introduction quality of random numbers – quality of random ... · rns – rngs thomas risse iia,...
TRANSCRIPT
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality of random numbers –Quality of random number generators
Thomas RisseInstitute of Informatics & Automation, IIA
Faculty E & I, Hochschule BremenUniversity of Applied Sciences
SIP31, 28.-29.10.2013Hochschule Bremen, University of Applied Sciences
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Agenda
1 Introduction
2 Deterministic RNGs
3 MATLABs random number generators
4 SAGEs random number generators
5 Criteria for pseudo random number generators
6 Quality Criteria for PRNGs
7 Comparison and Results
8 Resumé
The generation of random numbers is too important to be leftto chance – Robert R. Coveyou
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Motivationby Some Recent Examples
[email protected] 13/08/15Flaw in Android random number generatorleaves Bitcoin wallets open to theft. Users ofsuch apps are encouraged to migrate awayfrom insecure wallets through any feasiblemechanism as soon as possible.http://bitcoin.org/en/alert/2013-08-11-android
sans.org 13/08/31 [5] ’Security Analysis of Pseudo-RandomNumber Generators with Input /dev/random isnot Robust.’
c’t 22/2013 S.44, wired RSA Tells Its Developer Customers:Stop Using NSA-Linked Random Bit Generatorhttp://csrc.nist.gov/publications/
PubsDrafts.html#SP-800-90-ARev1BandC
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Introduction
Why random numbers, RNs?Why random number generators, RNGs?z.B. block ciphers, RSA-moduli, keystream generation, zeroknowledge authentication, [10], [4], [24], PQC [22] etc per [8]
• Deterministic/Pseudo-RNGs, DRNG/PRNG
• Physical/True RNGs, TRNG, PTRNG
Quality of random numbers = Quality of GeneratorsCriteria specified by diverse bodies, e.g.
• NIST [24] FIPS
• AIS 20 [9] and AIS 31 [10] of BSI [2] for Germany
disclaimer
Here, we in more detail examine the generators of uniformlydistributed random numbers of MATLAB and SAGE only!
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Deterministic RNGsTypical is some initialisation (seed) and computation of thenext random number based on the last random number(s).
• John von Neumann’s middle-square method from 1946:take any number (seed), square it, remove the middledigits of the resulting number as the ’random number’,then use that number as the seed for the next iteration.
• Linear congruential generators [12]:choose seed xo and compute xk+1 = a xk + c mod mfor k = 0, 1, . . . and suitable parameters a, c and m
• Linear Feedback Shift Registers, LFSRs:choose some initial state and run hardware, for example
next bit p(x) = x16 + x14 + x13 + x11 + 1 in GF2
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Deterministic RNGs’
• Mersenne1 twister algorithm [16]:choose N = 624 seeds, Y1, ... YN . Compute Yi for i>Nby h := Yi−N − Yi−N mod 231 + Yi−N+1 mod 231
Yi := Yi−227 ⊕ bh/2c ⊕ ((h mod 2) · 9908b0dfhex )Postprocessing then guarantees uniform distribution:x := Yi ⊕ bYi/211c; y := x ⊕ ((x · 27) ∧ 9d2c5680hex );z := y ⊕ ((y · 215) ∧ efc60000hex ); Zi := z ⊕ bz/218cPeriod is 219937−1 ≈ 4, 3·106001. Improvements see [20]
• Blum-Blum-Shub generator [1]:choose n = pq for suitable primes p and q, seed s withgcd(s, n) = 1, compute s0 = s2 mod n and for i = 0, 1, ...si+1 = s2
i mod n.If desired, get random bits by bi = si mod 2 or similar.
1M. Mersenne (1588-1648) www-history.mcs.st-andrews.ac.uk/Biographies/Mersenne.html
was the first to examine integers of the form 2n − 1. Some are prime! see GIMPS
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
MATLABs PRNGs
< 1995 mcg16807, Park & Miller’s PNRG [21]according to [19]:uses linear congruential generator witha = 75 = 16807, c = 0,m = 231 − 1 = 2147483647 when divided by mproduces random numbers ∈ [0, 1).
