DOCSLIB.ORG

Mersenne Twister – a Pseudo Random Number Generator and Its Variants

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Mersenne Twister – a Pseudo Random Number Generator and Its Variants Mersenne Twister – A Pseudo Random Number Generator and its Variants Archana Jagannatam Abstract: Random number generators(RNG) are widely being used in number of applications, particularly simulation and cryptography. They are a critical part of many cryptographic systems such as key generation, initialization vectors, message padding, nonces and many more. This paper discusses about the Mersenne Twister(MT), a pseudo random number generator(PRNG) and its variants. It mainly emphasizes on two of its variants. SIMD-Oriented Fast Mersenne Twister(SFMT) which is a 128-bit PRNG analogous to MT making full use of its features. And the cryptographically secure CryptMT, considered to be one of the fastest stream ciphers on a CPU with SIMD operations. It also briefly discusses the theories and the choice of parameters used in the algorithms. The requirements for a PRNG to be certified as a good and cryptographically secure PRNG will be presented. 1. Introduction: Random number generators are devices that generate a series of numbers or some kind of symbols that appear random. RNG’S are used for a variety of purposes such as simulating, modeling complex phenomena, cryptography and of course ever popular for games and gambling. There are two main approaches to generating random numbers, Pseudo Random Number Generators(PRNG) and True Random Number Generators(TRNG). TRNG extracts randomness from physical phenomena like atmospheric noise, little variations in mouse movements or the time between mouse strokes and feed then in to a computer. They are mainly used in games and gambling where genuine randomness is required, as they are to slow for use in statistical and cryptographic applications. In comparison to TRNG, PRNG’s are algorithms using some kind of mathematical formula or pre-calculated tables to generate a sequence of numbers that appear random. The sequence of numbers produced is not truly random. It is completely determined by an arbitrary initial state called seed state. If a PRNG's internal state contains n bits, its period can be no longer than 2n results. PRNG’s are efficient, deterministic and periodic which makes them suitable for applications where many numbers are required and where it is useful that the same sequence can be replayed easily such as simulation and modeling. A PRNG should posses some requirements to be considered as a good PRNG, such as uniformity, independence, long period, proper initialization, unpredictability, efficiency and portability. The quality of randomness of a PRNG is measured by subjecting it to a set of statistical testes called diehard tests. Every cryptographically secure PRNG should satisfy two basic requirements, next-bit test and state compromise extensions. This paper discusses Mersenne Twister(MT) which is a PRNG and which satisfies all the requirements to be certified as a good PRNG. MT is proposed in 1997 by Makoto Matsumoto and Takuji Nishimura. It provides for fast generation of very high-quality pseudorandom numbers with a long period length which is chosen to be a Mersenne prime, high order of dimensional equidistribution, speed and reliability. Later many different variants of MT has been introduced for better speed and security for cryptographic uses. Two of the variants this paper talks about are SIMD-Oriented Fast Mersenne Twister(SFMT) and cryptographically secure CryptMT. SFMT is introduced by Mutsuo Saito and Makoto Matsumoto in 2006. It is typically a Linear Feedback Shift Register(LFSR) which generates a 128-bit pseudorandom integer at one step. SFMT is introduced to use the new features of CPU’s such as Single Instruction Multiple Data (SIMD) operations (i.e., 128bit operations) and multi-stage pipelines. CryptMT is a stream cipher which uses MT and is considered to be cryptographically secure. It was developed by Makoto Matsumoto, Hagita Mariko, Takuji Nishimura and Mutsuo Saito in 2005. CryptMT ver. 3 is the latest version. In section 2.1 of this paper we discuss the theories behind MT and its algorithm. Section 2.2 discusses the choice of parameters for MT also presents a table showing values for different parameters of 32-bit MT. Section 2.3 talks about the limitations of MT such as initialization and security, and also the modification made to overcome the limitations. Section 3 introduces SFMT and 3.1 shows the theories and algorithms for SFMT, and also contains two figures of a circuit like description of SFMT19937 and block generation scheme. Next we talk about the choice of parameters of SFMT for the calculation of period and dimension of equidistribution in section 3.2. Then in 3.3 its limitation such as recovery from 0-excess state and the improvements made are discussed. Section 4 introduces CryptMT, we discuss its first version, the theories behind it and presents a block diagram of CryptMT ver. 1. Section 4.1 talks about its latest version CryptMT ver. 3, its theories and contains a figure showing combined generator. It also shows a table containing the parameters for the speed comparison of CryptMT with other stream ciphers. Then its advantages and shortcomings are discussed in section 4.2. The appendix of the paper shows the inversive-decimation method for primitivity testing. 