 van der Corput streams................. 79 7.2.6 Van der Corput sequences in more dimensions..... 81 7.2.7 Niederreiter streams................... 83 8 Variance reduction 84 8.1 Stratified sampling........................ 84 8.1.1 General strategy..................... 84 8.1.2 Uniform stratification................... 85 8.1.3 Stratification as quasification.............. 86 8.1.4 An example: VEGAS .................... 87 4 8.1.5 An example: PARNI .................... 87 8.2 Importance sampling....................... 87 8.2.1 General strategy..................... 87 8.2.2 Multichanneling...................... 87 9 Non-uniform PRNGs 88 9.1 The Art of Transforming, Rejecting, and Being Smart..... 88 9.2 The UA formalism........................ 88 9.2.1 Unitary algorithms as words and as pseudocode.... 88 9.2.2 Inversion of variates in UA................ 90 9.2.3 Rejection of variates in UA............... 91 9.3 Repertoire and the Rule of Nifty................. 93 9.3.1 Building up a repertoire................. 93 9.3.2 The normal distribution: the Box-M¨ulleralgorithm.. 94 9.3.3 The Euler algorithm................... 95 9.3.4 The Kinderman-Monahan algorithm.......... 97 9.4 Random-walk algorithms..................... 98 9.4.1 The Metropolis algorithm................ 99 9.4.2 An elementary case study for Metropolis........ 101 9.4.3 Applications of the Metropolis algorithm........ 102 9.4.4 Gibbs sampling...................... 103 9.4.5 An elementary case study for Gibbs........... 104 10 Phase space algorithms for particle physics 106 10.1 The uniform phase space problem in particle phenomenology. 106 10.2 Two-body phase space...................... 106 10.2.1 The two-body algorithm................. 106 10.2.2 Two-body reduction................... 107 10.3 The relativistic problem..................... 108 10.3.1 Two-body reduction algorithm.............. 108 10.3.2 Massless RAMBO ...................... 109 10.3.3 Inclusion of masses.................... 111 10.4 Nonrelativistic phase space: BOLTZ ............... 113 11 Appendices 116 11.0.1 Falling powers...................... 116 11.0.2 Relations between direct sums and unequal-sums... 117 11.0.3 An exponential sum and the Poisson formula...... 117 5 11.0.4 About the integral (40)................. 118 11.0.5 Selfies........................... 118 11.0.6 Serial correlation in a real-number model........ 119 11.0.7 The two-point function for the Euler diaphony..... 120 11.0.8 Rational denominators for continued fractions..... 120 List of Algorithms 1 Extended CGL algorithm for numerically safe updating of run- ning Monte Carlo estimators................... 22 2 The RCARRY algorithm using a cyclic register........... 38 3 The two major steps of the MT algorithm............. 41 4 The van der Corput transform φb(n).............. 80 5 The Box-M¨ulleralgorithm.................... 95 6 The Euler density with parameters p1; p2; : : : ; pn ........ 96 7 Generating the Cauchy density by ratio of uniforms...... 98 8 Two-bodyp phase space with masses m1;2 and total invariant energy s > m1 + m2 ...................... 107 9 Lorentz boost from P µ, with P 2 = s, at rest to given form, applied on vector pµ. The resultant vector is qµ......... 107 10 The Platzer algorithm for n ≥ 3................. 109 11 The RAMBO algorithm for n momenta with total invariant mass squared s ............................. 111 12 Lorentz boost from P µ, with P 2 = s, to rest from given form, applied on vector pµ. The resultant vector is qµ......... 111 13 Giving masses to massless momenta............... 112 14 The BOLTZ algorithm for total energy U and masses m1;2;:::;n . 114 6 The Buffon fragment from the water's edge, even as much as thou canst gather, [and] bring it to What follows is translated from the the scribe's apprentice. And [the scri- ‘Buffon fragment', clay tablet in Akka- be's apprentice] shall shape thereof [a dian discovered at the site of Jebel-i- tablet of] two cubits; and [the scribe's Qurul, most likely the library of the apprentice] shall draw many [lines on temple precinct of the deity Nisaba, the tablet] so that none approach nor which contained a school of the tupsar separate; and the empty