1995–2008 Marsaglia’s PNRG [13][14] according to [19]:initialize internal state or cache of 32 floatsz0, . . . , z31 ∈ (0, 1), an index No 3 i ∈ [0, 31],a random integer j and a borrow ’flag’ b.zi mod 32 := z(i+20) mod 32 − z(i+5) mod 32 − b
then b :=
{0 zi ≥ 02−53 zi < 0
, zi := zi +1 if zi <0.
To be uniformly distributed, the floating-pointfraction of each zi is XORed with j , a separatelygenerated 53bit integer random number.
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
MATLABs PRNGs’since 2007 Mersenne twister is the default PRNG
according to [19] cp rng('type') with type
’twister’ Mersenne Twister’combRecursive’ Combined Multiple Recursive’multFibonacci’ Multiplicative Lagged Fibonacci’v5uniform’ Legacy MATLAB 5.0 uniform generator’v5normal’ Legacy MATLAB 5.0 normal generator’v4’ Legacy MATLAB 4.0 generator
s.a. [15]
• Combined Multiple Recursive [6]: for example computex1,n = (1403580 x1,n−2 − 810728 x1,n−3) mod m1 andx2,n = (527612 x2,n−1 − 1370589 x2,n−3) mod m2 wherem1 = 232 − 209 and m2 = 232 − 22853. Combine x1,n
and x2,n to zn = (x1,n − x2,n) mod m1 and outputun = zn
m1+1 if zn > 0 and un = m1m1+1 if zn = 0.
• Multiplicative Lagged Fibonacci, cp wikipedia:Sn ≡ Sn−j ? Sn−k mod m with 0 < j < k where m = 232
or m = 264, and ? denotes multiplication or XOR.
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
SAGEs PRNGs• SAGE comprises several CASs. Thus, not surprisingly
SAGE offers a variety of built-in random numbergenerators.
• SAGE is object oriented. Hence, quite a lot of built-inobjects offer random_element methods, e.g.
ZZ random, uniformly distributed integers in agiven interval
QQ random, uniformly distributed rationalnumbers with numerators anddenominators in a given range
RR random, uniformly distributed floating pointnumbers with specified ’precision’ (numberof mantissa bits) in a given interval
which can be generalized to random elements ofpolynomial rings, to random elements of quotientpolynomial rings etc, of permutation groups
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
SAGEs vs MATLABs PRNGs’
But in SAGE there are also – to name a few as examples
• random matrices over given fields, i.e. any finite field aswell as Q, R and C
• random elements of partitions
• random elements of permutation groups
• random elements of (certain type of) graphs
• random elements of paths in a graph
In contrast, MATLAB (version 7.13) in addition only provides
randi integer random numbers
sprnd sparse random matrices
randperm random permutations of the integers 1, 2, . . . , n
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Criteria for pseudo RNGsBSI [2] offers (critique see [23])
1 Monobit Test
2 Poker Test
3 Run Tests
4 Longrun Test
5 Autocorrelation Tests
6 Uniform Distribution Test
7 Homogenity Tests
8 Entropy Test
In addition, NIST [24] offers
• binary matrix rank
• DFT
• template matching
• linear complexity
• random walks
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality Criteria for PRNGsMonobit Test : FIPS, HAC [18], NIST [24], BSI [9],[10] pp44
T1Let n = 20000, T1 =
∑ni=1 bi . Bit sequence
(bi)n
i=1passes the Monobit Test if 9654 < T1 < 10346.
