```Path: illuminati.io.com!uunet!MathWorks.Com!europa.eng.gtefsd.com!howland.reston
.ans.net!cs.utexas.edu!not-for-mail
From: ritter@io.com (Terry Ritter)
Newsgroups: sci.crypt

Subject: Re: Random/Pseudo Random Number Generator
Date: 18 Jun 1994 14:09:22 -0500
Organization: UTexas Mail-to-News Gateway
Lines: 194
Sender: nobody@cs.utexas.edu
Message-ID: <199406181908.OAA18085@indial1.io.com>
NNTP-Posting-Host: news.cs.utexas.edu

In
eachus@spectre.mitre.org (Robert I. Eachus) writes:

>  AFAIK the only algorithmic RNG that can be considered secure and has
>reasonable performance is Blum, Blum, and Shub.

Fine.  Let's talk about Blum, Blum, and Shub [1]:

It is interesting to see a BB&S RNG described by the phrase
"reasonable performance," in the light of Section 8 (Lengths of
periods (of the sequences produced by the X**2 mod N generator))
of the BB&S paper.

The BB&S generator differs from the usual Linear Feedback Shift
Register (LFSR) or Linear Congruential designs in that a BB&S
system does not create a single major cycle of known length.
(A "cycle" is a sequence of RNG states which repeat.)

Instead, a BB&S system creates cycles of various lengths, including
degenerate (zero-length) cycles and other cycles which are much
shorter than one might expect.  (I give some examples in my 1991
article [2]).

In Section 8 of the BB&S article, N = 23*47 is specifically
given as an example of "a special number of the prescribed
form."  23*47 = 1081, so this is the number of possible states.
Evaluation of this system finds four degenerate cycles, a
minimum (non-degenerate) cycle length of 10, a maximum of 110,
and an average of 24.  In particular, X0 = 46 is degenerate,
X0 = 47 is degenerate, X0 = 48 is on a 10-state cycle, and
X0 = 24 is on an 11-state cycle.  There are two 10-state
cycles, four 11-state cycles, and two 110-state cycles.

Thus, a BB&S generator cannot be initialized with random state,
because this state may happen to be on a short cycle.  If this were
allowed, the resulting sequence would become "predictable" as soon
as the cycle started to repeat.

This is prevented in a *real* BB&S design by mathematical proof
showing that such a design will have a long cycle of a predictable
length (given certain strenuous conditions on N), *and* by using the
algorithm in Section 9 (Algorithms for determining length of period
and random accessing) to show that an initial state (X0) is on such
a cycle.

In practice, the initial RNG state or "seed" must be constructed
from the cryptographic key, and then checked to see that it is on
a cycle of the desired length (it being much faster to check for
a particular length than it would be to measure arbitrary length).
(In a real system the state will be a very large multi-precision
integer.)  If the seed is on a cycle of the desired length, it must
be changed and checked again.  Some substantial effort is required
to find a valid seed, especially when compared to designs where
this sort of thing is unnecessary.  And this effort is required
every time a BB&S RNG is re-initialized.

Now, one might argue that the really short and dangerous cycles
are rare and can be ignored, but, as far as I know, there is no
math to support statements about the probability of short cycles
in this specific construction.  But in any case, the *entire reason*
for using the BB&S RNG (which is otherwise rather slow, being an
n**2 computation in terms of state-size) is that it has *provable*
strength.  And if the initial seed is not specially selected, the
proof will not hold.

It may be possible to save the current RNG state, and then use
"random accessing" as a message key, but the system will still be
substantially slower in execution than other alternatives.  Note
that, in the above example, the best we can hope to do is access
about 1/10 of the possible states (one long cycle), with an RNG
step operation (integer multiply and modulo divide) of n**2
complexity which must support the full state size.  We can thus
argue that such a generator takes perhaps 100 times the effort
that we might expect for the cycle length actually delivered.

It appears from my experiments [2:120] that about 3/4 of the
BB&S values are "arc states," which join some cycle in a
single step.  None of these states can occur once the RNG is
operating, yet they contribute an overhead to a large value
which must be computed.

And we have yet to discuss the computational effort required to
form N itself:

The primary BB&S requirement for N = P * Q is that P and Q
each be primes congruent to 3 mod 4.  This is exceedingly easy.