Load more

Recommended publications
  • Lecture 8: Key Derivation, Protecting Passwords, Slow Hashes, Merkle Trees
    Lecture 8: Key derivation, protecting passwords, slow hashes, Merkle trees Boaz Barak Last lecture we saw the notion of cryptographic hash functions which are functions that behave like a random function, even in settings (unlike that of standard PRFs) where the adversary has access to the key that allows them to evaluate the hash function. Hash functions have found a variety of uses in cryptography, and in this lecture we survey some of their other applications. In some of these cases, we only need the relatively mild and well-defined property of collision resistance while in others we only know how to analyze security under the stronger (and not precisely well defined) random oracle heuristic. Keys from passwords We have seen great cryptographic tools, including PRFs, MACs, and CCA secure encryptions, that Alice and Bob can use when they share a cryptographic key of 128 bits or so. But unfortunately, many of the current users of cryptography are humans which, generally speaking, have extremely faulty memory capacity for storing large numbers. There are 628 ≈ 248 ways to select a password of 8 upper and lower case letters + numbers, but some letter/numbers combinations end up being chosen much more frequently than others. Due to several large scale hacks, very large databases of passwords have been made public, and one estimate is that the most frequent 10, 000 ≈ 214 passwords account for more than 90% of the passwords chosen. If we choose a password at random from some set D then the entropy of the password is simply log |D|. Estimating the entropy of real life passwords is rather difficult.
    [Show full text]
  • Pseudorandomness and Computational Difficulty
    PSEUDORANDOMNESS AND COMPUTATIONAL DIFFICULTY RESEARCH THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF SCIENCE HUGO KRAWCZYK SUBMITTED TOTHE SENATEOFTHE TECHNION —ISRAEL INSTITUTE OF TECHNOLOGY SHVAT 5750 HAIFAFEBRUARY 1990 Amis padres, AurorayBernardo, aquienes debo mi camino. ALeonor,compan˜era inseparable. ALiat, dulzuraycontinuidad. This research was carried out in the Computer Science Department under the supervision of Pro- fessor Oded Goldreich. To Oded, my deep gratitude for being both teacher and friend. Forthe innumerable hoursofstimulating conversations. Forhis invaluable encouragement and support. Iamgrateful to all the people who have contributed to this research and given me their support and help throughout these years. Special thanks to Benny Chor,Shafi Goldwasser,Eyal Kushilevitz, Jacob Ukel- son and Avi Wigderson. ToMikeLuby thanks for his collaboration in the work presented in chapter 2. Ialso wish to thank the Wolf Foundation for their generous financial support. Finally,thanks to Leonor,without whom all this would not have been possible. Table of Contents Abstract ............................. 1 1. Introduction ........................... 3 1.1 Sufficient Conditions for the Existence of Pseudorandom Generators ........ 4 1.2 The Existence of Sparse Pseudorandom Distributions . ............ 5 1.3 The Predictability of Congruential Generators ............... 6 1.4 The Composition of Zero-Knowledge Interactive-Proofs . ........... 8 2. On the Existence of Pseudorandom Generators ............... 10 2.1. Introduction .......................... 10 2.2. The Construction of Pseudorandom Generators .............. 13 2.3. Applications: Pseudorandom Generators based on Particular Intractability Assump- tions . ............................ 22 3. Sparse Pseudorandom Distributions ................... 25 3.1. Introduction .......................... 25 3.2. Preliminaries ......................... 25 3.3. The Existence of Sparse Pseudorandom Ensembles ............. 27 3.4.