2. Mersenne Twister: Mersenne Twister, the name derives from the fact that it uses a period which is a Mersenne prime. It is a modification of a Twisted Generalized Feedback Shift Register(TGFSR) which takes in an incomplete array to realize a Mersenne prime as its period and uses an inversive-decimation method for primitivity testing of a characteristic polynomial of a linear recurrence with a computational complexity of O(p2) where p is the degree of the polynomial. MT has a long period of 219937-1and a 623 dimensional equidistribution up to 32-bit accuracy, generating an output which is free of long-term correlations. It is considered to be fast, as it avoids multiplications and divisions and uses the advantages of cashes and pipelines and efficient in memory use as only 624 words needed for the working area. 2.1-MT Theories: MT generates a sequence of word vectors considered as uniform pseudorandom integers between 0 and w 2 -1, where w is the dimension of row vectors over the finite binary field F2. It is based on the following recurring equation: = ⊕ u l xk+n : xk+m (xk | xk+1 )A (1) Here: Integer n is the degree of recurrence. Integer m, 1≤ m ≤ n. A is a constant w × w matrix chosen to ease the matrix multiplication shown below 0 1 0 0 1 0 A = 1 aw−1 aw−2 a0 k is 0,1,2…… xn is a row vector of a word size w which is generated with k =0. x0, x1, …., xn-1 are initial seeds. l xk+1 are lower or rightmost r bits of xk+1 . u xk are upper or leftmost w – r bits of xk . ⊕ denotes a bitwise XOR. | denotes a concatenating operation. u l ( xk | xk+1 ) is the concatenation vector obtained by concatenating the upper w - r bits of xk and the lower l r bits of xk+1 in the order. Then the matrix A is multiplied from the right by this vector. Finally bitwise ⊕ u addition is performed to add xk+m , and then generate the next vector xk+n . The multiplication of ( xk l | xk+1 )A can be performed using simple bit shift operations as shown below. x >> 1 if x = 0 xA = 0 >> ⊕ = (x 1) a if x0 1 Where x is (xw−1 , xw−2 ,..., x0 ) , a is the bottom row vector of A and ‘ >>’ denotes bitwise right shifts. Thus the calculation of the recurrence (1) is realized with bitshift, bitwise EXCLUSIVE-OR, bitwise OR, and bitwise AND operations. MT has (n-1) dimensional equidistribution, which is a good characteristic of PRNG’s. k-distribution tests are considered to be a good way to measure the randomness of a PRNG. From the definition, a periodic = sequence X : x0 , x1,..., x p−1 with period p of w -bit integers is said to have k-dimensional equidistribution property if it has the maximum period and if any kw -bit pattern equally likely occurs as k-tuple = (xl , xl+1 ,..., xl+k−1 ) for l 0,1,2,... All the overlapping k-tuples appearing in one period, then the output k- tuples are uniformly distributed over the set of possible output numbers. A largest value of such k is called the dimension of equidistribution. To improve the k-distribution to v-bit accuracy of the raw sequences generated from the recursion (1), a method called tempering is used to produce the final pseudo random number. Each generated word is multiplied by a w × w invertible matrix T from right yielding a result of tempering matrix x into z := xT . The matrix T is chosen such that binary operations can be performed as: y := x ⊕ (x >> u) y := y ⊕ ((y << s) & b) y := y ⊕ ((y << t) & c) z := y ⊕ (y >> l) where u, s, t and l are tempering bit shifts. b and c are tempering bitmasks. ‘<<’ denotes a bitwise left shift and ‘&’ denotes a bitwise AND operation. MT works in two parts: recurring and tempering. The recurring is a form of Linear Feedback Shift Register(LFSR) in which each bit of the state derives from the recursion and each bit of the output also satisfies the recurring of the bits forming the states. Figure 1 shows a high level block diagram of MT. LFSR 32-bit 32-bit …………….. 32-bit 32-bit 0 1 622 623 Tempering 19937-bit output Fig 1. Block diagram of MT The shift register is composed of 624 elements and a total of 19937 cells.