T1 is – independence assumed! – binomially distributed:E(T1) = np and Var(T1) = np(1−p) for p = P(b =1).For p = 1
2 SAGE [25] gives with any precisionP(9654 < T1 < 10346) ≈ 0.999999078354697.T1 is approximately N(np, npq)-distributed. SAGEP(9654 < T1 < 10346) ≈ P(|U| < 4.89317892581091)≈ 0.999999503899380 for N(0, 1)-distributed U, where
Φ(u) = 12
(1 + erf( u√
2))
is the distribution function of U.
⇒ BSI-error probability ≤ 1− 0.999999 = 10−6
NB [18],[9],[10] examine (also) the approximately χ2
distributed test statistic T ′1 = 1n (T1 − (n − T1))2 with
df = 1.
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality criteria for PRNGsPoker Test : FIPS, HAC [18] 2bit, NIST [24], BSI [9],[10] pp46 typo
T2
Let n = 20000. Every 4 bits give a nibble.Let hi := |{j : 8b4j−3 + 4b4j−2 + 2b4j−1 + b4j = i}|and T2 = 16
5000
∑15i=o h2
i − 5000. Bit sequence(bi)n
i=1passes the Poker Test, if 1.03 < T2 < 57.4.
T2 = 16n4
∑15i=o h2
i − n4 =∑15
i=o(hi−n4/16)2
n4/16 ≥ 0 with n4 = n4
is χ2-distributed with df =15. NB BSI P(χ2 ≥ 56.49) = 10−6
SAGE: P(1.03<T2<57.4) =∫ 57.4
1.03xdf/2−1e−x/2
2df/2Γ(df/2)dx ≈
0.999998985794408 ≈ 1− 10−6. NB: lopsided!We have Fdf (x) = P( df
2 ,x2 ) and for odd df
P( df2 ,
x2 ) = erf(
√x2 )− e−x/2
bdf/2c−1∑k=0
1Γ(k+3/2) ( x
2 )k+1/2
SAGE: P(1.03<T2<57.4) = F15(57.4)− F15(1.03) ≈0.999998985794408 ≈ 1− 10−6. NB: lopsided!
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality Critera for PRNGsRun Tests: FIPS, HAC [18], NIST [24] #runs, BSI [9],[10] pp47
T3
Let n = 20000 and k` the number of runs of length `.The bit sequence
(bi)n
i=1 passes the Run Tests, ifk1 ∈ [2267, 2733], k2 ∈ [1079, 1421], k3 ∈ [502, 748],k4 ∈ [233, 402], k5 ∈ [90, 223] and k≥6 ∈ [90, 22
33]
0-runs or 1-runs of length ` occur with prun = 12`+2 in any
of the n− `− 1 places and in each of the two boundarieswith p′run = 2prun.⇒ E(K`) = n−`−1+2+2
2`+2 = n−`+32`+2 .
T3` =1∑
b=0
∑̀i=1
(k(b)i −E(Ki ))2
E(Ki ), ki = k (0)
i +k (1)i ≈ χ2-distributed,
df = 2`−1 = #observ – #params. NB [18] = 2`−2, NB [17] = 2`SAGE’s find_root gives: P(T31 < 10−12) ≈ 0.5 · 10−6
and P(T31 > 25.263820726226815) ≈ 0.5 · 10−6, (BSIonesided P(T31 < 23.9281269768) = 1− 10−6) withE(K1) = n+2
8 = 2500.25 implying NB k1 ∈ [2322, 2677]? resp. NB k1 ∈ [2327, 2673] ? Zählweise?
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality Criteria for PRNGs
Longrun Test : FIPS, NIST [24] longest/block, BSI [9],[10] p49
T4Let n = 20000. The bit sequence
(bi)n
i=1 passes theLongrun Test, if k` = 0 for all ` ≥ 34.
P(k` = 0) =F (`)
n+22n with the Fibonacci `-step numbers [27]
F (`)k =
∑`i=1 F (`)
k−i with F (`)k =0 for k ≤ 0 and F (`)
1 =F (`)2 =1.