    [Show full text]
  • A Mathematical Formulation of the Monte Carlo Method∗
    A Mathematical formulation of the Monte Carlo method∗ Hiroshi SUGITA Department of Mathematics, Graduate School of Science, Osaka University 1 Introduction Although admitting that the Monte Carlo method has been producing practical results in many fields, a number of researchers have the following serious suspicion about it. The Monte Carlo method needs random numbers. But since no computer program can generate them, we execute a Monte Carlo method using a pseu- dorandom number generated by a computer program. Of course, such an expedient can never have any mathematical justification. As a matter of fact, this suspicion is a misunderstanding caused by prejudice. In this article, we propose a proper mathematical formulation of the Monte Carlo method, which resolves this suspicion. The mathematical definitions of the notions of random number and pseudorandom number have been known for quite some time. Indeed, the notion of random number was defined in terms of computational complexity by Kolmogorov and others in 1960’s ([3, 4, 6]), while the notion of pseudorandom number was defined in the context of cryptography by Blum and others in 1980’s ([1, 2, 14]). But unfortunately, those definitions have been thought to be useless until now in understanding and executing the Monte Carlo method. It is not because their definitions are improper, but because our way of thinking about the Monte Carlo method has been improper. In this article, we propose a mathematical formulation of the Monte Carlo method which is based on and theoretically compatible with those definitions of random number and pseudorandom number. Under our formulation, as a result, we see the following.
    [Show full text]
  • Measures of Pseudorandomness
    Katalin Gyarmati Measures of Pseudorandomness Abstract: In the second half of the 1990s Christian Mauduit and András Sárközy [86] introduced a new quantitative theory of pseudorandomness of binary sequences. Since then numerous papers have been written on this subject and the original theory has been generalized in several directions. Here I give a survey of some of the most important results involving the new quantitative pseudorandom measures of finite bi- nary sequences. This area has strong connections to finite fields, in particular, some of the best known constructions are defined using characters of finite fields and their pseudorandom measures are estimated via character sums. Keywords: Pseudorandomness, Well Distribution, Correlation, Normality 2010 Mathematics Subject Classifications: 11K45 Katalin Gyarmati: Department of Algebra and Number Theory, Eötvös Loránd University, Budapest, Hungary, e-mail: [email protected] 1Introduction In the twentieth and twenty-first centuries various pseudorandom objects have been studied in cryptography and number theory since these objects are widely used in modern cryptography, in applications of the Monte Carlo method and in wireless communication (see [39]). Different approaches and definitions of pseudorandom- ness can be found in several papers and books. Menezes, Oorschot and Vanstone [95] have written an excellent monograph about these approaches. The most frequent- ly used interpretation of pseudorandomness is based on complexity theory; Gold- wasser [38] has written a survey paper about this approach. However, recently the complexity theory approach has been widely criticized. One problem is that in this approach usually infinite sequences are tested while in the applications only finite sequences are used. Another problem is that most results are based on certain un- proved hypotheses (such as the difficulty of factorization of integers).
    [Show full text]
  • Pseudorandomness
    ~ MathDefs ~ CS 127: Cryptography / Boaz Barak Pseudorandomness Reading: Katz-Lindell Section 3.3, Boneh-Shoup Chapter 3 The nature of randomness has troubled philosophers, scientists, statisticians and laypeople for many years.1 Over the years people have given different answers to the question of what does it mean for data to be random, and what is the nature of probability. The movements of the planets initially looked random and arbitrary, but then the early astronomers managed to find order and make some predictions on them. Similarly we have made great advances in predicting the weather, and probably will continue to do so in the future. So, while these days it seems as if the event of whether or not it will rain a week from today is random, we could imagine that in some future we will be able to perfectly predict it. Even the canonical notion of a random experiment- tossing a coin - turns out that it might not be as random as you’d think, with about a 51% chance that the second toss will have the same result as the first one. (Though see also this experiment.) It is conceivable that at some point someone would discover some function F that given the first 100 coin tosses by any given person can predict the value of the 101th.2 Note that in all these examples, the physics underlying the event, whether it’s the planets’ movement, the weather, or coin tosses, did not change but only our powers to predict them. So to a large extent, randomness is a function of the observer, or in other words If a quantity is hard to compute, it might as well be random.