Load more

Recommended publications
  • A Note on Random Number Generation
    A note on random number generation Christophe Dutang and Diethelm Wuertz September 2009 1 1 INTRODUCTION 2 \Nothing in Nature is random. number generation. By \random numbers", we a thing appears random only through mean random variates of the uniform U(0; 1) the incompleteness of our knowledge." distribution. More complex distributions can Spinoza, Ethics I1. be generated with uniform variates and rejection or inversion methods. Pseudo random number generation aims to seem random whereas quasi random number generation aims to be determin- istic but well equidistributed. 1 Introduction Those familiars with algorithms such as linear congruential generation, Mersenne-Twister type algorithms, and low discrepancy sequences should Random simulation has long been a very popular go directly to the next section. and well studied field of mathematics. There exists a wide range of applications in biology, finance, insurance, physics and many others. So 2.1 Pseudo random generation simulations of random numbers are crucial. In this note, we describe the most random number algorithms At the beginning of the nineties, there was no state-of-the-art algorithms to generate pseudo Let us recall the only things, that are truly ran- random numbers. And the article of Park & dom, are the measurement of physical phenomena Miller (1988) entitled Random generators: good such as thermal noises of semiconductor chips or ones are hard to find is a clear proof. radioactive sources2. Despite this fact, most users thought the rand The only way to simulate some randomness function they used was good, because of a short on computers are carried out by deterministic period and a term to term dependence.
    [Show full text]
  • Package 'Randtoolbox'
    Package ‘randtoolbox’ January 31, 2020 Type Package Title Toolbox for Pseudo and Quasi Random Number Generation and Random Generator Tests Version 1.30.1 Author R port by Yohan Chalabi, Christophe Dutang, Petr Savicky and Di- ethelm Wuertz with some underlying C codes of (i) the SFMT algorithm from M. Mat- sumoto and M. Saito, (ii) the Knuth-TAOCP RNG from D. Knuth. Maintainer Christophe Dutang <[email protected]> Description Provides (1) pseudo random generators - general linear congruential generators, multiple recursive generators and generalized feedback shift register (SF-Mersenne Twister algorithm and WELL generators); (2) quasi random generators - the Torus algorithm, the Sobol sequence, the Halton sequence (including the Van der Corput sequence) and (3) some generator tests - the gap test, the serial test, the poker test. See e.g. Gentle (2003) <doi:10.1007/b97336>. The package can be provided without the rngWELL dependency on demand. Take a look at the Distribution task view of types and tests of random number generators. Version in Memoriam of Diethelm and Barbara Wuertz. Depends rngWELL (>= 0.10-1) License BSD_3_clause + file LICENSE NeedsCompilation yes Repository CRAN Date/Publication 2020-01-31 10:17:00 UTC R topics documented: randtoolbox-package . .2 auxiliary . .3 coll.test . .4 coll.test.sparse . .6 freq.test . .8 gap.test . .9 get.primes . 11 1 2 randtoolbox-package getWELLState . 12 order.test . 12 poker.test . 14 pseudoRNG . 16 quasiRNG . 22 rngWELLScriptR . 26 runifInterface . 27 serial.test . 29 soboltestfunctions . 31 Index 33 randtoolbox-package General remarks on toolbox for pseudo and quasi random number generation Description The randtoolbox-package started in 2007 during an ISFA (France) working group.
    [Show full text]
  • Gretl User's Guide
    Gretl User’s Guide Gnu Regression, Econometrics and Time-series Allin Cottrell Department of Economics Wake Forest university Riccardo “Jack” Lucchetti Dipartimento di Economia Università Politecnica delle Marche December, 2008 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation (see http://www.gnu.org/licenses/fdl.html). Contents 1 Introduction 1 1.1 Features at a glance ......................................... 1 1.2 Acknowledgements ......................................... 1 1.3 Installing the programs ....................................... 2 I Running the program 4 2 Getting started 5 2.1 Let’s run a regression ........................................ 5 2.2 Estimation output .......................................... 7 2.3 The main window menus ...................................... 8 2.4 Keyboard shortcuts ......................................... 11 2.5 The gretl toolbar ........................................... 11 3 Modes of working 13 3.1 Command scripts ........................................... 13 3.2 Saving script objects ......................................... 15 3.3 The gretl console ........................................... 15 3.4 The Session concept ......................................... 16 4 Data files 19 4.1 Native format ............................................. 19 4.2 Other data file formats ....................................... 19 4.3 Binary databases ..........................................
