5 Pseudorandom Generators
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Lecture 8: Key Derivation, Protecting Passwords, Slow Hashes, Merkle Trees
Lecture 8: Key derivation, protecting passwords, slow hashes, Merkle trees Boaz Barak Last lecture we saw the notion of cryptographic hash functions which are functions that behave like a random function, even in settings (unlike that of standard PRFs) where the adversary has access to the key that allows them to evaluate the hash function. Hash functions have found a variety of uses in cryptography, and in this lecture we survey some of their other applications. In some of these cases, we only need the relatively mild and well-defined property of collision resistance while in others we only know how to analyze security under the stronger (and not precisely well defined) random oracle heuristic. Keys from passwords We have seen great cryptographic tools, including PRFs, MACs, and CCA secure encryptions, that Alice and Bob can use when they share a cryptographic key of 128 bits or so. But unfortunately, many of the current users of cryptography are humans which, generally speaking, have extremely faulty memory capacity for storing large numbers. There are 628 ≈ 248 ways to select a password of 8 upper and lower case letters + numbers, but some letter/numbers combinations end up being chosen much more frequently than others. Due to several large scale hacks, very large databases of passwords have been made public, and one estimate is that the most frequent 10, 000 ≈ 214 passwords account for more than 90% of the passwords chosen. If we choose a password at random from some set D then the entropy of the password is simply log |D|. Estimating the entropy of real life passwords is rather difficult. -
1 Perfect Secrecy of the One-Time Pad
1 Perfect secrecy of the one-time pad In this section, we make more a more precise analysis of the security of the one-time pad. First, we need to define conditional probability. Let’s consider an example. We know that if it rains Saturday, then there is a reasonable chance that it will rain on Sunday. To make this more precise, we want to compute the probability that it rains on Sunday, given that it rains on Saturday. So we restrict our attention to only those situations where it rains on Saturday and count how often this happens over several years. Then we count how often it rains on both Saturday and Sunday. The ratio gives an estimate of the desired probability. If we call A the event that it rains on Saturday and B the event that it rains on Sunday, then the intersection A ∩ B is when it rains on both days. The conditional probability of A given B is defined to be P (A ∩ B) P (B | A)= , P (A) where P (A) denotes the probability of the event A. This formula can be used to define the conditional probability of one event given another for any two events A and B that have probabilities (we implicitly assume throughout this discussion that any probability that occurs in a denominator has nonzero probability). Events A and B are independent if P (A ∩ B)= P (A) P (B). For example, if Alice flips a fair coin, let A be the event that the coin ends up Heads. If Bob rolls a fair six-sided die, let B be the event that he rolls a 3. -
Pseudorandomness and Computational Difficulty
PSEUDORANDOMNESS AND COMPUTATIONAL DIFFICULTY RESEARCH THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF SCIENCE HUGO KRAWCZYK SUBMITTED TOTHE SENATEOFTHE TECHNION —ISRAEL INSTITUTE OF TECHNOLOGY SHVAT 5750 HAIFAFEBRUARY 1990 Amis padres, AurorayBernardo, aquienes debo mi camino. ALeonor,compan˜era inseparable. ALiat, dulzuraycontinuidad. This research was carried out in the Computer Science Department under the supervision of Pro- fessor Oded Goldreich. To Oded, my deep gratitude for being both teacher and friend. Forthe innumerable hoursofstimulating conversations. Forhis invaluable encouragement and support. Iamgrateful to all the people who have contributed to this research and given me their support and help throughout these years. Special thanks to Benny Chor,Shafi Goldwasser,Eyal Kushilevitz, Jacob Ukel- son and Avi Wigderson. ToMikeLuby thanks for his collaboration in the work presented in chapter 2. Ialso wish to thank the Wolf Foundation for their generous financial support. Finally,thanks to Leonor,without whom all this would not have been possible. Table of Contents Abstract ............................. 1 1. Introduction ........................... 3 1.1 Sufficient Conditions for the Existence of Pseudorandom Generators ........ 4 1.2 The Existence of Sparse Pseudorandom Distributions . ............ 5 1.3 The Predictability of Congruential Generators ............... 6 1.4 The Composition of Zero-Knowledge Interactive-Proofs . ........... 8 2. On the Existence of Pseudorandom Generators ............... 10 2.1. Introduction .......................... 10 2.2. The Construction of Pseudorandom Generators .............. 13 2.3. Applications: Pseudorandom Generators based on Particular Intractability Assump- tions . ............................ 22 3. Sparse Pseudorandom Distributions ................... 25 3.1. Introduction .......................... 25 3.2. Preliminaries ......................... 25 3.3. The Existence of Sparse Pseudorandom Ensembles ............. 27 3.4. -