    [Show full text]
  • The Intel Random Number Generator
    ® THE INTEL RANDOM NUMBER GENERATOR CRYPTOGRAPHY RESEARCH, INC. WHITE PAPER PREPARED FOR INTEL CORPORATION Benjamin Jun and Paul Kocher April 22, 1999 Information in this white paper is provided without guarantee or warranty of any kind. This review represents the opinions of Cryptography Research and may or may not reflect opinions of Intel Corporation. Characteristics of the Intel RNG may vary with design or process changes. © 1999 by Cryptography Research, Inc. and Intel Corporation. 1. Introduction n = − H K∑ pi log pi , Good cryptography requires good random i=1 numbers. This paper evaluates the hardware- where pi is the probability of state i out of n based Intel Random Number Generator (RNG) possible states and K is an optional constant to for use in cryptographic applications. 1 provide units (e.g., log(2) bit). In the case of a Almost all cryptographic protocols require random number generator that produces a k-bit the generation and use of secret values that must binary result, pi is the probability that an output be unknown to attackers. For example, random will equal i, where 0 ≤ i < 2k . Thus, for a number generators are required to generate -k perfect random number generator, pi = 2 and public/private keypairs for asymmetric (public the entropy of the output is equal to k bits. This key) algorithms including RSA, DSA, and means that all possible outcomes are equally Diffie-Hellman. Keys for symmetric and hybrid (un)likely, and on average the information cryptosystems are also generated randomly. present in the output cannot be represented in a RNGs are also used to create challenges, nonces sequence shorter than k bits.
    [Show full text]
  • Pseudorandomness
    Foundations and Trends R in sample Vol. xx, No xx (xxxx) 1{180 c xxxx xxxxxxxxx DOI: xxxxxx Pseudorandomness Salil P. Vadhan1 1 Harvard UniversityCambridge, MA02138, USA, [email protected] Abstract Pseudorandomness is the theory of efficiently generating objects that \look random" despite being constructed using little or no randomness. This survey of the subject places particular emphasis on the intimate connections that have been discovered between a variety of fundamental \pseu- dorandom objects" that at first seem very different in nature: expander graphs, randomness ex- tractors, list-decodable error-correcting codes, samplers, and pseudorandom generators. The survey also illustrates the significance the theory of pseudorandomness has for the study of computational complexity, algorithms, cryptography, combinatorics, and communications. The structure of the presentation is meant to be suitable for teaching in a graduate-level course, with exercises accom- panying each chapter. To Kaya and Amari Acknowledgments My exploration of pseudorandomness began in my graduate and postdoctoral years at MIT and IAS, under the wonderful guidance of Oded Goldreich, Shafi Goldwasser, Madhu Sudan, and Avi Wigderson. It was initiated by an exciting reading group organized at MIT by Luca Trevisan, which immersed me in the subject and started my extensive collaboration with Luca. Through fortuitous circumstances, I also began to work with Omer Reingold, starting another lifelong collaboration. I am indebted to Oded, Shafi, Madhu, Avi, Luca, and Omer for all the insights and research experiences they have shared with me. I have also learned a great deal from my other collaborators on pseudorandomness, including Boaz Barak, Eli Ben-Sasson, Michael Capalbo, Kai-Min Chung, Nenad Dedic, Dan Gutfreund, Venkat Guruswami, Iftach Haitner, Alex Healy, Jesse Kamp, Danny Lewin, Shachar Lovett, Chi-Jen Lu, Michael Mitzenmacher, Shien Jin Ong, Michael Rabin, Anup Rao, Ran Raz, Leo Reyzin, Eyal Rozenman, Madhur Tulsiani, Chris Umans, Emanuele Viola, Hoeteck Wee, and David Zuckerman.
