wie? wie man zuverlässig zufälliges · pdf filesymbol 'i' represents the...

Zufallszahlen

Thomas RisseHochschule Bremen

Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Wie man zuverlässig Zufälliges erzeugt

Thomas RisseInstitut für Informatik & Automation, IIA

Fakultät Elektrotechnik & InformatikHochschule [email protected]

Diepholzer Kolloquium, Mi 15. Oktober 2014Private Hochschule für Wirtschaft und Technik

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Agenda

1 Wozu braucht man bloß Zufallszahlen?

2 Wie erzeut man Zufallszahlen?

Deterministische Zufallszahlen-Generatoren

Physikalische Zufallszahlen-Generatoren

3 Qualitätskriterien für RNGs

4 Zusammenfassung

Any one who considers arithmetical methods of producing randomdigits is, of course, in a state of sin.Jeder, der Zufallszahlen mit einer arithmetischen Methode erzeugenwill, ist nicht ganz bei Trost. – John von Neumann, 1951

The generation of random numbers is too important to be left tochance. – Robert R. Coveyou, 1970

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Wozu bloß Zufallszahlen?

’analoge’ Beispiele

• Münzwurf zum Auslosen, Würfel zum Auswürfeln,Lotto-Fee für 6-aus-49 . . .

• Telefonbuch für repräsentative Stichproben instatistischen Untersuchungen

• für Simulationen: Buffon1sche Nadel (1733)

’digitale’ Beispiele

• für Kryptographie: one time pad, zero knowledgeauthentication, . . .

• für Statistik

• für Simulationen, genetische Algorithmen, IterierteFunktionssysteme

1Georges-Louis Leclerc de Buffon (1707-1788)www-history.mcs.st-andrews.ac.uk/Biographies/Buffon.html

http://www-history.mcs.st-andrews.ac.uk/Biographies/Buffon.html

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Wozu bloß Zufallszahlen?etwa für Kryptographie I

• one time pad : A(lice) will B(ob) eine 0-1-Botschaft, z.B.’fuck NSA’, schicken, die nur er lesen können soll. Beideverfügen über eine (unendlich) lange, geheime Folge von0-1-Zufallszahlen, z.B. 01010101010. . .klar f u c k . . .klar 0x66 0x75 0x63 0x6B . . .klar 1100110 1110101 1100011 1101011 . . .key 0101010 1010101 0101010 1010101 . . .enc 1001100 0100000 1001001 0111110 . . .dec 1100110 1110101 1100011 1101011 . . .dec f u c k . . .

one time pad ist erwiesenermaßen unknackbar, solangeder Schlüssel aus echten Zufallszahlen besteht und nureinmal verwendet wird (one time!) – aber unrealistisch,denn wie soll der Schlüssel bloß übermittelt werden?

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Wozu bloß Zufallszahlen?etwa für Kryptographie II

• zero knowledge authentication: A(lice) will sicherstellen,daß B(ob) ein gemeinsames Geheimnis, z.B. einPaßwort teilt, ohne daß er dieses offenbaren muß:

1 Alice sendet eine Zufallszahl n an Bob.2 Bob antwortet mit der mit dem gemeinsamen Paßwort

verschlüsselten Zufallszahl EncBob(n).3 Alice vergleicht Bobs Antwort mit der von ihr selbst

verschlüsselten Zufallszahl EncA(n).

Systeme mit Paaren aus individuellem öffentlichen undprivaten Schlüssel (public key crypto system, pkcs)erlauben u.a. den geschützten Austausch vonSchlüsseln. Die Schlüsselerzeugung in pkcs benötigtebenfalls Zufallszahlen!

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Wozu bloß Zufallszahlen?etwa für Statistik

• wenn U gleichverteilt auf [0, 1] und F inv Umkehrfunktion derVerteilungsfunktion F , dann hat X = F inv (U) dieVerteilungsfunktion F : aus einer auf [0, 1] gleichverteiltenZufallsvariablen kann man beliebig verteilte Zufallsvariablenerzeugen, solange deren inverse Verteilungsfunktionangebbar ist:Wenn u Ausprägung einer auf [0, 1] gleichverteiltenZufallszahlen U ist, so ist x = F inv (u) Ausprägung derZufallsvariablen X mit Verteilungsfunktion F .