6.045J Lecture 13: Pseudorandom Generators and One-Way Functions
6.080/6.089 GITCS April 4th, 2008 Lecture 16 Lecturer: Scott Aaronson Scribe: Jason Furtado Private-Key Cryptography 1 Recap 1.1 Derandomization In the last six years, there have been some spectacular discoveries of deterministic algorithms, for problems for which the only similarly-efficient solutions that were known previously required randomness. The two most famous examples are • the Agrawal-Kayal-Saxena (AKS) algorithm for determining if a number is prime or composite in deterministic polynomial time, and • the algorithm of Reingold for getting out of a maze (that is, solving the undirected s-t con nectivity problem) in deterministic LOGSPACE. Beyond these specific examples, mounting evidence has convinced almost all theoretical com puter scientists of the following Conjecture: Every randomized algorithm can be simulated by a deterministic algorithm with at most polynomial slowdown. Formally, P = BP P . 1.2 Cryptographic Codes 1.2.1 Caesar Cipher In this method, a plaintext message is converted to a ciphertext by simply adding 3 to each letter, wrapping around to A after you reach Z. This method is breakable by hand. 1.2.2 One-Time Pad The “one-time pad” uses a random key that must be as long as the message we want to en crypt. The exclusive-or operation is performed on each bit of the message and key (Msg ⊕ Key = EncryptedMsg) to end up with an encrypted message. The encrypted message can be decrypted by performing the same operation on the encrypted message and the key to retrieve the message (EncryptedMsg⊕Key = Msg). An adversary that intercepts the encrypted message will be unable to decrypt it as long as the key is truly random. -
A Mathematical Formulation of the Monte Carlo Method∗
A Mathematical formulation of the Monte Carlo method∗ Hiroshi SUGITA Department of Mathematics, Graduate School of Science, Osaka University 1 Introduction Although admitting that the Monte Carlo method has been producing practical results in many fields, a number of researchers have the following serious suspicion about it. The Monte Carlo method needs random numbers. But since no computer program can generate them, we execute a Monte Carlo method using a pseu- dorandom number generated by a computer program. Of course, such an expedient can never have any mathematical justification. As a matter of fact, this suspicion is a misunderstanding caused by prejudice. In this article, we propose a proper mathematical formulation of the Monte Carlo method, which resolves this suspicion. The mathematical definitions of the notions of random number and pseudorandom number have been known for quite some time. Indeed, the notion of random number was defined in terms of computational complexity by Kolmogorov and others in 1960’s ([3, 4, 6]), while the notion of pseudorandom number was defined in the context of cryptography by Blum and others in 1980’s ([1, 2, 14]). But unfortunately, those definitions have been thought to be useless until now in understanding and executing the Monte Carlo method. It is not because their definitions are improper, but because our way of thinking about the Monte Carlo method has been improper. In this article, we propose a mathematical formulation of the Monte Carlo method which is based on and theoretically compatible with those definitions of random number and pseudorandom number. Under our formulation, as a result, we see the following. -
Measures of Pseudorandomness
Katalin Gyarmati Measures of Pseudorandomness Abstract: In the second half of the 1990s Christian Mauduit and András Sárközy [86] introduced a new quantitative theory of pseudorandomness of binary sequences. Since then numerous papers have been written on this subject and the original theory has been generalized in several directions. Here I give a survey of some of the most important results involving the new quantitative pseudorandom measures of finite bi- nary sequences. This area has strong connections to finite fields, in particular, some of the best known constructions are defined using characters of finite fields and their pseudorandom measures are estimated via character sums. Keywords: Pseudorandomness, Well Distribution, Correlation, Normality 2010 Mathematics Subject Classifications: 11K45 Katalin Gyarmati: Department of Algebra and Number Theory, Eötvös Loránd University, Budapest, Hungary, e-mail: [email protected] 1Introduction In the twentieth and twenty-first centuries various pseudorandom objects have been studied in cryptography and number theory since these objects are widely used in modern cryptography, in applications of the Monte Carlo method and in wireless communication (see [39]). Different approaches and definitions of pseudorandom- ness can be found in several papers and books. Menezes, Oorschot and Vanstone [95] have written an excellent monograph about these approaches. The most frequent- ly used interpretation of pseudorandomness is based on complexity theory; Gold- wasser [38] has written a survey paper about this approach. However, recently the complexity theory approach has been widely criticized. One problem is that in this approach usually infinite sequences are tested while in the applications only finite sequences are used. Another problem is that most results are based on certain un- proved hypotheses (such as the difficulty of factorization of integers). -