    [Show full text]
  • Pseudorandomness by Salil P
    Foundations and TrendsR in Theoretical Computer Science Vol. 7, Nos. 1–3 (2011) 1–336 c 2012 S. P. Vadhan DOI: 10.1561/0400000010 Pseudorandomness By Salil P. Vadhan Contents 1 Introduction 2 1.1 Overview of this Survey 2 1.2 Background Required and Teaching Tips 7 1.3 Notational Conventions 8 1.4 Chapter Notes and References 8 2 The Power of Randomness 10 2.1 Polynomial Identity Testing 10 2.2 The Computational Model and Complexity Classes 17 2.3 Sampling and Approximation Problems 23 2.4 Random Walks and S-T Connectivity 32 2.5 Exercises 40 2.6 Chapter Notes and References 46 3 Basic Derandomization Techniques 50 3.1 Enumeration 51 3.2 Nonconstructive/Nonuniform Derandomization 52 3.3 Nondeterminism 56 3.4 The Method of Conditional Expectations 58 3.5 Pairwise Independence 62 3.6 Exercises 73 3.7 Chapter Notes and References 77 4 Expander Graphs 80 4.1 Measures of Expansion 80 4.2 Random Walks on Expanders 92 4.3 Explicit Constructions 102 4.4 Undirected S-T Connectivity in Deterministic Logspace 116 4.5 Exercises 121 4.6 Chapter Notes and References 127 5 List-Decodable Codes 131 5.1 Definitions and Existence 131 5.2 List-Decoding Algorithms 141 5.3 List-decoding Views of Samplers and Expanders 151 5.4 Expanders from Parvaresh–Vardy Codes 155 5.5 Exercises 159 5.6 Chapter Notes and References 163 6 Randomness Extractors 166 6.1 Motivation and Definition 167 6.2 Connections to Other Pseudorandom Objects 178 6.3 Constructing Extractors 188 6.4 Exercises 202 6.5 Chapter Notes and References 209 7 Pseudorandom Generators 212 7.1 Motivation
    [Show full text]
  • Random Numbers for Large Scale Distributed Monte Carlo Simulations
    Institute for Theoretical Physics Preprint Random numbers for large scale distributed Monte Carlo simulations Heiko Bauke∗ Institut f¨ur Theoretische Physik, Universitat¨ Magdeburg, Universitatsplatz¨ 2, 39016 Magdeburg, Germany and Rudolf Peierls Centre for Theoretical Physics, University of Oxford, 1 Keble Road, Oxford, OX1 3NP, United Kingdom Stephan Mertens† Institut f¨ur Theoretische Physik, Universitat¨ Magdeburg, Universitatsplatz¨ 2, 39016 Magdeburg, Germany arXiv:cond-mat/0609584v2 [cond-mat.other] 3 Jul 2007 . Random numbers for large scale distributed Monte Carlo simulations Heiko Bauke∗ Institut f¨ur Theoretische Physik, Universitat¨ Magdeburg, Universitatsplatz¨ 2, 39016 Magdeburg, Germany and Rudolf Peierls Centre for Theoretical Physics, University of Oxford, 1 Keble Road, Oxford, OX1 3NP, United Kingdom Stephan Mertens† Institut f¨ur Theoretische Physik, Universitat¨ Magdeburg, Universitatsplatz¨ 2, 39016 Magdeburg, Germany (Dated: April 26, 2007) Monte Carlo simulations are one of the major tools in statistical physics, complex system science, and other fields, and an increasing number of these simulations is run on distributed systems like clusters or grids. This raises the issue of generating random numbers in a parallel, distributed environment. In this contribution we demonstrate that multiple linear recurrences in finite fields are an ideal method to produce high quality pseu- dorandom numbers in sequential and parallel algorithms. Their known weakness (failure of sampling points in high dimensions) can be overcome by an appropriate delinearization that preserves all desirable properties of the underlying linear sequence. PACS numbers: 02.70.-c, 02.70.Rr, 05.10.Ln 1. Introduction and we motivate their use as PRNGs. In section 3 we discuss various techniques for parallelizing a PRNG.