SAGE: P(k34 = 0) ≈ 0.999999418854882 ≈ 1− 10−6
und P(k` = 0)↗ for `↗By the way, roughly estimating SAGE givesP(k` > 0 for at least one ` ≥ 34) ≈ (n − 34)2−34 ≈1.16217415779829 · 10−6
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality Criteria for PRNGs
Autocorrelation Test : HAC [18], NIST [24], BSI [9],[10] pp49
T5
Let n = 20000 and T5τ =∑n/4
j=1 bj ⊕ bj+τ forτ ∈ {1, 2, ..., n
4}. The bit squence(bi)n
i=1 passes theAutocorrelation Test, if |T5τ − n
8 | < 174 for all τ .NB: only the first half of the (bi) is relevant!?!
T5τ is approximately N( n4
12 ,
n4
12
12 )-distributed. With
SAGE u = 174√n/16
= 1.74·4√2≈ 4.92146319705837 we get
P(|T5τ − n8 | < 174) = P(|U| < u) = 2Φ(u)− 1 ≈
0.99999914100 ≈ 1− 10−6 for N(0, 1)-distributed U.
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality Criteria for PRNGsUniform distribution Test: HAC 2bit, NIST
templatematching, BSI [9],[10] pp50
T6
Generate wj ∈ {0, 1}k from(bi)nk
i=1; T6x :=|{j:wj =x}|
n
is the relative frequency of x. The bit sequence(bi)nk
i=1passes the Uniform distribution Test for parametersk , n and α, if
∣∣T6x − 2−k∣∣ < α for all x ∈ {0, 1}k .
Uniform distribution tests generalize Monobit Tests!BSI [9],[10] p55 Test Procedure B:•T6 with NB k = 1,n = 105 and α = 0.025. Explicitly p51: (bi)
ni=1 passes if
|T6o − 12 | < α ? •T1 ? NB only for ’PTRNG’.
let b ∈ {0, 1} and hb = #b in (bi)ni=1. independent!
χ2-adaption test: T6 =∑1
b=0(hb−n/2)2
n/2 is χ2-distributed
with df = 1. BSI condition |hbn −
12 | ≤ α for b ∈ {0, 1} ⇒
(hb− n2 )2 ≤ α2n2⇒ T6 ≤ 250. SAGE P(T6 ≤ 250) = 1,
NB while SAGE P(T6 ≤≈ 23.9) ≈ 1− 10−6 ?
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality Criteria for PRNGsMultinomial/Homogeneity Test : BSI [9],[10] pp51
T7
Generate wi,j ∈ {0, 1, ..., s−1} for i = 1, .., hj = 1, .., n
of(bk)
k ,
i.e. h independent repetitions of the j-th experiment.Let fi(t) = |{j : wij = t}| and pt = 1
hn
∑hi=1 fi(t).
The bit sequence(bi)
i passes the Multinomial Testfor h, s, n and α if T7 ≤ χ2(α, (h−1)(s−1)) where
T7 =∑h
i=1
∑s−1t=o
(fi (t)−n pt )2
n pt
No longer up to date: BSI-example for h = s = 2, i.e. i = 1, 2and template t = 0, 1 – adapted from [7], Test 76.Two samples with n elements each wi,1,wi,2, . . . ,wi,n fori = 1, 2 of n bits each. Determineabsolute frequency fi (t) = |{j : wi,j = t}| of t in sample
relative frequency pt = f1(t)+f2(t)2n von t in both samples
T7 =∑h
i=1
∑s−1t=o
(fi (t)−npt )2
nptis χ2-distributed,
df = (h−1)(s−1) = 1 and according to BSI p37, Tabelle[9],[10] p46 P(T7 ≥ 15.13) = α = 0.0001 ?