Z.B.: für p ∈ [0, 1] produzieren Ausprägungen uder auf [0, 1] gleichverteilten Zufallsvariablen Uper (u < p) eine 0-1-Zufallszahlenfolgemit P(X = 0) = p und P(X = 1) = q = 1− p.

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Wozu bloß Zufallszahlen?etwa für fraktale Objekte

• iterative Funktionssysteme erzeugen fraktale Objekte:

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Wie erzeut man Zufallszahlen?

Es gibt zwei Klassen von Zufallszahlengeneratoren, RNGs

• Deterministische/Pseudo-RNGs, DRNG/PRNGalgorithmisch

• Physikalische/echte RNGs, TRNG, PTRNGaus Rausch-Quellen – harvesting noise

und Mischformen, wenn TRNG den seed für DRNG erzeugen.

Qualität der Zufallszahlen = Qualität ihrer GeneratorenDiverse Institutionen spezifizieren Güte-Kriterien, z.B.

USA NIST [14] FIPS

BRD AIS 20 [7] und AIS 31 [8] des BSI [2]

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Beispiele deterministischer RNGs I

Typisch sind Initialisierung (seed) und Berechnung dernächsten Zufallszahl basierend auf der letzten Zufallszahlbzw. auf den letzten Zufallszahlen.

• John von Neumann’s middle-square method from 1946:wähle irgendeine Zahl (seed), quadriere sie, entnimm diemittleren Ziffern des Quadrates als die nächste’Zufallszahl’ und wähle diese als seed für die nächsteIteration.

Gleichverteilung? Vorhersagbarkeit?

• Linear congruential generators [10]:Wähle seed xo und berechne xk+1 = a xk + c mod mfür k = 0, 1, . . . und geeignete Parameter a, c und m.


Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Beispiele deterministischer RNGs IIJeder N-, Z-, Q- oder R-wertige RNG liefert einen 0-1-RNG!Jeder 0-1-RNG liefert N-, Z-, Q- oder R-wertige RNGs!

• Linear Feedback Shift Registers, LFSRs:Wähle initialen Zustand, die hardware erledigt den Rest,z.B.

next bit p(x) = x16 + x14 + x13 + x11 + 1 in GF2


• Blum-Blum-Shub generator 1986 [1]:wähle n = pq für prime p und q, wähle seed s mitgcd(s, n) = 1, berechne s0 = s2 mod n undsi+1 = s2

i mod n für i = 0, 1, ...


Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Beispiele physikalischer RNGs I

Dioden-Rauschen [8] . . .A proposal for: Functionality classes for random number generators

18 September 2011 AIS 20 / AIS 31 page 117

Figure 9: Basic design of RNG with noisy diodes

443 The circuit for AC coupling, the negative feedback to the operational amplifier, the stabilization of the power supply and the temperature compensating effects are not shown in this figure. A drift of the noisy voltages or the operational amplifier output results in impulses that are too long or too small, causing a biased digitised noise signals. Therefore, the digitised random signal shall be passed to a Neumann/Peres unbiasing control. Clearly, long-term aging effects may be neglected here.

Variant of RNG Design with noise diodes

444 The advanced variant of the basic design outputs the number of Schmitt trigger impulses (caused by 0-1-crossings) modulo 2 as the digitised noise signal.

445 Figure 10 illustrates the advanced design.

Figure 10: Variant of the basic design of RNG with noisy diodes

clock

tot test online test

Vcc

digitisednoisesignal

+

_

clock


Vcc


+

_

+

_

+

_


Vcc

clock


+

_


Vcc

clock


+

_

+

_

+

_

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Beispiele physikalischer RNGs II

Jitter von Diodenring-Oscillatoren [18] . . .