    [Show full text]
  • Pseudorandomness - I Instructor: Omkant Pandey Scribe: Aravind Warrier, Vaishali Chanana
    CSE 594 : Modern Cryptography 16/02/2017 Lecture 7: Pseudorandomness - I Instructor: Omkant Pandey Scribe: Aravind Warrier, Vaishali Chanana 1 Randomness Computer needs randomness for many of its operations. For example, randomness is needed for encrypting a session key in an SSL connection or for encrypting a hard drive. The question that arises is how a computer can get randomness. It can use key strokes or mouse movements to generate randomness but it proves out to be uniform as it depends on the entropy of the source. A natural approach for making any encryption scheme that uses key would be to start off with a short length random key k and expand it to longer random looking key k0 by using random key generator g such that k0 = g(k). One fundamental question is can we really expand few random bits into many random bits? The approach could be good in some cases. For instance, in Goldreich-Levin Theorem, pair-wise independent randomness did the job showing that it could be worked out with smaller randomness. But in cryptography, we need something as good as truly random. 2 Pseudorandomness Let us suppose there are n uniformly random bits: x = x1k:::kxn. Pseudorandomness is finding a deterministic (polynomial-time) algorithm G such that: • G(x) outputs a n + 1 bits: y = y1k:::kyn+1 • y looks as good as a truly random string r = r1k::krn+1 fG : f0; 1gn ! f0; 1gn+1g is called a pseudorandom generator(PRG) that takes n random bits of x with no additional randomness of its own and outputs n + 1 random bits of y.
    [Show full text]
  • Pseudorandomness - I
    Pseudorandomness - I 601.642/442: Modern Cryptography Fall 2019 601.642/442: Modern Cryptography Pseudorandomness - I Fall 2019 1 / 13 Randomness Your computer needs “randomness” for many tasks every day! Examples: encrypting a session-key for an SSL connection (login) encrypting your hard-drive for secure backup How does your computer generate this randomness? true randomness is difficult to get often, a lot of it is required (e.g. disk encryption) 601.642/442: Modern Cryptography Pseudorandomness - I Fall 2019 2 / 13 Randomness Common sources of randomness: key-strokes mouse movement power consumption ... These processes can only produce so much true randomness 601.642/442: Modern Cryptography Pseudorandomness - I Fall 2019 3 / 13 Fundamental Question Can we “expand” few random bits into many random bits? Many heuristic approaches; good in many cases, e.g., primality testing But not good for cryptography, such as for data encryption For crypto, need bits that are “as good as truly random bits” 601.642/442: Modern Cryptography Pseudorandomness - I Fall 2019 4 / 13 Pseudorandomness Suppose you have n uniformly random bits: x “ x1} ::: }xn Find a deterministic (polynomial-time) algorithm G such that: – Gpxq outputs a n ` 1 bits: y “ y1} ::: }yn`1 – y looks “as good as” a truly random string r “ r1} ::: }rn`1 G : t0; 1un Ñ t0; 1un`1 is called a pseudorandom generator (PRG) Think: What does “as good as truly random” mean? 601.642/442: Modern Cryptography Pseudorandomness - I Fall 2019 5 / 13 As good as truly random Should have no obvious patterns Pass all statistical tests that a truly random string would pass Number of 0’s and 1’s roughly the same ..
    [Show full text]
  • Pseudorandomness: Applications to Cryptography and Derandomization
    Pseudorandomness: Applications to Cryptography and Derandomization March 15, 2019 1 The Desire for Pseudorandom Generators 1.1 Motivation for Cryptography Consider the following canonical example in cryptography. Suppose Alice would like to securely send a message m to Bob. Crucially, she does not want that message to be read by an eavesdropper named Eve. Alice could do this by first sharing a key k with Bob and then sending the ciphertext c = m ⊕ k. Here, the ⊕ symbol stands for XOR. Bob could decrypt the ciphertext by taking the XOR of c with k: c ⊕ k = (m ⊕ k) ⊕ k = m This encryption/decryption scheme is called a one-time pad. Note two things about this construction. First, the key k must be as long as the message. Second, the key must be randomly chosen. Suppose, the key were not random and instead was the binary encoding of some Billboard Top 100 song. Then, Eve|if she knew the key was a Billboard Top 100 song|could try decrypting with all 100 possible keys and see which output made most sense. One-time pads have limited effectiveness in practice, however, because of two problems. First, generating a truly random key as long as the message is oftentimes infeasible.1 Second, the security of this procedure depends on Alice and Bob being able to securely communicate the key to each other; but doing that is just as hard as being able to securely communicate the message. We can avoid this problem by using pseudorandom generators. Alice and Bob could share a short seed s with each other and then apply a PRG G to get a much longer, seemingly random key equal to G(s).
    [Show full text]