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality Criteria for PRNGsBSI [9],[10] pp55 Test Procedure B demands (typos) threetests – with NB three different representations•T7 pp51, p56,pp58 NB•T7 only for ’PTRNG’ in spite of pp58 (typos)
step 2 bits •T7?Extract TFr = {(b2j+1, b2j+2) : b2j+1 = r} with |TF0| = |TF1| =n1 = 105 from sequence. Determine vr (i) =
|{j:(b2j+1,i)∈TFr}|n1
.Sequence passes T7 if |v0(1)+v1(0)−1| < α1 = 0.02? v0(0)?v1(1)?
step 3 bits •T7 supposedly with h = 2? or h = 4?, s = 2Extract TFrs = {(b3j+1, .., b3j+3) : (b3j+1, b3j+2) = (rs)} with|TFoo| = |TFo1| = |TF1o| = |TF11| = n2 = 105 from sequence.Determine vrs(i) :=
|{j:(b3j+1,..,b3j+3)=(rsi)}|n2
.’for each s∈{0, 1} compare v0s and v1s with•T7 at α2 = 0.0001’
step 4 bits •T7 supposedly with h = 3? or h = 8?, s = 2Extract TFrst = {(b4j+1, ..., b4j+4) : (b4j+1, .., b4j+3) = (rst)} with|TFooo| = |TFoo1| = ... = |TF111| = n3 = 105 from sequence.Determine vrst(i) :=
|{j:(b4j+1,..,b4j+4)=(rsti)}|n3
.’for each (s, t)∈{0, 1}2 compare v0st and v1st with•T7 at α3 = 0.0001’
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality Criteria for PRNGsEntropy Test : HAC, NIST
approx.entropy, BSI [9],[10] pp52
in accor-dance with [3],[4]
T8
Generate wn ∈ {0, 1}L aus(bi)(Q+K )L
i=1 . Let An be thedistance of wn to some identical predecessor,
i.e. An =
{n if there is no i ≥ 1 with wn = wn−i
min{i ≥ 1 : wn = wn−i} else
Let T8 = 1K
∑Q+Kn=Q+1 g(An) with g(i) = 1
log 2
∑i−1k=1
1k
≈log i+γ+ 1
2i +1
12i2
log 2 +O( 1i4 ) with γ ≈ 0.577216 Euler.
The bit sequence(bi)(Q+K )L
i=1 passes the Entropy Test,if T8 approximately N(µ, σ2)-distributed with’tabulated’ µ = µ(L,K ) and σ = σ(L,K ).
BSI [9],[10] pp55 Test Procedure B:(bi)n
i=1 passes•T8
with L = 8, Q = 10 · 2L = 2560,K = 1000 · 2L = 256000, µ = L,σ = c(L,K )
√Var(g(An))/K if T8 > 7.976
NB onesided? NB only for ’PTRNG’.
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Quality Criteria for PRNGsGenesis: Maurer’s universal test Coron 6≡ BSI
Maurer [17]: fTU = 1K
∑Q+Kn=Q+1 log2(An) with independent of n
E(fTU ) = E(log2(An)) = 2−L∑∞i=1(1− 2−L)i−1 log2(i) and
approximately Var(fTU ) = c2(L,K )Var(log2(An))/K with
c(L,K ) ≈ 0.7− 0.8L + (4 + 32
L ) K−3/L
15 for L� Q � KVar(log2(An)) = 2−L∑∞
i=1(1− 2−L)i−1 log22(i)− E2(fTU ).
