Random Bit Generation and Stream Ciphers


Topics to Cover
• Principles of Pseudorandom Number Generation
• Pseudorandom Number Generators
• Pseudorandom Number Generation using a Block Cipher
• Stream Ciphers
• RC4
PRINCIPLES OF PSEUDORANDOM NUMBER GENERATION
Applications of Random Numbers in Cryptography and Network Security
• Key Distribution and Authentication Schemes
• Session Key Generation
• Generation of bit stream for symmetric stream encryption
• IVs
• Nonces
• Digital Signatures
Requirements while Generating Random Numbers
• Uniform Distribution
• Independence
• Unpredictability
• Random Number Generator Source
• Length of Random Numbers
• Reproducibility
• Validation
Different Types of Random Number Generators (RNGs)
• Pseudorandom RNGs (PRNGs)
• True RNGs (TRNGs)
• Cryptographically Secure PRNGs (CSPRNGs)
• Hybrid RNGs (HRNGs)
Pseudorandom Numbers
• Cryptographic systems generally use algorithms to generate random numbers.
• These algorithms operate in a predictable manner, so the number sequences they produce lack true randomness.
• However, a well-designed algorithm can yield sequences that satisfy various randomness criteria.
• The numbers produced by these algorithms are known as pseudorandom numbers.
TRNGs (Entropy Sources)
• Mouse Movements
• Keystrokes
• Disk Electrical Activity
• Instantaneous values of the System Clock
• Avalanche Noise
• Magnetic Fluctuations
• Brownian Motion
• Environmental Conditions
PRNGs
• Produce sequences which approximate the properties of random numbers.
• Use a seed as the initial value which is fed to a deterministic algorithm.
• The period of the sequence is decided by the deterministic algorithm.
• A good PRNG follows a uniform distribution.
• The most common deterministic algorithms are LCG, Mersenne Twister, XorShift, etc.
• The most common application is symmetric stream ciphers.
Pseudorandom Function (PRF)
Differences between PRNGs and PRF
PRNGs:
• Inputs:- Seed
• Output is predictable if the seed is known
• Limited Key Space
• Less Secure
PRF:
• Inputs:- Seed, Context Specific Value
• Output is deterministic, but random
• Has more Key Space
• More Secure
Purpose of PRNG and PRF Requirements
• Output Secrecy
• Risk of Knowledge by an attacker
• Brute Force Attack (BFA)
• Areas of Requirements:- Randomness, Unpredictability, and Seed Requirements
Randomness in PRNGs
 PRNGs produce bit streams which are random, though deterministic.
 Multiple tests are required to test the randomness of PRNGs.
 NIST SP 800-22 specifies the following characteristics for randomness:-
• Uniformity:- The probability of a ‘1’ and of a ‘0’ is 50% each.
• Scalability:- Any random subsequence taken from the main sequence should also appear random.
• Consistency:- The PRNG's output should be reliable and similar regardless of the seed value.
15 Tests Defined by SP 800-22 for Randomness in PRNGs
• Frequency (Monobit)
• Runs Test
• Maurer Universal Statistical
• Block Frequency
• Longest Run of Ones
• Binary Matrix Rank Test
• Discrete Fourier (Spectral)
• Non-Overlapping Template
• Overlapping Template Matching
• The Linear Complexity Test
• The Serial Test
• Approximate Entropy
• Cumulative Sums
• Random Excursions
• Random Excursions Variant
Unpredictability in PRNGs
• Forward Unpredictability
• Backward Unpredictability
• Tests used for Randomness are also used for testing Unpredictability
• Each bit of a sequence is like an independent event.

Seed Requirements for PRNGs
• The seed for a PRNG must be secure and unpredictable.
• An attacker can predict the output if he/she has knowledge regarding the seed.
• A TRNG provides more randomness in the seed generation.
• PRNGs can be directly used for some applications like stream ciphers, where TRNGs are not practical.
• Moreover, a TRNG can have biased output, which can be eliminated by using a PRF.
PSEUDORANDOM NUMBER GENERATORS
Linear Congruential Generator (LCG)
• Uses a linear congruence formula for generating a sequence of random numbers.
• Xn+1 = (a*Xn + c) mod m
• m, a, c, Xn ∈ Z
• m > 0
• 0 < a < m
• 0 ≤ c < m
• 0 ≤ Xn < m

LCG (Contd..)
• The selection of a, c, m plays a crucial role in developing a good random number generator.
• A large ‘m’ would produce a long series of distinct random numbers.
• Length of LCG cycle = Period
• LCG is said to achieve its full cycle if Period = m
• The period of an LCG is high for good choices of a, m, c.
• m ≈ 2^31 in programming environments.
• If m is of the form 2^n (n ∈ Z), and the right choices for ‘a’ and ‘c’ are made, then the period of the LCG can be maximized.
 3 Tests proposed by PARK88 in evaluating an
RNG:-
• T1: The random number generator should create
all numbers from 0 to m−1 before starting over.
• T2: The sequence of numbers produced should
look random.
LCG • T3: The generator should work efficiently using
(Contd..) 32-bit math.

 Appropriate values of a, c, m, will make T1, T2,


and T3 pass.
 For T1, if m = prime, c = 0, specific values of ‘a’
produce a period = m-1
 For 32-bit Arithmetic, a convenient prime is 231 – 1.
 For 32-bit Arithmetic, Xn+1 = a*Xn mod (231 – 1)

LCG (Contd..)
 Methods to increase the unpredictability of an LCG:-
• Using an internal system clock to modify the random number stream.
• Restarting the sequence after every N numbers with the current clock value (mod m) as the new seed.
• Adding the current clock value to each random number (mod m) for further unpredictability.
LCG (Numerical 1)
• Generate a sequence of random numbers (show the first 6 numbers) which would be generated using an LCG with modulus = 123, seed = 73, multiplier = 5, and increment = 2.
Solution:-
• m = 123; X0 = 73; a = 5; c = 2
• Xn+1 = (5*Xn + 2) mod 123
• X1 = (5*X0 + 2) mod 123 = 121
• X2 = (5*X1 + 2) mod 123 = 115
• X3 = (5*X2 + 2) mod 123 = 85
• X4 = (5*X3 + 2) mod 123 = 58
• X5 = (5*X4 + 2) mod 123 = 46
• Sequence = {73, 121, 115, 85, 58, 46, ……..}

LCG (Numerical 2)
• Generate a sequence of random numbers (show the first 6 numbers) which would be generated using an LCG with modulus = 100, seed = 27, multiplier = 17, and increment = 43.
Solution:-
• m = 100; X0 = 27; a = 17; c = 43
• Xn+1 = (17*Xn + 43) mod 100
• X1 = (17*X0 + 43) mod 100 = 2
• X2 = (17*X1 + 43) mod 100 = 77
• X3 = (17*X2 + 43) mod 100 = 52
• X4 = (17*X3 + 43) mod 100 = 27
• X5 = (17*X4 + 43) mod 100 = 2
• Sequence = {27, 2, 77, 52, 27, 2, …..}
• Period = 4
LCG (Numerical 3)
• Calculate the period for an LCG with modulus = 8, seed = 4, multiplier = 5, and increment = 3.
Solution:-
• m = 8; X0 = 4; a = 5; c = 3
• Xn+1 = (5*Xn + 3) mod 8
• X1 = (5*X0 + 3) mod 8 = 7
• X2 = (5*X1 + 3) mod 8 = 6
• X3 = (5*X2 + 3) mod 8 = 1
• X4 = (5*X3 + 3) mod 8 = 0
• X5 = (5*X4 + 3) mod 8 = 3
• X6 = (5*X5 + 3) mod 8 = 2
• X7 = (5*X6 + 3) mod 8 = 5
• X8 = (5*X7 + 3) mod 8 = 4
• Period = 8
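Added example (not from the slides): the LCG of the three numericals above in Python, with the period found by a first-repeat search, plus a full-period check using the Hull-Dobell conditions, which the slides do not state but which are the criterion behind "full cycle if Period = m".

```python
from math import gcd

def lcg(m, a, c, seed, count):
    """First `count` values X0, X1, ... of Xn+1 = (a*Xn + c) mod m."""
    assert m > 0 and 0 < a < m and 0 <= c < m and 0 <= seed < m   # slide constraints
    out, x = [], seed
    for _ in range(count):
        out.append(x)
        x = (a * x + c) % m
    return out

def lcg_period(m, a, c, seed):
    """Cycle length the generator settles into (the slides' 'Period').
    The first value seen twice closes the cycle; any non-repeating lead-in
    before it is not counted, which is why Numerical 2 has period 4."""
    first_seen, x, i = {}, seed, 0
    while x not in first_seen:
        first_seen[x] = i
        x = (a * x + c) % m
        i += 1
    return i - first_seen[x]

def has_full_period(m, a, c):
    """Hull-Dobell conditions (not on the slides; added as the check behind
    'full cycle if Period = m'). The LCG visits every residue mod m iff
      1. gcd(c, m) = 1,
      2. a - 1 is divisible by every prime factor of m,
      3. a - 1 is divisible by 4 when m is divisible by 4."""
    if gcd(c, m) != 1:
        return False
    n, factors, d = m, set(), 2          # trial-division factoring of m
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    if any((a - 1) % p != 0 for p in factors):
        return False
    return m % 4 != 0 or (a - 1) % 4 == 0

if __name__ == "__main__":
    for m, a, c, seed in ((123, 5, 2, 73), (100, 17, 43, 27), (8, 5, 3, 4)):
        print(lcg(m, a, c, seed, 6), "period:", lcg_period(m, a, c, seed),
              "full period:", has_full_period(m, a, c))
```

Only Numerical 3 (m = 8, a = 5, c = 3) satisfies all three conditions, which matches its period of 8 = m.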
Pros and Cons of LCG
Pros:
• Simple to understand and easy to implement
• Efficient
• Limited memory consumption
• Minimum state information is sufficient to produce large outputs.
Cons:
• Poor randomness quality
• Usually, an LCG has a short period
• Predictability
• Sequential numbers generation
Blum Blum Shub Generator (BBSG)
 Choose 2 large primes (‘p’ and ‘q’) such that p ≡ q ≡ 3 (mod 4)
 n = p*q
 Choose a random number ‘s’ such that GCD(s, n) = 1
 Algorithm:-
X0 = s^2 mod n
for i = 1 to ∞
{
Xi = (Xi−1)^2 mod n
Bi = Xi mod 2
}
BBSG (Contd..)
• BBSG is referred to as a CSPRNG.
• BBSG passes the Next Bit test.
• The goal is to make the sequence of bits unpredictable for any practical algorithm.
• The security of BBS relies on the difficulty of factoring the large number n into its two prime factors ‘p’ and ‘q’.
BBSG (Numerical 1)
• Generate the random bit sequence (first 3 iterations) using BBSG with the following parameters:- 2 primes (7 and 11), and a seed of 12.
Solution:-
• p = 7, q = 11, s = 12
• n = p*q = 7*11 = 77
• X0 = s^2 mod n = 12^2 mod 77 = 67
• X1 = (X0)^2 mod n = 23
• B1 = X1 mod 2 = 1
• X2 = (X1)^2 mod n = 67
• B2 = X2 mod 2 = 1
• X3 = (X2)^2 mod n = 23
• B3 = X3 mod 2 = 1
• Sequence = {1, 1, 1, …….}

BBSG (Numerical 2)
• Generate the random bit sequence (first 10 iterations) using BBSG with the following parameters:- 2 primes (31 and 59), and a seed of 45.
Solution:-
• p = 31, q = 59, s = 45
• n = p*q = 1829
• X0 = s^2 mod n = 196
• X1 = (X0)^2 mod n = 7
• B1 = X1 mod 2 = 1
• X2 = (X1)^2 mod n = 49
• B2 = X2 mod 2 = 1
• X3 = (X2)^2 mod n = 572
• B3 = X3 mod 2 = 0
• X4 = (X3)^2 mod n = 1622
• B4 = X4 mod 2 = 0
• X5 = (X4)^2 mod n = 782
• B5 = X5 mod 2 = 0
• X6 = (X5)^2 mod n = 638
• B6 = X6 mod 2 = 0
• X7 = (X6)^2 mod n = 1006
• B7 = X7 mod 2 = 0
• X8 = (X7)^2 mod n = 599
• B8 = X8 mod 2 = 1
• X9 = (X8)^2 mod n = 317
• B9 = X9 mod 2 = 1
• X10 = (X9)^2 mod n = 1723
• B10 = X10 mod 2 = 1
• Sequence = {1, 1, 0, 0, 0, 0, 0, 1, 1, 1, ………}

BBSG (Numerical 3)
• Calculate the period of BBSG with the following parameters:- 2 primes (103 and 211), and a seed of 100. Also display the corresponding random bit sequence.
Solution:-
• p = 103, q = 211, s = 100
• n = p*q = 21733
• X0 = s^2 mod n = 10000
• X1 = (X0)^2 mod n = 6467
• B1 = X1 mod 2 = 1
• X2 = (X1)^2 mod n = 7797
• B2 = X2 mod 2 = 1
• X3 = (X2)^2 mod n = 6008
• B3 = X3 mod 2 = 0
• X4 = (X3)^2 mod n = 19284
• B4 = X4 mod 2 = 0
• X5 = (X4)^2 mod n = 21026
• B5 = X5 mod 2 = 0
• X6 = (X5)^2 mod n = 21723
• B6 = X6 mod 2 = 1
• X7 = (X6)^2 mod n = 100
• B7 = X7 mod 2 = 0
• X8 = (X7)^2 mod n = 10000
• B8 = X8 mod 2 = 0
• Period = 8; Sequence = {110001001100010011000100110001001……}

Pros and Cons of BBSG
Pros:
• Simple to understand and easy to implement.
• Provides high security when large primes are chosen.
• Good statistical properties
• Minimum state information is sufficient to produce large outputs.
Cons:
• Management of Primes
• Management of Seed
• Sequential bits generation
• Less efficiency when the Period is high
PSEUDORANDOM NUMBER GENERATION USING A BLOCK CIPHER
PRNG using Block Cipher
• A common way to create a PRNG is by using a symmetric block cipher.
• A symmetric block cipher takes a block of input PT and produces a block of output CT that seems random.
• The output shows no patterns, making it hard to guess the input from the output.
• This randomness makes symmetric block ciphers good for building PRNGs.
• Using a well-known block cipher like DES or AES helps ensure the PRNG is secure.
• Many applications already use DES or AES, making it easy to integrate them into PRNG systems.
PRNG using Block Cipher (Contd..)
 Two common methods for creating a PRNG use 2 modes: CTR mode and OFB mode (the seed consists of the encryption key and a value V).
 CTR mode is suggested in:-
• NIST SP 800-90A
• ANSI standard X9.82
• RFC 4086 (from June 2005)
 OFB mode is recommended in:-
• ANSI standard X9.82
• RFC 4086
PRNG based on OFB
• V = Value of the preceding PRNG block
PRNG based on OFB (Example)
PRNG based on CTR
• ‘V’ is incremented by 1 after each encryption
PRNG based on CTR (Algorithm)
while (len(temp) < requested_number_of_bits)
{
V = (V + 1) mod 2^b
output_block = E(Key, V)
temp = temp || output_block
}
PRNG based on CTR (Example)
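Added example (not from the slides): the CTR-mode loop above and the OFB variant (V = preceding output block) in Python, over a pluggable E(Key, V). The slides use DES or AES for E; the standard library has no block cipher, so a keyed HMAC-SHA256 truncated to the block size is a hypothetical stand-in here, and the point shown is the state handling: the counter wrapping at 2^b, trimming to the requested bit count, and carrying V forward.

```python
import hmac
import hashlib

def stand_in_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E(Key, V): a keyed HMAC-SHA256 truncated to the block size.
    Hypothetical, for demonstration only; a real PRNG would use DES/AES here."""
    return hmac.new(key, block, hashlib.sha256).digest()[: len(block)]

def prng_ctr(encrypt, key: bytes, v: int, block_bits: int, requested_bits: int):
    """CTR-mode PRNG as on the slide: V = (V + 1) mod 2^b before every encryption,
    output blocks concatenated until at least requested_bits exist.
    Returns (output trimmed to the request, final V) so V can be carried forward."""
    assert block_bits % 8 == 0 and 0 <= v < (1 << block_bits)
    temp, block_bytes = b"", block_bits // 8
    while len(temp) * 8 < requested_bits:
        v = (v + 1) % (1 << block_bits)          # counter wraps around at 2^b
        temp += encrypt(key, v.to_bytes(block_bytes, "big"))
    return temp[: (requested_bits + 7) // 8], v

def prng_ofb(encrypt, key: bytes, v: int, block_bits: int, requested_bits: int):
    """OFB-mode PRNG: V for each step is the preceding output block, so the
    generator's state is the last block produced rather than a counter."""
    assert block_bits % 8 == 0 and 0 <= v < (1 << block_bits)
    temp, block = b"", v.to_bytes(block_bits // 8, "big")
    while len(temp) * 8 < requested_bits:
        block = encrypt(key, block)              # V := previous output block
        temp += block
    return temp[: (requested_bits + 7) // 8], int.from_bytes(block, "big")

if __name__ == "__main__":
    key = b"demo key (constructed)"
    print(prng_ctr(stand_in_encrypt, key, 0, 64, 200)[0].hex())
    print(prng_ofb(stand_in_encrypt, key, 0, 64, 200)[0].hex())
```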
STREAM CIPHERS
Stream Ciphers
• A stream cipher encrypts data one byte at a time.
• It can also work on one bit at a time or on larger units of bits.
• A key is used as input to a pseudorandom bit generator which produces 8-bit random output called the keystream.
• CT stream (1 Byte) = PT stream (1 Byte) ⊕ Keystream (1 Byte)
• DT stream (1 Byte) = CT stream (1 Byte) ⊕ Keystream (1 Byte)
Stream Ciphers Design Considerations
• The encryption sequence should have a large period.
• The keystream should approximate the properties of a true random number stream as closely as possible.
• A key length of at least 128 bits is desirable.
• With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length.
RIVEST CIPHER (RC) 4
RC4
• Designed in 1987 by Ron Rivest for RSA Security
• Variable key size stream cipher with byte-oriented operations
• Based on the use of a random permutation
• Eight to sixteen machine operations are required per output byte and the cipher can be expected to run very quickly in software
• Used in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) standards that have been defined for communication between Web browsers and servers
• It is also used in the Wired Equivalent Privacy (WEP) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE 802.11 wireless LAN standard
RC4 (Initial State of S and T)

for i = 0 to 255
{
S[i] = i;
T[i] = K[i mod keylen];
}
RC4 (Initial Permutation of S)

j = 0;
for i = 0 to 255
{
j = (j + S[i] + T[i]) mod 256;
Swap (S[i], S[j]);
}
RC4 (Stream Generation)

i, j = 0;
while (true)
{
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
Swap (S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];
}
Strength of RC4
• Several papers have studied attacks on RC4 encryption.
• Attacking RC4 with a strong key (like 128 bits) is not practical.
• The WEP protocol, meant to keep data private, has vulnerabilities.
• The key generation issue mainly affects WEP, not other uses of RC4.
• Improving key generation can fix the WEP vulnerability.
Strength of RC4 (Contd..)
• A recent study found a serious problem in the RC4 key scheduling algorithm,
which makes it easier to guess the encryption key.
• Another study showed that flaws in the RC4 keystream can help recover the
same encrypted messages.
• Due to these weaknesses, the IETF banned RC4 for use in TLS in February
2015.
• NIST also banned RC4 for government use in their guidelines from September
2013.