Pseudorandomness
~ MathDefs ~ CS 127: Cryptography / Boaz Barak Pseudorandomness Reading: Katz-Lindell Section 3.3, Boneh-Shoup Chapter 3 The nature of randomness has troubled philosophers, scientists, statisticians and laypeople for many years.1 Over the years people have given different answers to the question of what does it mean for data to be random, and what is the nature of probability. The movements of the planets initially looked random and arbitrary, but then the early astronomers managed to find order and make some predictions on them. Similarly we have made great advances in predicting the weather, and probably will continue to do so in the future. So, while these days it seems as if the event of whether or not it will rain a week from today is random, we could imagine that in some future we will be able to perfectly predict it. Even the canonical notion of a random experiment- tossing a coin - turns out that it might not be as random as you’d think, with about a 51% chance that the second toss will have the same result as the first one. (Though see also this experiment.) It is conceivable that at some point someone would discover some function F that given the first 100 coin tosses by any given person can predict the value of the 101th.2 Note that in all these examples, the physics underlying the event, whether it’s the planets’ movement, the weather, or coin tosses, did not change but only our powers to predict them. So to a large extent, randomness is a function of the observer, or in other words If a quantity is hard to compute, it might as well be random. -
6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms. 6.080/6.089 GITCS April 4th, 2008 Lecture 16 Lecturer: Scott Aaronson Scribe: Jason Furtado Private-Key Cryptography 1 Recap 1.1 Derandomization In the last six years, there have been some spectacular discoveries of deterministic algorithms, for problems for which the only similarly-efficient solutions that were known previously required randomness. The two most famous examples are • the Agrawal-Kayal-Saxena (AKS) algorithm for determining if a number is prime or composite in deterministic polynomial time, and • the algorithm of Reingold for getting out of a maze (that is, solving the undirected s-t con nectivity problem) in deterministic LOGSPACE. Beyond these specific examples, mounting evidence has convinced almost all theoretical com puter scientists of the following Conjecture: Every randomized algorithm can be simulated by a deterministic algorithm with at most polynomial slowdown. Formally, P = BP P . 1.2 Cryptographic Codes 1.2.1 Caesar Cipher In this method, a plaintext message is converted to a ciphertext by simply adding 3 to each letter, wrapping around to A after you reach Z. This method is breakable by hand. 1.2.2 One-Time Pad The “one-time pad” uses a random key that must be as long as the message we want to en crypt. The exclusive-or operation is performed on each bit of the message and key (Msg ⊕ Key = EncryptedMsg) to end up with an encrypted message. -
Lecture 3: Randomness in Computation
Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science, we study randomness due to the following reasons: 1. Randomness is essential for computers to simulate various physical, chemical and biological phenomenon that are typically random. 2. Randomness is necessary for Cryptography, and several algorithm design tech- niques, e.g. sampling and property testing. 3. Even though efficient deterministic algorithms are unknown for many problems, simple, elegant and fast randomized algorithms are known. We want to know if these randomized algorithms can be derandomized without losing the efficiency. We address these in this lecture, and answer the following questions: (1) What is randomness? (2) How can we generate randomness? (3) What is the relation between randomness and hardness and other disciplines of computer science and mathematics? 1 What is Randomness? What are random binary strings? One may simply answer that every 0/1-bit appears with the same probability (50%), and hence 00000000010000000001000010000 is not random as the number of 0s is much more than the number of 1s. How about this sequence? 00000000001111111111 The sequence above contains the same number of 0s and 1s. However most people think that it is not random, as the occurrences of 0s and 1s are in a very unbalanced way. So we roughly call a string S 2 f0; 1gn random if for every pattern x 2 f0; 1gk, the numbers of the occurrences of every x of the same length are almost the same. -
The Intel Random Number Generator