3. TRNG Ring Design and Interaction

Figure 14: Two rings XOR'ed

Similar to the two rings, several rings with different ring lengths, namely 7-11, 11-13, 13-17 etc.,

can be used as the noise source of the TRNG.

3.3.3 Design with Multiple Rings

A multiple ring-based design was developed with several ring oscillators with different ring lengths.

The rings were designed with the lengths of 7,11,13,17,19 inverters each. Each ring was replicated

40 times amounting to a total of 200 rings. The 200 rings are XORed together to generate the output

signal. The rings are asynchronous to each other, and thus they are not clocked in this part of the

design. Figure 15 shows the multiple ring design. Symbol 'I' represents the length of the ring

according to the number of inverters and 'k' represents the number of rings in total. The period

usually depends on the number of inverters used and the delay of each inverter. The jitter generated

by each oscillator accounts for the randomness of the signal. The output from the XOR would be an

analog signal. It should be sampled, clocked to convert it to a digital signal. The output signal

consists of the periodic transitions of all the included 200 rings. The XOR output will oscillate in

the range of 150 to 200 MHz. The design was coded in VHDL and implemented on the Spartan 3-E

FPGA evaluation board. The output was driven through the I/O pins on the evaluation board and

measured on a Tektronix Oscilloscope.

22

Output Sequence

Bistabile Halbleiter-Ring-Laser [17] . . .

Ring laser

CCW

CW

B1

B2CW output

CCW output

Fig. 2. A schematic of a SRL device with spontaneous emission noise sources B1 and B2.

between the bidirectional and bistable regimes: First, the injection current to the SRL is adjustedso that the SRL operates in the bidirectional regime. In this case, the state of the system alwaysrelaxes to the stable point B in the phase space of the bidirectional regime (see Fig. 1 (a)). Itis important to note that the stable point B corresponds to a point on the stable manifold of thesaddle point S in the bistable regime. This means that when the injection current is suddenlyincreased so that the SRL operates in the bistable regime, the state is lain on the stable manifoldof the saddle point S in a bistable regime, as indicated by open circle in Fig. 1 (b). However,since the spontaneous emission noises are always coupled to the counter-propagating modes,the fluctuation of the state of the system due to the noises is amplified by the unstable manifoldof the saddle point S. Consequently, the state of the system relaxes to either of UCW or UCCW .The resetting of the final lasing state can be achieved by again decreasing the injection to thebidirectional regime and relaxing to stable point B. Accordingly, the stochastic mode-selectionis repeated by the modulation of the injection current between the bidirectional and bistableregimes, so that a random optical pulse train can be emitted in the CW and CCW directions.

2.3. Control of spontaneous emission noises

However, in the actual SRL devices, the spontaneous emission will not be isotropic due tomaterial non-uniformities, and they will not be equally coupled to the CW and CCW modes.Thus, actual SRL devices have a preferred direction, and the dominant output direction is repro-ducible [5]. For achieving the random operation with the equal probability of the appearanceof the CW or CCW lasing state, the amounts of the spontaneous emission noises coupled tothe CW and CCW modes should be controlled so that the asymmetry of the coupling is re-duced. We show that this is achieved by using two spontaneous emission noise sources. Figure2 shows a schematic of a SRL device with two spontaneous emission noises sources B1 andB2. The noises emitted from B1 and B2 are injected into a ring laser part in the CCW and CWdirection via a weakly coupled waveguide used as a directional coupler. For example, when B1is active, the amount of the spontaneous emission coupled to the CCW mode can be enhanced.A similar method for the control of the amounts of the spontaneous emission has been used forachieving the switching operation from CW (CCW) mode to CCW (CW) mode [1].