Coron&Naccache [3],[4] generalize/correct Maurer tof gTU
= 1K
∑Q+Kn=Q+1 g(An), which for g(i) = 1
log 2
∑i−1k=1
1k gives
E(f gTU
) = L bit = Entropy of L-bit blocks of an ergodicstationary source as well as an exact representation and thusa better approximation of c(L,K ).NB Table 1 for Var(log2(An)), d(L) and e(L) inc2(L,K ) = d(L)+e(L) · 2L/K in [3] for log2, in [4] for said g
BSI [9],[10] with said g, typo also in [11] SAGE σ ≈ 0.002 vsBSI σ = 0.0014 and P(T8>7.976) = P(U>−10.64) ≈ 1 ?NB onesided? contrary to [17],[3],[4]
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
Comparison and Results
Here, in each version every random number generator it offerswas tested except respectively for the legacy ones.BSI-Tests MATLAB SAGE2
7.0 7.3 7.11 7.13 8.1 5.4.1
Monobit Test√ √ √ √ √ √
Poker Test√ √ √ √ √ √
Run Tests√ √ √ √ √ √
Longrun Test√ √ √ √ √ √
Autocorrelation Test√ √ √ √ √ √
Uniform Distribution Test√ √ √ √ √ √
Homogenity Test3√ √ √ √ √ √
Entropy Test√ √ √ √ √ √
2using ZZ.random_element(x=0, y=2, distribution=�uniform�)2with some interpretation of very problematic [10] pp50/51 and pp55
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
ResuméMATLAB
• ease of use combined with optional selection of specialgenerators
• randomization? usually by seeding using the system time
SAGE
• Here, only the generation of random integers is visible.
But weak legacy random number generators passevery BSI-test! Tests without discriminating power!
RNGs criteria for inclusion/exclusion of tests?[24], [8] u.a.: binary matrix rank, DFT, templatematching, linear complexity, random walks . . . ?error probabilities?•T0 not only for PRNGs?
PRNG What if PRNG produces always the same nrandom numbers which passed all tests?
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
References[1] Lenore Blum, Manuel Blum, Michael Shub: A Simple Unpredictable
Pseudo-Random Number Generator; SIAM Journal on Computing,Vol 15, Nr. 2, 364-383, May 1986
[2] BSI: Anwendungshinweise und Interpretationen (zum Schema), AIS;https://www.bsi.bund.de/DE/Themen/
ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/
AnwendungshinweiseundInterpretationen/AIS/aiscc_node.html
[3] Jean-Sebastien Coron, David Naccache: An Accurate Evaluation ofMaurers Universal Test; Proc. of SAC’98; Springer LNCS 1998,http://www.jscoron.fr/publications/universal.pdf
[4] Jean-Sebastien Coron: On the Security of Random Sources; in H.Imai, Y. Zheng, Eds.: Public-Key Cryptography; LNCS vol. 1560,29-42, Springer 1999 www.jscoron.fr/publications/entropy.pdf
[5] Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, DamienVergnaud, Daniel Wichs: Security Analysis of Pseudo-RandomNumber Generators with Input: /dev/random is not Robust; ACMConference on Computer and Communication Security, CCS,November 2013 http://eprint.iacr.org/2013/338.pdf
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
References’[6] P. L’Ecuyer, R. Simard, E.J. Chen, W.D. Kelton: An Objected-Oriented
Random-Number Package with Many Long Streams and Substreams;Operations Research, 50(6):1073-1075, 2002
[7] Gopal K. Kanji: 100 Statistical Tests; SAGE Publications 2006http://fcc-statistics.wikispaces.com/file/view/100+
Statistical+Tests.pdf
[8] Charmaine Kenny: Random Number Generators – An Evaluation andComparison of Random.org and Some Commonly Used Generators;Trinity College Dublin, April 2005,http://www.random.org/analysis/Analysis2005.pdf
[9] Wolfgang Killmann, Werner Schindler: Functionality Classes andEvaluation Methodology for Random Number Generators; s. [2]AIS20_Functionality_classes_for_random_number_generators.pdf
[10] Wolfgang Killmann, Werner Schindler: Functionality Classes andEvaluation Methodology for Random Number Generators; s. [2] 2011AIS31_Functionality_classes_for_random_number_generators.pdf
[11] Wolfgang Killmann, Werner Schindler: Functionality Classes andEvaluation Methodology for True (Physical) Random NumberGenerators; s. [2], version 3.1, 2001AIS_31_Functionality_classes_evaluation_methodology_for_true_RNG_e.pdf
[12] Derrick H. Lehmer: Mathematical methods in large-scale computingunits; Ann. Computing Lab., Harvard Univ. 26 (1951), 141-146
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
References”[13] George Marsaglia: Random numbers fall mainly in the planes;
Proceedings of the National Academy of Sciences, 61 (1968), 25-28.