® THE INTEL RANDOM NUMBER GENERATOR CRYPTOGRAPHY RESEARCH, INC. WHITE PAPER PREPARED FOR INTEL CORPORATION Benjamin Jun and Paul Kocher April 22, 1999 Information in this white paper is provided without guarantee or warranty of any kind. This review represents the opinions of Cryptography Research and may or may not reflect opinions of Intel Corporation. Characteristics of the Intel RNG may vary with design or process changes. © 1999 by Cryptography Research, Inc. and Intel Corporation. 1. Introduction n = − H K∑ pi log pi , Good cryptography requires good random i=1 numbers. This paper evaluates the hardware- where pi is the probability of state i out of n based Intel Random Number Generator (RNG) possible states and K is an optional constant to for use in cryptographic applications. 1 provide units (e.g., log(2) bit). In the case of a Almost all cryptographic protocols require random number generator that produces a k-bit the generation and use of secret values that must binary result, pi is the probability that an output be unknown to attackers. For example, random will equal i, where 0 ≤ i < 2k . Thus, for a number generators are required to generate -k perfect random number generator, pi = 2 and public/private keypairs for asymmetric (public the entropy of the output is equal to k bits. This key) algorithms including RSA, DSA, and means that all possible outcomes are equally Diffie-Hellman. Keys for symmetric and hybrid (un)likely, and on average the information cryptosystems are also generated randomly. present in the output cannot be represented in a RNGs are also used to create challenges, nonces sequence shorter than k bits. -
Lecture 7: Pseudo Random Generators 1 Introduction 2
Introduction to Cryptography 02/06/2018 Lecture 7: Pseudo Random Generators Instructor: Vipul Goyal Scribe: Eipe Koshy 1 Introduction Randomness is very important in modern computational systems. For example, randomness is needed for encrypting a session key in an SSL connection or for encrypting a hard drive. There are multiple challenges associated with generating randomness for modern systems: • True randomness is difficult to get • Large amounts of randomness are needed in practice Given these challenges, several different input sources are used for randomness on modern systems. For example, key strokes or mouse movements can be used as a source of randomness. However, these sources are limited in the amount of randomness they can generate. In addition, it is critical that the sources of randomness be truly random or close to being truly random. Several crypto-systems have been defeated1 because their randomness generators were broken (i.e. not truly random.) As a solution to both the challenges detailed above for generating randomness, an approach to build a kind of randomness generator that creates random strings of a desired length would be to first, start off with building a short random string (of length, say, n bits), and then, expand it to a longer random looking string k (of length, say, l(n) bits.) We can represent this "randomness" generator as f : f0; 1gn ! f0; 1gl(n) A key question is: Can we can really expand a short string with a few random bits into a longer string with many random bits? The answer lies in the definition of the term "random looking" that we we used in our definition above. -
Pseudorandom Generators
8 Pseudorandom Generators Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 Randomness is one of the fundamental computational resources and appears everywhere. In computer science, we study randomness due to the following reasons: First, computers are used to simulate various random processes in Physics, Chemistry and Biology. Second, ran- domness is widely used in Cryptography, and a few techniques of algorithm design (e.g. sampling, random walks) rely on randomness. Third, even though efficient deterministic al- gorithms are unknown for many problems, simple, elegant and fast randomized algorithms are known and easy to analyze. For many problems (e.g. primality testing), usually we have efficient randomized algorithms at first before we obtain deterministic polynomial-time algo- rithms eventually. This leads the question of derandomization, i.e., if we have a general way to derandomize randomized algorithms without significantly increasing their runtime. The answer to these questions have lead to the study of pseudorandomness. In today’s lecture, we will address the following three questions: (1) What is randomness? What are the possible ways to define randomness? (2) How do computer programs generate random numbers? Are these numbers truly random? (3) What the relationship between randomness and other disciplines of Computer Science and Mathematics? 8.1 What is Randomness? What are random binary strings? The best way to think about perfect randomness is as an arbitrary long sequence of binary strings, where every 0 or 1 appears equally, i.e. every 0/1- bit appears with the same probability (50%) in a random order. For instance, the string 00000000010000000001000010000 is not random as the number of 0s is much more than the number of 1s.