3. SRL device: design and fabrication

In order to implement the random optical pulse generation scheme mentioned in the previoussection, a SRL device was designed and fabricated in a InP/InGaAsP material system with anactive-passive integration. Figures 3 (a) and (b) show the schematic and picture of the fabricated

#140122 - $15.00 USD Received 23 Dec 2010; revised 28 Feb 2011; accepted 9 Mar 2011; published 4 Apr 2011(C) 2011 OSA 11 April 2011 / Vol. 19, No. 8 / OPTICS EXPRESS 7444

Atmospherische Störungen etc

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Beispiele physikalischer RNGs III

INTEL verwendet ein metasta-biles latch das abhängig vonthermischem Rauschen 0 oder1 produziert. [5], [16]

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für RNGsBSI [2] bietet/verordnet (Kritik siehe [13])

1 Monobit Test

2 Poker Test

3 Run Tests

4 Longrun Test

5 Autokorrelationstests

6 Gleichverteilungstest

7 Homogenitätstests

8 Entropie Test

NIST [14] gibt zusätzlich vor

• binary matrix rank

• DFT

• template matching

• linear complexity

• random walks

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGsMonobit Test : FIPS, HAC [12], NIST [14], BSI [7],[8] pp44

T1Let n = 20000, T1 =

∑ni=1 bi . Bit sequence

(bi)n

i=1passes the Monobit Test if 9654 < T1 < 10346.

T1 is – independence assumed! – binomially distributed:E(T1) = np and Var(T1) = np(1−p) for p = P(b =1).For p = 1

2 SAGE [?] gives with any precisionP(9654 < T1 < 10346) ≈ 0.999999078354697.T1 is approximately N(np, npq)-distributed. SAGEP(9654 < T1 < 10346) ≈ P(|U| < 4.89317892581091)≈ 0.999999503899380 for N(0, 1)-distributed U, where

Φ(u) = 12

(1 + erf( u√

2))

is the distribution function of U.

⇒ BSI-error probability ≤ 1− 0.999999 = 10−6

NB [12],[7],[8] examine (also) the approximately χ2

distributed test statistic T ′1 = 1n (T1 − (n − T1))2 with

df = 1.

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGsPoker Test : FIPS, HAC [12] 2bit, NIST [14], BSI [7],[8] pp46 typo

T2

Let n = 20000. Every 4 bits give a nibble.Let hi := |{j : 8b4j−3 + 4b4j−2 + 2b4j−1 + b4j = i}|and T2 = 16

5000

∑15i=o h2

i − 5000. Bit sequence(bi)n

i=1passes the Poker Test, if 1.03 < T2 < 57.4.

T2 = 16n4

∑15i=o h2

i − n4 =∑15

i=o(hi−n4/16)2

n4/16 ≥ 0 with n4 = n4

is χ2-distributed with df =15. NB BSI P(χ2 ≥ 56.49) = 10−6

SAGE: P(1.03<T2<57.4) =∫ 57.4

1.03xdf/2−1e−x/2

2df/2Γ(df/2)dx ≈

0.999998985794408 ≈ 1− 10−6. NB: lopsided!We have Fdf (x) = P( df

2 ,x2 ) and for odd df

P( df2 ,

x2 ) = erf(

√x2 )− e−x/2

bdf/2c−1∑k=0

1Γ(k+3/2) ( x

2 )k+1/2

SAGE: P(1.03<T2<57.4) = F15(57.4)− F15(1.03) ≈0.999998985794408 ≈ 1− 10−6. NB: lopsided!

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGsRun Tests: FIPS, HAC [12], NIST [14] #runs, BSI [7],[8] pp47

T3

Let n = 20000 and k` the number of runs of length `.The bit sequence

(bi)n

i=1 passes the Run Tests, ifk1 ∈ [2267, 2733], k2 ∈ [1079, 1421], k3 ∈ [502, 748],k4 ∈ [233, 402], k5 ∈ [90, 223] and k≥6 ∈ [90, 22

33]

0-runs or 1-runs of length ` occur with prun = 12`+2 in any

of the n− `− 1 places and in each of the two boundarieswith p′run = 2prun.⇒ E(K`) = n−`−1+2+2

2`+2 = n−`+32`+2 .