[14] George Marsaglia and A. Zaman: A new class of random numbergenerators, Annals of Applied Probability, 3 (1991), 462-480
[15] The Mathworks: Creating and Controlling a Random Number Stream;R2013b http://www.mathworks.de/de/help/matlab/math/
creating-and-controlling-a-random-number-stream.html
[16] M. Matsumoto, T. Nishimura: Mersenne Twister – A 623-dimensionallyequidistributed uniform pseudorandom number generator; ACM Trans.on Modeling and Computer Simulation Vol. 8, No. 1, January (1998)3-30 http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/
ARTICLES/mt.pdf
[17] Ueli M. Maurer: A Universal Statistical Test for Random BitGenerators; Journal of Cryptology, vol. 5, no. 2, 1992, 89-105 ftp://
ftp.inf.ethz.ch/pub/crypto/publications/Maurer92a.pdf
[18] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone:Handbook of Applied Cryptography; CRC Press, October 1996http://cacr.uwaterloo.ca/hac/
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
References”
[19] Cleve Moler: Numerical Computing with MATLAB, Chapter 9 –Random Numbers; February 15, 2008, TheMathworkshttp://www.mathworks.com/moler/random.pdf
[20] François Panneton, Pierre L’Ecuyer, Makoto Matsumoto: ImprovedLong-Period Generators Based on Linear Recurrences Modulo 2;ACM Transactions on Mathematical Software, Vol. 32, No. 1, 2006,1-16 http://ir.lib.hiroshima-u.ac.jp/metadb/up/
81936204/ACMTraMath_32_1.pdf
[21] S.K. Park, K.W. Miller: Random number generators – Good ones arehard to find; Communications of the ACM, 31 (1988), 1192-1201http://www.cems.uwe.ac.uk/~irjohnso/coursenotes/
ufeen8-15-m/p1192-parkmiller.pdf
[22] Thomas Risse: How SAGE helps to implement Goppa Codes and theMcEliece Public Key Crypto System; Ubiquitous Computing andCommunication Journal, UbiCC, ISSN 1992-8424, Special Issue on5th International Conference on Information Technology (ICIT’11)www.weblearn.hs-bremen.de/risse/papers/UbiCC11
RNs – RNGs
Thomas RisseIIA, HSB, Germany
Introduction
DRNGs
MATLAB
SAGE
PRNG-criteria
DRNG-Critera
Results
Resumé
References”’
[23] Thomas Risse: Güte von Zufallszahlen – Qualität vonZufallszahlen-Generatoren; 11. workshop Mathematik für Ingenieure;Hochschule Bochum 30.9.2013www.weblearn.hs-bremen.de/risse/papers/MathEng11
[24] Andrew Rukhin et al: A Statistical Test Suite for Random andPseudorandom Number Generators for Cryptographic Applications;National Institute of Standards and Technology, NIST April 2010http://csrc.nist.gov/publications/nistpubs/
800-22-rev1a/SP800-22rev1a.pdf
[25] William A. Stein et al.: SAGE Mathematics Software – System forAlgebraic and Geometric Experimentation; www.SAGEmath.org
[26] Werner Schindler: Functionality Classes and Evaluation Methodologyfor Deterministic Random Number Generators; BSI, version 2.0, 1999AIS_20_Functionality_Classes_Evaluation_Methodology_DRNG_e.pdf
[27] Eric W. Weisstein: Run; MathWorld – A Wolfram Web Resourcehttp://mathworld.wolfram.com/Run.html