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]
  • Scope of Various Random Number Generators in Ant System Approach for Tsp
    AC 2007-458: SCOPE OF VARIOUS RANDOM NUMBER GENERATORS IN ANT SYSTEM APPROACH FOR TSP S.K. Sen, Florida Institute of Technology Syamal K Sen ([email protected]) is currently a professor in the Dept. of Mathematical Sciences, Florida Institute of Technology (FIT), Melbourne, Florida. He did his Ph.D. (Engg.) in Computational Science from the prestigious Indian Institute of Science (IISc), Bangalore, India in 1973 and then continued as a faculty of this institute for 33 years. He was a professor of Supercomputer Computer Education and Research Centre of IISc during 1996-2004 before joining FIT in January 2004. He held a Fulbright Fellowship for senior teachers in 1991 and worked in FIT. He also held faculty positions, on leave from IISc, in several universities around the globe including University of Mauritius (Professor, Maths., 1997-98), Mauritius, Florida Institute of Technology (Visiting Professor, Math. Sciences, 1995-96), Al-Fateh University (Associate Professor, Computer Engg, 1981-83.), Tripoli, Libya, University of the West Indies (Lecturer, Maths., 1975-76), Barbados.. He has published over 130 research articles in refereed international journals such as Nonlinear World, Appl. Maths. and Computation, J. of Math. Analysis and Application, Simulation, Int. J. of Computer Maths., Int. J Systems Sci., IEEE Trans. Computers, Internl. J. Control, Internat. J. Math. & Math. Sci., Matrix & Tensor Qrtly, Acta Applicande Mathematicae, J. Computational and Applied Mathematics, Advances in Modelling and Simulation, Int. J. Engineering Simulation, Neural, Parallel and Scientific Computations, Nonlinear Analysis, Computers and Mathematics with Applications, Mathematical and Computer Modelling, Int. J. Innovative Computing, Information and Control, J. Computational Methods in Sciences and Engineering, and Computers & Mathematics with Applications.
    [Show full text]
  • Gretl 1.6.0 and Its Numerical Accuracy - Technical Supplement
    GRETL 1.6.0 AND ITS NUMERICAL ACCURACY - TECHNICAL SUPPLEMENT A. Talha YALTA and A. Yasemin YALTA∗ Department of Economics, Fordham University, New York 2007-07-13 This supplement provides detailed information regarding both the procedure and the results of our testing GRETL using the univariate summary statistics, analysis of variance, linear regression, and nonlinear least squares benchmarks of the NIST Statis- tical Reference Datasets (StRD), as well as verification of the random number generator and the accuracy of statistical distributions used for calculating critical values. The numbers of accurate digits (NADs) for testing the StRD datasets are also supplied and compared with several commercial packages namely SAS v6.12, SPSS v7.5, S-Plus v4.0, Stata 7, and Gauss for Windows v3.2.37. We did not perform any accuracy tests of the latest versions of these programs and the results that we supply for packages other than GRETL 1.6.0 are those independently verified and published by McCullough (1999a), McCullough and Wilson (2002), and Vinod (2000) previously. Readers are also referred to McCullough (1999b) and Keeling and Pavur (2007), which examine software accuracy and supply the NADS across four and nine software packages at once respectively. Since all these programs perform calculations using 64-bit floating point arithmetic, discrepan- cies in results are caused by differences in algorithms used to perform various statistical operations. 1 Numerical tests of the NIST StRD benchmarks For the StRD reference data sets, NIST provides certified values calculated with multiple precision in 500 digits of accuracy, which were later rounded to 15 significant digits (11 for nonlinear least squares).