T3` =1∑

b=0

∑i=1

(k(b)i −E(Ki ))2

E(Ki ), ki = k (0)

i +k (1)i ≈ χ2-distributed,

df = 2`−1 = #observ – #params. NB [12] = 2`−2, NB [11] = 2`SAGE’s find_root gives: P(T31 < 10−12) ≈ 0.5 · 10−6

and P(T31 > 25.263820726226815) ≈ 0.5 · 10−6, (BSIonesided P(T31 < 23.9281269768) = 1− 10−6) withE(K1) = n+2

8 = 2500.25 implying NB k1 ∈ [2322, 2677]? resp. NB k1 ∈ [2327, 2673] ? Zählweise?

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGs

Longrun Test : FIPS, NIST [14] longest/block, BSI [7],[8] p49

T4Let n = 20000. The bit sequence

(bi)n

i=1 passes theLongrun Test, if k` = 0 for all ` ≥ 34.

P(k` = 0) =F (`)

n+22n with the Fibonacci `-step numbers [19]

F (`)k =

∑`i=1 F (`)

k−i with F (`)k =0 for k ≤ 0 and F (`)

1 =F (`)2 =1.

SAGE: P(k34 = 0) ≈ 0.999999418854882 ≈ 1− 10−6

und P(k` = 0)↗ for `↗By the way, roughly estimating SAGE givesP(k` > 0 for at least one ` ≥ 34) ≈ (n − 34)2−34 ≈1.16217415779829 · 10−6

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGs

Autocorrelation Test : HAC [12], NIST [14], BSI [7],[8] pp49

T5

Let n = 20000 and T5τ =∑n/4

j=1 bj ⊕ bj+τ forτ ∈ {1, 2, ..., n

4}. The bit squence(bi)n

i=1 passes theAutocorrelation Test, if |T5τ − n

8 | < 174 for all τ .NB: only the first half of the (bi) is relevant!?!

T5τ is approximately N( n4

12 ,

n4

12

12 )-distributed. With

SAGE u = 174√n/16

= 1.74·4√2≈ 4.92146319705837 we get

P(|T5τ − n8 | < 174) = P(|U| < u) = 2Φ(u)− 1 ≈

0.99999914100 ≈ 1− 10−6 for N(0, 1)-distributed U.

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGsUniform distribution Test: HAC 2bit, NIST

templatematching, BSI [7],[8] pp50

T6

Generate wj ∈ {0, 1}k from(bi)nk

i=1; T6x :=|{j:wj =x}|

n

is the relative frequency of x. The bit sequence(bi)nk

i=1passes the Uniform distribution Test for parametersk , n and α, if

∣∣T6x − 2−k∣∣ < α for all x ∈ {0, 1}k .

Uniform distribution tests generalize Monobit Tests!BSI [7],[8] p55 Test Procedure B:•T6 with NB k = 1,n = 105 and α = 0.025. Explicitly p51: (bi)

ni=1 passes if

|T6o − 12 | < α ? •T1 ? NB only for ’PTRNG’.

let b ∈ {0, 1} and hb = #b in (bi)ni=1. independent!

χ2-adaption test: T6 =∑1

b=0(hb−n/2)2

n/2 is χ2-distributed

with df = 1. BSI condition |hbn −

12 | ≤ α for b ∈ {0, 1} ⇒

(hb− n2 )2 ≤ α2n2⇒ T6 ≤ 250. SAGE P(T6 ≤ 250) = 1,

NB while SAGE P(T6 ≤≈ 23.9) ≈ 1− 10−6 ?

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGsMultinomial/Homogeneity Test : BSI [7],[8] pp51

T7

Generate wi,j ∈ {0, 1, ..., s−1} for i = 1, .., hj = 1, .., n

of(bk)

k ,

i.e. h independent repetitions of the j-th experiment.Let fi(t) = |{j : wij = t}| and pt = 1

hn

∑hi=1 fi(t).

