Some Recent Results in Secure Pseudorandom Number Generation - PowerPoint PPT Presentation


1
Some Recent Results in Secure Pseudorandom Number Generation
11th Workshop on Elliptic Curve Cryptography 2007
Dublin, September 6, 2007
  • Berry Schoenmakers
  • Joint work with Andrey Sidorenko and (partly) with Reza Rezaeian Farashahi
  • Coding & Crypto group
  • TU Eindhoven

2
Plan
  • 1. Revisiting a basic problem
    • Random bits → random numbers in a given interval
  • 2. Concrete security of provably secure PRGs
    • Construction based on k-DDHI
    • Cryptanalysis of the Dual Elliptic Curve Generator
  • 3. New PRGs based on DDH
    • Practically tight reduction to DDH
    • Specific instances:
      • QR(p), the group of quadratic residues modulo p
      • G_q, an arbitrary subgroup of Z_p^*
      • open problem: an elliptic curve based one??

3
Random numbers in [0,B), 2^(n-1) < B ≤ 2^n
  • Given a source of (uniform) random bits.
  • Two folklore algorithms for generating x ∈ [0,B):
    • Alg. 1: pick x ∈ {0,1}^n, using n random bits, until x < B
    • Alg. 2: pick x ∈ {0,1}^(n+k), using n+k random bits; output x mod B
  • Properties:
    • Alg. 1: perfectly uniform, but wastes up to n bits on average (worst case B = 2^(n-1) + 1); Las Vegas algorithm
    • Alg. 2: statistical distance Δ < 1/2^k; wastes exactly k bits

4
Our algorithm
  • Generate random x ∈ [0,B) bit by bit, starting from the most significant bit, comparing with the most significant bits of B-1.
  • Algorithm: let x_i be the next random bit
    • if x_i > (B-1)_i, start all over ("too large")
    • if x_i = (B-1)_i, continue with the next bit ("unsure")
    • if x_i < (B-1)_i, complete x with random bits and stop ("home free")
  • Randomness complexity: n bits plus some waste.
  • Question: what's the waste?

Recursive version (the {0,1} term is a single coin flip; the division is integer division, so (B+1)/2 = ⌈B/2⌉):
  rand(B): if B = 1 then return 0
           else repeat x ← {0,1} + 2·rand((B+1)/2) until x < B; return x
5
Analysis of randomness complexity
  • First computing the exact probability distribution and then the expected value is cumbersome
  • We determine the expected value E directly!
  • Example: S = Σ_{i=0..∞} r^i
    • S = Σ_{i=0..∞} r^i = 1 + Σ_{i=0..∞} r^(i+1) = 1 + r·S, so S = 1/(1-r)
  • Example: T = Σ_{i=0..∞} i·r^i
    • T = Σ_{i=0..∞} (1+i)·r^(i+1) = r·S + r·T, so T = r/(1-r)^2
  • By conditioning on the right event, this leads to
    • E = n + (2^n/B) · Σ_{i=2..n} i·(1 - (B-1)_{n-i})/2^i < n + 3
  • So the waste is bounded by a small constant!
  • Averaged over all B, the waste is approx. 1.1 random bits
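As an added example (not the authors' code), the bit-by-bit algorithm of slide 4 with a pluggable bit source, together with the expected-bits formula above checked against a direct count of bits spent per attempt divided by the success probability B/2^n. The `bit_source` parameter and the helper names are ours, introduced so the sampler can be driven with fixed bits for testing.

```python
from fractions import Fraction
import secrets

def msb_bits(B):
    """Bits of B-1, most significant first; n = len satisfies 2^(n-1) < B <= 2^n."""
    n = (B - 1).bit_length()
    return [(B - 1) >> (n - 1 - i) & 1 for i in range(n)]

def rand_below(B, bit_source=None):
    """Uniform x in [0, B), drawn bit by bit from the most significant bit and
    compared with the bits of B-1 (the slide-4 algorithm).  Returns (x, bits used).
    bit_source: iterator of 0/1 bits; None means fresh bits from secrets.randbits."""
    next_bit = (lambda: next(bit_source)) if bit_source is not None else (lambda: secrets.randbits(1))
    ref, used = msb_bits(B), 0
    while True:                                  # one pass per attempt
        x = 0
        for i, r in enumerate(ref):
            b = next_bit()
            used += 1
            x = (x << 1) | b
            if b > r:                            # "too large": start all over
                break
            if b < r:                            # "home free": fill in the rest
                for _ in range(len(ref) - 1 - i):
                    x = (x << 1) | next_bit()
                    used += 1
                return x, used
        else:                                    # all bits equal: x == B-1 < B
            return x, used

def expected_bits_formula(B):
    """Slide 5: E = n + 2^n/B * sum_{i=2..n} i*(1-(B-1)_{n-i})/2^i, where
    (B-1)_j is the j-th least significant bit of B-1."""
    n = (B - 1).bit_length()
    bit = lambda j: (B - 1) >> j & 1
    s = sum(Fraction(i * (1 - bit(n - i)), 2 ** i) for i in range(2, n + 1))
    return n + Fraction(2 ** n, B) * s

def expected_bits_direct(B):
    """Same quantity the long way: expected bits spent in one attempt divided by
    the success probability B/2^n of an attempt (attempts are independent)."""
    ref = msb_bits(B)
    n = len(ref)
    per_attempt = Fraction(n, 2 ** n)            # all n bits equal B-1: success
    for i, r in enumerate(ref):                  # bits 0..i-1 equal, bit i differs
        per_attempt += Fraction(n if r else i + 1, 2 ** (i + 1))
    return per_attempt / Fraction(B, 2 ** n)
```

For B = 5 both routes give E = 22/5 = 4.4, i.e. 1.4 bits of waste on top of n = 3, and the two agree for every B, which is the "conditioning on the right event" step made concrete.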

6
Knuth-Yao 1976
  • Minimize randomness complexity
  • Average wasted random bits for x ∈ [0,B):
    • ≈ 0.58 random bits on average, over all B
    • < 1 random bit for the worst case B
  • Actually, any probability distribution can be generated from random bits with average waste < 2 bits (beyond the entropy).

7
Knuth-Yao, B = 5
[Figure: Knuth-Yao tree for B = 5, with leaves labelled by the outputs 0, 1, 2, 3, 4]

8
Context of secure multiparty computation
  • In the context of secure multiparty computation:
    • Generating encrypted random bits is expensive.
    • But so is comparing encrypted bits, doing arithmetic with encrypted bits, etc.
  • Our algorithm strikes a better balance than Knuth-Yao's minimal-waste algorithm (depending on the setting)
    • cheaper to make our algorithm oblivious (data-independent execution paths)

9
Pseudorandom Generator (PRG)
n truly random bits (seed):
10001010111001110101111010111101
  ↓ Pseudorandom generator: a deterministic algorithm
M bits that look random (pseudorandom sequence):
1001101011011001010111101011110110101111101100010011101000101110101011101011000
  • Preferably M >> n and a fast PRG
  • Focus on provably secure PRGs
  • A PRG is called provably secure if breaking the PRG is as hard as solving a presumably hard problem

10
Provably secure PRGs
[Figure: a distinguisher with running time at most T receives either the pseudorandom sequence for a truly random seed OR a truly random sequence of the same length, and guesses: "I think that you gave me a pseudorandom sequence"]
If the probability of a successful guess is < ½(1 + ε), the PRG is (T, ε)-secure
11
Provably secure PRGs (cont.)
(T, ε)-distinguisher for a PRG: {0,1}^n → {0,1}^M
   ⇓ reduction
(T', ε')-solver for a hard problem with security parameter n (e.g., the DL problem in an n-bit finite field)
  • If T'/ε' ≈ T/ε, the reduction is called tight
  • If T'/ε' >> T/ε, the reduction is called not tight
  • If the reduction is tight, a desired security level can be achieved for a relatively low value of the security parameter n (seed length)

12
Formal Security of PRGs (Yao 1982)
  • U_n: uniform distribution on {0,1}^n
  • U_M: uniform distribution on {0,1}^M
  • Pseudorandom generator PRG: {0,1}^n → {0,1}^M
  • Distinguisher D: {0,1}^M → {0,1}
  • PRG is called (T, ε)-secure if for all T-time D
    • |Pr[D(PRG(U_n)) = 1] - Pr[D(U_M) = 1]| < ε

13
Typical PRG
[Figure: seed → state_1 → state_2 → ... → state_i, each state_j yielding output_j]
The state should remain secret, given all outputs!
14
Blum-Micali PRG (1984)
  • Based on the DL problem in Z_p^*
  • Provably secure
  • Outputs just 1 bit per modular exponentiation

  seed: x ∈R Z_p^*
  step: x ← g^x; output the bit [x < p/2]
  step: x ← g^x; output the bit [x < p/2]
  ...
15
Blum-Micali PRG (cont.)
  • The Blum-Micali PRG is (T, ε)-secure if
    • 128·n^3·(M/ε)^4·T < T_DL(Z_p^*)   (left-hand side polynomial in n, right-hand side subexponential in n)
  • For M = 2^20, T/ε = 2^80, this PRG is (T, ε)-secure if n > 61000
  • Large seed length n implies poor efficiency
    • due to a far from tight reduction
  • We propose a PRG with a much better security reduction
    • based on the DDH assumption (stronger than the DL assumption)
    • output of n bits (instead of 1 bit) per iteration

16
k-DDHI based PRG
  • Universal hash function used as extractor
  • Good results
  • But the k-DDHI assumption is less standard
  • k-DDHI: distinguish

  a ∈R Z_q, s_0 ← g, y ∈R {0,1}^l
  s_1 ← s_0^a; output extract(s_1, y)
  s_2 ← s_1^a; output extract(s_2, y)
  ...
17
Dual Elliptic Curve PRG
  • Proposed by Barker and Kelsey in a NIST draft standard [BK05]
  • For the prime p = 2^256 - 2^224 + 2^192 + 2^96 - 1, let E(F_p) be an elliptic curve such that |E(F_p)| is prime. Let P, Q ∈R E(F_p)
  • The sequence s_i·Q is indistinguishable from a sequence of uniformly random points under the DDH assumption and the x-logarithm assumption [Brown 2006]
  • However, random bits are extracted from random points improperly, so the PRG is insecure

  seed: s_0 ∈R F_p
  s_1 ← x(s_0·P); output lsb_240(x(s_1·Q))
  s_2 ← x(s_1·P); output lsb_240(x(s_2·Q))
  ...
18
Distinguishing attack
output lsb240(x(s1Q))
output lsb240(x(s2Q))
output lsb240(x(siQ))


block b1
block bi
block b2
  • Point siQ is mapped to block lsb240(x(siQ))
  • Blocks b ?R 0, 1240 have on average 216
    preimages
  • Blocks lsb240(x(R)) with R ?R E(Fp) have on
    average more than 216 preimages
  • For each block bi count the number of points P
    s.t. bi lsb240(x(P))
  • If average number of preimages is above 216,
    decide that the sequence is pseudorandom
  • Otherwise, decide that the sequence is truly
    random

19
Detailed analysis
[Figure: histogram of frequency vs. number of preimages, which fits the normal distribution N(65537.0, 255.6); note the shift by 1 with respect to 2^16 = 65536]
  • We tested 330 outputs of the Dual Elliptic Curve PRG
    • each output consisted of 4000 output blocks
  • Running time of the attack is about 3 hours on a 3GHz Linux machine with 1Gb of memory


20
Decisional Diffie-Hellman (DDH) problem
  • G = <g> is a multiplicative group of prime order q
  • Algorithm A solves the DDH problem in G with advantage ε iff for a random triple (a, b, r)
    • |Pr(A(g, g^a, g^b, g^(ab)) = 1) - Pr(A(g, g^a, g^b, g^r) = 1)| = ε
  • For concrete analysis:
    • the DDH problem is assumed to be as hard as the DL problem


21
DDH generator (intuition)
  • Let a ∈ Z_q be a fixed integer
  • Consider Double_{g,a}(b) = (g^b, g^(ab))  [NR97]
    • for b ∈R Z_q the output is pseudorandom under DDH
    • doubles the input
  • Is Double a pseudorandom generator?
  • No! It produces pseudorandom group elements rather than pseudorandom bits
    • Converting group elements into bits is a non-trivial problem
    • Double cannot be iterated to produce as much randomness as required by the application


22
DDH generator (construction)
  • rank is a bijection mapping elements of the group G to numbers in Z_q
    • rank: G → Z_q
  • More generally, allow an additional input/output number in Z_l
    • rank: G × Z_l → Z_q × Z_l
  • Public parameters for the DDH generator: x, y ∈R G
  • Outputs log_2 q bits per step
  • Seed length: log_2 q + 2·log_2 l

  seed: s ∈R Z_q, r_x, r_y ∈R Z_l
  step: (s, r_x) ← rank(x^s, r_x); (z, r_y) ← rank(y^s, r_y); output z
  step: (s, r_x) ← rank(x^s, r_x); (z, r_y) ← rank(y^s, r_y); output z
  ...
23
Security of the DDH generator
  • The DDH generator produces pseudorandom numbers in Z_q
    • if q ≈ 2^n then it produces pseudorandom bits directly
    • for arbitrary q, additional effort is needed to convert numbers into bits (from integers in [0,q) to bits)
  • Theorem.
    • Assume that 0 < (2^n - q)/2^n < δ.
    • Then a (T, ε)-distinguisher for the DDH generator implies a (T, nε/M - δ)-solver for the DDH problem in G
  • Proof is based on a hybrid argument
    • Hybrids H_j = (u_1, u_2, ..., u_{j-1}, output_1, ..., output_{k-j+1})
    • A given 4-tuple (x, y, X, Y) is a DDH tuple iff the output is distributed as H_j


24
PRG1: instance based on QR(p)
  • Safe prime p = 2q + 1, with q prime
  • G = QR(p), |G| = q
  • Consider the following bijection (Chevassut et al. 2005, Cramer-Shoup 2003, and ?)
    • rank: QR(p) → Z_q with rank(x) = min(x, p-x)
  • Public parameters x, y ∈R G
  • Extracts n bits per iteration (2 modular exponentiations)

  seed: s ∈R Z_q
  step: s ← rank(x^s); output rank(y^s)
  step: s ← rank(x^s); output rank(y^s)
  ...
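The PRG1 recurrence above, as an added example that is not the authors' code: with the toy safe primes p = 23 and p = 1019 (constructed for illustration and far too small for any real use) it checks that rank(x) = min(x, p-x) is a bijection from QR(p) onto Z_q and runs the state/output recurrence. Reducing rank mod q, so that q maps to 0, is our convention for identifying {1, ..., q} with Z_q; the slide leaves that identification implicit.

```python
import secrets

def is_prime(m):
    """Trial division; adequate for the toy moduli in this example."""
    return m >= 2 and all(m % d for d in range(2, int(m ** 0.5) + 1))

def is_safe_prime(p):
    """p = 2q+1 with q an odd prime, so that p = 3 mod 4 and -1 is a non-residue."""
    q = (p - 1) // 2
    return q > 2 and is_prime(p) and is_prime(q)

def quadratic_residues(p):
    """QR(p) = {a^2 mod p : a in Z_p^*}; for a safe prime this is the subgroup G of order q."""
    return {pow(a, 2, p) for a in range(1, p)}

def rank(x, p):
    """Slide 24: rank(x) = min(x, p-x).  Exactly one of x, p-x is a residue (p = 3 mod 4),
    so this hits each of 1..q once; reducing mod q (q -> 0) identifies that set with
    Z_q = {0..q-1}.  The reduction is our convention, not spelled out on the slide."""
    q = (p - 1) // 2
    return min(x, p - x) % q

def prg1(p, x, y, seed, steps):
    """PRG1 recurrence: s <- rank(x^s), output rank(y^s).  Two modular exponentiations
    per step; each output is an element of Z_q, i.e. about log2 q pseudorandom bits."""
    assert is_safe_prime(p), "p must be a safe prime 2q+1"
    qr = quadratic_residues(p)
    assert x in qr and y in qr, "public parameters x, y must lie in G = QR(p)"
    s, out = seed, []
    for _ in range(steps):
        s = rank(pow(x, s, p), p)          # next state, kept secret
        out.append(rank(pow(y, s, p), p))  # published number in Z_q
    return out

def random_parameters(p):
    """Toy setup: seed s <-R Z_q and public x, y <-R G (random squares in Z_p^*)."""
    q = (p - 1) // 2
    x, y = (pow(secrets.randbelow(p - 1) + 1, 2, p) for _ in range(2))
    return secrets.randbelow(q), x, y

if __name__ == "__main__":
    p = 1019                                       # toy safe prime, q = 509
    s, x, y = random_parameters(p)
    print(prg1(p, x, y, s, 8))                     # eight numbers in Z_509
```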
25
PRG1 (cont.)
  • What seed length n guarantees security?
    • recall that for the Blum-Micali PRG n > 61000
  • PRG1 is (T, ε)-secure if 2MT/(nε) < T_DL(QR(p))
  • For M = 2^20, T/ε = 2^80, PRG1 is (T, ε)-secure if n > 1600
  • The seed length n is short because the reduction is (almost) tight
  • PRG1 is much more efficient than the Blum-Micali PRG
  • PRG1 is based on a stronger assumption (the DDH assumption)
  • Limitation: works only for a specific subgroup of Z_p^*


26
PRG2: instance based on any subgroup
  • G is a (prime) order q subgroup of Z_p^*, p = 1 + ql
  • t is an element of Z_p^* of order l, so t^l = 1
  • Let rank: G × Z_l → Z_q × Z_l be the following bijection
    • rank(x, r) = (x·t^r mod q, x·t^r div q)

  seed: s ∈R Z_q, r_x, r_y ∈R Z_l
  step: (s, r_x) ← rank(x^s, r_x); (z, r_y) ← rank(y^s, r_y); output z
  step: (s, r_x) ← rank(x^s, r_x); (z, r_y) ← rank(y^s, r_y); output z
  ...
27
PRG by Jiang (2006)

  seed: (A_0, A_1) ∈R Z_q × Z_q
  A_2 ← g^(rank(A_0)·rank(A_1)); output rank(g^rank(A_2))
  A_3 ← g^(rank(A_1)·rank(A_2)); output rank(g^rank(A_3))
  ...
  • Also based on the standard DDH assumption
  • The speed of the two generators is the same
  • The seed of our generator is half as long as for Jiang's generator
  • For most applications, the length of the seed is a critical issue
  • Our generator can be used with any prime order group such that the elements of the group can be efficiently ranked
  • Jiang's generator is designed for a specific subgroup of Z_p^* for safe primes p


28
Conclusions
  • DDH-based PRGs
    • Showed a general construction of PRGs based on the DDH assumption
    • Specific instances of our DDH-based PRG are presented:
      • subgroup of quadratic residues modulo a prime p: seed length |p|
        • Jiang's generator is an alternative in this case
      • arbitrary order q subgroup of Z_p^*: seed length 2|p| - |q|
  • Open problem: how to use an elliptic curve group?
    • would result in considerably shorter seeds
    • maybe use Kaliski's map from points on an elliptic curve (over F_q) and its quadratic twist to Z_{2q}
  • Revisiting problems related to conversion/extraction of random bits, random numbers and random group elements, all in the context of secure multiparty computation, leads to new approaches and solutions.


29
Author's address
  • Berry Schoenmakers
  • Coding and Crypto group
  • Dept. of Mathematics and Computer Science
  • Technical University of Eindhoven
  • P.O. Box 513
  • 5600 MB Eindhoven
  • Netherlands
  • berry_at_win.tue.nl
  • http://www.win.tue.nl/~berry/