    [Show full text]
  • 3 Uniform Random Numbers 3 3.1 Random and Pseudo-Random Numbers
    Contents 3 Uniform random numbers 3 3.1 Random and pseudo-random numbers . 3 3.2 States, periods, seeds, and streams . 5 3.3 U(0; 1) random variables . 8 3.4 Inside a random number generator . 10 3.5 Uniformity measures . 12 3.6 Statistical tests of random numbers . 15 3.7 Pairwise independent random numbers . 17 End notes . 18 Exercises . 20 1 2 Contents © Art Owen 2009{2013 do not distribute or post electronically without author's permission 3 Uniform random numbers Monte Carlo methods require a source of randomness. For the convenience of the users, random numbers are delivered as a stream of independent U(0; 1) random variables. As we will see in later chapters, we can generate a vast assortment of random quantities starting with uniform random numbers. In practice, for reasons outlined below, it is usual to use simulated or pseudo- random numbers instead of genuinely random numbers. This chapter looks at how to make good use of random number generators. That begins with selecting a good one. Sometimes it ends there too, but in other cases we need to learn how best to set seeds and organize multiple streams and substreams of random numbers. This chapter also covers quality criteria for ran- dom number generators, briefly discusses the most commonly used algorithms, and points out some numerical issues that can trap the unwary. 3.1 Random and pseudo-random numbers It would be satisfying to generate random numbers from a process that accord- ing to well established understanding of physics is truly random.
    [Show full text]
  • A Recap of Randomness the Mersene Twister Xorshift Linear
    Programmatic Entropy: Exploring the Most Prominent PRNGs Jared Anderson, Evan Bause, Nick Pappas, Joshua Oberlin A Recap of Randomness Random number generating algorithms are rated by two primary measures: entropy - the measure of disorder in the numbers created and period - how long it takes before the PRNG begins to inevitably cycle its pattern. While high entropy and a long period are desirable traits, it is Xorshift sometimes necessary to settle for a less intense method of random Linear Congruential Generators Xorshift random number generators are an extremely fast and number generation to not sacrifice performance of the product the PRNG efficient type of PRNG discovered by George Marsaglia. An xorshift is required for. However, in the real world PRNGs must also be evaluated PRNG works by taking the exclusive or (xor) of a computer word with a for memory footprint, CPU requirements, and speed. shifted version of itself. For a single integer x, an xorshift operation can In this poster we will explore three of the major types of PRNGs, their produce a sequence of 232 - 1 random integers. For a pair of integers x, history, their inner workings, and their uses. y, it can produce a sequence of 264 - 1 random integers. For a triple x, y, z, it can produce a sequence of 296 - 1, and so on. The Mersene Twister The Mersenne Twister is the most widely used general purpose pseudorandom number generator today. A Mersenne prime is a prime number that is one less than a power of two, and in the case of a 19937 mersenne twister, is its chosen period length (most commonly 2 −1).
    [Show full text]
  • 1. Monte Carlo Integration
    1. Monte Carlo integration The most common use for Monte Carlo methods is the evaluation of integrals. This is also the basis of Monte Carlo simulations (which are actually integrations). The basic principles hold true in both cases. 1.1. Basics Basic idea becomes clear from the • “dartboard method” of integrating the area of an irregular domain: Choose points randomly within the rectangular box A # hits inside area = p(hit inside area) Abox # hits inside box as the # hits . ! 1 1 Buffon’s (1707–1788) needle experiment to determine π: • – Throw needles, length l, on a grid of lines l distance d apart. – Probability that a needle falls on a line: d 2l P = πd – Aside: Lazzarini 1901: Buffon’s experiment with 34080 throws: 355 π = 3:14159292 ≈ 113 Way too good result! (See “π through the ages”, http://www-groups.dcs.st-and.ac.uk/ history/HistTopics/Pi through the ages.html) ∼ 2 1.2. Standard Monte Carlo integration Let us consider an integral in d dimensions: • I = ddxf(x) ZV Let V be a d-dim hypercube, with 0 x 1 (for simplicity). ≤ µ ≤ Monte Carlo integration: • - Generate N random vectors x from flat distribution (0 (x ) 1). i ≤ i µ ≤ - As N , ! 1 V N f(xi) I : N iX=1 ! - Error: 1=pN independent of d! (Central limit) / “Normal” numerical integration methods (Numerical Recipes): • - Divide each axis in n evenly spaced intervals 3 - Total # of points N nd ≡ - Error: 1=n (Midpoint rule) / 1=n2 (Trapezoidal rule) / 1=n4 (Simpson) / If d is small, Monte Carlo integration has much larger errors than • standard methods.