The bit sequence(bi)

i passes the Multinomial Testfor h, s, n and α if T7 ≤ χ2(α, (h−1)(s−1)) where

T7 =∑h

i=1

∑s−1t=o

(fi (t)−n pt )2

n pt

No longer up to date: BSI-example for h = s = 2, i.e. i = 1, 2and template t = 0, 1 – adapted from [6], Test 76.Two samples with n elements each wi,1,wi,2, . . . ,wi,n fori = 1, 2 of n bits each. Determineabsolute frequency fi (t) = |{j : wi,j = t}| of t in sample

relative frequency pt = f1(t)+f2(t)2n von t in both samples

T7 =∑h

i=1

∑s−1t=o

(fi (t)−npt )2

nptis χ2-distributed,

df = (h−1)(s−1) = 1 and according to BSI p37, Tabelle[7],[8] p46 P(T7 ≥ 15.13) = α = 0.0001 ?

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGsBSI [7],[8] pp55 Test Procedure B demands (typos) three tests– with NB three different representations•T7 pp51, p56, pp58NB•T7 only for ’PTRNG’ in spite of pp58 (typos)

step 2 bits •T7?Extract TFr = {(b2j+1, b2j+2) : b2j+1 = r} with |TF0| = |TF1| =n1 = 105 from sequence. Determine vr (i) =

|{j:(b2j+1,i)∈TFr}|n1

.Sequence passes T7 if |v0(1)+v1(0)−1| < α1 = 0.02? v0(0)?v1(1)?

step 3 bits •T7 supposedly with h = 2? or h = 4?, s = 2Extract TFrs = {(b3j+1, .., b3j+3) : (b3j+1, b3j+2) = (rs)} with|TFoo| = |TFo1| = |TF1o| = |TF11| = n2 = 105 from sequence.Determine vrs(i) :=

|{j:(b3j+1,..,b3j+3)=(rsi)}|n2

.’for each s∈{0, 1} compare v0s and v1s with•T7 at α2 = 0.0001’

step 4 bits •T7 supposedly with h = 3? or h = 8?, s = 2Extract TFrst = {(b4j+1, ..., b4j+4) : (b4j+1, .., b4j+3) = (rst)} with|TFooo| = |TFoo1| = ... = |TF111| = n3 = 105 from sequence.Determine vrst(i) :=

|{j:(b4j+1,..,b4j+4)=(rsti)}|n3

.’for each (s, t)∈{0, 1}2 compare v0st and v1st with•T7 at α3 = 0.0001’

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGsEntropy Test : HAC, NIST

approx.entropy, BSI [7],[8] pp52

in accor-dance with [3],[4]

T8

Generate wn ∈ {0, 1}L aus(bi)(Q+K )L

i=1 . Let An be thedistance of wn to some identical predecessor,

i.e. An =

{n if there is no i ≥ 1 with wn = wn−i

min{i ≥ 1 : wn = wn−i} else

Let T8 = 1K

∑Q+Kn=Q+1 g(An) with g(i) = 1

log 2

∑i−1k=1

1k

≈log i+γ+ 1

2i +1

12i2

log 2 +O( 1i4 ) with γ ≈ 0.577216 Euler.

The bit sequence(bi)(Q+K )L

i=1 passes the Entropy Test,if T8 approximately N(µ, σ2)-distributed with’tabulated’ µ = µ(L,K ) and σ = σ(L,K ).

BSI [7],[8] pp55 Test Procedure B:(bi)n

i=1 passes•T8 withL = 8, Q = 10 · 2L = 2560, K = 1000 · 2L = 256000,µ = L, σ = c(L,K )

√Var(g(An))/K if T8 > 7.976

NB onesided? NB only for ’PTRNG’.

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Qualitätskriterien für PRNGsGenesis: Maurer’s universal test Coron 6≡ BSI

Maurer [11]: fTU = 1K

∑Q+Kn=Q+1 log2(An) with independent of n

E(fTU ) = E(log2(An)) = 2−L∑∞i=1(1− 2−L)i−1 log2(i) and

approximately Var(fTU ) = c2(L,K )Var(log2(An))/K with

c(L,K ) ≈ 0.7− 0.8L + (4 + 32

L ) K−3/L

15 for L� Q � KVar(log2(An)) = 2−L∑∞

i=1(1− 2−L)i−1 log22(i)− E2(fTU ).

