Random Numbers
Thomas Risse, Hochschule Bremen
Why?
How? DRNGs
TRNGs
RNG criteria
Summary
How to Reliably Generate Randomness
Thomas Risse, Institut für Informatik & Automation, IIA
Fakultät Elektrotechnik & Informatik, Hochschule Bremen
Diepholzer Kolloquium, Wed 15 October 2014, Private Hochschule für Wirtschaft und Technik
Agenda
1 What are random numbers needed for, anyway?
2 How are random numbers generated?
  Deterministic random number generators
  Physical random number generators
3 Quality criteria for RNGs
4 Summary
Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin. – John von Neumann, 1951
The generation of random numbers is too important to be left to chance. – Robert R. Coveyou, 1970
What are random numbers needed for?
'Analog' examples
• coin toss for drawing lots, dice for rolling, the lottery host for 6-out-of-49 ...
• the telephone book for representative samples in statistical surveys
• for simulations: Buffon's [1] needle (1733)
'Digital' examples
• for cryptography: one-time pad, zero-knowledge authentication, ...
• for statistics
• for simulations, genetic algorithms, iterated function systems
Footnote 1: Georges-Louis Leclerc de Buffon (1707-1788), www-history.mcs.st-andrews.ac.uk/Biographies/Buffon.html
What are random numbers needed for? E.g. for cryptography I
• one-time pad: A(lice) wants to send B(ob) a 0-1 message, e.g. 'fuck NSA', that only he should be able to read. Both hold an (infinitely) long, secret sequence of 0-1 random numbers, e.g. 01010101010...
  plain  f       u       c       k       ...
  plain  0x66    0x75    0x63    0x6B    ...
  plain  1100110 1110101 1100011 1101011 ...
  key    0101010 1010101 0101010 1010101 ...
  enc    1001100 0100000 1001001 0111110 ...
  dec    1100110 1110101 1100011 1101011 ...
  dec    f       u       c       k       ...
The one-time pad is provably unbreakable as long as the key consists of true random numbers and is used only once (one time!) – but it is unrealistic, because how is the key supposed to be transmitted?
What are random numbers needed for? E.g. for cryptography II
• zero-knowledge authentication: A(lice) wants to make sure that B(ob) shares a common secret, e.g. a password, without him having to reveal it:
  1 Alice sends a random number $n$ to Bob.
  2 Bob replies with the random number encrypted under the shared password, $Enc_{Bob}(n)$.
  3 Alice compares Bob's reply with the random number she encrypted herself, $Enc_A(n)$.
Systems with pairs of individual public and private keys (public key crypto systems, pkcs) allow, among other things, the protected exchange of keys. Key generation in pkcs also requires random numbers!
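The three-step exchange above as an added Python example (not part of the original slides): HMAC-SHA256 stands in for the unspecified Enc, and all class and function names and the constructed password are assumptions. It shows why the challenge n must come from a good random source: with a stuck challenge generator, a recorded reply is accepted a second time.

```python
import hashlib
import hmac
import secrets

def respond(shared_secret: bytes, challenge: bytes) -> bytes:
    """Step 2 (Bob): keyed transform of the challenge; HMAC replaces 'Enc'."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()

class Verifier:
    """Alice: issues the challenge (step 1) and checks the reply (step 3)."""

    def __init__(self, shared_secret: bytes, challenge_source):
        self._secret = shared_secret
        self._source = challenge_source   # callable returning challenge bytes
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = self._source()
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = respond(self._secret, self._pending)
        self._pending = None              # each challenge allows one attempt
        return hmac.compare_digest(expected, response)

def strong_source() -> bytes:
    return secrets.token_bytes(16)        # 128 bits from the OS CSPRNG

def stuck_source() -> bytes:
    return bytes(16)                      # constructed failure: always the same n

def replay_accepted(challenge_source) -> bool:
    """Run one honest login, then present the recorded reply to a new challenge."""
    secret = b"constructed shared password"
    alice = Verifier(secret, challenge_source)
    recorded = respond(secret, alice.challenge())
    if not alice.verify(recorded):
        raise RuntimeError("honest run must succeed")
    alice.challenge()                     # second session
    return alice.verify(recorded)         # old reply, new challenge

if __name__ == "__main__":
    print("replay accepted with fresh random n:", replay_accepted(strong_source))
    print("replay accepted with stuck n:       ", replay_accepted(stuck_source))
```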
What are random numbers needed for? E.g. for statistics
• If $U$ is uniformly distributed on $[0, 1]$ and $F^{inv}$ is the inverse of the distribution function $F$, then $X = F^{inv}(U)$ has the distribution function $F$: from a random variable uniformly distributed on $[0, 1]$ one can generate arbitrarily distributed random variables, as long as their inverse distribution function can be stated:
If $u$ is a realization of a random number $U$ uniformly distributed on $[0, 1]$, then $x = F^{inv}(u)$ is a realization of the random variable $X$ with distribution function $F$.
E.g.: for $p \in [0, 1]$, realizations $u$ of the random variable $U$ uniformly distributed on $[0, 1]$ produce via $(u < p)$ a 0-1 random number sequence with $P(X = 0) = p$ and $P(X = 1) = q = 1 - p$.
What are random numbers needed for? E.g. for fractal objects
• iterated function systems generate fractal objects:
How are random numbers generated?
There are two classes of random number generators, RNGs:
• deterministic/pseudo RNGs, DRNG/PRNG: algorithmic
• physical/true RNGs, TRNG, PTRNG: from noise sources – harvesting noise
and hybrid forms, when a TRNG generates the seed for a DRNG.
Quality of random numbers = quality of their generators. Various institutions specify quality criteria, e.g.
USA: NIST [14], FIPS
Germany: AIS 20 [7] and AIS 31 [8] of the BSI [2]
Examples of deterministic RNGs I
Typical are an initialization (seed) and the computation of the next random number based on the last random number or on the last several random numbers.
• John von Neumann's middle-square method from 1946: choose any number (seed), square it, take the middle digits of the square as the next 'random number' and use this as the seed for the next iteration.
  Uniform distribution? Predictability?
• Linear congruential generators [10]: choose a seed $x_0$ and compute $x_{k+1} = (a x_k + c) \bmod m$ for $k = 0, 1, \dots$ and suitable parameters $a$, $c$ and $m$.
  Uniform distribution? Predictability?
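An added Python example (not from the original slides) that puts numbers to the two "Predictability?" questions above: the 4-digit middle-square method falls into very short cycles, and three consecutive outputs of an LCG with known modulus determine a and c, so every later output is known. The LCG parameters, the seed and all function names are constructed for this example.

```python
def middle_square_cycle(seed: int, digits: int = 4):
    """Return (tail_length, cycle_length) of the middle-square sequence."""
    first_seen = {}
    x, step = seed, 0
    while x not in first_seen:
        first_seen[x] = step
        square = str(x * x).zfill(2 * digits)        # pad to 2*digits digits
        x = int(square[digits // 2: digits // 2 + digits])
        step += 1
    return first_seen[x], step - first_seen[x]

class LCG:
    """x_{k+1} = (a*x_k + c) mod m, as on the slide."""

    def __init__(self, a: int, c: int, m: int, seed: int):
        self.a, self.c, self.m, self.x = a, c, m, seed

    def next(self) -> int:
        self.x = (self.a * self.x + self.c) % self.m
        return self.x

def recover_lcg(x0: int, x1: int, x2: int, m: int):
    """Solve x1 = a*x0 + c and x2 = a*x1 + c (mod m) for a and c.

    Needs x1 - x0 to be invertible mod m, which holds for prime m and x1 != x0.
    """
    a = (x2 - x1) * pow((x1 - x0) % m, -1, m) % m
    c = (x1 - a * x0) % m
    return a, c

# Constructed parameters: prime modulus 2^31 - 1, arbitrary multiplier/increment.
M, A, C = 2**31 - 1, 16807, 12345

def predict_fourth_output(seed: int):
    """Observe three outputs, recover (a, c), predict the fourth."""
    gen = LCG(A, C, M, seed)
    o1, o2, o3 = gen.next(), gen.next(), gen.next()
    a, c = recover_lcg(o1, o2, o3, M)
    predicted = (a * o3 + c) % M
    return (a, c), predicted, gen.next()

if __name__ == "__main__":
    for s in (2100, 3792, 2500):
        print("middle-square seed", s, "-> (tail, cycle) =", middle_square_cycle(s))
    print("LCG:", predict_fourth_output(42))
```

An LCG can still be acceptable for simulation, but its output must never be used as a key, nonce or challenge.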
Examples of deterministic RNGs II
Every N-, Z-, Q- or R-valued RNG yields a 0-1 RNG! Every 0-1 RNG yields N-, Z-, Q- or R-valued RNGs!
• Linear feedback shift registers, LFSRs: choose an initial state, the hardware takes care of the rest, e.g. next bit $p(x) = x^{16} + x^{14} + x^{13} + x^{11} + 1$ in $GF(2)$
  Uniform distribution? Predictability?
• Blum-Blum-Shub generator 1986 [1]: choose $n = pq$ for primes $p$ and $q$, choose a seed $s$ with $\gcd(s, n) = 1$, compute $s_0 = s^2 \bmod n$ and $s_{i+1} = s_i^2 \bmod n$ for $i = 0, 1, \dots$
  Uniform distribution? Predictability?
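Both generators of this slide as an added Python example (not from the original slides): the LFSR uses the slide's polynomial in Fibonacci form and its period is measured, and Blum-Blum-Shub is run with toy primes. Outputting the least significant bit of each BBS state, the requirement p ≡ q ≡ 3 (mod 4), the toy values p = 11, q = 23, s = 3 and all function names are assumptions of this example.

```python
from math import gcd

TAPS = (16, 14, 13, 11)  # exponents of p(x) = x^16 + x^14 + x^13 + x^11 + 1

def lfsr16_step(state: int):
    """One step of the 16-bit Fibonacci LFSR; returns (next_state, output_bit)."""
    feedback = 0
    for t in TAPS:
        feedback ^= (state >> (16 - t)) & 1
    return (state >> 1) | (feedback << 15), state & 1

def lfsr16_period(seed: int):
    """Return (period, number of 1 bits output during one period)."""
    state, steps, ones = seed, 0, 0
    while True:
        state, bit = lfsr16_step(state)
        steps += 1
        ones += bit
        if state == seed:
            return steps, ones

def bbs(p: int, q: int, seed: int, count: int):
    """Blum-Blum-Shub: return (states s_0.., least significant bits)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to n")
    s = seed * seed % n                   # s_0 = s^2 mod n
    states, bits = [], []
    for _ in range(count):
        states.append(s)
        bits.append(s & 1)
        s = s * s % n                     # s_{i+1} = s_i^2 mod n
    return states, bits

if __name__ == "__main__":
    print("LFSR (period, ones):", lfsr16_period(0xACE1))
    print("LFSR from all-zero state:", lfsr16_period(0))
    print("BBS toy run:", bbs(11, 23, 3, 6))
```

The LFSR output is perfectly balanced over its period, yet its first 16 output bits are exactly the register contents, so with known taps everything that follows is determined; real BBS security rests on n being too large to factor, which the toy modulus 253 is not.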
Examples of physical RNGs I
Diode noise [8] ...
A proposal for: Functionality classes for random number generators (AIS 20 / AIS 31, 18 September 2011, page 117)
Figure 9: Basic design of RNG with noisy diodes
443 The circuit for AC coupling, the negative feedback to the operational amplifier, the stabilization of the power supply and the temperature compensating effects are not shown in this figure. A drift of the noisy voltages or the operational amplifier output results in impulses that are too long or too small, causing a biased digitised noise signals. Therefore, the digitised random signal shall be passed to a Neumann/Peres unbiasing control. Clearly, long-term aging effects may be neglected here.
Variant of RNG Design with noise diodes
444 The advanced variant of the basic design outputs the number of Schmitt trigger impulses (caused by 0-1-crossings) modulo 2 as the digitised noise signal.
445 Figure 10 illustrates the advanced design.
Figure 10: Variant of the basic design of RNG with noisy diodes
Examples of physical RNGs II
Jitter of diode ring oscillators [18] ...
3. TRNG Ring Design and Interaction
Figure 14: Two rings XOR'ed
Similar to the two rings, several rings with different ring lengths, namely 7-11, 11-13, 13-17 etc., can be used as the noise source of the TRNG.
3.3.3 Design with Multiple Rings
A multiple ring-based design was developed with several ring oscillators with different ring lengths. The rings were designed with the lengths of 7,11,13,17,19 inverters each. Each ring was replicated 40 times amounting to a total of 200 rings. The 200 rings are XORed together to generate the output signal. The rings are asynchronous to each other, and thus they are not clocked in this part of the design. Figure 15 shows the multiple ring design. Symbol 'I' represents the length of the ring according to the number of inverters and 'k' represents the number of rings in total. The period usually depends on the number of inverters used and the delay of each inverter. The jitter generated by each oscillator accounts for the randomness of the signal. The output from the XOR would be an analog signal. It should be sampled, clocked to convert it to a digital signal. The output signal consists of the periodic transitions of all the included 200 rings. The XOR output will oscillate in the range of 150 to 200 MHz. The design was coded in VHDL and implemented on the Spartan 3-E FPGA evaluation board. The output was driven through the I/O pins on the evaluation board and measured on a Tektronix Oscilloscope.
Bistable semiconductor ring lasers [17] ...
Fig. 2. A schematic of a SRL device with spontaneous emission noise sources B1 and B2.
between the bidirectional and bistable regimes: First, the injection current to the SRL is adjusted so that the SRL operates in the bidirectional regime. In this case, the state of the system always relaxes to the stable point B in the phase space of the bidirectional regime (see Fig. 1 (a)). It is important to note that the stable point B corresponds to a point on the stable manifold of the saddle point S in the bistable regime. This means that when the injection current is suddenly increased so that the SRL operates in the bistable regime, the state is lain on the stable manifold of the saddle point S in a bistable regime, as indicated by open circle in Fig. 1 (b). However, since the spontaneous emission noises are always coupled to the counter-propagating modes, the fluctuation of the state of the system due to the noises is amplified by the unstable manifold of the saddle point S. Consequently, the state of the system relaxes to either of $U_{CW}$ or $U_{CCW}$. The resetting of the final lasing state can be achieved by again decreasing the injection to the bidirectional regime and relaxing to stable point B. Accordingly, the stochastic mode-selection is repeated by the modulation of the injection current between the bidirectional and bistable regimes, so that a random optical pulse train can be emitted in the CW and CCW directions.
2.3. Control of spontaneous emission noises
However, in the actual SRL devices, the spontaneous emission will not be isotropic due to material non-uniformities, and they will not be equally coupled to the CW and CCW modes. Thus, actual SRL devices have a preferred direction, and the dominant output direction is reproducible [5]. For achieving the random operation with the equal probability of the appearance of the CW or CCW lasing state, the amounts of the spontaneous emission noises coupled to the CW and CCW modes should be controlled so that the asymmetry of the coupling is reduced. We show that this is achieved by using two spontaneous emission noise sources. Figure 2 shows a schematic of a SRL device with two spontaneous emission noises sources B1 and B2. The noises emitted from B1 and B2 are injected into a ring laser part in the CCW and CW direction via a weakly coupled waveguide used as a directional coupler. For example, when B1 is active, the amount of the spontaneous emission coupled to the CCW mode can be enhanced. A similar method for the control of the amounts of the spontaneous emission has been used for achieving the switching operation from CW (CCW) mode to CCW (CW) mode [1].
3. SRL device: design and fabrication
In order to implement the random optical pulse generation scheme mentioned in the previous section, a SRL device was designed and fabricated in a InP/InGaAsP material system with an active-passive integration. Figures 3 (a) and (b) show the schematic and picture of the fabricated
#140122 - $15.00 USD; Received 23 Dec 2010; revised 28 Feb 2011; accepted 9 Mar 2011; published 4 Apr 2011. (C) 2011 OSA, 11 April 2011 / Vol. 19, No. 8 / OPTICS EXPRESS 7444
Atmospheric disturbances etc.
Examples of physical RNGs III
Intel uses a metastable latch that, depending on thermal noise, produces 0 or 1. [5], [16]
Quality criteria for RNGs
BSI [2] offers/prescribes (for criticism see [13])
1 Monobit Test
2 Poker Test
3 Run Tests
4 Longrun Test
5 Autocorrelation tests
6 Uniform distribution test
7 Homogeneity tests
8 Entropy Test
NIST [14] additionally specifies
• binary matrix rank
• DFT
• template matching
• linear complexity
• random walks
Quality criteria for PRNGs
Monobit Test: FIPS, HAC [12], NIST [14], BSI [7],[8] pp44
T1: Let $n = 20000$, $T_1 = \sum_{i=1}^{n} b_i$. Bit sequence $(b_i)_{i=1}^{n}$ passes the Monobit Test if $9654 < T_1 < 10346$.
$T_1$ is – independence assumed! – binomially distributed: $E(T_1) = np$ and $\mathrm{Var}(T_1) = np(1-p)$ for $p = P(b = 1)$. For $p = \frac{1}{2}$ SAGE [?] gives with any precision $P(9654 < T_1 < 10346) \approx 0.999999078354697$.
$T_1$ is approximately $N(np, npq)$-distributed. SAGE: $P(9654 < T_1 < 10346) \approx P(|U| < 4.89317892581091) \approx 0.999999503899380$ for $N(0, 1)$-distributed $U$, where
$\Phi(u) = \frac{1}{2}\left(1 + \mathrm{erf}\left(\frac{u}{\sqrt{2}}\right)\right)$
is the distribution function of $U$.
$\Rightarrow$ BSI error probability $\le 1 - 0.999999 = 10^{-6}$
NB [12],[7],[8] examine (also) the approximately $\chi^2$-distributed test statistic $T_1' = \frac{1}{n}\left(T_1 - (n - T_1)\right)^2$ with $df = 1$.
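Quality criteria for PRNGs
Poker Test: FIPS, HAC [12] 2bit, NIST [14], BSI [7],[8] pp46 typo
T2: Let $n = 20000$. Every 4 bits give a nibble. Let $h_i := |\{j : 8b_{4j-3} + 4b_{4j-2} + 2b_{4j-1} + b_{4j} = i\}|$ and $T_2 = \frac{16}{5000}\sum_{i=0}^{15} h_i^2 - 5000$. Bit sequence $(b_i)_{i=1}^{n}$ passes the Poker Test if $1.03 < T_2 < 57.4$.
$T_2 = \frac{16}{n_4}\sum_{i=0}^{15} h_i^2 - n_4 = \sum_{i=0}^{15} \frac{(h_i - n_4/16)^2}{n_4/16} \ge 0$ with $n_4 = \frac{n}{4}$ is $\chi^2$-distributed with $df = 15$. NB BSI $P(\chi^2 \ge 56.49) = 10^{-6}$
SAGE: $P(1.03 < T_2 < 57.4) = \int_{1.03}^{57.4} \frac{x^{df/2-1} e^{-x/2}}{2^{df/2}\,\Gamma(df/2)}\,dx \approx 0.999998985794408 \approx 1 - 10^{-6}$. NB: lopsided!
We have $F_{df}(x) = P\left(\frac{df}{2}, \frac{x}{2}\right)$ and for odd $df$
$P\left(\frac{df}{2}, \frac{x}{2}\right) = \mathrm{erf}\left(\sqrt{\frac{x}{2}}\right) - e^{-x/2} \sum_{k=0}^{\lfloor df/2 \rfloor - 1} \frac{1}{\Gamma(k + 3/2)} \left(\frac{x}{2}\right)^{k+1/2}$
SAGE: $P(1.03 < T_2 < 57.4) = F_{15}(57.4) - F_{15}(1.03) \approx 0.999998985794408 \approx 1 - 10^{-6}$. NB: lopsided!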
Quality criteria for PRNGs
Run Tests: FIPS, HAC [12], NIST [14] #runs, BSI [7],[8] pp47
T3: Let $n = 20000$ and $k_\ell$ the number of runs of length $\ell$. The bit sequence $(b_i)_{i=1}^{n}$ passes the Run Tests if $k_1 \in [2267, 2733]$, $k_2 \in [1079, 1421]$, $k_3 \in [502, 748]$, $k_4 \in [233, 402]$, $k_5 \in [90, 223]$ and $k_{\ge 6} \in [90, 223/233]$.
0-runs or 1-runs of length $\ell$ occur with $p_{run} = \frac{1}{2^{\ell+2}}$ in any of the $n - \ell - 1$ places and in each of the two boundaries with $p'_{run} = 2p_{run}$. $\Rightarrow E(K_\ell) = \frac{n - \ell - 1 + 2 + 2}{2^{\ell+2}} = \frac{n - \ell + 3}{2^{\ell+2}}$.
$T_{3,\ell} = \sum_{b=0}^{1} \sum_{i=1}^{\ell} \frac{\left(k_i^{(b)} - E(K_i)\right)^2}{E(K_i)}$, $k_i = k_i^{(0)} + k_i^{(1)}$, is approximately $\chi^2$-distributed, $df = 2\ell - 1$ = #observ – #params. NB [12] $= 2\ell - 2$, NB [11] $= 2\ell$
SAGE's find_root gives: $P(T_{3,1} < 10^{-12}) \approx 0.5 \cdot 10^{-6}$ and $P(T_{3,1} > 25.263820726226815) \approx 0.5 \cdot 10^{-6}$ (BSI one-sided $P(T_{3,1} < 23.9281269768) = 1 - 10^{-6}$) with $E(K_1) = \frac{n+2}{8} = 2500.25$, implying NB $k_1 \in [2322, 2677]$? resp. NB $k_1 \in [2327, 2673]$? Counting convention?
Quality criteria for PRNGs
Longrun Test: FIPS, NIST [14] longest/block, BSI [7],[8] p49
T4: Let $n = 20000$. The bit sequence $(b_i)_{i=1}^{n}$ passes the Longrun Test if $k_\ell = 0$ for all $\ell \ge 34$.
$P(k_\ell = 0) = \frac{F^{(\ell)}_{n+2}}{2^n}$ with the Fibonacci $\ell$-step numbers [19]
$F^{(\ell)}_k = \sum_{i=1}^{\ell} F^{(\ell)}_{k-i}$ with $F^{(\ell)}_k = 0$ for $k \le 0$ and $F^{(\ell)}_1 = F^{(\ell)}_2 = 1$.
SAGE: $P(k_{34} = 0) \approx 0.999999418854882 \approx 1 - 10^{-6}$ and $P(k_\ell = 0) \nearrow$ for $\ell \nearrow$.
By the way, roughly estimating, SAGE gives $P(k_\ell > 0 \text{ for at least one } \ell \ge 34) \approx (n - 34)\,2^{-34} \approx 1.16217415779829 \cdot 10^{-6}$
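The four tests T1 to T4 with the thresholds from the slides, as an added Python example (not code from the slides or from BSI/NIST). Assumptions: the run intervals are applied to 0-runs and 1-runs separately, consistent with $E(K_1) = 2500.25$; the upper bound for runs of length 6 or more is taken as 223; the three sample sequences and all function names are constructed.

```python
import hashlib
from itertools import groupby

N = 20000  # sample length used by T1..T4 on the slides

def monobit(bits):
    """T1: number of ones; pass if 9654 < T1 < 10346."""
    t1 = sum(bits)
    return t1, 9654 < t1 < 10346

def poker(bits):
    """T2: chi-square statistic over the 5000 nibbles; pass if 1.03 < T2 < 57.4."""
    h = [0] * 16
    for j in range(0, N, 4):
        b = bits[j:j + 4]
        h[8 * b[0] + 4 * b[1] + 2 * b[2] + b[3]] += 1
    t2 = 16 * sum(x * x for x in h) / 5000 - 5000
    return t2, 1.03 < t2 < 57.4

# Intervals from the slide; key 6 means "length >= 6". Its upper bound is not
# legible on the slide, so 223 (the bound for length 5) is assumed here.
RUN_BOUNDS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (233, 402), 5: (90, 223), 6: (90, 223)}

def run_lengths(bits):
    return [(value, len(list(group))) for value, group in groupby(bits)]

def runs(bits):
    """T3: counts k[(bit value, length)] and whether all lie in their interval."""
    k = {(v, length): 0 for v in (0, 1) for length in RUN_BOUNDS}
    for v, length in run_lengths(bits):
        k[(v, min(length, 6))] += 1
    ok = all(RUN_BOUNDS[length][0] <= count <= RUN_BOUNDS[length][1]
             for (v, length), count in k.items())
    return k, ok

def longrun(bits):
    """T4: longest run; pass if no run of length >= 34 occurs."""
    longest = max(length for _, length in run_lengths(bits))
    return longest, longest < 34

def battery(bits):
    if len(bits) != N:
        raise ValueError("the tests are specified for exactly 20000 bits")
    return {"monobit": monobit(bits)[1], "poker": poker(bits)[1],
            "runs": runs(bits)[1], "longrun": longrun(bits)[1]}

def sha256_counter_bits(seed: bytes, n: int = N):
    """Constructed sample input: SHA-256 in counter mode, fully predictable."""
    out = bytearray()
    counter = 0
    while 8 * len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return [(byte >> (7 - i)) & 1 for byte in out for i in range(8)][:n]

SAMPLES = {  # all constructed for this example
    "sha256 counter": sha256_counter_bits(b"constructed public seed"),
    "alternating 0101": [0, 1] * (N // 2),
    "stuck at 0": [0] * N,
}

if __name__ == "__main__":
    for name, bits in SAMPLES.items():
        print(f"{name:18s}", battery(bits))
```

The SHA-256 counter stream passes all four tests although anyone who knows the public seed can reproduce every bit: passing a statistical battery says nothing about unpredictability. The alternating sequence passes the monobit and longrun tests and is caught only by the poker and run tests.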
Quality criteria for PRNGs
Autocorrelation Test: HAC [12], NIST [14], BSI [7],[8] pp49
T5: Let $n = 20000$ and $T_{5,\tau} = \sum_{j=1}^{n/4} b_j \oplus b_{j+\tau}$ for $\tau \in \{1, 2, \dots, \frac{n}{4}\}$. The bit sequence $(b_i)_{i=1}^{n}$ passes the Autocorrelation Test if $|T_{5,\tau} - \frac{n}{8}| < 174$ for all $\tau$. NB: only the first half of the $(b_i)$ is relevant!?!
$T_{5,\tau}$ is approximately $N\left(\frac{n}{4}\cdot\frac{1}{2},\ \frac{n}{4}\cdot\frac{1}{2}\cdot\frac{1}{2}\right)$-distributed. With SAGE $u = \frac{174}{\sqrt{n/16}} = \frac{1.74 \cdot 4}{\sqrt{2}} \approx 4.92146319705837$ we get
$P(|T_{5,\tau} - \frac{n}{8}| < 174) = P(|U| < u) = 2\Phi(u) - 1 \approx 0.99999914100 \approx 1 - 10^{-6}$ for $N(0, 1)$-distributed $U$.
Quality criteria for PRNGs
Uniform distribution Test: HAC 2bit, NIST template matching, BSI [7],[8] pp50
T6: Generate $w_j \in \{0, 1\}^k$ from $(b_i)_{i=1}^{nk}$; $T_{6,x} := \frac{|\{j : w_j = x\}|}{n}$ is the relative frequency of $x$. The bit sequence $(b_i)_{i=1}^{nk}$ passes the Uniform distribution Test for parameters $k$, $n$ and $\alpha$ if $|T_{6,x} - 2^{-k}| < \alpha$ for all $x \in \{0, 1\}^k$.
Uniform distribution tests generalize Monobit Tests!
BSI [7],[8] p55 Test Procedure B: T6 with NB $k = 1$, $n = 10^5$ and $\alpha = 0.025$. Explicitly p51: $(b_i)_{i=1}^{n}$ passes if $|T_{6,0} - \frac{1}{2}| < \alpha$ ? T1 ? NB only for 'PTRNG'.
Let $b \in \{0, 1\}$ and $h_b$ = #$b$ in $(b_i)_{i=1}^{n}$. Independent!
$\chi^2$ goodness-of-fit test: $T_6 = \sum_{b=0}^{1} \frac{(h_b - n/2)^2}{n/2}$ is $\chi^2$-distributed with $df = 1$. BSI condition $|\frac{h_b}{n} - \frac{1}{2}| \le \alpha$ for $b \in \{0, 1\}$ $\Rightarrow (h_b - \frac{n}{2})^2 \le \alpha^2 n^2 \Rightarrow T_6 \le 250$. SAGE $P(T_6 \le 250) = 1$, NB while SAGE $P(T_6 \lesssim 23.9) \approx 1 - 10^{-6}$ ?
Quality criteria for PRNGs
Multinomial/Homogeneity Test: BSI [7],[8] pp51
T7: Generate $w_{i,j} \in \{0, 1, \dots, s-1\}$ for $i = 1, \dots, h$, $j = 1, \dots, n$ from $(b_k)_k$, i.e. $h$ independent repetitions of the $j$-th experiment. Let $f_i(t) = |\{j : w_{ij} = t\}|$ and $p_t = \frac{1}{hn}\sum_{i=1}^{h} f_i(t)$. The bit sequence $(b_i)_i$ passes the Multinomial Test for $h$, $s$, $n$ and $\alpha$ if $T_7 \le \chi^2(\alpha, (h-1)(s-1))$ where
$T_7 = \sum_{i=1}^{h} \sum_{t=0}^{s-1} \frac{(f_i(t) - n\,p_t)^2}{n\,p_t}$
No longer up to date: BSI example for $h = s = 2$, i.e. $i = 1, 2$ and template $t = 0, 1$ – adapted from [6], Test 76. Two samples with $n$ elements each, $w_{i,1}, w_{i,2}, \dots, w_{i,n}$ for $i = 1, 2$, of $n$ bits each. Determine
absolute frequency $f_i(t) = |\{j : w_{i,j} = t\}|$ of $t$ in sample
relative frequency $p_t = \frac{f_1(t) + f_2(t)}{2n}$ of $t$ in both samples
$T_7 = \sum_{i=1}^{h} \sum_{t=0}^{s-1} \frac{(f_i(t) - n\,p_t)^2}{n\,p_t}$ is $\chi^2$-distributed, $df = (h-1)(s-1) = 1$ and according to BSI p37, table [7],[8] p46, $P(T_7 \ge 15.13) = \alpha = 0.0001$ ?
Quality criteria for PRNGs
BSI [7],[8] pp55 Test Procedure B demands (typos) three tests – with NB three different representations: T7 pp51, p56, pp58. NB T7 only for 'PTRNG' in spite of pp58 (typos)
step 2 bits, T7? Extract $TF_r = \{(b_{2j+1}, b_{2j+2}) : b_{2j+1} = r\}$ with $|TF_0| = |TF_1| = n_1 = 10^5$ from the sequence. Determine $v_r(i) = \frac{|\{j : (b_{2j+1}, i) \in TF_r\}|}{n_1}$. Sequence passes T7 if $|v_0(1) + v_1(0) - 1| < \alpha_1 = 0.02$ ? $v_0(0)$? $v_1(1)$?
step 3 bits, T7 supposedly with $h = 2$? or $h = 4$?, $s = 2$. Extract $TF_{rs} = \{(b_{3j+1}, \dots, b_{3j+3}) : (b_{3j+1}, b_{3j+2}) = (rs)\}$ with $|TF_{00}| = |TF_{01}| = |TF_{10}| = |TF_{11}| = n_2 = 10^5$ from the sequence. Determine $v_{rs}(i) := \frac{|\{j : (b_{3j+1}, \dots, b_{3j+3}) = (rsi)\}|}{n_2}$. 'for each $s \in \{0, 1\}$ compare $v_{0s}$ and $v_{1s}$ with T7 at $\alpha_2 = 0.0001$'
step 4 bits, T7 supposedly with $h = 3$? or $h = 8$?, $s = 2$. Extract $TF_{rst} = \{(b_{4j+1}, \dots, b_{4j+4}) : (b_{4j+1}, \dots, b_{4j+3}) = (rst)\}$ with $|TF_{000}| = |TF_{001}| = \dots = |TF_{111}| = n_3 = 10^5$ from the sequence. Determine $v_{rst}(i) := \frac{|\{j : (b_{4j+1}, \dots, b_{4j+4}) = (rsti)\}|}{n_3}$. 'for each $(s, t) \in \{0, 1\}^2$ compare $v_{0st}$ and $v_{1st}$ with T7 at $\alpha_3 = 0.0001$'
Quality criteria for PRNGs
Entropy Test: HAC, NIST approx. entropy, BSI [7],[8] pp52, in accordance with [3],[4]
T8: Generate $w_n \in \{0, 1\}^L$ from $(b_i)_{i=1}^{(Q+K)L}$. Let $A_n$ be the distance of $w_n$ to some identical predecessor, i.e.
$A_n = \begin{cases} n & \text{if there is no } i \ge 1 \text{ with } w_n = w_{n-i} \\ \min\{i \ge 1 : w_n = w_{n-i}\} & \text{else} \end{cases}$
Let $T_8 = \frac{1}{K}\sum_{n=Q+1}^{Q+K} g(A_n)$ with $g(i) = \frac{1}{\log 2}\sum_{k=1}^{i-1} \frac{1}{k} \approx \frac{\log i + \gamma + \frac{1}{2i} + \frac{1}{12 i^2}}{\log 2} + O\left(\frac{1}{i^4}\right)$ with $\gamma \approx 0.577216$ (Euler).
The bit sequence $(b_i)_{i=1}^{(Q+K)L}$ passes the Entropy Test if $T_8$ is approximately $N(\mu, \sigma^2)$-distributed with 'tabulated' $\mu = \mu(L, K)$ and $\sigma = \sigma(L, K)$.
BSI [7],[8] pp55 Test Procedure B: $(b_i)_{i=1}^{n}$ passes T8 with $L = 8$, $Q = 10 \cdot 2^L = 2560$, $K = 1000 \cdot 2^L = 256000$, $\mu = L$, $\sigma = c(L, K)\sqrt{\mathrm{Var}(g(A_n))/K}$ if $T_8 > 7.976$
NB one-sided? NB only for 'PTRNG'.
Quality criteria for PRNGs
Genesis: Maurer's universal test; Coron $\not\equiv$ BSI
Maurer [11]: $f_{T_U} = \frac{1}{K}\sum_{n=Q+1}^{Q+K} \log_2(A_n)$ with, independent of $n$,
$E(f_{T_U}) = E(\log_2(A_n)) = 2^{-L}\sum_{i=1}^{\infty} (1 - 2^{-L})^{i-1} \log_2(i)$ and
approximately $\mathrm{Var}(f_{T_U}) = c^2(L, K)\,\mathrm{Var}(\log_2(A_n))/K$ with
$c(L, K) \approx 0.7 - \frac{0.8}{L} + \left(4 + \frac{32}{L}\right)\frac{K^{-3/L}}{15}$ for $L \ll Q \ll K$
$\mathrm{Var}(\log_2(A_n)) = 2^{-L}\sum_{i=1}^{\infty} (1 - 2^{-L})^{i-1} \log_2^2(i) - E^2(f_{T_U})$.
Coron & Naccache [3],[4] generalize/correct Maurer to $f^g_{T_U} = \frac{1}{K}\sum_{n=Q+1}^{Q+K} g(A_n)$, which for $g(i) = \frac{1}{\log 2}\sum_{k=1}^{i-1} \frac{1}{k}$ gives $E(f^g_{T_U}) = L$ bit = entropy of $L$-bit blocks of an ergodic stationary source, as well as an exact representation and thus a better approximation of $c(L, K)$.
NB Table 1 for $\mathrm{Var}(\log_2(A_n))$, $d(L)$ and $e(L)$ in $c^2(L, K) = d(L) + e(L) \cdot 2^L/K$ in [3] for $\log_2$, in [4] for said $g$
BSI [7],[8] with said $g$, typo also in [9]. SAGE $\sigma \approx 0.002$ vs BSI $\sigma = 0.0014$ and $P(T_8 > 7.976) = P(U > -10.64) \approx 1$ ? NB one-sided? contrary to [11],[3],[4]
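The entropy test T8 with Coron's $g$ and the Test Procedure B parameters from the two slides above, as an added Python example (not code from the slides, BSI or Coron). The two byte streams are constructed sample inputs and the function names are assumptions; the statistic estimates the entropy per 8-bit block, so a source that only ever emits 7 distinct bits per byte lands near 7 and fails the 7.976 threshold.

```python
import hashlib
import math

L, Q, K = 8, 2560, 256000     # Test Procedure B parameters from the slide
THRESHOLD = 7.976             # pass if T8 > 7.976

def g_table(max_i: int):
    """g[i] = (1/ln 2) * sum_{k=1}^{i-1} 1/k for i = 1..max_i (g[0] unused)."""
    g = [0.0] * (max_i + 1)
    harmonic = 0.0
    for i in range(2, max_i + 1):
        harmonic += 1.0 / (i - 1)
        g[i] = harmonic / math.log(2)
    return g

def t8(blocks) -> float:
    """Coron's statistic over Q + K blocks of L bits, given as integers."""
    if len(blocks) != Q + K:
        raise ValueError("need exactly Q + K blocks")
    g = g_table(Q + K)
    last_seen = {}            # block value -> index of its latest occurrence
    total = 0.0
    for n, w in enumerate(blocks, start=1):
        if n > Q:             # the first Q blocks only initialise last_seen
            a_n = n - last_seen[w] if w in last_seen else n
            total += g[a_n]
        last_seen[w] = n
    return total / K

def passes_t8(blocks) -> bool:
    return t8(blocks) > THRESHOLD

def sha256_counter_bytes(seed: bytes, count: int) -> bytes:
    """Constructed sample input: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < count:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:count])

# Constructed inputs: a uniform byte stream and the same stream with the top
# bit of every byte forced to 0 (at most 7 bits of entropy per block).
UNIFORM = sha256_counter_bytes(b"constructed public seed", Q + K)
SEVEN_BIT = bytes(b & 0x7F for b in UNIFORM)

if __name__ == "__main__":
    print("uniform bytes: T8 = %.4f" % t8(UNIFORM), passes_t8(UNIFORM))
    print("7-bit bytes:   T8 = %.4f" % t8(SEVEN_BIT), passes_t8(SEVEN_BIT))
```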
Summary
• Purpose of random numbers
• Quality of random numbers
  • uniform distribution
  • independence
  • unpredictability
  Quality criteria are statistical in nature!
• Generation of random numbers: deterministic = pseudo vs physical = true
• Quality of random number generators
  • RNGs generate 'good' random numbers
  • with little effort, i.e. fast
The search for better random number generators is presumably not over.
References
[1] Lenore Blum, Manuel Blum, Michael Shub: A Simple Unpredictable Pseudo-Random Number Generator; SIAM Journal on Computing, Vol 15, Nr. 2, 364-383, May 1986
[2] BSI: Anwendungshinweise und Interpretationen (zum Schema), AIS; https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/AnwendungshinweiseundInterpretationen/AIS/aiscc_node.html
[3] Jean-Sebastien Coron, David Naccache: An Accurate Evaluation of Maurer's Universal Test; Proc. of SAC'98; Springer LNCS 1998, http://www.jscoron.fr/publications/universal.pdf
[4] Jean-Sebastien Coron: On the Security of Random Sources; in H. Imai, Y. Zheng, Eds.: Public-Key Cryptography; LNCS vol. 1560, 29-42, Springer 1999, www.jscoron.fr/publications/entropy.pdf
[5] M. Hamburg, P. Kocher, M. Marson: Analysis of Intel's Ivy Bridge Digital Random Number Generator; http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf
[6] Gopal K. Kanji: 100 Statistical Tests; SAGE Publications 2006, http://fcc-statistics.wikispaces.com/file/view/100+Statistical+Tests.pdf
[7] Wolfgang Killmann, Werner Schindler: Functionality Classes and Evaluation Methodology for Random Number Generators; see [2], AIS20_Functionality_classes_for_random_number_generators.pdf
[8] Wolfgang Killmann, Werner Schindler: Functionality Classes and Evaluation Methodology for Random Number Generators; see [2], 2011, AIS31_Functionality_classes_for_random_number_generators.pdf
[9] Wolfgang Killmann, Werner Schindler: Functionality Classes and Evaluation Methodology for True (Physical) Random Number Generators; see [2], version 3.1, 2001, AIS_31_Functionality_classes_evaluation_methodology_for_true_RNG_e.pdf
[10] Derrick H. Lehmer: Mathematical methods in large-scale computing units; Ann. Computing Lab., Harvard Univ. 26 (1951), 141-146
[11] Ueli M. Maurer: A Universal Statistical Test for Random Bit Generators; Journal of Cryptology, vol. 5, no. 2, 1992, 89-105, ftp://ftp.inf.ethz.ch/pub/crypto/publications/Maurer92a.pdf
[12] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone: Handbook of Applied Cryptography; CRC Press, October 1996, http://cacr.uwaterloo.ca/hac/
[13] Thomas Risse: Güte von Zufallszahlen – Qualität von Zufallszahlen-Generatoren; 11. workshop Mathematik für Ingenieure; Hochschule Bochum 30.9.2013, www.weblearn.hs-bremen.de/risse/papers/MathEng11
[14] Andrew Rukhin et al: A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications; National Institute of Standards and Technology, NIST April 2010, http://csrc.nist.gov/publications/nistpubs/800-22-rev1a/SP800-22rev1a.pdf
[15] Werner Schindler: Functionality Classes and Evaluation Methodology for Deterministic Random Number Generators; BSI, version 2.0, 1999, AIS_20_Functionality_Classes_Evaluation_Methodology_DRNG_e.pdf
[16] Boris Škoric: True random number generation; TU Eindhoven 2003, http://security1.win.tue.nl/~bskoric/physsec/files/slides_03_TrueRandom.pdf
[17] Satoshi Sunada, Takahisa Harayama, Kenichi Arai, Kazuyuki Yoshimura, Ken Tsuzuki, Atsushi Uchida, Peter Davis: Random optical pulse generation with bistable semiconductor ring lasers; http://www.opticsinfobase.org/oe/viewmedia.cfm?uri=oe-19-8-7439&seq=0
[18] Prassanna Shanmuga Sundaram: Development of a FPGA-based True Random Number Generator for Space Applications; Linköping Institute of Technology, http://liu.diva-portal.org/smash/get/diva2:305133/FULLTEXT01.pdf
[19] Eric W. Weisstein: Run; MathWorld – A Wolfram Web Resource, http://mathworld.wolfram.com/Run.html