    [Show full text]
  • Ziggurat Revisited
    Ziggurat Revisited Dirk Eddelbuettel RcppZiggurat version 0.1.3 as of July 25, 2015 Abstract Random numbers following a Standard Normal distribution are of great importance when using simulations as a means for investigation. The Ziggurat method (Marsaglia and Tsang, 2000; Leong, Zhang, Lee, Luk, and Villasenor, 2005) is one of the fastest methods to generate normally distributed random numbers while also providing excellent statistical properties. This note provides an updated implementations of the Ziggurat generator suitable for 32- and 64-bit operating system. It compares the original implementations to several popular Open Source implementations. A new implementation embeds the generator into an appropriate C++ class structure. The performance of the different generator is investigated both via extended timing and through a series of statistical tests, including a suggested new test for testing Normal deviates directly. Integration into other systems such as R is discussed as well. 1 Introduction Generating random number for use in simulation is a classic topic in scientific computing and about as old as the field itself. Most algorithms concentrate on the uniform distribution. Its values can be used to generate randomly distributed values from other distributions simply by using the relevant inverse function. Regarding terminology, all computational algorithms for generation of random numbers are by definition deterministic. Here, we follow standard convention and refer to such numbers as pseudo-random as they can always be recreated given the seed value for a given sequence. We are not concerned in this note with quasi-random numbers (also called low-discrepnancy sequences). We consider this topic to be subset of pseudo-random numbers subject to distributional constraints.
    [Show full text]
  • Gretl Manual
    Gretl Manual Gnu Regression, Econometrics and Time-series Library Allin Cottrell Department of Economics Wake Forest University August, 2005 Gretl Manual: Gnu Regression, Econometrics and Time-series Library by Allin Cottrell Copyright © 2001–2005 Allin Cottrell Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation (see http://www.gnu.org/licenses/fdl.html). iii Table of Contents 1. Introduction........................................................................................................................................... 1 Features at a glance ......................................................................................................................... 1 Acknowledgements .......................................................................................................................... 1 Installing the programs................................................................................................................... 2 2. Getting started ...................................................................................................................................... 4 Let’s run a regression ...................................................................................................................... 4 Estimation output............................................................................................................................. 6 The
    [Show full text]
  • Feistel Cipher Structure
    Computer Security - Block Ciphers & DES (Data Encryption Standard) Howon Kim 2019.3 Agenda ◼ Review ◼ Block Ciphers & Stream Ciphers ❑ Stream Ciphers ❑ Block Ciphers ◼ DES ◼ Cryptanalysis ◼ Modes of Operations ◼ Next… 2 Review: Attack Types ◼ Attack types ❑ Ciphertext only ◼ Eve has only a copy of the ciphertext. ❑ Known plaintext ◼ Eve has a copy of a ciphertext and the corresponding plaintext. ◼ For example, if Eve knows that Alice always starts her message with “Dear Bob,” then Eve has a small piece of ciphertext and corresponding plaintext. ❑ Chosen plaintext ◼ Eve gains temporary access to the encryption machine. ◼ She cannot open it to find the key, but she can encrypt a large number of suitably chosen plaintexts and try to use the resulting ciphertexts to deduce the key. ❑ Chosen ciphertext ◼ Eve obtains temporary access to the decryption machine. 3 Review: Ciphertext Only Attack ◼ Eve has only the ciphertext. ❑ Y M W J J U F W Y X ◼ Her best strategy is an exhaustive search. ❑ There are only 26 possible keys. ❑ If the message is longer than a few letters, it is unlikely that there is more than one meaningful message that could be the plaintext. ◼ Try to decrypt it! 4 Review: Known Plaintext Attack ◼ It’s trivial.(only for shift cipher. Generally, not.) ❑ If Eve knows just one letter of the plaintext along with the corresponding letter of ciphertext, she can deduce the key. ◼ In this above example… ❑ Ciphertext: Y M W J J U F W Y X ❑ Plaintext: ? ? ? ? ? p ? ? ? ? 5 Review: CPA, CCA ◼ Attack 3: Chosen plaintext attack ❑ Choose the letter a as the plaintext.
    [Show full text]