Coron&Naccache [3],[4] generalize/correct Maurer tof gTU

= 1K

∑Q+Kn=Q+1 g(An), which for g(i) = 1

log 2

∑i−1k=1

1k gives

E(f gTU

) = L bit = Entropy of L-bit blocks of an ergodicstationary source as well as an exact representation and thusa better approximation of c(L,K ).NB Table 1 for Var(log2(An)), d(L) and e(L) inc2(L,K ) = d(L)+e(L) · 2L/K in [3] for log2, in [4] for said g

BSI [7],[8] with said g, typo also in [9] SAGE σ ≈ 0.002 vs BSIσ = 0.0014 and P(T8>7.976) = P(U>−10.64) ≈ 1 ?NB onesided? contrary to [11],[3],[4]

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Zusammenfassung

• Sinn & Zweck von Zufallszahlen• Güte von Zufallszahlen

• Gleichverteilung• Unabhängigkeit• Unvorhersagbarkeit

Güte-Kriterien sind statistischer Natur!

• Erzeugung von Zufallszahlen:deterministische = pseudo vs physikalische = echte

• Güte von Zufallszahlen-Generatoren• RNGs erzeugen ’gute’ Zufallszahlen• mit wenig Aufwand, d.h. schnell

Die Suche nach besseren Zufallszahlen-Generatoren istvermutlich nicht zu Ende.

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Referenzen

[1] Lenore Blum, Manuel Blum, Michael Shub: A Simple UnpredictablePseudo-Random Number Generator; SIAM Journal on Computing,Vol 15, Nr. 2, 364-383, May 1986

[2] BSI: Anwendungshinweise und Interpretationen (zum Schema), AIS;https://www.bsi.bund.de/DE/Themen/

ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/

AnwendungshinweiseundInterpretationen/AIS/aiscc_node.html

[3] Jean-Sebastien Coron, David Naccache: An Accurate Evaluation ofMaurers Universal Test; Proc. of SAC’98; Springer LNCS 1998,http://www.jscoron.fr/publications/universal.pdf

[4] Jean-Sebastien Coron: On the Security of Random Sources; in H.Imai, Y. Zheng, Eds.: Public-Key Cryptography; LNCS vol. 1560,29-42, Springer 1999 www.jscoron.fr/publications/entropy.pdf

[5] M. Hamburg, P. Kocher, M. Marson: Analysis of Intel’s Ivy BridgeDigital Random Number Generator; http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf

https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/ZertifizierungnachCCundITSEC/AnwendungshinweiseundInterpretationen/AIS/aiscc_node.html



http://www.jscoron.fr/publications/universal.pdf

http://www.jscoron.fr/publications/entropy.pdf

http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf

http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Referenzen’

[6] Gopal K. Kanji: 100 Statistical Tests; SAGE Publications 2006http://fcc-statistics.wikispaces.com/file/view/100+

Statistical+Tests.pdf

[7] Wolfgang Killmann, Werner Schindler: Functionality Classes andEvaluation Methodology for Random Number Generators; s. [2]AIS20_Functionality_classes_for_random_number_generators.pdf

[8] Wolfgang Killmann, Werner Schindler: Functionality Classes andEvaluation Methodology for Random Number Generators; s. [2] 2011AIS31_Functionality_classes_for_random_number_generators.pdf

[9] Wolfgang Killmann, Werner Schindler: Functionality Classes andEvaluation Methodology for True (Physical) Random NumberGenerators; s. [2], version 3.1, 2001AIS_31_Functionality_classes_evaluation_methodology_for_true_RNG_e.pdf

[10] Derrick H. Lehmer: Mathematical methods in large-scale computingunits; Ann. Computing Lab., Harvard Univ. 26 (1951), 141-146

http://fcc-statistics.wikispaces.com/file/view/100+Statistical+Tests.pdf

http://fcc-statistics.wikispaces.com/file/view/100+Statistical+Tests.pdf

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Zertifierung/Interpretation/AIS20_Functionality_classes_for_random_number_generators.pdf?__blob=publicationFile