But to guarantee a particular cycle length (Section 8, Theorem
6), there are two more Conditions [1:378].  Condition 1 defines
that a prime is "special" if P = 2*P1 + 1, and P1 = 2*P2 + 1,
where P1 and P2 are odd primes.  Both P and Q are required to
be "special."  Finding a valid special primes P and Q is not
easy.

Condition 2 is somewhat more complex, and only rules out one
choice in four, but must be computed anyway if we are to have
a real BB&S design.

Again, we can choose not to have a guaranteed cycle length, but
if so, we do not have a BB&S design, and the result will not be
proven to be "unpredictable."  In which case, why would we use
it?

Presumably, the selection of N would be made off-line, but is very
expensive nevertheless.

>You could probably
>build a reasonable RNG out of RSA or Diffe-Helmann but I don't know of
>one.  Various generators based on DES or digest algorithms are either
>too slow, known to be breakable, or on shaky theoretical ground.

If firm theoretical results were required for cryptography, we would
all be using one-time pads.  No other cipher is generally-accepted
as provably secure.  So why are we not all using one-time pads?

Modern stream-cipher RNG's are typically much faster than DES, and
are often favorably compared to DES in terms of expected strength.
But strength is not necessarily the ultimate requirement:  Speed is
surprisingly important to the ordinary business use of cryptography,
because real cryptography is overhead.  If the effort involved in
should be used.  And very few businesses have the rest of their
operations run with security comparable to a serious stream cipher.
Ciphers alone cannot guarantee security, and a real cipher need
only be substantially more effort to break than the easiest other
way to gain the same information.

Attacking ciphertext is usually expensive and time-consuming,
making it generally the method of last resort.  Why not try
bribery, wiretaps, bugging, theft, or coercion first?

A modern stream-cipher design need not rely as heavily on a strong
RNG as older designs, but instead may use reversible nonlinear
combiners (of which my own Dynamic Substitution is a major design).
The use of nonlinear data combiners also supports multiple levels
of combining, something which is almost useless when using linear
additive combiners.  Nonlinear combiners also provide far more
protection for the RNG than additive combiners, which inherently
reveal an RNG byte for every known-plaintext pair.  This weakness
is present in stream ciphers with additive combiners, but is not
characteristic of stream ciphers as a class.

A fast linear RNG makes a fine cryptographic confusion generator,
*provided* that the sequence is isolated and "nonlinearized" before
it is used, *and* that the cipher design is inherently resistant to
known-plaintext attack.  It is not necessary to discard linear
designs, provided they are properly used.

Frankly, discussion of a need for theoretical strength would make
more sense in the context of the "details" which make theoretically-
strong systems weak in practice.  For example, consider the wide
use of PGP, which requires that public keys be *certified* before
theoretical strength can be achieved.  If we assume both RSA and
IDEA to be absolutely secure, key-certification is the remaining
limit on the strength of the system, and a very low limit it is.
Yet who bothers to validate the keys they use?  In light of this,
why would we consider "strength" (including theoretical strength)
to be a major factor in practical cryptography?

Why not set up an informant to distribute spoofed public keys,
and then set up the network to re-route e-mail between the
desired parties to a nationwide spoofing center?  This would
be easy, white-collar intelligence, perhaps arguably legal, if
the owner of a private system carrying the e-mail "approves"
such monitoring.

We don't hear much said about the issue of the widespread weak use
of PGP.  But this is probably because most people will only use
cryptography to the extent that it represents easy security.  When
informed that real security will take some effort, they say "Why
bother?"  Or, "It can't happen to me!"  Or (my favorite) "Since it
uses RSA, it must be secure; just study some number theory!"

Alas, "easy security" is an oxymoron.

References:

1.  Blum, L., M. Blum & M. Shub.  1986.  A Simple Unpredictable
Pseudo-Random Number Generator.  SIAM Journal on Computing.
15(2): 364-384.

2.  Ritter, T.  1991.  The Efficient Generation of Cryptographic
Confusion Sequences.  Cryptologia.  15(2): 81-139.

---
Terry Ritter   ritter@io.com

```