random number generators based on permutations can pass … · 2019. 6. 10. · iso/iec 18031...
Random Number Generators Based on Permutations
Can Pass the Collision Test
Alexey Urivskiy InfoTeCS
[email protected], [email protected]
CTCrypt’2019
Pseudo Random Number Generators

$G: \{0,1\}^m \to \{0,1\}^s$ for $s \gg m$.

Typical assumptions for a PRNG:
• G is efficiently computable
• the seed is uniformly distributed on $\{0,1\}^m$
• the output is 'random-like'

Theorem [Yao'82]: if for G the next bit cannot be predicted with probability better than ½ given any prefix by any polynomial predictor (the next-bit test), then G passes any polynomial statistical test.
(Random) Permutations

$V_n$ – vector space of $n$-bit vectors; $\sigma$ – permutation on $V_n$:

T       0       1       2       …   2^n−2       2^n−1
σ(T)    σ(0)    σ(1)    σ(2)    …   σ(2^n−2)    σ(2^n−1)
PRNG on a Random Permutation

G1I: for $i = 0$ to $s$ do
    $T := IV + i \bmod 2^n$
    $x_i := \sigma(T)$

$IV \in V_n$ – initializing variable; $\sigma$ – random permutation on $V_n$.

Consider the case $s < N = 2^n$.
Properties of G1I

G1I, in which $\sigma$ is modeled as an $n$-bit block cipher with a random key, is highly regarded and widely used – ISO/IEC 18031 CTR_DRBG.

However, once G1I has output a symbol, it will never output it again. A true RNG, by the birthday paradox, repeats a symbol with constant probability after about $\sqrt{N}$ outputs, so for $s \sim \sqrt{N}$ G1I becomes distinguishable from a true RNG.
PRNGs on 2 Random Permutations

G2I: for $i = 0$ to $s$ do
    $T := i \bmod 2^n$
    $x_i := \sigma_1(T) \oplus \sigma_2(T)$

$\sigma_1, \sigma_2$ – random permutations on $V_n$.
Conditional probability

The conditional probability $P(x_s \mid x_{s-1}, x_{s-2}, \ldots, x_0)$ is the probability for a generator to output $x_s$ provided $x_{s-1}, x_{s-2}, \ldots, x_0$ were output before.
Equivalent representation for G2I

Arrange the $N \times N$ table $\mathbf{M}$ with $\mathbf{M}[a][b] = a \oplus b$, rows indexed by the value of $\sigma_1(T)$ and columns by the value of $\sigma_2(T)$:

$$\mathbf{M} = \begin{array}{c|cccccc}
\oplus & 0 & 1 & 2 & 3 & \cdots & N-1 \\ \hline
0 & 0 & 1 & 2 & 3 & \cdots & N-1 \\
1 & 1 & 0 & 3 & 2 & \cdots & N-2 \\
2 & 2 & 3 & 0 & 1 & \cdots & N-3 \\
3 & 3 & 2 & 1 & 0 & \cdots & N-4 \\
\vdots & \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
N-1 & N-1 & N-2 & N-3 & N-4 & \cdots & 0
\end{array}$$

Each output $x_i = \sigma_1(i) \oplus \sigma_2(i)$ selects the cell $(\sigma_1(i), \sigma_2(i))$; because $\sigma_1$ and $\sigma_2$ are permutations, that row and that column cannot be selected again. Example run, built up one step at a time:

$x_0 = 3$ from cell $(2, 1)$;
$x_0 = 3,\ x_1 = 2$ from cells $(2, 1), (1, 3)$;
$x_0 = 3,\ x_1 = 2,\ x_2 = N-3$ from cells $(2, 1), (1, 3), (N-1, 2)$.
Conditional probability for G2I

$$P_1 = \frac{N-2s}{(N-s)^2} \;\le\; P(x_s \mid x_{s-1}, x_{s-2}, \ldots, x_0) \;\le\; \frac{N-s}{(N-s)^2} = P_2,$$

$$P_1 < \frac{1}{N} < P_2.$$

(After $s$ outputs, $s$ rows and $s$ columns of $\mathbf{M}$ are excluded, leaving $(N-s)^2$ equally likely cells; every value occurs exactly once in each row and each column, so between $N-2s$ and $N-s$ of the remaining cells carry a given value.)
Collision Test

Collision – the occurrence of two or more identical symbols in the output sequence.

Collision probability for a true RNG (uniform on $N$ symbols):
$$P_I(s) \simeq 1 - \exp\!\left(-\frac{s(s-1)}{2N}\right).$$

An RNG fails the collision test if its collision probability falls far from $P_I(s)$.
Collision Probability for G2I – 1

Let all symbols in the prefix $x_{s-1}, x_{s-2}, \ldots, x_0$ be different. No collision at $x_s$ happens with probability
$$P_d(s+1) = P\big(x_s \notin \{x_{s-1}, \ldots, x_0\} \,\big|\, x_{s-1} \ne \cdots \ne x_0\big).$$

Proposition. $1 - sP_2 \le P_d(s+1) \le 1 - sP_1$.
Collision Probability for G2I – 2

From the chain rule for the probability of joint events through conditional probabilities, the probability of finding no collision in the prefix of length $s+1$ is

$$P_D(s+1) = P(x_s \ne \cdots \ne x_0) = \prod_{i=0}^{s} P_d(i+1),$$

where $P_d(1) = 1$.
Collision Probability for G2I – 3

$P_C(s+1)$ – the probability for a collision to occur in the prefix of length $s+1$ for G2I:

$$1 - \prod_{i=0}^{s}\left(1 - \frac{i(N-2i)}{(N-i)^2}\right) \;\le\; P_C(s+1) \;\le\; 1 - \prod_{i=0}^{s}\left(1 - \frac{i(N-i)}{(N-i)^2}\right).$$
Technical details – 1

For $z \ll 1$, the Taylor series $\exp z = 1 + z + \frac{z^2}{2} + o(z^2)$. Thus, for $s \ll N/2$:

$$1 - \frac{i(N-2i)}{(N-i)^2} \approx \exp\!\left(-\frac{i(N-2i)}{(N-i)^2}\right), \qquad 1 - \frac{i(N-i)}{(N-i)^2} \approx \exp\!\left(-\frac{i(N-i)}{(N-i)^2}\right).$$
Technical details – 2

For $z \ll 1$, the Taylor series $(1+z)^{\alpha} = 1 + \alpha z + \frac{\alpha(\alpha-1)}{2} z^2 + o(z^2)$:

$$\sum_{i=0}^{s} \frac{i(N-i)}{(N-i)^2} = \sum_{i=0}^{s} \frac{i}{N}\left(1 + \frac{i}{N} + \left(\frac{i}{N}\right)^2 + o\!\left(\left(\frac{i}{N}\right)^2\right)\right),$$

$$\sum_{i=0}^{s} \frac{i(N-2i)}{(N-i)^2} = \sum_{i=0}^{s} \frac{i}{N}\left(1 - \left(\frac{i}{N}\right)^2 + o\!\left(\left(\frac{i}{N}\right)^2\right)\right).$$
Technical details – 3

Table sums:
$$\sum_{i=0}^{s} i = \frac{s(s+1)}{2}, \qquad \sum_{i=0}^{s} i^2 = \frac{s(s+1)(2s+1)}{6}, \qquad \sum_{i=0}^{s} i^3 = \frac{s^2(s+1)^2}{4}.$$
Collision Probability for G2I – 4

Lemma. For G2I:
$$1 - \exp\!\left(-\frac{s(s+1)}{2N} + \frac{s^4}{4N^3}\right) \;\le\; P_C(s+1) \;\le\; 1 - \exp\!\left(-\frac{s(s+1)}{2N} - \frac{s^3}{3N^2} - \frac{s^4}{4N^3}\right).$$
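The following Python script is an added example, not code from the slides or from the author: it runs the collision test from the slides on G1I and G2I with $\sigma$, $\sigma_1$, $\sigma_2$ drawn as uniformly random permutations (the idealized model above, not a block cipher), and compares the empirical collision rate of a prefix of length $s+1$ with $P_I$ and with the lemma's bounds for G2I. The parameters $n = 10$, prefix length 40 and 2000 trials are arbitrary choices made here to keep the run short.

```python
"""Monte Carlo collision test for permutation-based generators (added example).

G1I: x_i = sigma(IV + i mod N); G2I: x_i = sigma1(i) xor sigma2(i).
n, prefix length and trial count below are assumptions chosen for speed.
"""
import math
import random


def ideal_collision_prob(length, N):
    """P_I(length) = 1 - exp(-length(length-1)/(2N)) for a true RNG on N symbols."""
    return 1.0 - math.exp(-length * (length - 1) / (2.0 * N))


def g2i_bounds(s, N):
    """Lemma bounds on P_C(s+1) for G2I (prefix of length s+1)."""
    a = s * (s + 1) / (2.0 * N)
    lower = 1.0 - math.exp(-a + s**4 / (4.0 * N**3))
    upper = 1.0 - math.exp(-a - s**3 / (3.0 * N**2) - s**4 / (4.0 * N**3))
    return lower, upper


def random_permutation(N, rng):
    """A uniformly random permutation on V_n, stored as a lookup table."""
    table = list(range(N))
    rng.shuffle(table)
    return table


def g1i(sigma, iv, length, N):
    """G1I: x_i = sigma(IV + i mod N) for i = 0 .. length-1."""
    return [sigma[(iv + i) % N] for i in range(length)]


def g2i(sigma1, sigma2, length, N):
    """G2I: x_i = sigma1(i) xor sigma2(i) for i = 0 .. length-1 (length <= N)."""
    return [sigma1[i % N] ^ sigma2[i % N] for i in range(length)]


def has_collision(seq):
    """True if two or more identical symbols occur in the sequence."""
    return len(set(seq)) < len(seq)


def estimate_collision_probs(n, length, trials, seed=1):
    """Fraction of trials whose prefix of `length` symbols contains a repeat.

    Fresh random permutations (and a fresh IV) are drawn for every trial, so
    the estimate is over the random choice of sigma as in the slides' model.
    """
    N = 1 << n
    rng = random.Random(seed)  # fixed seed: reproducible constructed sample
    hits = {"G1I": 0, "G2I": 0, "true RNG": 0}
    for _ in range(trials):
        s1 = random_permutation(N, rng)
        s2 = random_permutation(N, rng)
        iv = rng.randrange(N)
        hits["G1I"] += has_collision(g1i(s1, iv, length, N))
        hits["G2I"] += has_collision(g2i(s1, s2, length, N))
        hits["true RNG"] += has_collision([rng.randrange(N) for _ in range(length)])
    return {name: count / trials for name, count in hits.items()}


if __name__ == "__main__":
    n, length, trials = 10, 40, 2000  # assumed parameters, not from the slides
    N = 1 << n
    est = estimate_collision_probs(n, length, trials)
    lo, hi = g2i_bounds(length - 1, N)  # lemma uses s = length - 1
    print(f"N = 2^{n}, prefix length = {length}, trials = {trials}")
    print(f"ideal P_I       = {ideal_collision_prob(length, N):.3f}")
    print(f"G2I lemma range = [{lo:.3f}, {hi:.3f}]")
    for name, p in est.items():
        print(f"{name:9s}      = {p:.3f}")
```

With these parameters G1I reports a collision rate of exactly 0 (it cannot repeat a symbol while $s < N$), while G2I and the true RNG both land within sampling error of $P_I \approx 0.53$ and inside the lemma's range. Shrinking $N$ or pushing the prefix length toward $\sqrt{N}$ makes the G1I gap visible at far fewer outputs.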
PRNGs on Random Permutations

G1LI (the same generator appears as GTrI on the next slide): $x_i = \mathrm{MSB}_n(\sigma_1(T))$ – truncation of a $2n$-bit permutation to $n$ bits

GXHI: $x_i = \mathrm{MSB}_n(\sigma_1(T)) \oplus \mathrm{LSB}_n(\sigma_1(T))$ – XOR of the two halves of a $2n$-bit permutation

GXTrI: $x_i = \sigma_2(T) \oplus \mathrm{MSB}_n(\sigma_1(T))$ – XOR of an $n$-bit permutation and a truncated $2n$-bit permutation
Conditional probabilities

Write $S = (x_{s-1}, \ldots, x_0)$ for the prefix.

G2I: $\displaystyle P_1 = \frac{N-2s}{(N-s)^2} \le P(x_s \mid S) \le \frac{N-s}{(N-s)^2} = P_2$

GTrI: $\displaystyle \frac{N-s}{N^2-s} \le P(x_s \mid S) \le \frac{N}{N^2-s}$

GXHI: $\displaystyle \frac{N-s}{N^2-s} \le P(x_s \mid S) \le \frac{N}{N^2-s}$

GXTrI: $\displaystyle \frac{N^2-Ns-s}{(N-s)(N^2-s)} \le P(x_s \mid S) \le \frac{N^2-Ns}{(N-s)(N^2-s)}$
Collision Probability for G1LI

Lemma. For G1LI:
$$1 - \exp\!\left(-\frac{s(s+1)}{2N} + \frac{s^3}{2N^2}\right) \;\le\; P_C(s+1) \;\le\; 1 - \exp\!\left(-\frac{s(s+1)}{2N} - \frac{s^3}{3N^3}\right).$$
Examples

Fix $\delta(s) = P_C(s+1) - P_I(s+1)$ and compare the possible prefix lengths $s$ for G1I and $t$ for G2I. Let $s^2 < 2N$, but $s \ll N/2$.

For G1I, $P_C = 0$ while $s < N$, so $|\delta| = P_I(s+1) \approx s^2/(2N)$. For G2I the lemma's upper bound gives $\delta \le \exp\!\left(-\frac{t(t+1)}{2N}\right)\left(1 - \exp\!\left(-\frac{t^3}{3N^2} - \frac{t^4}{4N^3}\right)\right)$, so for the same $\delta$:

$$\delta \approx \frac{s^2}{2N} \approx \left(\frac{t^3}{3N^2} + \frac{t^4}{4N^3}\right)\exp\!\left(-\frac{t^2}{2N}\right).$$
Examples

$N = 2^{128}$, $\delta = 2^{-68}$:   G1I: $s = 2^{30.5}$;   G2I: $t > 2^{63}$
$N = 2^{64}$, $\delta = 2^{-34}$:    G1I: $s = 2^{15.5}$;   G2I: $t > 2^{32}$
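To reproduce the prefix lengths in this table, here is an added Python snippet (not from the slides): it applies the two approximations of the previous slide, the closed form $s = \sqrt{2N\delta}$ for G1I and a numerical root of the G2I expression in $t$. The bisection bracket $[1, \sqrt{3N}]$, on which the G2I expression is increasing in $t$, is my choice and is not stated on the slides; it uses the fact that the derivative of its logarithm exceeds $3/t - t/N$.

```python
"""Prefix length allowed for a given deviation delta (added example).

Solves delta ~ s^2/(2N) for G1I and
delta ~ (t^3/(3N^2) + t^4/(4N^3)) exp(-t^2/(2N)) for G2I.
"""
import math


def g1i_prefix_log2(log2_N, log2_delta):
    """G1I never repeats, so |delta| = P_I(s+1) ~ s^2/(2N); returns log2(s)."""
    return (1.0 + log2_N + log2_delta) / 2.0


def g2i_delta(t, N):
    """Approximation of delta for G2I from the previous slide."""
    return (t**3 / (3.0 * N**2) + t**4 / (4.0 * N**3)) * math.exp(-t * t / (2.0 * N))


def g2i_prefix_log2(log2_N, log2_delta, iters=200):
    """Bisection on log2(t) over [1, sqrt(3N)] (assumed bracket, see lead-in).

    On that interval g2i_delta is increasing in t, so the root is unique
    and the returned value is log2 of the largest t with delta(t) <= target.
    """
    N = 2.0 ** log2_N
    target = 2.0 ** log2_delta
    lo, hi = 0.0, (math.log2(3.0) + log2_N) / 2.0  # t in [1, sqrt(3N)]
    if g2i_delta(2.0 ** hi, N) < target:
        raise ValueError("delta is not reached inside the monotone bracket")
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if g2i_delta(2.0 ** mid, N) < target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    for log2_N, log2_delta in ((128, -68), (64, -34)):
        s = g1i_prefix_log2(log2_N, log2_delta)
        t = g2i_prefix_log2(log2_N, log2_delta)
        print(f"N = 2^{log2_N}, delta = 2^{log2_delta}: "
              f"G1I s = 2^{s:.1f}, G2I t = 2^{t:.2f}")
```

The output reproduces the slide: $s = 2^{30.5}$ and $t$ slightly above $2^{63}$ for $N = 2^{128}$, $s = 2^{15.5}$ and $t$ slightly above $2^{32}$ for $N = 2^{64}$. Note that $t$ is computed in floating point; it is the exponent that matters, not the trailing digits.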
Thank you! Questions?