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Zertifierung/Interpretation/AIS31_Functionality_classes_for_random_number_generators.pdf?__blob=publicationFile

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_31_Functionality_classes_evaluation_methodology_for_true_RNG_e.pdf?__blob=publicationFile

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Referenzen”[11] Ueli M. Maurer: A Universal Statistical Test for Random Bit

Generators; Journal of Cryptology, vol. 5, no. 2, 1992, 89-105 ftp://

ftp.inf.ethz.ch/pub/crypto/publications/Maurer92a.pdf

[12] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone:Handbook of Applied Cryptography; CRC Press, October 1996http://cacr.uwaterloo.ca/hac/

[13] Thomas Risse: Güte von Zufallszahlen – Qualität vonZufallszahlen-Generatoren; 11. workshop Mathematik für Ingenieure;Hochschule Bochum 30.9.2013www.weblearn.hs-bremen.de/risse/papers/MathEng11

[14] Andrew Rukhin et al: A Statistical Test Suite for Random andPseudorandom Number Generators for Cryptographic Applications;National Institute of Standards and Technology, NIST April 2010http://csrc.nist.gov/publications/nistpubs/

800-22-rev1a/SP800-22rev1a.pdf

[15] Werner Schindler: Functionality Classes and Evaluation Methodologyfor Deterministic Random Number Generators; BSI, version 2.0, 1999AIS_20_Functionality_Classes_Evaluation_Methodology_DRNG_e.pdf

ftp://ftp.inf.ethz.ch/pub/crypto/publications/Maurer92a.pdf

ftp://ftp.inf.ethz.ch/pub/crypto/publications/Maurer92a.pdf

http://cacr.uwaterloo.ca/hac/

http://www.weblearn.hs-bremen.de/risse/papers/MathEng11

http://csrc.nist.gov/publications/nistpubs/800-22-rev1a/SP800-22rev1a.pdf

http://csrc.nist.gov/publications/nistpubs/800-22-rev1a/SP800-22rev1a.pdf

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_20_Functionality_Classes_Evaluation_Methodology_DRNG_e.pdf?__blob=publicationFile

Zufallszahlen


Wozu?

Wie?DRNGs

TRNGs

RNG-Kriterien

Resumé

Referenzen”’

[16] Boris Škoric: True random number generation; TU Eindhoven 2003http://security1.win.tue.nl/~bskoric/physsec/files/

slides_03_TrueRandom.pdf

[17] Satoshi Sunada, Takahisa Harayama, Kenichi Arai, KazuyukiYoshimura, Ken Tsuzuki, Atsushi Uchida, Peter Davis: Random opticalpulse generation with bistable semiconductor ring lasers;http://www.opticsinfobase.org/oe/viewmedia.cfm?uri=

oe-19-8-7439&seq=0

[18] Prassanna Shanmuga Sundaram: Development of a FPGA-basedTrue Random Number Generator for Space Applications; LinköpingInstitute of Technologyhttp://liu.diva-portal.org/smash/get/diva2:

305133/FULLTEXT01.pdf

[19] Eric W. Weisstein: Run; MathWorld – A Wolfram Web Resourcehttp://mathworld.wolfram.com/Run.html

http://security1.win.tue.nl/~bskoric/physsec/files/slides_03_TrueRandom.pdf

http://security1.win.tue.nl/~bskoric/physsec/files/slides_03_TrueRandom.pdf

http://www.opticsinfobase.org/oe/viewmedia.cfm?uri=oe-19-8-7439&seq=0

http://www.opticsinfobase.org/oe/viewmedia.cfm?uri=oe-19-8-7439&seq=0

http://liu.diva-portal.org/smash/get/diva2:305133/FULLTEXT01.pdf

http://liu.diva-portal.org/smash/get/diva2:305133/FULLTEXT01.pdf

http://mathworld.wolfram.com/Run.html

wie? wie man zuverlässig zufälliges · pdf filesymbol 'i' represents the...

Documents